From 47ff0d19dc14623f289bf7a9e5d17ca0da9486b2 Mon Sep 17 00:00:00 2001 From: Andrew Kenworthy Date: Mon, 16 Dec 2024 12:30:06 +0100 Subject: [PATCH 1/8] remove references to nexus --- Makefile | 53 ++----------------- Tiltfile | 8 +-- default.nix | 2 +- deploy/helm/opa-operator/values.yaml | 2 +- .../reference/environment-variables.adoc | 6 +-- .../20-install-test-regorule.yaml | 2 +- .../20-install-test-regorule.yaml | 2 +- .../kuttl/logging/03-install-opa.yaml.j2 | 2 +- .../logging/04-install-opa-test-runner.yaml | 2 +- .../kuttl/smoke/20-install-test-regorule.yaml | 2 +- tests/test-definition.yaml | 6 +-- 11 files changed, 21 insertions(+), 66 deletions(-) diff --git a/Makefile b/Makefile index 541424f7..3a737b3e 100644 --- a/Makefile +++ b/Makefile @@ -14,13 +14,10 @@ OPERATOR_NAME := opa-operator VERSION := $(shell cargo metadata --format-version 1 | jq -r '.packages[] | select(.name=="stackable-${OPERATOR_NAME}") | .version') ARCH := $(shell uname -m | sed -e 's#x86_64#amd64#' | sed -e 's#aarch64#arm64#') -DOCKER_REPO := docker.stackable.tech -ORGANIZATION := stackable OCI_REGISTRY_HOSTNAME := oci.stackable.tech OCI_REGISTRY_PROJECT_IMAGES := sdp OCI_REGISTRY_PROJECT_CHARTS := sdp-charts -# This will be overwritten by an environmental variable if called from the github action -HELM_REPO := https://repo.stackable.tech/repository/helm-dev + HELM_CHART_NAME := ${OPERATOR_NAME} HELM_CHART_ARTIFACT := target/helm/${OPERATOR_NAME}-${VERSION}.tgz 
@@ -34,35 +31,9 @@ render-docs: ## Docker related targets docker-build: - docker build --force-rm --build-arg VERSION=${VERSION} -t "${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}:${VERSION}-${ARCH}" -f docker/Dockerfile . - docker tag "${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}:${VERSION}-${ARCH}" "${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}:${VERSION}-${ARCH}" + docker build --force-rm --build-arg VERSION=${VERSION} -t "${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}:${VERSION}-${ARCH}" -f docker/Dockerfile . docker-publish: - # Push to Nexus - echo "${NEXUS_PASSWORD}" | docker login --username github --password-stdin "${DOCKER_REPO}" - DOCKER_OUTPUT=$$(docker push --all-tags "${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}");\ - # Obtain the digest of the pushed image from the output of `docker push`, because signing by tag is deprecated and will be removed from cosign in the future\ - REPO_DIGEST_OF_IMAGE=$$(echo "$$DOCKER_OUTPUT" | awk '/^${VERSION}-${ARCH}: digest: sha256:[0-9a-f]{64} size: [0-9]+$$/ { print $$3 }');\ - if [ -z "$$REPO_DIGEST_OF_IMAGE" ]; then\ - echo 'Could not find repo digest for container image: ${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}:${VERSION}-${ARCH}';\ - exit 1;\ - fi;\ - # This generates a signature and publishes it to the registry, next to the image\ - # Uses the keyless signing flow with Github Actions as identity provider\ - cosign sign -y "${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}@$$REPO_DIGEST_OF_IMAGE";\ - # Generate the SBOM for the operator image, this leverages the already generated SBOM for the operator binary by cargo-cyclonedx\ - syft scan --output cyclonedx-json@1.5=sbom.json --select-catalogers "-cargo-auditable-binary-cataloger,+sbom-cataloger" --scope all-layers --source-name "${OPERATOR_NAME}" --source-version "${VERSION}-${ARCH}" "${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}@$$REPO_DIGEST_OF_IMAGE";\ - # Determine the PURL for the container 
image\ - URLENCODED_REPO_DIGEST_OF_IMAGE=$$(echo "$$REPO_DIGEST_OF_IMAGE" | sed 's/:/%3A/g');\ - PURL="pkg:oci/${OPERATOR_NAME}@$$URLENCODED_REPO_DIGEST_OF_IMAGE?arch=${ARCH}&repository_url=${DOCKER_REPO}%2F${ORGANIZATION}%2F${OPERATOR_NAME}";\ - # Get metadata from the image\ - IMAGE_DESCRIPTION=$$(docker inspect --format='{{.Config.Labels.description}}' "${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}:${VERSION}-${ARCH}");\ - IMAGE_NAME=$$(docker inspect --format='{{.Config.Labels.name}}' "${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}:${VERSION}-${ARCH}");\ - # Merge the SBOM with the metadata for the operator\ - jq -s '{"metadata":{"component":{"description":"'"$$IMAGE_NAME. $$IMAGE_DESCRIPTION"'","supplier":{"name":"Stackable GmbH","url":["https://stackable.tech/"]},"author":"Stackable GmbH","purl":"'"$$PURL"'","publisher":"Stackable GmbH"}}} * .[0]' sbom.json > sbom.merged.json;\ - # Attest the SBOM to the image\ - cosign attest -y --predicate sbom.merged.json --type cyclonedx "${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}@$$REPO_DIGEST_OF_IMAGE" - # Push to Harbor # We need to use "value" here to prevent the variable from being recursively expanded by make (username contains a dollar sign, since it's a Harbor bot) docker login --username '${value OCI_REGISTRY_SDP_USERNAME}' --password '${OCI_REGISTRY_SDP_PASSWORD}' '${OCI_REGISTRY_HOSTNAME}' 
@@ -89,23 +60,11 @@ docker-publish: # Attest the SBOM to the image\ cosign attest -y --predicate sbom.merged.json --type cyclonedx "${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}@$$REPO_DIGEST_OF_IMAGE" -# This assumes "${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}:${VERSION}-amd64 and "${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}:${VERSION}-arm64 are build and pushed +# This assumes "${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}:${VERSION}-amd64 and "${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}:${VERSION}-arm64 are built and pushed docker-manifest-list-build: - docker manifest create "${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}:${VERSION}" --amend "${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}:${VERSION}-amd64" --amend "${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}:${VERSION}-arm64" docker manifest create "${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}:${VERSION}" --amend "${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}:${VERSION}-amd64" --amend "${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}:${VERSION}-arm64" docker-manifest-list-publish: - # Push to Nexus - echo "${NEXUS_PASSWORD}" | docker login --username github --password-stdin "${DOCKER_REPO}" - # `docker manifest push` directly returns the digest of the manifest list - # As it is an experimental feature, this might change in the future - # Further reading: https://docs.docker.com/reference/cli/docker/manifest/push/ - DIGEST_NEXUS=$$(docker manifest push "${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}:${VERSION}");\ - # Refer to image via its digest (oci.stackable.tech/sdp/airflow@sha256:0a1b2c...)\ - # This generates a signature and publishes it to the registry, next to the image\ - # Uses the keyless signing flow with Github Actions as identity provider\ - cosign sign -y 
"${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}:${VERSION}@$$DIGEST_NEXUS" - # Push to Harbor # We need to use "value" here to prevent the variable from being recursively expanded by make (username contains a dollar sign, since it's a Harbor bot) docker login --username '${value OCI_REGISTRY_SDP_USERNAME}' --password '${OCI_REGISTRY_SDP_PASSWORD}' '${OCI_REGISTRY_HOSTNAME}' @@ -119,12 +78,9 @@ docker-manifest-list-publish: docker: docker-build docker-publish print-docker-tag: - @echo "${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}:${VERSION}" + @echo "${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}:${VERSION}" helm-publish: - # Push to Nexus - curl --fail -u "github:${NEXUS_PASSWORD}" --upload-file "${HELM_CHART_ARTIFACT}" "${HELM_REPO}/" - # Push to Harbor # We need to use "value" here to prevent the variable from being recursively expanded by make (username contains a dollar sign, since it's a Harbor bot) helm registry login --username '${value OCI_REGISTRY_SDP_CHARTS_USERNAME}' --password '${OCI_REGISTRY_SDP_CHARTS_PASSWORD}' '${OCI_REGISTRY_HOSTNAME}' @@ -170,7 +126,6 @@ chart-lint: compile-chart clean: chart-clean cargo clean - docker rmi --force "${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}:${VERSION}" docker rmi --force '${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}:${VERSION}' regenerate-charts: chart-clean compile-chart diff --git a/Tiltfile b/Tiltfile index 73c19bcf..fb84bcc0 100644 --- a/Tiltfile +++ b/Tiltfile 
@@ -1,8 +1,8 @@ # If tilt_options.json exists read it and load the default_registry value from it settings = read_json('tilt_options.json', default={}) -registry = settings.get('default_registry', 'docker.stackable.tech/sandbox') +registry = settings.get('default_registry', 'oci.stackable.tech/sandbox') -# Configure default registry either read from config file above, or with default value of "docker.stackable.tech/sandbox" +# Configure default registry either read from config file above, or with default value of "oci.stackable.tech/sandbox" default_registry(registry) meta = read_json('nix/meta.json') @@ -23,8 +23,8 @@ if os.path.exists('result'): k8s_yaml('result/crds.yaml') # We need to set the correct image annotation on the operator Deployment to use e.g. -# docker.stackable.tech/sandbox/opa-operator:7y19m3d8clwxlv34v5q2x4p7v536s00g instead of -# docker.stackable.tech/sandbox/opa-operator:0.0.0-dev (which does not exist) +# oci.stackable.tech/sandbox/opa-operator:7y19m3d8clwxlv34v5q2x4p7v536s00g instead of +# oci.stackable.tech/sandbox/opa-operator:0.0.0-dev (which does not exist) k8s_kind('Deployment', image_json_path='{.spec.template.metadata.annotations.internal\\.stackable\\.tech/image}') # Exclude stale CRDs from Helm chart, and apply the rest diff --git a/default.nix b/default.nix index 4932cb85..263d8193 100644 --- a/default.nix +++ b/default.nix @@ -40,7 +40,7 @@ }; } , meta ? pkgs.lib.importJSON ./nix/meta.json -, dockerName ? "docker.stackable.tech/sandbox/${meta.operator.name}" +, dockerName ? "oci.stackable.tech/sandbox/${meta.operator.name}" , dockerTag ? null }: rec { diff --git a/deploy/helm/opa-operator/values.yaml b/deploy/helm/opa-operator/values.yaml index b90b2af4..83773cd1 100644 --- a/deploy/helm/opa-operator/values.yaml +++ b/deploy/helm/opa-operator/values.yaml 
@@ -1,7 +1,7 @@ # Default values for opa-operator. --- image: - repository: docker.stackable.tech/stackable/opa-operator + repository: oci.stackable.tech/sdp/opa-operator pullPolicy: IfNotPresent pullSecrets: [] diff --git a/docs/modules/opa/pages/reference/environment-variables.adoc b/docs/modules/opa/pages/reference/environment-variables.adoc index a21f99f5..2e664f44 100644 --- a/docs/modules/opa/pages/reference/environment-variables.adoc +++ b/docs/modules/opa/pages/reference/environment-variables.adoc @@ -30,7 +30,7 @@ docker run \ --env KUBECONFIG=/home/stackable/.kube/config \ --env KUBERNETES_CLUSTER_DOMAIN=mycluster.local \ --mount type=bind,source="$HOME/.kube/config",target="/home/stackable/.kube/config" \ -docker.stackable.tech/stackable/opa-operator:latest +oci.stackable.tech/sdp/opa-operator:latest ---- == PRODUCT_CONFIG @@ -56,7 +56,7 @@ docker run \ --env KUBECONFIG=/home/stackable/.kube/config \ --env PRODUCT_CONFIG=/my/product/config.yaml \ --mount type=bind,source="$HOME/.kube/config",target="/home/stackable/.kube/config" \ - docker.stackable.tech/stackable/opa-operator:latest + oci.stackable.tech/sdp/opa-operator:latest ---- == WATCH_NAMESPACE @@ -85,7 +85,7 @@ docker run \ --env KUBECONFIG=/home/stackable/.kube/config \ --env WATCH_NAMESPACE=test \ --mount type=bind,source="$HOME/.kube/config",target="/home/stackable/.kube/config" \ -docker.stackable.tech/stackable/opa-operator:latest +oci.stackable.tech/sdp/opa-operator:latest ---- == OPA_BUNDLE_BUILDER_CLUSTERROLE diff --git a/tests/templates/kuttl/aas-user-info/20-install-test-regorule.yaml b/tests/templates/kuttl/aas-user-info/20-install-test-regorule.yaml index 2647cf23..8d58df98 100644 --- a/tests/templates/kuttl/aas-user-info/20-install-test-regorule.yaml +++ b/tests/templates/kuttl/aas-user-info/20-install-test-regorule.yaml 
@@ -18,7 +18,7 @@ spec: serviceAccountName: test-sa containers: - name: test-regorule - image: docker.stackable.tech/stackable/testing-tools:0.2.0-stackable0.0.0-dev + image: oci.stackable.tech/sdp/testing-tools:0.2.0-stackable0.0.0-dev stdin: true tty: true resources: diff --git a/tests/templates/kuttl/keycloak-user-info/20-install-test-regorule.yaml b/tests/templates/kuttl/keycloak-user-info/20-install-test-regorule.yaml index f6770ed2..816f6148 100644 --- a/tests/templates/kuttl/keycloak-user-info/20-install-test-regorule.yaml +++ b/tests/templates/kuttl/keycloak-user-info/20-install-test-regorule.yaml @@ -17,7 +17,7 @@ spec: spec: containers: - name: test-regorule - image: docker.stackable.tech/stackable/testing-tools:0.2.0-stackable0.0.0-dev + image: oci.stackable.tech/sdp/testing-tools:0.2.0-stackable0.0.0-dev stdin: true tty: true resources: diff --git a/tests/templates/kuttl/logging/03-install-opa.yaml.j2 b/tests/templates/kuttl/logging/03-install-opa.yaml.j2 index 528c57ef..89c66041 100644 --- a/tests/templates/kuttl/logging/03-install-opa.yaml.j2 +++ b/tests/templates/kuttl/logging/03-install-opa.yaml.j2 @@ -72,7 +72,7 @@ spec: spec: initContainers: - name: create-opa-log-dir - image: docker.stackable.tech/stackable/testing-tools:0.2.0-stackable0.0.0-dev + image: oci.stackable.tech/sdp/testing-tools:0.2.0-stackable0.0.0-dev # Create the log directory for the opa container upfront # to avoid a race condition between the opa and the # vector container. If the vector container is diff --git a/tests/templates/kuttl/logging/04-install-opa-test-runner.yaml b/tests/templates/kuttl/logging/04-install-opa-test-runner.yaml index ab1c2975..493f6eaf 100644 --- a/tests/templates/kuttl/logging/04-install-opa-test-runner.yaml +++ b/tests/templates/kuttl/logging/04-install-opa-test-runner.yaml 
@@ -44,6 +44,6 @@ spec: serviceAccountName: logging-sa containers: - name: opa-test-runner - image: docker.stackable.tech/stackable/testing-tools:0.2.0-stackable0.0.0-dev + image: oci.stackable.tech/sdp/testing-tools:0.2.0-stackable0.0.0-dev stdin: true tty: true diff --git a/tests/templates/kuttl/smoke/20-install-test-regorule.yaml b/tests/templates/kuttl/smoke/20-install-test-regorule.yaml index f6770ed2..816f6148 100644 --- a/tests/templates/kuttl/smoke/20-install-test-regorule.yaml +++ b/tests/templates/kuttl/smoke/20-install-test-regorule.yaml @@ -17,7 +17,7 @@ spec: spec: containers: - name: test-regorule - image: docker.stackable.tech/stackable/testing-tools:0.2.0-stackable0.0.0-dev + image: oci.stackable.tech/sdp/testing-tools:0.2.0-stackable0.0.0-dev stdin: true tty: true resources: diff --git a/tests/test-definition.yaml b/tests/test-definition.yaml index 0ec62395..38a929eb 100644 --- a/tests/test-definition.yaml +++ b/tests/test-definition.yaml @@ -3,12 +3,12 @@ dimensions: - name: opa values: # To use a custom image, add a comma and the full name after the product version - - 0.67.1,docker.stackable.tech/stackable/opa:0.67.1-stackable0.0.0-dev - - 0.66.0,docker.stackable.tech/stackable/opa:0.66.0-stackable0.0.0-dev + - 0.67.1,oci.stackable.tech/sdp/opa:0.67.1-stackable0.0.0-dev + - 0.66.0,oci.stackable.tech/sdp/opa:0.66.0-stackable0.0.0-dev - name: opa-latest values: # To use a custom image, add a comma and the full name after the product version - - 0.67.1,docker.stackable.tech/stackable/opa:0.67.1-stackable0.0.0-dev + - 0.67.1,oci.stackable.tech/sdp/opa:0.67.1-stackable0.0.0-dev - name: keycloak values: - 23.0.1 From 93919f6e8047efa98a302b3c45c7d286aaffc854 Mon Sep 17 00:00:00 2001 From: Andrew Kenworthy Date: Fri, 10 Jan 2025 12:54:30 +0100 Subject: [PATCH 2/8] re-add nexus actions --- Makefile | 49 +++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 47 insertions(+), 2 deletions(-) 
diff --git a/Makefile b/Makefile
index 3a737b3e..9036c41c 100644
--- a/Makefile
+++ b/Makefile
@@ -14,10 +14,13 @@ OPERATOR_NAME := opa-operator
 VERSION := $(shell cargo metadata --format-version 1 | jq -r '.packages[] | select(.name=="stackable-${OPERATOR_NAME}") | .version')
 ARCH := $(shell uname -m | sed -e 's#x86_64#amd64#' | sed -e 's#aarch64#arm64#')
+DOCKER_REPO := docker.stackable.tech
+ORGANIZATION := stackable
 OCI_REGISTRY_HOSTNAME := oci.stackable.tech
 OCI_REGISTRY_PROJECT_IMAGES := sdp
 OCI_REGISTRY_PROJECT_CHARTS := sdp-charts
-
+# This will be overwritten by an environmental variable if called from the github action
+HELM_REPO := https://repo.stackable.tech/repository/helm-dev
 HELM_CHART_NAME := ${OPERATOR_NAME}
 HELM_CHART_ARTIFACT := target/helm/${OPERATOR_NAME}-${VERSION}.tgz
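Review bot: The comment above `HELM_REPO` says the value is overwritten by an environment variable, but a makefile `:=` assignment wins over a same-named variable from the environment unless make is run with `-e` or the value is passed on the command line (`make HELM_REPO=...`). If the GitHub action only exports `HELM_REPO`, every chart upload silently goes to the hard-coded helm-dev repository. `HELM_REPO ?= https://repo.stackable.tech/repository/helm-dev` honours the environment in both cases and keeps the comment accurate; whether the action passes the value as an argument or via the environment is not visible in this diff.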
@@ -31,9 +34,35 @@ render-docs:
 ## Docker related targets
 docker-build:
- docker build --force-rm --build-arg VERSION=${VERSION} -t "${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}:${VERSION}-${ARCH}" -f docker/Dockerfile .
+ docker build --force-rm --build-arg VERSION=${VERSION} -t "${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}:${VERSION}-${ARCH}" -f docker/Dockerfile .
+ docker tag "${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}:${VERSION}-${ARCH}" "${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}:${VERSION}-${ARCH}"
 docker-publish:
+ # Push to Nexus
+ echo "${NEXUS_PASSWORD}" | docker login --username github --password-stdin "${DOCKER_REPO}"
+ DOCKER_OUTPUT=$$(docker push --all-tags "${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}");\
+ # Obtain the digest of the pushed image from the output of `docker push`, because signing by tag is deprecated and will be removed from cosign in the future\
+ REPO_DIGEST_OF_IMAGE=$$(echo "$$DOCKER_OUTPUT" | awk '/^${VERSION}-${ARCH}: digest: sha256:[0-9a-f]{64} size: [0-9]+$$/ { print $$3 }');\
+ if [ -z "$$REPO_DIGEST_OF_IMAGE" ]; then\
+ echo 'Could not find repo digest for container image: ${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}:${VERSION}-${ARCH}';\
+ exit 1;\
+ fi;\
+ # This generates a signature and publishes it to the registry, next to the image\
+ # Uses the keyless signing flow with Github Actions as identity provider\
+ cosign sign -y "${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}@$$REPO_DIGEST_OF_IMAGE";\
+ # Generate the SBOM for the operator image, this leverages the already generated SBOM for the operator binary by cargo-cyclonedx\
+ syft scan --output cyclonedx-json@1.5=sbom.json --select-catalogers "-cargo-auditable-binary-cataloger,+sbom-cataloger" --scope all-layers --source-name "${OPERATOR_NAME}" --source-version "${VERSION}-${ARCH}" "${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}@$$REPO_DIGEST_OF_IMAGE";\
+ # Determine the PURL for the container image\
+ URLENCODED_REPO_DIGEST_OF_IMAGE=$$(echo "$$REPO_DIGEST_OF_IMAGE" | sed 's/:/%3A/g');\
+ PURL="pkg:oci/${OPERATOR_NAME}@$$URLENCODED_REPO_DIGEST_OF_IMAGE?arch=${ARCH}&repository_url=${DOCKER_REPO}%2F${ORGANIZATION}%2F${OPERATOR_NAME}";\
+ # Get metadata from the image\
+ IMAGE_DESCRIPTION=$$(docker inspect --format='{{.Config.Labels.description}}' "${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}:${VERSION}-${ARCH}");\
+ IMAGE_NAME=$$(docker inspect --format='{{.Config.Labels.name}}' "${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}:${VERSION}-${ARCH}");\
+ # Merge the SBOM with the metadata for the operator\
+ jq -s '{"metadata":{"component":{"description":"'"$$IMAGE_NAME. $$IMAGE_DESCRIPTION"'","supplier":{"name":"Stackable GmbH","url":["https://stackable.tech/"]},"author":"Stackable GmbH","purl":"'"$$PURL"'","publisher":"Stackable GmbH"}}} * .[0]' sbom.json > sbom.merged.json;\
+ # Attest the SBOM to the image\
+ cosign attest -y --predicate sbom.merged.json --type cyclonedx "${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}@$$REPO_DIGEST_OF_IMAGE"
+
 # Push to Harbor
 # We need to use "value" here to prevent the variable from being recursively expanded by make (username contains a dollar sign, since it's a Harbor bot)
 docker login --username '${value OCI_REGISTRY_SDP_USERNAME}' --password '${OCI_REGISTRY_SDP_PASSWORD}' '${OCI_REGISTRY_HOSTNAME}'
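Review bot: The re-added `echo "${NEXUS_PASSWORD}" | docker login --username github --password-stdin "${DOCKER_REPO}"` expands the secret with make, so make's echo of the recipe writes the fully expanded command, password included, to the build output before it runs; no line in this block is `@`-prefixed. Letting the shell expand it instead keeps the value out of the echoed text: `@echo "$$NEXUS_PASSWORD" | docker login --username github --password-stdin "${DOCKER_REPO}"`, which works as long as `NEXUS_PASSWORD` reaches make from the environment or the command line (make then exports it to the recipe shell). The identical login line is re-added in the `docker-manifest-list-publish` hunk below and should change the same way. The pre-existing Harbor `docker login --password '${OCI_REGISTRY_SDP_PASSWORD}'` context line has the same shape but is not part of this change.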
@@ -62,9 +91,21 @@ docker-publish:
 # This assumes "${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}:${VERSION}-amd64 and "${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}:${VERSION}-arm64 are built and pushed
 docker-manifest-list-build:
+ docker manifest create "${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}:${VERSION}" --amend "${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}:${VERSION}-amd64" --amend "${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}:${VERSION}-arm64"
 docker manifest create "${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}:${VERSION}" --amend "${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}:${VERSION}-amd64" --amend "${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}:${VERSION}-arm64"
 docker-manifest-list-publish:
+ # Push to Nexus
+ echo "${NEXUS_PASSWORD}" | docker login --username github --password-stdin "${DOCKER_REPO}"
+ # `docker manifest push` directly returns the digest of the manifest list
+ # As it is an experimental feature, this might change in the future
+ # Further reading: https://docs.docker.com/reference/cli/docker/manifest/push/
+ DIGEST_NEXUS=$$(docker manifest push "${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}:${VERSION}");\
+ # Refer to image via its digest (oci.stackable.tech/sdp/airflow@sha256:0a1b2c...)\
+ # This generates a signature and publishes it to the registry, next to the image\
+ # Uses the keyless signing flow with Github Actions as identity provider\
+ cosign sign -y "${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}:${VERSION}@$$DIGEST_NEXUS"
+
 # Push to Harbor
 # We need to use "value" here to prevent the variable from being recursively expanded by make (username contains a dollar sign, since it's a Harbor bot)
 docker login --username '${value OCI_REGISTRY_SDP_USERNAME}' --password '${OCI_REGISTRY_SDP_PASSWORD}' '${OCI_REGISTRY_HOSTNAME}'
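Review bot: `DIGEST_NEXUS=$$(docker manifest push ...)` is chained with `;\` straight into `cosign sign -y ".../${OPERATOR_NAME}:${VERSION}@$$DIGEST_NEXUS"`, so a failed or empty push does not stop the recipe and cosign is invoked with an empty digest (unless the Makefile sets `-e` in `.SHELLFLAGS` somewhere outside this diff). The `docker-publish` target in this same commit guards its digest with an `if [ -z ... ]; then ...; exit 1; fi` block, so the two targets are inconsistent. Adding `if [ -z "$$DIGEST_NEXUS" ]; then echo 'Could not determine manifest list digest for ${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}:${VERSION}'; exit 1; fi;\` before the `cosign sign` line mirrors that guard. The Harbor half of this target continues outside the hunk and may have the same gap.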
@@ -81,6 +122,9 @@ print-docker-tag:
 @echo "${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}:${VERSION}"
 helm-publish:
+ # Push to Nexus
+ curl --fail -u "github:${NEXUS_PASSWORD}" --upload-file "${HELM_CHART_ARTIFACT}" "${HELM_REPO}/"
+
 # Push to Harbor
 # We need to use "value" here to prevent the variable from being recursively expanded by make (username contains a dollar sign, since it's a Harbor bot)
 helm registry login --username '${value OCI_REGISTRY_SDP_CHARTS_USERNAME}' --password '${OCI_REGISTRY_SDP_CHARTS_PASSWORD}' '${OCI_REGISTRY_HOSTNAME}'
@@ -126,6 +170,7 @@ chart-lint: compile-chart
 clean: chart-clean
 cargo clean
+ docker rmi --force "${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}:${VERSION}"
 docker rmi --force '${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}:${VERSION}'
 regenerate-charts: chart-clean compile-chart
From 84fc85ef51a0079a244886df2e12736343dacaea Mon Sep 17 00:00:00 2001
From: Andrew Kenworthy
Date: Fri, 17 Jan 2025 10:32:16 +0100
Subject: [PATCH 3/8] remove changes that will be suppliedm by templating
---
 Makefile | 4 ++--
 Tiltfile | 8 ++++----
 default.nix | 2 +-
 3 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/Makefile b/Makefile
index 9036c41c..541424f7 100644
--- a/Makefile
+++ b/Makefile
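Review bot: `curl --fail -u "github:${NEXUS_PASSWORD}" ...` in the `helm-publish` hunk places the credential in curl's argument vector, where it appears both in make's echo of the recipe and in the runner's process list for the duration of the upload. Feeding it to curl as a config file on stdin avoids both: `@printf 'user = "github:%s"\n' "$$NEXUS_PASSWORD" | curl --fail -K - --upload-file "${HELM_CHART_ARTIFACT}" "${HELM_REPO}/"` (`-K -` reads curl's config from stdin; `printf` is a shell builtin, so the value is never an argv entry; apply curl's config-file quoting if the password can contain a double quote or backslash). This assumes `NEXUS_PASSWORD` reaches make from the environment or the command line so that make exports it to the recipe shell. The Harbor `helm registry login --password '${OCI_REGISTRY_SDP_CHARTS_PASSWORD}'` context line is pre-existing and unchanged here.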
@@ -89,7 +89,7 @@ docker-publish: # Attest the SBOM to the image\ cosign attest -y --predicate sbom.merged.json --type cyclonedx "${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}@$$REPO_DIGEST_OF_IMAGE" -# This assumes "${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}:${VERSION}-amd64 and "${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}:${VERSION}-arm64 are built and pushed +# This assumes "${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}:${VERSION}-amd64 and "${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}:${VERSION}-arm64 are build and pushed docker-manifest-list-build: docker manifest create "${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}:${VERSION}" --amend "${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}:${VERSION}-amd64" --amend "${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}:${VERSION}-arm64" docker manifest create "${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}:${VERSION}" --amend "${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}:${VERSION}-amd64" --amend "${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}:${VERSION}-arm64" @@ -119,7 +119,7 @@ docker-manifest-list-publish: docker: docker-build docker-publish print-docker-tag: - @echo "${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}:${VERSION}" + @echo "${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}:${VERSION}" helm-publish: # Push to Nexus diff --git a/Tiltfile b/Tiltfile index fb84bcc0..73c19bcf 100644 --- a/Tiltfile +++ b/Tiltfile 
@@ -1,8 +1,8 @@ # If tilt_options.json exists read it and load the default_registry value from it settings = read_json('tilt_options.json', default={}) -registry = settings.get('default_registry', 'oci.stackable.tech/sandbox') +registry = settings.get('default_registry', 'docker.stackable.tech/sandbox') -# Configure default registry either read from config file above, or with default value of "oci.stackable.tech/sandbox" +# Configure default registry either read from config file above, or with default value of "docker.stackable.tech/sandbox" default_registry(registry) meta = read_json('nix/meta.json') @@ -23,8 +23,8 @@ if os.path.exists('result'): k8s_yaml('result/crds.yaml') # We need to set the correct image annotation on the operator Deployment to use e.g. -# oci.stackable.tech/sandbox/opa-operator:7y19m3d8clwxlv34v5q2x4p7v536s00g instead of -# oci.stackable.tech/sandbox/opa-operator:0.0.0-dev (which does not exist) +# docker.stackable.tech/sandbox/opa-operator:7y19m3d8clwxlv34v5q2x4p7v536s00g instead of +# docker.stackable.tech/sandbox/opa-operator:0.0.0-dev (which does not exist) k8s_kind('Deployment', image_json_path='{.spec.template.metadata.annotations.internal\\.stackable\\.tech/image}') # Exclude stale CRDs from Helm chart, and apply the rest diff --git a/default.nix b/default.nix index 263d8193..4932cb85 100644 --- a/default.nix +++ b/default.nix @@ -40,7 +40,7 @@ }; } , meta ? pkgs.lib.importJSON ./nix/meta.json -, dockerName ? "oci.stackable.tech/sandbox/${meta.operator.name}" +, dockerName ? "docker.stackable.tech/sandbox/${meta.operator.name}" , dockerTag ? null }: rec { From c994e05f247b8a3bed3720fb1a310cf654f06bc3 Mon Sep 17 00:00:00 2001 From: Andrew Kenworthy Date: Fri, 17 Jan 2025 12:48:14 +0100 Subject: [PATCH 4/8] replace latest with 0.0.0-dev in harbor --- docs/modules/opa/pages/reference/environment-variables.adoc | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/docs/modules/opa/pages/reference/environment-variables.adoc b/docs/modules/opa/pages/reference/environment-variables.adoc index 2e664f44..06a7c036 100644 --- a/docs/modules/opa/pages/reference/environment-variables.adoc +++ b/docs/modules/opa/pages/reference/environment-variables.adoc @@ -30,7 +30,7 @@ docker run \ --env KUBECONFIG=/home/stackable/.kube/config \ --env KUBERNETES_CLUSTER_DOMAIN=mycluster.local \ --mount type=bind,source="$HOME/.kube/config",target="/home/stackable/.kube/config" \ -oci.stackable.tech/sdp/opa-operator:latest +oci.stackable.tech/sdp/opa-operator:0.0.0-dev ---- == PRODUCT_CONFIG @@ -56,7 +56,7 @@ docker run \ --env KUBECONFIG=/home/stackable/.kube/config \ --env PRODUCT_CONFIG=/my/product/config.yaml \ --mount type=bind,source="$HOME/.kube/config",target="/home/stackable/.kube/config" \ - oci.stackable.tech/sdp/opa-operator:latest + oci.stackable.tech/sdp/opa-operator:0.0.0-dev ---- == WATCH_NAMESPACE @@ -85,7 +85,7 @@ docker run \ --env KUBECONFIG=/home/stackable/.kube/config \ --env WATCH_NAMESPACE=test \ --mount type=bind,source="$HOME/.kube/config",target="/home/stackable/.kube/config" \ -oci.stackable.tech/sdp/opa-operator:latest +oci.stackable.tech/sdp/opa-operator:0.0.0-dev ---- == OPA_BUNDLE_BUILDER_CLUSTERROLE From aa42cfa7471c06506002cd59a4aedbb68528d606 Mon Sep 17 00:00:00 2001 From: Andrew Kenworthy Date: Wed, 29 Jan 2025 12:42:42 +0100 Subject: [PATCH 5/8] bump op-rs to 0.85 --- Cargo.lock | 8 ++++---- Cargo.nix | 14 +++++++------- Cargo.toml | 2 +- crate-hashes.json | 6 +++--- deploy/helm/opa-operator/crds/crds.yaml | 4 ++-- tests/test-definition.yaml | 4 ++-- 6 files changed, 19 insertions(+), 19 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 3573fc52..4b8b64fb 100644 --- a/Cargo.lock +++ b/Cargo.lock 
@@ -2935,8 +2935,8 @@ dependencies = [ [[package]] name = "stackable-operator" -version = "0.84.1" -source = "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.84.1#b8fe43f7368249bf95b06d6cba3fd0135f7523ac" +version = "0.85.0" +source = "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.85.0#59506c6202778889a27b6ae8153457e60a49c68d" dependencies = [ "chrono", "clap", @@ -2974,7 +2974,7 @@ dependencies = [ [[package]] name = "stackable-operator-derive" version = "0.3.1" -source = "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.84.1#b8fe43f7368249bf95b06d6cba3fd0135f7523ac" +source = "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.85.0#59506c6202778889a27b6ae8153457e60a49c68d" dependencies = [ "darling", "proc-macro2", @@ -2985,7 +2985,7 @@ dependencies = [ [[package]] name = "stackable-shared" version = "0.0.1" -source = "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.84.1#b8fe43f7368249bf95b06d6cba3fd0135f7523ac" +source = "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.85.0#59506c6202778889a27b6ae8153457e60a49c68d" dependencies = [ "kube", "semver", diff --git a/Cargo.nix b/Cargo.nix index e4d81848..f8117b10 100644 --- a/Cargo.nix +++ b/Cargo.nix @@ -9522,13 +9522,13 @@ rec { }; "stackable-operator" = rec { crateName = "stackable-operator"; - version = "0.84.1"; + version = "0.85.0"; edition = "2021"; workspace_member = null; src = pkgs.fetchgit { url = "https://github.com/stackabletech/operator-rs.git"; - rev = "b8fe43f7368249bf95b06d6cba3fd0135f7523ac"; - sha256 = "0vwq3dzxj56y4vrnw4ry7wajm12f32jipvc6f3izdrixy2pazq3i"; + rev = "59506c6202778889a27b6ae8153457e60a49c68d"; + sha256 = "0rh476rmn5850yj85hq8znwmlfhd7l5bkxz0n5i9m4cddxhi2cl5"; }; libName = "stackable_operator"; authors = [ 
@@ -9687,8 +9687,8 @@ rec { workspace_member = null; src = pkgs.fetchgit { url = "https://github.com/stackabletech/operator-rs.git"; - rev = "b8fe43f7368249bf95b06d6cba3fd0135f7523ac"; - sha256 = "0vwq3dzxj56y4vrnw4ry7wajm12f32jipvc6f3izdrixy2pazq3i"; + rev = "59506c6202778889a27b6ae8153457e60a49c68d"; + sha256 = "0rh476rmn5850yj85hq8znwmlfhd7l5bkxz0n5i9m4cddxhi2cl5"; }; procMacro = true; libName = "stackable_operator_derive"; @@ -9722,8 +9722,8 @@ rec { workspace_member = null; src = pkgs.fetchgit { url = "https://github.com/stackabletech/operator-rs.git"; - rev = "b8fe43f7368249bf95b06d6cba3fd0135f7523ac"; - sha256 = "0vwq3dzxj56y4vrnw4ry7wajm12f32jipvc6f3izdrixy2pazq3i"; + rev = "59506c6202778889a27b6ae8153457e60a49c68d"; + sha256 = "0rh476rmn5850yj85hq8znwmlfhd7l5bkxz0n5i9m4cddxhi2cl5"; }; libName = "stackable_shared"; authors = [ diff --git a/Cargo.toml b/Cargo.toml index af680dbc..6ad10256 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -33,7 +33,7 @@ semver = "1.0" serde = { version = "1.0", features = ["derive"] } serde_json = "1.0" snafu = "0.8" -stackable-operator = { git = "https://github.com/stackabletech/operator-rs.git", tag = "stackable-operator-0.84.1" } +stackable-operator = { git = "https://github.com/stackabletech/operator-rs.git", tag = "stackable-operator-0.85.0" } strum = { version = "0.26", features = ["derive"] } tar = "0.4" tokio = { version = "1.40", features = ["full"] } diff --git a/crate-hashes.json b/crate-hashes.json index a0346ddb..290d87f2 100644 --- a/crate-hashes.json +++ b/crate-hashes.json 
@@ -1,6 +1,6 @@ { - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.84.1#stackable-operator-derive@0.3.1": "0vwq3dzxj56y4vrnw4ry7wajm12f32jipvc6f3izdrixy2pazq3i", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.84.1#stackable-operator@0.84.1": "0vwq3dzxj56y4vrnw4ry7wajm12f32jipvc6f3izdrixy2pazq3i", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.84.1#stackable-shared@0.0.1": "0vwq3dzxj56y4vrnw4ry7wajm12f32jipvc6f3izdrixy2pazq3i", + "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.85.0#stackable-operator-derive@0.3.1": "0rh476rmn5850yj85hq8znwmlfhd7l5bkxz0n5i9m4cddxhi2cl5", + "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.85.0#stackable-operator@0.85.0": "0rh476rmn5850yj85hq8znwmlfhd7l5bkxz0n5i9m4cddxhi2cl5", + "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.85.0#stackable-shared@0.0.1": "0rh476rmn5850yj85hq8znwmlfhd7l5bkxz0n5i9m4cddxhi2cl5", "git+https://github.com/stackabletech/product-config.git?tag=0.7.0#product-config@0.7.0": "0gjsm80g6r75pm3824dcyiz4ysq1ka4c1if6k1mjm9cnd5ym0gny" } \ No newline at end of file diff --git a/deploy/helm/opa-operator/crds/crds.yaml b/deploy/helm/opa-operator/crds/crds.yaml index aca62fda..59bf7630 100644 --- a/deploy/helm/opa-operator/crds/crds.yaml +++ b/deploy/helm/opa-operator/crds/crds.yaml @@ -265,7 +265,7 @@ spec: description: The OPA image to use properties: custom: - description: Overwrite the docker image. Specify the full docker image name, e.g. `docker.stackable.tech/stackable/superset:1.4.1-stackable2.1.0` + description: Overwrite the docker image. Specify the full docker image name, e.g. `oci.stackable.tech/sdp/superset:1.4.1-stackable2.1.0` type: string productVersion: description: Version of the product, e.g. `1.4.1`. 
@@ -292,7 +292,7 @@ spec:
 nullable: true
 type: array
 repo:
- description: Name of the docker repo, e.g. `docker.stackable.tech/stackable`
+ description: Name of the docker repo, e.g. `oci.stackable.tech/sdp`
 nullable: true
 type: string
 stackableVersion:
diff --git a/tests/test-definition.yaml b/tests/test-definition.yaml
index 99442546..38ebe400 100644
--- a/tests/test-definition.yaml
+++ b/tests/test-definition.yaml
@@ -3,12 +3,12 @@ dimensions:
 - name: opa
 values:
 # To use a custom image, add a comma and the full name after the product version
- - 0.67.1,oci.stackable.tech/sdp/opa:0.67.1-stackable0.0.0-dev
+ - 0.67.1
 - 1.0.0
 - name: opa-latest
 values:
 # To use a custom image, add a comma and the full name after the product version
- - 0.67.1,oci.stackable.tech/sdp/opa:0.67.1-stackable0.0.0-dev
+ - 0.67.1
 - 1.0.0
 - name: keycloak
 values:
From 6b3d1b2fa8440eff6968f9d0afe35adfa5649e26 Mon Sep 17 00:00:00 2001
From: Andrew Kenworthy
Date: Wed, 29 Jan 2025 13:22:20 +0100
Subject: [PATCH 6/8] minor test def change
---
 tests/test-definition.yaml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/tests/test-definition.yaml b/tests/test-definition.yaml
index 38ebe400..4c388cd7 100644
--- a/tests/test-definition.yaml
+++ b/tests/test-definition.yaml
@@ -3,11 +3,13 @@ dimensions:
 - name: opa
 values:
 # To use a custom image, add a comma and the full name after the product version
+ # 0.67.1,oci.stackable.tech/sdp/opa:0.67.1-stackable0.0.0-dev
 - 0.67.1
 - 1.0.0
 - name: opa-latest
 values:
 # To use a custom image, add a comma and the full name after the product version
+ # 0.67.1,oci.stackable.tech/sdp/opa:0.67.1-stackable0.0.0-dev
 - 0.67.1
 - 1.0.0
 - name: keycloak
From 9df8b687c8a5c031c8d51184c9a8a7d485bbafb1 Mon Sep 17 00:00:00 2001
From: Andrew Kenworthy
Date: Wed, 29 Jan 2025 13:23:09 +0100
Subject: [PATCH 7/8] minor test def change II
---
 tests/test-definition.yaml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/tests/test-definition.yaml b/tests/test-definition.yaml
index 4c388cd7..5bd30729 100644
--- a/tests/test-definition.yaml
+++ b/tests/test-definition.yaml
@@ -10,7 +10,6 @@ dimensions:
 values:
 # To use a custom image, add a comma and the full name after the product version
 # 0.67.1,oci.stackable.tech/sdp/opa:0.67.1-stackable0.0.0-dev
- - 0.67.1
 - 1.0.0
 - name: keycloak
 values:
From 2398ef533f8c68951c7f951edcbc271e62524e82 Mon Sep 17 00:00:00 2001
From: Andrew Kenworthy
Date: Wed, 29 Jan 2025 13:36:21 +0100
Subject: [PATCH 8/8] changelog
---
 CHANGELOG.md | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3a7ab414..cbb150bb 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -14,8 +14,13 @@ All notable changes to this project will be documented in this file.
 - Removed support for OPA `0.66.0` ([#677]).
+### Changed
+
+- Default to OCI for image metadata and product image selection ([#671]).
+
 [#666]: https://github.com/stackabletech/opa-operator/pull/666
 [#677]: https://github.com/stackabletech/opa-operator/pull/677
+[#671]: https://github.com/stackabletech/opa-operator/pull/671
 [#675]: https://github.com/stackabletech/opa-operator/pull/675
 ## [24.11.1] - 2025-01-10
