From 8e77dafd0497e91c6b4743e3381b75c96a091e24 Mon Sep 17 00:00:00 2001
From: Brooks Newberry
Date: Tue, 22 Oct 2024 12:35:39 -0700
Subject: [PATCH] rke2-runtime signing and manifests (#7089)
Signed-off-by: Brooks Newberry
---
.github/workflows/release.yml | 85 ++++++++++++++++++++++-----
Makefile | 4 ++
scripts/publish-image-runtime | 22 ++++---
scripts/publish-image-runtime-windows | 20 +++++++
scripts/publish-manifest-runtime | 4 ++
5 files changed, 111 insertions(+), 24 deletions(-)
create mode 100755 scripts/publish-image-runtime-windows
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 4177ec388b..591f5c2ce8 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -42,6 +42,9 @@ jobs:
secrets: |
secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials username | DOCKER_USERNAME ;
secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials password | DOCKER_PASSWORD ;
+ secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials registry | PRIME_REGISTRY ;
+ secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials username | PRIME_REGISTRY_USERNAME ;
+ secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials password | PRIME_REGISTRY_PASSWORD
- name: Package Images
run: |
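Review bot: The new PRIME_REGISTRY_PASSWORD line is the only entry in this secrets block without a trailing ` ;`, while the identical three lines added to the other two jobs in this file all end with one. A missing separator is presumably tolerated on the final entry, as it is here, but the next secret appended below it would be read as part of this entry; writing it as `secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials password | PRIME_REGISTRY_PASSWORD ;` keeps the three jobs byte-identical and safe to extend. The step this block belongs to starts before the hunk.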
@@ -57,12 +60,37 @@ jobs:
dapper -f Dockerfile --target dapper make test
- name: Publish Image Runtime
- run: |
- GITHUB_ACTION_TAG=${{ github.ref_name }} dapper -f Dockerfile --target dapper make publish-image-runtime
- env:
- DOCKER_USERNAME: ${{ env.DOCKER_USERNAME }}
- DOCKER_PASSWORD: ${{ env.DOCKER_PASSWORD }}
-
+ uses: rancher/ecm-distro-tools/actions/publish-image@master
+ with:
+ image: "rke2-runtime"
+ tag: ${{ github.ref_name }}
+ make-target: publish-image-runtime
+
+ public-repo: rancher
+ public-username: ${{ env.DOCKER_USERNAME }}
+ public-password: ${{ env.DOCKER_PASSWORD }}
+
+ prime-repo: rancher
+ prime-registry: ${{ env.PRIME_REGISTRY }}
+ prime-username: ${{ env.PRIME_REGISTRY_USERNAME }}
+ prime-password: ${{ env.PRIME_REGISTRY_PASSWORD }}
+
+ - name: Publish Image Runtime (Windows)
+ uses: rancher/ecm-distro-tools/actions/publish-image@master
+ with:
+ image: "rke2-runtime"
+ tag: ${{ github.ref_name }}
+ make-target: publish-image-runtime-windows
+
+ public-repo: rancher
+ public-username: ${{ env.DOCKER_USERNAME }}
+ public-password: ${{ env.DOCKER_PASSWORD }}
+
+ prime-repo: rancher
+ prime-registry: ${{ env.PRIME_REGISTRY }}
+ prime-username: ${{ env.PRIME_REGISTRY_USERNAME }}
+ prime-password: ${{ env.PRIME_REGISTRY_PASSWORD }}
+
- name: Package windows images
run: |
GITHUB_ACTION_TAG=${{ github.ref_name }} dapper -f Dockerfile --target dapper make package-windows-images
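Review bot: `uses: rancher/ecm-distro-tools/actions/publish-image@master` hands the Docker Hub and prime-registry credentials to whatever is on a mutable branch at release time, so anyone who can push to that branch controls the code that receives these secrets; a release workflow should pin the action to a full commit SHA, e.g. `uses: rancher/ecm-distro-tools/actions/publish-image@<commit-sha> # <tag-or-date>`, and let a bot propose bumps. The same `@master` reference is used by the Windows step in this hunk and by the Publish Image Runtime and Manifest steps in the two later hunks of this file, so the fix applies to all four. The job these steps belong to starts before the hunk and ends after it.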
@@ -101,6 +129,9 @@ jobs:
secrets: |
secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials username | DOCKER_USERNAME ;
secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials password | DOCKER_PASSWORD ;
+ secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials registry | PRIME_REGISTRY ;
+ secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials username | PRIME_REGISTRY_USERNAME ;
+ secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials password | PRIME_REGISTRY_PASSWORD ;
- name: Package Images
run: |
@@ -112,11 +143,20 @@ jobs:
dapper -f Dockerfile --target dapper make scan-images
- name: Publish Image Runtime
- run: |
- GITHUB_ACTION_TAG=${{ github.ref_name }} dapper -f Dockerfile --target dapper make publish-image-runtime
- env:
- DOCKER_USERNAME: ${{ env.DOCKER_USERNAME }}
- DOCKER_PASSWORD: ${{ env.DOCKER_PASSWORD }}
+ uses: rancher/ecm-distro-tools/actions/publish-image@master
+ with:
+ image: "rke2-runtime"
+ tag: ${{ github.ref_name }}
+ make-target: publish-image-runtime
+
+ public-repo: rancher
+ public-username: ${{ env.DOCKER_USERNAME }}
+ public-password: ${{ env.DOCKER_PASSWORD }}
+
+ prime-repo: rancher
+ prime-registry: ${{ env.PRIME_REGISTRY }}
+ prime-username: ${{ env.PRIME_REGISTRY_USERNAME }}
+ prime-password: ${{ env.PRIME_REGISTRY_PASSWORD }}
- name: Checksum
run: |
@@ -145,13 +185,26 @@ jobs:
secrets: |
secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials username | DOCKER_USERNAME ;
secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials password | DOCKER_PASSWORD ;
+ secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials registry | PRIME_REGISTRY ;
+ secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials username | PRIME_REGISTRY_USERNAME ;
+ secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials password | PRIME_REGISTRY_PASSWORD ;
- name: Manifest
- run: |
- GITHUB_ACTION_TAG=${{ github.ref_name }} dapper -f Dockerfile --target dapper make publish-manifest-runtime
- env:
- DOCKER_USERNAME: ${{ env.DOCKER_USERNAME }}
- DOCKER_PASSWORD: ${{ env.DOCKER_PASSWORD }}
+ uses: rancher/ecm-distro-tools/actions/publish-image@master
+ with:
+ image: "rke2-runtime"
+ tag: ${{ github.ref_name }}
+ make-target: publish-manifest-runtime
+
+ public-repo: rancher
+ public-username: ${{ env.DOCKER_USERNAME }}
+ public-password: ${{ env.DOCKER_PASSWORD }}
+
+ prime-repo: rancher
+ prime-registry: ${{ env.PRIME_REGISTRY }}
+ prime-username: ${{ env.PRIME_REGISTRY_USERNAME }}
+ prime-password: ${{ env.PRIME_REGISTRY_PASSWORD }}
+
dispatch:
needs: [release-amd64, release-arm64]
runs-on: runs-on,runner=8cpu-linux-x64,run-id=${{ github.run_id }},image=ubuntu22-full-x64,hdd=64
diff --git a/Makefile b/Makefile
index 13cb6387ca..d34811176b 100644
--- a/Makefile
+++ b/Makefile
@@ -55,6 +55,10 @@ build-image-runtime: ## Build the runtime image
publish-image-runtime: build-image-runtime
./scripts/publish-image-runtime
+.PHONY: publish-image-runtime-windows
+publish-image-runtime: build-image-runtime
+ ./scripts/publish-image-runtime-windows
+
.PHONY: validate
validate: ## Run go fmt/vet
./scripts/validate
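Review bot: The new rule in the Makefile hunk is named `publish-image-runtime`, the same as the existing target two lines above it, so GNU make will warn about an overriding recipe, `make publish-image-runtime` will now run the Windows script instead of the Linux one, and `make publish-image-runtime-windows`, which the new workflow step requests through `make-target`, has no rule at all and fails the release job. The `.PHONY` line already carries the intended name; the target line should read `publish-image-runtime-windows: build-image-runtime`. Whether the Windows target still needs `build-image-runtime` as a prerequisite is not clear from this diff, since the new script does its own `docker image build --push` from Dockerfile.windows; if it does not, dropping the prerequisite avoids an unnecessary Linux build on that path.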
diff --git a/scripts/publish-image-runtime b/scripts/publish-image-runtime
index 16ef2821c8..ed152c6f37 100755
--- a/scripts/publish-image-runtime
+++ b/scripts/publish-image-runtime
@@ -5,11 +5,17 @@ cd $(dirname $0)/..
source ./scripts/version.sh
-set +x
-docker login -u $DOCKER_USERNAME -p $DOCKER_PASSWORD
-set -x
-
-docker image push ${REPO}/${PROG}-runtime:${DOCKERIZED_VERSION}-${GOOS}-${GOARCH}
-if [ "${GOARCH}" != "s390x" ] && [ "${GOARCH}" != "arm64" ]; then
- docker image push ${REPO}/${PROG}-runtime:${DOCKERIZED_VERSION}-windows-amd64
-fi
+DOCKER_BUILDKIT=${DOCKER_BUILDKIT:-1} docker image build ${IID_FILE_FLAG} \
+ --sbom=true \
+ --attest type=provenance,mode=max \
+ --build-arg TAG=${VERSION} \
+ --build-arg KUBERNETES_VERSION=${KUBERNETES_VERSION} \
+ --build-arg MAJOR=${VERSION_MAJOR} \
+ --build-arg MINOR=${VERSION_MINOR} \
+ --build-arg DAPPER_HOST_ARCH=${GOARCH} \
+ --build-arg CACHEBUST="$(date +%s%N)" \
+ --tag ${REPO}/${PROG}-runtime:${DOCKERIZED_VERSION}-${GOOS}-${GOARCH} \
+ --target runtime \
+ --file Dockerfile \
+ --push \
+ .
diff --git a/scripts/publish-image-runtime-windows b/scripts/publish-image-runtime-windows
new file mode 100755
index 0000000000..772b55bc7b
--- /dev/null
+++ b/scripts/publish-image-runtime-windows
@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+set -ex
+
+cd $(dirname $0)/..
+
+source ./scripts/version.sh
+
+DOCKER_BUILDKIT=${DOCKER_BUILDKIT:-1} docker image build ${IID_FILE_FLAG} \
+ --sbom=true \
+ --attest type=provenance,mode=max \
+ --build-arg TAG=${VERSION} \
+ --build-arg KUBERNETES_VERSION=${KUBERNETES_VERSION} \
+ --build-arg MAJOR=${VERSION_MAJOR} \
+ --build-arg MINOR=${VERSION_MINOR} \
+ --build-arg CACHEBUST="$(date +%s%N)" \
+ --tag ${REPO}/${PROG}-runtime:${DOCKERIZED_VERSION}-windows-amd64 \
+ --target windows-runtime \
+ --file Dockerfile.windows \
+ --push \
+ .
diff --git a/scripts/publish-manifest-runtime b/scripts/publish-manifest-runtime
index 7364ea7eda..3cc3068d39 100755
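Review bot: `--attest type=provenance,mode=max`, used in both the rewritten Linux script and the new Windows script, publishes the full build definition next to the image, which per the BuildKit documentation includes the Dockerfile and every `--build-arg` value; the arguments here are versions, an architecture and a timestamp, so nothing sensitive leaves the builder today, but that invariant deserves a comment above the flag, e.g. `# mode=max records the Dockerfile and all --build-arg values in the public provenance; never pass credentials as build args (use --secret)`. I cannot see from this diff which builder the dapper container provides; the default docker driver without the containerd image store rejects `--sbom`/`--attest`, and a pre-23 docker CLI does not route `docker image build` to buildx at all, so the builder setup should be confirmed before the first tagged release. The two scripts differ only in target, Dockerfile, tag and one build arg; a single script taking those as parameters would keep the two flag lists from drifting, which is exactly how the old script's Windows push ended up guarded by an arch check that the new layout drops.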
--- a/scripts/publish-manifest-runtime
+++ b/scripts/publish-manifest-runtime
@@ -21,3 +21,7 @@ docker login -u $DOCKER_USERNAME -p $DOCKER_PASSWORD
set -x
docker manifest push ${REPO}/${PROG}-runtime:${DOCKERIZED_VERSION}
+
+if [ -n "${IID_FILE}" ]; then
+ docker buildx imagetools inspect --format "{{json .Manifest}}" ${REPO}/${PROG}-runtime:${DOCKERIZED_VERSION} | jq -r '.digest' > ${IID_FILE}
+fi
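Review bot: The digest export added at the end of this hunk cannot fail loudly: if `docker buildx imagetools inspect` errors, the pipeline's status is jq's, and `jq -r '.digest'` on empty input exits 0 and writes an empty `${IID_FILE}`, which the caller presumably goes on to sign or reference as the manifest digest. Either add `set -o pipefail` before the pipeline, or capture the output first, `digest=$(docker buildx imagetools inspect --format "{{json .Manifest}}" ${REPO}/${PROG}-runtime:${DOCKERIZED_VERSION} | jq -r '.digest')`, and fail explicitly with `if [ -z "${digest}" ]; then echo "manifest digest not found" >&2; exit 1; fi` before writing it; quoting `"${IID_FILE}"` in the redirect is cheap as well. The `docker login -u ... -p $DOCKER_PASSWORD` visible in the hunk header still puts the password on the command line, which the two publish-image scripts in this commit no longer do; the script's `set` options and header are outside the hunk.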