add ORAS end of life annotation and cleanup

Author: hgarvison

.github/workflows/_cleanup.yml

@@ -86,27 +86,31 @@ jobs:
           tenant-id: ${{ secrets.AZURE_TENANT_ID }}
           subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
+      - name: Set Azure Registry
+        run: |
+          echo "AZURE_REG_NAME=${{ github.event_name == 'pull_request' && secrets.TEST_AZURE_REGISTRY_NAME || secrets.AZURE_REGISTRY_NAME }}" >> $GITHUB_ENV
+          
+      - name: Log in to Azure Container Registry
+        run: az acr login --name $AZURE_REG_NAME
+
       - name: Cleanup Hello World ACI Images
         if: ${{ inputs.test-name == 'hello-world-aci' }}
         run: |
           # adding || true so that it doesn't fail if the image doesn't exist (i.e. helloworld didn't run)
-          az acr login --name ${{ github.event_name == 'pull_request' && secrets.TEST_AZURE_REGISTRY_NAME || secrets.AZURE_REGISTRY_NAME }}
-          az acr repository delete --name ${{ github.event_name == 'pull_request' && secrets.TEST_AZURE_REGISTRY_NAME || secrets.AZURE_REGISTRY_NAME }} --image private/${{ github.actor }}/acc/samples/aci/helloworld:${{ github.sha }} --yes || true
+          az acr repository delete --name $AZURE_REG_NAME --image private/${{ github.actor }}/acc/samples/aci/helloworld:${{ github.sha }} --yes || true
 
       - name: Cleanup Hello World AKS Images
         if: ${{ inputs.test-name == 'hello-world-aks' }}
         run: |
           # adding || true so that it doesn't fail if the image doesn't exist (i.e. helloworld didn't run)
-          az acr login --name ${{ github.event_name == 'pull_request' && secrets.TEST_AZURE_REGISTRY_NAME || secrets.AZURE_REGISTRY_NAME }}
-          az acr repository delete --name ${{ github.event_name == 'pull_request' && secrets.TEST_AZURE_REGISTRY_NAME || secrets.AZURE_REGISTRY_NAME }} --image private/${{ github.actor }}/acc/samples/aks/helloworld:${{ github.sha }} --yes || true
+          az acr repository delete --name $AZURE_REG_NAME --image private/${{ github.actor }}/acc/samples/aks/helloworld:${{ github.sha }} --yes || true
 
       - name: Cleanup Kafka Images
         if: ${{ inputs.test-name == 'kafka' }}
         run: |
           # adding || true so that it doesn't fail if the image doesn't exist (i.e. kafka didn't run)
-          az acr login --name ${{ github.event_name == 'pull_request' && secrets.TEST_AZURE_REGISTRY_NAME || secrets.AZURE_REGISTRY_NAME }}
-          az acr repository delete --name ${{ github.event_name == 'pull_request' && secrets.TEST_AZURE_REGISTRY_NAME || secrets.AZURE_REGISTRY_NAME }} --image private/${{ github.actor }}/acc/samples/kafka/consumer:${{ github.sha }} --yes || true
-          az acr repository delete --name ${{ github.event_name == 'pull_request' && secrets.TEST_AZURE_REGISTRY_NAME || secrets.AZURE_REGISTRY_NAME }} --image private/${{ github.actor }}/acc/samples/kafka/producer:${{ github.sha }} --yes || true
+          az acr repository delete --name $AZURE_REG_NAME --image private/${{ github.actor }}/acc/samples/kafka/consumer:${{ github.sha }} --yes || true
+          az acr repository delete --name $AZURE_REG_NAME --image private/${{ github.actor }}/acc/samples/kafka/producer:${{ github.sha }} --yes || true
 
   cleanup-cluster:
     name: Clean Up Cluster

.github/workflows/_deploy_aci.yml

@@ -9,7 +9,7 @@ on:
         type: string
       helloworld-image:
         description: "Hello World ACI Image"
-        default: "mcr.microsoft.com/acc/samples/aci/helloworld:2.9"
+        default: "mcr.microsoft.com/acc/samples/aci/helloworld:2.10"
         required: true
         type: string
       debug:
@@ -25,7 +25,7 @@ on:
         type: string
       helloworld-image:
         description: "Hello World ACI Image"
-        default: "mcr.microsoft.com/acc/samples/aci/helloworld:2.9"
+        default: "mcr.microsoft.com/acc/samples/aci/helloworld:2.10"
         required: true
         type: string
       debug:
@@ -52,15 +52,13 @@ jobs:
           tenant-id: ${{ secrets.AZURE_TENANT_ID }}
           subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
-      - name: Login to Public Azure Container Registry
-        if: github.event_name != 'pull_request'
+      - name: Set Azure Registry
         run: |
-          az acr login --name ${{ secrets.AZURE_REGISTRY_NAME }}
+          echo "AZURE_REG_NAME=${{ github.event_name == 'pull_request' && secrets.TEST_AZURE_REGISTRY_NAME || secrets.AZURE_REGISTRY_NAME }}" >> $GITHUB_ENV
+          echo "AZURE_REG_URL=${{ github.event_name == 'pull_request' && secrets.TEST_AZURE_REGISTRY_URL || secrets.AZURE_REGISTRY_URL }}" >> $GITHUB_ENV
 
-      - name: Login to Test Azure Container Registry
-        if: github.event_name == 'pull_request'
-        run: |
-          az acr login --name ${{ secrets.TEST_AZURE_REGISTRY_NAME }}
+      - name: Log in to Azure Container Registry
+        run: az acr login --name $AZURE_REG_NAME
 
       - name: Install Dependencies
         id: install-dependencies
@@ -78,9 +76,9 @@ jobs:
         run: |
             # check if official image
             if [[ "${{ inputs.helloworld-image }}" == *"mcr.microsoft.com"* ]]; then
-              echo HELLO_WORLD_IMAGE='${{ inputs.helloworld-image }}' >> $GITHUB_ENV
+              echo "HELLO_WORLD_IMAGE=${{ inputs.helloworld-image }}" >> $GITHUB_ENV
             else
-              echo HELLO_WORLD_IMAGE='${{ (github.event_name != 'pull_request' && secrets.AZURE_REGISTRY_URL) || secrets.TEST_AZURE_REGISTRY_URL }}'/'${{ inputs.helloworld-image }}' >> $GITHUB_ENV
+              echo "HELLO_WORLD_IMAGE=$AZURE_REG_URL/${{ inputs.helloworld-image }}" >> $GITHUB_ENV
             fi
 
       - name: Substitute Environment Variables

.github/workflows/_deploy_helloworld_aks_test.yml

@@ -31,13 +31,13 @@ jobs:
           tenant-id: ${{ secrets.AZURE_TENANT_ID }}
           subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
-      - name: Log in to Public Azure Container Registry
-        if: github.event_name != 'pull_request'
-        run: az acr login --name ${{ secrets.AZURE_REGISTRY_NAME }}
+      - name: Set Azure Registry
+        run: |
+          echo "AZURE_REG_NAME=${{ github.event_name == 'pull_request' && secrets.TEST_AZURE_REGISTRY_NAME || secrets.AZURE_REGISTRY_NAME }}" >> $GITHUB_ENV
+          echo "AZURE_REG_URL=${{ github.event_name == 'pull_request' && secrets.TEST_AZURE_REGISTRY_URL || secrets.AZURE_REGISTRY_URL }}" >> $GITHUB_ENV
 
-      - name: Log in to Test Azure Container Registry
-        if: github.event_name == 'pull_request'
-        run: az acr login --name ${{ secrets.TEST_AZURE_REGISTRY_NAME }}
+      - name: Log in to Azure Container Registry
+        run: az acr login --name $AZURE_REG_NAME
 
       - name: Install Dependencies
         id: install-dependencies
@@ -60,9 +60,9 @@ jobs:
         run: |
             # check if official image
             if [[ "${{ inputs.helloworld-image }}" == *"mcr.microsoft.com"* ]]; then
-              echo HELLO_WORLD_IMAGE='${{ inputs.helloworld-image }}' >> $GITHUB_ENV
+              echo "HELLO_WORLD_IMAGE=${{ inputs.helloworld-image }}" >> $GITHUB_ENV
             else
-              echo HELLO_WORLD_IMAGE='${{ (github.event_name != 'pull_request' && secrets.AZURE_REGISTRY_URL) || secrets.TEST_AZURE_REGISTRY_URL }}'/'${{ inputs.helloworld-image }}' >> $GITHUB_ENV
+              echo "HELLO_WORLD_IMAGE=$AZURE_REG_URL/${{ inputs.helloworld-image }}" >> $GITHUB_ENV
             fi
 
       - name: Substitute Environment Variables

.github/workflows/_deploy_kafka_test.yml

@@ -42,13 +42,13 @@ jobs:
           tenant-id: ${{ secrets.AZURE_TENANT_ID }}
           subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
-      - name: Log in to Public Azure Container Registry
-        if: github.event_name != 'pull_request'
-        run: az acr login --name ${{ secrets.AZURE_REGISTRY_NAME }}
+      - name: Set Azure Registry
+        run: |
+          echo "AZURE_REG_NAME=${{ github.event_name == 'pull_request' && secrets.TEST_AZURE_REGISTRY_NAME || secrets.AZURE_REGISTRY_NAME }}" >> $GITHUB_ENV
+          echo "AZURE_REG_URL=${{ github.event_name == 'pull_request' && secrets.TEST_AZURE_REGISTRY_URL || secrets.AZURE_REGISTRY_URL }}" >> $GITHUB_ENV
 
-      - name: Log in to Test Azure Container Registry
-        if: github.event_name == 'pull_request'
-        run: az acr login --name ${{ secrets.TEST_AZURE_REGISTRY_NAME }}
+      - name: Log in to Azure Container Registry
+        run: az acr login --name $AZURE_REG_NAME
 
       - name: Install Dependencies
         id: install-dependencies
@@ -74,8 +74,8 @@ jobs:
           CLUSTER_NAME: ${{ inputs.cluster-name }}
           RESOURCE_GROUP: ${{ vars.RESOURCE_GROUP }}
           SIDECAR_IMAGE: ${{ inputs.key-release-image }}
-          CONSUMER_IMAGE: ${{ (github.event_name == 'pull_request' && secrets.TEST_AZURE_REGISTRY_URL) || secrets.AZURE_REGISTRY_URL }}/${{ inputs.consumer-image }}
-          PRODUCER_IMAGE: ${{ (github.event_name == 'pull_request' && secrets.TEST_AZURE_REGISTRY_URL) || secrets.AZURE_REGISTRY_URL }}/${{ inputs.producer-image }}
+          CONSUMER_IMAGE: ${{ env.AZURE_REG_URL }}/${{ inputs.consumer-image }}
+          PRODUCER_IMAGE: ${{ env.AZURE_REG_URL }}/${{ inputs.producer-image }}
         id: run-workload
         run: |
           az aks get-credentials --name $CLUSTER_NAME --resource-group $RESOURCE_GROUP  --overwrite-existing

.github/workflows/_push_image.yml

@@ -44,20 +44,23 @@ jobs:
         with:
           version: v0.18.0
 
+      - name: Download ORAS CLI
+        uses: oras-project/setup-oras@v1
+
       - name: Log into Azure
         uses: azure/login@v2
         with:
           client-id: ${{ secrets.AZURE_CLIENT_ID }}
           tenant-id: ${{ secrets.AZURE_TENANT_ID }}
           subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
-      - name: Log in to Public Azure Container Registry
-        if: ${{ inputs.repo_type == 'public' }}
-        run: az acr login --name ${{ secrets.AZURE_REGISTRY_NAME }}
+      - name: Set Azure Registry
+        run: |
+          echo "AZURE_REG_NAME=${{ inputs.repo_type == 'public' && secrets.AZURE_REGISTRY_NAME || inputs.repo_type == 'private' && secrets.TEST_AZURE_REGISTRY_NAME }}" >> $GITHUB_ENV
+          echo "AZURE_REG_URL=${{ inputs.repo_type == 'public' && secrets.AZURE_REGISTRY_URL || inputs.repo_type == 'private' && secrets.TEST_AZURE_REGISTRY_URL }}" >> $GITHUB_ENV
 
-      - name: Log in to Test Azure Container Registry
-        if: ${{ inputs.repo_type == 'private' }}
-        run: az acr login --name ${{ secrets.TEST_AZURE_REGISTRY_NAME }}
+      - name: Log in to Azure Container Registry
+        run: az acr login --name $AZURE_REG_NAME
 
       - name: Build and Push Docker Image
         uses: docker/build-push-action@v5
@@ -66,11 +69,20 @@ jobs:
           context: ${{ inputs.docker_context }}
           file: ${{ inputs.dockerfile_path }}/Dockerfile
           push: true
-          tags: ${{ inputs.repo_type == 'public' && secrets.AZURE_REGISTRY_URL || inputs.repo_type == 'private' && secrets.TEST_AZURE_REGISTRY_URL }}/${{ inputs.image }}:${{inputs.tag}}
+          tags: ${{ env.AZURE_REG_URL }}/${{ inputs.image }}:${{ inputs.tag }}
 
       - name: Generate Artifact Attestation
         uses: actions/attest-build-provenance@v1
         with:
-          subject-name: ${{ inputs.repo_type == 'public' && secrets.AZURE_REGISTRY_URL || inputs.repo_type == 'private' && secrets.TEST_AZURE_REGISTRY_URL }}/${{ inputs.image }}
+          subject-name: ${{ env.AZURE_REG_URL }}/${{ inputs.image }}
           subject-digest: '${{steps.build-image.outputs.digest}}'
-          push-to-registry: true
+          push-to-registry: true
+
+      - name: Add End of Life Annotation
+        run: |
+          #get EOL date one month from now
+          EOL_DATE=$(date -u -d "+1 month" +"%Y-%m-%dT%H:%M:%SZ")
+
+          oras attach --artifact-type "application/vnd.microsoft.artifact.lifecycle" \
+            --annotation "vnd.microsoft.artifact.lifecycle.end-of-life.date=$EOL_DATE" \
+            $AZURE_REG_URL/${{ inputs.image }}@${{steps.build-image.outputs.digest}}

.github/workflows/helloworld_aci_test.yml

@@ -14,7 +14,7 @@ on:
     inputs:
       helloworld-image:
         description: "Hello World ACI Image"
-        default: "mcr.microsoft.com/acc/samples/aci/helloworld:2.9"
+        default: "mcr.microsoft.com/acc/samples/aci/helloworld:2.10"
         required: true
         type: string
       debug:

.github/workflows/helloworld_aks_test.yml

@@ -14,7 +14,7 @@ on:
     inputs:
       helloworld-image:
         description: "Hello World AKS Image"
-        default: "mcr.microsoft.com/acc/samples/aks/helloworld:1.7"
+        default: "mcr.microsoft.com/acc/samples/aks/helloworld:1.8"
         required: true
         type: string
       debug:

.github/workflows/kafka_demo_test.yml

@@ -28,12 +28,12 @@ on:
         type: string
       consumer-image:
         description: "Consumer Image"
-        default: "public/acc/samples/kafka/consumer:2.0"
+        default: "public/acc/samples/kafka/consumer:3.0"
         required: true
         type: string
       producer-image:
         description: "Producer Image"
-        default: "public/acc/samples/kafka/producer:2.0"
+        default: "public/acc/samples/kafka/producer:3.0"
         required: true
         type: string
   merge_group:

hello-world/ACI/app/Dockerfile

@@ -12,7 +12,7 @@ WORKDIR /app
 
 # copy all files from this folder to working directory (ignores files in .dockerignore)
 ARG BUILD_DIR=~/confidential-container-demos/hello-world/ACI/app
-COPY --from=build ${BUILD_DIR}/Dockerfile ${BUILD_DIR}/main.py ${BUILD_DIR}/verbose-report /app/
+COPY --from=build ${BUILD_DIR}/. /app/
 
 RUN chmod +x verbose-report
 

hello-world/ACI/arm-template.json

@@ -18,7 +18,7 @@
     },
     "image": {
       "type": "string",
-      "defaultValue": "mcr.microsoft.com/acc/samples/aci/helloworld:2.9",
+      "defaultValue": "mcr.microsoft.com/acc/samples/aci/helloworld:2.10",
       "metadata": {
         "description": "Container image to deploy. Should be of the form repoName/imagename:tag for images stored in public Docker Hub, or a fully qualified URI for other registries. Images from private registries require additional registry credentials."
       }

hello-world/AKS/README.md

@@ -6,7 +6,7 @@ This sample is a basic Python application used to demonstrate Confidential Pods
 
 ![Hello World Hardware Report](./media/hello-world-cc.png)
 
-The container is hosted publicly on [Azure Container Registry](mcr.microsoft.com/acc/samples/aks/helloworld:1.7).
+The container is hosted publicly on [Azure Container Registry](mcr.microsoft.com/acc/samples/aks/helloworld:1.8).
 
 ## Getting Started
 

hello-world/AKS/helloworld.yaml

@@ -7,7 +7,7 @@ metadata:
   name: helloworld
 spec:
   containers:
-    - image: "mcr.microsoft.com/acc/samples/aks/helloworld:1.7"
+    - image: "mcr.microsoft.com/acc/samples/aks/helloworld:1.8"
       command:
         - python3
         - main.py

kafka/README.md

@@ -159,7 +159,7 @@ NOTE: Only the subscription owner can setup role access for AKV/mHSM, so if you
 
 ```bash
 export SIDECAR_IMAGE="mcr.microsoft.com/aci/2.10"
-export CONSUMER_IMAGE="mcr.microsoft.com/acc/samples/kafka/consumer:2.0"
+export CONSUMER_IMAGE="mcr.microsoft.com/acc/samples/kafka/consumer:3.0"
 SIDECAR_IMAGE=$(echo $SIDECAR_IMAGE | sed 's/\//\\\//g')
 CONSUMER_IMAGE=$(echo $CONSUMER_IMAGE | sed 's/\//\\\//g')
 export LOG_FILE="log.txt"
@@ -214,7 +214,7 @@ az keyvault key list --vault-name <Name of AKV> -o table | grep kafka-demo-pipel
 #### Generate Producer Pod YAML Files (Only If Using Azure Event Hub Resource)
 
 ```bash
-export PRODUCER_IMAGE="mcr.microsoft.com/acc/samples/kafka/producer:2.0"
+export PRODUCER_IMAGE="mcr.microsoft.com/acc/samples/kafka/producer:3.0"
 PRODUCER_IMAGE=$(echo $PRODUCER_IMAGE | sed 's/\//\\\//g')
 sed -i 's/$EVENTHUB_NAMESPACE/'"$EVENTHUB_NAMESPACE"'/g; s/$EVENTHUB/'"$EVENTHUB"'/g; s/$LOG_FILE/'"$LOG_FILE"'/g; s/$PRODUCER_IMAGE/'"$PRODUCER_IMAGE"'/g ' producer/producer.yaml