Merge pull request #39 from spectrocloud/fips-cicd

zulfilee · web-flow · commit 2d9a9948c1e2 · 2023-06-09T16:53:54.000-07:00
Spectro FIPS and CICD
diff --git a/.github/workflows/spectro-release.yaml b/.github/workflows/spectro-release.yaml
@@ -0,0 +1,68 @@
+name: Spectro Release
+run-name: Release for Cluster API  Vsphere Static IP ${{ github.event.inputs.release_version }}
+on:
+  workflow_dispatch:
+    inputs:
+      release_version:
+        description: 'Cluster API Version to Build'
+        required: true
+        default: '0.0.0'
+jobs:
+  builder:
+    # edge-runner machine group is a bunch of machines in US Datacenter
+    runs-on: ubuntu-latest
+    # Initialize all secrets required for the job
+    # Ensure that the credentials are provided as encrypted secrets
+    env:
+      SPECTRO_VERSION: ${{ github.event.inputs.release_version }}
+    steps:
+      -
+        uses: mukunku/tag-exists-action@v1.2.0
+        id: checkTag
+        with:
+          tag: spectro-v${{ github.event.inputs.release_version }}
+      -
+        if: ${{ steps.checkTag.outputs.exists == 'true' }}
+        run: |
+          echo "Tag already exists for spectro-v${{ github.event.inputs.release_version }}..."
+          exit 1
+      -
+        uses: actions/checkout@v3
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v1
+      -
+        name: Login to private registry
+        uses: docker/login-action@v1
+        with:
+          registry: ${{ secrets.REGISTRY_URL }}
+          username: ${{ secrets.REGISTRY_USERNAME }}
+          password: ${{ secrets.REGISTRY_PASSWORD }}
+      -
+        name: Build Image
+        env:
+          REGISTRY: gcr.io/spectro-images-public/release/cluster-api-vsphere
+        run: |
+          make docker-build
+          make docker-push
+      -
+        name: Build Image - FIPS Mode
+        env:
+          FIPS_ENABLE: yes
+          REGISTRY: gcr.io/spectro-images-public/release-fips/cluster-api-vsphere
+        run: |
+          make docker-build
+          make docker-push
+      -
+        name: Create Release
+        id: create_release
+        uses: actions/create-release@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          tag_name: spectro-v${{ github.event.inputs.release_version }}
+          release_name: Release spectro-v${{ github.event.inputs.release_version }}
+          body: |
+            Release version ${{ github.event.inputs.release_version }}
+          draft: false
+          prerelease: false
diff --git a/Dockerfile b/Dockerfile
@@ -1,6 +1,10 @@
 # Build the manager binary
 FROM golang:1.19.8 as builder
 
+# FIPS
+ARG CRYPTO_LIB
+ENV GOEXPERIMENT=${CRYPTO_LIB:+boringcrypto}
+
 WORKDIR /workspace
 # Copy the Go Modules manifests
 COPY go.mod go.mod
@@ -13,12 +17,12 @@ RUN go mod download
 COPY . .
 
 # Build
-RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 GO111MODULE=on go build -a -o manager main.go
+RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 GO111MODULE=on go build -ldflags "${LDFLAGS} -extldflags '-static'" -a -o manager main.go
 
 # Use distroless as minimal base image to package the manager binary
 # Refer to https://github.com/GoogleContainerTools/distroless for more details
 #FROM gcr.io/distroless/static:latest
-FROM alpine:3.17
+FROM alpine:3.18
 RUN addgroup -S spectro
 RUN adduser -S -D -h / spectro spectro
 USER spectro
diff --git a/Makefile b/Makefile
@@ -1,14 +1,23 @@
 
 .DEFAULT_GOAL:=help
 
-VERSION_SUFFIX ?= -dev
-PROD_VERSION ?= 0.7.4${VERSION_SUFFIX}
-PROD_BUILD_ID ?= latest
+# Fips Flags
+FIPS_ENABLE ?= ""
 
-IMG_URL ?= gcr.io/$(shell gcloud config get-value project)/${USER}
-IMG_TAG ?= latest
-STATIC_IP_IMG ?= ${IMG_URL}/capv-static-ip:${IMG_TAG}
-OVERLAY ?= base
+RELEASE_LOC := release
+ifeq ($(FIPS_ENABLE),yes)
+  RELEASE_LOC := release-fips
+endif
+
+SPECTRO_VERSION ?= 4.0.0-dev
+TAG ?= spectro-${SPECTRO_VERSION}
+ARCH ?= amd64
+# ALL_ARCH = amd64 arm arm64 ppc64le s390x
+ALL_ARCH = amd64 
+
+REGISTRY ?= gcr.io/spectro-dev-public/$(USER)/${RELEASE_LOC}
+
+STATIC_IP_IMG ?= ${REGISTRY}/capv-static-ip:${TAG}
 
 # Produce CRDs that work back to Kubernetes 1.11 (no version conversion)
 CRD_OPTIONS ?= "crd:trivialVersions=true"
@@ -82,7 +91,7 @@ bin: generate ## Generate binaries
 docker: docker-build docker-push ## Tags docker image and also pushes it to container registry
 
 docker-build: ## Build the docker image for controller-manager
-	docker build . -t ${STATIC_IP_IMG}
+	docker build  --build-arg CRYPTO_LIB=${FIPS_ENABLE} . -t ${STATIC_IP_IMG}
 
 docker-push: ## Push the docker image
 	docker push ${STATIC_IP_IMG}
