diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml new file mode 100644 index 0000000..6c31284 --- /dev/null +++ b/.github/workflows/release.yml @@ -0,0 +1,68 @@ +name: Release + +on: + push: + tags: + - 'v*' + +jobs: + + publish: + runs-on: ubuntu-latest + permissions: + contents: read + # write is needed for: + # - OIDC for cosign's use in ecm-distro-tools/publish-image. + # - Read vault secrets in rancher-eio/read-vault-secrets. + id-token: write + + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Load Secrets from Vault + uses: rancher-eio/read-vault-secrets@main + with: + secrets: | + secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials username | RANCHER_DOCKER_USERNAME ; + secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials password | RANCHER_DOCKER_PASSWORD ; + secret/data/github/repo/${{ github.repository }}/dockerhub/neuvector/credentials username | DOCKER_USERNAME ; + secret/data/github/repo/${{ github.repository }}/dockerhub/neuvector/credentials password | DOCKER_PASSWORD ; + secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials registry | PRIME_REGISTRY ; + secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials username | PRIME_REGISTRY_USERNAME ; + secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials password | PRIME_REGISTRY_PASSWORD + - name: Parse target tag + run: | + TARGET=${{ github.ref_name }} + echo "TAG=${TARGET#v}" >> $GITHUB_ENV + - name: Publish neuvector manifest + uses: rancher/ecm-distro-tools/actions/publish-image@master + with: + push-to-public: true + push-to-prime: false + image: prometheus-exporter + tag: ${{ env.TAG }} + platforms: linux/amd64,linux/arm64 + + public-registry: docker.io + public-repo: neuvector + public-username: ${{ env.DOCKER_USERNAME }} + public-password: ${{ env.DOCKER_PASSWORD }} + - name: Publish rancher manifest + uses: rancher/ecm-distro-tools/actions/publish-image@master + env: + IMAGE_PREFIX: neuvector- + with: + image: neuvector-prometheus-exporter + tag: ${{ env.TAG }} + platforms: linux/amd64,linux/arm64 + + public-registry: docker.io + public-repo: rancher + public-username: ${{ env.RANCHER_DOCKER_USERNAME }} + public-password: ${{ env.RANCHER_DOCKER_PASSWORD }} + + prime-registry: ${{ env.PRIME_REGISTRY }} + prime-repo: rancher + prime-username: ${{ env.PRIME_REGISTRY_USERNAME }} + prime-password: ${{ env.PRIME_REGISTRY_PASSWORD }} diff --git a/Dockerfile b/Dockerfile deleted file mode 100644 index c2bf0d4..0000000 --- a/Dockerfile +++ /dev/null @@ -1,11 +0,0 @@ -FROM alpine:3.20.0 -MAINTAINER support@neuvector.com - -RUN apk add --no-cache python3 && \ - if [ ! -e /usr/bin/python ]; then ln -sf python3 /usr/bin/python ; fi && \ - python3 -m venv .venv && \ - source .venv/bin/activate && \ - pip3 install --upgrade pip setuptools prometheus_client requests -COPY startup.sh /usr/local/bin -COPY nv_exporter.py /usr/local/bin -ENTRYPOINT ["startup.sh"] diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..48629fb --- /dev/null +++ b/Makefile @@ -0,0 +1,67 @@ +RUNNER := docker +IMAGE_BUILDER := $(RUNNER) buildx +MACHINE := neuvector +BUILDX_ARGS ?= --sbom=true --attest type=provenance,mode=max +DEFAULT_PLATFORMS := linux/amd64,linux/arm64,linux/x390s,linux/riscv64 + +COMMIT = $(shell git rev-parse --short HEAD) +ifeq ($(VERSION),) + # Define VERSION, which is used for image tags or to bake it into the + # compiled binary to enable the printing of the application version, + # via the --version flag. + CHANGES = $(shell git status --porcelain --untracked-files=no) + ifneq ($(CHANGES),) + DIRTY = -dirty + endif + + + COMMIT = $(shell git rev-parse --short HEAD) + VERSION = $(COMMIT)$(DIRTY) + + # Override VERSION with the Git tag if the current HEAD has a tag pointing to + # it AND the worktree isn't dirty. + GIT_TAG = $(shell git tag -l --contains HEAD | head -n 1) + ifneq ($(GIT_TAG),) + ifeq ($(DIRTY),) + VERSION = $(GIT_TAG) + endif + endif +endif + +ifeq ($(TAG),) + TAG = $(VERSION) + ifneq ($(DIRTY),) + TAG = dev + endif +endif + +TARGET_PLATFORMS ?= linux/amd64,linux/arm64 +STAGE_DIR=stage +REPO ?= neuvector +IMAGE = $(REPO)/prometheus-exporter:$(TAG) +BUILD_ACTION = --load + +.PHONY: all build test copy_adpt + +buildx-machine: + docker buildx ls + @docker buildx ls | grep $(MACHINE) || \ + docker buildx create --name=$(MACHINE) --platform=$(DEFAULT_PLATFORMS) + +test-image: + # Instead of loading image, target all platforms, effectivelly testing + # the build for the target architectures. + $(MAKE) build-image BUILD_ACTION="--platform=$(TARGET_PLATFORMS)" + +build-image: buildx-machine ## build (and load) the container image targeting the current platform. + $(IMAGE_BUILDER) build -f package/Dockerfile \ + --builder $(MACHINE) $(IMAGE_ARGS) \ + --build-arg VERSION=$(VERSION) --build-arg COMMIT=$(COMMIT) -t "$(IMAGE)" $(BUILD_ACTION) . + @echo "Built $(IMAGE)" + + +push-image: buildx-machine + $(IMAGE_BUILDER) build -f package/Dockerfile \ + --builder $(MACHINE) $(IMAGE_ARGS) $(IID_FILE_FLAG) $(BUILDX_ARGS) \ + --build-arg VERSION=$(VERSION) --build-arg COMMIT=$(COMMIT) --platform=$(TARGET_PLATFORMS) -t "$(REPO)/$(IMAGE_PREFIX)prometheus-exporter:$(TAG)" --push . + @echo "Pushed $(REPO)/$(IMAGE_PREFIX)prometheus-exporter:$(TAG)" diff --git a/package/Dockerfile b/package/Dockerfile new file mode 100644 index 0000000..e2ab4d0 --- /dev/null +++ b/package/Dockerfile @@ -0,0 +1,23 @@ +FROM registry.suse.com/bci/python:3.12 + +ARG COMMIT +ARG VERSION + +RUN python3 -m venv .venv && source .venv/bin/activate && pip3 install --upgrade pip setuptools prometheus_client requests +COPY startup.sh /usr/local/bin +COPY nv_exporter.py /usr/local/bin + +LABEL "name"="prometheus-exporter" \ + "vendor"="SUSE Security" \ + "neuvector.image"="neuvector/prometheus-exporter" \ + "neuvector.role"="prometheus-exporter" \ + "neuvector.rev"="${COMMIT}" \ + "io.artifacthub.package.logo-url"=https://avatars2.githubusercontent.com/u/19367275 \ + "io.artifacthub.package.readme-url"="https://raw.githubusercontent.com/neuvector/prometheus-exporter/${VERSION}/README.md" \ + "org.opencontainers.image.description"="SUSE Security Prometheus Exporter" \ + "org.opencontainers.image.title"="SUSE Security Prometheus Exporter" \ + "org.opencontainers.image.source"="https://github.com/neuvector/prometheus-exporter/" \ + "org.opencontainers.image.version"="${VERSION}" \ + "org.opensuse.reference"="neuvector/prometheus-exporter:${VERSION}" + +ENTRYPOINT ["startup.sh"] diff --git a/startup.sh b/startup.sh index 5cf3675..81ffd69 100755 --- a/startup.sh +++ b/startup.sh @@ -2,4 +2,4 @@ if [ -f /.venv/bin/activate ]; then source /.venv/bin/activate fi -python -u /usr/local/bin/nv_exporter.py "$@" +python3 -u /usr/local/bin/nv_exporter.py "$@"