diff --git a/.github/scripts/upgrade-sec-scanners-config.sh b/.github/scripts/upgrade-sec-scanners-config.sh index 77177b0c9..b8c3975c4 100755 --- a/.github/scripts/upgrade-sec-scanners-config.sh +++ b/.github/scripts/upgrade-sec-scanners-config.sh @@ -2,4 +2,21 @@ IMG_VERSION=${IMG_VERSION?"Define IMG_VERSION env"} -yq -i ".protecode[] |= sub(\":main\", \":${IMG_VERSION}\")" sec-scanners-config.yaml +yq eval-all --inplace ' + select(fileIndex == 0).protecode=[ + select(fileIndex == 1) + | .global.containerRegistry.path as $registryPath + | ( + { + "serverless_operator" : { + "name" : "serverless-operator", + "directory" : "prod", + "version" : env(IMG_VERSION) + } + } + + .global.images + )[] + | $registryPath + "/" + .directory + "/" + .name + ":" + .version + ] + | select(fileIndex == 0) + ' sec-scanners-config.yaml config/serverless/values.yaml \ No newline at end of file diff --git a/.github/workflows/create-release.yaml b/.github/workflows/create-release.yaml index dae232659..80a2ec0ec 100644 --- a/.github/workflows/create-release.yaml +++ b/.github/workflows/create-release.yaml @@ -35,18 +35,18 @@ jobs: uses: actions/checkout@v4 with: fetch-depth: 0 - - - name: Bump sec-scanners-config.yaml - run: ./.github/scripts/upgrade-sec-scanners-config.sh - env: - IMG_VERSION: ${{ github.event.inputs.name }} - + - name: Bump values.yaml run: | - make -C components/operator/hack/ci replace-chart-images + make -C components/operator/hack/ci replace-function-chart-images env: IMG_DIRECTORY: "prod" IMG_VERSION: ${{ github.event.inputs.name }} + + - name: Bump sec-scanners-config.yaml based on values.yaml + run: ./.github/scripts/upgrade-sec-scanners-config.sh + env: + IMG_VERSION: ${{ github.event.inputs.name }} - name: Commit&Push run: | diff --git a/components/operator/Dockerfile.dev b/components/operator/Dockerfile.dev index dc84316d2..8e4ba3ca5 100644 --- a/components/operator/Dockerfile.dev +++ b/components/operator/Dockerfile.dev 
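Review bot: `env(IMG_VERSION)` in the added yq program parses the variable's value as YAML, so a tag that is also a valid scalar of another type (a two-component `1.10`, or a bare word such as `true`) would be inserted as a number or boolean rather than a string, and the later `":" + .version` concatenation would then fail or emit a different tag; `"version" : strenv(IMG_VERSION)` reads the value as a string unconditionally. The operator entry also hard-codes `"directory" : "prod"` while the function images take their directory from values.yaml, so the two can diverge if the release workflow ever passes a different IMG_DIRECTORY; a short comment above the literal stating that the operator release image is always published under `prod` would make that intentional. The first line of the script is outside the hunk.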
@@ -1,3 +1,8 @@ +# +# This Dockerfile is used to build serverless-operator image on every pre- and post-submit job +# It's a copy of Dockerfile.release with additional logic bumping serverless images in the values.yaml +# + # Build the operator binary FROM golang:1.21.6 as builder @@ -32,7 +37,7 @@ RUN apk update && apk add make yq COPY components/operator/hack components/operator/hack COPY config/serverless config/serverless -RUN make -C components/operator/hack/ci replace-chart-images +RUN make -C components/operator/hack/ci replace-function-chart-images # Use distroless as minimal base image to package the operator binary # Refer to https://github.com/GoogleContainerTools/distroless for more details diff --git a/components/operator/Dockerfile.local b/components/operator/Dockerfile.local new file mode 100644 index 000000000..b11356edb --- /dev/null +++ b/components/operator/Dockerfile.local 
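Review bot: The new header comment says the file adds logic "bumping serverless images in the values.yaml", but the target it now calls in the second hunk, `replace-function-chart-images`, only rewrites the `function_*` entries (see `components/operator/hack/ci/Makefile` in this change) and leaves the operator entry untouched, which is the one difference from the new Dockerfile.local that calls `replace-only-main-chart-images`. Suggest `# It's a copy of Dockerfile.release with additional logic bumping the function_* images in values.yaml` so the two files can be told apart from their headers.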
@@ -0,0 +1,51 @@ +# +# This Dockerfile is used to build serverless-operator image locally +# It's a copy of Dockerfile.release with additional logic bumping serverless images in the values.yaml +# + +# Build the operator binary +FROM golang:1.21.6 as builder + +WORKDIR /workspace + +# Copy the Go Modules manifests +COPY go.mod go.sum ./ + +# cache deps before building and copying source so that we don't need to re-download as much +# and so that source changes don't invalidate our downloaded layer +RUN go mod download + +# Copy the go source +COPY components/operator components/operator + +# Build +RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -a -o operator ./components/operator/main.go + +# Replace main images in values.yaml +FROM alpine:3.19.0 as replacer + +WORKDIR /workspace + +ARG IMG_DIRECTORY +ARG IMG_VERSION + +ENV IMG_DIRECTORY=$IMG_DIRECTORY +ENV IMG_VERSION=$IMG_VERSION + +RUN apk update && apk add make yq + +COPY components/operator/hack components/operator/hack +COPY config/serverless config/serverless + +RUN make -C components/operator/hack/ci replace-only-main-chart-images + +# Use distroless as minimal base image to package the operator binary +# Refer to https://github.com/GoogleContainerTools/distroless for more details +FROM gcr.io/distroless/static:nonroot + +WORKDIR / +COPY --chown=65532:65532 --from=builder /workspace/operator . +COPY --chown=65532:65532 --from=replacer /workspace/config/serverless /module-chart +USER 65532:65532 + +ENTRYPOINT ["/operator"] diff --git a/components/operator/Makefile b/components/operator/Makefile index 51eb9a85f..6a857aae3 100644 --- a/components/operator/Makefile +++ b/components/operator/Makefile 
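Review bot: `ARG IMG_DIRECTORY` and `ARG IMG_VERSION` have no defaults and nothing in the replacer stage checks them, so a `docker build` without `--build-arg` exports empty strings and the `replace-only-main-chart-images` step rewrites every `version: main` entry in values.yaml to an empty version; the build still succeeds and the broken chart is copied into the final image. A one-line guard before the make step, `RUN test -n "$IMG_DIRECTORY" && test -n "$IMG_VERSION"`, fails the build instead. The stage also installs `yq` from the Alpine repository at whatever version is current (`apk add make yq`), so the expression semantics the Makefile relies on can change between two builds of the same commit; pinning `yq=<YQ_VERSION_PLACEHOLDER>` (or matching the version the CI image uses) would make the replacement reproducible.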
@@ -95,7 +95,11 @@ docker-build-release: manifests generate ## Build docker release image with the .PHONY: docker-build-dev docker-build-dev: manifests generate ## Build docker dev image with the operator. - docker build -t ${IMG} -f Dockerfile.dev $(PROJECT_ROOT) --build-arg=IMG_DIRECTORY="$(IMG_DIRECTORY)" --build-arg=IMG_VERSION="$(IMG_VERSION)" #TODO: Defaults + docker build -t ${IMG} -f Dockerfile.dev $(PROJECT_ROOT) --build-arg=IMG_DIRECTORY="$(IMG_DIRECTORY)" --build-arg=IMG_VERSION="$(IMG_VERSION)" + +.PHONY: docker-build-local +docker-build-local: manifests generate ## Build docker local image with the operator. + docker build -t ${IMG} -f Dockerfile.local $(PROJECT_ROOT) --build-arg=IMG_DIRECTORY="$(IMG_DIRECTORY)" --build-arg=IMG_VERSION="$(IMG_VERSION)" .PHONY: docker-push docker-push: ## Push docker image with the operator. @@ -137,6 +141,10 @@ module-image-release: docker-build-release docker-push ## Build the release Modu module-image-dev: docker-build-dev docker-push ## Build the dev Module Image and push it to a registry defined in IMG. echo "built and pushed module image $(IMG)" +.PHONY: module-image-local +module-image-local: docker-build-local docker-push ## Build the local Module Image and push it to a registry defined in IMG. + echo "built and pushed module image $(IMG)" + .PHONY: module-build module-build: ## Build the Module and push artifacts to the registry module-build: kyma kustomize render-manifest module-config-template configure-git-origin diff --git a/components/operator/hack/ci/Makefile b/components/operator/hack/ci/Makefile index 612a19247..5cde66408 100644 --- a/components/operator/hack/ci/Makefile +++ b/components/operator/hack/ci/Makefile 
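Review bot: The `#TODO: Defaults` marker is dropped from `docker-build-dev` and the new `docker-build-local` repeats the same command, but neither target supplies defaults or checks that `IMG_DIRECTORY` and `IMG_VERSION` are set, so an unset value is passed as an empty `--build-arg` and ends up as an empty tag in the chart's values.yaml. A make-level check as the first recipe line of both targets, `$(if $(and $(strip $(IMG_DIRECTORY)),$(strip $(IMG_VERSION))),,$(error IMG_DIRECTORY and IMG_VERSION are required))`, fails early instead. The same line also mixes `${IMG}` with `$(IMG_DIRECTORY)`; both forms work, but one style would read better.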
@@ -118,10 +118,25 @@ render-manifest: @make -C ${OPERATOR_ROOT} render-manifest \ MODULE_VERSION=${MODULE_VERSION} +# used only by prow (tests: pre-serverless-integration-k3s, pre-serverless-git-auth-integration-k3s) .PHONY: replace-chart-images -replace-chart-images: - @IMG_VERSION=${IMG_VERSION} IMG_DIRECTORY=${IMG_DIRECTORY} \ - make -C ${PROJECT_COMMON} replace-chart-images +replace-chart-images: replace-function-chart-images + +.PHONY: replace-only-main-chart-images +replace-only-main-chart-images: + yq -i "(.global.images[] | select(.version == \"main\") | .directory) = \"${IMG_DIRECTORY}\"" ${PROJECT_ROOT}/config/serverless/values.yaml + yq -i "(.global.images[] | select(.version == \"main\") | .version) = \"${IMG_VERSION}\"" ${PROJECT_ROOT}/config/serverless/values.yaml + @echo "==== Local Changes ====" + yq '.global.images' ${PROJECT_ROOT}/config/serverless/values.yaml + @echo "==== End of Local Changes ====" + +.PHONY: replace-function-chart-images +replace-function-chart-images: + yq -i "(.global.images[] | select(key == \"function_*\") | .directory) = \"${IMG_DIRECTORY}\"" ${PROJECT_ROOT}/config/serverless/values.yaml + yq -i "(.global.images[] | select(key == \"function_*\") | .version) = \"${IMG_VERSION}\"" ${PROJECT_ROOT}/config/serverless/values.yaml + @echo "==== Local Changes ====" + yq '.global.images' ${PROJECT_ROOT}/config/serverless/values.yaml + @echo "==== End of Local Changes ====" .PHONY: run-without-lm-on-k3d-cluster run-without-lm-on-k3d-cluster: diff --git a/components/operator/hack/common/Makefile b/components/operator/hack/common/Makefile index 710221069..b6649beb1 100644 --- a/components/operator/hack/common/Makefile +++ b/components/operator/hack/common/Makefile 
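Review bot: The new `replace-only-main-chart-images` and `replace-function-chart-images` recipes splice `${IMG_DIRECTORY}` and `${IMG_VERSION}` into the yq program text itself, so a value containing a double quote or a parenthesis breaks or rewrites the expression, and an unset variable silently writes empty `directory`/`version` fields into values.yaml; in the release workflow IMG_VERSION is a workflow_dispatch input. Exporting the two variables and reading them with `strenv()` keeps them as data rather than program text, and a make-level emptiness check fails the target instead of producing an empty tag. The four yq lines and the check are shown below; the echo lines are unchanged.
```make
# Make the image coordinates visible to yq as environment, not as program text.
export IMG_DIRECTORY IMG_VERSION

.PHONY: replace-only-main-chart-images
replace-only-main-chart-images:
	$(if $(and $(strip ${IMG_DIRECTORY}),$(strip ${IMG_VERSION})),,$(error IMG_DIRECTORY and IMG_VERSION are required))
	yq -i '(.global.images[] | select(.version == "main") | .directory) = strenv(IMG_DIRECTORY)' ${PROJECT_ROOT}/config/serverless/values.yaml
	yq -i '(.global.images[] | select(.version == "main") | .version) = strenv(IMG_VERSION)' ${PROJECT_ROOT}/config/serverless/values.yaml
	# … unchanged: echo of local changes …

.PHONY: replace-function-chart-images
replace-function-chart-images:
	$(if $(and $(strip ${IMG_DIRECTORY}),$(strip ${IMG_VERSION})),,$(error IMG_DIRECTORY and IMG_VERSION are required))
	yq -i '(.global.images[] | select(key == "function_*") | .directory) = strenv(IMG_DIRECTORY)' ${PROJECT_ROOT}/config/serverless/values.yaml
	yq -i '(.global.images[] | select(key == "function_*") | .version) = strenv(IMG_VERSION)' ${PROJECT_ROOT}/config/serverless/values.yaml
	# … unchanged: echo of local changes …
```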
@@ -168,6 +168,11 @@ module-image-dev: @make -C ${OPERATOR_ROOT} module-image-dev \ IMG=localhost:${REGISTRY_PORT}/${OPERATOR_IMAGE_NAME}:${OPERATOR_IMAGE_TAG} +.PHONY: module-image-local +module-image-local: + @make -C ${OPERATOR_ROOT} module-image-local \ + IMG=localhost:${REGISTRY_PORT}/${OPERATOR_IMAGE_NAME}:${OPERATOR_IMAGE_TAG} + .PHONY: module-build module-build: @make -C ${OPERATOR_ROOT} module-build \ @@ -191,11 +196,3 @@ deploy-k3d: .PHONY: deploy-cluster deploy-cluster: @make -C ${OPERATOR_ROOT} deploy - -.PHONY: replace-chart-images -replace-chart-images: - yq -i "(.global.images[] | select(.version == \"main\") | .directory) = \"${IMG_DIRECTORY}\"" ${PROJECT_ROOT}/config/serverless/values.yaml - yq -i "(.global.images[] | select(.version == \"main\") | .version) = \"${IMG_VERSION}\"" ${PROJECT_ROOT}/config/serverless/values.yaml - @echo "==== Local Changes ====" - yq '.global.images' ${PROJECT_ROOT}/config/serverless/values.yaml - @echo "==== End of Local Changes ====" \ No newline at end of file diff --git a/components/operator/hack/local/Makefile b/components/operator/hack/local/Makefile index 8595e1b6d..fb934b3c3 100644 --- a/components/operator/hack/local/Makefile +++ b/components/operator/hack/local/Makefile @@ -11,7 +11,7 @@ help: ## Display this help. .PHONY: deploy-k3d deploy-k3d: ## Build image and deploy operator on a k3d cluster. @make -C ${PROJECT_COMMON} \ - module-image-dev \ + module-image-local \ deploy-k3d \ apply-serverless \ verify-serverless 
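Review bot: The new `module-image-local` recipe invokes the sub-build as `@make -C ${OPERATOR_ROOT}` rather than `$(MAKE) -C ${OPERATOR_ROOT}`, so `-n`, the jobserver and other command-line flags of the outer invocation are not propagated. The surrounding targets in this file use the same form, so this is consistent with the file as it stands; if it is changed, it should be changed for the whole file rather than for this one target.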
@@ -29,12 +29,22 @@ stop: ## Delete k3d cluster and registry. .PHONY: run run: ## Create k3d cluster and deploy operator. - @IMG_VERSION="main" IMG_DIRECTORY="prod" make -C ${PROJECT_COMMON} run-without-lifecycle-manager + @IMG_VERSION="main" IMG_DIRECTORY="prod" make -C ${PROJECT_COMMON} \ + kyma \ + create-k3d \ + module-image-local \ + deploy \ + apply-serverless \ + verify-serverless .PHONY: run-for-img run-for-img: ## Create k3d cluster with operator using the IMG env. @echo "this target requires IMG env" - @IMG=${IMG} make -C ${PROJECT_COMMON} create-k3d run-without-lm-on-cluster + @IMG=${IMG} make -C ${PROJECT_COMMON} \ + create-k3d \ + deploy-cluster \ + apply-serverless \ + verify-serverless .PHONY: build-and-run build-and-run: ## Create k3d cluster with operator using locally built images. @@ -47,11 +57,21 @@ build-and-run: ## Create k3d cluster with operator using locally built images. @${PROJECT_LOCAL}/build_local_images.sh @IMG_VERSION="local" IMG_DIRECTORY="dev" \ - make -C ${PROJECT_COMMON} module-image-dev \ + make -C ${PROJECT_COMMON} module-image-local \ deploy \ apply-serverless \ verify-serverless .PHONY: run-with-lm run-with-lm: ## Create k3d cluster with module installed by the lifecycle-manager. - @IMG_VERSION="main" IMG_DIRECTORY="prod" make -C ${PROJECT_COMMON} run-with-lifecycle-manager + @IMG_VERSION="main" IMG_DIRECTORY="prod" make -C ${PROJECT_COMMON} \ + kyma \ + create-k3d \ + module-image-local \ + module-build \ + fix-template \ + install-kyma-with-lm \ + patch-mod-mgr-role \ + install-module-template \ + enable-module \ + verify-kyma diff --git a/sec-scanners-config.yaml b/sec-scanners-config.yaml index 2a8423073..2a99a6e20 100644 --- a/sec-scanners-config.yaml +++ b/sec-scanners-config.yaml 
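Review bot: The expanded `run`, `run-for-img` and `run-with-lm` recipes (and `build-and-run` in the @@ -47,11 +57,21 @@ hunk) sequence the workflow by passing an ordered goal list to a single `make -C ${PROJECT_COMMON}` call (`kyma create-k3d module-image-local deploy …`), but those goals carry no declared dependencies on each other, so the order is only honoured for a serial build. If the sequence matters — and `create-k3d` before `module-image-local` suggests it does — encoding it as prerequisites in the common Makefile, or declaring `.NOTPARALLEL:` there with a comment saying why, would make the intent explicit. The recipes also call `make` instead of `$(MAKE)`, which drops `-n` and the jobserver; if they are switched to `$(MAKE)`, the ordering point above becomes the more important one.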
@@ -3,16 +3,16 @@ rc-tag: 1.3.0 protecode: - europe-docker.pkg.dev/kyma-project/prod/serverless-operator:main - europe-docker.pkg.dev/kyma-project/prod/function-controller:main - - europe-docker.pkg.dev/kyma-project/prod/function-build-init:main - europe-docker.pkg.dev/kyma-project/prod/function-webhook:main - - europe-docker.pkg.dev/kyma-project/prod/tpi/registry:2.8.1-1ae4c190 - - europe-docker.pkg.dev/kyma-project/prod/tpi/kaniko-executor:1.9.2-ea54c1c7 + - europe-docker.pkg.dev/kyma-project/prod/function-build-init:main - europe-docker.pkg.dev/kyma-project/prod/function-runtime-nodejs16:main - europe-docker.pkg.dev/kyma-project/prod/function-runtime-nodejs18:main - europe-docker.pkg.dev/kyma-project/prod/function-runtime-python39:main + - europe-docker.pkg.dev/kyma-project/prod/tpi/kaniko-executor:1.9.2-ea54c1c7 + - europe-docker.pkg.dev/kyma-project/prod/tpi/registry:2.8.1-1ae4c190 whitesource: language: golang-mod subprojects: false exclude: - "**/test/**" - - "**/*_test.go" \ No newline at end of file + - "**/*_test.go"