initial checkin

Dockerfile

@@ -0,0 +1,12 @@
+ARG DISTRO_VERSION="alpine"
+
+FROM golang:${DISTRO_VERSION} as builder
+
+RUN apk add --update git
+RUN git clone https://github.com/kuberenetes-learning-group/fuse-device-plugin.git --depth 1
+WORKDIR fuse-device-plugin
+RUN GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -ldflags "-s -w" .
+
+FROM scratch
+COPY --from=builder /go/fuse-device-plugin/fuse-device-plugin /fuse-device-plugin
+ENTRYPOINT ["/fuse-device-plugin", "--mounts_allowed", "5000"]

Jenkinsfile

@@ -0,0 +1,55 @@
+pipeline {
+  agent { node { label 'podman-aws-trivy' } }
+  stages {
+    stage('Prepare'){
+        steps {
+	    // get tags
+            sh 'git fetch --tags ${GIT_URL} +refs/heads/${BRANCH_NAME}:refs/remotes/origin/${BRANCH_NAME}'
+        }
+    }
+
+    // Build using rootless podman
+    stage('Build'){
+        steps {
+            sh 'make build'
+        }
+    }
+
+    stage('Test'){
+        steps {
+            sh 'make test'
+        }
+    }
+
+    // Scan via trivy
+    stage('Scan'){
+        environment { 
+	    TRIVY_FORMAT = "template"
+	    TRIVY_OUTPUT = "reports/trivy.html"
+        }
+        steps {
+            sh 'mkdir -p reports'
+            sh 'make scan'
+            publishHTML target : [
+                allowMissing: true,
+                alwaysLinkToLastBuild: true,
+                keepAll: true,
+                reportDir: 'reports',
+                reportFiles: 'trivy.html',
+                reportName: 'TrivyScan',
+                reportTitles: 'TrivyScan'
+            ]
+
+            // Scan again and fail on CRITICAL vulns
+            sh 'TRIVY_EXIT_CODE=1 TRIVY_SEVERITY=CRITICAL make scan'
+        }
+    }
+
+    // Push to ECR
+    stage('Push'){
+        steps {
+            sh 'make push'
+        }
+    }
+  }
+}

Makefile

@@ -0,0 +1,32 @@
+REGISTRY := public.ecr.aws/zero-downtime
+REPOSITORY := fuse-device-plugin
+REGION := us-east-1
+
+# Parse version from latest git semver tag
+GTAG=$(shell git describe --tags --match v*.*.* 2>/dev/null || git rev-parse --short HEAD 2>/dev/null || echo "unknown")
+TAG ?= $(shell echo $(GTAG) | awk -F '-' '{ print $$1 "-" $$2 }' | sed -e 's/-$$//')
+
+ifeq ($(TRIVY_REMOTE),)
+        TRIVY_OPTS := image
+else
+        TRIVY_OPTS := client --remote ${TRIVY_REMOTE}
+endif
+
+.PHONY: build push scan test
+
+all: build
+
+build:
+	podman build --rm --squash-all -t $(REPOSITORY):$(TAG) -t $(REPOSITORY):latest .
+
+push:
+	aws ecr-public get-login-password --region $(REGION) | podman login --username AWS --password-stdin $(REGISTRY)
+	podman tag $(REPOSITORY):latest $(REGISTRY)/$(REPOSITORY):$(TAG) $(REGISTRY)/$(REPOSITORY):latest
+	podman push $(REGISTRY)/$(REPOSITORY):$(TAG)
+	podman push $(REGISTRY)/$(REPOSITORY):latest
+
+scan:
+	trivy $(TRIVY_OPTS) $(REPOSITORY):$(TAG)
+
+test:
+	@echo "Not implemented (yet)"

README.md

@@ -0,0 +1,7 @@
+# fuse-device-plugin
+
+Public ECR repo: https://gallery.ecr.aws/zero-downtime/fuse-device-plugin
+
+# Resources
+- https://github.com/kuberenetes-learning-group/fuse-device-plugin
+- https://flavio.castelli.me/2020/09/16/build-multi-architecture-container-images-using-kubernetes/

test-pod.yaml

@@ -0,0 +1,33 @@
+# Once pod is running:
+# kubectl -n NAME-SPACE-TO-TEST exec -it pod/POD_NAME /bin/sh 
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: podman
+  labels:
+    app: podman
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: podman
+  template:
+    metadata:
+      labels:
+        app: podman
+      # can be removed once the podman upstream AppArmor profile is fixed / allows mount syscall
+      annotations:
+        container.apparmor.security.beta.kubernetes.io/podman: unconfined
+    spec:
+      containers:
+      - name: podman
+        image: public.ecr.aws/zero-downtime/jenkins-podman:latest
+        command:
+          - podman
+        args:
+          - "system"
+          - "info"
+        resources:
+          limits:
+            github.com/fuse: 1