chore: migrate to standard build

Adapts the team's standard Makefile to use on GitHub, and migrates the
controller's Docker base image library/golang and distroless.

Author: terinjokes

.dockerignore

@@ -0,0 +1 @@
+bin/

.github/workflows/docker.yaml

@@ -1,24 +1,26 @@
 name: Docker
 on:
-  push:
-    tags:
-      - 'v*'
+  - pull_request
+  - push
 jobs:
-  publish-docker:
+  docker:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - uses: nixbuild/nix-quick-install-action@v4
-      - run: nix-build ./hack/docker.nix -o docker-amd64
-      - run: nix-build ./hack/docker.nix --arg pkgs '(import ./hack/nixpkgs.nix {}).pkgsCross.aarch64-multiplatform' -o docker-arm64
-      - run: |
-          nix run -f ./hack/nixpkgs.nix pkgs.buildah<<EOF
-          buildah manifest create origin-ca-issuer
-          buildah manifest add origin-ca-issuer docker-archive:./docker-amd64
-          buildah manifest add origin-ca-issuer docker-archive:./docker-arm64
-          buildah manifest inspect origin-ca-issuer
-          buildah manifest push --all --creds ${DOCKER_HUB_USERNAME}:${DOCKER_HUB_TOKEN} -f v2s2 origin-ca-issuer docker://cloudflare/origin-ca-issuer:${GITHUB_REF#refs/tags/}
-          EOF
-        env:
-          DOCKER_HUB_USERNAME: ${{ secrets.DOCKER_HUB_USERNAME }}
-          DOCKER_HUB_TOKEN: ${{ secrets.DOCKER_HUB_TOKEN }}
+      - uses: actions/checkout@v4
+      - uses: docker/setup-qemu-action@v3
+      - uses: docker/metadata-action@v5
+        id: docker-meta
+        with:
+          images: cloudflare/origin-ca-issuer
+      - uses: docker/setup-buildx-action@v3
+      - uses: docker/login-action@v3
+        if: ${{ startsWith(github.ref, 'refs/tags/v') }}
+        with:
+          username: ${{ secrets.DOCKER_HUB_USERNAME }}
+          password: ${{ secrets.DOCKER_HUB_TOKEN }}
+      - uses: docker/build-push-action@v5
+        with:
+          file: ./cmd/controller/Dockerfile
+          platforms: linux/amd64, linux/arm64
+          tags: ${{ steps.docker-meta.outputs.tags }}
+          push: ${{ startsWith(github.ref, 'refs/tags/v') }}

.github/workflows/tests.yaml

@@ -5,22 +5,38 @@ on:
 jobs:
   unit:
     runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        go: [ 'stable', 'oldstable' ]
+    name: 'Go ${{ matrix.go }} Test'
     steps:
-      - uses: actions/checkout@v2
-      - uses: nixbuild/nix-quick-install-action@v4
-      - run: nix-shell --pure --run "go test -v -race ./..."
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v4
+        with:
+          go-version: ${{ matrix.go }}
+      - run: make test
   lint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - uses: nixbuild/nix-quick-install-action@v4
-      - run: nix-shell --pure --run "golangci-lint run --timeout 15m -e 'please use pkg/envtest for testing'"
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v4
+        with:
+          go-version: 'stable'
+      - uses: dominikh/staticcheck-action@v1
+        with:
+          build-tags: suite
+          install-go: false
   integration:
     needs:
       - unit
       - lint
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - uses: nixbuild/nix-quick-install-action@v4
-      - run: nix-shell --pure --run "go test ./... -tags suite"
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v4
+        with:
+          go-version: 'stable'
+      - run: |
+          go install sigs.k8s.io/controller-runtime/tools/setup-envtest@latest
+          source <(setup-envtest use -p env)
+          go test ./... -tags suite

.gitignore

@@ -1,3 +1,4 @@
 result
 result-*
 .envrc
+/bin/

Makefile

@@ -0,0 +1,85 @@
+.DEFAULT_GOAL := binaries
+
+KERNEL := $(shell uname -s)
+GOTESTSUM := $(shell command -v gotestsum 2> /dev/null)
+
+DIB ?= docker
+IMAGE_ROOT ?= localhost/origin-ca-issuer
+IMAGE_VERSION ?= $(shell git log -1 --pretty=format:%cd-%h --date short HEAD)
+VERSION := $(shell git describe --tags --always --dirty=-dev)
+# Build docker images for the native arch, but allow overriding in the environment for local development
+PLATFORM ?= local
+
+# Bind mount $SSL_CERT_FILE (or default) to build container if the file exists.
+SSL_CERT_FILE ?= /etc/ssl/certs/ca-certificates.crt
+ifneq (,$(wildcard ${SSL_CERT_FILE}))
+SECRETS = --secret id=certificates,src=${SSL_CERT_FILE}
+endif
+
+# When compiling for Linux enable Security's recommend hardening to satisfy `checksec' checks.
+# Unfortunately, most of these flags aren't portable to other operating systems.
+ifeq (${KERNEL},Linux)
+	CGO_ENABLED ?= 1
+	CPPFLAGS ?= -D_FORTIFY_SOURCE=2 -fstack-protector-all
+	CFLAGS ?= -O2 -pipe -fno-plt
+	CXXFLAGS ?= -O2 -pipe -fno-plt
+	LDFLAGS ?= -Wl,-O1,-sort-common,-as-needed,-z,relro,-z,now
+	GO_LDFLAGS ?= -linkmode=external
+	GOFLAGS ?= -buildmode=pie
+endif
+
+GO_LDFLAGS += -w -s -X main.version=${VERSION}
+GOFLAGS += -v
+
+export CGO_ENABLED
+export CGO_CPPFLAGS ?= ${CPPFLAGS}
+export CGO_CFLAGS ?= ${CFLAGS}
+export CGO_CXXFLAGS ?= ${CXXFLAGS}
+export CGO_LDFLAGS ?= ${LDFLAGS}
+
+CMDS := $(shell find cmd -mindepth 1 -maxdepth 1 -type d | awk -F '/' '{ print $$NF }' )
+IMAGES := $(shell find cmd -mindepth 1 -type f -name Dockerfile | awk -F '/' '{ print $$2 }')
+
+define make-go-target
+.PHONY: bin/$1
+bin/$1:
+	go build ${GOFLAGS} -o $$@ -ldflags "${GO_LDFLAGS}" ./cmd/$1
+endef
+
+define make-dib-targets
+.PHONY: images/$1
+images/$1:
+	${DIB} buildx build --platform "$(PLATFORM)" ${SECRETS} -f cmd/$1/Dockerfile -t "${IMAGE_ROOT}/$1:${IMAGE_VERSION}" .
+
+.PHONY: push/images/$1
+push/images/$1:
+	${DIB} push "${IMAGE_ROOT}/$1:${IMAGE_VERSION}"
+endef
+
+$(foreach element,$(CMDS), $(eval $(call make-go-target,$(element))))
+$(foreach element,$(IMAGES), $(eval $(call make-dib-targets,$(element))))
+
+.PHONY: binaries
+binaries: $(CMDS:%=bin/%)
+
+.PHONY: images
+images: $(IMAGES:%=images/%)
+
+.PHONY: push-images
+push-images: $(IMAGES:%=push/images/%)
+
+.PHONY: clean
+clean:
+	rm -rf bin
+
+.PHONY: test
+test:
+ifdef GOTESTSUM
+	"${GOTESTSUM}" -- -count 1 ./...
+else
+	go test -cover -count 1 ./...
+endif
+
+.PHONY: lint
+lint:
+	staticcheck -tags suite ./...

cmd/controller/Dockerfile

@@ -0,0 +1,13 @@
+FROM docker.io/library/golang:1.21.5-bookworm AS builder
+WORKDIR /go/src/app
+ADD . /go/src/app
+
+RUN --mount=type=cache,target=/go/pkg/mod \
+    --mount=type=cache,target=/root/.cache/go-build \
+    --mount=type=secret,id=certificates,target=/etc/ssl/certs/ca-certificates.crt \
+    make bin/controller
+
+
+FROM gcr.io/distroless/base-nossl-debian12:nonroot
+COPY --from=builder /go/src/app/bin/controller /bin
+ENTRYPOINT ["/bin/controller"]

go.mod

@@ -1,6 +1,6 @@
 module github.com/cloudflare/origin-ca-issuer
 
-go 1.19
+go 1.20
 
 require (
 	github.com/cert-manager/cert-manager v1.9.2