
Commit 9b5964a

authoredMay 14, 2024··
Generated commit to update templated files based on rev effd218 in stackabletech/operator-templating repo. (#594)
Triggered by: Manual run triggered by: Maleware with message [Rollout of Multi-Architecture CI/CD Pipeline, beku.py fixes as well as removing nix from CI/CD]
1 parent c387429 commit 9b5964a

8 files changed

+137
-339
lines changed
 

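--- a/.actionlint.yaml
+++ b/.actionlint.yaml
@@ -0,0 +1,6 @@
+---
+self-hosted-runner:
+# BuildJet machines we are using
+labels:
+- buildjet-2vcpu-ubuntu-2204-arm
+- buildjet-4vcpu-ubuntu-2204-arm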

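--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -42,7 +42,7 @@ jobs:
 with:
 packages: protobuf-compiler krb5-user libkrb5-dev libclang-dev liblzma-dev libssl-dev pkg-config
 version: 1.0
-- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+- uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
 with:
 submodules: recursive
 - uses: dtolnay/rust-toolchain@d8352f6b1d2e870bc5716e7a6d9b65c4cc244a1a
@@ -111,7 +111,7 @@ jobs:
 continue-on-error: ${{ matrix.checks == 'advisories' }}
 
 steps:
-- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+- uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
 with:
 submodules: recursive
 - uses: EmbarkStudios/cargo-deny-action@3f4a782664881cf5725d0ffd23969fcce89fd868 # v1.6.3
@@ -122,7 +122,7 @@ jobs:
 name: Run Rustfmt
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+- uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
 with:
 submodules: recursive
 - uses: dtolnay/rust-toolchain@d8352f6b1d2e870bc5716e7a6d9b65c4cc244a1a
@@ -140,7 +140,7 @@ jobs:
 with:
 packages: protobuf-compiler krb5-user libkrb5-dev libclang-dev liblzma-dev libssl-dev pkg-config
 version: 1.0
-- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+- uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
 with:
 submodules: recursive
 - uses: dtolnay/rust-toolchain@d8352f6b1d2e870bc5716e7a6d9b65c4cc244a1a
@@ -175,8 +175,7 @@ jobs:
 with:
 packages: protobuf-compiler krb5-user libkrb5-dev libclang-dev liblzma-dev libssl-dev pkg-config
 version: 1.0
-- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
-- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+- uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
 with:
 submodules: recursive
 - uses: dtolnay/rust-toolchain@d8352f6b1d2e870bc5716e7a6d9b65c4cc244a1a
@@ -198,7 +197,7 @@ jobs:
 with:
 packages: protobuf-compiler krb5-user libkrb5-dev libclang-dev liblzma-dev libssl-dev pkg-config
 version: 1.0
-- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+- uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
 with:
 submodules: recursive
 - uses: dtolnay/rust-toolchain@d8352f6b1d2e870bc5716e7a6d9b65c4cc244a1a
@@ -218,11 +217,10 @@ jobs:
 name: Check if committed README is the one we would render from the available parts
 runs-on: ubuntu-latest
 steps:
-- name: Checkout
-uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+- uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
 with:
 submodules: recursive
-- uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # tag=v5.1.0
+- uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
 with:
 python-version: '3.12'
 - name: Install jinja2-cli
@@ -257,8 +255,7 @@ jobs:
 with:
 packages: protobuf-compiler krb5-user libkrb5-dev libclang-dev liblzma-dev libssl-dev pkg-config
 version: 1.0
-- name: Checkout
-uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+- uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
 with:
 submodules: recursive
 - name: Set up Helm
@@ -301,11 +298,14 @@ jobs:
 run: echo All tests have passed!
 
 package_and_publish:
-name: Package Charts, Build Docker Image and publish them
+name: Package Charts, Build Docker Image and publish them - ${{ matrix.runner }}
 needs:
 - tests_passed
 - select_helm_repo
-runs-on: ubuntu-latest
+strategy:
+matrix:
+runner: ["ubuntu-latest", "buildjet-2vcpu-ubuntu-2204-arm"]
+runs-on: ${{ matrix.runner }}
 permissions:
 id-token: write
 env:
@@ -324,11 +324,10 @@ jobs:
 with:
 packages: protobuf-compiler krb5-user libkrb5-dev libclang-dev liblzma-dev libssl-dev pkg-config
 version: 1.0
-- name: Checkout
-uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+- uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
 with:
 submodules: recursive
-- uses: cachix/install-nix-action@8887e596b4ee1134dae06b98d573bd674693f47c # tag=v26
+- uses: cachix/install-nix-action@8887e596b4ee1134dae06b98d573bd674693f47c # v26
 - uses: dtolnay/rust-toolchain@d8352f6b1d2e870bc5716e7a6d9b65c4cc244a1a
 with:
 toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }}
@@ -344,15 +343,25 @@ jobs:
 if: ${{ github.event_name == 'pull_request' }}
 run: cargo set-version --offline --workspace 0.0.0-pr${{ github.event.pull_request.number }}
 
-# Recreate charts and publish charts and docker image. The "-e" is needed as we want to override the
-# default value in the makefile if called from this action, but not otherwise (i.e. when called locally).
-# This is needed for the HELM_REPO variable.
+# Recreate charts and publish charts and docker image. The "-e" is needed as we want to override the
+# default value in the makefile if called from this action, but not otherwise (i.e. when called locally).
+# This is needed for the HELM_REPO variable.
 - name: Install cosign
-uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # tag=v3.5.0
+uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
 - name: Install syft
 uses: anchore/sbom-action/download-syft@7ccf588e3cf3cc2611714c2eeae48550fbc17552 # v0.15.11
 - name: Build Docker image and Helm chart
-run: make -e build
+run: |
+# Installing helm on BuildJet only
+if [ "$(arch)" = "aarch64" ]; then
+curl https://baltocdn.com/helm/signing.asc | gpg --dearmor | sudo tee /usr/share/keyrings/helm.gpg > /dev/null
+sudo apt-get -y install apt-transport-https --yes
+echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/helm.gpg] https://baltocdn.com/helm/stable/debian/ all main" | sudo tee /etc/apt/sources.list.d/helm-stable-debian.list
+sudo apt-get -y update
+sudo apt-get -y install helm
+fi
+
+make -e build
 - name: Publish Docker image and Helm chart
 if: ${{ !github.event.pull_request.head.repo.fork }}
 run: make -e publish
@@ -362,10 +371,48 @@ jobs:
 if: ${{ !github.event.pull_request.head.repo.fork }}
 run: echo "IMAGE_TAG=$(make -e print-docker-tag)" >> $GITHUB_OUTPUT
 
+create_manifest_list:
+name: Build and publish manifest list
+needs:
+- package_and_publish
+runs-on: ubuntu-latest
+permissions:
+id-token: write
+env:
+NEXUS_PASSWORD: ${{ secrets.NEXUS_PASSWORD }}
+OCI_REGISTRY_SDP_PASSWORD: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }}
+OCI_REGISTRY_SDP_USERNAME: "robot$sdp+github-action-build"
+OCI_REGISTRY_SDP_CHARTS_PASSWORD: ${{ secrets.HARBOR_ROBOT_SDP_CHARTS_GITHUB_ACTION_BUILD_SECRET }}
+OCI_REGISTRY_SDP_CHARTS_USERNAME: "robot$sdp-charts+github-action-build"
+steps:
+- name: Install cosign
+uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
+- name: Checkout
+uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+with:
+submodules: recursive
+# This step checks if the current run was triggered by a push to a pr (or a pr being created).
+# If this is the case it changes the version of this project in all Cargo.toml files to include the suffix
+# "-pr<prnumber>" so that the published artifacts can be linked to this PR.
+- uses: stackabletech/cargo-install-action@main
+with:
+crate: cargo-edit
+bin: cargo-set-version
+- name: Update version if PR
+if: ${{ github.event_name == 'pull_request' }}
+run: cargo set-version --offline --workspace 0.0.0-pr${{ github.event.pull_request.number }}
+- name: Build manifest list
+run: |
+# Creating manifest list
+make -e docker-manifest-list-build
+# Pushing and signing manifest list
+make -e docker-manifest-list-publish
+
 openshift_preflight:
 name: Run the OpenShift Preflight check on the published images
 if: ${{ !github.event.pull_request.head.repo.fork }}
 needs:
+- create_manifest_list
 - package_and_publish
 runs-on: ubuntu-latest
 env:
@@ -380,4 +427,4 @@ jobs:
 ARCH_FOR_PREFLIGHT="$(arch | sed -e 's#x86_64#amd64#' | sed -e 's#aarch64#arm64#')"
 ./preflight-linux-amd64 check container "$IMAGE_TAG" --platform "${ARCH_FOR_PREFLIGHT}" > preflight.out
 - name: "Passed?"
-run: '[ "$(./preflight-linux-amd64 check container "$IMAGE_TAG" --platform "${ARCH_FOR_PREFLIGHT}" | jq -r .passed)" == true ]'
+run: '[ "$(cat preflight.out | jq -r .passed)" == true ]'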
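Review bot: The new `create_manifest_list` job still pins `actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4` (new line 391) while every other checkout step in this commit was moved to the v4.1.5 SHA, so the job pulls a different action revision than the rest of the workflow; change it to `uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5`. In the "Build Docker image and Helm chart" step the helm bootstrap fetches the apt signing key with a bare `curl`; without `--fail` a non-2xx response body would be piped straight into `gpg --dearmor` and written to the keyring, and `sudo apt-get -y install helm` takes whatever version the repository currently serves, so the arm64 leg is not reproducible the way the SHA-pinned actions are (`curl -fsSL https://baltocdn.com/helm/signing.asc | ...` and a pinned `helm=<version>` would address both). The `package_and_publish` matrix now runs `make -e publish` on both runners, and the Makefile in this commit defines `publish: docker-publish helm-publish`, so the Helm chart is published twice per run; whether helm-publish tolerates the second push is not visible here. `sudo apt-get -y install apt-transport-https --yes` passes the same flag twice. The per-arch `IMAGE_TAG` output consumed by `openshift_preflight` comes from a matrix job, so only one leg's value survives; the preflight step that reads it is outside this hunk.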

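--- a/.github/workflows/general_daily_security.yml
+++ b/.github/workflows/general_daily_security.yml
@@ -14,7 +14,7 @@ jobs:
 audit:
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+- uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
 - uses: rustsec/audit-check@dd51754d4e59da7395a4cd9b593f0ff2d61a9b95 # v1.4.1
 with:
 token: ${{ secrets.GITHUB_TOKEN }}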

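--- a/.github/workflows/pr_reviewdog.yaml
+++ b/.github/workflows/pr_reviewdog.yaml
@@ -18,15 +18,15 @@ jobs:
 actionlint:
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
-- uses: reviewdog/action-actionlint@51bfb044ddaed55059d16f14daedbe05a9937dc1 # v1.45.0
+- uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
+- uses: reviewdog/action-actionlint@89a03f6ba8c0a9fd238e82c075ffb34b86e40291 # v1.46.0
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}
 
 flake8:
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+- uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
 - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # tag=v5.1.0
 with:
 python-version: "3.12"
@@ -37,15 +37,15 @@ jobs:
 hadolint:
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+- uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
 - uses: reviewdog/action-hadolint@13c293e6679cd4c90fa41dd5155fb067a28c0a5f # v1.41.1
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}
 
 markdownlint:
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+- uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
 - uses: reviewdog/action-markdownlint@5bc6ad5ba9e1250878f351bafcc7ac0a11dc050f # v0.18.0
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}
@@ -54,23 +54,23 @@ jobs:
 shellcheck:
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+- uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
 - uses: reviewdog/action-shellcheck@72365a51bf6476fe952a117c3ff703eb7775e40a # v1.20.0
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}
 
 yamllint:
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+- uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
 - uses: reviewdog/action-yamllint@8d79c3d034667db2792e328936811ed44953d691 # v1.14.0
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}
 
 misspell:
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+- uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
 - uses: reviewdog/action-misspell@5bd7be2fc7ae56a517184f5c4bbcf2fd7afe3927 # v1.17.0
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}
@@ -82,7 +82,7 @@ jobs:
 languagetool:
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+- uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
 - uses: reviewdog/action-languagetool@73e4df96aa7b1b741a32ee2e1fff3405d3461583 # v1.14.0
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}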

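--- a/.gitignore
+++ b/.gitignore
@@ -17,3 +17,5 @@ tilt_options.json
 .direnv/
 .direnvrc
 .envrc
+
+.DS_Store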

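--- a/Makefile
+++ b/Makefile
@@ -12,6 +12,7 @@
 TAG := $(shell git rev-parse --short HEAD)
 OPERATOR_NAME := trino-operator
 VERSION := $(shell cargo metadata --format-version 1 | jq -r '.packages[] | select(.name=="stackable-${OPERATOR_NAME}") | .version')
+ARCH := $(shell arch | sed -e 's#x86_64#amd64#' | sed -e 's#aarch64#arm64#')
 
 DOCKER_REPO := docker.stackable.tech
 ORGANIZATION := stackable
@@ -30,17 +31,17 @@ render-readme:
 
 ## Docker related targets
 docker-build:
-docker build --force-rm --build-arg VERSION=${VERSION} -t "${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}:${VERSION}" -f docker/Dockerfile .
-docker tag "${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}:${VERSION}" "${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}:${VERSION}"
+docker build --force-rm --build-arg VERSION=${VERSION} -t "${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}:${VERSION}-${ARCH}" -f docker/Dockerfile .
+docker tag "${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}:${VERSION}-${ARCH}" "${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}:${VERSION}-${ARCH}"
 
 docker-publish:
 # Push to Nexus
 echo "${NEXUS_PASSWORD}" | docker login --username github --password-stdin "${DOCKER_REPO}"
 DOCKER_OUTPUT=$$(docker push --all-tags "${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}");\
 # Obtain the digest of the pushed image from the output of `docker push`, because signing by tag is deprecated and will be removed from cosign in the future\
-REPO_DIGEST_OF_IMAGE=$$(echo "$$DOCKER_OUTPUT" | awk '/^${VERSION}: digest: sha256:[0-9a-f]{64} size: [0-9]+$$/ { print $$3 }');\
+REPO_DIGEST_OF_IMAGE=$$(echo "$$DOCKER_OUTPUT" | awk '/^${VERSION}-${ARCH}: digest: sha256:[0-9a-f]{64} size: [0-9]+$$/ { print $$3 }');\
 if [ -z "$$REPO_DIGEST_OF_IMAGE" ]; then\
-echo 'Could not find repo digest for container image: ${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}:${VERSION}';\
+echo 'Could not find repo digest for container image: ${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}:${VERSION}-${ARCH}';\
 exit 1;\
 fi;\
 # This generates a signature and publishes it to the registry, next to the image\
@@ -51,8 +52,8 @@ docker-publish:
 # Determine the PURL for the container image\
 PURL="pkg:docker/${ORGANIZATION}/${OPERATOR_NAME}@$$REPO_DIGEST_OF_IMAGE?repository_url=${DOCKER_REPO}";\
 # Get metadata from the image\
-IMAGE_DESCRIPTION=$$(docker inspect --format='{{.Config.Labels.description}}' "${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}:${VERSION}");\
-IMAGE_NAME=$$(docker inspect --format='{{.Config.Labels.name}}' "${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}:${VERSION}");\
+IMAGE_DESCRIPTION=$$(docker inspect --format='{{.Config.Labels.description}}' "${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}:${VERSION}-${ARCH}");\
+IMAGE_NAME=$$(docker inspect --format='{{.Config.Labels.name}}' "${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}:${VERSION}-${ARCH}");\
 # Merge the SBOM with the metadata for the operator\
 jq -s '{"metadata":{"component":{"description":"'"$$IMAGE_NAME. $$IMAGE_DESCRIPTION"'","supplier":{"name":"Stackable GmbH","url":["https://stackable.tech/"]},"author":"Stackable GmbH","purl":"'"$$PURL"'","publisher":"Stackable GmbH"}}} * .[0]' sbom.json > sbom.merged.json;\
 # Attest the SBOM to the image\
@@ -63,9 +64,9 @@ docker-publish:
 docker login --username '${value OCI_REGISTRY_SDP_USERNAME}' --password '${OCI_REGISTRY_SDP_PASSWORD}' '${OCI_REGISTRY_HOSTNAME}'
 DOCKER_OUTPUT=$$(docker push --all-tags '${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}');\
 # Obtain the digest of the pushed image from the output of `docker push`, because signing by tag is deprecated and will be removed from cosign in the future\
-REPO_DIGEST_OF_IMAGE=$$(echo "$$DOCKER_OUTPUT" | awk '/^${VERSION}: digest: sha256:[0-9a-f]{64} size: [0-9]+$$/ { print $$3 }');\
+REPO_DIGEST_OF_IMAGE=$$(echo "$$DOCKER_OUTPUT" | awk '/^${VERSION}-${ARCH}: digest: sha256:[0-9a-f]{64} size: [0-9]+$$/ { print $$3 }');\
 if [ -z "$$REPO_DIGEST_OF_IMAGE" ]; then\
-echo 'Could not find repo digest for container image: ${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}:${VERSION}';\
+echo 'Could not find repo digest for container image: ${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}:${VERSION}-${ARCH}';\
 exit 1;\
 fi;\
 # This generates a signature and publishes it to the registry, next to the image\
@@ -76,13 +77,39 @@ docker-publish:
 # Determine the PURL for the container image\
 PURL="pkg:docker/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}@$$REPO_DIGEST_OF_IMAGE?repository_url=${OCI_REGISTRY_HOSTNAME}";\
 # Get metadata from the image\
-IMAGE_DESCRIPTION=$$(docker inspect --format='{{.Config.Labels.description}}' "${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}:${VERSION}");\
-IMAGE_NAME=$$(docker inspect --format='{{.Config.Labels.name}}' "${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}:${VERSION}");\
+IMAGE_DESCRIPTION=$$(docker inspect --format='{{.Config.Labels.description}}' "${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}:${VERSION}-${ARCH}");\
+IMAGE_NAME=$$(docker inspect --format='{{.Config.Labels.name}}' "${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}:${VERSION}-${ARCH}");\
 # Merge the SBOM with the metadata for the operator\
 jq -s '{"metadata":{"component":{"description":"'"$$IMAGE_NAME. $$IMAGE_DESCRIPTION"'","supplier":{"name":"Stackable GmbH","url":["https://stackable.tech/"]},"author":"Stackable GmbH","purl":"'"$$PURL"'","publisher":"Stackable GmbH"}}} * .[0]' sbom.json > sbom.merged.json;\
 # Attest the SBOM to the image\
 cosign attest -y --predicate sbom.merged.json --type cyclonedx "${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}@$$REPO_DIGEST_OF_IMAGE"
 
+# This assumes "${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}:${VERSION}-amd64 and "${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}:${VERSION}-arm64 are build and pushed
+docker-manifest-list-build:
+docker manifest create "${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}:${VERSION}" --amend "${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}:${VERSION}-amd64" --amend "${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}:${VERSION}-arm64"
+docker manifest create "${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}:${VERSION}" --amend "${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}:${VERSION}-amd64" --amend "${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}:${VERSION}-arm64"
+
+docker-manifest-list-publish:
+# Push to Nexus
+echo "${NEXUS_PASSWORD}" | docker login --username github --password-stdin "${DOCKER_REPO}"
+# `docker manifest push` directly returns the digest of the manifest list
+# As it is an experimental feature, this might change in the future
+# Further reading: https://docs.docker.com/reference/cli/docker/manifest/push/
+DIGEST_NEXUS=$$(docker manifest push "${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}:${VERSION}");\
+# Refer to image via its digest (oci.stackable.tech/sdp/airflow@sha256:0a1b2c...)\
+# This generates a signature and publishes it to the registry, next to the image\
+# Uses the keyless signing flow with Github Actions as identity provider\
+cosign sign -y "${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}:${VERSION}@$$DIGEST_NEXUS"
+
+# Push to Harbor
+# We need to use "value" here to prevent the variable from being recursively expanded by make (username contains a dollar sign, since it's a Harbor bot)
+docker login --username '${value OCI_REGISTRY_SDP_USERNAME}' --password '${OCI_REGISTRY_SDP_PASSWORD}' '${OCI_REGISTRY_HOSTNAME}'
+DIGEST_HARBOR=$$(docker manifest push "${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}:${VERSION}");\
+# Refer to image via its digest (oci.stackable.tech/sdp/airflow@sha256:0a1b2c...);\
+# This generates a signature and publishes it to the registry, next to the image\
+# Uses the keyless signing flow with Github Actions as identity provider\
+cosign sign -y "${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}:${VERSION}@$$DIGEST_HARBOR"
+
 # TODO remove if not used/needed
 docker: docker-build docker-publish
 
@@ -148,6 +175,11 @@ regenerate-nix:
 
 build: regenerate-charts regenerate-nix helm-package docker-build
 
+# This target is used by the CI
+# It doesn't make use of any nix dependencies and thus aviods building the
+# operator unnecessarily often.
+build-ci: regenerate-charts helm-package docker-build
+
 publish: docker-publish helm-publish
 
 check-nix: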
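Review bot: In `docker-manifest-list-publish` the digest captured from `docker manifest push` (new lines 98 and 107) is passed straight to `cosign sign` without the emptiness check that `docker-publish` applies to `REPO_DIGEST_OF_IMAGE`, so a failed or differently formatted push yields a reference ending in `@` instead of a clear error at the point of failure; mirror the existing guard with `if [ -z "$$DIGEST_NEXUS" ]; then echo 'Could not find digest for manifest list: ${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}:${VERSION}'; exit 1; fi;\` after line 98, and the same for `DIGEST_HARBOR` after line 107. The Harbor login on line 106 also puts the robot password on the command line via `--password`, whereas the Nexus login two recipes above uses `--password-stdin`; since this is a new recipe, it is a good place to switch to `echo "${OCI_REGISTRY_SDP_PASSWORD}" | docker login --username '${value OCI_REGISTRY_SDP_USERNAME}' --password-stdin '${OCI_REGISTRY_HOSTNAME}'`. `docker-manifest-list-build` issues `docker manifest create` against Harbor before any login, and build.yml invokes it before the publish target; if the Harbor project is not world-readable that step presumably fails. The new `build-ci` target is not wired up in this commit: build.yml's "Build Docker image and Helm chart" step still runs `make -e build`, which keeps `regenerate-nix` in the CI path. The comment on line 87 has unbalanced quotes and line 179 misspells "avoids".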

‎crate-hashes.json

+1-290

‎nix/sources.json

+6-6
