diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 7eb205f..0b363cc 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -21,6 +21,7 @@ jobs:
 id: get-TAG
 run: |
 echo "$(make -s log | grep TAG)" >> "$GITHUB_ENV"
+
 - name: Build container image
 uses: docker/build-push-action@v6
 with:
@@ -28,6 +29,18 @@ jobs:
 push: false
 tags: rancher/hardened-multus-cni:${{ env.TAG }}-amd64
 file: Dockerfile
+ target: multus-cni
+ build-args: |
+ TAG=${{ env.TAG }}
+
+ - name: Build thick plugin image
+ uses: docker/build-push-action@v6
+ with:
+ context: .
+ push: false
+ tags: rancher/hardened-multus-thick:${{ env.TAG }}-amd64
+ file: Dockerfile
+ target: multus-thick
 build-args: |
 TAG=${{ env.TAG }}
@@ -40,6 +53,7 @@ jobs:
 severity: 'CRITICAL,HIGH'
 format: 'sarif'
 output: 'trivy-results.sarif'
+
 - name: Upload Trivy scan results to GitHub Security tab
 uses: github/codeql-action/upload-sarif@v3
 if: always()
@@ -69,6 +83,20 @@ jobs:
 push: false
 tags: rancher/hardened-multus-cni:${{ env.TAG }}-arm64
 file: Dockerfile
+ target: multus-cni
+ outputs: type=docker
+ platforms: linux/arm64
+ build-args: |
+ TAG=${{ env.TAG }}
+
+ - name: Build thick plugin image
+ uses: docker/build-push-action@v6
+ with:
+ context: .
+ push: false
+ tags: rancher/hardened-multus-thick:${{ env.TAG }}-arm64
+ file: Dockerfile
+ target: multus-thick
 outputs: type=docker
 platforms: linux/arm64
 build-args: |
diff --git a/Dockerfile b/Dockerfile
index ddcc52d..e776a74 100644
--- a/Dockerfile
+++ b/Dockerfile
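Review bot: The new `Build thick plugin image` step produces `rancher/hardened-multus-thick:${{ env.TAG }}-amd64`, but nothing in this change adds a vulnerability scan for it; the Trivy step visible further down (`severity: 'CRITICAL,HIGH'`, `format: 'sarif'`, `output: 'trivy-results.sarif'`) is the single pre-existing one, and its `image-ref` is outside the hunk, so it presumably still points only at the cni image. If so, the thick image, which ships a long-running daemon rather than a one-shot CNI binary, reaches the registry path without a scan or a SARIF upload. Add a second scan step with `image-ref: rancher/hardened-multus-thick:${{ env.TAG }}-amd64` and a distinct `output:` file, plus a matching upload-sarif step, or drive the build and scan steps from one matrix so the set of scanned images cannot drift from the set built.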
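Review bot: The arm64 thick step added here repeats the amd64 step line for line apart from `platforms: linux/arm64` and `outputs: type=docker`, and both jobs now carry two near-identical `docker/build-push-action@v6` blocks that differ only in `target:` and the image name, so every future Dockerfile stage costs four more copies. A `strategy.matrix` with `target: [multus-cni, multus-thick]` and a tag built from a matrix variable, e.g. `tags: rancher/hardened-${{ matrix.image }}:${{ env.TAG }}-arm64`, would keep one build step per job and make it harder to add an image without also scanning it. The job header and earlier steps are outside the hunk, so whether a matrix already exists cannot be confirmed from here.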
@@ -1,9 +1,9 @@
 ARG GO_IMAGE=rancher/hardened-build-base:v1.21.11b3
 # Image that provides cross compilation tooling.
-FROM --platform=$BUILDPLATFORM rancher/mirrored-tonistiigi-xx:1.3.0 as xx
+FROM --platform=$BUILDPLATFORM rancher/mirrored-tonistiigi-xx:1.3.0 AS xx
-FROM --platform=$BUILDPLATFORM ${GO_IMAGE} as base-builder
+FROM --platform=$BUILDPLATFORM ${GO_IMAGE} AS base-builder
 # copy xx scripts to your build stage
 COPY --from=xx / /
 RUN apk add file make git clang lld patch
@@ -12,7 +12,7 @@ RUN set -x && \
 xx-apk --no-cache add musl-dev gcc lld
 # Build the multus project
-FROM base-builder as multus-builder
+FROM base-builder AS multus-builder
 ARG TAG=v4.1.0
 ARG SRC=github.com/k8snetworkplumbingwg/multus-cni
 ARG PKG=github.com/k8snetworkplumbingwg/multus-cni
@@ -28,17 +28,19 @@ RUN xx-go --wrap && \
 ./hack/build-go.sh
 RUN xx-verify --static bin/thin_entrypoint bin/multus
-FROM ${GO_IMAGE} as strip_binary
+FROM ${GO_IMAGE} AS strip_binary
 #strip needs to run on TARGETPLATFORM, not BUILDPLATFORM
 COPY --from=multus-builder /go/src/github.com/k8snetworkplumbingwg/multus-cni/bin/thin_entrypoint /thin_entrypoint
 COPY --from=multus-builder /go/src/github.com/k8snetworkplumbingwg/multus-cni/bin/multus /multus
 COPY --from=multus-builder /go/src/github.com/k8snetworkplumbingwg/multus-cni/bin/kubeconfig_generator /kubeconfig_generator
 COPY --from=multus-builder /go/src/github.com/k8snetworkplumbingwg/multus-cni/bin/cert-approver /cert-approver
 COPY --from=multus-builder /go/src/github.com/k8snetworkplumbingwg/multus-cni/bin/install_multus /install_multus
-RUN strip /thin_entrypoint /multus /kubeconfig_generator /cert-approver /install_multus
+COPY --from=multus-builder /go/src/github.com/k8snetworkplumbingwg/multus-cni/bin/multus-daemon /multus-daemon
+COPY --from=multus-builder /go/src/github.com/k8snetworkplumbingwg/multus-cni/bin/multus-shim /multus-shim
+RUN strip /thin_entrypoint /multus /kubeconfig_generator /cert-approver /install_multus /multus-daemon /multus-shim
 # Create the multus image
-FROM scratch as multus-cni
+FROM scratch AS multus-cni
 COPY --from=strip_binary /multus /usr/src/multus-cni/bin/multus
 COPY --from=multus-builder /go/src/github.com/k8snetworkplumbingwg/multus-cni/LICENSE /usr/src/multus-cni/LICENSE
 COPY --from=strip_binary /thin_entrypoint /
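Review bot: `multus-daemon` and `multus-shim` are now copied out of the builder and stripped, but the context line `RUN xx-verify --static bin/thin_entrypoint bin/multus` at the top of the hunk still verifies only the two original binaries, so a daemon or shim that picked up a dynamic dependency would pass the build and only fail at runtime inside the `FROM scratch` stages, which carry no libc. Extend the check to the new artifacts: `RUN xx-verify --static bin/thin_entrypoint bin/multus bin/multus-daemon bin/multus-shim`. `kubeconfig_generator`, `cert-approver` and `install_multus` are likewise copied and stripped without being verified, so the same line could close that pre-existing gap as well. The `multus-builder` stage begins in the previous hunk.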
@@ -46,3 +48,10 @@ COPY --from=strip_binary /kubeconfig_generator /
 COPY --from=strip_binary /cert-approver /
 COPY --from=strip_binary /install_multus /
 ENTRYPOINT ["/thin_entrypoint"]
+
+# Create the thick plugin image
+FROM scratch AS multus-thick
+COPY --from=multus-builder /go/src/github.com/k8snetworkplumbingwg/multus-cni/LICENSE /usr/src/multus-cni/LICENSE
+COPY --from=strip_binary /multus-daemon /usr/src/multus-cni/bin/multus-daemon
+COPY --from=strip_binary /multus-shim /usr/src/multus-cni/bin/multus-shim
+ENTRYPOINT [ "/usr/src/multus-cni/bin/multus-daemon" ]
\ No newline at end of file
diff --git a/Makefile b/Makefile
index 0b4cd36..9d56ab1 100644
--- a/Makefile
+++ b/Makefile
@@ -24,7 +24,7 @@ ifeq (,$(filter %$(BUILD_META),$(TAG)))
 $(error TAG $(TAG) needs to end with build metadata: $(BUILD_META))
 endif
-.PHONY: image-build
+.PHONY: image-build-thin
 image-build:
 docker buildx build \
 --platform=$(ARCH) \
@@ -37,6 +37,19 @@ image-build:
 --load \
 .
+.PHONY: image-build-thick
+image-build-thick:
+ docker buildx build \
+ --platform=$(ARCH) \
+ --build-arg PKG=$(PKG) \
+ --build-arg SRC=$(SRC) \
+ --build-arg TAG=$(TAG:$(BUILD_META)=) \
+ --target multus-thick \
+ --tag $(ORG)/hardened-multus-thick:$(TAG) \
+ --tag $(ORG)/hardened-multus-thick:$(TAG)-$(ARCH) \
+ --load \
+ .
+
 .PHONY: image-push
 image-push:
 docker push $(ORG)/hardened-multus-cni:$(TAG)-$(ARCH)
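Review bot: The new `multus-thick` stage ends without a trailing newline (`\ No newline at end of file` after `ENTRYPOINT [ "/usr/src/multus-cni/bin/multus-daemon" ]`); add it so the next stage appended to the file is not glued onto the ENTRYPOINT line and the file stays consistent with the `multus-cni` stage above. A short stage comment would also help, since this image deliberately omits `thin_entrypoint` and `install_multus`: `# thick mode: only the daemon and shim ship here; no entrypoint script installs the shim into the host CNI dir` — worded to match what the upstream daemon actually does, which this diff does not show. Being `FROM scratch`, the stage has no CA bundle, shell or writable `/tmp`, which is fine only if the daemon needs nothing beyond the mounted service-account credentials and its config; worth confirming rather than assuming.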
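Review bot: `.PHONY: image-build` is renamed to `.PHONY: image-build-thin` while the rule on the next line is still `image-build:`, so `image-build` loses its phony declaration (a file or directory named `image-build` in the repo root would silently turn it into a no-op) and `image-build-thin` declares a target that does not exist. Either restore `.PHONY: image-build`, or rename the rule to `image-build-thin:` and keep `image-build: image-build-thin` for existing callers, and check that any CI invocation of `make image-build` is updated to match.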
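Review bot: `image-build-thick` tags and `--load`s `$(ORG)/hardened-multus-thick:$(TAG)-$(ARCH)`, but the `image-push` target that follows still pushes only `$(ORG)/hardened-multus-cni:$(TAG)-$(ARCH)`, so the thick image can be built but not published through the Makefile; the remainder of `image-push` is outside the hunk, so confirm there is no second push line there before adding `docker push $(ORG)/hardened-multus-thick:$(TAG)-$(ARCH)` to it or introducing an `image-push-thick` target. The new rule also duplicates the `image-build` recipe except for `--target` and the image name, as far as the visible context shows; a `define`/`$(call)` helper taking those two values would stop the two build recipes from drifting apart.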