chore: Introduce cli image variable

Signed-off-by: Jan Bouska <[email protected]>

Author: bouskaJ

Containerfile

@@ -1,19 +1,33 @@
-# Use the official Golang image as a base
-FROM golang:1.23
+# Build the manager binary
+FROM golang:1.23 AS builder
+ARG TARGETOS
+ARG TARGETARCH
 
-# Set the working directory
-WORKDIR /app
+WORKDIR /workspace
+# Copy the Go Modules manifests
+COPY go.mod go.mod
+COPY go.sum go.sum
+# cache deps before building and copying source so that we don't need to re-download as much
+# and so that source changes don't invalidate our downloaded layer
+RUN go mod download
 
-# Copy all files
-COPY . .
+# Copy the go source
+COPY cmd/main.go cmd/main.go
+COPY api/ api/
+COPY internal/ internal/
 
-# Download dependencies
-RUN go mod download && go mod verify
+# Build
+# the GOARCH has not a default value to allow the binary be built according to the host where the command
+# was called. For example, if we call make docker-build in a local env which has the Apple Silicon M1 SO
+# the docker BUILDPLATFORM arg will be linux/arm64 when for Apple x86 it will be linux/amd64. Therefore,
+# by leaving it empty we can ensure that the container and binary shipped on it will have the same platform.
+RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -a -o manager cmd/main.go
 
-# Build the application
-RUN CGO_ENABLED=0 go build -v -o app .
+# Use distroless as minimal base image to package the manager binary
+# Refer to https://github.com/GoogleContainerTools/distroless for more details
+FROM gcr.io/distroless/static:nonroot
+WORKDIR /
+COPY --from=builder /workspace/manager .
+USER 65532:65532
 
-FROM scratch
-COPY --from=0 /app/app /app
-EXPOSE 8080
-CMD ["/app"]
+ENTRYPOINT ["/manager"]

Dockerfile

@@ -21,6 +21,9 @@ import (
 	"flag"
 	"os"
 
+	"github.com/sigstore/model-validation-controller/internal/constants"
+	"github.com/sigstore/model-validation-controller/internal/utils"
+
 	// Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.)
 	// to ensure that exec-entrypoint and run can make use of them.
 	_ "k8s.io/client-go/plugin/pkg/client/auth"
@@ -70,6 +73,7 @@ func main() {
 		"If set, the metrics endpoint is served securely via HTTPS. Use --metrics-secure=false to use HTTP instead.")
 	flag.BoolVar(&enableHTTP2, "enable-http2", false,
 		"If set, HTTP/2 will be enabled for the metrics and webhook servers")
+	utils.StringFlagOrEnv(&constants.ModelTransparencyCliImage, "model-transparency-cli-image", "MODEL_TRANSPARENCY_CLI_IMAGE", constants.ModelTransparencyCliImage, "Model transparency CLI image to be used.")
 	opts := zap.Options{
 		Development: true,
 	}

cmd/main.go

@@ -1,3 +1,5 @@
 package constants
 
-var ()
+var (
+	ModelTransparencyCliImage = "ghcr.io/sigstore/model-transparency-cli:v1.0.1"
+)

internal/constants/images.go

@@ -0,0 +1,16 @@
+package utils
+
+import (
+	"flag"
+	"os"
+)
+
+// StringFlagOrEnv defines a string flag which can be set by an environment variable.
+// Precedence: flag > env var > default value.
+func StringFlagOrEnv(p *string, name string, envName string, defaultValue string, usage string) {
+	envValue := os.Getenv(envName)
+	if envValue != "" {
+		defaultValue = envValue
+	}
+	flag.StringVar(p, name, defaultValue, usage)
+}

internal/utils/utils.go

@@ -6,6 +6,7 @@ import (
 	"fmt"
 	"net/http"
 
+	"github.com/sigstore/model-validation-controller/internal/constants"
 	corev1 "k8s.io/api/core/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/log"
@@ -84,7 +85,7 @@ func (p *podInterceptor) Handle(ctx context.Context, req admission.Request) admi
 	pp.Spec.InitContainers = append(pp.Spec.InitContainers, corev1.Container{
 		Name:            modelValidationInitContainerName,
 		ImagePullPolicy: corev1.PullAlways,
-		Image:           "ghcr.io/sigstore/model-transparency-cli:v1.0.1", // TODO: get image from operator config.
+		Image:           constants.ModelTransparencyCliImage,
 		Command:         []string{"/usr/local/bin/model_signing"},
 		Args:            args,
 		VolumeMounts:    vm,