feat: better build process for operators

Author: abhimanyu003

.github/workflows/build-dexop.yaml

@@ -10,15 +10,36 @@ on:
       - "go/dexop/**"
 
 jobs:
-  build-ghcr-registry:
+  build-dexop:
     runs-on: ubuntu-latest
     permissions:
       packages: write
-      contents: read
+      contents: write
+      id-token: write
     steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
+      - name: Checkout
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
+        with:
+          fetch-depth: 0
+
+      - name: Install Go
+        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6
+        with:
+          go-version: '1.24'
+          cache: true
+          cache-dependency-path: 'go/dexop/go.sum'
+
+      - name: Install syft
+        uses: anchore/sbom-action/download-syft@0b82b0b1a22399a1c542d4d656f70cd903571b5c # v0.21.1
+
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
 
       - name: Login to ghcr.io
         uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
@@ -31,13 +52,14 @@ jobs:
         id: extract_tag
         run: echo "tag=${GITHUB_REF#refs/tags/dexop-v}" >> $GITHUB_OUTPUT
 
-      - name: Build and deploy Dexop image
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6
         with:
-          context: go/dexop/
-          file: go/dexop/Dockerfile
-          # push for all main branch commits
-          push: ${{ github.event_name != 'pull_request' }}
-          tags: ghcr.io/${{ github.repository }}/dexop:latest,ghcr.io/${{ github.repository }}/dexop:${{ steps.extract_tag.outputs.tag }}
-          labels: |
-            org.opencontainers.image.version=${{ steps.extract_tag.outputs.tag }}
+          distribution: goreleaser
+          version: "~> v2"
+          args: release --clean --skip=validate
+          workdir: go/dexop
+        env:
+          GIT_REPO: ${{ github.repository }}
+          CUSTOM_TAG: ${{ steps.extract_tag.outputs.tag }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/build-nautobotop.yaml

@@ -60,6 +60,7 @@ jobs:
           args: release --clean --skip=validate
           workdir: go/nautobotop
         env:
+          GIT_REPO: ${{ github.repository }}
           CUSTOM_TAG: ${{ steps.extract_tag.outputs.tag }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 

go/dexop/.gitignore

@@ -15,6 +15,8 @@ Dockerfile.cross
 
 # Go workspace file
 go.work
+vendor/
+dist/
 
 # Kubernetes Generated files - skip generated files, except for vendored files
 !vendor/**/zz_generated.*

go/dexop/.goreleaser.Dockerfile

@@ -0,0 +1,5 @@
+# goreleaser is making the binary dynamically linked so can't use the static container
+FROM gcr.io/distroless/base-debian12:nonroot
+COPY --chmod=555 dexop /usr/local/bin/dexop
+USER 65532:65532
+ENTRYPOINT ["/usr/local/bin/dexop"]

go/dexop/.goreleaser.yaml

@@ -0,0 +1,98 @@
+project_name: "dexop"
+version: 2
+
+before:
+  hooks:
+    - go mod tidy
+
+env:
+  - CUSTOM_TAG={{ .Env.CUSTOM_TAG }}
+  - GIT_REPO={{ .Env.GIT_REPO }}
+
+builds:
+  - main: main.go
+    dir: ./cmd
+    binary: dexop
+    goos: ["linux"]
+    goarch: ["amd64", "arm64"]
+    flags:
+      - -trimpath
+    ldflags:
+      - -s
+      - -w
+      - -X main.version={{.Version}}
+      - -X main.commit={{.ShortCommit}}
+    env:
+      - CGO_ENABLED=0
+
+changelog:
+  disable: true
+
+dockers:
+  - skip_push: false
+    use: buildx
+    dockerfile: .goreleaser.Dockerfile
+    image_templates:
+      - ghcr.io/{{ .Env.GIT_REPO }}/{{ .ProjectName }}:{{ .Env.CUSTOM_TAG }}-amd64
+    build_flag_templates:
+      - --platform=linux/amd64
+      - --label=org.opencontainers.image.version={{ .Env.CUSTOM_TAG }}
+      - --label=org.opencontainers.image.revision={{ .Commit }}
+      - --label=org.opencontainers.image.title={{ .ProjectName }}
+      - --label=org.opencontainers.image.created={{ .Date }}
+      - --label=org.opencontainers.image.description=Rackspace Cloud DNS support for cert-manager
+      - --label=org.opencontainers.image.vendor=rackspace
+      - --label=org.opencontainers.image.licenses=Apache License 2.0
+      - --label=org.opencontainers.image.source=https://rackspace.com/
+      - --label=org.opencontainers.image.authors=Rackspace
+  - skip_push: false
+    goarch: arm64
+    use: buildx
+    dockerfile: .goreleaser.Dockerfile
+    image_templates:
+      - ghcr.io/{{ .Env.GIT_REPO }}/{{ .ProjectName }}:{{ .Env.CUSTOM_TAG }}-arm64
+    build_flag_templates:
+      - --platform=linux/arm64
+      - --label=org.opencontainers.image.version={{ .Env.CUSTOM_TAG }}
+      - --label=org.opencontainers.image.revision={{ .Commit }}
+      - --label=org.opencontainers.image.title={{ .ProjectName }}
+      - --label=org.opencontainers.image.created={{ .Date }}
+      - --label=org.opencontainers.image.description=Rackspace Cloud DNS support for cert-manager
+      - --label=org.opencontainers.image.vendor=rackspace
+      - --label=org.opencontainers.image.licenses=Apache License 2.0
+      - --label=org.opencontainers.image.source=https://rackspace.com/
+      - --label=org.opencontainers.image.authors=Rackspace
+docker_manifests:
+  - name_template: ghcr.io/{{ .Env.GIT_REPO }}/{{ .ProjectName }}:{{ .Env.CUSTOM_TAG }}
+    image_templates:
+      - ghcr.io/{{ .Env.GIT_REPO }}/{{ .ProjectName }}:{{ .Env.CUSTOM_TAG }}-amd64
+      - ghcr.io/{{ .Env.GIT_REPO }}/{{ .ProjectName }}:{{ .Env.CUSTOM_TAG }}-arm64
+  - name_template: ghcr.io/{{ .Env.GIT_REPO }}/{{ .ProjectName }}:latest
+    image_templates:
+      - ghcr.io/{{ .Env.GIT_REPO }}/{{ .ProjectName }}:{{ .Env.CUSTOM_TAG }}-amd64
+      - ghcr.io/{{ .Env.GIT_REPO }}/{{ .ProjectName }}:{{ .Env.CUSTOM_TAG }}-arm64
+
+
+signs:
+  - cmd: cosign
+    signature: "${artifact}.sig"
+    certificate: "${artifact}.pem"
+    output: true
+    artifacts: checksum
+    args:
+      - sign-blob
+      - "--oidc-provider=github-actions"
+      - "--output-certificate=${certificate}"
+      - "--output-signature=${signature}"
+      - "${artifact}"
+      - --yes
+
+docker_signs:
+  - cmd: cosign
+    artifacts: manifests
+    output: true
+    args:
+      - "sign"
+      - "--oidc-provider=github-actions"
+      - "${artifact}@${digest}"
+      - --yes

go/nautobotop/.gitignore

@@ -17,6 +17,8 @@ Dockerfile.cross
 
 # Go workspace file
 go.work
+vendor/
+dist/
 
 # Kubernetes Generated files - skip generated files, except for vendored files
 !vendor/**/zz_generated.*

go/nautobotop/.goreleaser.yaml

@@ -7,6 +7,7 @@ before:
 
 env:
   - CUSTOM_TAG={{ .Env.CUSTOM_TAG }}
+  - GIT_REPO={{ .Env.GIT_REPO }}
 
 builds:
   - main: main.go
@@ -32,7 +33,7 @@ dockers:
     use: buildx
     dockerfile: .goreleaser.Dockerfile
     image_templates:
-      - ghcr.io/rackerlabs/understack/{{ .ProjectName }}:{{ .Env.CUSTOM_TAG }}-amd64
+      - ghcr.io/{{ .Env.GIT_REPO }}/{{ .ProjectName }}:{{ .Env.CUSTOM_TAG }}-amd64
     build_flag_templates:
       - --platform=linux/amd64
       - --label=org.opencontainers.image.version={{ .Env.CUSTOM_TAG }}
@@ -49,7 +50,7 @@ dockers:
     use: buildx
     dockerfile: .goreleaser.Dockerfile
     image_templates:
-      - ghcr.io/rackerlabs/understack/{{ .ProjectName }}:{{ .Env.CUSTOM_TAG }}-arm64
+      - ghcr.io/{{ .Env.GIT_REPO }}/{{ .ProjectName }}:{{ .Env.CUSTOM_TAG }}-arm64
     build_flag_templates:
       - --platform=linux/arm64
       - --label=org.opencontainers.image.version={{ .Env.CUSTOM_TAG }}
@@ -62,14 +63,14 @@ dockers:
       - --label=org.opencontainers.image.source=https://rackspace.com/
       - --label=org.opencontainers.image.authors=Rackspace
 docker_manifests:
-  - name_template: ghcr.io/rackerlabs/understack/{{ .ProjectName }}:{{ .Env.CUSTOM_TAG }}
+  - name_template: ghcr.io/{{ .Env.GIT_REPO }}/{{ .ProjectName }}:{{ .Env.CUSTOM_TAG }}
     image_templates:
-      - ghcr.io/rackerlabs/understack/{{ .ProjectName }}:{{ .Env.CUSTOM_TAG }}-amd64
-      - ghcr.io/rackerlabs/understack/{{ .ProjectName }}:{{ .Env.CUSTOM_TAG }}-arm64
-  - name_template: ghcr.io/rackerlabs/understack/{{ .ProjectName }}:latest
+      - ghcr.io/{{ .Env.GIT_REPO }}/{{ .ProjectName }}:{{ .Env.CUSTOM_TAG }}-amd64
+      - ghcr.io/{{ .Env.GIT_REPO }}/{{ .ProjectName }}:{{ .Env.CUSTOM_TAG }}-arm64
+  - name_template: ghcr.io/{{ .Env.GIT_REPO }}/{{ .ProjectName }}:latest
     image_templates:
-      - ghcr.io/rackerlabs/understack/{{ .ProjectName }}:{{ .Env.CUSTOM_TAG }}-amd64
-      - ghcr.io/rackerlabs/understack/{{ .ProjectName }}:{{ .Env.CUSTOM_TAG }}-arm64
+      - ghcr.io/{{ .Env.GIT_REPO }}/{{ .ProjectName }}:{{ .Env.CUSTOM_TAG }}-amd64
+      - ghcr.io/{{ .Env.GIT_REPO }}/{{ .ProjectName }}:{{ .Env.CUSTOM_TAG }}-arm64
 
 
 signs:

operators/rook/values-cluster.yaml

@@ -43,7 +43,7 @@ cephBlockPools:
         size: 2
     storageClass:
       enabled: false
-  - name: ceph-blockpool-ecoded
+  - name: ceph-blockpool-encoded
     # For caches and other unimportant data
     spec:
       failureDomain: host
@@ -52,7 +52,7 @@ cephBlockPools:
         dataChunks: 2
     storageClass:
       enabled: true
-      name: ceph-block-ecoded
+      name: ceph-block-encoded
       isDefault: false
       reclaimPolicy: Retain
       allowVolumeExpansion: true
@@ -66,7 +66,7 @@ cephBlockPools:
         csi.storage.k8s.io/controller-expand-secret-namespace: "{{ .Release.Namespace }}"
         csi.storage.k8s.io/node-stage-secret-name: rook-csi-rbd-node
         csi.storage.k8s.io/node-stage-secret-namespace: "{{ .Release.Namespace }}"
-        dataPool: ceph-blockpool-ecoded
+        dataPool: ceph-blockpool-encoded
         pool: replicated-metadata-pool
   - name: ceph-block-single
     # see https://github.com/rook/rook/blob/master/Documentation/CRDs/Block-Storage/ceph-block-pool-crd.md#spec for available configuration