Allow CI for external contributors

.github/actions/download-docker/action.yml

@@ -0,0 +1,18 @@
+name: setup-deps
+description: "Load Docker image"
+
+# Empty comment, please ignore this
+
+runs:
+  using: "composite"
+  steps:
+    - name: Download image
+      uses: actions/download-artifact@v3
+      with:
+        name: docker.image
+        path: /tmp/docker-img
+    - name: Load image
+      shell: bash
+      run: |
+        ls -l /tmp/docker-img
+        make DEV_REGISTRY=localhost:5000 IMPORT_FILE=/tmp/docker-img/docker-img docker-import

.github/actions/drop-registry/action.yml

@@ -0,0 +1,30 @@
+name: 'Drop Registry'
+description: >-
+  Drop the internal registry, so that the after-job checks will not complain.
+runs:
+  using: "composite"
+  steps:
+    - name: "Drop registry"
+      shell: bash
+      run: |
+        if [[ -n "$(docker container list --all --quiet)" ]]; then
+            for container in $(docker container list --all --format '{{.ID}},{{.Image}}'); do
+                id=$(echo "$container" | cut -d, -f1)
+                image=$(echo "$container" | cut -d, -f2)
+                if [[ "$image" == registry:* ]]; then
+                    # echo "DOCKER CONTAINER:"
+                    # docker inspect "$id"
+
+                    volnames=$(docker inspect --format='{{ range $m := .Mounts}}{{$m.Name}}{{"\n"}}{{end}}' "$id")
+
+                    echo "Dropping registry container $id ($image)"
+                    docker kill "$id" && docker container rm "$id"
+
+                    for volname in $volnames; do
+                        echo "Dropping volume $volname"
+                        docker volume rm "$volname"
+                    done
+                fi
+            done
+        fi
+

.github/actions/setup-deps/action.yml

@@ -4,11 +4,11 @@ description: "Install Go and Python"
 runs:
   using: "composite"
   steps:
-    - name: "Install bsdtar (libarchive-tools)"
+    - name: "Install bsdtar (libarchive-tools) and jq"
       shell: bash
       run: |
         sudo apt-get update -y
-        sudo apt-get install -y libarchive-tools
+        sudo apt-get install -y libarchive-tools jq
     - name: "Install Python requirements with pip"
       uses: BSFishy/pip-action@v1
       with:

.github/workflows/execute-tests-and-promote.yml

@@ -18,6 +18,12 @@ jobs:
       - uses: actions/checkout@v2
         with:
           fetch-depth: 0
+      - name: Git Describe
+        run: |
+          for sha in $(git log --format="%H" -10)
+          do
+              echo "$sha $(git describe --tags $sha) -- $(git describe --tags --match chart/)"
+          done
       - name: Install Deps
         uses: ./.github/actions/setup-deps
       - shell: bash
@@ -46,12 +52,6 @@ jobs:
             install -m700 -d ~/.ssh
             install -m600 /dev/stdin ~/.ssh/id_rsa <<<'${{ secrets.GHA_SSH_KEY }}'
           fi
-      - name: "Docker Login"
-        uses: docker/login-action@v1
-        with:
-          registry: ${{ (!startsWith(secrets.RELEASE_REGISTRY, 'docker.io/')) && secrets.RELEASE_REGISTRY || null }}
-          username: ${{ secrets.GH_DOCKER_RELEASE_USERNAME }}
-          password: ${{ secrets.GH_DOCKER_RELEASE_TOKEN }}
       - name: "'make generate'"
         shell: bash
         run: |
@@ -69,6 +69,13 @@ jobs:
 
   check-envoy-version: #########################################################
     runs-on: ubuntu-latest
+    needs:
+    - build
+    services:
+      registry:
+        image: registry:2
+        ports:
+          - 5000:5000
     env:
       # See docker/base-python.docker.gen
       BASE_PYTHON_REPO: ${{ secrets.BASE_PYTHON_REPO }}
@@ -84,20 +91,20 @@ jobs:
             install -m700 -d ~/.ssh
             install -m600 /dev/stdin ~/.ssh/id_rsa <<<'${{ secrets.GHA_SSH_KEY }}'
           fi
-      - name: "Docker Login"
-        # This is important if ENVOY_DOCKER_REPO is a private repo.
-        uses: docker/login-action@v1
-        with:
-          registry: ${{ (!startsWith(secrets.DEV_REGISTRY, 'docker.io/')) && secrets.DEV_REGISTRY || null }}
-          username: ${{ secrets.GH_DOCKER_BUILD_USERNAME }}
-          password: ${{ secrets.GH_DOCKER_BUILD_TOKEN }}
+      - name: Pull Docker image
+        uses: ./.github/actions/download-docker
       - run: make check-envoy-version
+      - name: "Drop registry"
+        uses: ./.github/actions/drop-registry
+        if: always()
       - uses: ./.github/actions/after-job
         if: always()
 
   # Tests ######################################################################
   check-gotest:
     runs-on: ubuntu-latest
+    needs:
+    - build
     env:
       # See docker/base-python.docker.gen
       BASE_PYTHON_REPO: ${{ secrets.BASE_PYTHON_REPO }}
@@ -107,12 +114,8 @@ jobs:
           fetch-depth: 0
       - name: Install Deps
         uses: ./.github/actions/setup-deps
-      - name: "Docker Login"
-        uses: docker/login-action@v1
-        with:
-          registry: ${{ (!startsWith(secrets.DEV_REGISTRY, 'docker.io/')) && secrets.DEV_REGISTRY || null }}
-          username: ${{ secrets.GH_DOCKER_BUILD_USERNAME }}
-          password: ${{ secrets.GH_DOCKER_BUILD_TOKEN }}
+      - name: Pull Docker image
+        uses: ./.github/actions/download-docker
       - name: make gotest
         shell: bash
         run: |
@@ -123,6 +126,8 @@ jobs:
         if: always()
   check-pytest:
     runs-on: ubuntu-latest
+    needs:
+    - build
     env:
       # See docker/base-python.docker.gen
       BASE_PYTHON_REPO: ${{ secrets.BASE_PYTHON_REPO }}
@@ -152,12 +157,8 @@ jobs:
           fetch-depth: 0
       - name: Install Deps
         uses: ./.github/actions/setup-deps
-      - name: "Docker Login"
-        uses: docker/login-action@v1
-        with:
-          registry: ${{ (!startsWith(secrets.DEV_REGISTRY, 'docker.io/')) && secrets.DEV_REGISTRY || null }}
-          username: ${{ secrets.GH_DOCKER_BUILD_USERNAME }}
-          password: ${{ secrets.GH_DOCKER_BUILD_TOKEN }}
+      - name: Pull Docker image
+        uses: ./.github/actions/download-docker
       - name: make pytest-${{ matrix.test }}
         run: |
           export USE_LOCAL_K3S_CLUSTER=1
@@ -179,6 +180,13 @@ jobs:
     # pytest-unit is separate from pytests (above) because we know for certain that no cluster is needed.
     # XXX This is pretty much a crock.
     runs-on: ubuntu-latest
+    needs:
+    - build
+    services:
+      registry:
+        image: registry:2
+        ports:
+          - 5000:5000
     env:
       # See docker/base-python.docker.gen
       BASE_PYTHON_REPO: ${{ secrets.BASE_PYTHON_REPO }}
@@ -193,12 +201,8 @@ jobs:
           fetch-depth: 0
       - name: Install Deps
         uses: ./.github/actions/setup-deps
-      - name: "Docker Login"
-        uses: docker/login-action@v1
-        with:
-          registry: ${{ (!startsWith(secrets.DEV_REGISTRY, 'docker.io/')) && secrets.DEV_REGISTRY || null }}
-          username: ${{ secrets.GH_DOCKER_BUILD_USERNAME }}
-          password: ${{ secrets.GH_DOCKER_BUILD_TOKEN }}
+      - name: Pull Docker image
+        uses: ./.github/actions/download-docker
       - name: make pytest-${{ matrix.test }}
         run: |
           sudo sysctl -w fs.file-max=1600000
@@ -209,13 +213,18 @@ jobs:
           export DEV_KUBECONFIG=~/.kube/config
           export DEV_REGISTRY=${{ secrets.DEV_REGISTRY }}
           export PYTEST_ARGS=' --cov-branch --cov=ambassador --cov-report html:/tmp/cov_html '
-          make pytest-${{ matrix.test }}
+          make pytest-${{ matrix.test }} > /tmp/test-logs/pytest-unit.log 2>&1
+      - name: "Drop registry"
+        uses: ./.github/actions/drop-registry
+        if: always()
       - uses: ./.github/actions/after-job
         if: always()
         with:
           jobname: check-pytest-${{ matrix.test }}
   check-chart:
     runs-on: ubuntu-latest
+    needs:
+    - build
     env:
       DEV_REGISTRY: ${{ secrets.DEV_REGISTRY }}
       # See docker/base-python.docker.gen
@@ -225,53 +234,60 @@ jobs:
       DOCKER_BUILD_USERNAME: ${{ secrets.GH_DOCKER_BUILD_USERNAME }}
       DOCKER_BUILD_PASSWORD: ${{ secrets.GH_DOCKER_BUILD_TOKEN }}
     steps:
-      - uses: docker/login-action@v1
-        with:
-          registry: ${{ (!startsWith(secrets.DEV_REGISTRY, 'docker.io/')) && secrets.DEV_REGISTRY || null }}
-          username: ${{ secrets.GH_DOCKER_BUILD_USERNAME }}
-          password: ${{ secrets.GH_DOCKER_BUILD_TOKEN }}
       - uses: actions/checkout@v2
         with:
           fetch-depth: 0
           ref: ${{ github.event.pull_request.head.sha }}
       - name: Install Deps
         uses: ./.github/actions/setup-deps
+      - name: Pull Docker image
+        uses: ./.github/actions/download-docker
       - name: make test-chart
         run: |
           make ci/setup-k3d K3D_CLUSTER_NAME=amb-ci
           export DEV_KUBECONFIG=~/.kube/config
-
+  
           make test-chart
       - uses: ./.github/actions/after-job
         if: always()
 
   build: #######################################################################
     runs-on: ubuntu-latest
     env:
-      DEV_REGISTRY: ${{ secrets.DEV_REGISTRY }}
+      AWS_ACCESS_KEY_ID: ${{ secrets.GH_AWS_ACCESS_KEY_ID }}
+      AWS_SECRET_ACCESS_KEY: ${{ secrets.GH_AWS_SECRET_ACCESS_KEY }}
+      AWS_EC2_METADATA_DISABLED: true
+      AWS_S3_BUCKET: ${{ secrets.AWS_S3_BUCKET }}
+      # DEV_REGISTRY: ${{ secrets.DEV_REGISTRY }}
       # See docker/base-python.docker.gen
       BASE_PYTHON_REPO: ${{ secrets.BASE_PYTHON_REPO }}
+    services:
+      registry:
+        image: registry:2
+        ports:
+          - 5000:5000
     steps:
       - uses: actions/checkout@v2
         with:
           fetch-depth: 0
           ref: ${{ github.event.pull_request.head.sha }}
       - name: Install Deps
         uses: ./.github/actions/setup-deps
-      - name: "Docker Login"
-        uses: docker/login-action@v1
-        with:
-          registry: ${{ (!startsWith(secrets.DEV_REGISTRY, 'docker.io/')) && secrets.DEV_REGISTRY || null }}
-          username: ${{ secrets.GH_DOCKER_BUILD_USERNAME }}
-          password: ${{ secrets.GH_DOCKER_BUILD_TOKEN }}
-      - name: "make push"
-        shell: bash
-        run: |
-          make push
-      - name: "make push-dev"
+      - name: "Check git not dirty (from make push)"
+        uses: ./.github/actions/git-dirty-check
+      - name: "Build and export Docker image"
         shell: bash
         run: |
-          make push-dev
+          make DEV_REGISTRY=localhost:5000 EXPORT_FILE=/tmp/docker-img docker-export
+      - name: "Upload Docker image"
+        uses: actions/upload-artifact@v2
+        with:
+          name: docker.image
+          path: /tmp/docker-img
+          if-no-files-found: error
+      - name: "Drop registry"
+        uses: ./.github/actions/drop-registry
+        if: always()
       - uses: ./.github/actions/after-job
         if: always()
 

Makefile

@@ -31,8 +31,10 @@ ifneq ($(MAKECMDGOALS),$(OSS_HOME)/build-aux/go-version.txt)
     ,$(error CHART_VERSION variable is invalid: It must be a v8.* string, but is '$(CHART_VERSION)'))
   export CHART_VERSION
 
-  $(info [make] VERSION=$(VERSION))
-  $(info [make] CHART_VERSION=$(CHART_VERSION))
+  ifneq ($(MAKECMDGOALS),version)
+    $(info [make] VERSION=$(VERSION))
+    $(info [make] CHART_VERSION=$(CHART_VERSION))
+  endif
 endif
 
 # If SOURCE_DATE_EPOCH isn't set, AND the tree isn't dirty, then set

build-aux/check.mk

@@ -16,18 +16,24 @@ push-pytest-images: docker/kat-server.docker.push.remote
 test_svcs = auth shadow stats
 $(foreach svc,$(test_svcs),docker/.test-$(svc).docker.stamp): docker/.%.docker.stamp: docker/%/Dockerfile FORCE
 	docker build --iidfile=$@ $(<D)
+	@echo "" >> "$@"	# Make sure the ID file ends with a newline.
 clean: $(foreach svc,$(test_svcs),docker/test-$(svc).docker.clean)
 
 # kat-client.docker
 docker/kat-client.go.layer.tar: $(tools/ocibuild) $(tools/write-ifchanged) FORCE
+	@echo "==== docker/kat-client.go.layer.tar in check.mk, as $@: $^"
 	GOFLAGS=-mod=mod $(tools/ocibuild) layer gobuild ./cmd/kat-client | $(tools/write-ifchanged) $@
+
 docker/kat-client.fs.layer.tar: $(tools/ocibuild) $(tools/write-ifchanged) FORCE
+	@echo "==== docker/kat-client.fs.layer.tar in check.mk, as $@: $^"
 	{ $(tools/ocibuild) layer dir \
 	  --prefix=work \
 	  --chown-uid=0 --chown-uname=root \
 	  --chown-gid=0 --chown-uname=root \
 	  docker/kat-client; } | $(tools/write-ifchanged) $@
+
 docker/.kat-client.img.tar.stamp: $(tools/ocibuild) docker/base.img.tar docker/kat-client.go.layer.tar docker/kat-client.fs.layer.tar
+	@echo "==== docker/.kat-client.img.tar.stamp in check.mk, as $@: $^"
 	{ $(tools/ocibuild) image build \
 	  --base=docker/base.img.tar \
 	  --config.Cmd='sleep' --config.Cmd='3600' \