diff --git a/.github/actionlint.yaml b/.github/actionlint.yaml
new file mode 100644
index 0000000..8337548
--- /dev/null
+++ b/.github/actionlint.yaml
@@ -0,0 +1,5 @@
+---
+self-hosted-runner:
+ # Ubicloud machines we are using
+ labels:
+ - ubicloud-standard-8-arm
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 203c208..45f49b3 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -88,18 +88,18 @@ jobs:
 TRIGGER: ${{ github.event_name }}
 GITHUB_REF: ${{ github.ref }}
 run: |
- if [[ $TRIGGER == "pull_request" ]]; then
+ if [[ "$TRIGGER" == "pull_request" ]]; then
 echo "exporting test as target helm repo: ${{ env.TEST_REPO_HELM_URL }}"
- echo "helm_repo=${{ env.TEST_REPO_HELM_URL }}" >> $GITHUB_OUTPUT
- elif [[ ( $TRIGGER == "push" || $TRIGGER == "schedule" || $TRIGGER == "workflow_dispatch" ) && $GITHUB_REF == "refs/heads/main" ]]; then
+ echo "helm_repo=${{ env.TEST_REPO_HELM_URL }}" >> "$GITHUB_OUTPUT"
+ elif [[ ( "$TRIGGER" == "push" || "$TRIGGER" == "schedule" || "$TRIGGER" == "workflow_dispatch" ) && "$GITHUB_REF" == "refs/heads/main" ]]; then
 echo "exporting dev as target helm repo: ${{ env.DEV_REPO_HELM_URL }}"
- echo "helm_repo=${{ env.DEV_REPO_HELM_URL }}" >> $GITHUB_OUTPUT
- elif [[ $TRIGGER == "push" && $GITHUB_REF == refs/tags/* ]]; then
+ echo "helm_repo=${{ env.DEV_REPO_HELM_URL }}" >> "$GITHUB_OUTPUT"
+ elif [[ "$TRIGGER" == "push" && $GITHUB_REF == refs/tags/* ]]; then
 echo "exporting stable as target helm repo: ${{ env.STABLE_REPO_HELM_URL }}"
- echo "helm_repo=${{ env.STABLE_REPO_HELM_URL }}" >> $GITHUB_OUTPUT
+ echo "helm_repo=${{ env.STABLE_REPO_HELM_URL }}" >> "$GITHUB_OUTPUT"
 else
 echo "Unknown trigger and ref combination encountered, skipping publish step: $TRIGGER $GITHUB_REF"
- echo "helm_repo=skip" >> $GITHUB_OUTPUT
+ echo "helm_repo=skip" >> "$GITHUB_OUTPUT"
 fi
 run_cargodeny:
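Review bot: The `+ echo "helm_repo=${{ env.TEST_REPO_HELM_URL }}" >> "$GITHUB_OUTPUT"` lines (and their DEV/STABLE twins) quote the shell side but still let the expressions engine splice `${{ env.* }}` into the script text before bash sees it, which is the pattern actionlint and GitHub's hardening guidance flag; the values are workflow-defined today, so this is a consistency point rather than an exploitable injection. Values in the `env` context are also exported to the step's process environment, so `echo "helm_repo=$TEST_REPO_HELM_URL" >> "$GITHUB_OUTPUT"` (and the same for the `echo "exporting …"` lines) would leave the whole script free of template interpolation. The right-hand side of `$GITHUB_REF == refs/tags/*` is correctly left unquoted because quoting it would turn the glob into a literal comparison; a comment such as `# RHS unquoted on purpose: quoting would disable the refs/tags/ pattern match` would stop a later quoting sweep from breaking it. The step's `env:` block and the enclosing job begin before this hunk.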
@@ -265,7 +265,7 @@ jobs:
 - name: Set up Helm
 uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
 with:
- version: v3.13.3
+ version: v3.16.1
 - name: Set up cargo
 uses: dtolnay/rust-toolchain@7b1c307e0dcbda6122208f10795a713336a9b35a
 with:
@@ -310,6 +310,7 @@ jobs:
 matrix:
 runner: ["ubuntu-latest", "ubicloud-standard-8-arm"]
 runs-on: ${{ matrix.runner }}
+ timeout-minutes: 120
 permissions:
 id-token: write
 env:
@@ -379,7 +380,7 @@ jobs:
 - id: printtag
 name: Output image name and tag
 if: ${{ !github.event.pull_request.head.repo.fork }}
- run: echo "IMAGE_TAG=$(make -e print-docker-tag)" >> $GITHUB_OUTPUT
+ run: echo "IMAGE_TAG=$(make -e print-docker-tag)" >> "$GITHUB_OUTPUT"
 create_manifest_list:
 name: Build and publish manifest list
@@ -437,4 +438,4 @@ jobs:
 ARCH_FOR_PREFLIGHT="$(arch | sed -e 's#x86_64#amd64#' | sed -e 's#aarch64#arm64#')"
 ./preflight-linux-amd64 check container "$IMAGE_TAG" --platform "${ARCH_FOR_PREFLIGHT}" > preflight.out
 - name: "Passed?"
- run: '[ "$(cat preflight.out | jq -r .passed)" == true ]'
+ run: '[ "$(jq -r .passed < preflight.out)" == true ]'
diff --git a/.github/workflows/pr_pre-commit.yaml b/.github/workflows/pr_pre-commit.yaml
index c7df5b4..5050dc0 100644
--- a/.github/workflows/pr_pre-commit.yaml
+++ b/.github/workflows/pr_pre-commit.yaml
@@ -16,6 +16,7 @@ jobs:
 - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 with:
 fetch-depth: 0
+ submodules: recursive
 - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
 with:
 python-version: '3.12'
@@ -39,6 +40,7 @@ jobs:
 chmod 700 "${LOCATION_BIN}"
 echo "$LOCATION_DIR" >> "$GITHUB_PATH"
+ - uses: cachix/install-nix-action@8887e596b4ee1134dae06b98d573bd674693f47c # v26
 - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1
 with:
 extra_args: "--from-ref ${{ github.event.pull_request.base.sha }} --to-ref ${{ github.event.pull_request.head.sha }}"
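Review bot: The new `+ run: echo "IMAGE_TAG=$(make -e print-docker-tag)" >> "$GITHUB_OUTPUT"` still exports whatever the Makefile target prints without checking it: command substitution drops only trailing newlines, so any extra line from the target (a warning, a second tag) would be appended to `$GITHUB_OUTPUT` as a further output line, and the `if:` guard above excludes forks only. Turning the step into a `run: |` block that captures and validates first is a three-line change: `tag="$(make -e print-docker-tag)"`, `[[ "$tag" =~ ^[A-Za-z0-9][A-Za-z0-9._:/@-]*$ ]] || { echo "unexpected image tag: $tag" >&2; exit 1; }`, `echo "IMAGE_TAG=$tag" >> "$GITHUB_OUTPUT"`. The preflight step in the later hunk appears to consume `$IMAGE_TAG` as a container reference, so asserting a well-formed value at the source is cheap insurance.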
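Review bot: The added `cachix/install-nix-action` step is commit-pinned, but the hunk does not set its `nix_path` input, so what `<nixpkgs>` resolves to when `pre-commit` later runs the `nix-shell --run …` hooks depends on the action's default rather than on anything in this repository, unless `shell.nix` pins nixpkgs itself, which this diff does not show. Adding `with: nix_path: "nixpkgs=channel:nixos-24.05"` (or a pinned nixpkgs inside `shell.nix`) makes the toolchain the hooks execute with reproducible between runs. It is also worth a comment on this step that `nix-shell` evaluates the checked-out PR's `shell.nix` on the runner; that is the same trust level as the `cargo test` hook that already runs PR code, so it is not new exposure, but `shell.nix` is now executable CI configuration and should be reviewed as such.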
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 4b1c512..f30ef3a 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -66,13 +66,13 @@ repos:
 - id: regenerate-charts
 name: regenerate-charts
 language: system
- entry: make regenerate-charts
+ entry: nix-shell --run 'make regenerate-charts'
 stages: [commit, merge-commit, manual]
 pass_filenames: false
 - id: cargo-test
 name: cargo-test
 language: system
- entry: cargo test
+ entry: nix-shell --run 'cargo test'
 stages: [commit, merge-commit, manual]
 pass_filenames: false
diff --git a/docker/Dockerfile b/docker/Dockerfile
index 85b8253..b2a02a1 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
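Review bot: The two `+ entry: nix-shell --run '…'` lines make both `language: system` hooks depend on Nix being installed and on a `shell.nix`/`default.nix` at the repository root (what `nix-shell` loads when given no file; neither file is visible in this diff), and nothing in the hook config says so, so a contributor without Nix now gets a bare command-not-found at commit time. A short comment above each hook, `# requires Nix: runs inside the repo's shell.nix so the toolchain matches CI`, plus a matching line in the contributor docs, would make the requirement discoverable. If the intent is a hermetic toolchain, the comment should also say that `nix-shell` without `--pure` still inherits the caller's environment variables, so the hook is reproducible for binaries but not for everything that influences `cargo` and `make`.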
@@ -1,40 +1,171 @@ +# syntax=docker/dockerfile:1.10.0@sha256:865e5dd094beca432e8c0a1d5e1c465db5f998dca4e439981029b3b81fb39ed5 +# NOTE: The syntax directive needs to be the first line in a Dockerfile + # ============= # This file is automatically generated from the templates in stackabletech/operator-templating # DON'T MANUALLY EDIT THIS FILE # ============= -FROM oci.stackable.tech/sdp/ubi9-rust-builder AS builder -FROM registry.access.redhat.com/ubi9/ubi-minimal AS operator +# https://docs.docker.com/build/checks/#fail-build-on-check-violations +# check=error=true + +# We want to automatically use the latest. We also don't tag our images with a version. +# hadolint ignore=DL3007 +FROM oci.stackable.tech/sdp/ubi9-rust-builder:latest AS builder + + +# We want to automatically use the latest. +# hadolint ignore=DL3007 +FROM registry.access.redhat.com/ubi9/ubi-minimal:latest AS operator ARG VERSION ARG RELEASE="1" -LABEL name="Stackable Operator for EDC" \ - maintainer="info@stackable.tech" \ - vendor="Stackable GmbH" \ - version="${VERSION}" \ - release="${RELEASE}" \ - summary="Deploy and manage EDC clusters." \ - description="Deploy and manage EDC clusters." 
- -# Update image and install kerberos client libraries -# install_weak_deps in microdnf does not support the literal "False" as dnf does -# https://github.com/rpm-software-management/microdnf/blob/a600c62f29262d71a6259b70dc220df65a2ab9b5/dnf/dnf-main.c#L176-L189 -RUN microdnf update -y --setopt=install_weak_deps=0 \ - && microdnf install -y --setopt=install_weak_deps=0 \ - krb5-libs \ - libkadm5 \ - && microdnf clean all \ - && rm -rf /var/cache/yum +# These are chosen at random and are this high on purpose to have very little chance to clash with an existing user or group on the host system +ARG STACKABLE_USER_GID="574654813" +ARG STACKABLE_USER_UID="782252253" + +# These labels have mostly been superceded by the OpenContainer spec annotations below but it doesn't hurt to include them +# http://label-schema.org/rc1/ +LABEL name="Stackable Operator for EDC" +LABEL maintainer="info@stackable.tech" +LABEL vendor="Stackable GmbH" +LABEL version="${VERSION}" +LABEL release="${RELEASE}" +LABEL summary="Deploy and manage EDC clusters." +LABEL description="Deploy and manage EDC clusters." + +# Overwriting/Pinning UBI labels +# https://github.com/projectatomic/ContainerApplicationGenericLabels +LABEL vcs-ref="" +LABEL distribution-scope="public" +LABEL url="https://stackable.tech" +ARG TARGETARCH +LABEL architecture="${TARGETARCH}" +LABEL com.redhat.component="" +# It complains about it being an invalid label but RedHat uses it and we want to override it and it works.... 
+# hadolint ignore=DL3048 +LABEL com.redhat.license_terms="" +LABEL io.buildah.version="" +LABEL io.openshift.expose-services="" + +# https://github.com/opencontainers/image-spec/blob/036563a4a268d7c08b51a08f05a02a0fe74c7268/annotations.md#annotations +LABEL org.opencontainers.image.authors="info@stackable.tech" +LABEL org.opencontainers.image.url="https://stackable.tech" +LABEL org.opencontainers.image.vendor="Stackable GmbH" +LABEL org.opencontainers.image.licenses="OSL-3.0" +LABEL org.opencontainers.image.documentation="https://docs.stackable.tech/home/stable/edc/" +LABEL org.opencontainers.image.version="${VERSION}" +LABEL org.opencontainers.image.revision="${RELEASE}" +LABEL org.opencontainers.image.title="Stackable Operator for EDC" +LABEL org.opencontainers.image.description="Deploy and manage EDC clusters." + +# https://docs.openshift.com/container-platform/4.16/openshift_images/create-images.html#defining-image-metadata +# https://github.com/projectatomic/ContainerApplicationGenericLabels/blob/master/vendor/redhat/labels.md +LABEL io.openshift.tags="ubi9,stackable,sdp,edc" +LABEL io.k8s.description="Deploy and manage EDC clusters." +LABEL io.k8s.display-name="Stackable Operator for EDC" + +COPY <> /stackable/.bashrc + +echo -e "if [ -f ~/.bashrc ]; then\n\tsource ~/.bashrc\nfi" >> /stackable/.profile + +chown ${STACKABLE_USER_UID}:0 /stackable/.bashrc +chown ${STACKABLE_USER_UID}:0 /stackable/.profile + +# All files and folders owned by root to support running as arbitrary users +# This is best practice as all container users will belong to the root group (0) +# This is not very relevant for the operator images but this makes it consistent with `docker-images` +chown -R ${STACKABLE_USER_UID}:0 /stackable +chmod -R g=u /stackable +EOF + +COPY <