✨ Update push builder image dockerfile (#404)

build/all.alpine.Dockerfile

@@ -7,8 +7,8 @@ FROM --platform=$BUILDPLATFORM node:${NODE_VERSION} AS web-builder
 ARG USE_MIRROR=false
 
 RUN set -eux && \
-    if [ "$USE_MIRROR" = true ]; then sed -i "s/dl-cdn.alpinelinux.org/mirrors.aliyun.com/g" /etc/apk/repositories; fi && \
-    apk add --no-cache make bash ncurses build-base
+  if [ "$USE_MIRROR" = true ]; then sed -i "s/dl-cdn.alpinelinux.org/mirrors.aliyun.com/g" /etc/apk/repositories; fi && \
+  apk add --no-cache make bash ncurses build-base
 
 COPY ./web /web
 
@@ -23,12 +23,12 @@ ARG TARGETOS TARGETARCH
 ARG USE_MIRROR=false
 
 RUN set -eux && \
-    if [ "$USE_MIRROR" = true ]; then sed -i "s/dl-cdn.alpinelinux.org/mirrors.aliyun.com/g" /etc/apk/repositories; fi && \
-    apk add --no-cache wget && \
-    wget --progress=dot:giga -O syft_"${SYFT_VERSION}"_"${TARGETOS}"_"${TARGETARCH}".tar.gz https://github.com/anchore/syft/releases/download/v"${SYFT_VERSION}"/syft_"${SYFT_VERSION}"_"${TARGETOS}"_"${TARGETARCH}".tar.gz && \
-    tar -xzf syft_"${SYFT_VERSION}"_"${TARGETOS}"_"${TARGETARCH}".tar.gz && \
-    mv syft /usr/local/bin/syft && \
-    rm syft_"${SYFT_VERSION}"_"${TARGETOS}"_"${TARGETARCH}".tar.gz
+  if [ "$USE_MIRROR" = true ]; then sed -i "s/dl-cdn.alpinelinux.org/mirrors.aliyun.com/g" /etc/apk/repositories; fi && \
+  apk add --no-cache wget && \
+  wget --progress=dot:giga -O syft_"${SYFT_VERSION}"_"${TARGETOS}"_"${TARGETARCH}".tar.gz https://github.com/anchore/syft/releases/download/v"${SYFT_VERSION}"/syft_"${SYFT_VERSION}"_"${TARGETOS}"_"${TARGETARCH}".tar.gz && \
+  tar -xzf syft_"${SYFT_VERSION}"_"${TARGETOS}"_"${TARGETARCH}".tar.gz && \
+  mv syft /usr/local/bin/syft && \
+  rm syft_"${SYFT_VERSION}"_"${TARGETOS}"_"${TARGETARCH}".tar.gz
 
 FROM alpine:${ALPINE_VERSION} AS trivy
 
@@ -40,20 +40,20 @@ ARG TARGETOS TARGETARCH
 SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
 
 RUN set -eux && \
-    if [ "$USE_MIRROR" = true ]; then sed -i "s/dl-cdn.alpinelinux.org/mirrors.aliyun.com/g" /etc/apk/repositories; fi && \
-    apk add --no-cache wget && \
-    case "${TARGETARCH}" in \
-    amd64) export TRIVYARCH='64bit' ;; \
-    arm64) export TRIVYARCH='ARM64' ;; \
-    esac; \
-    export TRIVYOS=$(echo "${TARGETOS}" | awk '{print toupper(substr($0, 1, 1)) substr($0, 2)}') && \
-    wget --progress=dot:giga -O trivy_"${TRIVY_VERSION}"_"${TRIVYOS}"-"${TRIVYARCH}".tar.gz https://github.com/aquasecurity/trivy/releases/download/v"${TRIVY_VERSION}"/trivy_"${TRIVY_VERSION}"_"${TRIVYOS}"-"${TRIVYARCH}".tar.gz && \
-    tar -xzf trivy_"${TRIVY_VERSION}"_"${TRIVYOS}"-"${TRIVYARCH}".tar.gz && \
-    mv trivy /usr/local/bin/trivy && \
-    rm trivy_"${TRIVY_VERSION}"_"${TRIVYOS}"-"${TRIVYARCH}".tar.gz && \
-    mkdir -p /opt/trivy/ && \
-    if [ "$WITH_TRIVY_DB" = true ]; then trivy --cache-dir /opt/trivy/ image --download-java-db-only --no-progress; fi && \
-    trivy --cache-dir /opt/trivy/ image --download-db-only --no-progress
+  if [ "$USE_MIRROR" = true ]; then sed -i "s/dl-cdn.alpinelinux.org/mirrors.aliyun.com/g" /etc/apk/repositories; fi && \
+  apk add --no-cache wget && \
+  case "${TARGETARCH}" in \
+  amd64) export TRIVYARCH='64bit' ;; \
+  arm64) export TRIVYARCH='ARM64' ;; \
+  esac; \
+  export TRIVYOS=$(echo "${TARGETOS}" | awk '{print toupper(substr($0, 1, 1)) substr($0, 2)}') && \
+  wget --progress=dot:giga -O trivy_"${TRIVY_VERSION}"_"${TRIVYOS}"-"${TRIVYARCH}".tar.gz https://github.com/aquasecurity/trivy/releases/download/v"${TRIVY_VERSION}"/trivy_"${TRIVY_VERSION}"_"${TRIVYOS}"-"${TRIVYARCH}".tar.gz && \
+  tar -xzf trivy_"${TRIVY_VERSION}"_"${TRIVYOS}"-"${TRIVYARCH}".tar.gz && \
+  mv trivy /usr/local/bin/trivy && \
+  rm trivy_"${TRIVY_VERSION}"_"${TRIVYOS}"-"${TRIVYARCH}".tar.gz && \
+  mkdir -p /opt/trivy/ && \
+  if [ "$WITH_TRIVY_DB" = true ]; then trivy --cache-dir /opt/trivy/ image --download-java-db-only --no-progress; fi && \
+  trivy --cache-dir /opt/trivy/ image --download-db-only --no-progress
 
 FROM --platform=$BUILDPLATFORM golang:${GOLANG_VERSION} AS skopeo
 
@@ -62,12 +62,12 @@ ARG SKOPEO_VERSION=1.16.0
 ARG TARGETOS TARGETARCH
 
 RUN set -eux && \
-    if [ "$USE_MIRROR" = true ]; then sed -i "s/dl-cdn.alpinelinux.org/mirrors.aliyun.com/g" /etc/apk/repositories; fi && \
-    apk add --no-cache make git && \
-    git clone --branch v"${SKOPEO_VERSION}" https://github.com/containers/skopeo /go/src/github.com/containers/skopeo && \
-    cd /go/src/github.com/containers/skopeo && \
-    DISABLE_CGO=1 make bin/skopeo."${TARGETOS}"."${TARGETARCH}" && \
-    cp bin/skopeo."${TARGETOS}"."${TARGETARCH}" /tmp/skopeo
+  if [ "$USE_MIRROR" = true ]; then sed -i "s/dl-cdn.alpinelinux.org/mirrors.aliyun.com/g" /etc/apk/repositories; fi && \
+  apk add --no-cache make git && \
+  git clone --branch v"${SKOPEO_VERSION}" https://github.com/containers/skopeo /go/src/github.com/containers/skopeo && \
+  cd /go/src/github.com/containers/skopeo && \
+  DISABLE_CGO=1 make bin/skopeo."${TARGETOS}"."${TARGETARCH}" && \
+  cp bin/skopeo."${TARGETOS}"."${TARGETARCH}" /tmp/skopeo
 
 FROM --platform=$BUILDPLATFORM golang:${GOLANG_VERSION} AS builder
 
@@ -85,15 +85,15 @@ WORKDIR /go/src/github.com/go-sigma/sigma
 ARG TARGETOS TARGETARCH
 
 RUN --mount=type=cache,target=/go/pkg/mod --mount=type=cache,target=/root/.cache/go-build \
-    GOOS=$TARGETOS GOARCH=$TARGETARCH make build
+  GOOS=$TARGETOS GOARCH=$TARGETARCH make build
 
 FROM alpine:${ALPINE_VERSION}
 
 ARG USE_MIRROR=false
 
 RUN set -eux && \
-    if [ "$USE_MIRROR" = true ]; then sed -i "s/dl-cdn.alpinelinux.org/mirrors.aliyun.com/g" /etc/apk/repositories; fi && \
-    apk add --no-cache curl
+  if [ "$USE_MIRROR" = true ]; then sed -i "s/dl-cdn.alpinelinux.org/mirrors.aliyun.com/g" /etc/apk/repositories; fi && \
+  apk add --no-cache curl
 
 COPY --from=syft /usr/local/bin/syft /usr/local/bin/syft
 COPY --from=trivy /usr/local/bin/trivy /usr/local/bin/trivy
@@ -106,4 +106,13 @@ COPY --from=builder /go/src/github.com/go-sigma/sigma/bin/sigma /usr/local/bin/s
 VOLUME /var/lib/sigma
 VOLUME /etc/sigma
 
+RUN adduser --disabled-password -h /home/sigma -s /bin/sh -u 1001 sigma && \
+  chown -R 1001:1001 /opt/trivy && \
+  mkdir -p /var/lib/sigma && \
+  chown -R 1001:1001 /var/lib/sigma
+
+WORKDIR /home/sigma
+
+USER sigma
+
 CMD ["sigma", "server"]

build/all.debian.Dockerfile

@@ -124,4 +124,13 @@ COPY --from=builder /go/src/github.com/go-sigma/sigma/bin/sigma /usr/local/bin/s
 VOLUME /var/lib/sigma
 VOLUME /etc/sigma
 
+RUN adduser --disabled-password -h /home/sigma -s /bin/bash -u 1001 sigma && \
+  chown -R 1001:1001 /opt/trivy && \
+  mkdir -p /var/lib/sigma && \
+  chown -R 1001:1001 /var/lib/sigma
+
+WORKDIR /home/sigma
+
+USER sigma
+
 CMD ["sigma", "server"]

build/local.Dockerfile

@@ -34,18 +34,6 @@ RUN set -eux && \
 
 FROM alpine:${ALPINE_VERSION}
 
-ARG USE_MIRROR=false
-
-RUN set -eux && \
-  if [ "$USE_MIRROR" = true ]; then sed -i "s/dl-cdn.alpinelinux.org/mirrors.aliyun.com/g" /etc/apk/repositories; fi && \
-  apk add --no-cache curl
-
-RUN adduser --disabled-password -h /home/sigma -s /bin/sh -u 1001 sigma
-
-USER sigma
-
-WORKDIR /home/sigma
-
 COPY --from=fetcher /tmp/skopeo /usr/local/bin/skopeo
 COPY --from=fetcher /usr/local/bin/syft /usr/local/bin/syft
 COPY --from=fetcher /usr/local/bin/trivy /usr/local/bin/trivy
@@ -57,4 +45,11 @@ COPY ./bin/sigma /usr/local/bin/sigma
 VOLUME /var/lib/sigma
 VOLUME /etc/sigma
 
+RUN adduser --disabled-password -h /home/sigma -s /bin/sh -u 1001 sigma && \
+  chown -R 1001:1001 /opt/trivy/
+
+WORKDIR /home/sigma
+
+USER sigma
+
 CMD ["sigma", "server"]

cmd/tools.go

@@ -50,44 +50,46 @@ var toolsCmd = &cobra.Command{
 }
 
 var toolsForPushBuilderImageCmd = &cobra.Command{
-	Use:   "push-builder-image",
-	Short: "Push builder image to distribution",
+	Use:   "push-builder-images",
+	Short: "Push builder images to distribution",
 	PersistentPreRun: func(_ *cobra.Command, _ []string) {
 		initConfig()
 		logger.SetLevel(viper.GetString("log.level"))
 	},
-	Run: func(_ *cobra.Command, _ []string) {
+	RunE: func(_ *cobra.Command, _ []string) error {
 		err := configs.Initialize()
 		if err != nil {
 			log.Error().Err(err).Msg("initialize configs with error")
-			return
+			return err
 		}
 
 		config := ptr.To(configs.GetConfiguration())
 
 		err = badger.Initialize(context.Background(), config)
 		if err != nil {
 			log.Error().Err(err).Msg("initialize badger with error")
-			return
+			return err
 		}
 
 		err = locker.Initialize(config)
 		if err != nil {
 			log.Error().Err(err).Msg("initialize locker with error")
-			return
+			return err
 		}
 
 		err = dal.Initialize(config)
 		if err != nil {
 			log.Error().Err(err).Msg("initialize database with error")
-			return
+			return err
 		}
 
 		err = initBaseimage(config)
 		if err != nil {
 			log.Error().Err(err).Msg("push builder image with error")
-			return
+			return err
 		}
+
+		return nil
 	},
 }
 

deploy/sigma/templates/configmap.yaml

@@ -38,7 +38,7 @@ data:
       type: external
       url: redis://:{{ .Values.redis.auth.password }}@{{ .Release.Name }}-redis-master:{{ .Values.redis.master.service.ports.redis }}/0
     http:
-      internalEndpoint: {{ include "sigma.distribution" . }}:{{ .Values.service.distribution.port }}
+      internalEndpoint: http://{{ include "sigma.distribution" . }}:{{ .Values.service.distribution.port }}
       server: 0.0.0.0:{{.Values.service.server.port}}
       worker: 0.0.0.0:{{.Values.service.worker.port}}
     daemon:

deploy/sigma/templates/post-job.yaml

@@ -6,13 +6,15 @@ metadata:
   namespace: {{ .Release.Namespace | quote }}
   labels:
     {{- include "sigma.postJob.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": post-install,post-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation
 spec:
-  backoffLimit: 6
+  backoffLimit: 1
   template:
     metadata:
-      annotations:
-        rollme: {{ randAlphaNum 5 | quote }}
       {{- with .Values.podAnnotations }}
+      annotations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       labels:
@@ -23,20 +25,29 @@ spec:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
       initContainers:
         - name: check-distribution
-          image: {{ printf "%s:%s" .Values.busybox.repository .Values.busybox.tag | quote }}
+          image: {{ printf "%s:%s" .Values.image.osShell.repository .Values.image.osShell.tag | quote }}
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           command:
-            - /bin/sh
-            - -c
-            - 'until nc -z {{ include "sigma.distribution" . }} 80; do echo waiting for {{ include "sigma.distribution" . }}; sleep 3; done;'
+            - "/bin/bash"
+            - "-c"
+            - |-
+              set -e;
+              echo "Waiting for sigma distribution";
+              wait-for-port \
+                --host={{ include "sigma.distribution" . }} \
+                --state=inuse \
+                --timeout=120 \
+                {{ .Values.service.distribution.port }};
+              echo "sigma distribution is available";
       containers:
-        - name: push-images
+        - name: push-builder-images
           image: {{ printf "%s/%s:%s" .Values.image.registry .Values.image.repository .Values.image.tag | quote }}
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           command:
             - sigma
           args:
-            - worker
+            - tools
+            - push-builder-images
             - --config=/etc/sigma/config.yaml
           volumeMounts:
             - name: config

deploy/sigma/templates/server/deployment.yaml

@@ -59,10 +59,10 @@ spec:
               mountPath: /etc/sigma/config.yaml
               subPath: config.yaml
               readOnly: true
-            {{- if semverCompare ">= 1.31" .Capabilities.KubeVersion.Version }}
-            - name: trivy
-              mountPath: /opt/trivy
-            {{- end }}
+            # {{- if semverCompare ">= 1.31" .Capabilities.KubeVersion.Version }}
+            # - name: trivy
+            #   mountPath: /opt/trivy
+            # {{- end }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
       volumes:

deploy/sigma/templates/worker/deployment.yaml

@@ -57,10 +57,10 @@ spec:
               mountPath: /etc/sigma/config.yaml
               subPath: config.yaml
               readOnly: true
-            {{- if semverCompare ">= 1.31" .Capabilities.KubeVersion.Version }}
-            - name: trivy
-              mountPath: /opt/trivy
-            {{- end }}
+            # {{- if semverCompare ">= 1.31" .Capabilities.KubeVersion.Version }}
+            # - name: trivy
+            #   mountPath: /opt/trivy
+            # {{- end }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
       volumes:

deploy/sigma/values.yaml

@@ -16,10 +16,10 @@ image:
   web:
     repository: go-sigma/sigma-web
     tag: latest
-  ## busybox image used in init-container
-  busybox:
-    repository: busybox
-    tag: 1.36.1-musl
+  ## osShell image used in init-container
+  osShell:
+    repository: bitnami/os-shell
+    tag: 12-debian-12-r30
   pullPolicy: IfNotPresent
 
 imagePullSecrets: []

go.mod

@@ -17,13 +17,13 @@ require (
 	github.com/caarlos0/env/v9 v9.0.0
 	github.com/casbin/casbin/v2 v2.100.0
 	github.com/casbin/gorm-adapter/v3 v3.28.0
-	github.com/containers/podman/v5 v5.2.1
+	github.com/containers/podman/v5 v5.2.2
 	github.com/deckarep/golang-set/v2 v2.6.0
 	github.com/dgraph-io/badger/v4 v4.3.0
 	github.com/distribution/distribution/v3 v3.0.0-beta.1
 	github.com/distribution/reference v0.6.0
-	github.com/docker/cli v27.1.2+incompatible
-	github.com/docker/docker v27.2.1+incompatible
+	github.com/docker/cli v27.3.1+incompatible
+	github.com/docker/docker v27.3.1+incompatible
 	github.com/dustin/go-humanize v1.0.1
 	github.com/fatih/color v1.17.0
 	github.com/glebarez/sqlite v1.11.0
@@ -156,9 +156,9 @@ require (
 	github.com/containerd/platforms v0.2.1 // indirect
 	github.com/containerd/stargz-snapshotter/estargz v0.15.1 // indirect
 	github.com/containerd/typeurl/v2 v2.1.1 // indirect
-	github.com/containers/buildah v1.37.1 // indirect
-	github.com/containers/common v0.60.1 // indirect
-	github.com/containers/image/v5 v5.32.1 // indirect
+	github.com/containers/buildah v1.37.2 // indirect
+	github.com/containers/common v0.60.2 // indirect
+	github.com/containers/image/v5 v5.32.2 // indirect
 	github.com/containers/libtrust v0.0.0-20230121012942-c1716e8a8d01 // indirect
 	github.com/containers/ocicrypt v1.2.0 // indirect
 	github.com/containers/psgo v1.9.0 // indirect
@@ -334,7 +334,7 @@ require (
 	github.com/nwaples/rardecode v1.1.3 // indirect
 	github.com/nxadm/tail v1.4.11 // indirect
 	github.com/oklog/ulid v1.3.1 // indirect
-	github.com/open-policy-agent/opa v0.67.1 // indirect
+	github.com/open-policy-agent/opa v0.68.0 // indirect
 	github.com/opencontainers/runc v1.1.14 // indirect
 	github.com/opencontainers/runtime-spec v1.2.0 // indirect
 	github.com/opencontainers/runtime-tools v0.9.1-0.20230914150019-408c51e934dc // indirect
@@ -352,7 +352,7 @@ require (
 	github.com/pkg/sftp v1.13.6 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/proglottis/gpgme v0.1.3 // indirect
-	github.com/prometheus/client_golang v1.20.1 // indirect
+	github.com/prometheus/client_golang v1.20.2 // indirect
 	github.com/prometheus/client_model v0.6.1 // indirect
 	github.com/prometheus/common v0.55.0 // indirect
 	github.com/prometheus/procfs v0.15.1 // indirect
@@ -442,7 +442,7 @@ require (
 	google.golang.org/genproto v0.0.0-20240730163845-b1a4ccb954bf // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20240725223205-93522f1f2a9f // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20240730163845-b1a4ccb954bf // indirect
-	google.golang.org/grpc v1.65.0 // indirect
+	google.golang.org/grpc v1.66.0 // indirect
 	google.golang.org/protobuf v1.34.2 // indirect
 	gopkg.in/go-playground/assert.v1 v1.2.1 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect