From ef2a3c041bf6c9bb8de552083348aa3da01bbaec Mon Sep 17 00:00:00 2001
From: Philipp Strube
Date: Mon, 9 Dec 2024 05:52:31 +0100
Subject: [PATCH 1/3] Update CLI versions in container
---
 oci/Dockerfile | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/oci/Dockerfile b/oci/Dockerfile
index d59aa03b..b0127841 100644
--- a/oci/Dockerfile
+++ b/oci/Dockerfile
@@ -1,8 +1,8 @@
 #
 #
 # Image versions
-ARG BASE_BUILDER=python:3.11
-ARG BASE_IMAGE=python:3.11-slim
+ARG BASE_BUILDER=python:3.13
+ARG BASE_IMAGE=python:3.13-slim
 #
@@ -26,10 +26,10 @@ FROM builder AS common-builder
 ARG TARGETARCH
 # https://github.com/kubernetes/kubernetes/releases
-ARG KUBECTL_VERSION=v1.28.5
+ARG KUBECTL_VERSION=v1.31.3
 # https://github.com/kubernetes-sigs/kustomize/releases
-ARG KUSTOMIZE_VERSION=v5.3.0
+ARG KUSTOMIZE_VERSION=v5.5.0
 # https://www.terraform.io/downloads.html
 # 1.5.x is the last OSS Terraform
@@ -66,7 +66,7 @@ FROM builder AS aws-builder
 ARG TARGETARCH
 # https://github.com/aws/aws-cli/blob/v2/CHANGELOG.rst
-ARG AWS_CLI_VERSION=2.15.8
+ARG AWS_CLI_VERSION=2.22.12
 RUN mkdir -p /opt/aws/bin
@@ -86,7 +86,7 @@ FROM builder AS gcp-builder
 ARG TARGETARCH
 # https://cloud.google.com/sdk/docs/release-notes
-ARG GOOGLE_CLOUD_SDK_VERSION=458.0.1
+ARG GOOGLE_CLOUD_SDK_VERSION=502.0.0
 RUN echo "GOOGLE_CLOUD_SDK_VERSION: ${GOOGLE_CLOUD_SDK_VERSION}" \
 && arch=`echo ${TARGETARCH} | sed -e 's/amd64/x86_64/' -e 's/arm64/arm/'` \
@@ -104,7 +104,7 @@ RUN /opt/google/bin/gcloud components install gke-gcloud-auth-plugin
 FROM builder AS azure-builder
 # https://docs.microsoft.com/en-us/cli/azure/release-notes-azure-cli?tabs=azure-cli
-ARG AZURE_CLI_VERSION=2.55.0
+ARG AZURE_CLI_VERSION=2.67.0
 RUN apt-get update && apt-get install -y \
 libffi-dev
@@ -122,12 +122,12 @@ RUN echo "AZURE_CLI_VERSION: ${AZURE_CLI_VERSION}" \
 #
 #
 # KinD builder
-FROM builder as kind-builder
+FROM builder AS kind-builder
 ARG TARGETARCH
 # https://docs.docker.com/engine/release-notes/
-ARG DOCKER_CLI_VERSION=24.0.7
+ARG DOCKER_CLI_VERSION=27.3.1
 RUN mkdir -p /opt/bin
@@ -166,13 +166,13 @@ ENV PATH=/opt/bin:$PATH
 WORKDIR /infra
 ENTRYPOINT ["/opt/bin/entrypoint"]
-CMD bash
+CMD ["bash"]
 #
 #
 # Build starters and provider cache
-FROM final-base as dist-helper-build
+FROM final-base AS dist-helper-build
 COPY common /common
@@ -218,7 +218,7 @@ RUN cd build_artifacts &&\
 #
 #
 # Dist artifacts
-FROM alpine as dist-helper
+FROM alpine AS dist-helper
 COPY --from=dist-helper-build /quickstart/_dist /quickstart/_dist
From 0fa35d3c7cb49762ea03dd617f4e4a01a545c718 Mon Sep 17 00:00:00 2001
From: Philipp Strube
Date: Mon, 9 Dec 2024 05:52:49 +0100
Subject: [PATCH 2/3] Update GitHub actions versions
---
 .github/workflows/main.yml | 99 +++++++++++++++++++-------------------
 1 file changed, 49 insertions(+), 50 deletions(-)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index cf1b88f4..bbc30fa7 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -12,29 +12,29 @@ jobs:
 runs-on: ubuntu-latest
 steps:
- - name: 'Checkout'
- uses: actions/checkout@v3
+ - name: "Checkout"
+ uses: actions/checkout@v4
- - name: 'Setup buildx'
- uses: docker/setup-buildx-action@v2
+ - name: "Setup buildx"
+ uses: docker/setup-buildx-action@v3
 with:
 install: true
- - name: 'Docker login'
- uses: docker/login-action@v2
+ - name: "Docker login"
+ uses: docker/login-action@v3
 with:
 username: kbstci
 password: ${{ secrets.DOCKER_AUTH }}
- - name: 'Build artifacts'
+ - name: "Build artifacts"
 env:
 DOCKER_PUSH: true
 GIT_SHA: ${{ github.sha }}
 GIT_REF: ${{ github.ref }}
 run: make dist
- - name: 'Upload artifacts'
- uses: actions/upload-artifact@v3
+ - name: "Upload artifacts"
+ uses: actions/upload-artifact@v4
 with:
 name: test-artifacts
 path: ./quickstart/_dist
@@ -44,13 +44,13 @@ jobs:
 needs: [build-test-artifacts]
 strategy:
 matrix:
- starter: ["multi-cloud", "aks", "eks", "gke" ,"kind"]
+ starter: ["multi-cloud", "aks", "eks", "gke", "kind"]
 permissions:
 id-token: write # needed for keyless signing
 steps:
- - name: 'Free disk space'
+ - name: "Free disk space"
 # https://github.com/actions/runner-images/issues/2840#issuecomment-790492173
 run: |
 sudo rm -rf /usr/share/dotnet
@@ -58,25 +58,25 @@ jobs:
 sudo rm -rf /usr/local/share/boost
 sudo rm -rf $AGENT_TOOLSDIRECTORY
- - name: 'Checkout'
- uses: actions/checkout@v3
+ - name: "Checkout"
+ uses: actions/checkout@v4
- - name: 'Download test-artifacts'
- uses: actions/download-artifact@v3
+ - name: "Download test-artifacts"
+ uses: actions/download-artifact@v4
 with:
 name: test-artifacts
 path: ./quickstart/_dist
 - name: Install Cosign
- uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 #v3.3.0
+ uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 #v3.7.0
- - name: 'Setup buildx'
- uses: docker/setup-buildx-action@v2
+ - name: "Setup buildx"
+ uses: docker/setup-buildx-action@v3
 with:
 install: true
- - name: 'Docker login'
- uses: docker/login-action@v2
+ - name: "Docker login"
+ uses: docker/login-action@v3
 with:
 username: kbstci
 password: ${{ secrets.DOCKER_AUTH }}
@@ -87,7 +87,7 @@ jobs:
 DOCKER_TARGET: ${{ matrix.starter }}
 run: make build
- - name: 'Sign Images'
+ - name: "Sign Images"
 env:
 COSIGN_EXPERIMENTAL: true
 run: |
@@ -99,26 +99,26 @@ jobs:
 strategy:
 fail-fast: false
 matrix:
- starter: ["multi-cloud", "aks", "eks", "gke" ,"kind"]
+ starter: ["multi-cloud", "aks", "eks", "gke", "kind"]
 steps:
- - name: 'Download test-artifacts'
- uses: actions/download-artifact@v3
+ - name: "Download test-artifacts"
+ uses: actions/download-artifact@v4
 with:
 name: test-artifacts
 path: ./quickstart/_dist
- - name: 'Unzip ${{ matrix.starter }} quickstart'
+ - name: "Unzip ${{ matrix.starter }} quickstart"
 run: |
 unzip quickstart/_dist/kubestack-starter-${{ matrix.starter }}-*.zip
- - name: 'Docker login'
- uses: docker/login-action@v2
+ - name: "Docker login"
+ uses: docker/login-action@v3
 with:
 username: kbstci
 password: ${{ secrets.DOCKER_AUTH }}
- - name: 'Docker build'
+ - name: "Docker build"
 env:
 DOCKER_BUILDKIT: 1
 working-directory: ./kubestack-starter-${{ matrix.starter }}
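Review bot: The Install Cosign step's pinned commit `9614fae9e5c5eddabb09f90a270fcb487c9f7149` is identical on the removed and added lines and only the trailing comment moved from `#v3.3.0` to `#v3.7.0`, so the action was not actually upgraded and the comment now misdescribes the pin. A SHA pin is only auditable when the version comment matches it; either restore `#v3.3.0` or replace the SHA with the commit the upstream v3.7.0 tag resolves to, checked against the sigstore/cosign-installer repository rather than taken from memory. The same unchanged pin with the new comment recurs in the Install Cosign steps of the later jobs in this patch.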
@@ -132,7 +132,7 @@ jobs:
 docker tag $SOURCE_IMAGE $TARGET_IMAGE
 docker build -t test-image:${{ github.sha }} .
- - name: 'Configure Kubestack for ${{ matrix.starter }}'
+ - name: "Configure Kubestack for ${{ matrix.starter }}"
 working-directory: ./kubestack-starter-${{ matrix.starter }}
 run: |
 # ALL: set name_prefix
@@ -159,7 +159,7 @@ jobs:
 # GKE: set cluster_node_locations
 sed -i 's/cluster_node_locations = ""/cluster_node_locations = "europe-west1-b,europe-west1-c,europe-west1-d"/g' gke_zero_cluster.tf || true
- - name: 'Terraform init'
+ - name: "Terraform init"
 working-directory: ./kubestack-starter-${{ matrix.starter }}
 run: |
 docker run --rm \
@@ -167,7 +167,7 @@ jobs:
 test-image:${{ github.sha }} \
 terraform init
- - name: 'Terraform workspace new ops'
+ - name: "Terraform workspace new ops"
 working-directory: ./kubestack-starter-${{ matrix.starter }}
 run: |
 docker run --rm \
@@ -175,7 +175,7 @@ jobs:
 test-image:${{ github.sha }} \
 terraform workspace new ops
- - name: 'Terraform validate'
+ - name: "Terraform validate"
 working-directory: ./kubestack-starter-${{ matrix.starter }}
 run: |
 docker run --rm \
@@ -183,7 +183,7 @@ jobs:
 test-image:${{ github.sha }} \
 terraform validate
- - name: 'Terraform plan'
+ - name: "Terraform plan"
 working-directory: ./kubestack-starter-${{ matrix.starter }}
 env:
 KBST_AUTH_AWS: ${{ secrets.KBST_AUTH_AWS }}
@@ -203,28 +203,27 @@ jobs:
 runs-on: ubuntu-latest
 needs: [test]
-
 strategy:
 matrix:
- starter: ["multi-cloud", "aks", "eks", "gke" ,"kind"]
+ starter: ["multi-cloud", "aks", "eks", "gke", "kind"]
 steps:
- - name: 'Download test-artifacts'
- uses: actions/download-artifact@v3
+ - name: "Download test-artifacts"
+ uses: actions/download-artifact@v4
 with:
 name: test-artifacts
 path: ./quickstart/_dist
 - name: Install Cosign
- uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 #v3.3.0
+ uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 #v3.7.0
- - name: 'Docker login'
- uses: docker/login-action@v2
+ - name: "Docker login"
+ uses: docker/login-action@v3
 with:
 username: kbstci
 password: ${{ secrets.DOCKER_AUTH }}
- - name: 'Docker push'
+ - name: "Docker push"
 # cosign copy copies the images and the signature from one place to another
 # then we dont need to sign again the same image
 env:
@@ -246,27 +245,27 @@ jobs:
 strategy:
 matrix:
- starter: ["multi-cloud", "aks", "eks", "gke" ,"kind"]
+ starter: ["multi-cloud", "aks", "eks", "gke", "kind"]
 steps:
- - name: 'Download test-artifacts'
- uses: actions/download-artifact@v3
+ - name: "Download test-artifacts"
+ uses: actions/download-artifact@v4
 with:
 name: test-artifacts
 path: ./quickstart/_dist
 - name: Install Cosign
- uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 #v3.3.0
+ uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 #v3.7.0
- - id: 'auth'
- uses: 'google-github-actions/auth@v1'
+ - id: "auth"
+ uses: google-github-actions/auth@v2
 with:
 credentials_json: ${{ secrets.GCLOUD_AUTH }}
- - name: 'Setup gcloud'
- uses: google-github-actions/setup-gcloud@v1
+ - name: "Setup gcloud"
+ uses: google-github-actions/setup-gcloud@v2
- - name: 'Publish ${{ matrix.starter }} starter'
+ - name: "Publish ${{ matrix.starter }} starter"
 env:
 COSIGN_EXPERIMENTAL: true
 run: |
From 3be48231c20e9c82d79a438c949fca1f8ebfcc07 Mon Sep 17 00:00:00 2001
From: Philipp Strube
Date: Mon, 9 Dec 2024 06:29:03 +0100
Subject: [PATCH 3/3] Migrate pipeline to ghcr.io
---
 .github/workflows/main.yml | 42 ++++++++++++++++++----
 Makefile | 12 +++---
 quickstart/build_artifacts/dist.py | 57 +++++++++++++++---------------
 3 files changed, 70 insertions(+), 41 deletions(-)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index bbc30fa7..aeee89a1 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -20,12 +20,19 @@ jobs:
 with:
 install: true
- - name: "Docker login"
+ - name: "Docker login docker.io"
 uses: docker/login-action@v3
 with:
 username: kbstci
 password: ${{ secrets.DOCKER_AUTH }}
+ - name: "Docker login ghcr.io"
+ uses: docker/login-action@v3
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
 - name: "Build artifacts"
 env:
 DOCKER_PUSH: true
@@ -75,12 +82,19 @@ jobs:
 with:
 install: true
- - name: "Docker login"
+ - name: "Docker login docker.io"
 uses: docker/login-action@v3
 with:
 username: kbstci
 password: ${{ secrets.DOCKER_AUTH }}
+ - name: "Docker login ghcr.io"
+ uses: docker/login-action@v3
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
 - name: Build ${{ matrix.starter }} image
 env:
 DOCKER_PUSH: true
@@ -91,7 +105,7 @@ jobs:
 env:
 COSIGN_EXPERIMENTAL: true
 run: |
-cosign sign --yes -a GIT_HASH=${{ github.sha }} -a GIT_REF=${{ github.ref }} kubestack/framework-dev:test-${{ github.sha }}-${{ matrix.starter }}
+cosign sign --yes -a GIT_HASH=${{ github.sha }} -a GIT_REF=${{ github.ref }} ghcr.io/kbst/terraform-kubestack/dev:test-${{ github.sha }}-${{ matrix.starter }}
 test:
 runs-on: ubuntu-latest
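Review bot: The ghcr.io login added ahead of the `Build ${{ matrix.starter }} image` step authenticates with `secrets.GITHUB_TOKEN`, but this job declares `permissions: id-token: write` (visible in the previous patch, commented `needed for keyless signing`), and a job-level permissions block sets every unlisted scope to none, so the token carries no `packages` scope and the push to `ghcr.io/kbst/terraform-kubestack/dev` that `DOCKER_PUSH: true` triggers should be rejected. Add `packages: write` under that job's `permissions:` next to `id-token: write`. The `build-test-artifacts` job in the first hunk also pushes build cache to ghcr.io through `make dist`; its job header lies outside the hunk, so confirm it is granted `packages: write` as well, or that the workflow-level default covers it.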
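Review bot: The rewritten `cosign sign` line still signs the mutable tag `ghcr.io/kbst/terraform-kubestack/dev:test-${{ github.sha }}-${{ matrix.starter }}`, so the digest is resolved by the registry at signing time rather than taken from the image this job just pushed; whatever overwrote the tag between `make build` and this step (a re-run of the matrix job, a concurrent push for the same SHA) is what receives the signature, and cosign itself warns about tag references for this reason. Capture the digest from the build (buildx `--metadata-file`, or `docker buildx imagetools inspect` on the pushed reference) and sign `ghcr.io/kbst/terraform-kubestack/dev@sha256:...` instead. The step's `env:` lines are inside the hunk but the job it belongs to starts earlier in the file.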
@@ -112,12 +126,19 @@ jobs:
 run: |
 unzip quickstart/_dist/kubestack-starter-${{ matrix.starter }}-*.zip
- - name: "Docker login"
+ - name: "Docker login docker.io"
 uses: docker/login-action@v3
 with:
 username: kbstci
 password: ${{ secrets.DOCKER_AUTH }}
+ - name: "Docker login ghcr.io"
+ uses: docker/login-action@v3
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
 - name: "Docker build"
 env:
 DOCKER_BUILDKIT: 1
@@ -126,7 +147,7 @@ jobs:
 # to kubestack/framework after they have been tested
 # but the Dockerfiles in the artifact have the target image name
 run: |
-SOURCE_IMAGE=kubestack/framework-dev:test-${{ github.sha }}-${{ matrix.starter }}
+SOURCE_IMAGE=ghcr.io/kbst/terraform-kubestack/dev:test-${{ github.sha }}-${{ matrix.starter }}
 docker pull $SOURCE_IMAGE
 TARGET_IMAGE=$(cat Dockerfile | sed 's/FROM //')
 docker tag $SOURCE_IMAGE $TARGET_IMAGE
@@ -217,19 +238,26 @@ jobs:
 - name: Install Cosign
 uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 #v3.7.0
- - name: "Docker login"
+ - name: "Docker login docker.io"
 uses: docker/login-action@v3
 with:
 username: kbstci
 password: ${{ secrets.DOCKER_AUTH }}
+ - name: "Docker login ghcr.io"
+ uses: docker/login-action@v3
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
 - name: "Docker push"
 # cosign copy copies the images and the signature from one place to another
 # then we dont need to sign again the same image
 env:
 COSIGN_EXPERIMENTAL: true
 run: |
-SOURCE_IMAGE=kubestack/framework-dev:test-${{ github.sha }}-${{ matrix.starter }}
+SOURCE_IMAGE=ghcr.io/kbst/terraform-kubestack/dev:test-${{ github.sha }}-${{ matrix.starter }}
 TARGET_IMAGE=$(cat quickstart/_dist/kubestack-starter-${{ matrix.starter }}/Dockerfile | sed 's/FROM //')
 echo "Source image $SOURCE_IMAGE will be pushed to $TARGET_IMAGE"
 cosign copy $SOURCE_IMAGE $TARGET_IMAGE
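Review bot: `cosign copy $SOURCE_IMAGE $TARGET_IMAGE` promotes whatever the mutable `dev:test-${{ github.sha }}-${{ matrix.starter }}` tag points at into the release repository, together with any signature attached to it, without first checking that the signature is present and was issued by this workflow's keyless identity. Since the build job signs keyless through GitHub OIDC, add a verification ahead of the copy, roughly `cosign verify --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-identity-regexp '^https://github.com/kbst/terraform-kubestack/' "$SOURCE_IMAGE"`, confirming the identity against the certificate the build job actually produces (the repository name here is inferred from the ghcr.io path). The same verification belongs before `docker pull $SOURCE_IMAGE` in the test job's hunk above, which runs `terraform` inside that image.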
diff --git a/Makefile b/Makefile
index d706144f..221f5ce3 100644
--- a/Makefile
+++ b/Makefile
@@ -8,9 +8,9 @@ DOCKER_TARGET ?= multi-cloud
 ifeq ("${DOCKER_PUSH}", "true")
 BUILD_PLATFORM := --platform linux/arm64,linux/amd64
-BUILD_CACHE_DIST := --cache-to type=registry,mode=max,ref=kubestack/framework-dev:buildcache-dist-helper,push=${DOCKER_PUSH}
+BUILD_CACHE_DIST := --cache-to type=registry,mode=max,ref=ghcr.io/kbst/terraform-kubestack/dev:buildcache-dist-helper,push=${DOCKER_PUSH}
 BUILD_OUTPUT := --output type=registry,push=${DOCKER_PUSH}
-BUILD_CACHE := --cache-to type=registry,mode=max,ref=kubestack/framework-dev:buildcache-${DOCKER_TARGET},push=${DOCKER_PUSH}
+BUILD_CACHE := --cache-to type=registry,mode=max,ref=ghcr.io/kbst/terraform-kubestack/dev:buildcache-${DOCKER_TARGET},push=${DOCKER_PUSH}
 else
 BUILD_PLATFORM :=
 BUILD_OUTPUT := --output type=docker
@@ -24,7 +24,7 @@ dist:
 --build-arg GIT_SHA=${GIT_SHA} \
 --file oci/Dockerfile \
 --output type=docker \
- --cache-from type=registry,ref=kubestack/framework-dev:buildcache-dist-helper \
+ --cache-from type=registry,ref=ghcr.io/kbst/terraform-kubestack/dev:buildcache-dist-helper \
 ${BUILD_CACHE_DIST} \
 --progress plain \
 -t dist-helper:latest \
@@ -47,11 +47,11 @@ build:
 --build-arg GIT_SHA=${GIT_SHA} \
 --file oci/Dockerfile \
 ${BUILD_OUTPUT} \
- --cache-from type=registry,ref=kubestack/framework-dev:buildcache-${DOCKER_TARGET} \
+ --cache-from type=registry,ref=ghcr.io/kbst/terraform-kubestack/dev:buildcache-${DOCKER_TARGET} \
 ${BUILD_CACHE} \
 --progress plain \
 --target ${DOCKER_TARGET} \
- -t kubestack/framework-dev:test-$(GIT_SHA)-${DOCKER_TARGET} \
+ -t ghcr.io/kbst/terraform-kubestack/dev:test-$(GIT_SHA)-${DOCKER_TARGET} \
 .
 validate: .init
@@ -97,7 +97,7 @@ shell: .check-container
 -e KBST_AUTH_GCLOUD \
 -e HOME=/infra/tests/.user \
 --workdir /infra/tests \
- kubestack/framework-dev:test-$(GIT_SHA)-${DOCKER_TARGET} \
+ ghcr.io/kbst/terraform-kubestack/dev:test-$(GIT_SHA)-${DOCKER_TARGET} \
 sleep infinity
 .stop-container:
diff --git a/quickstart/build_artifacts/dist.py b/quickstart/build_artifacts/dist.py
index b2167557..c4278221 100755
--- a/quickstart/build_artifacts/dist.py
+++ b/quickstart/build_artifacts/dist.py
@@ -7,9 +7,9 @@
 from jinja2 import Environment, FileSystemLoader
-SRCDIR = '../src'
-DISTDIR = '../_dist'
-ARTIFACT_PREFIX = 'kubestack-starter-'
+SRCDIR = "../src"
+DISTDIR = "../_dist"
+ARTIFACT_PREFIX = "kubestack-starter-"
 def replace_template(dist_path, file_name, context):
@@ -17,17 +17,17 @@ def replace_template(dist_path, file_name, context):
 template = jinja.get_template(file_name)
 data = template.render(context)
- with open(f'{dist_path}/{file_name}', 'w') as f:
+ with open(f"{dist_path}/{file_name}", "w") as f:
 f.write(data)
 # always include newline at end of file
- f.write('\n')
+ f.write("\n")
 def dist(version, image_name, configuration):
- configuration_src = f'{SRCDIR}/configurations/{configuration}'
- configuration_dist = f'{DISTDIR}/{ARTIFACT_PREFIX}{configuration}'
- manifests_src = f'{SRCDIR}/manifests'
- manifests_dist = f'{configuration_dist}/manifests'
+ configuration_src = f"{SRCDIR}/configurations/{configuration}"
+ configuration_dist = f"{DISTDIR}/{ARTIFACT_PREFIX}{configuration}"
+ manifests_src = f"{SRCDIR}/manifests"
+ manifests_dist = f"{configuration_dist}/manifests"
 # Clean DISTDIR
 if isdir(configuration_dist):
@@ -38,37 +38,37 @@ def dist(version, image_name, configuration):
 copytree(manifests_src, manifests_dist)
 # Replace templated version variables in *.tf files
- for tf_file in [n for n in listdir(configuration_dist)
- if n.endswith('.tf')]:
- replace_template(configuration_dist, tf_file,
- {'version': version})
+ for tf_file in [n for n in listdir(configuration_dist) if n.endswith(".tf")]:
+ replace_template(configuration_dist, tf_file, {"version": version})
 # Replace templated variables in Dockerfiles
- dockerfiles = ['Dockerfile', 'Dockerfile.loc']
+ dockerfiles = ["Dockerfile", "Dockerfile.loc"]
 for dockerfile in dockerfiles:
 if exists(join(configuration_dist, dockerfile)):
- replace_template(configuration_dist,
- dockerfile,
- {'image_name': image_name, 'image_tag': version})
+ replace_template(
+ configuration_dist,
+ dockerfile,
+ {"image_name": image_name, "image_tag": version},
+ )
 def compress(version, configuration):
- starter = f'{ARTIFACT_PREFIX}{configuration}'
- archive = f'{DISTDIR}/{starter}-{version}'
- make_archive(archive, 'zip', DISTDIR, starter)
+ starter = f"{ARTIFACT_PREFIX}{configuration}"
+ archive = f"{DISTDIR}/{starter}-{version}"
+ make_archive(archive, "zip", DISTDIR, starter)
 if __name__ == "__main__":
 # Use tag as version, fallback to commit sha
- version = environ.get('GIT_SHA')
+ version = environ.get("GIT_SHA")
 # Non tagged images go to a different image repository
- image_name = 'kubestack/framework-dev'
+ image_name = "ghcr.io/kbst/terraform-kubestack/dev"
- gitref = environ.get('GIT_REF')
- if gitref.startswith('refs/tags/'):
- version = gitref.replace('refs/tags/', '')
+ gitref = environ.get("GIT_REF")
+ if gitref.startswith("refs/tags/"):
+ version = gitref.replace("refs/tags/", "")
 # Tagged releases go to main image repository
- image_name = 'kubestack/framework'
+ image_name = "kubestack/framework"
 try:
 target = argv[1]
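Review bot: `gitref = environ.get("GIT_REF")` followed by `gitref.startswith("refs/tags/")` raises `AttributeError` when `GIT_REF` is unset, and `version = environ.get("GIT_SHA")` silently becomes `None`, which then lands as the literal string `None` in the archive name built by `compress` and in the `image_tag` rendered into the starter Dockerfiles. The workflow's `Build artifacts` step sets both variables, but a local `make dist` without them should fail with a clear message rather than a traceback or a mis-tagged artifact; use `gitref = environ.get("GIT_REF", "")` and exit with a usage message when `GIT_SHA` is missing. The `if __name__ == "__main__":` block continues past the end of the hunk.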
@@ -76,8 +76,9 @@ def compress(version, configuration):
 print("positional arg: 'target' missing:")
 exit("usage dist.py [dist | compress]")
- configurations = [n for n in listdir(f'{SRCDIR}/configurations')
- if not n.startswith('_')]
+ configurations = [
+ n for n in listdir(f"{SRCDIR}/configurations") if not n.startswith("_")
+ ]
 if target not in ["dist", "compress"]:
 exit("usage dist.py [dist | compress]")