Skip to content

Commit

Permalink
feat: OCI authentication sidecar (#1272)
Browse files Browse the repository at this point in the history
  • Loading branch information
maciaszczykm authored Aug 19, 2024
1 parent 699dfac commit 4184e54
Show file tree
Hide file tree
Showing 22 changed files with 1,212 additions and 1 deletion.
93 changes: 93 additions & 0 deletions .github/workflows/oci-auth-cd.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,93 @@
name: CD / OCI Authentication Sidecar

on:
pull_request:
branches:
- "master"
paths:
- "go/oci-auth/**"
push:
tags:
- 'v*.*.*'

permissions:
contents: read

env:
GOPATH: /home/runner/go
GOBIN: /home/runner/go/bin
GOPROXY: "https://proxy.golang.org"

jobs:
test:
name: Unit test
runs-on: ubuntu-20.04
defaults:
run:
shell: bash
working-directory: go/oci-auth
timeout-minutes: 5
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
go-version-file: go/oci-auth/go.mod
cache: true
- run: go mod download
- run: PATH=$PATH:$GOPATH/bin make --directory=.. tools
- run: PATH=$PATH:$GOPATH/bin make test
publish-docker:
name: Build and push oci-auth container
runs-on: ubuntu-20.04
defaults:
run:
shell: bash
working-directory: go/oci-auth
needs: [ test ]
permissions:
contents: 'read'
id-token: 'write'
packages: 'write'
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
fetch-depth: 0
- id: meta
uses: docker/metadata-action@v5
with:
images: |
ghcr.io/pluralsh/oci-auth
gcr.io/pluralsh/oci-auth
docker.io/pluralsh/oci-auth
- uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- uses: google-github-actions/auth@v1
with:
workload_identity_provider: 'projects/${{ secrets.GOOGLE_PROJECT_ID }}/locations/global/workloadIdentityPools/github/providers/github'
service_account: '[email protected]'
token_format: 'access_token'
create_credentials_file: true
- uses: google-github-actions/[email protected]
- run: gcloud auth configure-docker -q
- uses: docker/login-action@v3
with:
username: mjgpluralsh
password: ${{ secrets.DOCKER_ACCESS_TOKEN }}
- uses: docker/setup-qemu-action@v3
- uses: docker/[email protected]
- uses: docker/[email protected]
with:
context: "./go"
file: "./go/oci-auth/Dockerfile"
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
platforms: linux/amd64,linux/arm64
cache-from: type=gha
cache-to: type=gha,mode=max
build-args: |
GIT_COMMIT=${{ github.sha }}
VERSION=${{ steps.meta.outputs.version }}
68 changes: 68 additions & 0 deletions .github/workflows/oci-auth-ci.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,68 @@
name: CI / OCI Authentication Sidecar
on:
push:
branches:
- "master"
paths:
- ".github/workflows/oci-auth-ci.yaml"
- "go/oci-auth/**"
pull_request:
branches:
- "**"
paths:
- ".github/workflows/oci-auth-ci.yaml"
- "go/oci-auth/**"
permissions:
contents: read
env:
GOPATH: /home/runner/go/
GOPROXY: "https://proxy.golang.org"
jobs:
build:
name: Build
runs-on: ubuntu-latest
defaults:
run:
shell: bash
working-directory: go/oci-auth
timeout-minutes: 5
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
go-version-file: go/oci-auth/go.mod
cache: true
- run: go mod download
- run: PATH=$PATH:$GOPATH/bin make --directory=.. tools
- run: PATH=$PATH:$GOPATH/bin make build
unit-test:
name: Unit tests
runs-on: ubuntu-20.04
defaults:
run:
shell: bash
working-directory: go/oci-auth
timeout-minutes: 5
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
go-version-file: go/oci-auth/go.mod
cache: true
- run: go mod download
- run: PATH=$PATH:$GOPATH/bin make --directory=.. tools
- run: PATH=$PATH:$GOPATH/bin make test
lint:
name: Lint
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
go-version-file: go/oci-auth/go.mod
check-latest: true
- uses: golangci/golangci-lint-action@a4f60bb28d35aeee14e6880718e0c85ff1882e64 # v6.0.1
with:
version: v1.59
working-directory: go/oci-auth
args: --timeout=30m
3 changes: 2 additions & 1 deletion go/go.work
Original file line number Diff line number Diff line change
@@ -1,7 +1,8 @@
go 1.22.0
go 1.22.5

use (
./client // github.com/pluralsh/console/go/client
./controller // github.com/pluralsh/console/go/controller
./oci-auth // github.com/pluralsh/console/go/oci-auth
./tools // github.com/pluralsh/console/go/tools
)
26 changes: 26 additions & 0 deletions go/oci-auth/.gitignore
Original file line number Diff line number Diff line change
@@ -0,0 +1,26 @@
# Binaries for programs and plugins
*.exe
*.exe~
*.dll
*.so
*.dylib
bin/*
tmp/*
dist/*
Dockerfile.cross

# Test binary, build with `go test -c`
*.test

# Output of the go coverage tool, specifically when used with LiteIDE
*.out

# Kubernetes Generated files - skip generated files, except for vendored files
!vendor/**/zz_generated.*

# editor and IDE paraphernalia
.idea
.vscode
*.swp
*.swo
*~
33 changes: 33 additions & 0 deletions go/oci-auth/.golangci.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,33 @@
run:
allow-parallel-runners: true
issues:
max-same-issues: 0
linters:
disable-all: true
enable:
- dupl
- durationcheck
- errcheck
- exportloopref
- forcetypeassert
- goconst
- gocyclo
- godot
- gofmt
- goimports
- gosimple
- govet
- ineffassign
- lll
- makezero
- misspell
- nakedret
- nilerr
- prealloc
- predeclared
- staticcheck
- tenv
- typecheck
- unconvert
- unparam
- unused
61 changes: 61 additions & 0 deletions go/oci-auth/.goreleaser.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,61 @@
# Visit https://goreleaser.com for documentation on how to customize this behavior.

# Requires a GoReleaser Pro to run
partial:
by: goos

project_name: plural-oci-auth-sidecar

monorepo:
tag_prefix: v

before:
hooks:
- go mod tidy

builds:
- env:
- CGO_ENABLED=0
mod_timestamp: '{{ .CommitTimestamp }}'
flags:
- -trimpath
ldflags:
- '-s -w -X github.com/pluralsh/console/go/oci-auth/internal/environment.Version={{.Version}} -X github.com/pluralsh/console/go/oci-auth/internal/environment.Commit={{.Commit}}'
goos:
- freebsd
- windows
- linux
- darwin
goarch:
- amd64
- '386'
- arm
- arm64
ignore:
- goos: darwin
goarch: '386'
binary: '{{ .ProjectName }}_v{{ .Version }}'

archives:
- format: zip
name_template: '{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}'

checksum:
name_template: '{{ .ProjectName }}_{{ .Version }}_SHA256SUMS'

snapshot:
name_template: "{{ incpatch .Version }}-next"

changelog:
sort: asc
use: github-native
filters:
exclude:
- '^docs:'
- '^test:'

release:
name_template: "{{ .ProjectName }}-v{{ .Version }}"
header: |
## Plural OCI Authentication Sidecar release ({{ .Date }})
Welcome to this new release of the Plural OCI Authentication Sidecar!
30 changes: 30 additions & 0 deletions go/oci-auth/Dockerfile
Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@
FROM golang:1.22 as builder
ARG TARGETOS
ARG TARGETARCH

WORKDIR /workspace/oci-auth

# Retrieve application dependencies.
# This allows the container build to reuse cached dependencies.
# Expecting to copy go.mod and if present go.sum.
COPY oci-auth/go.* ./
RUN go mod download

COPY oci-auth/internal ./internal
COPY oci-auth/main.go ./

# Build
# the GOARCH has not a default value to allow the binary be built according to the host where the command
# was called. For example, if we call make docker-build in a local env which has the Apple Silicon M1 SO
# the docker BUILDPLATFORM arg will be linux/arm64 when for Apple x86 it will be linux/amd64. Therefore,
# by leaving it empty we can ensure that the container and binary shipped on it will have the same platform.
RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -ldflags '-s -w -X github.com/pluralsh/console/go/oci-auth/internal/environment.Version=${VERSION} -X github.com/pluralsh/console/go/oci-auth/internal/environment.Commit=${GIT_COMMIT}' -a -o oci-auth .

# Use distroless as minimal base image to package the oci-auth binary
# Refer to https://github.com/GoogleContainerTools/distroless for more details
FROM gcr.io/distroless/static:nonroot
WORKDIR /
COPY --from=builder /workspace/oci-auth/oci-auth .
USER 65532:65532

ENTRYPOINT ["/oci-auth"]
52 changes: 52 additions & 0 deletions go/oci-auth/Makefile
Original file line number Diff line number Diff line change
@@ -0,0 +1,52 @@
ROOT_DIRECTORY := $(shell dirname $(realpath $(firstword $(MAKEFILE_LIST))))/../..

include $(ROOT_DIRECTORY)/go/paths.mk
include $(TOOLS_BINARIES_MAKEFILE)

# Setting SHELL to bash allows bash commands to be executed by recipes.
# Options are set to exit when a recipe line exits non-zero or a piped command fails.
SHELL = /usr/bin/env bash -o pipefail
.SHELLFLAGS = -ec

##@ General

.PHONY: help
help: ## show help
@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n make \033[36m<target>\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf " \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)

.PHONY: show-dependency-updates
show-dependency-updates: ## show possible dependency updates
go list -u -f '{{if (and (not (or .Main .Indirect)) .Update)}}{{.Path}} {{.Version}} -> {{.Update.Version}}{{end}}' -m all

.PHONY: update-dependencies
update-dependencies: ## update dependencies
go get -u ./...
go mod tidy

##@ Build

.PHONY: build
build: ## build binary
go build -o bin/oci-auth .

.PHONY: run
run: ## run locally
go run ./cmd/main.go

.PHONY: release
release: lint test ## builds release version of the app, requires GoReleaser to work
goreleaser build --clean --single-target --snapshot

##@ Checks

.PHONY: lint
lint: ## run linters
@$(GOLANGCI_LINT) run ./...

.PHONY: fix
fix: ## run linters and fix found issues
@$(GOLANGCI_LINT) run --fix ./...

.PHONY: test
test: ## run tests
go test ./...
Loading

0 comments on commit 4184e54

Please sign in to comment.