Git-Mirrors/constellation
1
0
Fork 0
mirror of https://github.com/edgelesssys/constellation.git synced 2025-04-25 09:39:22 -04:00
Code Issues Packages Projects Releases Wiki Activity

ci: reproducible builds integration (#1108)

Browse Source 
* remove `-ko` suffix from workflows
* integrate into `release.yaml`
* adjust helm charts to use hard coded `ko` binary path
This commit is contained in:
leongross 2023-01-30 16:58:49 +01:00 committed by GitHub
parent 11e233e4be
commit 2187aa6cb0
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
13 changed files with 73 additions and 179 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
.github/actions/build_ko/action.yml vendored
View File

@ -21,7 +21,7 @@ inputs:
required: true required: true
pushTag: pushTag:
description: "Use this image tag" description: "Use this image tag"
required: false required: true
githubToken: githubToken:
description: "GitHub authorization token" description: "GitHub authorization token"
required: true required: true
@ -50,6 +50,12 @@ runs:
id: pseudo-version id: pseudo-version
uses: ./.github/actions/pseudo_version uses: ./.github/actions/pseudo_version
- name: Setup Go environment
uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
with:
go-version: "1.19.5"
cache: true
- name: Set up ko - name: Set up ko
uses: imjasonh/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6 uses: imjasonh/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6
@ -60,7 +66,7 @@ runs:
KO_USER: ${{ github.actor }} KO_USER: ${{ github.actor }}
KO_CONFIG_PATH: ${{ inputs.koConfig }} KO_CONFIG_PATH: ${{ inputs.koConfig }}
KO_PASSWORD: ${{ inputs.githubToken }} KO_PASSWORD: ${{ inputs.githubToken }}
KO_DOCKER_REPO: ${{ inputs.registry }}/edgelesssys/${{ inputs.name }}-ko KO_DOCKER_REPO: ${{ inputs.registry }}/edgelesssys/constellation/${{ inputs.name }}
run: | run: |
tags="" tags=""
sbom="" sbom=""
@ -91,7 +97,8 @@ runs:
sbom="--sbom=none" sbom="--sbom=none"
fi fi
container_full=$(ko build ${{ inputs.koTarget }} --bare --tags ${tags} ${sbom}) echo "Building container image with tags: ${tags}"
container_full=$(ko build ${{ inputs.koTarget }} --bare --tags "${tags}" ${sbom})
container_image=$(echo $container_full | cut -d@ -f1) container_image=$(echo $container_full | cut -d@ -f1)
container_sha256=$(echo $container_full | cut -d: -f2) container_sha256=$(echo $container_full | cut -d: -f2)

8
.github/actions/build_micro_service_ko/action.yml vendored
View File

@ -27,10 +27,10 @@ inputs:
default: "false" default: "false"
cosignPublicKey: cosignPublicKey:
description: "Cosign public key" description: "Cosign public key"
required: false required: true
cosignPrivateKey: cosignPrivateKey:
description: "Cosign private key" description: "Cosign private key"
required: false required: true
cosignPassword: cosignPassword:
description: "Password for Cosign private key" description: "Password for Cosign private key"
required: false required: false
@ -50,11 +50,11 @@ runs:
uses: ./.github/actions/build_ko uses: ./.github/actions/build_ko
with: with:
name: ${{ inputs.name }} name: ${{ inputs.name }}
koConfig: ${{ inputs.koConfig }}
pseudoVersion: ${{ inputs.pseudoVersion }} pseudoVersion: ${{ inputs.pseudoVersion }}
koConfig: ${{ inputs.koConfig }}
koTarget: ${{ inputs.koTarget }} koTarget: ${{ inputs.koTarget }}
pushTag: ${{ inputs.pushTag }}
githubToken: ${{ inputs.GITHUB_TOKEN }} githubToken: ${{ inputs.GITHUB_TOKEN }}
pushTag: ci-test
- name: Download ko Container Data - name: Download ko Container Data
id: download_container_data id: download_container_data

31
.github/workflows/build-constellation-node-operator-ko.yml vendored
View File

@ -1,31 +0,0 @@
name: Build and upload constellation node operator image (KO)
on:
workflow_dispatch:
push:
branches:
- main
- "release/**"
jobs:
build-constellation-node-operator:
runs-on: ubuntu-22.04
permissions:
contents: read
packages: write
steps:
- name: Check out repository
id: checkout
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
with:
ref: ${{ github.head_ref }}
- name: Build and upload constellation-node-operator container image
uses: ./.github/actions/build_micro_service_ko
with:
name: node-operator
koTarget: ./operators/constellation-node-operator
githubToken: ${{ secrets.GITHUB_TOKEN }}
cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
cosignPrivateKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
cosignPassword: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}

4
.github/workflows/build-constellation-node-operator.yml vendored
View File

@ -30,10 +30,10 @@ jobs:
go-version: "1.19.5" go-version: "1.19.5"
- name: Build and upload constellation-node-operator container image - name: Build and upload constellation-node-operator container image
uses: ./.github/actions/build_operator uses: ./.github/actions/build_micro_service_ko
with: with:
name: node-operator name: node-operator
sourceDir: operators/constellation-node-operator koTarget: ./operators/constellation-node-operator
githubToken: ${{ secrets.GITHUB_TOKEN }} githubToken: ${{ secrets.GITHUB_TOKEN }}
cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }} cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
cosignPrivateKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }} cosignPrivateKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}

39
.github/workflows/build-joinservice-image-ko.yml vendored
View File

@ -1,39 +0,0 @@
name: Build and upload join service image (KO)
env:
REGISTRY: ghcr.io
on:
workflow_dispatch:
push:
branches:
- main
- "release/**"
jobs:
build-join-service-ko:
runs-on: ubuntu-22.04
permissions:
contents: read
packages: write
steps:
- name: Check out repository
id: checkout
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
with:
ref: ${{ github.head_ref }}
- name: Setup Go environment
uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
with:
go-version: "1.19.5"
- name: Build and upload join service container image
id: build-and-upload
uses: ./.github/actions/build_micro_service_ko
with:
name: joinservice
koTarget: ./joinservice/cmd
githubToken: ${{ secrets.GITHUB_TOKEN }}
cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
cosignPrivateKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
cosignPassword: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}

13
.github/workflows/build-joinservice-image.yml vendored
View File

@ -1,4 +1,6 @@
name: Build and upload join-service image name: Build and upload join service image
env:
REGISTRY: ghcr.io
on: on:
workflow_dispatch: workflow_dispatch:
@ -29,13 +31,12 @@ jobs:
with: with:
go-version: "1.19.5" go-version: "1.19.5"
- name: Build and upload join-service container image - name: Build and upload join service container image
id: build-and-upload id: build-and-upload
uses: ./.github/actions/build_micro_service uses: ./.github/actions/build_micro_service_ko
with: with:
name: join-service name: joinservice
projectVersion: "0.0.0" koTarget: ./joinservice/cmd
dockerfile: joinservice/Dockerfile
githubToken: ${{ secrets.GITHUB_TOKEN }} githubToken: ${{ secrets.GITHUB_TOKEN }}
cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }} cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
cosignPrivateKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }} cosignPrivateKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}

43
.github/workflows/build-keyservice-image-ko.yml vendored
View File

@ -1,43 +0,0 @@
name: Build and upload KeyService image (KO)
env:
REGISTRY: ghcr.io
on:
workflow_dispatch:
push:
branches:
- main
- "release/**"
jobs:
build-keyservice:
runs-on: ubuntu-22.04
permissions:
contents: read
packages: write
steps:
- name: Check out repository
id: checkout
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
with:
ref: ${{ github.head_ref }}
- name: Setup Go environment
uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
with:
go-version: "1.19.5"
- name: Set up ko
uses: imjasonh/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6
- name: Build and upload KeyService container image
id: build-and-upload
uses: ./.github/actions/build_micro_service_ko
with:
name: key-service
koConfig: .ko.yaml
koTarget: ./keyservice/cmd
githubToken: ${{ secrets.GITHUB_TOKEN }}
cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
cosignPrivateKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
cosignPassword: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}

11
.github/workflows/build-keyservice-image.yml vendored
View File

@ -1,4 +1,6 @@
name: Build and upload KeyService image name: Build and upload KeyService image
env:
REGISTRY: ghcr.io
on: on:
workflow_dispatch: workflow_dispatch:
@ -29,13 +31,16 @@ jobs:
with: with:
go-version: "1.19.5" go-version: "1.19.5"
- name: Set up ko
uses: imjasonh/setup-ko@9a31684920a610d5dbe8012888714d64706f9787 # tag=v0.6
- name: Build and upload KeyService container image - name: Build and upload KeyService container image
id: build-and-upload id: build-and-upload
uses: ./.github/actions/build_micro_service uses: ./.github/actions/build_micro_service_ko
with: with:
name: key-service name: key-service
projectVersion: "0.0.0" koConfig: .ko.yaml
dockerfile: keyservice/Dockerfile koTarget: ./kms/cmd
githubToken: ${{ secrets.GITHUB_TOKEN }} githubToken: ${{ secrets.GITHUB_TOKEN }}
cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }} cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
cosignPrivateKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }} cosignPrivateKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}

37
.github/workflows/build-verification-service-ko.yml vendored
View File

@ -1,37 +0,0 @@
name: Build and upload verification-service image (KO)
on:
workflow_dispatch:
push:
branches:
- main
- "release/**"
jobs:
build-verification-service:
runs-on: ubuntu-22.04
permissions:
contents: read
packages: write
steps:
- name: Check out repository
id: checkout
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
with:
ref: ${{ github.head_ref }}
- name: Setup Go environment
uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
with:
go-version: "1.19.5"
- name: Build and upload verification-service container image (KO)
id: build-and-upload
uses: ./.github/actions/build_micro_service_ko
with:
name: verification-service
koTarget: ./verify/cmd
githubToken: ${{ secrets.GITHUB_TOKEN }}
cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
cosignPrivateKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
cosignPassword: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}

5
.github/workflows/build-verification-service.yml vendored
View File

@ -31,11 +31,10 @@ jobs:
- name: Build and upload verification-service container image - name: Build and upload verification-service container image
id: build-and-upload id: build-and-upload
uses: ./.github/actions/build_micro_service uses: ./.github/actions/build_micro_service_ko
with: with:
name: verification-service name: verification-service
projectVersion: "0.0.0" koTarget: ./verify/cmd
dockerfile: verify/Dockerfile
githubToken: ${{ secrets.GITHUB_TOKEN }} githubToken: ${{ secrets.GITHUB_TOKEN }}
cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }} cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
cosignPrivateKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }} cosignPrivateKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}

44
.github/workflows/release.yml vendored
View File

@ -115,6 +115,40 @@ jobs:
git push origin "${BRANCH}" git push origin "${BRANCH}"
micro-services: micro-services:
name: Build micro services
runs-on: ubuntu-22.04
needs: [verify-inputs, prepare-release-branch]
strategy:
matrix:
koTarget:
[./joinservice/cmd, ./keyservice/cmd, ./verify/cmd, ./operators/constellation-node-operator]
include:
- koTarget: ./joinservice/cmd
name: join-service
- koTarget: ./keyservice/cmd
name: key-service
- koTarget: ./verify/cmd
name: verification-service
- koTarget: ./operators/constellation-node-operator
name: node-operator
steps:
- name: Checkout
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
with:
ref: ${{ needs.verify-inputs.outputs.RELEASE_BRANCH }}
- name: Build ${{ matrix.name }} micro service
uses: ./.github/actions/build_micro_service_ko
with:
koTarget: ${{ matrix.koTarget }}
name: ${{ matrix.name }}
pushTag: ${{ inputs.version }}
githubToken: ${{ secrets.GITHUB_TOKEN }}
cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
cosignPrivateKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
cosignPassword: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}
micro-services-metadata:
name: Build micro services name: Build micro services
needs: [verify-inputs, prepare-release-branch] needs: [verify-inputs, prepare-release-branch]
uses: ./.github/workflows/build-micro-service-manual.yml uses: ./.github/workflows/build-micro-service-manual.yml
@ -122,12 +156,8 @@ jobs:
contents: read contents: read
packages: write packages: write
secrets: inherit secrets: inherit
strategy:
matrix:
service:
[join-service, key-service, verification-service, qemu-metadata-api]
with: with:
microService: ${{ matrix.service }} microService: qemu-metadata-api
imageTag: ${{ inputs.version }} imageTag: ${{ inputs.version }}
version: ${{ needs.verify-inputs.outputs.WITHOUT_V }} version: ${{ needs.verify-inputs.outputs.WITHOUT_V }}
ref: ${{ needs.verify-inputs.outputs.RELEASE_BRANCH }} ref: ${{ needs.verify-inputs.outputs.RELEASE_BRANCH }}
@ -148,7 +178,7 @@ jobs:
update-versions: update-versions:
name: Update container image versions name: Update container image versions
needs: [verify-inputs, micro-services, constellation-node-operator] needs: [verify-inputs, micro-services]
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
permissions: permissions:
contents: write contents: write
@ -182,7 +212,9 @@ jobs:
yq eval -i ".version = \"${WITHOUT_V}\"" "cli/internal/helm/charts/edgeless/constellation-services/charts/${service}/Chart.yaml" yq eval -i ".version = \"${WITHOUT_V}\"" "cli/internal/helm/charts/edgeless/constellation-services/charts/${service}/Chart.yaml"
git add "cli/internal/helm/charts/edgeless/constellation-services/charts/${service}/Chart.yaml" git add "cli/internal/helm/charts/edgeless/constellation-services/charts/${service}/Chart.yaml"
done done
git add cli/internal/helm/charts/edgeless/constellation-services/Chart.yaml git add cli/internal/helm/charts/edgeless/constellation-services/Chart.yaml
yq eval -i ".version = \"${WITHOUT_V}\"" cli/internal/helm/charts/edgeless/operators/Chart.yaml yq eval -i ".version = \"${WITHOUT_V}\"" cli/internal/helm/charts/edgeless/operators/Chart.yaml
for service in node-maintenance-operator constellation-operator; do for service in node-maintenance-operator constellation-operator; do
yq eval -i "(.dependencies[] | select(.name == \"${service}\")).version = \"${WITHOUT_V}\"" cli/internal/helm/charts/edgeless/operators/Chart.yaml yq eval -i "(.dependencies[] | select(.name == \"${service}\")).version = \"${WITHOUT_V}\"" cli/internal/helm/charts/edgeless/operators/Chart.yaml

2
cli/internal/helm/charts/edgeless/operators/charts/constellation-operator/templates/deployment.yaml
View File

@ -51,7 +51,7 @@ spec:
- --metrics-bind-address=127.0.0.1:8080 - --metrics-bind-address=127.0.0.1:8080
- --leader-elect - --leader-elect
command: command:
- /manager - /ko-app/v2
env: env:
- name: KUBERNETES_CLUSTER_DOMAIN - name: KUBERNETES_CLUSTER_DOMAIN
value: {{ .Values.kubernetesClusterDomain }} value: {{ .Values.kubernetesClusterDomain }}

2
cli/internal/helm/charts/edgeless/operators/charts/node-maintenance-operator/templates/deployment.yaml
View File

@ -48,7 +48,7 @@ spec:
- --metrics-bind-address=:8080 - --metrics-bind-address=:8080
- --leader-elect - --leader-elect
command: command:
- /manager - /ko-app/v2
env: env:
- name: OPERATOR_NAMESPACE - name: OPERATOR_NAMESPACE
valueFrom: valueFrom: