feat: NVSHAS-9501 standalone Dockerfile

1. Provide cross-platform/standalone Dockerfile
2. Release.yml to publish SLSA-capable artifacts
3. Provide build target, test-image, build-image and push-image to sync
   with rancher.
4. Switch to golang:1.22 as its base image

Author: holyspectral

build/dockerignore renamed to .dockerignore

@@ -0,0 +1,38 @@
+name: dev build
+
+on:
+  push:
+    branches:
+      - main
+      - master
+
+jobs:
+  build-push:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DEV_DOCKER_USERNAME }}
+          password: ${{ secrets.DEV_DOCKER_PASSWORD }}
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Create builder
+        run: make buildx-machine
+      - name: Build and push
+        uses: docker/build-push-action@v6
+        with:
+          push: true
+          file: package/Dockerfile
+          tags: ${{ secrets.DEV_BUILD_REPOSITORY }}/registry-adapter:latest
+          build-args: |
+            COMMIT=${{ github.sha }}
+            VERSION=${{ github.ref_name }}
+          platforms: linux/arm64,linux/amd64 
+      - name: Retag
+        run: |
+          docker buildx imagetools create -t ${{ secrets.DEV_BUILD_REPOSITORY }}/registry-adapter:latest ${{ secrets.DEV_BUILD_REPOSITORY }}/registry-adapter:${{github.run_number}}

.github/workflows/dev.yml

@@ -0,0 +1,48 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+jobs:
+
+  publish:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      # write is needed for:
+      # - OIDC for cosign's use in ecm-distro-tools/publish-image.
+      # - Read vault secrets in rancher-eio/read-vault-secrets.
+      id-token: write
+    
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Load Secrets from Vault
+      uses: rancher-eio/read-vault-secrets@main
+      with:
+        secrets: |
+          secret/data/github/repo/${{ github.repository }}/dockerhub/neuvector/credentials username | DOCKER_USERNAME ;
+          secret/data/github/repo/${{ github.repository }}/dockerhub/neuvector/credentials password | DOCKER_PASSWORD ;
+          secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials registry | PRIME_REGISTRY ;
+          secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials username | PRIME_REGISTRY_USERNAME ;
+          secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials password | PRIME_REGISTRY_PASSWORD
+
+    - name: Publish manifest
+      uses: rancher/ecm-distro-tools/actions/publish-image@master
+      with:
+        image: registry-adapter
+        tag: ${{ github.ref_name }}
+        platforms: linux/amd64,linux/arm64
+
+        public-registry: docker.io
+        public-repo: neuvector
+        public-username: ${{ env.DOCKER_USERNAME }}
+        public-password: ${{ env.DOCKER_PASSWORD }}
+
+        prime-registry: ${{ env.PRIME_REGISTRY }}
+        prime-repo: rancher
+        prime-username: ${{ env.PRIME_REGISTRY_USERNAME }}
+        prime-password: ${{ env.PRIME_REGISTRY_PASSWORD }}

.github/workflows/release.yml

@@ -1,26 +1,79 @@
-BASE_IMAGE_TAG = latest
-BUILD_IMAGE_TAG = v2
+RUNNER := docker
+IMAGE_BUILDER := $(RUNNER) buildx
+MACHINE := neuvector
+BUILDX_ARGS ?= --sbom=true --attest type=provenance,mode=max
+DEFAULT_PLATFORMS := linux/amd64,linux/arm64,linux/x390s,linux/riscv64
 
-all:
-	go build -ldflags='-s -w' -buildvcs=false -o adapter
+COMMIT = $(shell git rev-parse --short HEAD)
+ifeq ($(VERSION),)
+	# Define VERSION, which is used for image tags or to bake it into the
+	# compiled binary to enable the printing of the application version, 
+	# via the --version flag.
+	CHANGES = $(shell git status --porcelain --untracked-files=no)
+	ifneq ($(CHANGES),)
+		DIRTY = -dirty
+	endif
+
+
+	COMMIT = $(shell git rev-parse --short HEAD)
+	VERSION = $(COMMIT)$(DIRTY)
+
+	# Override VERSION with the Git tag if the current HEAD has a tag pointing to
+	# it AND the worktree isn't dirty.
+	GIT_TAG = $(shell git tag -l --contains HEAD | head -n 1)
+	ifneq ($(GIT_TAG),)
+		ifeq ($(DIRTY),)
+			VERSION = $(GIT_TAG)
+		endif
+	endif
+endif
+
+ifeq ($(TAG),)
+	TAG = $(VERSION)
+	ifneq ($(DIRTY),)
+		TAG = dev
+	endif
+endif
+
+TARGET_PLATFORMS ?= linux/amd64,linux/arm64
+STAGE_DIR=stage
+REPO ?= neuvector
+IMAGE = $(REPO)/registry-adapter:$(TAG)
+BUILD_ACTION = --load
 
-STAGE_DIR = stage
+.PHONY: all build test copy_adpt
 
-copy_adpt:
+all: test build copy_adpt
+
+test:
+	go test ./...
+
+copy_adpt: build
 	mkdir -p ${STAGE_DIR}/usr/local/bin/
-	#
-	cp registry-adapter/adapter ${STAGE_DIR}/usr/local/bin/
+	cp adapter ${STAGE_DIR}/usr/local/bin/
+
+build:
+	go build -ldflags='-s -w' -buildvcs=false -o adapter
+
+buildx-machine:
+	docker buildx ls
+	@docker buildx ls | grep $(MACHINE) || \
+	docker buildx create --name=$(MACHINE) --platform=$(DEFAULT_PLATFORMS)
 
-stage_init:
-	rm -rf ${STAGE_DIR}; mkdir -p ${STAGE_DIR}
+test-image:
+	# Instead of loading image, target all platforms, effectivelly testing
+	# the build for the target architectures.
+	$(MAKE) build-image BUILD_ACTION="--platform=$(TARGET_PLATFORMS)"
 
-stage_adpt: stage_init copy_adpt
+build-image: buildx-machine ## build (and load) the container image targeting the current platform.
+	$(IMAGE_BUILDER) build -f package/Dockerfile \
+		--builder $(MACHINE) $(IMAGE_ARGS) \
+		--build-arg VERSION=$(VERSION) --build-arg COMMIT=$(COMMIT) -t "$(IMAGE)" $(BUILD_ACTION) .
+	@echo "Built $(IMAGE)"
 
-adapter_image: stage_adpt
-	docker pull neuvector/adapter_base:${BASE_IMAGE_TAG}
-	docker build --build-arg NV_TAG=$(NV_TAG) --build-arg BASE_IMAGE_TAG=${BASE_IMAGE_TAG} -t neuvector/registry-adapter -f registry-adapter/build/Dockerfile .
 
-binary:
-	@echo "Making $@ ..."
-	@docker pull neuvector/build_fleet:${BUILD_IMAGE_TAG}
-	@docker run --rm -ia STDOUT --name build --net=none -v $(CURDIR):/go/src/github.com/neuvector/registry-adapter -w /go/src/github.com/neuvector/registry-adapter --entrypoint ./make_bin.sh neuvector/build_fleet:${BUILD_IMAGE_TAG}
+push-image: buildx-machine
+	$(IMAGE_BUILDER) build -f package/Dockerfile \
+		--builder $(MACHINE) $(IMAGE_ARGS) $(IID_FILE_FLAG) $(BUILDX_ARGS) \
+		--build-arg VERSION=$(VERSION) --build-arg COMMIT=$(COMMIT) --platform=$(TARGET_PLATFORMS) -t "$(REPO)/registry-adapter:$(TAG)" --push .
+	@echo "Pushed $(IMAGE)"

Makefile

@@ -0,0 +1,67 @@
+#
+# Builder image
+FROM registry.suse.com/bci/golang:1.22 AS builder
+
+ENV GOPATH=/go
+ENV PATH=$PATH:/usr/local/go/bin:$GOPATH/bin
+
+COPY config/ /src/config
+COPY server/ /src/server
+COPY vendor/ /src/vendor
+COPY go.mod go.sum adapter.go version.go Makefile /src
+WORKDIR /src
+RUN make
+
+#
+# base image
+FROM registry.suse.com/bci/bci-micro:15.6 AS micro
+FROM registry.suse.com/bci/bci-base:15.6 AS base
+FROM --platform=$BUILDPLATFORM rancher/mirrored-tonistiigi-xx:1.3.0 AS xx
+FROM --platform=$BUILDPLATFORM registry.suse.com/bci/bci-base:15.6 AS basebuilder
+
+ARG TARGETPLATFORM
+ARG TARGETOS
+ARG TARGETARCH
+
+COPY --from=xx / /
+COPY --from=micro / /chroot/
+
+RUN echo "[main]" > /etc/zypp/zypp.conf && \
+    echo -n "arch = " >> /etc/zypp/zypp.conf && \
+    xx-info march >> /etc/zypp/zypp.conf
+
+COPY --from=base /etc/products.d/ /etc/products.d/
+COPY --from=base /etc/zypp/ /chroot/etc/zypp/
+
+# Runtime dependencies
+RUN zypper refresh && zypper --non-interactive --installroot /chroot install --no-recommends \
+    ca-certificates && \
+    zypper --non-interactive --installroot /chroot clean -a && \
+    rm -rf /chroot/var/log/ /chroot/var/cache/zypp/* /chroot/etc/zypp/
+
+RUN cd /chroot/usr/bin/ && rm -rf basename chcon chgrp chmod chown chroot cksum dd df dircolors dirname du install install-info join locale localedef mkdir mkfifo mknod mktemp paste pathchk readlink realpath sync smidiff smidump smilink smiquery smistrip smixlate tee tiemout tload top truncate unlink watch
+
+RUN mkdir -p /chroot/etc/neuvector/certs/internal/
+
+FROM micro
+ARG VERSION
+ARG COMMIT
+WORKDIR /
+COPY --from=basebuilder /chroot/ /
+COPY --from=builder /src/stage /
+
+LABEL "name"="registry-adapter" \
+      "vendor"="SUSE Security" \
+      "neuvector.image"="neuvector/registry-adapter" \
+      "neuvector.role"="registry-adapater" \
+      "neuvector.rev"="${COMMIT}" \
+      "io.artifacthub.package.logo-url"=https://avatars2.githubusercontent.com/u/19367275 \
+      "io.artifacthub.package.readme-url"="https://raw.githubusercontent.com/neuvector/registry-adapter/${VERSION}/README.md" \
+      "org.opencontainers.image.description"="SUSE Security Registry Adapter" \
+      "org.opencontainers.image.title"="SUSE Security Registry Adapter" \
+      "org.opencontainers.image.source"="https://github.com/neuvector/registry-adapter/" \
+      "org.opencontainers.image.version"="${VERSION}" \
+      "org.opensuse.reference"="neuvector/registry-adapter:${VERSION}"
+      
+
+ENTRYPOINT ["/usr/local/bin/adapter"]