Add release workflow to publish docker image

.github/workflows/artifacts.yaml

@@ -0,0 +1,121 @@
+name: Artifacts
+
+on:
+  workflow_call:
+    inputs:
+      publish:
+        description: Publish artifacts to the artifact store
+        default: false
+        required: false
+        type: boolean
+    outputs:
+      container-image-name:
+        description: Container image name
+        value: ${{ jobs.container-image.outputs.name }}
+      container-image-digest:
+        description: Container image digest
+        value: ${{ jobs.container-image.outputs.digest }}
+      container-image-ref:
+        description: Container image ref
+        value: ${{ jobs.container-image.outputs.ref }}
+
+permissions:
+  contents: read
+
+jobs:
+  container-image:
+    name: Container image
+    runs-on: ubuntu-latest
+
+    strategy:
+      matrix:
+        variant:
+          - alpine
+#          - distroless
+
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+      security-events: write
+
+    outputs:
+      name: ${{ steps.image-name.outputs.value }}
+      digest: ${{ steps.build.outputs.digest }}
+      ref: ${{ steps.image-ref.outputs.value }}
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
+
+      - name: Set image name
+        id: image-name
+        run: echo "value=ghcr.io/${{ github.repository }}" >> "$GITHUB_OUTPUT"
+
+      - name: Gather build metadata
+        id: meta
+        uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0
+        with:
+          images: |
+            ${{ steps.image-name.outputs.value }}
+            dexidp/dex
+          flavor: |
+            latest = false
+          tags: |
+            type=ref,event=branch,enable=${{ matrix.variant == 'alpine' }}
+            type=ref,event=pr,prefix=pr-,enable=${{ matrix.variant == 'alpine' }}
+            type=semver,pattern={{raw}},enable=${{ matrix.variant == 'alpine' }}
+            type=raw,value=latest,enable=${{ github.ref_name == github.event.repository.default_branch && matrix.variant == 'alpine' }}
+            type=ref,event=branch,suffix=-${{ matrix.variant }}
+            type=ref,event=pr,prefix=pr-,suffix=-${{ matrix.variant }}
+            type=semver,pattern={{raw}},suffix=-${{ matrix.variant }}
+            type=raw,value=latest,enable={{is_default_branch}},suffix=-${{ matrix.variant }}
+          labels: |
+            org.opencontainers.image.documentation=https://github.com/sl1pm4t/dex-k8s-authenticator
+
+      # Multiple exporters are not supported yet
+      # See https://github.com/moby/buildkit/pull/2760
+      - name: Determine build output
+        uses: haya14busa/action-cond@1d6e8a12b20cdb4f1954feef9aa475b9c390cab5 # v1.1.1
+        id: build-output
+        with:
+          cond: ${{ inputs.publish }}
+          if_true: type=image,push=true
+          if_false: type=oci,dest=image.tar
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ github.token }}
+        if: inputs.publish
+
+      - name: Build and push image
+        id: build
+        uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm/v7,linux/arm64
+          tags: ${{ steps.meta.outputs.tags }}
+          build-args: |
+            BASE_IMAGE=${{ matrix.variant }}
+            VERSION=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.version'] }}
+            COMMIT_HASH=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }}
+            BUILD_DATE=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
+          labels: ${{ steps.meta.outputs.labels }}
+          # cache-from: type=gha
+          # cache-to: type=gha,mode=max
+          outputs: ${{ steps.build-output.outputs.value }}
+          push: ${{ inputs.publish }}
+
+      - name: Set image ref
+        id: image-ref
+        run: echo "value=${{ steps.image-name.outputs.value }}@${{ steps.build.outputs.digest }}" >> "$GITHUB_OUTPUT"
+

.github/workflows/k8s.yml

@@ -2,7 +2,6 @@ name: k8s-lint
 on:
   push:
     branches:
-      - master
       - main
   pull_request:
 jobs:
@@ -21,6 +20,7 @@ jobs:
           kubeconform: latest
           kubeval: latest
           helm: latest
+          stern: latest
           jq: latest
           yq: latest
 
@@ -41,6 +41,14 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
+      - uses: alexellis/arkade-get@master
+        with:
+          kubectl: latest
+          stern: latest
+
+#      - name: Install curl
+#        run: sudo apt-get install -y curl
+
       - name: setup-kind
         uses: helm/[email protected]
         with:
@@ -74,6 +82,6 @@ jobs:
 
       - name: test
         run: |
-            kubectl get pods 
-            export NODE_IP=$(kubectl get nodes -o jsonpath="{.items[0].status.addresses[0].address}")
-            curl -Lsf "http://${NODE_IP}:30000/login/my-cluster" | grep "Log in to Your Account"
+          kubectl get pods
+          export NODE_IP=$(kubectl get nodes -o jsonpath="{.items[0].status.addresses[0].address}")
+          curl -Lsf "http://${NODE_IP}:30000/login/my-cluster" | grep "Log in to Your Account"

.github/workflows/pull_request.yaml

@@ -0,0 +1,19 @@
+name: Release
+
+on:
+  pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+  build-image:
+    name: Artifacts
+    uses: ./.github/workflows/artifacts.yaml
+    with:
+      publish: false
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+      security-events: write

.github/workflows/release.yaml

@@ -0,0 +1,20 @@
+name: Release
+
+on:
+  push:
+    tags: [ "*" ]
+
+permissions:
+  contents: read
+
+jobs:
+  artifacts:
+    name: Artifacts
+    uses: ./.github/workflows/artifacts.yaml
+    with:
+      publish: true
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+      security-events: write

charts/dex-k8s-authenticator/templates/deployment.yaml

@@ -48,6 +48,7 @@ spec:
             path: {{ template "dex-k8s-authenticator.healthCheckPath" . }}
             port: http
         readinessProbe:
+          initialDelaySeconds: 20
           httpGet:
             path: {{ template "dex-k8s-authenticator.healthCheckPath" . }}
             port: http

charts/dex-k8s-authenticator/values.yaml

@@ -7,7 +7,7 @@ global:
 replicaCount: 1
 
 image:
-  repository: sl1pm4t/dex-k8s-authenticator
+  repository: ghcr.io/sl1pm4t/dex-k8s-authenticator
   tag: 2.0.0
   pullPolicy: Always
 

docs/eks.md

@@ -21,7 +21,7 @@ Required Charts
 - nginx-ingress-controller - https://github.com/helm/charts/tree/master/stable/nginx-ingress
 - dex - https://github.com/helm/charts/tree/master/stable/dex
 - kube-oidc-proxy - https://github.com/jetstack/kube-oidc-proxy/tree/master/deploy/charts/kube-oidc-proxy
-- dex-k8s-authenticator - https://github.com/sl1pm4t/dex-k8s-authenticator/tree/master/charts
+- dex-k8s-authenticator - https://github.com/sl1pm4t/dex-k8s-authenticator/tree/main/charts
 
 You should also setup a DNS record that points to your nginx controller (load-balancer), and setup an AWS ACM certificate.
 

tests/e2e/helm/dex-overrides.yaml

@@ -3,7 +3,9 @@
 service:
   type: NodePort
   port: 5556
-  nodePort: 30001
+  ports:
+    http:
+      nodePort: 30001
 
 ingress:
   enabled: true