ory · Demonsthere · Nov 30, 2021 · Nov 29, 2021 · Nov 29, 2021 · Nov 29, 2021
@@ -0,0 +1,2 @@
+*
+!.gitignore
@@ -14,11 +14,13 @@ kube-builder: &install-kube-builder
     # (you'll need to set the KUBEBUILDER_ASSETS env var if you put it somewhere else)
     sudo mv /tmp/kubebuilder_2.3.2_${os}_${arch} /usr/local/kubebuilder
     export PATH=$PATH:/usr/local/kubebuilder/bin
+golaing_image: &golang_image
+  image: circleci/golang:1.16.10
 version: 2
 jobs:
   build:
     docker:
-      - image: circleci/golang:1.15
+      - <<: *golang_image
     working_directory: /go/src/github.com/ory/hydra-maester
     steps:
       - checkout
@@ -27,7 +29,7 @@ jobs:
       - run: make
   test:
     docker:
-      - image: circleci/golang:1.15
+      - <<: *golang_image
     working_directory: /go/src/github.com/ory/hydra-maester
     steps:
       - checkout
@@ -42,8 +44,8 @@ jobs:
           name: Update golang
           command: |
             sudo rm -rf /usr/local/go/
-            curl -LO https://dl.google.com/go/go1.15.11.linux-amd64.tar.gz
-            sudo tar -C /usr/local -xzf go1.15.11.linux-amd64.tar.gz
+            curl -LO https://go.dev/dl/go1.16.10.linux-amd64.tar.gz
+            sudo tar -C /usr/local -xzf go1.16.10.linux-amd64.tar.gz
             sudo echo "export PATH=$PATH:/usr/local/go/bin" >> $HOME/.profile
             go version
       - run:
@@ -73,7 +75,7 @@ jobs:
 
   release:
     docker:
-      - image: circleci/golang:1.15
+      - <<: *golang_image
     working_directory: /go/src/github.com/ory/hydra-maester
     steps:
       - checkout

@@ -0,0 +1,52 @@
+name: Docker Image Scan
+on:
+  push:
+    branches:
+      - 'master'
+    tags:
+      - 'v*.*.*'
+  pull_request:
+    branches:
+      - 'master'
+
+jobs:
+  docker:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+      - uses: actions/setup-go@v2
+        name: Setup Golang
+        with:
+          go-version: '^1.16'
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v1
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v1
+      - name: Fetch kube-builder
+        shell: bash
+        run: |
+          os=$(go env GOOS)
+          arch=$(go env GOARCH)
+          curl -sL https://github.com/kubernetes-sigs/kubebuilder/releases/download/v2.3.2/kubebuilder_2.3.2_${os}_${arch}.tar.gz | tar -xz -C /tmp/
+          sudo mv /tmp/kubebuilder_2.3.2_${os}_${arch} /usr/local/kubebuilder
+          export PATH=$PATH:/usr/local/kubebuilder/bin
+          kubebuilder version
+      - name: Build images
+        shell: bash
+        run: |
+          make docker-build-notest
+      - name: Anchore Scan
+        uses: anchore/scan-action@v3
+        with:
+          image: controller:latest
+          fail-build: true
+      - name: Trivy Scan
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: controller:latest
+          format: 'table'
+          exit-code: '42'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
@@ -1,6 +1,11 @@
+FROM golang:1.16 as builder
+WORKDIR /go/src/app
+COPY . .
+RUN make manager
+
 # Use distroless as minimal base image to package the manager binary
 # Refer to https://github.com/GoogleContainerTools/distroless for more details
 FROM gcr.io/distroless/static:latest
-COPY manager .
+COPY --from=builder /go/src/app/manager .
 USER 1000
 ENTRYPOINT ["/manager"]
@@ -1,94 +1,137 @@
+ifeq ($(OS),Windows_NT)
+	ifeq ($(PROCESSOR_ARCHITECTURE),AMD64)
+		ARCH=amd64
+		OS=windows
+	endif
+else
+	UNAME_S := $(shell uname -s)
+	ifeq ($(UNAME_S),Linux)
+		OS=linux
+		ARCH=amd64
+	endif
+	ifeq ($(UNAME_S),Darwin)
+		OS=darwin
+		ARCH=amd64
+	endif
+endif
 
+HELL=/bin/bash -o pipefail
 # Image URL to use all building/pushing image targets
 IMG ?= controller:latest
 # Produce CRDs that work back to Kubernetes 1.11 (no version conversion)
 CRD_OPTIONS ?= "crd:trivialVersions=true,crdVersions=v1"
 
 run-with-cleanup = $(1) && $(2) || (ret=$$?; $(2) && exit $$ret)
 
+.PHONY: all
 all: manager
 
 # Run tests
+.PHONY: test
 test: generate fmt vet manifests
 	go test ./api/... ./controllers/... ./hydra/... ./helpers/... -coverprofile cover.out
 
 # Start KIND pseudo-cluster
+.PHONY: kind-start
 kind-start:
 	GO111MODULE=on go get "sigs.k8s.io/[email protected]" && kind create cluster
 
 # Stop KIND pseudo-cluster
+.PHONY: kind-stop
 kind-stop:
 	GO111MODULE=on go get "sigs.k8s.io/[email protected]" && kind delete cluster
 
 # Deploy on KIND
 # Ensures the controller image is built, deploys the image to KIND cluster along with necessary configuration
+.PHONY: kind-deploy
 kind-deploy: manager manifests docker-build-notest kind-start
 	kubectl config set-context kind-kind
 	kind load docker-image controller:latest
 	kubectl apply -f config/crd/bases
 	kustomize build config/default | kubectl apply -f -
 
 # private
+.PHONY: kind-test
 kind-test: kind-deploy
 	kubectl config set-context kind-kind
 	go get github.com/onsi/ginkgo/ginkgo
 	ginkgo -v ./controllers/...
 
 # Run integration tests on local KIND cluster
+.PHONY: test-integration
 test-integration:
 	$(call run-with-cleanup, $(MAKE) kind-test, $(MAKE) kind-stop)
 
 # Build manager binary
+.PHONY: manager
 manager: generate fmt vet
 	CGO_ENABLED=0 GO111MODULE=on GOOS=linux GOARCH=amd64 go build -a -o manager main.go
 
 # Run against the configured Kubernetes cluster in ~/.kube/config
+.PHONY: run
 run: generate fmt vet
 	go run ./main.go --hydra-url ${HYDRA_URL}
 
 # Install CRDs into a cluster
+.PHONY: install
 install: manifests
 	kubectl apply -f config/crd/bases
 
 # Deploy controller in the configured Kubernetes cluster in ~/.kube/config
+.PHONY: deploy
 deploy: manifests
 	kubectl apply -f config/crd/bases
 	kustomize build config/default | kubectl apply -f -
 
 # Generate manifests e.g. CRD, RBAC etc.
+.PHONY: manifests
 manifests: controller-gen
 	$(CONTROLLER_GEN) $(CRD_OPTIONS) rbac:roleName=manager-role webhook paths="./..." output:crd:artifacts:config=config/crd/bases
 
 # Run go fmt against code
+.PHONY: fmt
 fmt:
 	go fmt ./...
 
 # Run go vet against code
+.PHONY: vet
 vet:
 	go vet ./...
 
 # Generate code
+.PHONY: generate
 generate: controller-gen
 	$(CONTROLLER_GEN) object:headerFile=./hack/boilerplate.go.txt paths=./api/...
 
 # Build the docker image
-docker-build-notest: manager
+.PHONY: docker-build-notest
+docker-build-notest:
 	docker build . -t ${IMG}
 	@echo "updating kustomize image patch file for manager resource"
 	sed -i'' -e 's@image: .*@image: '"${IMG}"'@' ./config/default/manager_image_patch.yaml
 
+.PHONY: docker-build
 docker-build: test docker-build-notest
 
 # Push the docker image
+.PHONY: docker-push
 docker-push:
 	docker push ${IMG}
 
 # find or download controller-gen
 # download controller-gen if necessary
+.PHONY: controller-gen
 controller-gen:
 ifeq (, $(shell which controller-gen))
 	go get sigs.k8s.io/controller-tools/cmd/[email protected]
 CONTROLLER_GEN=$(shell which controller-gen)
 else
 CONTROLLER_GEN=$(shell which controller-gen)
 endif
+
+# Download and setup kubebuilder
+.PHONY: kubebuilder
+kubebuilder:
+	curl -sL https://github.com/kubernetes-sigs/kubebuilder/releases/download/v2.3.2/kubebuilder_2.3.2_${OS}_${ARCH}.tar.gz | tar -xz -C /tmp/
+	mv /tmp/kubebuilder_2.3.2_${OS}_${ARCH} ${PWD}/.bin/kubebuilder
+	export PATH=${PATH}:${PWD}/.bin/kubebuilder/bin
@@ -1,20 +1,23 @@
 module github.com/ory/hydra-maester
 
-go 1.15
+go 1.16
 
 require (
 	github.com/go-logr/logr v0.4.0
 	github.com/go-openapi/runtime v0.19.28
+	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/onsi/ginkgo v1.16.4
 	github.com/onsi/gomega v1.10.2
 	github.com/pkg/errors v0.9.1
 	github.com/stretchr/testify v1.6.1
+	golang.org/x/crypto v0.0.0-20201216223049-8b5274cf687f // indirect
 	golang.org/x/net v0.0.0-20201110031124-69a78807bb2b
+	golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c // indirect
+	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect
 	k8s.io/api v0.20.2
 	k8s.io/apiextensions-apiserver v0.20.1
 	k8s.io/apimachinery v0.20.2
 	k8s.io/client-go v0.20.2
 	k8s.io/utils v0.0.0-20210305010621-2afb4311ab10
 	sigs.k8s.io/controller-runtime v0.8.3
-	sigs.k8s.io/kind v0.11.1 // indirect
 )