From e0e7341bf7b209c18edbf70c2c8b3c1fcc7d0492 Mon Sep 17 00:00:00 2001 From: Alexey Pustovalov Date: Wed, 14 Feb 2024 14:02:04 +0900 Subject: [PATCH 1/2] Prepare RHEL workflow for secrets --- .github/workflows/images_build.yml | 21 +---- .github/workflows/images_build_rhel.yml | 112 +++++++++++------------- build.json | 32 ++++--- 3 files changed, 72 insertions(+), 93 deletions(-) diff --git a/.github/workflows/images_build.yml b/.github/workflows/images_build.yml index 6f606f92c..7b997705e 100644 --- a/.github/workflows/images_build.yml +++ b/.github/workflows/images_build.yml @@ -87,7 +87,7 @@ jobs: env: MATRIX_FILE: ${{ env.MATRIX_FILE }} run: | - os_list=$(jq -r '.["os-linux"] | keys | [ .[] | tostring ] | @json' "$MATRIX_FILE") + os_list=$(jq -r '.["os-linux"] | keys | map(select(. != "rhel")) | [ .[] | tostring ] | @json' "$MATRIX_FILE") echo "::group::Operating System List" echo "$os_list" @@ -95,25 +95,12 @@ jobs: echo "list=$os_list" >> $GITHUB_OUTPUT - - name: Prepare Platform list - id: platform_list - env: - MATRIX_FILE: ${{ env.MATRIX_FILE }} - run: | - platform_list=$(jq -r '.["os-linux"] | tostring | @json' "$MATRIX_FILE") - - echo "::group::Platform List" - echo "$platform_list" - echo "::endgroup::" - - echo "list=$platform_list" >> $GITHUB_OUTPUT - - name: Prepare Database engine list id: database env: MATRIX_FILE: ${{ env.MATRIX_FILE }} run: | - database_list=$(jq -r '[.components | values[] ] | sort | unique | del(.. | select ( . == "" ) ) | [ .[] | tostring ] | @json' "$MATRIX_FILE") + database_list=$(jq -r '[.components | values[].base ] | sort | unique | del(.. | select ( . == "" ) ) | @json' "$MATRIX_FILE") echo "::group::Database List" echo "$database_list" 
@@ -126,7 +113,7 @@ jobs: env: MATRIX_FILE: ${{ env.MATRIX_FILE }} run: | - component_list=$(jq -r '.components | keys | [ .[] | tostring ] | @json' "$MATRIX_FILE") + component_list=$(jq -r '.components | keys | @json' "$MATRIX_FILE") echo "::group::Zabbix Component List" echo "$component_list" @@ -789,7 +776,7 @@ jobs: MATRIX_BUILD: ${{ matrix.build }} MATRIX_FILE: ${{ env.MATRIX_FILE }} run: | - BUILD_BASE=$(jq -r ".components.\"$MATRIX_BUILD\"" "$MATRIX_FILE") + BUILD_BASE=$(jq -r ".components.\"$MATRIX_BUILD\".base" "$MATRIX_FILE") echo "::group::Base Build Image" echo "$BUILD_BASE" diff --git a/.github/workflows/images_build_rhel.yml b/.github/workflows/images_build_rhel.yml index d561bcc31..6e726cf06 100644 --- a/.github/workflows/images_build_rhel.yml +++ b/.github/workflows/images_build_rhel.yml @@ -21,6 +21,7 @@ env: IMAGES_PREFIX: "zabbix-" BASE_BUILD_NAME: "build-base" + MATRIX_FILE: "build.json" DOCKERFILES_DIRECTORY: "Dockerfiles" OIDC_ISSUER: "https://token.actions.githubusercontent.com" @@ -39,6 +40,7 @@ jobs: permissions: contents: read outputs: + platforms: ${{ steps.platform_list.outputs.list }} components: ${{ steps.components.outputs.list }} is_default_branch: ${{ steps.branch_info.outputs.is_default_branch }} current_branch: ${{ steps.branch_info.outputs.current_branch }} 
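Review bot: The rewritten `Detect Build Base Image` step still builds the jq program by shell-interpolating the component key into the filter text (`".components.\"$MATRIX_BUILD\".base"`), so a key containing a double quote or backslash would alter the filter instead of the lookup, and a key absent from `build.json` leaves the literal string `null` in `BUILD_BASE`. Pass the key as a jq variable: `BUILD_BASE=$(jq -r --arg b "$MATRIX_BUILD" '.components[$b].base // empty' "$MATRIX_FILE")` (`""`, as used for `snmptraps`, still passes through `//`). The key is taken from the repository's own `build.json`, so this is hardening and consistency rather than a reachable gap; the surrounding job definition lies outside the hunk.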
@@ -57,6 +59,42 @@ jobs: with: fetch-depth: 1 + - name: Check ${{ env.MATRIX_FILE }} file + id: build_exists + env: + MATRIX_FILE: ${{ env.MATRIX_FILE }} + run: | + if [[ ! -f "$MATRIX_FILE" ]]; then + echo "::error::File $MATRIX_FILE is missing" + exit 1 + fi + + - name: Prepare Platform list + id: platform_list + env: + MATRIX_FILE: ${{ env.MATRIX_FILE }} + run: | + platform_list=$(jq -r '.["os-linux"].rhel | tostring | @json' "$MATRIX_FILE") + + echo "::group::Platform List" + echo "$platform_list" + echo "::endgroup::" + + echo "list=$platform_list" >> $GITHUB_OUTPUT + + - name: Prepare Zabbix component list + id: components + env: + MATRIX_FILE: ${{ env.MATRIX_FILE }} + run: | + component_list=$(jq -r '.components |map_values(select(.rhel == true)) | keys | @json' "$MATRIX_FILE") + + echo "::group::Zabbix Component List" + echo "$component_list" + echo "::endgroup::" + + echo "list=$component_list" >> $GITHUB_OUTPUT + - name: Get branch info id: branch_info shell: bash @@ -88,23 +126,6 @@ jobs: echo "sha_short=$sha_short" >> $GITHUB_OUTPUT - - name: Prepare Zabbix component list - id: components - env: - REDHAT_CERTIFY_CREDENTIALS: ${{ secrets.REDHAT_CERTIFY_CREDENTIALS }} - CURRENT_BRANCH: ${{ steps.branch_info.outputs.current_branch }} - run: | - if [[ -z "$REDHAT_CERTIFY_CREDENTIALS" ]]; then - echo "::error::Missing RedHat Certification details" - exit 1 - fi - component_list=$(jq --raw-output --argjson data "$REDHAT_CERTIFY_CREDENTIALS" -n "\$data.\"$CURRENT_BRANCH\".components | keys | @json") - - echo "::group::Zabbix Component List" - echo "$component_list" - echo "::endgroup::" - - echo "list=$component_list" >> $GITHUB_OUTPUT build_base: timeout-minutes: 30 @@ -114,7 +135,7 @@ jobs: fail-fast: false matrix: build: [build-base] - arch: [X64, ARM64] + arch: ${{ fromJson(needs.init_build.outputs.platforms) }} runs-on: [self-hosted, linux, "${{ matrix.arch }}"] permissions: contents: read 
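Review bot: The `Prepare Platform list` step pipes the array through `tostring` before `@json` (`jq -r '.["os-linux"].rhel | tostring | @json'`), which serialises it twice: the step output is a JSON string whose content is `["X64","ARM64"]`, so `fromJson(needs.init_build.outputs.platforms)` in the `arch:` matrices appears to yield a string rather than an array. The sibling `Prepare Zabbix component list` step in the same hunk omits `tostring` and emits a plain array, which is the form the matrices need. Unless some consumer decodes it twice, use `platform_list=$(jq -r '.["os-linux"].rhel | @json' "$MATRIX_FILE")` (or equivalently `jq -c '.["os-linux"].rhel'`).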
@@ -188,7 +209,7 @@ jobs: fail-fast: false matrix: build: [build-mysql, build-sqlite3] - arch: [X64, ARM64] + arch: ${{ fromJson(needs.init_build.outputs.platforms) }} runs-on: [self-hosted, linux, "${{ matrix.arch }}"] permissions: contents: read @@ -278,7 +299,7 @@ jobs: fail-fast: false matrix: build: ${{ fromJson(needs.init_build.outputs.components) }} - arch: [X64, ARM64] + arch: ${{ fromJson(needs.init_build.outputs.platforms) }} runs-on: [self-hosted, linux, "${{ matrix.arch }}"] permissions: contents: read 
@@ -299,56 +320,23 @@ jobs: - name: Detect Build Base Image id: build_base_image env: - REDHAT_CERTIFY_CREDENTIALS: ${{ secrets.REDHAT_CERTIFY_CREDENTIALS }} MATRIX_BUILD: ${{ matrix.build }} - CURRENT_BRANCH: ${{ needs.init_build.outputs.current_branch }} + MATRIX_FILE: ${{ env.MATRIX_FILE }} run: | - BUILD_BASE=$(jq --raw-output --argjson data "$REDHAT_CERTIFY_CREDENTIALS" -n "\$data.\"$CURRENT_BRANCH\".components.\"$MATRIX_BUILD\".build_base") + BUILD_BASE=$(jq -r ".components.\"$MATRIX_BUILD\".base" "$MATRIX_FILE") - echo "::group::Build base image" - echo "build_base=$BUILD_BASE" + echo "::group::Base Build Image" + echo "$BUILD_BASE" echo "::endgroup::" - echo "build_base=$BUILD_BASE" >> $GITHUB_OUTPUT - - - name: Generate image name - id: image_name - env: - REDHAT_CERTIFY_CREDENTIALS: ${{ secrets.REDHAT_CERTIFY_CREDENTIALS }} - MATRIX_BUILD: ${{ matrix.build }} - CURRENT_BRANCH: ${{ needs.init_build.outputs.current_branch }} - run: | - IMAGE_NAME=$(jq --raw-output --argjson data "$REDHAT_CERTIFY_CREDENTIALS" -n "\$data.\"$CURRENT_BRANCH\".components.\"$MATRIX_BUILD\".login") - - echo "::add-mask::$IMAGE_NAME" - echo "image_name=$IMAGE_NAME" >> $GITHUB_OUTPUT - - - name: Generate credentials - id: login_credentials - env: - REDHAT_CERTIFY_CREDENTIALS: ${{ secrets.REDHAT_CERTIFY_CREDENTIALS }} - MATRIX_BUILD: ${{ matrix.build }} - CURRENT_BRANCH: ${{ needs.init_build.outputs.current_branch }} - run: | - IMAGE_NAME=$(jq --raw-output --argjson data "$REDHAT_CERTIFY_CREDENTIALS" -n "\$data.\"$CURRENT_BRANCH\".components.\"$MATRIX_BUILD\".login") - REGISTRY_PASSWORD=$(jq --raw-output --argjson data "$REDHAT_CERTIFY_CREDENTIALS" -n "\$data.\"$CURRENT_BRANCH\".components.\"$MATRIX_BUILD\".secret") - - echo "::add-mask::$IMAGE_NAME" - echo "::add-mask::redhat-isv-containers+$IMAGE_NAME-robot" - echo "::add-mask::$REGISTRY_PASSWORD" - - echo "username=$IMAGE_NAME" >> $GITHUB_OUTPUT - echo "password=$REGISTRY_PASSWORD" >> $GITHUB_OUTPUT + echo 
"build_base=${BUILD_BASE}" >> $GITHUB_OUTPUT - name: Log in to Quay.io uses: redhat-actions/podman-login@9184318aae1ee5034fbfbacc0388acf12669171f # v1.6 if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} - env: - LOGIN: ${{ steps.login_credentials.outputs.username }} - PASSWORD: ${{ steps.login_credentials.outputs.password }} with: - username: redhat-isv-containers+${{ env.LOGIN }}-robot - password: ${{ env.PASSWORD }} + username: ${{ format('redhat-isv-containers+{0}-robot', secrets[format('RHEL_{0}_{1}_PROJECT', ${{ needs.init_build.outputs.current_branch }}, ${{ matrix.build }})]) }} + password: ${{ secrets[format('RHEL_{0}_{1}_SECRET', ${{ needs.init_build.outputs.current_branch }}, ${{ matrix.build }})] }} registry: ${{ env.REGISTRY }} auth_file_path: /tmp/.docker_${{ matrix.build }}_${{ matrix.arch }}_${{ needs.init_build.outputs.sha_short }} @@ -363,7 +351,7 @@ jobs: id: meta uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 with: - images: ${{ env.REGISTRY }}/${{ env.REGISTRY_NAMESPACE }}/${{ steps.image_name.outputs.image_name }} + images: ${{ env.REGISTRY }}/${{ env.REGISTRY_NAMESPACE }}/${{ format('redhat-isv-containers+{0}-robot', secrets[format('RHEL_{0}_{1}_PROJECT', ${{ needs.init_build.outputs.current_branch }}, ${{ matrix.build }})]) }} tags: | type=semver,pattern={{version}} type=sha @@ -420,7 +408,7 @@ jobs: if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} env: PFLT_DOCKERCONFIG: /tmp/.docker_${{ matrix.build }}_${{ matrix.arch }}_${{ needs.init_build.outputs.sha_short }} - PFLT_CERTIFICATION_PROJECT_ID: ${{ steps.login_credentials.outputs.username }} + PFLT_CERTIFICATION_PROJECT_ID: ${{ format('redhat-isv-containers+{0}-robot', secrets[format('RHEL_{0}_{1}_PROJECT', ${{ needs.init_build.outputs.current_branch }}, ${{ matrix.build }})]) }} PFLT_PYXIS_API_TOKEN: ${{ secrets.REDHAT_API_TOKEN }} PFLT_ARTIFACTS: ${{ env.PFLT_ARTIFACTS }} PFLT_LOGLEVEL: ${{ env.PFLT_LOGLEVEL }} 
diff --git a/build.json b/build.json index 3a1a5ef9a..11e137493 100644 --- a/build.json +++ b/build.json @@ -22,6 +22,10 @@ "linux/amd64", "linux/arm64", "linux/ppc64le" + ], + "rhel": [ + "X64", + "ARM64" ] }, "os-windows": { @@ -29,18 +33,18 @@ "windows-2019": "ltsc2019" }, "components": { - "agent": "build-mysql", - "agent2": "build-mysql", - "java-gateway": "build-mysql", - "proxy-mysql": "build-mysql", - "proxy-sqlite3": "build-sqlite3", - "server-mysql": "build-mysql", - "server-pgsql": "build-pgsql", - "snmptraps": "", - "web-apache-mysql": "build-mysql", - "web-apache-pgsql": "build-pgsql", - "web-nginx-mysql": "build-mysql", - "web-nginx-pgsql": "build-mysql", - "web-service": "build-mysql" + "agent": { "base" : "build-mysql", "rhel" : true }, + "agent2": { "base" : "build-mysql", "rhel" : true }, + "java-gateway": { "base" : "build-mysql", "rhel" : true }, + "proxy-mysql": { "base" : "build-mysql", "rhel" : true }, + "proxy-sqlite3": { "base" : "build-sqlite3", "rhel" : true }, + "server-mysql": { "base" : "build-mysql", "rhel" : true }, + "server-pgsql": { "base" : "build-pgsql", "rhel" : false }, + "snmptraps": { "base" : "", "rhel" : true }, + "web-apache-mysql": { "base" : "build-mysql", "rhel" : true }, + "web-apache-pgsql": { "base" : "build-pgsql", "rhel" : false }, + "web-nginx-mysql": { "base" : "build-mysql", "rhel" : true }, + "web-nginx-pgsql": { "base" : "build-mysql", "rhel" : false }, + "web-service": { "base" : "build-mysql", "rhel" : true } } -} \ No newline at end of file +} From d48373fd9a48482714a080734f34e412023a0264 Mon Sep 17 00:00:00 2001 From: Alexey Pustovalov Date: Wed, 14 Feb 2024 14:10:07 +0900 Subject: [PATCH 2/2] Fixed Dockerfile instructions --- .github/workflows/images_build_rhel.yml | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/.github/workflows/images_build_rhel.yml b/.github/workflows/images_build_rhel.yml index 6e726cf06..f01e56755 100644 --- a/.github/workflows/images_build_rhel.yml 
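Review bot: In the restructured `components` map, `web-nginx-pgsql` keeps `"base" : "build-mysql"` while `web-apache-pgsql` and `server-pgsql` use `build-pgsql`; the value is carried over from the old flat mapping, but since this commit now also derives the database matrix from these `base` fields it is worth confirming the nginx/pgsql image is really meant to build on the MySQL base. If it is not, the line should read `"web-nginx-pgsql": { "base" : "build-pgsql", "rhel" : false },`. If it is intentional, a short note in the workflow that reads this file would spare the next maintainer the same question, since JSON offers no place for a comment here.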
+++ b/.github/workflows/images_build_rhel.yml @@ -45,6 +45,7 @@ jobs: is_default_branch: ${{ steps.branch_info.outputs.is_default_branch }} current_branch: ${{ steps.branch_info.outputs.current_branch }} sha_short: ${{ steps.branch_info.outputs.sha_short }} + secret_prefix: ${{ steps.branch_info.outputs.secret_prefix }} steps: - name: Block egress traffic uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 @@ -118,11 +119,13 @@ jobs: echo "::group::Branch data" echo "is_default_branch - $result" echo "current_branch - $github_ref" + echo "secret_prefix=RHEL_${github_ref//.}" echo "sha_short - $sha_short" echo "::endgroup::" echo "is_default_branch=$result" >> $GITHUB_OUTPUT echo "current_branch=$github_ref" >> $GITHUB_OUTPUT + echo "secret_prefix=RHEL_${github_ref//.}" >> $GITHUB_OUTPUT echo "sha_short=$sha_short" >> $GITHUB_OUTPUT @@ -335,8 +338,8 @@ jobs: uses: redhat-actions/podman-login@9184318aae1ee5034fbfbacc0388acf12669171f # v1.6 if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} with: - username: ${{ format('redhat-isv-containers+{0}-robot', secrets[format('RHEL_{0}_{1}_PROJECT', ${{ needs.init_build.outputs.current_branch }}, ${{ matrix.build }})]) }} - password: ${{ secrets[format('RHEL_{0}_{1}_SECRET', ${{ needs.init_build.outputs.current_branch }}, ${{ matrix.build }})] }} + username: ${{ format('redhat-isv-containers+{0}-robot', secrets[format('{0}_{1}_PROJECT', ${{ needs.init_build.outputs.secret_prefix }}, ${{ matrix.build }})]) }} + password: ${{ secrets[format('{0}_{1}_SECRET', ${{ needs.init_build.outputs.secret_prefix }}, ${{ matrix.build }})] }} registry: ${{ env.REGISTRY }} auth_file_path: /tmp/.docker_${{ matrix.build }}_${{ matrix.arch }}_${{ needs.init_build.outputs.sha_short }} 
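Review bot: `secret_prefix=RHEL_${github_ref//.}` only strips dots, but GitHub secret names may contain only letters, digits and underscores, so any `github_ref` containing `-` or `/` yields a name that can never match a secret and the dynamic `secrets[...]` lookup downstream silently resolves to an empty string. Normalise the remaining characters too, e.g. `secret_prefix="RHEL_${github_ref//.}"` followed by `secret_prefix="${secret_prefix//[^A-Za-z0-9_]/_}"`, and log it in the same form as the neighbouring fields (`echo "secret_prefix - $secret_prefix"` instead of `secret_prefix=...`). How `github_ref` is derived is outside the hunk (the `branch_info` step body starts before it), so the range of possible values is inferred.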
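Review bot: The new `username:` and `password:` values nest `${{ … }}` inside an outer `${{ … }}` (`secrets[format('{0}_{1}_PROJECT', ${{ needs.init_build.outputs.secret_prefix }}, ${{ matrix.build }})]`); inside an expression, contexts are referenced bare, so as written the workflow should be rejected at parse time. Use `secrets[format('{0}_{1}_PROJECT', needs.init_build.outputs.secret_prefix, matrix.build)]` and the same shape for `_SECRET`. The commit also dropped the old `-z` check on the credentials blob; with per-branch dynamic lookup an unset secret resolves to an empty string and podman-login proceeds with blank credentials, so a guard step before the login that exports the two looked-up secrets into `env` and fails with `::error::` when either is empty would restore the fail-fast behaviour. The step's `uses:` line is in the hunk but the enclosing job definition is not.

```yaml
      - name: Check Red Hat credentials
        if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
        env:
          MATRIX_BUILD: ${{ matrix.build }}
          RH_PROJECT: ${{ secrets[format('{0}_{1}_PROJECT', needs.init_build.outputs.secret_prefix, matrix.build)] }}
          RH_SECRET: ${{ secrets[format('{0}_{1}_SECRET', needs.init_build.outputs.secret_prefix, matrix.build)] }}
        run: |
          if [[ -z "$RH_PROJECT" || -z "$RH_SECRET" ]]; then
            echo "::error::No Red Hat certification credentials configured for $MATRIX_BUILD on this branch"
            exit 1
          fi

      # … unchanged: Log in to Quay.io step, with the nested ${{ }} removed from username/password …
```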
@@ -351,7 +354,7 @@ jobs: id: meta uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 with: - images: ${{ env.REGISTRY }}/${{ env.REGISTRY_NAMESPACE }}/${{ format('redhat-isv-containers+{0}-robot', secrets[format('RHEL_{0}_{1}_PROJECT', ${{ needs.init_build.outputs.current_branch }}, ${{ matrix.build }})]) }} + images: ${{ env.REGISTRY }}/${{ env.REGISTRY_NAMESPACE }}/${{ format('redhat-isv-containers+{0}-robot', secrets[format('{0}_{1}_PROJECT', ${{ needs.init_build.outputs.secret_prefix }}, ${{ matrix.build }})]) }} tags: | type=semver,pattern={{version}} type=sha @@ -408,7 +411,7 @@ jobs: if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} env: PFLT_DOCKERCONFIG: /tmp/.docker_${{ matrix.build }}_${{ matrix.arch }}_${{ needs.init_build.outputs.sha_short }} - PFLT_CERTIFICATION_PROJECT_ID: ${{ format('redhat-isv-containers+{0}-robot', secrets[format('RHEL_{0}_{1}_PROJECT', ${{ needs.init_build.outputs.current_branch }}, ${{ matrix.build }})]) }} + PFLT_CERTIFICATION_PROJECT_ID: ${{ format('redhat-isv-containers+{0}-robot', secrets[format('{0}_{1}_PROJECT', ${{ needs.init_build.outputs.secret_prefix }}, ${{ matrix.build }})]) }} PFLT_PYXIS_API_TOKEN: ${{ secrets.REDHAT_API_TOKEN }} PFLT_ARTIFACTS: ${{ env.PFLT_ARTIFACTS }} PFLT_LOGLEVEL: ${{ env.PFLT_LOGLEVEL }}
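Review bot: `images:` now resolves to `…/redhat-isv-containers+<PROJECT>-robot`, which is the robot-account username, whereas the removed `steps.image_name.outputs.image_name` was the bare `login` value that doubled as the repository name; the `format('redhat-isv-containers+{0}-robot', …)` wrapper looks copied from the login step. The reference should be `images: ${{ env.REGISTRY }}/${{ env.REGISTRY_NAMESPACE }}/${{ secrets[format('{0}_{1}_PROJECT', needs.init_build.outputs.secret_prefix, matrix.build)] }}`, which also drops the nested `${{ }}` that is not valid inside an expression. Because the project identifier is read from `secrets`, GitHub masks it in the log, taking over the `::add-mask::` the removed step performed explicitly.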
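Review bot: `PFLT_CERTIFICATION_PROJECT_ID` is set to the robot-account name `redhat-isv-containers+<PROJECT>-robot`, but before this change it carried `steps.login_credentials.outputs.username`, which was the bare `login` (project) value; preflight is therefore handed a string that is not a certification project ID. Set it to the secret alone: `PFLT_CERTIFICATION_PROJECT_ID: ${{ secrets[format('{0}_{1}_PROJECT', needs.init_build.outputs.secret_prefix, matrix.build)] }}`, without the nested `${{ }}`. The step's `uses:`/`run:` lines are outside the hunk.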