Specify terraform version

.circleci/config.yml

@@ -6,21 +6,39 @@ orbs:
 executors:
   vm:
     machine:
-      image: ubuntu-1604:202007-01
+      image: ubuntu-2004:202111-02
+    resource_class: large
     environment:
-      GOLANG_VERSION: 1.13.8
+      GOLANG_VERSION: 1.16.12
       NOTARY_VERSION: 0.6.1
-      KUBECTL_VERSION: 1.12.0
-      K3D_VERSION: 3.0.0
+      KUBECTL_VERSION: 1.21.5
+      K3D_VERSION: 4.4.8
       HELMFILE_VERSION: 0.129.3
-      TERRAFORM_VERSION: 0.12.13
+      HELM_VERSION: 3.3.1
+      TERRAFORM_VERSION: 1.1.2
+      GOPATH: /home/circleci/go
+      GO111MODULE: "on"
+      DOCKER_CLI_EXPERIMENTAL: enabled
+    working_directory: /home/circleci/go/src/github.com/patoarvizu/amphibian
+  vm-arm:
+    machine:
+      image: ubuntu-2004:202111-02
+    resource_class: arm.medium
+    environment:
+      GOLANG_VERSION: 1.16.12
+      NOTARY_VERSION: 0.6.1
+      KUBECTL_VERSION: 1.21.5
+      K3D_VERSION: 4.4.8
+      HELMFILE_VERSION: 0.129.3
+      HELM_VERSION: 3.3.1
+      TERRAFORM_VERSION: 1.1.2
       GOPATH: /home/circleci/go
       GO111MODULE: "on"
       DOCKER_CLI_EXPERIMENTAL: enabled
     working_directory: /home/circleci/go/src/github.com/patoarvizu/amphibian
 
 jobs:
-  build:
+  test:
     executor: vm
     steps:
     - checkout
@@ -39,7 +57,6 @@ jobs:
         name: Build image
         command: |
           docker buildx create --name cci-builder --use
-          wget https://releases.hashicorp.com/terraform/0.13.5/terraform_0.13.5_linux_amd64.zip
           docker buildx build --progress=plain --platform=linux/amd64 --load . -t patoarvizu/amphibian:latest
     - snyk/scan:
         docker-image-name: patoarvizu/amphibian:latest
@@ -61,8 +78,8 @@ jobs:
     - run:
         name: Install Helm
         command: |
-          wget https://get.helm.sh/helm-v3.3.1-linux-amd64.tar.gz
-          tar -zxvf helm-v3.3.1-linux-amd64.tar.gz
+          wget https://get.helm.sh/helm-v${HELM_VERSION}-linux-amd64.tar.gz
+          tar -zxvf helm-v${HELM_VERSION}-linux-amd64.tar.gz
           chmod +x linux-amd64/helm
           sudo mv linux-amd64/helm /usr/local/bin/
     - run:
@@ -82,7 +99,7 @@ jobs:
         name: Setup environment
         command: |
           export KUBECONFIG=~/.k3d/k3s-default-config
-          k3d cluster create --port 8500:30058@server[0] --wait
+          k3d cluster create --image rancher/k3s:v1.21.8-k3s1 --port 8500:30058@server[0] # --k3s-server-arg "--kube-apiserver-arg=feature-gates=ServerSideApply=false"
           k3d image import patoarvizu/amphibian:latest
           cd test/consul && helmfile sync
           cd ../consul-service && helmfile sync
@@ -100,90 +117,232 @@ jobs:
         key: amphibian-golang-cache-{{ checksum "go.sum" }}
         paths:
           - /home/circleci/go/pkg/mod/cache
+
+  build-and-push-amd64-image:
+    executor: vm
+    steps:
+    - checkout
     - run:
         name: Install notary
         command: |
           curl -L https://github.com/theupdateframework/notary/releases/download/v${NOTARY_VERSION}/notary-Linux-amd64 -o notary
           chmod +x notary
           sudo mv notary /usr/local/bin
     - run:
-        name: Push image
+        name: Log in to Docker Hub
         command: |
           docker login --username $DOCKER_HUB_USER --password $DOCKER_HUB_ACCESS_TOKEN
+    - run:
+        name: Build and push amd64 image
+        command: |
+          docker buildx create --name cci-builder --use
           echo $ENCODED_NOTARY_ROLE_KEY | base64 -d > ${HOME}/amphibian-circleci.key
           export NOTARY_DELEGATION_PASSPHRASE=$NOTARY_ROLE_PASSPHRASE
           notary -s https://notary.docker.io -d ~/.docker/trust key import ${HOME}/amphibian-circleci.key --role amphibian-circleci
           export DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE=$NOTARY_DELEGATION_PASSPHRASE
-          VERSION=${CIRCLE_TAG:-latest}
           OPERATOR_BUILD_ARGS="--build-arg GIT_COMMIT=$CIRCLE_SHA1 --build-arg GIT_TAG=$CIRCLE_TAG --build-arg COMMIT_TIMESTAMP=$(git log -1 --format=%at) --build-arg AUTHOR_EMAIL=$(git log -1 --format=%ae) --build-arg SIGNATURE_KEY=$(git log -1 --format=%GK)"
           export DOCKER_CONTENT_TRUST=1
-          wget https://releases.hashicorp.com/terraform/0.13.5/terraform_0.13.5_linux_amd64.zip
+          VERSION=${CIRCLE_TAG:-latest}
           docker buildx build --progress=plain --platform=linux/amd64 --load $OPERATOR_BUILD_ARGS . -t patoarvizu/amphibian:latest-amd64 -t patoarvizu/amphibian:$CIRCLE_SHA1-amd64 -t patoarvizu/amphibian:$VERSION-amd64
           docker push patoarvizu/amphibian:latest-amd64
           docker push patoarvizu/amphibian:$CIRCLE_SHA1-amd64
           docker push patoarvizu/amphibian:$VERSION-amd64
         no_output_timeout: 30m
-  push-multi-arch:
+
+  build-arm64-image:
+    executor: vm-arm
+    steps:
+    - checkout
+    - run:
+        name: Build arm64 image
+        command: |
+          docker buildx create --name cci-builder --use
+          OPERATOR_BUILD_ARGS="--build-arg GIT_COMMIT=$CIRCLE_SHA1 --build-arg GIT_TAG=$CIRCLE_TAG --build-arg COMMIT_TIMESTAMP=$(git log -1 --format=%at) --build-arg AUTHOR_EMAIL=$(git log -1 --format=%ae) --build-arg SIGNATURE_KEY=$(git log -1 --format=%GK)"
+          docker buildx build --progress=plain --platform=linux/arm64 --cache-to=type=local,dest=/tmp/latest-arm64-cache,mode=max $OPERATOR_BUILD_ARGS . -t patoarvizu/amphibian:latest-arm64
+    - persist_to_workspace:
+        root: /tmp/
+        paths:
+        - latest-arm64-cache
+
+  push-arm64-image:
     executor: vm
     steps:
     - checkout
+    - attach_workspace:
+        at: /tmp/
     - run:
         name: Install notary
         command: |
-          curl -L https://github.com/theupdateframework/notary/releases/download/v0.6.1/notary-Linux-amd64 -o notary
+          curl -L https://github.com/theupdateframework/notary/releases/download/v${NOTARY_VERSION}/notary-Linux-amd64 -o notary
           chmod +x notary
           sudo mv notary /usr/local/bin
     - run:
-        name: Push multi-arch images
+        name: Log in to Docker Hub
+        command: |
+          docker login --username $DOCKER_HUB_USER --password $DOCKER_HUB_ACCESS_TOKEN
+    - run:
+        name: Sign and push arm64 image
         command: |
           sudo apt-get update
           sudo apt-get install qemu-user -y
           docker run --rm --privileged multiarch/qemu-user-static --reset -p yes
           docker buildx create --name cci-builder --use
-          docker login --username $DOCKER_HUB_USER --password $DOCKER_HUB_ACCESS_TOKEN
           echo $ENCODED_NOTARY_ROLE_KEY | base64 -d > ${HOME}/amphibian-circleci.key
           export NOTARY_DELEGATION_PASSPHRASE=$NOTARY_ROLE_PASSPHRASE
           notary -s https://notary.docker.io -d ~/.docker/trust key import ${HOME}/amphibian-circleci.key --role amphibian-circleci
           export DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE=$NOTARY_DELEGATION_PASSPHRASE
           OPERATOR_BUILD_ARGS="--build-arg GIT_COMMIT=$CIRCLE_SHA1 --build-arg GIT_TAG=$CIRCLE_TAG --build-arg COMMIT_TIMESTAMP=$(git log -1 --format=%at) --build-arg AUTHOR_EMAIL=$(git log -1 --format=%ae) --build-arg SIGNATURE_KEY=$(git log -1 --format=%GK)"
           export DOCKER_CONTENT_TRUST=1
           VERSION=${CIRCLE_TAG:-latest}
-          wget https://releases.hashicorp.com/terraform/0.13.5/terraform_0.13.5_linux_arm.zip
-          wget https://releases.hashicorp.com/terraform/0.13.5/terraform_0.13.5_linux_arm64.zip
-          wget https://releases.hashicorp.com/terraform/0.13.5/terraform_0.13.5_linux_amd64.zip
-          docker buildx build --progress=plain --platform=linux/arm64 --load $OPERATOR_BUILD_ARGS . -t patoarvizu/amphibian:latest-arm64 -t patoarvizu/amphibian:$CIRCLE_SHA1-arm64 -t patoarvizu/amphibian:$VERSION-arm64
-          docker buildx build --progress=plain --platform=linux/arm/v7 --load $OPERATOR_BUILD_ARGS . -t patoarvizu/amphibian:latest-arm7 -t patoarvizu/amphibian:$CIRCLE_SHA1-arm7 -t patoarvizu/amphibian:$VERSION-arm7
+          docker buildx build --progress=plain --platform=linux/arm64 --cache-from=type=local,src=/tmp/latest-arm64-cache --load $OPERATOR_BUILD_ARGS . -t patoarvizu/amphibian:latest-arm64
+          docker tag patoarvizu/amphibian:latest-arm64 patoarvizu/amphibian:$CIRCLE_SHA1-arm64
+          docker tag patoarvizu/amphibian:latest-arm64 patoarvizu/amphibian:$VERSION-arm64
           docker push patoarvizu/amphibian:latest-arm64
           docker push patoarvizu/amphibian:$CIRCLE_SHA1-arm64
           docker push patoarvizu/amphibian:$VERSION-arm64
+        no_output_timeout: 60m
+
+  build-arm7-image:
+    executor: vm-arm
+    steps:
+    - checkout
+    - run:
+        name: Build arm7 image
+        command: |
+          docker buildx create --name cci-builder --use
+          OPERATOR_BUILD_ARGS="--build-arg GIT_COMMIT=$CIRCLE_SHA1 --build-arg GIT_TAG=$CIRCLE_TAG --build-arg COMMIT_TIMESTAMP=$(git log -1 --format=%at) --build-arg AUTHOR_EMAIL=$(git log -1 --format=%ae) --build-arg SIGNATURE_KEY=$(git log -1 --format=%GK)"
+          docker buildx build --progress=plain --platform=linux/arm/v7 --cache-to=type=local,dest=/tmp/latest-arm7-cache,mode=max $OPERATOR_BUILD_ARGS . -t patoarvizu/amphibian:latest-arm7
+    - persist_to_workspace:
+        root: /tmp/
+        paths:
+        - latest-arm7-cache
+
+  push-arm7-image:
+    executor: vm
+    steps:
+    - checkout
+    - attach_workspace:
+        at: /tmp/
+    - run:
+        name: Install notary
+        command: |
+          curl -L https://github.com/theupdateframework/notary/releases/download/v${NOTARY_VERSION}/notary-Linux-amd64 -o notary
+          chmod +x notary
+          sudo mv notary /usr/local/bin
+    - run:
+        name: Log in to Docker Hub
+        command: |
+          docker login --username $DOCKER_HUB_USER --password $DOCKER_HUB_ACCESS_TOKEN
+    - run:
+        name: Sign and push arm7 image
+        command: |
+          sudo apt-get update
+          sudo apt-get install qemu-user -y
+          docker run --rm --privileged multiarch/qemu-user-static --reset -p yes
+          docker buildx create --name cci-builder --use
+          echo $ENCODED_NOTARY_ROLE_KEY | base64 -d > ${HOME}/amphibian-circleci.key
+          export NOTARY_DELEGATION_PASSPHRASE=$NOTARY_ROLE_PASSPHRASE
+          notary -s https://notary.docker.io -d ~/.docker/trust key import ${HOME}/amphibian-circleci.key --role amphibian-circleci
+          export DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE=$NOTARY_DELEGATION_PASSPHRASE
+          OPERATOR_BUILD_ARGS="--build-arg GIT_COMMIT=$CIRCLE_SHA1 --build-arg GIT_TAG=$CIRCLE_TAG --build-arg COMMIT_TIMESTAMP=$(git log -1 --format=%at) --build-arg AUTHOR_EMAIL=$(git log -1 --format=%ae) --build-arg SIGNATURE_KEY=$(git log -1 --format=%GK)"
+          export DOCKER_CONTENT_TRUST=1
+          VERSION=${CIRCLE_TAG:-latest}
+          docker buildx build --progress=plain --platform=linux/arm/v7 --cache-from=type=local,src=/tmp/latest-arm7-cache --load $OPERATOR_BUILD_ARGS . -t patoarvizu/amphibian:latest-arm7
+          docker tag patoarvizu/amphibian:latest-arm7 patoarvizu/amphibian:$CIRCLE_SHA1-arm7
+          docker tag patoarvizu/amphibian:latest-arm7 patoarvizu/amphibian:$VERSION-arm7
           docker push patoarvizu/amphibian:latest-arm7
           docker push patoarvizu/amphibian:$CIRCLE_SHA1-arm7
           docker push patoarvizu/amphibian:$VERSION-arm7
-          docker buildx build --progress=plain --platform=linux/amd64,linux/arm64,linux/arm/v7 --push $OPERATOR_BUILD_ARGS . -t patoarvizu/amphibian:latest -t patoarvizu/amphibian:$CIRCLE_SHA1 -t patoarvizu/amphibian:$VERSION
-          DIGEST=$(docker buildx imagetools inspect patoarvizu/amphibian:$CIRCLE_SHA1 | grep Digest | cut -d':' -f3)
-          LENGTH=$(( $(docker buildx imagetools inspect patoarvizu/amphibian:$CIRCLE_SHA1 --raw | wc -c) - 1 ))
+        no_output_timeout: 60m
+
+
+  push-combined-image:
+    executor: vm
+    steps:
+    - checkout
+    - run:
+        name: Install notary
+        command: |
+          curl -L https://github.com/theupdateframework/notary/releases/download/v${NOTARY_VERSION}/notary-Linux-amd64 -o notary
+          chmod +x notary
+          sudo mv notary /usr/local/bin
+    - run:
+        name: Log in to Docker Hub
+        command: |
+          docker login --username $DOCKER_HUB_USER --password $DOCKER_HUB_ACCESS_TOKEN
+    - run:
+        name: Sign and push combined image
+        command: |
+          docker buildx create --name cci-builder --use
+          echo $ENCODED_NOTARY_ROLE_KEY | base64 -d > ${HOME}/amphibian-circleci.key
+          export NOTARY_DELEGATION_PASSPHRASE=$NOTARY_ROLE_PASSPHRASE
+          notary -s https://notary.docker.io -d ~/.docker/trust key import ${HOME}/amphibian-circleci.key --role amphibian-circleci
+          export DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE=$NOTARY_DELEGATION_PASSPHRASE
+          export DOCKER_CONTENT_TRUST=1
+          VERSION=${CIRCLE_TAG:-latest}
+          docker manifest create patoarvizu/amphibian:latest --amend patoarvizu/amphibian:latest-amd64 --amend patoarvizu/amphibian:latest-arm64 patoarvizu/amphibian:latest-arm7
+          docker manifest push patoarvizu/amphibian:latest
+          docker manifest create patoarvizu/amphibian:$CIRCLE_SHA1 --amend patoarvizu/amphibian:$CIRCLE_SHA1-amd64 --amend patoarvizu/amphibian:$CIRCLE_SHA1-arm64 patoarvizu/amphibian:$CIRCLE_SHA1-arm7
+          docker manifest push patoarvizu/amphibian:$CIRCLE_SHA1
+          docker manifest create patoarvizu/amphibian:$VERSION --amend patoarvizu/amphibian:$VERSION-amd64 --amend patoarvizu/amphibian:$VERSION-arm64 patoarvizu/amphibian:$VERSION-arm7
+          docker manifest push patoarvizu/amphibian:$VERSION
+          DIGEST=$(docker buildx imagetools inspect patoarvizu/amphibian:latest | grep Digest | cut -d':' -f3)
+          LENGTH=$(( $(docker buildx imagetools inspect patoarvizu/amphibian:latest --raw | wc -c) - 1 ))
           export NOTARY_AUTH=$(echo $DOCKER_HUB_USER:$DOCKER_HUB_ACCESS_TOKEN | base64)
           notary -s https://notary.docker.io -d ~/.docker/trust addhash -p docker.io/patoarvizu/amphibian latest $LENGTH --sha256 $DIGEST -r targets/releases
           notary -s https://notary.docker.io -d ~/.docker/trust addhash -p docker.io/patoarvizu/amphibian $CIRCLE_SHA1 $LENGTH --sha256 $DIGEST -r targets/releases
           notary -s https://notary.docker.io -d ~/.docker/trust addhash -p docker.io/patoarvizu/amphibian $VERSION $LENGTH --sha256 $DIGEST -r targets/releases
-        no_output_timeout: 30m
 
 workflows:
   version: 2
   build-operator:
     jobs:
-    - build:
+    - test:
+        context: authentication-tokens
+        filters:
+          tags:
+            only: /^v\d+\.\d+.\d+$/
+    - build-and-push-amd64-image:
+        requires:
+        - test
+        context: authentication-tokens
+        filters:
+          tags:
+            only: /^v\d+\.\d+.\d+$/
+    - build-arm64-image:
+        requires:
+        - test
+        filters:
+          tags:
+            only: /^v\d+\.\d+.\d+$/
+    - push-arm64-image:
+        requires:
+        - build-arm64-image
+        context: authentication-tokens
+        filters:
+          tags:
+            only: /^v\d+\.\d+.\d+$/
+    - build-arm7-image:
+        requires:
+        - test
+        filters:
+          tags:
+            only: /^v\d+\.\d+.\d+$/
+    - push-arm7-image:
+        requires:
+        - build-arm7-image
         context: authentication-tokens
         filters:
           tags:
             only: /^v\d+\.\d+.\d+$/
-    - push-multi-arch:
+    - push-combined-image:
         requires:
-        - build
+        - build-and-push-amd64-image
+        - push-arm64-image
+        - push-arm7-image
         context: authentication-tokens
         filters:
           branches:
             ignore: /^.*$/
-            only: /^main$/
           tags:
             only: /^v\d+\.\d+.\d+$/

Dockerfile

@@ -1,5 +1,5 @@
 # Build the manager binary
-FROM golang:1.13.15-alpine3.12 as builder
+FROM golang:1.16.12-alpine3.15 as builder
 ARG TARGETARCH
 ARG TARGETVARIANT
 
@@ -18,8 +18,6 @@ COPY controllers/ controllers/
 
 # Build
 RUN CGO_ENABLED=0 GOOS=linux GOARM=$(if [ "$TARGETVARIANT" = "v7" ]; then echo "7"; fi) GOARCH=$TARGETARCH GO111MODULE=on go build -a -o manager main.go
-COPY terraform_0.13.5_linux_${TARGETARCH}.zip terraform.zip
-RUN unzip terraform.zip
 
 FROM gcr.io/distroless/static:nonroot-amd64
 
@@ -40,7 +38,6 @@ LABEL SIGNATURE_KEY=$SIGNATURE_KEY
 
 WORKDIR /
 COPY --from=builder /workspace/manager .
-COPY --from=builder /workspace/terraform /usr/local/bin/
 USER nonroot:nonroot
 
 ENTRYPOINT ["/manager"]

controllers/terraformstate_controller.go

@@ -136,14 +136,14 @@ func (r *TerraformStateReconciler) Reconcile(req ctrl.Request) (ctrl.Result, err
 	defer outputsFile.Close()
 	outputsFile.Write(outputs.Bytes())
 
-	cmd := exec.Command("terraform", "apply", "-auto-approve")
+	cmd := exec.Command("/terraform-bin/terraform", "apply", "-auto-approve")
 	cmd.Dir = stateDir
 	err = cmd.Run()
 	if err != nil {
 		return ctrl.Result{}, err
 	}
 
-	cmd = exec.Command("terraform", "output", "-json")
+	cmd = exec.Command("/terraform-bin/terraform", "output", "-json")
 	cmd.Dir = stateDir
 	var out bytes.Buffer
 	cmd.Stdout = &out

docs/index.md

@@ -1,6 +1,6 @@
 # amphibian
 
-![Version: 0.0.1](https://img.shields.io/badge/Version-0.0.1-informational?style=flat-square)
+![Version: 0.0.2](https://img.shields.io/badge/Version-0.0.2-informational?style=flat-square)
 
 Amphibian
 
@@ -14,4 +14,9 @@ Amphibian
 | prometheusMonitoring.enable | bool | `false` | Create the `Service` and `ServiceMonitor` objects to enable Prometheus monitoring on the operator. |
 | rbac.clusterRoleSecretsAccessRules | list | `[{"apiGroups":[""],"resources":["secrets"],"verbs":["create","get","list","patch","update","watch"]}]` | List of `PolicyRule`s for accessing Kubernetes secrets, to be appended to the `amphibian-manager-role` cluster role. |
 | resources | object | `nil` | The resources requests/limits to be set on the deployment pod spec template. |
+| terraformBinary | object | `{"arch":"amd64","initContainerImage":"alpine:3.15.0","operatingSystem":"linux","version":"1.1.2"}` | Information about the `terraform` binary to inject into the main container. These values will be used to download the binary from `https://releases.hashicorp.com/terraform/<terraformVersion.version>/terraform_<terraformVersion.version>_<terraformVersion.operatingSystem>_<terraformVersion.arch>.zip`. |
+| terraformBinary.arch | string | `"amd64"` | The architecture for which to download the `terraform` binary. |
+| terraformBinary.initContainerImage | string | `"alpine:3.15.0"` | The image to use for the init container that installs the target `terraform` binary. |
+| terraformBinary.operatingSystem | string | `"linux"` | The operating system for which to download the `terraform` binary. |
+| terraformBinary.version | string | `"1.1.2"` | The version of the `terraform` binary. Note that it's not possible to use `latest`, or use "partial" versions (e.g. `1`, or `1.1`) so you have to specify the full version. |
 | watchNamespace | string | `""` | The value to be set on the `WATCH_NAMESPACE` environment variable. |