# Included by Makefile.
# Rules related to building nomos and docker images.
###################################
# Build environment
###################################
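# Makes the buildenv image $(BUILDENV_IMAGE) available locally.
# Attempts, in order: reuse the local copy, pull the cached image from the
# registry, build it from source. The build fallback enables testing with a
# new image version before it is published.
# NOTE(review): the build fallback also runs when the pull fails for any other
# reason (auth, network); a locally built image is then used in place of the
# published one.
# The redirect is spelled `> /dev/null 2>&1` because `&>` is a bash extension:
# a POSIX /bin/sh parses it as `cmd &` followed by a bare redirection, so the
# `||` fallbacks would never run.
# Declared phony: the recipe never creates a file with this name.
.PHONY: pull-buildenv
pull-buildenv:
	@docker image inspect $(BUILDENV_IMAGE) > /dev/null 2>&1 \
		|| docker pull $(BUILDENV_IMAGE) \
		|| $(MAKE) build-buildenv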
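# Builds the buildenv image from the build/buildenv context and tags it
# $(BUILDENV_IMAGE). Listing the Dockerfile as a prerequisite makes the target
# fail before docker is invoked if the file is missing.
# Declared phony for consistency with the other targets in this file; the
# recipe never creates a file named build-buildenv.
.PHONY: build-buildenv
build-buildenv: build/buildenv/Dockerfile
	@echo "+++ Creating the docker container for $(BUILDENV_IMAGE)"
	@docker buildx build $(DOCKER_BUILD_QUIET) \
		build/buildenv \
		-t $(BUILDENV_IMAGE) \
		$(DOCKER_BUILD_ARGS)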
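# Rebuilds the buildenv image and publishes it under two tags:
# $(BUILDENV_IMAGE) and $(BUILDENV_SHA_IMAGE).
# `gcloud auth configure-docker` registers gcloud as the Docker credential
# helper for the registry host, which is taken as the first `/`-separated
# component of the image name.
# Declared phony for consistency with the other targets in this file.
.PHONY: push-buildenv
push-buildenv: build-buildenv
	@gcloud $(GCLOUD_QUIET) auth configure-docker $(firstword $(subst /, ,$(BUILDENV_IMAGE)))
	@docker push $(BUILDENV_IMAGE)
	@docker tag $(BUILDENV_IMAGE) $(BUILDENV_SHA_IMAGE)
	@docker push $(BUILDENV_SHA_IMAGE)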
###################################
# Docker images
###################################
# Build setup: brings $(OUTPUT_DIR) up to date (its rule is defined elsewhere)
# and makes the buildenv image available locally.
.PHONY: build
build: \
    $(OUTPUT_DIR) \
    pull-buildenv
	@echo "+++ Build setup done"
# NOTE: this rule depends on OUTPUT_DIR because buildenv needs those dirs to
# exist in order to work.
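# Platforms, written <GOOS>_<GOARCH>, for which the nomos CLI is compiled.
PLATFORMS := linux_amd64 linux_arm64 darwin_amd64 darwin_arm64 windows_amd64

# Compiles the nomos binaries for every entry in PLATFORMS by running
# scripts/build.sh through `docker run $(DOCKER_RUN_ARGS)` (presumably the
# buildenv image; DOCKER_RUN_ARGS is defined elsewhere).
# The per-platform output directories are created on the host first.
# Declared phony for consistency with the other targets in this file; the
# recipe never creates a file named build-cli.
.PHONY: build-cli
build-cli: pull-buildenv buildenv-dirs
	@echo "+++ Compiling Nomos binaries for $(PLATFORMS)"
	@echo "+++ Compiling with VERSION: $(VERSION)"
	@mkdir -p $(addprefix $(OUTPUT_DIR)/go/bin/,$(PLATFORMS))
	@docker run $(DOCKER_RUN_ARGS) ./scripts/build.sh \
		--version $(VERSION) \
		$(PLATFORMS)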
# Copies the nomos binary built for the host platform (as reported by
# `go env GOOS` / `go env GOARCH`) to $(OUTPUT_DIR)/go/bin/nomos and makes it
# executable (mode 755).
.PHONY: copy-cli
copy-cli: buildenv-dirs
	@cd $(OUTPUT_DIR)/go/bin \
		&& cp $(shell go env GOOS)_$(shell go env GOARCH)/nomos nomos
	@cd $(OUTPUT_DIR)/go/bin \
		&& chmod 755 nomos
# One phony target per entry of $(IMAGES), named __build-image-<image>.
BUILD_IMAGE_TARGETS := $(addprefix __build-image-,$(IMAGES))

# Each target builds the stage of build/all/Dockerfile that carries the image's
# name (--target) from the repository root and tags the result with
# gen_image_tag (defined elsewhere).
# NOTE(review): the quotes around $(HELM) and $(KUSTOMIZE) are literal to make;
# presumably the rules for those tools are spelled the same way - confirm.
.PHONY: $(BUILD_IMAGE_TARGETS)
$(BUILD_IMAGE_TARGETS): "$(HELM)" "$(KUSTOMIZE)"
	@echo "+++ Building the $(patsubst __build-image-%,%,$@) image: $(call gen_image_tag,$(patsubst __build-image-%,%,$@))"
	@docker buildx build $(DOCKER_BUILD_QUIET) \
		--target $(patsubst __build-image-%,%,$@) \
		-t $(call gen_image_tag,$(patsubst __build-image-%,%,$@)) \
		-f build/all/Dockerfile \
		$(DOCKER_BUILD_ARGS) \
		.

# Builds every Config Sync docker image.
.PHONY: build-images
build-images: $(BUILD_IMAGE_TARGETS)

# Deprecated alias of build-images. Remove this once unused.
.PHONY: build-images-multirepo
build-images-multirepo: build-images
# Shows which gcloud account is active, then registers gcloud as the Docker
# credential helper for the host part of $(REGISTRY) (everything before the
# first `/`). The account lookup is deliberately not silenced, so both the
# command and the account appear in the build log.
.PHONY: auth-docker
auth-docker:
	@echo "+++ Using account:"
	gcloud config get-value account
	@gcloud $(GCLOUD_QUIET) auth configure-docker $(word 1,$(subst /, ,$(REGISTRY)))
# One phony target per entry of $(IMAGES), named __push-image-<image>.
PUSH_IMAGE_TARGETS := $(addprefix __push-image-,$(IMAGES))

# Pushes a single image, identified by the target-name suffix, under the tag
# produced by gen_image_tag. Docker credentials are configured first.
.PHONY: $(PUSH_IMAGE_TARGETS)
$(PUSH_IMAGE_TARGETS): auth-docker
	docker push $(call gen_image_tag,$(patsubst __push-image-%,%,$@))

# Pushes Config Sync docker images to REGISTRY.
.PHONY: push-images
push-images: $(PUSH_IMAGE_TARGETS)

# Deprecated alias of push-images. Remove this once unused.
.PHONY: push-images-multirepo
push-images-multirepo: push-images
# One phony target per entry of $(IMAGES), named __pull-image-<image>.
PULL_IMAGE_TARGETS := $(addprefix __pull-image-,$(IMAGES))

# Pulls a single image, identified by the target-name suffix, by the tag
# produced by gen_image_tag. Docker credentials are configured first.
# NOTE(review): images are addressed by tag, not by digest, so the content
# behind a tag is whatever the registry currently serves for it.
.PHONY: $(PULL_IMAGE_TARGETS)
$(PULL_IMAGE_TARGETS): auth-docker
	docker pull $(call gen_image_tag,$(patsubst __pull-image-%,%,$@))

# Pulls all Config Sync images from REGISTRY.
.PHONY: pull-images
pull-images: $(PULL_IMAGE_TARGETS)

# Deprecated alias of pull-images. Remove this once unused.
.PHONY: pull-images-multirepo
pull-images-multirepo: pull-images
# One phony target per entry of $(IMAGES), named __retag-image-<image>.
RETAG_IMAGE_TARGETS := $(addprefix __retag-image-,$(IMAGES))

# Adds the current tag (from gen_image_tag) to a local image that already
# exists as $(OLD_REGISTRY)/<image>:$(OLD_IMAGE_TAG). Nothing is pulled or
# pushed here; OLD_REGISTRY and OLD_IMAGE_TAG must be supplied by the caller.
.PHONY: $(RETAG_IMAGE_TARGETS)
$(RETAG_IMAGE_TARGETS):
	docker tag $(OLD_REGISTRY)/$(patsubst __retag-image-%,%,$@):$(OLD_IMAGE_TAG) $(call gen_image_tag,$(patsubst __retag-image-%,%,$@))

# Retags previously built Config Sync images.
.PHONY: retag-images
retag-images: $(RETAG_IMAGE_TARGETS)

# Deprecated alias of retag-images. Remove this once unused.
.PHONY: retag-images-multirepo
retag-images-multirepo: retag-images
###################################
# Config Sync manifest
###################################
# Build Config Sync manifests for ACM operator and OSS, then package the
# kustomize bundle.
# NOTE(review): package-kustomize-bundle reads the files written by
# build-manifests-oss, but that dependency is expressed only by the order of
# the prerequisites below. A serial run builds them left to right; under
# `make -j` the order is not guaranteed - confirm this target is never run in
# parallel, or declare the dependency.
.PHONY: build-manifests
build-manifests: build-manifests-operator build-manifests-oss package-kustomize-bundle
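# Build Config Sync manifests for OSS installations.
#
# Steps: empty $(OSS_MANIFEST_STAGING_DIR), render manifests/oss with
# kustomize, replace the *_IMAGE_NAME placeholders with concrete image
# references, add the license header, then render the optional
# admission-webhook manifest the same way.
#
# --load-restrictor=LoadRestrictionsNone allows the kustomization to reference
# files outside its own directory.
#
# The kustomize output goes to a .raw file first instead of being piped into
# sed: in a pipeline only sed's exit status counts (unless the shell runs with
# pipefail), so a failed kustomize build would leave an empty or truncated
# manifest behind and still report success.
#
# The guard on the first recipe line prevents `rm -f /*` when the staging
# directory variable is unset.
#
# NOTE(review): sed uses `|` as delimiter; an image reference containing `|`
# or `&` would be substituted incorrectly.
.PHONY: build-manifests-oss
build-manifests-oss: "$(ADDLICENSE)" "$(KUSTOMIZE)" $(OUTPUT_DIR)
	$(if $(strip $(OSS_MANIFEST_STAGING_DIR)),,$(error OSS_MANIFEST_STAGING_DIR is empty - refusing to clean the staging directory))
	@ echo "+++ Generating manifests in $(OSS_MANIFEST_STAGING_DIR)"
	@ echo " Using tags: $(REGISTRY)/*:$(IMAGE_TAG)"
	@ rm -f $(OSS_MANIFEST_STAGING_DIR)/*
	@ "$(KUSTOMIZE)" build --load-restrictor=LoadRestrictionsNone manifests/oss \
		> $(OSS_MANIFEST_STAGING_DIR)/config-sync-manifest.yaml.raw
	@ sed \
		-e "s|RECONCILER_IMAGE_NAME|$(call gen_image_tag,$(RECONCILER_IMAGE))|g" \
		-e "s|OCI_SYNC_IMAGE_NAME|$(call gen_image_tag,$(OCI_SYNC_IMAGE))|g" \
		-e "s|HELM_SYNC_IMAGE_NAME|$(call gen_image_tag,$(HELM_SYNC_IMAGE))|g" \
		-e "s|HYDRATION_CONTROLLER_IMAGE_NAME|$(call gen_image_tag,$(HYDRATION_CONTROLLER_IMAGE))|g" \
		-e "s|RECONCILER_MANAGER_IMAGE_NAME|$(call gen_image_tag,$(RECONCILER_MANAGER_IMAGE))|g" \
		-e "s|ASKPASS_IMAGE_NAME|$(call gen_image_tag,$(ASKPASS_IMAGE))|g" \
		-e "s|RESOURCE_GROUP_CONTROLLER_IMAGE_NAME|$(call gen_image_tag,$(RESOURCE_GROUP_IMAGE))|g" \
		-e "s|GIT_SYNC_IMAGE_NAME|$(GIT_SYNC_IMAGE_NAME)|g" \
		-e "s|OTELCONTRIBCOL_IMAGE_NAME|$(OTELCONTRIBCOL_IMAGE_NAME)|g" \
		$(OSS_MANIFEST_STAGING_DIR)/config-sync-manifest.yaml.raw \
		> $(OSS_MANIFEST_STAGING_DIR)/config-sync-manifest.yaml
	@ rm -f $(OSS_MANIFEST_STAGING_DIR)/config-sync-manifest.yaml.raw
	@ "$(ADDLICENSE)" $(OSS_MANIFEST_STAGING_DIR)/config-sync-manifest.yaml
	@ # Additional optional OSS manifests
	@ sed -e "s|WEBHOOK_IMAGE_NAME|$(call gen_image_tag,$(ADMISSION_WEBHOOK_IMAGE))|g" \
		manifests/templates/admission-webhook.yaml \
		> $(OSS_MANIFEST_STAGING_DIR)/admission-webhook.yaml
	@ echo "+++ Manifests generated in $(OSS_MANIFEST_STAGING_DIR)"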
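# Build Config Sync manifests for ACM operator.
#
# Steps: empty $(NOMOS_MANIFEST_STAGING_DIR), render manifests/operator with
# kustomize, replace the *_IMAGE_NAME placeholders with concrete image
# references, then add the license header.
#
# --load-restrictor=LoadRestrictionsNone allows the kustomization to reference
# files outside its own directory.
#
# The kustomize output goes to a .raw file first instead of being piped into
# sed: in a pipeline only sed's exit status counts (unless the shell runs with
# pipefail), so a failed kustomize build would leave an empty or truncated
# manifest behind and still report success.
#
# The guard on the first recipe line prevents `rm -f /*` when the staging
# directory variable is unset.
#
# NOTE(review): sed uses `|` as delimiter; an image reference containing `|`
# or `&` would be substituted incorrectly.
.PHONY: build-manifests-operator
build-manifests-operator: "$(ADDLICENSE)" "$(KUSTOMIZE)" $(OUTPUT_DIR)
	$(if $(strip $(NOMOS_MANIFEST_STAGING_DIR)),,$(error NOMOS_MANIFEST_STAGING_DIR is empty - refusing to clean the staging directory))
	@ echo "+++ Generating manifests in $(NOMOS_MANIFEST_STAGING_DIR)"
	@ echo " Using tags: $(REGISTRY)/*:$(IMAGE_TAG)"
	@ rm -f $(NOMOS_MANIFEST_STAGING_DIR)/*
	@ "$(KUSTOMIZE)" build --load-restrictor=LoadRestrictionsNone manifests/operator \
		> $(NOMOS_MANIFEST_STAGING_DIR)/config-sync-manifest.yaml.raw
	@ sed \
		-e "s|RECONCILER_IMAGE_NAME|$(call gen_image_tag,$(RECONCILER_IMAGE))|g" \
		-e "s|OCI_SYNC_IMAGE_NAME|$(call gen_image_tag,$(OCI_SYNC_IMAGE))|g" \
		-e "s|HELM_SYNC_IMAGE_NAME|$(call gen_image_tag,$(HELM_SYNC_IMAGE))|g" \
		-e "s|HYDRATION_CONTROLLER_IMAGE_NAME|$(call gen_image_tag,$(HYDRATION_CONTROLLER_IMAGE))|g" \
		-e "s|RECONCILER_MANAGER_IMAGE_NAME|$(call gen_image_tag,$(RECONCILER_MANAGER_IMAGE))|g" \
		-e "s|WEBHOOK_IMAGE_NAME|$(call gen_image_tag,$(ADMISSION_WEBHOOK_IMAGE))|g" \
		-e "s|ASKPASS_IMAGE_NAME|$(call gen_image_tag,$(ASKPASS_IMAGE))|g" \
		-e "s|RESOURCE_GROUP_CONTROLLER_IMAGE_NAME|$(call gen_image_tag,$(RESOURCE_GROUP_IMAGE))|g" \
		-e "s|GIT_SYNC_IMAGE_NAME|$(GIT_SYNC_IMAGE_NAME)|g" \
		-e "s|OTELCONTRIBCOL_IMAGE_NAME|$(OTELCONTRIBCOL_IMAGE_NAME)|g" \
		$(NOMOS_MANIFEST_STAGING_DIR)/config-sync-manifest.yaml.raw \
		> $(NOMOS_MANIFEST_STAGING_DIR)/config-sync-manifest.yaml
	@ rm -f $(NOMOS_MANIFEST_STAGING_DIR)/config-sync-manifest.yaml.raw
	@ "$(ADDLICENSE)" $(NOMOS_MANIFEST_STAGING_DIR)/config-sync-manifest.yaml
	@ echo "+++ Manifests generated in $(NOMOS_MANIFEST_STAGING_DIR)"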
# config-sync-manifest-no-push creates the config-sync-manifest.yaml and builds
# images without pushing anything to a registry.
.PHONY: config-sync-manifest-no-push
config-sync-manifest-no-push: $(OUTPUT_DIR) build-images build-manifests

# config-sync-manifest creates the Config Sync manifest and pushes its docker
# images (push-images, which configures registry credentials first).
.PHONY: config-sync-manifest
config-sync-manifest: config-sync-manifest-no-push push-images

# Runs scripts/docker-registry.sh once the kind binary is available.
# NOTE(review): the script is not shown here; per the comment on
# config-sync-manifest-local it starts the local docker registry - confirm.
.PHONY: docker-registry
docker-registry: "$(KIND)"
	@bash scripts/docker-registry.sh

# config-sync-manifest-local builds Config Sync for local testing in kind.
# It starts the local docker registry and pushes images to that registry.
# The target-specific REGISTRY value applies to this target and to every
# prerequisite built on its behalf, so image tags, manifests and pushes all
# use localhost:5000.
.PHONY: config-sync-manifest-local
config-sync-manifest-local: REGISTRY := localhost:5000
config-sync-manifest-local: docker-registry config-sync-manifest
###################################
# Kustomize bundle
###################################
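# File name of the bundle written to $(OSS_MANIFEST_STAGING_DIR).
KUSTOMIZATION_TARBALL ?= config-sync.tar.gz

# Packages the kustomization file into a tarball alongside the built config sync
# manifests. Assumes the Config Sync manifests are already built in the output dir.
#
# The bundle is assembled in $(OUTPUT_DIR)/tmp/kustomization:
#   - the staged OSS manifests are copied to manifests/
#   - ./installation/* is copied to the bundle root
#   - placeholders in kustomization.yaml and README.md are filled in
#   - the directory is archived to the staging dir and then removed
#
# Hardening compared with a plain mkdir/cp sequence:
#   - both directory variables are checked, so an unset variable cannot turn
#     the cp/rm commands into operations on paths under `/`;
#   - the scratch directory is removed before use, so leftovers from an
#     aborted run cannot end up in the tarball;
#   - a tarball from a previous run is deleted before the staging directory is
#     copied, so it is not nested inside the new bundle.
#
# NOTE(review): tar runs after `cd`, so $(OSS_MANIFEST_STAGING_DIR) has to be
# an absolute path for the archive to land in the staging dir - confirm.
.PHONY: package-kustomize-bundle
package-kustomize-bundle:
	$(if $(strip $(OUTPUT_DIR)),,$(error OUTPUT_DIR is empty - refusing to package the bundle))
	$(if $(strip $(OSS_MANIFEST_STAGING_DIR)),,$(error OSS_MANIFEST_STAGING_DIR is empty - refusing to package the bundle))
	rm -rf $(OUTPUT_DIR)/tmp/kustomization
	rm -f $(OSS_MANIFEST_STAGING_DIR)/$(KUSTOMIZATION_TARBALL)
	mkdir -p $(OUTPUT_DIR)/tmp/kustomization/manifests
	cp $(OSS_MANIFEST_STAGING_DIR)/* $(OUTPUT_DIR)/tmp/kustomization/manifests
	cp ./installation/* $(OUTPUT_DIR)/tmp/kustomization
	sed -i \
		-e "s|CONFIG_SYNC_MANIFEST|./manifests/config-sync-manifest.yaml|g" \
		-e "s|ADMISSION_WEBHOOK_MANIFEST|./manifests/admission-webhook.yaml|g" \
		$(OUTPUT_DIR)/tmp/kustomization/kustomization.yaml
	sed -i \
		-e "s|CONFIG_SYNC_REGISTRY|$(REGISTRY)|g" \
		$(OUTPUT_DIR)/tmp/kustomization/README.md
	cd $(OUTPUT_DIR)/tmp/kustomization && tar -czvf $(OSS_MANIFEST_STAGING_DIR)/$(KUSTOMIZATION_TARBALL) .
	rm -rf $(OUTPUT_DIR)/tmp/kustomization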
###################################
# E2E Git Server
###################################
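# NOTE: when updating the git-server version, update
# e2e/nomostest/git-server.go to reflect the version change
# GIT_SERVER_DOCKER is the scratch checkout of the upstream source.
GIT_SERVER_DOCKER := $(OUTPUT_DIR)/git-server-docker
GIT_SERVER_RELEASE := v1.0.0
# Image tag combines the infra prefix, the upstream release and the short SHA
# of the commit this repository is at when make parses the file.
GIT_SERVER_IMAGE := $(TEST_INFRA_REGISTRY)/git-server:$(INFRA_IMAGE_PREFIX)-$(GIT_SERVER_RELEASE)-$(shell git rev-parse --short HEAD)

# Creates docker image for the test git-server from github source.
#
# The source is cloned fresh on every run, checked out at
# $(GIT_SERVER_RELEASE), and its Dockerfile base image is rewritten before the
# build.
#
# NOTE(review): the checkout is by tag in a third-party repository. A tag can
# be moved upstream, so the built content is not fixed by this file; pinning
# to a full commit SHA would make the input verifiable.
#
# The grep after sed makes the build fail if the base-image rewrite did not
# take effect (sed exits 0 even when nothing matched), instead of silently
# building on the old base image.
.PHONY: build-git-server
build-git-server:
	$(if $(strip $(OUTPUT_DIR)),,$(error OUTPUT_DIR is empty - refusing to remove $(GIT_SERVER_DOCKER)))
	@echo "+++ Building $(GIT_SERVER_IMAGE)"
	@mkdir -p $(OUTPUT_DIR)
	@rm -rf $(GIT_SERVER_DOCKER)
	@git clone https://github.com/jkarlosb/git-server-docker.git $(GIT_SERVER_DOCKER)
	@cd $(GIT_SERVER_DOCKER) && git checkout $(GIT_SERVER_RELEASE)
# Git v2.28.0+ supports using a different initial branch other than `master`.
# Use `alpine:3.19` as the base image to get Git with version 2.43.0.
	@sed -i 's/FROM alpine:3.4/FROM alpine:3.19/g' $(GIT_SERVER_DOCKER)/Dockerfile
	@grep -qF 'FROM alpine:3.19' $(GIT_SERVER_DOCKER)/Dockerfile \
		|| { echo "error: base image in $(GIT_SERVER_DOCKER)/Dockerfile was not rewritten to alpine:3.19" >&2; exit 1; }
	@docker buildx build $(DOCKER_BUILD_QUIET) \
		$(GIT_SERVER_DOCKER) \
		-t $(GIT_SERVER_IMAGE)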
# Publishes $(GIT_SERVER_IMAGE). gcloud is registered as the Docker credential
# helper for the registry host (first `/`-separated part of the image name)
# before the push. The image is not rebuilt here; build-git-server must have
# run beforehand.
.PHONY: push-git-server
push-git-server:
	@echo "+++ Pushing $(GIT_SERVER_IMAGE)"
	@gcloud $(GCLOUD_QUIET) auth configure-docker $(word 1,$(subst /, ,$(GIT_SERVER_IMAGE)))
	@docker push $(GIT_SERVER_IMAGE)
# NOTE: when updating the git-server version, update
# e2e/nomostest/git-server.go to reflect the version change
# Tag = infra prefix, fixed version v1.0.0, and the short SHA of the commit
# this repository is at when make parses the file.
E2E_TEST_IMAGE_HTTP_GIT_SERVER_TAG := $(INFRA_IMAGE_PREFIX)-v1.0.0-$(shell git rev-parse --short HEAD)
E2E_TEST_IMAGE_HTTP_GIT_SERVER := $(TEST_INFRA_REGISTRY)/http-git-server:$(E2E_TEST_IMAGE_HTTP_GIT_SERVER_TAG)

# Builds the container used by e2e tests to test git over HTTPS.
# Build context is test/docker/http-git-server/; the docker command itself is
# echoed, and neither $(DOCKER_BUILD_QUIET) nor $(DOCKER_BUILD_ARGS) is passed.
.PHONY: build-http-git-server
build-http-git-server:
	@echo "+++ Building $(E2E_TEST_IMAGE_HTTP_GIT_SERVER)"
	docker buildx build \
		--tag $(E2E_TEST_IMAGE_HTTP_GIT_SERVER) \
		test/docker/http-git-server/
# Publishes $(E2E_TEST_IMAGE_HTTP_GIT_SERVER). gcloud is registered as the
# Docker credential helper for the registry host (first `/`-separated part of
# the image name) before the push. The image is not rebuilt here.
.PHONY: push-http-git-server
push-http-git-server:
	@echo "+++ Pushing $(E2E_TEST_IMAGE_HTTP_GIT_SERVER)"
	@gcloud $(GCLOUD_QUIET) auth configure-docker $(word 1,$(subst /, ,$(E2E_TEST_IMAGE_HTTP_GIT_SERVER)))
	@docker push $(E2E_TEST_IMAGE_HTTP_GIT_SERVER)
# Used by the vulnerability scanning periodic prow job.
# The version string encodes the infra version plus the Go and gcloud image
# versions the scanner image is built with.
VULNERABILITY_SCANNER_VERSION := $(INFRA_VERSION)-go$(GOLANG_IMAGE_VERSION)-gcloud$(GCLOUD_IMAGE_VERSION)
VULNERABILITY_SCANNER_IMAGE := $(TEST_INFRA_REGISTRY)/vulnerability-scanner:$(VULNERABILITY_SCANNER_VERSION)
# The vuln-scanner image is also tagged with a git sha so that it can be traced
# back to the commit it was built from.
VULNERABILITY_SCANNER_SHA_IMAGE := $(TEST_INFRA_REGISTRY)/vulnerability-scanner:$(INFRA_IMAGE_VERSION)

# Builds the scanner image from build/prow/vulnerability-scanner/ and tags it
# $(VULNERABILITY_SCANNER_IMAGE). The docker command is echoed.
.PHONY: build-vulnerability-scanner
build-vulnerability-scanner:
	@echo "+++ Building $(VULNERABILITY_SCANNER_IMAGE)"
	docker buildx build \
		--tag $(VULNERABILITY_SCANNER_IMAGE) \
		$(DOCKER_BUILD_ARGS) \
		build/prow/vulnerability-scanner/
# Push vulnerability-scanner image to registry. This is done automatically by
# the postsubmit whenever one of the input images changes.
# Two tags are published: the versioned tag first, then the git-sha tag that
# is applied to the same local image. The image is not rebuilt here.
.PHONY: push-vulnerability-scanner
push-vulnerability-scanner:
	@echo "+++ Pushing $(VULNERABILITY_SCANNER_IMAGE)"
	@gcloud $(GCLOUD_QUIET) auth configure-docker $(word 1,$(subst /, ,$(VULNERABILITY_SCANNER_IMAGE)))
	docker push $(VULNERABILITY_SCANNER_IMAGE)
	docker tag $(VULNERABILITY_SCANNER_IMAGE) $(VULNERABILITY_SCANNER_SHA_IMAGE)
	docker push $(VULNERABILITY_SCANNER_SHA_IMAGE)
##################################################
# E2E OCI signature verification webhook server
# Only run when changes are made to
# test/docker/presync-webhook-server
##################################################
# Image tag = fixed version v1.0.0 plus the short SHA of the commit this
# repository is at when make parses the file.
E2E_TEST_IMAGE_OCI_SIGNATURE_VERIFICATION_SERVER := $(TEST_INFRA_REGISTRY)/oci-signature-verification-server:v1.0.0-$(shell git rev-parse --short HEAD)

# Builds the container used by e2e tests to test OCI image signature verification.
# Build context is test/docker/presync-webhook-server/; the Go base image is
# handed to the Dockerfile through the GOLANG_IMAGE build argument.
.PHONY: build-oci-signature-verification-server
build-oci-signature-verification-server:
	@echo "+++ Building $(E2E_TEST_IMAGE_OCI_SIGNATURE_VERIFICATION_SERVER)"
	docker buildx build \
		--build-arg GOLANG_IMAGE=$(GOLANG_IMAGE) \
		--tag $(E2E_TEST_IMAGE_OCI_SIGNATURE_VERIFICATION_SERVER) \
		test/docker/presync-webhook-server/
# Publishes $(E2E_TEST_IMAGE_OCI_SIGNATURE_VERIFICATION_SERVER). gcloud is
# registered as the Docker credential helper for the registry host (first
# `/`-separated part of the image name) before the push. The image is not
# rebuilt here.
.PHONY: push-oci-signature-verification-server
push-oci-signature-verification-server:
	@echo "+++ Pushing $(E2E_TEST_IMAGE_OCI_SIGNATURE_VERIFICATION_SERVER)"
	@gcloud $(GCLOUD_QUIET) auth configure-docker $(word 1,$(subst /, ,$(E2E_TEST_IMAGE_OCI_SIGNATURE_VERIFICATION_SERVER)))
	@docker push $(E2E_TEST_IMAGE_OCI_SIGNATURE_VERIFICATION_SERVER)
# Applies the staged OSS manifest with kubectl.
# No cluster or context is named on the command line, so the manifest goes to
# whatever kubectl's current context points at. The manifest is not rebuilt
# here; it is applied as found in $(OSS_MANIFEST_STAGING_DIR).
.PHONY: deploy
deploy:
	kubectl apply --filename=$(OSS_MANIFEST_STAGING_DIR)/config-sync-manifest.yaml