Merge pull request #216 from cert-manager/self-upgrade

[CI] Merge self-upgrade into main
cert-manager · Mar 12, 2024 · 9cce9d2 · 9cce9d2
2 parents 50bc83b + ee94a60
commit 9cce9d2
Show file tree

Hide file tree

Showing 4 changed files with 122 additions and 124 deletions.
diff --git a/klone.yaml b/klone.yaml
@@ -10,55 +10,55 @@ targets:
     - folder_name: boilerplate
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 7df721d1c901b74d1212d00eeb4ce8da2deadba4
+      repo_hash: eb6afb7091095df05b83ca62903fb55af0946f5e
       repo_path: modules/boilerplate
     - folder_name: cert-manager
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 7df721d1c901b74d1212d00eeb4ce8da2deadba4
+      repo_hash: eb6afb7091095df05b83ca62903fb55af0946f5e
       repo_path: modules/cert-manager
     - folder_name: controller-gen
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 7df721d1c901b74d1212d00eeb4ce8da2deadba4
+      repo_hash: eb6afb7091095df05b83ca62903fb55af0946f5e
       repo_path: modules/controller-gen
     - folder_name: generate-verify
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 7df721d1c901b74d1212d00eeb4ce8da2deadba4
+      repo_hash: eb6afb7091095df05b83ca62903fb55af0946f5e
       repo_path: modules/generate-verify
     - folder_name: helm
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 7df721d1c901b74d1212d00eeb4ce8da2deadba4
+      repo_hash: eb6afb7091095df05b83ca62903fb55af0946f5e
       repo_path: modules/helm
     - folder_name: help
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 7df721d1c901b74d1212d00eeb4ce8da2deadba4
+      repo_hash: eb6afb7091095df05b83ca62903fb55af0946f5e
       repo_path: modules/help
     - folder_name: kind
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 7df721d1c901b74d1212d00eeb4ce8da2deadba4
+      repo_hash: eb6afb7091095df05b83ca62903fb55af0946f5e
       repo_path: modules/kind
     - folder_name: klone
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 7df721d1c901b74d1212d00eeb4ce8da2deadba4
+      repo_hash: eb6afb7091095df05b83ca62903fb55af0946f5e
       repo_path: modules/klone
     - folder_name: oci-image
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 7df721d1c901b74d1212d00eeb4ce8da2deadba4
+      repo_hash: eb6afb7091095df05b83ca62903fb55af0946f5e
       repo_path: modules/oci-image
     - folder_name: repository-base
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 7df721d1c901b74d1212d00eeb4ce8da2deadba4
+      repo_hash: eb6afb7091095df05b83ca62903fb55af0946f5e
       repo_path: modules/repository-base
     - folder_name: tools
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 7df721d1c901b74d1212d00eeb4ce8da2deadba4
+      repo_hash: eb6afb7091095df05b83ca62903fb55af0946f5e
       repo_path: modules/tools
diff --git a/make/_shared/oci-image/01_mod.mk b/make/_shared/oci-image/01_mod.mk
@@ -80,8 +80,13 @@ RELEASE_DRYRUN ?= false
 CGO_ENABLED ?= 0
 GOEXPERIMENT ?=  # empty by default
 
+COSIGN_FLAGS ?= # empty by default
+OCI_SIGN_ON_PUSH ?= true
+
 oci_build_targets := $(build_names:%=oci-build-%)
 oci_push_targets := $(build_names:%=oci-push-%)
+oci_push_no_sign_targets := $(build_names:%=oci-push-no-sign-%)
+oci_sign_targets := $(build_names:%=oci-sign-%)
 oci_maybe_push_targets := $(build_names:%=oci-maybe-push-%)
 oci_load_targets := $(build_names:%=oci-load-%)
 docker_tarball_targets := $(build_names:%=docker-tarball-%)
@@ -138,6 +143,21 @@ $(oci_build_targets): oci-build-%: | $(NEEDS_KO) $(NEEDS_GO) $(NEEDS_YQ) $(bin_d
 		$(CURDIR)/$(oci_layout_path_$*) \
 		> $(CURDIR)/$(oci_layout_path_$*).digests
 
+# Function for ensuring the .digests file exists. In the use case where pushing
+# and signing happen independently, we need to ensure this file exists for 
+# signing
+define oci_digest_ensure 
+ifeq ($(call oci_digest,$1),)
+$$(error "$(oci_layout_path_$1).digests" does not exist, has this image been built?)
+endif
+endef
+
+# Functions for pushing and signing. We have a few targets that push/sign, this
+# use of functions means we can define the commands once.
+oci_digest = $(shell head -1 $(CURDIR)/$(oci_layout_path_$1).digests)
+oci_push_command = $(foreach oci_image_name,$(oci_$1_image_name),$(CRANE) push "$(oci_layout_path_$1)" "$(oci_image_name):$(oci_$1_image_tag)";)
+oci_sign_command = $(foreach oci_image_name,$(oci_$1_image_name),$(COSIGN) sign --yes=true $(COSIGN_FLAGS) "$(oci_image_name)@$(call oci_digest,$1)";)
+
 .PHONY: $(oci_push_targets)
 ## Build and push OCI image.
 ## If the tag already exists, this target will overwrite it.
@@ -147,16 +167,14 @@ $(oci_build_targets): oci-build-%: | $(NEEDS_KO) $(NEEDS_GO) $(NEEDS_YQ) $(bin_d
 ## - :v1.2.3.sig, :sha256-0000001.sig
 ## @category [shared] Build
 $(oci_push_targets): oci-push-%: oci-build-% | $(NEEDS_CRANE) $(NEEDS_COSIGN) $(NEEDS_YQ) $(bin_dir)/scratch/image
-	$(eval image_ref := $(shell head -1 $(CURDIR)/$(oci_layout_path_$*).digests))
-
 ifneq ($(RELEASE_DRYRUN),true)
-	if $(CRANE) image digest $(oci_$*_image_name)@$(image_ref) >/dev/null 2>&1; then \
+	if $(CRANE) image digest $(oci_$*_image_name)@$(call oci_digest,$*) >/dev/null 2>&1; then \
 		echo "Digest already exists, will retag without resigning."; \
-		$(CRANE) push "$(oci_layout_path_$*)" "$(oci_$*_image_name):$(oci_$*_image_tag)"; \
+		$(call oci_push_command,$*); \
 	else \
 		echo "Digest does not yet exist, pushing image and signing."; \
-		$(CRANE) push "$(oci_layout_path_$*)" "$(oci_$*_image_name):$(oci_$*_image_tag)"; \
-		$(COSIGN) sign --yes=true "$(oci_$*_image_name)@$(image_ref)"; \
+		$(call oci_push_command,$*); \
+		$(call oci_sign_command,$*); \
 	fi
 endif
 
@@ -171,6 +189,24 @@ $(oci_maybe_push_targets): oci-maybe-push-%: | $(NEEDS_CRANE)
 		$(MAKE) oci-push-$*; \
 	fi
 
+.PHONY: $(oci_push_no_sign_targets)
+## Build and push OCI image.
+## If the tag already exists, this target will overwrite it.
+## If an identical image was already built before, we will add a new tag to it.
+## This target will not sign the image
+## Expected pushed images:
+## - :v1.2.3, @sha256:0000001
+## @category [shared] Build
+$(oci_push_no_sign_targets): oci-push-no-sign-%: oci-build-% | $(NEEDS_CRANE) $(bin_dir)/scratch/image
+	$(call oci_push_command,$*)
+
+.PHONY: $(oci_sign_targets)
+## Run 'make oci-sign-...' to force a sign of the image.
+## @category [shared] Build
+$(oci_sign_targets): oci-sign-%: | $(NEEDS_COSIGN)
+	$(eval $(call oci_digest_ensure,$*)) 
+	$(call oci_sign_command,$*)
+
 .PHONY: $(oci_load_targets)
 ## Build OCI image for the local architecture and load
 ## it into the $(kind_cluster_name) kind cluster.

diff --git a/make/_shared/oci-image/image_tool/go.mod b/make/_shared/oci-image/image_tool/go.mod
@@ -9,36 +9,37 @@ require (
 
 require (
 	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
-	github.com/containerd/stargz-snapshotter/estargz v0.14.3 // indirect
-	github.com/go-openapi/analysis v0.22.0 // indirect
-	github.com/go-openapi/errors v0.21.0 // indirect
-	github.com/go-openapi/jsonpointer v0.20.2 // indirect
-	github.com/go-openapi/jsonreference v0.20.4 // indirect
-	github.com/go-openapi/loads v0.21.5 // indirect
-	github.com/go-openapi/runtime v0.27.1 // indirect
-	github.com/go-openapi/spec v0.20.13 // indirect
-	github.com/go-openapi/strfmt v0.22.0 // indirect
-	github.com/go-openapi/swag v0.22.9 // indirect
-	github.com/go-openapi/validate v0.22.4 // indirect
+	github.com/containerd/stargz-snapshotter/estargz v0.15.1 // indirect
+	github.com/go-openapi/analysis v0.23.0 // indirect
+	github.com/go-openapi/errors v0.22.0 // indirect
+	github.com/go-openapi/jsonpointer v0.21.0 // indirect
+	github.com/go-openapi/jsonreference v0.21.0 // indirect
+	github.com/go-openapi/loads v0.22.0 // indirect
+	github.com/go-openapi/runtime v0.28.0 // indirect
+	github.com/go-openapi/spec v0.21.0 // indirect
+	github.com/go-openapi/strfmt v0.23.0 // indirect
+	github.com/go-openapi/swag v0.23.0 // indirect
+	github.com/go-openapi/validate v0.24.0 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
-	github.com/klauspost/compress v1.17.2 // indirect
-	github.com/letsencrypt/boulder v0.0.0-20231026200631-000cd05d5491 // indirect
+	github.com/klauspost/compress v1.17.7 // indirect
+	github.com/letsencrypt/boulder v0.0.0-20240311221846-ffef10ab36cd // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/oklog/ulid v1.3.1 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
-	github.com/opencontainers/image-spec v1.1.0-rc5 // indirect
+	github.com/opencontainers/image-spec v1.1.0 // indirect
 	github.com/secure-systems-lab/go-securesystemslib v0.8.0 // indirect
-	github.com/sigstore/rekor v1.3.4 // indirect
-	github.com/sigstore/sigstore v1.8.1 // indirect
+	github.com/sigstore/rekor v1.3.5 // indirect
+	github.com/sigstore/sigstore v1.8.2 // indirect
 	github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
 	github.com/vbatts/tar-split v0.11.5 // indirect
-	go.mongodb.org/mongo-driver v1.13.1 // indirect
-	golang.org/x/crypto v0.18.0 // indirect
+	go.mongodb.org/mongo-driver v1.14.0 // indirect
+	golang.org/x/crypto v0.21.0 // indirect
 	golang.org/x/sync v0.6.0 // indirect
-	golang.org/x/sys v0.16.0 // indirect
-	golang.org/x/term v0.16.0 // indirect
-	gopkg.in/go-jose/go-jose.v2 v2.6.1 // indirect
+	golang.org/x/sys v0.18.0 // indirect
+	golang.org/x/term v0.18.0 // indirect
+	google.golang.org/protobuf v1.33.0 // indirect
+	gopkg.in/go-jose/go-jose.v2 v2.6.3 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )