feat: OCI authentication sidecar

.github/workflows/oci-auth-cd.yaml

@@ -0,0 +1,93 @@
+name: CD / OCI Authentication Sidecar
+
+on:
+  pull_request:
+    branches:
+      - "master"
+    paths:
+      - "go/oci-auth/**"
+  push:
+    tags:
+    - 'v*.*.*'
+
+permissions:
+  contents: read
+
+env:
+  GOPATH: /home/runner/go
+  GOBIN: /home/runner/go/bin
+  GOPROXY: "https://proxy.golang.org"
+
+jobs:
+  test:
+    name: Unit test
+    runs-on: ubuntu-20.04
+    defaults:
+      run:
+        shell: bash
+        working-directory: go/oci-auth
+    timeout-minutes: 5
+    steps:
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+    - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+      with:
+        go-version-file: go/oci-auth/go.mod
+        cache: true
+    - run: go mod download
+    - run: PATH=$PATH:$GOPATH/bin make --directory=.. tools
+    - run: PATH=$PATH:$GOPATH/bin make test
+  publish-docker:
+    name: Build and push oci-auth container
+    runs-on: ubuntu-20.04
+    defaults:
+      run:
+        shell: bash
+        working-directory: go/oci-auth
+    needs: [ test ]
+    permissions:
+      contents: 'read'
+      id-token: 'write'
+      packages: 'write'
+    steps:
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      with:
+        fetch-depth: 0
+    - id: meta
+      uses: docker/metadata-action@v5
+      with:
+        images: |
+          ghcr.io/pluralsh/oci-auth
+          gcr.io/pluralsh/oci-auth
+          docker.io/pluralsh/oci-auth
+    - uses: docker/login-action@v3
+      with:
+        registry: ghcr.io
+        username: ${{ github.repository_owner }}
+        password: ${{ secrets.GITHUB_TOKEN }}
+    - uses: google-github-actions/auth@v1
+      with:
+        workload_identity_provider: 'projects/${{ secrets.GOOGLE_PROJECT_ID }}/locations/global/workloadIdentityPools/github/providers/github'
+        service_account: '[email protected]'
+        token_format: 'access_token'
+        create_credentials_file: true
+    - uses: google-github-actions/[email protected]
+    - run: gcloud auth configure-docker -q
+    - uses: docker/login-action@v3
+      with:
+        username: mjgpluralsh
+        password: ${{ secrets.DOCKER_ACCESS_TOKEN }}
+    - uses: docker/setup-qemu-action@v3
+    - uses: docker/[email protected]
+    - uses: docker/[email protected]
+      with:
+        context: "./go"
+        file: "./go/oci-auth/Dockerfile"
+        push: true
+        tags: ${{ steps.meta.outputs.tags }}
+        labels: ${{ steps.meta.outputs.labels }}
+        platforms: linux/amd64,linux/arm64
+        cache-from: type=gha
+        cache-to: type=gha,mode=max
+        build-args: |
+          GIT_COMMIT=${{ github.sha }}
+          VERSION=${{ steps.meta.outputs.version }}

.github/workflows/oci-auth-ci.yaml

@@ -0,0 +1,68 @@
+name: CI / OCI Authentication Sidecar
+on:
+  push:
+    branches:
+      - "master"
+    paths:
+      - ".github/workflows/oci-auth-ci.yaml"
+      - "go/oci-auth/**"
+  pull_request:
+    branches:
+      - "**"
+    paths:
+      - ".github/workflows/oci-auth-ci.yaml"
+      - "go/oci-auth/**"
+permissions:
+  contents: read
+env:
+  GOPATH: /home/runner/go/
+  GOPROXY: "https://proxy.golang.org"
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        shell: bash
+        working-directory: go/oci-auth
+    timeout-minutes: 5
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+        with:
+          go-version-file: go/oci-auth/go.mod
+          cache: true
+      - run: go mod download
+      - run: PATH=$PATH:$GOPATH/bin make --directory=.. tools
+      - run: PATH=$PATH:$GOPATH/bin make build
+  unit-test:
+    name: Unit tests
+    runs-on: ubuntu-20.04
+    defaults:
+      run:
+        shell: bash
+        working-directory: go/oci-auth
+    timeout-minutes: 5
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+        with:
+          go-version-file: go/oci-auth/go.mod
+          cache: true
+      - run: go mod download
+      - run: PATH=$PATH:$GOPATH/bin make --directory=.. tools
+      - run: PATH=$PATH:$GOPATH/bin make test
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+        with:
+          go-version-file: go/oci-auth/go.mod
+          check-latest: true
+      - uses: golangci/golangci-lint-action@a4f60bb28d35aeee14e6880718e0c85ff1882e64 # v6.0.1
+        with:
+          version: v1.59
+          working-directory: go/oci-auth
+          args: --timeout=30m

go/go.work

@@ -1,7 +1,8 @@
-go 1.22.0
+go 1.22.5
 
 use (
 	./client // github.com/pluralsh/console/go/client
 	./controller // github.com/pluralsh/console/go/controller
+	./oci-auth // github.com/pluralsh/console/go/oci-auth
 	./tools // github.com/pluralsh/console/go/tools
 )

go/oci-auth/.gitignore

@@ -0,0 +1,26 @@
+# Binaries for programs and plugins
+*.exe
+*.exe~
+*.dll
+*.so
+*.dylib
+bin/*
+tmp/*
+dist/*
+Dockerfile.cross
+
+# Test binary, build with `go test -c`
+*.test
+
+# Output of the go coverage tool, specifically when used with LiteIDE
+*.out
+
+# Kubernetes Generated files - skip generated files, except for vendored files
+!vendor/**/zz_generated.*
+
+# editor and IDE paraphernalia
+.idea
+.vscode
+*.swp
+*.swo
+*~

go/oci-auth/.golangci.yml

@@ -0,0 +1,33 @@
+run:
+  allow-parallel-runners: true
+issues:
+  max-same-issues: 0
+linters:
+  disable-all: true
+  enable:
+    - dupl
+    - durationcheck
+    - errcheck
+    - exportloopref
+    - forcetypeassert
+    - goconst
+    - gocyclo
+    - godot
+    - gofmt
+    - goimports
+    - gosimple
+    - govet
+    - ineffassign
+    - lll
+    - makezero
+    - misspell
+    - nakedret
+    - nilerr
+    - prealloc
+    - predeclared
+    - staticcheck
+    - tenv
+    - typecheck
+    - unconvert
+    - unparam
+    - unused

go/oci-auth/.goreleaser.yml

@@ -0,0 +1,61 @@
+# Visit https://goreleaser.com for documentation on how to customize this behavior.
+
+# Requires a GoReleaser Pro to run
+partial:
+  by: goos
+
+project_name: plural-oci-auth-sidecar
+
+monorepo:
+  tag_prefix: v
+
+before:
+  hooks:
+    - go mod tidy
+
+builds:
+  - env:
+      - CGO_ENABLED=0
+    mod_timestamp: '{{ .CommitTimestamp }}'
+    flags:
+      - -trimpath
+    ldflags:
+      - '-s -w -X github.com/pluralsh/console/go/oci-auth/internal/environment.Version={{.Version}} -X github.com/pluralsh/console/go/oci-auth/internal/environment.Commit={{.Commit}}'
+    goos:
+      - freebsd
+      - windows
+      - linux
+      - darwin
+    goarch:
+      - amd64
+      - '386'
+      - arm
+      - arm64
+    ignore:
+      - goos: darwin
+        goarch: '386'
+    binary: '{{ .ProjectName }}_v{{ .Version }}'
+
+archives:
+  - format: zip
+    name_template: '{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}'
+
+checksum:
+  name_template: '{{ .ProjectName }}_{{ .Version }}_SHA256SUMS'
+
+snapshot:
+  name_template: "{{ incpatch .Version }}-next"
+
+changelog:
+  sort: asc
+  use: github-native
+  filters:
+    exclude:
+      - '^docs:'
+      - '^test:'
+
+release:
+  name_template: "{{ .ProjectName }}-v{{ .Version }}"
+  header: |
+    ## Plural OCI Authentication Sidecar release ({{ .Date }})
+    Welcome to this new release of the Plural OCI Authentication Sidecar!

go/oci-auth/Dockerfile

@@ -0,0 +1,30 @@
+FROM golang:1.22 as builder
+ARG TARGETOS
+ARG TARGETARCH
+
+WORKDIR /workspace/oci-auth
+
+# Retrieve application dependencies.
+# This allows the container build to reuse cached dependencies.
+# Expecting to copy go.mod and if present go.sum.
+COPY oci-auth/go.* ./
+RUN go mod download
+
+COPY oci-auth/internal ./internal
+COPY oci-auth/main.go ./
+
+# Build
+# the GOARCH has not a default value to allow the binary be built according to the host where the command
+# was called. For example, if we call make docker-build in a local env which has the Apple Silicon M1 SO
+# the docker BUILDPLATFORM arg will be linux/arm64 when for Apple x86 it will be linux/amd64. Therefore,
+# by leaving it empty we can ensure that the container and binary shipped on it will have the same platform.
+RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -ldflags '-s -w -X github.com/pluralsh/console/go/oci-auth/internal/environment.Version=${VERSION} -X github.com/pluralsh/console/go/oci-auth/internal/environment.Commit=${GIT_COMMIT}' -a -o oci-auth .
+
+# Use distroless as minimal base image to package the oci-auth binary
+# Refer to https://github.com/GoogleContainerTools/distroless for more details
+FROM gcr.io/distroless/static:nonroot
+WORKDIR /
+COPY --from=builder /workspace/oci-auth/oci-auth .
+USER 65532:65532
+
+ENTRYPOINT ["/oci-auth"]

go/oci-auth/Makefile

@@ -0,0 +1,52 @@
+ROOT_DIRECTORY := $(shell dirname $(realpath $(firstword $(MAKEFILE_LIST))))/../..
+
+include $(ROOT_DIRECTORY)/go/paths.mk
+include $(TOOLS_BINARIES_MAKEFILE)
+
+# Setting SHELL to bash allows bash commands to be executed by recipes.
+# Options are set to exit when a recipe line exits non-zero or a piped command fails.
+SHELL = /usr/bin/env bash -o pipefail
+.SHELLFLAGS = -ec
+
+##@ General
+
+.PHONY: help
+help: ## show help
+	@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n  make \033[36m<target>\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf "  \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)
+
+.PHONY: show-dependency-updates
+show-dependency-updates: ## show possible dependency updates
+	go list -u -f '{{if (and (not (or .Main .Indirect)) .Update)}}{{.Path}} {{.Version}} -> {{.Update.Version}}{{end}}' -m all
+
+.PHONY: update-dependencies
+update-dependencies: ## update dependencies
+	go get -u ./...
+	go mod tidy
+
+##@ Build
+
+.PHONY: build
+build: ## build binary
+	go build -o bin/oci-auth .
+
+.PHONY: run
+run: ## run locally
+	go run ./cmd/main.go
+
+.PHONY: release
+release: lint test ## builds release version of the app, requires GoReleaser to work
+	goreleaser build --clean --single-target --snapshot
+
+##@ Checks
+
+.PHONY: lint
+lint: ## run linters
+	@$(GOLANGCI_LINT) run ./...
+
+.PHONY: fix
+fix: ## run linters and fix found issues
+	@$(GOLANGCI_LINT) run --fix ./...
+
+.PHONY: test
+test: ## run tests
+	go test ./...