diff --git a/.drone.yml b/.drone.yml deleted file mode 100644 index 10938cc..0000000 --- a/.drone.yml +++ /dev/null 
@@ -1,156 +0,0 @@ ---- -kind: pipeline -name: default-linux-amd64 - -platform: - os: linux - arch: amd64 - -steps: -- name: prepare-amd64-binaries - image: ubuntu:20.04 - commands: - - apt-get -y update && apt-get -y install make curl tar - - make scripts/iptables-wrapper-installer.sh - when: - event: - - push - - pull_request - - tag - -- name: docker-publish-head - image: plugins/docker - settings: - build_args: - - ARCH=amd64 - - VERSION=${DRONE_BRANCH/release\//}-${DRONE_BUILD_NUMBER}-head - custom_dns: 1.1.1.1 - dockerfile: Dockerfile - tag: ${DRONE_BRANCH/release\//}-head-linux-amd64 - username: - from_secret: docker_username - password: - from_secret: docker_password - repo: rancher/hyperkube-base - when: - ref: - include: - - "refs/heads/master" - - "refs/heads/release/v*" - event: - - push - -- name: docker-publish - image: plugins/docker - settings: - build_args: - - ARCH=amd64 - - "VERSION=${DRONE_TAG}" - custom_dns: 1.1.1.1 - dockerfile: Dockerfile - username: - from_secret: docker_username - password: - from_secret: docker_password - repo: rancher/hyperkube-base - tag: "${DRONE_TAG}-linux-amd64" - when: - event: - - tag - ---- -kind: pipeline -name: default-linux-arm64 - -platform: - os: linux - arch: arm64 - -steps: -- name: prepare-arm64-binaries - image: ubuntu:20.04 - commands: - - apt-get -y update && apt-get -y install make curl tar - - make ARCH=arm64 scripts/iptables-wrapper-installer.sh - when: - event: - - push - - pull_request - - tag - -- name: docker-publish-head - image: plugins/docker - settings: - build_args: - - ARCH=arm64 - - VERSION=${DRONE_BRANCH/release\//}-${DRONE_BUILD_NUMBER}-head - custom_dns: 1.1.1.1 - dockerfile: Dockerfile - tag: ${DRONE_BRANCH/release\//}-head-linux-arm64 - username: - from_secret: docker_username - password: - from_secret: docker_password - repo: rancher/hyperkube-base - when: - ref: - include: - - "refs/heads/master" - - "refs/heads/release/v*" - event: - - push - -- name: docker-publish - image: 
plugins/docker - settings: - build_args: - - ARCH=arm64 - - "VERSION=${DRONE_TAG}" - custom_dns: 1.1.1.1 - dockerfile: Dockerfile - username: - from_secret: docker_username - password: - from_secret: docker_password - repo: rancher/hyperkube-base - tag: "${DRONE_TAG}-linux-arm64" - when: - event: - - tag - ---- -kind: pipeline -name: manifest - -steps: -- name: push-head-manifest - image: plugins/manifest - settings: - username: - from_secret: docker_username - password: - from_secret: docker_password - spec: manifest.tmpl - when: - ref: - include: - - "refs/heads/master" - - "refs/heads/release/v*" - event: - - push - -- name: push-manifest - image: plugins/manifest - settings: - username: - from_secret: docker_username - password: - from_secret: docker_password - spec: manifest.tmpl - when: - event: - - tag - -depends_on: -- default-linux-amd64 -- default-linux-arm64 diff --git a/.github/workflows/ci-on-pr.yaml b/.github/workflows/ci-on-pr.yaml new file mode 100644 index 0000000..cdfaffa --- /dev/null +++ b/.github/workflows/ci-on-pr.yaml 
@@ -0,0 +1,51 @@ +name: CI on Push and Pull Request + +on: + pull_request: + branches: + - master + push: + branches: + - master + +jobs: + test-prepare-binaries: + permissions: + contents: read + strategy: + matrix: + os: [linux] + arch: [ amd64, arm64 ] + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Prepare + run: | + make scripts/iptables-wrapper-installer.sh + + - name: Docker meta + id: meta + uses: docker/metadata-action@v5 + with: + images: rancher/hyperkube-base + flavor: | + latest=false + + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Build and push Docker image + uses: docker/build-push-action@v5 + with: + context: . + push: false + tags: "${{ steps.meta.outputs.tags }}" + platforms: "${{ matrix.os }}/${{ matrix.arch }}" + labels: "${{ steps.meta.outputs.labels }}" + build-args: | + ARCH="${{ matrix.arch }}" diff --git a/.github/workflows/fossa.yaml b/.github/workflows/fossa.yaml new file mode 100644 index 0000000..5432a4c --- /dev/null +++ b/.github/workflows/fossa.yaml @@ -0,0 +1,30 @@ +name: Run Fossa Scan + +on: + push: + branches: + - "master" + # For manual scans. + workflow_dispatch: + +jobs: + fossa: + runs-on: ubuntu-latest + permissions: + contents: read + id-token: write # needed for the Vault authentication + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Read FOSSA token + uses: rancher-eio/read-vault-secrets@main + with: + secrets: | + secret/data/github/org/rancher/fossa/push token | FOSSA_API_KEY_PUSH_ONLY + + - name: FOSSA scan + uses: fossas/fossa-action@main + with: + api-key: ${{ env.FOSSA_API_KEY_PUSH_ONLY }} + run-tests: false diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml new file mode 100644 index 0000000..e3a0209 --- /dev/null +++ b/.github/workflows/release.yaml 
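Review bot: Every third-party action in this workflow is referenced by a mutable tag (`actions/checkout@v4`, `docker/metadata-action@v5`, `docker/setup-qemu-action@v3`, `docker/setup-buildx-action@v3`, `docker/build-push-action@v5`), so whoever controls those tags controls what runs on every pull request; the same applies in fossa.yaml and release.yaml, where `rancher-eio/read-vault-secrets@main` and `fossas/fossa-action@main` track a branch head inside jobs that hold `id-token: write`. Pinning to a full commit SHA with the version kept in a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha>  # v4`, makes the dependency immutable while staying readable, and Dependabot can keep such pins current. Separately, `ARCH="${{ matrix.arch }}"` under `build-args` probably hands the double quotes through as part of the build-arg value, since the action does not pass the line through a shell; the unquoted `ARCH=${{ matrix.arch }}` matches the old `.drone.yml` and is safe here because the matrix values are fixed literals, but confirm against how `ARG ARCH` is consumed in the Dockerfile. The `arch: [ amd64, arm64 ]` spacing also differs from release.yaml's `[amd64, arm64]`.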
@@ -0,0 +1,131 @@ +name: Release + +on: + push: + tags: + - '*' + +env: + IMAGE: rancher/hyperkube-base + +jobs: + build-push-images: + permissions: + contents: read + id-token: write # needed for the Vault authentication + strategy: + fail-fast: true + matrix: + os: [linux] + arch: [amd64, arm64] + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Prepare + run: | + make scripts/iptables-wrapper-installer.sh + + - name: Docker meta + id: meta + uses: docker/metadata-action@v5 + with: + images: ${{ env.IMAGE }} + flavor: | + latest=false + + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Load Secrets from Vault + uses: rancher-eio/read-vault-secrets@main + with: + secrets: | + secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials username | DOCKER_USERNAME ; + secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials password | DOCKER_PASSWORD + + - name: Login to Docker Hub + uses: docker/login-action@v3 + with: + username: ${{ env.DOCKER_USERNAME }} + password: ${{ env.DOCKER_PASSWORD }} + + - name: Build and push Docker image + id: build + uses: docker/build-push-action@v5 + with: + context: . 
+ push: true + tags: "${{ steps.meta.outputs.tags }}" + platforms: "${{ matrix.os }}/${{ matrix.arch }}" + labels: "${{ steps.meta.outputs.labels }}" + build-args: | + ARCH="${{ matrix.arch }}" + + - name: Export digest + run: | + mkdir -p /tmp/digests + digest="${{ steps.build.outputs.digest }}" + touch "/tmp/digests/${digest#sha256:}" + + - name: Upload digest + uses: actions/upload-artifact@v4 + with: + name: "digests-${{ matrix.os }}-${{ matrix.arch }}" + path: /tmp/digests/* + if-no-files-found: error + retention-days: 7 + overwrite: true + + merge: + runs-on: ubuntu-latest + needs: + - build-push-images + permissions: + contents: read + id-token: write # needed for the Vault authentication + steps: + - name: Download digests + uses: actions/download-artifact@v4 + with: + path: /tmp/digests + pattern: digests-* + merge-multiple: true + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Docker meta + id: meta + uses: docker/metadata-action@v5 + with: + images: ${{ env.IMAGE }} + flavor: | + latest=false + + - name: Load Secrets from Vault + uses: rancher-eio/read-vault-secrets@main + with: + secrets: | + secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials username | DOCKER_USERNAME ; + secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials password | DOCKER_PASSWORD + + - name: Login to Docker Hub + uses: docker/login-action@v3 + with: + username: ${{ env.DOCKER_USERNAME }} + password: ${{ env.DOCKER_PASSWORD }} + + - name: Create manifest list and push + working-directory: /tmp/digests + run: | + docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \ + $(printf '${{ env.IMAGE }}@sha256:%s ' *) + + - name: Inspect image + run: | + docker buildx imagetools inspect ${{ env.IMAGE }}:${{ steps.meta.outputs.version }} diff --git a/.gitignore b/.gitignore index d6d96c8..98d2f26 100644 --- a/.gitignore +++ b/.gitignore 
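Review bot: The `Export digest` and `Inspect image` steps interpolate `${{ steps.build.outputs.digest }}`, `${{ env.IMAGE }}` and `${{ steps.meta.outputs.version }}` directly into `run:` shell text, whereas the `Create manifest list and push` step in the same job already uses the safer `$DOCKER_METADATA_OUTPUT_JSON` environment-variable form. Expanding expressions into a script is the standard script-injection pattern in Actions; the values here come from the build step and the pushed tag ref, so exposure is limited, but routing them through a step `env:` (e.g. `DIGEST: ${{ steps.build.outputs.digest }}` followed by `touch "/tmp/digests/${DIGEST#sha256:}"`) keeps the scripts free of template expansion and makes the two styles consistent. The trigger `tags:` with `- '*'` publishes to Docker Hub with Vault-sourced credentials for any tag name, which matches the previous Drone `event: tag` behaviour; if only versioned tags are meant to release, narrowing it to `- 'v*'` would document that intent. There is no `concurrency` group, so two tags pushed close together run the `merge` job concurrently — likely harmless since each run targets its own tag, but worth a look.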
@@ -1 +1,2 @@ scripts/iptables-wrapper-installer.sh +.idea diff --git a/Dockerfile b/Dockerfile index 2caae46..993736a 100644 --- a/Dockerfile +++ b/Dockerfile @@ -77,6 +77,10 @@ RUN echo CACHEBUST>/dev/null \ /tmp/* \ /var/tmp/* -RUN /usr/sbin/iptables-wrapper-installer.sh +# iptables-wrapper-installer.sh uses `iptables-nft --version` to check whether iptables-nft exists, iptables-nft returns +# the error "protocol not supported" when being invoked in an emulated enviroment whose arch (for example, arm64) +# is differnt from the host (amd64). So we do the check ourselves before running iptables-wrapper-installer.sh. +RUN which iptables-legacy && which iptables-nft +RUN /usr/sbin/iptables-wrapper-installer.sh --no-sanity-check ENTRYPOINT ["/hyperkube"] diff --git a/manifest.tmpl b/manifest.tmpl deleted file mode 100644 index 3e5b403..0000000 --- a/manifest.tmpl +++ /dev/null @@ -1,12 +0,0 @@ -image: rancher/hyperkube-base:{{#if build.tag}}{{build.tag}}{{else}}{{replace "release/" "" build.branch }}-head{{/if}} -manifests: - - - image: rancher/hyperkube-base:{{#if build.tag}}{{build.tag}}{{else}}{{replace "release/" "" build.branch }}-head{{/if}}-linux-amd64 - platform: - architecture: amd64 - os: linux - - - image: rancher/hyperkube-base:{{#if build.tag}}{{build.tag}}{{else}}{{replace "release/" "" build.branch }}-head{{/if}}-linux-arm64 - platform: - architecture: arm64 - os: linux \ No newline at end of file
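Review bot: The new `RUN which iptables-legacy && which iptables-nft` only confirms that both binaries are on `PATH`; it does not stand in for the functional probe the installer skips under `--no-sanity-check`, so the comment above it overstates what is verified — consider `# presence check only: the installer's iptables-nft --version probe is skipped under emulation (see --no-sanity-check below)` and fix the typos `enviroment` → `environment` and `differnt` → `different`. `command -v iptables-legacy && command -v iptables-nft` is the POSIX form and does not depend on a `which` binary being present in the final stage. The `RUN echo CACHEBUST>/dev/null \` chain shown in the hunk header begins before the hunk.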