# syntax = docker.io/docker/dockerfile-upstream:1.4.2
# Build-time inputs shared by the whole file. Declared before the first FROM,
# so only FROM lines see them directly: FETCH_RESOURCES_IMAGE and
# PKG_SINK_SOURCE select the base of two stages further down, while
# OUT_DIR/IN_DIR are re-declared with a bare `ARG` inside every stage that
# uses them (the re-declaration picks up these defaults).
ARG FETCH_RESOURCES_IMAGE=scratch
ARG PKG_SINK_SOURCE
ARG OUT_DIR=/_out
ARG IN_DIR=/_in
FROM docker.io/library/golang:1.17.9-alpine3.15 as golang
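# Builds the mdrip binary (copied into the `tools` stage and used there to turn
# the example README into a runnable shell script). The module ref is pinned
# via MDRIP_GIT_REF so the build is reproducible.
FROM golang as mdrip-build
# --no-cache fetches a fresh index for this one install and leaves no apk
# cache files behind in the layer (the previous `-U` kept them).
RUN apk add --no-cache git
ARG MDRIP_GIT_REF=v1.0.2
RUN go install "github.com/monopole/mdrip@${MDRIP_GIT_REF}"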
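# Shared toolbox every build stage below derives from: git/curl/bash/jq plus the
# kpt, clusterctl, kubectl and kpt-fn-* binaries, and a `kpt` wrapper that lets
# `kpt fn render` run the kpt functions as local executables.
#
# Pinned to the same Alpine release the golang image above uses; a bare
# `alpine` resolves to :latest and makes rebuilds non-reproducible.
FROM docker.io/library/alpine:3.15 as tools
# --no-cache: no apk index/cache files are left in the layer.
RUN apk add --no-cache git curl bash jq
# The kpt, clusterctl, kubectl and kpt-fn-* sources are not defined in this
# file; presumably they are supplied as named build contexts (--build-context)
# at build time — confirm in the build invocation.
# The real kpt binary is installed as kpt-bin; the wrapper below takes its name.
COPY --link --from=kpt /usr/local/bin/kpt /usr/local/bin/kpt-bin
COPY --link --from=clusterctl /clusterctl /usr/local/bin/clusterctl
COPY --link --from=kubectl /opt/bitnami/kubectl/bin/kubectl /usr/local/bin/kubectl
# Each kpt function image ships its entrypoint as /usr/local/bin/function;
# they are renamed kpt-fn-<name> so the wrapper can map `gcr.io/kpt-fn/<name>`
# onto them by name.
COPY --link --from=kpt-fn-search-replace /usr/local/bin/function /usr/local/bin/kpt-fn-search-replace
COPY --link --from=kpt-fn-set-annotations /usr/local/bin/function /usr/local/bin/kpt-fn-set-annotations
COPY --link --from=kpt-fn-set-namespace /usr/local/bin/function /usr/local/bin/kpt-fn-set-namespace
COPY --link --from=kpt-fn-create-setters /usr/local/bin/function /usr/local/bin/kpt-fn-create-setters
COPY --link --from=kpt-fn-apply-setters /usr/local/bin/function /usr/local/bin/kpt-fn-apply-setters
COPY --link --from=kpt-fn-starlark /usr/local/bin/function /usr/local/bin/kpt-fn-starlark
COPY --link --from=kpt-fn-set-labels /usr/local/bin/function /usr/local/bin/kpt-fn-set-labels
COPY --link --from=kpt-fn-ensure-name-substring /usr/local/bin/function /usr/local/bin/kpt-fn-ensure-name-substring
COPY --link --from=kpt-fn-apply-replacements /usr/local/bin/function /usr/local/bin/kpt-fn-apply-replacements
COPY --link --from=kpt-fn-gatekeeper /usr/local/bin/function /usr/local/bin/kpt-fn-gatekeeper
COPY --link --from=mdrip-build /go/bin/mdrip /usr/local/bin/mdrip
# Wrapper installed as `kpt`. The delimiter is quoted so the Dockerfile does not
# expand the script's own `${...}` references.
COPY --link <<'eot' /usr/local/bin/kpt
#!/usr/bin/env bash
# kpt wrapper: for `kpt fn render <pkg>` it rewrites every
# `image: gcr.io/kpt-fn/<name>:<tag>` entry in the package's Kptfiles to
# `exec: /usr/local/bin/kpt-fn-<name>`, runs the real binary (kpt-bin), and then
# restores the original Kptfiles from the .bak copies. Every other invocation is
# passed straight through.
set -euxo pipefail
run_kpt() {
  /usr/local/bin/kpt-bin "${@}"
}
run_kpt_render() {
  # The package path is the last argument; when it was omitted (last argument
  # is the sub-command or the --allow-exec flag) kpt renders the working dir.
  pkg="${@: -1}"
  if [ "${pkg}" = "render" ] || [ "${pkg}" = "--allow-exec" ]; then
    pkg="${PWD}"
  fi
  for kptfile in $(/usr/bin/find "${pkg}" -type f -name Kptfile); do
    sed -i.bak -e 's|image: gcr.io/kpt-fn/\(.*\):.*|exec: /usr/local/bin/kpt-fn-\1|' "${kptfile}"
  done
  # `|| return_code=$?` keeps `set -e` from aborting on a failed render, so the
  # Kptfiles below are always restored and the real exit code still propagates.
  # (Previously a failure left the rewritten Kptfiles and .bak files behind.)
  return_code=0
  run_kpt "${@}" || return_code="${?}"
  for kptfile in $(/usr/bin/find "${pkg}" -type f -name Kptfile); do
    backup_file="${kptfile}.bak"
    rm "${kptfile}"
    mv "${backup_file}" "${kptfile}"
  done
  exit "${return_code}"
}
# Fewer than three arguments cannot be `fn render <pkg>`: pass through.
if [ "${#}" -lt "3" ]; then
  run_kpt "${@}"
  exit "${?}"
fi
if [ "${1}" = "fn" ] && [ "${2}" = "render" ]; then
  run_kpt_render "${@}"
fi
run_kpt "${@}"
eot
RUN chmod +x /usr/local/bin/kpt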
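# Downloads one asset from a GitHub release into OUT_DIR. All inputs are build
# args (non-secret, so their presence in the image history is acceptable).
FROM tools as fetch-github-release-file
ARG GITHUB_ORG
ARG GITHUB_REPO
ARG VERSION
ARG FILENAME
ARG OUT_DIR
ARG OUT_FILE=${OUT_DIR}/${FILENAME}
ARG URL="https://github.com/${GITHUB_ORG}/${GITHUB_REPO}/releases/download/${VERSION}/${FILENAME}"
# Optional expected sha256 of the asset. When set, the download is verified
# against it so a wrong or tampered release file fails the build instead of
# flowing into the generated manifests. Empty (the default) skips the check,
# which keeps existing build invocations working unchanged.
ARG SHA256=
# --fail: a 4xx/5xx response is an error rather than a saved error page;
# --create-dirs: OUT_DIR is created on demand.
RUN curl --fail --create-dirs -L -o "${OUT_FILE}" "${URL}" \
    && if [ -n "${SHA256}" ]; then echo "${SHA256}  ${OUT_FILE}" | sha256sum -c -; fi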
# Export stage: just the downloaded file(s), rooted at /, on an empty base.
FROM scratch as github-release-file
ARG OUT_DIR
COPY --link --from=fetch-github-release-file ${OUT_DIR} /
# Runs `clusterctl generate yaml` over the fetched release file(s). Provider
# variables come either inline (ENVIRONMENT_VARIABLES) or from a BuildKit
# secret mount, which never becomes part of a layer.
FROM tools as clusterctl-generate-yaml-build
# NOTE: a build arg is recorded in the build history/log; use it for
# non-sensitive KEY=VALUE lines only and put credentials in the secret mount.
ARG ENVIRONMENT_VARIABLES=
# Default matches BuildKit's secret mount target, /run/secrets/<id>, for the
# `secrets-env` id mounted below.
ARG SECRETS_ENV_FILE="/run/secrets/secrets-env"
# Exported too so the path is visible to anything the script spawns; this is a
# build-only stage (its output is re-exported from scratch in the next stage).
ENV SECRETS_ENV_FILE=${SECRETS_ENV_FILE}
ARG OUT_DIR
ARG IN_DIR
ARG OUT_FILE="${OUT_DIR}/file"
COPY --link --from=github-release-file / ${IN_DIR}
RUN mkdir -p "${OUT_DIR}"
RUN --mount=type=secret,id=secrets-env <<eot
#!/usr/bin/env sh
set -euxo pipefail
# Inline variables: written to a file and sourced under allexport (set -a) so
# each KEY=VALUE line becomes an exported variable for clusterctl.
if [ -n "${ENVIRONMENT_VARIABLES}" ]; then
  echo "${ENVIRONMENT_VARIABLES}" > /tmp/vars.env
  set -a; . /tmp/vars.env; set +a
fi
# Tracing (set -x) is switched off while the secrets file is sourced so the
# secret values do not appear in the build log, then switched back on.
if [ -f "${SECRETS_ENV_FILE}" ]; then
  set +x; set -a; . "${SECRETS_ENV_FILE}"; set +a; set -x
fi
# Concatenate the top-level files of IN_DIR and feed them to clusterctl.
cat $(find "${IN_DIR}" -type f -maxdepth 1) | clusterctl generate yaml > "${OUT_FILE}"
eot
# Export stage: the generated manifest file, rooted at /.
FROM scratch as clusterctl-generate-yaml
ARG OUT_DIR
COPY --link --from=clusterctl-generate-yaml-build ${OUT_DIR} /
# Appends a clusterctl `Provider` inventory resource to the generated manifest
# so clusterctl can later recognise the installed provider.
FROM tools as add-clusterctl-provider-resource-build
ARG PROVIDER_TYPE
ARG PROVIDER_NAME
ARG NAMESPACE
ARG PROVIDER_TYPE_GO
ARG VERSION
ARG OUT_DIR
ARG OUT_FILE="${OUT_DIR}/file"
COPY --link --from=clusterctl-generate-yaml / ${OUT_DIR}
RUN <<eot
#!/usr/bin/env sh
set -euxo pipefail
# metadata.name is "<type>-<name>", except the core provider which is named
# after PROVIDER_NAME alone; providerName is always the bare PROVIDER_NAME.
case "${PROVIDER_TYPE}" in
  core) provider_name_full="${PROVIDER_NAME}" ;;
  *)    provider_name_full="${PROVIDER_TYPE}-${PROVIDER_NAME}" ;;
esac
# Appended as a new document (leading `---`) to the existing manifest.
cat <<EOT >> "${OUT_FILE}"
---
apiVersion: clusterctl.cluster.x-k8s.io/v1alpha3
kind: Provider
metadata:
  name: ${provider_name_full}
  namespace: ${NAMESPACE}
providerName: ${PROVIDER_NAME}
type: ${PROVIDER_TYPE_GO}
version: ${VERSION}
EOT
eot
# Export stage: manifest plus Provider resource, rooted at /.
FROM scratch as cluster-api-provider-resources
ARG OUT_DIR
COPY --link --from=add-clusterctl-provider-resource-build ${OUT_DIR} /
FROM ${FETCH_RESOURCES_IMAGE} as fetch-resources-image
# Normalises the raw manifests found in IN_DIR and splits them into one file
# per resource with `kpt fn sink`.
FROM tools as kpt-fn-sink-build
ARG OUT_DIR
ARG IN_DIR
ARG ENSURE_PORT_PROTOCOL_STARLARK="/fn-configs/ensure-port-protocol.star"
# Starlark function: give every port of a resource an explicit `protocol: TCP`
# when it has none (the eval below restricts it to Service kinds).
COPY --link <<eot ${ENSURE_PORT_PROTOCOL_STARLARK}
def addportprotocol(resources):
    for resource in resources:
        spec = resource.get("spec")
        ports = spec.get("ports")
        if not ports:
            continue
        for port in ports:
            port.setdefault("protocol", "TCP")
addportprotocol(ctx.resource_list["items"])
eot
COPY --link --from=fetch-resources-image / ${IN_DIR}
# NOTE(review): OUT_PKG is not declared in this stage, so this expands to
# `mkdir -p .` and does nothing; looks like a leftover. The sink target is
# OUT_DIR, which sibling stages create with `mkdir -p "${OUT_DIR}"` — confirm
# whether `kpt fn sink` needs it pre-created before changing this line.
RUN mkdir -p "$(dirname "${OUT_PKG}")"
# The use of kpt-fn-search-replace is a workaround so we can use cert-manager v1.7.X with sidero.
# TODO: Create an issue with https://github.com/siderolabs/sidero
# Pipeline: concatenate the top-level input files, drop empty `rules: []`
# entries, placeholder caBundle values and null creationTimestamps, apply the
# Starlark fix to Services, bump cert-manager Certificate/Issuer apiVersions
# from v1alpha2 to v1, and write one file per resource into OUT_DIR.
# NOTE(review): the sed patterns are anchored on exact leading whitespace, which
# this copy of the file may not preserve faithfully — confirm they match the
# indentation of the generated manifests.
RUN <<eot
#!/usr/bin/env sh
set -euxo pipefail
cat $(find "${IN_DIR}" -type f -maxdepth 1) \
| sed '/^rules: \[\]$/d' \
| sed '/^ *caBundle: Cg==$/d' \
| sed '/^ creationTimestamp: null$/d' \
| kpt fn eval - --exec="kpt-fn-starlark" --match-kind="Service" -- "source=$(cat ${ENSURE_PORT_PROTOCOL_STARLARK})" \
| kpt fn eval - --exec="kpt-fn-search-replace" --match-kind="Certificate" -- "by-path=apiVersion" "by-value=cert-manager.io/v1alpha2" "put-value=cert-manager.io/v1" \
| kpt fn eval - --exec="kpt-fn-search-replace" --match-kind="Issuer" -- "by-path=apiVersion" "by-value=cert-manager.io/v1alpha2" "put-value=cert-manager.io/v1" \
| kpt fn sink "${OUT_DIR}"
eot
# Export stage: the per-resource files written by kpt fn sink, rooted at /.
FROM scratch as kpt-fn-sink
ARG OUT_DIR
COPY --link --from=kpt-fn-sink-build ${OUT_DIR} /
# Assembles the sidero workload-cluster package: picks the per-resource files
# out of kpt-fn-sink into a cluster / control-plane / workers layout, then
# genericises names and references with kpt functions so the package can be
# parameterised later.
FROM tools as pkg-sink-source-sidero-cluster-build
ARG OUT_DIR
ARG CONTROL_PLANE_ENDPOINT_FN_CONFIG="/fn-configs/set-controlPlaneEndpoint-from-metalcluster.yaml"
COPY --link --from=kpt-fn-sink /cluster_clustername.yaml ${OUT_DIR}/cluster.yaml
COPY --link --from=kpt-fn-sink /metalcluster_clustername.yaml ${OUT_DIR}/metalcluster.yaml
COPY --link --from=kpt-fn-sink /metalmachinetemplate_clustername-cp.yaml ${OUT_DIR}/control-plane/metalmachinetemplate.yaml
COPY --link --from=kpt-fn-sink /taloscontrolplane_clustername-cp.yaml ${OUT_DIR}/control-plane/taloscontrolplane.yaml
COPY --link --from=kpt-fn-sink /metalmachinetemplate_clustername-workers.yaml ${OUT_DIR}/workers/metalmachinetemplate.yaml
# Staged in /tmp so the patched copy, not the original, lands in the package.
COPY --link --from=kpt-fn-sink /machinedeployment_clustername-workers.yaml /tmp/machinedeployment.yaml
# Strips spec.selector from the MachineDeployment; --local patches the file
# only, no cluster is contacted.
RUN kubectl patch -f /tmp/machinedeployment.yaml --local -o yaml --type=json -p '[{"op":"remove","path":"/spec/selector"}]' > "${OUT_DIR}/workers/machinedeployment.yaml"
COPY --link --from=kpt-fn-sink /talosconfigtemplate_clustername-workers.yaml ${OUT_DIR}/workers/talosconfigtemplate.yaml
# Function config: copy spec.controlPlaneEndpoint from the MetalCluster into
# the Cluster (creating the field if absent).
COPY --link <<eot ${CONTROL_PLANE_ENDPOINT_FN_CONFIG}
apiVersion: fn.kpt.dev/v1alpha1
kind: ApplyReplacements
metadata:
  name: set-controlPlaneEndpoint-from-metalcluster
replacements:
- source:
    kind: MetalCluster
    fieldPath: spec.controlPlaneEndpoint
  targets:
  - select:
      kind: Cluster
    fieldPaths:
    - spec.controlPlaneEndpoint
    options:
      create: true
eot
RUN kpt fn eval "${OUT_DIR}" --exec="kpt-fn-apply-replacements" --fn-config="${CONTROL_PLANE_ENDPOINT_FN_CONFIG}"
# No --match-kind: every resource in the package is renamed to `cluster-name`.
RUN kpt fn eval "${OUT_DIR}" --exec="kpt-fn-search-replace" -- "by-path=metadata.name" "put-value=cluster-name"
RUN kpt fn eval "${OUT_DIR}" --exec="kpt-fn-search-replace" --match-kind="Cluster" -- "by-path=metadata.namespace" "put-value=default"
# Decouples the templates from the concrete server class they were generated with.
RUN kpt fn eval "${OUT_DIR}" --exec="kpt-fn-search-replace" --match-kind="MetalMachineTemplate" -- "by-path=spec.template.spec.serverClassRef.name" "put-value=any"
# Export stage: the assembled sidero cluster package, rooted at /. One of the
# candidates for PKG_SINK_SOURCE.
FROM scratch as pkg-sink-source-sidero-cluster
ARG OUT_DIR
COPY --link --from=pkg-sink-source-sidero-cluster-build ${OUT_DIR} /
# Minimal ServerClass package (one resource, inline). Candidate for
# PKG_SINK_SOURCE.
FROM scratch as pkg-sink-source-sidero-serverclass
COPY --link <<eot /serverclass.yaml
apiVersion: metal.sidero.dev/v1alpha1
kind: ServerClass
metadata:
  name: serverclass
eot
# Minimal sidero Environment package: the kernel/initrd a machine boots with
# (pinned talos v0.10.3 release assets) and the kernel command line handed to
# it. Candidate for PKG_SINK_SOURCE.
# NOTE(review): the boot assets are referenced by URL only; if the Environment
# API in use supports an asset checksum field, populating it would let sidero
# integrity-check the kernel and initrd it serves — confirm against the API
# version targeted here.
FROM scratch as pkg-sink-source-sidero-environment
COPY --link <<eot /environment.yaml
apiVersion: metal.sidero.dev/v1alpha1
kind: Environment
metadata:
  name: environment
spec:
  initrd:
    url: https://github.com/talos-systems/talos/releases/download/v0.10.3/initramfs-amd64.xz
  kernel:
    args:
    - talos.config=https://sidero-endpoint:8081/configdata?uuid=
    - talos.platform=metal
    - console=tty0
    - console=ttyS0
    - consoleblank=0
    - earlyprintk=ttyS0
    - ima_appraise=fix
    - ima_hash=sha512
    - ima_template=ima-ng
    - init_on_alloc=1
    - initrd=initramfs.xz
    - nvme_core.io_timeout=4294967295
    - printk.devkmsg=on
    - pti=on
    - random.trust_cpu=on
    - slab_nomerge=
    url: https://github.com/talos-systems/talos/releases/download/v0.10.3/vmlinuz-amd64
eot
FROM ${PKG_SINK_SOURCE} as pkg-sink-source
# Regroups the per-resource files of the selected package: every
# `<kind>_<name>.yaml` is appended (as its own `---` document) to `<kind>.yaml`
# in the same directory and removed; CRDs and files without a kind prefix are
# left untouched. The result is copied to OUT_DIR.
FROM tools as pkg-rename-files-build
ARG OUT_DIR
ARG IN_DIR
COPY --link --from=pkg-sink-source / ${IN_DIR}
RUN mkdir -p "${OUT_DIR}"
RUN <<eot
#!/usr/bin/env sh
set -euxo pipefail
# Sorted so documents are appended to each <kind>.yaml in a stable order.
for filepath in $(find "${IN_DIR}" -type f -iname '*.yaml' | sort); do
  # Extract the kind prefix of "<kind>_<name>.yaml".
  # NOTE(review): for a file name without an underscore the pattern can still
  # match on the `_` in IN_DIR itself (default /_in), which yields an empty
  # kind and takes the skip branch below; that skip therefore depends on the
  # directory name — confirm before renaming IN_DIR.
  kind="$(echo "${filepath}" | sed 's|\(.*/\)\(\w*\)_.*.yaml|\2|')"
  if [ "${kind}" = "customresourcedefinition" ] || [ -z "${kind}" ]; then
    continue
  fi
  # This is a workaround for issues with missing permissions.
  # TODO: create an issue in https://github.com/siderolabs/cluster-api-bootstrap-provider-talos
  if [ "$(basename "${filepath}")" == "clusterrole_cabpt-manager-role.yaml" ]; then
    cat <<'EOF' >> "${filepath}"
- apiGroups:
  - cluster.x-k8s.io
  resources:
  - machinepools
  - machinepools/status
  verbs:
  - get
  - list
  - watch
EOF
  fi
  dir="$(dirname "${filepath}")"
  outfile="${dir}/${kind}.yaml"
  echo '---' >> "${outfile}"
  cat "${filepath}" >> "${outfile}"
  rm "${filepath}"
done
# Copy the (now regrouped) top-level entries of IN_DIR into OUT_DIR.
cp -r $(find "${IN_DIR}" -maxdepth 1 -mindepth 1) "${OUT_DIR}"
eot
# Export stage: the regrouped package files, rooted at /.
FROM scratch as pkg-rename-files
ARG OUT_DIR
COPY --link --from=pkg-rename-files-build ${OUT_DIR} /
# Runs the example documented in the example README end to end: the README's
# code blocks are extracted with mdrip into a script and executed against a
# local copy of the git repo. Whatever the example writes into OUT_DIR is the
# stage's output.
FROM tools as example-artifacts-build
ARG OUT_DIR
ARG IN_DIR
ARG GIT_REPO_DIR="${IN_DIR}/repo"
ENV GIT_REPO_DIR=${GIT_REPO_DIR}
# file:// URL of the local clone, presumably what the README's commands fetch
# from instead of the remote — confirm against the README.
ARG GIT_REPO="file://${GIT_REPO_DIR}/.git"
ENV GIT_REPO=${GIT_REPO}
ARG GIT_REF="test_e2e"
ENV GIT_REF=${GIT_REF}
# The ENVs above are consumed by the generated example script; this stage is
# build-only (its output is re-exported from scratch below).
ENV EXAMPLE_DIR="${OUT_DIR}"
ARG EXAMPLE_SOURCE_DIR="${IN_DIR}/example"
ARG CAPI_API_GROUP
ENV CAPI_API="${CAPI_API_GROUP}"
# repo-source and example-source are not defined in this file; presumably
# named build contexts supplied at build time.
COPY --link --from=repo-source / "${GIT_REPO_DIR}/.git"
COPY --link --from=example-source / "${EXAMPLE_SOURCE_DIR}"
RUN <<eot
#!/usr/bin/env sh
set -euxo pipefail
# Materialise the worktree at GIT_REF, then (re)point a tag of the same name
# at it; the identity is only needed so git accepts the tag operation.
git -C "${GIT_REPO_DIR}" checkout "${GIT_REF}" -- .
git config --global user.email "you@example.com"
git config --global user.name "Your Name"
git -C "${GIT_REPO_DIR}" tag "${GIT_REF}" -f
eot
RUN <<eot
#!/usr/bin/env sh
set -euxo pipefail
# Rewrite the README commands so kpt functions run as the local kpt-fn-*
# executables (see the kpt wrapper in the tools stage) rather than as images.
sed -i 's/kpt fn render/kpt fn render --allow-exec/g' "${EXAMPLE_SOURCE_DIR}/README.md"
sed -i 's|--image="gcr.io/kpt-fn/\(.*\):unstable"|--exec=kpt-fn-\1|g' "${EXAMPLE_SOURCE_DIR}/README.md"
mdrip "${EXAMPLE_SOURCE_DIR}" > /example.sh
chmod +x /example.sh
bash -c /example.sh
eot
# Export stage: whatever the example run left in OUT_DIR, rooted at /.
FROM scratch as example-artifacts
ARG OUT_DIR
COPY --link --from=example-artifacts-build ${OUT_DIR} /
# Renders a single kpt package: the local package (pkg-local, not defined in
# this file — presumably a named build context) overlaid with the regrouped
# resource files. `kpt` here is the wrapper from the tools stage, which is why
# --allow-exec is required.
FROM tools as kpt-fn-render
ARG OUT_DIR
COPY --link --from=pkg-local / ${OUT_DIR}
COPY --link --from=pkg-rename-files / ${OUT_DIR}
RUN kpt fn render --allow-exec --truncate-output=false "${OUT_DIR}"
# Export stage: the rendered package, rooted at /.
FROM scratch as pkg
ARG OUT_DIR
COPY --link --from=kpt-fn-render "${OUT_DIR}" /
# Renders the sidero workload-cluster package together with its control-plane
# and workers subpackages (pkg-local, control-plane-pkg-local and
# workers-pkg-local are not defined in this file — presumably named build
# contexts). The three stages below each export one part of the result.
FROM tools as cluster-api-workload-sidero-cluster-kpt-fn-render
ARG OUT_DIR
COPY --link --from=pkg-local / ${OUT_DIR}
COPY --link --from=control-plane-pkg-local / ${OUT_DIR}/control-plane
COPY --link --from=workers-pkg-local / ${OUT_DIR}/workers
COPY --link --from=pkg-rename-files / ${OUT_DIR}
RUN kpt fn render --allow-exec --truncate-output=false "${OUT_DIR}"
# Reduces the rendered tree to the top-level package: keeps the files directly
# in OUT_DIR and the .fn-configs directory, removes the nested subpackage
# directories (they are exported separately by the stages below).
FROM tools as cluster-api-workload-sidero-cluster-pkg-build
ARG OUT_DIR
COPY --link --from=cluster-api-workload-sidero-cluster-kpt-fn-render "${OUT_DIR}" "${OUT_DIR}"
# First pass: delete everything two or more levels deep, except under .fn-configs.
RUN find "${OUT_DIR}" -mindepth 2 -not -path "${OUT_DIR}/.fn-configs*" -delete
# Second pass: delete the now-empty subdirectories, except .fn-configs itself.
RUN find "${OUT_DIR}" -mindepth 1 -type d -not -path "${OUT_DIR}/.fn-configs" -delete
# Export stage: the top-level cluster package only, rooted at /.
FROM scratch as cluster-api-workload-sidero-cluster-pkg
ARG OUT_DIR
COPY --link --from=cluster-api-workload-sidero-cluster-pkg-build "${OUT_DIR}" /
# Export stage: the rendered control-plane subpackage, rooted at /.
FROM scratch as cluster-api-workload-sidero-control-plane-pkg
ARG OUT_DIR
COPY --link --from=cluster-api-workload-sidero-cluster-kpt-fn-render "${OUT_DIR}/control-plane" /
# Export stage: the rendered workers subpackage, rooted at /.
FROM scratch as cluster-api-workload-sidero-workers-pkg
ARG OUT_DIR
COPY --link --from=cluster-api-workload-sidero-cluster-kpt-fn-render "${OUT_DIR}/workers" /
# Tags package versions in a copy of the repository (git-repo is not defined in
# this file — presumably a named build context) using a script from the build
# context. The push credentials come from a BuildKit secret mount, so they are
# never written into a layer.
FROM tools as git-tag-packages
ARG PKG_VERSIONS
# Exported for the script below (build arg, so the value is non-secret and
# shows in the build history).
ENV PKG_VERSIONS=${PKG_VERSIONS}
COPY --link --from=git-repo /.git /repo/.git
COPY --link /hack/git_tag_packages.sh /git_tag_packages.sh
WORKDIR /repo
# No explicit id: BuildKit defaults the secret id to the target's basename,
# i.e. `.git-credentials`; required=true fails the build if it is not supplied.
RUN --mount="type=secret,required=true,target=/root/secrets/.git-credentials" /git_tag_packages.sh
# FROM scratch as git-tag-packages
# COPY --link --from=git-tag-packages-build /repo/.git /