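# Makefile.docker contains the shared tasks for building, tagging, pushing, archiving and
# signing Docker images. It is included by the Makefiles that live next to the Dockerfiles
# (e.g. kafka-base, kafka-statefulsets, ...).
#
# Image naming and tooling knobs (all overridable from the environment / command line):
#   DOCKER_REGISTRY         registry the image is pushed to (default quay.io)
#   DOCKER_ORG              organisation / namespace in that registry (default: current user)
#   DOCKER_TAG              tag of the pushed image (based on the Git tag, default latest)
#   BUILD_TAG               tag of the local strimzi/<project> build image (default latest)
#   DOCKER_VERSION_ARG      value passed to the build as --build-arg version= (default $(VERSION))
#   DOCKER_CMD              container CLI used by every task (default docker)
#   DOCKER_ARCHITECTURE     when set, builds for linux/<arch> and suffixes the tags with -<arch>
#   MANIFEST_ARCHITECTURES  comma or space separated list merged by docker_amend_manifest
#   DOCKERFILE_DIR          directory holding the Dockerfile (default ./)
#
# Expected from the including Makefile / CI environment: PROJECT_NAME, KAFKA_VERSION,
# KAFKA_VERSIONS, ACTUAL_KAFKA_VERSION, BUILD_ALL_KAFKA_VERSIONS, DOCKER_BUILDX (optional
# sub-command inserted between $(DOCKER_CMD) and build), BUILD_ID, BUILD_COMMIT, VERSION.

# ':=' pins the directory of this file at the moment it is included. With a recursive '='
# the expression would be re-evaluated on every use against whatever MAKEFILE_LIST holds by
# then (e.g. a makefile included later), and ARCHIVE_DIR/SBOM_DIR would silently move.
TOPDIR := $(dir $(lastword $(MAKEFILE_LIST)))
ARCHIVE_DIR := $(TOPDIR)docker-images/container-archives
SBOM_DIR := $(TOPDIR)sbom
DOCKERFILE_DIR ?= ./
DOCKER_REGISTRY ?= quay.io
DOCKER_ORG ?= $(USER)
DOCKER_TAG ?= latest
BUILD_TAG ?= latest
DOCKER_VERSION_ARG ?= $(VERSION)
DOCKER_CMD ?= docker
# Architecture-specific builds get a --platform flag and a -<arch> tag suffix; both stay
# empty for a plain single-platform build.
ifdef DOCKER_ARCHITECTURE
DOCKER_PLATFORM := --platform linux/$(DOCKER_ARCHITECTURE)
DOCKER_PLATFORM_TAG_SUFFIX := -$(DOCKER_ARCHITECTURE)
endif
MANIFEST_ARCHITECTURES ?= $(DOCKER_ARCHITECTURE)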
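# Default goal: build the image(s) and push them to $(DOCKER_REGISTRY).
# Declared phony so that a stray file named 'all' cannot make it look up to date.
.PHONY: all
all: docker_build docker_push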
.PHONY: docker_build docker_build_goal
# Builds the image for every configured Kafka version (dispatch via execute_docker_goal).
docker_build:
	$(MAKE) goal=docker_build_goal execute_docker_goal

# Builds strimzi/<project>:<build tag>[-<arch>] from $(DOCKERFILE_DIR)/Dockerfile for a
# single Kafka version; the build context is the current directory. The version and the
# Kafka version are handed to the Dockerfile as build arguments.
docker_build_goal:
	@echo "Building Docker image for Kafka version $(KAFKA_VERSION)..."
	$(DOCKER_CMD) $(DOCKER_BUILDX) build $(DOCKER_PLATFORM) \
		--build-arg version=$(DOCKER_VERSION_ARG) \
		--build-arg kafkaVersion=$(KAFKA_VERSION) \
		-t strimzi/$(PROJECT_NAME):$(BUILD_TAG)$(DOCKER_PLATFORM_TAG_SUFFIX) \
		-f $(DOCKERFILE_DIR)/Dockerfile .
.PHONY: docker_tag docker_tag_goal
# Tags the local build image with its registry name for every configured Kafka version.
docker_tag:
	$(MAKE) goal=docker_tag_goal execute_docker_goal

# Re-tags strimzi/<project>:<build tag>[-<arch>] as <registry>/<org>/<project>:<tag>[-<arch>]
# so that docker_push can push it. The echo is deliberately not silenced.
docker_tag_goal:
	echo "Tagging strimzi/$(PROJECT_NAME):$(BUILD_TAG)$(DOCKER_PLATFORM_TAG_SUFFIX) to $(DOCKER_REGISTRY)/$(DOCKER_ORG)/$(PROJECT_NAME):$(DOCKER_TAG)$(DOCKER_PLATFORM_TAG_SUFFIX) ..."
	$(DOCKER_CMD) tag \
		strimzi/$(PROJECT_NAME):$(BUILD_TAG)$(DOCKER_PLATFORM_TAG_SUFFIX) \
		$(DOCKER_REGISTRY)/$(DOCKER_ORG)/$(PROJECT_NAME):$(DOCKER_TAG)$(DOCKER_PLATFORM_TAG_SUFFIX)
.PHONY: docker_push docker_push_goal
# Pushes the tagged image for every configured Kafka version.
docker_push:
	$(MAKE) goal=docker_push_goal execute_docker_goal

# Pushes <registry>/<org>/<project>:<tag>[-<arch>] (created by docker_tag). The push is by
# tag; docker_gha_sign_manifest later resolves the pushed digest and signs that digest.
docker_push_goal:
	echo "Pushing $(DOCKER_REGISTRY)/$(DOCKER_ORG)/$(PROJECT_NAME):$(DOCKER_TAG)$(DOCKER_PLATFORM_TAG_SUFFIX) ..."
	$(DOCKER_CMD) push \
		$(DOCKER_REGISTRY)/$(DOCKER_ORG)/$(PROJECT_NAME):$(DOCKER_TAG)$(DOCKER_PLATFORM_TAG_SUFFIX)
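.PHONY: docker_amend_manifest docker_amend_manifest_goal
# Creates the multi-platform manifest for every configured Kafka version.
docker_amend_manifest:
	$(MAKE) execute_docker_goal goal=docker_amend_manifest_goal

# Builds <registry>/<org>/<project>:<tag> as a manifest list from the already pushed
# per-architecture images <tag>-<arch>, one for each entry of MANIFEST_ARCHITECTURES
# (comma or space separated). The sources are referenced by tag, so they are resolved by
# the registry at create time. An empty architecture list is rejected up front instead of
# letting buildx fail on a manifest with no sources.
docker_amend_manifest_goal:
	test -n "$(strip $(MANIFEST_ARCHITECTURES))" || { echo "MANIFEST_ARCHITECTURES is empty, nothing to merge into a manifest" >&2; exit 1; }
	sources="" ; \
	for arch in $$(echo "$(MANIFEST_ARCHITECTURES)" | tr ',' ' '); do \
		sources="$$sources $(DOCKER_REGISTRY)/$(DOCKER_ORG)/$(PROJECT_NAME):$(DOCKER_TAG)-$$arch" ; \
	done ; \
	$(DOCKER_CMD) buildx imagetools create -t $(DOCKER_REGISTRY)/$(DOCKER_ORG)/$(PROJECT_NAME):$(DOCKER_TAG) $$sources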
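.PHONY: docker_save docker_save_goal
# Archives the local build image for every configured Kafka version.
docker_save:
	$(MAKE) execute_docker_goal goal=docker_save_goal

# Saves strimzi/<project>:<build tag>[-<arch>] as
# $(ARCHIVE_DIR)/<project>-<build tag>[-<arch>].tar.gz.
# The image is written to an uncompressed .tar first and gzip'ed afterwards: in a
# 'save | gzip > file' pipeline the shell reports gzip's exit status, so a failing
# 'docker save' produced a truncated archive that looked complete. A failed save now
# removes its partial .tar and fails the target.
docker_save_goal:
	mkdir -p $(ARCHIVE_DIR)
	archive=$(ARCHIVE_DIR)/$(PROJECT_NAME)-$(BUILD_TAG)$(DOCKER_PLATFORM_TAG_SUFFIX).tar ; \
	$(DOCKER_CMD) save $(DOCKER_PLATFORM) strimzi/$(PROJECT_NAME):$(BUILD_TAG)$(DOCKER_PLATFORM_TAG_SUFFIX) > "$$archive" || { rm -f "$$archive"; exit 1; } ; \
	gzip -f "$$archive"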
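.PHONY: docker_load docker_load_goal
# Loads the archived image for every configured Kafka version.
docker_load:
	$(MAKE) execute_docker_goal goal=docker_load_goal

# Loads $(ARCHIVE_DIR)/<project>-<build tag>[-<arch>].tar.gz (written by docker_save) into
# the local daemon. Uses $(DOCKER_CMD) like every other task instead of a hard-coded
# 'docker', so an overridden CLI is honoured here as well.
docker_load_goal:
	$(DOCKER_CMD) load < $(ARCHIVE_DIR)/$(PROJECT_NAME)-$(BUILD_TAG)$(DOCKER_PLATFORM_TAG_SUFFIX).tar.gz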
.PHONY: docker_delete_archive docker_delete_archive_goal
# Removes the image archive for every configured Kafka version.
docker_delete_archive:
	$(MAKE) goal=docker_delete_archive_goal execute_docker_goal

# Removes $(ARCHIVE_DIR)/<project>-<build tag>[-<arch>].tar.gz as written by docker_save.
# Plain 'rm' on purpose: a missing archive is an error, not a no-op.
docker_delete_archive_goal:
	# Deletes the archive
	archive=$(ARCHIVE_DIR)/$(PROJECT_NAME)-$(BUILD_TAG)$(DOCKER_PLATFORM_TAG_SUFFIX).tar.gz ; \
	rm "$$archive"
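.PHONY: docker_gha_sign_manifest docker_gha_sign_manifest_goal
# Signs the pushed manifest for every configured Kafka version.
docker_gha_sign_manifest:
	$(MAKE) execute_docker_goal goal=docker_gha_sign_manifest_goal

# Signs the multi-platform manifest <registry>/<org>/<project>:<tag> and, via --recursive,
# the images it references, using cosign keyless signing (GitHub OIDC).
# The digest is resolved once in the recipe shell (with $(DOCKER_CMD) rather than a
# hard-coded 'docker') and checked to be non-empty, so the signature is bound to the exact
# manifest that was pushed and never to an empty '@' reference.
# 'cosign clean' removes existing signatures before re-signing; its failure is ignored,
# presumably because there is nothing to clean on a first run.
docker_gha_sign_manifest_goal:
	MANIFEST_DIGEST="$$($(DOCKER_CMD) buildx imagetools inspect $(DOCKER_REGISTRY)/$(DOCKER_ORG)/$(PROJECT_NAME):$(DOCKER_TAG) --format '{{ json . }}' | jq -r .manifest.digest)"; \
	case "$$MANIFEST_DIGEST" in ""|null) echo "Unable to resolve the manifest digest of $(DOCKER_REGISTRY)/$(DOCKER_ORG)/$(PROJECT_NAME):$(DOCKER_TAG)" >&2; exit 1;; esac; \
	cosign clean -f --type signature $(DOCKER_REGISTRY)/$(DOCKER_ORG)/$(PROJECT_NAME)@$$MANIFEST_DIGEST || true; \
	cosign sign --yes --recursive --timeout 6m0s -a author=StrimziCI -a BuildID=$(BUILD_ID) -a Commit=$(BUILD_COMMIT) $(DOCKER_REGISTRY)/$(DOCKER_ORG)/$(PROJECT_NAME)@$$MANIFEST_DIGEST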
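.PHONY: docker_gha_sbom docker_gha_sbom_goal
# Generates and signs the SBOM for every configured Kafka version.
docker_gha_sbom:
	$(MAKE) execute_docker_goal goal=docker_gha_sbom_goal

# Generates the SBOM of <registry>/<org>/<project>:<tag>[-<arch>] in text (syft-table) and
# SPDX JSON form and signs both files with cosign keyless signing. Output lands in
# $(SBOM_DIR)/<registry>/<org>/<project>/<tag>/<digest>.{txt,json} plus the
# matching <name>.bundle signature bundles.
# The digest is resolved once (instead of five separate inspect calls) and checked to be
# non-empty; syft scans the image by '@digest', so the scanned artifact is exactly the one
# whose digest names the files. The full output directory is created up front so that
# neither syft nor cosign has to create parent directories.
docker_gha_sbom_goal:
	MANIFEST_DIGEST="$$($(DOCKER_CMD) buildx imagetools inspect $(DOCKER_REGISTRY)/$(DOCKER_ORG)/$(PROJECT_NAME):$(DOCKER_TAG)$(DOCKER_PLATFORM_TAG_SUFFIX) --format '{{ json . }}' | jq -r .manifest.digest)"; \
	case "$$MANIFEST_DIGEST" in ""|null) echo "Unable to resolve the manifest digest of $(DOCKER_REGISTRY)/$(DOCKER_ORG)/$(PROJECT_NAME):$(DOCKER_TAG)$(DOCKER_PLATFORM_TAG_SUFFIX)" >&2; exit 1;; esac; \
	sbom_out="$(SBOM_DIR)/$(DOCKER_REGISTRY)/$(DOCKER_ORG)/$(PROJECT_NAME)/$(DOCKER_TAG)"; \
	mkdir -p "$$sbom_out"; \
	syft packages $(DOCKER_REGISTRY)/$(DOCKER_ORG)/$(PROJECT_NAME)@$$MANIFEST_DIGEST --output syft-table --file "$$sbom_out/$$MANIFEST_DIGEST.txt"; \
	syft packages $(DOCKER_REGISTRY)/$(DOCKER_ORG)/$(PROJECT_NAME)@$$MANIFEST_DIGEST --output spdx-json --file "$$sbom_out/$$MANIFEST_DIGEST.json"; \
	cosign sign-blob --yes --bundle "$$sbom_out/$$MANIFEST_DIGEST.txt.bundle" "$$sbom_out/$$MANIFEST_DIGEST.txt"; \
	cosign sign-blob --yes --bundle "$$sbom_out/$$MANIFEST_DIGEST.json.bundle" "$$sbom_out/$$MANIFEST_DIGEST.json"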
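.PHONY: docker_gha_push_sbom docker_gha_push_sbom_goal
# Attaches and signs the SBOM in the registry for every configured Kafka version.
docker_gha_push_sbom:
	$(MAKE) execute_docker_goal goal=docker_gha_push_sbom_goal

# Attaches the SPDX JSON SBOM written by docker_gha_sbom to the image in the registry and
# signs the attachment with cosign keyless signing. The digest is resolved once (instead of
# twice) and checked to be non-empty; both the attach and the sign step address the image
# by '@digest', so the SBOM cannot end up on a different image than the one it describes
# should the tag move between the two commands.
docker_gha_push_sbom_goal:
	MANIFEST_DIGEST="$$($(DOCKER_CMD) buildx imagetools inspect $(DOCKER_REGISTRY)/$(DOCKER_ORG)/$(PROJECT_NAME):$(DOCKER_TAG)$(DOCKER_PLATFORM_TAG_SUFFIX) --format '{{ json . }}' | jq -r .manifest.digest)"; \
	case "$$MANIFEST_DIGEST" in ""|null) echo "Unable to resolve the manifest digest of $(DOCKER_REGISTRY)/$(DOCKER_ORG)/$(PROJECT_NAME):$(DOCKER_TAG)$(DOCKER_PLATFORM_TAG_SUFFIX)" >&2; exit 1;; esac; \
	cosign attach sbom --sbom $(SBOM_DIR)/$(DOCKER_REGISTRY)/$(DOCKER_ORG)/$(PROJECT_NAME)/$(DOCKER_TAG)/$$MANIFEST_DIGEST.json $(DOCKER_REGISTRY)/$(DOCKER_ORG)/$(PROJECT_NAME)@$$MANIFEST_DIGEST; \
	cosign sign --yes -a author=StrimziCI -a BuildID=$(BUILD_ID) -a Commit=$(BUILD_COMMIT) --attachment sbom $(DOCKER_REGISTRY)/$(DOCKER_ORG)/$(PROJECT_NAME)@$$MANIFEST_DIGEST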
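.PHONY: execute_docker_goal
# Runs the goal named by $(goal) once per Kafka version, so the per-version loop lives in
# one place instead of being copied into every task.
#   BUILD_ALL_KAFKA_VERSIONS=true  loop over KAFKA_VERSIONS; each run gets KAFKA_VERSION
#                                  and '-kafka-<version>' suffixed DOCKER_TAG / BUILD_TAG
#   otherwise                      a single run with KAFKA_VERSION=ACTUAL_KAFKA_VERSION
# The branch is chosen by a make-time conditional (the 'ifeq' must stay at column 0).
# A failing sub-make now fails the loop immediately; before, a failure for any version but
# the last one was lost because the 'for' loop's exit status was that of its final iteration.
execute_docker_goal:
	@test -n "$(goal)" || { echo "execute_docker_goal: variable 'goal' is not set" >&2; exit 1; }
ifeq ($(BUILD_ALL_KAFKA_VERSIONS),true)
	@echo "Executing '$(goal)' for all Kafka versions"
	@for version in $(KAFKA_VERSIONS); do \
		$(MAKE) $(goal) KAFKA_VERSION=$$version DOCKER_TAG=$(DOCKER_TAG)-kafka-$$version BUILD_TAG=$(BUILD_TAG)-kafka-$$version || exit 1; \
	done
else
	@echo "Executing '$(goal)' for single Kafka version: $(ACTUAL_KAFKA_VERSION)"
	$(MAKE) $(goal) KAFKA_VERSION=$(ACTUAL_KAFKA_VERSION)
endif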