feat: NVSHAS-9494 make manager SLSA capable

Author: holyspectral

.dockerignore

@@ -0,0 +1,68 @@
+*.class
+*.log
+apis.yaml
+docker-compose.yml
+
+# sbt specific
+.cache
+.history
+.lib/
+target/
+lib_managed/
+src_managed/
+project/boot/
+project/plugins/project/
+
+# Scala-IDE specific
+.scala_dependencies
+.worksheet
+*.sc
+
+#IntelliJ specific
+.idea
+
+# eclipse specific
+*.pydevproject
+.project
+.metadata
+bin/**
+tmp/**
+tmp/**/*
+*.tmp
+*.bak
+*.swp
+*~.nib
+local.properties
+.classpath
+.settings/
+.loadpath
+
+# External tool builders
+.externalToolBuilders/
+
+# Locally stored "Eclipse launch configurations"
+*.launch
+
+# Downloaded dependencies
+
+*.DS_Store
+.DS_Store
+
+.sass-cache
+.sass-cache/*
+
+.vscode/
+admin/webapp/.bsp/
+admin/webapp/websrc/.bsp/
+token.json
+
+.metals
+admin/test/REST_API/output
+admin/webapp/root
+admin/webapp/.angular
+/.bsp/*
+/admin/.angular/
+/admin/webapp/websrc/assets/mockdata
+/admin/webapp/package-lock.json
+admin/webapp/websrc/assets/i18n/en.json
+admin/webapp/websrc/assets/i18n/zh_cn.json

.github/workflows/release.yml

@@ -24,25 +24,45 @@ jobs:
       uses: rancher-eio/read-vault-secrets@main
       with:
         secrets: |
+          secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials username | RANCHER_DOCKER_USERNAME ;
+          secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials password | RANCHER_DOCKER_PASSWORD ;
           secret/data/github/repo/${{ github.repository }}/dockerhub/neuvector/credentials username | DOCKER_USERNAME ;
           secret/data/github/repo/${{ github.repository }}/dockerhub/neuvector/credentials password | DOCKER_PASSWORD ;
           secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials registry | PRIME_REGISTRY ;
           secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials username | PRIME_REGISTRY_USERNAME ;
           secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials password | PRIME_REGISTRY_PASSWORD
-
-    - name: Publish manifest
+    - name: Parse target tag
+      run: |
+        TARGET=${{ github.ref_name }}
+        echo "TAG=${TARGET#v}" >> $GITHUB_ENV
+    - name: Publish neuvector manifest
       uses: rancher/ecm-distro-tools/actions/publish-image@master
       with:
-        image: registry-adapter
-        tag: ${{ github.ref_name }}
+        push-to-public: true
+        push-to-prime: false
+        image: manager
+        tag: ${{ env.TAG }}
         platforms: linux/amd64,linux/arm64
 
         public-registry: docker.io
         public-repo: neuvector
         public-username: ${{ env.DOCKER_USERNAME }}
         public-password: ${{ env.DOCKER_PASSWORD }}
+    - name: Publish rancher manifest
+      uses: rancher/ecm-distro-tools/actions/publish-image@master
+      env:
+        IMAGE_PREFIX: neuvector-
+      with:
+        image: neuvector-manager
+        tag: ${{ env.TAG }}
+        platforms: linux/amd64,linux/arm64
+
+        public-registry: docker.io
+        public-repo: rancher
+        public-username: ${{ env.RANCHER_DOCKER_USERNAME }}
+        public-password: ${{ env.RANCHER_DOCKER_PASSWORD }}
 
         prime-registry: ${{ env.PRIME_REGISTRY }}
         prime-repo: rancher
         prime-username: ${{ env.PRIME_REGISTRY_USERNAME }}
-        prime-password: ${{ env.PRIME_REGISTRY_PASSWORD }}
+        prime-password: ${{ env.PRIME_REGISTRY_PASSWORD }}

Makefile

@@ -36,6 +36,7 @@ jar:
 RUNNER := docker
 IMAGE_BUILDER := $(RUNNER) buildx
 MACHINE := neuvector
+BUILDX_ARGS ?= --sbom=true --attest type=provenance,mode=max
 DEFAULT_PLATFORMS := linux/amd64,linux/arm64,linux/x390s,linux/riscv64
 
 COMMIT = $(shell git rev-parse --short HEAD)
@@ -48,20 +49,13 @@ ifeq ($(VERSION),)
 		DIRTY = -dirty
 	endif
 
-	# Prioritise DRONE_TAG for backwards compatibility. However, the git tag
-	# command should be able to gather the current tag, except when the git
-	# clone operation was done with "--no-tags".
-	ifneq ($(DRONE_TAG),)
-		GIT_TAG = $(DRONE_TAG)
-	else
-		GIT_TAG = $(shell git tag -l --contains HEAD | head -n 1)
-	endif
 
 	COMMIT = $(shell git rev-parse --short HEAD)
 	VERSION = $(COMMIT)$(DIRTY)
 
 	# Override VERSION with the Git tag if the current HEAD has a tag pointing to
 	# it AND the worktree isn't dirty.
+	GIT_TAG = $(shell git tag -l --contains HEAD | head -n 1)
 	ifneq ($(GIT_TAG),)
 		ifeq ($(DIRTY),)
 			VERSION = $(GIT_TAG)
@@ -81,13 +75,6 @@ STAGE_DIR=stage
 REPO ?= neuvector
 IMAGE = $(REPO)/manager:$(TAG)
 BUILD_ACTION = --load
-BUILDX_ARGS ?= --sbom=true --attest type=provenance,mode=max --cache-to type=gha --cache-from type=gha
-
-stage_init:
-	rm -rf ${STAGE_DIR}; mkdir -p ${STAGE_DIR}
-	mkdir -p ${STAGE_DIR}/usr/local/bin/
-	mkdir -p ${STAGE_DIR}/licenses/
-	mkdir -p ${STAGE_DIR}/usr/lib/jvm/java-17-openjdk/lib/security/
 
 buildx-machine:
 	docker buildx ls
@@ -100,13 +87,13 @@ test-image:
 	$(MAKE) build-image BUILD_ACTION="--platform=$(TARGET_PLATFORMS)"
 
 build-image: buildx-machine ## build (and load) the container image targeting the current platform.
-	$(IMAGE_BUILDER) build -f build/Dockerfile \
+	$(IMAGE_BUILDER) build -f package/Dockerfile \
 		--builder $(MACHINE) $(IMAGE_ARGS) \
-		--build-arg VERSION=$(VERSION) -t "$(IMAGE)" $(BUILD_ACTION) .
+		--build-arg VERSION=$(VERSION) --build-arg COMMIT=$(COMMIT) -t "$(IMAGE)" $(BUILD_ACTION) .
 	@echo "Built $(IMAGE)"
 
-push-image: stage_init buildx-machine
-	$(IMAGE_BUILDER) build -f build/Dockerfile \
+push-image: buildx-machine
+	$(IMAGE_BUILDER) build -f package/Dockerfile \
 		--builder $(MACHINE) $(IMAGE_ARGS) $(IID_FILE_FLAG) $(BUILDX_ARGS) \
-		--build-arg VERSION=$(VERSION) --build-arg COMMIT=$(COMMIT) --platform=$(TARGET_PLATFORMS) -t "$(REPO)/manager:$(TAG)" --push .
-	@echo "Pushed $(IMAGE)"
+		--build-arg VERSION=$(VERSION) --build-arg COMMIT=$(COMMIT) --platform=$(TARGET_PLATFORMS) -t "$(REPO)/$(IMAGE_PREFIX)manager:$(TAG)" --push .
+	@echo "Pushed $(REPO)/$(IMAGE_PREFIX)manager:$(TAG)"

make_jar.sh

@@ -0,0 +1,47 @@
+#!/bin/bash
+
+export CHROME_BIN=/usr/bin/google-chrome
+
+rm -rf admin/target
+pushd admin/webapp
+if [[ $# > 0 ]]; then
+    case $1 in
+        -d)
+        mkdir -p /root/.ivy2
+        ln -s /prebuild/manager/cache /root/.ivy2/cache
+        # ln -s /prebuild/manager/node_modules node_modules
+        ;;
+        *)
+        ;;
+    esac
+fi
+npm install --legacy-peer-deps 2>&1
+if [ $? -eq 0 ]; then
+    echo npm package installation SUCCEED
+else
+    npm cache clean --force 2>&1
+    sleep 10
+    npm install 2>&1
+    if [ $? -eq 0 ]; then
+        echo npm package installation SUCCEED
+    else
+        echo ================================
+        echo npm package installation FAILED
+        echo ================================
+        exit 1
+    fi
+fi
+npm run build 2>&1
+if [ $? -eq 0 ]; then
+    echo UI build SUCCEED
+else
+    echo ================================
+    echo UI build FAILED
+    echo ================================
+    exit 1
+fi
+# npm run unittest
+popd
+env JAVA_OPTS="-Xms2g -Xmx3g" sbt admin/assembly
+zip -d admin/target/scala-3.3.4/admin-assembly-1.0.jar rest-management-private-classpath\*
+rm -rf admin/webapp/root/.sass-cache

build/Dockerfile package/Dockerfile

@@ -4,16 +4,29 @@ FROM registry.suse.com/bci/openjdk:17 AS builder
 ARG TARGETOS
 ARG TARGETARCH
 
-COPY . /src
+COPY admin /src/admin
+COPY cli /src/cli
+COPY common /src/common
+COPY images /src/images
+COPY licenses /src/licenses
+COPY java.security /src/java.security
+COPY package /src/package
+COPY project /src/project
+COPY scripts /src/scripts
+COPY build.sbt .scalafix.conf .scalafmt.conf /src/
+
 WORKDIR /src
 
 RUN zypper refresh && \
     zypper install -y ca-certificates wget curl zip git awk nodejs20 npm20
 
+ARG VERSION
+
+ARG CS_VERSION=v2.1.18
 RUN if [ "$TARGETARCH" = "amd64" ]; then \
-    curl -fL https://github.com/coursier/launchers/raw/master/cs-x86_64-pc-${TARGETOS}.gz | gzip -d > cs; \
+    curl -fL https://github.com/coursier/coursier/releases/download/${CS_VERSION}/cs-x86_64-pc-${TARGETOS}.gz | gzip -d > cs; \
   elif [ "$TARGETARCH" = "arm64" ]; then \
-    curl -fL https://github.com/VirtusLab/coursier-m1/releases/latest/download/cs-aarch64-pc-${TARGETOS}.gz | gzip -d > cs; \
+    curl -fL https://github.com/VirtusLab/coursier-m1/releases/download/${CS_VERSION}/cs-aarch64-pc-${TARGETOS}.gz | gzip -d > cs; \
   else \
     echo "Unsupported architecture: $ARCH"; \
     exit 1; \
@@ -25,12 +38,14 @@ RUN if [ "$TARGETARCH" = "amd64" ]; then \
 RUN npm install -g @angular/cli@14 && \
     npm install -g npm-force-resolutions
 
-RUN bash build/build_manager.sh
+RUN sed -i -e 's/interim.*xxxx/'"$VERSION"'/g' ./common/src/main/resources/application.conf
+RUN bash package/build_manager.sh
 
 # Manager unitest
 RUN if [ "$ARCH" = "amd64" ]; then \
   zypper addrepo https://download.opensuse.org/repositories/M17N:fonts/15.6/M17N:fonts.repo && \
-  zypper --non-interactive --gpg-auto-import-keys refresh && \
+  rpm --import https://download.opensuse.org/repositories/M17N/15.6/repodata/repomd.xml.key && \
+  zypper --non-interactive refresh && \
   zypper install -y liberation-fonts && \
   wget https://dl.google.com/${OS}/direct/google-chrome-stable_current_${ARCH}.rpm && \
   wget https://dl.google.com/${OS}/${OS}_signing_key.pub && \
@@ -42,10 +57,10 @@ fi
 FROM registry.suse.com/bci/bci-micro:15.6 AS micro
 FROM registry.suse.com/bci/bci-base:15.6 AS base
 
-COPY --from=builder /src/build/requirements.txt /chroot/requirements.txt
+COPY --from=builder /src/package/requirements.txt /chroot/requirements.txt
 COPY --from=micro / /chroot/
 
-RUN zypper --installroot /chroot -n --gpg-auto-import-keys in --no-recommends \
+RUN zypper refresh && zypper --installroot /chroot -n in --no-recommends \
     python312 python312-pip iproute2 lsof procps grep awk && \
     cp /etc/resolv.conf /chroot/etc/resolv.conf && \
     chroot /chroot /usr/bin/python3.12 -m pip install --upgrade pip setuptools && \
@@ -77,22 +92,27 @@ ARG COMMIT
 WORKDIR /
 COPY --from=base /chroot/ /
 COPY --from=base /usr/sbin/useradd /usr/sbin
-COPY --from=builder /src/stage /
 COPY --from=builder /usr/lib64/ /usr/lib64/
+COPY --from=builder /src/stage /
 
 ENV JAVA_HOME=/usr/lib64/jvm/java-17-openjdk-17 \
     PATH=/usr/lib64/jvm/java-17-openjdk-17/bin:$PATH \
     LD_LIBRARY_PATH=/usr/lib64 \
     LANG=C.UTF-8 \
     PYTHONUNBUFFERED=1
 
-LABEL name="manager" \
-      vendor="SUSE Security" \
-      version=${VERSION} \
-      release=${VERSION} \
-      neuvector.image="neuvector/manager" \
-      neuvector.role="manager" \
-      neuvector.rev="${COMMIT}"
+LABEL "name"="manager" \
+      "vendor"="SUSE Security" \
+      "neuvector.image"="neuvector/manager" \
+      "neuvector.role"="manager" \
+      "neuvector.rev"="${COMMIT}" \
+      "io.artifacthub.package.logo-url"=https://avatars2.githubusercontent.com/u/19367275 \
+      "io.artifacthub.package.readme-url"="https://raw.githubusercontent.com/neuvector/manager/${VERSION}/README.md" \
+      "org.opencontainers.image.description"="SUSE Security Manager" \
+      "org.opencontainers.image.title"="SUSE Security Manager" \
+      "org.opencontainers.image.source"="https://github.com/neuvector/manager/" \
+      "org.opencontainers.image.version"="${VERSION}" \
+      "org.opensuse.reference"="neuvector/manager:${VERSION}"
 
 ARG user=manager
 RUN echo "$user:x:1000:1000::/nonexistent:/bin/bash" >> /etc/passwd && \

build/build_manager.sh package/build_manager.sh

@@ -1,4 +1,5 @@
 #!/bin/bash
+set -e
 
 STAGE_DIR=stage
 
@@ -48,10 +49,12 @@ env JAVA_OPTS="-Xms2g -Xmx3g" sbt admin/assembly
 zip -d admin/target/scala-3.3.4/admin-assembly-1.0.jar rest-management-private-classpath\*
 rm -rf admin/webapp/root/.sass-cache
 
+mkdir -p ${STAGE_DIR}/licenses/ ${STAGE_DIR}/usr/local/bin/ ${STAGE_DIR}/usr/lib/jvm/java-17-openjdk/lib/security ${STAGE_DIR}/usr/lib64/jvm/java-17-openjdk-17/conf/security/
 cp licenses/* ${STAGE_DIR}/licenses/
 cp cli/cli ${STAGE_DIR}/usr/local/bin/
 cp cli/cli.py ${STAGE_DIR}/usr/local/bin/
 cp -r cli/prog ${STAGE_DIR}/usr/local/bin/
 cp scripts/* ${STAGE_DIR}/usr/local/bin/
-cp java.security ${STAGE_DIR}/usr/lib/jvm/java-17-openjdk/lib/security/java.security
+cp java.security ${STAGE_DIR}/usr/lib/jvm/java-17-openjdk/lib/security/
+cp java.security ${STAGE_DIR}/usr/lib64/jvm/java-17-openjdk-17/conf/security/
 cp admin/target/scala-3.3.4/admin-assembly-1.0.jar ${STAGE_DIR}/usr/local/bin/

build/requirements.txt package/requirements.txt

@@ -4,4 +4,5 @@ prettytable==2.5.0
 requests==2.32.0
 six==1.11.0
 supervisor==4.2.5
-urllib3==1.26.19
+urllib3==1.26.19
+