diff --git a/.github/actions/vendor-docker-image/action.yml b/.github/actions/vendor-docker-image/action.yml
deleted file mode 100644
index 4e164e24..00000000
--- a/.github/actions/vendor-docker-image/action.yml
+++ /dev/null
@@ -1,49 +0,0 @@
-name: Vendor Docker Image
-description: Extracts Docker image details from the local Helm chart and pushes it to Quay
-inputs:
- query:
- required: true
- description: YQ query that points to the image definition inside the values.yaml file
- modifier:
- required: false
- description: Modify "repo/image:tag" with a stream command before tag and push
- username:
- required: true
- description: Quay registry username
- password:
- required: true
- description: Quay registry password
-runs:
- using: composite
- steps:
- - id: image_source
- name: Extract image details from Helm values
- uses: mikefarah/yq@v4.43.1
- with:
- cmd: yq '${{ inputs.query }} | .repository + ":" + .tag' deployments/helm/hephaestus/values.yaml
- - id: image_fields
- name: Process image fields
- shell: bash
- run: |
- input="${{ steps.image_source.outputs.result }}"
- if [[ -n "${{ inputs.modifier }}" ]]; then
- input="$(echo $input | ${{ inputs.modifier }})"
- fi
- output="$(echo $input | awk -F/ '{print $NF}')"
-
- echo "source=$input" >> $GITHUB_OUTPUT
- echo "destination=$output" >> $GITHUB_OUTPUT
-
- - name: Login to container registry
- uses: docker/login-action@v3
- with:
- registry: quay.io
- username: ${{ inputs.username }}
- password: ${{ inputs.password }}
-
- - name: Tag and push image
- uses: akhilerm/tag-push-action@v2.2.0
- with:
- src: ${{ steps.image_fields.outputs.source }}
- dst: quay.io/domino/${{ steps.image_fields.outputs.destination }}
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 20d5bea5..897a4508 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -78,95 +78,6 @@ jobs:
 password: ${{ secrets.QUAY_PASSWORD }}
 platforms: ${{ env.BUILD_PLATFORMS }}
- vendor-buildkit-rootless:
- runs-on: ubuntu-latest
- needs: build
- if: github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v')
- steps:
- - name: Checkout
- uses: actions/checkout@v4
-
- - id: image_tag
- name: Extract image details from Helm values
- uses: mikefarah/yq@v4.43.1
- with:
- cmd: yq '.buildkit.rootlessImage.tag' deployments/helm/hephaestus/values.yaml
- - name: Set up QEMU
- uses: docker/setup-qemu-action@v3
- - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
- - name: Login to container registry
- uses: docker/login-action@v3
- with:
- registry: quay.io
- username: ${{ secrets.QUAY_USERNAME }}
- password: ${{ secrets.QUAY_PASSWORD }}
- - name: Build and push rootless Buildkit image to Quay
- uses: docker/build-push-action@v5
- with:
- push: true
- target: rootless
- context: build/buildkit
- platforms: ${{ env.BUILD_PLATFORMS }}
- build-args: BUILDKIT_TAG=${{ steps.image_tag.outputs.result }}
- tags: quay.io/domino/buildkit:${{ steps.image_tag.outputs.result }}
-
- vendor-buildkit:
- runs-on: ubuntu-latest
- needs: build
- if: github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v')
- steps:
- - name: Checkout
- uses: actions/checkout@v4
-
- - id: image_tag
- name: Extract image details from Helm values
- uses: mikefarah/yq@v4.43.1
- with:
- cmd: yq '.buildkit.image.tag' deployments/helm/hephaestus/values.yaml
- - name: Set up QEMU
- uses: docker/setup-qemu-action@v3
- - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
- - name: Login to container registry
- uses: docker/login-action@v3
- with:
- registry: quay.io
- username: ${{ secrets.QUAY_USERNAME }}
- password: ${{ secrets.QUAY_PASSWORD }}
- - name: Build and push rootless Buildkit image to Quay
- uses: docker/build-push-action@v5
- with:
- push: true
- target: root
- context: build/buildkit
- platforms: ${{ env.BUILD_PLATFORMS }}
- build-args: BUILDKIT_TAG=${{ steps.image_tag.outputs.result }}
- tags: quay.io/domino/buildkit:${{ steps.image_tag.outputs.result }}
-
- vendor-vector:
- runs-on: ubuntu-latest
- needs: build
- if: github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v')
- steps:
- - name: Checkout
- uses: actions/checkout@v4
-
- - name: Push Vector image to Quay
- uses: ./.github/actions/vendor-docker-image
- with:
- query: ".controller.vector.image"
- username: ${{ secrets.QUAY_USERNAME }}
- password: ${{ secrets.QUAY_PASSWORD }}
-
 helm:
 runs-on: ubuntu-latest
 needs: docker
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
deleted file mode 100644
index 8722ea14..00000000
--- a/.github/workflows/security.yml
+++ /dev/null
@@ -1,105 +0,0 @@
-name: Image Security Updates
-
-on:
- schedule:
- - cron: "0 4 * * 1"
- workflow_dispatch:
- inputs:
- immutable:
- type: boolean
- description: Generate stable image tags
- buildkitVersion:
- type: string
- description: Override version defined in Helm chart
-
-jobs:
- process-input:
- name: Process input
- runs-on: ubuntu-latest
- outputs:
- buildkit_src_tag: ${{ steps.image_tags.outputs.buildkit_src_tag }}
- buildkit_dst_tag: ${{ steps.image_tags.outputs.buildkit_dst_tag }}
- buildkit_rootless_src_tag: ${{ steps.image_tags.outputs.buildkit_rootless_src_tag }}
- buildkit_rootless_dst_tag: ${{ steps.image_tags.outputs.buildkit_rootless_dst_tag }}
- steps:
- - name: Checkout
- uses: actions/checkout@v4
-
- - name: Validate user input
- if: github.event.inputs.buildkitVersion != ''
- run: curl --head --fail https://hub.docker.com/v2/repositories/moby/buildkit/tags/${{ inputs.buildkitVersion }}
- - id: buildkit_tag
- name: Extract image tag from Helm values
- uses: mikefarah/yq@v4.43.1
- with:
- cmd: test -n "${{ inputs.buildkitVersion }}" && echo "${{ inputs.buildkitVersion }}" || yq '.buildkit.image.tag' deployments/helm/hephaestus/values.yaml | sed 's/-rootless//'
- - id: image_tags
- name: Construct image tags
- run: |
- IMMUTABLE_SUFFIX="$([[ "${{ inputs.immutable }}" == "true" ]] && echo "-$(date +%Y%m%d%H%M%S)" || echo "")"
- BUILDKIT_INPUT_TAG="${{ steps.buildkit_tag.outputs.result }}"
- BUILDKIT_OUTPUT_TAG="$BUILDKIT_INPUT_TAG$IMMUTABLE_SUFFIX"
- BUILDKIT_ROOTLESS_INPUT_TAG="$BUILDKIT_INPUT_TAG-rootless"
- BUILDKIT_ROOTLESS_OUTPUT_TAG="$BUILDKIT_ROOTLESS_INPUT_TAG$IMMUTABLE_SUFFIX"
-
- echo "buildkit_src_tag=$BUILDKIT_INPUT_TAG" >> $GITHUB_OUTPUT
- echo "buildkit_dst_tag=$BUILDKIT_OUTPUT_TAG" >> $GITHUB_OUTPUT
- echo "buildkit_rootless_src_tag=$BUILDKIT_ROOTLESS_INPUT_TAG" >> $GITHUB_OUTPUT
- echo "buildkit_rootless_dst_tag=$BUILDKIT_ROOTLESS_OUTPUT_TAG" >> $GITHUB_OUTPUT
-
- buildkit:
- name: Buildkit
- runs-on: ubuntu-latest
- needs: [process-input]
- steps:
- - name: Checkout
- uses: actions/checkout@v4
- - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
- - name: Login to container registry
- uses: docker/login-action@v3
- with:
- registry: quay.io
- username: ${{ secrets.QUAY_USERNAME }}
- password: ${{ secrets.QUAY_PASSWORD }}
- - name: Build and push image to Quay
- uses: docker/build-push-action@v5
- with:
- push: true
- target: root
- context: build/buildkit
- build-args: BUILDKIT_TAG=${{ needs.process-input.outputs.buildkit_src_tag }}
- tags: quay.io/domino/buildkit:${{ needs.process-input.outputs.buildkit_dst_tag }}
-
-
- buildkit-rootless:
- name: Buildkit Rootless
- runs-on: ubuntu-latest
- needs: [process-input]
- steps:
- - name: Checkout
- uses: actions/checkout@v4
- - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
- - name: Login to container registry
- uses: docker/login-action@v3
- with:
- registry: quay.io
- username: ${{ secrets.QUAY_USERNAME }}
- password: ${{ secrets.QUAY_PASSWORD }}
- - name: Build and push image to Quay
- uses: docker/build-push-action@v5
- with:
- push: true
- target: rootless
- context: build/buildkit
- build-args: BUILDKIT_TAG=${{ needs.process-input.outputs.buildkit_rootless_src_tag }}
- tags: quay.io/domino/buildkit:${{ needs.process-input.outputs.buildkit_rootless_dst_tag }}
diff --git a/build/README.md b/build/README.md
deleted file mode 100644
index 7a15b77f..00000000
--- a/build/README.md
+++ /dev/null
@@ -1,10 +0,0 @@
-# Build Images
-
-Any custom changes made to community images should be added here, built using
-the GitHub workflow, and pushed to the appropriate location.
-
-## Buildkit
-
-All buildkit images have had their APK dependencies upgraded, and the rootless
-image has been modified to expand the uid/gid map range and accommodate
-environments where Istio is running.
diff --git a/build/buildkit/Dockerfile b/build/buildkit/Dockerfile
deleted file mode 100644
index 25b2abee..00000000
--- a/build/buildkit/Dockerfile
+++ /dev/null
@@ -1,30 +0,0 @@
-ARG BUILDKIT_TAG
-
-FROM moby/buildkit:${BUILDKIT_TAG} AS root
-RUN apk update && \
- apk upgrade && \
- rm -rf /var/cache/apk
-
-FROM moby/buildkit:${BUILDKIT_TAG} AS rootless
-ARG ISTIO_GID=1337
-ARG UID=1000
-USER root
-RUN apk update && \
- apk upgrade && \
- rm -rf /var/cache/apk
-
-# You can ignore "deluser: can't find user in /etc/group"
-RUN deluser user && \
- adduser -u $UID -D user && \
- chown -R user:user /home/user && \
- mkdir -p /run/user/$UID && \
- chown user:root /run/user/$UID
-
-ENV XDG_RUNTIME_DIR=/run/user/$UID
-ENV BUILDKIT_HOST=unix:///run/user/$UID/buildkit/buildkitd.sock
-
-RUN addgroup -S -g $ISTIO_GID istio && \
- addgroup user istio && \
- echo user:100000:150000 | tee /etc/subuid | tee /etc/subgid && \
- echo user:$ISTIO_GID:1 >> /etc/subgid
-USER $UID:$UID