[enhancement] Add OCB docker image release (#671)

jackgopack4 · andrzej-stencel · web-flow · commit 226dd5dfd9d9 · 2024-10-21T11:23:06.000+02:00
* create docker and update release workflows * Update builder-config.yaml * add otelcol-otlp manifest to Update Version workflow * Update .gitignore * remove update-version workflow to separate to PR#684 * add workflow for repo testing * Revert "add workflow for repo testing" This reverts commit fd61f1c. * Update builder-config.yaml to reference v0.111.0 release * add user and set permissions/workdir for ocb * update goreleaser and gh actions to remove builder-config.yaml refs * fix goreleaser docker repo ref * remove unnecessary commands from Dockerfile --------- Co-authored-by: Andrzej Stencel <andrzej.stencel@elastic.co>
diff --git a/.github/workflows/builder-release.yaml b/.github/workflows/builder-release.yaml
@@ -7,6 +7,12 @@ on:
 jobs:
   goreleaser:
     runs-on: ubuntu-latest
+    
+    permissions:
+      id-token: write
+      packages: write
+      contents: write
+
     steps:
       - name: Checkout Releases Repo
         uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
@@ -27,10 +33,32 @@ jobs:
           repository: "open-telemetry/opentelemetry-collector"
           ref: ${{ github.ref_name }}
           path: ".core"
+      - name: Copy Dockerfile to Core Repo directory
+        run:  cp cmd/builder/Dockerfile .core/cmd/builder/Dockerfile
+      - uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
+      - uses: anchore/sbom-action/download-syft@61119d458adab75f756bc0b9e4bde25725f86a7a # v0.17.2
+      - uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
+        with:
+          platforms: amd64, arm64,ppc64le
+      - uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1
       - name: Setup Go
         uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
           go-version: ~1.23
+      - name: Log into Docker.io
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+      - name: Login to GitHub Package Registry
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - shell: bash
+        run: |
+          echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_ENV          
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200 # v6.0.0
         with:
@@ -39,4 +67,6 @@ jobs:
           args: release --clean -f cmd/builder/.goreleaser.yml
         env:
           GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GH_PAT }}
+          COSIGN_YES: true
+          SKIP_SIGNS: false
diff --git a/.github/workflows/builder-testbuild.yaml b/.github/workflows/builder-testbuild.yaml
@@ -36,6 +36,14 @@ jobs:
           fetch-depth: 0
           repository: "open-telemetry/opentelemetry-collector"
           path: ".core"
+      - name: Copy Dockerfile to Core Repo directory
+        run:  cp cmd/builder/Dockerfile .core/cmd/builder/Dockerfile
+      - uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
+      - uses: anchore/sbom-action/download-syft@61119d458adab75f756bc0b9e4bde25725f86a7a # v0.17.2
+      - uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
+        with:
+          platforms: amd64, arm64,ppc64le
+      - uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1
       - name: Setup Go
         uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
@@ -57,4 +65,6 @@ jobs:
           args: --snapshot --clean -f cmd/builder/.goreleaser.yml
         env:
           GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GH_PAT}}
+          COSIGN_YES: false
+          SKIP_SIGNS: true
diff --git a/Makefile b/Makefile
@@ -73,3 +73,24 @@ push-tags:
 	@git tag -a ${TAG} -s -m "Version ${TAG}"
 	@echo "Pushing tag ${TAG}"
 	@git push ${REMOTE} ${TAG}
+
+# Used for debug only
+REMOTE?=git@github.com:open-telemetry/opentelemetry-collector-releases.git
+.PHONY: delete-tags
+delete-tags:
+	@[ "${TAG}" ] || ( echo ">> env var TAG is not set"; exit 1 )
+	@echo "Deleting local tag ${TAG}"
+	@if [ -n "$$(git tag -l ${TAG})" ]; then \
+		git tag -d ${TAG}; \
+	fi
+	@if [ -n "$$(git tag -l cmd/builder/${TAG})" ]; then \
+		git tag -d cmd/builder/${TAG}; \
+	fi
+	@echo "Deleting remote tag ${TAG}"
+	@git push ${REMOTE} :refs/tags/${TAG}
+	@git push ${REMOTE} :refs/tags/cmd/builder/${TAG}
+
+# Used for debug only
+REMOTE?=git@github.com:open-telemetry/opentelemetry-collector-releases.git
+.PHONY: repeat-tags
+repeat-tags: delete-tags push-tags
diff --git a/cmd/builder/.goreleaser.yml b/cmd/builder/.goreleaser.yml
@@ -4,6 +4,7 @@ before:
 monorepo:
   tag_prefix: cmd/builder/
   dir: .core/cmd/builder
+version: 2
 builds:
   - flags:
       - -trimpath
@@ -23,6 +24,80 @@ builds:
       - goos: windows
         goarch: arm64
     binary: ocb
+dockers:
+  - goos: linux
+    goarch: amd64
+    dockerfile: Dockerfile
+    image_templates:
+      - otel/opentelemetry-collector-builder:{{ .Version }}-amd64
+      - otel/opentelemetry-collector-builder:latest-amd64
+      - ghcr.io/open-telemetry/opentelemetry-collector-releases/opentelemetry-collector-builder:{{ .Version }}-amd64
+      - ghcr.io/open-telemetry/opentelemetry-collector-releases/opentelemetry-collector-builder:latest-amd64
+    build_flag_templates:
+      - --pull
+      - --platform=linux/amd64
+      - --label=org.opencontainers.image.created={{.Date}}
+      - --label=org.opencontainers.image.name={{.ProjectName}}
+      - --label=org.opencontainers.image.revision={{.FullCommit}}
+      - --label=org.opencontainers.image.version={{.Version}}
+      - --label=org.opencontainers.image.source={{.GitURL}}
+      - --label=org.opencontainers.image.licenses=Apache-2.0
+  - goos: linux
+    goarch: arm64
+    dockerfile: Dockerfile
+    image_templates:
+      - otel/opentelemetry-collector-builder:{{ .Version }}-arm64
+      - otel/opentelemetry-collector-builder:latest-arm64
+      - ghcr.io/open-telemetry/opentelemetry-collector-releases/opentelemetry-collector-builder:{{ .Version }}-arm64
+      - ghcr.io/open-telemetry/opentelemetry-collector-releases/opentelemetry-collector-builder:latest-arm64
+    build_flag_templates:
+      - --pull
+      - --platform=linux/arm64
+      - --label=org.opencontainers.image.created={{.Date}}
+      - --label=org.opencontainers.image.name={{.ProjectName}}
+      - --label=org.opencontainers.image.revision={{.FullCommit}}
+      - --label=org.opencontainers.image.version={{.Version}}
+      - --label=org.opencontainers.image.source={{.GitURL}}
+      - --label=org.opencontainers.image.licenses=Apache-2.0
+  - goos: linux
+    goarch: ppc64le
+    dockerfile: Dockerfile
+    image_templates:
+      - otel/opentelemetry-collector-builder:{{ .Version }}-ppc64le
+      - otel/opentelemetry-collector-builder:latest-ppc64le
+      - ghcr.io/open-telemetry/opentelemetry-collector-releases/opentelemetry-collector-builder:{{ .Version }}-ppc64le
+      - ghcr.io/open-telemetry/opentelemetry-collector-releases/opentelemetry-collector-builder:latest-ppc64le
+    build_flag_templates:
+      - --pull
+      - --platform=linux/ppc64le
+      - --label=org.opencontainers.image.created={{.Date}}
+      - --label=org.opencontainers.image.name={{.ProjectName}}
+      - --label=org.opencontainers.image.revision={{.FullCommit}}
+      - --label=org.opencontainers.image.version={{.Version}}
+      - --label=org.opencontainers.image.source={{.GitURL}}
+      - --label=org.opencontainers.image.licenses=Apache-2.0
+    use: buildx
+docker_manifests:
+  - name_template: otel/opentelemetry-collector-builder:{{ .Version }}
+    image_templates:
+      - otel/opentelemetry-collector-builder:{{ .Version }}-amd64
+      - otel/opentelemetry-collector-builder:{{ .Version }}-arm64
+      - otel/opentelemetry-collector-builder:{{ .Version }}-ppc64le
+  - name_template: otel/opentelemetry-collector-builder:latest
+    image_templates:
+      - otel/opentelemetry-collector-builder:latest-amd64
+      - otel/opentelemetry-collector-builder:latest-arm64
+      - otel/opentelemetry-collector-builder:latest-ppc64le
+  - name_template: ghcr.io/open-telemetry/opentelemetry-collector-releases/opentelemetry-collector-builder:{{ .Version }}
+    image_templates:
+      - ghcr.io/open-telemetry/opentelemetry-collector-releases/opentelemetry-collector-builder:{{ .Version }}-amd64
+      - ghcr.io/open-telemetry/opentelemetry-collector-releases/opentelemetry-collector-builder:{{ .Version }}-arm64
+      - ghcr.io/open-telemetry/opentelemetry-collector-releases/opentelemetry-collector-builder:{{ .Version }}-ppc64le
+  - name_template: ghcr.io/open-telemetry/opentelemetry-collector-releases/opentelemetry-collector-builder:latest
+    image_templates:
+      - ghcr.io/open-telemetry/opentelemetry-collector-releases/opentelemetry-collector-builder:latest-amd64
+      - ghcr.io/open-telemetry/opentelemetry-collector-releases/opentelemetry-collector-builder:latest-arm64
+      - ghcr.io/open-telemetry/opentelemetry-collector-releases/opentelemetry-collector-builder:latest-ppc64le
 release:
   github:
     owner: open-telemetry
@@ -37,3 +112,28 @@ snapshot:
   version_template: "{{ .Tag }}-next"
 changelog:
   disable: true
+signs:
+  - if: $SKIP_SIGNS != "true"
+    cmd: cosign
+    args:
+      - sign-blob
+      - --output-signature
+      - ${artifact}.sig
+      - --output-certificate
+      - ${artifact}.pem
+      - ${artifact}
+    signature: ${artifact}.sig
+    artifacts: all
+    certificate: ${artifact}.pem
+docker_signs:
+  - if: $SKIP_SIGNS != "true"
+    args:
+      - sign
+      - ${artifact}
+    artifacts: all
+sboms:
+  - id: archive
+    artifacts: archive
+  - id: package
+    artifacts: package
+    
diff --git a/cmd/builder/Dockerfile b/cmd/builder/Dockerfile
@@ -0,0 +1,14 @@
+FROM golang:1.23-alpine3.20
+RUN apk --update add ca-certificates
+
+ARG SERVICE_NAME=ocb
+
+RUN addgroup --gid 10001 --system ${SERVICE_NAME} && \
+    adduser --ingroup ${SERVICE_NAME} --shell /bin/false \
+    --disabled-password --uid 10001 ${SERVICE_NAME}
+
+USER ${SERVICE_NAME}
+WORKDIR /home/${SERVICE_NAME}
+
+COPY --chmod=755 ocb /usr/local/bin/ocb
+ENTRYPOINT [ "ocb" ]
