raft-tech · dagan · Sep 1, 2024 · Aug 31, 2024 · Sep 1, 2024 · Sep 1, 2024
diff --git a/.github/workflows/go-build.yml → .github/workflows/build.yml b/.github/workflows/go-build.yml → .github/workflows/build.yml
@@ -1,86 +1,77 @@
-name: Go Build
+name: Build
 
-permissions:
-  contents: read
+permissions: { }
 
 on:
   push:
-    branches: ['develop']
+    branches: [ 'develop' ]
   pull_request:
-    branches: ['develop']
-    paths-ignore:
-      - '.github/**'
-      - 'charts/**'
-      - 'LICENSE'
-      - 'README.md'
+    branches: [ 'develop' ]
     types:
       - opened
       - ready_for_review
       - reopened
       - synchronize
+    paths-ignore:
+      - '.github/**'
+      - 'charts/**'
+      - 'LICENSE'
+      - 'README.md'
 
 jobs:
-  Setup:
-    if: github.event.pull_request.draft == false
+
+  SetUp:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - name: Checkout
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: Set up Go
         uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
           go-version: stable
       - name: Install Dependencies
         run: go mod download
+
   Test:
-    needs: Setup
     runs-on: ubuntu-latest
+    needs: [ SetUp ]
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - name: Checkout
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: Set up Go
         uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
           go-version: stable
       - name: Test
         run: make test
-        env:
-          ENVTEST_K8S_VERSION: "1.30"
+
   Build:
-    needs: Test
+    needs: [ SetUp ]
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
     steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - name: Checkout
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: Set up Go
         uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
           go-version: stable
       - name: Build
-        run: make build
-      - name: Upload Konfirm
-        uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
-        with:
-          name: konfirm
-          path: bin/konfirm
-          retention-days: 1
-  Scan:
-    needs: Build
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      security-events: write
-      actions: read
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-      - name: Download Konfirm
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        run: make docker-build
       - name: Scan with Trivy
         uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0
         with:
-          scan-type: 'fs'
-          format: 'sarif'
-          output: 'trivy-results.sarif'
+          scan-type: 'image'
+          scanners: 'vuln'
+          format: 'table'
+          image-ref: 'ghcr.io/raft-tech/konfirm/controller'
+          ignore-unfixed: 'true'
           severity: 'MEDIUM,HIGH,CRITICAL'
-      - name: Upload scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@0e346f2c4a1b999b44f1ef93fe08bdb83dae63ab # v2.18.1
-        with:
-          sarif_file: 'trivy-results.sarif'
+          vuln-type: 'os,library'
+          exit-code: 1
diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
@@ -0,0 +1,59 @@
+name: Docker Build
+
+permissions: { }
+
+on:
+  workflow_dispatch:
+  push:
+    branches: [ 'develop' ]
+  release:
+    types: [ 'published' ]
+
+env:
+  IMAGE_REGISTRY: ghcr.io/raft-tech/konfirm
+  IMAGE_NAME: controller
+
+jobs:
+
+  Publish:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      attestations: write
+    outputs:
+      IMAGE_ID: ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.docker.outputs.digest }}
+    steps:
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf #v3.2.0
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db #v3.6.1
+      - name: Login to the Container Registry
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 #v3.3.0
+        with:
+          registry: ${{ env.IMAGE_REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Checkout
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - name: Extract metadata (tags, labels) for Docker
+        id: metadata
+        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 #v5.5.1
+        with:
+          images: ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
+            type=edge,branch=develop
+            type=ref,event=pr
+      - name: Build and push
+        id: docker
+        uses: docker/build-push-action/@5cd11c3a4ced054e52742c5fd54dca954e0edd85 #v6.7.0
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm64
+          push: true
+          annotations: ${{ steps.metadata.outputs.annotations }}
+          labels: ${{ steps.metadata.outputs.labels }}
+          tags: ${{ steps.metadata.outputs.tags }}
diff --git a/.github/workflows/helm-release.yml b/.github/workflows/helm-release.yml
@@ -1,49 +1,22 @@
 name: Release Charts
 
-permissions:
-  contents: read
+permissions: { }
 
 on:
   workflow_dispatch:
-  push:
-    tags: ["*"]
+  release:
+    types: [ 'published' ]
 
 jobs:
-  release:
+
+  Publish:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           fetch-depth: 0
-      - uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
-        name: Setup Helm
-        with:
-          version: 'latest'
-          token: ${{ secrets.GHUB_TOKEN }} # only needed if version is 'latest'
-        id: install
-      - name: Package Helm Chart
-        run: |
-          helm package ./charts/
-      - uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
-        name: Upload Helm Chart Snapshot Version
-        if: startsWith(github.ref, 'refs/tags/v') != true
-        with:
-          name: konfirm-${{ github.sha }}.tgz
-          path: konfirm*.tgz
-      - name: Set env containing release tag
-        if: startsWith(github.ref, 'refs/tags/v')
-        run: echo "RELEASE_VERSION=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV
-      - uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
-        name: Upload Helm Chart Release Version
-        if: startsWith(github.ref, 'refs/tags/v')
-        with:
-          name: konfirm-${{ env.RELEASE_VERSION }}.tgz
-          path: konfirm*.tgz
-      - name: Release with Notes
-        uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191 # v2.0.8
-        if: startsWith(github.ref, 'refs/tags/v')
-        with:
-          files: konfirm*.tgz
-        env:
-          GITHUB_TOKEN: ${{ secrets.GHUB_TOKEN }}
+      - name: Helm Setup
+        uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
diff --git a/.github/workflows/helm-validate.yml b/.github/workflows/helm-validate.yml
diff --git a/Dockerfile b/Dockerfile
@@ -1,11 +1,13 @@
-FROM golang:1.23.0@sha256:613a108a4a4b1dfb6923305db791a19d088f77632317cfc3446825c54fb862cd AS build
+FROM --platform=$BUILDPLATFORM golang:1.23.0@sha256:613a108a4a4b1dfb6923305db791a19d088f77632317cfc3446825c54fb862cd AS build
 WORKDIR /go/src
 COPY go.mod go.sum ./
 RUN go mod download
 COPY . ./
-RUN CGO_ENABLED=0 go build -o konfirm .
+ARG GOOS=${TARGETOS}
+ARG GOARCH=${TARGETARCH}
+RUN go build -o konfirm .
 
-FROM registry.access.redhat.com/ubi9/ubi-micro:9.4-13@sha256:9dbba858e5c8821fbe1a36c376ba23b83ba00f100126f2073baa32df2c8e183a
+FROM --platform=$BUILDPLATFORM registry.access.redhat.com/ubi9/ubi-micro:9.4-13@sha256:9dbba858e5c8821fbe1a36c376ba23b83ba00f100126f2073baa32df2c8e183a
 COPY --from=build --chown=0:0 /go/src/konfirm /usr/local/bin/
 USER 1001
 ENTRYPOINT ["/usr/local/bin/konfirm"]
diff --git a/Makefile b/Makefile
@@ -1,15 +1,16 @@
 
 VERSION ?= $(shell cat VERSION)
-IMG ?= rafttech/konfirm:latest
-IMG_VERSION = rafttech/konfirm:v$(VERSION)
-E2E_IMG ?= rafttech/konfirm-e2e:latest
-E2E_IMG_VERSION ?= rafttech/konfirm-e2e:v$(VERSION)
-MOCK_IMG ?= rafttech/konfirm-mock:latest
-MOCK_IMG_VERSION ?= rafttech/konfirm-mock:v$(VERSION)
+IMAGE_REGISTRY ?= ghcr.io/raft-tech/konfirm
+IMAGE ?= $(IMAGE_REGISTRY)/controller
+IMAGE_VERSION = $(IMAGE):$(VERSION)
+E2E_IMAGE ?= $(IMAGE_REGISTRY)/controller-e2e
+E2E_IMAGE_VERSION ?= $(E2E_IMAGE):$(VERSION)
+MOCK_IMAGE ?= $(IMAGE_REGISTRY)/mock-inspection
+MOCK_IMAGE_VERSION ?= $(MOCK_IMAGE):$(VERSION)
 ENVTEST ?= $(BIN)/setup-envtest
 ENVTEST_K8S_VERSION = 1.30.0
 KUBECTL ?= kubectl
-KUBE_PROMETHEUS_STACK_CHART ?= https://github.com/prometheus-community/helm-charts/releases/download/kube-prometheus-stack-60.3.0/kube-prometheus-stack-60.3.0.tgz
+KUBE_PROMETHEUS_STACK_CHART ?= https://github.com/prometheus-community/helm-charts/releases/download/kube-prometheus-stack-62.3.1/kube-prometheus-stack-62.3.1.tgz
 
 .PHONY: generate
 generate:
@@ -18,7 +19,7 @@ generate:
 .PHONY: test
 test: generate vet envtest
 	KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) --bin-dir $(BIN) -p path)" \
-		go test -v ./... -coverprofile cover.out -ginkgo.label-filter="!e2e && !broken"
+		go test -v ./... -ginkgo.label-filter="!e2e && !broken"
 
 .PHONY: clean
 clean: clean-kind-cluster
@@ -38,15 +39,15 @@ build: generate
 
 .PHONY: docker-build
 docker-build:
-	docker build -t $(IMG) -t $(IMG_VERSION) .
+	docker build -t $(IMAGE) -t $(IMAGE_VERSION) .
 
 .PHONY: docker-build-e2e
 docker-build-e2e:
-	docker build -f docker/e2e.dockerfile -t $(E2E_IMG) -t $(E2E_IMG_VERSION) .
+	docker build -f docker/e2e.dockerfile -t $(E2E_IMAGE) -t $(E2E_IMAGE_VERSION) .
 
 .PHONY: docker-build-mock
 docker-build-mock:
-	docker build -f docker/mock.dockerfile -t $(MOCK_IMG) -t $(MOCK_IMG_VERSION) .
+	docker build -f docker/mock.dockerfile -t $(MOCK_IMAGE) -t $(MOCK_IMAGE_VERSION) .
 
 BIN ?= $(shell pwd)/bin
 $(BIN):
@@ -75,7 +76,7 @@ clean-kind-cluster:
 
 .PHONY: kind-load
 kind-load: kind-cluster docker-build docker-build-e2e docker-build-mock
-	kind load docker-image --name konfirm $(IMG) $(IMG_VERSION) $(E2E_IMG) $(E2E_IMG_VERSION) $(MOCK_IMG) $(MOCK_IMG_VERSION)
+	kind load docker-image --name konfirm $(IMAGE) $(IMAGE_VERSION) $(E2E_IMAGE) $(E2E_IMAGE_VERSION) $(MOCK_IMAGE) $(MOCK_IMAGE_VERSION)
 
 .PHONY: kind-deploy
 kind-deploy: kind-load kind-monitoring

diff --git a/charts/konfirm/Chart.lock b/charts/konfirm/Chart.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: konfirm-validate
+  repository: ""
+  version: 0.1.0
+digest: sha256:6992bb419068aeefb304ed31d203b1df9e35cfeeb14ab046b80ab56190474dcf
+generated: "2024-08-31T15:21:31.881042-07:00"
diff --git a/charts/konfirm/charts/konfirm-validate/templates/testsuite.yaml b/charts/konfirm/charts/konfirm-validate/templates/testsuite.yaml
@@ -18,4 +18,4 @@ spec:
             spec:
               containers:
                 - name: tests
-                  image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default (printf "v%s" .Chart.AppVersion) }}"
+                  image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
diff --git a/charts/konfirm/charts/konfirm-validate/values.yaml b/charts/konfirm/charts/konfirm-validate/values.yaml
@@ -1,6 +1,6 @@
 
 image:
-  repository: rafttech/konfirm-e2e
+  repository: ghcr.io/raft-tech/konfirm/controller-e2e
   tag: ""
 
 schedule: "*/2 * * * *"
diff --git a/charts/konfirm/templates/deployment.yaml b/charts/konfirm/templates/deployment.yaml
@@ -30,7 +30,7 @@ spec:
         - name: {{ .Chart.Name }}
           securityContext:
             {{- toYaml .Values.securityContext | nindent 12 }}
-          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default (printf "v%s" .Chart.AppVersion) }}"
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           ports:
             - name: http-healthz

diff --git a/charts/konfirm/values.yaml b/charts/konfirm/values.yaml
@@ -2,7 +2,7 @@
 replicaCount: 1
 
 image:
-  repository: rafttech/konfirm
+  repository: ghcr.io/raft-tech/konfirm/controller
   pullPolicy: IfNotPresent
   tag: ""