Merge pull request #21 from Conjur-Enterprise/add-redhat-image

CNJR-3715: Add Redhat image and publishing

CHANGELOG.md

@@ -10,16 +10,13 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 - Nothing should go in this section, please add to the latest unreleased version
   (and update the corresponding date), or add a new version.
 
-## [0.1.0] - 2023-01-18
-
-### Fixed
-- Fixed an error in Provider termination which prevented the socket used to
-  connect to the Secrets Store CSI Driver from being closed and removed.
-  [Conjur-Enterprise/conjur-k8s-csi-provider#19](https://github.cyberng.com/Conjur-Enterprise/conjur-k8s-csi-provider/pull/19)
+## [0.0.3] - 2023-02-16
 
 ### Added
-- Added additional logging to gRPC and HTTP servers.
-  [Conjur-Enterprise/conjur-k8s-csi-provider#19](https://github.cyberng.com/Conjur-Enterprise/conjur-k8s-csi-provider/pull/19)
+- Include a Redhat UBI9 based Docker image.
+  [Conjur-Enterprise/conjur-k8s-csi-provider#21](https://github.cyberng.com/Conjur-Enterprise/conjur-k8s-csi-provider/pull/21)
+
+### Fixed
 - Helm chart allows for customizing Provider container's `securityContext`.
   [Conjur-Enterprise/conjur-k8s-csi-provider#19](https://github.cyberng.com/Conjur-Enterprise/conjur-k8s-csi-provider/pull/19)
 - Provider and Helm chart support customizable socket directory path and health
@@ -29,6 +26,18 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 ### Changed
 - Docker image now built from Alpine base image.
   [Conjur-Enterprise/conjur-k8s-csi-provider#19](https://github.cyberng.com/Conjur-Enterprise/conjur-k8s-csi-provider/pull/19)
+  [Conjur-Enterprise/conjur-k8s-csi-provider#20](https://github.cyberng.com/Conjur-Enterprise/conjur-k8s-csi-provider/pull/20)
+
+## [0.0.2] - 2023-01-22
+
+### Fixed
+- Fixed an error in Provider termination which prevented the socket used to
+  connect to the Secrets Store CSI Driver from being closed and removed.
+  [Conjur-Enterprise/conjur-k8s-csi-provider#19](https://github.cyberng.com/Conjur-Enterprise/conjur-k8s-csi-provider/pull/19)
+
+### Added
+- Added additional logging to gRPC and HTTP servers.
+  [Conjur-Enterprise/conjur-k8s-csi-provider#19](https://github.cyberng.com/Conjur-Enterprise/conjur-k8s-csi-provider/pull/19)
 
 ## [0.0.1] - 2023-12-26
 

Dockerfile

@@ -21,10 +21,44 @@ RUN go build -o /conjur-csi-provider ./cmd/conjur-k8s-csi-provider/main.go
 #############
 # RUN STAGE #
 #############
-FROM alpine:3.19.0
+FROM alpine:3.19.0 as conjur-k8s-csi-provider
 LABEL org.opencontainers.image.authors="CyberArk Software Ltd."
 LABEL id="conjur-k8s-csi-provider"
 
 COPY --from=builder /conjur-csi-provider /conjur-csi-provider
 
 ENTRYPOINT [ "/conjur-csi-provider" ]
+
+
+################
+# REDHAT IMAGE #
+################
+FROM registry.access.redhat.com/ubi9/ubi as conjur-k8s-csi-provider-redhat
+
+ARG VERSION
+
+LABEL org.opencontainers.image.authors="CyberArk Software Ltd."
+LABEL id="conjur-k8s-csi-provider"
+LABEL vendor="CyberArk"
+LABEL version="$VERSION"
+LABEL release="$VERSION"
+LABEL summary="Inject Conjur secrets into Kubernetes environments via Container Storage Interface volumes."
+LABEL description="Conjur's integration for the Kubernetes Secrets Store CSI Driver, which injects secrets into \
+Kubernetes environments via Container Storage Interface volumes."
+
+RUN yum -y distro-sync
+
+# Add a non-root user with permissions on the default socket dir.
+# NOTE: If deploying this image via the helm chart, the csi-provider
+# user will require special permissions on the host to access the
+# secrets-store-csi-provider socket directory which is volume mounted.
+RUN useradd -m csi-provider
+RUN mkdir -p /var/run/secrets-store-csi-providers /licenses
+RUN chown -R csi-provider:0 /var/run/secrets-store-csi-providers
+
+USER csi-provider
+
+ADD LICENSE /licenses
+COPY --from=builder /conjur-csi-provider /conjur-csi-provider
+
+ENTRYPOINT [ "/conjur-csi-provider" ]

Jenkinsfile

@@ -24,7 +24,7 @@ if (params.MODE == "PROMOTE") {
       export PATH="release-tools/bin:${PATH}"
       docker pull registry.tld/conjur-k8s-csi-provider:${sourceVersion}
       # Promote source version to target version.
-      bin/publish --promote --source ${sourceVersion} --target ${targetVersion}
+      summon bin/publish --promote --source ${sourceVersion} --target ${targetVersion}
     """
   }
 

bin/build

@@ -28,13 +28,22 @@ function build_docker_image() {
   echo "Building conjur-k8s-csi-provider:$FULL_VERSION_TAG Docker image"
 
   docker build \
+    --target "conjur-k8s-csi-provider" \
     --tag "conjur-k8s-csi-provider:dev" \
     --tag "conjur-k8s-csi-provider:${FULL_VERSION_TAG}" \
     --tag "conjur-k8s-csi-provider:latest" \
     .
 
   echo "---"
 
+  echo "Building conjur-k8s-csi-provider-redhat:$FULL_VERSION_TAG Docker image"
+
+  docker build \
+    --target conjur-k8s-csi-provider-redhat \
+    --build-arg VERSION="$FULL_VERSION_TAG" \
+    --tag "conjur-k8s-csi-provider-redhat:${FULL_VERSION_TAG}" \
+    --tag "conjur-k8s-csi-provider-redhat:latest" \
+    .
 }
 
 main

bin/poc

@@ -32,6 +32,7 @@ helm repo update
 docker pull cyberark/conjur-cli:8
 docker pull alpine:latest
 docker build -t conjur-csi-provider:latest \
+  --target conjur-k8s-csi-provider \
   --no-cache \
   -f Dockerfile \
   .

bin/publish

@@ -1,5 +1,3 @@
-
-
 #!/bin/bash
 
 set -e
@@ -62,21 +60,28 @@ while [[ $# -gt 0 ]]; do
   shift
 done
 
+readonly REDHAT_LOCAL_IMAGE="conjur-k8s-csi-provider-redhat"
 readonly IMAGE_NAME="conjur-k8s-csi-provider"
 readonly REGISTRY='cyberark'
 readonly LOCAL_REGISTRY='registry.tld'
+readonly REDHAT_REGISTRY="quay.io"
+readonly REDHAT_CERT_PID="65a80cc827baac6bf0816f1d"
 # Version derived from CHANGELOG and automated release library
 VERSION=$(<VERSION)
 readonly VERSION
 FULL_VERSION_TAG="$VERSION-$(git_tag)"
 readonly FULL_VERSION_TAG
 
+REDHAT_REMOTE_IMAGE="${REDHAT_REGISTRY}/redhat-isv-containers/${REDHAT_CERT_PID}"
+REDHAT_USER="redhat-isv-containers+${REDHAT_CERT_PID}-robot"
+
 if [[ ${PUBLISH_INTERNAL} = true ]]; then
   echo "Publishing built images internally to registry.tld."
   SOURCE_TAG=$FULL_VERSION_TAG
   REMOTE_TAG=$VERSION
 
   tag_and_push "${IMAGE_NAME}:${SOURCE_TAG}" "${LOCAL_REGISTRY}/${IMAGE_NAME}:${REMOTE_TAG}"
+  tag_and_push "${REDHAT_LOCAL_IMAGE}:${SOURCE_TAG}" "${LOCAL_REGISTRY}/${REDHAT_LOCAL_IMAGE}:${REMOTE_TAG}"
 fi
 
 if [[ ${PUBLISH_EDGE} = true ]]; then
@@ -114,6 +119,26 @@ if [[ ${PROMOTE} = true ]]; then
   for tag in "${TAGS[@]}" $(gen_versions "$REMOTE_TAG"); do
     echo "Tagging and pushing $REGISTRY/$IMAGE_NAME:$tag"
     tag_and_push "${LOCAL_REGISTRY}/$IMAGE_NAME:$SOURCE_TAG" "$REGISTRY/$IMAGE_NAME:$tag"
+    tag_and_push "${LOCAL_REGISTRY}/${REDHAT_LOCAL_IMAGE}:${SOURCE_TAG}" "$REGISTRY/${REDHAT_LOCAL_IMAGE}:$tag"
   done
 
+  # Publish only latest to Redhat Registries
+  echo "Tagging and pushing ${REDHAT_REMOTE_IMAGE} with tag ${REMOTE_TAG}"
+  docker tag "${LOCAL_REGISTRY}/${REDHAT_LOCAL_IMAGE}:${SOURCE_TAG}" "${REDHAT_REMOTE_IMAGE}:${REMOTE_TAG}"
+
+  # Publish RedHat image to RedHat Registry
+  if docker login "${REDHAT_REGISTRY}" -u "${REDHAT_USER}" -p "${REDHAT_API_KEY}"; then
+    # you can't push the same tag twice to redhat registry, so ignore errors
+    if ! docker push "${REDHAT_REMOTE_IMAGE}:${REMOTE_TAG}"; then
+      echo 'Red Hat push FAILED! (maybe the image was pushed already?)'
+      exit 0
+    fi
+
+    # scan image with preflight tool
+    scan_redhat_image "${REDHAT_REMOTE_IMAGE}:${REMOTE_TAG}" "${REDHAT_CERT_PID}"
+  else
+    echo 'Failed to log in to quay.io'
+    exit 1
+  fi
+
 fi

go.sum

@@ -3,6 +3,10 @@ github.com/alessio/shellescape v1.4.1/go.mod h1:PZAiSCk0LJaZkiCSkPv8qIobYglO3FPp
 github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d h1:xDfNPAt8lFiC1UJrqV3uuy861HCTo708pDMbjHHdCas=
 github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d/go.mod h1:6QX/PXZ00z/TKoufEY6K/a0k6AhaJrQKdFe6OfVXsa4=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
+github.com/cyberark/conjur-api-go v0.11.1 h1:vjaMkw0geJsA+ikMM6UDLg4VLFQWKo/B0i9IWlOQ1f0=
+github.com/cyberark/conjur-api-go v0.11.1/go.mod h1:n1p46Hj9l8wkZjM17cVYdfcatyPboWyioLGlC0QszCs=
+github.com/cyberark/conjur-authn-k8s-client v0.26.1 h1:eod150C7iBDXu1AdFF6si7RH93M0NKpt97qbgEKYWCA=
+github.com/cyberark/conjur-authn-k8s-client v0.26.1/go.mod h1:Jqbs1zWeaG2MY0jFNlmpGRKg3m5XqXBYVR2Kw88oXDk=
 github.com/danieljoos/wincred v1.1.2 h1:QLdCxFs1/Yl4zduvBdcHB8goaYk9RARS2SgLLRuAyr0=
 github.com/danieljoos/wincred v1.1.2/go.mod h1:GijpziifJoIBfYh+S7BbkdUTU4LfM+QnGqR5Vl2tAx0=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -15,18 +19,15 @@ github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg
 github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
-github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs=
-github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/sirupsen/logrus v1.8.1 h1:dJKuHgqk1NNQlqoA6BTlM1Wf9DOH3NBjQyu0h9+AZZE=
 github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.5.0 h1:1zr/of2m5FGMsad5YfcqgdqdWrIhu+EBEJRhR1U7z/c=
-github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
@@ -52,7 +53,6 @@ google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs
 google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20200902074654-038fdea0a05b h1:QRR6H1YWRnHb4Y/HeNFCTJLFVxaq6wH4YuVdsUOr75U=
-gopkg.in/check.v1 v1.0.0-20200902074654-038fdea0a05b/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

secrets.yml

@@ -0,0 +1 @@
+REDHAT_API_KEY: !var redhat/projects/conjur-k8s-csi-provider/api-key