hyperspike · dmolik · Dec 19, 2024 · Dec 20, 2024 · Dec 24, 2024 · Dec 25, 2024
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -1,19 +1,47 @@
-name: Go Build
+name: Build
 
 on:
   pull_request:
 
+env:
+  REGISTRY: ghcr.io
+
 jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - name: Setup Go ${{ matrix.go-version }}
-        uses: actions/setup-go@v5
-        with:
-          go-version: 1.23
-      # You can test your matrix by printing the current Go version
-      - name: Display Go version
-        run: go version
-      - name: Build it
-        run: make V=1
+    - uses: actions/checkout@v4
+    - name: Setup Go ${{ matrix.go-version }}
+      uses: actions/setup-go@v5
+      with:
+        go-version: 1.23
+    # You can test your matrix by printing the current Go version
+    - name: Display Go version
+      run: go version
+    - name: Build it
+      run: make V=1
+  build-operator-container:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - name: Setup Go ${{ matrix.go-version }}
+      uses: actions/setup-go@v5
+      with:
+        go-version: 1.23
+    - name: Build it
+      run: make V=1
+    - name: Extract metadata (Operator tags, labels) for Docker
+      id: meta_operator
+      uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96
+      with:
+        images: ${{ env.REGISTRY }}/hyperspike/valkey-operator:${{ github.sha }}
+    - name: Build Operator image
+      uses: docker/build-push-action@b32b51a8eda65d6793cd0494a773d4f6bcef32dc
+      id: docker_build_operator
+      with:
+        file: Dockerfile.controller
+        context: .
+        push: false
+        visibility: public
+        tags: ${{ steps.meta_operator.outputs.images }}
+        labels: ${{ steps.meta_operator.outputs.labels }}
diff --git a/.github/workflows/image.yaml b/.github/workflows/image.yaml
@@ -13,6 +13,8 @@ on:
 env:
   REGISTRY: ghcr.io
   IMAGE_NAME: ${{ github.repository }}
+  VALKEY_VERSION: 8.0.2
+  RELEASE_VERSION: ${{ github.ref_name }}
 
 jobs:
   build-and-push-image:
@@ -22,6 +24,7 @@ jobs:
       packages: write
       id-token: write
       security-events: write
+      attestations: write
 
     steps:
     - name: Checkout repository
@@ -34,16 +37,26 @@ jobs:
         username: ${{ github.actor }}
         password: ${{ secrets.GITHUB_TOKEN }}
 
-    - name: Extract metadata (tags, labels) for Docker
-      id: meta
+    - name: Extract metadata (Controller tags, labels) for Docker
+      id: meta_controller
       uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96
       with:
-        images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}${{ env.RELEASE_VERSION }}
+        images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.RELEASE_VERSION }}
+    - name: Extract metadata (Sidecar tags, labels) for Docker
+      id: meta_sidecar
+      uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96
+      with:
+        images: ${{ env.REGISTRY }}/hyperspike/valkey-sidecar:${{ env.RELEASE_VERSION }}
+    - name: Extract metadata (Valkey tags, labels) for Docker
+      id: meta_valkey
+      uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96
+      with:
+        images: ${{ env.REGISTRY }}/hyperspike/valkey:${{ env.VALKEY_VERSION }}
 
     - name: Setup Go ${{ matrix.go-version }}
       uses: actions/setup-go@v5
       with:
-        go-version: 1.22
+        go-version: 1.23
     # You can test your matrix by printing the current Go version
     - name: Display Go version
       run: go version
@@ -52,26 +65,75 @@ jobs:
       run: make V=1
 
     - name: Build and push Docker image
-      uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355
-      id: docker_build
+      uses: docker/build-push-action@b32b51a8eda65d6793cd0494a773d4f6bcef32dc
+      id: docker_build_controller
+      with:
+        file: Dockerfile.controller
+        context: .
+        push: true
+        visibility: public
+        tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.RELEASE_VERSION }}
+        labels: ${{ steps.meta_manager.outputs.labels }}
+    - name: Build and push Sidecar image
+      uses: docker/build-push-action@b32b51a8eda65d6793cd0494a773d4f6bcef32dc
+      id: docker_build_sidecar
+      with:
+        file: Dockerfile.sidecar
+        context: .
+        push: true
+        visibility: public
+        tags: ${{ env.REGISTRY }}/hyperspike/valkey-sidecar:${{ env.RELEASE_VERSION }}
+        labels: ${{ steps.meta_sidecar.outputs.labels }}
+    - name: Build and push Valkey image
+      uses: docker/build-push-action@b32b51a8eda65d6793cd0494a773d4f6bcef32dc
+      id: docker_build_valkey
       with:
+        file: Dockerfile.valkey
         context: .
         push: true
         visibility: public
-        tags: ${{ steps.meta.outputs.tags }}
-        labels: ${{ steps.meta.outputs.labels }}
+        tags: ${{ env.REGISTRY }}/hyperspike/valkey:${{ env.VALKEY_VERSION }}
+        labels: ${{ steps.meta_valkey.outputs.labels }}
 
     - name: Set up Cosign
       uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
 
-    - name: Sign image with GitHub OIDC Token
+    - name: Sign Controller image with GitHub OIDC Token
+      run: |
+        cosign sign --yes ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.RELEASE_VERSION }}@${{ steps.docker_build_controller.outputs.digest }}
+    - name: Sign Sidecar image with GitHub OIDC Token
+      run: |
+        cosign sign --yes ${{ env.REGISTRY }}/hyperspike/valkey-sidecar:${{ env.RELEASE_VERSION }}@${{ steps.docker_build_sidecar.outputs.digest }}
+    - name: Sign Valkey image with GitHub OIDC Token
       run: |
-        cosign sign --yes ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}${{ env.RELEASE_VERSION }}@${{ steps.docker_build.outputs.digest }}
+        cosign sign --yes ${{ env.REGISTRY }}/hyperspike/valkey:${{ env.VALKEY_VERSION }}@${{ steps.docker_build_valkey.outputs.digest }}
+
+    - name: Attest the Controller image
+      uses: actions/attest-build-provenance@v2
+      id: attest_controller
+      with:
+        subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+        subject-digest: ${{ steps.docker_build_controller.outputs.digest }}
+        push-to-registry: true
+    - name: Attest the Sidecar image
+      uses: actions/attest-build-provenance@v2
+      id: attest_sidecar
+      with:
+        subject-name: ${{ env.REGISTRY }}/hyperspike/valkey-sidecar
+        subject-digest: ${{ steps.docker_build_sidecar.outputs.digest }}
+        push-to-registry: true
+    - name: Attest the Valkey image
+      uses: actions/attest-build-provenance@v2
+      id: attest_valkey
+      with:
+        subject-name: ${{ env.REGISTRY }}/hyperspike/valkey
+        subject-digest: ${{ steps.docker_build_valkey.outputs.digest }}
+        push-to-registry: true
 
     - name: Run Trivy vulnerability scanner
       uses: aquasecurity/trivy-action@master
       with:
-        image-ref: '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}${{ env.RELEASE_VERSION }}'
+        image-ref: '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.RELEASE_VERSION }}'
         format: 'sarif'
         output: 'trivy-results.sarif'
 

diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
@@ -28,6 +28,11 @@ jobs:
     runs-on: ubuntu-latest
     needs: publish
     name: Upload release assets
+    permissions:
+      contents: write
+      packages: write
+      id-token: write
+      attestations: write
     steps:
     - name: Checkout
       uses: actions/checkout@v4
@@ -38,6 +43,12 @@ jobs:
         check-latest: true
     - name: Build Installer
       run: make build-installer IMG=ghcr.io/hyperspike/valkey-operator:${{ github.ref_name }}
+    - name: Attest
+      uses: actions/attest-build-provenance@v2
+      id: attest
+      with:
+        subject-path: |
+          dist/install.yaml
     - name: Upload dist/install.yaml to release
       uses: svenstaro/upload-release-action@v2
       with:

diff --git a/.github/workflows/scan.yaml b/.github/workflows/scan.yaml
@@ -8,6 +8,9 @@ on:
     - main
   pull_request:
 
+env:
+  REGISTRY: ghcr.io
+
 permissions:
   contents: read
   security-events: write
@@ -20,7 +23,13 @@ jobs:
     - uses: actions/checkout@v4
     - uses: hadolint/[email protected]
       with:
-        dockerfile: Dockerfile
+        dockerfile: Dockerfile.valkey
+    - uses: hadolint/[email protected]
+      with:
+        dockerfile: Dockerfile.controller
+    - uses: hadolint/[email protected]
+      with:
+        dockerfile: Dockerfile.sidecar
   gosec:
     runs-on: ubuntu-latest
     steps:
@@ -68,3 +77,27 @@ jobs:
 
         # Optional: if set to true then the action don't cache or restore ~/.cache/go-build.
         # skip-build-cache: true
+  trivy:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+
+    - name: Build the Valkey image
+      uses: docker/build-push-action@b32b51a8eda65d6793cd0494a773d4f6bcef32dc
+      id: docker_build_valkey
+      with:
+        file: Dockerfile.valkey
+        context: .
+        push: false
+        tags:  ${{ env.REGISTRY }}/hyperspike/valkey:${{ github.SHA }}
+    - name: Run Trivy vulnerability scanner
+      uses: aquasecurity/trivy-action@master
+      with:
+        image-ref: ${{ env.REGISTRY }}/hyperspike/valkey:${{ github.SHA }}
+        format: 'sarif'
+        output: 'trivy-results.sarif'
+    - name: Upload Trivy scan results to GitHub Security tab
+      uses: github/codeql-action/upload-sarif@v3
+      if: always()
+      with:
+        sarif_file: trivy-results.sarif
diff --git a/.gitignore b/.gitignore
@@ -32,6 +32,7 @@ go.work
 .ingress.yaml
 blank.yaml
 cilium/
-manager
+/manager
+/sidecar
 valkey-operator/
 valkey-operator-*-chart.tgz
diff --git a/.golangci.yml b/.golangci.yml
@@ -39,3 +39,6 @@ linters:
     - unconvert
     - unparam
     - unused
+linters-settings:
+  lll:
+    line-length: 256
diff --git a/Dockerfile b/Dockerfile
diff --git a/Dockerfile.controller b/Dockerfile.controller
@@ -0,0 +1,5 @@
+FROM gcr.io/distroless/static:nonroot
+COPY manager /manager
+USER 65532:65532
+
+ENTRYPOINT ["/manager"]
diff --git a/Dockerfile.sidecar b/Dockerfile.sidecar
@@ -0,0 +1,6 @@
+FROM gcr.io/distroless/static:nonroot
+
+COPY sidecar /sidecar
+USER 65532:65532
+
+ENTRYPOINT ["/sidecar"]
diff --git a/Dockerfile.valkey b/Dockerfile.valkey
@@ -0,0 +1,35 @@
+FROM alpine:3.21.2 AS builder
+
+ARG VALKEY_VERSION=8.0.1
+
+WORKDIR /home/valkey
+
+RUN apk add --no-cache --virtual .build-deps \
+	git=2.47.1-r0 \
+	coreutils=9.5-r2 \
+	linux-headers=6.6-r1 \
+	musl-dev=1.2.5-r8 \
+	openssl-dev=3.3.2-r4 \
+	gcc=14.2.0-r4 \
+	curl=8.11.1-r0 \
+	make=4.4.1-r2 \
+	&& curl -L https://github.com/valkey-io/valkey/archive/refs/tags/${VALKEY_VERSION}.tar.gz -o valkey.tar.gz \
+	&& tar -xzf valkey.tar.gz --strip-components=1 \
+	&& make PREFIX=/usr BUILD_TLS=yes \
+	&& make install BUILD_TLS=yes PREFIX=/home/valkey/build
+
+FROM alpine:3.21.2 AS valkey
+
+RUN apk add --no-cache \
+	openssl=3.3.2-r4 \
+	ca-certificates=20241121-r1 \
+	&& addgroup -S valkey -g 1009 \
+	&& adduser -S -G valkey valkey -u 1009 \
+	&& mkdir /etc/valkey \
+	&& chown valkey:valkey /etc/valkey \
+	&& mkdir /var/lib/valkey \
+	&& chown valkey:valkey /var/lib/valkey
+
+COPY --from=builder /home/valkey/build/ /usr/
+
+USER valkey