From 39227c762a73ad8a1fa69d633fc05a9e62c1b399 Mon Sep 17 00:00:00 2001 From: Ciprian Goea Date: Fri, 29 Aug 2025 15:43:00 +0300 Subject: [PATCH 1/6] scan docker images --- .github/workflows/lint-test-build-publish.yml | 23 +++ Makefile | 160 ++++++++++++++---- 2 files changed, 151 insertions(+), 32 deletions(-) diff --git a/.github/workflows/lint-test-build-publish.yml b/.github/workflows/lint-test-build-publish.yml index e8b9d746a..5da62b87e 100644 --- a/.github/workflows/lint-test-build-publish.yml +++ b/.github/workflows/lint-test-build-publish.yml @@ -41,6 +41,29 @@ jobs: run_test: false bootstrap_tools: "" trivy_config_path: trivy.yaml + + pre-merge-scan: + name: Build+Scan (${{ matrix.service }}) + if: github.event_name == 'pull_request' + strategy: + fail-fast: false + matrix: + service: + [authService, awsSmProxy, certSynchronizer, secretsConfig, squidProxy, tokenFS, + tenancyAPIMapping, tenancyManager, tenancyDatamodel, nexusAPIGateway, + keycloakTenantController, nexusCompiler, openAPIGenerator] + uses: open-edge-platform/orch-ci/.github/workflows/pre-merge.yml@7d984ef618c17ff5e616879327f19f37b67307ee # 0.1.46 + with: + project_folder: '.' + only_service: ${{ matrix.service }} + run_docker_build: true + run_build: false + run_docker_push: false + run_helm_build: false + run_helm_push: false + version_suffix: "-pr-${{ github.event.number }}" + trivy_config_path: ".trivy.yaml" + #trivy_image_skip: "${{ vars.TRIVY_IMAGE_SKIP }}" use if needed lint-go: permissions: diff --git a/Makefile b/Makefile index 583053433..fc3b3c4d9 100644 --- a/Makefile +++ b/Makefile 
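Review bot: The new `pre-merge-scan` job carries no `permissions:` block, so the reusable workflow it calls runs with whatever token scope the caller workflow grants by default, whereas `lint-go` directly below it scopes its permissions explicitly. This job only builds and scans on pull requests and pushes nothing (`run_docker_push: false`, `run_helm_push: false`), so a read-only grant such as `permissions: { contents: read }` (plus whatever the called workflow documents as required, which is not visible from here) keeps it at least privilege. Separately, this job passes `trivy_config_path: ".trivy.yaml"` while the job above it in the same file passes `trivy_config_path: trivy.yaml`; only one of those paths can exist in the repository, and if the called workflow tolerates a missing config the scan may run with default severity and ignore settings instead of the intended ones, so align the two.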
@@ -1,15 +1,102 @@ # SPDX-FileCopyrightText: (C) 2025 Intel Corporation # SPDX-License-Identifier: Apache-2.0 -SHELL := bash -eu -o pipefail +SHELL := bash -eu -o pipefail # default goal to show help .DEFAULT_GOAL := help -HELM_DIRS=$(shell ls charts) +# Build one service (ONLY_SERVICE=) or all in SERVICES +ONLY_SERVICE ?= + +# List of services +SERVICES ?= \ + authService \ + awsSmProxy \ + certSynchronizer \ + secretsConfig \ + squidProxy \ + tokenFS \ + tenancyAPIMapping \ + tenancyManager \ + tenancyDatamodel \ + nexusAPIGateway \ + keycloakTenantController \ + nexusCompiler \ + openAPIGenerator + +# Suffix from CI (e.g. "-pr-123"); when set, images will be retagged +VERSION_SUFFIX ?= + +.PHONY: docker-build docker-push helm-build helm-push retag-with-suffix + +# Build containers for CI (uses ONLY_SERVICE or all) +docker-build: ## Build Docker images (ONLY_SERVICE builds one; otherwise builds all SERVICES) + @if [ -n "$(ONLY_SERVICE)" ]; then \ + svc="$(ONLY_SERVICE)"; \ + echo "==> Building single service: $$svc"; \ + case $$svc in \ + authService) $(MAKE) docker-build-auth-service ;; \ + awsSmProxy) $(MAKE) docker-build-aws-sm-proxy ;; \ + certSynchronizer) $(MAKE) docker-build-cert-synchronizer ;; \ + secretsConfig) $(MAKE) docker-build-secrets-config ;; \ + squidProxy) $(MAKE) docker-build-squid-proxy ;; \ + tokenFS) $(MAKE) docker-build-token-fs ;; \ + tenancyAPIMapping) $(MAKE) docker-build-tenancy-api-mapping ;; \ + tenancyManager) $(MAKE) docker-build-tenancy-manager ;; \ + tenancyDatamodel) $(MAKE) docker-build-tenancy-datamodel ;; \ + nexusAPIGateway) $(MAKE) docker-build-nexus-api-gw ;; \ + keycloakTenantController) $(MAKE) docker-build-keycloak-tenant-controller ;; \ + nexusCompiler) $(MAKE) docker-build-nexus/compiler ;; \ + openAPIGenerator) $(MAKE) docker-build-nexus/openapi-generator ;; \ + *) echo "Unknown service '$$svc'"; exit 2 ;; \ + esac; \ + else \ + echo "==> Building all services: $(SERVICES)"; \ + for svc in $(SERVICES); do \ + 
ONLY_SERVICE="$$svc" $(MAKE) docker-build; \ + done; \ + fi + @if [ -n "$(VERSION_SUFFIX)" ]; then \ + $(MAKE) retag-with-suffix; \ + else \ + echo "VERSION_SUFFIX empty; skipping retag."; \ + fi + +# Push containers (uses ONLY_SERVICE or all) via mage +docker-push: ## Push Docker images to registry (ONLY_SERVICE or all SERVICES) using mage push: + @if [ -n "$(ONLY_SERVICE)" ]; then \ + echo "==> Pushing $(ONLY_SERVICE) via mage"; \ + mage push:$(ONLY_SERVICE); \ + else \ + echo "==> Pushing all services via mage"; \ + for svc in $(SERVICES); do mage push:$$svc; done; \ + fi + +# Retag built images with VERSION_SUFFIX using mage listContainers +retag-with-suffix: docker-list ## Retag images discovered by 'mage listContainers' with VERSION_SUFFIX + @set -euo pipefail; \ + echo "==> Retagging with suffix '$(VERSION_SUFFIX)'"; \ + images=$$(mage listContainers); \ + if [ -z "$$images" ]; then echo "No images from mage listContainers"; exit 0; fi; \ + echo "$$images" | while read -r line; do \ + # Expect 'repo:tag' in the first column; skip anything else + name_tag=$$(echo "$$line" | awk '{print $$1}'); \ + case "$$name_tag" in *:*) ;; *) echo "Skip: $$line"; continue ;; esac; \ + repo=$${name_tag%:*}; \ + tag=$${name_tag##*:}; \ + new_tag="$$tag$(VERSION_SUFFIX)"; \ + echo "Tagging $$repo:$$tag -> $$repo:$$new_tag"; \ + docker tag "$$repo:$$tag" "$$repo:$$new_tag"; \ + done + +# ------------------------------ +# Helm helpers +# ------------------------------ +HELM_DIRS = $(shell ls charts) helm-list: ## List helm charts, tag format, and versions in YAML format - @echo "charts:" - @for d in $(HELM_DIRS); do \ + @echo "charts:" + @for d in $(HELM_DIRS); do \ cname=$$(grep "^name:" "charts/$$d/Chart.yaml" | cut -d " " -f 2) ;\ echo " $$cname:" ;\ echo -n " "; grep "^version" "charts/$$d/Chart.yaml" ;\ 
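Review bot: In `retag-with-suffix` the line `# Expect 'repo:tag' in the first column; skip anything else` sits inside the backslash-continued shell command but, as shown here, has no trailing `\`, so the logical recipe line ends right after `do` and the `while` loop is split across two shell invocations, which fails on an unterminated `while`; adding a `\` would not help either, because a `#` inside a continued shell line comments out everything up to and including that continuation. Move the text out of the recipe as a Make comment above the `@set -euo pipefail; \` line, or use a shell no-op such as `: 'expect repo:tag in first column; skip anything else'; \`. Also, when `docker-build` builds all services it re-invokes `docker-build` once per service with `ONLY_SERVICE` set, and a `VERSION_SUFFIX` given on the `make` command line is propagated to those sub-makes through `MAKEFLAGS`, so `retag-with-suffix` presumably runs after every single-service build and once more at the top level, retagging the full `mage listContainers` output each time; `docker tag` is idempotent so this is likely only wasted work, but passing `VERSION_SUFFIX=` to the inner invocation (`ONLY_SERVICE="$$svc" $(MAKE) docker-build VERSION_SUFFIX=; \`) should confine the retag to the outer call.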
@@ -18,66 +105,75 @@ helm-list: ## List helm charts, tag format, and versions in YAML format done helm-build: ## build all helm charts - mage chartsBuild + mage chartsBuild +helm-push: helm-build ## push helm charts (no-op by default; wire up if needed) + @echo "helm-push: no-op (implement chart publishing if desired)" + +# ------------------------------ +# Docker helpers +# ------------------------------ docker-list: ## list all docker containers built by this repo - @mage listContainers + @mage listContainers # map container name to the mage build:... invocations docker-build-auth-service: - mage build:authService + mage build:authService docker-build-aws-sm-proxy: - mage build:awsSmProxy + mage build:awsSmProxy docker-build-cert-synchronizer: - mage build:certSynchronizer + mage build:certSynchronizer docker-build-keycloak-tenant-controller: - mage build:keycloakTenantController + mage build:keycloakTenantController docker-build-nexus-api-gw: - mage build:nexusAPIGateway + mage build:nexusAPIGateway docker-build-nexus/compiler: - mage build:nexusCompiler + mage build:nexusCompiler docker-build-nexus/openapi-generator: - mage build:openAPIGenerator + mage build:openAPIGenerator docker-build-secrets-config: - mage build:secretsConfig + mage build:secretsConfig docker-build-squid-proxy: - mage build:squidProxy + mage build:squidProxy docker-build-tenancy-api-mapping: - mage build:tenancyAPIMapping + mage build:tenancyAPIMapping docker-build-tenancy-datamodel: - mage build:tenancyDatamodel + mage build:tenancyDatamodel docker-build-tenancy-manager: - mage build:tenancyManager + mage build:tenancyManager docker-build-token-fs: - mage build:tokenFS + mage build:tokenFS +# ------------------------------ +# Tests +# ------------------------------ ginkgo: ## Run all ginkgo tests in sub-projects - make -C auth-service ginkgo - make -C aws-sm-proxy ginkgo - make -C internal ginkgo - make -C nexus-api-gw ginkgo - make -C nexus ginkgo - make -C secrets ginkgo - make -C 
tenancy-manager ginkgo - # make -C tenancy-api-mapping ginkgo # needs to be fixed + make -C auth-service ginkgo + make -C aws-sm-proxy ginkgo + make -C internal ginkgo + make -C nexus-api-gw ginkgo + make -C nexus ginkgo + make -C secrets ginkgo + make -C tenancy-manager ginkgo + # make -C tenancy-api-mapping ginkgo # needs to be fixed #### Help Target #### help: ## print help for each target - @echo orch-utils make targets - @echo "Target Makefile:Line Description" - @echo "-------------------- ---------------- -----------------------------------------" - @grep -H -n '^[[:alnum:]%_-]*:.* ##' $(MAKEFILE_LIST) \ + @echo orch-utils make targets + @echo "Target Makefile:Line Description" + @echo "-------------------- ---------------- -----------------------------------------" + @grep -H -n '^[[:alnum:]%_-]*:.* ##' $(MAKEFILE_LIST) \ | sort -t ":" -k 3 \ - | awk 'BEGIN {FS=":"}; {sub(".* ## ", "", $$4)}; {printf "%-20s %-16s %s\n", $$3, $$1 ":" $$2, $$4};' + | awk 'BEGIN {FS=":"}; {sub(".* ## ", "", $$4)}; {printf "%-20s %-16s %s\n", $$3, $$1 ":" $$2, $$4};' \ No newline at end of file From e1faefc2b9154f2c9c26e08bf2a786f7c79fde9b Mon Sep 17 00:00:00 2001 From: Ciprian Goea Date: Fri, 29 Aug 2025 15:59:15 +0300 Subject: [PATCH 2/6] Update Makefile Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- Makefile | 60 ++++++++++++++++++++++++++++---------------------------- 1 file changed, 30 insertions(+), 30 deletions(-) diff --git a/Makefile b/Makefile index fc3b3c4d9..0eaa56244 100644 --- a/Makefile +++ b/Makefile 
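Review bot: The `ginkgo` recipe on the new side still calls the sub-projects with a literal `make -C …` rather than `$(MAKE) -C …`, so `-n`, `-k` and the `-j` jobserver are not passed down and any wrapper or alternate make binary is bypassed; change each line to the form `$(MAKE) -C auth-service ginkgo`. The `docker-build-*`, `docker-list`, `helm-list`, `ginkgo` and `help` targets are command targets that produce no file, but the `.PHONY:` line introduced earlier in this patch names only `docker-build docker-push helm-build helm-push retag-with-suffix`, so a file that happens to share one of these names would make the target report "up to date" and skip the build; add them to `.PHONY`. `helm-push` depends on `helm-build` and then exits 0 after announcing it is a no-op, which means a CI run that ever sets `run_helm_push` to true would report success without publishing anything; consider failing loudly until it is implemented, e.g. `@echo "helm-push: not implemented" >&2; exit 1`.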
@@ -32,36 +32,36 @@ VERSION_SUFFIX ?= # Build containers for CI (uses ONLY_SERVICE or all) docker-build: ## Build Docker images (ONLY_SERVICE builds one; otherwise builds all SERVICES) - @if [ -n "$(ONLY_SERVICE)" ]; then \ - svc="$(ONLY_SERVICE)"; \ - echo "==> Building single service: $$svc"; \ - case $$svc in \ - authService) $(MAKE) docker-build-auth-service ;; \ - awsSmProxy) $(MAKE) docker-build-aws-sm-proxy ;; \ - certSynchronizer) $(MAKE) docker-build-cert-synchronizer ;; \ - secretsConfig) $(MAKE) docker-build-secrets-config ;; \ - squidProxy) $(MAKE) docker-build-squid-proxy ;; \ - tokenFS) $(MAKE) docker-build-token-fs ;; \ - tenancyAPIMapping) $(MAKE) docker-build-tenancy-api-mapping ;; \ - tenancyManager) $(MAKE) docker-build-tenancy-manager ;; \ - tenancyDatamodel) $(MAKE) docker-build-tenancy-datamodel ;; \ - nexusAPIGateway) $(MAKE) docker-build-nexus-api-gw ;; \ - keycloakTenantController) $(MAKE) docker-build-keycloak-tenant-controller ;; \ - nexusCompiler) $(MAKE) docker-build-nexus/compiler ;; \ - openAPIGenerator) $(MAKE) docker-build-nexus/openapi-generator ;; \ - *) echo "Unknown service '$$svc'"; exit 2 ;; \ - esac; \ - else \ - echo "==> Building all services: $(SERVICES)"; \ - for svc in $(SERVICES); do \ - ONLY_SERVICE="$$svc" $(MAKE) docker-build; \ - done; \ - fi - @if [ -n "$(VERSION_SUFFIX)" ]; then \ - $(MAKE) retag-with-suffix; \ - else \ - echo "VERSION_SUFFIX empty; skipping retag."; \ - fi + @if [ -n "$(ONLY_SERVICE)" ]; then \ + svc="$(ONLY_SERVICE)"; \ + echo "==> Building single service: $$svc"; \ + case $$svc in \ + authService) $(MAKE) docker-build-auth-service ;; \ + awsSmProxy) $(MAKE) docker-build-aws-sm-proxy ;; \ + certSynchronizer) $(MAKE) docker-build-cert-synchronizer ;; \ + secretsConfig) $(MAKE) docker-build-secrets-config ;; \ + squidProxy) $(MAKE) docker-build-squid-proxy ;; \ + tokenFS) $(MAKE) docker-build-token-fs ;; \ + tenancyAPIMapping) $(MAKE) docker-build-tenancy-api-mapping ;; \ + tenancyManager) $(MAKE) 
docker-build-tenancy-manager ;; \ + tenancyDatamodel) $(MAKE) docker-build-tenancy-datamodel ;; \ + nexusAPIGateway) $(MAKE) docker-build-nexus-api-gw ;; \ + keycloakTenantController) $(MAKE) docker-build-keycloak-tenant-controller ;; \ + nexusCompiler) $(MAKE) docker-build-nexus/compiler ;; \ + openAPIGenerator) $(MAKE) docker-build-nexus/openapi-generator ;; \ + *) echo "Unknown service '$$svc'"; exit 2 ;; \ + esac; \ + else \ + echo "==> Building all services: $(SERVICES)"; \ + for svc in $(SERVICES); do \ + ONLY_SERVICE="$$svc" $(MAKE) docker-build; \ + done; \ + fi + @if [ -n "$(VERSION_SUFFIX)" ]; then \ + $(MAKE) retag-with-suffix; \ + else \ + echo "VERSION_SUFFIX empty; skipping retag."; \ + fi # Push containers (uses ONLY_SERVICE or all) via mage docker-push: ## Push Docker images to registry (ONLY_SERVICE or all SERVICES) using mage push: From 37e09ab7540fe796d32af96b181cb3e569f0cc03 Mon Sep 17 00:00:00 2001 From: Ciprian Goea Date: Fri, 29 Aug 2025 15:59:38 +0300 Subject: [PATCH 3/6] Update Makefile Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 0eaa56244..0a26702b6 100644 --- a/Makefile +++ b/Makefile @@ -108,7 +108,7 @@ helm-build: ## build all helm charts mage chartsBuild helm-push: helm-build ## push helm charts (no-op by default; wire up if needed) - @echo "helm-push: no-op (implement chart publishing if desired)" + @echo "helm-push: no-op (implement chart publishing if desired)" # ------------------------------ # Docker helpers From 7096f4661a330d6118cf70a6210172d5dab4f049 Mon Sep 17 00:00:00 2001 From: Ciprian Goea Date: Fri, 29 Aug 2025 15:59:47 +0300 Subject: [PATCH 4/6] Update Makefile Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- Makefile | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/Makefile b/Makefile index 0a26702b6..975c859a2 100644 --- a/Makefile 
+++ b/Makefile @@ -65,13 +65,13 @@ docker-build: ## Build Docker images (ONLY_SERVICE builds one; otherwise builds # Push containers (uses ONLY_SERVICE or all) via mage docker-push: ## Push Docker images to registry (ONLY_SERVICE or all SERVICES) using mage push: - @if [ -n "$(ONLY_SERVICE)" ]; then \ - echo "==> Pushing $(ONLY_SERVICE) via mage"; \ - mage push:$(ONLY_SERVICE); \ - else \ - echo "==> Pushing all services via mage"; \ - for svc in $(SERVICES); do mage push:$$svc; done; \ - fi + @if [ -n "$(ONLY_SERVICE)" ]; then \ + echo "==> Pushing $(ONLY_SERVICE) via mage"; \ + mage push:$(ONLY_SERVICE); \ + else \ + echo "==> Pushing all services via mage"; \ + for svc in $(SERVICES); do mage push:$$svc; done; \ + fi # Retag built images with VERSION_SUFFIX using mage listContainers retag-with-suffix: docker-list ## Retag images discovered by 'mage listContainers' with VERSION_SUFFIX From 0479189fd5994780883ae01a18f0e243b8871c0d Mon Sep 17 00:00:00 2001 From: Ciprian Goea Date: Fri, 29 Aug 2025 16:16:13 +0300 Subject: [PATCH 5/6] Update Makefile Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- Makefile | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/Makefile b/Makefile index 975c859a2..fdc7db1ee 100644 --- a/Makefile +++ b/Makefile 
@@ -75,20 +75,20 @@ docker-push: ## Push Docker images to registry (ONLY_SERVICE or all SERVICES) us # Retag built images with VERSION_SUFFIX using mage listContainers retag-with-suffix: docker-list ## Retag images discovered by 'mage listContainers' with VERSION_SUFFIX - @set -euo pipefail; \ - echo "==> Retagging with suffix '$(VERSION_SUFFIX)'"; \ - images=$$(mage listContainers); \ - if [ -z "$$images" ]; then echo "No images from mage listContainers"; exit 0; fi; \ - echo "$$images" | while read -r line; do \ - # Expect 'repo:tag' in the first column; skip anything else - name_tag=$$(echo "$$line" | awk '{print $$1}'); \ - case "$$name_tag" in *:*) ;; *) echo "Skip: $$line"; continue ;; esac; \ - repo=$${name_tag%:*}; \ - tag=$${name_tag##*:}; \ - new_tag="$$tag$(VERSION_SUFFIX)"; \ - echo "Tagging $$repo:$$tag -> $$repo:$$new_tag"; \ - docker tag "$$repo:$$tag" "$$repo:$$new_tag"; \ - done + @set -euo pipefail; \ + echo "==> Retagging with suffix '$(VERSION_SUFFIX)'"; \ + images=$$(mage listContainers); \ + if [ -z "$$images" ]; then echo "No images from mage listContainers"; exit 0; fi; \ + echo "$$images" | while read -r line; do \ + # Expect 'repo:tag' in the first column; skip anything else + name_tag=$$(echo "$$line" | awk '{print $$1}'); \ + case "$$name_tag" in *:*) ;; *) echo "Skip: $$line"; continue ;; esac; \ + repo=$${name_tag%:*}; \ + tag=$${name_tag##*:}; \ + new_tag="$$tag$(VERSION_SUFFIX)"; \ + echo "Tagging $$repo:$$tag -> $$repo:$$new_tag"; \ + docker tag "$$repo:$$tag" "$$repo:$$new_tag"; \ + done # ------------------------------ # Helm helpers From 99544f9a90d22f4df1e071780de320422a032f63 Mon Sep 17 00:00:00 2001 From: Ciprian Goea Date: Fri, 29 Aug 2025 17:56:55 +0300 Subject: [PATCH 6/6] Update .github/workflows/lint-test-build-publish.yml Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- .github/workflows/lint-test-build-publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/lint-test-build-publish.yml b/.github/workflows/lint-test-build-publish.yml index 5da62b87e..d9befb760 100644 --- a/.github/workflows/lint-test-build-publish.yml +++ b/.github/workflows/lint-test-build-publish.yml @@ -63,7 +63,7 @@ jobs: run_helm_push: false version_suffix: "-pr-${{ github.event.number }}" trivy_config_path: ".trivy.yaml" - #trivy_image_skip: "${{ vars.TRIVY_IMAGE_SKIP }}" use if needed + # trivy_image_skip: "${{ vars.TRIVY_IMAGE_SKIP }}" # use if needed lint-go: permissions: