diff --git a/.drone.yml b/.drone.yml
deleted file mode 100644
index c12957f..0000000
--- a/.drone.yml
+++ /dev/null
@@ -1,126 +0,0 @@ -kind: pipeline -name: linux-amd64 - -platform: - os: linux - arch: amd64 - -steps: - - name: prepare-amd64-binaries - image: ubuntu:20.04 - commands: - - apt-get -y update && apt-get -y install make curl tar docker.io - - curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b $(pwd) - - make check-security - - make k8s-binaries - privileged: true - volumes: - - name: socket - path: /var/run/docker.sock - when: - event: - - tag - - pull_request - - - name: publish-hyperkube-linux-amd64 - image: plugins/docker - settings: - username: - from_secret: docker_username - password: - from_secret: docker_password - dockerfile: Dockerfile - repo: rancher/hyperkube - tag: "${DRONE_TAG}-linux-amd64" - when: - instance: - - drone-publish.rancher.io - event: - - tag -volumes: -- name: socket - host: - path: /var/run/docker.sock ---- -kind: pipeline -name: linux-arm64 - -platform: - os: linux - arch: arm64 - -steps: - - name: prepare-arm64-binaries - image: ubuntu:20.04 - commands: - - apt-get -y update && apt-get -y install make curl tar docker.io - - curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b $(pwd) - - make check-security - - make ARCH=arm64 k8s-binaries - privileged: true - volumes: - - name: socket - path: /var/run/docker.sock - when: - event: - - tag - - pull_request - - - name: publish-hyperkube-linux-arm64 - image: plugins/docker - settings: - username: - from_secret: docker_username - password: - from_secret: docker_password - dockerfile: Dockerfile - repo: rancher/hyperkube - tag: "${DRONE_TAG}-linux-arm64" - when: - instance: - - drone-publish.rancher.io - event: - - tag - -volumes: -- name: socket - host: - path: /var/run/docker.sock ---- -kind: pipeline -name: manifest - -steps: - - name: push-manifest - image: plugins/manifest - settings: - username: - from_secret: docker_username - password: - from_secret: docker_password - spec: manifest.tmpl 
- when: - instance: - - drone-publish.rancher.io - event: - - tag -depends_on: -- linux-amd64 -- linux-arm64 - ---- - -kind: pipeline -name: fossa - -steps: -- name: fossa - image: rancher/drone-fossa:latest - failure: ignore - settings: - api_key: - from_secret: FOSSA_API_KEY - when: - instance: - - drone-publish.rancher.io - diff --git a/.github/workflows/fossa.yaml b/.github/workflows/fossa.yaml new file mode 100644 index 0000000..9b502e3 --- /dev/null +++ b/.github/workflows/fossa.yaml @@ -0,0 +1,31 @@ +name: Run Fossa Scan + +on: + push: + tags: + - '*' + +jobs: + fossa: + runs-on: ubuntu-latest + permissions: + contents: read + id-token: write # needed for the Vault authentication + continue-on-error: true # we know that fossa test will report errors + steps: + - name: Load Secrets from Vault + uses: rancher-eio/read-vault-secrets@main + with: + secrets: | + secret/data/github/repo/${{ github.repository }}/fossa/credentials token | FOSSA + - name: Checkout Repo + uses: actions/checkout@v4 + - name: Run Fossa analyze + uses: fossas/fossa-action@v1.3.3 + with: + api-key: ${{ env.FOSSA }} + - name: Run Fossa test + uses: fossas/fossa-action@v1.3.3 + with: + api-key: ${{ env.FOSSA }} + run-tests: true diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml new file mode 100644 index 0000000..b3730d6 --- /dev/null +++ b/.github/workflows/release.yaml 
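Review bot: `uses: rancher-eio/read-vault-secrets@main` executes a mutable branch ref in a job that holds `id-token: write` and writes the Vault-sourced token into the job environment, so any change on that branch lands in this workflow without review. Pin it to a full commit SHA with the version kept in a trailing comment, e.g. `uses: rancher-eio/read-vault-secrets@<commit-sha> # <version>`, and consider the same for `fossas/fossa-action@v1.3.3`, since a tag can be moved. The same `@main` reference appears twice in release.yaml in this commit (the build-push-images and merge jobs).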
@@ -0,0 +1,117 @@ +name: Release + +on: + push: + tags: + - '*' + +env: + IMAGE: rancher/hyperkube + +jobs: + build-push-images: + runs-on: ubuntu-latest + permissions: + contents: read + id-token: write # needed for the Vault authentication + strategy: + fail-fast: true + matrix: + os: [linux] + arch: [amd64, arm64] + steps: + - name: Checkout code + uses: actions/checkout@v4 + - name: Setup Environment Variables + run: | + echo "ARCH=${{ matrix.arch }}" >> "$GITHUB_ENV" + echo "K8S_VERSION=$( echo ${{ github.ref_name }} | tr -s " " | cut -d "-" -f1 )" >> "$GITHUB_ENV" + - name: Prepare binaries + run: make k8s-binaries + - name: Docker meta + id: meta + uses: docker/metadata-action@v5 + with: + images: ${{ env.IMAGE }} + flavor: | + latest=false + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + - name: Load Secrets from Vault + uses: rancher-eio/read-vault-secrets@main + with: + secrets: | + secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials username | DOCKER_USERNAME ; + secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials password | DOCKER_PASSWORD + - name: Login to Docker Hub + uses: docker/login-action@v3 + with: + username: ${{ env.DOCKER_USERNAME }} + password: ${{ env.DOCKER_PASSWORD }} + - name: Build and push Docker image + id: build + uses: docker/build-push-action@v5 + with: + context: . 
+ push: true + tags: "${{ steps.meta.outputs.tags }}" + platforms: "${{ matrix.os }}/${{ matrix.arch }}" + labels: "${{ steps.meta.outputs.labels }}" + - name: Export digest + run: | + mkdir -p /tmp/digests + digest="${{ steps.build.outputs.digest }}" + touch "/tmp/digests/${digest#sha256:}" + - name: Upload digest + uses: actions/upload-artifact@v4 + with: + name: "digests-${{ matrix.os }}-${{ matrix.arch }}" + path: /tmp/digests/* + if-no-files-found: error + retention-days: 7 + overwrite: true + + merge: + runs-on: ubuntu-latest + needs: + - build-push-images + permissions: + contents: read + id-token: write # needed for the Vault authentication + steps: + - name: Download digests + uses: actions/download-artifact@v4 + with: + path: /tmp/digests + pattern: digests-* + merge-multiple: true + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + - name: Docker meta + id: meta + uses: docker/metadata-action@v5 + with: + images: ${{ env.IMAGE }} + flavor: | + latest=false + - name: Load Secrets from Vault + uses: rancher-eio/read-vault-secrets@main + with: + secrets: | + secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials username | DOCKER_USERNAME ; + secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials password | DOCKER_PASSWORD + - name: Login to Docker Hub + uses: docker/login-action@v3 + with: + username: ${{ env.DOCKER_USERNAME }} + password: ${{ env.DOCKER_PASSWORD }} + - name: Create manifest list and push + working-directory: /tmp/digests + run: | + docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \ + $(printf '${{ env.IMAGE }}@sha256:%s ' *) + - name: Inspect image + run: | + docker buildx imagetools inspect ${{ env.IMAGE }}:${{ steps.meta.outputs.version }} diff --git a/.github/workflows/test-prepare-binaries.yaml b/.github/workflows/test-prepare-binaries.yaml new file mode 100644 index 0000000..14f78e4 --- /dev/null 
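Review bot: `github.ref_name` is interpolated straight into the `run` script of the Setup Environment Variables step, so a tag name containing shell metacharacters is executed as script rather than handled as data, because expression expansion happens before the shell sees the text. Pass it through an environment variable instead: add `env:` / `REF_NAME: ${{ github.ref_name }}` on the step and change the line to `echo "K8S_VERSION=$( echo "$REF_NAME" | tr -s " " | cut -d "-" -f1 )" >> "$GITHUB_ENV"`. Only someone able to push a tag reaches this path, but the job also carries Vault `id-token: write` and Docker Hub push credentials, so the result of a bad tag name is a published image. `${{ matrix.arch }}` in the same step comes from the fixed matrix list and is fine.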
+++ b/.github/workflows/test-prepare-binaries.yaml @@ -0,0 +1,24 @@ +name: Test Prepare Binaries + +on: + push: + branches: + - "*" + pull_request: + +jobs: + tests: + runs-on: ubuntu-latest + strategy: + matrix: + arch: [ amd64, arm64 ] + permissions: + contents: read + steps: + - name: Checkout code + uses: actions/checkout@v4 + - name: Setup Environment Variables + run: | + echo "ARCH=${{ matrix.arch }}" >> "$GITHUB_ENV" + - name: Prepare binaries + run: make k8s-binaries diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml new file mode 100644 index 0000000..6fb045a --- /dev/null +++ b/.github/workflows/trivy.yaml @@ -0,0 +1,28 @@ +name: Run Trivy scan + +on: + push: + tags: + - '*' + pull_request: + + +jobs: + trivy: + runs-on: ubuntu-latest + permissions: + contents: read + steps: + - name: Checkout Repo + uses: actions/checkout@v4 + - name: Get base image + run: | + image=$(grep hyperkube-base Dockerfile | awk '{ print $2 }') + echo "HYPERKUBE=${image}" + echo "HYPERKUBE=${image}" >> "$GITHUB_ENV" + - name: Run Trivy scanner + uses: aquasecurity/trivy-action@0.19.0 + with: + image-ref: ${{ env.HYPERKUBE }} + exit-code: '1' + severity: 'CRITICAL,HIGH' diff --git a/.gitignore b/.gitignore index 8aee2bc..e6f0f46 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,3 @@ k8s-tars/ -k8s-binaries/ \ No newline at end of file +k8s-binaries/ +.idea/ diff --git a/manifest.tmpl b/manifest.tmpl deleted file mode 100644 index 3ddc842..0000000 --- a/manifest.tmpl +++ /dev/null @@ -1,12 +0,0 @@ -image: rancher/hyperkube:{{build.tag}} -manifests: - - - image: rancher/hyperkube:{{build.tag}}-linux-amd64 - platform: - architecture: amd64 - os: linux - - - image: rancher/hyperkube:{{build.tag}}-linux-arm64 - platform: - architecture: arm64 - os: linux
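Review bot: `branches: - "*"` matches only branch names without a `/`, because a single `*` in GitHub's filter glob does not cross the separator; a `release/v1.x`-style branch would not run this job on push, though it would still run through `pull_request`. If every branch is intended, write `- "**"`. As a style point, `arch: [ amd64, arm64 ]` has spaces inside the brackets while release.yaml writes `[amd64, arm64]`; pick one form across the workflows.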
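Review bot: `image=$(grep hyperkube-base Dockerfile | awk '{ print $2 }')` assumes exactly one matching line; a second match (a comment or an `ARG`, say) makes `HYPERKUBE` multi-line and `image-ref` invalid, and no match leaves it empty so the scanner runs against an empty ref instead of the step failing early. Guard the assignment, e.g. `[ -n "$image" ] || { echo "no hyperkube-base line in Dockerfile" >&2; exit 1; }`, and add `-m1` or a stricter pattern such as `^FROM` if that fits the Dockerfile's layout. Note also that this scan lives in a separate workflow: on a tag push it runs alongside release.yaml rather than before it, so a CRITICAL/HIGH finding no longer holds back the image push the way `make check-security` ran ahead of the publish step in the deleted .drone.yml; if gating is wanted, release.yaml needs its own scan step before `docker/build-push-action`.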