@@ -14,13 +14,10 @@ OPERATOR_NAME := stackable-cockpit
14
14
VERSION := $(shell cargo metadata --format-version 1 | jq -r '.packages[] | select(.name=="stackable-cockpitd") | .version')
15
15
ARCH := $(shell uname -m | sed -e 's#x86_64#amd64#' | sed -e 's#aarch64#arm64#')
16
16
17
- DOCKER_REPO := docker.stackable.tech
18
- ORGANIZATION := stackable
19
17
OCI_REGISTRY_HOSTNAME := oci.stackable.tech
20
18
OCI_REGISTRY_PROJECT_IMAGES := sdp
21
19
OCI_REGISTRY_PROJECT_CHARTS := sdp-charts
22
20
# This will be overwritten by an environmental variable if called from the github action
23
- HELM_REPO := https://repo.stackable.tech/repository/helm-dev
24
21
HELM_CHART_NAME := ${OPERATOR_NAME}
25
22
HELM_CHART_ARTIFACT := target/helm/${OPERATOR_NAME}-${VERSION}.tgz
26
23
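Review bot: `DOCKER_REPO` and `ORGANIZATION` are deleted here (old lines 17–18) but are still expanded on the new side: by the `@echo` context line under `print-docker-tag:` in the `@@ -118,9 +78,6` hunk, and by the comment above `docker-manifest-list-build:` in the `@@ -87,21 +59,9` hunk. Nothing in the visible hunks sets either variable afterwards, so `print-docker-tag` appears to print `//stackable-cockpit:<version>` with both empty. The echo should move to the OCI coordinates, `@echo "${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}:${VERSION}"`, and the manifest comment should name the same image. The comment `# This will be overwritten by an environmental variable if called from the github action` (old 22 / new 20) described `HELM_REPO`, which is removed directly below it; on the new side it now sits above `HELM_CHART_NAME := ${OPERATOR_NAME}`, so it should be dropped unless it is moved to whichever variable the workflow still overrides.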
@@ -32,34 +29,9 @@ SHELL=/usr/bin/env bash -euo pipefail
32
29
33
30
# # Docker related targets
34
31
docker-build :
35
- docker build --force-rm --build-arg VERSION=${VERSION} -t " ${DOCKER_REPO} /${ORGANIZATION} /${OPERATOR_NAME} :${VERSION} -${ARCH} " -f docker/Dockerfile .
36
- docker tag " ${DOCKER_REPO} /${ORGANIZATION} /${OPERATOR_NAME} :${VERSION} -${ARCH} " " ${OCI_REGISTRY_HOSTNAME} /${OCI_REGISTRY_PROJECT_IMAGES} /${OPERATOR_NAME} :${VERSION} -${ARCH} "
32
+ docker build --force-rm --build-arg VERSION=${VERSION} -t " ${OCI_REGISTRY_HOSTNAME} /${OCI_REGISTRY_PROJECT_IMAGES} /${OPERATOR_NAME} :${VERSION} -${ARCH} " -f docker/Dockerfile .
37
33
38
34
docker-publish :
39
- # Push to Nexus
40
- echo " ${NEXUS_PASSWORD} " | docker login --username github --password-stdin " ${DOCKER_REPO} "
41
- DOCKER_OUTPUT=$$(docker push --all-tags "${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}" ) ; \
42
- # Obtain the digest of the pushed image from the output of `docker push`, because signing by tag is deprecated and will be removed from cosign in the future\
43
- REPO_DIGEST_OF_IMAGE=$$(echo "$$DOCKER_OUTPUT" | awk '/^${VERSION}-${ARCH}: digest: sha256:[0-9a-f]{64} size: [0-9]+$$/ { print $$3 }' ) ; \
44
- if [ -z " $$ REPO_DIGEST_OF_IMAGE" ]; then\
45
- echo ' Could not find repo digest for container image: ${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}:${VERSION}-${ARCH}' ; \
46
- exit 1; \
47
- fi ; \
48
- # This generates a signature and publishes it to the registry, next to the image\
49
- # Uses the keyless signing flow with Github Actions as identity provider\
50
- cosign sign -y " ${DOCKER_REPO} /${ORGANIZATION} /${OPERATOR_NAME} @$$ REPO_DIGEST_OF_IMAGE" ; \
51
- # Generate the SBOM for the operator image, this leverages the already generated SBOM for the operator binary by cargo-cyclonedx\
52
- syft scan --output cyclonedx-json=sbom.json --select-catalogers " -cargo-auditable-binary-cataloger" --scope all-layers --source-name " ${OPERATOR_NAME} " --source-version " ${VERSION} " " ${DOCKER_REPO} /${ORGANIZATION} /${OPERATOR_NAME} @$$ REPO_DIGEST_OF_IMAGE" ; \
53
- # Determine the PURL for the container image\
54
- PURL=" pkg:docker/${ORGANIZATION} /${OPERATOR_NAME} @$$ REPO_DIGEST_OF_IMAGE?repository_url=${DOCKER_REPO} " ; \
55
- # Get metadata from the image\
56
- IMAGE_DESCRIPTION=$$(docker inspect --format='{{.Config.Labels.description}}' "${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}:${VERSION}-${ARCH}" ) ; \
57
- IMAGE_NAME=$$(docker inspect --format='{{.Config.Labels.name}}' "${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}:${VERSION}-${ARCH}" ) ; \
58
- # Merge the SBOM with the metadata for the operator\
59
- jq -s ' {"metadata":{"component":{"description":"' " $$ IMAGE_NAME. $$ IMAGE_DESCRIPTION" ' ","supplier":{"name":"Stackable GmbH","url":["https://stackable.tech/"]},"author":"Stackable GmbH","purl":"' " $$ PURL" ' ","publisher":"Stackable GmbH"}}} * .[0]' sbom.json > sbom.merged.json; \
60
- # Attest the SBOM to the image\
61
- cosign attest -y --predicate sbom.merged.json --type cyclonedx " ${DOCKER_REPO} /${ORGANIZATION} /${OPERATOR_NAME} @$$ REPO_DIGEST_OF_IMAGE"
62
-
63
35
# Push to Harbor
64
36
# We need to use "value" here to prevent the variable from being recursively expanded by make (username contains a dollar sign, since it's a Harbor bot)
65
37
docker login --username ' ${value OCI_REGISTRY_SDP_USERNAME}' --password ' ${OCI_REGISTRY_SDP_PASSWORD}' ' ${OCI_REGISTRY_HOSTNAME}'
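Review bot: The retained Harbor login on the last line of this hunk (new line 37) passes the secret as `--password '${OCI_REGISTRY_SDP_PASSWORD}'`, and because the recipe line is not `@`-prefixed, make echoes the fully expanded command, password included, into the build log, while the value also sits in the process arguments for the duration of the call; the Nexus login removed just above used `--password-stdin`, which avoids both. The same pattern remains in `docker-manifest-list-publish` (`@@ -87,21 +59,9` hunk) and in `helm-publish` (`helm registry login --password`, `@@ -118,9 +78,6` hunk). A drop-in replacement here is `@echo '${OCI_REGISTRY_SDP_PASSWORD}' | docker login --username '${value OCI_REGISTRY_SDP_USERNAME}' --password-stdin '${OCI_REGISTRY_HOSTNAME}'`. Separately, this hunk drops the cosign signature, syft SBOM generation and cosign attestation for the Nexus copy of the image; the Harbor part of the recipe continues past the end of the hunk, so it should be confirmed that it still performs the equivalent digest-based steps against `${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}@<digest>`, otherwise the published image is left unsigned and unattested. `docker-publish`'s recipe continues outside the hunk.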
@@ -87,21 +59,9 @@ docker-publish:
87
59
88
60
# This assumes "${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}:${VERSION}-amd64 and "${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}:${VERSION}-arm64 are build and pushed
89
61
docker-manifest-list-build :
90
- docker manifest create " ${DOCKER_REPO} /${ORGANIZATION} /${OPERATOR_NAME} :${VERSION} " --amend " ${DOCKER_REPO} /${ORGANIZATION} /${OPERATOR_NAME} :${VERSION} -amd64" --amend " ${DOCKER_REPO} /${ORGANIZATION} /${OPERATOR_NAME} :${VERSION} -arm64"
91
62
docker manifest create " ${OCI_REGISTRY_HOSTNAME} /${OCI_REGISTRY_PROJECT_IMAGES} /${OPERATOR_NAME} :${VERSION} " --amend " ${OCI_REGISTRY_HOSTNAME} /${OCI_REGISTRY_PROJECT_IMAGES} /${OPERATOR_NAME} :${VERSION} -amd64" --amend " ${OCI_REGISTRY_HOSTNAME} /${OCI_REGISTRY_PROJECT_IMAGES} /${OPERATOR_NAME} :${VERSION} -arm64"
92
63
93
64
docker-manifest-list-publish :
94
- # Push to Nexus
95
- echo " ${NEXUS_PASSWORD} " | docker login --username github --password-stdin " ${DOCKER_REPO} "
96
- # `docker manifest push` directly returns the digest of the manifest list
97
- # As it is an experimental feature, this might change in the future
98
- # Further reading: https://docs.docker.com/reference/cli/docker/manifest/push/
99
- DIGEST_NEXUS=$$(docker manifest push "${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}:${VERSION}" ) ; \
100
- # Refer to image via its digest (oci.stackable.tech/sdp/airflow@sha256:0a1b2c...)\
101
- # This generates a signature and publishes it to the registry, next to the image\
102
- # Uses the keyless signing flow with Github Actions as identity provider\
103
- cosign sign -y " ${DOCKER_REPO} /${ORGANIZATION} /${OPERATOR_NAME} :${VERSION} @$$ DIGEST_NEXUS"
104
-
105
65
# Push to Harbor
106
66
# We need to use "value" here to prevent the variable from being recursively expanded by make (username contains a dollar sign, since it's a Harbor bot)
107
67
docker login --username ' ${value OCI_REGISTRY_SDP_USERNAME}' --password ' ${OCI_REGISTRY_SDP_PASSWORD}' ' ${OCI_REGISTRY_HOSTNAME}'
@@ -118,9 +78,6 @@ print-docker-tag:
118
78
@echo " ${DOCKER_REPO} /${ORGANIZATION} /${OPERATOR_NAME} :${VERSION} "
119
79
120
80
helm-publish :
121
- # Push to Nexus
122
- curl --fail -u " github:${NEXUS_PASSWORD} " --upload-file " ${HELM_CHART_ARTIFACT} " " ${HELM_REPO} /"
123
-
124
81
# Push to Harbor
125
82
# We need to use "value" here to prevent the variable from being recursively expanded by make (username contains a dollar sign, since it's a Harbor bot)
126
83
helm registry login --username ' ${value OCI_REGISTRY_SDP_CHARTS_USERNAME}' --password ' ${OCI_REGISTRY_SDP_CHARTS_PASSWORD}' ' ${OCI_REGISTRY_HOSTNAME}'
@@ -166,7 +123,6 @@ chart-lint: compile-chart
166
123
167
124
clean : chart-clean
168
125
cargo clean
169
- docker rmi --force " ${DOCKER_REPO} /${ORGANIZATION} /${OPERATOR_NAME} :${VERSION} "
170
126
docker rmi --force ' ${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}:${VERSION}'
171
127
172
128
regenerate-charts : chart-clean compile-chart