diff --git a/.github/actions/build-push-kotsadm-image/action.yml b/.github/actions/build-push-kotsadm-image/action.yml new file mode 100644 index 0000000000..bec83c14dc --- /dev/null +++ b/.github/actions/build-push-kotsadm-image/action.yml 
@@ -0,0 +1,80 @@
+name: 'Build and push kotsadm image'
+description: 'Composite action for building and pushing kotsadm image'
+inputs:
+ chainguard-gcp-wif-pool:
+ description: 'GCP workload identity pool for Chainguard'
+ required: true
+
+ chainguard-gcp-sa:
+ description: 'GCP service account for Chainguard'
+ required: true
+
+ chainguard-gcp-project-id:
+ description: 'GCP project ID for Chainguard'
+ required: true
+
+ image-name:
+ description: 'Full destination kotsadm image name'
+ required: true
+
+ git-tag:
+ description: 'Git tag'
+ required: true
+
+ registry-username:
+ description: 'Username to login to registry'
+ default: ''
+ required: false
+
+ registry-password:
+ description: 'Password to login to registry'
+ default: ''
+ required: false
+
+runs:
+ using: "composite"
+ steps:
+ - uses: google-github-actions/auth@35b0e87d162680511bf346c299f71c9c5c379033 # v1.1.1
+ with:
+ workload_identity_provider: ${{ inputs.chainguard-gcp-wif-pool }}
+ service_account: ${{ inputs.chainguard-gcp-sa }}
+
+ - uses: google-github-actions/setup-gcloud@e30db14379863a8c79331b04a9969f4c1e225e0b # v1.1.1
+ with:
+ project_id: ${{ inputs.chainguard-gcp-project-id }}
+
+ - name: setup packages
+ env:
+ BUCKET: replicated-apk-registry
+ shell: bash
+ run: |
+ mkdir ./packages/
+ gsutil -m cp -R gs://$BUCKET/os/* ./packages/
+ ls -lR ./packages/
+
+ - name: template melange and apko configs
+ shell: bash
+ run: |
+ export GIT_TAG=${{ inputs.git-tag }}
+ envsubst '${GIT_TAG}' < deploy/melange.yaml.tmpl > deploy/melange.yaml
+ envsubst '${GIT_TAG}' < deploy/apko.yaml.tmpl > deploy/apko.yaml
+
+ - id: cache-dir
+ shell: bash
+ run: echo "cache_dir=$(go env GOMODCACHE)" >> "$GITHUB_OUTPUT"
+
+ - uses: chainguard-dev/actions/melange-build@main
+ with:
+ config: deploy/melange.yaml
+ archs: x86_64
+ sign-with-temporary-key: true
+ cache-dir: ${{ steps.cache-dir.outputs.cache_dir }}
+
+ - uses: chainguard-images/actions/apko-publish@main
+ with:
+ config: deploy/apko.yaml
+
archs: x86_64 + tag: ${{ inputs.image-name }} + vcs-url: true + generic-user: ${{ inputs.registry-username }} + generic-pass: ${{ inputs.registry-password }} diff --git a/.github/workflows/build-test.yaml b/.github/workflows/build-test.yaml index feb8a94071..42acbfac93 100644 --- a/.github/workflows/build-test.yaml +++ b/.github/workflows/build-test.yaml @@ -231,35 +231,6 @@ jobs: - name: test run: make ci-test - build-kotsadm: - runs-on: ubuntu-20.04 - needs: [ can-run-ci, build-web, deps-kots, generate-tag ] - steps: - - uses: actions/checkout@v4 - with: - ref: ${{github.event.pull_request.head.ref}} - repository: ${{github.event.pull_request.head.repo.full_name}} - - - uses: actions/setup-go@v4 - with: - go-version: '^1.20.0' - cache: true - - - name: Download web artifact - uses: actions/download-artifact@v3 - with: - name: web - path: ./web/dist - - - name: Build - env: - GIT_TAG: ${{ needs.generate-tag.outputs.tag }} - run: mapfile -t envs < <(grep -v '#.*' < .image.env) && export "${envs[@]}" && make build - - - uses: actions/upload-artifact@v3 - with: - name: kotsadm - path: ./bin/kotsadm build-kots: runs-on: ubuntu-20.04 
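Review bot: The two Chainguard steps in the new action, `chainguard-dev/actions/melange-build@main` and `chainguard-images/actions/apko-publish@main`, are pinned to a moving branch while the google-github-actions steps above them are pinned to commit SHAs; since this action receives registry credentials and, in release.yaml, publishes the tagged release image, whatever lands on that branch becomes part of the release path. Pin both to a commit SHA with a version comment, e.g. `- uses: chainguard-dev/actions/melange-build@<commit-sha>  # <version>`. In the templating step, `export GIT_TAG=${{ inputs.git-tag }}` interpolates a caller-controlled input straight into the shell script; declare it as `env: GIT_TAG: ${{ inputs.git-tag }}` on that step instead, which also lets `envsubst` read it without the export line. The new doc deploy/apko_melange_build.md links to `.github/actions/build-kotsadm-image/action.yml`, which does not match this action's path.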
@@ -293,36 +264,20 @@ jobs: path: ./bin/kots - build-push-kotsadm-image: + build-kotsadm: runs-on: ubuntu-20.04 - needs: [ can-run-ci, build-kotsadm, build-kots ] + needs: [ can-run-ci, generate-tag ] + permissions: + id-token: write # required to be able to assume the GCP SA identity to pull Chainguard packages. steps: - - uses: actions/checkout@v4 - with: - ref: ${{github.event.pull_request.head.ref}} - repository: ${{github.event.pull_request.head.repo.full_name}} - - - name: Download kots artifact - uses: actions/download-artifact@v3 - with: - name: kots - path: bin/ - - - name: Download kotsadm artifact - uses: actions/download-artifact@v3 + - uses: actions/checkout@v3 + - uses: ./.github/actions/build-push-kotsadm-image with: - name: kotsadm - path: bin/ - - - run: chmod +x bin/kots bin/kotsadm - - - name: build and push kotsadm for e2e - uses: docker/build-push-action@v5 - with: - tags: ttl.sh/automated-${{ github.run_id }}/kotsadm:24h - context: ./ - file: ./deploy/Dockerfile - push: true + chainguard-gcp-wif-pool: ${{ secrets.CHAINGUARD_GCP_WIF_POOL }} + chainguard-gcp-sa: ${{ secrets.CHAINGUARD_GCP_SA }} + chainguard-gcp-project-id: ${{ secrets.CHAINGUARD_GCP_PROJECT_ID }} + image-name: ttl.sh/automated-${{ github.run_id }}/kotsadm:24h + git-tag: ${{ needs.generate-tag.outputs.tag }} build-kots-helm: @@ -536,7 +491,7 @@ jobs: validate-kurl-addon: runs-on: ubuntu-20.04 if: ${{ needs.kurl-addon-changes-filter.outputs.ok-to-test == 'true' }} - needs: [ can-run-ci, enable-tests, generate-tag, kurl-addon-changes-filter, build-kots, build-push-kotsadm-image, build-kurl-proxy, build-migrations, push-dex ] + needs: [ can-run-ci, enable-tests, generate-tag, kurl-addon-changes-filter, build-kots, build-kotsadm, build-kurl-proxy, build-migrations, push-dex ] steps: - name: checkout uses: actions/checkout@v4 
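Review bot: The rewritten `build-kotsadm` job checks out with `actions/checkout@v3` while the removed job and the rest of this workflow (see the `validate-kurl-addon` context below) use `@v4`; the same downgrade appears in release.yaml's `build-kotsadm`. Use `- uses: actions/checkout@v4` in both unless v3 is deliberate. The new job-level `permissions:` block sets every scope it does not list to none, so if the checkout relies on the token (private repository), `contents: read` has to be listed next to `id-token: write`. The comment on `id-token: write` is good; a matching one-liner on the `uses: ./.github/actions/build-push-kotsadm-image` step saying the image goes to the public ttl.sh registry for e2e only would save the next reader a lookup.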
@@ -581,7 +536,7 @@ jobs: repo-token: ${{ secrets.GITHUB_TOKEN }} allow-repeats: false - + cmx-versions: runs-on: ubuntu-20.04 needs: [ enable-tests, can-run-ci ] @@ -600,7 +555,7 @@ jobs: validate-existing-online-install-minimal: runs-on: ubuntu-20.04 - needs: [ enable-tests, can-run-ci, build-push-kotsadm-image, build-e2e, build-kurl-proxy, build-migrations, push-minio, push-rqlite ] + needs: [ enable-tests, can-run-ci, build-kots, build-kotsadm, build-e2e, build-kurl-proxy, build-migrations, push-minio, push-rqlite ] steps: - name: Checkout uses: actions/checkout@v4 @@ -635,7 +590,7 @@ jobs: validate-smoke-test: runs-on: ubuntu-20.04 - needs: [ enable-tests, can-run-ci, cmx-versions, build-push-kotsadm-image, build-e2e, build-kurl-proxy, build-migrations, push-minio, push-rqlite ] + needs: [ enable-tests, can-run-ci, cmx-versions, build-kots, build-kotsadm, build-e2e, build-kurl-proxy, build-migrations, push-minio, push-rqlite ] strategy: fail-fast: false matrix: @@ -674,7 +629,7 @@ jobs: validate-minimal-rbac: runs-on: ubuntu-20.04 - needs: [ enable-tests, can-run-ci, cmx-versions, build-push-kotsadm-image, build-e2e, build-kurl-proxy, build-migrations, push-minio, push-rqlite ] + needs: [ enable-tests, can-run-ci, cmx-versions, build-kots, build-kotsadm, build-e2e, build-kurl-proxy, build-migrations, push-minio, push-rqlite ] strategy: fail-fast: false matrix: @@ -786,7 +741,7 @@ jobs: validate-backup-and-restore: runs-on: ubuntu-20.04 - needs: [ enable-tests, can-run-ci, cmx-versions, build-push-kotsadm-image, build-e2e, build-kurl-proxy, build-migrations, push-minio, push-rqlite ] + needs: [ enable-tests, can-run-ci, cmx-versions, build-kots, build-kotsadm, build-e2e, build-kurl-proxy, build-migrations, push-minio, push-rqlite ] strategy: fail-fast: false matrix: 
@@ -825,7 +780,7 @@ jobs: validate-no-required-config: runs-on: ubuntu-20.04 - needs: [ enable-tests, can-run-ci, build-push-kotsadm-image, build-e2e, build-kurl-proxy, build-migrations, push-minio, push-rqlite ] + needs: [ enable-tests, can-run-ci, build-kots, build-kotsadm, build-e2e, build-kurl-proxy, build-migrations, push-minio, push-rqlite ] strategy: fail-fast: false matrix: @@ -865,7 +820,7 @@ jobs: validate-strict-preflight-checks: runs-on: ubuntu-20.04 - needs: [ enable-tests, can-run-ci, build-push-kotsadm-image, build-e2e, build-kurl-proxy, build-migrations, push-minio, push-rqlite ] + needs: [ enable-tests, can-run-ci, build-kots, build-kotsadm, build-e2e, build-kurl-proxy, build-migrations, push-minio, push-rqlite ] strategy: fail-fast: false matrix: @@ -974,7 +929,7 @@ jobs: validate-config: runs-on: ubuntu-20.04 - needs: [ enable-tests, can-run-ci, build-push-kotsadm-image, build-e2e, build-kurl-proxy, build-migrations, push-minio, push-rqlite ] + needs: [ enable-tests, can-run-ci, build-kots, build-kotsadm, build-e2e, build-kurl-proxy, build-migrations, push-minio, push-rqlite ] strategy: fail-fast: false matrix: @@ -1014,7 +969,7 @@ jobs: validate-version-history-pagination: runs-on: ubuntu-20.04 - needs: [ enable-tests, can-run-ci, build-push-kotsadm-image, build-e2e, build-kurl-proxy, build-migrations, push-minio, push-rqlite ] + needs: [ enable-tests, can-run-ci, build-kots, build-kotsadm, build-e2e, build-kurl-proxy, build-migrations, push-minio, push-rqlite ] strategy: fail-fast: false matrix: @@ -1053,7 +1008,7 @@ jobs: validate-change-license: runs-on: ubuntu-20.04 - needs: [ enable-tests, can-run-ci, build-push-kotsadm-image, build-e2e, build-kurl-proxy, build-migrations, push-minio, push-rqlite ] + needs: [ enable-tests, can-run-ci, build-kots, build-kotsadm, build-e2e, build-kurl-proxy, build-migrations, push-minio, push-rqlite ] strategy: fail-fast: false matrix: 
@@ -1093,7 +1048,7 @@ jobs: validate-minimal-rbac-override: runs-on: ubuntu-20.04 - needs: [ enable-tests, can-run-ci, cmx-versions, build-push-kotsadm-image, build-e2e, build-kurl-proxy, build-migrations, push-minio, push-rqlite ] + needs: [ enable-tests, can-run-ci, cmx-versions, build-kots, build-kotsadm, build-e2e, build-kurl-proxy, build-migrations, push-minio, push-rqlite ] strategy: fail-fast: false matrix: @@ -1269,7 +1224,7 @@ jobs: validate-multi-namespace: runs-on: ubuntu-20.04 - needs: [ enable-tests, can-run-ci, cmx-versions, build-push-kotsadm-image, build-e2e, build-kurl-proxy, build-migrations, push-minio, push-rqlite ] + needs: [ enable-tests, can-run-ci, cmx-versions, build-kots, build-kotsadm, build-e2e, build-kurl-proxy, build-migrations, push-minio, push-rqlite ] strategy: fail-fast: false matrix: @@ -1381,7 +1336,7 @@ jobs: validate-kots-pull: runs-on: ubuntu-20.04 - needs: [ enable-tests, can-run-ci, cmx-versions, build-push-kotsadm-image, build-e2e, build-kurl-proxy, build-migrations, push-minio, push-rqlite ] + needs: [ enable-tests, can-run-ci, cmx-versions, build-kots, build-kotsadm, build-e2e, build-kurl-proxy, build-migrations, push-minio, push-rqlite ] strategy: fail-fast: false matrix: @@ -1491,7 +1446,7 @@ jobs: validate-app-version-label: runs-on: ubuntu-20.04 - needs: [ enable-tests, can-run-ci, build-push-kotsadm-image, build-kurl-proxy, build-migrations, push-minio, push-rqlite ] + needs: [ enable-tests, can-run-ci, build-kots, build-kotsadm, build-kurl-proxy, build-migrations, push-minio, push-rqlite ] strategy: fail-fast: false matrix: 
@@ -1649,7 +1604,7 @@ jobs: validate-helm-install-order: runs-on: ubuntu-20.04 - needs: [ enable-tests, can-run-ci, cmx-versions, build-push-kotsadm-image, build-e2e, build-kurl-proxy, build-migrations, push-minio, push-rqlite ] + needs: [ enable-tests, can-run-ci, cmx-versions, build-kots, build-kotsadm, build-e2e, build-kurl-proxy, build-migrations, push-minio, push-rqlite ] strategy: fail-fast: false matrix: @@ -1748,7 +1703,7 @@ jobs: validate-no-redeploy-on-restart: runs-on: ubuntu-20.04 - needs: [ enable-tests, can-run-ci, build-push-kotsadm-image, build-kurl-proxy, build-migrations, push-minio, push-rqlite ] + needs: [ enable-tests, can-run-ci, build-kots, build-kotsadm, build-kurl-proxy, build-migrations, push-minio, push-rqlite ] strategy: fail-fast: false matrix: @@ -1870,7 +1825,7 @@ jobs: validate-kubernetes-installer-preflight: runs-on: ubuntu-20.04 - needs: [ enable-tests, can-run-ci, build-push-kotsadm-image, build-kurl-proxy, build-migrations, push-minio, push-rqlite ] + needs: [ enable-tests, can-run-ci, build-kots, build-kotsadm, build-kurl-proxy, build-migrations, push-minio, push-rqlite ] strategy: fail-fast: false matrix: @@ -2007,7 +1962,7 @@ jobs: validate-kots-push-images-anonymous: runs-on: ubuntu-20.04 - needs: [ enable-tests, can-run-ci, build-push-kotsadm-image, build-kurl-proxy, build-migrations, push-minio, push-rqlite ] + needs: [ enable-tests, can-run-ci, build-kots, build-kotsadm, build-kurl-proxy, build-migrations, push-minio, push-rqlite ] steps: - name: Checkout uses: actions/checkout@v4 @@ -2028,7 +1983,7 @@ jobs: validate-kots-admin-console-generate-manifests: runs-on: ubuntu-20.04 - needs: [ enable-tests, can-run-ci, build-push-kotsadm-image, build-kurl-proxy, build-migrations, push-minio, push-rqlite ] + needs: [ enable-tests, can-run-ci, build-kots, build-kotsadm, build-kurl-proxy, build-migrations, push-minio, push-rqlite ] strategy: fail-fast: false matrix: 
@@ -2223,7 +2178,7 @@ jobs: validate-min-kots-version: runs-on: ubuntu-20.04 - needs: [ enable-tests, can-run-ci, build-e2e, build-push-kotsadm-image, build-kurl-proxy, build-migrations, push-minio, push-rqlite, generate-tag ] + needs: [ enable-tests, can-run-ci, build-e2e, build-kotsadm, build-kurl-proxy, build-migrations, push-minio, push-rqlite, generate-tag ] env: APP_SLUG: min-kots-version strategy: @@ -2293,7 +2248,7 @@ jobs: validate-target-kots-version: runs-on: ubuntu-20.04 - needs: [ enable-tests, can-run-ci, build-e2e, build-push-kotsadm-image, build-kurl-proxy, build-migrations, push-minio, push-rqlite, generate-tag ] + needs: [ enable-tests, can-run-ci, build-e2e, build-kotsadm, build-kurl-proxy, build-migrations, push-minio, push-rqlite, generate-tag ] strategy: fail-fast: false matrix: @@ -2360,7 +2315,7 @@ jobs: validate-range-kots-version: runs-on: ubuntu-20.04 - needs: [ enable-tests, can-run-ci, build-e2e, build-push-kotsadm-image, build-kurl-proxy, build-migrations, push-minio, push-rqlite, generate-tag ] + needs: [ enable-tests, can-run-ci, build-e2e, build-kotsadm, build-kurl-proxy, build-migrations, push-minio, push-rqlite, generate-tag ] strategy: fail-fast: false matrix: @@ -2427,7 +2382,7 @@ jobs: validate-kots-upgrade: runs-on: ubuntu-20.04 - needs: [ enable-tests, can-run-ci, cmx-versions, build-push-kotsadm-image, build-e2e, build-kurl-proxy, build-migrations, push-minio, push-rqlite ] + needs: [ enable-tests, can-run-ci, cmx-versions, build-kots, build-kotsadm, build-e2e, build-kurl-proxy, build-migrations, push-minio, push-rqlite ] strategy: fail-fast: false matrix: 
@@ -2566,7 +2521,7 @@ jobs: validate-kots-helm-release-secret-migration: runs-on: ubuntu-20.04 - needs: [ enable-tests, can-run-ci, build-push-kotsadm-image, build-kurl-proxy, build-migrations, push-minio, push-rqlite ] + needs: [ enable-tests, can-run-ci, build-kots, build-kotsadm, build-kurl-proxy, build-migrations, push-minio, push-rqlite ] strategy: fail-fast: false matrix: @@ -2753,7 +2708,7 @@ jobs: validate-multi-app-backup-and-restore: runs-on: ubuntu-20.04 - needs: [ enable-tests, can-run-ci, build-push-kotsadm-image, build-e2e, build-kurl-proxy, build-migrations, push-minio, push-rqlite ] + needs: [ enable-tests, can-run-ci, build-kots, build-kotsadm, build-e2e, build-kurl-proxy, build-migrations, push-minio, push-rqlite ] strategy: fail-fast: false matrix: @@ -2793,7 +2748,7 @@ jobs: validate-multi-app-install: runs-on: ubuntu-20.04 - needs: [ enable-tests, can-run-ci, build-push-kotsadm-image, build-e2e, build-kurl-proxy, build-migrations, push-minio, push-rqlite ] + needs: [ enable-tests, can-run-ci, build-kots, build-kotsadm, build-e2e, build-kurl-proxy, build-migrations, push-minio, push-rqlite ] strategy: fail-fast: false matrix: @@ -2833,7 +2788,7 @@ jobs: validate-airgap-smoke-test: runs-on: ubuntu-20.04 - needs: [ enable-tests, can-run-ci, build-push-kotsadm-image, build-e2e, build-kurl-proxy, build-migrations, push-minio, push-rqlite ] + needs: [ enable-tests, can-run-ci, build-kots, build-kotsadm, build-e2e, build-kurl-proxy, build-migrations, push-minio, push-rqlite ] strategy: fail-fast: false matrix: @@ -2874,7 +2829,7 @@ jobs: validate-remove-app: runs-on: ubuntu-20.04 - needs: [ enable-tests, can-run-ci, build-push-kotsadm-image, build-kurl-proxy, build-migrations, push-minio, push-rqlite ] + needs: [ enable-tests, can-run-ci, build-kots, build-kotsadm, build-kurl-proxy, build-migrations, push-minio, push-rqlite ] strategy: fail-fast: false matrix: 
@@ -3053,7 +3008,7 @@ jobs: validate-registry-check: runs-on: ubuntu-20.04 - needs: [ enable-tests, can-run-ci, build-push-kotsadm-image, build-kurl-proxy, build-migrations, push-minio, push-rqlite ] + needs: [ enable-tests, can-run-ci, build-kots, build-kotsadm, build-kurl-proxy, build-migrations, push-minio, push-rqlite ] strategy: fail-fast: false matrix: @@ -3148,7 +3103,7 @@ jobs: validate-native-helm-v2: runs-on: ubuntu-20.04 - needs: [ enable-tests, can-run-ci, build-push-kotsadm-image, build-kurl-proxy, build-migrations, push-minio, push-rqlite ] + needs: [ enable-tests, can-run-ci, build-kots, build-kotsadm, build-kurl-proxy, build-migrations, push-minio, push-rqlite ] strategy: fail-fast: false matrix: @@ -3374,7 +3329,7 @@ jobs: validate-deployment-orchestration: runs-on: ubuntu-20.04 - needs: [ enable-tests, can-run-ci, build-push-kotsadm-image, build-kurl-proxy, build-migrations, push-minio, push-rqlite ] + needs: [ enable-tests, can-run-ci, build-kots, build-kotsadm, build-kurl-proxy, build-migrations, push-minio, push-rqlite ] strategy: fail-fast: false matrix: @@ -3542,7 +3497,7 @@ jobs: validate-replicated-sdk: runs-on: ubuntu-20.04 - needs: [ enable-tests, can-run-ci, build-push-kotsadm-image, build-kurl-proxy, build-migrations, push-minio, push-rqlite ] + needs: [ enable-tests, can-run-ci, build-kotsadm, build-kurl-proxy, build-migrations, push-minio, push-rqlite ] strategy: fail-fast: false matrix: diff --git a/.github/workflows/regression.yaml b/.github/workflows/regression.yaml index 0373bc1ccf..8f651aa58b 100644 --- a/.github/workflows/regression.yaml +++ b/.github/workflows/regression.yaml @@ -70,10 +70,10 @@ jobs: token: ${{ secrets.E2E_GH_PAT }} path: automation ref: main - - name: Download go_api artifact + - name: Download kots binary uses: actions/download-artifact@v3 with: - name: go_api + name: kots path: ./automation/jumpbox/bin - name: Download kotsadm image uses: actions/download-artifact@v3 
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 0c8b480a81..b387dc6686 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -142,11 +142,10 @@ jobs: - name: Build tagged release working-directory: ./kurl_proxy run: | - docker build --pull -f deploy/Dockerfile -t "kotsadm/kurl-proxy:$GIT_TAG" -t kotsadm/kurl-proxy:v0.0.0-nightly . + docker build --pull -f deploy/Dockerfile -t "kotsadm/kurl-proxy:$GIT_TAG" . docker push "kotsadm/kurl-proxy:$GIT_TAG" - docker push kotsadm/kurl-proxy:v0.0.0-nightly - build-go-api: + build-kots: runs-on: ubuntu-20.04 needs: [build-web, generate-tag] steps: 
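Review bot: Nothing in the diff retargets consumers of the `v0.0.0-nightly` tag that this hunk (for `kotsadm/kurl-proxy`) and the two Makefile hunks (for `kotsadm/kotsadm` and the migrations image) stop publishing; anything still pulling that tag will keep receiving the last image ever pushed under it instead of failing, which is easy to miss. Confirm no install script, test fixture or doc still references `v0.0.0-nightly`, or leave a comment above the `docker push` line noting that the nightly tag is retired.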
@@ -169,32 +168,34 @@ jobs: with: name: web path: ./web/dist - - name: Build Go API + - name: Build KOTS env: GIT_TAG: ${{ needs.generate-tag.outputs.tag }} SCOPE_DSN_PUBLIC: "" - run: mapfile -t envs < <(grep -v '#.*' < .image.env) && export "${envs[@]}" && make ci-test kots build + run: mapfile -t envs < <(grep -v '#.*' < .image.env) && export "${envs[@]}" && make ci-test kots - name: Upload Go API artifact uses: actions/upload-artifact@v3 with: - name: go_api - path: ./bin + name: kots + path: ./bin/kots - release-go-api-tagged: + build-kotsadm: runs-on: ubuntu-20.04 - needs: [build-go-api, generate-tag] + needs: [generate-tag] + permissions: + id-token: write # required to be able to assume the GCP SA identity to pull Chainguard packages. steps: - name: Checkout - uses: actions/checkout@v4 - - name: Download go_api artifact - uses: actions/download-artifact@v3 + uses: actions/checkout@v3 + - uses: ./.github/actions/build-push-kotsadm-image with: - name: go_api - path: ./bin - - name: Add executable permissions - run: | - chmod a+x ./bin/kotsadm - chmod a+x ./bin/kots + chainguard-gcp-wif-pool: ${{ secrets.CHAINGUARD_GCP_WIF_POOL }} + chainguard-gcp-sa: ${{ secrets.CHAINGUARD_GCP_SA }} + chainguard-gcp-project-id: ${{ secrets.CHAINGUARD_GCP_PROJECT_ID }} + image-name: index.docker.io/kotsadm/kotsadm:${{ needs.generate-tag.outputs.tag }} + git-tag: ${{ needs.generate-tag.outputs.tag }} + registry-username: ${{ secrets.DOCKERHUB_USER }} + registry-password: ${{ secrets.DOCKERHUB_PASSWORD }} - uses: azure/docker-login@v1 env: DOCKER_CONFIG: ./.docker @@ -271,7 +272,7 @@ jobs: generate-kurl-addon: runs-on: ubuntu-20.04 - needs: [ generate-tag, build-kurl-proxy, build-schema-migrations, release-go-api-tagged ] + needs: [ generate-tag, build-kurl-proxy, build-schema-migrations, build-kots, build-kotsadm ] outputs: addon_package_url: ${{ steps.addon-generate.outputs.addon_package_url }} env: 
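Review bot: The new `build-kotsadm` job needs only `generate-tag`, whereas the replaced `release-go-api-tagged` depended on `build-go-api`, whose `make ci-test kots` step runs the test suite; the tagged `index.docker.io/kotsadm/kotsadm:<tag>` image is now published to Docker Hub even when `build-kots` fails. If that gating is still wanted, change `needs: [generate-tag]` to `needs: [build-kots, generate-tag]`. The unchanged step name `Upload Go API artifact` now uploads the `kots` artifact and reads stale; `- name: Upload kots artifact` would match the renamed `Build KOTS` step. `actions/checkout@v3` here has the same version question raised on build-test.yaml.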
@@ -289,7 +290,7 @@ jobs: - name: download kots binary uses: actions/download-artifact@v3 with: - name: go_api + name: kots path: bin/ - name: prepare kots binary executable run: | @@ -301,6 +302,7 @@ jobs: addon_version: ${{ steps.vars.outputs.addon_version }} s3_prefix: "${{ github.ref_type != 'branch' && '' || 'test/' }}" kotsadm_binary_override: bin/kots.tar.gz + # only run validate-kurl-addon if changes to "deploy/kurl/kotsadm/template/**" kurl-addon-changes-filter: runs-on: ubuntu-20.04 @@ -315,6 +317,7 @@ jobs: kurl-addon: - 'deploy/kurl/kotsadm/template/**' - 'deploy/kurl/kotsadm/testgrid-os-spec.yaml' + validate-kurl-addon: runs-on: ubuntu-20.04 if: ${{ github.ref_type != 'branch' || needs.kurl-addon-changes-filter.outputs.ok-to-test == 'true' }} @@ -333,6 +336,7 @@ jobs: addon_package_url: "${{ needs.generate-kurl-addon.outputs.addon_package_url }}" priority: ${{ github.ref_type != 'branch' && '1' || '0' }} testgrid_api_token: ${{ secrets.TESTGRID_PROD_API_TOKEN }} + publish-kurl-addon: runs-on: ubuntu-20.04 if: ${{ github.ref_type != 'branch' }} @@ -377,7 +381,7 @@ jobs: build-airgap: runs-on: ubuntu-20.04 if: github.ref_type != 'branch' - needs: [release-go-api-tagged, goreleaser, build-schema-migrations, generate-tag] + needs: [build-kotsadm, goreleaser, build-schema-migrations, generate-tag] steps: - name: Download migrations uses: actions/download-artifact@v3 @@ -435,7 +439,7 @@ jobs: regression-test: if: github.ref_type == 'branch' - needs: [ regression-test-setup, generate-tag, build-go-api, release-go-api-tagged, generate-kurl-addon ] + needs: [ regression-test-setup, generate-tag, build-kots, build-kotsadm, generate-kurl-addon ] uses: ./.github/workflows/regression.yaml with: version_tag_old: ${{ needs.regression-test-setup.outputs.last_release_tag }} diff --git a/.gitignore b/.gitignore index 1c73beb175..7850f288c6 100644 --- a/.gitignore +++ b/.gitignore 
@@ -34,3 +34,7 @@ kotsdata/ sbom/ cosign.key pkg/tests/pull/cases/*/results + +melange.rsa +melange.rsa.pub +packages/* diff --git a/Makefile b/Makefile index 1c0ee04e2f..b2c6216431 100644 --- a/Makefile +++ b/Makefile @@ -133,13 +133,8 @@ build-alpha: .PHONY: build-release build-release: - docker build --pull -f deploy/Dockerfile --build-arg version=${GIT_TAG} -t kotsadm/kotsadm:${GIT_TAG} . - docker push kotsadm/kotsadm:${GIT_TAG} mkdir -p bin/docker-archive/kotsadm - skopeo copy docker-daemon:kotsadm/kotsadm:${GIT_TAG} docker-archive:bin/docker-archive/kotsadm/${GIT_TAG} - - docker tag kotsadm/kotsadm:${GIT_TAG} kotsadm/kotsadm:v0.0.0-nightly - docker push kotsadm/kotsadm:v0.0.0-nightly + skopeo copy docker://kotsadm/kotsadm:${GIT_TAG} docker-archive:bin/docker-archive/kotsadm/${GIT_TAG} docker build --pull -f deploy/dex.Dockerfile -t kotsadm/dex:${DEX_TAG} --build-arg TAG=${DEX_TAG} . docker push kotsadm/dex:${DEX_TAG} diff --git a/deploy/apko.yaml.tmpl b/deploy/apko.yaml.tmpl new file mode 100644 index 0000000000..276ab70a76 --- /dev/null +++ b/deploy/apko.yaml.tmpl 
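Review bot: `build-release` now fills the docker-archive by pulling `docker://kotsadm/kotsadm:${GIT_TAG}` from the registry by mutable tag instead of copying the image just built from the local daemon, so the archive holds whatever the tag resolves to at that moment, and a re-run after a re-push can silently archive a different image. If the publishing step exposes the image digest, copy `docker://kotsadm/kotsadm@sha256:<digest>` instead, or at least compare the pulled digest against the one that was pushed. The target also no longer builds the image itself, so it now depends on the `build-kotsadm` job having completed first; a comment above the target stating that ordering would help.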
@@ -0,0 +1,58 @@ +contents: + repositories: + - https://packages.wolfi.dev/os + - ./packages/ + keyring: + - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub + - ./melange.rsa.pub + packages: + - kotsadm-head # This is expected to be built locally by `melange`. + + # All currently supported kubectl versions. + # TODO: this requires manual intervention whenever there are new kubectl releases. + - kubectl-1.19 + - kubectl-1.20 + - kubectl-1.21 + - kubectl-1.22 + - kubectl-1.23 + - kubectl-1.24 + - kubectl-1.25 + - kubectl-1.26 + - kubectl-1.27 + - kubectl-1.28 + + - bash + - busybox + - curl + - git + - helm + - kustomize + - py3-dateutil + - py3-magic + - s3cmd + - wolfi-baselayout + +accounts: + groups: + - groupname: kotsadm + gid: 1001 + users: + - username: kotsadm + uid: 1001 + gid: 1001 + run-as: kotsadm + +environment: + VERSION: ${GIT_TAG} + KOTS_KUBECTL_BIN_DIR: /usr/local/bin + KOTS_HELM_BIN_DIR: /usr/local/bin + KOTS_KUSTOMIZE_BIN_DIR: /usr/local/bin + +entrypoint: + command: /kotsadm + +cmd: api + +archs: + - x86_64 + - aarch64 diff --git a/deploy/apko_melange_build.md b/deploy/apko_melange_build.md new file mode 100644 index 0000000000..c67583f632 --- /dev/null +++ b/deploy/apko_melange_build.md 
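Review bot: `VERSION: ${GIT_TAG}` is substituted unquoted, so an unset tag leaves `VERSION:` null and a numeric-looking tag would be retyped by the YAML parser; write `VERSION: "${GIT_TAG}"`, and the same applies to `version: ${GIT_TAG}` in deploy/melange.yaml.tmpl. The `./packages/` repository is listed but the keyring holds only the Wolfi key and `./melange.rsa.pub`, while deploy/melange.yaml.tmpl trusts `./packages/chainguard-enterprise.rsa.pub` for the same mirrored packages; confirm that apko verifies signatures for packages it takes from `./packages/` (the kubectl and tool packages) and, if so, add that key here, otherwise those packages go into the image unverified. A comment on `- ./packages/` stating where its contents come from (the `gsutil cp` step in the action) would help the next reader.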
@@ -0,0 +1,54 @@ +# Building KOTS with apko + melange + +## What? + +This doc describes a non-production-ready process for building a minimal `kots` image using `melange` and `apko`: + +- [`melange`](https://github.com/chainguard-dev/melange) is a tool for reproducibly building APK packages from source +- [`apko`](https://github.com/chainguard-dev/apko) is a tool for reproducibly building container images from APK packages + +## Why? + +Building with `melange` and `apko` produces smaller, more reproducible images, which can be easier to operate and easier to keep free of vulnerabilities. + +## How? + +First, build the package from source, using `melange`. + +To start, if there isn't already a signing key for the package, we need to generate one: + +```sh +melange keygen +``` + +We only need to build for x86_64, which is faster than building for arm64 since it doesn't require qemu. + +```sh +melange build melange.yaml --arch=x86_64 +``` + +> 💡 Only building for your local platform makes builds faster, since it doesn't have to emulate with qemu. +> If you're on an arm64 machine (e.g., Apple Silicon), use `--arch=aarch64` here and below. + +Then, build the image from the newly built `kots` package, and the other packages needed by the image, using `apko`: + +```sh +apko publish apko.yaml ttl.sh/kots --arch=x86_64 +``` + +This will print the image to stdout, so you can run it: + +```sh +docker run $(apko publish ...) +``` + +### Presubmit GitHub Actions + +The above steps are automated in [GitHub Actions](./.github/actions/build-kotsadm-image/action.yml) as a presubmit check for PRs. + +The image this workflow produces is only meant for validation, and not meant for production use cases at this time. + +## Further Reading + +- https://edu.chainguard.dev/open-source/melange/overview/ +- https://edu.chainguard.dev/open-source/apko/overview/ diff --git a/deploy/melange.yaml.tmpl b/deploy/melange.yaml.tmpl new file mode 100644 index 0000000000..8f38f6553a --- /dev/null 
+++ b/deploy/melange.yaml.tmpl 
@@ -0,0 +1,88 @@ +package: + name: kotsadm-head + version: ${GIT_TAG} + epoch: 0 + description: Kotsadm package + copyright: + - license: Apache-2.0 + +environment: + contents: + repositories: + - https://packages.wolfi.dev/os + keyring: + - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub + - ./packages/chainguard-enterprise.rsa.pub + packages: + - ca-certificates-bundle + - busybox + - git + - go + - nodejs + - yarn + environment: + GOMODCACHE: '/var/cache/melange' + +pipeline: + - runs: | + set -x + export DESTDIR="${{targets.destdir}}" + mkdir -p "${DESTDIR}" + + # Scripts etc. + mv deploy/assets/backup.sh "${DESTDIR}/backup.sh" + mv deploy/assets/restore-db.sh "${DESTDIR}/restore-db.sh" + mv deploy/assets/restore-s3.sh "${DESTDIR}/restore-s3.sh" + mv deploy/assets/restore.sh "${DESTDIR}/restore.sh" + mv deploy/assets/migrate-s3.sh "${DESTDIR}/migrate-s3.sh" + mv deploy/assets/fs-minio-check.sh "${DESTDIR}/fs-minio-check.sh" + mv deploy/assets/fs-minio-reset.sh "${DESTDIR}/fs-minio-reset.sh" + mv deploy/assets/fs-minio-keys-sha.sh "${DESTDIR}/fs-minio-keys-sha.sh" + mv deploy/assets/s3-bucket-create.sh "${DESTDIR}/s3-bucket-create.sh" + mv deploy/assets/s3-bucket-head.sh "${DESTDIR}/s3-bucket-head.sh" + mv deploy/assets/kots-upgrade.sh "${DESTDIR}/kots-upgrade.sh" + mv deploy/assets/postgres "${DESTDIR}/postgres" + + # kotsadm and kots binaries + export VERSION=${{package.version}} + export GIT_TAG=${{package.version}} + + # Set environment variables from repository + source .image.env + + KOTS_KUBECTL_BIN_DIR=/usr/local/bin + KOTS_KUSTOMIZE_BIN_DIR=/usr/local/bin + KOTS_HELM_BIN_DIR=/usr/local/bin + + # TODO: fix pact build error on arm https://github.com/pact-foundation/pact-js-core/issues/264 + export PACT_SKIP_BINARY_INSTALL=true + + # Configure Yarn + yarn install --pure-lockfile --network-concurrency 1 + + make -C web deps build-kotsadm + make kots build + + mv bin/kotsadm "${DESTDIR}/kotsadm" + mv bin/kots "${DESTDIR}/kots" + + # TODO: this requires 
manual intervention whenever helm bumps its major version + ln -s /usr/bin/helm ${DESTDIR}/usr/local/bin/helm + ln -s /usr/bin/helm ${DESTDIR}/usr/local/bin/helm3 + + # TODO: this requires manual intervention whenever kustomize bumps its major version + ln -s /usr/bin/kustomize ${DESTDIR}/usr/local/bin/kustomize + ln -s /usr/bin/kustomize ${DESTDIR}/usr/local/bin/kustomize5 + + # TODO: this requires manual intervention whenever kubectl bumps its major version + ln -s /usr/bin/kubectl-1.19 ${DESTDIR}/usr/local/bin/kubectl-v1.19 + ln -s /usr/bin/kubectl-1.20 ${DESTDIR}/usr/local/bin/kubectl-v1.20 + ln -s /usr/bin/kubectl-1.21 ${DESTDIR}/usr/local/bin/kubectl-v1.21 + ln -s /usr/bin/kubectl-1.22 ${DESTDIR}/usr/local/bin/kubectl-v1.22 + ln -s /usr/bin/kubectl-1.23 ${DESTDIR}/usr/local/bin/kubectl-v1.23 + ln -s /usr/bin/kubectl-1.24 ${DESTDIR}/usr/local/bin/kubectl-v1.24 + ln -s /usr/bin/kubectl-1.25 ${DESTDIR}/usr/local/bin/kubectl-v1.25 + ln -s /usr/bin/kubectl-1.26 ${DESTDIR}/usr/local/bin/kubectl-v1.26 + ln -s /usr/bin/kubectl-1.27 ${DESTDIR}/usr/local/bin/kubectl-v1.27 + ln -s /usr/bin/kubectl-1.28 ${DESTDIR}/usr/local/bin/kubectl-v1.28 + ln -s /usr/bin/kubectl-1.28 ${DESTDIR}/usr/local/bin/kubectl diff --git a/migrations/Makefile b/migrations/Makefile index 79ffcee70d..011acb5480 100644 --- a/migrations/Makefile +++ b/migrations/Makefile @@ -9,10 +9,7 @@ schema-alpha: build_schema .PHONY: schema-release schema-release: IMAGE = kotsadm/${PROJECT_NAME}:${GIT_TAG} -schema-release: NIGHTLY_IMAGE = kotsadm/${PROJECT_NAME}:v0.0.0-nightly schema-release: build_schema - docker tag ${IMAGE} ${NIGHTLY_IMAGE} - docker push ${NIGHTLY_IMAGE} mkdir -p bin/docker-archive/${PROJECT_NAME} skopeo copy docker-daemon:kotsadm/${PROJECT_NAME}:${GIT_TAG} docker-archive:bin/docker-archive/${PROJECT_NAME}/${GIT_TAG} mkdir -p bin/docker-archive/rqlite
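Review bot: The `ln -s ... ${DESTDIR}/usr/local/bin/...` lines target a directory the pipeline never creates; only `mkdir -p "${DESTDIR}"` is visible, so unless something earlier creates it, `ln -s` fails with "No such file or directory". Add `mkdir -p "${DESTDIR}/usr/local/bin"` before the first `ln -s`, and quote `"${DESTDIR}"` in those lines as the `mv` lines above do. `KOTS_KUBECTL_BIN_DIR`, `KOTS_KUSTOMIZE_BIN_DIR` and `KOTS_HELM_BIN_DIR` are plain shell assignments, not exported, so `make kots build` will not see them; if they are meant to influence the build, prefix them with `export`, otherwise drop them since apko.yaml.tmpl sets them at runtime. The keyring entry `./packages/chainguard-enterprise.rsa.pub` is fetched from the same bucket as the packages it verifies, so the signature check only proves consistency with that bucket; committing the public key to the repo would give an independent trust anchor.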