From 2c9be07f943f7cec8be02982c9ef0250c9c645ba Mon Sep 17 00:00:00 2001
From: Brooks Newberry
Date: Mon, 21 Oct 2024 09:11:57 -0700
Subject: [PATCH] rke2-runtime signing and manifests

Signed-off-by: Brooks Newberry
---
 .github/workflows/release.yml | 85 ++++++++++++++++++++++-----
 Makefile | 4 ++
 scripts/publish-image-runtime | 26 +++++---
 scripts/publish-image-runtime-windows | 24 ++++++++
 scripts/setup-docker-builder | 11 ++++
 5 files changed, 126 insertions(+), 24 deletions(-)
 create mode 100755 scripts/publish-image-runtime-windows
 create mode 100755 scripts/setup-docker-builder

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 4177ec388b..591f5c2ce8 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -42,6 +42,9 @@ jobs:
 secrets: |
 secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials username | DOCKER_USERNAME ;
 secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials password | DOCKER_PASSWORD ;
+ secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials registry | PRIME_REGISTRY ;
+ secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials username | PRIME_REGISTRY_USERNAME ;
+ secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials password | PRIME_REGISTRY_PASSWORD
 
 - name: Package Images
 run: |
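Review bot: The last added secrets line, `... password | PRIME_REGISTRY_PASSWORD`, drops the trailing ` ;` that every other entry in this list carries, including the three identical lines this patch adds to the arm64 and manifest jobs in the @@ -101,6 and @@ -145,13 hunks. A missing separator on the final entry is presumably tolerated by the vault action, so this is a consistency nit rather than a failure, but the three blocks are clearly meant to be copies of each other and the next append to this one will have to touch two lines instead of one. Ending the line with ` ;` keeps them identical.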
@@ -57,12 +60,37 @@ jobs:
 dapper -f Dockerfile --target dapper make test
 
 - name: Publish Image Runtime
- run: |
- GITHUB_ACTION_TAG=${{ github.ref_name }} dapper -f Dockerfile --target dapper make publish-image-runtime
- env:
- DOCKER_USERNAME: ${{ env.DOCKER_USERNAME }}
- DOCKER_PASSWORD: ${{ env.DOCKER_PASSWORD }}
-
+ uses: rancher/ecm-distro-tools/actions/publish-image@master
+ with:
+ image: "rke2-runtime"
+ tag: ${{ github.ref_name }}
+ make-target: publish-image-runtime
+
+ public-repo: rancher
+ public-username: ${{ env.DOCKER_USERNAME }}
+ public-password: ${{ env.DOCKER_PASSWORD }}
+
+ prime-repo: rancher
+ prime-registry: ${{ env.PRIME_REGISTRY }}
+ prime-username: ${{ env.PRIME_REGISTRY_USERNAME }}
+ prime-password: ${{ env.PRIME_REGISTRY_PASSWORD }}
+
+ - name: Publish Image Runtime (Windows)
+ uses: rancher/ecm-distro-tools/actions/publish-image@master
+ with:
+ image: "rke2-runtime"
+ tag: ${{ github.ref_name }}
+ make-target: publish-image-runtime-windows
+
+ public-repo: rancher
+ public-username: ${{ env.DOCKER_USERNAME }}
+ public-password: ${{ env.DOCKER_PASSWORD }}
+
+ prime-repo: rancher
+ prime-registry: ${{ env.PRIME_REGISTRY }}
+ prime-username: ${{ env.PRIME_REGISTRY_USERNAME }}
+ prime-password: ${{ env.PRIME_REGISTRY_PASSWORD }}
+
 - name: Package windows images
 run: |
 GITHUB_ACTION_TAG=${{ github.ref_name }} dapper -f Dockerfile --target dapper make package-windows-images
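Review bot: Both new steps use `uses: rancher/ecm-distro-tools/actions/publish-image@master`, a mutable branch ref, and these are the steps that now receive the Docker Hub and prime-registry passwords as inputs; any change to that branch, intended or not, runs inside this release job with those credentials and without a review on this side. Pin the action to a full commit SHA, `uses: rancher/ecm-distro-tools/actions/publish-image@<commit-sha>  # <tag>` (placeholders), and let the dependency bot bump it. The same applies to the arm64 step in the @@ -112,11 hunk and the manifest step in the @@ -145,13 hunk. Separately, the removed `env:` block shows the login used to happen inside the make target with `DOCKER_USERNAME`/`DOCKER_PASSWORD`; after this change the script no longer logs in (see the scripts/publish-image-runtime hunk), so the push depends on the action authenticating to both registries before it runs `make`, which this patch does not let me confirm.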
@@ -101,6 +129,9 @@ jobs:
 secrets: |
 secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials username | DOCKER_USERNAME ;
 secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials password | DOCKER_PASSWORD ;
+ secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials registry | PRIME_REGISTRY ;
+ secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials username | PRIME_REGISTRY_USERNAME ;
+ secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials password | PRIME_REGISTRY_PASSWORD ;
 
 - name: Package Images
 run: |
@@ -112,11 +143,20 @@ jobs:
 dapper -f Dockerfile --target dapper make scan-images
 
 - name: Publish Image Runtime
- run: |
- GITHUB_ACTION_TAG=${{ github.ref_name }} dapper -f Dockerfile --target dapper make publish-image-runtime
- env:
- DOCKER_USERNAME: ${{ env.DOCKER_USERNAME }}
- DOCKER_PASSWORD: ${{ env.DOCKER_PASSWORD }}
+ uses: rancher/ecm-distro-tools/actions/publish-image@master
+ with:
+ image: "rke2-runtime"
+ tag: ${{ github.ref_name }}
+ make-target: publish-image-runtime
+
+ public-repo: rancher
+ public-username: ${{ env.DOCKER_USERNAME }}
+ public-password: ${{ env.DOCKER_PASSWORD }}
+
+ prime-repo: rancher
+ prime-registry: ${{ env.PRIME_REGISTRY }}
+ prime-username: ${{ env.PRIME_REGISTRY_USERNAME }}
+ prime-password: ${{ env.PRIME_REGISTRY_PASSWORD }}
 
 - name: Checksum
 run: |
@@ -145,13 +185,26 @@ jobs:
 secrets: |
 secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials username | DOCKER_USERNAME ;
 secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials password | DOCKER_PASSWORD ;
+ secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials registry | PRIME_REGISTRY ;
+ secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials username | PRIME_REGISTRY_USERNAME ;
+ secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials password | PRIME_REGISTRY_PASSWORD ;
 
 - name: Manifest
- run: |
- GITHUB_ACTION_TAG=${{ github.ref_name }} dapper -f Dockerfile --target dapper make publish-manifest-runtime
- env:
- DOCKER_USERNAME: ${{ env.DOCKER_USERNAME }}
- DOCKER_PASSWORD: ${{ env.DOCKER_PASSWORD }}
+ uses: rancher/ecm-distro-tools/actions/publish-image@master
+ with:
+ image: "rke2-runtime"
+ tag: ${{ github.ref_name }}
+ make-target: publish-manifest-runtime
+
+ public-repo: rancher
+ public-username: ${{ env.DOCKER_USERNAME }}
+ public-password: ${{ env.DOCKER_PASSWORD }}
+
+ prime-repo: rancher
+ prime-registry: ${{ env.PRIME_REGISTRY }}
+ prime-username: ${{ env.PRIME_REGISTRY_USERNAME }}
+ prime-password: ${{ env.PRIME_REGISTRY_PASSWORD }}
+
 dispatch:
 needs: [release-amd64, release-arm64]
 runs-on: runs-on,runner=8cpu-linux-x64,run-id=${{ github.run_id }},image=ubuntu22-full-x64,hdd=64
diff --git a/Makefile b/Makefile
index 13cb6387ca..d34811176b 100644
--- a/Makefile
+++ b/Makefile
@@ -55,6 +55,10 @@ build-image-runtime: ## Build the runtime image
 publish-image-runtime: build-image-runtime
 ./scripts/publish-image-runtime
 
+.PHONY: publish-image-runtime-windows
+publish-image-runtime: build-image-runtime
+ ./scripts/publish-image-runtime-windows
+
 .PHONY: validate
 validate: ## Run go fmt/vet
 ./scripts/validate
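Review bot: The new Makefile rule is declared as `.PHONY: publish-image-runtime-windows` but its target line reads `publish-image-runtime: build-image-runtime`, so `make publish-image-runtime-windows`, which the new Windows workflow step passes as `make-target`, has no rule at all, and `publish-image-runtime` now has two recipes, for which make warns about an overriding recipe and runs only the last one, the Windows script. The target line should be `publish-image-runtime-windows: build-image-runtime`. Whether the Windows publish really wants `build-image-runtime` as its prerequisite or a Windows-specific build target is not visible in this patch.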
diff --git a/scripts/publish-image-runtime b/scripts/publish-image-runtime
index 16ef2821c8..079a17d9d8 100755
--- a/scripts/publish-image-runtime
+++ b/scripts/publish-image-runtime
@@ -5,11 +5,21 @@ cd $(dirname $0)/..
 
 source ./scripts/version.sh
 
-set +x
-docker login -u $DOCKER_USERNAME -p $DOCKER_PASSWORD
-set -x
-
-docker image push ${REPO}/${PROG}-runtime:${DOCKERIZED_VERSION}-${GOOS}-${GOARCH}
-if [ "${GOARCH}" != "s390x" ] && [ "${GOARCH}" != "arm64" ]; then
- docker image push ${REPO}/${PROG}-runtime:${DOCKERIZED_VERSION}-windows-amd64
-fi
+./scripts/setup-docker-builder
+
+DOCKER_BUILDKIT=${DOCKER_BUILDKIT:-1} docker image build ${IID_FILE_FLAG} \
+ --builder ${PROG} \
+ --output type=docker \
+ --sbom=true \
+ --attest type=provenance,mode=max \
+ --build-arg TAG=${VERSION} \
+ --build-arg KUBERNETES_VERSION=${KUBERNETES_VERSION} \
+ --build-arg MAJOR=${VERSION_MAJOR} \
+ --build-arg MINOR=${VERSION_MINOR} \
+ --build-arg DAPPER_HOST_ARCH=${GOARCH} \
+ --build-arg CACHEBUST="$(date +%s%N)" \
+ --tag ${REPO}/${PROG}-runtime:${DOCKERIZED_VERSION}-${GOOS}-${GOARCH} \
+ --target runtime \
+ --file Dockerfile \
+ --push \
+ .
diff --git a/scripts/publish-image-runtime-windows b/scripts/publish-image-runtime-windows
new file mode 100755
index 0000000000..148ccf1a89
--- /dev/null
+++ b/scripts/publish-image-runtime-windows
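Review bot: `--output type=docker` and `--push` on the same `docker image build` ask for two exporters at once; buildx releases without multi-exporter support reject the combination (the exact message varies by version), and on those that accept it the docker exporter cannot carry the SBOM and provenance attestations requested by `--sbom=true` and `--attest type=provenance,mode=max`, so the attested image exists only on the registry side while the local load is a plain image. If the goal is an attested push, drop the `--output type=docker` line (or use `--output type=image,push=true` and drop `--push`); if a local copy is also wanted, `--load` next to `--push` on a buildx that supports both is the documented form. The same pair is in the new scripts/publish-image-runtime-windows, where loading a windows/amd64 image into the Linux daemon is even less likely to succeed. Also, the `docker login` removed here is not replaced in the script, so the push now relies on the caller (the publish-image action in the workflow hunks) having authenticated to both registries, which I cannot verify from this patch.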
@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+set -ex
+
+cd $(dirname $0)/..
+
+source ./scripts/version.sh
+
+./scripts/setup-docker-builder
+
+DOCKER_BUILDKIT=${DOCKER_BUILDKIT:-1} docker image build ${IID_FILE_FLAG} \
+ --builder ${PROG} \
+ --output type=docker \
+ --sbom=true \
+ --attest type=provenance,mode=max \
+ --build-arg TAG=${VERSION} \
+ --build-arg KUBERNETES_VERSION=${KUBERNETES_VERSION} \
+ --build-arg MAJOR=${VERSION_MAJOR} \
+ --build-arg MINOR=${VERSION_MINOR} \
+ --build-arg CACHEBUST="$(date +%s%N)" \
+ --tag ${REPO}/${PROG}-runtime:${DOCKERIZED_VERSION}-windows-amd64 \
+ --target windows-runtime \
+ --file Dockerfile.windows \
+ --push \
+ .
diff --git a/scripts/setup-docker-builder b/scripts/setup-docker-builder
new file mode 100755
index 0000000000..9c990b8747
--- /dev/null
+++ b/scripts/setup-docker-builder
@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+set -ex
+
+source ./scripts/version.sh
+
+BUILDER=${PROG}
+
+docker buildx use ${BUILDER}|| \
+ docker buildx create --name=${BUILDER} --platform=linux/amd64,linux/arm64
+
+docker buildx use ${BUILDER}
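Review bot: `source ./scripts/version.sh` in scripts/setup-docker-builder is resolved against the caller's working directory rather than the script's own location, unlike the two publish scripts, which `cd $(dirname $0)/..` first; invoked from anywhere but the repository root it fails under `set -e`, and if it were sourced with a different `PROG` the builder name in `BUILDER=${PROG}` would silently change. Add `cd $(dirname $0)/..` before the `source` line to match its siblings. The `||` fallback also creates the builder with `--platform=linux/amd64,linux/arm64` only, while the Windows script builds `--target windows-runtime` on this same builder; whether that needs a windows platform declared on the node, or works through the Linux builder as the Dockerfile.windows stages are written, is not something this patch shows.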