diff --git a/.github/workflows/my-publish.yml b/.github/workflows/my-publish.yml
new file mode 100644
index 0000000000..453d9e3bbd
--- /dev/null
+++ b/.github/workflows/my-publish.yml
@@ -0,0 +1,109 @@ +# This is a GitHub workflow defining a set of jobs with a set of steps. +# ref: https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-syntax-for-github-actions +# +name: Publish + +# Trigger the workflow's on pushed tags or commits to main/master branch. +on: + push: + branches: ["sakuraiyuta/build"] + tags: ["[0-9]+.[0-9]+.[0-9]+*"] + +jobs: + # Builds and pushes docker images to DockerHub and package the Helm chart and + # pushes it to sakuraiyuta/helm-chart@gh-pages where index.yaml represents the + # JupyterHub organization Helm chart repository. + # + # ref: https://github.com/sakuraiyuta/helm-chart + # ref: https://hub.docker.com/orgs/sakuraiyuta + # + publish: + if: github.repository == 'sakuraiyuta/zero-to-jupyterhub-k8s' + runs-on: ubuntu-20.04 + steps: + - uses: actions/checkout@v2 + with: + # chartpress requires the full history + fetch-depth: 0 + path: main + - name: Build Images + uses: uraimo/run-on-arch-action@v2.0.5 + with: + arch: aarch64 + distro: ubuntu20.04 + setup: | + echo -e "\u001b[32m# run-on-arch-action: Setup\u001b[0m" + + echo -e "\u001b[32mQEMU Setup\u001b[0m" + echo 'EXTRA_OPTS="-L /usr/aarch64-linux-gnu"' | sudo tee /etc/qemu-binfmt.conf + sudo systemctl restart systemd-binfmt + sudo update-binfmts --enable + + install: | + echo -e "\u001b[32m# run-on-arch-action: Install\u001b[0m" + echo -e "\u001b[34mInstall apt packages\u001b[0m" + apt-get update -q -y >/dev/null + apt-get install -q -y python-is-python3 python3-pip curl git openssh-client >/dev/null + ln -s /usr/bin/pip3 /usr/bin/pip + + # This was setup by... + # 1. Generating a private/public key pair: + # ssh-keygen -t ed25519 -C "sakuraiyuta/zero-to-jupyterhub-k8s" -f /tmp/id_ed25519 + # 2. Registering the private key (/tmp/id_ed25519) as a secret for this + # repo: + # https://github.com/sakuraiyuta/zero-to-jupyterhub-k8s/settings/secrets/actions + # 3. 
Registering the public key (/tmp/id_ed25519.pub) as a deploy key + # with push rights for the sakuraiyuta/helm chart repo: + # https://github.com/sakuraiyuta/helm-chart/settings/keys + # + echo -e "\u001b[34mSetup push rights to sakuraiyuta/helm-chart\u001b[0m" + mkdir -p ~/.ssh + ssh-keyscan github.com >> ~/.ssh/known_hosts + echo "${{ secrets.JUPYTERHUB_HELM_CHART_DEPLOY_KEY }}" > ~/.ssh/id_ed25519 + chmod 600 ~/.ssh/id_ed25519 + + run: | + echo -e "\u001b[32m# run-on-arch-action: Run\u001b[0m" + + echo -e "\u001b[34mInstall chart publishing dependencies (docker, chartpress, helm)\u001b[0m" + cd main/ + . ./ci/common + setup_helm + pip install --no-cache-dir chartpress pyyaml + curl -fsSL get.docker.com | CHANNEL=stable sh + + # This was setup by... + # 1. Creating a Docker Hub service account "jupyterhubbot" + # 2. Making the account part of the "bots" team, and granting that team + # permissions to push to the relevant images: + # https://hub.docker.com/orgs/jupyterhub/teams/bots/permissions + # 3. Registering the username and password as a secret for this repo: + # https://github.com/jupyterhub/zero-to-jupyterhub-k8s/settings/secrets/actions + # + echo -e "\u001b[34mSetup push rights to Docker Hub\u001b[0m" + docker login --username '${{ secrets.DOCKERHUB_USERNAME }}' --password '${{ secrets.DOCKERHUB_PASSWORD }}' + + # Having a user.email and user.name configured with git is required to + # make commits, which is something chartpress does when publishing. + # While Travis CI had a dummy user by default, GitHub Actions doesn't + # and require this explicitly setup. + echo -e "\u001b[34mConfigure a git user\u001b[0m" + git config --global user.email "github-actions@example.local" + git config --global user.name "GitHub Actions user" + + echo -e "\u001b[34mPublish images and chart with chartpress\u001b[0m" + # Create values.schema.yaml from schema.yaml. 
+ ./tools/generate-json-schema.py + + # Append annotations to Chart.yaml with current images so that + # artifacthub.io can scan and provide vulnerability reports for them. + chartpress --no-build + ./tools/set-chart-yaml-annotations.py + + # Package the Helm chart and publish it to the gh-pages branch of + # the jupyterhub/helm-chart repo. + ./ci/publish + + env: | + GITHUB_REPOSITORY: "${{ github.repository }}" + HELM_VERSION: "v3.5.2" diff --git a/chartpress.yaml b/chartpress.yaml index 7b814ad989..95e770f18d 100644 --- a/chartpress.yaml +++ b/chartpress.yaml @@ -12,10 +12,10 @@ charts: - name: jupyterhub # Dev: imagePrefix can be useful to override if you want to trial something # locally developed in a remote k8s cluster. - imagePrefix: jupyterhub/k8s- + imagePrefix: sakuraiyuta/jupyterhub-k8s- repo: - git: jupyterhub/helm-chart - published: https://jupyterhub.github.io/helm-chart + git: sakuraiyuta/helm-chart + published: https://sakuraiyuta.github.io/helm-chart images: # hub, the container where JupyterHub, KubeSpawner, and the configured diff --git a/images/hub/Dockerfile b/images/hub/Dockerfile index 651f17112f..b0b869ae28 100644 --- a/images/hub/Dockerfile +++ b/images/hub/Dockerfile @@ -1,4 +1,4 @@ -FROM ubuntu:20.04 +FROM arm64v8/ubuntu:20.04 # VULN_SCAN_TIME=2021-02-26_00:07:23 @@ -20,6 +20,7 @@ RUN apt-get update && \ sqlite3 \ curl \ dnsutils \ + libpq-dev \ && \ rm -rf /var/lib/apt/lists/* diff --git a/images/image-awaiter/Dockerfile b/images/image-awaiter/Dockerfile index 8eeac1f8e9..1480d58eeb 100644 --- a/images/image-awaiter/Dockerfile +++ b/images/image-awaiter/Dockerfile 
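Review bot: The deploy key from `secrets.JUPYTERHUB_HELM_CHART_DEPLOY_KEY` is written to `~/.ssh/id_ed25519` inside the `install:` script, and as far as I understand run-on-arch-action, `install` executes while the action builds its container image and is cached as an image layer on the runner, so the private key ends up persisted in that layer rather than only in the job's working filesystem; moving the `mkdir`/`ssh-keyscan`/`echo`/`chmod` lines into `run:` next to the Docker Hub login avoids that. The `docker login` line in `run:` also passes the password as a command-line argument in single quotes, which exposes it to the process list and breaks if the secret contains `'`; prefer `echo "$DOCKERHUB_PASSWORD" | docker login --username "$DOCKERHUB_USERNAME" --password-stdin` with both values supplied through the action's `env:` block instead of interpolated into the script. Both third-party actions are referenced by tag (`actions/checkout@v2`, `uraimo/run-on-arch-action@v2.0.5`) and Docker is installed with `curl -fsSL get.docker.com | CHANNEL=stable sh`; for a job that holds publish credentials, pinning the actions to a commit SHA and installing Docker from a versioned package narrows the supply-chain exposure. `ssh-keyscan github.com >> ~/.ssh/known_hosts` trusts whatever host key is returned at run time; checking it against GitHub's published fingerprints before the push would make that trust verifiable.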
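Review bot: `FROM arm64v8/ubuntu:20.04` selects the new base image by a mutable tag, while the builder stage in images/image-awaiter/Dockerfile in this same commit pins `golang:1.15-alpine` by digest; the same form here (`FROM arm64v8/ubuntu:20.04@sha256:<digest of the reviewed image>`) would make the published hub image reproducible and keep the `VULN_SCAN_TIME` bookkeeping meaningful. The same applies to images/network-tools/Dockerfile and images/secret-sync/Dockerfile, and most of all to images/singleuser-sample/Dockerfile, where the fixed tag `jupyter/base-notebook:016833b15ceb` is replaced by `sakuraiyuta/base-notebook:latest`, so every rebuild silently picks up whatever that tag points to at the time. The second hunk adds `libpq-dev` (headers and build files) to the runtime package list; if it is only there so that a Python database driver can compile, the runtime library alone would be the smaller footprint, and a comment such as `# libpq-dev: needed to build <driver> on arm64` above the line would record why it was added.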
@@ -1,16 +1,16 @@ # compile the code to an executable using an intermediary image -FROM golang:1.15 +FROM golang:1.15-alpine@sha256:d491730a043b10ac51ac7437dc1716a2082349addbf0c6510dc8ad4b8a5ce7c7 # VULN_SCAN_TIME= RUN mkdir -p /build/ COPY *.mod *.go *.sum /build/ WORKDIR /build -RUN CGO_ENABLED=0 GOOS=linux go build -ldflags '-w -s' -installsuffix cgo -a -o out/image-awaiter +RUN CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build -ldflags '-w -s' -installsuffix cgo -a -o out/image-awaiter # present the result within a slimmed image -FROM scratch +FROM arm64v8/alpine:3 COPY --from=0 /build/out/image-awaiter /image-awaiter diff --git a/images/network-tools/Dockerfile b/images/network-tools/Dockerfile index a4fe8ae2c5..8ea1467d96 100644 --- a/images/network-tools/Dockerfile +++ b/images/network-tools/Dockerfile @@ -1,4 +1,4 @@ -FROM alpine:3 +FROM arm64v8/alpine:3 # VULN_SCAN_TIME=1fad1460fc diff --git a/images/secret-sync/Dockerfile b/images/secret-sync/Dockerfile index 5f1865beaf..d4350260dc 100644 --- a/images/secret-sync/Dockerfile +++ b/images/secret-sync/Dockerfile @@ -1,4 +1,4 @@ -FROM python:3.8-alpine +FROM arm64v8/python:3.8-alpine # VULN_SCAN_TIME= diff --git a/images/singleuser-sample/Dockerfile b/images/singleuser-sample/Dockerfile index 48cc0e84ec..0730eb9419 100644 --- a/images/singleuser-sample/Dockerfile +++ b/images/singleuser-sample/Dockerfile @@ -1,4 +1,4 @@ -FROM jupyter/base-notebook:016833b15ceb +FROM sakuraiyuta/base-notebook:latest # Built from... https://hub.docker.com/r/jupyter/base-notebook/ # https://github.com/jupyter/docker-stacks/blob/master/base-notebook/Dockerfile # Built from... Ubuntu 18.04 diff --git a/jupyterhub/Chart.yaml b/jupyterhub/Chart.yaml index 447df2705f..d4fde6c9d4 100644 --- a/jupyterhub/Chart.yaml +++ b/jupyterhub/Chart.yaml 
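Review bot: The runtime stage is changed from `FROM scratch` to `FROM arm64v8/alpine:3`, but the binary is still built with `CGO_ENABLED=0`, so it is statically linked and needs no libc or shell at run time; keeping `FROM scratch` (which is architecture-neutral) keeps the image free of a shell and package manager, and if a base image is required for some other reason it should be pinned by digest exactly as the builder stage above it now is. `GOARCH=arm64` is hard-coded in the `RUN ... go build` line, so this Dockerfile no longer produces a native binary on any other runner; if that is intended, a `# arm64-only build; see my-publish.yml` comment above that line would make the constraint visible to the next person who builds it locally.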
@@ -1,7 +1,7 @@ # Chart.yaml v2 reference: https://helm.sh/docs/topics/charts/#the-chartyaml-file apiVersion: v2 name: jupyterhub -version: 0.0.1-set.by.chartpress +version: 0.11.1-aarch64 appVersion: 1.3.0 description: Multi-user Jupyter installation keywords: [jupyter, jupyterhub, z2jh] diff --git a/jupyterhub/values.yaml b/jupyterhub/values.yaml index 4143816167..e30169e3b2 100644 --- a/jupyterhub/values.yaml +++ b/jupyterhub/values.yaml @@ -78,8 +78,8 @@ hub: extraVolumes: [] extraVolumeMounts: [] image: - name: jupyterhub/k8s-hub - tag: "set-by-chartpress" + name: sakuraiyuta/jupyterhub-k8s-hub + tag: "0.11.1-aarch64" pullPolicy: pullSecrets: [] resources: @@ -191,7 +191,7 @@ proxy: runAsGroup: 65534 # nobody group allowPrivilegeEscalation: false image: - name: jupyterhub/configurable-http-proxy + name: sakuraiyuta/jupyterhub-configurable-http-proxy tag: 4.2.3 pullPolicy: pullSecrets: [] @@ -270,8 +270,8 @@ proxy: runAsGroup: 65534 # nobody group allowPrivilegeEscalation: false image: - name: jupyterhub/k8s-secret-sync - tag: "set-by-chartpress" + name: sakuraiyuta/jupyterhub-k8s-secret-sync + tag: "0.11.1-aarch64" pullPolicy: pullSecrets: [] resources: {} @@ -310,8 +310,8 @@ singleuser: preferred: [] networkTools: image: - name: jupyterhub/k8s-network-tools - tag: "set-by-chartpress" + name: sakuraiyuta/jupyterhub-k8s-network-tools + tag: "0.11.1-aarch64" pullPolicy: pullSecrets: [] cloudMetadata: @@ -364,8 +364,8 @@ singleuser: volumeNameTemplate: volume-{username}{servername} storageAccessModes: [ReadWriteOnce] image: - name: jupyterhub/k8s-singleuser-sample - tag: "set-by-chartpress" + name: sakuraiyuta/jupyterhub-k8s-singleuser-sample + tag: "0.11.1-aarch64" pullPolicy: pullSecrets: [] startTimeout: 300 
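Review bot: Each `tag: "set-by-chartpress"` placeholder is replaced with the literal `"0.11.1-aarch64"` (here and in the hunks at lines 270, 310, 364 and 474), yet the workflow added in this commit still runs `chartpress --no-build` before `./ci/publish`, and chartpress's job is to rewrite these tags and the chart version from git history; as far as I can tell the hand-written tag is therefore either overwritten at publish time or, if chartpress is run differently than the workflow shows, diverges from the images actually pushed. If a fixed tag is the intent, the chartpress step should go with it so the two mechanisms do not disagree. The `proxy.image.name` change at line 191 now points at `sakuraiyuta/jupyterhub-configurable-http-proxy` with the unchanged `tag: 4.2.3`, but no Dockerfile or `chartpress.yaml` entry in this diff builds such an image; unless it is published elsewhere, the proxy pod will fail to pull, and a short comment above `name:` saying where that image comes from would help.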
@@ -474,8 +474,8 @@ prePuller: enabled: true # image and the configuration below relates to the hook-image-awaiter Job image: - name: jupyterhub/k8s-image-awaiter - tag: "set-by-chartpress" + name: sakuraiyuta/jupyterhub-k8s-image-awaiter + tag: "0.11.1-aarch64" pullPolicy: pullSecrets: [] containerSecurityContext: