build kotsadm-migrations, rqlite, minio, and dex with apko and melange (

#4210)

* build kotsadm-migrations, rqlite, minio, and dex with apko and melange

.github/actions/build-push-image-with-apko/action.yml

@@ -0,0 +1,45 @@
+name: 'Build and push images with apko'
+description: 'Composite action for building and pushing images with apko'
+inputs:
+  apko-config:
+    description: 'Path to apko config'
+    required: true
+
+  image-name:
+    description: 'Full destination image name'
+    required: true
+
+  registry-username:
+    description: 'Username to login to registry'
+    default: ''
+    required: false
+
+  registry-password:
+    description: 'Password to login to registry'
+    default: ''
+    required: false
+
+runs:
+  using: "composite"
+  steps:
+    - id: check-image-exists
+      shell: bash
+      run: |
+        set -euo pipefail
+        if docker manifest inspect ${{ inputs.image-name }} > /dev/null 2>&1; then
+          echo "Image already exists. Will not overwrite."
+          echo "image-exists=true" >> "$GITHUB_OUTPUT"
+        else
+          echo "Image does not exist. Will build and push."
+          echo "image-exists=false" >> "$GITHUB_OUTPUT"
+        fi
+
+    - uses: chainguard-images/actions/apko-publish@main
+      if: ${{ steps.check-image-exists.outputs.image-exists == 'false' }}
+      with:
+        config: ${{ inputs.apko-config }}
+        archs: x86_64
+        tag: ${{ inputs.image-name }}
+        vcs-url: true
+        generic-user: ${{ inputs.registry-username }}
+        generic-pass: ${{ inputs.registry-password }}

.github/actions/build-push-kotsadm-migrations-image/action.yml

@@ -0,0 +1,62 @@
+name: 'Build and push kotsadm-migrations image'
+description: 'Composite action for building and pushing kotsadm-migrations image'
+inputs:
+  image-name:
+    description: 'Full destination kotsadm-migrations image name'
+    required: true
+
+  git-tag:
+    description: 'Git tag'
+    required: true
+
+  registry-username:
+    description: 'Username to login to registry'
+    default: ''
+    required: false
+
+  registry-password:
+    description: 'Password to login to registry'
+    default: ''
+    required: false
+
+runs:
+  using: "composite"
+  steps:
+    - name: load environment variables from .image.env
+      uses: falti/dotenv-action@v1
+      id: dotenv
+      with:
+        path: .image.env
+
+    - uses: shrink/actions-docker-extract@v3
+      with:
+        image: schemahero/schemahero:${{ steps.dotenv.outputs.SCHEMAHERO_TAG }}
+        path: /schemahero
+        destination: migrations
+
+    - name: template melange and apko configs
+      shell: bash
+      run: |
+        export GIT_TAG=${{ inputs.git-tag }}
+        envsubst '${GIT_TAG}' < migrations/deploy/melange.yaml.tmpl > migrations/deploy/melange.yaml
+        envsubst '${GIT_TAG}' < migrations/deploy/apko.yaml.tmpl > migrations/deploy/apko.yaml
+
+    - id: cache-dir
+      shell: bash
+      run: echo "cache_dir=$(go env GOMODCACHE)" >> "$GITHUB_OUTPUT"
+
+    - uses: chainguard-dev/actions/melange-build@main
+      with:
+        config: migrations/deploy/melange.yaml
+        archs: x86_64
+        sign-with-temporary-key: true
+        cache-dir: ${{ steps.cache-dir.outputs.cache_dir }}
+
+    - uses: chainguard-images/actions/apko-publish@main
+      with:
+        config: migrations/deploy/apko.yaml
+        archs: x86_64
+        tag: ${{ inputs.image-name }}
+        vcs-url: true
+        generic-user: ${{ inputs.registry-username }}
+        generic-pass: ${{ inputs.registry-password }}

.github/workflows/alpha.yaml

@@ -19,31 +19,60 @@ jobs:
         uses: ./.github/actions/version-tag
 
 
-  build-schema-migrations:
+  build-kotsadm-migrations:
+    runs-on: ubuntu-20.04
+    needs: [generate-tag]
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ./.github/actions/build-push-kotsadm-migrations-image
+        with:
+          image-name: index.docker.io/kotsadm/kotsadm-migrations:alpha
+          git-tag: ${{ needs.generate-tag.outputs.tag }}
+          registry-username: ${{ secrets.DOCKERHUB_USER }}
+          registry-password: ${{ secrets.DOCKERHUB_PASSWORD }}
+
+
+  build-rqlite:
+    runs-on: ubuntu-20.04
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ./.github/actions/build-push-image-with-apko
+        with:
+          apko-config: deploy/rqlite/apko.yaml
+          image-name: index.docker.io/kotsadm/rqlite:alpha
+          registry-username: ${{ secrets.DOCKERHUB_USER }}
+          registry-password: ${{ secrets.DOCKERHUB_PASSWORD }}
+
+
+  build-minio:
     runs-on: ubuntu-20.04
     steps:
-    - name: Checkout
-      uses: actions/checkout@v4
+      - uses: actions/checkout@v4
+      - uses: ./.github/actions/build-push-image-with-apko
+        with:
+          apko-config: deploy/minio/apko.yaml
+          image-name: index.docker.io/kotsadm/minio:alpha
+          registry-username: ${{ secrets.DOCKERHUB_USER }}
+          registry-password: ${{ secrets.DOCKERHUB_PASSWORD }}
 
-    - uses: azure/docker-login@v1
-      env:
-        DOCKER_CONFIG: ./migrations/.docker
-      with:
-        username: ${{ secrets.DOCKERHUB_USER }}
-        password: ${{ secrets.DOCKERHUB_PASSWORD }}
 
-    - name: Build
-      env:
-        DOCKER_CONFIG: ./.docker
-      run: |
-        mapfile -t envs < <(grep -v '#.*' < .image.env) && export "${envs[@]}" && make -C migrations schema-alpha
+  build-dex:
+    runs-on: ubuntu-20.04
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ./.github/actions/build-push-image-with-apko
+        with:
+          apko-config: deploy/dex/apko.yaml
+          image-name: index.docker.io/kotsadm/dex:alpha
+          registry-username: ${{ secrets.DOCKERHUB_USER }}
+          registry-password: ${{ secrets.DOCKERHUB_PASSWORD }}
 
 
   build-kotsadm:
     runs-on: ubuntu-20.04
     needs: [generate-tag]
     permissions:
-      id-token: write # required to be able to assume the GCP SA identity to pull Chainguard packages.
+      id-token: write # required to be able to assume the GCP SA identity to pull private Chainguard packages.
     steps:
       - uses: actions/checkout@v4
       - uses: ./.github/actions/build-push-kotsadm-image
@@ -84,7 +113,7 @@ jobs:
         id: scan
         uses: aquasecurity/trivy-action@master
         with:
-          image-ref: "rqlite/rqlite:${{ steps.dotenv.outputs.RQLITE_TAG }}"
+          image-ref: "docker.io/kotsadm/rqlite:alpha"
           format: 'template'
           template: '@/contrib/sarif.tpl'
           output: 'rqlite-scan-output.sarif'
@@ -111,7 +140,7 @@ jobs:
         id: scan
         uses: aquasecurity/trivy-action@master
         with:
-          image-ref: "minio/minio:${{ steps.dotenv.outputs.minio_tag }}"
+          image-ref: "docker.io/kotsadm/minio:alpha"
           format: 'template'
           template: '@/contrib/sarif.tpl'
           output: 'minio-scan-output.sarif'
@@ -139,7 +168,7 @@ jobs:
         id: scan
         uses: aquasecurity/trivy-action@master
         with:
-          image-ref: "ghcr.io/dexidp/dex:${{ steps.dotenv.outputs.dex_tag }}"
+          image-ref: "docker.io/kotsadm/dex:alpha"
           format: 'template'
           template: '@/contrib/sarif.tpl'
           output: 'dex-scan-output.sarif'
@@ -225,9 +254,9 @@ jobs:
           sarif_file: kotsadm-scan-output.sarif
 
 
-  scan_migrations:
+  scan_kotsadm_migrations:
     runs-on: ubuntu-20.04
-    needs: [build-schema-migrations]
+    needs: [build-kotsadm-migrations]
     steps:
       - name: Checkout
         uses: actions/checkout@v4

.github/workflows/build-test.yaml

@@ -268,7 +268,7 @@ jobs:
     runs-on: ubuntu-20.04
     needs: [ can-run-ci, generate-tag ]
     permissions:
-      id-token: write # required to be able to assume the GCP SA identity to pull Chainguard packages.
+      id-token: write # required to be able to assume the GCP SA identity to pull private Chainguard packages.
     steps:
       - uses: actions/setup-go@v4
         with:
@@ -383,7 +383,7 @@ jobs:
 
   build-migrations:
     runs-on: ubuntu-20.04
-    needs: [ can-run-ci ]
+    needs: [ can-run-ci, generate-tag ]
     steps:
       - name: setup env
         run: |
@@ -399,20 +399,10 @@ jobs:
           ref: ${{github.event.pull_request.head.ref}}
           repository: ${{github.event.pull_request.head.repo.full_name}}
 
-      - name: load environment variables from .image.env
-        uses: falti/dotenv-action@v1
-        id: dotenv
-        with:
-          path: .image.env
-
-      - name: build and push migrations for e2e
-        uses: docker/build-push-action@v5
+      - uses: ./.github/actions/build-push-kotsadm-migrations-image
         with:
-          tags: ttl.sh/automated-${{ github.run_id }}/kotsadm-migrations:24h
-          context: ./migrations
-          file: ./migrations/deploy/Dockerfile
-          push: true
-          build-args: SCHEMAHERO_TAG=${{ steps.dotenv.outputs.schemahero_tag }}
+          image-name: ttl.sh/automated-${{ github.run_id }}/kotsadm-migrations:24h
+          git-tag: ${{ needs.generate-tag.outputs.tag }}
 
 
   push-minio:
@@ -427,11 +417,10 @@ jobs:
         with:
           path: .image.env
 
-      - name: push minio for e2e
-        run: |
-          docker pull minio/minio:${{ steps.dotenv.outputs.minio_tag }}
-          docker tag minio/minio:${{ steps.dotenv.outputs.minio_tag }} ttl.sh/automated-${{ github.run_id }}/minio:${{ steps.dotenv.outputs.minio_tag }}
-          docker push ttl.sh/automated-${{ github.run_id }}/minio:${{ steps.dotenv.outputs.minio_tag }}
+      - uses: ./.github/actions/build-push-image-with-apko
+        with:
+          apko-config: deploy/minio/apko.yaml
+          image-name: ttl.sh/automated-${{ github.run_id }}/minio:${{ steps.dotenv.outputs.MINIO_TAG }}
 
 
   push-rqlite:
@@ -446,11 +435,10 @@ jobs:
         with:
           path: .image.env
 
-      - name: push rqlite for CI
-        run: |
-          docker pull rqlite/rqlite:${{ steps.dotenv.outputs.RQLITE_TAG }}
-          docker tag rqlite/rqlite:${{ steps.dotenv.outputs.RQLITE_TAG }} ttl.sh/automated-${{ github.run_id }}/rqlite:${{ steps.dotenv.outputs.RQLITE_TAG }}
-          docker push ttl.sh/automated-${{ github.run_id }}/rqlite:${{ steps.dotenv.outputs.RQLITE_TAG }}
+      - uses: ./.github/actions/build-push-image-with-apko
+        with:
+          apko-config: deploy/rqlite/apko.yaml
+          image-name: ttl.sh/automated-${{ github.run_id }}/rqlite:${{ steps.dotenv.outputs.RQLITE_TAG }}
 
 
   push-dex:
@@ -465,10 +453,10 @@ jobs:
         with:
           path: .image.env
 
-      - name: push dex for CI
-        run: |
-          docker build --pull -f deploy/dex.Dockerfile -t ttl.sh/automated-${{ github.run_id }}/dex:${{ steps.dotenv.outputs.DEX_TAG }} --build-arg TAG=${{ steps.dotenv.outputs.DEX_TAG }} .
-          docker push ttl.sh/automated-${{ github.run_id }}/dex:${{ steps.dotenv.outputs.DEX_TAG }}
+      - uses: ./.github/actions/build-push-image-with-apko
+        with:
+          apko-config: deploy/dex/apko.yaml
+          image-name: ttl.sh/automated-${{ github.run_id }}/dex:${{ steps.dotenv.outputs.DEX_TAG }}
 
 
   # only run validate-kurl-addon if changes to "deploy/kurl/kotsadm/template/**"

.github/workflows/regression.yaml

@@ -90,15 +90,10 @@ jobs:
         with:
           name: kots
           path: ./automation/jumpbox/bin
-      - name: Download kotsadm image
+      - name: Download kotsadm release
         uses: actions/download-artifact@v3
         with:
-          name: kotsadm-image
-          path: ./automation/jumpbox/docker-archive
-      - name: Download migrations
-        uses: actions/download-artifact@v3
-        with:
-          name: migrations-image
+          name: kotsadm-release
           path: ./automation/jumpbox/docker-archive
       - name: Make kotsadm airgap archive with minio image
         working-directory: automation/jumpbox