diff --git a/OWNERS_ALIASES b/OWNERS_ALIASES
index 6d51f05b..10d1279a 100644
--- a/OWNERS_ALIASES
+++ b/OWNERS_ALIASES
@@ -11,3 +11,4 @@ aliases:
 - irbekrm
 - sgtcodfish
 - inteon
+ - thatsmrtalbot
diff --git a/klone.yaml b/klone.yaml
index 6101af27..66b49640 100644
--- a/klone.yaml
+++ b/klone.yaml
@@ -10,70 +10,70 @@ targets:
 - folder_name: api-docs
 repo_url: https://github.com/cert-manager/makefile-modules.git
 repo_ref: main
- repo_hash: ed50ac284f8e2a389ee33d4dcb90eb4de108bb98
+ repo_hash: b6dc86973e937be38a138f38cf83134760487f26
 repo_path: modules/api-docs
 - folder_name: boilerplate
 repo_url: https://github.com/cert-manager/makefile-modules.git
 repo_ref: main
- repo_hash: ed50ac284f8e2a389ee33d4dcb90eb4de108bb98
+ repo_hash: b6dc86973e937be38a138f38cf83134760487f26
 repo_path: modules/boilerplate
 - folder_name: cert-manager
 repo_url: https://github.com/cert-manager/makefile-modules.git
 repo_ref: main
- repo_hash: ed50ac284f8e2a389ee33d4dcb90eb4de108bb98
+ repo_hash: b6dc86973e937be38a138f38cf83134760487f26
 repo_path: modules/cert-manager
 - folder_name: controller-gen
 repo_url: https://github.com/cert-manager/makefile-modules.git
 repo_ref: main
- repo_hash: ed50ac284f8e2a389ee33d4dcb90eb4de108bb98
+ repo_hash: b6dc86973e937be38a138f38cf83134760487f26
 repo_path: modules/controller-gen
 - folder_name: generate-verify
 repo_url: https://github.com/cert-manager/makefile-modules.git
 repo_ref: main
- repo_hash: ed50ac284f8e2a389ee33d4dcb90eb4de108bb98
+ repo_hash: b6dc86973e937be38a138f38cf83134760487f26
 repo_path: modules/generate-verify
 - folder_name: go
 repo_url: https://github.com/cert-manager/makefile-modules.git
 repo_ref: main
- repo_hash: ed50ac284f8e2a389ee33d4dcb90eb4de108bb98
+ repo_hash: b6dc86973e937be38a138f38cf83134760487f26
 repo_path: modules/go
 - folder_name: helm
 repo_url: https://github.com/cert-manager/makefile-modules.git
 repo_ref: main
- repo_hash: ed50ac284f8e2a389ee33d4dcb90eb4de108bb98
+ repo_hash: b6dc86973e937be38a138f38cf83134760487f26
 repo_path: modules/helm
 - folder_name: help
 repo_url: https://github.com/cert-manager/makefile-modules.git
 repo_ref: main
- repo_hash: ed50ac284f8e2a389ee33d4dcb90eb4de108bb98
+ repo_hash: b6dc86973e937be38a138f38cf83134760487f26
 repo_path: modules/help
 - folder_name: kind
 repo_url: https://github.com/cert-manager/makefile-modules.git
 repo_ref: main
- repo_hash: ed50ac284f8e2a389ee33d4dcb90eb4de108bb98
+ repo_hash: b6dc86973e937be38a138f38cf83134760487f26
 repo_path: modules/kind
 - folder_name: klone
 repo_url: https://github.com/cert-manager/makefile-modules.git
 repo_ref: main
- repo_hash: ed50ac284f8e2a389ee33d4dcb90eb4de108bb98
+ repo_hash: b6dc86973e937be38a138f38cf83134760487f26
 repo_path: modules/klone
 - folder_name: oci-build
 repo_url: https://github.com/cert-manager/makefile-modules.git
 repo_ref: main
- repo_hash: ed50ac284f8e2a389ee33d4dcb90eb4de108bb98
+ repo_hash: b6dc86973e937be38a138f38cf83134760487f26
 repo_path: modules/oci-build
 - folder_name: oci-publish
 repo_url: https://github.com/cert-manager/makefile-modules.git
 repo_ref: main
- repo_hash: ed50ac284f8e2a389ee33d4dcb90eb4de108bb98
+ repo_hash: b6dc86973e937be38a138f38cf83134760487f26
 repo_path: modules/oci-publish
 - folder_name: repository-base
 repo_url: https://github.com/cert-manager/makefile-modules.git
 repo_ref: main
- repo_hash: ed50ac284f8e2a389ee33d4dcb90eb4de108bb98
+ repo_hash: b6dc86973e937be38a138f38cf83134760487f26
 repo_path: modules/repository-base
 - folder_name: tools
 repo_url: https://github.com/cert-manager/makefile-modules.git
 repo_ref: main
- repo_hash: ed50ac284f8e2a389ee33d4dcb90eb4de108bb98
+ repo_hash: b6dc86973e937be38a138f38cf83134760487f26
 repo_path: modules/tools
diff --git a/make/_shared/cert-manager/00_mod.mk b/make/_shared/cert-manager/00_mod.mk
index 0a61381a..863508b4 100644
--- a/make/_shared/cert-manager/00_mod.mk
+++ b/make/_shared/cert-manager/00_mod.mk
@@ -15,14 +15,14 @@
 images_amd64 ?=
 images_arm64 ?=
-cert_manager_version := v1.14.4
+cert_manager_version := v1.14.5
-images_amd64 += quay.io/jetstack/cert-manager-controller:$(cert_manager_version)@sha256:f84edf06327f84ed2ca056776659aa144cf3cc982c5403650c24553c5a44b03d
-images_amd64 += quay.io/jetstack/cert-manager-cainjector:$(cert_manager_version)@sha256:8267563833c31cc428b9ae460b890d079a1da09a4d8d00ec299a47dd613fbd24
-images_amd64 += quay.io/jetstack/cert-manager-webhook:$(cert_manager_version)@sha256:ba5469d1a77b1cb04a703199b0e69bc25644a00498adc3694a0369c87375b4ca
-images_amd64 += quay.io/jetstack/cert-manager-startupapicheck:$(cert_manager_version)@sha256:2a1545099cf6386ab08e979a58a6280fe123d091c69f8222bfb22c597003a3f0
+images_amd64 += quay.io/jetstack/cert-manager-controller:$(cert_manager_version)@sha256:f37f460aaa7598ba251ff1cbe7438012fd56c4acc94be64245e8a836203c5542
+images_amd64 += quay.io/jetstack/cert-manager-cainjector:$(cert_manager_version)@sha256:6d9ebced61371cc903f7934690923034382456f3ce6e0fe2b692c40dbd67d523
+images_amd64 += quay.io/jetstack/cert-manager-webhook:$(cert_manager_version)@sha256:ac34b1905a2ff20789fde27115d3e1aa7b3d09f57efba4e91ae2ba1744de4ad2
+images_amd64 += quay.io/jetstack/cert-manager-startupapicheck:$(cert_manager_version)@sha256:5c74e4e37586dc5c35442515f43ecf222e961b65e954798428ac9239408bc0f3
-images_arm64 += quay.io/jetstack/cert-manager-controller:$(cert_manager_version)@sha256:39a6e9e699b3dacb8b92538efbaff85c16d4b30343ebeaaf2f35772ff3cebf53
-images_arm64 += quay.io/jetstack/cert-manager-cainjector:$(cert_manager_version)@sha256:956aac21371499fdcc8811b4b5fc8e2e0d6e552b15723c783fe56270347fc9e0
-images_arm64 += quay.io/jetstack/cert-manager-webhook:$(cert_manager_version)@sha256:8ea8462c1daa7604f4f2e71e0cdeef3dd5d7e0f04341982a05dc296299766126
-images_arm64 += quay.io/jetstack/cert-manager-startupapicheck:$(cert_manager_version)@sha256:f4cd54540f8813e63a2f53b5b210454ae2a5fe0949b9f55d8f1270162ebad9a8
+images_arm64 += quay.io/jetstack/cert-manager-controller:$(cert_manager_version)@sha256:96668890d162a743407c0ef14d7769e970aa16655959b5f5cab0c595167148fa
+images_arm64 += quay.io/jetstack/cert-manager-cainjector:$(cert_manager_version)@sha256:719aec5d99e86377829261451985592bc4129c5ca8dcb7f20b32170742f2b29b
+images_arm64 += quay.io/jetstack/cert-manager-webhook:$(cert_manager_version)@sha256:874da5701a98e352fa28d88470671eb792a472737a3cf2b7ce9966817e962de8
+images_arm64 += quay.io/jetstack/cert-manager-startupapicheck:$(cert_manager_version)@sha256:35d35b325b980cc702324e52b443cc7eb1df7211ce4e8e91d96da4eff4b6c894
diff --git a/make/_shared/oci-build/image_tool/append_layers.go b/make/_shared/oci-build/image_tool/append_layers.go
index 04528292..3592c11c 100644
--- a/make/_shared/oci-build/image_tool/append_layers.go
+++ b/make/_shared/oci-build/image_tool/append_layers.go
@@ -30,6 +30,7 @@ import (
 "github.com/google/go-containerregistry/pkg/v1/match"
 "github.com/google/go-containerregistry/pkg/v1/mutate"
 "github.com/google/go-containerregistry/pkg/v1/tarball"
+ "github.com/google/go-containerregistry/pkg/v1/types"
 "github.com/spf13/cobra"
 )
@@ -45,16 +46,33 @@ var CommandAppendLayers = cobra.Command{
 return
 }
+ path, err := layout.FromPath(oci)
+ must("could not load oci directory", err)
+
+ index, err := path.ImageIndex()
+ must("could not load oci image index", err)
+
+ indexMediaType, err := index.MediaType()
+ must("could not get image index media type", err)
+
+ layerType := types.DockerLayer
+ if indexMediaType == types.OCIImageIndex {
+ layerType = types.OCILayer
+ }
+
 layers := []v1.Layer{}
 for _, path := range extra {
- layers = append(layers, loadLayerFromDirOrTarball(path))
+ layers = append(layers, loadLayerFromDirOrTarball(path, layerType))
 }
- appendLayersToAllImages(oci, layers...)
+ index = appendLayersToImageIndex(index, layers)
+
+ _, err = layout.Write(oci, index)
+ must("could not write image", err)
 },
 }
-func loadLayerFromDirOrTarball(path string) v1.Layer {
+func loadLayerFromDirOrTarball(path string, mediaType types.MediaType) v1.Layer {
 stat, err := os.Stat(path)
 must("could not open directory or tarball", err)
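Review bot: `layerType` is derived once from the top-level index media type, but the layers built with it are appended to every image reached through `appendLayersToImageIndex`, including images inside nested indexes; if a child manifest uses the other format, the result would presumably mix Docker and OCI media types in one image. Either state the assumption next to the `if`, for example `// all manifests in this layout are assumed to use the same format as the top-level index`, or choose the layer type per image from that image's own media type. Separately, the loop variable in `for _, path := range extra` now shadows the `path` returned by `layout.FromPath(oci)`; renaming the layout value (for example `ociLayout`) keeps the two apart. The enclosing Run closure starts above this hunk.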
@@ -102,31 +120,24 @@ func loadLayerFromDirOrTarball(path string) v1.Layer {
 byts := buf.Bytes()
- layer, err = tarball.LayerFromOpener(func() (io.ReadCloser, error) {
- return io.NopCloser(bytes.NewReader(byts)), nil
- })
+ layer, err = tarball.LayerFromOpener(
+ func() (io.ReadCloser, error) {
+ return io.NopCloser(bytes.NewReader(byts)), nil
+ },
+ tarball.WithMediaType(mediaType),
+ )
 } else {
- layer, err = tarball.LayerFromFile(path)
+ layer, err = tarball.LayerFromFile(
+ path,
+ tarball.WithMediaType(mediaType),
+ )
 }
 must("could not open directory or tarball", err)
 return layer
 }
-func appendLayersToAllImages(oci string, layers ...v1.Layer) {
- path, err := layout.FromPath(oci)
- must("could not load oci directory", err)
-
- index, err := path.ImageIndex()
- must("could not load oci image index", err)
-
- index = appendLayersToImageIndex(index, layers)
-
- _, err = layout.Write(oci, index)
- must("could not write image", err)
-}
-
 func appendLayersToImageIndex(index v1.ImageIndex, layers []v1.Layer) v1.ImageIndex {
 manifest, err := index.IndexManifest()
 must("could not load oci image manifest", err)
@@ -145,11 +156,15 @@ func appendLayersToImageIndex(index v1.ImageIndex, layers []v1.Layer) v1.ImageIn
 digest, err := img.Digest()
 must("could not get image digest", err)
+ size, err := img.Size()
+ must("could not get image size", err)
+
 slog.Info("appended layers to image", "old_digest", descriptor.Digest, "digest", digest, "platform", descriptor.Platform)
 index = mutate.RemoveManifests(index, match.Digests(descriptor.Digest))
 descriptor.Digest = digest
+ descriptor.Size = size
 index = mutate.AppendManifests(index, mutate.IndexAddendum{
 Add: img,
 Descriptor: descriptor,
@@ -159,16 +174,20 @@ func appendLayersToImageIndex(index v1.ImageIndex, layers []v1.Layer) v1.ImageIn
 slog.Info("found image index", "digest", descriptor.Digest)
 child, err := index.ImageIndex(descriptor.Digest)
- must("could not load oci image manifest", err)
+ must("could not load oci index manifest", err)
 child = appendLayersToImageIndex(child, layers)
 digest, err := child.Digest()
- must("could not get image digest", err)
+ must("could not get index digest", err)
+
+ size, err := child.Size()
+ must("could not get index size", err)
 index = mutate.RemoveManifests(index, match.Digests(descriptor.Digest))
 descriptor.Digest = digest
+ descriptor.Size = size
 index = mutate.AppendManifests(index, mutate.IndexAddendum{
 Add: child,
 Descriptor: descriptor,
diff --git a/make/_shared/oci-publish/01_mod.mk b/make/_shared/oci-publish/01_mod.mk
index 3294770b..348490c9 100644
--- a/make/_shared/oci-publish/01_mod.mk
+++ b/make/_shared/oci-publish/01_mod.mk
@@ -19,8 +19,8 @@ sanitize_target = $(subst :,-,$1)
 registry_for = $(firstword $(subst /, ,$1))
 # Utility variables
-current_makefile = $(lastword $(MAKEFILE_LIST))
-current_makefile_directory = $(dir $(current_makefile))
+current_makefile_directory := $(dir $(lastword $(MAKEFILE_LIST)))
+image_exists_script := $(current_makefile_directory)/image-exists.sh
 # Validate globals that are required
 $(call fatal_if_undefined,bin_dir)
@@ -78,10 +78,10 @@ $(call sanitize_target,oci-push-$2): oci-build-$1 | $(NEEDS_CRANE)
 .PHONY: $(call sanitize_target,oci-maybe-push-$2)
 $(call sanitize_target,oci-maybe-push-$2): oci-build-$1 | $(NEEDS_CRANE)
- $$(CRANE) $(crane_flags_$1) manifest $2:$(call oci_image_tag_for,$1) > /dev/null 2>&1 || (\
- $$(CRANE) $(crane_flags_$1) push "$(oci_layout_path_$1)" "$2:$(call oci_image_tag_for,$1)" && \
- $(if $(filter true,$(oci_sign_on_push_$1)),$(MAKE) $(call sanitize_target,oci-sign-$2)) \
- )
+ CRANE="$$(CRANE) $(crane_flags_$1)" \
+ source $(image_exists_script) $2:$(call oci_image_tag_for,$1); \
+ $$(CRANE) $(crane_flags_$1) push "$(oci_layout_path_$1)" "$2:$(call oci_image_tag_for,$1)"; \
+ $(if $(filter true,$(oci_sign_on_push_$1)),$(MAKE) $(call sanitize_target,oci-sign-$2))
 oci-push-$1: $(call sanitize_target,oci-push-$2)
 oci-maybe-push-$1: $(call sanitize_target,oci-maybe-push-$2)
diff --git a/make/_shared/oci-publish/image-exists.sh b/make/_shared/oci-publish/image-exists.sh
new file mode 100755
index 00000000..9ecbb61a
--- /dev/null
+++ b/make/_shared/oci-publish/image-exists.sh
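Review bot: The push and sign commands in the new `oci-maybe-push` recipe are joined with `;`, so a failed `crane push` stops the recipe only because the sourced image-exists.sh happens to run `set -o errexit` in the recipe shell; that coupling is implicit, and `source` also needs the recipe shell to be bash (presumably set elsewhere in these modules, not visible in this hunk). I would chain explicitly so signing can never follow a failed push: end the push line with `&& \` and write the sign step as `$(if $(filter true,$(oci_sign_on_push_$1)),$(MAKE) $(call sanitize_target,oci-sign-$2),true)`. A comment above the recipe such as `# image-exists.sh is sourced: its "exit 0" ends this shell and skips the push when the tag already exists` would explain why the script is sourced rather than executed. The rule sits inside a template that starts and ends outside the hunk.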
@@ -0,0 +1,70 @@
+#!/usr/bin/env bash
+
+# Copyright 2022 The cert-manager Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+# This script checks if a given image exists in the upstream registry, and if it
+# does, whether it contains all the expected architectures.
+
+crane=${CRANE:-}
+
+FULL_IMAGE=${1:-}
+
+function print_usage() {
+ echo "usage: $0 [commands...]"
+}
+
+if [[ -z $FULL_IMAGE ]]; then
+ print_usage
+ echo "Missing full-image"
+ exit 1
+fi
+
+if [[ -z $crane ]]; then
+ echo "CRANE environment variable must be set to the path of the crane binary"
+ exit 1
+fi
+
+shift 1
+
+manifest=$(mktemp)
+trap 'rm -f "$manifest"' EXIT SIGINT
+
+manifest_error=$(mktemp)
+trap 'rm -f "$manifest_error"' EXIT SIGINT
+
+echo "+++ searching for $FULL_IMAGE in upstream registry"
+
+set +o errexit
+$crane manifest "$FULL_IMAGE" > "$manifest" 2> "$manifest_error"
+exit_code=$?
+set -o errexit
+
+manifest_error_data=$(cat "$manifest_error")
+if [[ $exit_code -eq 0 ]]; then
+ echo "+++ upstream registry appears to contain $FULL_IMAGE, exiting"
+ exit 0
+
+elif [[ "$manifest_error_data" == *"MANIFEST_UNKNOWN"* ]]; then
+ echo "+++ upstream registry does not contain $FULL_IMAGE, will build and push"
+ # fall through to run the commands passed to this script
+
+else
+ echo "FATAL: upstream registry returned an unexpected error: $manifest_error_data, exiting"
+ exit 1
+fi
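Review bot: The second `trap ... EXIT SIGINT` replaces the first, so the `$manifest` temp file is never removed; bash keeps a single handler per signal. Register one handler once both files exist, `trap 'rm -f "$manifest" "$manifest_error"' EXIT SIGINT`. The header comment promises an architecture check and the `MANIFEST_UNKNOWN` branch talks about running the commands passed to the script, but the script does neither (it ends at `fi`), so those comments should be trimmed to what it actually does. Matching only the `MANIFEST_UNKNOWN` string in stderr may also send a first push to a repository that does not exist yet into the FATAL branch if the registry reports a different error code; that is worth confirming against the registries in use.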
diff --git a/make/_shared/repository-base/base/OWNERS_ALIASES b/make/_shared/repository-base/base/OWNERS_ALIASES
index 6d51f05b..10d1279a 100644
--- a/make/_shared/repository-base/base/OWNERS_ALIASES
+++ b/make/_shared/repository-base/base/OWNERS_ALIASES
@@ -11,3 +11,4 @@ aliases:
 - irbekrm
 - sgtcodfish
 - inteon
+ - thatsmrtalbot
diff --git a/make/_shared/tools/00_mod.mk b/make/_shared/tools/00_mod.mk
index 295b1617..6807190b 100644
--- a/make/_shared/tools/00_mod.mk
+++ b/make/_shared/tools/00_mod.mk
@@ -126,8 +126,10 @@ tools += operator-sdk=v1.34.1
 tools += gh=v2.49.0
 # https:///github.com/redhat-openshift-ecosystem/openshift-preflight/releases
 tools += preflight=1.9.2
-# https://github.com/daixiang0/gci/releases/
+# https://github.com/daixiang0/gci/releases
 tools += gci=v0.13.4
+# https://github.com/google/yamlfmt/releases
+tools += yamlfmt=v0.12.1
 # https://pkg.go.dev/k8s.io/code-generator/cmd?tab=versions
 K8S_CODEGEN_VERSION := v0.29.3
@@ -150,7 +152,7 @@ ADDITIONAL_TOOLS ?=
 tools += $(ADDITIONAL_TOOLS)
 # https://go.dev/dl/
-VENDORED_GO_VERSION := 1.22.2
+VENDORED_GO_VERSION := 1.22.3
 # Print the go version which can be used in GH actions
 .PHONY: print-go-version
@@ -326,6 +328,7 @@ go_dependencies += govulncheck=golang.org/x/vuln/cmd/govulncheck
 go_dependencies += operator-sdk=github.com/operator-framework/operator-sdk/cmd/operator-sdk
 go_dependencies += gh=github.com/cli/cli/v2/cmd/gh
 go_dependencies += gci=github.com/daixiang0/gci
+go_dependencies += yamlfmt=github.com/google/yamlfmt/cmd/yamlfmt
 #################
 # go build tags #
@@ -359,10 +362,10 @@ $(call for_each_kv,go_dependency,$(go_dependencies))
 # File downloads #
 ##################
-go_linux_amd64_SHA256SUM=5901c52b7a78002aeff14a21f93e0f064f74ce1360fce51c6ee68cd471216a17
-go_linux_arm64_SHA256SUM=36e720b2d564980c162a48c7e97da2e407dfcc4239e1e58d98082dfa2486a0c1
-go_darwin_amd64_SHA256SUM=33e7f63077b1c5bce4f1ecadd4d990cf229667c40bfb00686990c950911b7ab7
-go_darwin_arm64_SHA256SUM=660298be38648723e783ba0398e90431de1cb288c637880cdb124f39bd977f0d
+go_linux_amd64_SHA256SUM=8920ea521bad8f6b7bc377b4824982e011c19af27df88a815e3586ea895f1b36
+go_linux_arm64_SHA256SUM=6c33e52a5b26e7aa021b94475587fce80043a727a54ceb0eee2f9fc160646434
+go_darwin_amd64_SHA256SUM=610e48c1df4d2f852de8bc2e7fd2dc1521aac216f0c0026625db12f67f192024
+go_darwin_arm64_SHA256SUM=02abeab3f4b8981232237ebd88f0a9bad933bc9621791cd7720a9ca29eacbe9d
 .PRECIOUS: $(DOWNLOAD_DIR)/tools/go@$(VENDORED_GO_VERSION)_$(HOST_OS)_$(HOST_ARCH).tar.gz
 $(DOWNLOAD_DIR)/tools/go@$(VENDORED_GO_VERSION)_$(HOST_OS)_$(HOST_ARCH).tar.gz: | $(DOWNLOAD_DIR)/tools
@@ -615,6 +618,12 @@ tools: $(tools_paths)
 self_file := $(dir $(lastword $(MAKEFILE_LIST)))/00_mod.mk
+# see https://stackoverflow.com/a/53408233
+sed_inplace := sed -i''
+ifeq ($(HOST_OS),darwin)
+ sed_inplace := sed -i ''
+endif
+
 # This target is used to learn the sha256sum of the tools. It is used only
 # in the makefile-modules repo, and should not be used in any other repo.
 .PHONY: tools-learn-sha
@@ -635,5 +644,5 @@ tools-learn-sha: | $(bin_dir)
 HOST_OS=darwin HOST_ARCH=arm64 $(MAKE) vendor-go
 while read p; do \
- sed -i "$$p" $(self_file); \
+ $(sed_inplace) "$$p" $(self_file); \
 done <"$(LEARN_FILE)"
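Review bot: In the `sed_inplace` hunk, `sed -i''` reaches sed as plain `sed -i` once the shell removes the empty quotes, so the default branch reads as if it passed an empty suffix when it does not. A comment stating the real difference would make the two branches understandable without following the link, for example `# GNU sed takes an optional suffix attached to -i; BSD sed (macOS) requires a separate, possibly empty, suffix argument`. The choice is keyed on `HOST_OS` rather than on the sed implementation, so a darwin host with GNU sed first in `PATH` would presumably treat `''` as the script and fail; if that setup is unsupported, the comment is the place to say so.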