Add support for image digests in helm charts #15186

Merged
merged 4 commits into from
Mar 8, 2021
12 changes: 6 additions & 6 deletions .github/workflows/images-legacy-hotfix-releases.yaml
Expand Up @@ -31,10 +31,10 @@ jobs:
dockerfile: ./cilium-docker-plugin.Dockerfile
steps:
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@154c24e1f33dbb5865a021c99f1318cfebf27b32 # v1.1.1
uses: docker/setup-buildx-action@154c24e1f33dbb5865a021c99f1318cfebf27b32

- name: Login to quay.io
uses: docker/login-action@f3364599c6aa293cdc2b8391b1b56d0c30e45c8a # v1.8.0
uses: docker/login-action@f3364599c6aa293cdc2b8391b1b56d0c30e45c8a
with:
registry: quay.io
username: ${{ secrets.QUAY_DEVELOPER_USERNAME }}
Expand All @@ -55,10 +55,10 @@ jobs:
fi

- name: Checkout Source Code
uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f # v2.3.4
uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f

- name: Release Build ${{ matrix.name }}
uses: docker/build-push-action@9379083e426e2e84abb80c8c091f5cdeb7d3fd7a # v2.2.2
uses: docker/build-push-action@9379083e426e2e84abb80c8c091f5cdeb7d3fd7a
id: docker_build_release
with:
context: .
Expand All @@ -80,7 +80,7 @@ jobs:

# Upload artifact digests
- name: Upload artifact digests
uses: actions/upload-artifact@e448a9b857ee2131e752b06002bf0e093c65e571 # v2
uses: actions/upload-artifact@e448a9b857ee2131e752b06002bf0e093c65e571
with:
name: image-digest ${{ matrix.name }}
path: image-digest
Expand All @@ -98,7 +98,7 @@ jobs:
mkdir -p image-digest/

- name: Download digests of all images built
uses: actions/download-artifact@4a7a711286f30c025902c28b541c10e147a9b843 # v2.0.8
uses: actions/download-artifact@4a7a711286f30c025902c28b541c10e147a9b843
with:
path: image-digest/

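Review bot: The six `uses:` lines in this file lose their trailing release comment (for example `# v1.1.1` on docker/setup-buildx-action), assuming the second line of each printed pair is the new side; the same happens in images-legacy-releases.yaml and images-legacy.yaml. With actions pinned by full commit SHA, that comment is the only human-readable record of which upstream release was reviewed, so I would keep it, e.g. `uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f # v2.3.4`. The build-push-action pins also deserve a check: the old comments label both `9379083e426e2e84abb80c8c091f5cdeb7d3fd7a` here and `4a531fa5a603bab87dfa56578bd82b28508c9547` in images-legacy.yaml as v2.2.2, and only one commit can be that tag. After this change the release workflows and images-legacy.yaml appear to pin different commits of the same action.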
84 changes: 68 additions & 16 deletions .github/workflows/images-legacy-releases.yaml
Expand Up @@ -16,89 +16,141 @@ jobs:
include:
- name: cilium
dockerfile: ./Dockerfile

- name: operator
dockerfile: ./cilium-operator.Dockerfile

- name: operator-aws
dockerfile: ./cilium-operator-aws.Dockerfile

- name: operator-azure
dockerfile: ./cilium-operator-azure.Dockerfile

- name: operator-generic
dockerfile: ./cilium-operator-generic.Dockerfile

- name: hubble-relay
dockerfile: ./hubble-relay.Dockerfile

- name: clustermesh-apiserver
dockerfile: ./clustermesh-apiserver.Dockerfile

- name: docker-plugin
dockerfile: ./cilium-docker-plugin.Dockerfile

steps:
- name: Set output
id: vars
run: echo ::set-output name=tag::${GITHUB_REF##*/}
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@154c24e1f33dbb5865a021c99f1318cfebf27b32 # v1.1.1
uses: docker/setup-buildx-action@154c24e1f33dbb5865a021c99f1318cfebf27b32

- name: Checkout Stable Branch Source Code
uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f # v2.3.4
- name: Login to DockerHub
uses: docker/login-action@f3364599c6aa293cdc2b8391b1b56d0c30e45c8a # v1.8.0
uses: docker/login-action@f3364599c6aa293cdc2b8391b1b56d0c30e45c8a
with:
username: ${{ secrets.DOCKER_HUB_RELEASE_USERNAME }}
password: ${{ secrets.DOCKER_HUB_RELEASE_PASSWORD }}

- name: Login to quay.io
uses: docker/login-action@f3364599c6aa293cdc2b8391b1b56d0c30e45c8a # v1.8.0
uses: docker/login-action@f3364599c6aa293cdc2b8391b1b56d0c30e45c8a
with:
registry: quay.io
username: ${{ secrets.QUAY_USERNAME_RELEASE_USERNAME }}
password: ${{ secrets.QUAY_PASSWORD_RELEASE_PASSWORD }}

- name: Getting image tag
id: tag
run: |
echo ::set-output name=tag::${GITHUB_REF##*/}

- name: Checkout Source Code
uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f

- name: Release Build ${{ matrix.name }}
uses: docker/build-push-action@4a531fa5a603bab87dfa56578bd82b28508c9547 # v2.2.2
uses: docker/build-push-action@9379083e426e2e84abb80c8c091f5cdeb7d3fd7a
id: docker_build_release
with:
context: .
file: ${{ matrix.dockerfile }}
push: true
tags: |
${{ github.repository_owner }}/${{ matrix.name }}:${{ steps.vars.outputs.tag }}
quay.io/${{ github.repository_owner }}/${{ matrix.name }}:${{ steps.vars.outputs.tag }}
${{ github.repository_owner }}/${{ matrix.name }}:${{ steps.tag.outputs.tag }}
quay.io/${{ github.repository_owner }}/${{ matrix.name }}:${{ steps.tag.outputs.tag }}
quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci:${{ github.sha }}
${{ github.repository_owner }}/${{ matrix.name }}:stable
quay.io/${{ github.repository_owner }}/${{ matrix.name }}:stable

- name: Image Release Digest
shell: bash
run: |
mkdir -p image-digest/
job_name=${{ matrix.name }}
job_name_capital=${job_name^^}
job_name_underscored=${job_name_capital//-/_}
echo "${job_name_underscored}_DIGEST := \"${{ steps.docker_build_release.outputs.digest }}\"" > image-digest/makefile-digest.txt

echo "## ${{ matrix.name }}" > image-digest/${{ matrix.name }}.txt
echo "" >> image-digest/${{ matrix.name }}.txt
echo "\`docker.io/${{ github.repository_owner }}/${{ matrix.name }}:${{ steps.vars.outputs.tag }}@${{ steps.docker_build_release.outputs.digest }}\`" >> image-digest/${{ matrix.name }}.txt
echo "\`quay.io/${{ github.repository_owner }}/${{ matrix.name }}:${{ steps.vars.outputs.tag }}@${{ steps.docker_build_release.outputs.digest }}\`" >> image-digest/${{ matrix.name }}.txt
echo "\`docker.io/${{ github.repository_owner }}/${{ matrix.name }}:${{ steps.tag.outputs.tag }}@${{ steps.docker_build_release.outputs.digest }}\`" >> image-digest/${{ matrix.name }}.txt
echo "\`quay.io/${{ github.repository_owner }}/${{ matrix.name }}:${{ steps.tag.outputs.tag }}@${{ steps.docker_build_release.outputs.digest }}\`" >> image-digest/${{ matrix.name }}.txt
echo "\`docker.io/${{ github.repository_owner }}/${{ matrix.name }}:stable@${{ steps.docker_build_release.outputs.digest }}\`" >> image-digest/${{ matrix.name }}.txt
echo "\`quay.io/${{ github.repository_owner }}/${{ matrix.name }}:stable@${{ steps.docker_build_release.outputs.digest }}\`" >> image-digest/${{ matrix.name }}.txt
echo "" >> image-digest/${{ matrix.name }}.txt

# Upload artifact digests
- name: Upload artifact digests
uses: actions/upload-artifact@e448a9b857ee2131e752b06002bf0e093c65e571 # v2
uses: actions/upload-artifact@e448a9b857ee2131e752b06002bf0e093c65e571
with:
name: image-digest ${{ matrix.name }}
path: image-digest
retention-days: 1

image-digests:
if: ${{ github.repository == 'cilium/cilium' }}
name: Display Digests
runs-on: ubuntu-20.04
needs: build-and-push
steps:
- name: Getting image tag
id: tag
run: |
echo ::set-output name=tag::${GITHUB_REF##*/}

- name: Downloading Image Digests
shell: bash
run: |
mkdir -p image-digest/

- name: Download digests of all images built
uses: actions/download-artifact@4a7a711286f30c025902c28b541c10e147a9b843 # v2.0.8
uses: actions/download-artifact@4a7a711286f30c025902c28b541c10e147a9b843
with:
path: image-digest/

- name: Image Digests Output
shell: bash
run: |
cd image-digest/
find -type f | sort | xargs -d '\n' cat
find -type f -not -name "makefile-digest.txt" | sort | xargs -d '\n' cat > ../image-digest-output.txt

- name: Image Makefile Digests
shell: bash
run: |
cd image-digest/
echo "# File generated by .github/workflows/images-legacy-releases.yaml; DO NOT EDIT." > ../Makefile.digests
echo "# Copyright "$(date +'%Y')" Authors of Cilium" >> ../Makefile.digests
echo "# SPDX-License-Identifier: Apache-2.0" >> ../Makefile.digests
echo "" >> ../Makefile.digests
find -type f -name "makefile-digest.txt" | sort | xargs -d '\n' cat >> ../Makefile.digests

# Upload artifact digests
- name: Upload artifact digests
uses: actions/upload-artifact@e448a9b857ee2131e752b06002bf0e093c65e571
with:
name: image-digest-output.txt-${{ steps.tag.outputs.tag }}
path: image-digest-output.txt
retention-days: 1

# Upload artifact digests
- name: Upload artifact digests
uses: actions/upload-artifact@e448a9b857ee2131e752b06002bf0e093c65e571
with:
name: Makefile.digests-${{ steps.tag.outputs.tag }}
path: Makefile.digests
retention-days: 1
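Review bot: The `Image Release Digest` step writes `${{ steps.docker_build_release.outputs.digest }}` straight into `image-digest/makefile-digest.txt` without checking that it is non-empty and shaped like a sha256 digest. That file is later concatenated into `Makefile.digests`, so an empty or malformed value would silently become a `<NAME>_DIGEST := ""` line rather than failing the release job. I would fail the step on anything that does not match `sha256:` plus 64 hex characters, and pass the matrix name and digest through `env:` so that no `${{ … }}` expression is expanded inside the script text. The same applies to `steps.tag.outputs.tag`, which is derived from the pushed ref name and interpolated into the `echo` lines.

```yaml
      - name: Image Release Digest
        shell: bash
        env:
          JOB_NAME: ${{ matrix.name }}
          DIGEST: ${{ steps.docker_build_release.outputs.digest }}
        run: |
          # Refuse to record anything that is not a sha256 image digest.
          if [[ ! "${DIGEST}" =~ ^sha256:[0-9a-f]{64}$ ]]; then
            echo "unexpected digest for ${JOB_NAME}: '${DIGEST}'" >&2
            exit 1
          fi
          mkdir -p image-digest/
          job_name_capital=${JOB_NAME^^}
          job_name_underscored=${job_name_capital//-/_}
          echo "${job_name_underscored}_DIGEST := \"${DIGEST}\"" > image-digest/makefile-digest.txt
          # … unchanged: per-registry lines written to image-digest/<name>.txt …
```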
18 changes: 9 additions & 9 deletions .github/workflows/images-legacy.yaml
Expand Up @@ -35,14 +35,14 @@ jobs:
dockerfile: ./cilium-docker-plugin.Dockerfile
steps:
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@154c24e1f33dbb5865a021c99f1318cfebf27b32 # v1.1.1
uses: docker/setup-buildx-action@154c24e1f33dbb5865a021c99f1318cfebf27b32
- name: Login to DockerHub to avoid rate limit
uses: docker/login-action@f3364599c6aa293cdc2b8391b1b56d0c30e45c8a # v1.8.0
uses: docker/login-action@f3364599c6aa293cdc2b8391b1b56d0c30e45c8a
with:
username: ${{ secrets.DOCKER_HUB_USERNAME_CI }}
password: ${{ secrets.DOCKER_HUB_PASSWORD_CI }}
- name: Login to quay.io for CI
uses: docker/login-action@f3364599c6aa293cdc2b8391b1b56d0c30e45c8a # v1.8.0
uses: docker/login-action@f3364599c6aa293cdc2b8391b1b56d0c30e45c8a
with:
registry: quay.io
username: ${{ secrets.QUAY_USERNAME_CI }}
Expand All @@ -51,10 +51,10 @@ jobs:
# v1.9 branch pushes
- name: Checkout v1.9 Branch Source Code
if: ${{ github.event_name != 'pull_request_target' }}
uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f # v2.3.4
uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
- name: CI Build ${{ matrix.name }}
if: ${{ github.event_name != 'pull_request_target' }}
uses: docker/build-push-action@4a531fa5a603bab87dfa56578bd82b28508c9547 # v2.2.2
uses: docker/build-push-action@4a531fa5a603bab87dfa56578bd82b28508c9547
id: docker_build_ci_v1_9
with:
context: .
Expand All @@ -74,12 +74,12 @@ jobs:
# PR updates
- name: Checkout PR Source Code
if: ${{ github.event_name == 'pull_request_target' }}
uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f # v2.3.4
uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
with:
ref: ${{ github.event.pull_request.head.sha }}
- name: CI Build ${{ matrix.name }}
if: ${{ github.event_name == 'pull_request_target' }}
uses: docker/build-push-action@4a531fa5a603bab87dfa56578bd82b28508c9547 # v2.2.2
uses: docker/build-push-action@4a531fa5a603bab87dfa56578bd82b28508c9547
id: docker_build_ci_pr
with:
context: .
Expand All @@ -96,7 +96,7 @@ jobs:

# Upload artifact digests
- name: Upload artifact digests
uses: actions/upload-artifact@e448a9b857ee2131e752b06002bf0e093c65e571 # v2
uses: actions/upload-artifact@e448a9b857ee2131e752b06002bf0e093c65e571
with:
name: image-digest ${{ matrix.name }}
path: image-digest
Expand All @@ -112,7 +112,7 @@ jobs:
run: |
mkdir -p image-digest/
- name: Download digests of all images built
uses: actions/download-artifact@4a7a711286f30c025902c28b541c10e147a9b843 # v2.0.8
uses: actions/download-artifact@4a7a711286f30c025902c28b541c10e147a9b843
with:
path: image-digest/

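Review bot: The `Checkout PR Source Code` step touched here checks out `github.event.pull_request.head.sha` under `pull_request_target`, in a job that has already logged in to Docker Hub and quay.io with CI secrets, and the following step builds that tree with build-push-action. Contributor-controlled Dockerfiles are therefore built in a context that holds registry credentials; whether an approval gate or label check restricts this is not visible in these hunks. A comment above the step naming the gate that protects it would make the trust boundary explicit. Setting `persist-credentials: false` on the checkout and building PR images in a job without registry logins would narrow the exposure. The job body continues outside the hunks shown.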
82 changes: 51 additions & 31 deletions contrib/release/pull-docker-manifests.sh
Expand Up @@ -3,21 +3,25 @@
# Copyright 2020 Authors of Cilium

DIR=$(dirname $(readlink -ne $BASH_SOURCE))
source $DIR/lib/common.sh
source "${DIR}/lib/common.sh"

CONTAINER_ENGINE=${CONTAINER_ENGINE:-docker}
IMAGES=(cilium clustermesh-apiserver docker-plugin hubble-relay operator operator-generic operator-aws operator-azure)
REGISTRIES=(docker.io quay.io)

repo="cilium/cilium"

usage() {
logecho "usage: $0 <VERSION>"
logecho "VERSION Target version"
logecho "usage: $0 <GH-USERNAME> <VERSION> <RUN-URL>"
logecho "GH-USERNAME GitHub username"
logecho "VERSION Target version"
logecho "RUN-URL GitHub URL with the RUN for the release images"
logecho " example: https://github.com/cilium/cilium/actions/runs/600920964"
logecho "GITHUB_TOKEN environment variable set with the scope public:repo"
logecho
logecho "--help Print this help message"
}

handle_args() {
if ! common::argc_validate 2; then
if ! common::argc_validate 4; then
usage 2>&1
common::exit 1
fi
Expand All @@ -27,39 +31,55 @@ handle_args() {
common::exit 0
fi

if ! echo "$1" | grep -q "[0-9]\+\.[0-9]\+\.[0-9]\+"; then
if ! echo "$2" | grep -q "[0-9]\+\.[0-9]\+\.[0-9]\+"; then
usage 2>&1
common::exit 1 "Invalid VERSION ARG \"$2\"; Expected X.Y.Z"
fi

if [ -z "${GITHUB_TOKEN}" ]; then
usage 2>&1
common::exit 1 "Invalid VERSION ARG \"$1\"; Expected X.Y.Z"
common::exit 1 "GITHUB_TOKEN not set!"
fi
}

get_digest_output() {
local username run_id file tmp_dir archive_download_url archive_download_url_zip

username="${1}"
run_id="${2}"
version="${3}"
file="${4}"
tmp_dir=$(mktemp -d)
archive_download_url=$(curl -SslH "Accept: application/vnd.github.v3+json" \
"https://api.github.com/repos/${repo}/actions/runs/${run_id}/artifacts" \
2>/dev/null | jq -r ".artifacts[] | select(.name == \"${file}-${version}\") | .archive_download_url")
archive_download_url_zip=$(curl -SslH "Accept: application/vnd.github.v3+json" \
-i -u "${username}:${GITHUB_TOKEN}" \
"${archive_download_url}" 2>/dev/null | tr -d '\r' | grep -E '^location:\.*' | sed 's/location:\ //g')
curl -Ssl "${archive_download_url_zip}" > "${tmp_dir}/${file}.zip"
unzip -p "${tmp_dir}/${file}.zip" "${file}" > "${tmp_dir}/${file}"
echo "${tmp_dir}/${file}"
}

main() {
handle_args "$@"
local username version run_url_id
username="${1}"
version="${2}"
run_url_id="$(basename "${3}")"

local ersion="$(echo $1 | sed 's/^v//')"
local version="v$ersion"

>&2 echo n "Fetching docker images for $version"
for image in ${IMAGES[@]}; do
for registry in ${REGISTRIES[@]}; do
>&2 $CONTAINER_ENGINE pull $registry/cilium/$image:$version
done
done
makefile_digest=$(get_digest_output "${username}" "${run_url_id}" "${version}" Makefile.digests)
>&2 echo "Adding image SHAs to install/kubernetes/Makefile.digests"
>&2 echo ""
cp "${makefile_digest}" "${DIR}/../../install/kubernetes/Makefile.digests"

>&2 echo "Generating manifest text for $version release notes"
>&2
echo "Docker Manifests"
echo "----------------"
for image in ${IMAGES[@]}; do
echo; echo "## $image"; echo
for registry in ${REGISTRIES[@]}; do
digest="$(docker inspect $registry/cilium/$image:$version | jq -r '.[0].RepoDigests[0]')"
if ! echo $digest | grep -q $registry; then
digest="$registry/$digest"
fi
echo "\`$digest\`"
done
done
>&2 echo "Generating manifest text for release notes"
>&2 echo ""
echo "Docker Manifests" > "${DIR}/../../digest-${version}.txt"
echo "----------------" >> "${DIR}/../../digest-${version}.txt"
image_digest_output=$(get_digest_output "${username}" "${run_url_id}" "${version}" image-digest-output.txt)
cat "${image_digest_output}" >> "${DIR}/../../digest-${version}.txt"
>&2 echo "Image digests available at ${DIR}/../../digest-${version}.txt"
}

main "$@"
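Review bot: `get_digest_output` never checks that its curl, jq or unzip steps succeeded and sends curl's stderr to /dev/null, so a wrong run URL or an expired artifact (the workflow sets `retention-days: 1`) yields an empty file that `main` then copies over `install/kubernetes/Makefile.digests`. This holds unless `lib/common.sh` enables errexit, which is not visible here. The `-l` in `curl -Ssl` is `--list-only` and was probably meant to be `-L`; with `--fail` and `-L` the manual `location:` parsing can go, and curl still does not forward the `-u` credentials to the redirect host. Because the function runs inside `$(…)`, it should return non-zero and `main` should check that result, as sketched below. Since this file becomes the image pins for the charts, I would also confirm the downloaded digests against the registries before committing them.

```shell
get_digest_output() {
  # … unchanged: local declarations, argument assignments, mktemp …
  archive_download_url=$(curl --fail -sS -H "Accept: application/vnd.github.v3+json" \
    "https://api.github.com/repos/${repo}/actions/runs/${run_id}/artifacts" \
    | jq -r ".artifacts[] | select(.name == \"${file}-${version}\") | .archive_download_url")
  if [ -z "${archive_download_url}" ]; then
    >&2 echo "No artifact named ${file}-${version} in run ${run_id}"
    return 1
  fi
  # -L follows the redirect to the archive; the -u credentials are only
  # sent to the original host unless --location-trusted is given.
  if ! curl --fail -sSL -u "${username}:${GITHUB_TOKEN}" \
      -o "${tmp_dir}/${file}.zip" "${archive_download_url}"; then
    >&2 echo "Download of ${file}-${version} failed"
    return 1
  fi
  if ! unzip -p "${tmp_dir}/${file}.zip" "${file}" > "${tmp_dir}/${file}" \
      || [ ! -s "${tmp_dir}/${file}" ]; then
    >&2 echo "${file} missing or empty in downloaded archive"
    return 1
  fi
  echo "${tmp_dir}/${file}"
}

# … in main …
  makefile_digest=$(get_digest_output "${username}" "${run_url_id}" "${version}" Makefile.digests) \
    || common::exit 1 "Could not fetch Makefile.digests for ${version}"
```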