forked from projectcalico/calico
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathMakefile
284 lines (241 loc) · 12.4 KB
/
Makefile
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
include ../metadata.mk
PACKAGE_NAME = github.com/projectcalico/calico/cni-plugin
# Add in local static-checks
LOCAL_CHECKS=check-boring-ssl
# Name of the images.
# e.g., <registry>/<name>:<tag>
CNI_PLUGIN_IMAGE ?=cni
BUILD_IMAGES ?=$(CNI_PLUGIN_IMAGE)
###############################################################################
# Download and include ../lib.Makefile
# Additions to EXTRA_DOCKER_ARGS need to happen before the include since
# that variable is evaluated when we declare DOCKER_RUN and siblings.
###############################################################################
include ../lib.Makefile
###############################################################################
SRC_FILES=$(shell find pkg cmd internal -name '*.go')
TEST_SRC_FILES=$(shell find tests -name '*.go')
WINFV_SRCFILES=$(shell find win_tests -name '*.go')
# fail if unable to download
CURL=curl -C - -sSf
CNI_VERSION=v1.0.1
# By default set the CNI_SPEC_VERSION to 0.3.1 for tests.
CNI_SPEC_VERSION?=0.3.1
# Markers for various images we produce.
DEPLOY_CONTAINER_STATIC_MARKER=cni_deploy_container-$(ARCH).created
DEPLOY_CONTAINER_FIPS_MARKER=cni_deploy_container-$(ARCH)-fips.created
# Set FIPS to true to enable a FIPS compliant build using BoringSSL and CGO.
# Note that this produces binaries that are dynamically linked, and so have dependencies
# on the host machine.
FIPS ?= false
ifeq ($(FIPS), true)
CGO_ENABLED=1
CHECK_BORINGSSL=go tool nm $(BIN)/install > $(BIN)/tags.txt && grep '_Cfunc__goboringcrypto_' $(BIN)/tags.txt 1> /dev/null
BIN=bin/$(ARCH)-fips
DEPLOY_CONTAINER_MARKER=$(DEPLOY_CONTAINER_FIPS_MARKER)
VALIDARCHES=amd64
else
CGO_ENABLED=0
CHECK_BORINGSSL=echo 'Skipping boringSSL check'
BIN=bin/$(ARCH)
DEPLOY_CONTAINER_MARKER=$(DEPLOY_CONTAINER_STATIC_MARKER)
endif
.PHONY: clean
clean:
# Clean .created files which indicate images / releases have been built.
find . -name '.*.created*' -type f -delete
find . -name '.*.published*' -type f -delete
rm -rf $(BIN) bin $(DEPLOY_CONTAINER_MARKER) .go-pkg-cache pkg/install/install.test
rm -f *.created
rm -rf config/
###############################################################################
# Building the binary
###############################################################################
build: $(BIN)/install $(BIN)/calico $(BIN)/calico-ipam
ifeq ($(ARCH),amd64)
# Go only supports amd64 for Windows builds.
BIN_WIN=bin/windows
build: $(BIN_WIN)/calico.exe $(BIN_WIN)/calico-ipam.exe
endif
# If ARCH is arm based, find the requested version/variant
ifeq ($(word 1,$(subst v, ,$(ARCH))),arm)
ARM_VERSION := $(word 2,$(subst v, ,$(ARCH)))
endif
# Define go architecture flags to support arm variants
GOARCH_FLAGS :=-e GOARCH=$(ARCH)
ifdef ARM_VERSION
GOARCH_FLAGS :=-e GOARCH=arm -e GOARM=$(ARM_VERSION)
endif
build-all: $(addprefix sub-build-,$(VALIDARCHES))
sub-build-%:
$(MAKE) build ARCH=$*
## Build the Calico network plugin and ipam plugins
$(BIN)/install binary: $(SRC_FILES)
-mkdir -p .go-pkg-cache
-mkdir -p $(BIN)
$(DOCKER_RUN) -e CGO_ENABLED=$(CGO_ENABLED) $(CALICO_BUILD) sh -c '\
$(GIT_CONFIG_SSH) go build -v -o $(BIN)/install -ldflags "-X main.VERSION=$(GIT_VERSION) -w" $(PACKAGE_NAME)/cmd/calico && \
$(CHECK_BORINGSSL)'
## Build the Calico network plugin and ipam plugins for Windows
$(BIN_WIN)/calico.exe $(BIN_WIN)/calico-ipam.exe: $(SRC_FILES)
$(DOCKER_RUN) \
-e GOOS=windows \
-e CGO_ENABLED=1 \
$(CALICO_BUILD) sh -c '$(GIT_CONFIG_SSH) \
go build -v -o $(BIN_WIN)/calico.exe -ldflags "-X main.VERSION=$(GIT_VERSION) -s -w" $(PACKAGE_NAME)/cmd/calico && \
go build -v -o $(BIN_WIN)/calico-ipam.exe -ldflags "-X main.VERSION=$(GIT_VERSION) -s -w" $(PACKAGE_NAME)/cmd/calico'
###############################################################################
# Building the image
###############################################################################
image: $(DEPLOY_CONTAINER_MARKER)
image-all: $(addprefix sub-image-,$(VALIDARCHES)) sub-image-fips-amd64
sub-image-%:
$(MAKE) image ARCH=$*
sub-image-fips-%:
$(MAKE) image FIPS=true ARCH=$*
# Builds the statically compiled binaries into a container.
$(DEPLOY_CONTAINER_STATIC_MARKER): Dockerfile.$(ARCH) build fetch-cni-bins
$(DOCKER_BUILD) --build-arg BIN_DIR=$(BIN) -t $(CNI_PLUGIN_IMAGE):latest-$(ARCH) -f Dockerfile.$(ARCH) . --load
$(MAKE) retag-build-images-with-registries VALIDARCHES=$(ARCH) IMAGETAG=latest
touch $@
# Builds the FIPS binaries into a container.
$(DEPLOY_CONTAINER_FIPS_MARKER): Dockerfile.$(ARCH) build fetch-cni-bins
$(DOCKER_BUILD) --build-arg BIN_DIR=$(BIN) -t $(CNI_PLUGIN_IMAGE):latest-fips-$(ARCH) -f Dockerfile.$(ARCH) . --load
$(MAKE) retag-build-images-with-registries VALIDARCHES=$(ARCH) IMAGETAG=latest-fips LATEST_IMAGE_TAG=latest-fips
touch $@
.PHONY: fetch-cni-bins
fetch-cni-bins: $(BIN)/flannel $(BIN)/loopback $(BIN)/host-local $(BIN)/portmap $(BIN)/tuning $(BIN)/bandwidth
$(BIN)/loopback $(BIN)/host-local $(BIN)/portmap $(BIN)/tuning $(BIN)/bandwidth:
mkdir -p $(BIN)
$(CURL) -L --retry 5 https://github.com/containernetworking/plugins/releases/download/$(CNI_VERSION)/cni-plugins-linux-$(subst v7,,$(ARCH))-$(CNI_VERSION).tgz | tar -xz -C $(BIN) ./loopback ./host-local ./portmap ./tuning ./bandwidth
$(BIN)/flannel:
mkdir -p $(BIN)
$(CURL) -L --retry 5 https://github.com/flannel-io/cni-plugin/releases/download/$(CNI_VERSION)/cni-plugin-flannel-linux-$(subst v7,,$(ARCH))-$(CNI_VERSION).tgz | tar -xz -C $(BIN) ./flannel-$(subst v7,,$(ARCH))
mv $(BIN)/flannel-$(subst v7,,$(ARCH)) $(BIN)/flannel
###############################################################################
# Unit Tests
###############################################################################
## Run the unit tests.
ut: run-k8s-controller-manager $(BIN)/install $(BIN)/host-local $(BIN)/calico-ipam $(BIN)/calico
$(MAKE) ut-datastore DATASTORE_TYPE=etcdv3
$(MAKE) ut-datastore DATASTORE_TYPE=kubernetes
check-boring-ssl: $(BIN)/install
$(DOCKER_RUN) -e CGO_ENABLED=$(CGO_ENABLED) $(CALICO_BUILD) $(CHECK_BORINGSSL)
-rm -f $(BIN)/tags.txt
$(BIN)/calico-ipam $(BIN)/calico: $(BIN)/install
cp "$<" "$@"
ut-datastore:
# The tests need to run as root
docker run --rm -t --privileged --net=host \
$(EXTRA_DOCKER_ARGS) \
-e ETCD_IP=$(LOCAL_IP_ENV) \
-e LOCAL_USER_ID=$(LOCAL_USER_ID) \
-e RUN_AS_ROOT=true \
-e ARCH=$(ARCH) \
-e PLUGIN=calico \
-e BIN=/go/src/$(PACKAGE_NAME)/$(BIN) \
-e CNI_SPEC_VERSION=$(CNI_SPEC_VERSION) \
-e DATASTORE_TYPE=$(DATASTORE_TYPE) \
-e ETCD_ENDPOINTS=http://$(LOCAL_IP_ENV):2379 \
-e KUBECONFIG=/home/user/certs/kubeconfig \
-v $(CURDIR)/../:/go/src/github.com/projectcalico/calico:rw \
-v $(CERTS_PATH):/home/user/certs \
$(CALICO_BUILD) sh -c '$(GIT_CONFIG_SSH) \
cd /go/src/$(PACKAGE_NAME) && \
ginkgo -cover -r -skipPackage pkg/install $(GINKGO_ARGS)'
ut-etcd: run-k8s-controller-manager build $(BIN)/host-local
$(MAKE) ut-datastore DATASTORE_TYPE=etcdv3
make stop-etcd
make stop-k8s-controller
ut-kdd: run-k8s-controller-manager build $(BIN)/host-local
$(MAKE) ut-datastore DATASTORE_TYPE=kubernetes
make stop-etcd
make stop-k8s-controller
## Run the tests in a container (as root) for different CNI spec versions
## to make sure we don't break backwards compatibility.
.PHONY: test-cni-versions
test-cni-versions:
for cniversion in "0.2.0" "0.3.1" ; do \
if make ut CNI_SPEC_VERSION=$$cniversion; then \
echo "CNI version $$cniversion PASSED"; \
else \
echo "CNI version $$cniversion FAILED"; \
exit 1; \
fi; \
done
###############################################################################
# Install test
###############################################################################
# We pre-build the test binary so that we can run it outside a container and allow it
# to interact with docker.
pkg/install/install.test: pkg/install/*.go
$(DOCKER_RUN) $(CALICO_BUILD) sh -c '$(GIT_CONFIG_SSH) \
cd /go/src/$(PACKAGE_NAME) && \
go test ./pkg/install -c --tags install_test -o ./pkg/install/install.test'
.PHONY: test-install-cni
## Test the install
test-install-cni: image pkg/install/install.test
cd pkg/install && CONTAINER_NAME=$(CNI_PLUGIN_IMAGE):latest-$(ARCH) ./install.test
###############################################################################
# CI/CD
###############################################################################
.PHONY: ci
ci: clean mod-download build static-checks test-cni-versions image-all test-install-cni
## Deploys images to registry
cd: image-all cd-common
## Build fv binary for Windows
$(BIN_WIN)/win-fv.exe: $(WINFV_SRCFILES)
$(DOCKER_RUN) -e GOOS=windows $(CALICO_BUILD) sh -c '$(GIT_CONFIG_SSH) go test ./win_tests -c -o $(BIN_WIN)/win-fv.exe'
###############################################################################
# Release
###############################################################################
## Produces a clean build of release artifacts at the specified version.
release-build: .release-$(VERSION).created
.release-$(VERSION).created:
$(MAKE) clean image-all RELEASE=true
$(MAKE) retag-build-images-with-registries RELEASE=true IMAGETAG=$(VERSION)
$(MAKE) retag-build-images-with-registries RELEASE=true IMAGETAG=latest
$(MAKE) FIPS=true retag-build-images-with-registries RELEASE=true IMAGETAG=$(VERSION)-fips LATEST_IMAGE_TAG=latest-fips
$(MAKE) FIPS=true retag-build-images-with-registries RELEASE=true IMAGETAG=latest-fips LATEST_IMAGE_TAG=latest-fips
$(MAKE) release-verify
touch $@
## Verifies the release artifacts produces by `make release-build` are correct.
release-verify: release-prereqs
# Check the reported version is correct for each release artifact.
$(MAKE) release-verify-version IMAGE=calico/cni:$(VERSION)-$(ARCH)
$(MAKE) release-verify-version IMAGE=calico/cni:$(VERSION)-fips-$(ARCH)
$(MAKE) release-verify-version IMAGE=quay.io/calico/cni:$(VERSION)-$(ARCH)
$(MAKE) release-verify-version IMAGE=quay.io/calico/cni:$(VERSION)-fips-$(ARCH)
# Check that the FIPS binaries have the correct symbols.
$(MAKE) release-verify-fips IMAGE=calico/cni:$(VERSION)-fips-$(ARCH)
$(MAKE) release-verify-fips IMAGE=quay.io/calico/cni:$(VERSION)-fips-$(ARCH)
release-verify-version:
docker run --rm $(IMAGE) calico -v | grep -x $(VERSION) || ( echo "Reported version does not match" && exit 1 )
docker run --rm $(IMAGE) calico-ipam -v | grep -x $(VERSION) || ( echo "Reported version does not match" && exit 1 )
release-verify-fips:
rm -rf .tmp && mkdir -p .tmp
# Copy binaries from the image so we can analyze them.
sh -c "docker create --name calico-cni-verify $(IMAGE); docker cp calico-cni-verify:/opt/cni/bin/install .tmp/calico; docker rm -f calico-cni-verify"
go tool nm .tmp/calico | grep '_Cfunc__goboringcrypto_' 1> /dev/null || echo "ERROR: Binary in image '$(IMAGE)' is missing expected goboring symbols"
rm -rf .tmp
release-publish: release-prereqs .release-$(VERSION).published
.release-$(VERSION).published:
$(MAKE) push-images-to-registries push-manifests IMAGETAG=$(VERSION) RELEASE=$(RELEASE) CONFIRM=$(CONFIRM)
$(MAKE) FIPS=true push-images-to-registries push-manifests IMAGETAG=$(VERSION)-fips RELEASE=$(RELEASE) CONFIRM=$(CONFIRM)
touch $@
# WARNING: Only run this target if this release is the latest stable release. Do NOT
# run this target for alpha / beta / release candidate builds, or patches to earlier Calico versions.
## Pushes `latest` release images. WARNING: Only run this for latest stable releases.
release-publish-latest: release-prereqs
# Check latest versions match.
if ! docker run $(CNI_PLUGIN_IMAGE):latest-$(ARCH) calico -v | grep '^$(VERSION)$$'; then echo "Reported version:" `docker run $(CNI_PLUGIN_IMAGE):latest-$(ARCH) calico -v` "\nExpected version: $(VERSION)"; false; else echo "\nVersion check passed\n"; fi
if ! docker run quay.io/$(CNI_PLUGIN_IMAGE):latest-$(ARCH) calico -v | grep '^$(VERSION)$$'; then echo "Reported version:" `docker run quay.io/$(CNI_PLUGIN_IMAGE):latest-$(ARCH) calico -v` "\nExpected version: $(VERSION)"; false; else echo "\nVersion check passed\n"; fi
$(MAKE) push-images-to-registries push-manifests RELEASE=true IMAGETAG=latest RELEASE=$(RELEASE) CONFIRM=$(CONFIRM)
###############################################################################
# Developer helper scripts (not used by build or test)
###############################################################################
.PHONY: test-watch
## Run the unit tests, watching for changes.
test-watch: $(BIN)/install run-etcd run-k8s-apiserver
# The tests need to run as root
CGO_ENABLED=0 ETCD_IP=127.0.0.1 PLUGIN=calico GOPATH=$(GOPATH) $(shell which ginkgo) watch -skipPackage pkg/install