Build kurl-proxy image with Chainguard (#4199)

* Build kurl-proxy image with Chainguard
replicatedhq · Dec 4, 2023 · 6b16bf6 · 6b16bf6
1 parent ec34da8
commit 6b16bf6
Show file tree

Hide file tree

Showing 6 changed files with 149 additions and 172 deletions.
diff --git a/.github/actions/build-push-kurl-proxy-image/action.yml b/.github/actions/build-push-kurl-proxy-image/action.yml
@@ -0,0 +1,50 @@
+name: 'Build and push kurl-proxy image'
+description: 'Composite action for building and pushing kurl-proxy image'
+inputs:
+  image-name:
+    description: 'Full destination kurl-proxy image name'
+    required: true
+
+  git-tag:
+    description: 'Git tag'
+    required: true
+
+  registry-username:
+    description: 'Username to login to registry'
+    default: ''
+    required: false
+
+  registry-password:
+    description: 'Password to login to registry'
+    default: ''
+    required: false
+
+runs:
+  using: "composite"
+  steps:
+    - name: template melange and apko configs
+      shell: bash
+      run: |
+        export GIT_TAG=${{ inputs.git-tag }}
+        envsubst '${GIT_TAG}' < kurl_proxy/deploy/melange.yaml.tmpl > kurl_proxy/deploy/melange.yaml
+        envsubst '${GIT_TAG}' < kurl_proxy/deploy/apko.yaml.tmpl > kurl_proxy/deploy/apko.yaml
+
+    - id: cache-dir
+      shell: bash
+      run: echo "cache_dir=$(go env GOMODCACHE)" >> "$GITHUB_OUTPUT"
+
+    - uses: chainguard-dev/actions/melange-build@main
+      with:
+        config: kurl_proxy/deploy/melange.yaml
+        archs: x86_64
+        sign-with-temporary-key: true
+        cache-dir: ${{ steps.cache-dir.outputs.cache_dir }}
+
+    - uses: chainguard-images/actions/apko-publish@main
+      with:
+        config: kurl_proxy/deploy/apko.yaml
+        archs: x86_64
+        tag: ${{ inputs.image-name }}
+        vcs-url: true
+        generic-user: ${{ inputs.registry-username }}
+        generic-pass: ${{ inputs.registry-password }}
diff --git a/.github/workflows/alpha.yaml b/.github/workflows/alpha.yaml
@@ -39,104 +39,6 @@ jobs:
         mapfile -t envs < <(grep -v '#.*' < .image.env) && export "${envs[@]}" && make -C migrations schema-alpha
 
 
-  build_web:
-    runs-on: ubuntu-20.04
-    needs: [generate-tag]
-    steps:
-    - name: Checkout
-      uses: actions/checkout@v4
-    - name: Setup Node.js environment
-      uses: actions/setup-node@v4
-      with:
-        node-version: '18.x'
-    - name: Build web
-      env:
-        GIT_TAG: ${{ needs.generate-tag.outputs.tag }}
-      run: mapfile -t envs < <(grep -v '#.*' < .image.env) && export "${envs[@]}" && make -C web deps build-kotsadm
-    - name: Upload web artifact
-      uses: actions/upload-artifact@v3
-      with:
-        name: web
-        path: ./web/dist
-
-
-  build_kurl_proxy:
-    runs-on: ubuntu-20.04
-    needs: [generate-tag]
-    steps:
-    - name: Setup Go
-      uses: actions/setup-go@v4
-      with:
-        go-version: '^1.20.0'
-
-    - name: Checkout
-      uses: actions/checkout@v4
-
-    - name: Cache Go modules
-      uses: actions/cache@v3
-      with:
-        path: |
-          ~/.cache/go-build
-          ~/go/pkg/mod
-        key: ${{ runner.os }}-go-kurlproxy-${{ hashFiles('**/go.sum') }}
-        restore-keys: |
-          ${{ runner.os }}-go-kurlproxy-
-
-    - name: Build kurl_proxy
-      env:
-        GIT_TAG: ${{ needs.generate-tag.outputs.tag }}
-        SCOPE_DSN_PUBLIC: ""
-      run: mapfile -t envs < <(grep -v '#.*' < .image.env) && export "${envs[@]}" && make -C kurl_proxy test build
-      shell: bash
-
-    - name: Upload kurl_proxy artifact
-      uses: actions/upload-artifact@v3
-      with:
-        name: kurl_proxy
-        path: ./kurl_proxy/bin
-
-
-  build-kots:
-    runs-on: ubuntu-20.04
-    needs: [build_web, build_kurl_proxy, generate-tag]
-    steps:
-    - uses: actions/setup-go@v4
-      with:
-        go-version: '^1.20.0'
-
-    - name: Checkout
-      uses: actions/checkout@v4
-
-    - name: Cache Go modules
-      uses: actions/cache@v3
-      with:
-        path: |
-          ~/.cache/go-build
-          ~/go/pkg/mod
-        key: ${{ runner.os }}-go-kots-${{ hashFiles('**/go.sum') }}
-        restore-keys: |
-          ${{ runner.os }}-go-kots-
-
-    - name: Download web artifact
-      uses: actions/download-artifact@v3
-      with:
-        name: web
-        path: ./web/dist
-
-    - name: Build Go API
-      env:
-        GIT_TAG: ${{ needs.generate-tag.outputs.tag }}
-        SCOPE_DSN_PUBLIC: ""
-      run: mapfile -t envs < <(grep -v '#.*' < .image.env) && export "${envs[@]}" && make vet ci-test kots build
-      shell: bash
-
-    - name: Upload Go API artifact
-      uses: actions/upload-artifact@v3
-      with:
-        name: kots
-        path: ./bin
-
-
   build-kotsadm:
     runs-on: ubuntu-20.04
     needs: [generate-tag]
@@ -155,32 +57,17 @@ jobs:
           registry-password: ${{ secrets.DOCKERHUB_PASSWORD }}
 
 
-  build_kurl_proxy_alpha:
+  build-kurl-proxy:
     runs-on: ubuntu-20.04
-    needs: [build_kurl_proxy, generate-tag]
+    needs: [generate-tag]
     steps:
-    - uses: azure/docker-login@v1
-      with:
-        username: ${{ secrets.DOCKERHUB_USER }}
-        password: ${{ secrets.DOCKERHUB_PASSWORD }}
-
-    - name: Checkout
-      uses: actions/checkout@v4
-
-    - name: Download kurl_proxy artifact
-      uses: actions/download-artifact@v3
-      with:
-        name: kurl_proxy
-        path: ./kurl_proxy/bin
-
-    - name: Add executable permissions
-      run: chmod a+x ./kurl_proxy/bin/kurl_proxy
-
-    - name: Build alpha release
-      env:
-        GIT_TAG: ${{ needs.generate-tag.outputs.tag }}
-      run: |
-        mapfile -t envs < <(grep -v '#.*' < .image.env) && export "${envs[@]}" && make -C kurl_proxy build-alpha
+      - uses: actions/checkout@v4
+      - uses: ./.github/actions/build-push-kurl-proxy-image
+        with:
+          image-name: index.docker.io/kotsadm/kurl-proxy:alpha
+          git-tag: ${{ needs.generate-tag.outputs.tag }}
+          registry-username: ${{ secrets.DOCKERHUB_USER }}
+          registry-password: ${{ secrets.DOCKERHUB_PASSWORD }}
 
 
   scan_rqlite:
@@ -267,7 +154,7 @@ jobs:
 
   scan_kurl_proxy:
     runs-on: ubuntu-20.04
-    needs: [build_kurl_proxy_alpha]
+    needs: [build-kurl-proxy]
     steps:
       - name: Checkout
         uses: actions/checkout@v4

diff --git a/.github/workflows/build-test.yaml b/.github/workflows/build-test.yaml
@@ -270,7 +270,19 @@ jobs:
     permissions:
       id-token: write # required to be able to assume the GCP SA identity to pull Chainguard packages.
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/setup-go@v4
+        with:
+          go-version: '^1.20.0'
+          cache: true
+      - name: setup env
+        shell: bash
+        run: |
+          echo "GOPATH=$(go env GOPATH)" >> "$GITHUB_ENV"
+          echo "$(go env GOPATH)/bin" >> "$GITHUB_PATH"
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{github.event.pull_request.head.ref}}
+          repository: ${{github.event.pull_request.head.repo.full_name}}
       - uses: ./.github/actions/build-push-kotsadm-image
         with:
           chainguard-gcp-wif-pool: ${{ secrets.CHAINGUARD_GCP_WIF_POOL }}
@@ -342,11 +354,12 @@ jobs:
 
   build-kurl-proxy:
     runs-on: ubuntu-20.04
-    needs: [ can-run-ci ]
+    needs: [ can-run-ci, generate-tag ]
     steps:
       - uses: actions/setup-go@v4
         with:
           go-version: '^1.20.0'
+          cache: true
 
       - name: setup env
         run: |
@@ -362,25 +375,10 @@ jobs:
           ref: ${{github.event.pull_request.head.ref}}
           repository: ${{github.event.pull_request.head.repo.full_name}}
 
-      - name: Cache Go modules
-        uses: actions/cache@v3
-        with:
-          path: |
-            ~/.cache/go-build
-            ~/go/pkg/mod
-          key: ${{ runner.os }}-go-kurlproxy-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go-kurlproxy-
-
-      - run: mapfile -t envs < <(grep -v '#.*' < .image.env) && export "${envs[@]}" && make -C kurl_proxy test build
-
-      - name: build and push kurl_proxy for e2e
-        uses: docker/build-push-action@v5
+      - uses: ./.github/actions/build-push-kurl-proxy-image
         with:
-          tags: ttl.sh/automated-${{ github.run_id }}/kurl-proxy:24h
-          context: ./kurl_proxy
-          file: ./kurl_proxy/deploy/Dockerfile
-          push: true
+          image-name: ttl.sh/automated-${{ github.run_id }}/kurl-proxy:24h
+          git-tag: ${{ needs.generate-tag.outputs.tag }}
 
 
   build-migrations:

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -108,42 +108,19 @@ jobs:
   build-kurl-proxy:
     runs-on: ubuntu-20.04
     needs: [generate-tag]
-    env:
-      GIT_TAG: ${{ needs.generate-tag.outputs.tag }}
     steps:
     - uses: actions/setup-go@v4
       with:
         go-version: '^1.20.0'
+        cache: true
     - name: Checkout
       uses: actions/checkout@v4
-    - name: Cache Go modules
-      uses: actions/cache@v3
+    - uses: ./.github/actions/build-push-kurl-proxy-image
       with:
-        path: |
-          ~/.cache/go-build
-          ~/go/pkg/mod
-        key: ${{ runner.os }}-go-kurlproxy-${{ hashFiles('**/go.sum') }}
-        restore-keys: |
-          ${{ runner.os }}-go-kurlproxy-
-    - name: Build kurl_proxy
-      env:
-        GIT_TAG: ${{ needs.generate-tag.outputs.tag }}
-        SCOPE_DSN_PUBLIC: ""
-      run: mapfile -t envs < <(grep -v '#.*' < .image.env) && export "${envs[@]}" && make -C kurl_proxy test build
-    - name: Upload kurl_proxy artifact
-      uses: actions/upload-artifact@v3
-      with:
-        name: kurl_proxy
-        path: ./kurl_proxy/bin
-    - uses: azure/docker-login@v1
-      with:
-        username: ${{ secrets.DOCKERHUB_USER }}
-        password: ${{ secrets.DOCKERHUB_PASSWORD }}
-    - name: Build tagged release
-      working-directory: ./kurl_proxy
-      run: |
-        docker build --pull -f deploy/Dockerfile -t "kotsadm/kurl-proxy:$GIT_TAG" .
-        docker push "kotsadm/kurl-proxy:$GIT_TAG"
+        image-name: index.docker.io/kotsadm/kurl-proxy:${{ needs.generate-tag.outputs.tag }}
+        git-tag: ${{ needs.generate-tag.outputs.tag }}
+        registry-username: ${{ secrets.DOCKERHUB_USER }}
+        registry-password: ${{ secrets.DOCKERHUB_PASSWORD }}
 
   build-kots:
     runs-on: ubuntu-20.04

diff --git a/kurl_proxy/deploy/apko.yaml.tmpl b/kurl_proxy/deploy/apko.yaml.tmpl
@@ -0,0 +1,33 @@
+contents:
+  repositories:
+    - https://packages.wolfi.dev/os
+    - ./packages/
+  keyring:
+    - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub
+    - ./melange.rsa.pub
+  packages:
+    - kurl-proxy-head  # This is expected to be built locally by `melange`.
+    - bash
+    - busybox
+    - curl
+    - git
+    - wolfi-baselayout
+
+accounts:
+  groups:
+    - groupname: kotsadm
+      gid: 1001
+  users:
+    - username: kotsadm
+      uid: 1001
+      gid: 1001
+  run-as: kotsadm
+
+environment:
+  VERSION: ${GIT_TAG}
+
+cmd: /kurl_proxy
+
+archs:
+  - x86_64
+  - aarch64
diff --git a/kurl_proxy/deploy/melange.yaml.tmpl b/kurl_proxy/deploy/melange.yaml.tmpl
@@ -0,0 +1,32 @@
+package:
+  name: kurl-proxy-head
+  version: ${GIT_TAG}
+  epoch: 0
+  description: kurl-proxy package
+  copyright:
+    - license: Apache-2.0
+
+environment:
+  contents:
+    repositories:
+      - https://packages.wolfi.dev/os
+    keyring:
+      - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub
+    packages:
+      - ca-certificates-bundle
+      - busybox
+      - git
+      - go
+  environment:
+    GOMODCACHE: '/var/cache/melange'
+
+pipeline:
+  - runs: |
+      set -x
+      export DESTDIR="${{targets.destdir}}"
+      mkdir -p "${DESTDIR}"
+
+      make -C kurl_proxy build
+
+      mv kurl_proxy/bin/kurl_proxy "${DESTDIR}/kurl_proxy"
+      mv kurl_proxy/assets "${DESTDIR}/assets"