nginxinc · lucacome · Sep 29, 2021 · Sep 29, 2021
diff --git a/.github/workflows/update-docker-images.yml b/.github/workflows/update-docker-images.yml
@@ -11,7 +11,6 @@ defaults:
 
 env:
   DOCKER_BUILDKIT: 1
-  K8S_VERSION: 1.21.1
   K8S_TIMEOUT: 75s
 
 jobs:
@@ -22,9 +21,9 @@ jobs:
     outputs:
       kic-tag: ${{ steps.kic.outputs.tag }}
       versions: ${{ steps.versions.outputs.matrix }}
-      nginx_version: ${{ steps.versions.outputs.nginx_version }}
       sha_short: ${{ steps.vars.outputs.sha }}
       go_version: ${{ steps.vars.outputs.go_version }}
+      k8s_version: ${{ steps.vars.outputs.k8s_version }}
     steps:
       - name: Checkout Repository
         uses: actions/checkout@v2
@@ -36,21 +35,22 @@ jobs:
           tag=$(git tag --sort=-version:refname | head -n1)
           echo "::set-output name=tag::${tag//v}"
       - name: Checkout Repository at ${{ steps.kic.outputs.tag }}
-        run: |
-          git checkout v${{ steps.kic.outputs.tag }}
+        uses: actions/checkout@v2
+        with:
+          ref: v${{ steps.kic.outputs.tag }}
       - name: Set NGINX versions
         id: versions
         run: |
           nginx=library/$(grep -m1 "FROM nginx:" < build/Dockerfile | awk -F" " '{print $2}')
           nginx_alpine=library/nginx:$(grep -m1 "FROM.*nginx.*alpine" < build/Dockerfile | awk -F"[ :]" '{print $3}')
           nginx_ubi=$(grep "FROM redhat" < build/Dockerfile | awk -F" " '{print $2}')
           echo "::set-output name=matrix::[{\"version\": \"${nginx}\", \"distro\": \"debian\"}, {\"version\": \"${nginx_alpine}\", \"distro\": \"alpine\"}, {\"version\": \"${nginx_ubi}\", \"distro\": \"ubi\"}]"
-          echo "::set-output name=nginx_version::$(cat build/Dockerfile | grep -m1 "FROM nginx:" | cut -d":" -f2 | cut -d" " -f1)"
       - name: Set other variables
         id: vars
         run: |
           echo "::set-output name=sha::$(echo ${GITHUB_SHA} | cut -c1-7)"
           echo "::set-output name=go_version::$(grep "go 1." go.mod | cut -d " " -f 2)"
+          echo "::set-output name=k8s_version::$(grep "K8S_VERSION:" .github/workflows/ci.yml | awk -F" " '{print $2}')"
 
   check:
     name: Check if updates are needed
@@ -118,22 +118,20 @@ jobs:
     strategy:
       matrix:
         include:
-          - tags: |
-              nginx/nginx-ingress:${{ needs.variables.outputs.kic-tag }}
-              nginx/nginx-ingress:latest
-            type: debian
+          - image: debian
+            marker: ingresses
             platforms: linux/arm,linux/arm64,linux/amd64,linux/ppc64le,linux/s390x
             needs-updating: ${{ needs.check.outputs.needs-updating-debian }}
-          - tags: |
-              nginx/nginx-ingress:${{ needs.variables.outputs.kic-tag }}-alpine
-              nginx/nginx-ingress:alpine
-            type: alpine
+          - image: alpine
+            marker: vsr
             platforms: linux/arm,linux/arm64,linux/amd64,linux/ppc64le,linux/s390x
             needs-updating: ${{ needs.check.outputs.needs-updating-alpine }}
-          - tags: |
-              nginx/nginx-ingress:${{ needs.variables.outputs.kic-tag }}-ubi
-              nginx/nginx-ingress:ubi
-            type: ubi
+          - image: opentracing
+            marker: vs
+            platforms: linux/arm,linux/arm64,linux/amd64,linux/ppc64le,linux/s390x
+            needs-updating: ${{ needs.check.outputs.needs-updating-debian }}
+          - image: ubi
+            marker: ts
             platforms: linux/arm64,linux/amd64
             needs-updating: ${{ needs.check.outputs.needs-updating-ubi }}
     steps:
@@ -148,85 +146,53 @@ jobs:
           path: ${{ github.workspace }}/dist
           key: nginx-ingress-${{ github.run_id }}-${{ github.run_number }}
         if: ${{ matrix.needs-updating == 'true' }}
-      - name: Setup QEMU
-        uses: docker/setup-qemu-action@v1
-        with:
-          platforms: arm,arm64,ppc64le,s390x
-        if: ${{ matrix.needs-updating == 'true' }}
-      - name: Docker Buildx
-        uses: docker/setup-buildx-action@v1
-        if: ${{ matrix.needs-updating == 'true' }}
-      - name: Build ${{ matrix.type }} Container for tests
-        uses: docker/build-push-action@v2
-        with:
-          file: build/Dockerfile
-          context: '.'
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
-          target: goreleaser
-          tags: ${{ matrix.type }}:${{ github.sha }}
-          load: true
-          build-args: |
-            BUILD_OS=${{ matrix.type }}
-            NGINX_VERSION=${{ needs.variables.outputs.nginx_version }}
-        if: ${{ matrix.needs-updating == 'true' }}
-      - name: Build Test-Runner Container
-        uses: docker/build-push-action@v2
-        with:
-          file: tests/docker/Dockerfile
-          context: '.'
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
-          tags: test-runner:${{ github.sha }}
-          load: true
-        if: ${{ matrix.needs-updating == 'true' }}
-      - name: Deploy Kubernetes
-        id: k8s
-        run: |
-          kind create cluster --name ${{ github.run_id }} --image=kindest/node:v${{ env.K8S_VERSION }} --config ${{ github.workspace }}/tests/ci-files/ci-kind-config.yaml --kubeconfig kube-${{ github.run_id }} --wait ${{ env.K8S_TIMEOUT }}
-          kind load docker-image ${{ matrix.type }}:${{ github.sha }} --name ${{ github.run_id }}
-          echo ::set-output name=cluster_ip::$(docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' ${{ github.run_id }}-control-plane)
-          echo ::set-output name=cluster::$(echo 'nginx-${{ matrix.type }}-vs')
-        if: ${{ matrix.needs-updating == 'true' }}
-      - name: Setup Kubeconfig
-        run: |
-          sed -i 's|server:.*|server: https://${{ steps.k8s.outputs.cluster_ip }}:6443|' kube-${{ github.run_id }}
-        if: ${{ matrix.needs-updating == 'true' }}
       - name: Run Smoke Tests
-        run: |
-          touch tests-${{ steps.k8s.outputs.cluster }}.html
-          docker run --rm \
-          --name test-runner-${{ github.run_id }} \
-          --network=kind \
-          -v ${{ github.workspace }}/tests/tests-${{ steps.k8s.outputs.cluster }}.html:/workspace/tests/tests-${{ steps.k8s.outputs.cluster }}.html \
-          -v ${{ github.workspace }}/kube-${{ github.run_id }}:/root/.kube/config test-runner:${{ github.sha }} \
-          --context=kind-${{ github.run_id }} \
-          --image=${{ matrix.type }}:${{ github.sha }} \
-          --image-pull-policy=Never \
-          --ic-type=nginx-ingress \
-          --service=nodeport --node-ip=${{ steps.k8s.outputs.cluster_ip }} \
-          --html=tests-${{ steps.k8s.outputs.cluster }}.html \
-          --self-contained-html \
-          --show-ic-logs=yes --profile \
-          -m vs
-        working-directory: ./tests
+        id: smoke-tests
+        uses: ./.github/actions/smoke-tests
+        with:
+          image: ${{ matrix.image }}
+          marker: ${{ matrix.marker }}
+          k8s-version: ${{ needs.variables.outputs.k8s_version }}
         if: ${{ matrix.needs-updating == 'true' }}
       - name: Upload Test Results
         uses: actions/upload-artifact@v2
         with:
-          name: test-results-${{ steps.k8s.outputs.cluster }}
-          path: ${{ github.workspace }}/tests/tests-${{ steps.k8s.outputs.cluster }}.html
+          name: ${{ steps.smoke-tests.outputs.test-results-name }}
+          path: ${{ github.workspace }}/tests/${{ steps.smoke-tests.outputs.test-results-name }}.html
         if: always()
+      - name: Setup QEMU
+        uses: docker/setup-qemu-action@v1
+        with:
+          platforms: arm,arm64,ppc64le,s390x
+        if: ${{ matrix.needs-updating == 'true' }}
       - name: DockerHub Login
         uses: docker/login-action@v1
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
         if: ${{ matrix.needs-updating == 'true' }}
-      - name: Get date
-        id: var
+      - name: Get short tag
+        id: tag
         run: |
-          echo "::set-output name=date::$(date -u +"%Y-%m-%dT%H:%M:%SZ")"
+          version=${{ needs.variables.outputs.kic-tag }}
+          short="${version%.*}"
+          echo "::set-output name=short::$short"
+        if: ${{ matrix.needs-updating == 'true' }}
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v3
+        with:
+          images: nginx/nginx-ingress
+          flavor: |
+            latest=true
+            suffix=${{ matrix.image != 'debian' && '-' || '' }}${{ matrix.image != 'debian' && matrix.image != 'opentracing' && matrix.image || '' }}${{ matrix.image == 'opentracing' && 'ot' || '' }},onlatest=true
+          tags: |
+            type=raw,value=${{ needs.variables.outputs.kic-tag }}
+            type=raw,value=${{ steps.tag.outputs.short }}
+          labels: |
+            org.opencontainers.image.description=NGINX Ingress Controller for Kubernetes
+            org.opencontainers.image.documentation=https://docs.nginx.com/nginx-ingress-controller
+            org.opencontainers.image.vendor=NGINX Inc <kubernetes@nginx.com>
         if: ${{ matrix.needs-updating == 'true' }}
       - name: Push to Dockerhub
         id: push
@@ -237,16 +203,37 @@ jobs:
           cache-from: type=gha
           cache-to: type=gha,mode=max
           target: goreleaser
-          tags: ${{ matrix.tags }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
           platforms: ${{ matrix.platforms }}
           push: true
           build-args: |
-            BUILD_OS=${{ matrix.type }}
-            IC_VERSION=v${{ needs.variables.outputs.kic-tag }}-${{ needs.variables.outputs.sha_short }}
-            NGINX_VERSION=${{ needs.variables.outputs.nginx_version }}
-            DATE=${{ steps.var.outputs.date }}
-            GIT_COMMIT=${{ github.sha }}
+            BUILD_OS=${{ matrix.image }}
+            IC_VERSION=v${{ needs.variables.outputs.kic-tag }}
+        if: ${{ matrix.needs-updating == 'true' }}
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        continue-on-error: true
+        with:
+          image-ref: nginx/nginx-ingress:${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.version'] }}
+          format: 'template'
+          template: '@/contrib/sarif.tpl'
+          output: 'trivy-results-${{ matrix.image }}.sarif'
+          ignore-unfixed: 'true'
         if: ${{ matrix.needs-updating == 'true' }}
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v1
+        continue-on-error: true
+        with:
+          sarif_file: 'trivy-results-${{ matrix.image }}.sarif'
+        if: ${{ matrix.needs-updating == 'true' }}
+      - name: Upload Scan Results
+        uses: actions/upload-artifact@v2
+        continue-on-error: true
+        with:
+          name: 'trivy-results-${{ matrix.image }}.sarif'
+          path: 'trivy-results-${{ matrix.image }}.sarif'
+        if: always()
       - name: Get variables for Slack
         id: slack
         run: |
@@ -266,7 +253,7 @@ jobs:
                 color: "good",
                 fields: [{
                   title: "Docker Image",
-                  value: "<https://hub.docker.com/r/nginx/nginx-ingress/tags?page=1&ordering=last_updated&name=${{ needs.variables.outputs.kic-tag }}|nginx/nginx-ingress:${{ matrix.tag }}>",
+                  value: "<https://hub.docker.com/r/nginx/nginx-ingress/tags?page=1&ordering=last_updated&name=${{ needs.variables.outputs.kic-tag }}|nginx/nginx-ingress:${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.version'] }}>",
                   short: true
                 },
                 {