fix(*): Embed build info into binaries

Signed-off-by: Anurag Rajawat <[email protected]>

.dockerignore

@@ -1,3 +1,3 @@
-# More info: https://docs.docker.com/engine/reference/builder/#dockerignore-file
-# Ignore build and test binaries.
 bin/
+pkg/adapter
+go.work*

Dockerfile

@@ -1,11 +1,13 @@
 # SPDX-License-Identifier: Apache-2.0
 # Copyright 2023 Authors of Nimbus
 
-# Build the manager binary
-FROM golang:1.22 as builder
+FROM golang:1.22 AS builder
 ARG TARGETOS
 ARG TARGETARCH
 
+# Required to embed build info into binary.
+COPY .git /.git
+
 WORKDIR /workspace
 # Copy the Go Modules manifests
 COPY go.mod go.mod
@@ -15,23 +17,20 @@ COPY go.sum go.sum
 RUN go mod download
 
 # Copy the go source
-COPY cmd/main.go cmd/main.go
-COPY api/ api/
-COPY internal/ internal/
-COPY pkg/processor/ pkg/processor/
+COPY . .
 
 # Build
 # the GOARCH has not a default value to allow the binary be built according to the host where the command
 # was called. For example, if we call make docker-build in a local env which has the Apple Silicon M1 SO
 # the docker BUILDPLATFORM arg will be linux/arm64 when for Apple x86 it will be linux/amd64. Therefore,
 # by leaving it empty we can ensure that the container and binary shipped on it will have the same platform.
-RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -a -o manager cmd/main.go
+RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} make build
 
 # Use distroless as minimal base image to package the manager binary
 # Refer to https://github.com/GoogleContainerTools/distroless for more details
 FROM gcr.io/distroless/static:nonroot
 WORKDIR /
-COPY --from=builder /workspace/manager .
+COPY --from=builder /workspace/bin/nimbus .
 USER 65532:65532
 
-ENTRYPOINT ["/manager"]
+ENTRYPOINT ["/nimbus"]

Makefile

@@ -8,6 +8,8 @@ TAG ?= latest
 
 TEST_DIR ?= tests/controllers
 
+BINARY_NAME ?= nimbus
+
 # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
 ifeq (,$(shell go env GOBIN))
 GOBIN=$(shell go env GOPATH)/bin
@@ -46,6 +48,8 @@ all: build
 help: ## Display this help.
 	@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n  make \033[36m<target>\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf "  \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)
 
+.DEFAULT_GOAL := help
+
 ##@ Development
 
 .PHONY: manifests
@@ -97,11 +101,11 @@ lint-fix: golangci-lint ## Run golangci-lint linter and perform fixes
 
 .PHONY: build
 build: manifests generate fmt vet ## Build manager binary.
-	go build -o bin/manager cmd/main.go
+	@go build -ldflags="-s" -o bin/"${BINARY_NAME}" ./cmd
 
 .PHONY: run
-run: manifests generate fmt vet ## Run a controller from your host.
-	go run cmd/main.go
+run: manifests generate fmt vet build ## Run a controller from your host.
+	@./bin/"${BINARY_NAME}"
 
 # If you wish to build the manager image targeting other platforms you can use the --platform flag.
 # (i.e. docker build --platform linux/arm64). However, you must enable docker buildKit for it.

cmd/main.go

@@ -5,11 +5,11 @@ package main
 
 import (
 	"flag"
-	"os"
-
-	"k8s.io/apimachinery/pkg/runtime"
+	"github.com/5GSEC/nimbus/pkg/util"
+	k8sruntime "k8s.io/apimachinery/pkg/runtime"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
+	"os"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/config"
 	"sigs.k8s.io/controller-runtime/pkg/healthz"
@@ -24,7 +24,7 @@ import (
 
 // Global variables for scheme registration and setup logging.
 var (
-	scheme   = runtime.NewScheme()        // Scheme for registering API types for client and server.
+	scheme   = k8sruntime.NewScheme()     // Scheme for registering API types for client and server.
 	setupLog = ctrl.Log.WithName("setup") // Logger for setup process.
 )
 
@@ -51,6 +51,7 @@ func main() {
 
 	// Setting the logger with the provided options.
 	ctrl.SetLogger(zap.New())
+	util.LogBuildInfo(ctrl.Log)
 
 	// Creating a new manager which will manage all the controllers.
 	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{

pkg/adapter/nimbus-k8tls/Dockerfile

@@ -21,17 +21,14 @@ COPY $ADAPTER_DIR/go.mod go.mod
 # and so that source changes don't invalidate our downloaded layer
 RUN go mod download
 
-COPY $ADAPTER_DIR/manager manager
-COPY $ADAPTER_DIR/builder builder
-COPY $ADAPTER_DIR/watcher watcher
-COPY $ADAPTER_DIR/main.go main.go
+COPY $ADAPTER_DIR/ .
 
 # Build
 # the GOARCH has not a default value to allow the binary be built according to the host where the command
 # was called. For example, if we call make docker-build in a local env which has the Apple Silicon M1 SO
 # the docker BUILDPLATFORM arg will be linux/arm64 when for Apple x86 it will be linux/amd64. Therefore,
 # by leaving it empty we can ensure that the container and binary shipped on it will have the same platform.
-RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -ldflags="-s" -o bin/nimbus-k8tls main.go
+RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} make build
 
 FROM gcr.io/distroless/static:nonroot
 WORKDIR /

pkg/adapter/nimbus-k8tls/Makefile

@@ -18,9 +18,13 @@ CONTROLLER_GEN ?= $(LOCALBIN)/controller-gen
 help: ## Display this help.
 	@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n  make \033[36m<target>\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf "  \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)
 
+.DEFAULT_GOAL := help
+
+.PHONY: build
 build: ## Build nimbus-k8tls executable.
-	@go build -ldflags="-s" -o ${BINARY}  main.go
+	@go build -ldflags="-s" -o ${BINARY} .
 
+.PHONY: run
 run: build ## Run nimbus-k8tls.
 	@./${BINARY}
 

pkg/adapter/nimbus-k8tls/main.go

@@ -5,6 +5,7 @@ package main
 
 import (
 	"context"
+	"github.com/5GSEC/nimbus/pkg/util"
 	"os"
 	"os/signal"
 	"syscall"
@@ -18,6 +19,7 @@ import (
 func main() {
 	ctrl.SetLogger(zap.New())
 	logger := ctrl.Log
+	util.LogBuildInfo(logger)
 
 	ctx, cancelFunc := context.WithCancel(context.Background())
 	ctrl.LoggerInto(ctx, logger)

pkg/adapter/nimbus-kubearmor/Dockerfile

@@ -2,15 +2,13 @@
 # Copyright 2023 Authors of Nimbus
 
 # Build the nimbus-kubearmor binary
-FROM golang:1.22 as builder
+FROM golang:1.22 AS builder
 ARG TARGETOS
 ARG TARGETARCH
 
 WORKDIR /nimbus
 
-
 # relative deps requried by the adapter
-
 ADD api/ api/
 ADD pkg/ pkg/
 ADD go.mod go.mod
@@ -28,18 +26,14 @@ COPY $ADAPTER_DIR/go.sum go.sum
 # and so that source changes don't invalidate our downloaded layer
 RUN go mod download
 
-COPY $ADAPTER_DIR/manager manager
-COPY $ADAPTER_DIR/processor processor
-COPY $ADAPTER_DIR/watcher watcher
-COPY $ADAPTER_DIR/main.go main.go
-
+COPY $ADAPTER_DIR/ .
 
 # Build
 # the GOARCH has not a default value to allow the binary be built according to the host where the command
 # was called. For example, if we call make docker-build in a local env which has the Apple Silicon M1 SO
 # the docker BUILDPLATFORM arg will be linux/arm64 when for Apple x86 it will be linux/amd64. Therefore,
 # by leaving it empty we can ensure that the container and binary shipped on it will have the same platform.
-RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -ldflags="-w" -a -o nimbus-kubearmor main.go
+RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} make build
 
 FROM gcr.io/distroless/static:nonroot
 WORKDIR /

pkg/adapter/nimbus-kubearmor/Makefile

@@ -9,23 +9,31 @@ TAG ?= latest
 CONTAINER_TOOL ?= docker
 BINARY ?= bin/nimbus-kubearmor
 
-build:
-	@go build -ldflags="-w" -o ${BINARY}  main.go
+.PHONY: help
+help: ## Display this help.
+	@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n  make \033[36m<target>\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf "  \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)
 
-run: build
+.DEFAULT_GOAL := help
+
+.PHONY: build
+build: ## Build nimbus-kubearmor executable.
+	@go build -ldflags="-w" -o ${BINARY} .
+
+.PHONY: run
+run: build ## Run nimbus-kubearmor locally.
 	@./${BINARY}
 
 .PHONY: docker-build
-docker-build:
+docker-build: ## Build nimbus-kubearmor container image.
 	$(CONTAINER_TOOL) build -t ${IMG}:${TAG} --build-arg VERSION=${TAG} -f ./Dockerfile ../../../
 
 .PHONY: docker-push
-docker-push:
+docker-push: ## Push nimbus-kubearmor container image.
 	$(CONTAINER_TOOL) push ${IMG}:${TAG}
 
 PLATFORMS ?= linux/arm64,linux/amd64
 .PHONY: docker-buildx
-docker-buildx:
+docker-buildx: ## Build and push container image for cross-platform support
 	# copy existing Dockerfile and insert --platform=${BUILDPLATFORM} into Dockerfile.cross, and preserve the original Dockerfile
 	sed -e '1 s/\(^FROM\)/FROM --platform=\$$\{BUILDPLATFORM\}/; t' -e ' 1,// s//FROM --platform=\$$\{BUILDPLATFORM\}/' Dockerfile > Dockerfile.cross
 	- $(CONTAINER_TOOL) buildx create --name project-v3-builder

pkg/adapter/nimbus-kubearmor/main.go

@@ -5,6 +5,7 @@ package main
 
 import (
 	"context"
+	"github.com/5GSEC/nimbus/pkg/util"
 	"os"
 	"os/signal"
 	"syscall"
@@ -18,6 +19,7 @@ import (
 func main() {
 	ctrl.SetLogger(zap.New())
 	logger := ctrl.Log
+	util.LogBuildInfo(logger)
 
 	ctx, cancelFunc := context.WithCancel(context.Background())
 	ctrl.LoggerInto(ctx, logger)

pkg/adapter/nimbus-kyverno/Dockerfile

@@ -2,7 +2,7 @@
 # Copyright 2023 Authors of Nimbus
 
 # Build the nimbus-kubearmor binary
-FROM golang:1.22 as builder
+FROM golang:1.22 AS builder
 ARG TARGETOS
 ARG TARGETARCH
 
@@ -26,18 +26,14 @@ COPY $ADAPTER_DIR/go.sum go.sum
 # and so that source changes don't invalidate our downloaded layer
 RUN go mod download
 
-COPY $ADAPTER_DIR/manager manager
-COPY $ADAPTER_DIR/processor processor
-COPY $ADAPTER_DIR/watcher watcher
-COPY $ADAPTER_DIR/utils utils
-COPY $ADAPTER_DIR/main.go main.go
+COPY $ADAPTER_DIR/ .
 
 # Build
 # the GOARCH has not a default value to allow the binary be built according to the host where the command
 # was called. For example, if we call make docker-build in a local env which has the Apple Silicon M1 SO
 # the docker BUILDPLATFORM arg will be linux/arm64 when for Apple x86 it will be linux/amd64. Therefore,
 # by leaving it empty we can ensure that the container and binary shipped on it will have the same platform.
-RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -ldflags="-w" -a -o nimbus-kyverno main.go
+RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} make build
 
 FROM gcr.io/distroless/static:nonroot
 WORKDIR /

pkg/adapter/nimbus-kyverno/Makefile

@@ -9,23 +9,31 @@ TAG ?= latest
 CONTAINER_TOOL ?= docker
 BINARY ?= bin/nimbus-kyverno
 
-build:
-	@go build -ldflags="-w" -o ${BINARY}  main.go
+.PHONY: help
+help: ## Display this help.
+	@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n  make \033[36m<target>\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf "  \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)
 
-run: build
+.DEFAULT_GOAL := help
+
+.PHONY: build
+build: ## Build nimbus-kyverno executable.
+	@go build -ldflags="-w" -o ${BINARY}  .
+
+.PHONY: run
+run: build ## Run nimbus-kyverno locally.
 	@./${BINARY}
 
 .PHONY: docker-build
-docker-build:
+docker-build: ## Build nimbus-kyverno container image.
 	$(CONTAINER_TOOL) build -t ${IMG}:${TAG} --build-arg VERSION=${TAG} -f ./Dockerfile ../../../
 
 .PHONY: docker-push
-docker-push:
+docker-push: ## Push nimbus-kyverno container image.
 	$(CONTAINER_TOOL) push ${IMG}:${TAG}
 
 PLATFORMS ?= linux/arm64,linux/amd64
 .PHONY: docker-buildx
-docker-buildx:
+docker-buildx: ## Build and push container image for cross-platform support
 	# copy existing Dockerfile and insert --platform=${BUILDPLATFORM} into Dockerfile.cross, and preserve the original Dockerfile
 	sed -e '1 s/\(^FROM\)/FROM --platform=\$$\{BUILDPLATFORM\}/; t' -e ' 1,// s//FROM --platform=\$$\{BUILDPLATFORM\}/' Dockerfile > Dockerfile.cross
 	- $(CONTAINER_TOOL) buildx create --name project-v3-builder

pkg/adapter/nimbus-kyverno/clusterrole.yaml

@@ -1,3 +1,6 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2023 Authors of Nimbus
+
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:

pkg/adapter/nimbus-kyverno/main.go

@@ -5,6 +5,7 @@ package main
 
 import (
 	"context"
+	"github.com/5GSEC/nimbus/pkg/util"
 	"os"
 	"os/signal"
 	"syscall"
@@ -17,6 +18,7 @@ import (
 func main() {
 	ctrl.SetLogger(zap.New())
 	logger := ctrl.Log
+	util.LogBuildInfo(logger)
 
 	ctx, cancelFunc := context.WithCancel(context.Background())
 	ctrl.LoggerInto(ctx, logger)

pkg/adapter/nimbus-netpol/Dockerfile

@@ -2,7 +2,7 @@
 # Copyright 2023 Authors of Nimbus
 
 # Build the nimbus-netpol binary
-FROM golang:1.22 as builder
+FROM golang:1.22 AS builder
 ARG TARGETOS
 ARG TARGETARCH
 
@@ -26,17 +26,14 @@ COPY $ADAPTER_DIR/go.sum go.sum
 # and so that source changes don't invalidate our downloaded layer
 RUN go mod download
 
-COPY $ADAPTER_DIR/manager manager
-COPY $ADAPTER_DIR/processor processor
-COPY $ADAPTER_DIR/watcher watcher
-COPY $ADAPTER_DIR/main.go main.go
+COPY $ADAPTER_DIR/ .
 
 # Build
 # the GOARCH has not a default value to allow the binary be built according to the host where the command
 # was called. For example, if we call make docker-build in a local env which has the Apple Silicon M1 SO
 # the docker BUILDPLATFORM arg will be linux/arm64 when for Apple x86 it will be linux/amd64. Therefore,
 # by leaving it empty we can ensure that the container and binary shipped on it will have the same platform.
-RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -ldflags="-w" -a -o nimbus-netpol main.go
+RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} make build
 
 FROM gcr.io/distroless/static:nonroot
 WORKDIR /