diff --git a/.tekton/backfill-redis-1-0-gamma-pull-request.yaml b/.tekton/backfill-redis-pull-request.yaml
similarity index 97%
rename from .tekton/backfill-redis-1-0-gamma-pull-request.yaml
rename to .tekton/backfill-redis-pull-request.yaml
index 57575ad33..886a11cfc 100644
--- a/.tekton/backfill-redis-1-0-gamma-pull-request.yaml
+++ b/.tekton/backfill-redis-pull-request.yaml
@@ -8,24 +8,24 @@ metadata:
 build.appstudio.redhat.com/target_branch: '{{target_branch}}'
 pipelinesascode.tekton.dev/max-keep-runs: "3"
 pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && target_branch
- == "redhat-v1.3"
+ == "main"
 creationTimestamp: null
 labels:
- appstudio.openshift.io/application: rekor-1-0-gamma
- appstudio.openshift.io/component: backfill-redis-1-0-gamma
+ appstudio.openshift.io/application: rekor
+ appstudio.openshift.io/component: backfill-redis
 pipelines.appstudio.openshift.io/type: build
- name: backfill-redis-1-0-gamma-on-pull-request
+ name: backfill-redis-on-pull-request
 namespace: rhtas-tenant
 spec:
 params:
 - name: dockerfile
- value: Dockerfile.backfill-redis
+ value: Dockerfile.backfill-redis.rh
 - name: git-url
 value: '{{repo_url}}'
 - name: image-expires-after
 value: 5d
 - name: output-image
- value: quay.io/redhat-user-workloads/rhtas-tenant/rekor-1-0-gamma/backfill-redis-1-0-gamma:on-pr-{{revision}}
+ value: quay.io/redhat-user-workloads/rhtas-tenant/rekor/backfill-redis:on-pr-{{revision}}
 - name: path-context
 value: .
 - name: revision
diff --git a/.tekton/rekor-server-1-0-gamma-push.yaml b/.tekton/backfill-redis-push.yaml
similarity index 97%
rename from .tekton/rekor-server-1-0-gamma-push.yaml
rename to .tekton/backfill-redis-push.yaml
index ccd773cbf..cc5ecf315 100644
--- a/.tekton/rekor-server-1-0-gamma-push.yaml
+++ b/.tekton/backfill-redis-push.yaml
@@ -7,22 +7,22 @@ metadata:
 build.appstudio.redhat.com/target_branch: '{{target_branch}}'
 pipelinesascode.tekton.dev/max-keep-runs: "3"
 pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch
- == "redhat-v1.3"
+ == "main"
 creationTimestamp: null
 labels:
- appstudio.openshift.io/application: rekor-1-0-gamma
- appstudio.openshift.io/component: rekor-server-1-0-gamma
+ appstudio.openshift.io/application: rekor
+ appstudio.openshift.io/component: backfill-redis
 pipelines.appstudio.openshift.io/type: build
- name: rekor-server-1-0-gamma-on-push
+ name: backfill-redis-on-push
 namespace: rhtas-tenant
 spec:
 params:
 - name: dockerfile
- value: Dockerfile
+ value: Dockerfile.backfill-redis.rh
 - name: git-url
 value: '{{repo_url}}'
 - name: output-image
- value: quay.io/redhat-user-workloads/rhtas-tenant/rekor-1-0-gamma/rekor-server-1-0-gamma:{{revision}}
+ value: quay.io/redhat-user-workloads/rhtas-tenant/rekor/backfill-redis:{{revision}}
 - name: path-context
 value: .
 - name: revision
diff --git a/.tekton/rekor-cli-1-3-pull-request.yaml b/.tekton/rekor-cli-pull-request.yaml
similarity index 97%
rename from .tekton/rekor-cli-1-3-pull-request.yaml
rename to .tekton/rekor-cli-pull-request.yaml
index da4fc8e75..684faa206 100644
--- a/.tekton/rekor-cli-1-3-pull-request.yaml
+++ b/.tekton/rekor-cli-pull-request.yaml
@@ -8,24 +8,24 @@ metadata:
 build.appstudio.redhat.com/target_branch: '{{target_branch}}'
 pipelinesascode.tekton.dev/max-keep-runs: "3"
 pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && target_branch
- == "redhat-v1.3"
+ == "main"
 creationTimestamp: null
 labels:
- appstudio.openshift.io/application: cli-1-0-gamma
- appstudio.openshift.io/component: rekor-cli-1-3
+ appstudio.openshift.io/application: rekor
+ appstudio.openshift.io/component: rekor-cli
 pipelines.appstudio.openshift.io/type: build
- name: rekor-cli-1-3-on-pull-request
+ name: rekor-cli-on-pull-request
 namespace: rhtas-tenant
 spec:
 params:
 - name: dockerfile
- value: Dockerfile.cli
+ value: Dockerfile.rekor-cli.rh
 - name: git-url
 value: '{{repo_url}}'
 - name: image-expires-after
 value: 5d
 - name: output-image
- value: quay.io/redhat-user-workloads/rhtas-tenant/cli-1-0-gamma/rekor-cli-1-3:on-pr-{{revision}}
+ value: quay.io/redhat-user-workloads/rhtas-tenant/rekor/rekor-cli:on-pr-{{revision}}
 - name: path-context
 value: .
 - name: revision
diff --git a/.tekton/rekor-cli-1-3-push.yaml b/.tekton/rekor-cli-push.yaml
similarity index 97%
rename from .tekton/rekor-cli-1-3-push.yaml
rename to .tekton/rekor-cli-push.yaml
index e1bfa54d2..593eca8d3 100644
--- a/.tekton/rekor-cli-1-3-push.yaml
+++ b/.tekton/rekor-cli-push.yaml
@@ -7,22 +7,22 @@ metadata:
 build.appstudio.redhat.com/target_branch: '{{target_branch}}'
 pipelinesascode.tekton.dev/max-keep-runs: "3"
 pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch
- == "redhat-v1.3"
+ == "main"
 creationTimestamp: null
 labels:
- appstudio.openshift.io/application: cli-1-0-gamma
- appstudio.openshift.io/component: rekor-cli-1-3
+ appstudio.openshift.io/application: rekor
+ appstudio.openshift.io/component: rekor-cli
 pipelines.appstudio.openshift.io/type: build
- name: rekor-cli-1-3-on-push
+ name: rekor-cli-on-push
 namespace: rhtas-tenant
 spec:
 params:
 - name: dockerfile
- value: Dockerfile.cli
+ value: Dockerfile.rekor-cli.rh
 - name: git-url
 value: '{{repo_url}}'
 - name: output-image
- value: quay.io/redhat-user-workloads/rhtas-tenant/cli-1-0-gamma/rekor-cli-1-3:{{revision}}
+ value: quay.io/redhat-user-workloads/rhtas-tenant/rekor/rekor-cli:{{revision}}
 - name: path-context
 value: .
 - name: revision
diff --git a/.tekton/rekor-server-1-0-gamma-pull-request.yaml b/.tekton/rekor-server-pull-request.yaml
similarity index 97%
rename from .tekton/rekor-server-1-0-gamma-pull-request.yaml
rename to .tekton/rekor-server-pull-request.yaml
index f810052aa..c0323d632 100644
--- a/.tekton/rekor-server-1-0-gamma-pull-request.yaml
+++ b/.tekton/rekor-server-pull-request.yaml
@@ -8,24 +8,24 @@ metadata:
 build.appstudio.redhat.com/target_branch: '{{target_branch}}'
 pipelinesascode.tekton.dev/max-keep-runs: "3"
 pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && target_branch
- == "redhat-v1.3"
+ == "main"
 creationTimestamp: null
 labels:
- appstudio.openshift.io/application: rekor-1-0-gamma
- appstudio.openshift.io/component: rekor-server-1-0-gamma
+ appstudio.openshift.io/application: rekor
+ appstudio.openshift.io/component: rekor-server
 pipelines.appstudio.openshift.io/type: build
- name: rekor-server-1-0-gamma-on-pull-request
+ name: rekor-server-on-pull-request
 namespace: rhtas-tenant
 spec:
 params:
 - name: dockerfile
- value: Dockerfile
+ value: Dockerfile.rekor-server.rh
 - name: git-url
 value: '{{repo_url}}'
 - name: image-expires-after
 value: 5d
 - name: output-image
- value: quay.io/redhat-user-workloads/rhtas-tenant/rekor-1-0-gamma/rekor-server-1-0-gamma:on-pr-{{revision}}
+ value: quay.io/redhat-user-workloads/rhtas-tenant/rekor/rekor-server:on-pr-{{revision}}
 - name: path-context
 value: .
 - name: revision
diff --git a/.tekton/backfill-redis-1-0-gamma-push.yaml b/.tekton/rekor-server-push.yaml
similarity index 97%
rename from .tekton/backfill-redis-1-0-gamma-push.yaml
rename to .tekton/rekor-server-push.yaml
index 6d4db5ff0..842020ce4 100644
--- a/.tekton/backfill-redis-1-0-gamma-push.yaml
+++ b/.tekton/rekor-server-push.yaml
@@ -7,22 +7,22 @@ metadata:
 build.appstudio.redhat.com/target_branch: '{{target_branch}}'
 pipelinesascode.tekton.dev/max-keep-runs: "3"
 pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch
- == "redhat-v1.3"
+ == "main"
 creationTimestamp: null
 labels:
- appstudio.openshift.io/application: rekor-1-0-gamma
- appstudio.openshift.io/component: backfill-redis-1-0-gamma
+ appstudio.openshift.io/application: rekor
+ appstudio.openshift.io/component: rekor-server
 pipelines.appstudio.openshift.io/type: build
- name: backfill-redis-1-0-gamma-on-push
+ name: rekor-server-on-push
 namespace: rhtas-tenant
 spec:
 params:
 - name: dockerfile
- value: Dockerfile.backfill-redis
+ value: Dockerfile.rekor-server.rh
 - name: git-url
 value: '{{repo_url}}'
 - name: output-image
- value: quay.io/redhat-user-workloads/rhtas-tenant/rekor-1-0-gamma/backfill-redis-1-0-gamma:{{revision}}
+ value: quay.io/redhat-user-workloads/rhtas-tenant/rekor/rekor-server:{{revision}}
 - name: path-context
 value: .
 - name: revision
diff --git a/Dockerfile b/Dockerfile
index d5ddad4c4..1749ed8b2 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -17,10 +17,9 @@ FROM golang:1.21.6@sha256:7b575fe0d9c2e01553b04d9de8ffea6d35ca3ab3380d2a8db2acc8
 ENV APP_ROOT=/opt/app-root
 ENV GOPATH=$APP_ROOT
 
-
 WORKDIR $APP_ROOT/src/
 ADD go.mod go.sum $APP_ROOT/src/
-RUN CGO_ENABLED=0 go mod download
+RUN go mod download
 
 # Add source code
 ADD ./cmd/ $APP_ROOT/src/cmd/
@@ -41,42 +40,12 @@ COPY --from=builder /opt/app-root/src/rekor-server /usr/local/bin/rekor-server
 CMD ["rekor-server", "serve"]
 
 # debug compile options & debugger
-FROM registry.access.redhat.com/ubi9/go-toolset@sha256:330c52d81d5bde432fb59c4943fcb5143940ceb460f99c1ac8e0a9ea1f8f77e8 as debug
-RUN go install github.com/go-delve/delve/cmd/dlv@v1.8.0
+FROM deploy as debug
+RUN go install github.com/go-delve/delve/cmd/dlv@v1.21.0
 
 # overwrite server and include debugger
-COPY --from=build-env /opt/app-root/src/rekor-server_debug /usr/local/bin/rekor-server
-
-FROM registry.access.redhat.com/ubi9/go-toolset@sha256:330c52d81d5bde432fb59c4943fcb5143940ceb460f99c1ac8e0a9ea1f8f77e8 as test
-
-USER root
-
-# Extract the x86_64 minisign binary to /usr/local/bin/
-RUN curl -LO https://github.com/jedisct1/minisign/releases/download/0.11/minisign-0.11-linux.tar.gz && \
- tar -xzf minisign-0.11-linux.tar.gz minisign-linux/x86_64/minisign -O > /usr/local/bin/minisign && \
- chmod +x /usr/local/bin/minisign && \
- rm minisign-0.11-linux.tar.gz
-
-# Create test directory
-RUN mkdir -p /var/run/attestations && \
- touch /var/run/attestations/attestation.json && \
- chmod 777 /var/run/attestations/attestation.json
+COPY --from=builder /opt/app-root/src/rekor-server_debug /usr/local/bin/rekor-server
+FROM deploy as test
 
 # overwrite server with test build with code coverage
-COPY --from=build-env /opt/app-root/src/rekor-server_test /usr/local/bin/rekor-server
-
-# Multi-Stage production build
-FROM registry.access.redhat.com/ubi9/ubi-minimal@sha256:06d06f15f7b641a78f2512c8817cbecaa1bf549488e273f5ac27ff1654ed33f0 as deploy
-
-LABEL description="Rekor aims to provide an immutable, tamper-resistant ledger of metadata generated within a software project’s supply chain."
-LABEL io.k8s.description="Rekor-Server provides a tamper resistant ledger."
-LABEL io.k8s.display-name="Rekor-Server container image for Red Hat Trusted Signer"
-LABEL io.openshift.tags="rekor-server trusted-signer"
-LABEL summary="Provides the rekor Server binary for running Rekor-Server"
-LABEL com.redhat.component="rekor-server"
-
-# Retrieve the binary from the previous stage
-COPY --from=build-env /opt/app-root/src/rekor-server /usr/local/bin/rekor-server
-
-# Set the binary as the entrypoint of the container
-ENTRYPOINT ["rekor-server"]
\ No newline at end of file
+COPY --from=builder /opt/app-root/src/rekor-server_test /usr/local/bin/rekor-server
\ No newline at end of file
diff --git a/Dockerfile.backfill-redis b/Dockerfile.backfill-redis.rh
similarity index 100%
rename from Dockerfile.backfill-redis
rename to Dockerfile.backfill-redis.rh
diff --git a/Dockerfile.cli b/Dockerfile.rekor-cli.rh
similarity index 100%
rename from Dockerfile.cli
rename to Dockerfile.rekor-cli.rh
diff --git a/Dockerfile.rekor-server.rh b/Dockerfile.rekor-server.rh
new file mode 100644
index 000000000..8cbb0610c
--- /dev/null
+++ b/Dockerfile.rekor-server.rh
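Review bot: The rebased `test` stage (`FROM deploy as test` followed by the final `COPY --from=builder … rekor-server_test`) no longer provides `/usr/local/bin/minisign` or `/var/run/attestations/attestation.json`, which the removed stage created; if any test run against this image still expects those paths it will now fail at runtime instead of at build time, so either re-add that setup here or confirm the tests no longer depend on it. The new `debug` stage runs `RUN go install github.com/go-delve/delve/cmd/dlv@v1.21.0` on top of `deploy`, whose definition sits above this hunk: whether `deploy` ships a Go toolchain and a writable `GOPATH`/`GOBIN` on `PATH` cannot be seen from here, and if it is a minimal runtime image that `RUN` will fail, while if it sets a non-root `USER` the installed `dlv` will land outside `PATH`. Dropping the unverified `curl -LO` fetch and the `chmod 777` from the test stage is a welcome reduction of build-time attack surface, but note that both derived stages now inherit `deploy`'s `CMD` and labels, so they must not be published under the production tag. The file still ends without a trailing newline (`\ No newline at end of file`).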
@@ -0,0 +1,76 @@
+#
+# Copyright 2021 The Sigstore Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_9_1.21@sha256:98a0ff138c536eee98704d6909699ad5d0725a20573e2c510a60ef462b45cce0 AS build-env
+
+RUN mkdir /opt/app-root && mkdir /opt/app-root/src && mkdir /opt/app-root/src/cmd && mkdir /opt/app-root/src/pkg && git config --global --add safe.directory /opt/app-root/src
+
+ENV APP_ROOT=/opt/app-root
+ENV GOPATH=$APP_ROOT
+
+
+WORKDIR $APP_ROOT/src/
+ADD go.mod go.sum $APP_ROOT/src/
+RUN CGO_ENABLED=0 go mod download
+
+# Add source code
+ADD ./cmd/ $APP_ROOT/src/cmd/
+ADD ./pkg/ $APP_ROOT/src/pkg/
+
+ARG SERVER_LDFLAGS
+RUN go build -ldflags "${SERVER_LDFLAGS}" -mod=readonly ./cmd/rekor-server
+RUN CGO_ENABLED=0 go build -gcflags "all=-N -l" -ldflags "${SERVER_LDFLAGS}" -o rekor-server_debug -mod=readonly ./cmd/rekor-server
+RUN go test -c -ldflags "${SERVER_LDFLAGS}" -cover -covermode=count -coverpkg=./... -o rekor-server_test -mod=readonly ./cmd/rekor-server
+
+# debug compile options & debugger
+FROM registry.access.redhat.com/ubi9/go-toolset@sha256:330c52d81d5bde432fb59c4943fcb5143940ceb460f99c1ac8e0a9ea1f8f77e8 as debug
+RUN go install github.com/go-delve/delve/cmd/dlv@v1.8.0
+
+# overwrite server and include debugger
+COPY --from=build-env /opt/app-root/src/rekor-server_debug /usr/local/bin/rekor-server
+
+FROM registry.access.redhat.com/ubi9/go-toolset@sha256:330c52d81d5bde432fb59c4943fcb5143940ceb460f99c1ac8e0a9ea1f8f77e8 as test
+
+USER root
+
+# Extract the x86_64 minisign binary to /usr/local/bin/
+RUN curl -LO https://github.com/jedisct1/minisign/releases/download/0.11/minisign-0.11-linux.tar.gz && \
+ tar -xzf minisign-0.11-linux.tar.gz minisign-linux/x86_64/minisign -O > /usr/local/bin/minisign && \
+ chmod +x /usr/local/bin/minisign && \
+ rm minisign-0.11-linux.tar.gz
+
+# Create test directory
+RUN mkdir -p /var/run/attestations && \
+ touch /var/run/attestations/attestation.json && \
+ chmod 777 /var/run/attestations/attestation.json
+
+# overwrite server with test build with code coverage
+COPY --from=build-env /opt/app-root/src/rekor-server_test /usr/local/bin/rekor-server
+
+# Multi-Stage production build
+FROM registry.access.redhat.com/ubi9/ubi-minimal@sha256:06d06f15f7b641a78f2512c8817cbecaa1bf549488e273f5ac27ff1654ed33f0 as deploy
+
+LABEL description="Rekor aims to provide an immutable, tamper-resistant ledger of metadata generated within a software project’s supply chain."
+LABEL io.k8s.description="Rekor-Server provides a tamper resistant ledger."
+LABEL io.k8s.display-name="Rekor-Server container image for Red Hat Trusted Signer"
+LABEL io.openshift.tags="rekor-server trusted-signer"
+LABEL summary="Provides the rekor Server binary for running Rekor-Server"
+LABEL com.redhat.component="rekor-server"
+
+# Retrieve the binary from the previous stage
+COPY --from=build-env /opt/app-root/src/rekor-server /usr/local/bin/rekor-server
+
+# Set the binary as the entrypoint of the container
+ENTRYPOINT ["rekor-server"]
\ No newline at end of file
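Review bot: The `test` stage fetches `minisign-0.11-linux.tar.gz` with `curl -LO` and streams the extracted binary straight into `/usr/local/bin/minisign` without any integrity check, so a substituted or altered release asset (or an HTTP error page saved under that name) is accepted silently; pin the archive digest and fail on mismatch, e.g. `curl -fsSLO https://github.com/jedisct1/minisign/releases/download/0.11/minisign-0.11-linux.tar.gz && echo "<SHA256_OF_ARCHIVE>  minisign-0.11-linux.tar.gz" | sha256sum -c -` ahead of the `tar` step. The production `deploy` stage declares no `USER`, so unless the runtime platform assigns a UID the published image runs as whatever `ubi-minimal` defaults to (root, as far as can be told here); a numeric `USER 65532` (or the UID this project standardises on) placed before `ENTRYPOINT` is cheap since the binary only needs read access to `/usr/local/bin/rekor-server`. The `USER root` and `chmod 777 /var/run/attestations/attestation.json` are tolerable in the throwaway test stage but should not migrate into `deploy`. Style: local files are brought in with `ADD` (`ADD go.mod go.sum …`, `ADD ./cmd/ …`, `ADD ./pkg/ …`) where `COPY` is the conventional choice, the stage keyword is `AS build-env` in one place and lowercase `as debug`/`as test`/`as deploy` elsewhere, and the file ends without a trailing newline.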