forked from enterprise-contract/ec-cli
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathDockerfile.dist
178 lines (149 loc) · 7.13 KB
/
Dockerfile.dist
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
# Copyright The Enterprise Contract Contributors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# SPDX-License-Identifier: Apache-2.0
## Build
# This works fine but will produce an EC violation
#FROM docker.io/library/golang:1.21 AS build
# This currently has go version 1.20 but we need version 1.21
#FROM registry.access.redhat.com/ubi9/go-toolset:latest AS build
# This image has go version 1.21 but requires an extra pull secret to access
# See https://source.redhat.com/groups/public/teamnado/wiki/brew_registry for how to get your own pull secret
# See our Konflux pull secret at https://console.redhat.com/preview/application-pipeline/secrets
FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_9_1.21@sha256:4fe910174caaaae09ff75b6f1b1c2f4460fd9acfe38ec778a818a54de7f31afc AS build
ARG TARGETOS
ARG TARGETARCH
ARG BUILD_LIST="darwin_amd64 darwin_arm64 linux_amd64 linux_arm64 linux_ppc64le linux_s390x windows_amd64"
#ARG BUILD_LIST="linux_amd64"
WORKDIR /build
# Copy just the mod file for better layer caching when building locally
COPY go.mod go.sum .
RUN go mod download
# Now copy everything including .git
COPY . .
# Notes:
# Derive the version from the branch name with the "release-" prefix removed
# if it's present, e.g. in the branch "release-v0.1-alpha" the version will
# be "v0.1-alpha"
#
# If the branch doesn't start with release- then assume it's not a release
# branch and build just a single binary to save time and cpu cycles. If the
# branch is a release branch then build all the binaries in ${BUILD_LIST}.
#
# The normal way to get the branch name is this:
# EC_GIT_BRANCH=$( git rev-parse --abbrev-ref HEAD )
# but it doesn't work because the git-clone task checks out a sha directly
# rather than a branch. That's why we need to use `git for-each-ref`. Beware
# that testing this locally requires that you push the relevant branches to
# your 'origin' remote.
#
# Note that EC_GIT_ORIGIN_BRANCH, EC_GIT_BRANCH may be blank in a pre-merge PR
# because the PR branch refs are generally not present. In that case we'll use
# "_ci_build" as the version.
#
# For the EC_PATCH_NUM we assume there is a v0.2.0 (for example) tag created
# by a human. Using --merges there because we assume every build happens after
# a PR is merged.
#
RUN \
EC_GIT_SHA=$( git rev-parse --short HEAD ); \
echo "EC_GIT_SHA=$EC_GIT_SHA"; \
\
EC_GIT_ORIGIN_BRANCH=$( git for-each-ref --points-at HEAD --format='%(refname:short)' refs/remotes/origin/ ); \
echo "EC_GIT_ORIGIN_BRANCH=$EC_GIT_ORIGIN_BRANCH"; \
\
EC_GIT_BRANCH=${EC_GIT_ORIGIN_BRANCH#"origin/"}; \
echo "EC_GIT_BRANCH=$EC_GIT_BRANCH"; \
\
EC_VERSION=${EC_GIT_BRANCH#"release-"}; \
echo "EC_VERSION=$EC_VERSION"; \
\
EC_BASE_TAG="${EC_VERSION}.0"; \
echo "EC_BASE_TAG=$EC_BASE_TAG"; \
git log -n1 --format="%h %s" "$EC_BASE_TAG"; \
\
EC_PATCH_NUM=$( git rev-list --merges --count ${EC_BASE_TAG}..HEAD ); \
echo "EC_PATCH_NUM=$EC_PATCH_NUM"; \
\
if [ -z "$EC_VERSION" ]; then \
EC_FULL_VERSION="_ci_build-${EC_GIT_SHA}"; \
else \
EC_FULL_VERSION="${EC_VERSION}.${EC_PATCH_NUM}"; \
fi; \
echo "EC_FULL_VERSION=$EC_FULL_VERSION"; \
\
if [ -z "$EC_VERSION" -o "$EC_GIT_BRANCH" = "$EC_VERSION" ]; then \
BUILDS="${TARGETOS}_${TARGETARCH}"; \
else \
BUILDS="${BUILD_LIST}"; \
fi; \
echo "BUILDS=$BUILDS"; \
\
for os_arch in ${BUILDS}; do \
export GOOS="${os_arch%_*}"; \
export GOARCH="${os_arch#*_}"; \
[ "$GOOS" = "windows" ] && DOT_EXE=".exe" || DOT_EXE=""; \
BINFILE="ec_${GOOS}_${GOARCH}${DOT_EXE}"; \
echo "Building ${BINFILE} for ${EC_FULL_VERSION}"; \
go build \
-trimpath \
--mod=readonly \
-ldflags="-s -w -X github.com/enterprise-contract/ec-cli/internal/version.Version=${EC_FULL_VERSION}" \
-o "dist/${BINFILE}"; \
done
# Extract this so we can download the matching cosign version below
RUN go list --mod=readonly -f '{{.Version}}' -m github.com/sigstore/cosign/v2 | tee cosign_version.txt
## Downloads
FROM registry.access.redhat.com/ubi9/ubi-minimal:9.3@sha256:bc552efb4966aaa44b02532be3168ac1ff18e2af299d0fe89502a1d9fabafbc5 AS download
ARG TARGETOS
ARG TARGETARCH
WORKDIR /download
COPY --from=build /build/cosign_version.txt /download/
# Download the matching version of cosign
RUN COSIGN_VERSION=$(cat /download/cosign_version.txt) && \
curl -sLO https://github.com/sigstore/cosign/releases/download/${COSIGN_VERSION}/cosign-${TARGETOS}-${TARGETARCH} && \
curl -sLO https://github.com/sigstore/cosign/releases/download/${COSIGN_VERSION}/cosign_checksums.txt && \
sha256sum --check <(grep -w "cosign-${TARGETOS}-${TARGETARCH}" < cosign_checksums.txt) && \
mv "cosign-${TARGETOS}-${TARGETARCH}" cosign && \
chmod +x cosign
## Final image
FROM registry.access.redhat.com/ubi9/ubi-minimal:9.3@sha256:bc552efb4966aaa44b02532be3168ac1ff18e2af299d0fe89502a1d9fabafbc5
ARG TARGETOS
ARG TARGETARCH
LABEL \
description="Enterprise Contract verifies and checks supply chain artifacts to ensure they meet security and business policies." \
io.k8s.description="Enterprise Contract verifies and checks supply chain artifacts to ensure they meet security and business policies." \
summary="Provides the binaries for downloading the EC CLI. Also used as a Tekton task runner image for EC tasks." \
io.k8s.display-name="Enterprise Contract for Red Hat Trusted Artifact Signer" \
io.openshift.tags="rhtas rhtap trusted-artifact-signer trusted-application-pipeline enterprise-contract ec opa cosign sigstore" \
com.redhat.component="ec-cli"
# Install cosign and other tools we want to use in the Tekton task
RUN microdnf -y --nodocs --setopt=keepcache=0 install git-core jq
COPY --from=download /download/cosign /usr/local/bin/cosign
# Copy all the binaries so they're available to extract and download
# (Beware if you're testing this locally it will copy everything from
# your dist directory, not just the freshly built binaries.)
COPY --from=build /build/dist/ /usr/local/bin/
# Gzip them because that's what the cli downloader image expects, see
# https://github.com/securesign/sigstore-ocp/blob/main/images/Dockerfile-clientserver
RUN gzip /usr/local/bin/ec_*
# Copy the one ec binary that can run in this container
COPY --from=build "/build/dist/ec_${TARGETOS}_${TARGETARCH}" /usr/local/bin/ec
# OpenShift preflight check requires a license
COPY --from=build /build/LICENSE /licenses/LICENSE
# OpenShift preflight check requires a non-root user
USER 1001
# Show some version numbers for troubleshooting purposes
RUN git version && jq --version && cosign version && ec version && ls -l /usr/local/bin
ENTRYPOINT ["/usr/local/bin/ec"]