feat: prepare github action workflows #1

Signed-off-by: Thomas Pham <thomas.pham@sicpa.com>

.github/workflows/chart.yaml

@@ -0,0 +1,39 @@
+name: 'Release Helm Chart'
+
+on:
+  push:
+    branches:
+      - 'main'
+    paths:
+      - 'deploy/**'
+
+jobs:
+  release:
+    # depending on default permission settings for your org (contents being read-only or read-write for workloads), you will have to add permissions
+    # see: https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token
+    permissions:
+      contents: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Configure Git
+        run: |
+          git config user.name "$GITHUB_ACTOR"
+          git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
+
+      - name: Install Helm
+        uses: azure/setup-helm@v3
+        with:
+          version: v3.11.2
+
+      - name: Run chart-releaser
+        uses: helm/chart-releaser-action@v1.5.0
+        with:
+          charts_dir: deploy
+          charts_repo_url: https://github.com/thpham/cert-manager-webhook-oci
+        env:
+          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

.github/workflows/ci.yaml

@@ -0,0 +1,91 @@
+name: 'Build and push main/tags'
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - 'main'
+    tags:
+      - 'v*'
+    # Ignore specific changes
+    paths-ignore:
+      - 'deploy/**'
+  pull_request:
+    types: [ labeled ]
+    branches:
+      - 'main'
+    paths-ignore:
+      - 'deploy/**'
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository_owner }}/cert-manager-webhook-oci
+
+jobs:
+  build-and-publish:
+    if: github.event_name == 'push' || github.event.label.name == 'build'
+    # depending on default permission settings for your org (contents being read-only or read-write for workloads), you will have to add permissions
+    # see: https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token
+    permissions:
+      contents: read
+      packages: write
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        platform:
+          - linux/amd64
+          - linux/arm64
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      # Add support for more platforms with QEMU (optional)
+      # https://github.com/docker/setup-qemu-action
+      - name: Set up QEMU
+        id: qemu
+        uses: docker/setup-qemu-action@v2
+
+      # https://github.com/docker/setup-buildx-action
+      - name: Set up Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Login to GHCR
+        if: github.event_name == 'push'
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      # https://github.com/docker/metadata-action
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v4
+        with:
+          images: |
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=ref,event=tag
+            type=ref,event=pr
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            # set latest tag for main branch
+            type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'main') }}
+
+      - name: Release build
+        id: release_build
+        uses: docker/build-push-action@v4
+        with:
+          context: .
+          platforms:  ${{ matrix.platform }}
+          push: ${{ github.event_name == 'push' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          build-args: |
+            Version=${{ steps.meta.outputs.tags }}
+            GitCommit=${{ github.sha }}
+
+      - name: Image digest
+        run: echo ${{ steps.release_build.outputs.digest }}

.github/workflows/sync-readme.yaml

@@ -0,0 +1,26 @@
+name: 'README sync'
+
+on:
+  push:
+    branches:
+      - 'main'
+    paths:
+      - 'gh-pages-readme.md'
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - run: |
+          cp -f gh-pages-readme.md ${{ runner.temp }}/README.md
+      - uses: actions/checkout@v3
+        with:
+          ref: gh-pages
+      - run: |
+          cp -f ${{ runner.temp }}/README.md .
+          git config user.name "$GITHUB_ACTOR"
+          git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
+          git add README.md
+          git commit --signoff -m "Sync README from main"
+          git push

.github/workflows/test.yaml

@@ -0,0 +1,23 @@
+name: 'Run tests'
+
+on:
+  pull_request:
+    types: [ labeled ]
+  workflow_dispatch:
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    if: github.event.label.name == 'testing'
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - uses: actions/setup-go@v4
+        with:
+          go-version: '1.20.4'
+
+      - name: Run tests
+        shell: bash
+        run: |
+          make test

Dockerfile

@@ -1,28 +1,42 @@
 ARG GOLANG_VERSION=1.20.4
-ARG ALPINE_VERSION=3.17
 
-FROM golang:${GOLANG_VERSION}-alpine${ALPINE_VERSION} AS build_deps
+FROM --platform=${BUILDPLATFORM:-linux/amd64} golang:${GOLANG_VERSION} AS builder
 
-RUN apk add --no-cache git
+ARG TARGETPLATFORM
+ARG BUILDPLATFORM
+ARG TARGETOS
+ARG TARGETARCH
 
-WORKDIR /workspace
+ARG Version
+ARG GitCommit
+
+ENV CGO_ENABLED=0
 ENV GO111MODULE=on
 
-COPY go.mod .
-COPY go.sum .
+RUN mkdir -p /go/src/github.com/thpham/cert-manager-webhook-oci
+WORKDIR /go/src/github.com/thpham/cert-manager-webhook-oci
 
+# Cache the download before continuing
+COPY go.mod go.mod
+COPY go.sum go.sum
 RUN go mod download
 
-FROM build_deps AS build
+COPY pkg  pkg
+COPY main.go main.go
+COPY main_test.go main_test.go
 
-COPY . .
+#RUN CGO_ENABLED=${CGO_ENABLED} GOOS=${TARGETOS} GOARCH=${TARGETARCH} \
+#  go test -v ./...
 
-RUN CGO_ENABLED=0 go build -o webhook -ldflags '-w -extldflags "-static"' .
+RUN CGO_ENABLED=${CGO_ENABLED} GOOS=${TARGETOS} GOARCH=${TARGETARCH} \
+  go build -ldflags "-s -w -X github.com/thpham/cert-manager-webhook-oci/pkg/version.Release=${Version} -X github.com/thpham/cert-manager-webhook-oci/pkg/version.SHA=${GitCommit}" -o /usr/bin/cert-manager-webhook-oci .
 
-FROM alpine:${ALPINE_VERSION}
+FROM --platform=${BUILDPLATFORM:-linux/amd64} gcr.io/distroless/base:nonroot
 
-RUN apk add --no-cache ca-certificates
+LABEL org.opencontainers.image.source=https://github.com/thpham/cert-manager-webhook-oci
 
-COPY --from=build /workspace/webhook /usr/local/bin/webhook
+WORKDIR /
+COPY --from=builder /usr/bin/cert-manager-webhook-oci /
+USER nonroot:nonroot
 
-ENTRYPOINT ["webhook"]
+CMD ["/cert-manager-webhook-oci"]

Makefile

@@ -1,8 +1,14 @@
 OS ?= $(shell go env GOOS)
 ARCH ?= $(shell go env GOARCH)
 
-IMAGE_NAME := "tpham/cert-manager-webhook-oci"
-IMAGE_TAG := "latest"
+SERVER?=ghcr.io
+OWNER?=thpham
+IMG_NAME?=cert-manager-webhook-oci
+
+PLATFORM?= "linux/amd64,linux/arm/v7,linux/arm/v8,linux/arm64"
+
+Version := $(shell git describe --tags --dirty)
+GitCommit := $(shell git rev-parse HEAD)
 
 OUT := $(shell pwd)/deploy
 
@@ -12,9 +18,12 @@ $(shell mkdir -p "$(OUT)")
 export TEST_ASSET_ETCD=_test/kubebuilder/bin/etcd
 export TEST_ASSET_KUBE_APISERVER=_test/kubebuilder/bin/kube-apiserver
 export TEST_ASSET_KUBECTL=_test/kubebuilder/bin/kubectl
+export TEST_ZONE_NAME=example.com.
 
 test: _test/kubebuilder
-	/usr/local/bin/go test -timeout 30s -v .
+	@envsubst < testdata/oci/config.json.sample > testdata/oci/config.json && \
+  envsubst < testdata/oci/oci-profile.yaml.sample > testdata/oci/oci-profile.yaml && \
+	go test -timeout 30s -v .
 
 _test/kubebuilder:
 	curl -fsSL https://go.kubebuilder.io/test-tools/$(KUBE_VERSION)/$(OS)/$(ARCH) -o kubebuilder-tools.tar.gz
@@ -29,14 +38,30 @@ clean: clean-kubebuilder
 clean-kubebuilder:
 	rm -Rf _test/kubebuilder
 
+.PHONY: build-local
+build-local:
+	@docker buildx build \
+		--progress=plain \
+		--build-arg Version=$(Version) --build-arg GitCommit=$(GitCommit) \
+		--platform linux/amd64 \
+		--output "type=docker,push=false" \
+		--tag $(SERVER)/$(OWNER)/$(IMG_NAME):$(Version) .
+
+.PHONY: build
 build:
-	docker buildx build --load -t "$(IMAGE_NAME):$(IMAGE_TAG)" .
+	@echo $(SERVER)/$(OWNER)/$(IMG_NAME):$(Version) && \
+	docker buildx build \
+		--progress=plain \
+		--build-arg Version=$(Version) --build-arg GitCommit=$(GitCommit) \
+		--platform $(PLATFORM) \
+		--output "type=image,push=false" \
+		--tag $(SERVER)/$(OWNER)/$(IMG_NAME):$(Version) .
 
 .PHONY: rendered-manifest.yaml
 rendered-manifest.yaml:
 	helm template \
 	    cert-manager-webhook-oci \
-        --set image.repository=$(IMAGE_NAME) \
-        --set image.tag=$(IMAGE_TAG) \
+        --set image.repository=$(SERVER)/$(OWNER)/$(IMG_NAME) \
+        --set image.tag=$(Version) \
 		--namespace cert-manager \
         deploy/cert-manager-webhook-oci > "$(OUT)/rendered-manifest.yaml"

README.md

@@ -11,7 +11,7 @@ This solver can be used when you want to use cert-manager with Oracle Cloud Infr
 ## Clone
 
 ```bash
-git clone https://github.com/pacphi/cert-manager-webhook-oci
+git clone https://github.com/thpham/cert-manager-webhook-oci
 ```
 
 ## Installation

deploy/cert-manager-webhook-oci/values.yaml

@@ -11,7 +11,7 @@ certManager:
   serviceAccountName: cert-manager
 
 image:
-  repository: tpham/cert-manager-webhook-oci
+  repository: ghcr.io/thpham/cert-manager-webhook-oci
   tag: latest
   pullPolicy: Always