diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
index cf52edddd..cf643d5a4 100644
--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@@ -194,6 +194,7 @@ jobs:
 container-image: "trust-manager"
 - dir: "./trust-packages"
 container-image: "trust-packages"
+ make-targets: "download-certificates"
 - dir: "./ttypdb"
 container-image: "ttypdb-controller"
 target: "controller"
diff --git a/maintenance.md b/maintenance.md
index ed48dcc6d..7aa43e515 100644
--- a/maintenance.md
+++ b/maintenance.md
@@ -882,24 +882,20 @@ Only the base image and module dependency should be updated.
 ![Regular Update](./regular_update.svg)
 1. Check the [release page](https://github.com/cert-manager/trust-manager/releases).
-2. Check the upstream Dockerfile. If there are any updates, update our `Dockerfile`.
- - https://github.com/cert-manager/trust-manager/blob/vX.Y.Z/Dockerfile
-3. Update `BRANCH` and `TAG` files.
+2. Update `BRANCH` and `TAG` files.
 ## trust-packages
 ![Regular Update](./regular_update.svg)
 1. Check the [release page](https://github.com/cert-manager/trust-manager/releases).
-2. Check the upstream Containerfile. If there are any updates, update our `Dockerfile`.
- - https://github.com/cert-manager/trust-manager/blob/vX.Y.Z/trust-packages/debian/Containerfile
-3. Update `TRUST_MANAGER_VERSION` in `Dockerfile`.
-4. Update `EXPECTED_VERSION` in `Dockerfile` as needed. You can check it to run docker command as follows.
+2. Update `TRUST_MANAGER_VERSION` in `Dockerfile`.
+3. Update `EXPECTED_VERSION` in `Dockerfile` as needed. You can check it to run docker command as follows.
 ```bash
 $ docker run --rm ghcr.io/cybozu/ubuntu:22.04 dpkg-query --show ca-certificates
 ```
-5. Check the [tini release page](https://github.com/krallin/tini/releases) and update `TINI_VERSION` in `Dockerfile` as needed.
-6. Update `TAG` file. The TAG format is `.`.
+4. Check the [tini release page](https://github.com/krallin/tini/releases) and update `TINI_VERSION` in `Dockerfile` as needed.
+5. Update `TAG` file. The TAG format is `.`.
 ## ttypdb
diff --git a/trust-manager/BRANCH b/trust-manager/BRANCH
index b63ba696b..51176c7c8 100644
--- a/trust-manager/BRANCH
+++ b/trust-manager/BRANCH
@@ -1 +1 @@
-0.9
+0.11
diff --git a/trust-manager/Dockerfile b/trust-manager/Dockerfile
index bba71538a..9bfa4c57c 100644
--- a/trust-manager/Dockerfile
+++ b/trust-manager/Dockerfile
@@ -10,7 +10,10 @@ RUN VERSION=$(cut -d \. -f 1,2,3 < /TAG ) \
 && curl -fsSL https://github.com/cert-manager/trust-manager/archive/v${VERSION}.tar.gz | \
 tar --strip-components=1 -xzf -
-RUN make build
+# Parameters retrieved from:
+# $ make ko-config-manager
+# $ cat _bin/scratch/image/oci-layout-manager.v0.11.1.ko_config.yaml
+RUN CGO_ENABLED=0 GO_EXPERIMENT= go build -ldflags '-w -s' -o bin/trust-manager ./cmd/trust-manager
 # Stage2: setup runtime container
 FROM scratch
diff --git a/trust-manager/TAG b/trust-manager/TAG
index 69667e51b..071f9c185 100644
--- a/trust-manager/TAG
+++ b/trust-manager/TAG
@@ -1 +1 @@
-0.9.2.1
+0.11.1.1
diff --git a/trust-packages/.dockerignore b/trust-packages/.dockerignore
index 72e8ffc0d..216f84f33 100644
--- a/trust-packages/.dockerignore
+++ b/trust-packages/.dockerignore
@@ -1 +1,2 @@
 *
+!trust-manager-source
diff --git a/trust-packages/.gitignore b/trust-packages/.gitignore
new file mode 100644
index 000000000..52b867162
--- /dev/null
+++ b/trust-packages/.gitignore
@@ -0,0 +1 @@
+/trust-manager-source
diff --git a/trust-packages/Dockerfile b/trust-packages/Dockerfile
index 7e13769d9..e374f6425 100644
--- a/trust-packages/Dockerfile
+++ b/trust-packages/Dockerfile
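Review bot: `GO_EXPERIMENT=` on the new RUN line is not an environment variable the Go toolchain reads (the knob is `GOEXPERIMENT`), so as written it is a no-op; if the intent is to pin experiments off, spell it `GOEXPERIMENT=`, otherwise drop it. The comment above hard-codes `v0.11.1` in the ko_config path even though `VERSION` is derived from `/TAG` at the top of the same RUN chain, so it goes stale on the next bump; `# $ cat _bin/scratch/image/oci-layout-manager.v<VERSION>.ko_config.yaml` would stay true. I believe ko also passes `-trimpath` by default, which the transcribed flags omit; worth checking against the generated ko_config rather than assuming, since it affects reproducibility of the binary. The RUN chain this hunk sits in begins on the hunk header line, outside the hunk body.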
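Review bot: `!trust-manager-source` re-admits the whole extracted upstream tree, including the host-built `validate-trust-package` binary, into the build context, while the new Dockerfile copies only `trust-manager-source/package.json` out of it. Narrowing the exception to `!trust-manager-source/package.json` keeps the context (and the cache-key input) to the one file the image needs; BuildKit should honour a file-level exception beneath a top-level `*` exclusion, but it is worth one local `docker build` to confirm.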
@@ -3,41 +3,24 @@
 # Stage1: build from source
 FROM ghcr.io/cybozu/golang:1.22-jammy AS build
-ARG TRUST_MANAGER_VERSION=0.9.2
+ARG TRUST_MANAGER_VERSION=0.11.1
+ARG TINI_VERSION=0.19.0
 WORKDIR /work
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 RUN curl -fsSL https://github.com/cert-manager/trust-manager/archive/v${TRUST_MANAGER_VERSION}.tar.gz | \
 tar --strip-components=1 -xzf -
+RUN CGO_ENABLED=0 go build -o debian-bundle-static ./trust-packages/debian/main.go
-WORKDIR /work/trust-packages/debian
-RUN CGO_ENABLED=0 go build -o copyandmaybepause main.go
-RUN CGO_ENABLED=0 go install github.com/cert-manager/trust-manager/cmd/validate-trust-package@main
-
-# Stage2: copy ca-certificates from ubuntu
-FROM quay.io/cybozu/ubuntu:22.04 as debbase
-
-ARG EXPECTED_VERSION=20230311ubuntu0.22.04.1
-ARG VERSION_SUFFIX=.0
-ARG TINI_VERSION=0.19.0
-WORKDIR /work
-
-COPY --from=build /work/trust-packages/debian/build.sh /work/build.sh
-COPY --from=build /go/bin/validate-trust-package /usr/bin/validate-trust-package
-
-RUN /work/build.sh $EXPECTED_VERSION $VERSION_SUFFIX /work/package.json
-RUN curl -fsSL -o /usr/bin/tini-static https://github.com/krallin/tini/releases/download/v${TINI_VERSION}/tini-static
-
-# Stage3: setup runtime container
+# Stage2: setup runtime container
 FROM scratch
 LABEL org.opencontainers.image.source="https://github.com/cybozu/neco-containers"
 LABEL description="cert-manager trust package based on Debian"
-COPY --from=debbase /usr/bin/tini-static /tini
-COPY --from=debbase /work/package.json /debian-package/cert-manager-package-debian.json
-COPY --from=build /work/trust-packages/debian/copyandmaybepause /copyandmaybepause
+COPY --from=build /work/debian-bundle-static /debian-bundle-static
 COPY --from=build /work/LICENSE /LICENSE
-
-ENTRYPOINT ["/tini", "--"]
+COPY trust-manager-source/package.json /debian-package/cert-manager-package-debian.json
 USER 10000:10000
-CMD ["/copyandmaybepause", "/debian-package", "/packages"]
+
+ENTRYPOINT 
["/debian-bundle-static"]
+CMD ["/debian-package", "/packages"]
diff --git a/trust-packages/Makefile b/trust-packages/Makefile
new file mode 100644
index 000000000..a41ad5946
--- /dev/null
+++ b/trust-packages/Makefile
@@ -0,0 +1,23 @@
+TRUST_MANAGER_VERSION := $(shell cat ../trust-manager/TAG | cut -d'.' -f1-3)
+TRUST_MANAGER_SOURCE := trust-manager-source
+
+.PHONY: clean
+clean:
+ rm -rf ./$(TRUST_MANAGER_SOURCE)
+
+$(TRUST_MANAGER_SOURCE):
+ mkdir $@
+ cd $@; \
+ curl -fsSL https://github.com/cert-manager/trust-manager/archive/v$(TRUST_MANAGER_VERSION).tar.gz | \
+ tar --strip-components=1 -xzf -
+
+$(TRUST_MANAGER_SOURCE)/validate-trust-package: | $(TRUST_MANAGER_SOURCE)
+ cd $(TRUST_MANAGER_SOURCE); go build -o validate-trust-package ./cmd/validate-trust-package/main.go
+
+$(TRUST_MANAGER_SOURCE)/package.json: | $(TRUST_MANAGER_SOURCE) $(TRUST_MANAGER_SOURCE)/validate-trust-package
+ BIN_VALIDATE_TRUST_PACKAGE=$(TRUST_MANAGER_SOURCE)/validate-trust-package \
+ $(TRUST_MANAGER_SOURCE)/make/debian-trust-package-fetch.sh latest ghcr.io/cybozu/ubuntu:22.04 \
+ $(TRUST_MANAGER_SOURCE)/package.json latest
+
+.PHONY: download-certificates
+download-certificates: | $(TRUST_MANAGER_SOURCE)/package.json
diff --git a/trust-packages/TAG b/trust-packages/TAG
index 69a37852c..03daa1363 100644
--- a/trust-packages/TAG
+++ b/trust-packages/TAG
@@ -1 +1 @@
-20230311ubuntu0.22.04.1.2
+20230311ubuntu0.22.04.1.3
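Review bot: `ARG TRUST_MANAGER_VERSION=0.11.1` is now a second copy of the version that the new Makefile derives from `../trust-manager/TAG`, so the `debian-bundle-static` built in this stage and the `package.json` validated on the host can quietly come from different upstream releases. `../trust-manager/TAG` is outside this build context, so the least-surprise fix is for CI to pass `--build-arg TRUST_MANAGER_VERSION=$(cut -d. -f1-3 ../trust-manager/TAG)` and keep the ARG default only as a fallback. `COPY trust-manager-source/package.json …` bakes in a host-generated file with nothing in the Dockerfile saying where it comes from; a comment such as `# generated on the host by 'make download-certificates' (see Makefile); the build fails if it is missing` would spare the next reader a search. This hunk begins on the previous source line.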
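Review bot: The `$(TRUST_MANAGER_SOURCE)` recipe chains `cd $@` to the download with `;`, so if the `cd` fails the tarball is unpacked over the current directory, and when `curl` or `tar` fails the just-created directory is left behind and treated as up to date on the next run (it is a directory target, so `.DELETE_ON_ERROR` would not remove it); `cd $@ && curl … | tar --strip-components=1 -xzf - || { rm -rf $@; exit 1; }` handles both, and the `validate-trust-package` recipe has the same `;` chaining. Passing `latest` as both the first and last argument of `debian-trust-package-fetch.sh` appears to give up the `EXPECTED_VERSION` pin the old Dockerfile enforced, so whatever the mutable `ghcr.io/cybozu/ubuntu:22.04` tag currently ships is accepted and no longer has to match the `20230311ubuntu0.22.04.1` recorded in `TAG`; worth confirming the script's argument semantics upstream and passing that value instead. maintenance.md step 3 still tells maintainers to update `EXPECTED_VERSION` in `Dockerfile`, which this commit removes, so that step should describe the Makefile/TAG path now. The upstream tarball is fetched by version tag only with no checksum pinned, the same posture as the Dockerfiles but now running on the CI host rather than inside the build container. Minor: `$(shell cat ../trust-manager/TAG | cut -d'.' -f1-3)` can be `$(shell cut -d. -f1-3 ../trust-manager/TAG)`.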