-
Notifications
You must be signed in to change notification settings - Fork 55
259 lines (231 loc) · 12.3 KB
/
build-envoy-images-release.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
name: Refresh test & build cache & build latest
on:
push:
branches:
- main
permissions:
# To be able to access the repository with `actions/checkout`
contents: read
# Required to generate OIDC tokens for `sigstore/cosign-installer` authentication
id-token: write
jobs:
test-cache-refresh:
timeout-minutes: 360
name: Build test cache and push images
runs-on: ubuntu-latest-64-cores-256gb
steps:
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1
- name: Enable Docker IPv6
run: |
modprobe -v ipv6
sudo sed -i -e '1s!^{!\{ "ipv6": true, "fixed-cidr-v6": "fd00::/80",!' /etc/docker/daemon.json || echo '{ "ipv6": true, "fixed-cidr-v6": "fd00::/80" }' | sudo tee /etc/docker/daemon.json
sudo systemctl restart docker
- name: Login to quay.io
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: quay.io
username: ${{ secrets.QUAY_ENVOY_USERNAME }}
password: ${{ secrets.QUAY_ENVOY_PASSWORD }}
- name: Checkout source
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
persist-credentials: false
- name: Prep for build
run: |
echo "${{ github.sha }}" >SOURCE_VERSION
echo "ENVOY_MINOR_RELEASE=$(cat ENVOY_VERSION | sed 's/envoy-\([0-9]\+\.[0-9]\+\)\..*/v\1/')" >> $GITHUB_ENV
echo "ENVOY_PATCH_RELEASE=$(cat ENVOY_VERSION | sed 's/^envoy-\([0-9]\+\.[0-9]\+\.[0-9]\+$\)/v\1/')" >> $GITHUB_ENV
echo "BAZEL_VERSION=$(cat .bazelversion)" >> $GITHUB_ENV
echo "BUILDER_DOCKER_HASH=$(git ls-tree --full-tree HEAD -- ./Dockerfile.builder.tests | awk '{ print $3 }')" >> $GITHUB_ENV
- name: Checking if cilium-envoy-builder:test image exists
id: cilium-builder-test-tag-in-repositories
shell: bash
run: |
if docker buildx imagetools inspect quay.io/${{ github.repository_owner }}/cilium-envoy-builder:test-${{ env.BAZEL_VERSION }}-${{ env.BUILDER_DOCKER_HASH }} &>/dev/null; then
echo exists="true" >> $GITHUB_OUTPUT
else
echo exists="false" >> $GITHUB_OUTPUT
fi
- name: Multi-arch build & push of Builder image (test)
uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0
if: steps.cilium-builder-test-tag-in-repositories.outputs.exists == 'false'
id: docker_build_builder_test
with:
provenance: false
context: .
file: ./Dockerfile.builder.tests
platforms: linux/amd64,linux/arm64
push: true
tags: |
quay.io/${{ github.repository_owner }}/cilium-envoy-builder:test-${{ env.BAZEL_VERSION }}-${{ env.BUILDER_DOCKER_HASH }}
quay.io/${{ github.repository_owner }}/cilium-envoy-builder:test-${{ env.BAZEL_VERSION }}-latest
- name: Multi-arch update integration test archive
uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0
id: docker_tests_ci_build
with:
context: .
file: ./Dockerfile.tests
target: builder-archive
platforms: linux/amd64,linux/arm64
build-args: |
BUILDER_BASE=quay.io/${{ github.repository_owner }}/cilium-envoy-builder:test-${{ env.BAZEL_VERSION }}-${{ env.BUILDER_DOCKER_HASH }}
ARCHIVE_IMAGE=quay.io/${{ github.repository_owner }}/cilium-envoy-builder:test-main-archive-latest
COPY_CACHE_EXT=.new
BAZEL_BUILD_OPTS="--jobs=HOST_CPUS*.75"
BAZEL_TEST_OPTS=--test_timeout=300 --local_test_jobs=1 --flaky_test_attempts=3
push: true
tags: quay.io/${{ github.repository_owner }}/cilium-envoy-builder:test-main-archive-latest
- name: Cache Docker layers
uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
with:
path: /tmp/buildx-cache
key: docker-cache-tests
- name: Clear cache
run: rm -rf /tmp/buildx-cache/*
- name: Run integration tests on amd64 to update docker cache
uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0
id: docker_tests_ci_cache_update
with:
provenance: false
context: .
file: ./Dockerfile.tests
platforms: linux/amd64
build-args: |
BUILDER_BASE=quay.io/${{ github.repository_owner }}/cilium-envoy-builder:test-${{ env.BAZEL_VERSION }}-${{ env.BUILDER_DOCKER_HASH }}
ARCHIVE_IMAGE=quay.io/${{ github.repository_owner }}/cilium-envoy-builder:test-main-archive-latest
BAZEL_BUILD_OPTS=--remote_upload_local_results=false
BAZEL_TEST_OPTS=--test_timeout=300 --local_test_jobs=1 --flaky_test_attempts=3
cache-to: type=local,dest=/tmp/buildx-cache,mode=max
push: true
tags: quay.io/${{ github.repository_owner }}/cilium-envoy:latest-testlogs
build-cache-and-push-images:
timeout-minutes: 360
name: Build cache and push images
runs-on: ubuntu-latest-64-cores-256gb
steps:
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1
- name: Login to quay.io
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: quay.io
username: ${{ secrets.QUAY_ENVOY_USERNAME }}
password: ${{ secrets.QUAY_ENVOY_PASSWORD }}
- name: Checkout source
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Prep for build
run: |
echo "${{ github.sha }}" >SOURCE_VERSION
echo "ENVOY_MINOR_RELEASE=$(cat ENVOY_VERSION | sed 's/envoy-\([0-9]\+\.[0-9]\+\)\..*/v\1/')" >> $GITHUB_ENV
echo "ENVOY_PATCH_RELEASE=$(cat ENVOY_VERSION | sed 's/^envoy-\([0-9]\+\.[0-9]\+\.[0-9]\+$\)/v\1/')" >> $GITHUB_ENV
echo "BAZEL_VERSION=$(cat .bazelversion)" >> $GITHUB_ENV
echo "BUILDER_DOCKER_HASH=$(git ls-tree --full-tree HEAD -- ./Dockerfile.builder | awk '{ print $3 }')" >> $GITHUB_ENV
echo "SOURCE_TIMESTAMP=$(git log -1 --pretty=format:"%ct" .)" >> $GITHUB_ENV
- name: Checking if cilium-envoy-builder image exists
id: cilium-builder-tag-in-repositories
shell: bash
run: |
if docker buildx imagetools inspect quay.io/${{ github.repository_owner }}/cilium-envoy-builder:${{ env.BAZEL_VERSION }}-${{ env.BUILDER_DOCKER_HASH }} &>/dev/null; then
echo exists="true" >> $GITHUB_OUTPUT
else
echo exists="false" >> $GITHUB_OUTPUT
fi
- name: Multi-arch build & push of Builder image
uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0
if: steps.cilium-builder-tag-in-repositories.outputs.exists == 'false'
id: docker_build_builder
with:
provenance: false
context: .
file: ./Dockerfile.builder
platforms: linux/amd64,linux/arm64
push: true
tags: |
quay.io/${{ github.repository_owner }}/cilium-envoy-builder:${{ env.BAZEL_VERSION }}-${{ env.BUILDER_DOCKER_HASH }}
quay.io/${{ github.repository_owner }}/cilium-envoy-builder:${{ env.BAZEL_VERSION }}-latest
- name: Multi-arch build & push of build artifact archive
uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0
with:
context: .
file: ./Dockerfile
target: builder-archive
platforms: linux/amd64,linux/arm64
build-args: |
BUILDER_BASE=quay.io/${{ github.repository_owner }}/cilium-envoy-builder:${{ env.BAZEL_VERSION }}-${{ env.BUILDER_DOCKER_HASH }}
ARCHIVE_IMAGE=quay.io/${{ github.repository_owner }}/cilium-envoy-builder:main-archive-latest
COPY_CACHE_EXT=.new
BAZEL_BUILD_OPTS="--jobs=HOST_CPUS*.75"
push: true
tags: quay.io/${{ github.repository_owner }}/cilium-envoy-builder:main-archive-latest
- name: Cache Docker layers
uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
with:
path: /tmp/buildx-cache
key: docker-cache-main
- name: Clear cache
run: |
rm -rf /tmp/buildx-cache/*
docker buildx prune -f
- name: Multi-arch build & push main latest
uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0
id: docker_build_cd
with:
provenance: false
context: .
file: ./Dockerfile
platforms: linux/amd64,linux/arm64
build-args: |
BUILDER_BASE=quay.io/${{ github.repository_owner }}/cilium-envoy-builder:${{ env.BAZEL_VERSION }}-${{ env.BUILDER_DOCKER_HASH }}
BAZEL_BUILD_OPTS=--remote_upload_local_results=false
ARCHIVE_IMAGE=quay.io/${{ github.repository_owner }}/cilium-envoy-builder:main-archive-latest
cache-to: type=local,dest=/tmp/buildx-cache,mode=max
push: true
tags: |
quay.io/${{ github.repository_owner }}/cilium-envoy:latest
quay.io/${{ github.repository_owner }}/cilium-envoy:${{ github.sha }}
quay.io/${{ github.repository_owner }}/cilium-envoy:${{ env.ENVOY_MINOR_RELEASE }}-${{ github.sha }}
quay.io/${{ github.repository_owner }}/cilium-envoy:${{ env.ENVOY_PATCH_RELEASE }}-${{ github.sha }}
quay.io/${{ github.repository_owner }}/cilium-envoy:${{ env.ENVOY_PATCH_RELEASE }}-${{ env.SOURCE_TIMESTAMP }}-${{ github.sha }}
- name: Install Cosign
uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
- name: Sign Container Image
run: |
cosign sign -y quay.io/${{ github.repository_owner }}/cilium-envoy@${{ steps.docker_build_cd.outputs.digest }}
- name: Install Bom
shell: bash
env:
# renovate: datasource=github-releases depName=kubernetes-sigs/bom
BOM_VERSION: v0.6.0
run: |
curl -L https://github.com/kubernetes-sigs/bom/releases/download/${{ env.BOM_VERSION }}/bom-amd64-linux -o bom
sudo mv ./bom /usr/local/bin/bom
sudo chmod +x /usr/local/bin/bom
- name: Generate SBOM
shell: bash
run: |
bom generate -o sbom_cilium-envoy_${{ github.sha }}.spdx --format=json --image=quay.io/${{ github.repository_owner }}/cilium-envoy:${{ github.sha }}
- name: Attach SBOM to container images
run: |
cosign attach sbom --sbom sbom_cilium-envoy_${{ github.sha }}.spdx quay.io/${{ github.repository_owner }}/cilium-envoy@${{ steps.docker_build_cd.outputs.digest }}
- name: Sign SBOM Image
run: |
docker_build_cd_digest="${{ steps.docker_build_cd.outputs.digest }}"
image_name="quay.io/${{ github.repository_owner }}/cilium-envoy:${docker_build_cd_digest/:/-}.sbom"
docker_build_cd_sbom_digest="sha256:$(docker buildx imagetools inspect --raw ${image_name} | sha256sum | head -c 64)"
cosign sign -y "quay.io/${{ github.repository_owner }}/cilium-envoy@${docker_build_cd_sbom_digest}"
- name: Envoy binary version check
shell: bash
run: |
envoy_version=$(docker run --rm quay.io/${{ github.repository_owner }}/cilium-envoy:${{ github.sha }} cilium-envoy --version)
expected_version=$(echo ${{ env.ENVOY_PATCH_RELEASE }} | sed 's/^v//')
echo ${envoy_version}
[[ "${envoy_version}" == *"${{ github.sha }}/$expected_version"* ]]
- name: Release Image Digest
shell: bash
run: |
echo "Digests:"
echo "quay.io/${{ github.repository_owner }}/cilium-envoy:${{ github.sha }}@${{ steps.docker_build_cd.outputs.digest }}"
echo "quay.io/${{ github.repository_owner }}/cilium-envoy:${{ env.ENVOY_MINOR_RELEASE }}-${{ github.sha }}@${{ steps.docker_build_cd.outputs.digest }}"
echo "quay.io/${{ github.repository_owner }}/cilium-envoy:${{ env.ENVOY_PATCH_RELEASE }}-${{ github.sha }}@${{ steps.docker_build_cd.outputs.digest }}"
echo "quay.io/${{ github.repository_owner }}/cilium-envoy:${{ env.ENVOY_PATCH_RELEASE }}-${{ env.SOURCE_TIMESTAMP }}-${{ github.sha }}@${{ steps.docker_build_cd.outputs.digest }}"