PCP-1845: Go update, arm support and workflow change (#124)

spectrocloud · Jan 16, 2024 · 5dd8926 · 5dd8926
1 parent e96f7ce
commit 5dd8926
Show file tree

Hide file tree

Showing 4 changed files with 46 additions and 32 deletions.
diff --git a/.github/workflows/spectro-release.yaml b/.github/workflows/spectro-release.yaml
@@ -21,7 +21,8 @@ jobs:
     # Ensure that the credentials are provided as encrypted secrets
     env:
       SPECTRO_VERSION: ${{ github.event.inputs.release_version }}
-      REGISTRY: gcr.io/spectro-images-public/release/cluster-api
+      LEGACY_REGISTRY: gcr.io/spectro-images-public/release/cluster-api
+      FIPS_REGISTRY: gcr.io/spectro-images-public/release-fips/cluster-api
     steps:
       -
         uses: mukunku/[email protected]
@@ -35,7 +36,9 @@ jobs:
           exit 1
       -
         if: ${{ github.event.inputs.rel_type == 'rc' }}
-        run: echo "REGISTRY=gcr.io/spectro-dev-public/release/cluster-api" >> $GITHUB_ENV
+        run: |
+          echo "LEGACY_REGISTRY=gcr.io/spectro-dev-public/release/cluster-api" >> $GITHUB_ENV
+          echo "FIPS_REGISTRY=gcr.io/spectro-dev-public/release-fips/cluster-api" >> $GITHUB_ENV
       -
         uses: actions/checkout@v3
       -
@@ -50,13 +53,17 @@ jobs:
           password: ${{ secrets.REGISTRY_PASSWORD }}
       -
         name: Build Image
+        env:
+          REGISTRY: ${{ env.LEGACY_REGISTRY }}
         run: |
           make docker-build-all
           make docker-push-all
       -
         name: Build Image - FIPS Mode
         env:
+          REGISTRY: ${{ env.FIPS_REGISTRY }}
           FIPS_ENABLE: yes
+          ALL_ARCH: amd64
         run: |
           make docker-build-all
           make docker-push-all

diff --git a/Dockerfile b/Dockerfile
@@ -35,7 +35,7 @@ FROM toolchain as builder
 WORKDIR /workspace
 
 RUN apk update
-RUN apk add git gcc g++ curl
+RUN apk add git gcc g++ curl binutils-gold
 
 # Run this with docker build --build-arg goproxy=$(go env GOPROXY) to override the goproxy
 # Run this with docker build --build-arg package=./controlplane/kubeadm or --build-arg package=./bootstrap/kubeadm
@@ -64,9 +64,9 @@ RUN  --mount=type=cache,target=/root/.cache/go-build \
     --mount=type=cache,target=/root/.local/share/golang \
     if [ ${CRYPTO_LIB} ]; \
     then \
-      GOARCH=${ARCH} go-build-fips.sh -a -o manager main.go ;\
+      GOARCH=${ARCH} go-build-fips.sh -a -o manager ${package};\
     else \
-      GOARCH=${ARCH} go-build-static.sh -a -o manager main.go ;\
+      GOARCH=${ARCH} go-build-static.sh -a -o manager ${package};\
     fi
 
 RUN if [ "${CRYPTO_LIB}" ]; then assert-static.sh manager; fi

diff --git a/Makefile b/Makefile
@@ -779,7 +779,7 @@ docker-build-%:
 	$(MAKE) ARCH=$* docker-build
 
 # ALL_DOCKER_BUILD = core kubeadm-bootstrap kubeadm-control-plane docker-infrastructure test-extension clusterctl
-ALL_DOCKER_BUILD = core kubeadm-bootstrap kubeadm-control-plane
+ALL_DOCKER_BUILD = core kubeadm-bootstrap kubeadm-control-plane clusterctl
 
 .PHONY: docker-build
 docker-build: docker-pull-prerequisites ## Run docker-build-* targets for all the images
@@ -801,13 +801,13 @@ docker-build-core: ## Build the docker image for core controller manager
 
 .PHONY: docker-build-kubeadm-bootstrap
 docker-build-kubeadm-bootstrap: ## Build the docker image for kubeadm bootstrap controller manager
-	DOCKER_BUILDKIT=1 docker buildx build --load --platform linux/${ARCH} ${BUILD_ARGS} --build-arg ARCH=$(ARCH) --build-arg ldflags="$(LDFLAGS)" . -t $(KUBEADM_BOOTSTRAP_CONTROLLER_IMG)-$(ARCH):$(TAG)
+	DOCKER_BUILDKIT=1 docker buildx build --load --platform linux/${ARCH} ${BUILD_ARGS} --build-arg ARCH=$(ARCH) --build-arg package=./bootstrap/kubeadm --build-arg ldflags="$(LDFLAGS)" . -t $(KUBEADM_BOOTSTRAP_CONTROLLER_IMG)-$(ARCH):$(TAG)
 	$(MAKE) set-manifest-image MANIFEST_IMG=$(KUBEADM_BOOTSTRAP_CONTROLLER_IMG)-$(ARCH) MANIFEST_TAG=$(TAG) TARGET_RESOURCE="./bootstrap/kubeadm/config/default/manager_image_patch.yaml"
 	$(MAKE) set-manifest-pull-policy TARGET_RESOURCE="./bootstrap/kubeadm/config/default/manager_pull_policy.yaml"
 
 .PHONY: docker-build-kubeadm-control-plane
 docker-build-kubeadm-control-plane: ## Build the docker image for kubeadm control plane controller manager
-	DOCKER_BUILDKIT=1 docker buildx build --load --platform linux/${ARCH} ${BUILD_ARGS} --build-arg ARCH=$(ARCH) --build-arg ldflags="$(LDFLAGS)" . -t $(KUBEADM_CONTROL_PLANE_CONTROLLER_IMG)-$(ARCH):$(TAG)
+	DOCKER_BUILDKIT=1 docker buildx build --load --platform linux/${ARCH} ${BUILD_ARGS} --build-arg ARCH=$(ARCH) --build-arg package=./controlplane/kubeadm --build-arg ldflags="$(LDFLAGS)" . -t $(KUBEADM_CONTROL_PLANE_CONTROLLER_IMG)-$(ARCH):$(TAG)
 	$(MAKE) set-manifest-image MANIFEST_IMG=$(KUBEADM_CONTROL_PLANE_CONTROLLER_IMG)-$(ARCH) MANIFEST_TAG=$(TAG) TARGET_RESOURCE="./controlplane/kubeadm/config/default/manager_image_patch.yaml"
 	$(MAKE) set-manifest-pull-policy TARGET_RESOURCE="./controlplane/kubeadm/config/default/manager_pull_policy.yaml"
 
@@ -1130,7 +1130,7 @@ docker-push-all: $(addprefix docker-push-,$(ALL_ARCH))  ## Push the docker image
 	$(MAKE) docker-push-manifest-kubeadm-bootstrap
 	$(MAKE) docker-push-manifest-kubeadm-control-plane
 #	$(MAKE) docker-push-manifest-docker-infrastructure
-#	$(MAKE) docker-push-clusterctl
+	$(MAKE) docker-push-clusterctl
 
 docker-push-%:
 	$(MAKE) ARCH=$* docker-push
@@ -1143,7 +1143,7 @@ docker-push-core: ## Push the core docker image
 	docker push $(CONTROLLER_IMG)-$(ARCH):$(TAG)
 	docker push $(KUBEADM_BOOTSTRAP_CONTROLLER_IMG)-$(ARCH):$(TAG)
 	docker push $(KUBEADM_CONTROL_PLANE_CONTROLLER_IMG)-$(ARCH):$(TAG)
-#	docker push $(CLUSTERCTL_IMG)-$(ARCH):$(TAG)
+	docker push $(CLUSTERCTL_IMG)-$(ARCH):$(TAG)
 #	docker push $(CAPD_CONTROLLER_IMG)-$(ARCH):$(TAG)
 
 .PHONY: docker-push-manifest-core

diff --git a/cmd/clusterctl/Dockerfile b/cmd/clusterctl/Dockerfile
@@ -16,59 +16,66 @@
 
 # Build the clusterctl binary
 # Run this with docker build --build-arg builder_image=<golang:x.y.z>
-ARG builder_image
+ARG BUILDER_GOLANG_VERSION
+ # First stage: build the executable.
+FROM --platform=$TARGETPLATFORM gcr.io/spectro-images-public/golang:${BUILDER_GOLANG_VERSION}-alpine as toolchain
+ARG goproxy=https://proxy.golang.org
+ENV GOPROXY=$goproxy
 
-# Build architecture
-ARG ARCH
+# FIPS
+ARG CRYPTO_LIB
+ENV GOEXPERIMENT=${CRYPTO_LIB:+boringcrypto}
 
 # Ignore Hadolint rule "Always tag the version of an image explicitly."
 # It's an invalid finding since the image is explicitly set in the Makefile.
 # https://github.com/hadolint/hadolint/wiki/DL3006
 # hadolint ignore=DL3006
-FROM ${builder_image} as builder
+FROM toolchain as builder
 WORKDIR /workspace
 
-# Run this with docker build --build-arg goproxy=$(go env GOPROXY) to override the goproxy
-ARG goproxy=https://proxy.golang.org
-# Run this with docker build --build-arg package=./cmd/clusterctl
-ENV GOPROXY=$goproxy
-
-# FIPS
-ARG CRYPTO_LIB
-ENV GOEXPERIMENT=${CRYPTO_LIB:+boringcrypto}
+RUN apk update
+RUN apk add git gcc g++ curl binutils-gold
 
+# Run this with docker build --build-arg goproxy=$(go env GOPROXY) to override the goproxy
+# Run this with docker build --build-arg package=./controlplane/kubeadm or --build-arg package=./bootstrap/kubeadm
 
 # Copy the Go Modules manifests
 COPY go.mod go.mod
 COPY go.sum go.sum
 
 # Cache deps before building and copying source so that we don't need to re-download as much
 # and so that source changes don't invalidate our downloaded layer
-RUN --mount=type=cache,target=/go/pkg/mod \
+RUN --mount=type=cache,target=/root/.local/share/golang \
+    --mount=type=cache,target=/go/pkg/mod \
     go mod download
 
 # Copy the sources
 COPY ./ ./
 
-# Cache the go build into the Go’s compiler cache folder so we take benefits of compiler caching across docker build calls
-RUN --mount=type=cache,target=/root/.cache/go-build \
-    --mount=type=cache,target=/go/pkg/mod \
-    go build ./cmd/clusterctl
 
 # Build
 ARG package=.
 ARG ARCH
 ARG ldflags
 
 # Do not force rebuild of up-to-date packages (do not use -a) and use the compiler cache folder
-RUN --mount=type=cache,target=/root/.cache/go-build \
+RUN  --mount=type=cache,target=/root/.cache/go-build \
     --mount=type=cache,target=/go/pkg/mod \
-    CGO_ENABLED=0 GOOS=linux GOARCH=${ARCH} \
-    go build -trimpath -ldflags "${ldflags} -extldflags '-static'" \
-    -o clusterctl ${package}
+    --mount=type=cache,target=/root/.local/share/golang \
+    if [ ${CRYPTO_LIB} ]; \
+    then \
+      GOARCH=${ARCH} go-build-fips.sh -a -o clusterctl ${package} ;\
+    else \
+      GOARCH=${ARCH} go-build-static.sh -a -o clusterctl ${package} ;\
+    fi
+
+RUN if [ "${CRYPTO_LIB}" ]; then assert-static.sh clusterctl; fi
+RUN if [ "${CRYPTO_LIB}" ]; then assert-fips.sh clusterctl; fi
+RUN scan-govulncheck.sh clusterctl
+
 
 # Production image
-FROM gcr.io/distroless/static:nonroot-${ARCH}
+FROM gcr.io/distroless/static:nonroot
 WORKDIR /
 COPY --from=builder /workspace/clusterctl .
 # Use uid of nonroot user (65532) because kubernetes expects numeric user when applying pod security policies