update build system

Signed-off-by: Markus Blaschke <mblaschke82@gmail.com>

Author: mblaschke

.editorconfig

@@ -2,10 +2,10 @@
 
 # top-most EditorConfig file
 root = true
-charset = utf-8
-trim_trailing_whitespace = true
 
 [*]
+charset = utf-8
+trim_trailing_whitespace = true
 end_of_line = lf
 insert_final_newline = true
 indent_style = space

.github/workflows/ci-docker.yml

@@ -3,12 +3,21 @@ name: "CI: docker build"
 on: [pull_request]
 
 jobs:
-
   build:
-
     runs-on: ubuntu-latest
-
     steps:
-    - uses: actions/checkout@v2
-    - name: Build the Docker image
-      run: docker build . --file Dockerfile --tag webdevops/kube-bootstrap-token-manager:$(date +%s)
+      - uses: actions/checkout@v2
+
+      - name: Run Gosec Security Scanner
+        uses: securego/gosec@master
+        with:
+          args: ./...
+
+      - name: Run Golangci lint
+        uses: golangci/golangci-lint-action@v2
+        with:
+          version: latest
+          args: -E exportloopref,gofmt --timeout=30m
+
+      - name: Build the Docker image
+        run: docker build . --file Dockerfile --tag ${{ github.repository }}:$(date +%s)

.github/workflows/release-docker.yml

@@ -1,8 +1,6 @@
 name: "Release: docker"
 
 on:
-  schedule:
-    - cron: '0 6 * * 1'
   push:
     branches:
       - '**'
@@ -13,39 +11,52 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v2
-    - name: Docker meta
-      id: docker_meta
-      uses: crazy-max/ghaction-docker-meta@v1
-      with:
-        images: webdevops/kube-bootstrap-token-manager,quay.io/webdevops/kube-bootstrap-token-manager
-        #tag-sha: true
-
-    - name: Set up QEMU
-      uses: docker/setup-qemu-action@v1
-      
-    - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@v1
-
-    - name: Login to DockerHub
-      uses: docker/login-action@v1 
-      with:
-        username: ${{ secrets.DOCKERHUB_USERNAME }}
-        password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-    - name: Login to Quay
-      uses: docker/login-action@v1 
-      with:
-        registry: quay.io
-        username: ${{ secrets.QUAY_USERNAME }}
-        password: ${{ secrets.QUAY_TOKEN }}
-        
-    - name: Build and push
-      uses: docker/build-push-action@v2
-      with:
-        context: .
-        file: ./Dockerfile
-        platforms: linux/amd64,linux/arm,linux/arm64,linux/ppc64le
-        push: ${{ github.event_name != 'pull_request' }}
-        tags: ${{ steps.docker_meta.outputs.tags }}
-        labels: ${{ steps.docker_meta.outputs.labels }}
+      - uses: actions/checkout@v2
+
+      - name: Run Gosec Security Scanner
+        uses: securego/gosec@master
+        with:
+          args: ./...
+
+      - name: Run Golangci lint
+        uses: golangci/golangci-lint-action@v2
+        with:
+          version: latest
+          args: -E exportloopref,gofmt --timeout=30m
+
+      - name: Docker meta
+        id: docker_meta
+        uses: docker/metadata-action@v3
+        with:
+          images: ${{ github.repository }},quay.io/${{ github.repository }}
+          labels: |
+            io.artifacthub.package.readme-url=https://raw.githubusercontent.com/${{ github.repository }}/${{ github.event.repository.default_branch }}/README.md
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v1
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v1
+
+      - name: Login to DockerHub
+        uses: docker/login-action@v1
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Login to Quay
+        uses: docker/login-action@v1
+        with:
+          registry: quay.io
+          username: ${{ secrets.QUAY_USERNAME }}
+          password: ${{ secrets.QUAY_TOKEN }}
+
+      - name: Build and push
+        uses: docker/build-push-action@v2
+        with:
+          context: .
+          file: ./Dockerfile
+          platforms: linux/amd64,linux/arm,linux/arm64,linux/ppc64le
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.docker_meta.outputs.tags }}
+          labels: ${{ steps.docker_meta.outputs.labels }}

.github/workflows/scheduled-docker.yml

@@ -0,0 +1,59 @@
+name: "Scheduled: docker"
+
+on:
+  schedule:
+    - cron: '0 6 * * 1'
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+
+      - name: Run Gosec Security Scanner
+        uses: securego/gosec@master
+        with:
+          args: ./...
+
+      - name: Run Golangci lint
+        uses: golangci/golangci-lint-action@v2
+        with:
+          version: latest
+          args: -E exportloopref,gofmt --timeout=30m
+
+      - name: Docker meta
+        id: docker_meta
+        uses: docker/metadata-action@v3
+        with:
+          images: ${{ github.repository }},quay.io/${{ github.repository }}
+          labels: |
+            io.artifacthub.package.readme-url=https://raw.githubusercontent.com/${{ github.repository }}/${{ github.event.repository.default_branch }}/README.md
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v1
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v1
+
+      - name: Login to DockerHub
+        uses: docker/login-action@v1
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Login to Quay
+        uses: docker/login-action@v1
+        with:
+          registry: quay.io
+          username: ${{ secrets.QUAY_USERNAME }}
+          password: ${{ secrets.QUAY_TOKEN }}
+
+      - name: Build and push
+        uses: docker/build-push-action@v2
+        with:
+          context: .
+          file: ./Dockerfile
+          platforms: linux/amd64,linux/arm,linux/arm64,linux/ppc64le
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.docker_meta.outputs.tags }}
+          labels: ${{ steps.docker_meta.outputs.labels }}

Dockerfile

@@ -1,25 +1,21 @@
-FROM golang:1.15 as build
+FROM golang:1.17-alpine as build
 
-WORKDIR /go/src/github.com/webdevops/kube-bootstrap-token-manager
-
-# Get deps (cached)
-COPY ./go.mod /go/src/github.com/webdevops/kube-bootstrap-token-manager
-COPY ./go.sum /go/src/github.com/webdevops/kube-bootstrap-token-manager
-COPY ./Makefile /go/src/github.com/webdevops/kube-bootstrap-token-manager
-RUN make dependencies
+RUN apk upgrade --no-cache --force
+RUN apk add --update build-base make git
 
+WORKDIR /go/src/github.com/webdevops/kube-bootstrap-token-manager
 # Compile
 COPY ./ /go/src/github.com/webdevops/kube-bootstrap-token-manager
+RUN make dependencies
 RUN make test
-RUN make lint
 RUN make build
 RUN ./kube-bootstrap-token-manager --help
 
 #############################################
 # FINAL IMAGE
 #############################################
-FROM gcr.io/distroless/base
+FROM gcr.io/distroless/static
 ENV LOG_JSON=1
 COPY --from=build /go/src/github.com/webdevops/kube-bootstrap-token-manager/kube-bootstrap-token-manager /
-USER 1000
+USER 1000:1000
 ENTRYPOINT ["/kube-bootstrap-token-manager"]

Makefile

@@ -1,7 +1,7 @@
 PROJECT_NAME		:= kube-bootstrap-token-manager
 GIT_TAG				:= $(shell git describe --dirty --tags --always)
 GIT_COMMIT			:= $(shell git rev-parse --short HEAD)
-LDFLAGS				:= -X "main.gitTag=$(GIT_TAG)" -X "main.gitCommit=$(GIT_COMMIT)" -extldflags "-static"
+LDFLAGS				:= -X "main.gitTag=$(GIT_TAG)" -X "main.gitCommit=$(GIT_COMMIT)" -linkmode external -extldflags "-static" -s -w
 
 FIRST_GOPATH			:= $(firstword $(subst :, ,$(shell go env GOPATH)))
 GOLANGCI_LINT_BIN		:= $(FIRST_GOPATH)/bin/golangci-lint
@@ -34,12 +34,20 @@ build-push-development:
 test:
 	go test ./...
 
+.PHONY: dependencies
+dependencies:
+	go mod vendor
+
 .PHONY: lint
 lint: $(GOLANGCI_LINT_BIN)
-	$(GOLANGCI_LINT_BIN) run -E exportloopref,gofmt --timeout=10m
+	$(GOLANGCI_LINT_BIN) run -E exportloopref,gofmt --timeout=30m
 
-.PHONY: dependencies
-dependencies: $(GOLANGCI_LINT_BIN)
+.PHONY: gosec
+gosec: $(GOSEC_BIN)
+	$(GOSEC_BIN) ./...
 
 $(GOLANGCI_LINT_BIN):
-	curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | sh -s -- -b $(FIRST_GOPATH)/bin v1.32.2
+	curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin
+
+$(GOSEC_BIN):
+	curl -sfL https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s -- -b $(FIRST_GOPATH)/bin v2.7.0

README.md

@@ -1,5 +1,4 @@
-Kubernetes node bootstrap token manager
-========================================
+# Kubernetes node bootstrap token manager
 
 [![license](https://img.shields.io/github/license/webdevops/kube-bootstrap-token-manager.svg)](https://github.com/webdevops/kube-bootstrap-token-manager/blob/master/LICENSE)
 [![DockerHub](https://img.shields.io/badge/DockerHub-webdevops%2Fkube--bootstrap--token--manager-blue)](https://hub.docker.com/r/webdevops/kube-bootstrap-token-manager/)
@@ -14,8 +13,7 @@ Azure:
 - (re)creates token inside Kubernetes and ensures it existence
 - Manages renewal if token is going to be expired
 
-Configuration
--------------
+## Configuration
 
 ```
 Usage:
@@ -52,10 +50,9 @@ Help Options:
   -h, --help                                           Show this help message
 ```
 
-for Azure API authentication (using ENV vars) see https://github.com/Azure/azure-sdk-for-go#authentication
+for Azure API authentication (using ENV vars) see https://docs.microsoft.com/en-us/azure/developer/go/azure-sdk-authentication
 
-Metrics
--------
+## Metrics
 
  (see `:8080/metrics`)
 
@@ -67,7 +64,6 @@ Metrics
 | `bootstraptoken_sync_time`         | Timestamp of last sync                          |
 | `bootstraptoken_sync_count`        | Counter of sync                                 |
 
-Kubernetes deployment
----------------------
+## Kubernetes deployment
 
 see [deployment](/deployment)