feat: NVSHAS-9490 support controller SLSA L3
1. Provide cross platform/standalone Dockerfile for controller
   and enforcer.
2. Release.yml to publish SLSA-capable artifacts
3. Make sure third party checksum is checked.
4. Provide build target, test-image, build-image and push-image to sync
   with rancher.
5. Switch to golang:1.22 as its base image
holyspectral committed Dec 12, 2024
1 parent ad0f038 commit 94b16e0
Showing 2 changed files with 5 additions and 8 deletions.
8 changes: 3 additions & 5 deletions .github/workflows/release.yml
Expand Up @@ -36,7 +36,7 @@ jobs:
with:
secrets: |
secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials username | RANCHER_DOCKER_USERNAME ;
secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials password | RANCHER_PASSWORD ;
secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials password | RANCHER_DOCKER_PASSWORD ;
secret/data/github/repo/${{ github.repository }}/dockerhub/neuvector/credentials username | DOCKER_USERNAME ;
secret/data/github/repo/${{ github.repository }}/dockerhub/neuvector/credentials password | DOCKER_PASSWORD ;
secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials registry | PRIME_REGISTRY ;
Expand All @@ -58,7 +58,7 @@ jobs:
cat sha256sum-controller-amd64 | sha256sum --check
cat sha256sum-controller-arm64 | sha256sum --check
- name: Publish public manifest
- name: Publish neuvector manifest
uses: rancher/ecm-distro-tools/actions/publish-image@master
with:
push-to-public: true
Expand All @@ -72,13 +72,11 @@ jobs:
public-repo: neuvector
public-username: ${{ env.DOCKER_USERNAME }}
public-password: ${{ env.DOCKER_PASSWORD }}
- name: Publish prime manifest
- name: Publish rancher manifest
uses: rancher/ecm-distro-tools/actions/publish-image@master
env:
IMAGE_PREFIX: neuvector-
with:
push-to-public: true
push-to-prime: true
image: ${{ matrix.rancher_target }}
tag: ${{ env.TAG }}
platforms: ${{ matrix.platforms }}
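Review bot: The first hunk renames the Vault-sourced output from `RANCHER_PASSWORD` to `RANCHER_DOCKER_PASSWORD` while `RANCHER_DOCKER_USERNAME` keeps its name, but none of the consumers are in view — the `Publish rancher manifest` step's `with:` block continues past the end of the last hunk. Any reference still reading `${{ env.RANCHER_PASSWORD }}` would expand to an empty string, so the publish step would attempt a registry login with an empty password instead of failing at the rename; worth confirming every consumer was updated, or guarding with a step such as `run: test -n "$RANCHER_DOCKER_PASSWORD"` before the push. Separately, both publish steps use `rancher/ecm-distro-tools/actions/publish-image@master` (context lines here); for a release pipeline aiming at SLSA L3 a mutable branch ref means the publishing logic can change without any change in this repository, and pinning to a full commit SHA closes that gap.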
5 changes: 2 additions & 3 deletions Makefile
Expand Up @@ -197,7 +197,6 @@ REPO ?= neuvector
CONTROLLER_IMAGE = $(REPO)/controller:$(TAG)
ENFORCER_IMAGE = $(REPO)/enforcer:$(TAG)
BUILD_ACTION = --load
TARGET_PREFIX ?=

buildx-machine:
docker buildx ls
Expand All @@ -218,7 +217,7 @@ build-controller-image: buildx-machine ## build (and load) the container image t
push-controller-image: buildx-machine
$(IMAGE_BUILDER) build -f package/Dockerfile.controller \
--builder $(MACHINE) $(IMAGE_ARGS) $(IID_FILE_FLAG) $(BUILDX_ARGS) \
--build-arg VERSION=$(VERSION) --build-arg COMMIT=$(COMMIT) --platform=$(TARGET_PLATFORMS) -t "$(REPO)/controller:$(TAG)" --push .
--build-arg VERSION=$(VERSION) --build-arg COMMIT=$(COMMIT) --platform=$(TARGET_PLATFORMS) -t "$(REPO)/$(IMAGE_PREFIX)controller:$(TAG)" --push .
@echo "Pushed $(REPO)/$(IMAGE_PREFIX)controller:$(TAG)"

test-enforcer-image:
Expand All @@ -236,4 +235,4 @@ push-enforcer-image: buildx-machine
$(IMAGE_BUILDER) build -f package/Dockerfile.enforcer \
--builder $(MACHINE) $(IMAGE_ARGS) $(IID_FILE_FLAG) $(BUILDX_ARGS) \
--build-arg VERSION=$(VERSION) --build-arg COMMIT=$(COMMIT) --platform=$(TARGET_PLATFORMS) -t "$(REPO)/$(IMAGE_PREFIX)enforcer:$(TAG)" --push .
@echo "Pushed $(REPO)/enforcer:$(TAG)"
@echo "Pushed $(REPO)/$(IMAGE_PREFIX)enforcer:$(TAG)"
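Review bot: `push-controller-image` now builds the pushed reference from `$(IMAGE_PREFIX)`, but the only default in view is `REPO ?= neuvector`; the first hunk drops `TARGET_PREFIX ?=` and adds no `IMAGE_PREFIX ?=`, so if the variable is not declared earlier in the Makefile (outside this hunk) an unset environment silently pushes `$(REPO)/controller:$(TAG)` rather than the prefixed image. The same applies to `push-enforcer-image` in the last hunk. Declaring it next to `REPO` with `IMAGE_PREFIX ?=` and a comment such as `# optional image-name prefix, e.g. "neuvector-" for the rancher repository` makes the intended push target explicit and keeps `--warn-undefined-variables` quiet. The `push-controller-image` recipe itself starts before the second hunk's first visible line.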
