feat: NVSHAS-9501 support SLSA L3 #27
Conversation
holyspectral
commented
Oct 8, 2024
holyspectral
commented
- Move the Jenkins build to GHA as dev.yml and dev-arm64.yml
- Provide release.yml as SLSA-compliant release build.
|
From a quick look:
|
To make this feature work, add below secrets and variables to the repo: 1. DOCKER_REPO secret 2. DOCKER_USERNAME secret 3. DOCKER_PASSWORD secret 4. PRIME_REGISTRY secret 5. PRIME_REPO secret 6. PRIME_REGISTRY_USERNAME secret 7. PRIME_REGISTRY_PASSWORD secret 8. DEV_BUILD_REPOSITORY variable
|
@flavio Thanks for the comment!
Yes I agree that will be much simple in the code level if we merge them into one file. There are two reasons why it's separate right now:
I will revisit this once we setup GitHub-hosted ARM64 runners in neuvector, which should speed up the ARM64 build. Also, according to GitHub blog,
Oops, it's fixed now. Thanks for noticing it. |
|
|
||
| RUN cd /usr/bin/ && rm -rf basename chcon chgrp chmod chown chroot cksum dd df dircolors dirname du install install-info join locale localedef mkdir mkfifo mknod mktemp paste pathchk readlink realpath sync smidiff smidump smilink smiquery smistrip smixlate tee tiemout tload top truncate unlink watch | ||
|
|
||
| LABEL name="registry-adapter" \ |
There was a problem hiding this comment.
Please note that by using BCI images, you may need to overwrite some specific labels, or you will end-up with labels from the base image instead. Here's more context.
There was a problem hiding this comment.
Thanks. It's very good to know.
| RUN cd /usr/bin/ && rm -rf basename chcon chgrp chmod chown chroot cksum dd df dircolors dirname du install install-info join locale localedef mkdir mkfifo mknod mktemp paste pathchk readlink realpath sync smidiff smidump smilink smiquery smistrip smixlate tee tiemout tload top truncate unlink watch | ||
|
|
||
| LABEL name="registry-adapter" \ | ||
| vendor="SuSE Security" \ |
There was a problem hiding this comment.
Should this not be all capitals these days?
| vendor="SuSE Security" \ | |
| vendor="SUSE Security" \ |
| FROM neuvector/adapter_base:${BASE_IMAGE_TAG} | ||
| # | ||
| # Builder image | ||
| FROM registry.suse.com/bci/golang:1.22.7 AS builder |
There was a problem hiding this comment.
Either lean on a higher level mutable tag, or add renovate/updatecli to ensure this is being kept up to date.
| FROM registry.suse.com/bci/golang:1.22.7 AS builder | |
| FROM registry.suse.com/bci/golang:1.22 AS builder |
There was a problem hiding this comment.
@jayhuang-suse any concern about this? I don't think Golang would bring breaking changes in minor update, so I'm okay with using 1.22.
| COPY --from=base /chroot/ / | ||
| COPY --from=builder /src/stage / | ||
|
|
||
| RUN cd /usr/bin/ && rm -rf basename chcon chgrp chmod chown chroot cksum dd df dircolors dirname du install install-info join locale localedef mkdir mkfifo mknod mktemp paste pathchk readlink realpath sync smidiff smidump smilink smiquery smistrip smixlate tee tiemout tload top truncate unlink watch |
There was a problem hiding this comment.
This creates a new layer on the final image, so although the binaries won't be shipped, they would already be present on higher layers which translate in little to no gains in final image size. An alternative here, is to do this on an intermediate layer, and just copy that over to a final scratch image.
There was a problem hiding this comment.
yeah this is the code that the current pipeline has. I will check to see if we should do it with SLSA scope or later. Thanks for letting us know!
| ifneq ($(DRONE_TAG),) | ||
| GIT_TAG = $(DRONE_TAG) |
There was a problem hiding this comment.
| ifneq ($(DRONE_TAG),) | |
| GIT_TAG = $(DRONE_TAG) | |
| ifneq ($(GITHUB_TAG),) | |
| GIT_TAG = $(GITHUB_TAG) |
| DIRTY = -dirty | ||
| endif | ||
|
|
||
| # Prioritise DRONE_TAG for backwards compatibility. However, the git tag |
There was a problem hiding this comment.
Assuming that we are leaning on GitHub level tags.
| # Prioritise DRONE_TAG for backwards compatibility. However, the git tag | |
| # Prioritise GITHUB_TAG for backwards compatibility. However, the git tag |
There was a problem hiding this comment.
The code comes from cis-operator and I think that's for DRONE only. I will remove this part.
| matrix: | ||
| include: | ||
| - platforms: linux/amd64,linux/arm64 |
There was a problem hiding this comment.
If a single multi-arch image is to be published, this is not needed.
| uses: rancher/ecm-distro-tools/actions/publish-image@master | ||
| with: | ||
| image: registry-adapter | ||
| tag: ${{ github.ref_name }}${{ matrix.tag-suffix }} |
There was a problem hiding this comment.
Same here:
| tag: ${{ github.ref_name }}${{ matrix.tag-suffix }} | |
| tag: ${{ github.ref_name }} |
|
I will be working on the PR a little more. Closing it for now to prevent spam. :-) |
