feat: image factory docker workflow (#12)

Merge after: #9 - Test image factory container build workflow added - Customer tests are still missing - Workflow call from customer repo: https://github.com/comsysto/wp10-image-factory-user/actions/runs/10980125334 REMARK: Runners are running in my development VM in public subnet. It can be moved to air-gapped env as soon as we enable access to ACR. --------- Co-authored-by: Silvija Tovernic <[email protected]> Co-authored-by: Marko Paulic <[email protected]>
comsysto · Sep 23, 2024 · 8a2875c · 8a2875c
1 parent e90ca3d
commit 8a2875c
Show file tree

Hide file tree

Showing 3 changed files with 126 additions and 25 deletions.
diff --git a/.github/workflows/docker-build-if-runner.yml b/.github/workflows/docker-build-if-runner.yml
@@ -14,7 +14,7 @@ jobs:
     env:  
       IMAGE_NAME: "image-factory-runner"
       IMAGE_TAG: "${{ github.run_number }}"
-      REGISTRY: ${{ secrets.REGISTRY }}
+      REGISTRY: ${{ vars.REGISTRY }}
 
     steps:
       - name: Checkout Repository
@@ -23,7 +23,7 @@ jobs:
       - name: Log in to Azure Container Registry
         uses: azure/docker-login@v1
         with:
-          login-server: ${{ secrets.REGISTRY }}
+          login-server: ${{ vars.REGISTRY }}
           username: ${{ secrets.ACR_USERNAME }}
           password: ${{ secrets.ACR_PASSWORD }}
 

diff --git a/.github/workflows/reusable-workflow-docker-image.yml b/.github/workflows/reusable-workflow-docker-image.yml
@@ -12,17 +12,24 @@ on:
       platform:
         required: true
         type: string
+    secrets:
+      ACR_USERNAME:
+        required: true
+      ACR_PASSWORD:
+        required: true
+      REGISTRY:
+        required: true
 
 jobs:
   build-container-image:
     runs-on: self-hosted
 
     env:
+      REGISTRY: ${{ secrets.REGISTRY }}
+      PLATFORM: ${{ inputs.platform }}
       IMAGE_NAME: ${{ inputs.image-name }}
       IMAGE_TAG: "${{ github.run_number }}"
-      REGISTRY: ${{ secrets.REGISTRY }}
       DOCKER_DIR: ${{ inputs.docker-dir }}
-      PLATFORM: ${{ inputs.platform }}
 
     steps:
       - name: Checkout Repository
@@ -36,6 +43,13 @@ jobs:
             exit 1
           fi
 
+      - name: Log in to Azure Container Registry
+        uses: azure/docker-login@v1
+        with:
+          login-server: ${{ secrets.REGISTRY }}
+          username: ${{ secrets.ACR_USERNAME }}
+          password: ${{ secrets.ACR_PASSWORD }}
+
       - name: Build Container Image
         run: |
           echo "Building image: $REGISTRY/$IMAGE_NAME:$IMAGE_TAG"
@@ -46,32 +60,26 @@ jobs:
           echo "Pushing image: $REGISTRY/$IMAGE_NAME:$IMAGE_TAG"
           podman push $REGISTRY/$IMAGE_NAME:$IMAGE_TAG      
 
-      - name: Check image with Trivy
-        shell: bash
-        run: |
-          mkdir build-artifacts
-          echo "=======> Print image for trivy scan:"
-          echo "$REGISTRY/$IMAGE_NAME:$IMAGE_TAG"
-          echo ""=======> Print available images:"
-          podman image ls
-          echo ""=======> Scan image with trivy:"
-          trivy image wp10tfdevacr.azurecr.io/$IMAGE_NAME:$IMAGE_TAG >> build-artifacts/vuln-scan.txt
-          
-          # cat build-artifacts/vuln-scan.txt
-          # trivy image --format spdx ubuntu:rolling >> build-artifacts/sbom-spdx.txt
-          # trivy image --format cyclonedx ubuntu:rolling >> build-artifacts/sbom-cyclonedx.txt
-
-      - name: Upload Artifacts
-        uses: actions/upload-artifact@v4
-        with:
-          name: build-artifacts
-          path: build-artifacts/*
-
       - name: Tag and push Docker image as latest
         # if: github.ref == 'refs/heads/main' # TODO: uncomment once we are done with development
         run: |
+          echo "Pushing image: $REGISTRY/$IMAGE_NAME:$IMAGE_TAG with as latest"
           podman tag $REGISTRY/$IMAGE_NAME:$IMAGE_TAG $REGISTRY/$IMAGE_NAME:latest
           podman push $REGISTRY/$IMAGE_NAME:latest
+  
+      - name: Scan image for vulnerabilites
+        run: |
+          mkdir build-artifacts
+          trivy image $REGISTRY/$IMAGE_NAME:$IMAGE_TAG > build-artifacts/vuln-scan.txt
 
+      - name: Generate SBOM
+        run: |
+          trivy image --format spdx $REGISTRY/$IMAGE_NAME:$IMAGE_TAG > build-artifacts/sbom-spdx.txt
+          trivy image --format cyclonedx $REGISTRY/$IMAGE_NAME:$IMAGE_TAG > build-artifacts/sbom-cyclonedx.txt
 
+      - name: Upload Artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: image-scan-results
+          path: build-artifacts/*
 
diff --git a/.github/workflows/reusable-workflow-packer-image.yml b/.github/workflows/reusable-workflow-packer-image.yml
@@ -0,0 +1,93 @@
+name: Reusable workflow - build packer VM
+
+on:
+  workflow_call:
+    inputs:
+      image-name:
+        required: true
+        type: string
+
+jobs:
+  packer-build:
+    runs-on: self-hosted
+
+    env:
+      AZ_CLI_VERSION: 2.64.0
+      PACKER_VERSION: 1.9.4
+
+      # AZURE_LOCATION: ${{ vars.AZURE_LOCATION }}
+      # AZURE_RESOURCE_GROUP:  ${{ vars.AZURE_RESOURCE_GROUP }}
+      # AZURE_ACG:  ${{ vars.AZURE_ACG }}
+      # AZURE_CREDENTIALS: |
+      #   {
+      #     "clientId": "${{ secrets.AZURE_CLIENT_ID }}",
+      #     "clientSecret": "${{ secrets.AZURE_CLIENT_SECRET }}",
+      #     "subscriptionId": "${{ secrets.AZURE_SUBSCRIPTION_ID }}",
+      #     "tenantId": "${{ secrets.AZURE_TENANT_ID }}"
+      #   }
+
+      # IMAGE_PUBLISHER: "wp10-image-factory"
+      # IMAGE_OFFER: "wp10-image-factory-vm"
+      # IMAGE_SKU: "v1"
+      # IMAGE_OS_TYPE: "linux"
+      # IMAGE_VERSION: "${{ github.run_number }}"
+
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v4
+
+      # - name: Azure Login
+      #   uses: azure/login@v2
+      #   with:
+      #     creds: ${{ env.AZURE_CREDENTIALS }}
+
+      # - name: Create Azure Image Definition
+      #   uses: azure/cli@v2
+      #   with:
+      #     azcliversion: ${{ env.AZ_CLI_VERSION }}
+      #     inlineScript: |
+      #       set +e
+      #       az sig image-definition show \
+      #         --resource-group "$AZURE_RESOURCE_GROUP" \
+      #         --gallery-name "$AZURE_ACG" \
+      #         --gallery-image-definition "{{ inputs.image-name }}" \
+      #         --query "name" -o tsv
+      #       az_exit_code=$?
+      #       set -e
+      #       if [ $az_exit_code -eq 3 ]; then
+      #         echo "Image definition does not exist. Creating it..."
+      #         az sig image-definition create \
+      #           --resource-group "$AZURE_RESOURCE_GROUP" \
+      #           --gallery-name "$AZURE_ACG" \
+      #           --gallery-image-definition "{{ inputs.image-name }} \
+      #           --publisher "$IMAGE_PUBLISHER" \
+      #           --offer "$IMAGE_OFFER" \
+      #           --sku "$IMAGE_SKU" \
+      #           --os-type "$IMAGE_OS_TYPE"
+      #       else
+      #         echo "Image definition '{{ inputs.image-name }}' already exists."
+      #       fi
+
+      # - name: Template Packer vars file
+      #   uses: cuchi/[email protected]
+      #   with:
+      #     template: images/packer/image-factory-vm/values.auto.pkrvars.hcl.j2
+      #     output_file: images/packer/image-factory-vm/values.auto.pkrvars.hcl
+
+      # - name: Setup Packer
+      #   uses: hashicorp/setup-packer@main
+      #   with:
+      #     version: ${{ env.PACKER_VERSION }}
+
+      # - name: Packer Init
+      #   run: packer init images/packer/image-factory-vm
+
+      # - name: Packer Build
+      #   run: |
+      #     packer build \
+      #       -var "client_id=${{ secrets.AZURE_CLIENT_ID }}" \
+      #       -var "client_secret=${{ secrets.AZURE_CLIENT_SECRET }}" \
+      #       -var "tenant_id=${{ secrets.AZURE_TENANT_ID }}" \
+      #       -var "subscription_id=${{ secrets.AZURE_SUBSCRIPTION_ID }}" \
+      #       images/packer/image-factory-vm
+