From 2187aa6cb02822c7dc3be7d2921fcefeac54b0b7 Mon Sep 17 00:00:00 2001
From: leongross <64152526+leongross@users.noreply.github.com>
Date: Mon, 30 Jan 2023 16:58:49 +0100
Subject: [PATCH] ci: reproducible builds integration (#1108)
* remove `-ko` suffix from workflows
* integrate into `release.yaml`
* adjust helm charts to use hard coded `ko` binary path
---
.github/actions/build_ko/action.yml | 13 ++++--
.../actions/build_micro_service_ko/action.yml | 8 ++--
.../build-constellation-node-operator-ko.yml | 31 -------------
.../build-constellation-node-operator.yml | 4 +-
.../workflows/build-joinservice-image-ko.yml | 39 ----------------
.github/workflows/build-joinservice-image.yml | 13 +++---
.../workflows/build-keyservice-image-ko.yml | 43 ------------------
.github/workflows/build-keyservice-image.yml | 11 +++--
.../build-verification-service-ko.yml | 37 ----------------
.../workflows/build-verification-service.yml | 5 +--
.github/workflows/release.yml | 44 ++++++++++++++++---
.../templates/deployment.yaml | 2 +-
.../templates/deployment.yaml | 2 +-
13 files changed, 73 insertions(+), 179 deletions(-)
delete mode 100644 .github/workflows/build-constellation-node-operator-ko.yml
delete mode 100644 .github/workflows/build-joinservice-image-ko.yml
delete mode 100644 .github/workflows/build-keyservice-image-ko.yml
delete mode 100644 .github/workflows/build-verification-service-ko.yml
diff --git a/.github/actions/build_ko/action.yml b/.github/actions/build_ko/action.yml
index 82cfd8544..968b37b37 100644
--- a/.github/actions/build_ko/action.yml
+++ b/.github/actions/build_ko/action.yml
@@ -21,7 +21,7 @@ inputs:
required: true
pushTag:
description: "Use this image tag"
- required: false
+ required: true
githubToken:
description: "GitHub authorization token"
required: true
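Review bot: `pushTag` becomes a required input of build_ko in this hunk, and build_micro_service_ko now forwards `${{ inputs.pushTag }}` for it, but the push-triggered callers touched by this patch (build-constellation-node-operator.yml, build-joinservice-image.yml, build-keyservice-image.yml, build-verification-service.yml) pass no `pushTag`; only the new release.yml job does. Unless build_micro_service_ko declares a default for `pushTag` (its input block is outside the visible hunks), those workflows now hand an empty value to a required input, and as far as I know the runner does not enforce `required: true` on composite-action inputs, so the problem would surface later as a malformed `--tags` argument rather than a clear error. Either give the input a default in build_micro_service_ko or pass an explicit tag from each caller, e.g. `pushTag: ci-test`, which is the value the removed hard-coded line used to supply.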
@@ -50,6 +50,12 @@ runs:
id: pseudo-version
uses: ./.github/actions/pseudo_version
+ - name: Setup Go environment
+ uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
+ with:
+ go-version: "1.19.5"
+ cache: true
+
- name: Set up ko
uses: imjasonh/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6
@@ -60,7 +66,7 @@ runs:
KO_USER: ${{ github.actor }}
KO_CONFIG_PATH: ${{ inputs.koConfig }}
KO_PASSWORD: ${{ inputs.githubToken }}
- KO_DOCKER_REPO: ${{ inputs.registry }}/edgelesssys/${{ inputs.name }}-ko
+ KO_DOCKER_REPO: ${{ inputs.registry }}/edgelesssys/constellation/${{ inputs.name }}
run: |
tags=""
sbom=""
@@ -91,7 +97,8 @@ runs:
sbom="--sbom=none"
fi
- container_full=$(ko build ${{ inputs.koTarget }} --bare --tags ${tags} ${sbom})
+ echo "Building container image with tags: ${tags}"
+ container_full=$(ko build ${{ inputs.koTarget }} --bare --tags "${tags}" ${sbom})
container_image=$(echo $container_full | cut -d@ -f1)
container_sha256=$(echo $container_full | cut -d: -f2)
diff --git a/.github/actions/build_micro_service_ko/action.yml b/.github/actions/build_micro_service_ko/action.yml
index a34ee5080..7c557b7d3 100644
--- a/.github/actions/build_micro_service_ko/action.yml
+++ b/.github/actions/build_micro_service_ko/action.yml
@@ -27,10 +27,10 @@ inputs:
default: "false"
cosignPublicKey:
description: "Cosign public key"
- required: false
+ required: true
cosignPrivateKey:
description: "Cosign private key"
- required: false
+ required: true
cosignPassword:
description: "Password for Cosign private key"
required: false
@@ -50,11 +50,11 @@ runs:
uses: ./.github/actions/build_ko
with:
name: ${{ inputs.name }}
- koConfig: ${{ inputs.koConfig }}
pseudoVersion: ${{ inputs.pseudoVersion }}
+ koConfig: ${{ inputs.koConfig }}
koTarget: ${{ inputs.koTarget }}
+ pushTag: ${{ inputs.pushTag }}
githubToken: ${{ inputs.GITHUB_TOKEN }}
- pushTag: ci-test
- name: Download ko Container Data
id: download_container_data
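Review bot: The Go toolchain is now pinned in two places: this hunk installs actions/setup-go with `go-version: "1.19.5"` inside build_ko, while the workflows that reach it through build_micro_service_ko keep their own `Setup Go environment` step with the same literal (visible as context in build-constellation-node-operator.yml, build-joinservice-image.yml and build-keyservice-image.yml). For a change whose stated goal is reproducible builds a single source of truth matters, because a bump in one place silently produces images from a different toolchain than the other. Either drop the callers' setup-go steps now that the action provisions Go itself, or record which pin is authoritative with a comment above this step, e.g. `# Go version used for every ko build; callers must not set up a different one`.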
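Review bot: `cosignPublicKey` and `cosignPrivateKey` turn `required: true` in the build_micro_service_ko inputs hunk, while `cosignPassword`, three lines further down, stays `required: false`. Every caller in this patch passes a password, which suggests the private key is always stored encrypted; if so the password should be required too, so that a missing secret is reported as a configuration error rather than as a cosign failure deep inside the composite action. If an unencrypted key is a supported configuration, state it in the input's description, e.g. `description: "Password for Cosign private key (leave empty if the key is not encrypted)"`.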
diff --git a/.github/workflows/build-constellation-node-operator-ko.yml b/.github/workflows/build-constellation-node-operator-ko.yml
deleted file mode 100644
index a1f08aa4d..000000000
--- a/.github/workflows/build-constellation-node-operator-ko.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-name: Build and upload constellation node operator image (KO)
-
-on:
- workflow_dispatch:
- push:
- branches:
- - main
- - "release/**"
-
-jobs:
- build-constellation-node-operator:
- runs-on: ubuntu-22.04
- permissions:
- contents: read
- packages: write
- steps:
- - name: Check out repository
- id: checkout
- uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
- with:
- ref: ${{ github.head_ref }}
-
- - name: Build and upload constellation-node-operator container image
- uses: ./.github/actions/build_micro_service_ko
- with:
- name: node-operator
- koTarget: ./operators/constellation-node-operator
- githubToken: ${{ secrets.GITHUB_TOKEN }}
- cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
- cosignPrivateKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
- cosignPassword: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}
diff --git a/.github/workflows/build-constellation-node-operator.yml b/.github/workflows/build-constellation-node-operator.yml
index c3987da8b..e999e2624 100644
--- a/.github/workflows/build-constellation-node-operator.yml
+++ b/.github/workflows/build-constellation-node-operator.yml
@@ -30,10 +30,10 @@ jobs:
go-version: "1.19.5"
- name: Build and upload constellation-node-operator container image
- uses: ./.github/actions/build_operator
+ uses: ./.github/actions/build_micro_service_ko
with:
name: node-operator
- sourceDir: operators/constellation-node-operator
+ koTarget: ./operators/constellation-node-operator
githubToken: ${{ secrets.GITHUB_TOKEN }}
cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
cosignPrivateKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
diff --git a/.github/workflows/build-joinservice-image-ko.yml b/.github/workflows/build-joinservice-image-ko.yml
deleted file mode 100644
index f10c0f321..000000000
--- a/.github/workflows/build-joinservice-image-ko.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-name: Build and upload join service image (KO)
-env:
- REGISTRY: ghcr.io
-
-on:
- workflow_dispatch:
- push:
- branches:
- - main
- - "release/**"
-
-jobs:
- build-join-service-ko:
- runs-on: ubuntu-22.04
- permissions:
- contents: read
- packages: write
- steps:
- - name: Check out repository
- id: checkout
- uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
- with:
- ref: ${{ github.head_ref }}
-
- - name: Setup Go environment
- uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
- with:
- go-version: "1.19.5"
-
- - name: Build and upload join service container image
- id: build-and-upload
- uses: ./.github/actions/build_micro_service_ko
- with:
- name: joinservice
- koTarget: ./joinservice/cmd
- githubToken: ${{ secrets.GITHUB_TOKEN }}
- cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
- cosignPrivateKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
- cosignPassword: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}
diff --git a/.github/workflows/build-joinservice-image.yml b/.github/workflows/build-joinservice-image.yml
index 5e66c105f..8c2f0498d 100644
--- a/.github/workflows/build-joinservice-image.yml
+++ b/.github/workflows/build-joinservice-image.yml
@@ -1,4 +1,6 @@
-name: Build and upload join-service image
+name: Build and upload join service image
+env:
+ REGISTRY: ghcr.io
on:
workflow_dispatch:
@@ -29,13 +31,12 @@ jobs:
with:
go-version: "1.19.5"
- - name: Build and upload join-service container image
+ - name: Build and upload join service container image
id: build-and-upload
- uses: ./.github/actions/build_micro_service
+ uses: ./.github/actions/build_micro_service_ko
with:
- name: join-service
- projectVersion: "0.0.0"
- dockerfile: joinservice/Dockerfile
+ name: joinservice
+ koTarget: ./joinservice/cmd
githubToken: ${{ secrets.GITHUB_TOKEN }}
cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
cosignPrivateKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
diff --git a/.github/workflows/build-keyservice-image-ko.yml b/.github/workflows/build-keyservice-image-ko.yml
deleted file mode 100644
index b52ce12b3..000000000
--- a/.github/workflows/build-keyservice-image-ko.yml
+++ /dev/null
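Review bot: The image name for the join service differs between this workflow and the release job added in release.yml: here `name: joinservice`, there `name: join-service` (the matrix include for `./joinservice/cmd`). Since build_ko derives `KO_DOCKER_REPO` from `inputs.name`, main-branch builds and release builds would be pushed to two different repositories, `.../constellation/joinservice` and `.../constellation/join-service`, and whichever one the Helm charts reference is then only populated by one of the two pipelines. Pick one spelling and use it in both places; the other services in this patch (`key-service`, `verification-service`, `node-operator`) already agree between the two. The enclosing job starts above this hunk.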
@@ -1,43 +0,0 @@
-name: Build and upload KeyService image (KO)
-env:
- REGISTRY: ghcr.io
-
-on:
- workflow_dispatch:
- push:
- branches:
- - main
- - "release/**"
-
-jobs:
- build-keyservice:
- runs-on: ubuntu-22.04
- permissions:
- contents: read
- packages: write
- steps:
- - name: Check out repository
- id: checkout
- uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
- with:
- ref: ${{ github.head_ref }}
-
- - name: Setup Go environment
- uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
- with:
- go-version: "1.19.5"
-
- - name: Set up ko
- uses: imjasonh/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6
-
- - name: Build and upload KeyService container image
- id: build-and-upload
- uses: ./.github/actions/build_micro_service_ko
- with:
- name: key-service
- koConfig: .ko.yaml
- koTarget: ./keyservice/cmd
- githubToken: ${{ secrets.GITHUB_TOKEN }}
- cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
- cosignPrivateKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
- cosignPassword: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}
diff --git a/.github/workflows/build-keyservice-image.yml b/.github/workflows/build-keyservice-image.yml
index cb5d53a0f..dc0263ce9 100644
--- a/.github/workflows/build-keyservice-image.yml
+++ b/.github/workflows/build-keyservice-image.yml
@@ -1,4 +1,6 @@
name: Build and upload KeyService image
+env:
+ REGISTRY: ghcr.io
on:
workflow_dispatch:
@@ -29,13 +31,16 @@ jobs:
with:
go-version: "1.19.5"
+ - name: Set up ko
+ uses: imjasonh/setup-ko@9a31684920a610d5dbe8012888714d64706f9787 # tag=v0.6
+
- name: Build and upload KeyService container image
id: build-and-upload
- uses: ./.github/actions/build_micro_service
+ uses: ./.github/actions/build_micro_service_ko
with:
name: key-service
- projectVersion: "0.0.0"
- dockerfile: keyservice/Dockerfile
+ koConfig: .ko.yaml
+ koTarget: ./kms/cmd
githubToken: ${{ secrets.GITHUB_TOKEN }}
cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
cosignPrivateKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
diff --git a/.github/workflows/build-verification-service-ko.yml b/.github/workflows/build-verification-service-ko.yml
deleted file mode 100644
index 8b20b70fc..000000000
--- a/.github/workflows/build-verification-service-ko.yml
+++ /dev/null
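Review bot: `koTarget: ./kms/cmd` in this hunk disagrees with release.yml, whose matrix builds `key-service` from `./keyservice/cmd`, and with the deleted build-keyservice-image-ko.yml, which also used `./keyservice/cmd`; presumably only one of the two paths exists in the tree, so either the main-branch or the release build of this service cannot succeed. The added `Set up ko` step is also redundant now that build_ko installs ko itself, and it pins `imjasonh/setup-ko@9a31684920a610d5dbe8012888714d64706f9787 # tag=v0.6` while build_ko pins `imjasonh/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6`, two different commits under the same version label, which undermines the reproducibility the patch is after. Drop the extra step, let the composite action own the ko pin, and align the target path with release.yml. The enclosing job starts above this hunk.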
@@ -1,37 +0,0 @@
-name: Build and upload verification-service image (KO)
-
-on:
- workflow_dispatch:
- push:
- branches:
- - main
- - "release/**"
-
-jobs:
- build-verification-service:
- runs-on: ubuntu-22.04
- permissions:
- contents: read
- packages: write
- steps:
- - name: Check out repository
- id: checkout
- uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
- with:
- ref: ${{ github.head_ref }}
-
- - name: Setup Go environment
- uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
- with:
- go-version: "1.19.5"
-
- - name: Build and upload verification-service container image (KO)
- id: build-and-upload
- uses: ./.github/actions/build_micro_service_ko
- with:
- name: verification-service
- koTarget: ./verify/cmd
- githubToken: ${{ secrets.GITHUB_TOKEN }}
- cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
- cosignPrivateKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
- cosignPassword: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}
diff --git a/.github/workflows/build-verification-service.yml b/.github/workflows/build-verification-service.yml
index 821ecb279..545807e9f 100644
--- a/.github/workflows/build-verification-service.yml
+++ b/.github/workflows/build-verification-service.yml
@@ -31,11 +31,10 @@ jobs:
- name: Build and upload verification-service container image
id: build-and-upload
- uses: ./.github/actions/build_micro_service
+ uses: ./.github/actions/build_micro_service_ko
with:
name: verification-service
- projectVersion: "0.0.0"
- dockerfile: verify/Dockerfile
+ koTarget: ./verify/cmd
githubToken: ${{ secrets.GITHUB_TOKEN }}
cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
cosignPrivateKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 428530967..938e612d0 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -115,6 +115,40 @@ jobs:
git push origin "${BRANCH}"
micro-services:
+ name: Build micro services
+ runs-on: ubuntu-22.04
+ needs: [verify-inputs, prepare-release-branch]
+ strategy:
+ matrix:
+ koTarget:
+ [./joinservice/cmd, ./keyservice/cmd, ./verify/cmd, ./operators/constellation-node-operator]
+ include:
+ - koTarget: ./joinservice/cmd
+ name: join-service
+ - koTarget: ./keyservice/cmd
+ name: key-service
+ - koTarget: ./verify/cmd
+ name: verification-service
+ - koTarget: ./operators/constellation-node-operator
+ name: node-operator
+ steps:
+ - name: Checkout
+ uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+ with:
+ ref: ${{ needs.verify-inputs.outputs.RELEASE_BRANCH }}
+
+ - name: Build ${{ matrix.name }} micro service
+ uses: ./.github/actions/build_micro_service_ko
+ with:
+ koTarget: ${{ matrix.koTarget }}
+ name: ${{ matrix.name }}
+ pushTag: ${{ inputs.version }}
+ githubToken: ${{ secrets.GITHUB_TOKEN }}
+ cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
+ cosignPrivateKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
+ cosignPassword: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}
+
+ micro-services-metadata:
name: Build micro services
needs: [verify-inputs, prepare-release-branch]
uses: ./.github/workflows/build-micro-service-manual.yml
@@ -122,12 +156,8 @@ jobs:
contents: read
packages: write
secrets: inherit
- strategy:
- matrix:
- service:
- [join-service, key-service, verification-service, qemu-metadata-api]
with:
- microService: ${{ matrix.service }}
+ microService: qemu-metadata-api
imageTag: ${{ inputs.version }}
version: ${{ needs.verify-inputs.outputs.WITHOUT_V }}
ref: ${{ needs.verify-inputs.outputs.RELEASE_BRANCH }}
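Review bot: The new `micro-services` job selects the Cosign secrets with `startsWith(github.ref, 'refs/heads/release/v')`, yet it checks out `needs.verify-inputs.outputs.RELEASE_BRANCH` and tags with `inputs.version`, so `github.ref` is whatever ref this release workflow was started from, not the branch whose code is being built. The expression was evidently copied from the push-triggered workflows, where the two coincide; here, if the workflow is presumably dispatched from main, a release-versioned image is signed with the dev key pair and consumers pinning the production public key will reject it. Derive the condition from the release branch in whatever form verify-inputs emits it, e.g. `startsWith(needs.verify-inputs.outputs.RELEASE_BRANCH, 'release/v')` (constructed example), or use the production secrets unconditionally in this job. Both this job and the reduced `micro-services-metadata` job also carry `name: Build micro services`; renaming the second to `name: Build qemu-metadata-api` keeps the run view unambiguous.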
@@ -148,7 +178,7 @@ jobs:
update-versions:
name: Update container image versions
- needs: [verify-inputs, micro-services, constellation-node-operator]
+ needs: [verify-inputs, micro-services]
runs-on: ubuntu-22.04
permissions:
contents: write
@@ -182,7 +212,9 @@ jobs:
yq eval -i ".version = \"${WITHOUT_V}\"" "cli/internal/helm/charts/edgeless/constellation-services/charts/${service}/Chart.yaml"
git add "cli/internal/helm/charts/edgeless/constellation-services/charts/${service}/Chart.yaml"
done
+ git add cli/internal/helm/charts/edgeless/constellation-services/Chart.yaml
+ yq eval -i ".version = \"${WITHOUT_V}\"" cli/internal/helm/charts/edgeless/operators/Chart.yaml
for service in node-maintenance-operator constellation-operator; do yq eval -i "(.dependencies[] | select(.name == \"${service}\")).version = \"${WITHOUT_V}\"" cli/internal/helm/charts/edgeless/operators/Chart.yaml
diff --git a/cli/internal/helm/charts/edgeless/operators/charts/constellation-operator/templates/deployment.yaml b/cli/internal/helm/charts/edgeless/operators/charts/constellation-operator/templates/deployment.yaml
index 42996246d..84e794988 100644
--- a/cli/internal/helm/charts/edgeless/operators/charts/constellation-operator/templates/deployment.yaml
+++ b/cli/internal/helm/charts/edgeless/operators/charts/constellation-operator/templates/deployment.yaml
@@ -51,7 +51,7 @@ spec:
- --metrics-bind-address=127.0.0.1:8080
- --leader-elect
command:
- - /manager
+ - /ko-app/v2
env:
- name: KUBERNETES_CLUSTER_DOMAIN
value: {{ .Values.kubernetesClusterDomain }}
diff --git a/cli/internal/helm/charts/edgeless/operators/charts/node-maintenance-operator/templates/deployment.yaml b/cli/internal/helm/charts/edgeless/operators/charts/node-maintenance-operator/templates/deployment.yaml
index 218de7451..8b050b685 100644
--- a/cli/internal/helm/charts/edgeless/operators/charts/node-maintenance-operator/templates/deployment.yaml
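Review bot: The operator entrypoint is changed to the hard-coded path `/ko-app/v2` in the constellation-operator deployment template here and, with the same defect, in the node-maintenance-operator template in the next hunk, with nothing explaining where that name comes from. ko names the binary after the last element of the import path it builds, so `v2` is presumably the major-version suffix of the operator module rather than anything descriptive, and the chart will silently point at a non-existent binary if the module path or ko's naming changes. Add a comment above `command:` in both templates, e.g. `# ko installs the binary as /ko-app/<last import-path element>; keep in sync with the module path built by koTarget`. Since, as far as I know, ko already sets the image entrypoint to the built binary, dropping the `command:` override from the charts altogether may be the more robust alternative.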
+++ b/cli/internal/helm/charts/edgeless/operators/charts/node-maintenance-operator/templates/deployment.yaml
@@ -48,7 +48,7 @@ spec:
- --metrics-bind-address=:8080
- --leader-elect
command:
- - /manager
+ - /ko-app/v2
env:
- name: OPERATOR_NAMESPACE
valueFrom: