Merge pull request #282 from cert-manager/self-upgrade

[CI] Merge self-upgrade into main

deploy/charts/istio-csr/values.schema.json

@@ -12,6 +12,9 @@
         "commonLabels": {
           "$ref": "#/$defs/helm-values.commonLabels"
         },
+        "global": {
+          "$ref": "#/$defs/helm-values.global"
+        },
         "image": {
           "$ref": "#/$defs/helm-values.image"
         },
@@ -452,6 +455,9 @@
       "description": "Labels to apply to all resources",
       "type": "object"
     },
+    "helm-values.global": {
+      "description": "Global values shared across all (sub)charts"
+    },
     "helm-values.image": {
       "additionalProperties": false,
       "properties": {

klone.yaml

@@ -10,55 +10,55 @@ targets:
     - folder_name: boilerplate
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: d3fbbe92ebeace2b369fdc51eb785b42fe39d1d9
+      repo_hash: eb6afb7091095df05b83ca62903fb55af0946f5e
       repo_path: modules/boilerplate
     - folder_name: cert-manager
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: d3fbbe92ebeace2b369fdc51eb785b42fe39d1d9
+      repo_hash: eb6afb7091095df05b83ca62903fb55af0946f5e
       repo_path: modules/cert-manager
     - folder_name: controller-gen
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: d3fbbe92ebeace2b369fdc51eb785b42fe39d1d9
+      repo_hash: eb6afb7091095df05b83ca62903fb55af0946f5e
       repo_path: modules/controller-gen
     - folder_name: generate-verify
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: d3fbbe92ebeace2b369fdc51eb785b42fe39d1d9
+      repo_hash: eb6afb7091095df05b83ca62903fb55af0946f5e
       repo_path: modules/generate-verify
     - folder_name: helm
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: d3fbbe92ebeace2b369fdc51eb785b42fe39d1d9
+      repo_hash: eb6afb7091095df05b83ca62903fb55af0946f5e
       repo_path: modules/helm
     - folder_name: help
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: d3fbbe92ebeace2b369fdc51eb785b42fe39d1d9
+      repo_hash: eb6afb7091095df05b83ca62903fb55af0946f5e
       repo_path: modules/help
     - folder_name: kind
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: d3fbbe92ebeace2b369fdc51eb785b42fe39d1d9
+      repo_hash: eb6afb7091095df05b83ca62903fb55af0946f5e
       repo_path: modules/kind
     - folder_name: klone
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: d3fbbe92ebeace2b369fdc51eb785b42fe39d1d9
+      repo_hash: eb6afb7091095df05b83ca62903fb55af0946f5e
       repo_path: modules/klone
     - folder_name: oci-image
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: d3fbbe92ebeace2b369fdc51eb785b42fe39d1d9
+      repo_hash: eb6afb7091095df05b83ca62903fb55af0946f5e
       repo_path: modules/oci-image
     - folder_name: repository-base
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: d3fbbe92ebeace2b369fdc51eb785b42fe39d1d9
+      repo_hash: eb6afb7091095df05b83ca62903fb55af0946f5e
       repo_path: modules/repository-base
     - folder_name: tools
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: d3fbbe92ebeace2b369fdc51eb785b42fe39d1d9
+      repo_hash: eb6afb7091095df05b83ca62903fb55af0946f5e
       repo_path: modules/tools

make/_shared/help/help.sh

@@ -54,7 +54,7 @@ done <<< "$raw_lines"
 
 ## 2. Build mapping for expanding targets
 
-ASSIGNMENT_REGEX="^(([a-zA-Z0-9\_\/\%\$\(\)]|-)+)\s*:=\s*(.*)$"
+ASSIGNMENT_REGEX="^(([a-zA-Z0-9\_\/\%\$\(\)]|-)+)[[:space:]]*:=[[:space:]]*(.*)$"
 
 raw_expansions=$(${MAKE} --dry-run --print-data-base noop | tr '\t' '    ' | grep -E "$ASSIGNMENT_REGEX")
 extracted_expansions=""
@@ -93,8 +93,10 @@ IFS=$'\n'; for line in $extracted_lines; do
 
     # replace any $(...) with the actual value
     if [[ $target =~ \$\((.*)\) ]]; then
-        target=$(echo -e "$extracted_expansions" | grep "<start-target>${BASH_REMATCH[1]}<end-target>")
-        target=$([[ $target =~ \<start-expansion\>(.*)\<end-expansion\> ]] && echo -e "${BASH_REMATCH[1]}")
+        new_target=$(echo -e "$extracted_expansions" | grep "<start-target>${BASH_REMATCH[1]}<end-target>" || true)
+        if [[ -n "$new_target" ]]; then
+            target=$([[ $new_target =~ \<start-expansion\>(.*)\<end-expansion\> ]] && echo -e "${BASH_REMATCH[1]}")
+        fi
     fi
 
     # Print the target and its multiline comment

make/_shared/oci-image/01_mod.mk

@@ -80,8 +80,13 @@ RELEASE_DRYRUN ?= false
 CGO_ENABLED ?= 0
 GOEXPERIMENT ?=  # empty by default
 
+COSIGN_FLAGS ?= # empty by default
+OCI_SIGN_ON_PUSH ?= true
+
 oci_build_targets := $(build_names:%=oci-build-%)
 oci_push_targets := $(build_names:%=oci-push-%)
+oci_push_no_sign_targets := $(build_names:%=oci-push-no-sign-%)
+oci_sign_targets := $(build_names:%=oci-sign-%)
 oci_maybe_push_targets := $(build_names:%=oci-maybe-push-%)
 oci_load_targets := $(build_names:%=oci-load-%)
 docker_tarball_targets := $(build_names:%=docker-tarball-%)
@@ -138,6 +143,21 @@ $(oci_build_targets): oci-build-%: | $(NEEDS_KO) $(NEEDS_GO) $(NEEDS_YQ) $(bin_d
 		$(CURDIR)/$(oci_layout_path_$*) \
 		> $(CURDIR)/$(oci_layout_path_$*).digests
 
+# Function for ensuring the .digests file exists. In the use case where pushing
+# and signing happen independently, we need to ensure this file exists for 
+# signing
+define oci_digest_ensure 
+ifeq ($(call oci_digest,$1),)
+$$(error "$(oci_layout_path_$1).digests" does not exist, has this image been built?)
+endif
+endef
+
+# Functions for pushing and signing. We have a few targets that push/sign, this
+# use of functions means we can define the commands once.
+oci_digest = $(shell head -1 $(CURDIR)/$(oci_layout_path_$1).digests)
+oci_push_command = $(foreach oci_image_name,$(oci_$1_image_name),$(CRANE) push "$(oci_layout_path_$1)" "$(oci_image_name):$(oci_$1_image_tag)";)
+oci_sign_command = $(foreach oci_image_name,$(oci_$1_image_name),$(COSIGN) sign --yes=true $(COSIGN_FLAGS) "$(oci_image_name)@$(call oci_digest,$1)";)
+
 .PHONY: $(oci_push_targets)
 ## Build and push OCI image.
 ## If the tag already exists, this target will overwrite it.
@@ -147,16 +167,14 @@ $(oci_build_targets): oci-build-%: | $(NEEDS_KO) $(NEEDS_GO) $(NEEDS_YQ) $(bin_d
 ## - :v1.2.3.sig, :sha256-0000001.sig
 ## @category [shared] Build
 $(oci_push_targets): oci-push-%: oci-build-% | $(NEEDS_CRANE) $(NEEDS_COSIGN) $(NEEDS_YQ) $(bin_dir)/scratch/image
-	$(eval image_ref := $(shell head -1 $(CURDIR)/$(oci_layout_path_$*).digests))
-
 ifneq ($(RELEASE_DRYRUN),true)
-	if $(CRANE) image digest $(oci_$*_image_name)@$(image_ref) >/dev/null 2>&1; then \
+	if $(CRANE) image digest $(oci_$*_image_name)@$(call oci_digest,$*) >/dev/null 2>&1; then \
 		echo "Digest already exists, will retag without resigning."; \
-		$(CRANE) push "$(oci_layout_path_$*)" "$(oci_$*_image_name):$(oci_$*_image_tag)"; \
+		$(call oci_push_command,$*); \
 	else \
 		echo "Digest does not yet exist, pushing image and signing."; \
-		$(CRANE) push "$(oci_layout_path_$*)" "$(oci_$*_image_name):$(oci_$*_image_tag)"; \
-		$(COSIGN) sign --yes=true "$(oci_$*_image_name)@$(image_ref)"; \
+		$(call oci_push_command,$*); \
+		$(call oci_sign_command,$*); \
 	fi
 endif
 
@@ -171,6 +189,24 @@ $(oci_maybe_push_targets): oci-maybe-push-%: | $(NEEDS_CRANE)
 		$(MAKE) oci-push-$*; \
 	fi
 
+.PHONY: $(oci_push_no_sign_targets)
+## Build and push OCI image.
+## If the tag already exists, this target will overwrite it.
+## If an identical image was already built before, we will add a new tag to it.
+## This target will not sign the image
+## Expected pushed images:
+## - :v1.2.3, @sha256:0000001
+## @category [shared] Build
+$(oci_push_no_sign_targets): oci-push-no-sign-%: oci-build-% | $(NEEDS_CRANE) $(bin_dir)/scratch/image
+	$(call oci_push_command,$*)
+
+.PHONY: $(oci_sign_targets)
+## Run 'make oci-sign-...' to force a sign of the image.
+## @category [shared] Build
+$(oci_sign_targets): oci-sign-%: | $(NEEDS_COSIGN)
+	$(eval $(call oci_digest_ensure,$*)) 
+	$(call oci_sign_command,$*)
+
 .PHONY: $(oci_load_targets)
 ## Build OCI image for the local architecture and load
 ## it into the $(kind_cluster_name) kind cluster.

make/_shared/oci-image/image_tool/go.mod

@@ -3,41 +3,43 @@ module image_tool
 go 1.21
 
 require (
-	github.com/google/go-containerregistry v0.17.0
-	github.com/sigstore/cosign/v2 v2.2.2
+	github.com/google/go-containerregistry v0.19.0
+	github.com/sigstore/cosign/v2 v2.2.3
 )
 
 require (
 	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
-	github.com/containerd/stargz-snapshotter/estargz v0.14.3 // indirect
-	github.com/go-openapi/analysis v0.21.4 // indirect
-	github.com/go-openapi/errors v0.20.4 // indirect
-	github.com/go-openapi/jsonpointer v0.20.0 // indirect
-	github.com/go-openapi/jsonreference v0.20.2 // indirect
-	github.com/go-openapi/loads v0.21.2 // indirect
-	github.com/go-openapi/runtime v0.26.0 // indirect
-	github.com/go-openapi/spec v0.20.11 // indirect
-	github.com/go-openapi/strfmt v0.21.8 // indirect
-	github.com/go-openapi/swag v0.22.4 // indirect
-	github.com/go-openapi/validate v0.22.3 // indirect
+	github.com/containerd/stargz-snapshotter/estargz v0.15.1 // indirect
+	github.com/go-openapi/analysis v0.23.0 // indirect
+	github.com/go-openapi/errors v0.22.0 // indirect
+	github.com/go-openapi/jsonpointer v0.21.0 // indirect
+	github.com/go-openapi/jsonreference v0.21.0 // indirect
+	github.com/go-openapi/loads v0.22.0 // indirect
+	github.com/go-openapi/runtime v0.28.0 // indirect
+	github.com/go-openapi/spec v0.21.0 // indirect
+	github.com/go-openapi/strfmt v0.23.0 // indirect
+	github.com/go-openapi/swag v0.23.0 // indirect
+	github.com/go-openapi/validate v0.24.0 // indirect
+	github.com/google/uuid v1.6.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
-	github.com/klauspost/compress v1.17.2 // indirect
-	github.com/letsencrypt/boulder v0.0.0-20231026200631-000cd05d5491 // indirect
+	github.com/klauspost/compress v1.17.7 // indirect
+	github.com/letsencrypt/boulder v0.0.0-20240311221846-ffef10ab36cd // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/oklog/ulid v1.3.1 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
-	github.com/opencontainers/image-spec v1.1.0-rc5 // indirect
-	github.com/secure-systems-lab/go-securesystemslib v0.7.0 // indirect
-	github.com/sigstore/rekor v1.3.4 // indirect
-	github.com/sigstore/sigstore v1.7.6 // indirect
+	github.com/opencontainers/image-spec v1.1.0 // indirect
+	github.com/secure-systems-lab/go-securesystemslib v0.8.0 // indirect
+	github.com/sigstore/rekor v1.3.5 // indirect
+	github.com/sigstore/sigstore v1.8.2 // indirect
 	github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
 	github.com/vbatts/tar-split v0.11.5 // indirect
-	go.mongodb.org/mongo-driver v1.12.1 // indirect
-	golang.org/x/crypto v0.17.0 // indirect
-	golang.org/x/sync v0.5.0 // indirect
-	golang.org/x/sys v0.15.0 // indirect
-	golang.org/x/term v0.15.0 // indirect
-	gopkg.in/go-jose/go-jose.v2 v2.6.1 // indirect
+	go.mongodb.org/mongo-driver v1.14.0 // indirect
+	golang.org/x/crypto v0.21.0 // indirect
+	golang.org/x/sync v0.6.0 // indirect
+	golang.org/x/sys v0.18.0 // indirect
+	golang.org/x/term v0.18.0 // indirect
+	google.golang.org/protobuf v1.33.0 // indirect
+	gopkg.in/go-jose/go-jose.v2 v2.6.3 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )