Prepare RHEL workflow for secrets #1161

Merged
merged 2 commits into from
Feb 14, 2024
21 changes: 4 additions & 17 deletions .github/workflows/images_build.yml
Original file line number Diff line number Diff line change
Expand Up @@ -87,33 +87,20 @@ jobs:
env:
MATRIX_FILE: ${{ env.MATRIX_FILE }}
run: |
os_list=$(jq -r '.["os-linux"] | keys | [ .[] | tostring ] | @json' "$MATRIX_FILE")
os_list=$(jq -r '.["os-linux"] | keys | map(select(. != "rhel")) | [ .[] | tostring ] | @json' "$MATRIX_FILE")

echo "::group::Operating System List"
echo "$os_list"
echo "::endgroup::"

echo "list=$os_list" >> $GITHUB_OUTPUT

- name: Prepare Platform list
id: platform_list
env:
MATRIX_FILE: ${{ env.MATRIX_FILE }}
run: |
platform_list=$(jq -r '.["os-linux"] | tostring | @json' "$MATRIX_FILE")

echo "::group::Platform List"
echo "$platform_list"
echo "::endgroup::"

echo "list=$platform_list" >> $GITHUB_OUTPUT

- name: Prepare Database engine list
id: database
env:
MATRIX_FILE: ${{ env.MATRIX_FILE }}
run: |
database_list=$(jq -r '[.components | values[] ] | sort | unique | del(.. | select ( . == "" ) ) | [ .[] | tostring ] | @json' "$MATRIX_FILE")
database_list=$(jq -r '[.components | values[].base ] | sort | unique | del(.. | select ( . == "" ) ) | @json' "$MATRIX_FILE")

echo "::group::Database List"
echo "$database_list"
Expand All @@ -126,7 +113,7 @@ jobs:
env:
MATRIX_FILE: ${{ env.MATRIX_FILE }}
run: |
component_list=$(jq -r '.components | keys | [ .[] | tostring ] | @json' "$MATRIX_FILE")
component_list=$(jq -r '.components | keys | @json' "$MATRIX_FILE")

echo "::group::Zabbix Component List"
echo "$component_list"
Expand Down Expand Up @@ -789,7 +776,7 @@ jobs:
MATRIX_BUILD: ${{ matrix.build }}
MATRIX_FILE: ${{ env.MATRIX_FILE }}
run: |
BUILD_BASE=$(jq -r ".components.\"$MATRIX_BUILD\"" "$MATRIX_FILE")
BUILD_BASE=$(jq -r ".components.\"$MATRIX_BUILD\".base" "$MATRIX_FILE")

echo "::group::Base Build Image"
echo "$BUILD_BASE"
Expand Down
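Review bot: In the Detect Build Base step, `$MATRIX_BUILD` is still spliced into the jq filter text (`".components.\"$MATRIX_BUILD\".base"`), so a key containing a double quote or backslash would alter the filter rather than be looked up; passing it as a jq variable avoids that: `BUILD_BASE=$(jq -r --arg b "$MATRIX_BUILD" '.components[$b].base' "$MATRIX_FILE")`. The value comes from the keys of the repository's own build.json, so this is hygiene rather than an exploitable injection as the file stands today. Separately, with the Prepare Platform list step deleted, any `platforms: ${{ steps.platform_list.outputs.list }}` job output or `needs.init_build.outputs.platforms` consumer elsewhere in this file would now resolve to an empty string; those lines are outside the hunks shown, so it is worth confirming they were dropped as well.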
115 changes: 53 additions & 62 deletions .github/workflows/images_build_rhel.yml
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@ env:
IMAGES_PREFIX: "zabbix-"
BASE_BUILD_NAME: "build-base"

MATRIX_FILE: "build.json"
DOCKERFILES_DIRECTORY: "Dockerfiles"

OIDC_ISSUER: "https://token.actions.githubusercontent.com"
Expand All @@ -39,10 +40,12 @@ jobs:
permissions:
contents: read
outputs:
platforms: ${{ steps.platform_list.outputs.list }}
components: ${{ steps.components.outputs.list }}
is_default_branch: ${{ steps.branch_info.outputs.is_default_branch }}
current_branch: ${{ steps.branch_info.outputs.current_branch }}
sha_short: ${{ steps.branch_info.outputs.sha_short }}
secret_prefix: ${{ steps.branch_info.outputs.secret_prefix }}
steps:
- name: Block egress traffic
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
Expand All @@ -57,6 +60,42 @@ jobs:
with:
fetch-depth: 1

- name: Check ${{ env.MATRIX_FILE }} file
id: build_exists
env:
MATRIX_FILE: ${{ env.MATRIX_FILE }}
run: |
if [[ ! -f "$MATRIX_FILE" ]]; then
echo "::error::File $MATRIX_FILE is missing"
exit 1
fi

- name: Prepare Platform list
id: platform_list
env:
MATRIX_FILE: ${{ env.MATRIX_FILE }}
run: |
platform_list=$(jq -r '.["os-linux"].rhel | tostring | @json' "$MATRIX_FILE")

echo "::group::Platform List"
echo "$platform_list"
echo "::endgroup::"

echo "list=$platform_list" >> $GITHUB_OUTPUT

- name: Prepare Zabbix component list
id: components
env:
MATRIX_FILE: ${{ env.MATRIX_FILE }}
run: |
component_list=$(jq -r '.components |map_values(select(.rhel == true)) | keys | @json' "$MATRIX_FILE")

echo "::group::Zabbix Component List"
echo "$component_list"
echo "::endgroup::"

echo "list=$component_list" >> $GITHUB_OUTPUT

- name: Get branch info
id: branch_info
shell: bash
Expand All @@ -80,31 +119,16 @@ jobs:
echo "::group::Branch data"
echo "is_default_branch - $result"
echo "current_branch - $github_ref"
echo "secret_prefix=RHEL_${github_ref//.}"
echo "sha_short - $sha_short"
echo "::endgroup::"

echo "is_default_branch=$result" >> $GITHUB_OUTPUT
echo "current_branch=$github_ref" >> $GITHUB_OUTPUT
echo "secret_prefix=RHEL_${github_ref//.}" >> $GITHUB_OUTPUT
echo "sha_short=$sha_short" >> $GITHUB_OUTPUT


- name: Prepare Zabbix component list
id: components
env:
REDHAT_CERTIFY_CREDENTIALS: ${{ secrets.REDHAT_CERTIFY_CREDENTIALS }}
CURRENT_BRANCH: ${{ steps.branch_info.outputs.current_branch }}
run: |
if [[ -z "$REDHAT_CERTIFY_CREDENTIALS" ]]; then
echo "::error::Missing RedHat Certification details"
exit 1
fi
component_list=$(jq --raw-output --argjson data "$REDHAT_CERTIFY_CREDENTIALS" -n "\$data.\"$CURRENT_BRANCH\".components | keys | @json")

echo "::group::Zabbix Component List"
echo "$component_list"
echo "::endgroup::"

echo "list=$component_list" >> $GITHUB_OUTPUT

build_base:
timeout-minutes: 30
Expand All @@ -114,7 +138,7 @@ jobs:
fail-fast: false
matrix:
build: [build-base]
arch: [X64, ARM64]
arch: ${{ fromJson(needs.init_build.outputs.platforms) }}
runs-on: [self-hosted, linux, "${{ matrix.arch }}"]
permissions:
contents: read
Expand Down Expand Up @@ -188,7 +212,7 @@ jobs:
fail-fast: false
matrix:
build: [build-mysql, build-sqlite3]
arch: [X64, ARM64]
arch: ${{ fromJson(needs.init_build.outputs.platforms) }}
runs-on: [self-hosted, linux, "${{ matrix.arch }}"]
permissions:
contents: read
Expand Down Expand Up @@ -278,7 +302,7 @@ jobs:
fail-fast: false
matrix:
build: ${{ fromJson(needs.init_build.outputs.components) }}
arch: [X64, ARM64]
arch: ${{ fromJson(needs.init_build.outputs.platforms) }}
runs-on: [self-hosted, linux, "${{ matrix.arch }}"]
permissions:
contents: read
Expand All @@ -299,56 +323,23 @@ jobs:
- name: Detect Build Base Image
id: build_base_image
env:
REDHAT_CERTIFY_CREDENTIALS: ${{ secrets.REDHAT_CERTIFY_CREDENTIALS }}
MATRIX_BUILD: ${{ matrix.build }}
CURRENT_BRANCH: ${{ needs.init_build.outputs.current_branch }}
MATRIX_FILE: ${{ env.MATRIX_FILE }}
run: |
BUILD_BASE=$(jq --raw-output --argjson data "$REDHAT_CERTIFY_CREDENTIALS" -n "\$data.\"$CURRENT_BRANCH\".components.\"$MATRIX_BUILD\".build_base")
BUILD_BASE=$(jq -r ".components.\"$MATRIX_BUILD\".base" "$MATRIX_FILE")

echo "::group::Build base image"
echo "build_base=$BUILD_BASE"
echo "::group::Base Build Image"
echo "$BUILD_BASE"
echo "::endgroup::"

echo "build_base=$BUILD_BASE" >> $GITHUB_OUTPUT

- name: Generate image name
id: image_name
env:
REDHAT_CERTIFY_CREDENTIALS: ${{ secrets.REDHAT_CERTIFY_CREDENTIALS }}
MATRIX_BUILD: ${{ matrix.build }}
CURRENT_BRANCH: ${{ needs.init_build.outputs.current_branch }}
run: |
IMAGE_NAME=$(jq --raw-output --argjson data "$REDHAT_CERTIFY_CREDENTIALS" -n "\$data.\"$CURRENT_BRANCH\".components.\"$MATRIX_BUILD\".login")

echo "::add-mask::$IMAGE_NAME"
echo "image_name=$IMAGE_NAME" >> $GITHUB_OUTPUT

- name: Generate credentials
id: login_credentials
env:
REDHAT_CERTIFY_CREDENTIALS: ${{ secrets.REDHAT_CERTIFY_CREDENTIALS }}
MATRIX_BUILD: ${{ matrix.build }}
CURRENT_BRANCH: ${{ needs.init_build.outputs.current_branch }}
run: |
IMAGE_NAME=$(jq --raw-output --argjson data "$REDHAT_CERTIFY_CREDENTIALS" -n "\$data.\"$CURRENT_BRANCH\".components.\"$MATRIX_BUILD\".login")
REGISTRY_PASSWORD=$(jq --raw-output --argjson data "$REDHAT_CERTIFY_CREDENTIALS" -n "\$data.\"$CURRENT_BRANCH\".components.\"$MATRIX_BUILD\".secret")

echo "::add-mask::$IMAGE_NAME"
echo "::add-mask::redhat-isv-containers+$IMAGE_NAME-robot"
echo "::add-mask::$REGISTRY_PASSWORD"

echo "username=$IMAGE_NAME" >> $GITHUB_OUTPUT
echo "password=$REGISTRY_PASSWORD" >> $GITHUB_OUTPUT
echo "build_base=${BUILD_BASE}" >> $GITHUB_OUTPUT

- name: Log in to Quay.io
uses: redhat-actions/podman-login@9184318aae1ee5034fbfbacc0388acf12669171f # v1.6
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
env:
LOGIN: ${{ steps.login_credentials.outputs.username }}
PASSWORD: ${{ steps.login_credentials.outputs.password }}
with:
username: redhat-isv-containers+${{ env.LOGIN }}-robot
password: ${{ env.PASSWORD }}
username: ${{ format('redhat-isv-containers+{0}-robot', secrets[format('{0}_{1}_PROJECT', ${{ needs.init_build.outputs.secret_prefix }}, ${{ matrix.build }})]) }}
password: ${{ secrets[format('{0}_{1}_SECRET', ${{ needs.init_build.outputs.secret_prefix }}, ${{ matrix.build }})] }}
registry: ${{ env.REGISTRY }}
auth_file_path: /tmp/.docker_${{ matrix.build }}_${{ matrix.arch }}_${{ needs.init_build.outputs.sha_short }}

Expand All @@ -363,7 +354,7 @@ jobs:
id: meta
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
with:
images: ${{ env.REGISTRY }}/${{ env.REGISTRY_NAMESPACE }}/${{ steps.image_name.outputs.image_name }}
images: ${{ env.REGISTRY }}/${{ env.REGISTRY_NAMESPACE }}/${{ format('redhat-isv-containers+{0}-robot', secrets[format('{0}_{1}_PROJECT', ${{ needs.init_build.outputs.secret_prefix }}, ${{ matrix.build }})]) }}
tags: |
type=semver,pattern={{version}}
type=sha
Expand Down Expand Up @@ -420,7 +411,7 @@ jobs:
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
env:
PFLT_DOCKERCONFIG: /tmp/.docker_${{ matrix.build }}_${{ matrix.arch }}_${{ needs.init_build.outputs.sha_short }}
PFLT_CERTIFICATION_PROJECT_ID: ${{ steps.login_credentials.outputs.username }}
PFLT_CERTIFICATION_PROJECT_ID: ${{ format('redhat-isv-containers+{0}-robot', secrets[format('{0}_{1}_PROJECT', ${{ needs.init_build.outputs.secret_prefix }}, ${{ matrix.build }})]) }}
PFLT_PYXIS_API_TOKEN: ${{ secrets.REDHAT_API_TOKEN }}
PFLT_ARTIFACTS: ${{ env.PFLT_ARTIFACTS }}
PFLT_LOGLEVEL: ${{ env.PFLT_LOGLEVEL }}
Expand Down
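Review bot: The `${{ … }}` nested inside the outer expression on the `username:`/`password:` lines of the Quay login step (and again in `images:` and `PFLT_CERTIFICATION_PROJECT_ID`) is not valid Actions expression syntax; inside an expression contexts are referenced bare, e.g. `secrets[format('{0}_{1}_SECRET', needs.init_build.outputs.secret_prefix, matrix.build)]`. Dropping the old `Missing RedHat Certification details` check also removes the only failure path for an absent secret: `secrets[...]` on an unknown name yields an empty string, so a branch whose name still contains characters outside `[A-Za-z0-9_]` after the `//.` substitution (a `/` or `-`, for instance) would silently log in as `redhat-isv-containers+-robot` with an empty password instead of failing early. The `images:` and `PFLT_CERTIFICATION_PROJECT_ID` values now receive the `redhat-isv-containers+{0}-robot` wrapper, whereas before this change they carried the bare `login` value; if the project ID and image name are meant to stay bare, this looks like a copy-paste of the username format. Also, `tostring | @json` in the new Platform list step encodes the array as a JSON string of a string, so `fromJson(needs.init_build.outputs.platforms)` appears to produce a string rather than an array for the `arch:` matrix — worth confirming the matrix actually expands. I would add a guard step that fails when either lookup is empty, fix the expression syntax, and remove the wrapper from the two non-username uses.

```yaml
      - name: Check RHEL credentials are present
        env:
          RHEL_PROJECT: ${{ secrets[format('{0}_{1}_PROJECT', needs.init_build.outputs.secret_prefix, matrix.build)] }}
          RHEL_SECRET: ${{ secrets[format('{0}_{1}_SECRET', needs.init_build.outputs.secret_prefix, matrix.build)] }}
          MATRIX_BUILD: ${{ matrix.build }}
        run: |
          if [[ -z "$RHEL_PROJECT" || -z "$RHEL_SECRET" ]]; then
            echo "::error::Missing RedHat Certification details for $MATRIX_BUILD"
            exit 1
          fi

      - name: Log in to Quay.io
        # … unchanged: uses / if / registry / auth_file_path …
        with:
          username: ${{ format('redhat-isv-containers+{0}-robot', secrets[format('{0}_{1}_PROJECT', needs.init_build.outputs.secret_prefix, matrix.build)]) }}
          password: ${{ secrets[format('{0}_{1}_SECRET', needs.init_build.outputs.secret_prefix, matrix.build)] }}
```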
32 changes: 18 additions & 14 deletions build.json
Original file line number Diff line number Diff line change
Expand Up @@ -22,25 +22,29 @@
"linux/amd64",
"linux/arm64",
"linux/ppc64le"
],
"rhel": [
"X64",
"ARM64"
]
},
"os-windows": {
"windows-2022": "ltsc2022",
"windows-2019": "ltsc2019"
},
"components": {
"agent": "build-mysql",
"agent2": "build-mysql",
"java-gateway": "build-mysql",
"proxy-mysql": "build-mysql",
"proxy-sqlite3": "build-sqlite3",
"server-mysql": "build-mysql",
"server-pgsql": "build-pgsql",
"snmptraps": "",
"web-apache-mysql": "build-mysql",
"web-apache-pgsql": "build-pgsql",
"web-nginx-mysql": "build-mysql",
"web-nginx-pgsql": "build-mysql",
"web-service": "build-mysql"
"agent": { "base" : "build-mysql", "rhel" : true },
"agent2": { "base" : "build-mysql", "rhel" : true },
"java-gateway": { "base" : "build-mysql", "rhel" : true },
"proxy-mysql": { "base" : "build-mysql", "rhel" : true },
"proxy-sqlite3": { "base" : "build-sqlite3", "rhel" : true },
"server-mysql": { "base" : "build-mysql", "rhel" : true },
"server-pgsql": { "base" : "build-pgsql", "rhel" : false },
"snmptraps": { "base" : "", "rhel" : true },
"web-apache-mysql": { "base" : "build-mysql", "rhel" : true },
"web-apache-pgsql": { "base" : "build-pgsql", "rhel" : false },
"web-nginx-mysql": { "base" : "build-mysql", "rhel" : true },
"web-nginx-pgsql": { "base" : "build-mysql", "rhel" : false },
"web-service": { "base" : "build-mysql", "rhel" : true }
}
}
}
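Review bot: `web-nginx-pgsql` is given `"base": "build-mysql"` while its sibling `web-apache-pgsql` uses `build-pgsql`; this was already the case before the change, but now that the same `base` field drives the `Detect Build Base Image` step in both workflows it is worth confirming whether it is intentional. Since JSON carries no comments, the meaning of `"rhel": false` (the component is excluded from the RHEL matrix by the `select(.rhel == true)` filter) is only discoverable by reading the workflow; a short note in the repository README or a schema file next to build.json describing the `base` and `rhel` fields would help the next maintainer.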