diff --git a/.github/workflows/push-ubi.yml b/.github/workflows/push-ubi.yml
new file mode 100644
index 0000000..0c7370d
--- /dev/null
+++ b/.github/workflows/push-ubi.yml
@@ -0,0 +1,65 @@
+name: push-ubi
+on:
+ workflow_dispatch:
+
+permissions:
+ contents: read
+
+env:
+ CONTROLLER: ${{ github.event.repository.name }}
+
+jobs:
+ flux-push:
+ runs-on: ubuntu-latest
+ permissions:
+ id-token: write # for creating OIDC tokens for signing.
+ packages: write # for pushing and signing container images.
+ steps:
+ - name: Checkout
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - name: Prepare
+ id: prep
+ run: |
+ RELEASE=$(gh release view --json tagName -q '.tagName')
+ echo "VERSION=${RELEASE}" >> $GITHUB_OUTPUT
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ - name: Setup QEMU
+ uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
+ - name: Setup Docker Buildx
+ id: buildx
+ uses: docker/setup-buildx-action@aa33708b10e362ff993539393ff100fa93ed6a27 # v3.5.0
+ - name: Login to GitHub Container Registry
+ uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+ - name: Generate images meta
+ id: meta
+ uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
+ with:
+ images: |
+ ghcr.io/controlplaneio-fluxcd/${{ env.CONTROLLER }}
+ tags: |
+ type=raw,value=${{ steps.prep.outputs.VERSION }}-ubi
+ - name: Publish images
+ id: build-push
+ uses: docker/build-push-action@5176d81f87c23d6fc96624dfdbcd9f3830bbe445 # v6.5.0
+ with:
+ sbom: true
+ provenance: true
+ push: true
+ builder: ${{ steps.buildx.outputs.name }}
+ context: .
+ file: ./config/olm/build/Dockerfile
+ platforms: linux/amd64,linux/arm64
+ tags: ${{ steps.meta.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels }}
+ build-args: "VERSION=${{ steps.prep.outputs.VERSION }}"
+ - uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
+ - name: Sign images
+ env:
+ COSIGN_EXPERIMENTAL: 1
+ run: |
+ cosign sign --yes ghcr.io/controlplaneio-fluxcd/${{ env.CONTROLLER }}@${{ steps.build-push.outputs.digest }}
diff --git a/Makefile b/Makefile
index 1c315f9..716f552 100644
--- a/Makefile
+++ b/Makefile
@@ -110,6 +110,9 @@ docker-buildx: ## Build and push docker image for the manager for cross-platform - $(CONTAINER_TOOL) buildx build --push --platform=$(PLATFORMS) --tag ${IMG} -f Dockerfile.cross . - $(CONTAINER_TOOL) buildx rm flux-operator-builder
+docker-build-ubi: ## Build docker image with the manager using UBI base image.
+ $(CONTAINER_TOOL) build -t ${IMG}-ubi --build-arg VERSION=$(FLUX_OPERATOR_VERSION) -f config/olm/build/Dockerfile . + .PHONY: build-installer build-installer: manifests generate kustomize ## Generate a consolidated YAML with CRDs and deployment. mkdir -p dist
diff --git a/config/olm/build/Dockerfile b/config/olm/build/Dockerfile
new file mode 100644
index 0000000..6f81e52
--- /dev/null
+++ b/config/olm/build/Dockerfile
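Review bot: The `Prepare` step resolves `VERSION` from the latest published release rather than from the ref the workflow was dispatched on, while the Dockerfile's `LICENSE` and `config/data/` come from the checkout; if the workflow is dispatched on a branch that has moved past that release, the published `-ubi` image carries manifests that do not match the released binary. A comment on the step would make the contract explicit, e.g. `# Builds the latest published release; dispatch on the release tag so config/data matches the binary.`, or the step could fail when `git describe --tags --exact-match` does not print `$RELEASE`. `COSIGN_EXPERIMENTAL: 1` in the `Sign images` step appears unnecessary with the cosign v2 line that cosign-installer v3.5.0 installs, where keyless signing is the default, so it can be dropped to avoid suggesting the feature is still opt-in. In the `Prepare` step the redirect should be quoted, `>> "$GITHUB_OUTPUT"`.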
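Review bot: The new `docker-build-ubi` target has no `.PHONY` declaration, although the neighbouring `build-installer` target in the same hunk is declared with `.PHONY: build-installer`; a file named `docker-build-ubi` in the working tree would silently turn the target into a no-op, so add `.PHONY: docker-build-ubi` directly above it to match the file's convention. The target also passes `VERSION=$(FLUX_OPERATOR_VERSION)`, and that variable is not visible in this hunk; if it is undefined the Dockerfile's `FROM ...flux-operator:${VERSION}` gets an empty tag and the build fails at the first stage, so it is worth confirming it is defined (or giving the target a guard such as `@test -n "$(FLUX_OPERATOR_VERSION)"`). The hunk's lines are collapsed in this view, so the line boundaries are inferred.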
@@ -0,0 +1,26 @@
+ARG VERSION
+
+FROM --platform=${BUILDPLATFORM} ghcr.io/controlplaneio-fluxcd/flux-operator:${VERSION} AS distroless
+FROM --platform=${BUILDPLATFORM} registry.access.redhat.com/ubi8/ubi-minimal
+
+### Required OpenShift Labels
+LABEL name="flux-operator" \
+ vendor="ControlPlane" \
+ version="${VERSION}" \
+ release="1" \
+ summary="This is the flux-operator image." \
+ description="This image contains the operator of ControlPlane Enterprise for Flux."
+
+WORKDIR /
+
+# Copy the license.
+COPY LICENSE /licenses/LICENSE.txt
+
+# Copy the manifests data.
+COPY config/data/ /data/
+
+# Copy the operator binary.
+COPY --from=distroless flux-operator .
+
+# Run the operator as the default user.
+ENTRYPOINT ["/flux-operator"]
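Review bot: The `version="${VERSION}"` label in the final stage expands to an empty string, because `ARG VERSION` is declared before the first `FROM` and is therefore only in scope for the `FROM` lines; re-declaring `ARG VERSION` after the ubi-minimal `FROM` brings it into the stage. Both `FROM` lines also use `--platform=${BUILDPLATFORM}`, which pins the base image and the copied `flux-operator` binary to the build host's architecture, so in the multi-platform build that push-ubi.yml requests (`linux/amd64,linux/arm64`) the non-host variant would carry a base and binary of the wrong architecture; dropping the flag lets both resolve to the target platform. `registry.access.redhat.com/ubi8/ubi-minimal` has no tag or digest, so the build floats on whatever the registry serves at build time, which undermines the SBOM and provenance the workflow attaches; pin it by tag and digest. The stage sets no `USER`, so despite the "default user" comment the image runs as root wherever the platform does not assign an arbitrary UID; a non-root `USER` (ideally the same UID the distroless image runs as, if it sets one) would narrow that.
```dockerfile
ARG VERSION

# Resolve both images for the target platform (the default) rather than
# BUILDPLATFORM, so each entry of the multi-arch manifest gets a base and
# a binary of its own architecture.
FROM ghcr.io/controlplaneio-fluxcd/flux-operator:${VERSION} AS distroless
# <TAG>@sha256:<DIGEST> is a placeholder: pin to the verified ubi-minimal tag and digest.
FROM registry.access.redhat.com/ubi8/ubi-minimal:<TAG>@sha256:<DIGEST>
# Re-declare so the value is in scope for the LABEL below.
ARG VERSION

# … unchanged: LABEL, WORKDIR and COPY instructions …

# <UID>:<GID> is a placeholder: use a non-root identity, matching the distroless image's if it sets one.
USER <UID>:<GID>
ENTRYPOINT ["/flux-operator"]
```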