✨ Update helm chart (#395)

* ⬆️ Upgrade deps * 💚 Remove tcr * 💚 Update dockerfile * ✨ Update helm chart * ✨ Add web dockerfile * ✨ Add trivy dockerfile * ✨ Add web deployment * ✨ Update config * 🐛 Fix lint error
go-sigma · Sep 16, 2024 · 7b340bc · 7b340bc
1 parent 44ea9af
commit 7b340bc
Show file tree

Hide file tree

Showing 39 changed files with 2,452 additions and 1,853 deletions.
diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml
@@ -31,6 +31,7 @@ jobs:
         uses: actions/setup-go@v5
         with:
           go-version: "1.22"
+          cache: false
       - name: Build latest skopeo
         run: |
           git clone --depth 1 --branch v1.15.0 https://github.com/containers/skopeo.git
@@ -49,7 +50,7 @@ jobs:
 
           docker buildx create --use
           make docker-build-builder-local dockerfile-local
-          docker buildx build -f build/Dockerfile --build-arg WITH_TRIVY_DB=true --platform linux/amd64 --progress plain --output type=docker,dest=- -t sigma:latest . | docker load
+          docker buildx build -f build/all.alpine.Dockerfile --build-arg WITH_TRIVY_DB=true --platform linux/amd64 --progress plain --output type=docker,dest=- -t sigma:latest . | docker load
       - name: Run sigma
         run: |
           docker run --name sigma -v /var/run/docker.sock:/var/run/docker.sock -d -p 3000:3000 sigma:latest

diff --git a/.github/workflows/image-build.yml b/.github/workflows/image-build.yml
@@ -43,13 +43,6 @@ jobs:
           registry: ghcr.io
           username: tosone
           password: ${{ secrets.GHCR_TOKEN }}
-      - name: Login to tencent tcr
-        uses: docker/login-action@v3
-        if: ${{ github.event_name != 'pull_request' }}
-        with:
-          registry: ccr.ccs.tencentyun.com
-          username: ${{ secrets.TCR_USERNAME }}
-          password: ${{ secrets.TCR_PASSWORD }}
       - name: Login to Docker Hub
         uses: docker/login-action@v3
         if: ${{ github.event_name != 'pull_request' }}
@@ -79,7 +72,7 @@ jobs:
         uses: docker/build-push-action@v5
         with:
           context: .
-          file: build/Dockerfile.builder
+          file: build/builder.Dockerfile
           platforms: linux/amd64,linux/arm64
           push: false
           tags: docker.io/sigma/sigma-builder:latest
@@ -94,7 +87,6 @@ jobs:
           images: |
             ghcr.io/${{ github.repository }}
             docker.io/tosone/sigma
-            ccr.ccs.tencentyun.com/go-sigma/sigma
           tags: |
             type=ref,event=pr
             type=ref,event=branch,enable=${{ github.ref != 'refs/heads/main' }}
@@ -106,7 +98,7 @@ jobs:
         uses: docker/build-push-action@v5
         with:
           context: .
-          file: build/Dockerfile
+          file: build/all.alpine.Dockerfile
           platforms: ${{ github.event_name != 'pull_request' && (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v')) && 'linux/amd64,linux/arm64' || 'linux/amd64,linux/arm64' }}
           push: ${{ github.event_name != 'pull_request' && (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v')) }}
           tags: ${{ steps.meta.outputs.tags }}
@@ -142,13 +134,6 @@ jobs:
           registry: ghcr.io
           username: tosone
           password: ${{ secrets.GHCR_TOKEN }}
-      - name: Login to tencent tcr
-        uses: docker/login-action@v3
-        if: ${{ github.event_name != 'pull_request' }}
-        with:
-          registry: ccr.ccs.tencentyun.com
-          username: ${{ secrets.TCR_USERNAME }}
-          password: ${{ secrets.TCR_PASSWORD }}
       - name: Login to Docker Hub
         uses: docker/login-action@v3
         if: ${{ github.event_name != 'pull_request' }}
@@ -178,7 +163,7 @@ jobs:
         uses: docker/build-push-action@v5
         with:
           context: .
-          file: build/Dockerfile.builder
+          file: build/builder.Dockerfile
           platforms: linux/amd64,linux/arm64
           push: false
           tags: docker.io/sigma/sigma-builder:latest
@@ -193,7 +178,6 @@ jobs:
           images: |
             ghcr.io/${{ github.repository }}
             docker.io/tosone/sigma
-            ccr.ccs.tencentyun.com/go-sigma/sigma
           flavor: |
             latest=false
           tags: |
@@ -207,7 +191,7 @@ jobs:
         uses: docker/build-push-action@v5
         with:
           context: .
-          file: build/Dockerfile
+          file: build/all.alpine.Dockerfile
           platforms: ${{ github.event_name != 'pull_request' && (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v')) && 'linux/amd64,linux/arm64' || 'linux/amd64,linux/arm64' }}
           push: ${{ github.event_name != 'pull_request' && (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v')) }}
           tags: ${{ steps.meta.outputs.tags }}
@@ -245,13 +229,6 @@ jobs:
           registry: ghcr.io
           username: tosone
           password: ${{ secrets.GHCR_TOKEN }}
-      - name: Login to tencent tcr
-        uses: docker/login-action@v3
-        if: ${{ github.event_name != 'pull_request' }}
-        with:
-          registry: ccr.ccs.tencentyun.com
-          username: ${{ secrets.TCR_USERNAME }}
-          password: ${{ secrets.TCR_PASSWORD }}
       - name: Login to Docker Hub
         uses: docker/login-action@v3
         if: ${{ github.event_name != 'pull_request' }}
@@ -281,7 +258,7 @@ jobs:
         uses: docker/build-push-action@v5
         with:
           context: .
-          file: build/Dockerfile.builder
+          file: build/builder.Dockerfile
           platforms: linux/amd64,linux/arm64
           push: false
           tags: docker.io/sigma/sigma-builder:latest
@@ -296,7 +273,6 @@ jobs:
           images: |
             ghcr.io/${{ github.repository }}
             docker.io/tosone/sigma
-            ccr.ccs.tencentyun.com/go-sigma/sigma
           flavor: |
             latest=false
           tags: |
@@ -310,7 +286,7 @@ jobs:
         uses: docker/build-push-action@v5
         with:
           context: .
-          file: build/Dockerfile.debian
+          file: build/all.debian.Dockerfile
           platforms: ${{ github.event_name != 'pull_request' && (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v')) && 'linux/amd64,linux/arm64' || 'linux/amd64,linux/arm64' }}
           push: ${{ github.event_name != 'pull_request' && (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v')) }}
           tags: ${{ steps.meta.outputs.tags }}
@@ -346,13 +322,6 @@ jobs:
           registry: ghcr.io
           username: tosone
           password: ${{ secrets.GHCR_TOKEN }}
-      - name: Login to tencent tcr
-        uses: docker/login-action@v3
-        if: ${{ github.event_name != 'pull_request' }}
-        with:
-          registry: ccr.ccs.tencentyun.com
-          username: ${{ secrets.TCR_USERNAME }}
-          password: ${{ secrets.TCR_PASSWORD }}
       - name: Login to Docker Hub
         uses: docker/login-action@v3
         if: ${{ github.event_name != 'pull_request' }}
@@ -382,7 +351,7 @@ jobs:
         uses: docker/build-push-action@v5
         with:
           context: .
-          file: build/Dockerfile.builder
+          file: build/builder.Dockerfile
           platforms: linux/amd64,linux/arm64
           push: false
           tags: docker.io/sigma/sigma-builder:latest
@@ -397,7 +366,6 @@ jobs:
           images: |
             ghcr.io/${{ github.repository }}
             docker.io/tosone/sigma
-            ccr.ccs.tencentyun.com/go-sigma/sigma
           flavor: |
             latest=false
           tags: |
@@ -411,7 +379,7 @@ jobs:
         uses: docker/build-push-action@v5
         with:
           context: .
-          file: build/Dockerfile.debian
+          file: build/all.debian.Dockerfile
           platforms: ${{ github.event_name != 'pull_request' && (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v')) && 'linux/amd64,linux/arm64' || 'linux/amd64,linux/arm64' }}
           push: ${{ github.event_name != 'pull_request' && (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v')) }}
           tags: ${{ steps.meta.outputs.tags }}

diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -48,5 +48,10 @@ jobs:
       - name: Lint Dockerfile
         uses: hadolint/[email protected]
         with:
-          dockerfile: ./build/Dockerfile
+          dockerfile: ./build/all.alpine.Dockerfile
           ignore: DL3018,DL3003,SC2155
+      - name: Lint Dockerfile
+        uses: hadolint/[email protected]
+        with:
+          dockerfile: ./build/all.debian.Dockerfile
+          ignore: DL3018,DL3003,SC2155,DL4006,SC2046,DL3008
diff --git a/Makefile b/Makefile
@@ -79,17 +79,25 @@ endif
 
 ## Docker:
 docker-build: docker-build-builder-local dockerfile-local ## Use the dockerfile to build the sigma image
-	docker buildx build --build-arg USE_MIRROR=$(USE_MIRROR) --build-arg WITH_TRIVY_DB=$(WITH_TRIVY_DB) -f build/Dockerfile --platform $(DOCKER_PLATFORMS) --progress plain --output type=docker,name=$(DOCKER_REGISTRY)/$(BINARY_NAME):latest,push=false,oci-mediatypes=true,compression=zstd,compression-level=12,force-compression=true .
+	docker buildx build --build-arg USE_MIRROR=$(USE_MIRROR) --build-arg WITH_TRIVY_DB=$(WITH_TRIVY_DB) -f build/all.alpine.Dockerfile --platform $(DOCKER_PLATFORMS) --progress plain --output type=docker,name=$(DOCKER_REGISTRY)/$(BINARY_NAME):latest,push=false,oci-mediatypes=true,compression=zstd,compression-level=12,force-compression=true .
 
 docker-build-builder: ## Use the dockerfile to build the sigma-builder image
-	docker buildx build --build-arg USE_MIRROR=$(USE_MIRROR) -f build/Dockerfile.builder --platform $(DOCKER_PLATFORMS) --progress plain --output type=docker,name=$(DOCKER_REGISTRY)/$(BINARY_NAME)-builder:latest,push=false,oci-mediatypes=true,compression=zstd,compression-level=12,force-compression=true .
+	docker buildx build --build-arg USE_MIRROR=$(USE_MIRROR) -f build/builder.Dockerfile --platform $(DOCKER_PLATFORMS) --progress plain --output type=docker,name=$(DOCKER_REGISTRY)/$(BINARY_NAME)-builder:latest,push=false,oci-mediatypes=true,compression=zstd,compression-level=12,force-compression=true .
 
 docker-build-builder-local: ## Use the dockerfile to build the sigma-builder image and save to local tarball file
-	docker buildx build --build-arg USE_MIRROR=$(USE_MIRROR) -f build/Dockerfile.builder --platform linux/amd64,linux/arm64 --progress plain --output type=oci,name=$(DOCKER_REGISTRY)/$(BINARY_NAME)-builder:latest,push=false,oci-mediatypes=true,dest=./bin/builder.$(VERSION).tar .
+	docker buildx build --build-arg USE_MIRROR=$(USE_MIRROR) -f build/builder.Dockerfile --platform linux/amd64,linux/arm64 --progress plain --output type=oci,name=$(DOCKER_REGISTRY)/$(BINARY_NAME)-builder:latest,push=false,oci-mediatypes=true,dest=./bin/builder.$(VERSION).tar .
 
 dockerfile-local: ## Use skopeo to copy dockerfile to local tarball file
 	skopeo copy -a docker://docker/dockerfile:1.8.1 oci-archive:bin/dockerfile.1.8.1.tar
 
+.PHONY: docker-build-web
+docker-build-web: ## Build the web image
+	@docker buildx build --build-arg USE_MIRROR=$(USE_MIRROR) -f build/web.Dockerfile --platform $(DOCKER_PLATFORMS) --progress plain --output type=docker,name=$(DOCKER_REGISTRY)/$(BINARY_NAME)-web:latest,push=false,oci-mediatypes=true,compression=zstd,compression-level=12,force-compression=true .
+
+.PHONY: docker-build-trivy
+docker-build-trivy: ## Build the trivy image
+	@docker buildx build --build-arg USE_MIRROR=$(USE_MIRROR) -f build/trivy.Dockerfile --platform $(DOCKER_PLATFORMS) --progress plain --output type=docker,name=$(DOCKER_REGISTRY)/$(BINARY_NAME)-trivy:latest,push=false,oci-mediatypes=true,compression=zstd,compression-level=12,force-compression=true .
+
 ## Misc:
 migration-create: ## Create a new migration file
 	@migrate create -dir ./pkg/dal/migrations/mysql -seq -digits 4 -ext sql $(MIGRATION_NAME)

diff --git a/README.md b/README.md
@@ -14,7 +14,7 @@ Sigma is an image registry that is extremely easy to deploy and maintain, and it
 Now you can use this command to run a simple server:
 
 ``` bash
-docker run --name sigma -p 3000:3000 --rm ccr.ccs.tencentyun.com/go-sigma/sigma:nightly-alpine
+docker run --name sigma -p 3000:3000 --rm tosone/sigma:nightly-alpine
 ```
 
 The default username and password is: sigma/Admin@123, if you want to modify the default password, please refer to the instructions provided [here](https://docs.sigma.tosone.cn/docs/configuration).

diff --git a/Readme_zh.md b/Readme_zh.md
@@ -14,7 +14,7 @@ Sigma 是一个极容易部署和维护的镜像仓库，并且自主完整实
 你可以用以下的一个简单的命令来运行起来 Sigma 镜像仓库:
 
 ``` bash
-docker run --name sigma -p 3000:3000 --rm ccr.ccs.tencentyun.com/go-sigma/sigma:nightly-alpine
+docker run --name sigma -p 3000:3000 --rm tosone/sigma:nightly-alpine
 ```
 
 默认的用户名密码是: sigma/Admin@123, 如果你想在启动的时候初始化其他的用户名密码, 请根据[这里](https://docs.sigma.tosone.cn/docs/configuration)的配置说明来修改配置文件。

diff --git a/build/Dockerfile → build/all.alpine.Dockerfile b/build/Dockerfile → build/all.alpine.Dockerfile
@@ -1,4 +1,4 @@
-ARG GOLANG_VERSION=1.23.0-alpine3.19
+ARG GOLANG_VERSION=1.23.1-alpine3.19
 ARG NODE_VERSION=20-alpine3.19
 ARG ALPINE_VERSION=3.19
 
@@ -34,7 +34,7 @@ FROM alpine:${ALPINE_VERSION} AS trivy
 
 ARG USE_MIRROR=false
 ARG WITH_TRIVY_DB=false
-ARG TRIVY_VERSION=0.54.1
+ARG TRIVY_VERSION=0.55.1
 ARG TARGETOS TARGETARCH
 
 SHELL ["/bin/ash", "-eo", "pipefail", "-c"]

diff --git a/build/Dockerfile.debian → build/all.debian.Dockerfile b/build/Dockerfile.debian → build/all.debian.Dockerfile
@@ -1,4 +1,4 @@
-ARG GOLANG_VERSION=1.23.0-bookworm
+ARG GOLANG_VERSION=1.23.1-bookworm
 ARG NODE_VERSION=20-alpine3.19
 ARG ALPINE_VERSION=3.19
 ARG DEBIAN_VERSION=bookworm-slim
@@ -35,7 +35,7 @@ FROM alpine:${ALPINE_VERSION} AS trivy
 
 ARG USE_MIRROR=false
 ARG WITH_TRIVY_DB=false
-ARG TRIVY_VERSION=0.54.1
+ARG TRIVY_VERSION=0.55.1
 ARG TARGETOS TARGETARCH
 
 RUN set -eux && \

diff --git a/build/Dockerfile.builder → build/builder.Dockerfile b/build/Dockerfile.builder → build/builder.Dockerfile
@@ -1,4 +1,4 @@
-ARG GOLANG_VERSION=1.23.0-alpine3.19
+ARG GOLANG_VERSION=1.23.1-alpine3.19
 ARG BUILDKIT_VERSION=v0.13.2-rootless
 ARG ALPINE_VERSION=3.19
 

diff --git a/build/trivy.Dockerfile b/build/trivy.Dockerfile
@@ -0,0 +1,29 @@
+ARG ALPINE_VERSION=3.19
+
+FROM alpine:${ALPINE_VERSION} AS trivy
+
+ARG USE_MIRROR=false
+ARG WITH_TRIVY_DB=false
+ARG TRIVY_VERSION=0.55.1
+ARG TARGETOS TARGETARCH
+
+RUN set -eux && \
+  if [ "$USE_MIRROR" = true ]; then sed -i "s/dl-cdn.alpinelinux.org/mirrors.aliyun.com/g" /etc/apk/repositories; fi && \
+  apk add --no-cache wget && \
+  case "${TARGETARCH}" in \
+		amd64) export TRIVYARCH='64bit' ;; \
+		arm64) export TRIVYARCH='ARM64' ;; \
+	esac; \
+  export TRIVYOS=$(echo "${TARGETOS}" | awk '{print toupper(substr($0, 1, 1)) substr($0, 2)}') && \
+  wget -q -O trivy_"${TRIVY_VERSION}"_"${TRIVYOS}"-"${TRIVYARCH}".tar.gz https://github.com/aquasecurity/trivy/releases/download/v"${TRIVY_VERSION}"/trivy_"${TRIVY_VERSION}"_"${TRIVYOS}"-"${TRIVYARCH}".tar.gz && \
+  tar -xzf trivy_"${TRIVY_VERSION}"_"${TRIVYOS}"-"${TRIVYARCH}".tar.gz && \
+  mv trivy /usr/local/bin/trivy && \
+  rm trivy_"${TRIVY_VERSION}"_"${TRIVYOS}"-"${TRIVYARCH}".tar.gz && \
+  mkdir -p /opt/trivy/ && \
+  trivy --cache-dir /opt/trivy/ image --download-java-db-only --no-progress && \
+  trivy --cache-dir /opt/trivy/ image --download-db-only --no-progress
+
+FROM scratch
+
+COPY --from=trivy /usr/local/bin/trivy /usr/local/bin/trivy
+COPY --from=trivy /opt/trivy/ /opt/trivy/
diff --git a/build/web.Dockerfile b/build/web.Dockerfile
@@ -0,0 +1,20 @@
+ARG NODE_VERSION=20-alpine3.19
+ARG NGINX_VERSION=1.27.1-alpine
+
+FROM --platform=$BUILDPLATFORM node:${NODE_VERSION} AS web-builder
+
+ARG USE_MIRROR=false
+
+RUN set -eux && \
+    if [ "$USE_MIRROR" = true ]; then sed -i "s/dl-cdn.alpinelinux.org/mirrors.aliyun.com/g" /etc/apk/repositories; fi && \
+    apk add --no-cache make bash ncurses build-base
+
+COPY ./web /web
+
+WORKDIR /web
+
+RUN --mount=type=cache,target=/web/node_modules set -eux && corepack enable && yarn install --immutable && yarn build
+
+FROM nginx:1.27.1-alpine
+
+COPY --from=web-builder /web/dist /usr/share/nginx/html
diff --git a/conf/config-dev.yaml b/conf/config-dev.yaml
@@ -12,16 +12,16 @@ database:
   mysql:
     host: localhost
     port: 3306
-    user: sigma
+    username: sigma
     password: sigma
-    dbname: sigma
+    database: sigma
   postgresql:
     host: localhost
     port: 5432
-    user: sigma
+    username: sigma
     password: sigma
-    dbname: sigma
-    sslmode: disable
+    database: sigma
+    sslMode: disable
 
 redis:
   # redis type available: none, external. Following all of redis config just use reference here.
@@ -128,7 +128,7 @@ proxy:
 # daemon task config
 daemon:
   builder:
-    enabled: true
+    enabled: false
     image: docker.io/tosone/sigma-builder:latest
     type: docker
     docker:

diff --git a/conf/config-full.yaml b/conf/config-full.yaml
@@ -12,16 +12,16 @@ database:
   mysql:
     host: localhost
     port: 3306
-    user: sigma
+    username: sigma
     password: sigma
-    dbname: sigma
+    database: sigma
   postgresql:
     host: localhost
     port: 5432
-    user: sigma
+    username: sigma
     password: sigma
-    dbname: sigma
-    sslmode: disable
+    database: sigma
+    sslMode: disable
 
 # deploy available: single, replica
 # replica should use external redis

diff --git a/conf/config.yaml b/conf/config.yaml
@@ -12,16 +12,16 @@ database:
   mysql:
     host: localhost
     port: 3306
-    user: sigma
+    username: sigma
     password: sigma
-    dbname: sigma
+    database: sigma
   postgresql:
     host: localhost
     port: 5432
-    user: sigma
+    username: sigma
     password: sigma
-    dbname: sigma
-    sslmode: disable
+    database: sigma
+    sslMode: disable
 
 redis:
   # redis type available: none, external. Following all of redis config just use reference here.