-
Notifications
You must be signed in to change notification settings - Fork 30
/
Copy pathMakefile.docker
107 lines (93 loc) · 6.56 KB
/
Makefile.docker
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
# Makefile.docker contains the shared tasks for building, tagging and pushing Docker images.
# This file is included into the Makefile files which contain the Dockerfile files (E.g.
# kafka-base, kafka etc.).
#
# The DOCKER_ORG (default is name of the current user) and DOCKER_TAG (based on Git Tag,
# default latest) variables are used to name the Docker image. DOCKER_REGISTRY identifies
# the registry where the image will be pushed (default is Docker Hub).
TOPDIR=$(dir $(lastword $(MAKEFILE_LIST)))
SBOM_DIR=$(TOPDIR)sbom
DOCKERFILE_DIR ?= ./
DOCKER_REGISTRY ?= docker.io
DOCKER_ORG ?= $(USER)
DOCKER_TAG ?= latest
BUILD_TAG ?= latest
ifdef DOCKER_ARCHITECTURE
DOCKER_PLATFORM = --platform linux/$(DOCKER_ARCHITECTURE)
DOCKER_PLATFORM_TAG_SUFFIX = -$(DOCKER_ARCHITECTURE)
SBOM_DIR=$(TOPDIR)sbom/$(DOCKER_ARCHITECTURE)
endif
.PHONY: docker_build
docker_build:
# Build Docker image ...
docker $(DOCKER_BUILDX) build $(DOCKER_PLATFORM) $(DOCKER_BUILD_ARGS) -t strimzi/$(PROJECT_NAME):latest $(DOCKERFILE_DIR)
# The Dockerfiles all use FROM ...:latest, so it is necessary to tag images with latest (-t above)
# But because we generate Kafka images for different versions we also need to tag with something
# including the kafka version number. This BUILD_TAG is used by the docker_tag target.
# Also tag with $(BUILD_TAG)
docker tag strimzi/$(PROJECT_NAME):latest strimzi/$(PROJECT_NAME):$(BUILD_TAG)$(DOCKER_PLATFORM_TAG_SUFFIX)
.PHONY: docker_save
docker_save:
# Saves the container as TGZ file
docker save strimzi/$(PROJECT_NAME):$(BUILD_TAG)$(DOCKER_PLATFORM_TAG_SUFFIX) | gzip > drain-cleaner-container$(DOCKER_PLATFORM_TAG_SUFFIX).tar.gz
.PHONY: docker_load
docker_load:
# Loads the container as TGZ file
docker load < drain-cleaner-container$(DOCKER_PLATFORM_TAG_SUFFIX).tar.gz
.PHONY: docker_tag
docker_tag:
# Tag the $(BUILD_TAG) image we built with the given $(DOCKER_TAG) tag
docker tag strimzi/$(PROJECT_NAME):$(BUILD_TAG)$(DOCKER_PLATFORM_TAG_SUFFIX) $(DOCKER_REGISTRY)/$(DOCKER_ORG)/$(PROJECT_NAME):$(DOCKER_TAG)$(DOCKER_PLATFORM_TAG_SUFFIX)
.PHONY: docker_push
docker_push: docker_tag
# Push the $(DOCKER_TAG)-tagged image to the registry
docker push $(DOCKER_REGISTRY)/$(DOCKER_ORG)/$(PROJECT_NAME):$(DOCKER_TAG)$(DOCKER_PLATFORM_TAG_SUFFIX)
.PHONY: docker_delete_archive
docker_delete_archive:
# Deletes the archive
rm drain-cleaner-container$(DOCKER_PLATFORM_TAG_SUFFIX).tar.gz
.PHONY: docker_amend_manifest
docker_amend_manifest:
# Create / Amend the manifest
docker manifest create $(DOCKER_REGISTRY)/$(DOCKER_ORG)/$(PROJECT_NAME):$(DOCKER_TAG) --amend $(DOCKER_REGISTRY)/$(DOCKER_ORG)/$(PROJECT_NAME):$(DOCKER_TAG)$(DOCKER_PLATFORM_TAG_SUFFIX)
.PHONY: docker_push_manifest
docker_push_manifest:
# Push the manifest to the registry
docker manifest push $(DOCKER_REGISTRY)/$(DOCKER_ORG)/$(PROJECT_NAME):$(DOCKER_TAG)
.PHONY: docker_delete_manifest
docker_delete_manifest:
# Delete the manifest to the registry, ignore the error if manifest doesn't exist
docker manifest rm $(DOCKER_REGISTRY)/$(DOCKER_ORG)/$(PROJECT_NAME):$(DOCKER_TAG) || true
.PHONY: docker_sign_manifest
docker_sign_manifest:
# Signs the manifest and its images
@echo $$COSIGN_PRIVATE_KEY | base64 -d > cosign.key
MANIFEST_DIGEST=$(shell docker buildx imagetools inspect $(DOCKER_REGISTRY)/$(DOCKER_ORG)/$(PROJECT_NAME):$(DOCKER_TAG) --format '{{ json . }}' | jq -r .manifest.digest); \
cosign sign --recursive --tlog-upload=false -a author=StrimziCI -a BuildID=$(BUILD_ID) -a Commit=$(BUILD_COMMIT) --key cosign.key $(DOCKER_REGISTRY)/$(DOCKER_ORG)/$(PROJECT_NAME)@$$MANIFEST_DIGEST
@rm cosign.key
.PHONY: docker_sbom
docker_sbom:
# Saves the SBOM of the image
test -d $(SBOM_DIR) || mkdir -p $(SBOM_DIR)
# Generate the text format
MANIFEST_DIGEST=$(shell docker buildx imagetools inspect $(DOCKER_REGISTRY)/$(DOCKER_ORG)/$(PROJECT_NAME):$(DOCKER_TAG)$(DOCKER_PLATFORM_TAG_SUFFIX) --format '{{ json . }}' | jq -r .manifest.digest); \
syft packages $(DOCKER_REGISTRY)/$(DOCKER_ORG)/$(PROJECT_NAME)@$$MANIFEST_DIGEST --output syft-table --file $(SBOM_DIR)/$(DOCKER_REGISTRY)/$(DOCKER_ORG)/$(PROJECT_NAME)/$(DOCKER_TAG)/$$MANIFEST_DIGEST.txt
# Generate the SPDX JSON format for machine processing
MANIFEST_DIGEST=$(shell docker buildx imagetools inspect $(DOCKER_REGISTRY)/$(DOCKER_ORG)/$(PROJECT_NAME):$(DOCKER_TAG)$(DOCKER_PLATFORM_TAG_SUFFIX) --format '{{ json . }}' | jq -r .manifest.digest); \
syft packages $(DOCKER_REGISTRY)/$(DOCKER_ORG)/$(PROJECT_NAME)@$$MANIFEST_DIGEST --output spdx-json --file $(SBOM_DIR)/$(DOCKER_REGISTRY)/$(DOCKER_ORG)/$(PROJECT_NAME)/$(DOCKER_TAG)/$$MANIFEST_DIGEST.json
# Sign the TXT and SPDX-JSON SBOM
@echo $$COSIGN_PRIVATE_KEY | base64 -d > cosign.key
MANIFEST_DIGEST=$(shell docker buildx imagetools inspect $(DOCKER_REGISTRY)/$(DOCKER_ORG)/$(PROJECT_NAME):$(DOCKER_TAG)$(DOCKER_PLATFORM_TAG_SUFFIX) --format '{{ json . }}' | jq -r .manifest.digest); \
cosign sign-blob --tlog-upload=false --key cosign.key --bundle $(SBOM_DIR)/$(DOCKER_REGISTRY)/$(DOCKER_ORG)/$(PROJECT_NAME)/$(DOCKER_TAG)/$$MANIFEST_DIGEST.txt.bundle $(SBOM_DIR)/$(DOCKER_REGISTRY)/$(DOCKER_ORG)/$(PROJECT_NAME)/$(DOCKER_TAG)/$$MANIFEST_DIGEST.txt
MANIFEST_DIGEST=$(shell docker buildx imagetools inspect $(DOCKER_REGISTRY)/$(DOCKER_ORG)/$(PROJECT_NAME):$(DOCKER_TAG)$(DOCKER_PLATFORM_TAG_SUFFIX) --format '{{ json . }}' | jq -r .manifest.digest); \
cosign sign-blob --tlog-upload=false --key cosign.key --bundle $(SBOM_DIR)/$(DOCKER_REGISTRY)/$(DOCKER_ORG)/$(PROJECT_NAME)/$(DOCKER_TAG)/$$MANIFEST_DIGEST.json.bundle $(SBOM_DIR)/$(DOCKER_REGISTRY)/$(DOCKER_ORG)/$(PROJECT_NAME)/$(DOCKER_TAG)/$$MANIFEST_DIGEST.json
@rm cosign.key
.PHONY: docker_push_sbom
docker_push_sbom:
# Push the SBOMto the container registry and sign it
@echo $$COSIGN_PRIVATE_KEY | base64 -d > cosign.key
MANIFEST_DIGEST=$(shell docker buildx imagetools inspect $(DOCKER_REGISTRY)/$(DOCKER_ORG)/$(PROJECT_NAME):$(DOCKER_TAG)$(DOCKER_PLATFORM_TAG_SUFFIX) --format '{{ json . }}' | jq -r .manifest.digest); \
cosign attach sbom --sbom $(SBOM_DIR)/$(DOCKER_REGISTRY)/$(DOCKER_ORG)/$(PROJECT_NAME)/$(DOCKER_TAG)/$$MANIFEST_DIGEST.json $(DOCKER_REGISTRY)/$(DOCKER_ORG)/$(PROJECT_NAME):$(DOCKER_TAG)$(DOCKER_PLATFORM_TAG_SUFFIX)
MANIFEST_DIGEST=$(shell docker buildx imagetools inspect $(DOCKER_REGISTRY)/$(DOCKER_ORG)/$(PROJECT_NAME):$(DOCKER_TAG)$(DOCKER_PLATFORM_TAG_SUFFIX) --format '{{ json . }}' | jq -r .manifest.digest); \
cosign sign --tlog-upload=false -a author=StrimziCI -a BuildID=$(BUILD_ID) -a Commit=$(BUILD_COMMIT) --key cosign.key --attachment sbom $(DOCKER_REGISTRY)/$(DOCKER_ORG)/$(PROJECT_NAME)@$$MANIFEST_DIGEST
@rm cosign.key