[2.14 main] Removing dapper from the build process (#1150)

* Removing dapper from the build process

* Move binary build into Dockerfile

* Eliminate redundant build

* Add validate-ci run

* Fix up for the make validate target

* Now using buildx, caching, and introducing a stage for unit tests and building the integration test binary

* Remove --no-cache from unit test step

* Cleanup ci.yaml to rely on make package target

* Move golangci-lint into Dockerfile

* Use uname rather than go-specific command in version script

* Use uname for integration test and eliminate separate validate script

* Add early stage for getting the webhook binary

* Add test-binary Makefile target, move that logic from integration-test-ci

* Make ARCH and PLATFORM configurable in Makefile

* Organize Dockerfile to pair build and scratch stages.  Move TARGETOS and TARGETARCH to the webhook-build stage

* Make ARCH/PLATFORM configurable, but default to sensible host-based values

* Create separate image Makefile target to quickly produce dev image

* Remove unneeded scripts/validate

* Rename test-binary to integration-test-binary and cleanup duplicated arch setting from the script

* Rename "package" makefile target to the more appropriate "ci"

* Update release.yaml to use the new Makefile/Dockerfile

* Update publish-head.yaml to use the new Makefile/Dockerfile

Author: crobby

.github/workflows/ci.yaml

@@ -35,16 +35,6 @@ jobs:
         # https://github.com/actions/checkout/releases/tag/v4.1.1
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
-      - name: Setup Go
-        # https://github.com/actions/setup-go/releases/tag/v5.0.0
-        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
-        with:
-          go-version-file: 'go.mod'
-      - name: Install golangci-lint
-        uses: golangci/golangci-lint-action@55c2c1448f86e01eaae002a5a3a9624417608d84 # v6.5.2
-        with:
-          version: v1.64.8
-
       # TODO: Pull this next one out once there's a helm-release for rancher 2.9
       - name: Checkout rancher/rancher and build the chart
         run: |
@@ -56,14 +46,14 @@ jobs:
           tar cfz "${{ runner.temp }}/rancher.tgz" -C build/chart/rancher .
           popd
 
+      - name: Build, Test, and Package
+        run: make ci
+
       - name: install K3d
         run: ./.github/workflows/scripts/install-k3d.sh
         env:
           K3D_VERSION: latest
 
-      - name: ci
-        run: make ci
-
       - name: setup cluster
         run: ./.github/workflows/scripts/setup-cluster.sh
         env:

.github/workflows/publish-head.yaml

@@ -25,9 +25,14 @@ jobs:
       uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
       with:
         go-version-file: 'go.mod'
+    - name: Set Version/Commit
+      run: |
+            source ./scripts/version
+            echo "VERSION=${VERSION}" >> $GITHUB_ENV
+            echo "COMMIT=${COMMIT}" >> $GITHUB_ENV
     - name: Build and package
       run: |
-          ./scripts/build
+          make build ARCH=${{ matrix.arch }}
           mkdir -p dist/artifacts
           cp bin/webhook dist/artifacts/webhook-linux-${{ matrix.arch }}
       env:
@@ -80,6 +85,11 @@ jobs:
           registry: ${{ env.REGISTRY }}
           username: ${{ env.DOCKER_USERNAME }}
           password: ${{ env.DOCKER_PASSWORD }}
+      - name: Set Version/Commit
+        run: |
+          source ./scripts/version
+          echo "VERSION=${VERSION}" >> $GITHUB_ENV
+          echo "COMMIT=${COMMIT}" >> $GITHUB_ENV
       - name: Build and push the webhook image
         id: build
         uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
@@ -88,6 +98,9 @@ jobs:
           file: ./package/Dockerfile
           platforms: "linux/${{ matrix.arch }}"
           outputs: type=image,name=${{ env.REPO }}/rancher-webhook,push-by-digest=true,name-canonical=true,push=true
+          build-args: |
+            VERSION=${{ env.VERSION }}
+            COMMIT=${{ env.COMMIT }}
       - name: Export digest
         run: |
           mkdir -p /tmp/digests

.github/workflows/release.yaml

@@ -26,26 +26,17 @@ jobs:
 
     - name : Checkout repository
       uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-      # https://github.com/actions/checkout/releases/tag/v4.1.1
 
-    - name: Setup Go
-      uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
-      # https://github.com/actions/setup-go/releases/tag/v5.0.0
-      with:
-        go-version-file: 'go.mod'
+    - name: Build Binary
+      run: make build ARCH=${{ matrix.arch }}
 
-    - name: Build and package
-      run: |
-          ./scripts/build
-          mkdir -p dist/artifacts
-          cp bin/webhook dist/artifacts/webhook-linux-${{ matrix.arch }}
-      env:
-        ARCH: "${{ matrix.arch}}"
-        GOARCH: "${{ matrix.arch}}"
+    - name: Package Helm Chart
+      run: make package-helm
 
-    - name: Generate checksum files
+    - name: Prepare Artifacts
       run: |
-        ls -lR dist
+        mkdir -p dist/artifacts
+        cp bin/webhook dist/artifacts/webhook-linux-${{ matrix.arch }}
         cd dist/artifacts
         sha256sum webhook-linux-${{ matrix.arch }} > sha256sum-${{ matrix.arch }}.txt
 
@@ -122,12 +113,6 @@ jobs:
           name: webhook-artifacts-${{ matrix.arch }}
           path: dist/artifacts
 
-      - name: Move binary to bin/
-        run: |
-          mkdir -p bin/
-          cp -v dist/artifacts/webhook-linux-${{ matrix.arch }} bin/webhook
-          chmod +x bin/webhook
-
       - name: "Read vault secrets"
         uses: rancher-eio/read-vault-secrets@main
         with:
@@ -151,6 +136,12 @@ jobs:
           username: ${{ env.DOCKER_USERNAME }}
           password: ${{ env.DOCKER_PASSWORD }}
 
+      - name: Set Version/Commit
+        run: |
+          source ./scripts/version
+          echo "VERSION=${VERSION}" >> $GITHUB_ENV
+          echo "COMMIT=${COMMIT}" >> $GITHUB_ENV
+
       - name: Build and push the webhook image
         id: build
         # https://github.com/docker/build-push-action/releases/tag/v6.3.0
@@ -159,6 +150,9 @@ jobs:
           context: .
           file: ./package/Dockerfile
           platforms: "linux/${{ matrix.arch }}"
+          build-args: |
+            VERSION=${{ env.VERSION }}
+            COMMIT=${{ env.COMMIT }}
           outputs: type=image,name=${{ env.REPO }}/rancher-webhook,push-by-digest=true,name-canonical=true,push=true
 
       - name: Export digest

.github/workflows/scripts/integration-test-ci

@@ -4,6 +4,9 @@ set -eu
 cd $(dirname $0)/../../..
 DIST_DIR="$PWD"/dist
 
+# Build the integration test binary
+make integration-test-binary ARCH=${ARCH}
+
 source ./scripts/version
 # Source tags file to get the last built tags
 source ./dist/tags

Dockerfile.dapper

@@ -1,18 +1,82 @@
-TARGETS := $(shell ls scripts)
+# Set default ARCH, but allow it to be overridden
+UNAME_ARCH := $(shell uname -m)
+ifeq ($(UNAME_ARCH),x86_64)
+    ARCH ?= amd64
+else ifeq ($(UNAME_ARCH),aarch64)
+    ARCH ?= arm64
+else
+    ARCH ?= $(UNAME_ARCH)
+endif
 
-.dapper:
-	@echo Downloading dapper
-	@curl -sL https://releases.rancher.com/dapper/latest/dapper-$$(uname -s)-$$(uname -m) > .dapper.tmp
-	@@chmod +x .dapper.tmp
-	@./.dapper.tmp -v
-	@mv .dapper.tmp .dapper
+# Export ARCH so it's available to subshells (like the scripts)
+export ARCH
+PLATFORM ?= linux/$(ARCH)
 
-$(TARGETS): .dapper
-	./.dapper $@
+.PHONY: all build integration-test-binary test validate ci package-helm image clean
 
-clean:
-	rm -rf build bin dist
+all: ci
+
+build:
+	@echo "--- Building Webhook Binary ---"
+	@bash -c 'source scripts/version && \
+	mkdir -p bin && \
+	docker buildx build \
+		--file package/Dockerfile \
+		--target binary \
+		--build-arg VERSION=$${VERSION} \
+		--build-arg COMMIT=$${COMMIT} \
+		--platform=$(PLATFORM) \
+		--output=type=local,dest=./bin \
+		. '
+
+integration-test-binary:
+	@echo "--- Building Integration Test Binary ---"
+	@bash -c 'source scripts/version && \
+	mkdir -p bin && \
+	docker buildx build \
+		--file package/Dockerfile \
+		--target integration-test-binary \
+		--platform=$(PLATFORM) \
+		--output=type=local,dest=./bin \
+		. '
+
+test:
+	@echo "--- Running Unit Tests ---"
+	@docker buildx build \
+		--file package/Dockerfile \
+		--target test \
+		--progress=plain \
+		.
 
-.DEFAULT_GOAL := default
+validate:
+	@echo "--- Validating ---"
+	@docker buildx build \
+        --file package/Dockerfile \
+        --target validate \
+        --progress=plain \
+        .
 
-.PHONY: $(TARGETS)
+package-helm:
+	./scripts/package-helm
+
+image: build
+	@echo "--- Building Development Image ---"
+	@bash -c 'source scripts/version && \
+	docker buildx build \
+		--file package/Dockerfile \
+		--build-arg VERSION=$${VERSION} \
+		--build-arg COMMIT=$${COMMIT} \
+		--platform=$(PLATFORM) \
+		-t rancher/webhook:$${TAG} \
+		--load \
+		. && \
+	mkdir -p dist && \
+	chmod a+rwx dist && \
+	docker save -o dist/rancher-webhook-image.tar rancher/webhook:$${TAG} && \
+	echo IMAGE_TAG=$${TAG} > dist/image_tag'
+
+# ci target is for CI, ensuring tests and validation run first
+ci: test validate image package-helm
+
+clean:
+	rm -rf bin dist

Makefile

@@ -1,3 +1,74 @@
+# ===============
+# Build Stage
+# ===============
+FROM --platform=$BUILDPLATFORM registry.suse.com/bci/golang:1.24 AS build
+
+# Set up build cache
+ENV GOMODCACHE=/root/.cache/go/modcache
+ENV GOCACHE=/root/.cache/go/cache
+ENV CGO_ENABLED=0
+
+WORKDIR /src
+
+# Define build arguments
+ARG VERSION
+ARG COMMIT
+ARG LINKFLAGS="-extldflags -static -s"
+ARG LDFLAGS="-X main.Version=${VERSION} -X main.GitCommit=${COMMIT} ${LINKFLAGS}"
+
+# Download dependencies
+COPY go.mod go.sum ./
+RUN --mount=type=cache,target=/root/.cache,id=rancher go mod download
+
+# ===============
+# Webhook Binary Build Stage
+# ===============
+FROM --platform=$BUILDPLATFORM build AS webhook-build
+ARG TARGETOS
+ARG TARGETARCH
+# Copy source and build the webhook binary
+COPY pkg/ pkg/
+COPY main.go ./
+RUN --mount=type=cache,target=/root/.cache,id=rancher GOOS=${TARGETOS} GOARCH=${TARGETARCH} go build -ldflags "${LDFLAGS}" -o /dist/webhook .
+
+# ===============
+# Binary Stage (for extracting the main binary)
+# ===============
+FROM scratch AS binary
+COPY --from=webhook-build /dist/webhook /webhook
+
+# ===============
+# Test Stage
+# ===============
+FROM build AS test
+COPY . .
+RUN --mount=type=cache,target=/root/.cache,id=rancher go test --coverpkg=./pkg/... -coverprofile=coverage.out --count=1 ./pkg/...
+RUN cat coverage.out | awk 'BEGIN {cov=0; stat=0;} $3!="" { cov+=($3==1?$2:0); stat+=$2; } END {printf("Total coverage: %.2f%% of statements\n", (cov/stat)*100);}'
+
+# ===============
+# Validate Stage
+# ===============
+FROM build AS validate
+RUN curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b /usr/local/bin v1.64.8
+COPY . .
+RUN --mount=type=cache,target=/root/.cache,id=rancher golangci-lint run
+
+# ===============
+# Integration Test Build Stage
+# ===============
+FROM build AS integration-test-build
+COPY . .
+RUN --mount=type=cache,target=/root/.cache,id=rancher go test ./tests/integration/... -c -o /dist/rancher-webhook-integration.test
+
+# ===============
+# Test Binary Stage to extract the integration test binary
+# ===============
+FROM scratch AS integration-test-binary
+COPY --from=integration-test-build /dist/rancher-webhook-integration.test /rancher-webhook-integration.test
+
+# ===============
+# Final Stage
+# ===============
 FROM registry.suse.com/bci/bci-micro:15.7
 
 ARG user=webhook
@@ -7,7 +78,8 @@ RUN echo "$user:x:1000:1000::/home/$user:/bin/bash" >> /etc/passwd && \
     mkdir /home/$user && \
     chown -R $user:$user /home/$user
 
-COPY bin/webhook /usr/bin/
+# Copy the compiled binary from the webhook-build stage
+COPY --from=webhook-build /dist/webhook /usr/bin/
 
 USER $user