Merge pull request 'Configure Renovate' (#1) from renovate/configure into master

Reviewed-on: #1

.ci/podman.mk

@@ -1,64 +1,85 @@
 # Parse version from latest git semver tag
-GTAG=$(shell git describe --tags --match v*.*.* 2>/dev/null || git rev-parse --short HEAD 2>/dev/null)
-TAG ?= $(shell echo $(GTAG) | awk -F '-' '{ print $$1 "-" $$2 }' | sed -e 's/-$$//')
+GIT_BRANCH ?= $(shell git rev-parse --abbrev-ref HEAD 2>/dev/null)
+GIT_TAG := $(shell git describe --tags --match v*.*.* 2>/dev/null || git rev-parse --short HEAD 2>/dev/null)
 
-# EXTRA_TAGS supposed to be set at the caller, eg. $(shell echo $(TAG) | awk -F '.' '{ print $$1 "." $$2 }')
-
-ifeq ($(TRIVY_REMOTE),)
-  TRIVY_OPTS := image
-else
-  TRIVY_OPTS := client --remote ${TRIVY_REMOTE}
+# append branch name to tag if NOT main nor master
+TAG := $(GIT_TAG)
+ifeq (,$(filter main master, $(GIT_BRANCH)))
+	ifneq ($(GIT_TAG), $(GIT_BRANCH))
+		TAG = $(GIT_TAG)-$(GIT_BRANCH)
+	endif
 endif
 
-.PHONY: build test scan push clean
+# optionally set by the caller
+EXTRA_TAGS :=
 
-all: test
+ARCH := amd64
+ALL_ARCHS := amd64 arm64
+_ARCH = $(or $(filter $(ARCH),$(ALL_ARCHS)),$(error $$ARCH [$(ARCH)] must be exactly one of "$(ALL_ARCHS)"))
 
-build:
-	@docker image exists $(REGISTRY)/$(IMAGE):$(TAG) || \
-		docker build --rm -t $(REGISTRY)/$(IMAGE):$(TAG) --build-arg TAG=$(TAG) .
+ifneq ($(TRIVY_REMOTE),)
+	TRIVY_OPTS := --server $(TRIVY_REMOTE)
+endif
 
-test: build rm-test-image
-	@test -f Dockerfile.test && \
-		{ docker build --rm -t $(REGISTRY)/$(IMAGE):$(TAG)-test --from=$(REGISTRY)/$(IMAGE):$(TAG) -f Dockerfile.test . && \
-			docker run --rm --env-host -t $(REGISTRY)/$(IMAGE):$(TAG)-test; } || \
+.SILENT: ; # no need for @
+.ONESHELL: ; # recipes execute in same shell
+.NOTPARALLEL: ; # wait for this target to finish
+.EXPORT_ALL_VARIABLES: ; # send all vars to shell
+.PHONY: all # All targets are accessible for user
+.DEFAULT: help # Running Make will run the help target
+
+help: ## Show Help
+	grep -E '^[a-zA-Z_-]+:.*?## .*$$' .ci/podman.mk | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'
+
+build: ## Build the app
+	buildah build --rm --layers -t $(IMAGE):$(TAG)-$(_ARCH) --build-arg TAG=$(TAG) --build-arg ARCH=$(_ARCH) --platform linux/$(_ARCH) .
+
+test: rm-test-image ## Execute Dockerfile.test
+	test -f Dockerfile.test && \
+		{ buildah build --rm --layers -t $(REGISTRY)/$(IMAGE):$(TAG)-test --from=$(REGISTRY)/$(IMAGE):$(TAG) -f Dockerfile.test --platform linux/$(_ARCH) . && \
+			podman run --rm --env-host -t $(REGISTRY)/$(IMAGE):$(TAG)-$(_ARCH)-test; } || \
 		echo "No Dockerfile.test found, skipping test"
 
-scan: build
-	@echo "Scanning $(REGISTRY)/$(IMAGE):$(TAG) using Trivy"
-	@trivy $(TRIVY_OPTS) $(REGISTRY)/$(IMAGE):$(TAG)
+scan: ## Scan image using trivy
+	echo "Scanning $(IMAGE):$(TAG)-$(_ARCH) using Trivy $(TRIVY_REMOTE)"
+	trivy image $(TRIVY_OPTS) localhost/$(IMAGE):$(TAG)-$(_ARCH)
 
-push: build
-	@aws ecr-public get-login-password --region $(REGION) | docker login --username AWS --password-stdin $(REGISTRY)
-	@for t in $(TAG) latest $(EXTRA_TAGS); do echo "tag and push: $$t"; docker tag $(IMAGE):$(TAG) $(REGISTRY)/$(IMAGE):$$t && docker push $(REGISTRY)/$(IMAGE):$$t; done
+# first tag and push all actual images
+# create new manifest for each tag and add all available TAG-ARCH before pushing
+push: ecr-login ## push images to registry
+	for t in $(TAG) latest $(EXTRA_TAGS); do \
+		echo "Tagging image with $(REGISTRY)/$(IMAGE):$${t}-$(ARCH)"
+		buildah tag $(IMAGE):$(TAG)-$(_ARCH) $(REGISTRY)/$(IMAGE):$${t}-$(_ARCH); \
+		buildah manifest rm $(IMAGE):$$t || true; \
+		buildah manifest create $(IMAGE):$$t; \
+		for a in $(ALL_ARCHS); do \
+			buildah manifest add $(IMAGE):$$t $(REGISTRY)/$(IMAGE):$(TAG)-$$a; \
+		done; \
+		echo "Pushing manifest $(IMAGE):$$t"
+		buildah manifest push --all $(IMAGE):$$t docker://$(REGISTRY)/$(IMAGE):$$t; \
+	done
 
-clean: rm-test-image rm-image
+ecr-login: ## log into AWS ECR public
+	aws ecr-public get-login-password --region $(REGION) | podman login --username AWS --password-stdin $(REGISTRY)
 
-# Delete all untagged images
-.PHONY: rm-remote-untagged
-rm-remote-untagged:
-	@echo "Removing all untagged images from $(IMAGE) in $(REGION)"
-	@aws ecr-public batch-delete-image --repository-name $(IMAGE) --region $(REGION) --image-ids $$(for image in $$(aws ecr-public describe-images --repository-name $(IMAGE) --region $(REGION) --output json | jq -r '.imageDetails[] | select(.imageTags | not ).imageDigest'); do echo -n "imageDigest=$$image "; done)
+clean: rm-test-image rm-image ## delete local built container and test images
+
+rm-remote-untagged: ## delete all remote untagged images
+	echo "Removing all untagged images from $(IMAGE) in $(REGION)"
+	IMAGE_IDS=$$(for image in $$(aws ecr-public describe-images --repository-name $(IMAGE) --region $(REGION) --output json | jq -r '.imageDetails[] | select(.imageTags | not ).imageDigest'); do echo -n "imageDigest=$$image "; done) ; \
+		[ -n "$$IMAGE_IDS" ] && aws ecr-public batch-delete-image --repository-name $(IMAGE) --region $(REGION) --image-ids $$IMAGE_IDS || echo "No image to remove"
 
-.PHONY: rm-image
 rm-image:
-	@test -z "$$(docker image ls -q $(IMAGE):$(TAG))" || docker image rm -f $(IMAGE):$(TAG) > /dev/null
-	@test -z "$$(docker image ls -q $(IMAGE):$(TAG))" || echo "Error: Removing image failed"
+	test -z "$$(podman image ls -q $(IMAGE):$(TAG)-$(_ARCH))" || podman image rm -f $(IMAGE):$(TAG)-$(_ARCH) > /dev/null
+	test -z "$$(podman image ls -q $(IMAGE):$(TAG)-$(_ARCH))" || echo "Error: Removing image failed"
 
 # Ensure we run the tests by removing any previous runs
-.PHONY: rm-test-image
 rm-test-image:
-	@test -z "$$(docker image ls -q $(IMAGE):$(TAG)-test)" || docker image rm -f $(IMAGE):$(TAG)-test > /dev/null
-	@test -z "$$(docker image ls -q $(IMAGE):$(TAG)-test)" || echo "Error: Removing test image failed"
+	test -z "$$(podman image ls -q $(IMAGE):$(TAG)-$(_ARCH)-test)" || podman image rm -f $(IMAGE):$(TAG)-$(_ARCH)-test > /dev/null
+	test -z "$$(podman image ls -q $(IMAGE):$(TAG)-$(_ARCH)-test)" || echo "Error: Removing test image failed"
 
-# Convience task during dev of downstream projects
-.PHONY: ci-pull-upstream
-ci-pull-upstream:
+ci-pull-upstream: ## pull latest shared .ci subtree
 	git stash && git subtree pull --prefix .ci ssh://git@git.zero-downtime.net/ZeroDownTime/ci-tools-lib.git master --squash && git stash pop
 
-.PHONY: create-repo
-create-repo:
+create-repo: ## create new AWS ECR public repository
 	aws ecr-public create-repository --repository-name $(IMAGE) --region $(REGION)
-
-.DEFAULT:
-	@echo "$@ not implemented. NOOP"

.ci/vars/buildPodman.groovy

@@ -7,12 +7,14 @@ def call(Map config=[:]) {
           label 'podman-aws-trivy'
         }
       }
-
       stages {
         stage('Prepare') {
-          // get tags
           steps {
-            sh 'git fetch -q --tags ${GIT_URL} +refs/heads/${BRANCH_NAME}:refs/remotes/origin/${BRANCH_NAME}'
+            // pull tags
+            withCredentials([gitUsernamePassword(credentialsId: 'gitea-jenkins-user')]) {
+              sh 'git fetch -q --tags ${GIT_URL}'
+            }
+            sh 'make prepare || true'
           }
         }
 
@@ -36,8 +38,7 @@ def call(Map config=[:]) {
             TRIVY_OUTPUT = "reports/trivy.html"
           }
           steps {
-            sh 'mkdir -p reports'
-            sh 'make scan'
+            sh 'mkdir -p reports && make scan'
             publishHTML target: [
               allowMissing: true,
               alwaysLinkToLastBuild: true,
@@ -59,8 +60,9 @@ def call(Map config=[:]) {
           }
         }
 
-        // Push to ECR
+        // Push to container registry, skip if PR
         stage('Push') {
+          when { not { changeRequest() } }
           steps {
             sh 'make push'
           }

Dockerfile

@@ -1,4 +1,4 @@
-ARG ALPINE_VERSION=3.16
+ARG ALPINE_VERSION=3.17
 
 FROM alpine:${ALPINE_VERSION}
 ARG ALPINE_VERSION
@@ -12,7 +12,7 @@ RUN cd /etc/apk/keys && \
     apk upgrade -U --available --no-cache && \
     apk add --no-cache \
       openvpn \
-      nftables \
+      iptables \
       bash \
       easy-rsa \
       openvpn-auth-pam \
@@ -25,7 +25,8 @@ RUN cd /etc/apk/keys && \
 ENV OPENVPN=/etc/openvpn
 ENV EASYRSA=/usr/share/easy-rsa \
     EASYRSA_CRL_DAYS=3650 \
-    EASYRSA_PKI=$OPENVPN/pki
+    EASYRSA_PKI=$OPENVPN/pki \
+    EASYRSA_SILENT=1
 
 VOLUME ["/etc/openvpn"]
 

Jenkinsfile

@@ -0,0 +1,5 @@
+library identifier: 'zdt-lib@master', retriever: modernSCM(
+  [$class: 'GitSCMSource',
+   remote: 'https://git.zero-downtime.net/ZeroDownTime/ci-tools-lib.git'])
+
+buildPodman name: 'zdt-openvpn'

bin/ovpn_create_client

@@ -25,9 +25,12 @@ if [ -f "$EASYRSA_PKI/issued/${cn}.crt" ]; then
   exit 1
 fi
 
-easyrsa build-client-full "$cn" nopass 1>/dev/null 2>&1
+cat << EOF | easyrsa build-client-full "$cn" nopass
+yes
+EOF
 
 # Generate OpenVPN users via google authenticator
+mkdir -p /etc/openvpn/otp
 
 # Skip confirmation if not running in interctive mode. Essential for integration tests.
 google-authenticator --time-based --disallow-reuse --force --rate-limit=3 --rate-time=30 --window-size=3 \

bin/ovpn_create_server

@@ -6,6 +6,8 @@
 
 if [ "$DEBUG" == "1" ]; then
   set -x
+else
+  exec 2> /dev/null
 fi
 
 set -e
@@ -15,7 +17,9 @@ mkdir -p $OPENVPN/pki/reqs $OPENVPN/pki/issued $OPENVPN/pki/certs_by_serial $OPE
 touch $OPENVPN/otp/_empty $OPENVPN/ccd/_empty
 
 # Finally generate server cert
-easyrsa build-server-full "$1" nopass
+cat << EOF | easyrsa build-server-full "$1" nopass
+yes
+EOF
 
 # write server FQDN
 echo "$1" > $OPENVPN/server

bin/ovpn_initpki

@@ -6,6 +6,8 @@
 
 if [ "$DEBUG" == "1" ]; then
   set -x
+else
+  exec 2> /dev/null
 fi
 
 set -e
@@ -20,3 +22,5 @@ easyrsa gen-dh
 openvpn --genkey secret $EASYRSA_PKI/ta.key
 
 easyrsa gen-crl
+
+echo "Successfully bootstrapped PKI"

renovate.json

@@ -0,0 +1,9 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:recommended",
+    ":label(renovate)",
+    ":semanticCommits"
+  ],
+  "prHourlyLimit": 0
+}