✨ add new builder image approach and update dependencies

.builder-image-version.txt

@@ -1 +1 @@
-1.0.0
+1.1.0

.envrc.sample

@@ -1,3 +1,4 @@
+export PATH="$(pwd)/hack/tools/bin/:$PATH"
 export KUBECONFIG=$PWD/.mgt-cluster-kubeconfig.yaml
 export K8S_VERSION=1-27
 export GIT_PROVIDER_B64=Z2l0aHVi

.github/workflows/release.yml

@@ -126,6 +126,12 @@ jobs:
   release:
     name: Create draft release
     runs-on: ubuntu-latest
+    permissions:
+      packages: read
+      contents: write
+    defaults:
+      run:
+        shell: bash
     needs:
       - manager-image
     steps:

.golangci.yaml

@@ -104,6 +104,10 @@ linters-settings:
   revive:
     enable-all-rules: true
     rules:
+      - name: import-alias-naming
+        disabled: true
+      - name: redundant-import-alias
+        disabled: true
       - name: dot-imports
         disabled: true
       # https://github.com/mgechev/revive/blob/master/RULES_DESCRIPTIONS.md#add-constant

Makefile

@@ -19,6 +19,7 @@ IMAGE_PREFIX ?= ghcr.io/sovereigncloudstack
 STAGING_IMAGE = $(CONTROLLER_SHORT)-staging
 BUILDER_IMAGE = $(IMAGE_PREFIX)/$(CONTROLLER_SHORT)-builder
 BUILDER_IMAGE_VERSION = $(shell cat .builder-image-version.txt)
+HACK_TOOLS_BIN_VERSION = $(shell cat ./hack/tools/bin/version.txt)
 
 SHELL = /usr/bin/env bash -o pipefail
 .SHELLFLAGS = -ec
@@ -80,16 +81,19 @@ MGT_CLUSTER_KUBECONFIG ?= ".mgt-cluster-kubeconfig.yaml"
 
 # Kubebuilder.
 export KUBEBUILDER_ENVTEST_KUBERNETES_VERSION ?= 1.25.0
+# versions 
+CTLPTL_VERSION := 0.8.25
 
 ##@ Binaries
 ############
 # Binaries #
 ############
+# need in CI for releasing
 CONTROLLER_GEN := $(abspath $(TOOLS_BIN_DIR)/controller-gen)
-controller-gen: $(CONTROLLER_GEN) ## Build a local copy of controller-gen
 $(CONTROLLER_GEN): # Build controller-gen from tools folder.
 	go install sigs.k8s.io/controller-tools/cmd/[email protected]
 
+# need this in CI for releasing
 KUSTOMIZE := $(abspath $(TOOLS_BIN_DIR)/kustomize)
 kustomize: $(KUSTOMIZE) ## Build a local copy of kustomize
 $(KUSTOMIZE): # Build kustomize from tools folder.
@@ -114,24 +118,10 @@ $(SETUP_ENVTEST): # Build setup-envtest from tools folder.
 CTLPTL := $(abspath $(TOOLS_BIN_DIR)/ctlptl)
 ctlptl: $(CTLPTL) ## Build a local copy of ctlptl
 $(CTLPTL):
-	go install github.com/tilt-dev/ctlptl/cmd/[email protected]
-
-CLUSTERCTL := $(abspath $(TOOLS_BIN_DIR)/clusterctl)
-clusterctl: $(CLUSTERCTL) ## Build a local copy of clusterctl
-$(CLUSTERCTL):
-	curl -sSLf https://github.com/kubernetes-sigs/cluster-api/releases/download/v1.5.0/clusterctl-$$(go env GOOS)-$$(go env GOARCH) -o $(CLUSTERCTL)
-	chmod a+rx $(CLUSTERCTL)
-
-KIND := $(abspath $(TOOLS_BIN_DIR)/kind)
-kind: $(KIND) ## Build a local copy of kind
-$(KIND):
-	go install sigs.k8s.io/[email protected]
+	curl -sSL https://github.com/tilt-dev/ctlptl/releases/download/v$(CTLPTL_VERSION)/ctlptl.$(CTLPTL_VERSION).linux.x86_64.tar.gz | tar xz -C $(TOOLS_BIN_DIR) ctlptl
 
 KUBECTL := $(abspath $(TOOLS_BIN_DIR)/kubectl)
-kubectl: $(KUBECTL) ## Build a local copy of kubectl
-$(KUBECTL):
-	curl -fsSL "https://dl.k8s.io/release/v1.27.3/bin/$$(go env GOOS)/$$(go env GOARCH)/kubectl" -o $(KUBECTL)
-	chmod a+rx $(KUBECTL)
+
 
 HELM := $(abspath $(TOOLS_BIN_DIR)/helm)
 helm: $(HELM) ## Build a local copy of helm
@@ -181,7 +171,7 @@ $(GOTESTSUM):
 	go install gotest.tools/[email protected]
 
 
-all-tools: $(KIND) $(KUBECTL) $(CLUSTERCTL) $(CTLPTL) $(SETUP_ENVTEST) $(ENVSUBST) $(KUSTOMIZE) $(CONTROLLER_GEN)
+all-tools: get-dependencies $(CTLPTL) $(SETUP_ENVTEST) $(ENVSUBST) $(KUSTOMIZE) $(CONTROLLER_GEN)
 	echo 'done'
 
 ##@ Development
@@ -197,7 +187,7 @@ delete-bootstrap-cluster: $(CTLPTL)  ## Deletes Kind-dev Cluster
 	$(CTLPTL) delete registry cso-registry
 
 .PHONY: cluster
-cluster: $(CTLPTL) $(KUBECTL) ## Creates kind-dev Cluster
+cluster: get-dependencies $(CTLPTL) $(KUBECTL) ## Creates kind-dev Cluster
 	@# Fail early. Background: After Tilt started, changing .envrc has no effect for processes
 	@# started via Tilt. That's why this should fail early.
 	./hack/kind-dev.sh
@@ -282,12 +272,6 @@ set-manifest-pull-policy:
 	$(info Updating kustomize pull policy file for default resource)
 	sed -i'' -e 's@imagePullPolicy: .*@imagePullPolicy: '"$(PULL_POLICY)"'@' $(TARGET_RESOURCE)
 
-builder-image-promote-latest:
-	./hack/ensure-env-variables.sh USERNAME PASSWORD
-	skopeo copy --src-creds=$(USERNAME):$(PASSWORD) --dest-creds=$(USERNAME):$(PASSWORD) \
-		docker://$(BUILDER_IMAGE):$(BUILDER_IMAGE_VERSION) \
-		docker://$(BUILDER_IMAGE):latest
-
 ##@ Binary
 ##########
 # Binary #
@@ -545,5 +529,31 @@ create-workload-cluster-docker: $(ENVSUBST) $(KUBECTL)
 	cat .cluster.yaml | $(ENVSUBST) - | $(KUBECTL) apply -f -
 
 .PHONY: tilt-up
-tilt-up: env-vars-for-wl-cluster $(ENVSUBST) $(KUBECTL) $(KUSTOMIZE) $(TILT) cluster  ## Start a mgt-cluster & Tilt. Installs the CRDs and deploys the controllers
+tilt-up: env-vars-for-wl-cluster get-dependencies $(ENVSUBST) $(TILT) cluster  ## Start a mgt-cluster & Tilt. Installs the CRDs and deploys the controllers
 	EXP_CLUSTER_RESOURCE_SET=true $(TILT) up --port=10351
+
+BINARIES = clusterctl controller-gen helm kind kubectl kustomize trivy
+get-dependencies:
+ifeq ($(BUILD_IN_CONTAINER),true)
+	docker run --rm -t -i \
+		-v $(shell pwd):/src/cluster-stack-operator \
+		$(BUILDER_IMAGE):$(BUILDER_IMAGE_VERSION) $@;
+else
+	@if [ "$(HACK_TOOLS_BIN_VERSION)" != "$(BUILDER_IMAGE_VERSION)" ]; then \
+		echo "Updating binaries"; \
+		rm -rf hack/tools/bin; \
+		mkdir -p $(TOOLS_BIN_DIR); \
+		cp ./.builder-image-version.txt $(TOOLS_BIN_DIR)/version.txt; \
+		for tool in $(BINARIES); do \
+			if command -v $$tool > /dev/null; then \
+				cp `command -v $$tool` $(TOOLS_BIN_DIR); \
+				echo "copied $$tool to $(TOOLS_BIN_DIR)"; \
+			else \
+				echo "$$tool not found"; \
+			fi; \
+		done; \
+	else \
+		echo "No action required"; \
+		echo "Binaries are up to date"; \
+	fi
+endif

images/builder/Dockerfile

@@ -17,20 +17,48 @@
 # If you make changes to this Dockerfile run `make builder-image-push`.
 
 # Install Lychee
-FROM docker.io/library/alpine:3.17.3@sha256:b6ca290b6b4cdcca5b3db3ffa338ee0285c11744b4a6abaa9627746ee3291d8d as lychee
-# update: datasource=github-tags depName=lycheeverse/lychee versioning=semver
-ENV LYCHEE_VERSION="v0.11.1"
+FROM docker.io/library/alpine:3.19.0@sha256:13b7e62e8df80264dbb747995705a986aa530415763a6c58f84a3ca8af9a5bcd as lychee
 # hadolint ignore=DL3018
+# update: datasource=github-tags depName=lycheeverse/lychee versioning=semver
+ENV LYCHEE_VERSION="v0.14.3"
 RUN apk add --no-cache curl && \
     curl -L -o /tmp/lychee-${LYCHEE_VERSION}.tgz https://github.com/lycheeverse/lychee/releases/download/${LYCHEE_VERSION}/lychee-${LYCHEE_VERSION}-x86_64-unknown-linux-gnu.tar.gz && \
     tar -xz -C /tmp -f /tmp/lychee-${LYCHEE_VERSION}.tgz && \
     mv /tmp/lychee /usr/bin/lychee && \
     rm -rf /tmp/linux-amd64 /tmp/lychee-${LYCHEE_VERSION}.tgz
 
+FROM cgr.dev/chainguard/wolfi-base:latest as wolfi
+
+# renovate: datasource=github-tags depName=kubernetes-sigs/cluster-api
+ARG CLUSTERCTL_VERSION="v1.6.2"
+# renovate: datasource=github-tags depName=helm/helm
+ENV HELM_VERSION="v3.14.1"
+# renovate: datasource=github-tags depName=kubernetes-sigs/kind
+ARG KIND_VERSION="v0.20.0"
+# renovate: datasource=github-tags depName=kubernetes/kubernetes
+ARG KUBECTL_VERSION="v1.27.3"
+# renovate: datasource=github-tags depName=kubernetes-sigs/kustomize extractVersion=^kustomize\/v(?<version>.+)$
+ARG KUSTOMIZE_VERSION="v5.3.0"
+# renovate: datasource=github-tags depName=aquasecurity/trivy
+ARG TRIVY_VERSION="v0.48.3"
+# renovate: datasource=github-tags depName=kubernetes-sigs/controller-tools
+ARG CONTROLLER_GEN_VERSION="v0.14.0"
+
+# hadolint ignore=DL3018
+RUN apk add -U --no-cache \
+    curl \
+    clusterctl=~${CLUSTERCTL_VERSION#v} \
+    controller-gen=~${CONTROLLER_GEN_VERSION#v} \
+    helm=~${HELM_VERSION#v} \
+    kind=~${KIND_VERSION#v} \
+    kubectl=~${KUBECTL_VERSION#v} \
+    kustomize=~${KUSTOMIZE_VERSION#v} \
+    trivy=~${TRIVY_VERSION#v} 
+
 # Install Golang CI Lint
-FROM docker.io/library/alpine:3.17.3@sha256:b6ca290b6b4cdcca5b3db3ffa338ee0285c11744b4a6abaa9627746ee3291d8d as golangci
+FROM docker.io/library/alpine:3.19.1 as golangci
 # update: datasource=github-tags depName=golangci/golangci-lint versioning=semver
-ENV GOLANGCI_VERSION="v1.52.2"
+ENV GOLANGCI_VERSION="v1.55.2"
 WORKDIR /
 # hadolint ignore=DL3018,DL4006
 RUN apk add --no-cache curl && \
@@ -39,18 +67,13 @@ RUN apk add --no-cache curl && \
 # Install Hadolint
 FROM docker.io/hadolint/hadolint:v2.12.0-alpine@sha256:7dba9a9f1a0350f6d021fb2f6f88900998a4fb0aaf8e4330aa8c38544f04db42 as hadolint
 
-# Install Trivy
-FROM docker.io/aquasec/trivy:0.39.0@sha256:ab281f43ee11b8ea5443ca8897641441f04f14e8832fefd103d32b4acd7055e1 as trivy
-
 ############################
 # CSO Build Image Base #
 ############################
-FROM docker.io/library/golang:1.20.2-bullseye@sha256:2101aa981e68ab1e06e3d4ac35ae75ed122f0380e5331e3ae4ba7e811bf9d256
+FROM docker.io/library/golang:1.21.6-bullseye
 
-# update: datasource=repology depName=debian_11/skopeo versioning=loose
-ENV SKOPEO_VERSION="1.2.2+dfsg1-1+b6"
 # update: datasource=github-tags depName=adrienverge/yamllint versioning=semver
-ENV YAMLLINT_VERSION="v1.30.0"
+ENV YAMLLINT_VERSION="v1.33.0"
 # update: datasource=github-tags depName=opt-nc/yamlfixer versioning=semver
 ENV YAMLFIXER_VERSION="0.9.15"
 
@@ -59,17 +82,22 @@ RUN apt-get update && \
     apt-get install -qy --no-install-recommends \
     gnupg python3 python3-pip \
     file zip unzip jq gettext \
-    skopeo=${SKOPEO_VERSION} \
     libsystemd-dev jq && \
     rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* && \
     pip install --no-cache-dir \
     yamllint==${YAMLLINT_VERSION} \
     yamlfixer-opt-nc==${YAMLFIXER_VERSION}
 
+COPY --from=wolfi /usr/bin/clusterctl /usr/bin/clusterctl
+COPY --from=wolfi /usr/bin/controller-gen /usr/bin/controller-gen
+COPY --from=wolfi /usr/bin/helm /usr/bin/helm
+COPY --from=wolfi /usr/bin/kubectl /usr/bin/kubectl
+COPY --from=wolfi /usr/bin/kind /usr/bin/kind
+COPY --from=wolfi /usr/bin/kustomize /usr/bin/kustomize
+COPY --from=wolfi /usr/bin/trivy /usr/bin/trivy
 COPY --from=lychee /usr/bin/lychee /usr/bin/lychee
 COPY --from=golangci /bin/golangci-lint /usr/local/bin
 COPY --from=hadolint /bin/hadolint /usr/bin/hadolint
-COPY --from=trivy /usr/local/bin/trivy /usr/bin/trivy
 
 ENV GOCACHE=/go/cache