ci: reproducible builds integration (#1108)
* remove `-ko` suffix from workflows * integrate into `release.yaml` * adjust helm charts to use hard coded `ko` binary path
This commit is contained in:
parent
11e233e4be
commit
2187aa6cb0
13
.github/actions/build_ko/action.yml
vendored
@ -21,7 +21,7 @@ inputs:
|
||||
required: true
|
||||
pushTag:
|
||||
description: "Use this image tag"
|
||||
required: false
|
||||
required: true
|
||||
githubToken:
|
||||
description: "GitHub authorization token"
|
||||
required: true
|
||||
@ -50,6 +50,12 @@ runs:
|
||||
id: pseudo-version
|
||||
uses: ./.github/actions/pseudo_version
|
||||
|
||||
- name: Setup Go environment
|
||||
uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
|
||||
with:
|
||||
go-version: "1.19.5"
|
||||
cache: true
|
||||
|
||||
- name: Set up ko
|
||||
uses: imjasonh/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6
|
||||
|
||||
@ -60,7 +66,7 @@ runs:
|
||||
KO_USER: ${{ github.actor }}
|
||||
KO_CONFIG_PATH: ${{ inputs.koConfig }}
|
||||
KO_PASSWORD: ${{ inputs.githubToken }}
|
||||
KO_DOCKER_REPO: ${{ inputs.registry }}/edgelesssys/${{ inputs.name }}-ko
|
||||
KO_DOCKER_REPO: ${{ inputs.registry }}/edgelesssys/constellation/${{ inputs.name }}
|
||||
run: |
|
||||
tags=""
|
||||
sbom=""
|
||||
@ -91,7 +97,8 @@ runs:
|
||||
sbom="--sbom=none"
|
||||
fi
|
||||
|
||||
container_full=$(ko build ${{ inputs.koTarget }} --bare --tags ${tags} ${sbom})
|
||||
echo "Building container image with tags: ${tags}"
|
||||
container_full=$(ko build ${{ inputs.koTarget }} --bare --tags "${tags}" ${sbom})
|
||||
container_image=$(echo $container_full | cut -d@ -f1)
|
||||
container_sha256=$(echo $container_full | cut -d: -f2)
|
||||
|
||||
|
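Review bot: The `Set up ko` step added at the `uses: imjasonh/setup-ko@ace48d79…` line is annotated `# v0.6`, but the step removed from build-keyservice-image.yml further down pins a different commit (`9a316849…`) with the same `# tag=v0.6` comment, so at least one annotation does not describe the commit that actually runs. Since the SHA is the effective pin, the comment should name the tag or release that commit belongs to, or both call sites should pin the same commit, so a reviewer can audit the pin against upstream. The enclosing `run:` script continues past the hunk; I would also quote `"${container_full}"` in the two `echo … | cut` lines so an unexpected value cannot be word-split, although ko's digest output makes that unlikely.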
@ -27,10 +27,10 @@ inputs:
|
||||
default: "false"
|
||||
cosignPublicKey:
|
||||
description: "Cosign public key"
|
||||
required: false
|
||||
required: true
|
||||
cosignPrivateKey:
|
||||
description: "Cosign private key"
|
||||
required: false
|
||||
required: true
|
||||
cosignPassword:
|
||||
description: "Password for Cosign private key"
|
||||
required: false
|
||||
@ -50,11 +50,11 @@ runs:
|
||||
uses: ./.github/actions/build_ko
|
||||
with:
|
||||
name: ${{ inputs.name }}
|
||||
koConfig: ${{ inputs.koConfig }}
|
||||
pseudoVersion: ${{ inputs.pseudoVersion }}
|
||||
koConfig: ${{ inputs.koConfig }}
|
||||
koTarget: ${{ inputs.koTarget }}
|
||||
pushTag: ${{ inputs.pushTag }}
|
||||
githubToken: ${{ inputs.GITHUB_TOKEN }}
|
||||
pushTag: ci-test
|
||||
|
||||
- name: Download ko Container Data
|
||||
id: download_container_data
|
||||
|
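Review bot: The `with:` block now forwards `pushTag: ${{ inputs.pushTag }}` to build_ko, whose `pushTag` input this commit changes to `required: true`, but the branch workflows migrated in this commit (build-joinservice-image.yml, build-keyservice-image.yml and the node-operator and verification-service workflows) do not pass `pushTag`; whether this action declares a default for its own `pushTag` input is outside the hunk, so if it does not, those runs forward an empty tag. Either give the action's `pushTag` a documented default or make it `required: true` here as well so the gap is reported at the caller. Separately, the first hunk makes `cosignPublicKey` and `cosignPrivateKey` `required: true` while `cosignPassword` stays `required: false`; if the private key is password-protected that asymmetry should be explained in the input, e.g. `description: "Password for Cosign private key (leave empty for an unencrypted key)"`.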
@ -1,31 +0,0 @@
|
||||
name: Build and upload constellation node operator image (KO)
|
||||
|
||||
on:
|
||||
workflow_dispatch:
|
||||
push:
|
||||
branches:
|
||||
- main
|
||||
- "release/**"
|
||||
|
||||
jobs:
|
||||
build-constellation-node-operator:
|
||||
runs-on: ubuntu-22.04
|
||||
permissions:
|
||||
contents: read
|
||||
packages: write
|
||||
steps:
|
||||
- name: Check out repository
|
||||
id: checkout
|
||||
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
|
||||
with:
|
||||
ref: ${{ github.head_ref }}
|
||||
|
||||
- name: Build and upload constellation-node-operator container image
|
||||
uses: ./.github/actions/build_micro_service_ko
|
||||
with:
|
||||
name: node-operator
|
||||
koTarget: ./operators/constellation-node-operator
|
||||
githubToken: ${{ secrets.GITHUB_TOKEN }}
|
||||
cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
|
||||
cosignPrivateKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
|
||||
cosignPassword: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}
|
@ -30,10 +30,10 @@ jobs:
|
||||
go-version: "1.19.5"
|
||||
|
||||
- name: Build and upload constellation-node-operator container image
|
||||
uses: ./.github/actions/build_operator
|
||||
uses: ./.github/actions/build_micro_service_ko
|
||||
with:
|
||||
name: node-operator
|
||||
sourceDir: operators/constellation-node-operator
|
||||
koTarget: ./operators/constellation-node-operator
|
||||
githubToken: ${{ secrets.GITHUB_TOKEN }}
|
||||
cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
|
||||
cosignPrivateKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
|
||||
|
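Review bot: The migrated step's `with:` block ends the hunk at `cosignPrivateKey` with no `cosignPassword` visible, whereas the deleted `-ko` workflow for the same service passed `cosignPassword: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}`. The hunk ends on trailing context, so the line may simply sit below it; if it does not, the four branch workflows (this one, build-joinservice-image.yml, build-keyservice-image.yml and the verification-service workflow) now sign with a key whose password is never supplied, and because build_micro_service_ko keeps `cosignPassword` as `required: false` nothing in the action metadata would flag that. Worth confirming once against the full files rather than the diff.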
39
.github/workflows/build-joinservice-image-ko.yml
vendored
@ -1,39 +0,0 @@
|
||||
name: Build and upload join service image (KO)
|
||||
env:
|
||||
REGISTRY: ghcr.io
|
||||
|
||||
on:
|
||||
workflow_dispatch:
|
||||
push:
|
||||
branches:
|
||||
- main
|
||||
- "release/**"
|
||||
|
||||
jobs:
|
||||
build-join-service-ko:
|
||||
runs-on: ubuntu-22.04
|
||||
permissions:
|
||||
contents: read
|
||||
packages: write
|
||||
steps:
|
||||
- name: Check out repository
|
||||
id: checkout
|
||||
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
|
||||
with:
|
||||
ref: ${{ github.head_ref }}
|
||||
|
||||
- name: Setup Go environment
|
||||
uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
|
||||
with:
|
||||
go-version: "1.19.5"
|
||||
|
||||
- name: Build and upload join service container image
|
||||
id: build-and-upload
|
||||
uses: ./.github/actions/build_micro_service_ko
|
||||
with:
|
||||
name: joinservice
|
||||
koTarget: ./joinservice/cmd
|
||||
githubToken: ${{ secrets.GITHUB_TOKEN }}
|
||||
cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
|
||||
cosignPrivateKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
|
||||
cosignPassword: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}
|
13
.github/workflows/build-joinservice-image.yml
vendored
@ -1,4 +1,6 @@
|
||||
name: Build and upload join-service image
|
||||
name: Build and upload join service image
|
||||
env:
|
||||
REGISTRY: ghcr.io
|
||||
|
||||
on:
|
||||
workflow_dispatch:
|
||||
@ -29,13 +31,12 @@ jobs:
|
||||
with:
|
||||
go-version: "1.19.5"
|
||||
|
||||
- name: Build and upload join-service container image
|
||||
- name: Build and upload join service container image
|
||||
id: build-and-upload
|
||||
uses: ./.github/actions/build_micro_service
|
||||
uses: ./.github/actions/build_micro_service_ko
|
||||
with:
|
||||
name: join-service
|
||||
projectVersion: "0.0.0"
|
||||
dockerfile: joinservice/Dockerfile
|
||||
name: joinservice
|
||||
koTarget: ./joinservice/cmd
|
||||
githubToken: ${{ secrets.GITHUB_TOKEN }}
|
||||
cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
|
||||
cosignPrivateKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
|
||||
|
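Review bot: The `name:` input changes from `join-service` to `joinservice` at the `name: joinservice` line, while the `micro-services` matrix added to release.yml in this same commit maps `./joinservice/cmd` to `name: join-service`; with build_ko's `KO_DOCKER_REPO` now `${{ inputs.registry }}/edgelesssys/constellation/${{ inputs.name }}`, branch builds and release builds of the same service are pushed to two different image repositories. One spelling should be picked (the other three services keep their hyphenated names in both places), otherwise whichever repository the Helm chart references is populated by only one of the pipelines. The deleted build-joinservice-image-ko.yml used `joinservice` too, so this looks carried over rather than intended.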
43
.github/workflows/build-keyservice-image-ko.yml
vendored
@ -1,43 +0,0 @@
|
||||
name: Build and upload KeyService image (KO)
|
||||
env:
|
||||
REGISTRY: ghcr.io
|
||||
|
||||
on:
|
||||
workflow_dispatch:
|
||||
push:
|
||||
branches:
|
||||
- main
|
||||
- "release/**"
|
||||
|
||||
jobs:
|
||||
build-keyservice:
|
||||
runs-on: ubuntu-22.04
|
||||
permissions:
|
||||
contents: read
|
||||
packages: write
|
||||
steps:
|
||||
- name: Check out repository
|
||||
id: checkout
|
||||
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
|
||||
with:
|
||||
ref: ${{ github.head_ref }}
|
||||
|
||||
- name: Setup Go environment
|
||||
uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
|
||||
with:
|
||||
go-version: "1.19.5"
|
||||
|
||||
- name: Set up ko
|
||||
uses: imjasonh/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6
|
||||
|
||||
- name: Build and upload KeyService container image
|
||||
id: build-and-upload
|
||||
uses: ./.github/actions/build_micro_service_ko
|
||||
with:
|
||||
name: key-service
|
||||
koConfig: .ko.yaml
|
||||
koTarget: ./keyservice/cmd
|
||||
githubToken: ${{ secrets.GITHUB_TOKEN }}
|
||||
cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
|
||||
cosignPrivateKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
|
||||
cosignPassword: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}
|
11
.github/workflows/build-keyservice-image.yml
vendored
@ -1,4 +1,6 @@
|
||||
name: Build and upload KeyService image
|
||||
env:
|
||||
REGISTRY: ghcr.io
|
||||
|
||||
on:
|
||||
workflow_dispatch:
|
||||
@ -29,13 +31,16 @@ jobs:
|
||||
with:
|
||||
go-version: "1.19.5"
|
||||
|
||||
- name: Set up ko
|
||||
uses: imjasonh/setup-ko@9a31684920a610d5dbe8012888714d64706f9787 # tag=v0.6
|
||||
|
||||
- name: Build and upload KeyService container image
|
||||
id: build-and-upload
|
||||
uses: ./.github/actions/build_micro_service
|
||||
uses: ./.github/actions/build_micro_service_ko
|
||||
with:
|
||||
name: key-service
|
||||
projectVersion: "0.0.0"
|
||||
dockerfile: keyservice/Dockerfile
|
||||
koConfig: .ko.yaml
|
||||
koTarget: ./kms/cmd
|
||||
githubToken: ${{ secrets.GITHUB_TOKEN }}
|
||||
cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
|
||||
cosignPrivateKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
|
||||
|
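Review bot: `koTarget: ./kms/cmd` does not match the target the release.yml matrix in this commit builds for the same `key-service` name (`./keyservice/cmd`), which is also what the deleted build-keyservice-image-ko.yml used; unless both directories exist, one of the two pipelines builds the wrong program or fails at `ko build`. This workflow also passes `koConfig: .ko.yaml` while the release.yml matrix passes no `koConfig`, so if that file sets a base image or build flags, the release image of key-service is not built the same way as the branch image, which works against the reproducible-builds goal of the commit. I would align the target with release.yml and either drop `koConfig` here or add it to the release matrix.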
@ -1,37 +0,0 @@
|
||||
name: Build and upload verification-service image (KO)
|
||||
|
||||
on:
|
||||
workflow_dispatch:
|
||||
push:
|
||||
branches:
|
||||
- main
|
||||
- "release/**"
|
||||
|
||||
jobs:
|
||||
build-verification-service:
|
||||
runs-on: ubuntu-22.04
|
||||
permissions:
|
||||
contents: read
|
||||
packages: write
|
||||
steps:
|
||||
- name: Check out repository
|
||||
id: checkout
|
||||
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
|
||||
with:
|
||||
ref: ${{ github.head_ref }}
|
||||
|
||||
- name: Setup Go environment
|
||||
uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
|
||||
with:
|
||||
go-version: "1.19.5"
|
||||
|
||||
- name: Build and upload verification-service container image (KO)
|
||||
id: build-and-upload
|
||||
uses: ./.github/actions/build_micro_service_ko
|
||||
with:
|
||||
name: verification-service
|
||||
koTarget: ./verify/cmd
|
||||
githubToken: ${{ secrets.GITHUB_TOKEN }}
|
||||
cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
|
||||
cosignPrivateKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
|
||||
cosignPassword: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}
|
@ -31,11 +31,10 @@ jobs:
|
||||
|
||||
- name: Build and upload verification-service container image
|
||||
id: build-and-upload
|
||||
uses: ./.github/actions/build_micro_service
|
||||
uses: ./.github/actions/build_micro_service_ko
|
||||
with:
|
||||
name: verification-service
|
||||
projectVersion: "0.0.0"
|
||||
dockerfile: verify/Dockerfile
|
||||
koTarget: ./verify/cmd
|
||||
githubToken: ${{ secrets.GITHUB_TOKEN }}
|
||||
cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
|
||||
cosignPrivateKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
|
||||
|
44
.github/workflows/release.yml
vendored
@ -115,6 +115,40 @@ jobs:
|
||||
git push origin "${BRANCH}"
|
||||
|
||||
micro-services:
|
||||
name: Build micro services
|
||||
runs-on: ubuntu-22.04
|
||||
needs: [verify-inputs, prepare-release-branch]
|
||||
strategy:
|
||||
matrix:
|
||||
koTarget:
|
||||
[./joinservice/cmd, ./keyservice/cmd, ./verify/cmd, ./operators/constellation-node-operator]
|
||||
include:
|
||||
- koTarget: ./joinservice/cmd
|
||||
name: join-service
|
||||
- koTarget: ./keyservice/cmd
|
||||
name: key-service
|
||||
- koTarget: ./verify/cmd
|
||||
name: verification-service
|
||||
- koTarget: ./operators/constellation-node-operator
|
||||
name: node-operator
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
|
||||
with:
|
||||
ref: ${{ needs.verify-inputs.outputs.RELEASE_BRANCH }}
|
||||
|
||||
- name: Build ${{ matrix.name }} micro service
|
||||
uses: ./.github/actions/build_micro_service_ko
|
||||
with:
|
||||
koTarget: ${{ matrix.koTarget }}
|
||||
name: ${{ matrix.name }}
|
||||
pushTag: ${{ inputs.version }}
|
||||
githubToken: ${{ secrets.GITHUB_TOKEN }}
|
||||
cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
|
||||
cosignPrivateKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
|
||||
cosignPassword: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}
|
||||
|
||||
micro-services-metadata:
|
||||
name: Build micro services
|
||||
needs: [verify-inputs, prepare-release-branch]
|
||||
uses: ./.github/workflows/build-micro-service-manual.yml
|
||||
@ -122,12 +156,8 @@ jobs:
|
||||
contents: read
|
||||
packages: write
|
||||
secrets: inherit
|
||||
strategy:
|
||||
matrix:
|
||||
service:
|
||||
[join-service, key-service, verification-service, qemu-metadata-api]
|
||||
with:
|
||||
microService: ${{ matrix.service }}
|
||||
microService: qemu-metadata-api
|
||||
imageTag: ${{ inputs.version }}
|
||||
version: ${{ needs.verify-inputs.outputs.WITHOUT_V }}
|
||||
ref: ${{ needs.verify-inputs.outputs.RELEASE_BRANCH }}
|
||||
@ -148,7 +178,7 @@ jobs:
|
||||
|
||||
update-versions:
|
||||
name: Update container image versions
|
||||
needs: [verify-inputs, micro-services, constellation-node-operator]
|
||||
needs: [verify-inputs, micro-services]
|
||||
runs-on: ubuntu-22.04
|
||||
permissions:
|
||||
contents: write
|
||||
@ -182,7 +212,9 @@ jobs:
|
||||
yq eval -i ".version = \"${WITHOUT_V}\"" "cli/internal/helm/charts/edgeless/constellation-services/charts/${service}/Chart.yaml"
|
||||
git add "cli/internal/helm/charts/edgeless/constellation-services/charts/${service}/Chart.yaml"
|
||||
done
|
||||
|
||||
git add cli/internal/helm/charts/edgeless/constellation-services/Chart.yaml
|
||||
|
||||
yq eval -i ".version = \"${WITHOUT_V}\"" cli/internal/helm/charts/edgeless/operators/Chart.yaml
|
||||
for service in node-maintenance-operator constellation-operator; do
|
||||
yq eval -i "(.dependencies[] | select(.name == \"${service}\")).version = \"${WITHOUT_V}\"" cli/internal/helm/charts/edgeless/operators/Chart.yaml
|
||||
|
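Review bot: The new `micro-services` job selects the signing material with `startsWith(github.ref, 'refs/heads/release/v')`, but it checks out `needs.verify-inputs.outputs.RELEASE_BRANCH` rather than `github.ref`; if the release workflow is dispatched from `main` (as the `git push origin "${BRANCH}"` context line from the preceding job suggests the release branch is created during the run), `github.ref` is not a release ref and the release images are signed with the `COSIGN_DEV_*` secrets. A condition on the branch that is actually built, e.g. `cosignPrivateKey: ${{ startsWith(needs.verify-inputs.outputs.RELEASE_BRANCH, 'release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}`, would match what is pushed; the same expression is used on the `cosignPublicKey` and `cosignPassword` lines. The job also declares no `permissions:` block although it pushes with `secrets.GITHUB_TOKEN`, whereas `micro-services-metadata` keeps `contents: read` / `packages: write`; unless a workflow-level `permissions:` outside the hunk grants `packages: write` the push fails, and an explicit per-job block is the least-privilege form either way. Finally both jobs now display as `name: Build micro services`, which makes the run view ambiguous.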
@ -51,7 +51,7 @@ spec:
|
||||
- --metrics-bind-address=127.0.0.1:8080
|
||||
- --leader-elect
|
||||
command:
|
||||
- /manager
|
||||
- /ko-app/v2
|
||||
env:
|
||||
- name: KUBERNETES_CLUSTER_DOMAIN
|
||||
value: {{ .Values.kubernetesClusterDomain }}
|
||||
|
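Review bot: `- /ko-app/v2` hard-codes ko's binary layout and a name that presumably comes from the last element of the operator's Go import path; that coupling is invisible from the chart and will silently break the Deployment when the module path or build tool changes, so it should be documented next to the line. I would add `# ko builds the binary as /ko-app/<last import-path element>; keep in sync with koTarget in the CI workflows` above the `command:` entry, and the same applies to the second chart template hunk below (the one with `- --metrics-bind-address=:8080` as context), which makes the identical change.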
@ -48,7 +48,7 @@ spec:
|
||||
- --metrics-bind-address=:8080
|
||||
- --leader-elect
|
||||
command:
|
||||
- /manager
|
||||
- /ko-app/v2
|
||||
env:
|
||||
- name: OPERATOR_NAMESPACE
|
||||
valueFrom:
|
||||
|