chore: migrate to standard build

Adapts the team's standard Makefile to use on GitHub, and migrates the controller's Docker base image library/golang and distroless.
cloudflare · Dec 22, 2023 · 9ee4892 · 9ee4892
1 parent 51c5188
commit 9ee4892
Show file tree

Hide file tree

Showing 14 changed files with 152 additions and 164 deletions.
diff --git a/.dockerignore b/.dockerignore
@@ -0,0 +1 @@
+bin/
diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml
@@ -1,26 +1,26 @@
 name: Docker
 on:
-  push:
-    tags:
-      - 'v*'
+  - pull_request
+  - push
 jobs:
-  publish-docker:
+  docker:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
-      - uses: nixbuild/nix-quick-install-action@v14
+      - uses: actions/checkout@v4
+      - uses: docker/setup-qemu-action@v3
+      - uses: docker/metadata-action@v5
+        id: docker-meta
         with:
-          nix_version: "2.8.1"
-      - run: nix-build ./hack/docker.nix -o docker-amd64
-      - run: nix-build ./hack/docker.nix --arg pkgs '(import ./hack/nixpkgs.nix {}).pkgsCross.aarch64-multiplatform' -o docker-arm64
-      - run: |
-          nix-shell -I ./hack/nixpkgs.nix -p buildah --run bash <<EOF
-          buildah manifest create lockbox
-          buildah manifest add lockbox docker-archive:./docker-amd64
-          buildah manifest add lockbox docker-archive:./docker-arm64
-          buildah manifest inspect lockbox
-          buildah manifest push --all --creds ${DOCKER_HUB_USERNAME}:${DOCKER_HUB_TOKEN} -f v2s2 lockbox docker://cloudflare/lockbox:${GITHUB_REF#refs/tags/}
-          EOF
-        env:
-          DOCKER_HUB_USERNAME: ${{ secrets.DOCKER_HUB_USERNAME }}
-          DOCKER_HUB_TOKEN: ${{ secrets.DOCKER_HUB_TOKEN }}
+          images: cloudflare/lockbox
+      - uses: docker/setup-buildx-action@v3
+      - uses: docker/login-action@v3
+        if: ${{ startsWith(github.ref, 'refs/tags/v') }}
+        with:
+          username: ${{ secrets.DOCKER_HUB_USERNAME }}
+          password: ${{ secrets.DOCKER_HUB_TOKEN }}
+      - uses: docker/build-push-action@v5
+        with:
+          file: ./cmd/lockbox-controller/Dockerfile
+          platforms: linux/amd64, linux/arm64
+          tags: ${{ steps.docker-meta.outputs.tags }}
+          push: ${{ startsWith(github.ref, 'refs/tags/v') }}
diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
@@ -5,22 +5,38 @@ on:
 jobs:
   unit:
     runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        go: [ 'stable', 'oldstable' ]
+    name: 'Go ${{ matrix.go }} Test'
     steps:
-      - uses: actions/checkout@v3
-      - uses: nixbuild/nix-quick-install-action@v13
-      - run: nix-shell --pure --run "go test -v -race ./..."
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v4
+        with:
+          go-version: ${{ matrix.go }}
+      - run: make test
   lint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
-      - uses: nixbuild/nix-quick-install-action@v13
-      - run: nix-shell --pure --run "golangci-lint run --timeout 15m"
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v4
+        with:
+          go-version: 'stable'
+      - uses: dominikh/staticcheck-action@v1
+        with:
+          build-tags: suite
+          install-go: false
   integration:
     needs:
       - unit
       - lint
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
-      - uses: nixbuild/nix-quick-install-action@v13
-      - run: nix-shell --pure --run "go test ./... -tags suite"
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v4
+        with:
+          go-version: 'stable'
+      - run: |
+          go install sigs.k8s.io/controller-runtime/tools/setup-envtest@latest
+          source <(setup-envtest use -p env)
+          go test ./... -tags suite
diff --git a/.gitignore b/.gitignore
@@ -16,3 +16,4 @@
 ## nix.gitignore ##
 
 /result*
+/bin/
diff --git a/Makefile b/Makefile
@@ -0,0 +1,85 @@
+.DEFAULT_GOAL := binaries
+
+KERNEL := $(shell uname -s)
+VERSION := $(shell cat VERSION)
+GOTESTSUM := $(shell command -v gotestsum 2> /dev/null)
+
+DIB ?= docker
+IMAGE_ROOT ?= localhost/lockbox
+IMAGE_VERSION ?= $(shell git log -1 --pretty=format:%cd-%h --date short HEAD)
+# Build docker images for the native arch, but allow overriding in the environment for local development
+PLATFORM ?= local
+
+# Bind mount $SSL_CERT_FILE (or default) to build container if the file exists.
+SSL_CERT_FILE ?= /etc/ssl/certs/ca-certificates.crt
+ifneq (,$(wildcard ${SSL_CERT_FILE}))
+SECRETS = --secret id=certificates,src=${SSL_CERT_FILE}
+endif
+
+# When compiling for Linux enable Security's recommend hardening to satisfy `checksec' checks.
+# Unfortunately, most of these flags aren't portable to other operating systems.
+ifeq (${KERNEL},Linux)
+	CGO_ENABLED ?= 1
+	CPPFLAGS ?= -D_FORTIFY_SOURCE=2 -fstack-protector-all
+	CFLAGS ?= -O2 -pipe -fno-plt
+	CXXFLAGS ?= -O2 -pipe -fno-plt
+	LDFLAGS ?= -Wl,-O1,-sort-common,-as-needed,-z,relro,-z,now
+	GO_LDFLAGS ?= -linkmode=external
+	GOFLAGS ?= -buildmode=pie
+endif
+
+GO_LDFLAGS += -w -s -X main.version=v${VERSION}
+GOFLAGS += -v
+
+export CGO_ENABLED
+export CGO_CPPFLAGS ?= ${CPPFLAGS}
+export CGO_CFLAGS ?= ${CFLAGS}
+export CGO_CXXFLAGS ?= ${CXXFLAGS}
+export CGO_LDFLAGS ?= ${LDFLAGS}
+
+CMDS := $(shell find cmd -mindepth 1 -maxdepth 1 -type d | awk -F '/' '{ print $$NF }' )
+IMAGES := $(shell find cmd -mindepth 1 -type f -name Dockerfile | awk -F '/' '{ print $$2 }')
+
+define make-go-target
+.PHONY: bin/$1
+bin/$1:
+	go build ${GOFLAGS} -o $$@ -ldflags "${GO_LDFLAGS}" ./cmd/$1
+endef
+
+define make-dib-targets
+.PHONY: images/$1
+images/$1:
+	${DIB} buildx build --platform "$(PLATFORM)" ${SECRETS} -f cmd/$1/Dockerfile -t "${IMAGE_ROOT}/$1:${IMAGE_VERSION}" .
+
+.PHONY: push/images/$1
+push/images/$1:
+	${DIB} push "${IMAGE_ROOT}/$1:${IMAGE_VERSION}"
+endef
+
+$(foreach element,$(CMDS), $(eval $(call make-go-target,$(element))))
+$(foreach element,$(IMAGES), $(eval $(call make-dib-targets,$(element))))
+
+.PHONY: binaries
+binaries: $(CMDS:%=bin/%)
+
+.PHONY: images
+images: $(IMAGES:%=images/%)
+
+.PHONY: push-images
+push-images: $(IMAGES:%=push/images/%)
+
+.PHONY: clean
+clean:
+	rm -rf bin
+
+.PHONY: test
+test:
+ifdef GOTESTSUM
+	"${GOTESTSUM}" -- -count 1 ./...
+else
+	go test -cover -count 1 ./...
+endif
+
+.PHONY: lint
+lint:
+	staticcheck ./...
diff --git a/VERSION b/VERSION
@@ -0,0 +1 @@
+0.6.0
diff --git a/build.nix b/build.nix
diff --git a/cmd/lockbox-controller/Dockerfile b/cmd/lockbox-controller/Dockerfile
@@ -0,0 +1,13 @@
+FROM docker.io/library/golang:1.21.5-bookworm AS builder
+WORKDIR /go/src/app
+ADD . /go/src/app
+
+RUN --mount=type=cache,target=/go/pkg/mod \
+    --mount=type=cache,target=/root/.cache/go-build \
+    --mount=type=secret,id=certificates,target=/etc/ssl/certs/ca-certificates.crt \
+    make bin/lockbox-controller
+
+
+FROM gcr.io/distroless/base-nossl-debian12:nonroot
+COPY --from=builder /go/src/app/bin/lockbox-controller /
+CMD ["/bin/lockbox-controller"]
diff --git a/hack/derivation.nix b/hack/derivation.nix
diff --git a/hack/docker.nix b/hack/docker.nix
diff --git a/hack/k8s-boilerplate.go.txt b/hack/k8s-boilerplate.go.txt
diff --git a/hack/nixpkgs.nix b/hack/nixpkgs.nix
diff --git a/pkg/lockbox-controller/secretreconciler_test.go b/pkg/lockbox-controller/secretreconciler_test.go
@@ -9,7 +9,6 @@ import (
 	"github.com/kevinburke/nacl"
 	"gotest.tools/v3/assert"
 	corev1 "k8s.io/api/core/v1"
-	v1 "k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -93,7 +92,7 @@ func TestSecretReconciler(t *testing.T) {
 									"wave": "ignore",
 								},
 							},
-							Type: v1.SecretTypeOpaque,
+							Type: corev1.SecretTypeOpaque,
 						},
 						Data: map[string][]byte{
 							"test":  {0x7b, 0xca, 0x32, 0x90, 0xf7, 0x97, 0x3b, 0x6, 0xfb, 0x7c, 0xdc, 0x3a, 0x25, 0x82, 0x29, 0xdf, 0x9d, 0x1e, 0x46, 0x8d, 0xd4, 0x99, 0x49, 0x2, 0x63, 0x56, 0x54, 0x64, 0xae, 0x9e, 0xf2, 0xc0, 0x35, 0xf5, 0xf1, 0xcb, 0x67, 0xb7, 0xe2, 0xb1, 0x14, 0x42, 0x71, 0xc},
@@ -127,7 +126,7 @@ func TestSecretReconciler(t *testing.T) {
 						},
 					},
 				},
-				Type: v1.SecretTypeOpaque,
+				Type: corev1.SecretTypeOpaque,
 				Data: map[string][]byte{
 					"test":  []byte("test"),
 					"test1": []byte("test1"),
@@ -151,7 +150,7 @@ func TestSecretReconciler(t *testing.T) {
 							"updated": {0x78, 0x70, 0x68, 0xae, 0x9f, 0xf5, 0xed, 0x60, 0x74, 0x14, 0x6a, 0xc5, 0xc3, 0xb, 0xe2, 0xaa, 0x20, 0x68, 0x7a, 0xfb, 0xa6, 0x6a, 0x38, 0xc2, 0x20, 0x73, 0xb5, 0x45, 0x9f, 0x9, 0xf0, 0x15, 0xd1, 0x5c, 0x16, 0x51, 0x50, 0xaa, 0xea, 0x68, 0x3a, 0x95, 0xe6},
 						},
 						Template: lockboxv1.LockboxSecretTemplate{
-							Type: v1.SecretTypeOpaque,
+							Type: corev1.SecretTypeOpaque,
 						},
 					},
 				},
@@ -180,7 +179,7 @@ func TestSecretReconciler(t *testing.T) {
 							},
 						},
 					},
-					Type: v1.SecretTypeOpaque,
+					Type: corev1.SecretTypeOpaque,
 					Data: map[string][]byte{
 						"test":  []byte("test"),
 						"test1": []byte("test1"),
@@ -246,7 +245,7 @@ func TestSecretReconciler(t *testing.T) {
 							},
 						},
 					},
-					Type: v1.SecretTypeOpaque,
+					Type: corev1.SecretTypeOpaque,
 					Data: map[string][]byte{
 						"test":  []byte("test"),
 						"test1": []byte("test1"),
@@ -269,7 +268,7 @@ func TestSecretReconciler(t *testing.T) {
 						},
 					},
 				},
-				Type: v1.SecretTypeOpaque,
+				Type: corev1.SecretTypeOpaque,
 				Data: map[string][]byte{
 					"test":  []byte("test"),
 					"test1": []byte("test1"),

diff --git a/shell.nix b/shell.nix