From ccb01435e45f4ce6ce36851a2b4fb404ca23929a Mon Sep 17 00:00:00 2001
From: Matt Morrison
Date: Thu, 7 Dec 2023 08:53:41 +1300
Subject: [PATCH 1/9] Add release workflow to publish docker image
---
 .github/workflows/artifacts.yaml | 175 ++++++++++++++++++++++++++++
 .github/workflows/k8s.yml | 1 -
 .github/workflows/pull_request.yaml | 19 +++
 .github/workflows/release.yaml | 20 ++++
 4 files changed, 214 insertions(+), 1 deletion(-)
 create mode 100644 .github/workflows/artifacts.yaml
 create mode 100644 .github/workflows/pull_request.yaml
 create mode 100644 .github/workflows/release.yaml
diff --git a/.github/workflows/artifacts.yaml b/.github/workflows/artifacts.yaml
new file mode 100644
index 0000000..cf93088
--- /dev/null
+++ b/.github/workflows/artifacts.yaml
@@ -0,0 +1,175 @@ +name: Artifacts + +on: + workflow_call: + inputs: + publish: + description: Publish artifacts to the artifact store + default: false + required: false + type: boolean + outputs: + container-image-name: + description: Container image name + value: ${{ jobs.container-image.outputs.name }} + container-image-digest: + description: Container image digest + value: ${{ jobs.container-image.outputs.digest }} + container-image-ref: + description: Container image ref + value: ${{ jobs.container-image.outputs.ref }} + +permissions: + contents: read + +jobs: + container-image: + name: Container image + runs-on: ubuntu-latest + + strategy: + matrix: + variant: + - alpine + - distroless + + permissions: + contents: read + packages: write + id-token: write + security-events: write + + outputs: + name: ${{ steps.image-name.outputs.value }} + digest: ${{ steps.build.outputs.digest }} + ref: ${{ steps.image-ref.outputs.value }} + + steps: + - name: Checkout repository + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + + - name: Set up QEMU + uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 + + - name: Set up Syft + uses: anchore/sbom-action/download-syft@78fc58e266e87a38d4194b2137a3d4e9bcaf7ca1 # v0.14.3 + + - name: Set image name + id: image-name + run: echo "value=ghcr.io/${{ github.repository }}" >> "$GITHUB_OUTPUT" + + - name: Gather build metadata + id: meta + uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0 + with: + images: | + ${{ steps.image-name.outputs.value }} + dexidp/dex + flavor: | + latest = false + tags: | + type=ref,event=branch,enable=${{ matrix.variant == 'alpine' }} + type=ref,event=pr,prefix=pr-,enable=${{ matrix.variant == 'alpine' }} + type=semver,pattern={{raw}},enable=${{ matrix.variant == 'alpine' }} + type=raw,value=latest,enable=${{ 
github.ref_name == github.event.repository.default_branch && matrix.variant == 'alpine' }} + type=ref,event=branch,suffix=-${{ matrix.variant }} + type=ref,event=pr,prefix=pr-,suffix=-${{ matrix.variant }} + type=semver,pattern={{raw}},suffix=-${{ matrix.variant }} + type=raw,value=latest,enable={{is_default_branch}},suffix=-${{ matrix.variant }} + labels: | + org.opencontainers.image.documentation=https://dexidp.io/docs/ + + # Multiple exporters are not supported yet + # See https://github.com/moby/buildkit/pull/2760 + - name: Determine build output + uses: haya14busa/action-cond@1d6e8a12b20cdb4f1954feef9aa475b9c390cab5 # v1.1.1 + id: build-output + with: + cond: ${{ inputs.publish }} + if_true: type=image,push=true + if_false: type=oci,dest=image.tar + + - name: Login to GitHub Container Registry + uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ github.token }} + if: inputs.publish + + - name: Build and push image + id: build + uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0 + with: + context: . 
+ platforms: linux/amd64,linux/arm/v7,linux/arm64 + tags: ${{ steps.meta.outputs.tags }} + build-args: | + BASE_IMAGE=${{ matrix.variant }} + VERSION=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.version'] }} + COMMIT_HASH=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }} + BUILD_DATE=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }} + labels: ${{ steps.meta.outputs.labels }} + # cache-from: type=gha + # cache-to: type=gha,mode=max + outputs: ${{ steps.build-output.outputs.value }} + # push: ${{ inputs.publish }} + + - name: Set image ref + id: image-ref + run: echo "value=${{ steps.image-name.outputs.value }}@${{ steps.build.outputs.digest }}" >> "$GITHUB_OUTPUT" + + - name: Fetch image + run: skopeo --insecure-policy copy docker://${{ steps.image-ref.outputs.value }} oci-archive:image.tar + if: inputs.publish + + # Uncomment the following lines for debugging: + # - name: Upload image as artifact + # uses: actions/upload-artifact@v3 + # with: + # name: "[${{ github.job }}] OCI tarball" + # path: image.tar + + - name: Extract OCI tarball + run: | + mkdir -p image + tar -xf image.tar -C image + + # - name: List tags + # run: skopeo --insecure-policy list-tags oci:image + # + # # See https://github.com/anchore/syft/issues/1545 + # - name: Extract image from multi-arch image + # run: skopeo --override-os linux --override-arch amd64 --insecure-policy copy oci:image:${{ steps.image-name.outputs.value }}:${{ steps.meta.outputs.version }} docker-archive:docker.tar + # + # - name: Generate SBOM + # run: syft -o spdx-json=sbom-spdx.json docker-archive:docker.tar + # + # - name: Upload SBOM as artifact + # uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 + # with: + # name: "[${{ github.job }}] SBOM" + # path: sbom-spdx.json + # retention-days: 5 + + - name: Run Trivy vulnerability scanner + uses: 
aquasecurity/trivy-action@fbd16365eb88e12433951383f5e99bd901fc618f # 0.12.0 + with: + input: image + format: sarif + output: trivy-results.sarif + + - name: Upload Trivy scan results as artifact + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 + with: + name: "[${{ github.job }}] Trivy scan results" + path: trivy-results.sarif + retention-days: 5 + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@49abf0ba24d0b7953cb586944e918a0b92074c80 # v2.22.4 + with: + sarif_file: trivy-results.sarif diff --git a/.github/workflows/k8s.yml b/.github/workflows/k8s.yml index a7ad3f1..e6b5906 100644 --- a/.github/workflows/k8s.yml +++ b/.github/workflows/k8s.yml @@ -2,7 +2,6 @@ name: k8s-lint on: push: branches: - - master - main pull_request: jobs: diff --git a/.github/workflows/pull_request.yaml b/.github/workflows/pull_request.yaml new file mode 100644 index 0000000..8e3c9ad --- /dev/null +++ b/.github/workflows/pull_request.yaml @@ -0,0 +1,19 @@ +name: Release + +on: + pull_request: + +permissions: + contents: read + +jobs: + build-image: + name: Artifacts + uses: ./.github/workflows/artifacts.yaml + with: + publish: false + permissions: + contents: read + packages: write + id-token: write + security-events: write diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml new file mode 100644 index 0000000..fb66f50 --- /dev/null +++ b/.github/workflows/release.yaml @@ -0,0 +1,20 @@ +name: Release + +on: + push: + tags: [ "*" ] + +permissions: + contents: read + +jobs: + artifacts: + name: Artifacts + uses: ./.github/workflows/artifacts.yaml + with: + publish: true + permissions: + contents: read + packages: write + id-token: write + security-events: write From 791d3aff171a681d2099fd2900423d1484843a6b Mon Sep 17 00:00:00 2001 
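Review bot: The `images:` list of the `Gather build metadata` step names `dexidp/dex` next to `${{ steps.image-name.outputs.value }}`, which looks carried over from the upstream dex workflow: every generated tag is duplicated under `dexidp/dex`, and with `publish: true` the build step will presumably try to push to a Docker Hub namespace this job never logs in to (the login step only covers `ghcr.io`). Drop that line so `images: |` is followed by `${{ steps.image-name.outputs.value }}` alone. The `org.opencontainers.image.documentation=https://dexidp.io/docs/` label is the same copy-over; a later patch in this series corrects the label but leaves the image name in place.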
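Review bot: `name: Release` in pull_request.yaml duplicates the workflow name used by release.yaml in this same patch, so both workflows appear under one title in the Actions UI and in status-check lists; `name: Pull request` (or similar) keeps them distinguishable. The job key also differs between the two callers (`build-image` here, `artifacts` in release.yaml) for what is the same reusable job, so the required-check name changes depending on the trigger; aligning the two keys makes that name stable.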
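Review bot: `tags: [ "*" ]` starts the publishing build for every pushed tag, while on a tag push the called workflow only derives image tags from `type=semver`, so a tag that is not semver-shaped presumably produces a build with nothing to push. Restricting the trigger to the release-tag pattern the project actually uses, e.g. `tags: [ "v*" ]` if releases are v-prefixed, avoids that. `packages: write` and `id-token: write` are what the publishing path needs; `security-events: write` exists only for the SARIF upload step in artifacts.yaml and should be dropped from this caller if that step ever goes away.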
From: Matt Morrison Date: Thu, 7 Dec 2023 09:36:25 +1300 Subject: [PATCH 2/9] Simplify release, troubleshoot e2e, update refs --- .github/workflows/artifacts.yaml | 35 ++---------------------- .github/workflows/k8s.yml | 3 +- charts/dex-k8s-authenticator/values.yaml | 2 +- docs/eks.md | 2 +- 4 files changed, 7 insertions(+), 35 deletions(-) diff --git a/.github/workflows/artifacts.yaml b/.github/workflows/artifacts.yaml index cf93088..78937a1 100644 --- a/.github/workflows/artifacts.yaml +++ b/.github/workflows/artifacts.yaml @@ -31,7 +31,7 @@ jobs: matrix: variant: - alpine - - distroless +# - distroless permissions: contents: read @@ -54,9 +54,6 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 - - name: Set up Syft - uses: anchore/sbom-action/download-syft@78fc58e266e87a38d4194b2137a3d4e9bcaf7ca1 # v0.14.3 - - name: Set image name id: image-name run: echo "value=ghcr.io/${{ github.repository }}" >> "$GITHUB_OUTPUT" @@ -80,7 +77,7 @@ jobs: type=semver,pattern={{raw}},suffix=-${{ matrix.variant }} type=raw,value=latest,enable={{is_default_branch}},suffix=-${{ matrix.variant }} labels: | - org.opencontainers.image.documentation=https://dexidp.io/docs/ + org.opencontainers.image.documentation=https://github.com/sl1pm4t/dex-k8s-authenticator # Multiple exporters are not supported yet # See https://github.com/moby/buildkit/pull/2760 
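Review bot: `# - distroless` comments the matrix entry out instead of removing it, leaving no record of why the variant is disabled or when it should come back; a one-line reason such as `# TODO: re-enable distroless once its build passes in this repo` (or simply deleting the entry) tells the next reader. The same comment-out-instead-of-delete pattern appears in patch 9 of this series for the `Install curl` step in k8s.yml. With only `alpine` left, the `tags:` list still emits both the unsuffixed and the `-alpine`-suffixed tags; that is presumably intended, but the suffix scheme only exists to tell variants apart, so a short comment would save someone from "simplifying" it away.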
@@ -116,16 +113,12 @@ jobs: # cache-from: type=gha # cache-to: type=gha,mode=max outputs: ${{ steps.build-output.outputs.value }} - # push: ${{ inputs.publish }} + push: ${{ inputs.publish }} - name: Set image ref id: image-ref run: echo "value=${{ steps.image-name.outputs.value }}@${{ steps.build.outputs.digest }}" >> "$GITHUB_OUTPUT" - - name: Fetch image - run: skopeo --insecure-policy copy docker://${{ steps.image-ref.outputs.value }} oci-archive:image.tar - if: inputs.publish - # Uncomment the following lines for debugging: # - name: Upload image as artifact # uses: actions/upload-artifact@v3 @@ -133,28 +126,6 @@ jobs: # name: "[${{ github.job }}] OCI tarball" # path: image.tar - - name: Extract OCI tarball - run: | - mkdir -p image - tar -xf image.tar -C image - - # - name: List tags - # run: skopeo --insecure-policy list-tags oci:image - # - # # See https://github.com/anchore/syft/issues/1545 - # - name: Extract image from multi-arch image - # run: skopeo --override-os linux --override-arch amd64 --insecure-policy copy oci:image:${{ steps.image-name.outputs.value }}:${{ steps.meta.outputs.version }} docker-archive:docker.tar - # - # - name: Generate SBOM - # run: syft -o spdx-json=sbom-spdx.json docker-archive:docker.tar - # - # - name: Upload SBOM as artifact - # uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 - # with: - # name: "[${{ github.job }}] SBOM" - # path: sbom-spdx.json - # retention-days: 5 - - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@fbd16365eb88e12433951383f5e99bd901fc618f # 0.12.0 with: diff --git a/.github/workflows/k8s.yml b/.github/workflows/k8s.yml index e6b5906..046b272 100644 --- a/.github/workflows/k8s.yml +++ b/.github/workflows/k8s.yml @@ -20,6 +20,7 @@ jobs: kubeconform: latest kubeval: latest helm: latest + stern: latest jq: latest yq: latest 
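Review bot: Re-enabling `push: ${{ inputs.publish }}` while `outputs: ${{ steps.build-output.outputs.value }}` already resolves to `type=image,push=true` when publishing specifies the push twice; `push` is build-push-action's shorthand for a registry output, and the `Determine build output` step (`cond: ${{ inputs.publish }}`) exists precisely to carry that decision, so one of the two should go. If the conditional exporter is the intended mechanism, leave the `push:` line out rather than uncommenting it. Removing `Fetch image` here also means nothing produces `image.tar` on the publish path any more, which the later steps in this file still rely on.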
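Review bot: Deleting `Extract OCI tarball` leaves the `Run Trivy vulnerability scanner` step (the context line at the end of this hunk) pointing at `input: image`, a directory nothing creates any more, so the scan step will fail on both the publish and non-publish paths. Either keep the extract step for the `type=oci,dest=image.tar` case, or scan the pushed image by reference with `image-ref: ${{ steps.image-ref.outputs.value }}` when `inputs.publish` is true. Patch 3 of this series resolves the failure by removing the scanner and its SARIF upload altogether; that leaves the job-level and caller-side `security-events: write` grants unused and the release image unscanned, which is worth an explicit decision rather than a side effect of CI fixes.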
@@ -69,7 +70,7 @@ jobs: run: | helm install -f /tmp/dex-k8s-auth-overrides.yaml dex-k8s-authenticator ./charts/dex-k8s-authenticator kubectl describe deployment dex-k8s-authenticator - kubectl rollout status deploy dex-k8s-authenticator -w + kubectl rollout status deploy dex-k8s-authenticator -w || (kubectl get po && stern --no-follow dex-k8s-authenticator) - name: test run: | diff --git a/charts/dex-k8s-authenticator/values.yaml b/charts/dex-k8s-authenticator/values.yaml index bdf89b9..0f73fce 100644 --- a/charts/dex-k8s-authenticator/values.yaml +++ b/charts/dex-k8s-authenticator/values.yaml @@ -7,7 +7,7 @@ global: replicaCount: 1 image: - repository: sl1pm4t/dex-k8s-authenticator + repository: ghcr.io/sl1pm4t/dex-k8s-authenticator tag: 2.0.0 pullPolicy: Always diff --git a/docs/eks.md b/docs/eks.md index cba3939..a90bbea 100644 --- a/docs/eks.md +++ b/docs/eks.md @@ -21,7 +21,7 @@ Required Charts - nginx-ingress-controller - https://github.com/helm/charts/tree/master/stable/nginx-ingress - dex - https://github.com/helm/charts/tree/master/stable/dex - kube-oidc-proxy - https://github.com/jetstack/kube-oidc-proxy/tree/master/deploy/charts/kube-oidc-proxy -- dex-k8s-authenticator - https://github.com/sl1pm4t/dex-k8s-authenticator/tree/master/charts +- dex-k8s-authenticator - https://github.com/sl1pm4t/dex-k8s-authenticator/tree/main/charts You should also setup a DNS record that points to your nginx controller (load-balancer), and setup an AWS ACM certificate. From 00e19833076f5d0a6956d7eb816df7f0627b5aa1 Mon Sep 17 00:00:00 2001 From: Matt Morrison Date: Thu, 7 Dec 2023 10:52:12 +1300 Subject: [PATCH 3/9] CI fixes --- .github/workflows/artifacts.yaml | 25 ------------------------- .github/workflows/k8s.yml | 5 +++++ 2 files changed, 5 insertions(+), 25 deletions(-) diff --git a/.github/workflows/artifacts.yaml b/.github/workflows/artifacts.yaml index 78937a1..6fb6e48 100644 --- a/.github/workflows/artifacts.yaml +++ b/.github/workflows/artifacts.yaml 
@@ -119,28 +119,3 @@ jobs: id: image-ref run: echo "value=${{ steps.image-name.outputs.value }}@${{ steps.build.outputs.digest }}" >> "$GITHUB_OUTPUT" - # Uncomment the following lines for debugging: - # - name: Upload image as artifact - # uses: actions/upload-artifact@v3 - # with: - # name: "[${{ github.job }}] OCI tarball" - # path: image.tar - - - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@fbd16365eb88e12433951383f5e99bd901fc618f # 0.12.0 - with: - input: image - format: sarif - output: trivy-results.sarif - - - name: Upload Trivy scan results as artifact - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 - with: - name: "[${{ github.job }}] Trivy scan results" - path: trivy-results.sarif - retention-days: 5 - - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@49abf0ba24d0b7953cb586944e918a0b92074c80 # v2.22.4 - with: - sarif_file: trivy-results.sarif diff --git a/.github/workflows/k8s.yml b/.github/workflows/k8s.yml index 046b272..cda657a 100644 --- a/.github/workflows/k8s.yml +++ b/.github/workflows/k8s.yml @@ -41,6 +41,11 @@ jobs: steps: - uses: actions/checkout@v4 + - uses: alexellis/arkade-get@master + with: + kubectl: latest + stern: latest + - name: setup-kind uses: helm/kind-action@v1.5.0 with: From 64ab1b8ae4613f3351690399e0c42b5d532c49f5 Mon Sep 17 00:00:00 2001 From: Matt Morrison Date: Thu, 7 Dec 2023 23:08:49 +1300 Subject: [PATCH 4/9] troubleshooting --- .github/workflows/k8s.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/k8s.yml b/.github/workflows/k8s.yml index cda657a..67f301c 100644 --- a/.github/workflows/k8s.yml +++ b/.github/workflows/k8s.yml 
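Review bot: `uses: alexellis/arkade-get@master` pins a third-party action to a mutable branch, and `kubectl: latest` / `stern: latest` install whatever those resolve to at run time, whereas artifacts.yaml in this same series pins every action to a commit SHA with the tag in a trailing comment. Pin the action the same way, `uses: alexellis/arkade-get@<commit-sha> # <tag>` (placeholder, fill in the resolved values), and pin the tool versions so an e2e failure is reproducible and a compromised upstream branch cannot silently change what runs on the runner. `actions/checkout@v4` on the line above follows the older, looser convention in k8s.yml; since the file is being touched anyway, aligning it with the SHA-pinned style is cheap.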
@@ -75,7 +75,7 @@ jobs: run: | helm install -f /tmp/dex-k8s-auth-overrides.yaml dex-k8s-authenticator ./charts/dex-k8s-authenticator kubectl describe deployment dex-k8s-authenticator - kubectl rollout status deploy dex-k8s-authenticator -w || (kubectl get po && stern --no-follow dex-k8s-authenticator) + kubectl rollout status deploy dex-k8s-authenticator -w || (stern --no-follow dex-k8s-authenticator) - name: test run: | From bfb5cef0cf660514b500b1c4cf887cebf417a255 Mon Sep 17 00:00:00 2001 From: Matt Morrison Date: Fri, 8 Dec 2023 08:29:14 +1300 Subject: [PATCH 5/9] fix dex e2e overrides for new chart --- tests/e2e/helm/dex-overrides.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/tests/e2e/helm/dex-overrides.yaml b/tests/e2e/helm/dex-overrides.yaml index 57a1999..4ebb6f0 100644 --- a/tests/e2e/helm/dex-overrides.yaml +++ b/tests/e2e/helm/dex-overrides.yaml @@ -3,7 +3,9 @@ service: type: NodePort port: 5556 - nodePort: 30001 + ports: + http: + nodePort: 30001 ingress: enabled: true From 60386c5eeed022a0028f49092a22152806b95b02 Mon Sep 17 00:00:00 2001 From: Matt Morrison Date: Fri, 8 Dec 2023 08:38:28 +1300 Subject: [PATCH 6/9] troubleshoot e2e --- .github/workflows/k8s.yml | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/.github/workflows/k8s.yml b/.github/workflows/k8s.yml index 67f301c..912bac9 100644 --- a/.github/workflows/k8s.yml +++ b/.github/workflows/k8s.yml 
@@ -75,10 +75,12 @@ jobs: run: | helm install -f /tmp/dex-k8s-auth-overrides.yaml dex-k8s-authenticator ./charts/dex-k8s-authenticator kubectl describe deployment dex-k8s-authenticator - kubectl rollout status deploy dex-k8s-authenticator -w || (stern --no-follow dex-k8s-authenticator) + kubectl rollout status deploy dex-k8s-authenticator -w - name: test run: | - kubectl get pods - export NODE_IP=$(kubectl get nodes -o jsonpath="{.items[0].status.addresses[0].address}") - curl -Lsf "http://${NODE_IP}:30000/login/my-cluster" | grep "Log in to Your Account" + kubectl get pods + export NODE_IP=$(kubectl get nodes -o jsonpath="{.items[0].status.addresses[0].address}") + echo $NODE_IP + curl -Lsf "http://${NODE_IP}:30000/login/my-cluster" + curl -Lsf "http://${NODE_IP}:30000/login/my-cluster" | grep "Log in to Your Account" From 9da367abbf794e5bfeb344bb0b2dfdec0389820c Mon Sep 17 00:00:00 2001 From: Matt Morrison Date: Fri, 8 Dec 2023 09:14:44 +1300 Subject: [PATCH 7/9] Install curl --- .github/workflows/k8s.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/k8s.yml b/.github/workflows/k8s.yml index 912bac9..179623b 100644 --- a/.github/workflows/k8s.yml +++ b/.github/workflows/k8s.yml @@ -46,6 +46,9 @@ jobs: kubectl: latest stern: latest + - name: Install curl + run: sudo apt-get install -y curl + - name: setup-kind uses: helm/kind-action@v1.5.0 with: From f86ec17bc2f9568e7e6927a43cb7c8b92ebd0587 Mon Sep 17 00:00:00 2001 From: Matt Morrison Date: Fri, 8 Dec 2023 09:32:39 +1300 Subject: [PATCH 8/9] troubleshooting --- .github/workflows/k8s.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/workflows/k8s.yml b/.github/workflows/k8s.yml index 179623b..e020a7c 100644 --- a/.github/workflows/k8s.yml +++ b/.github/workflows/k8s.yml @@ -47,7 +47,7 @@ jobs: stern: latest - name: Install curl - run: sudo apt-get install -y curl + run: sudo apt-get install -y curl net-tools - name: setup-kind uses: helm/kind-action@v1.5.0 
@@ -83,7 +83,10 @@ jobs: - name: test run: | kubectl get pods + kubectl get services + sleep 5 + netstat -anp | grep LISTEN export NODE_IP=$(kubectl get nodes -o jsonpath="{.items[0].status.addresses[0].address}") echo $NODE_IP - curl -Lsf "http://${NODE_IP}:30000/login/my-cluster" + curl -L -v "http://${NODE_IP}:30000/login/my-cluster" curl -Lsf "http://${NODE_IP}:30000/login/my-cluster" | grep "Log in to Your Account" From 2eb5cf45def5114deeeb4df0efca1d4b03ab821f Mon Sep 17 00:00:00 2001 From: Matt Morrison Date: Fri, 8 Dec 2023 10:04:07 +1300 Subject: [PATCH 9/9] Add readiness probe delay and revert troubleshoot --- .github/workflows/k8s.yml | 11 +++-------- .../dex-k8s-authenticator/templates/deployment.yaml | 1 + 2 files changed, 4 insertions(+), 8 deletions(-) diff --git a/.github/workflows/k8s.yml b/.github/workflows/k8s.yml index e020a7c..d3c0a6d 100644 --- a/.github/workflows/k8s.yml +++ b/.github/workflows/k8s.yml @@ -46,8 +46,8 @@ jobs: kubectl: latest stern: latest - - name: Install curl - run: sudo apt-get install -y curl net-tools +# - name: Install curl +# run: sudo apt-get install -y curl - name: setup-kind uses: helm/kind-action@v1.5.0 @@ -82,11 +82,6 @@ jobs: - name: test run: | - kubectl get pods - kubectl get services - sleep 5 - netstat -anp | grep LISTEN + kubectl get pods export NODE_IP=$(kubectl get nodes -o jsonpath="{.items[0].status.addresses[0].address}") - echo $NODE_IP - curl -L -v "http://${NODE_IP}:30000/login/my-cluster" curl -Lsf "http://${NODE_IP}:30000/login/my-cluster" | grep "Log in to Your Account" diff --git a/charts/dex-k8s-authenticator/templates/deployment.yaml b/charts/dex-k8s-authenticator/templates/deployment.yaml index 8a6309b..a974d34 100644 --- a/charts/dex-k8s-authenticator/templates/deployment.yaml +++ b/charts/dex-k8s-authenticator/templates/deployment.yaml 
@@ -48,6 +48,7 @@ spec: path: {{ template "dex-k8s-authenticator.healthCheckPath" . }} port: http readinessProbe: + initialDelaySeconds: 20 httpGet: path: {{ template "dex-k8s-authenticator.healthCheckPath" . }} port: http
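Review bot: `initialDelaySeconds: 20` is hard-coded into the chart template for every installation, so each rollout now waits at least 20 s before the pod can receive traffic and chart users cannot tune it. Expose it through values with the current number as the default, e.g. `initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds | default 20 }}` together with a `readinessProbe:` stanza in values.yaml so the lookup never hits a nil map; a short comment noting the delay was added because the e2e rollout timed out would also explain where 20 came from. The probe block continues outside the hunk.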