From d7e27c887ff10caa988b8c2b98fc3951a608aafa Mon Sep 17 00:00:00 2001 From: KevFan Date: Wed, 18 Oct 2023 14:57:39 +0100 Subject: [PATCH] workflow: push by digest --- .github/workflows/build-image.yaml | 84 ++++++++++++++++++++++++------ .github/workflows/e2e.yaml | 4 +- Dockerfile.aarch64 | 52 ++++++++++++++++++ 3 files changed, 123 insertions(+), 17 deletions(-) create mode 100644 Dockerfile.aarch64 diff --git a/.github/workflows/build-image.yaml b/.github/workflows/build-image.yaml index e751286d..00923b95 100644 --- a/.github/workflows/build-image.yaml +++ b/.github/workflows/build-image.yaml @@ -19,9 +19,9 @@ jobs: strategy: fail-fast: false matrix: - platform: - - linux/amd64 - - linux/arm64 + dockerfile: + - Dockerfile + - Dockerfile.aarch64 steps: - name: Check out code uses: actions/checkout@v4 @@ -35,12 +35,12 @@ jobs: with: images: | ${{ env.IMG_REGISTRY_HOST}}/${{ env.IMG_REGISTRY_ORG }}/limitador - tags: | - type=raw,value=${{ github.sha }} - # set latest tag for main branch - type=raw,value=latest,enable=${{ github.ref_name == env.MAIN_BRANCH_NAME }} - # set branch name tag for non-main branches - type=raw,value=${{ github.ref_name }},enable=${{ github.ref_name != env.MAIN_BRANCH_NAME }} +# tags: | +# type=raw,value=${{ github.sha }} +# # set latest tag for main branch +# type=raw,value=latest,enable=${{ github.ref_name == env.MAIN_BRANCH_NAME }} +# # set branch name tag for non-main branches +# type=raw,value=${{ github.ref_name }},enable=${{ github.ref_name != env.MAIN_BRANCH_NAME }} - name: Login to container registry uses: docker/login-action@v2 with: 
@@ -52,15 +52,31 @@ jobs: uses: docker/build-push-action@v5 with: context: . - tags: ${{ steps.meta.outputs.tags }} +# tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} # build-args: | # GITHUB_SHA=${{ github.sha }} - cache-from: type=gha,scope=${{ matrix.platform == 'linux/amd64' && 'build-amd' || 'build-arm'}} - cache-to: type=gha,mode=max,scope=${{ matrix.platform == 'linux/amd64' && 'build-amd' || 'build-arm'}} - load: true - - name: Smoke Test + cache-from: type=gha,scope=${{ matrix.dockerfile == 'Dockerfile' && 'build-amd' || 'build-arm'}} + cache-to: type=gha,mode=max,scope=${{ matrix.dockerfile == 'Dockerfile' && 'build-amd' || 'build-arm'}} + outputs: type=image,name=${{ env.IMG_REGISTRY_HOST}}/${{ env.IMG_REGISTRY_ORG }}/limitador,push-by-digest=true,name-canonical=true,push=true + dockerfiles: | + ${{ matrix.dockerfile }} +# push: true +# - name: Smoke Test +# run: | +# docker run --rm -t ${{ env.IMG_REGISTRY_HOST}}/${{ env.IMG_REGISTRY_ORG }}/limitador:${{ github.sha }} limitador-server --help + - name: Export digest run: | - docker run --rm -t ${{ env.IMG_REGISTRY_HOST}}/${{ env.IMG_REGISTRY_ORG }}/limitador:${{ github.sha }} limitador-server --help + mkdir -p /tmp/digests + digest="${{ steps.build.outputs.digest }}" + touch "/tmp/digests/${digest#sha256:}" + - name: Upload digest + uses: actions/upload-artifact@v3 + with: + name: digests + path: /tmp/digests/* + if-no-files-found: error + retention-days: 1 # - name: Push Image # if: ${{ !env.ACT }} # id: push-to-quay 
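Review bot: `dockerfiles:` is not an input of docker/build-push-action; the Dockerfile path is passed as `file:`, so the new `dockerfiles: | ${{ matrix.dockerfile }}` block most likely has no effect beyond an unexpected-input warning. Both matrix legs would then build the default `Dockerfile`, produce the same digest, and the merge job would assemble a manifest list with no arm64 image in it. Replace the block with `file: ${{ matrix.dockerfile }}`. The build step starts above this hunk, so whether it carries the `id: build` that `steps.build.outputs.digest` relies on cannot be checked from here.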
@@ -74,3 +90,41 @@ jobs: # - name: Print Image URL # run: | # echo "Image pushed to ${{ steps.push-to-quay.outputs.registry-paths }}" + merge: + runs-on: ubuntu-latest + needs: + - build + steps: + - name: Download digests + uses: actions/download-artifact@v3 + with: + name: digests + path: /tmp/digests + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + - name: Docker meta + id: meta + uses: docker/metadata-action@v5 + with: + images: | + ${{ env.IMG_REGISTRY_HOST}}/${{ env.IMG_REGISTRY_ORG }}/limitador + tags: | + type=raw,value=${{ github.sha }} + # set latest tag for main branch + type=raw,value=latest,enable=${{ github.ref_name == env.MAIN_BRANCH_NAME }} + # set branch name tag for non-main branches + type=raw,value=${{ github.ref_name }},enable=${{ github.ref_name != env.MAIN_BRANCH_NAME }} + - name: Login to container registry + uses: docker/login-action@v2 + with: + username: ${{ secrets.IMG_REGISTRY_USERNAME }} + password: ${{ secrets.IMG_REGISTRY_TOKEN }} + registry: ${{ env.IMG_REGISTRY_HOST }} + - name: Create manifest list and push + working-directory: /tmp/digests + run: | + docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \ + $(printf '${{ env.IMG_REGISTRY_HOST}}/${{ env.IMG_REGISTRY_ORG }}/limitador@sha256:%s ' *) + - name: Inspect image + run: | + docker buildx imagetools inspect ${{ env.IMG_REGISTRY_HOST}}/${{ env.IMG_REGISTRY_ORG }}/limitador:${{ steps.meta.outputs.version }} \ No newline at end of file diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml index cd276d51..83af14a6 100644 --- a/.github/workflows/e2e.yaml +++ b/.github/workflows/e2e.yaml @@ -30,8 +30,8 @@ jobs: with: context: . tags: ${{ steps.meta.outputs.tags }} - cache-from: type=gha,scope=e2e - cache-to: type=gha,mode=max,scope=e2e + cache-from: type=gha + cache-to: type=gha,mode=max load: true - name: Create k8s Kind Cluster uses: helm/kind-action@v1.8.0 
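Review bot: On the main branch this job moves `latest` to a manifest list whose member images were never run: the smoke test is commented out in the build job, and `Inspect image` executes only after `imagetools create` has already pushed the tags. A check placed in the build job would gate this job through `needs: build`, for example `docker run --rm ${{ env.IMG_REGISTRY_HOST }}/${{ env.IMG_REGISTRY_ORG }}/limitador@${{ steps.build.outputs.digest }} limitador-server --help` after the build step. The arm64 leg would presumably need emulation on an amd64 runner for that to work. Separately, the actions that run here next to `IMG_REGISTRY_TOKEN` are referenced by mutable tags (e.g. `docker/login-action@v2`); pinning them to a full commit SHA narrows what can reach the registry credentials.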
diff --git a/Dockerfile.aarch64 b/Dockerfile.aarch64
new file mode 100644
index 00000000..6eb3d071
--- /dev/null
+++ b/Dockerfile.aarch64
@@ -0,0 +1,52 @@
+# ------------------------------------------------------------------------------
+# Build Stage cross compiling
+# ------------------------------------------------------------------------------
+
+FROM rust:1.72 as limitador-build
+
+RUN apt update && apt upgrade -y
+RUN apt install -y protobuf-compiler clang
+RUN apt install -y g++-aarch64-linux-gnu libc6-dev-arm64-cross
+
+RUN rustup target add aarch64-unknown-linux-gnu
+RUN rustup toolchain install stable-aarch64-unknown-linux-gnu
+
+WORKDIR /usr/src/limitador
+
+ARG GITHUB_SHA
+ENV GITHUB_SHA=${GITHUB_SHA:-unknown}
+ENV RUSTFLAGS="-C target-feature=-crt-static"
+
+COPY . .
+
+ENV CARGO_TARGET_AARCH64_UNKNOWN_LINUX_GNU_LINKER=aarch64-linux-gnu-gcc \
+ CC_aarch64_unknown_linux_gnu=aarch64-linux-gnu-gcc \
+ CXX_aarch64_unknown_linux_gnu=aarch64-linux-gnu-g++
+
+RUN cargo build --release --target aarch64-unknown-linux-gnu
+
+# ------------------------------------------------------------------------------
+# Run Stage
+# ------------------------------------------------------------------------------
+
+FROM registry.access.redhat.com/ubi8/ubi-minimal:8.7
+
+# shadow-utils is required for `useradd`
+RUN PKGS="libgcc libstdc++ shadow-utils" \
+ && microdnf --assumeyes install --nodocs $PKGS \
+ && rpm --verify --nogroup --nouser $PKGS \
+ && microdnf -y clean all
+RUN useradd -u 1000 -s /bin/sh -m -d /home/limitador limitador
+
+WORKDIR /home/limitador/bin/
+ENV PATH="/home/limitador/bin:${PATH}"
+
+COPY --from=limitador-build /usr/src/limitador/limitador-server/examples/limits.yaml ../
+COPY --from=limitador-build /usr/src/limitador/target/aarch64-unknown-linux-gnu/release/limitador-server ./limitador-server
+
+RUN chown -R limitador:root /home/limitador \
+ && chmod -R 750 /home/limitador
+
+USER limitador
+
+CMD ["limitador-server"]
\ No newline at end of file
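Review bot: The run stage's `FROM registry.access.redhat.com/ubi8/ubi-minimal:8.7` has no `--platform`, so it resolves to the build's target platform, while the binary copied into it is built for `aarch64-unknown-linux-gnu`. None of the visible workflow hunks sets `platforms`, and `matrix.platform` is removed, so on an amd64 runner this would presumably yield an image recorded as linux/amd64, with amd64 `libgcc`/`libstdc++`, around an aarch64 executable. Consider `FROM --platform=linux/arm64 registry.access.redhat.com/ubi8/ubi-minimal:8.7` for the run stage and `FROM --platform=$BUILDPLATFORM rust:1.72 as limitador-build` for the build stage; the run stage's `RUN` steps then need emulation (QEMU) on the runner. Both base images are also referenced by tag only, and `apt upgrade -y` pulls whatever is current at build time, so pinning the bases by digest would fix the inputs of an image that is itself published by digest.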