VERSION 0.6
IMPORT github.com/kairos-io/kairos
# Base target. Every ARG declared here is global and inherited by all targets below.
# NOTE(review): `alpine` is a floating tag; only git runs in this stage, but pinning
# it (tag or digest) keeps the VERSION derivation reproducible.
FROM alpine
ARG VARIANT=kairos # core, lite, framework
ARG FLAVOR=opensuse-leap
## Versioning
# k3s release to bundle. "latest" lets the upstream installer choose; any other value
# is passed through as INSTALL_K3S_VERSION (see PROVIDER_INSTALL).
ARG K3S_VERSION
RUN apk add git
COPY . ./
# VERSION comes from git. Unlike the `version` target this RUN is not --no-cache, so it
# is only re-evaluated when the copied tree changes.
RUN echo $(git describe --always --tags --dirty) > VERSION
# Without a CORE_VERSION file this falls back to the floating `latest` core tag, which
# makes BASE_IMAGE non-reproducible; keep the file present for release builds.
ARG CORE_VERSION=$(cat CORE_VERSION || echo "latest")
ARG VERSION=$(cat VERSION)
RUN echo "version ${VERSION}"
# '+' is not allowed in an image tag, so v1.x.y+k3s1 becomes v1.x.y-k3s1 for TAG only.
ARG K3S_VERSION_TAG=$(echo $K3S_VERSION | sed s/+/-/)
ARG TAG=${VERSION}-k3s${K3S_VERSION_TAG}
ARG BASE_REPO=quay.io/kairos
# Image reference the `docker` target saves; consumed by `iso` (IMG) and RELEASEVERSION.
ARG IMAGE=${BASE_REPO}/${VARIANT}-${FLAVOR}:$TAG
ARG BASE_IMAGE=quay.io/kairos/core-${FLAVOR}:${CORE_VERSION}
# Base name of the ISO/netboot artifacts (the `iso` and `ipxe-iso` targets redeclare it).
ARG ISO_NAME=${VARIANT}-${FLAVOR}-${VERSION}-k3s${K3S_VERSION}
# renovate: datasource=docker depName=quay.io/kairos/osbuilder-tools versioning=semver-coerced
ARG OSBUILDER_VERSION=v0.7.8
ARG OSBUILDER_IMAGE=quay.io/kairos/osbuilder-tools:$OSBUILDER_VERSION
## External deps pinned versions
# NOTE(review): LUET_VERSION is not referenced by any target in this file; presumably
# consumed by the imported kairos Earthfile — verify before removing.
ARG LUET_VERSION=0.33.0
# renovate: datasource=docker depName=golang
ARG GO_VERSION=1.20
# OS_ID feeds os-release and the default ISO name in `iso`/`ipxe-iso`.
ARG OS_ID=kairos
# Static Go binaries by default (see BUILD_GOLANG).
ARG CGO_ENABLED=0
# Records the resolved image reference and version under build/ so CI can read them
# after the pipeline. Relies on the global IMAGE and VERSION ARGs.
RELEASEVERSION:
    COMMAND
    RUN echo "$IMAGE" > IMAGE
    RUN echo "$VERSION" > VERSION
    SAVE ARTIFACT VERSION AS LOCAL build/VERSION
    SAVE ARTIFACT IMAGE AS LOCAL build/IMAGE
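# Full arm64 pipeline for the generic (non board-specific) image: container image,
# SBOM, ISO, then the release metadata files.
all-arm-generic:
    # SECURITY_SCANS gates the SBOM exactly as in `all` and `all-arm`; it defaults to
    # true so the scan still runs unless explicitly disabled.
    ARG SECURITY_SCANS=true
    BUILD --platform=linux/arm64 +docker
    IF [ "$SECURITY_SCANS" = "true" ]
        BUILD --platform=linux/arm64 +image-sbom
    END
    BUILD --platform=linux/arm64 +iso
    DO +RELEASEVERSION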
# Default amd64 pipeline: image, optional SBOM, ISO, netboot artifacts, iPXE ISO,
# then the release metadata files.
# NOTE(review): SECURITY_SCANS only gates the SBOM; `trivy-scan` is not invoked from
# any pipeline target in this file, so vulnerability scanning has to be run separately.
all:
    ARG SECURITY_SCANS=true
    BUILD +docker
    IF [ "$SECURITY_SCANS" = "true" ]
        BUILD +image-sbom
    END
    BUILD +iso
    BUILD +netboot
    BUILD +ipxe-iso
    DO +RELEASEVERSION
# Reduced pipeline for CI: only the container image and the ISO (no SBOM, no netboot).
ci:
    BUILD +docker
    BUILD +iso
# arm64 pipeline for a board image (rpi64 by default): image, optional SBOM, the
# flashable .img, then the release metadata files.
all-arm:
    ARG SECURITY_SCANS=true
    BUILD --platform=linux/arm64 +docker
    IF [ "$SECURITY_SCANS" = "true" ]
        BUILD --platform=linux/arm64 +image-sbom
    END
    # arm-image selects --platform=linux/arm64 itself when it copies the rootfs.
    BUILD +arm-image --MODEL=rpi64
    DO +RELEASEVERSION
# Go module cache stage shared by `test` and the BUILD_GOLANG callers.
go-deps:
    ARG GO_VERSION
    FROM golang:$GO_VERSION
    WORKDIR /build
    COPY go.mod go.sum ./
    RUN go mod download
    # Written back to the checkout so any go.sum entries added by the download are
    # visible locally — a clean build should produce no diff here.
    SAVE ARTIFACT go.mod AS LOCAL go.mod
    SAVE ARTIFACT go.sum AS LOCAL go.sum
# Runs the Go unit tests under ./internal with ginkgo and exports the coverage profile.
test:
    FROM +go-deps
    WORKDIR /build
    # luet binary comes from the imported kairos Earthfile; the tests invoke it.
    COPY (kairos+luet/luet) /usr/bin/luet
    COPY . .
    RUN go run github.com/onsi/ginkgo/v2/ginkgo --fail-fast --covermode=atomic --coverprofile=coverage.out -p -r ./internal
    SAVE ARTIFACT coverage.out AS LOCAL coverage.out
# Builds one Go binary from this repo and saves it under build/.
# Parameters: BIN (output name, required), SRC (package path, required),
# CGO_ENABLED (0 by default from the global ARG), VERSION (global), LDFLAGS.
BUILD_GOLANG:
    COMMAND
    WORKDIR /build
    COPY . ./
    ARG CGO_ENABLED
    ARG VERSION
    # -s -w strips symbol table and DWARF; -X embeds the build version into the CLI.
    ARG LDFLAGS="-s -w -X 'github.com/kairos-io/provider-kairos/v2/internal/cli.VERSION=$VERSION'"
    ARG BIN
    ARG SRC
    ENV CGO_ENABLED=${CGO_ENABLED}
    # Echoed so the effective flags show up in the build log.
    RUN echo $LDFLAGS
    RUN go build -ldflags "${LDFLAGS}" -o ${BIN} ${SRC}
    SAVE ARTIFACT ${BIN} ${BIN} AS LOCAL build/${BIN}
# Builds the provider binary (repo root package) that PROVIDER_INSTALL ships as
# /system/providers/agent-provider-kairos.
build-kairos-agent-provider:
    FROM +go-deps
    DO +BUILD_GOLANG --BIN=agent-provider-kairos --SRC=./ --CGO_ENABLED=$CGO_ENABLED
# Builds the kairosctl CLI from ./cli/kairosctl.
build-kairosctl:
    FROM +go-deps
    DO +BUILD_GOLANG --BIN=kairosctl --SRC=./cli/kairosctl --CGO_ENABLED=$CGO_ENABLED
# Builds both Go binaries.
build:
    BUILD +build-kairos-agent-provider
    BUILD +build-kairosctl
# Standalone version probe. Duplicates the base-target derivation but with --no-cache,
# so it always reflects the current checkout; keep the two `git describe` calls in sync.
version:
    FROM alpine
    RUN apk add git
    COPY . ./
    RUN --no-cache echo $(git describe --always --tags --dirty) > VERSION
    ARG VERSION=$(cat VERSION)
    SAVE ARTIFACT VERSION VERSION
# Produces the provider container image: the core BASE_IMAGE plus k3s, the provider
# binary and a regenerated /etc/os-release, saved as $IMAGE.
docker:
    ARG FLAVOR
    ARG VARIANT
    FROM $BASE_IMAGE
    DO +PROVIDER_INSTALL
    # Optional override for the version written to os-release; empty means use the
    # git-derived VERSION.
    ARG KAIROS_VERSION
    IF [ "$KAIROS_VERSION" = "" ]
        ARG OS_VERSION=${VERSION}
    ELSE
        ARG OS_VERSION=${KAIROS_VERSION}
    END
    ARG OS_ID
    ARG OS_NAME=${OS_ID}-${FLAVOR}
    ARG OS_REPO=quay.io/kairos/${VARIANT}-${FLAVOR}
    ARG OS_LABEL=latest
    # OSRELEASE comes from the imported kairos Earthfile; OS_VERSION carries the k3s suffix.
    DO kairos+OSRELEASE --BUG_REPORT_URL="https://github.com/kairos-io/kairos/issues/new/choose" --HOME_URL="https://github.com/kairos-io/provider-kairos" --OS_ID=${OS_ID} --OS_LABEL=${OS_LABEL} --OS_NAME=${OS_NAME} --OS_REPO=${OS_REPO} --OS_VERSION=${OS_VERSION}-k3s${K3S_VERSION} --GITHUB_REPO="kairos-io/provider-kairos" --VARIANT=${VARIANT}
    SAVE IMAGE $IMAGE
# This installs the requirements for the provider to be included.
# Made as a command so it can be reused from other targets without depending on this repo BASE_IMAGE
# Runs inside the caller's FROM image and reads the global K3S_VERSION and FLAVOR ARGs.
PROVIDER_INSTALL:
    COMMAND
    # "latest" leaves INSTALL_K3S_VERSION unset so the installer picks its default
    # channel; any other value pins the k3s release it downloads.
    IF [ "$K3S_VERSION" = "latest" ]
    ELSE
        ENV INSTALL_K3S_VERSION=${K3S_VERSION}
    END
    # Per-flavor package prerequisites. A flavor not listed here gets none.
    IF [ "$FLAVOR" = "opensuse-leap" ] || [ "$FLAVOR" = "opensuse-leap-arm-rpi" ]
        RUN zypper ref && zypper in -y nohang
    ELSE IF [ "$FLAVOR" = "alpine-ubuntu" ] || [ "$FLAVOR" = "alpine-opensuse-leap" ] || [ "$FLAVOR" = "alpine-arm-rpi" ]
        RUN apk add grep
    ELSE IF [ "$FLAVOR" = "opensuse-tumbleweed" ] || [ "$FLAVOR" = "opensuse-tumbleweed-arm-rpi" ]
        RUN zypper ref && zypper in -y nohang
    ELSE IF [ "$FLAVOR" = "ubuntu" ] || [ "$FLAVOR" = "ubuntu-20-lts" ] || [ "$FLAVOR" = "ubuntu-22-lts" ] || [ "$FLAVOR" = "debian" ]
        RUN apt-get update && apt-get install -y nohang
    END
    ENV INSTALL_K3S_BIN_DIR="/usr/bin"
    # Fetch-and-run of the upstream k3s installer, once in server mode and once as
    # `agent`, with start/enable skipped because this runs at image-build time.
    # NOTE(review): the installer script itself is taken from get.k3s.io unpinned and
    # without a checksum (TLS is the only integrity control); for auditable release
    # images consider vendoring the script or verifying it against a recorded checksum.
    RUN curl -sfL https://get.k3s.io > installer.sh \
        && INSTALL_K3S_SELINUX_WARN=true INSTALL_K3S_SKIP_START="true" INSTALL_K3S_SKIP_ENABLE="true" INSTALL_K3S_SKIP_SELINUX_RPM="true" bash installer.sh \
        && INSTALL_K3S_SELINUX_WARN=true INSTALL_K3S_SKIP_START="true" INSTALL_K3S_SKIP_ENABLE="true" INSTALL_K3S_SKIP_SELINUX_RPM="true" bash installer.sh agent \
        && rm -rf installer.sh
    # If base image does not bundle a luet config use one
    # TODO: Remove this, use luet config from base images so they are in sync
    IF [ ! -e "/etc/luet/luet.yaml" ]
        COPY repository.yaml /etc/luet/luet.yaml
    END
    # Cluster tooling pulled from the luet repositories configured above.
    RUN luet install -y utils/edgevpn utils/k9s utils/nerdctl container/kubectl utils/kube-vip && luet cleanup
    # Drop env files from k3s as we will generate them
    IF [ -e "/etc/rancher/k3s/k3s.env" ]
        RUN rm -rf /etc/rancher/k3s/k3s.env /etc/rancher/k3s/k3s-agent.env && touch /etc/rancher/k3s/.keep
    END
    # The provider binary built by this repo, plus a `kairos` alias on PATH.
    COPY +build-kairos-agent-provider/agent-provider-kairos /system/providers/agent-provider-kairos
    RUN ln -s /system/providers/agent-provider-kairos /usr/bin/kairos
# Exposes the whole filesystem of the `docker` image as an artifact for the ISO and
# arm image builders.
docker-rootfs:
    FROM +docker
    SAVE ARTIFACT /. rootfs
# Checks out the kairos repository so its ISO overlay and netboot script can be copied.
# NOTE(review): KAIROS_VERSION defaults to the moving `master` branch, and the clone RUN
# is cached, so a rebuild may reuse an older checkout; pass a tag or commit for
# reproducible artifacts.
kairos:
    ARG KAIROS_VERSION=master
    FROM alpine
    RUN apk add git
    WORKDIR /kairos
    RUN git clone https://github.com/kairos-io/kairos /kairos && cd /kairos && git checkout "$KAIROS_VERSION"
    SAVE ARTIFACT /kairos/
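# Builds the bootable ISO from the `docker` rootfs with osbuilder-tools and saves it,
# together with its sha256, under build/.
# NOTE(review): ISO_NAME is redeclared here with ${OS_ID} as default, so unless it is
# passed explicitly the local file is kairos.iso rather than the global
# ${VARIANT}-${FLAVOR}-${VERSION}-k3s${K3S_VERSION} name — confirm this is intended.
iso:
    ARG OSBUILDER_IMAGE
    ARG ISO_NAME=${OS_ID}
    ARG IMG=docker:$IMAGE
    # Directory (relative to /build) receiving the kairos ISO overlay files.
    ARG overlay=overlay/files-iso
    FROM $OSBUILDER_IMAGE
    RUN zypper in -y jq docker
    WORKDIR /build
    COPY . ./
    # Use the ARG rather than a hard-coded path so an overridden --overlay still gets created.
    RUN mkdir -p ${overlay}
    COPY +kairos/kairos/overlay/files-iso/ ./$overlay/
    COPY +docker-rootfs/rootfs /build/image
    RUN /entrypoint.sh --name $ISO_NAME --debug build-iso --date=false dir:/build/image --overlay-iso /build/${overlay} --output /build
    # See: https://github.com/rancher/elemental-cli/issues/228
    RUN sha256sum $ISO_NAME.iso > $ISO_NAME.iso.sha256
    SAVE ARTIFACT /build/$ISO_NAME.iso kairos.iso AS LOCAL build/$ISO_NAME.iso
    SAVE ARTIFACT /build/$ISO_NAME.iso.sha256 kairos.iso.sha256 AS LOCAL build/$ISO_NAME.iso.sha256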
# Unpacks the ISO into netboot artifacts (squashfs, kernel, initrd, iPXE script) using
# the netboot.sh helper from the kairos repository.
# NOTE(review): `opensuse/leap` is an unpinned floating tag.
netboot:
    FROM opensuse/leap
    ARG VERSION
    ARG ISO_NAME
    WORKDIR /build
    COPY +iso/kairos.iso kairos.iso
    COPY . .
    RUN zypper in -y cdrtools
    COPY +kairos/kairos/scripts/netboot.sh ./
    RUN sh netboot.sh kairos.iso $ISO_NAME $VERSION
    SAVE ARTIFACT /build/$ISO_NAME.squashfs squashfs AS LOCAL build/$ISO_NAME.squashfs
    SAVE ARTIFACT /build/$ISO_NAME-kernel kernel AS LOCAL build/$ISO_NAME-kernel
    SAVE ARTIFACT /build/$ISO_NAME-initrd initrd AS LOCAL build/$ISO_NAME-initrd
    SAVE ARTIFACT /build/$ISO_NAME.ipxe ipxe AS LOCAL build/$ISO_NAME.ipxe
# Builds a flashable arm64 disk image for MODEL from the arm64 `docker` rootfs.
# Partition sizes (MB, read by build-arm-image.sh) are chosen per FLAVOR.
arm-image:
    ARG OSBUILDER_IMAGE
    ARG COMPRESS_IMG=true
    FROM $OSBUILDER_IMAGE
    ARG MODEL=rpi64
    ARG IMAGE_NAME=${VARIANT}-${FLAVOR}-${VERSION}-k3s${K3S_VERSION}.img
    WORKDIR /build
    ENV SIZE="15200"
    # NOTE(review): `[[` and `=~` are bash-only; this relies on the osbuilder image's
    # /bin/sh being bash — confirm if the base image ever changes.
    IF [[ "$FLAVOR" = "ubuntu-20-lts-arm-nvidia-jetson-agx-orin" ]]
        ENV STATE_SIZE="14000"
        ENV RECOVERY_SIZE="10000"
        ENV DEFAULT_ACTIVE_SIZE="4500"
    # Matches any flavor starting with "ubunt" (checked after the Jetson special case).
    ELSE IF [[ "$FLAVOR" =~ ^ubuntu* ]]
        ENV STATE_SIZE="6900"
        ENV RECOVERY_SIZE="4600"
        ENV DEFAULT_ACTIVE_SIZE="2700"
    ELSE
        ENV STATE_SIZE="6200"
        ENV RECOVERY_SIZE="4200"
        ENV DEFAULT_ACTIVE_SIZE="2000"
    END
    COPY --platform=linux/arm64 +docker-rootfs/rootfs /build/image
    # With docker is required for loop devices
    # --allow-privileged widens the build sandbox; the earthly invocation must allow it.
    WITH DOCKER --allow-privileged
        RUN /build-arm-image.sh --use-lvm --model $MODEL --directory "/build/image" /build/$IMAGE_NAME
    END
    # xz replaces the .img with .img.xz, so only one of the two branches can save the image.
    IF [ "$COMPRESS_IMG" = "true" ]
        RUN xz -v /build/$IMAGE_NAME
        SAVE ARTIFACT /build/$IMAGE_NAME.xz img AS LOCAL build/$IMAGE_NAME.xz
    ELSE
        SAVE ARTIFACT /build/$IMAGE_NAME img AS LOCAL build/$IMAGE_NAME
    END
    # The .sha256 is not produced here; presumably written by build-arm-image.sh — verify.
    SAVE ARTIFACT /build/$IMAGE_NAME.sha256 img-sha256 AS LOCAL build/$IMAGE_NAME.sha256
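# Provides the syft binary for `image-sbom`.
syft:
    # Made overridable so a pinned tag or digest can be used; the default keeps the
    # previous floating `latest` tag, which makes SBOM output non-reproducible.
    ARG SYFT_IMAGE=anchore/syft:latest
    FROM $SYFT_IMAGE
    SAVE ARTIFACT /syft syft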
# Generates SBOMs (syft JSON and SPDX JSON) of the `docker` image filesystem and
# saves them under build/ named after VARIANT, FLAVOR and TAG.
image-sbom:
    FROM +docker
    WORKDIR /build
    ARG TAG
    ARG FLAVOR
    ARG VARIANT
    # The copied syft binary is itself part of the scanned filesystem.
    COPY +syft/syft /usr/bin/syft
    RUN syft / -o json=sbom.syft.json -o spdx-json=sbom.spdx.json
    SAVE ARTIFACT /build/sbom.syft.json sbom.syft.json AS LOCAL build/${VARIANT}-${FLAVOR}-${TAG}-sbom.syft.json
    SAVE ARTIFACT /build/sbom.spdx.json sbom.spdx.json AS LOCAL build/${VARIANT}-${FLAVOR}-${TAG}-sbom.spdx.json
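# Builds an iPXE ISO and USB image with the netboot iPXE script embedded, so machines
# can chain-load the netboot artifacts.
# NOTE(review): `ubuntu` is a floating tag and the ipxe clone is unpinned (branch tip
# at build time), so this target is not reproducible across runs.
ipxe-iso:
    FROM ubuntu
    # Optional path to a custom iPXE script; empty means use the one from +netboot.
    ARG ipxe_script
    # update and install in one layer so a cached package index can never be paired
    # with a newer install step; apt-get is the stable non-interactive interface.
    RUN apt-get update && apt-get install -y -o Acquire::Retries=50 \
        mtools syslinux isolinux gcc-arm-none-eabi git make gcc liblzma-dev mkisofs xorriso \
        && rm -rf /var/lib/apt/lists/*
    WORKDIR /build
    ARG ISO_NAME=${OS_ID}
    RUN git clone https://github.com/ipxe/ipxe
    IF [ "$ipxe_script" = "" ]
        COPY +netboot/ipxe /build/ipxe/script.ipxe
    ELSE
        COPY $ipxe_script /build/ipxe/script.ipxe
    END
    RUN cd ipxe/src && make EMBED=/build/ipxe/script.ipxe
    SAVE ARTIFACT /build/ipxe/src/bin/ipxe.iso iso AS LOCAL build/${ISO_NAME}-ipxe.iso.ipxe
    SAVE ARTIFACT /build/ipxe/src/bin/ipxe.usb usb AS LOCAL build/${ISO_NAME}-ipxe-usb.img.ipxe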
## Security targets
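# Provides the trivy binary for `trivy-scan`.
trivy:
    # Made overridable so a pinned tag or digest can be used; the default keeps the
    # previous untagged (floating) reference.
    ARG TRIVY_IMAGE=aquasec/trivy
    FROM $TRIVY_IMAGE
    SAVE ARTIFACT /usr/local/bin/trivy /trivy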
# Scans the `docker` image filesystem with trivy and fails the build on findings at or
# above SEVERITY (default CRITICAL only; pass --SEVERITY=HIGH,CRITICAL to widen).
# Not part of `all`/`ci`; run it explicitly.
trivy-scan:
    ARG SEVERITY=CRITICAL
    FROM +docker
    COPY +trivy/trivy /trivy
    RUN /trivy filesystem --severity $SEVERITY --exit-code 1 --no-progress /