diff --git a/.github/ISSUE_TEMPLATE/normal-issue.md b/.github/ISSUE_TEMPLATE/normal-issue.md new file mode 100644 index 00000000..a518ec71 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/normal-issue.md @@ -0,0 +1,16 @@ +--- +name: Normal issue +about: This is just a normal empty issue with a simple checklist +title: '' +labels: '' +assignees: '' + +--- + +## Issue checklist + +This is a simple checklist of things to bear in mind when creating a new issue. + +- [ ] Describe the use-case, as far is possible. For instance, using the pattern "As a XXXX, I would like XXXX to be able to do XXXX" helps to identify the feature as well as the problem it is intended to address. +- [ ] Indicate an approximate level of importance and urgency. +- [ ] Indicate if there is a known work-around until such time as the issue has been implemented. diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 4508652b..ecd7d395 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -292,6 +292,8 @@ jobs: env: NEXUS_PASSWORD: ${{ secrets.NEXUS_PASSWORD }} HELM_REPO: ${{ needs.select_helm_repo.outputs.helm_repository }} + OCI_REGISTRY_PASSWORD: ${{ secrets.HARBOR_ROBOT_STACKABLE_GITHUB_ACTION_BUILD_SECRET }} + OCI_REGISTRY_USERNAME: "robot$stackable+github-action-build" if: needs.select_helm_repo.outputs.helm_repository != 'skip' outputs: IMAGE_TAG: ${{ steps.printtag.outputs.IMAGE_TAG }} diff --git a/Makefile b/Makefile index c997f2b0..fa4eed3e 100644 --- a/Makefile +++ b/Makefile 
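Review bot: The Harbor robot credential is added at job level (the `env:` that sits beside `if:` and `outputs:`), so every step of the job — including any third-party actions it runs — receives `OCI_REGISTRY_PASSWORD`, not only the step that invokes `make docker-publish` / `make helm-publish`. Moving both `OCI_REGISTRY_*` entries into the `env:` of the publishing step(s) limits what a compromised action in the same job can read; the existing `NEXUS_PASSWORD` follows the job-level pattern, but the new credential does not have to. The job's steps are outside the hunk, so the exact step to scope to cannot be confirmed from here. The literal username `"robot$stackable+github-action-build"` is fine as written — YAML double quotes keep the `$`, and GitHub Actions does not interpolate it — so no change is needed on that line.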
@@ -15,8 +15,12 @@ VERSION := $(shell cargo metadata --format-version 1 | jq -r '.packages[] | sele DOCKER_REPO := docker.stackable.tech ORGANIZATION := stackable +OCI_REGISTRY_HOSTNAME := oci.stackable.tech +OCI_REGISTRY_PROJECT_IMAGES := ${ORGANIZATION}/images +OCI_REGISTRY_PROJECT_CHARTS := ${ORGANIZATION}/charts # this will be overwritten by an environmental variable if called from the github action HELM_REPO := https://repo.stackable.tech/repository/helm-dev +HELM_CHART_NAME := ${OPERATOR_NAME} HELM_CHART_ARTIFACT := target/helm/${OPERATOR_NAME}-${VERSION}.tgz SHELL=/usr/bin/env bash -euo pipefail @@ -27,8 +31,10 @@ render-readme: ## Docker related targets docker-build: docker build --force-rm --build-arg VERSION=${VERSION} -t "${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}:${VERSION}" -f docker/Dockerfile . + docker tag "${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}:${VERSION}" "${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}:${VERSION}" docker-publish: + # push to Nexus echo "${NEXUS_PASSWORD}" | docker login --username github --password-stdin "${DOCKER_REPO}" DOCKER_OUTPUT=$$(docker push --all-tags "${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}");\ # Obtain the digest of the pushed image from the output of `docker push`, because signing by tag is deprecated and will be removed from cosign in the future\ 
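Review bot: The credentials the new Harbor targets consume, `OCI_REGISTRY_USERNAME` and `OCI_REGISTRY_PASSWORD`, are not declared anywhere in this variable block, unlike `HELM_REPO`, whose comment states it is overridden from the GitHub action; a local `make docker-publish` therefore runs `docker login --username '' --password ''` against `oci.stackable.tech` with no hint of what was missing. Declaring them next to the other registry settings documents the contract without changing CI behaviour, e.g. `# set from the environment by .github/workflows/build.yml; never put the real secret here` followed by `OCI_REGISTRY_USERNAME ?=` and `OCI_REGISTRY_PASSWORD ?=`. The variable block starts before the hunk, and `OPERATOR_NAME`, which `HELM_CHART_NAME` copies, is presumably defined there.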
@@ -41,6 +47,20 @@ docker-publish: # Uses the keyless signing flow with Github Actions as identity provider\ cosign sign -y ${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}:@$$REPO_DIGEST_OF_IMAGE + # push to Harbor + # we need to use "value" here to prevent the variable from being recursively expanded by make (username contains a dollar sign, since it's a Harbor bot) + docker login --username '${value OCI_REGISTRY_USERNAME}' --password '${OCI_REGISTRY_PASSWORD}' '${OCI_REGISTRY_HOSTNAME}' + DOCKER_OUTPUT=$$(docker push --all-tags '${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}');\ + # Obtain the digest of the pushed image from the output of `docker push`, because signing by tag is deprecated and will be removed from cosign in the future\ + REPO_DIGEST_OF_IMAGE=$$(echo "$$DOCKER_OUTPUT" | awk '/^${VERSION}: digest: sha256:[0-9a-f]{64} size: [0-9]+$$/ { print $$3 }');\ + if [ -z "$$REPO_DIGEST_OF_IMAGE" ]; then\ + echo 'Could not find repo digest for container image: ${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}:${VERSION}';\ + exit 1;\ + fi;\ + # This generates a signature and publishes it to the registry, next to the image\ + # Uses the keyless signing flow with Github Actions as identity provider\ + cosign sign -y ${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}:@$$REPO_DIGEST_OF_IMAGE + # TODO remove if not used/needed docker: docker-build docker-publish 
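Review bot: The Harbor login passes the secret on the command line, `--password '${OCI_REGISTRY_PASSWORD}'`, whereas the Nexus login earlier in the same recipe uses `--password-stdin`; the new line carries no `@` prefix, so make echoes the expanded command, and the secret is also visible in the process list for the duration of the login and would break the single quoting if it contained a `'`. Because make expands `${OCI_REGISTRY_PASSWORD}` before the shell sees it, a secret containing `$` would additionally be mangled — the `value` workaround in the comment above is applied only to the username. Reading the variable in the shell instead avoids all three: `@printf '%s' "$$OCI_REGISTRY_PASSWORD" | docker login --username '${value OCI_REGISTRY_USERNAME}' --password-stdin '${OCI_REGISTRY_HOSTNAME}'`; the variable arrives from the environment, so make exports it to the recipe shell. The `docker-publish` recipe starts before the hunk.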
@@ -48,8 +68,23 @@ print-docker-tag: @echo "${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}:${VERSION}" helm-publish: + # push to Nexus curl --fail -u "github:${NEXUS_PASSWORD}" --upload-file "${HELM_CHART_ARTIFACT}" "${HELM_REPO}/" + # push to Harbor + # we need to use "value" here to prevent the variable from being recursively expanded by make (username contains a dollar sign, since it's a Harbor bot) + helm registry login --username '${value OCI_REGISTRY_USERNAME}' --password '${OCI_REGISTRY_PASSWORD}' '${OCI_REGISTRY_HOSTNAME}' + # Obtain the digest of the pushed artifact from the output of `helm push`, because signing by tag is deprecated and will be removed from cosign in the future\ + HELM_OUTPUT=$$(helm push '${HELM_CHART_ARTIFACT}' 'oci://${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_CHARTS}' 2>&1);\ + REPO_DIGEST_OF_ARTIFACT=$$(echo "$$HELM_OUTPUT" | awk '/^Digest: sha256:[0-9a-f]{64}$$/ { print $$2 }');\ + if [ -z "$$REPO_DIGEST_OF_ARTIFACT" ]; then\ + echo 'Could not find repo digest for helm chart: ${HELM_CHART_NAME}';\ + exit 1;\ + fi;\ + # This generates a signature and publishes it to the registry, next to the chart artifact\ + # Uses the keyless signing flow with Github Actions as identity provider\ + cosign sign -y ${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_CHARTS}/${HELM_CHART_NAME}:@$$REPO_DIGEST_OF_ARTIFACT + helm-package: mkdir -p target/helm && helm package --destination target/helm deploy/helm/${OPERATOR_NAME} @@ -80,6 +115,7 @@ chart-lint: compile-chart clean: chart-clean cargo clean docker rmi --force "${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}:${VERSION}" + docker rmi --force '${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}:${VERSION}' regenerate-charts: chart-clean compile-chart
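Review bot: `HELM_OUTPUT=$$(helm push ... 2>&1)` folds helm's stderr into the variable, and with `SHELL=/usr/bin/env bash -euo pipefail` a failing push aborts the recipe at that assignment before anything is printed, so the reason Harbor rejected the chart never reaches the CI log. Printing the captured output on failure keeps the diagnostic: `HELM_OUTPUT=$$(helm push '${HELM_CHART_ARTIFACT}' 'oci://${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_CHARTS}' 2>&1) || { echo "$$HELM_OUTPUT" >&2; exit 1; };\`. The same applies to the `docker push` capture in `docker-publish`, though that pattern predates this change. `helm registry login` also accepts `--password-stdin`, which would keep `${OCI_REGISTRY_PASSWORD}` out of make's command echo and the process list, matching how the Nexus docker login in this file handles its secret.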