diff --git a/.github/linters/.yaml-lint.yml b/.github/linters/.yaml-lint.yml index f6236e3..96705d6 100644 --- a/.github/linters/.yaml-lint.yml +++ b/.github/linters/.yaml-lint.yml @@ -8,7 +8,7 @@ ignore: | rules: truthy: - allowed-values: ['true', 'false'] + allowed-values: ["true", "false"] check-keys: false level: error line-length: disable diff --git a/.github/workflows/container-test.yml b/.github/workflows/container-test.yml deleted file mode 100644 index 51d483a..0000000 --- a/.github/workflows/container-test.yml +++ /dev/null @@ -1,20 +0,0 @@ ---- -name: "Container build and test" -on: [push, pull_request, workflow_call] -permissions: read-all - -jobs: - podman-build: - name: Utility Container Build - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@v5 - with: - persist-credentials: false - - - name: Utility Container Build - run: make manifest podman-build-amd64 - - - name: Run Container tests - run: make test-amd64 diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml index 4f3eff6..e232e87 100644 --- a/.github/workflows/docker-publish.yml +++ b/.github/workflows/docker-publish.yml 
@@ -1,40 +1,74 @@ ---- -name: Docker build and push to quay - -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. -permissions: read-all +name: Build (amd64 and arm64) and push to quay registries on: push: - branches: ['main', 'v1'] - # Publish semver tags as releases. - tags: ['v*.*.*'] + branches: ["main"] + tags: ["v*.*.*"] pull_request: branches: ["main"] workflow_dispatch: -env: - # Use docker.io for Docker Hub if empty - REGISTRY: quay.io - # The following is stored in a per-repo env config variable - # github.repository as / - # QUAY_IMAGE_NAME: hybridcloudpatterns/imperative-container + repository_dispatch: + types: [dependency-updated] + +permissions: + contents: read +env: + REGISTRY: localhost + NAME: imperative-container + TAG: ${{ github.event_name == 'pull_request' && format('pr-{0}', github.event.pull_request.number) || (github.ref_name == 'main' && 'latest' || github.ref_name) }} jobs: - test: - uses: ./.github/workflows/container-test.yml + build-container: + strategy: + matrix: + include: + - targetarch: amd64 + runner: ubuntu-latest + - targetarch: arm64 + runner: ubuntu-24.04-arm + + runs-on: ${{ matrix.runner }} + permissions: + contents: read + + steps: + - name: Checkout repository + uses: actions/checkout@v5 + with: + persist-credentials: false + + - name: Build container and save tarball + env: + CONTAINER: ${{ env.NAME }}:${{ env.TAG }} + TARGETARCH: ${{ matrix.targetarch }} + run: | + make "${TARGETARCH}" + buildah push "${CONTAINER}-${TARGETARCH}" "docker-archive:/tmp/image-${TARGETARCH}.tar:${CONTAINER}-${TARGETARCH}" + + - name: Upload image artifact + uses: actions/upload-artifact@v4 + with: + name: image-${{ matrix.targetarch }}-${{ github.run_id }} + path: /tmp/image-${{ matrix.targetarch }}.tar + retention-days: 1 + + push-multiarch-manifest: + needs: [build-container] + if: 
github.event_name != 'pull_request' + strategy: + matrix: + include: + - upload_registry: quay.io/validatedpatterns + legacy: false + - upload_registry: quay.io/hybridcloudpatterns + legacy: true - build-container-and-push: - needs: [test] runs-on: ubuntu-latest permissions: contents: read - packages: write # This is used to complete the identity challenge # with sigstore/fulcio when running outside of PRs. id-token: write 
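Review bot: `TAG` falls through to a raw `github.ref_name`, so a `workflow_dispatch` run from any non-main branch reaches the `push-multiarch-manifest` job (its `if:` only excludes pull requests) and publishes that branch under its own name to both Quay registries, and a branch name containing `/` would also yield an invalid image reference in the `buildah push` line of the build job. Consider tightening the job guard to `if: github.event_name != 'pull_request' && (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v'))`, or sanitizing the tag before it is used. The `make "${TARGETARCH}"` step only exposes `CONTAINER` as an environment variable, so whether the Makefile actually uses it as the image tag cannot be confirmed from here. The `push-multiarch-manifest` job that begins in this hunk continues past its end.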
@@ -45,71 +79,57 @@ jobs: with: persist-credentials: false - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - - # Install the cosign tool except on PR - # https://github.com/sigstore/cosign-installer - - name: Install cosign - if: github.event_name != 'pull_request' - uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3.10.0 - with: - cosign-release: 'v2.2.4' - - # Set up BuildKit Docker container builder to be able to build - # multi-platform images and export cache - # https://github.com/docker/setup-buildx-action - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 - - # Login against a Docker registry except on PR - # https://github.com/docker/login-action - - name: Log into registry ${{ env.REGISTRY }} - if: github.event_name != 'pull_request' - uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 + - name: Download AMD64 image + uses: actions/download-artifact@v5 with: - registry: ${{ env.REGISTRY }} - username: ${{ secrets.QUAY_USERNAME }} - password: ${{ secrets.QUAY_PASSWORD }} - - # Extract metadata (tags, labels) for Docker - # https://github.com/docker/metadata-action - # We add the latest tag only when we are on the main branch - - name: Extract Docker metadata - id: meta - uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 + name: image-amd64-${{ github.run_id }} + path: /tmp + + - name: Download ARM64 image + uses: actions/download-artifact@v5 with: - images: ${{ env.REGISTRY }}/${{ vars.QUAY_IMAGE_NAME || 'hybridcloudpatterns/imperative-container' }} - flavor: | - latest=${{ github.ref == 'refs/heads/main' }} - - # https://github.com/docker/build-push-action - # Build Docker image with Buildx. 
We always disable the cache as - # it sometimes would not pull the new git changes for the cluster_utils,v1 - # We only push to an actual registry when it is not a pull request (merge/push) - - name: Build and push Docker image - id: build-and-push - uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 + name: image-arm64-${{ github.run_id }} + path: /tmp + + - name: Load tarballs into local containers-storage + run: | + buildah pull docker-archive:/tmp/image-amd64.tar + buildah pull docker-archive:/tmp/image-arm64.tar + + - name: Log into Quay + env: + USERNAME: ${{ matrix.legacy && secrets.LEGACY_QUAY_USERNAME || secrets.QUAY_USERNAME }} + PASSWORD: ${{ matrix.legacy && secrets.LEGACY_QUAY_PASSWORD || secrets.QUAY_PASSWORD }} + run: | + buildah login -u "${USERNAME}" -p "${PASSWORD}" quay.io + + # The compressed manifest in Quay has a different digest than the local so we + # need to use skopeo to retrieve the correct digest for signing + - name: Create manifest and push to Quay + id: manifest-push + env: + UPLOADREGISTRY: ${{ matrix.upload_registry }} + CONTAINER: ${{ env.NAME }}:${{ env.TAG }} + run: | + make manifest + buildah manifest add --arch=amd64 "${REGISTRY}/${CONTAINER}" "${REGISTRY}/${CONTAINER}-amd64" + buildah manifest add --arch=arm64 "${REGISTRY}/${CONTAINER}" "${REGISTRY}/${CONTAINER}-arm64" + make upload + DIGEST=$(skopeo inspect --format "{{.Digest}}" "docker://${UPLOADREGISTRY}/${CONTAINER}") + echo "digest=$DIGEST" >> "$GITHUB_OUTPUT" + + - name: Install cosign + uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2 with: - context: . - file: Containerfile - platforms: linux/amd64,linux/arm64 - push: ${{ github.event_name != 'pull_request' }} - tags: ${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} - no-cache: true - - # Sign the resulting Docker image digest except on PRs. 
- # This will only write to the public Rekor transparency log when the Docker - # repository is public to avoid leaking data. If you would like to publish - # transparency data even for private images, pass --force to cosign below. - # https://github.com/sigstore/cosign - - name: Sign the published Docker image when not a PR - if: ${{ github.event_name != 'pull_request' }} + cosign-release: "v2.2.4" + + # Cosign expects the docker config.json for registry authentication so we must + # copy it from buildah + - name: Sign the published Docker image env: - # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable - TAGS: ${{ steps.meta.outputs.tags }} - DIGEST: ${{ steps.build-and-push.outputs.digest }} - # This step uses the identity token to provision an ephemeral certificate - # against the sigstore community Fulcio instance. - run: echo "${TAGS}" | xargs -I "{}" cosign sign --yes "{}@${DIGEST}" + CONTAINER: ${{ env.NAME }}:${{ env.TAG }} + DIGEST: ${{ steps.manifest-push.outputs.digest }} + UPLOADREGISTRY: ${{ matrix.upload_registry }} + run: | + cat "${XDG_RUNTIME_DIR}/containers/auth.json" > ~/.docker/config.json + cosign sign --yes "${UPLOADREGISTRY}/${CONTAINER}@${DIGEST}" diff --git a/.github/workflows/superlinter.yml b/.github/workflows/superlinter.yml index 56738bf..694d644 100644 --- a/.github/workflows/superlinter.yml +++ b/.github/workflows/superlinter.yml 
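Review bot: The `Log into Quay` step passes the registry password on the `buildah login` command line (`-p "${PASSWORD}"`), where it is visible to any process listing on the runner for the duration of the call; feed it on stdin instead, `echo "${PASSWORD}" | buildah login -u "${USERNAME}" --password-stdin quay.io`. The `Install cosign` step also moves the pin from the removed `d7543c93… # v3.10.0` to `d58896d6… # v3.9.2`, an older release than the line it replaces, so it is worth confirming that downgrade is intended. The `Sign the published Docker image` step redirects into `~/.docker/config.json` without creating the directory; a `mkdir -p ~/.docker` before the `cat` keeps it from failing on a runner where `~/.docker` does not yet exist. These steps belong to the `push-multiarch-manifest` job, whose header is above this hunk.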
@@ -1,40 +1,15 @@ ---- name: Super linter -on: [push, pull_request] -permissions: read-all +on: + pull_request: + branches: [main] -jobs: - build: - # Name the Job - name: Super linter - # Set the agent to run on - runs-on: ubuntu-latest - - steps: - - name: Checkout Code - uses: actions/checkout@v5 - with: - # Full git history is needed to get a proper list of changed files within `super-linter` - fetch-depth: 0 - persist-credentials: false +permissions: + contents: read - ################################ - # Run Linter against code base # - ################################ - - name: Lint Code Base - uses: super-linter/super-linter/slim@v8 - env: - VALIDATE_ALL_CODEBASE: true - DEFAULT_BRANCH: main - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # These are the validation we disable atm - VALIDATE_GITHUB_ACTIONS_ZIZMOR: false - VALIDATE_MARKDOWN_PRETTIER: false - VALIDATE_NATURAL_LANGUAGE: false - VALIDATE_SHELL_SHFMT: false - VALIDATE_TRIVY: false - VALIDATE_YAML_PRETTIER: false - # VALIDATE_DOCKERFILE_HADOLINT: false - # VALIDATE_NATURAL_LANGUAGE: false - # VALIDATE_TEKTON: false +jobs: + lint: + uses: validatedpatterns/github-actions-library/.github/workflows/superlinter.yml@v1 + with: + sl_env: | + VALIDATE_TRIVY=false diff --git a/Makefile b/Makefile index 08ce5e0..3d22339 100644 --- a/Makefile +++ b/Makefile @@ -32,7 +32,7 @@ build: manifest podman-build test ## Build the container locally (all arches) an amd64: manifest podman-build-amd64 test-amd64 ## Build and test the container on amd64 .PHONY: arm64 -arm64: manifest podman-build-amd64 test-amd64 ## Build and test the container on amd64 +arm64: manifest podman-build-arm64 test-arm64 ## Build and test the container on amd64 .PHONY: manifest manifest: ## creates the buildah manifest for multi-arch images diff --git a/README.md b/README.md index 7777aac..517fbc1 100644 --- a/README.md +++ b/README.md 
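Review bot: The reusable workflow reference `validatedpatterns/github-actions-library/.github/workflows/superlinter.yml@v1` points at a mutable tag, so the lint job will silently run whatever that tag is moved to later; for a cross-repository workflow the usual practice is a full commit SHA with the version in a trailing comment, as the cosign-installer line in docker-publish.yml in this same commit does. The trigger also shrinks from `[push, pull_request]` to `pull_request` on `main` only, so direct pushes to `main` are no longer linted, which is fine if intended but deserves a sentence in the commit description. `permissions: contents: read` is the ceiling inherited by the called workflow; whether it needs anything beyond that depends on the called file, which is not visible here.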
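Review bot: The help text on the changed `arm64` target still reads `## Build and test the container on amd64`, a leftover from the `amd64` line it was copied from, so any `make help` generated from these `##` comments would describe both targets as amd64; change the line to `arm64: manifest podman-build-arm64 test-arm64 ## Build and test the container on arm64`. The `podman-build-arm64` and `test-arm64` targets it now depends on are outside this hunk, so their existence cannot be confirmed here.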
@@ -8,29 +8,32 @@ An imperative container for simplified execution of imperative commands in each This container provides a focused environment with essential tools for executing imperative commands and automation tasks in Validated Patterns. It includes Ansible, Kubernetes tools, and other utilities needed for pattern implementation and management. - ## Installed Software -| name | type |version| -|:----------------:|:--------:|:-----:| -|ansible |pip |2.16.14| -|ansible.posix |collection|2.1.0 | -|ansible-runner |pip |2.4.1 | -|ansible.utils |collection|6.0.0 | -|community.general |collection|11.2.1 | -|community.okd |collection|5.0.0 | -|git-core |package |2.47.3 | -|gzip |package |1.12 | -|jmespath |pip |1.0.1 | -|jq |package |1.6 | -|kubernetes.core |collection|6.1.0 | -|kubernetes |pip |33.1.0 | -|make |package |4.3 | -|openshift |binary |4.16.14| -|python3-pip |package |21.3.1 | -|python |package |3.11.11| -|rhvp.cluster_utils|collection|1.1.0 | -|sshpass |package |1.09 | + + +| name | type | version | +| :----------------: | :--------: | :-----: | +| ansible | pip | 2.16.14 | +| ansible.posix | collection | 2.1.0 | +| ansible-runner | pip | 2.4.1 | +| ansible.utils | collection | 6.0.0 | +| community.general | collection | 11.3.0 | +| community.okd | collection | 5.0.0 | +| git-core | package | 2.47.3 | +| gzip | package | 1.12 | +| jmespath | pip | 1.0.1 | +| jq | package | 1.6 | +| kubernetes.core | collection | 6.1.0 | +| kubernetes | pip | 34.1.0 | +| make | package | 4.3 | +| openshift | binary | 4.16.14 | +| python3-pip | package | 21.3.1 | +| python | package | 3.11.11 | +| rhvp.cluster_utils | collection | 1.1.0 | +| sshpass | package | 1.09 | + + ## Usage 
@@ -68,14 +71,17 @@ podman run --rm -it --net=host \ ## Troubleshooting **Permission issues with volume mounts** + - Ensure the `--security-opt label=disable` flag is used when running the container. - Check that your user has read/write access to the mounted directories. **Network connectivity issues** + - Use `--net=host` for full network access. - For restricted environments, configure appropriate network policies. **Missing tools or outdated versions** + - Check the installed software table above for current versions. - Consider building a custom image if you need different tool versions. diff --git a/default-cmd.sh b/default-cmd.sh index 727abc1..c4331e4 100755 --- a/default-cmd.sh +++ b/default-cmd.sh @@ -1,12 +1,12 @@ #!/bin/bash echo -e \ -" - 1 Welcome to the Validate Pattern utility container - 111 It contains all the needed components to install a pattern. - 1 1 - 111 111 Please run the following for more information: + " + 1 Welcome to the Validated Patterns imperative container. + 111 It contains all the needed components for running + 1 1 common imperative commands. + 111 111 1 1 - 111 111 \\x1b[36m./pattern.sh make help\\x1b[m + 111 111 1 1 1 1 111 111 111 111 "