| 1 | +SHELL := /bin/bash |
| 2 | + |
| 3 | +IMAGE_TAG?=${IMAGE_REGISTRY}/coder/coder-${TEMPLATE_NAME}:${VERSION} |
| 4 | +REUSE_TEST_WORKSPACE?=false |
| 5 | + |
| 6 | +#BUILD_DIR given via variables.mk |
| 7 | +TEMPLATE_DIR=${WORKDIR}/template |
| 8 | +CONTAINER_BUILD_DIR=${WORKDIR}/container |
| 9 | +SECRETS_DIR=${WORKDIR}/secrets |
| 10 | +CODER_LIB_PATH=${BUILD_DIR}/make/coder-lib.sh |
| 11 | + |
| 12 | +RELEASE_DIR=${WORKDIR}/release |
| 13 | +MAKE_CHANGE_TOKEN_DIR=${RELEASE_DIR}/make |
| 14 | +CONTAINER_FILE?=${CONTAINER_BUILD_DIR}/Dockerfile |
| 15 | +CONTAINER_IMAGE_CHANGE_TOKEN?=${MAKE_CHANGE_TOKEN_DIR}/${TEMPLATE_NAME}_image_id.txt |
| 16 | +CONTAINER_IMAGE_TAR?=${RELEASE_DIR}/${TEMPLATE_NAME}.tar |
| 17 | +CONTAINER_IMAGE_TARGZ?=${RELEASE_DIR}/${TEMPLATE_NAME}.tar.gz |
| 18 | +CONTAINER_IMAGE_TRIVY_SCAN_JSON?=${RELEASE_DIR}/trivy.json |
| 19 | +CONTAINER_IMAGE_TRIVY_SCAN_TABLE?=${RELEASE_DIR}/trivy.txt |
| 20 | +CONTAINER_IMAGE_TRIVY_SCAN_CRITICAL_TABLE?=${RELEASE_DIR}/trivy_critical.txt |
| 21 | +CONTAINER_IMAGE_TRIVY_SCAN_CRITICAL_JSON?=${RELEASE_DIR}/trivy_critical.json |
| 22 | + |
| 23 | +IMAGE_REGISTRY?=registry.cloudogu.com |
| 24 | +IMAGE_REGISTRY_USER_FILE?=${SECRETS_DIR}/harbor-user |
| 25 | +IMAGE_REGISTRY_PW_FILE?=${SECRETS_DIR}/harbor-pw |
| 26 | + |
| 27 | +CHANGELOG_FILE=${WORKDIR}/CHANGELOG.md |
| 28 | +TEMPLATE_RELEASE_TAR_GZ=${RELEASE_DIR}/${TEMPLATE_NAME}-template.tar.gz |
| 29 | + |
| 30 | +TEST_WORKSPACE_PREFIX?=test-${TEMPLATE_NAME} |
| 31 | +CODER_USER?=$(shell . ${CODER_LIB_PATH} && getCoderUser) |
| 32 | + |
| 33 | +CONTAINER_BIN?=$(shell . ${CODER_LIB_PATH} && getContainerBin) |
| 34 | +GOPASS_BIN?=$(shell command -v gopass 2> /dev/null) |
| 35 | + |
| 36 | +EXCLUDED_TEMPLATE_FILES?=rich-parameters.yaml variables.yaml |
| 37 | + |
| 38 | + |
| 39 | +##@ Coder template development |
| 40 | + |
| 41 | +${SECRETS_DIR}: |
| 42 | + mkdir -p ${SECRETS_DIR} |
| 43 | + |
| 44 | +${IMAGE_REGISTRY_USER_FILE}: ${SECRETS_DIR} |
| 45 | +ifeq ($(ENVIRONMENT), local) |
| 46 | + @echo "Found developer environment. creating secret ${IMAGE_REGISTRY_USER_FILE}" |
| 47 | + @${GOPASS_BIN} show ces/websites/registry.cloudogu.com/robot_coder_jenkins | tail -n 1 | sed -e "s/^username: //" > ${IMAGE_REGISTRY_USER_FILE}; |
| 48 | +else |
| 49 | + @echo "Found CI environment. Please create secrets yourself" |
| 50 | +endif |
| 51 | + |
| 52 | +${IMAGE_REGISTRY_PW_FILE}: ${SECRETS_DIR} |
| 53 | +ifeq ($(ENVIRONMENT), local) |
| 54 | + @echo "Found developer environment. creating secret ${IMAGE_REGISTRY_PW_FILE}" |
| 55 | + @${GOPASS_BIN} show ces/websites/registry.cloudogu.com/robot_coder_jenkins | head -n 1 > ${IMAGE_REGISTRY_PW_FILE}; |
| 56 | +else |
| 57 | + @echo "Found CI environment. Please create secrets yourself" |
| 58 | +endif |
| 59 | + |
| 60 | +.PHONY: loadGopassSecrets |
| 61 | +loadGopassSecrets: ${IMAGE_REGISTRY_USER_FILE} ${IMAGE_REGISTRY_PW_FILE} ${ADDITIONAL_SECRETS_TARGET} ## load secrets from gopass into secret files, so that the build process works locally |
| 62 | + |
| 63 | +.PHONY: imageRegistryLogin |
| 64 | +imageRegistryLogin: loadGopassSecrets ${IMAGE_REGISTRY_USER_FILE} ${IMAGE_REGISTRY_PW_FILE} ## log in to the registry |
| 65 | + @${CONTAINER_BIN} login -u "$$(cat ${IMAGE_REGISTRY_USER_FILE})" --password-stdin '${IMAGE_REGISTRY}' < ${IMAGE_REGISTRY_PW_FILE} |
| 66 | + |
| 67 | +.PHONY: imageRegistryLogout |
| 68 | +imageRegistryLogout: ## log out of the registry |
| 69 | + @${CONTAINER_BIN} logout '${IMAGE_REGISTRY}' |
| 70 | + |
| 71 | +.PHONY: buildImage |
| 72 | +buildImage: buildImage-$(ENVIRONMENT) ## build the container image |
| 73 | + |
| 74 | +.PHONY: buildImage-local |
| 75 | +buildImage-local: imageRegistryLogin ${CONTAINER_IMAGE_CHANGE_TOKEN} ## build the container image locally |
| 76 | + @echo "if the build is not triggered without a change in the dockerfile, try to delete ${CONTAINER_IMAGE_CHANGE_TOKEN}" |
| 77 | + |
| 78 | +.PHONY: buildImage-ci |
| 79 | +buildImage-ci: ${CONTAINER_IMAGE_CHANGE_TOKEN} ## build the container image without automatic secret management |
| 80 | + |
| 81 | +${CONTAINER_IMAGE_CHANGE_TOKEN}: ${CONTAINER_FILE} |
| 82 | + @. ${CODER_LIB_PATH} && buildImage ${IMAGE_TAG} ${CONTAINER_BUILD_DIR} ${SECRETS_DIR} ${CONTAINER_BIN} |
| 83 | + @mkdir -p ${MAKE_CHANGE_TOKEN_DIR} |
| 84 | + @${CONTAINER_BIN} image ls --format="{{.ID}}" ${IMAGE_TAG} > ${CONTAINER_IMAGE_CHANGE_TOKEN} |
| 85 | + |
| 86 | +.PHONY: uploadTemplate |
| 87 | +uploadTemplate: ## upload template to coder server |
| 88 | + @. ${CODER_LIB_PATH} && uploadTemplate ${TEMPLATE_DIR} ${TEMPLATE_NAME} |
| 89 | + |
| 90 | +.PHONY: startTestWorkspace |
| 91 | +startTestWorkspace: ## start a test workspace with coder |
| 92 | + @. ${CODER_LIB_PATH} && startTestWorkspace ${CODER_USER} ${TEMPLATE_DIR} ${TEST_WORKSPACE_PREFIX} ${TEMPLATE_NAME} ${REUSE_TEST_WORKSPACE} |
| 93 | + |
| 94 | +.PHONY: createImageRelease |
| 95 | +createImageRelease: ${CONTAINER_IMAGE_TARGZ} ## export the container image as a tar.gz |
| 96 | + |
| 97 | +${CONTAINER_IMAGE_TAR}: ${CONTAINER_IMAGE_CHANGE_TOKEN} |
| 98 | + ${CONTAINER_BIN} save "${IMAGE_TAG}" -o ${CONTAINER_IMAGE_TAR} |
| 99 | + |
| 100 | +${CONTAINER_IMAGE_TARGZ}: ${CONTAINER_IMAGE_TAR} |
| 101 | + gzip -f --keep "${CONTAINER_IMAGE_TAR}" |
| 102 | + |
| 103 | +.PHONY: trivyscanImage |
| 104 | +trivyscanImage: ${CONTAINER_IMAGE_TRIVY_SCAN_JSON} ${CONTAINER_IMAGE_TRIVY_SCAN_TABLE} ${CONTAINER_IMAGE_TRIVY_SCAN_CRITICAL_TABLE} ${CONTAINER_IMAGE_TRIVY_SCAN_CRITICAL_JSON} ## do a trivy scan for the workspace image in various output formats |
| 105 | + |
| 106 | +${CONTAINER_IMAGE_TRIVY_SCAN_JSON}: ${CONTAINER_IMAGE_TAR} |
| 107 | + ${CONTAINER_BIN} run --rm --pull=always \ |
| 108 | + -v "trivy-cache:/root/.cache" \ |
| 109 | + -v "${CONTAINER_IMAGE_TAR}:/tmp/image.tar" \ |
| 110 | + aquasec/trivy -q \ |
| 111 | + image --scanners vuln --input /tmp/image.tar -f json --timeout 15m \ |
| 112 | + > ${CONTAINER_IMAGE_TRIVY_SCAN_JSON} |
| 113 | + |
| 114 | +${CONTAINER_IMAGE_TRIVY_SCAN_TABLE}: ${CONTAINER_IMAGE_TRIVY_SCAN_JSON} |
| 115 | + @. ${CODER_LIB_PATH} && \ |
| 116 | + doTrivyConvert "--format table" ${CONTAINER_IMAGE_TRIVY_SCAN_TABLE} ${CONTAINER_BIN} ${CONTAINER_IMAGE_TRIVY_SCAN_JSON} |
| 117 | + |
| 118 | +${CONTAINER_IMAGE_TRIVY_SCAN_CRITICAL_TABLE}: ${CONTAINER_IMAGE_TRIVY_SCAN_JSON} |
| 119 | + @. ${CODER_LIB_PATH} && \ |
| 120 | + doTrivyConvert "--format table --severity CRITICAL" ${CONTAINER_IMAGE_TRIVY_SCAN_CRITICAL_TABLE} ${CONTAINER_BIN} ${CONTAINER_IMAGE_TRIVY_SCAN_JSON} |
| 121 | + |
| 122 | +${CONTAINER_IMAGE_TRIVY_SCAN_CRITICAL_JSON}: ${CONTAINER_IMAGE_TRIVY_SCAN_JSON} |
| 123 | + @. ${CODER_LIB_PATH} && \ |
| 124 | + doTrivyConvert "--format json --severity CRITICAL" ${CONTAINER_IMAGE_TRIVY_SCAN_CRITICAL_JSON} ${CONTAINER_BIN} ${CONTAINER_IMAGE_TRIVY_SCAN_JSON} |
| 125 | + |
| 126 | +.PHONY: createTemplateRelease |
| 127 | +createTemplateRelease: ## generate template.tar.gz with all files needed for customers |
| 128 | + # remove release dir first as 'cp' cannot merge and will place the source dir inside the target dir if it already exists |
| 129 | + rm -rf "${RELEASE_DIR}/${TEMPLATE_NAME}" |
| 130 | + cp -r "${TEMPLATE_DIR}" "${RELEASE_DIR}/${TEMPLATE_NAME}/" |
| 131 | + #copy changelog |
| 132 | + cp "${CHANGELOG_FILE}" "${RELEASE_DIR}/${TEMPLATE_NAME}/" |
| 133 | + # remove excludes |
| 134 | + for file in "${EXCLUDED_TEMPLATE_FILES}"; do \ |
| 135 | + rm -f "${RELEASE_DIR}/${TEMPLATE_NAME}/$$file"; \ |
| 136 | + done |
| 137 | + tar -czf "${RELEASE_DIR}/${TEMPLATE_NAME}-template.tar.gz" -C "${RELEASE_DIR}" "${TEMPLATE_NAME}" |
| 138 | + |
| 139 | +.PHONY: createRelease ## generate template- and container archives and the trivy scans |
| 140 | +createRelease: createTemplateRelease ${CONTAINER_IMAGE_TARGZ} trivyscanImage ## create the image.tar.gz, template.tar.gz and trivy scans |
| 141 | + |
| 142 | +.PHONY: cleanCoderRelease |
| 143 | +cleanCoderRelease: ## clean release directory |
| 144 | + rm -rf "${RELEASE_DIR}" |
| 145 | + mkdir -p "${RELEASE_DIR}" |
| 146 | + |
| 147 | +.PHONY: pushImage |
| 148 | +pushImage: ## push the container image into the registry |
| 149 | + ${CONTAINER_BIN} push ${IMAGE_TAG} |
| 150 | + |
| 151 | +.PHONY: uploadRelease |
| 152 | +uploadRelease: createTemplateRelease ${CONTAINER_IMAGE_TARGZ} ${CONTAINER_IMAGE_TRIVY_SCAN_JSON} ${CONTAINER_IMAGE_TRIVY_SCAN_TABLE} ${CONTAINER_IMAGE_TRIVY_SCAN_CRITICAL_TABLE} ${CONTAINER_IMAGE_TRIVY_SCAN_CRITICAL_JSON} ## upload release artifacts to nexus |
| 153 | + @. ${CODER_LIB_PATH} && uploadToNexus ${TEMPLATE_RELEASE_TAR_GZ} ${TEMPLATE_NAME} ${VERSION} |
| 154 | + @. ${CODER_LIB_PATH} && uploadToNexus ${CONTAINER_IMAGE_TRIVY_SCAN_JSON} ${TEMPLATE_NAME} ${VERSION} |
| 155 | + @. ${CODER_LIB_PATH} && uploadToNexus ${CONTAINER_IMAGE_TRIVY_SCAN_TABLE} ${TEMPLATE_NAME} ${VERSION} |
| 156 | + @. ${CODER_LIB_PATH} && uploadToNexus ${CONTAINER_IMAGE_TRIVY_SCAN_CRITICAL_TABLE} ${TEMPLATE_NAME} ${VERSION} |
| 157 | + @. ${CODER_LIB_PATH} && uploadToNexus ${CONTAINER_IMAGE_TRIVY_SCAN_CRITICAL_JSON} ${TEMPLATE_NAME} ${VERSION} |
| 158 | + @. ${CODER_LIB_PATH} && uploadToNexus ${CONTAINER_IMAGE_TARGZ} ${TEMPLATE_NAME} ${VERSION} |
| 159 | + |
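Review bot: The exclusion loop in createTemplateRelease (file lines 134-136) never removes anything, because `"${EXCLUDED_TEMPLATE_FILES}"` is quoted and so the shell sees one word, `rich-parameters.yaml variables.yaml`, and `rm -f` is called once on a file of that combined name; the release tarball therefore still ships both files the variable was meant to keep out. Dropping the quotes is enough: `for file in ${EXCLUDED_TEMPLATE_FILES}; do \`. Separately, the secret files written at file lines 47 and 55 inherit the caller's umask and `${SECRETS_DIR}` is created with plain `mkdir -p`, so registry credentials may land world-readable; `mkdir -p -m 700 ${SECRETS_DIR}` and a `umask 077` in front of the gopass redirects would close that, and the `head -n 1`/`tail -n 1` split of the gopass output presumably relies on the secret having exactly a password line followed by a `username:` line, which is worth a comment. The trivy invocation at file line 107 pulls `aquasec/trivy` with no tag and `--pull=always`, so every scan runs whatever the registry currently serves; pinning a version (or digest) would make scan results reproducible.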