fix(CI): Update image tag in helm charts & build and Makefile updates (…

…#256)

* fix(*): Embed build info into binaries

Signed-off-by: Anurag Rajawat <[email protected]>

* chore: Update engines version

Signed-off-by: Anurag Rajawat <[email protected]>

* fix(CI): Add job to update image tag in helm charts

Signed-off-by: Anurag Rajawat <[email protected]>

* fix(integration-test): Fix SIB selector

Signed-off-by: Anurag Rajawat <[email protected]>

---------

Signed-off-by: Anurag Rajawat <[email protected]>

.dockerignore

@@ -1,3 +1,2 @@
-# More info: https://docs.docker.com/engine/reference/builder/#dockerignore-file
-# Ignore build and test binaries.
 bin/
+go.work*

.github/workflows/pr-checks.yaml

@@ -172,6 +172,7 @@ jobs:
           working-directory: ./deployments/nimbus
           run: |
             helm upgrade --dependency-update --install nimbus-operator . -n nimbus --create-namespace \
+            --set image.tag=latest \
             --set image.pullPolicy=Never \
             --set autoDeploy.kubearmor=false \
             --set autoDeploy.kyverno=false \
@@ -232,6 +233,7 @@ jobs:
           working-directory: ./deployments/nimbus
           run: |
             helm upgrade --dependency-update --install nimbus-operator . -n nimbus --create-namespace \
+            --set image.tag=latest \
             --set image.pullPolicy=Never \
             --set autoDeploy.kubearmor=false \
             --set autoDeploy.kyverno=false \
@@ -245,7 +247,7 @@ jobs:
         - name: Install nimbus-netpol
           working-directory: deployments/nimbus-netpol/
           run: |
-            helm upgrade --install nimbus-netpol . -n nimbus --set image.pullPolicy=Never
+            helm upgrade --install nimbus-netpol . -n nimbus --set image.pullPolicy=Never --set image.tag=latest
 
         - name: Wait for nimbus-netpol to start
           run: |
@@ -255,7 +257,7 @@ jobs:
         - name: Install nimbus-kubearmor
           working-directory: deployments/nimbus-kubearmor/
           run: |
-            helm upgrade --dependency-update --install nimbus-kubearmor . -n nimbus --set image.pullPolicy=Never
+            helm upgrade --dependency-update --install nimbus-kubearmor . -n nimbus --set image.pullPolicy=Never --set image.tag=latest
 
         - name: Wait for nimbus-kubearmor to start
           run: |
@@ -265,7 +267,7 @@ jobs:
         - name: Install nimbus-kyverno
           working-directory: deployments/nimbus-kyverno/
           run: |
-            helm upgrade --dependency-update --install nimbus-kyverno . -n nimbus --set image.pullPolicy=Never
+            helm upgrade --dependency-update --install nimbus-kyverno . -n nimbus --set image.pullPolicy=Never --set image.tag=latest
 
         - name: Wait for nimbus-kyverno to start
           run: |

.github/workflows/stable-release.yaml

@@ -3,7 +3,10 @@
 
 name: Stable release
 
-on: workflow_dispatch
+on:
+  create:
+    tags:
+      - "v*"
 
 permissions: read-all
 
@@ -33,8 +36,35 @@ jobs:
       NAME: ${{ matrix.adapters }}
     secrets: inherit
 
+  update-image-tags-in-helm-charts:
+    if: github.repository == '5GSEC/nimbus'
+    needs: [ release-nimbus-image, release-adapters-image ]
+    permissions:
+      contents: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout source code
+        uses: actions/checkout@v4
+
+      - name: Get tag
+        id: tag
+        run: |
+          if [ ${{ github.ref }} == "refs/heads/main" ]; then
+            echo "tag=latest" >> $GITHUB_OUTPUT
+          else
+            echo "tag=${GITHUB_REF#refs/*/}" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Update images tag
+        run: |
+          ./scripts/update-image-tag.sh ${{ steps.tag.outputs.tag }} 
+
+      - name: Commit changes
+        uses: stefanzweifel/git-auto-commit-action@v5
+
   release_helm_charts:
     if: github.repository == '5GSEC/nimbus'
+    needs: [ update-image-tags-in-helm-charts ]
     permissions:
       contents: write
     runs-on: ubuntu-latest

Dockerfile

@@ -1,37 +1,29 @@
 # SPDX-License-Identifier: Apache-2.0
 # Copyright 2023 Authors of Nimbus
 
-# Build the manager binary
-FROM golang:1.22 as builder
+FROM golang:1.22 AS builder
 ARG TARGETOS
 ARG TARGETARCH
 
+# Required to embed build info into binary.
+COPY .git /.git
+
 WORKDIR /workspace
-# Copy the Go Modules manifests
-COPY go.mod go.mod
-COPY go.sum go.sum
-# cache deps before building and copying source so that we don't need to re-download as much
-# and so that source changes don't invalidate our downloaded layer
-RUN go mod download
 
-# Copy the go source
-COPY cmd/main.go cmd/main.go
-COPY api/ api/
-COPY internal/ internal/
-COPY pkg/processor/ pkg/processor/
+COPY . .
 
 # Build
 # the GOARCH has not a default value to allow the binary be built according to the host where the command
 # was called. For example, if we call make docker-build in a local env which has the Apple Silicon M1 SO
 # the docker BUILDPLATFORM arg will be linux/arm64 when for Apple x86 it will be linux/amd64. Therefore,
 # by leaving it empty we can ensure that the container and binary shipped on it will have the same platform.
-RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -a -o manager cmd/main.go
+RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} make build
 
 # Use distroless as minimal base image to package the manager binary
 # Refer to https://github.com/GoogleContainerTools/distroless for more details
 FROM gcr.io/distroless/static:nonroot
 WORKDIR /
-COPY --from=builder /workspace/manager .
+COPY --from=builder /workspace/bin/nimbus .
 USER 65532:65532
 
-ENTRYPOINT ["/manager"]
+ENTRYPOINT ["/nimbus"]

Makefile

@@ -8,6 +8,8 @@ TAG ?= latest
 
 TEST_DIR ?= tests/controllers
 
+BINARY_NAME ?= nimbus
+
 # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
 ifeq (,$(shell go env GOBIN))
 GOBIN=$(shell go env GOPATH)/bin
@@ -46,6 +48,8 @@ all: build
 help: ## Display this help.
 	@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n  make \033[36m<target>\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf "  \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)
 
+.DEFAULT_GOAL := help
+
 ##@ Development
 
 .PHONY: manifests
@@ -96,12 +100,12 @@ lint-fix: golangci-lint ## Run golangci-lint linter and perform fixes
 ##@ Build
 
 .PHONY: build
-build: manifests generate fmt vet ## Build manager binary.
-	go build -o bin/manager cmd/main.go
+build: fmt vet ## Build manager binary.
+	@go build -ldflags="-s" -o bin/"${BINARY_NAME}" ./cmd
 
 .PHONY: run
-run: manifests generate fmt vet ## Run a controller from your host.
-	go run cmd/main.go
+run: manifests generate fmt vet build ## Run a controller from your host.
+	@./bin/"${BINARY_NAME}"
 
 # If you wish to build the manager image targeting other platforms you can use the --platform flag.
 # (i.e. docker build --platform linux/arm64). However, you must enable docker buildKit for it.

cmd/main.go

@@ -5,11 +5,11 @@ package main
 
 import (
 	"flag"
-	"os"
-
-	"k8s.io/apimachinery/pkg/runtime"
+	"github.com/5GSEC/nimbus/pkg/util"
+	k8sruntime "k8s.io/apimachinery/pkg/runtime"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
+	"os"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/config"
 	"sigs.k8s.io/controller-runtime/pkg/healthz"
@@ -24,7 +24,7 @@ import (
 
 // Global variables for scheme registration and setup logging.
 var (
-	scheme   = runtime.NewScheme()        // Scheme for registering API types for client and server.
+	scheme   = k8sruntime.NewScheme()     // Scheme for registering API types for client and server.
 	setupLog = ctrl.Log.WithName("setup") // Logger for setup process.
 )
 
@@ -51,6 +51,7 @@ func main() {
 
 	// Setting the logger with the provided options.
 	ctrl.SetLogger(zap.New())
+	util.LogBuildInfo(ctrl.Log)
 
 	// Creating a new manager which will manage all the controllers.
 	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{

deployments/nimbus-kubearmor/Chart.yaml

@@ -16,7 +16,7 @@ appVersion: "0.1.2"
 
 dependencies:
   - name: kubearmor-operator
-    version: ">= 1.3.4"
+    version: ">= 1.4.3"
     repository: https://kubearmor.github.io/charts
     condition: autoDeploy
 

deployments/nimbus-kyverno/Chart.yaml

@@ -17,6 +17,6 @@ appVersion: "0.1.0"
 
 dependencies:
   - name: kyverno
-    version: ">= 3.2.0"
+    version: ">= 3.2.6"
     repository: https://kyverno.github.io/kyverno/
     condition: autoDeploy

pkg/adapter/nimbus-k8tls/Dockerfile

@@ -5,6 +5,9 @@ FROM golang:1.22 AS builder
 ARG TARGETOS
 ARG TARGETARCH
 
+# Required to embed build info into binary.
+COPY .git /.git
+
 WORKDIR /nimbus
 
 # relative deps requried by the adapter
@@ -25,13 +28,14 @@ COPY $ADAPTER_DIR/manager manager
 COPY $ADAPTER_DIR/builder builder
 COPY $ADAPTER_DIR/watcher watcher
 COPY $ADAPTER_DIR/main.go main.go
+COPY $ADAPTER_DIR/Makefile Makefile
 
 # Build
 # the GOARCH has not a default value to allow the binary be built according to the host where the command
 # was called. For example, if we call make docker-build in a local env which has the Apple Silicon M1 SO
 # the docker BUILDPLATFORM arg will be linux/arm64 when for Apple x86 it will be linux/amd64. Therefore,
 # by leaving it empty we can ensure that the container and binary shipped on it will have the same platform.
-RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -ldflags="-s" -o bin/nimbus-k8tls main.go
+RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} make build
 
 FROM gcr.io/distroless/static:nonroot
 WORKDIR /

pkg/adapter/nimbus-k8tls/Makefile

@@ -18,9 +18,13 @@ CONTROLLER_GEN ?= $(LOCALBIN)/controller-gen
 help: ## Display this help.
 	@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n  make \033[36m<target>\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf "  \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)
 
+.DEFAULT_GOAL := help
+
+.PHONY: build
 build: ## Build nimbus-k8tls executable.
-	@go build -ldflags="-s" -o ${BINARY}  main.go
+	@go build -ldflags="-s" -o ${BINARY} .
 
+.PHONY: run
 run: build ## Run nimbus-k8tls.
 	@./${BINARY}
 

pkg/adapter/nimbus-k8tls/main.go

@@ -5,6 +5,7 @@ package main
 
 import (
 	"context"
+	"github.com/5GSEC/nimbus/pkg/util"
 	"os"
 	"os/signal"
 	"syscall"
@@ -18,6 +19,7 @@ import (
 func main() {
 	ctrl.SetLogger(zap.New())
 	logger := ctrl.Log
+	util.LogBuildInfo(logger)
 
 	ctx, cancelFunc := context.WithCancel(context.Background())
 	ctrl.LoggerInto(ctx, logger)

pkg/adapter/nimbus-kubearmor/Dockerfile

@@ -2,15 +2,16 @@
 # Copyright 2023 Authors of Nimbus
 
 # Build the nimbus-kubearmor binary
-FROM golang:1.22 as builder
+FROM golang:1.22 AS builder
 ARG TARGETOS
 ARG TARGETARCH
 
-WORKDIR /nimbus
+# Required to embed build info into binary.
+COPY .git /.git
 
+WORKDIR /nimbus
 
 # relative deps requried by the adapter
-
 ADD api/ api/
 ADD pkg/ pkg/
 ADD go.mod go.mod
@@ -32,18 +33,18 @@ COPY $ADAPTER_DIR/manager manager
 COPY $ADAPTER_DIR/processor processor
 COPY $ADAPTER_DIR/watcher watcher
 COPY $ADAPTER_DIR/main.go main.go
-
+COPY $ADAPTER_DIR/Makefile Makefile
 
 # Build
 # the GOARCH has not a default value to allow the binary be built according to the host where the command
 # was called. For example, if we call make docker-build in a local env which has the Apple Silicon M1 SO
 # the docker BUILDPLATFORM arg will be linux/arm64 when for Apple x86 it will be linux/amd64. Therefore,
 # by leaving it empty we can ensure that the container and binary shipped on it will have the same platform.
-RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -ldflags="-w" -a -o nimbus-kubearmor main.go
+RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} make build
 
 FROM gcr.io/distroless/static:nonroot
 WORKDIR /
-COPY --from=builder /nimbus/pkg/adapter/nimbus-kubearmor .
+COPY --from=builder /nimbus/pkg/adapter/nimbus-kubearmor/bin/nimbus-kubearmor .
 USER 65532:65532
 
 ENTRYPOINT ["/nimbus-kubearmor"]

pkg/adapter/nimbus-kubearmor/Makefile

@@ -9,23 +9,31 @@ TAG ?= latest
 CONTAINER_TOOL ?= docker
 BINARY ?= bin/nimbus-kubearmor
 
-build:
-	@go build -ldflags="-w" -o ${BINARY}  main.go
+.PHONY: help
+help: ## Display this help.
+	@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n  make \033[36m<target>\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf "  \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)
 
-run: build
+.DEFAULT_GOAL := help
+
+.PHONY: build
+build: ## Build nimbus-kubearmor executable.
+	@go build -ldflags="-w" -o ${BINARY} .
+
+.PHONY: run
+run: build ## Run nimbus-kubearmor locally.
 	@./${BINARY}
 
 .PHONY: docker-build
-docker-build:
+docker-build: ## Build nimbus-kubearmor container image.
 	$(CONTAINER_TOOL) build -t ${IMG}:${TAG} --build-arg VERSION=${TAG} -f ./Dockerfile ../../../
 
 .PHONY: docker-push
-docker-push:
+docker-push: ## Push nimbus-kubearmor container image.
 	$(CONTAINER_TOOL) push ${IMG}:${TAG}
 
 PLATFORMS ?= linux/arm64,linux/amd64
 .PHONY: docker-buildx
-docker-buildx:
+docker-buildx: ## Build and push container image for cross-platform support
 	# copy existing Dockerfile and insert --platform=${BUILDPLATFORM} into Dockerfile.cross, and preserve the original Dockerfile
 	sed -e '1 s/\(^FROM\)/FROM --platform=\$$\{BUILDPLATFORM\}/; t' -e ' 1,// s//FROM --platform=\$$\{BUILDPLATFORM\}/' Dockerfile > Dockerfile.cross
 	- $(CONTAINER_TOOL) buildx create --name project-v3-builder

pkg/adapter/nimbus-kubearmor/go.sum

@@ -15,6 +15,7 @@ github.com/evanphx/json-patch/v5 v5.9.0/go.mod h1:VNkHZ/282BpEyt/tObQO8s5CMPmYYq
 github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA=
 github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM=
 github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
+github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/zapr v1.3.0 h1:XGdV8XW8zdwFiwOA2Dryh1gj2KRQyOOoNmBy4EplIcQ=
 github.com/go-logr/zapr v1.3.0/go.mod h1:YKepepNBd1u/oyhd/yQmtjVXmm9uML4IXUgMOwR8/Gg=
 github.com/go-openapi/jsonpointer v0.21.0 h1:YgdVicSA9vH5RiHs9TZW5oyafXZFc6+2Vc1rr/O9oNQ=
@@ -156,15 +157,21 @@ gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 k8s.io/api v0.30.3 h1:ImHwK9DCsPA9uoU3rVh4QHAHHK5dTSv1nxJUapx8hoQ=
+k8s.io/api v0.30.3/go.mod h1:GPc8jlzoe5JG3pb0KJCSLX5oAFIW3/qNJITlDj8BH04=
 k8s.io/apiextensions-apiserver v0.30.1 h1:4fAJZ9985BmpJG6PkoxVRpXv9vmPUOVzl614xarePws=
+k8s.io/apiextensions-apiserver v0.30.1/go.mod h1:R4GuSrlhgq43oRY9sF2IToFh7PVlF1JjfWdoG3pixk4=
 k8s.io/apimachinery v0.30.3 h1:q1laaWCmrszyQuSQCfNB8cFgCuDAoPszKY4ucAjDwHc=
+k8s.io/apimachinery v0.30.3/go.mod h1:iexa2somDaxdnj7bha06bhb43Zpa6eWH8N8dbqVjTUc=
 k8s.io/client-go v0.30.3 h1:bHrJu3xQZNXIi8/MoxYtZBBWQQXwy16zqJwloXXfD3k=
+k8s.io/client-go v0.30.3/go.mod h1:8d4pf8vYu665/kUbsxWAQ/JDBNWqfFeZnvFiVdmx89U=
 k8s.io/klog/v2 v2.120.1 h1:QXU6cPEOIslTGvZaXvFWiP9VKyeet3sawzTOvdXb4Vw=
 k8s.io/klog/v2 v2.120.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
 k8s.io/kube-openapi v0.0.0-20240521193020-835d969ad83a h1:zD1uj3Jf+mD4zmA7W+goE5TxDkI7OGJjBNBzq5fJtLA=
+k8s.io/kube-openapi v0.0.0-20240521193020-835d969ad83a/go.mod h1:UxDHUPsUwTOOxSU+oXURfFBcAS6JwiRXTYqYwfuGowc=
 k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0 h1:jgGTlFYnhF1PM1Ax/lAlxUPE+KfCIXHaathvJg1C3ak=
 k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 sigs.k8s.io/controller-runtime v0.18.3 h1:B5Wmmo8WMWK7izei+2LlXLVDGzMwAHBNLX68lwtlSR4=
+sigs.k8s.io/controller-runtime v0.18.3/go.mod h1:TVoGrfdpbA9VRFaRnKgk9P5/atA0pMwq+f+msb9M8Sg=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
 sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4=