diff --git a/.github/workflows/checks.yaml b/.github/workflows/checks.yaml index 1c9fd4f0b..2d4d9f874 100644 --- a/.github/workflows/checks.yaml +++ b/.github/workflows/checks.yaml @@ -68,7 +68,7 @@ jobs: uses: actions/checkout@v2 - name: Build docker image - run: make image tag-latest + run: make release-local image-quick tag-latest - name: Setup kind/istio run: | diff --git a/Dockerfile b/Dockerfile index ab52d0d69..a5760bb4a 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,15 +1,25 @@ -# Copyright 2018 The OPA Authors. All rights reserved. +# Copyright 2019 The OPA Authors. All rights reserved. # Use of this source code is governed by an Apache2 # license that can be found in the LICENSE file. -FROM gcr.io/distroless/base +ARG BASE -MAINTAINER Ashutosh Narkar +FROM ${BASE} + +# Any non-zero number will do, and unfortunately a named user will not, as k8s +# pod securityContext runAsNonRoot can't resolve the user ID: +# https://github.com/kubernetes/kubernetes/issues/40958. Make root (uid 0) when +# not specified. +ARG USER=0 -WORKDIR /app +MAINTAINER Ashutosh Narkar -COPY opa_envoy_linux_GOARCH /app +# Hack.. https://github.com/moby/moby/issues/37965 +# _Something_ needs to be between the two COPY steps. +USER ${USER} -ENTRYPOINT ["./opa_envoy_linux_GOARCH"] +ARG BIN_DIR=. +COPY ${BIN_DIR}/opa_envoy_linux_amd64 /opa +ENTRYPOINT ["/opa"] CMD ["run"] diff --git a/Makefile b/Makefile index 2ae23a8a8..496754566 100644 --- a/Makefile +++ b/Makefile @@ -9,6 +9,7 @@ VERSION_ISTIO := $(VERSION_OPA)-istio$(shell ./build/get-plugin-rev.sh) PACKAGES := $(shell go list ./.../ | grep -v 'vendor') GO := go +GO_TAGS := -tags=opa_wasm GOVERSION := $(shell cat ./.go-version) GOARCH := $(shell go env GOARCH) GOOS := $(shell go env GOOS) @@ -41,9 +42,10 @@ LDFLAGS := "-X github.com/open-policy-agent/opa/version.Version=$(VERSION) \ GO15VENDOREXPERIMENT := 1 export GO15VENDOREXPERIMENT -.PHONY: all build build-darwin build-linux build-windows clean check check-fmt check-vet check-lint \ - deploy-ci docker-login generate image image-quick push push-latest tag-latest \ - test test-cluster test-e2e update-opa update-istio-quickstart-version version +.PHONY: all build build-darwin build-linux build-windows clean check \ + check-fmt check-vet check-lint deploy-ci docker-login generate image image-quick \ + push push-latest tag-latest test test-cluster test-e2e update-opa \ + update-istio-quickstart-version version ###################################################### # @@ -60,7 +62,8 @@ generate: $(GO) generate ./... build: generate - $(GO) build -o $(BIN) -ldflags $(LDFLAGS) ./cmd/opa-envoy-plugin/... + CGO_LDFLAGS="-Wl,-rpath,/usr/lib/opa" $(GO) build $(GO_TAGS) -o $(BIN) \ + -ldflags $(LDFLAGS) ./cmd/opa-envoy-plugin build-darwin: @$(MAKE) build GOOS=darwin @@ -76,8 +79,11 @@ image: @$(MAKE) image-quick image-quick: - sed -e 's/GOARCH/$(GOARCH)/g' Dockerfile > .Dockerfile_$(GOARCH) - docker build -t $(IMAGE):$(VERSION) -f .Dockerfile_$(GOARCH) . + docker build \ + -t $(IMAGE):$(VERSION) \ + --build-arg BASE=openpolicyagent/opa:$(VERSION_OPA)-debug \ + --build-arg BIN_DIR=$(RELEASE_DIR) \ + . docker tag $(IMAGE):$(VERSION) $(IMAGE):$(VERSION_ISTIO) push: @@ -96,7 +102,7 @@ docker-login: @echo "Docker Login..." @echo ${DOCKER_PASSWORD} | docker login -u ${DOCKER_USER} --password-stdin -deploy-ci: docker-login image push tag-latest push-latest +deploy-ci: release docker-login image-quick push tag-latest push-latest update-opa: @./build/update-opa-version.sh $(TAG) @@ -144,7 +150,15 @@ release: $(RELEASE_BUILD_IMAGE) \ /_src/build/build-release.sh --version=$(VERSION) --output-dir=/$(RELEASE_DIR) --source-url=/_src +.PHONY: release-local +release-local: + docker run $(DOCKER_FLAGS) \ + -v $(PWD)/$(RELEASE_DIR):/$(RELEASE_DIR) \ + -v $(PWD):/_src \ + $(RELEASE_BUILD_IMAGE) \ + /_src/build/build-release.sh --output-dir=/$(RELEASE_DIR) --source-url=/_src +# The remaining targets are invoked by build/build-release.sh (`make release` above) .PHONY: release-build-linux release-build-linux: ensure-release-dir build-linux mv opa_envoy_linux_$(GOARCH) $(RELEASE_DIR)/