
Commit ffdcf0f
authored
use pre-built base images (#5061)
1 parent 5aff19e commit ffdcf0f

6 files changed

+178
-45
lines changed


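--- a/.github/actions/smoke-tests/action.yaml
+++ b/.github/actions/smoke-tests/action.yaml
@@ -5,6 +5,9 @@ inputs:
   go-md5:
     required: true
     type: string
+  base-image-md5:
+    required: true
+    type: string
   k8s-version:
     description: Kubernetes version to use
     required: false
@@ -67,18 +70,36 @@ runs:
     - name: Docker Buildx
       uses: docker/setup-buildx-action@v2
 
+    - name: Authenticate to Google Cloud
+      id: auth
+      uses: google-github-actions/auth@v2
+      with:
+        token_format: access_token
+        workload_identity_provider: ${{ inputs.gcr-workload-identity-secret }}
+        service_account: ${{ inputs.gcr-service-account-secret }}
+      if: github.event.pull_request.head.repo.full_name == github.repository
+
+    - name: Login to GCR
+      uses: docker/login-action@v3
+      with:
+        registry: gcr.io
+        username: oauth2accesstoken
+        password: ${{ steps.auth.outputs.access_token }}
+      if: github.event.pull_request.head.repo.full_name == github.repository
+
     - name: Build ${{ inputs.image }} Container
       uses: docker/build-push-action@v3
       with:
         file: build/Dockerfile
         context: "."
         cache-from: type=gha,scope=${{ inputs.image }}${{ contains(inputs.marker, 'dos') && '-dos' || '' }}${{ contains(inputs.marker, 'appprotect') && '-nap' || '' }}
-        target: goreleaser
+        target: goreleaser${{ github.event.pull_request.head.repo.full_name == github.repository && '-prebuilt' || '' }}
         tags: "docker.io/nginx/${{ steps.ingress-type.outputs.name }}:${{ steps.ingress-type.outputs.tag }}"
         load: true
         pull: true
         build-args: |
           BUILD_OS=${{ inputs.image }}
+          PREBUILT_BASE_IMG=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-base/${{ contains(inputs.image, 'plus') && 'plus' || 'oss' }}:${{ inputs.base-image-md5 }}-${{ inputs.image }}${{ contains(inputs.marker, 'appprotect') && '-waf' || '' }}${{ contains(inputs.marker, 'dos') && '-dos' || '' }}
           IC_VERSION=CI
           ${{ steps.ingress-type.outputs.modules != '' && format('NAP_MODULES={0}', steps.ingress-type.outputs.modules) || '' }}
           ${{ contains(inputs.marker, 'appprotect') && 'DEBIAN_VERSION=buster-slim' || '' }}
@@ -105,23 +126,6 @@ runs:
         sed -i 's|server:.*|server: https://${{ steps.k8s.outputs.cluster_ip }}:6443|' ~/.kube/kind/config
       shell: bash
 
-    - name: Authenticate to Google Cloud
-      id: auth
-      uses: google-github-actions/auth@v2
-      with:
-        token_format: access_token
-        workload_identity_provider: ${{ inputs.gcr-workload-identity-secret }}
-        service_account: ${{ inputs.gcr-service-account-secret }}
-      if: github.event.pull_request.head.repo.full_name == github.repository
-
-    - name: Login to GCR
-      uses: docker/login-action@v3
-      with:
-        registry: gcr.io
-        username: oauth2accesstoken
-        password: ${{ steps.auth.outputs.access_token }}
-      if: github.event.pull_request.head.repo.full_name == github.repository
-
     - name: Build Test-Runner Container
       uses: docker/build-push-action@v3
       with: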
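Review bot: The `Authenticate to Google Cloud` and `Login to GCR` steps in the second hunk reference `google-github-actions/auth@v2` and `docker/login-action@v3`, mutable tags that can be re-pointed upstream, while the workflows touched by this same commit pin the identical actions to a commit SHA with a version comment (`google-github-actions/auth@a6e2e39c0a0331da29f7fd2c2a20a427e8d3ad1f # v2.1.1`, `docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0`). These lines are moved rather than newly written, and the file already uses tags for `docker/setup-buildx-action@v2`, but the move is a natural point to align the composite action with the SHA-pinning used elsewhere in the repository. Consider replacing the two `uses:` lines with the pinned references quoted above so the action cannot silently pick up a different upstream build. The `runs.steps` list these steps belong to starts before the first hunk and continues past the last.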

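--- a/.github/workflows/build-base-images.yml
+++ b/.github/workflows/build-base-images.yml
@@ -2,6 +2,7 @@ name: Build Base Images
 
 on:
   workflow_dispatch:
+  workflow_call:
   schedule:
     - cron: "30 4 * * 1-5" # run Mon-Fri at 04:30 UTC
 
@@ -11,7 +12,7 @@ defaults:
 
 concurrency:
   group: ${{ github.ref_name }}-base-image
-  cancel-in-progress: true
+  cancel-in-progress: false
 
 permissions:
   contents: read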
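Review bot: The new `workflow_call:` trigger in the first hunk declares no `inputs` or `secrets`, so a caller cannot pass anything in and only sees the workflow's own secrets if it specifies `secrets: inherit`. The jobs of this workflow are outside the hunks shown; if they authenticate to GCR with `secrets.GCR_WORKLOAD_IDENTITY` / `secrets.GCR_SERVICE_ACCOUNT` the way the other workflows in this commit do, the call site in `ci.yml` needs `secrets: inherit` (or the secrets declared under `workflow_call.secrets:`) and the calling job needs `id-token: write`, since a called workflow can only use permissions the caller grants. Documenting that contract on the trigger, e.g. `workflow_call: # caller must pass secrets: inherit and grant id-token: write`, would make the dependency visible to the next person wiring this up.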

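--- a/.github/workflows/build-oss.yml
+++ b/.github/workflows/build-oss.yml
@@ -12,6 +12,9 @@ on:
       go-md5:
         required: true
         type: string
+      base-image-md5:
+        required: false
+        type: string
       tag:
         required: false
         type: string
@@ -95,6 +98,23 @@ jobs:
           password: ${{ secrets.QUAY_ROBOT_TOKEN }}
         if: ${{ inputs.publish-image }}
 
+      - name: Authenticate to Google Cloud
+        id: auth
+        uses: google-github-actions/auth@a6e2e39c0a0331da29f7fd2c2a20a427e8d3ad1f # v2.1.1
+        with:
+          token_format: access_token
+          workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
+          service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
+        if: github.event.pull_request.head.repo.full_name == github.repository
+
+      - name: Login to GCR
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+        with:
+          registry: gcr.io
+          username: oauth2accesstoken
+          password: ${{ steps.auth.outputs.access_token }}
+        if: github.event.pull_request.head.repo.full_name == github.repository
+
       - name: Get short tag
         id: tag
         run: |
@@ -143,7 +163,7 @@ jobs:
           context: "."
           cache-from: type=gha,scope=${{ inputs.image }}
           cache-to: type=gha,scope=${{ inputs.image }},mode=max
-          target: goreleaser
+          target: goreleaser${{ github.event.pull_request.head.repo.full_name == github.repository && '-prebuilt' || '' }}
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
           annotations: ${{ github.event_name != 'pull_request' && steps.meta.outputs.annotations || '' }}
@@ -156,6 +176,7 @@ jobs:
           provenance: false
           build-args: |
             BUILD_OS=${{ inputs.image }}
+            PREBUILT_BASE_IMG=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-base/oss:${{ inputs.base-image-md5 }}-${{ inputs.image }}
             IC_VERSION=${{ (github.event_name == 'pull_request' || startsWith(github.ref, 'refs/heads/release-')) && 'CI' || steps.meta.outputs.version }}
 
       - name: Certify Images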
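Review bot: `base-image-md5` is declared `required: false` in the first hunk, yet the `PREBUILT_BASE_IMG` build-arg in the last hunk interpolates it unconditionally, so a same-repo pull request whose caller omits the input would select the `goreleaser-prebuilt` target and request the tag `oss:-<image>`, which cannot exist. Either make the input `required: true`, matching what `.github/actions/smoke-tests/action.yaml` declares in this commit, or emit the build-arg only when the input is set, in the same `${{ inputs.x != '' && format(...) || '' }}` form the file already uses for `NAP_MODULES`-style arguments. Separately, the new `Authenticate to Google Cloud` step requests `token_format: access_token` through workload identity, which only works if the job carries `id-token: write`; the job's `permissions` block is outside this hunk, and since GCR auth was not previously performed in this workflow, confirm that it grants the permission for pull-request runs where `publish-image` is false. The job these steps belong to starts before the second hunk and ends after the last.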

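--- a/.github/workflows/build-plus.yml
+++ b/.github/workflows/build-plus.yml
@@ -15,6 +15,9 @@ on:
       go-md5:
         required: true
         type: string
+      base-image-md5:
+        required: false
+        type: string
       nap_modules:
         required: false
         type: string
@@ -67,15 +70,15 @@ jobs:
           token_format: access_token
           workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
           service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
-        if: ${{ inputs.publish-image }}
+        if: ${{ inputs.publish-image || github.event.pull_request.head.repo.full_name == github.repository }}
 
       - name: Login to GCR
         uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
         with:
           registry: gcr.io
           username: oauth2accesstoken
           password: ${{ steps.auth.outputs.access_token }}
-        if: ${{ inputs.publish-image }}
+        if: ${{ inputs.publish-image || github.event.pull_request.head.repo.full_name == github.repository }}
 
       - name: Authenticate to Google Cloud Marketplace
         id: auth-mktpl
@@ -162,7 +165,7 @@ jobs:
           context: "."
           cache-from: type=gha,scope=${{ inputs.image }}${{ contains(inputs.nap_modules, 'dos') && '-dos' || '' }}${{ contains(inputs.nap_modules, 'waf') && '-nap' || '' }}
           cache-to: type=gha,scope=${{ inputs.image }}${{ contains(inputs.nap_modules, 'dos') && '-dos' || '' }}${{ contains(inputs.nap_modules, 'waf') && '-nap' || '' }},mode=max
-          target: ${{ inputs.target }}
+          target: ${{ inputs.target }}${{ github.event.pull_request.head.repo.full_name == github.repository && '-prebuilt' || '' }}
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
           annotations: ${{ inputs.publish-image && steps.meta.outputs.annotations || '' }}
@@ -175,6 +178,7 @@ jobs:
           provenance: false
           build-args: |
             BUILD_OS=${{ inputs.image }}
+            PREBUILT_BASE_IMG=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-base/plus:${{ inputs.base-image-md5 }}-${{ inputs.image }}${{ contains(inputs.nap_modules, 'waf') && '-waf' || '' }}${{ contains(inputs.nap_modules, 'dos') && '-dos' || '' }}
             IC_VERSION=${{ github.ref_type == 'tag' && steps.meta.outputs.version || 'CI' }}
             ${{ inputs.nap_modules != '' && format('NAP_MODULES={0}', inputs.nap_modules) || '' }}
             ${{ steps.nap_modules.outputs.modules != '' && format('NAP_MODULES_AWS={0}', steps.nap_modules.outputs.modules) || '' }}
@@ -218,31 +222,18 @@ jobs:
           Use this image instead of building your own.
         if: ${{ github.ref_type == 'tag' && contains(inputs.target, 'aws') }}
 
-      - name: Load image for Trivy
-        uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
-        with:
-          file: build/Dockerfile
-          context: "."
-          cache-from: type=gha,scope=${{ inputs.image }}
-          target: ${{ inputs.target }}
-          tags: docker.io/${{ inputs.image }}:${{ steps.meta.outputs.version }}
-          load: true
-          build-args: |
-            BUILD_OS=${{ inputs.image }}
-            IC_VERSION=${{ github.ref_type == 'tag' && steps.meta.outputs.version || 'CI' }}
-            ${{ inputs.nap_modules != '' && format('NAP_MODULES={0}', inputs.nap_modules) || '' }}
-            ${{ steps.nap_modules.outputs.modules != '' && format('NAP_MODULES_AWS={0}', steps.nap_modules.outputs.modules) || '' }}
-          secrets: |
-            "nginx-repo.crt=${{ inputs.nap_modules != '' && secrets.NGINX_AP_CRT || secrets.NGINX_CRT }}"
-            "nginx-repo.key=${{ inputs.nap_modules != '' && secrets.NGINX_AP_KEY || secrets.NGINX_KEY }}"
-            ${{ inputs.nap_modules != '' && contains(inputs.image, 'ubi') && format('"rhel_license={0}"', secrets.RHEL_LICENSE) || '' }}
+      - name: Extract image name for Trivy
+        id: trivy-tag
+        run: |
+          tag=$(echo $DOCKER_METADATA_OUTPUT_JSON | jq -r '.tags[] | select(contains("f5-gcs-7899"))' )
+          echo "tag=$tag" >> $GITHUB_OUTPUT
         if: ${{ inputs.publish-image }}
 
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@84384bd6e777ef152729993b8145ea352e9dd3ef # 0.17.0
         continue-on-error: true
         with:
-          image-ref: docker.io/${{ inputs.image }}:${{ steps.meta.outputs.version }}
+          image-ref: ${{ steps.trivy-tag.outputs.tag }}
           format: "sarif"
           output: "trivy-results-${{ inputs.image }}.sarif"
           ignore-unfixed: "true"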
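Review bot: The `Extract image name for Trivy` step in the last hunk writes whatever `jq` returns straight into `$GITHUB_OUTPUT`: `select(contains("f5-gcs-7899"))` can match more than one tag, which yields a multi-line `tag` value that breaks the `key=value` output format, and when nothing matches `image-ref` becomes empty, a failure that `continue-on-error: true` then hides, so the vulnerability scan can silently scan nothing. Take exactly one tag and fail loudly if none is found: `tag=$(jq -r 'first(.tags[] | select(contains("f5-gcs-7899")))' <<<"$DOCKER_METADATA_OUTPUT_JSON")` followed by `test -n "$tag" || { echo "no GCR tag in metadata output" >&2; exit 1; }`; feeding the JSON via a here-string also avoids word-splitting it through an unquoted `echo $DOCKER_METADATA_OUTPUT_JSON`. Note that the scanner now examines the pushed registry image instead of a locally loaded build, so the result depends on the push having completed in an earlier step; the job these steps belong to starts before the first hunk.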

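--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -44,6 +44,7 @@ jobs:
       binary_cache_hit: ${{ steps.binary-cache.outputs.cache-hit }}
       ic_version: ${{ steps.vars.outputs.ic_version }}
       publish-images: ${{ steps.vars.outputs.publish }}
+      docker_md5: ${{ steps.vars.outputs.docker_md5 }}
     steps:
       - name: Checkout Repository
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
@@ -90,6 +91,8 @@ jobs:
             publish=true
           fi
           echo "publish=$publish" >> $GITHUB_OUTPUT
+          docker_md5=$(find . -type f \( -name "build/Dockerfile" -o -name .github/data/version.txt \) -not -path "./docs*" -exec md5sum {} + | LC_ALL=C sort | md5sum | awk '{ print $1 }' )
+          echo "docker_md5=${docker_md5:0:8}" >> $GITHUB_OUTPUT
           cat $GITHUB_OUTPUT
 
       - name: Fetch Cached Binary Artifacts
@@ -228,17 +231,63 @@ jobs:
           key: nginx-ingress-${{ needs.checks.outputs.go_code_md5 }}
         if: ${{ needs.checks.outputs.binary_cache_hit != 'true' }}
 
+  rebuild-base-images:
+    name: Rebuild NIC Base images
+    runs-on: ubuntu-22.04
+    needs: checks
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Docker Buildx
+        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
+        if: github.event.pull_request.head.repo.full_name == github.repository
+
+      - name: Authenticate to Google Cloud
+        id: auth
+        uses: google-github-actions/auth@a6e2e39c0a0331da29f7fd2c2a20a427e8d3ad1f # v2.1.1
+        with:
+          token_format: access_token
+          workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
+          service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
+        if: github.event.pull_request.head.repo.full_name == github.repository
+
+      - name: Login to GCR
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+        with:
+          registry: gcr.io
+          username: oauth2accesstoken
+          password: ${{ steps.auth.outputs.access_token }}
+        if: github.event.pull_request.head.repo.full_name == github.repository
+
+      - name: Check if base images exist
+        id: base_exists
+        run: |
+          docker manifest inspect gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-base/oss:${{ needs.checks.outputs.docker_md5 }}-debian
+          echo "exists=$?" >> $GITHUB_OUTPUT
+        if: github.event.pull_request.head.repo.full_name == github.repository
+
+      - name: Rebuild base images
+        uses: ./.github/workflows/build-base-images.yml
+        if: github.event.pull_request.head.repo.full_name == github.repository && steps.base_exists.outputs.exists != 0
+
   helm-tests:
     name: Helm Tests
     runs-on: ubuntu-22.04
-    needs: [checks, binaries]
+    needs: [checks, binaries, rebuild-base-images]
     strategy:
       matrix:
         include:
           - image: debian
             type: oss
           - image: debian-plus
             type: plus
+    permissions:
+      contents: read
+      id-token: write
     steps:
       - name: Checkout Repository
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
@@ -252,18 +301,36 @@ jobs:
       - name: Docker Buildx
         uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
 
+      - name: Authenticate to Google Cloud
+        id: auth
+        uses: google-github-actions/auth@a6e2e39c0a0331da29f7fd2c2a20a427e8d3ad1f # v2.1.1
+        with:
+          token_format: access_token
+          workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
+          service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
+        if: github.event.pull_request.head.repo.full_name == github.repository
+
+      - name: Login to GCR
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+        with:
+          registry: gcr.io
+          username: oauth2accesstoken
+          password: ${{ steps.auth.outputs.access_token }}
+        if: github.event.pull_request.head.repo.full_name == github.repository
+
       - name: Build Docker Image ${{ matrix.image }}
         uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
         with:
           file: build/Dockerfile
           context: "."
           cache-from: type=gha,scope=${{ matrix.image }}
-          target: goreleaser
+          target: goreleaser${{ github.event.pull_request.head.repo.full_name == github.repository && '-prebuilt' || '' }}
           tags: ${{ matrix.type }}:${{ github.sha }}
           pull: true
           load: true
           build-args: |
             BUILD_OS=${{ matrix.image }}
+            PREBUILT_BASE_IMG=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-base/${{ contains(matrix.image, 'plus') && 'plus' || 'oss' }}:${{ needs.checks.outputs.docker_md5 }}-${{ matrix.image }}
             IC_VERSION=CI
           secrets: |
             ${{ contains(matrix.type, 'plus') && format('"nginx-repo.crt={0}"', secrets.NGINX_CRT) || '' }}
@@ -316,7 +383,7 @@ jobs:
   setup-matrix:
     name: Setup Matrix for Smoke Tests
     runs-on: ubuntu-22.04
-    needs: [binaries, checks]
+    needs: [binaries, checks, rebuild-base-images]
     permissions:
       contents: read
       id-token: write
@@ -402,6 +469,7 @@ jobs:
           gcr-service-account-secret: ${{ secrets.GCR_SERVICE_ACCOUNT }}
           rhel-license: ${{ contains(matrix.images.image, 'ubi') && secrets.RHEL_LICENSE || '' }}
           go-md5: ${{ needs.checks.outputs.go_code_md5 }}
+          base-image-md5: ${{ needs.checks.outputs.docker_md5 }}
           test-image: "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/test-runner:${{ hashFiles('./tests/requirements.txt') || 'latest' }}"
 
       - name: Upload Test Results
@@ -443,6 +511,7 @@ jobs:
       image: ${{ matrix.image }}
       go-md5: ${{ needs.checks.outputs.go_code_md5 }}
       publish-image: ${{ needs.checks.outputs.publish-images == 'true' }}
+      base-image-md5: ${{ needs.checks.outputs.docker_md5 }}
     permissions:
       contents: read
       actions: read
@@ -470,6 +539,7 @@ jobs:
       image: ${{ matrix.image }}
       target: ${{ matrix.target }}
       go-md5: ${{ needs.checks.outputs.go_code_md5 }}
+      base-image-md5: ${{ needs.checks.outputs.docker_md5 }}
       release-url: ${{ needs.release-notes.outputs.release-url }}
       publish-image: ${{ needs.checks.outputs.publish-images == 'true' }}
     permissions:
@@ -523,6 +593,7 @@ jobs:
       image: ${{ matrix.image }}
       target: ${{ matrix.target }}
       go-md5: ${{ needs.checks.outputs.go_code_md5 }}
+      base-image-md5: ${{ needs.checks.outputs.docker_md5 }}
       nap_modules: ${{ matrix.nap_modules }}
       release-url: ${{ needs.release-notes.outputs.release-url }}
       publish-image: ${{ needs.checks.outputs.publish-images == 'true' }}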
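Review bot: In the new `rebuild-base-images` job (third hunk), the `Check if base images exist` step never reaches `echo "exists=$?"` when the image is missing: GitHub runs `run: |` blocks under `bash -eo pipefail`, so a non-zero `docker manifest inspect` aborts the step, the job fails, and the `steps.base_exists.outputs.exists != 0` branch of the following step is unreachable. Capture the status explicitly, e.g. `docker manifest inspect "$IMAGE" >/dev/null 2>&1 && exists=0 || exists=1` followed by `echo "exists=$exists" >> "$GITHUB_OUTPUT"`. The `Rebuild base images` step then references a workflow file through a step-level `uses:`, which only resolves actions (a directory with an action.yml), whereas a `workflow_call` workflow can only be invoked from `jobs.<id>.uses`; the rebuild therefore needs to become its own job with `needs: rebuild-base-images`, an `if:` on the existence output and `secrets: inherit`. In the second hunk, `find -name "build/Dockerfile"` can never match because `-name` tests the basename only, so `docker_md5` depends solely on `.github/data/version.txt` and a Dockerfile change would keep reusing a stale pre-built base image with whatever packages it was built with; use `-path "./build/Dockerfile"` there. The `checks` job that hunk belongs to starts outside the hunk.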
