Drop dependency on monopod, convert all images to terraform #32

merged 4 commits into from
Jun 8, 2023
22 changes: 0 additions & 22 deletions .github/workflows/digestabot.yaml

This file was deleted.

87 changes: 48 additions & 39 deletions .github/workflows/presubmit-build.yaml
@@ -1,55 +1,64 @@
on:
pull_request:
jobs:
presubmit-matrix:
generate-matrix:
runs-on: ubuntu-latest
outputs:
matrix: ${{ steps.generate-matrix.outputs.matrix }}
steps:
- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
- id: files
uses: jitterbit/get-changed-files@b17fbb00bdc0c0f63fcf166580804b4d2cdc2a42 # v1
with:
format: csv
- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
with:
repository: chainguard-images/images
- id: generate-matrix
uses: ./.github/actions/generate-matrix
with:
modified-files: ${{ steps.files.outputs.all }}
repository: chainguard-images/images
presubmit-build:
- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
- id: generate-matrix
run: |
set -x
# TODO: set ONLY env var based on changed files
matrix="$(ONLY="${{ inputs.only }}" ./hack/matrix.sh)"
echo "matrix=${matrix}" >> $GITHUB_OUTPUT
build:
runs-on: ubuntu-latest
needs: presubmit-matrix
needs: generate-matrix
strategy:
fail-fast: false
matrix: ${{ fromJson(needs.presubmit-matrix.outputs.matrix) }}
matrix: ${{ fromJson(needs.generate-matrix.outputs.matrix) }}
permissions:
id-token: write
packages: write
contents: read
steps:

# Setup required tooling etc.
- name: Setup QEMU
if: ${{ matrix.melangeConfig != '' }}
uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2.2.0
- uses: hashicorp/setup-terraform@v2
with:
terraform_version: '1.3.*'
terraform_wrapper: false

# Checkout this repo's source code
- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2

# Build custom package using melange (if specified)
- id: melange
if: ${{ matrix.melangeConfig != '' }}
uses: chainguard-dev/actions/melange-build@main
with:
repository: chainguard-images/images
- name: Add additional inputs
id: augmented-inputs
multi-config: ${{ matrix.melangeConfig }}
empty-workspace: false
workdir: images/${{ matrix.imageName }}
sign-with-temporary-key: true
archs: x86_64,aarch64

# Setup local registry
- uses: chainguard-dev/actions/setup-registry@main
with:
port: 5000

# Build and push image using terraform-provider-apko
- name: Build image with apko/terraform
env:
EXTRA_INPUT_APKO_IMAGE: ghcr.io/wolfi-dev/apko:latest@sha256:94c1512d9c359148059a13cb8df972d15f196e5901f0132238d0376e0bfb597c
TF_VAR_target_repository: localhost:5000/${{ matrix.imageName }}
run: |
# convert env vars beginning with "EXTRA_INPUT_"
# to camelcased input variables passed to next step
set -x
echo '${{ toJSON(matrix) }}' > inputs.json
for kv in `env | grep '^EXTRA_INPUT_' | sed 's/^EXTRA_INPUT_//'`; do
k="$(echo "${kv}" | cut -d "=" -f1 | tr '[:upper:]' '[:lower:]' | sed -r 's/(.)_+(.)/\1\U\2/g;s/^[a-z]/\U&/' | sed 's/.*/\l&/')"
v="$(echo "${kv}" | cut -d "=" -f2)"
cat inputs.json | jq -c '. + {'${k}': "'${v}'"}' > inputs.json.tmp
mv inputs.json.tmp inputs.json
done
echo "augmented-inputs=$(cat inputs.json | tr -d '\n')" >> $GITHUB_OUTPUT
- uses: ./.github/actions/build-image
with: ${{ fromJSON(steps.augmented-inputs.outputs.augmented-inputs) }}
presubmit-roundup:
runs-on: ubuntu-latest
needs: presubmit-build
steps:
- run: |
echo "all matrix jobs completed"
cd images/${{ matrix.imageName }}/
terraform init
terraform apply -auto-approve
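Review bot: The new `- uses: hashicorp/setup-terraform@v2` step is pinned to a mutable tag while every other action in this job is pinned to a commit SHA with a version comment (`actions/checkout@8e5e7e5…`, `docker/setup-qemu-action@2b82ce8…`); the step that installs the binary which later runs `terraform apply` deserves the same treatment, e.g. `- uses: hashicorp/setup-terraform@<commit-sha placeholder> # v2.x`, and the identical line appears in `.github/workflows/release.yaml`. Separately, `matrix="$(ONLY="${{ inputs.only }}" ./hack/matrix.sh)"` splices the expression into the shell script text before it is parsed; the usual form is to pass it through the step's `env:` so the value is only ever read as a variable — `env:` / `ONLY: ${{ inputs.only }}` on the step and `matrix="$(./hack/matrix.sh)"` in `run:` — again also in release.yaml. On a `pull_request` trigger `inputs.only` is always empty, so presubmit builds every image; if that is the intent, the TODO above it should say so rather than "set ONLY env var based on changed files". The build job continues past the end of this hunk.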
103 changes: 39 additions & 64 deletions .github/workflows/release.yaml
Expand Up @@ -18,58 +18,13 @@ jobs:
outputs:
matrix: ${{ steps.generate-matrix.outputs.matrix }}
steps:

# On push to main branch, only build images necessary
- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
if: ${{ github.event_name != 'schedule' && github.event_name != 'workflow_dispatch' }}
- id: files
if: ${{ github.event_name != 'schedule' && github.event_name != 'workflow_dispatch' }}
uses: jitterbit/get-changed-files@b17fbb00bdc0c0f63fcf166580804b4d2cdc2a42 # v1
with:
format: csv

# Checkout public repo to get actions
- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
with:
repository: chainguard-images/images

# For nightly builds, build every image
- id: generate-matrix-schedule
if: ${{ github.event_name == 'schedule' || ( github.event_name == 'workflow_dispatch' && inputs.only == '' ) }}
uses: ./.github/actions/generate-matrix
with:
repository: chainguard-images/images

# On push to main branch, only build images necessary
- id: generate-matrix-main
if: ${{ github.event_name != 'schedule' && github.event_name != 'workflow_dispatch' }}
uses: ./.github/actions/generate-matrix
with:
repository: chainguard-images/images
modified-files: ${{ steps.files.outputs.all }}

# For manual builds, build only the image requested
- id: generate-matrix-manual
if: ${{ github.event_name == 'workflow_dispatch' && inputs.only != '' }}
uses: ./.github/actions/generate-matrix
with:
repository: chainguard-images/images
modified-files: images/${{ inputs.only }}/image.yaml

# Generate the final matrix for build based on the above
- id: generate-matrix
run: |
set -x
trap "rm -f matrix.json matrix-unique-images.json" EXIT
echo '${{ steps.generate-matrix-manual.outputs.matrix }}' > matrix.json
[[ "$(cat matrix.json)" != "" ]] || echo '${{ steps.generate-matrix-schedule.outputs.matrix }}' > matrix.json
[[ "$(cat matrix.json)" != "" ]] || echo '${{ steps.generate-matrix-main.outputs.matrix }}' > matrix.json
echo "matrix=$(cat matrix.json)" >> $GITHUB_OUTPUT
echo '${{ steps.generate-matrix-manual.outputs.matrix-unique-images }}' > matrix-unique-images.json
[[ "$(cat matrix-unique-images.json)" != "" ]] || echo '${{ steps.generate-matrix-schedule.outputs.matrix-unique-images }}' > matrix-unique-images.json
[[ "$(cat matrix-unique-images.json)" != "" ]] || echo '${{ steps.generate-matrix-main.outputs.matrix-unique-images }}' > matrix-unique-images.json
echo "matrix-unique-images=$(cat matrix-unique-images.json)" >> $GITHUB_OUTPUT

# TODO: set ONLY env var based on changed files
matrix="$(ONLY="${{ inputs.only }}" ./hack/matrix.sh)"
echo "matrix=${matrix}" >> $GITHUB_OUTPUT
build:
runs-on: ubuntu-latest
needs: generate-matrix
Expand All @@ -81,24 +36,44 @@ jobs:
packages: write
contents: read
steps:

# Setup required tooling etc.
- name: Setup QEMU
if: ${{ matrix.melangeConfig != '' }}
uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2.2.0
- uses: hashicorp/setup-terraform@v2
with:
terraform_version: '1.3.*'
terraform_wrapper: false

# Checkout this repo's source code
- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2

# Build custom package using melange (if specified)
- id: melange
if: ${{ matrix.melangeConfig != '' }}
uses: chainguard-dev/actions/melange-build@main
with:
repository: chainguard-images/images
- name: Add additional inputs
id: augmented-inputs
multi-config: ${{ matrix.melangeConfig }}
empty-workspace: false
workdir: images/${{ matrix.imageName }}
sign-with-temporary-key: true
archs: x86_64,aarch64

# Auth to GitHub Container Registry (ghcr.io)
- name: Login to registry
run: |
set -x
echo "${{ github.token }}" | docker login \
-u "${{ github.repository_owner }}" \
--password-stdin ghcr.io

# Build and push image using terraform-provider-apko
- name: Build image with apko/terraform
env:
EXTRA_INPUT_APKO_IMAGE: ghcr.io/wolfi-dev/apko:latest@sha256:94c1512d9c359148059a13cb8df972d15f196e5901f0132238d0376e0bfb597c
TF_VAR_target_repository: ghcr.io/${{ github.repository_owner }}/${{ matrix.imageName }}
run: |
# convert env vars beginning with "EXTRA_INPUT_"
# to camelcased input variables passed to next step
set -x
echo '${{ toJSON(matrix) }}' > inputs.json
for kv in `env | grep '^EXTRA_INPUT_' | sed 's/^EXTRA_INPUT_//'`; do
k="$(echo "${kv}" | cut -d "=" -f1 | tr '[:upper:]' '[:lower:]' | sed -r 's/(.)_+(.)/\1\U\2/g;s/^[a-z]/\U&/' | sed 's/.*/\l&/')"
v="$(echo "${kv}" | cut -d "=" -f2)"
cat inputs.json | jq -c '. + {'${k}': "'${v}'"}' > inputs.json.tmp
mv inputs.json.tmp inputs.json
done
echo "augmented-inputs=$(cat inputs.json | tr -d '\n')" >> $GITHUB_OUTPUT
- uses: ./.github/actions/release-image
with: ${{ fromJSON(steps.augmented-inputs.outputs.augmented-inputs) }}
cd images/${{ matrix.imageName }}/
terraform init
terraform apply -auto-approve
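Review bot: `terraform init` followed by `terraform apply -auto-approve` now runs in a job holding `packages: write` and `id-token: write`, yet nothing pins which provider code that init downloads: the new `.gitignore` entry `**/.terraform*` also matches `.terraform.lock.hcl`, and the `required_providers` blocks added in `images/alpine-base/main.tf` and `images/alpine-base/tests/main.tf` give a `source` but no `version`. Each release therefore executes whatever `chainguard-dev/apko` and `chainguard-dev/oci` version is newest on the registry at that moment, with the GHCR push credentials in scope. I would add `version = "<constraint placeholder>"` to each provider, commit the lock file (narrowing the ignore to `**/.terraform/`), and run `terraform init -lockfile=readonly` here so a drifted lock fails the job instead of being silently rewritten. The build job's `permissions` and earlier steps are above this hunk.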
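--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,7 @@
+**/.terraform*
+**/terraform*
+**/melange.rsa*
+**/packages/
+**/*.tar
+**/*.cdx
+**/*.spdx.json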
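--- a/hack/matrix.sh
+++ b/hack/matrix.sh
@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+
+# This script is used in .github/workflows/release.yaml
+# to dynamically generate a build matrix based on repo contents
+
+set -e
+matrix='{"include":[]}'
+for name in `find images -mindepth 1 -maxdepth 1 -type d | sed 's|images/||' | sort | xargs`; do
+[[ "${ONLY}" == "" || "${ONLY}" == "${name}" ]] || continue
+entry='{imageName: "'${name}'"}'
+melange_config="$(cd images/${name} && find . -name '*.melange.yaml' | sed 's|./||')"
+if [[ "${melange_config}" != "" ]]; then
+entry="{imageName: \"${name}\", melangeConfig: \"${melange_config}\"}"
+fi
+matrix="$(echo "${matrix}" | jq -c ".include += [${entry}]")"
+done
+echo "${matrix}"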
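Review bot: The matrix entries are produced by splicing `${name}` and `${melange_config}` into text that is then handed to jq as the filter program (`.include += [${entry}]`), so a directory name or melange path containing a quote, backslash or jq syntax either corrupts the JSON or changes the filter, and the `for name in \`find … | xargs\`` loop additionally word-splits on whitespace. Passing the values with `--arg` lets jq do the quoting and keeps the output well-formed for every name. When more than one `*.melange.yaml` exists `melange_config` is multi-line; I am assuming the consumer's `multi-config` input expects a single value, so that case should be joined or rejected explicitly rather than embedded raw. The header comment also names only `release.yaml`, but `presubmit-build.yaml` runs this script too.
```shell
matrix='{"include":[]}'
while IFS= read -r name; do
  [[ "${ONLY}" == "" || "${ONLY}" == "${name}" ]] || continue
  melange_config="$(cd "images/${name}" && find . -name '*.melange.yaml' | sed 's|./||')"
  matrix="$(echo "${matrix}" | jq -c --arg n "${name}" --arg m "${melange_config}" \
    '.include += [{imageName: $n} + (if $m != "" then {melangeConfig: $m} else {} end)]')"
done < <(find images -mindepth 1 -maxdepth 1 -type d | sed 's|images/||' | sort)
echo "${matrix}"
```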
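--- a/hack/melange-build.sh
+++ b/hack/melange-build.sh
@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+
+# This script is used for local development
+# to generate the packages/ for a specific image
+# using melange
+
+set -e
+
+IMAGE="${1}"
+
+if [[ "${IMAGE}" == "" ]]; then
+echo "usage: ./melange-build.sh <image>"
+exit 1
+fi
+
+if [[ ! -f melange.rsa ]]; then
+melange keygen
+fi
+
+cd "images/${IMAGE}"
+
+melange build \
+--arch amd64,arm64 \
+--signing-key ../../melange.rsa \
+--out-dir ../../packages/ \
+configs/*.melange.yaml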
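Review bot: `cd "images/${IMAGE}"` takes the image name straight from `$1` with no check that the directory exists, and the relative `../../melange.rsa` and `../../packages/` paths assume the caller is in the repository root, which the usage line `./melange-build.sh <image>` (the file lives under `hack/`) does not reflect. A guard after the usage check, `[[ -d "images/${IMAGE}" ]] || { echo "unknown image: ${IMAGE}" >&2; exit 1; }`, and a `cd "$(dirname "$0")/.."` before it make both failure modes explicit; with `set -e` a bad name already aborts on the `cd`, so this is about a clear message rather than safety. The `melange keygen` branch also writes a fresh signing key into whatever directory the user happens to be in, which is another reason to anchor the working directory first.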
4 changes: 1 addition & 3 deletions images/alpine-base/configs/latest.apko.yaml
@@ -1,9 +1,7 @@
contents:
repositories:
- https://dl-cdn.alpinelinux.org/alpine/edge/main
packages:
- alpine-baselayout-data
- alpine-release
- alpine-release==3 # TODO: unlock this, some issue using terraform
- apk-tools
- busybox
- libc-utils
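Review bot: If `- alpine-release==3 # TODO: unlock this, some issue using terraform` is the added line (the one-addition count suggests so), the comment records a workaround without saying what fails, which is exactly what the next person needs in order to remove it; I would expand it to `# TODO(<issue-id placeholder>): pinned to 3 because <symptom> with terraform-provider-apko; drop once fixed`. Note that `==3` pins only the major version, so if the intent was reproducibility rather than working around a resolver problem, the constraint would need the full version.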
4 changes: 0 additions & 4 deletions images/alpine-base/image.yaml

This file was deleted.

35 changes: 35 additions & 0 deletions images/alpine-base/main.tf
@@ -0,0 +1,35 @@
terraform {
required_providers {
apko = { source = "chainguard-dev/apko" }
oci = { source = "chainguard-dev/oci" }
}
}

variable "target_repository" {
description = "The docker repo into which the image and attestations should be published."
}

provider "apko" {
extra_repositories = ["https://dl-cdn.alpinelinux.org/alpine/edge/main"]
extra_keyring = []
default_archs = ["386", "amd64", "arm64", "arm/v6", "arm/v7", "ppc64le", "riscv64", "s390x"]
}

module "latest" {
source = "../../tflib/publisher"
target_repository = var.target_repository
config = file("${path.module}/configs/latest.apko.yaml")
extra_packages = []
}

module "test-latest" {
source = "./tests"
digest = module.latest.image_ref
}

resource "oci_tag" "version-tags" {
depends_on = [ module.test-latest ]
for_each = toset(["latest"])
digest_ref = module.latest.image_ref
tag = "${each.key}"
}
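Review bot: `extra_keyring = []` next to `extra_repositories = ["https://dl-cdn.alpinelinux.org/alpine/edge/main"]` supplies no signing key for the only repository this image pulls from; I cannot tell from this hunk whether the apko provider then verifies the Alpine index with keys it obtains elsewhere or skips verification, and a one-line comment above `extra_keyring` stating which (and where the Alpine keys come from if verified) would settle that for reviewers. `variable "target_repository"` has a description but no `type`; `type = string` makes a malformed `TF_VAR_target_repository` fail at plan time. `tag = "${each.key}"` is an interpolation-only string that Terraform flags as a warning; `tag = each.key` is the plain form.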
File renamed without changes.
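--- a/images/alpine-base/tests/main.tf
+++ b/images/alpine-base/tests/main.tf
@@ -0,0 +1,14 @@
+terraform {
+required_providers {
+oci = { source = "chainguard-dev/oci" }
+}
+}
+
+variable "digest" {
+description = "The image digest to run tests over."
+}
+
+data "oci_exec_test" "echo" {
+digest = var.digest
+script = "${path.module}/01-echo.sh"
+}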
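Review bot: `variable "digest"` carries a description but no type, so a missing or non-string value only surfaces inside the test; `type = string` and `nullable = false` turn that into a plan-time error. The `oci_exec_test` runs `${path.module}/01-echo.sh`, which this page shows only as "File renamed without changes", so I cannot see what it asserts; since the tag resource in `images/alpine-base/main.tf` depends on this module, it is worth confirming the script exits non-zero on a bad image rather than merely running `echo`, and a comment on the data block naming what the test checks would document that.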
8 changes: 0 additions & 8 deletions images/apko/configs/latest.apko.yaml
@@ -1,8 +1,4 @@
contents:
keyring:
- https://packages.wolfi.dev/os/wolfi-signing.rsa.pub
repositories:
- https://packages.wolfi.dev/os
packages:
- alpine-keys
- ca-certificates-bundle
Expand All @@ -19,7 +15,3 @@ work-dir: /work
entrypoint:
command: /usr/bin/apko
cmd: --help

archs:
- x86_64
- aarch64
7 changes: 0 additions & 7 deletions images/apko/image.yaml

This file was deleted.
