feat: OCI authentication sidecar (#1272)
1 parent
699dfac
commit 4184e54
Showing
22 changed files
with
1,212 additions
and
1 deletion.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,93 @@ | ||
name: CD / OCI Authentication Sidecar | ||
|
||
on: | ||
pull_request: | ||
branches: | ||
- "master" | ||
paths: | ||
- "go/oci-auth/**" | ||
push: | ||
tags: | ||
- 'v*.*.*' | ||
|
||
permissions: | ||
contents: read | ||
|
||
env: | ||
GOPATH: /home/runner/go | ||
GOBIN: /home/runner/go/bin | ||
GOPROXY: "https://proxy.golang.org" | ||
|
||
jobs: | ||
test: | ||
name: Unit test | ||
runs-on: ubuntu-20.04 | ||
defaults: | ||
run: | ||
shell: bash | ||
working-directory: go/oci-auth | ||
timeout-minutes: 5 | ||
steps: | ||
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | ||
- uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 | ||
with: | ||
go-version-file: go/oci-auth/go.mod | ||
cache: true | ||
- run: go mod download | ||
- run: PATH=$PATH:$GOPATH/bin make --directory=.. tools | ||
- run: PATH=$PATH:$GOPATH/bin make test | ||
publish-docker: | ||
name: Build and push oci-auth container | ||
runs-on: ubuntu-20.04 | ||
defaults: | ||
run: | ||
shell: bash | ||
working-directory: go/oci-auth | ||
needs: [ test ] | ||
permissions: | ||
contents: 'read' | ||
id-token: 'write' | ||
packages: 'write' | ||
steps: | ||
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | ||
with: | ||
fetch-depth: 0 | ||
- id: meta | ||
uses: docker/metadata-action@v5 | ||
with: | ||
images: | | ||
ghcr.io/pluralsh/oci-auth | ||
gcr.io/pluralsh/oci-auth | ||
docker.io/pluralsh/oci-auth | ||
- uses: docker/login-action@v3 | ||
with: | ||
registry: ghcr.io | ||
username: ${{ github.repository_owner }} | ||
password: ${{ secrets.GITHUB_TOKEN }} | ||
- uses: google-github-actions/auth@v1 | ||
with: | ||
workload_identity_provider: 'projects/${{ secrets.GOOGLE_PROJECT_ID }}/locations/global/workloadIdentityPools/github/providers/github' | ||
service_account: '[email protected]' | ||
token_format: 'access_token' | ||
create_credentials_file: true | ||
- uses: google-github-actions/[email protected] | ||
- run: gcloud auth configure-docker -q | ||
- uses: docker/login-action@v3 | ||
with: | ||
username: mjgpluralsh | ||
password: ${{ secrets.DOCKER_ACCESS_TOKEN }} | ||
- uses: docker/setup-qemu-action@v3 | ||
- uses: docker/[email protected] | ||
- uses: docker/[email protected] | ||
with: | ||
context: "./go" | ||
file: "./go/oci-auth/Dockerfile" | ||
push: true | ||
tags: ${{ steps.meta.outputs.tags }} | ||
labels: ${{ steps.meta.outputs.labels }} | ||
platforms: linux/amd64,linux/arm64 | ||
cache-from: type=gha | ||
cache-to: type=gha,mode=max | ||
build-args: | | ||
GIT_COMMIT=${{ github.sha }} | ||
VERSION=${{ steps.meta.outputs.version }} |
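Review bot: `publish-docker` has no event guard, so the `pull_request` trigger at the top of this workflow also runs the three registry logins and the build step with `push: true` for same-repository pull requests that touch `go/oci-auth/**`, with `id-token: write` and `packages: write` granted. Restrict the job to tag pushes with `if: github.event_name == 'push'`, or set `push: ${{ github.event_name != 'pull_request' }}` on the build step so pull requests only build. Separately, the steps that handle the registry credentials and the OIDC token are referenced by mutable tags (`docker/metadata-action@v5`, `docker/login-action@v3`, `google-github-actions/auth@v1`, `docker/setup-qemu-action@v3`), while checkout and setup-go are pinned to commit SHAs. Pin these to full commit SHAs as well, with the version in a trailing comment as the pinned steps already do.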
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,68 @@ | ||
name: CI / OCI Authentication Sidecar | ||
on: | ||
push: | ||
branches: | ||
- "master" | ||
paths: | ||
- ".github/workflows/oci-auth-ci.yaml" | ||
- "go/oci-auth/**" | ||
pull_request: | ||
branches: | ||
- "**" | ||
paths: | ||
- ".github/workflows/oci-auth-ci.yaml" | ||
- "go/oci-auth/**" | ||
permissions: | ||
contents: read | ||
env: | ||
GOPATH: /home/runner/go/ | ||
GOPROXY: "https://proxy.golang.org" | ||
jobs: | ||
build: | ||
name: Build | ||
runs-on: ubuntu-latest | ||
defaults: | ||
run: | ||
shell: bash | ||
working-directory: go/oci-auth | ||
timeout-minutes: 5 | ||
steps: | ||
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | ||
- uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 | ||
with: | ||
go-version-file: go/oci-auth/go.mod | ||
cache: true | ||
- run: go mod download | ||
- run: PATH=$PATH:$GOPATH/bin make --directory=.. tools | ||
- run: PATH=$PATH:$GOPATH/bin make build | ||
unit-test: | ||
name: Unit tests | ||
runs-on: ubuntu-20.04 | ||
defaults: | ||
run: | ||
shell: bash | ||
working-directory: go/oci-auth | ||
timeout-minutes: 5 | ||
steps: | ||
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | ||
- uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 | ||
with: | ||
go-version-file: go/oci-auth/go.mod | ||
cache: true | ||
- run: go mod download | ||
- run: PATH=$PATH:$GOPATH/bin make --directory=.. tools | ||
- run: PATH=$PATH:$GOPATH/bin make test | ||
lint: | ||
name: Lint | ||
runs-on: ubuntu-latest | ||
steps: | ||
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | ||
- uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 | ||
with: | ||
go-version-file: go/oci-auth/go.mod | ||
check-latest: true | ||
- uses: golangci/golangci-lint-action@a4f60bb28d35aeee14e6880718e0c85ff1882e64 # v6.0.1 | ||
with: | ||
version: v1.59 | ||
working-directory: go/oci-auth | ||
args: --timeout=30m |
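Review bot: The `lint` job sets no `timeout-minutes`, unlike `build` and `unit-test`, which cap at 5 minutes, so it is bounded only by the linter's own `--timeout=30m`. Add `timeout-minutes` to the job so a stuck checkout or setup step is cut off by the workflow as well. `unit-test` is also pinned to `ubuntu-20.04` while `build` and `lint` use `ubuntu-latest`, so the tests and the build run on different runner images; use one image for all three jobs unless the difference is intentional.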
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,7 +1,8 @@ | ||
go 1.22.0 | ||
go 1.22.5 | ||
|
||
use ( | ||
./client // github.com/pluralsh/console/go/client | ||
./controller // github.com/pluralsh/console/go/controller | ||
./oci-auth // github.com/pluralsh/console/go/oci-auth | ||
./tools // github.com/pluralsh/console/go/tools | ||
) |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,26 @@ | ||
# Binaries for programs and plugins | ||
*.exe | ||
*.exe~ | ||
*.dll | ||
*.so | ||
*.dylib | ||
bin/* | ||
tmp/* | ||
dist/* | ||
Dockerfile.cross | ||
|
||
# Test binary, build with `go test -c` | ||
*.test | ||
|
||
# Output of the go coverage tool, specifically when used with LiteIDE | ||
*.out | ||
|
||
# Kubernetes Generated files - skip generated files, except for vendored files | ||
!vendor/**/zz_generated.* | ||
|
||
# editor and IDE paraphernalia | ||
.idea | ||
.vscode | ||
*.swp | ||
*.swo | ||
*~ |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,33 @@ | ||
run: | ||
allow-parallel-runners: true | ||
issues: | ||
max-same-issues: 0 | ||
linters: | ||
disable-all: true | ||
enable: | ||
- dupl | ||
- durationcheck | ||
- errcheck | ||
- exportloopref | ||
- forcetypeassert | ||
- goconst | ||
- gocyclo | ||
- godot | ||
- gofmt | ||
- goimports | ||
- gosimple | ||
- govet | ||
- ineffassign | ||
- lll | ||
- makezero | ||
- misspell | ||
- nakedret | ||
- nilerr | ||
- prealloc | ||
- predeclared | ||
- staticcheck | ||
- tenv | ||
- typecheck | ||
- unconvert | ||
- unparam | ||
- unused |
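Review bot: `gosec` is missing from the `enable` list, and because `disable-all: true` is set it will not run unless listed. This module is an authentication sidecar that presumably handles registry credentials, so add `- gosec` to get the static checks for hard-coded credentials, weak TLS settings and loose file permissions in CI. If the oci-auth module targets Go 1.22 like the workspace file, `exportloopref` no longer finds anything under the per-iteration loop variable semantics and can be dropped.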
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,61 @@ | ||
# Visit https://goreleaser.com for documentation on how to customize this behavior. | ||
|
||
# Requires a GoReleaser Pro to run | ||
partial: | ||
by: goos | ||
|
||
project_name: plural-oci-auth-sidecar | ||
|
||
monorepo: | ||
tag_prefix: v | ||
|
||
before: | ||
hooks: | ||
- go mod tidy | ||
|
||
builds: | ||
- env: | ||
- CGO_ENABLED=0 | ||
mod_timestamp: '{{ .CommitTimestamp }}' | ||
flags: | ||
- -trimpath | ||
ldflags: | ||
- '-s -w -X github.com/pluralsh/console/go/oci-auth/internal/environment.Version={{.Version}} -X github.com/pluralsh/console/go/oci-auth/internal/environment.Commit={{.Commit}}' | ||
goos: | ||
- freebsd | ||
- windows | ||
- linux | ||
- darwin | ||
goarch: | ||
- amd64 | ||
- '386' | ||
- arm | ||
- arm64 | ||
ignore: | ||
- goos: darwin | ||
goarch: '386' | ||
binary: '{{ .ProjectName }}_v{{ .Version }}' | ||
|
||
archives: | ||
- format: zip | ||
name_template: '{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}' | ||
|
||
checksum: | ||
name_template: '{{ .ProjectName }}_{{ .Version }}_SHA256SUMS' | ||
|
||
snapshot: | ||
name_template: "{{ incpatch .Version }}-next" | ||
|
||
changelog: | ||
sort: asc | ||
use: github-native | ||
filters: | ||
exclude: | ||
- '^docs:' | ||
- '^test:' | ||
|
||
release: | ||
name_template: "{{ .ProjectName }}-v{{ .Version }}" | ||
header: | | ||
## Plural OCI Authentication Sidecar release ({{ .Date }}) | ||
Welcome to this new release of the Plural OCI Authentication Sidecar! |
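Review bot: The release publishes a `SHA256SUMS` file through `checksum:` but the visible configuration has no `signs:` section, so the checksums detect corruption only and give consumers nothing to verify against a trusted key. Add a `signs:` entry that signs the checksum artifact (for example `artifacts: checksum`) and document the verification step in the release header. If signing is handled elsewhere in the release pipeline, a comment here saying so would be enough.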
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,30 @@ | ||
FROM golang:1.22 as builder | ||
ARG TARGETOS | ||
ARG TARGETARCH | ||
|
||
WORKDIR /workspace/oci-auth | ||
|
||
# Retrieve application dependencies. | ||
# This allows the container build to reuse cached dependencies. | ||
# Expecting to copy go.mod and if present go.sum. | ||
COPY oci-auth/go.* ./ | ||
RUN go mod download | ||
|
||
COPY oci-auth/internal ./internal | ||
COPY oci-auth/main.go ./ | ||
|
||
# Build | ||
# the GOARCH has not a default value to allow the binary be built according to the host where the command | ||
# was called. For example, if we call make docker-build in a local env which has the Apple Silicon M1 SO | ||
# the docker BUILDPLATFORM arg will be linux/arm64 when for Apple x86 it will be linux/amd64. Therefore, | ||
# by leaving it empty we can ensure that the container and binary shipped on it will have the same platform. | ||
RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -ldflags '-s -w -X github.com/pluralsh/console/go/oci-auth/internal/environment.Version=${VERSION} -X github.com/pluralsh/console/go/oci-auth/internal/environment.Commit=${GIT_COMMIT}' -a -o oci-auth . | ||
|
||
# Use distroless as minimal base image to package the oci-auth binary | ||
# Refer to https://github.com/GoogleContainerTools/distroless for more details | ||
FROM gcr.io/distroless/static:nonroot | ||
WORKDIR / | ||
COPY --from=builder /workspace/oci-auth/oci-auth . | ||
USER 65532:65532 | ||
|
||
ENTRYPOINT ["/oci-auth"] |
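Review bot: The `-ldflags` value in the build `RUN` line is wrapped in single quotes, so the shell does not expand `${VERSION}` or `${GIT_COMMIT}` and the binary is stamped with those literal strings. The builder stage also declares only `TARGETOS` and `TARGETARCH`, so the `GIT_COMMIT` and `VERSION` build args passed by the CD workflow are never consumed. Add `ARG VERSION` and `ARG GIT_COMMIT` after `ARG TARGETARCH`, and wrap the `-ldflags` value in double quotes so the shipped binary reports the version and commit it was built from. Both `FROM` lines use floating tags (`golang:1.22`, `gcr.io/distroless/static:nonroot`); pinning them by digest would make the published image reproducible.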
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,52 @@ | ||
ROOT_DIRECTORY := $(shell dirname $(realpath $(firstword $(MAKEFILE_LIST))))/../.. | ||
|
||
include $(ROOT_DIRECTORY)/go/paths.mk | ||
include $(TOOLS_BINARIES_MAKEFILE) | ||
|
||
# Setting SHELL to bash allows bash commands to be executed by recipes. | ||
# Options are set to exit when a recipe line exits non-zero or a piped command fails. | ||
SHELL = /usr/bin/env bash -o pipefail | ||
.SHELLFLAGS = -ec | ||
|
||
##@ General | ||
|
||
.PHONY: help | ||
help: ## show help | ||
@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n make \033[36m<target>\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf " \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST) | ||
|
||
.PHONY: show-dependency-updates | ||
show-dependency-updates: ## show possible dependency updates | ||
go list -u -f '{{if (and (not (or .Main .Indirect)) .Update)}}{{.Path}} {{.Version}} -> {{.Update.Version}}{{end}}' -m all | ||
|
||
.PHONY: update-dependencies | ||
update-dependencies: ## update dependencies | ||
go get -u ./... | ||
go mod tidy | ||
|
||
##@ Build | ||
|
||
.PHONY: build | ||
build: ## build binary | ||
go build -o bin/oci-auth . | ||
|
||
.PHONY: run | ||
run: ## run locally | ||
go run ./cmd/main.go | ||
|
||
.PHONY: release | ||
release: lint test ## builds release version of the app, requires GoReleaser to work | ||
goreleaser build --clean --single-target --snapshot | ||
|
||
##@ Checks | ||
|
||
.PHONY: lint | ||
lint: ## run linters | ||
@$(GOLANGCI_LINT) run ./... | ||
|
||
.PHONY: fix | ||
fix: ## run linters and fix found issues | ||
@$(GOLANGCI_LINT) run --fix ./... | ||
|
||
.PHONY: test | ||
test: ## run tests | ||
go test ./... |
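Review bot: The `run` target points at `./cmd/main.go`, but `build` in this same Makefile compiles the module root (`go build -o bin/oci-auth .`) and the Dockerfile in this commit copies `oci-auth/main.go`. Unless a `cmd/` directory exists outside what is shown here, `make run` will fail; `go run .` would match the other targets. The `release` help text could also say which GoReleaser edition is needed, since the GoReleaser config in this commit notes that it requires GoReleaser Pro.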