✨ use new builder image approach (#133)

* use new builder image approach

this commit updates builder images and adds a make target so that we
copy the static executables right from the container image.
it's fast and we don't have to pull it from the internet again and again
if we have the builder image present locally.

This commit also updates go to 1.21.8 patch version.

Signed-off-by: kranurag7 <[email protected]>

* bump dev cluster to 1.27.3 and bump trivy

Signed-off-by: kranurag7 <[email protected]>

---------

Signed-off-by: kranurag7 <[email protected]>
Co-authored-by: Roman Hros <[email protected]>

Author: kranurag7

.envrc.sample

@@ -1,3 +1,4 @@
+export PATH="$(pwd)/hack/tools/bin/:$PATH"
 export KUBECONFIG=$PWD/.mgt-cluster-kubeconfig.yaml
 export CLUSTER_TOPOLOGY=true
 export CLUSTER_NAME=test-dfkhje

.github/workflows/release.yaml

@@ -121,10 +121,16 @@ jobs:
   release:
     name: Create draft release
     runs-on: ubuntu-latest
+    permissions:
+      packages: read
+    defaults:
+      run:
+        shell: bash
     needs:
       - manager-image
     steps:
       - name: Set env
+        shell: bash
         run: echo "RELEASE_TAG=${GITHUB_REF:10}" >> $GITHUB_ENV
 
       - name: checkout code

Makefile

@@ -19,6 +19,7 @@ IMAGE_PREFIX ?= ghcr.io/sovereigncloudstack
 STAGING_IMAGE = $(CONTROLLER_SHORT)-staging
 BUILDER_IMAGE = $(IMAGE_PREFIX)/$(CONTROLLER_SHORT)-builder
 BUILDER_IMAGE_VERSION = $(shell cat .builder-image-version.txt)
+HACK_TOOLS_BIN_VERSION = $(shell cat ./hack/tools/bin/version.txt)
 
 SHELL = /usr/bin/env bash -o pipefail
 .SHELLFLAGS = -ec
@@ -117,27 +118,9 @@ $(CTLPTL):
 	go install github.com/tilt-dev/ctlptl/cmd/[email protected]
 
 CLUSTERCTL := $(abspath $(TOOLS_BIN_DIR)/clusterctl)
-clusterctl: $(CLUSTERCTL) ## Build a local copy of clusterctl
-$(CLUSTERCTL):
-	curl -sSLf https://github.com/kubernetes-sigs/cluster-api/releases/download/v1.5.3/clusterctl-$$(go env GOOS)-$$(go env GOARCH) -o $(CLUSTERCTL)
-	chmod a+rx $(CLUSTERCTL)
-
 KIND := $(abspath $(TOOLS_BIN_DIR)/kind)
-kind: $(KIND) ## Build a local copy of kind
-$(KIND):
-	go install sigs.k8s.io/[email protected]
-
 KUBECTL := $(abspath $(TOOLS_BIN_DIR)/kubectl)
-kubectl: $(KUBECTL) ## Build a local copy of kubectl
-$(KUBECTL):
-	curl -fsSL "https://dl.k8s.io/release/v1.27.3/bin/$$(go env GOOS)/$$(go env GOARCH)/kubectl" -o $(KUBECTL)
-	chmod a+rx $(KUBECTL)
-
 TRIVY := $(abspath $(TOOLS_BIN_DIR)/trivy)
-trivy: $(TRIVY) ## Build a local copy of trivy
-$(TRIVY):
-	curl -sSL https://github.com/aquasecurity/trivy/releases/download/v0.45.1/trivy_0.45.1_Linux-64bit.tar.gz | tar xz -C $(TOOLS_BIN_DIR) trivy
-	chmod a+rx $(TRIVY)
 
 go-binsize-treemap := $(abspath $(TOOLS_BIN_DIR)/go-binsize-treemap)
 go-binsize-treemap: $(go-binsize-treemap) # Build go-binsize-treemap from tools folder.
@@ -154,7 +137,7 @@ gotestsum: $(GOTESTSUM) # Build gotestsum from tools folder.
 $(GOTESTSUM):
 	go install gotest.tools/[email protected]
 
-all-tools: $(GOTESTSUM) $(go-cover-treemap) $(go-binsize-treemap) $(KIND) $(PACKER) $(KUBECTL) $(CLUSTERCTL) $(CTLPTL) $(SETUP_ENVTEST) $(ENVSUBST) $(KUSTOMIZE) $(CONTROLLER_GEN) $(TRIVY)
+all-tools: get-dependencies $(GOTESTSUM) $(go-cover-treemap) $(go-binsize-treemap) $(CTLPTL) $(SETUP_ENVTEST) $(ENVSUBST)
 	echo 'done'
 
 ##@ Development
@@ -169,7 +152,7 @@ else
 endif
 
 .PHONY: cluster
-cluster: $(CTLPTL) $(KUBECTL) ## Creates kind-dev Cluster 
+cluster: get-dependencies $(CTLPTL) ## Creates kind-dev Cluster 
 	./hack/kind-dev.sh
 
 .PHONY: delete-bootstrap-cluster
@@ -327,18 +310,6 @@ endif
 format-starlark: ## Format the Starlark codebase
 	./hack/verify-starlark.sh fix
 
-.PHONY: format-yaml
-format-yaml: ## Lint YAML files
-ifeq ($(BUILD_IN_CONTAINER),true)
-	docker run  --rm -t -i \
-		-v $(shell go env GOPATH)/pkg:/go/pkg$(MOUNT_FLAGS) \
-		-v $(shell pwd):/src/cluster-stack-provider-openstack$(MOUNT_FLAGS) \
-		$(BUILDER_IMAGE):$(BUILDER_IMAGE_VERSION) $@;
-else
-	yamlfixer --version
-	yamlfixer -c .yamllint.yaml .
-endif
-
 ##@ Lint
 ########
 # Lint #
@@ -556,7 +527,7 @@ test-integration-openstack: $(SETUP_ENVTEST) $(GOTESTSUM)
 lint: lint-golang lint-yaml lint-dockerfile lint-links ## Lint Codebase
 
 .PHONY: format
-format: format-starlark format-golang format-yaml ## Format Codebase
+format: format-starlark format-golang ## Format Codebase
 
 .PHONY: generate
 generate: generate-manifests generate-go-deepcopy generate-boilerplate generate-modules ## Generate Files
@@ -594,5 +565,31 @@ get-kubeconfig-workload-cluster:
 	./hack/get-kubeconfig-of-workload-cluster.sh
 
 .PHONY: tilt-up
-tilt-up: env-vars-for-wl-cluster $(ENVSUBST) $(KUBECTL) $(KUSTOMIZE) $(TILT) cluster  ## Start a mgt-cluster & Tilt. Installs the CRDs and deploys the controllers
+tilt-up: env-vars-for-wl-cluster get-dependencies $(ENVSUBST) $(TILT) cluster  ## Start a mgt-cluster & Tilt. Installs the CRDs and deploys the controllers
 	$(TILT) up --port=10351
+
+BINARIES = clusterctl controller-gen kind kubectl kustomize trivy
+get-dependencies:
+ifeq ($(BUILD_IN_CONTAINER),true)
+	docker run --rm -t -i \
+		-v $(shell pwd):/src/cluster-stack-provider-openstack \
+		$(BUILDER_IMAGE):$(BUILDER_IMAGE_VERSION) $@;
+else
+	@if [ "$(HACK_TOOLS_BIN_VERSION)" != "$(BUILDER_IMAGE_VERSION)" ]; then \
+		echo "Updating binaries"; \
+		rm -rf hack/tools/bin; \
+		mkdir -p $(TOOLS_BIN_DIR); \
+		cp ./.builder-image-version.txt $(TOOLS_BIN_DIR)/version.txt; \
+		for tool in $(BINARIES); do \
+			if command -v $$tool > /dev/null; then \
+				cp `command -v $$tool` $(TOOLS_BIN_DIR); \
+				echo "copied $$tool to $(TOOLS_BIN_DIR)"; \
+			else \
+				echo "$$tool not found"; \
+			fi; \
+		done; \
+	else \
+		echo "No action required"; \
+		echo "Binaries are up to date"; \
+	fi
+endif

hack/kind-dev.sh

@@ -18,7 +18,7 @@ set -o errexit
 set -o pipefail
 set -x
 
-K8S_VERSION=v1.27.2
+K8S_VERSION=v1.27.3
 
 REPO_ROOT=$(git rev-parse --show-toplevel)
 cd "${REPO_ROOT}" || exit 1

images/builder/Dockerfile

@@ -1,4 +1,4 @@
-# Copyright 2023 The Kubernetes Authors.
+# Copyright 2024 The Kubernetes Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -17,43 +17,47 @@
 # If you make changes to this Dockerfile run `make builder-image-push`.
 
 # Install Lychee
-FROM docker.io/library/alpine:3.19.1@sha256:6457d53fb065d6f250e1504b9bc42d5b6c65941d57532c072d929dd0628977d0 as lychee
-# update: datasource=github-tags depName=lycheeverse/lychee versioning=semver
-ENV LYCHEE_VERSION="v0.14.3"
-# hadolint ignore=DL3018
-RUN apk add --no-cache curl && \
-    curl -L -o /tmp/lychee-${LYCHEE_VERSION}.tgz https://github.com/lycheeverse/lychee/releases/download/${LYCHEE_VERSION}/lychee-${LYCHEE_VERSION}-x86_64-unknown-linux-gnu.tar.gz && \
-    tar -xz -C /tmp -f /tmp/lychee-${LYCHEE_VERSION}.tgz && \
-    mv /tmp/lychee /usr/bin/lychee && \
-    rm -rf /tmp/linux-amd64 /tmp/lychee-${LYCHEE_VERSION}.tgz
+FROM docker.io/lycheeverse/lychee:0.14.3 as lychee
+# Install Hadolint
+FROM docker.io/hadolint/hadolint:v2.12.0-alpine@sha256:7dba9a9f1a0350f6d021fb2f6f88900998a4fb0aaf8e4330aa8c38544f04db42 as hadolint
 
-# Install Golang CI Lint
-FROM docker.io/library/alpine:3.19.1@sha256:6457d53fb065d6f250e1504b9bc42d5b6c65941d57532c072d929dd0628977d0 as golangci
-# update: datasource=github-tags depName=golangci/golangci-lint versioning=semver
+FROM cgr.dev/chainguard/wolfi-base:latest as wolfi
+
+# update: datasource=github-tags depName=kubernetes-sigs/cluster-api
+ARG CLUSTERCTL_VERSION="v1.6.3"
+# update: datasource=github-tags depName=golangci/golangci-lint
 ENV GOLANGCI_VERSION="v1.56.2"
-WORKDIR /
-# hadolint ignore=DL3018,DL4006
-RUN apk add --no-cache curl && \
-    curl -L -o /tmp/golangci.tgz https://github.com/golangci/golangci-lint/releases/download/${GOLANGCI_VERSION}/golangci-lint-${GOLANGCI_VERSION#v}-linux-amd64.tar.gz && \
-    ls -la /tmp && \
-    tar -xz -C /tmp -f /tmp/golangci.tgz && \
-    mv /tmp/golangci-lint-${GOLANGCI_VERSION#v}-linux-amd64/golangci-lint /bin/golangci-lint
+# update: datasource=github-tags depName=kubernetes-sigs/kind
+ARG KIND_VERSION="v0.22.0"
+# update: datasource=github-tags depName=kubernetes/kubernetes
+ARG KUBECTL_VERSION="v1.27.3"
+# update: datasource=github-tags depName=kubernetes-sigs/kustomize extractVersion=^kustomize\/v(?<version>.+)$
+ARG KUSTOMIZE_VERSION="v5.3.0"
+# update: datasource=github-tags depName=aquasecurity/trivy
+ARG TRIVY_VERSION="v0.49.1"
+# update: datasource=github-tags depName=kubernetes-sigs/controller-tools
+ARG CONTROLLER_GEN_VERSION="v0.14.0"
 
-# Install Hadolint
-FROM docker.io/hadolint/hadolint:v2.12.0-alpine@sha256:7dba9a9f1a0350f6d021fb2f6f88900998a4fb0aaf8e4330aa8c38544f04db42 as hadolint
+# hadolint ignore=DL3018
+RUN apk add -U --no-cache \
+    curl \
+    clusterctl=~${CLUSTERCTL_VERSION#v} \
+    controller-gen=~${CONTROLLER_GEN_VERSION#v} \
+    kind=~${KIND_VERSION#v} \
+    kubectl=~${KUBECTL_VERSION#v} \
+    kustomize=~${KUSTOMIZE_VERSION#v} \
+    trivy=~${TRIVY_VERSION#v} 
 
-# Install Trivy
-FROM docker.io/aquasec/trivy:0.49.1@sha256:026a1ab5714dd19ffde0aed18ac034d1d354f119d6e62330cd6522081dd74628 as trivy
+WORKDIR /
+RUN curl -sfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s ${GOLANGCI_VERSION}
 
 ############################
-# Cspo Build Image Base #
+# CSPO Build Image Base #
 ############################
-FROM docker.io/library/golang:1.21.6-bullseye@sha256:a8712f27d9ac742e7bded8f81f7547c5635e855e8b80302e8fc0ce424f559295
+FROM docker.io/library/golang:1.21.8-bullseye
 
 # update: datasource=github-tags depName=adrienverge/yamllint versioning=semver
 ENV YAMLLINT_VERSION="v1.35.1"
-# update: datasource=github-tags depName=opt-nc/yamlfixer versioning=semver
-ENV YAMLFIXER_VERSION="0.9.15"
 
 # hadolint ignore=DL3008
 RUN apt-get update && \
@@ -64,13 +68,17 @@ RUN apt-get update && \
     libsystemd-dev jq && \
     rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* && \
     pip install --no-cache-dir \
-    yamllint==${YAMLLINT_VERSION} \
-    yamlfixer-opt-nc==${YAMLFIXER_VERSION}
+    yamllint==${YAMLLINT_VERSION}
 
-COPY --from=lychee /usr/bin/lychee /usr/bin/lychee
-COPY --from=golangci /bin/golangci-lint /usr/local/bin
+COPY --from=wolfi /usr/bin/clusterctl /usr/bin/clusterctl
+COPY --from=wolfi /usr/bin/controller-gen /usr/bin/controller-gen
+COPY --from=wolfi /bin/golangci-lint /usr/bin/golangci-lint
+COPY --from=wolfi /usr/bin/kubectl /usr/bin/kubectl
+COPY --from=wolfi /usr/bin/kind /usr/bin/kind
+COPY --from=wolfi /usr/bin/kustomize /usr/bin/kustomize
+COPY --from=wolfi /usr/bin/trivy /usr/bin/trivy
+COPY --from=lychee /usr/local/bin/lychee /usr/bin/lychee
 COPY --from=hadolint /bin/hadolint /usr/bin/hadolint
-COPY --from=trivy /usr/local/bin/trivy /usr/bin/trivy
 
 ENV GOCACHE=/go/cache
 

images/cspo/Dockerfile

@@ -13,7 +13,7 @@
 # limitations under the License.
 
 # Build the manager binary
-FROM --platform=${BUILDPLATFORM} docker.io/library/golang:1.21.6-bullseye as build
+FROM --platform=${BUILDPLATFORM} docker.io/library/golang:1.21.8-bullseye as build
 ARG TARGETOS TARGETARCH
 
 COPY . /src/cluster-stack-provider-openstack