commit 87570569f06dd038dfa90a8f41d38cb29733a42b
Author: Stefan Reimer
Date: Tue Jan 18 23:46:48 2022 +0100
initial checkin
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..c009ffb
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,12 @@
+ARG DISTRO_VERSION="alpine"
+
+FROM golang:${DISTRO_VERSION} as builder
+
+RUN apk add --update git
+RUN git clone https://github.com/kuberenetes-learning-group/fuse-device-plugin.git --depth 1
+WORKDIR fuse-device-plugin
+RUN GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -ldflags "-s -w" .
+
+FROM scratch
+COPY --from=builder /go/fuse-device-plugin/fuse-device-plugin /fuse-device-plugin
+ENTRYPOINT ["/fuse-device-plugin", "--mounts_allowed", "5000"]
diff --git a/Jenkinsfile b/Jenkinsfile
new file mode 100644
index 0000000..a0fee82
--- /dev/null
+++ b/Jenkinsfile
@@ -0,0 +1,55 @@
+pipeline {
+ agent { node { label 'podman-aws-trivy' } }
+ stages {
+ stage('Prepare'){
+ steps {
+ // get tags
+ sh 'git fetch --tags ${GIT_URL} +refs/heads/${BRANCH_NAME}:refs/remotes/origin/${BRANCH_NAME}'
+ }
+ }
+
+ // Build using rootless podman
+ stage('Build'){
+ steps {
+ sh 'make build'
+ }
+ }
+
+ stage('Test'){
+ steps {
+ sh 'make test'
+ }
+ }
+
+ // Scan via trivy
+ stage('Scan'){
+ environment {
+ TRIVY_FORMAT = "template"
+ TRIVY_OUTPUT = "reports/trivy.html"
+ }
+ steps {
+ sh 'mkdir -p reports'
+ sh 'make scan'
+ publishHTML target : [
+ allowMissing: true,
+ alwaysLinkToLastBuild: true,
+ keepAll: true,
+ reportDir: 'reports',
+ reportFiles: 'trivy.html',
+ reportName: 'TrivyScan',
+ reportTitles: 'TrivyScan'
+ ]
+
+ // Scan again and fail on CRITICAL vulns
+ sh 'TRIVY_EXIT_CODE=1 TRIVY_SEVERITY=CRITICAL make scan'
+ }
+ }
+
+ // Push to ECR
+ stage('Push'){
+ steps {
+ sh 'make push'
+ }
+ }
+ }
+}
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..e08cf7b
--- /dev/null
+++ b/Makefile
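Review bot: `RUN git clone https://github.com/kuberenetes-learning-group/fuse-device-plugin.git --depth 1` builds whatever the upstream default branch points at when the image is built, so the same commit of this repo yields different binaries over time and any change pushed upstream, accidental or malicious, lands in the published plugin without review. Pin the source to a known revision: `ARG PLUGIN_REF=<pinned tag>` above the clone and `RUN git clone --branch "${PLUGIN_REF}" --depth 1 https://github.com/kuberenetes-learning-group/fuse-device-plugin.git`. The `golang:${DISTRO_VERSION}` builder is a floating tag for the same reason; pinning it by digest (`golang:<tag>@sha256:<digest>`) would make the build reproducible end to end. Since the final stage is `FROM scratch` the runtime surface is already minimal, so pinning the inputs is the main remaining supply-chain gap.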
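Review bot: The `Push` stage has no `when` condition, so every branch build that survives the scan runs `make push`, which per the Makefile hunk in this commit re-tags and publishes the public `:latest` tag alongside `$(TAG)`; a guard such as `when { buildingTag() }` or `when { branch 'main' }` on the stage would keep feature-branch images from overwriting the public default tag. In the `Scan` stage `TRIVY_FORMAT = "template"` is set without a `TRIVY_TEMPLATE`, and as far as I can tell trivy needs a template path for that format, so unless the `podman-aws-trivy` agent supplies one the first scan may not produce `reports/trivy.html`; with `allowMissing: true` that would pass silently rather than fail the build. Setting `TRIVY_TEMPLATE` explicitly next to the other two variables, or switching to `allowMissing: false`, would make a missing report fail loudly.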
@@ -0,0 +1,32 @@
+REGISTRY := public.ecr.aws/zero-downtime
+REPOSITORY := fuse-device-plugin
+REGION := us-east-1
+
+# Parse version from latest git semver tag
+GTAG=$(shell git describe --tags --match v*.*.* 2>/dev/null || git rev-parse --short HEAD 2>/dev/null || echo "unknown")
+TAG ?= $(shell echo $(GTAG) | awk -F '-' '{ print $$1 "-" $$2 }' | sed -e 's/-$$//')
+
+ifeq ($(TRIVY_REMOTE),)
+ TRIVY_OPTS := image
+else
+ TRIVY_OPTS := client --remote ${TRIVY_REMOTE}
+endif
+
+.PHONY: build push scan test
+
+all: build
+
+build:
+ podman build --rm --squash-all -t $(REPOSITORY):$(TAG) -t $(REPOSITORY):latest .
+
+push:
+ aws ecr-public get-login-password --region $(REGION) | podman login --username AWS --password-stdin $(REGISTRY)
+ podman tag $(REPOSITORY):latest $(REGISTRY)/$(REPOSITORY):$(TAG) $(REGISTRY)/$(REPOSITORY):latest
+ podman push $(REGISTRY)/$(REPOSITORY):$(TAG)
+ podman push $(REGISTRY)/$(REPOSITORY):latest
+
+scan:
+ trivy $(TRIVY_OPTS) $(REPOSITORY):$(TAG)
+
+test:
+ @echo "Not implemented (yet)"
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..b0dff4a
--- /dev/null
+++ b/README.md
@@ -0,0 +1,7 @@
+# fuse-device-plugin
+
+Public ECR repo: https://gallery.ecr.aws/zero-downtime/fuse-device-plugin
+
+# Resources
+- https://github.com/kuberenetes-learning-group/fuse-device-plugin
+- https://flavio.castelli.me/2020/09/16/build-multi-architecture-container-images-using-kubernetes/
diff --git a/test-pod.yaml b/test-pod.yaml
new file mode 100644
index 0000000..cbd7854
--- /dev/null
+++ b/test-pod.yaml
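Review bot: `GTAG=$(shell git describe …)` and `TAG ?= $(shell echo $(GTAG) | awk …)` are recursively expanded, so the `git describe`/`awk`/`sed` pipeline re-runs on every reference to `$(TAG)` — once in `build`, three times in `push`, once in `scan` — and if the git state changes mid-run the tag pushed can differ from the one tagged. Use simple expansion: `GTAG := $(shell git describe --tags --match v*.*.* 2>/dev/null || git rev-parse --short HEAD 2>/dev/null || echo "unknown")` and add `TAG := $(TAG)` after the `?=` line, which freezes the derived value while a command-line `TAG=` still takes precedence. `all` is missing from `.PHONY: build push scan test`; `.PHONY: all build push scan test` prevents a stray file named `all` from turning the default goal into a no-op. The registry password in `push` is passed via `--password-stdin`, which correctly keeps it out of the process list; the `podman tag …:latest` on every push is the same publish-on-any-branch concern raised on the Jenkinsfile.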
@@ -0,0 +1,33 @@
+# Once pod is running:
+# kubectl -n NAME-SPACE-TO-TEST exec -it pod/POD_NAME /bin/sh
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: podman
+ labels:
+ app: podman
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: podman
+ template:
+ metadata:
+ labels:
+ app: podman
+ # can be removed once the podman upstream AppArmor profile is fixed / allows mount syscall
+ annotations:
+ container.apparmor.security.beta.kubernetes.io/podman: unconfined
+ spec:
+ containers:
+ - name: podman
+ image: public.ecr.aws/zero-downtime/jenkins-podman:latest
+ command:
+ - podman
+ args:
+ - "system"
+ - "info"
+ resources:
+ limits:
+ github.com/fuse: 1
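Review bot: The container's command `podman system info` exits as soon as it has printed, and a Deployment only permits `restartPolicy: Always`, so the pod will cycle through Completed and restarts rather than stay up for the `kubectl … exec` the header comment describes. For an interactive test pod either give the container a long-running command (e.g. `command: ["sleep", "infinity"]`, assuming the image ships it) and run the `podman system info` check via exec, or make it a `kind: Pod` with `restartPolicy: Never`. `image: public.ecr.aws/zero-downtime/jenkins-podman:latest` is a floating tag; a digest-pinned reference would make the test reproducible. The `unconfined` AppArmor annotation is already explained by the comment above it; extending that comment with its scope, `# unconfined disables the AppArmor profile for this container only; drop once upstream allows mount`, makes the trade-off visible to whoever copies this manifest.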