Merge pull request #114 from csoylu/108-create-one-dockerfile-per-app

v0lkan · web-flow · commit a41711c7c309 · 2025-03-09T14:07:58.000-07:00
create one dockerfile per app
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -57,10 +57,6 @@ jobs:
           fetch-depth: 0
       - name: Set up Go
         uses: actions/setup-go@v5
-        with:
-          go-version-file: 'go.mod'
-          # Specify a compatible Go version for linting
-          # go-version: '1.23'
       - name: golangci-lint
         uses: golangci/golangci-lint-action@v6
         with:
diff --git a/.github/workflows/dockerhub.yaml b/.github/workflows/dockerhub.yaml
@@ -0,0 +1,113 @@
+name: Build and Push to Docker Hub
+
+on:
+  release:
+    types: [published]
+
+env:
+  # Use docker.io for Docker Hub if empty
+  REGISTRY: docker.io
+  # github.repository as <account>/<repo>
+  IMAGE_NAME: ${{ github.repository }}
+  DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
+  COSIGN_EXPERIMENTAL: 1
+  DOCKER_CONTENT_TRUST: 1
+  DOCKER_CONTENT_TRUST_SERVER: https://notary.docker.io
+
+jobs:
+  docker:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        include:
+          - dockerfile: kubernetes/dockerfiles/spike.Dockerfile
+            image: spike/spike
+          - dockerfile: kubernetes/dockerfiles/keeper.Dockerfile
+            image: spike/keeper
+          - dockerfile: kubernetes/dockerfiles/nexus.Dockerfile
+            image: spike/nexus
+    permissions:
+      contents: read
+      packages: write
+      id-token: write # needed for signing the images with GitHub OIDC Token
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.release.tag_name }}
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Install cosign
+        uses: sigstore/cosign-installer@v3.3.0
+
+      # Setup Docker Content Trust keys
+      - name: Setup DCT
+        if: github.event_name == 'release'
+        env:
+          DCT_DELEGATION_KEY: ${{ secrets.DCT_DELEGATION_KEY }}
+          DCT_ROOT_KEY: ${{ secrets.DCT_ROOT_KEY }}
+        run: |
+          mkdir -p ~/.docker/trust/private
+          echo "$DCT_DELEGATION_KEY" > ~/.docker/trust/private/$(echo -n "${{ env.REGISTRY }}/${{ matrix.image }}" | sha256sum | cut -d' ' -f1).key
+          echo "$DCT_ROOT_KEY" > ~/.docker/trust/private/root_keys
+
+      # Login to Docker Hub
+      - name: Log in to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      # Extract metadata (tags, labels) for Docker
+      - name: Extract metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ matrix.image }}
+          tags: |
+            type=semver,pattern={{version}},value=${{ github.event.release.tag_name }}
+            type=semver,pattern={{major}}.{{minor}},value=${{ github.event.release.tag_name }}
+            type=raw,value=latest
+            type=sha
+        # example tags in order: 1.2.3, 1.2, latest, sha-1234567890(git commit sha)
+
+      # Build and push Docker image
+      - name: Build and push
+        uses: docker/build-push-action@v5
+        id: build-and-push
+        with:
+          context: .
+          file: ${{ matrix.dockerfile }}
+          platforms: linux/amd64,linux/arm64
+          push: ${{ github.event_name == 'release' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=registry,ref=${{ env.REGISTRY }}/${{ matrix.image }}:buildcache
+          cache-to: type=registry,ref=${{ env.REGISTRY }}/${{ matrix.image }}:buildcache,mode=max
+          provenance: mode=max
+
+      - name: Sign the images with GitHub OIDC (Cosign)
+        if: github.event_name == 'release'
+        env:
+          DIGEST: ${{ steps.build-and-push.outputs.digest }}
+          TAGS: ${{ steps.meta.outputs.tags }}
+        run: |
+          echo "${TAGS}" | tr ',' '\n' | while read -r tag; do
+            cosign sign --yes "${tag}@${DIGEST}"
+          done
+
+      - name: Sign the images with DCT
+        if: github.event_name == 'release'
+        env:
+          DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ secrets.DCT_REPOSITORY_PASSPHRASE }}
+          TAGS: ${{ steps.meta.outputs.tags }}
+        run: |
+          echo "${TAGS}" | tr ',' '\n' | while read -r tag; do
+            docker trust sign "$tag"
+          done
diff --git a/Dockerfile b/Dockerfile
diff --git a/kubernetes/README.MD b/kubernetes/README.MD
@@ -0,0 +1,65 @@
+# SPIKE Kubernetes Resources
+
+This directory contains container and deployment-related files for the SPIKE project.
+
+## Directory Structure
+
+- `./dockerfiles/` - Contains Dockerfiles for all SPIKE components
+- `./build.sh` - Build script used by Dockerfiles for cross-compilation
+
+## Building Container Images
+
+### Basic Build
+
+To build a SPIKE component container image:
+
+```bash
+# General syntax
+docker build -t <component-name>:tag -f kubernetes/dockerfiles/<component-name>.Dockerfile .
+
+# Examples
+docker build -t keeper:latest -f kubernetes/dockerfiles/keeper.Dockerfile .
+docker build -t nexus:latest -f kubernetes/dockerfiles/nexus.Dockerfile .
+docker build -t spike:latest -f kubernetes/dockerfiles/spike.Dockerfile .
+```
+
+### Multi-Architecture Builds with Docker Buildx
+
+For building multi-architecture images (e.g., for both amd64 and arm64):
+
+```bash
+# Create a new builder instance if you haven't already
+docker buildx create --name spike-builder --use
+
+# Build and push multi-arch image
+docker buildx build --platform linux/amd64,linux/arm64 \
+  -t <registry>/<component-name>:tag \
+  -f kubernetes/dockerfiles/<component-name>.Dockerfile \
+  --push .
+
+# Example for building and pushing to Docker Hub
+docker buildx build --platform linux/amd64,linux/arm64 \
+  -t yourusername/spike-keeper:latest \
+  -f kubernetes/dockerfiles/keeper.Dockerfile \
+  --push .
+```
+
+## Running Containers
+
+```bash
+# Run with debug logging
+docker run --rm -e SPIKE_SYSTEM_LOG_LEVEL=DEBUG keeper:latest
+
+# Run with mounted configuration
+docker run --rm -v /path/to/config:/config nexus:latest
+```
+
+## Kubernetes Deployment
+
+Sample Kubernetes manifests for deploying SPIKE components will be added in future releases.
+
+## Notes
+
+- All Dockerfiles use distroless base images for minimal attack surface
+- The keeper and spike components use the static distroless image
+- The nexus component uses the base distroless image due to CGO dependencies
diff --git a/kubernetes/build.sh b/kubernetes/build.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+set -e
+
+# Check if both arguments are provided
+if [ $# -ne 2 ]; then
+    echo "Usage: $0 <arch> <app>"
+    echo "  arch: amd64 or arm64"
+    echo "  app: application name"
+    exit 1
+fi
+
+TARGETARCH=$1
+APP=$2
+
+if [ "$TARGETARCH" = "amd64" ]; then
+    CC=x86_64-linux-gnu-gcc go build -o $APP /workspace/app/$APP/cmd/main.go
+elif [ "$TARGETARCH" = "arm64" ]; then
+    CC=aarch64-linux-gnu-gcc go build -o $APP /workspace/app/$APP/cmd/main.go
+else
+    echo "Error: Supported architectures are amd64 and arm64"
+    exit 1
+fi
diff --git a/kubernetes/dockerfiles/keeper.Dockerfile b/kubernetes/dockerfiles/keeper.Dockerfile
@@ -0,0 +1,39 @@
+FROM --platform=$BUILDPLATFORM golang:1.24.1 AS builder
+ARG BUILDPLATFORM
+ARG TARGETPLATFORM
+ARG TARGETOS
+ARG TARGETARCH
+
+ENV GOOS=$TARGETOS \
+    GOARCH=$TARGETARCH \
+    GOEXPERIMENT=boringcrypto \
+    CGO_ENABLED=0
+
+WORKDIR /workspace
+
+# Install cross-compilation tools
+RUN apt-get update && apt-get install -y \
+    gcc-x86-64-linux-gnu \
+    g++-x86-64-linux-gnu \
+    gcc-aarch64-linux-gnu \
+    g++-aarch64-linux-gnu \
+    libc6-dev-arm64-cross \
+    libc6-dev-amd64-cross
+
+
+# Download dependencies first (better layer caching)
+COPY go.mod go.sum ./
+RUN go mod download
+
+# Copy the app source code
+COPY . .
+
+# Build the app for the target architecture
+RUN echo "Building keeper on $BUILDPLATFORM targeting $TARGETPLATFORM"
+RUN ./kubernetes/build.sh ${TARGETARCH} keeper
+
+# Target distroless base image for CGO_ENABLED apps
+# This image includes a basic runtime environment with libc and other minimal dependencies
+FROM gcr.io/distroless/static AS keeper
+COPY --from=builder /workspace/keeper /keeper
+ENTRYPOINT ["/keeper"]
diff --git a/kubernetes/dockerfiles/nexus.Dockerfile b/kubernetes/dockerfiles/nexus.Dockerfile
@@ -0,0 +1,39 @@
+FROM --platform=$BUILDPLATFORM golang:1.24.1 AS builder
+ARG BUILDPLATFORM
+ARG TARGETPLATFORM
+ARG TARGETOS
+ARG TARGETARCH
+
+ENV GOOS=$TARGETOS \
+    GOARCH=$TARGETARCH \
+    GOEXPERIMENT=boringcrypto \
+    CGO_ENABLED=1
+
+WORKDIR /workspace
+
+# Install cross-compilation tools
+RUN apt-get update && apt-get install -y \
+    gcc-x86-64-linux-gnu \
+    g++-x86-64-linux-gnu \
+    gcc-aarch64-linux-gnu \
+    g++-aarch64-linux-gnu \
+    libc6-dev-arm64-cross \
+    libc6-dev-amd64-cross
+
+
+# Download dependencies first (better layer caching)
+COPY go.mod go.sum ./
+RUN go mod download
+
+# Copy the app source code
+COPY . .
+
+# Build the app for the target architecture
+RUN echo "Building nexus on $BUILDPLATFORM targeting $TARGETPLATFORM"
+RUN ./kubernetes/build.sh ${TARGETARCH} nexus
+
+# Target distroless base image for CGO_ENABLED apps
+# This image includes a basic runtime environment with libc and other minimal dependencies
+FROM gcr.io/distroless/base AS nexus
+COPY --from=builder /workspace/nexus /nexus
+ENTRYPOINT ["/nexus"]
diff --git a/kubernetes/dockerfiles/spike.Dockerfile b/kubernetes/dockerfiles/spike.Dockerfile
@@ -0,0 +1,39 @@
+FROM --platform=$BUILDPLATFORM golang:1.24.1 AS builder
+ARG BUILDPLATFORM
+ARG TARGETPLATFORM
+ARG TARGETOS
+ARG TARGETARCH
+
+ENV GOOS=$TARGETOS \
+    GOARCH=$TARGETARCH \
+    GOEXPERIMENT=boringcrypto \
+    CGO_ENABLED=0
+
+WORKDIR /workspace
+
+# Install cross-compilation tools
+RUN apt-get update && apt-get install -y \
+    gcc-x86-64-linux-gnu \
+    g++-x86-64-linux-gnu \
+    gcc-aarch64-linux-gnu \
+    g++-aarch64-linux-gnu \
+    libc6-dev-arm64-cross \
+    libc6-dev-amd64-cross
+
+
+# Download dependencies first (better layer caching)
+COPY go.mod go.sum ./
+RUN go mod download
+
+# Copy the app source code
+COPY . .
+
+# Build the app for the target architecture
+RUN echo "Building spike on $BUILDPLATFORM targeting $TARGETPLATFORM"
+RUN ./kubernetes/build.sh ${TARGETARCH} spike
+
+# Target distroless base image for CGO_ENABLED apps
+# This image includes a basic runtime environment with libc and other minimal dependencies
+FROM gcr.io/distroless/static AS spike
+COPY --from=builder /workspace/spike /spike
+ENTRYPOINT ["/spike"]
