Merge branch 'kyverno:main' into main

giantswarm · Jul 4, 2024 · 8c623ef · 8c623ef
2 parents f045abb + e28d413
commit 8c623ef
Show file tree

Hide file tree

Showing 37 changed files with 1,226 additions and 276 deletions.
diff --git a/.github/actions/publish-image/action.yaml b/.github/actions/publish-image/action.yaml
@@ -0,0 +1,89 @@
+name: Publish image
+
+description: Publishes a docker image, SBOM, scans vulns, and signs the image.
+
+inputs:
+  makefile-target:
+    required: true
+    description: makefile target to invoke for publishing image with ko
+  registry:
+    required: true
+    description: registry to publish image to
+  registry-username:
+    required: true
+    description: registry credentials username
+  registry-password:
+    required: true
+    description: registry credentials password
+  repository:
+    required: true
+    description: repository to publish image to
+  version:
+    required: true
+    description: published image version
+  sign-image:
+    required: true
+    description: sign image
+  sbom-name:
+    required: true
+    description: name of the cyclonedx sbom
+  sbom-repository:
+    required: true
+    description: sbom repository
+  signature-repository:
+    required: true
+    description: signature repository
+  main-path:
+    required: true
+    description: path to main go entry point
+
+outputs:
+  digest:
+    value: ${{ steps.digest.outputs.digest }}
+    description: published image digest
+
+runs:
+  using: composite
+  steps:
+    - shell: bash
+      id: ko-publish
+      env:
+        REGISTRY: ${{ inputs.registry }}
+        REPO: ${{ inputs.repository }}
+        REGISTRY_USERNAME: ${{ inputs.registry-username }}
+        REGISTRY_PASSWORD: ${{ inputs.registry-password }}
+        COSIGN_REPOSITORY: ${{ inputs.sbom-repository }}
+      run: |
+        set -e
+        echo "digest=$(VERSION=${{ inputs.version }} make ${{ inputs.makefile-target }})" >> $GITHUB_OUTPUT
+    - uses: CycloneDX/gh-gomod-generate-sbom@d4aee0cf5133055dbd98899978246c10c18c440f # v1.1.0
+      with:
+        version: v1
+        args: app -licenses -json -output ${{ inputs.sbom-name }}-bom.cdx.json -main ${{ inputs.main-path }}
+    - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+      with:
+        name: ${{ inputs.sbom-name }}-bom-cdx
+        path: ${{ inputs.sbom-name }}-bom.cdx.json
+    - shell: bash
+      if: ${{ inputs.sign-image == 'true' }}
+      env:
+        COSIGN_REPOSITORY: ${{ inputs.signature-repository }}
+      run: |
+        set -e
+        cosign sign --yes \
+          -a "repo=${{ github.repository }}" \
+          -a "workflow=${{ github.workflow }}" \
+          -a "ref=${{ github.sha }}" \
+          ${{ steps.ko-publish.outputs.digest }}
+    - shell: bash
+      env:
+        COSIGN_REPOSITORY: ${{ inputs.sbom-repository }}
+      run: |
+        cosign attach sbom --sbom ./${{ inputs.sbom-name }}-bom.cdx.json --type cyclonedx ${{ steps.ko-publish.outputs.digest }}
+    - shell: bash
+      id: digest
+      run: |
+        echo "The image generated is: ${{ steps.ko-publish.outputs.digest }}"
+        DIGEST=$(echo ${{ steps.ko-publish.outputs.digest }} | cut -d '@' -f2)
+        echo "Digest from image is: $DIGEST"
+        echo "digest=$DIGEST" >> $GITHUB_OUTPUT
diff --git a/.github/actions/setup-build-env/action.yaml b/.github/actions/setup-build-env/action.yaml
@@ -0,0 +1,37 @@
+name: Setup build env
+
+description: Clone repo, unshallow, setup go, cache and install tools.
+
+inputs:
+  unshallow:
+    description: git unshallow
+    default: 'true'
+  free-disk-space:
+    description: free disk space
+    default: 'true'
+
+runs:
+  using: composite
+  steps:
+    - uses: jlumbroso/free-disk-space@76866dbe54312617f00798d1762df7f43def6e5c # v1.2.0
+      if: ${{ inputs.free-disk-space == 'true' }}
+      with:
+        tool-cache: true
+        android: true
+        dotnet: true
+        haskell: true
+        large-packages: false
+        swap-storage: false
+    - shell: bash
+      if: ${{ inputs.unshallow == 'true' }}
+      run: |
+        git fetch --prune --unshallow
+    - uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
+      with:
+        go-version: ~1.22.2
+    - shell: bash
+      run: |
+        go mod download
+    - shell: bash
+      run: |
+        GOCACHE=~/.cache/kyverno/tools make install-tools
diff --git a/.github/actions/setup-caches/action.yaml b/.github/actions/setup-caches/action.yaml
@@ -0,0 +1,24 @@
+name: Setup caches
+
+description: Setup caches for go modules, tools and build cache.
+
+inputs:
+  build-cache-key:
+    description: build cache prefix
+
+runs:
+  using: composite
+  steps:
+    - uses: actions/cache@4723a57e26efda3a62cbde1812113b730952852d # v3.2.2
+      with:
+        path: ~/go/pkg/mod
+        key: ${{ runner.os }}-go-pkg-mod-${{ hashFiles('**/go.sum') }}-${{ hashFiles('Makefile') }}
+    - uses: actions/cache@4723a57e26efda3a62cbde1812113b730952852d # v3.2.2
+      with:
+        path: ~/.cache/kyverno/tools
+        key: ${{ runner.os }}-cache-kyverno-tools-${{ hashFiles('**/go.sum') }}-${{ hashFiles('Makefile') }}
+    - uses: actions/cache@4723a57e26efda3a62cbde1812113b730952852d # v3.2.2
+      if: ${{ inputs.build-cache-key }}
+      with:
+        path: ~/.cache/go-build
+        key: ${{ runner.os }}-build-cache-${{ inputs.build-cache-key }}-${{ hashFiles('**/go.sum') }}-${{ hashFiles('Makefile') }}
diff --git a/.github/workflows/conformance-tests.yaml b/.github/workflows/conformance-tests.yaml
@@ -41,7 +41,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
         with:
-          go-version: ~1.21.1
+          go-version: ~1.22.2
       - name: Install helm
         id: helm
         uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
@@ -82,15 +82,13 @@ jobs:
       - name: Wait for kyverno ready
         run: |
           set -e
-          kubectl wait --namespace kyverno --for=condition=ready pod --selector '!job-name' --timeout=60s
+          kubectl wait --namespace kyverno --for=condition=ready pod --selector '!job-name' --timeout=120s
       - name: API Service status
         run: |
           set -e
           kubectl get apiservices v1alpha2.wgpolicyk8s.io v1.reports.kyverno.io
       - name: Install Chainsaw
-        uses: kyverno/action-install-chainsaw@204730d723e1fd712e54e069031290ba2c1c14bd # v0.1.6
-        with:
-          release: v0.0.9
+        uses: kyverno/action-install-chainsaw@573a9c636f7c586f86ecb9de9674176daf80ee29 # v0.2.5
       - name: Test with Chainsaw
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

diff --git a/.github/workflows/migration-tests.yaml b/.github/workflows/migration-tests.yaml
@@ -41,7 +41,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
         with:
-          go-version: ~1.21.1
+          go-version: ~1.22.2
       - name: Install helm
         id: helm
         uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
@@ -73,7 +73,7 @@ jobs:
       - name: Wait for kyverno ready
         run: |
           set -e
-          kubectl wait --namespace kyverno --for=condition=ready pod --selector '!job-name' --timeout=60s
+          kubectl wait --namespace kyverno --for=condition=ready pod --selector '!job-name' --timeout=120s
       - name: API Service status before migation
         run: |
           set -e
@@ -82,7 +82,8 @@ jobs:
         run: |
           set -e
           kubectl create ns reports-server
-          kubectl apply -f ./config/install.yaml
+          export HELM=${{ steps.helm.outputs.helm-path }}
+          make kind-apply
       - name: Wait for report server ready
         run: |
           set -e
@@ -97,9 +98,7 @@ jobs:
           set -e
           kubectl get apiservices v1alpha2.wgpolicyk8s.io v1.reports.kyverno.io
       - name: Install Chainsaw
-        uses: kyverno/action-install-chainsaw@07b6c986572f2abaf6647c85d37cbecfddc4a6ab # v0.1.3
-        with:
-          release: v0.0.9
+        uses: kyverno/action-install-chainsaw@573a9c636f7c586f86ecb9de9674176daf80ee29 # v0.2.5
       - name: Test with Chainsaw
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

diff --git a/.github/workflows/publish-images.yaml b/.github/workflows/publish-images.yaml
@@ -0,0 +1,75 @@
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
+
+name: Publish images
+
+permissions: {}
+
+on:
+  push:
+    branches:
+      - 'main'
+      - 'release*'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  publish-images:
+    runs-on: ubuntu-latest
+    permissions:
+      packages: write
+      id-token: write 
+    outputs:
+      reports-server-digest: ${{ steps.publish-reports-server.outputs.digest }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: Setup caches
+        uses: ./.github/actions/setup-caches
+        timeout-minutes: 5
+        continue-on-error: true
+        with:
+          build-cache-key: publish-images
+      - name: Setup build env
+        uses: ./.github/actions/setup-build-env
+        timeout-minutes: 30
+      - name: Run Trivy vulnerability scanner in repo mode
+        uses: aquasecurity/trivy-action@d43c1f16c00cfd3978dde6c07f4bbcf9eb6993ca # v0.16.1
+        with:
+          scan-type: 'fs'
+          ignore-unfixed: true
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          severity: 'CRITICAL,HIGH'
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0
+      - name: Publish reports server
+        id: publish-reports-server
+        uses: ./.github/actions/publish-image
+        with:
+          makefile-target: ko-publish-reports-server
+          registry: ghcr.io
+          registry-username: ${{ github.actor }}
+          registry-password: ${{ secrets.GITHUB_TOKEN }}
+          repository: reports-server
+          version: ${{ github.ref_name }}
+          sign-image: true
+          sbom-name: reports-server
+          sbom-repository: ghcr.io/${{ github.repository_owner }}/reports-server/sbom
+          signature-repository: ghcr.io/${{ github.repository_owner }}/reports-server/signatures
+          main-path: .
+  generate-reports-server-provenance:
+    needs: publish-images
+    permissions:
+      id-token: write   # To sign the provenance.
+      packages: write   # To upload assets to release.
+      actions: read     # To read the workflow path.
+    # NOTE: The container generator workflow is not officially released as GA.
+    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
+    with:
+      image: ghcr.io/${{ github.repository_owner }}/reports-server
+      digest: "${{ needs.publish-images.outputs.reports-server-digest }}"
+      registry-username: ${{ github.actor }}
+    secrets:
+      registry-password: ${{ secrets.GITHUB_TOKEN }}
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,13 @@
+ARG ARCH
+FROM golang:1.22.2 as build
+
+WORKDIR /
+COPY . ./
+
+RUN GOOS=linux GOARCH=arm64 CGO_ENABLED=0 go build -ldflags="-w -s" -o reports-server ./main.go
+
+FROM gcr.io/distroless/static:nonroot
+WORKDIR /
+COPY --from=build reports-server reports-server
+USER 65534
+ENTRYPOINT ["/reports-server"]