docker/release: Add README updates (#25786)

Signed-off-by: Ryan Northey <ryan@synca.io>
envoyproxy · Mar 15, 2023 · fd2dc3d · fd2dc3d
1 parent 8fea79d
commit fd2dc3d
Show file tree

Hide file tree

Showing 7 changed files with 236 additions and 0 deletions.
diff --git a/.azure-pipelines/pipelines.yml b/.azure-pipelines/pipelines.yml
@@ -647,6 +647,14 @@ stages:
         GCP_SERVICE_ACCOUNT_KEY: $(GcpServiceAccountKey)
       displayName: "Generate docs"
 
+    - script: |
+        ci/run_envoy_docker.sh 'bazel run //tools/distribution:update_dockerhub_repository'
+      displayName: "Publish Dockerhub description and README"
+      env:
+        DOCKERHUB_USERNAME: $(DockerUsername)
+        DOCKERHUB_PASSWORD: $(DockerPassword)
+      condition: eq(variables['isMain'], 'true')
+
     - script: |
         ci/run_envoy_docker.sh 'ci/upload_gcs_artifact.sh /source/generated/docs docs'
       displayName: "Upload Docs to GCS"

diff --git a/distribution/dockerhub/BUILD b/distribution/dockerhub/BUILD
@@ -0,0 +1,14 @@
+load("//bazel:envoy_build_system.bzl", "envoy_package")
+load("//tools/base:envoy_python.bzl", "envoy_gencontent")
+
+licenses(["notice"])  # Apache 2
+
+envoy_package()
+
+envoy_gencontent(
+    name = "readme",
+    srcs = ["@envoy_repo//:project"],
+    output = "readme.md",
+    template = ":readme.md.tpl",
+    yaml_srcs = [":readme.yaml"],
+)
diff --git a/distribution/dockerhub/envoy-icon.png b/distribution/dockerhub/envoy-icon.png
diff --git a/distribution/dockerhub/readme.md.tpl b/distribution/dockerhub/readme.md.tpl
@@ -0,0 +1,82 @@
+
+# ![{{ envoy.title }}]({{ envoy.logo }}) {{ envoy.title }}
+
+## Quick reference
+
+- **Maintained by**:
+
+    [{{ envoy.maintained_by }}]({{ envoy.project_url }}).
+
+- **Where to get help**:
+
+    [Official documentation]({{ envoy.docs_url }}), [the Envoy community Slack]({{ envoy.slack_url}}).
+
+## Supported tags and respective `Dockerfile` links
+
+{% for version in stable_versions %}
+- [v{{ version }}-latest](https://github.com/envoyproxy/envoy/blob/release/v{{ version }}/ci/Dockerfile-envoy)
+{% endfor %}
+- [dev](https://github.com/envoyproxy/envoy/blob/release/main/ci/Dockerfile-envoy)
+
+
+## Quick reference (cont.)
+
+- Where to file issues:
+  {{ envoy.issues_url }}
+
+- Supported architectures:
+{% for arch in architectures %}
+  `{{ arch }}`
+{% endfor %}
+
+## Image variants
+
+For stable Envoy versions images are created for the version and the latest of that minor version.
+
+For example, if the latest version in the `1.73.x` series is `1.73.7` then images are created for:
+
+- `envoyproxy/envoy:v1.73.7`
+- `envoyproxy/envoy:v1.73-latest`
+
+A similar strategy is used to create images for each of the versioned variants.
+
+### `envoyproxy/envoy:<version>`
+
+These images contain just the core Envoy binary built upon an Ubuntu base image.
+
+### `envoyproxy/envoy:contrib-<version>`
+
+These images contain the Envoy binary built with all contrib extensions.
+
+### `envoyproxy/envoy:distroless-<version>`
+
+These images contain just the core Envoy binary built upon a [distroless](https://github.com/GoogleContainerTools/distroless)
+(`nonroot`/`nossl`) base image.
+
+These images are the most efficient and secure way to deploy Envoy in a container.
+
+### `envoyproxy/envoy:tools-<version>`
+
+These images contain tools that are separate from the proxy binary but are useful in supporting systems
+such as CI, configuration generation pipelines, etc
+
+### `envoyproxy/envoy:debug-<version>`/`envoyproxy/envoy:<variant>-debug-<version>`
+
+These images are built for each of the variants, but with an Envoy binary containing debug symbols.
+
+### `envoyproxy/envoy:dev`/`envoyproxy/envoy:dev-<SHA>`/`envoyproxy/envoy:<variant>-dev`/`envoyproxy/envoy:<variant>-dev-<SHA>`
+
+Development images are created from the `main` branch by Envoy's continuous integration, and are tagged with the `dev` suffix.
+
+Images are created for each of the versioned variants.
+
+For each variant, images are tagged with just the `dev` suffix and with the `dev-<SHA>` suffix, where the `SHA` is the commit
+in Envoy `main` from which it was created.
+
+For example, after a build at commit `7c1c4a0e`, an image will be created for `envoyproxy/envoy:dev-7c1c4a0e10a7a0771ac06ce8cf8fa2c6ce86281b`
+and the image `envoyproxy/envoy:dev` will be tagged to it until the next build.
+
+### `envoyproxy/envoy:google-vrp-<version>`
+
+These images contain tools for testing and researching vulnerabilities as part of the [Google
+Vulnerability Reward Program (VRP)](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/google_vrp.html)
diff --git a/distribution/dockerhub/readme.yaml b/distribution/dockerhub/readme.yaml
@@ -0,0 +1,14 @@
+envoy:
+  title: Envoy proxy server
+  maintained_by: The Envoy community
+  # TODO(phlax): shift/use icon to/from website
+  logo: https://github.com/envoyproxy/envoy/raw/main/distribution/dockerhub/envoy-icon.png
+  # logo: https://github.com/envoyproxy/envoy/raw/1e2bf2096f9952398caef687f14e3ea86de6cfd4/distribution/dockerhub/envoy-icon.png
+  project_url: https://github.com/envoyproxy/envoy
+  issues_url: https://github.com/envoyproxy/envoy/issues
+  docs_url: https://www.envoyproxy.io/docs
+  slack_url: https://envoyproxy.slack.com/
+
+architectures:
+- amd64
+- arm64
diff --git a/tools/distribution/BUILD b/tools/distribution/BUILD
@@ -1,5 +1,6 @@
 load("//bazel:envoy_build_system.bzl", "envoy_package")
 load("//tools/base:envoy_python.bzl", "envoy_entry_point")
+load("@base_pip3//:requirements.bzl", "requirement")
 
 licenses(["notice"])  # Apache 2
 
@@ -19,3 +20,14 @@ envoy_entry_point(
     name = "verify",
     pkg = "envoy.distribution.verify",
 )
+
+py_binary(
+    name = "update_dockerhub_repository",
+    srcs = ["update_dockerhub_repository.py"],
+    data = ["//distribution/dockerhub:readme.md"],
+    deps = [
+        requirement("aio.core"),
+        requirement("aio.run.runner"),
+        requirement("aiohttp"),
+    ],
+)
diff --git a/tools/distribution/update_dockerhub_repository.py b/tools/distribution/update_dockerhub_repository.py
@@ -0,0 +1,106 @@
+import argparse
+import os
+import pathlib
+import sys
+
+from typing import Dict, Optional
+
+import aiohttp
+
+from aio.core.functional import async_property
+from aio.run import runner
+
+DOCKER_REGISTRY_API = "https://hub.docker.com/v2/repositories/"
+ENVOY_DEFAULT_DESCRIPTION = "Cloud-native high-performance edge/middle/service proxy"
+
+# TODO(phlax): move this to pytooling
+
+
+class DockerhubUpdateError(Exception):
+    pass
+
+
+class DockerhubAPI:
+
+    def __init__(
+            self,
+            repo: str,
+            username: str,
+            password: str,
+            session: aiohttp.ClientSession = None) -> None:
+        self.repo = repo
+        self.username = username
+        self.password = password
+        self._session = session
+
+    @async_property
+    async def auth_headers(self) -> Dict:
+        return dict(Authorization=f"Bearer {await self.jwt_token}")
+
+    @property
+    def auth_payload(self) -> Dict:
+        return dict(username=self.username, password=self.password)
+
+    @property
+    def auth_url(self) -> str:
+        return "https://hub.docker.com/v2/users/login"
+
+    @async_property(cache=True)
+    async def jwt_token(self) -> str:
+        async with aiohttp.ClientSession() as session:
+            async with session.post(self.auth_url, json=self.auth_payload) as resp:
+                return (await resp.json())["token"]
+
+    @property
+    def repo_url(self) -> str:
+        return f"{DOCKER_REGISTRY_API}{self.repo}"
+
+    @async_property(cache=True)
+    async def session(self) -> aiohttp.ClientSession:
+        return self._session or aiohttp.ClientSession(headers=await self.auth_headers)
+
+    async def update_repository(self, description: str = None, readme: str = None) -> Dict:
+        request = (await self.session).patch(
+            self.repo_url, json=dict(description=description, full_description=readme))
+        async with request as resp:
+            if resp.status != 200:
+                raise DockerhubUpdateError(await resp.json())
+            return await resp.json()
+
+
+class DockerhubRepositoryRunner(runner.Runner):
+
+    @property
+    def description(self) -> str:
+        return self.args.description
+
+    @property
+    def dockerhub(self) -> DockerhubAPI:
+        return DockerhubAPI(self.args.repo, self.args.user, os.environ["DOCKERHUB_PASSWORD"])
+
+    @property
+    def readme(self) -> str:
+        return self.readme_path.read_text()
+
+    @property
+    def readme_path(self) -> pathlib.Path:
+        return pathlib.Path(self.args.readme_file)
+
+    def add_arguments(self, parser: argparse.ArgumentParser) -> None:
+        parser.add_argument("--repo", default="envoyproxy/envoy")
+        parser.add_argument("--user", default="envoyproxydockerbot")
+        parser.add_argument("--description", default=ENVOY_DEFAULT_DESCRIPTION)
+        parser.add_argument("--readme-file", default="distribution/dockerhub/readme.md")
+        super().add_arguments(parser)
+
+    async def run(self) -> None:
+        await self.dockerhub.update_repository(description=self.description, readme=self.readme)
+        print(f"Repo ({self.args.repo}) updated")
+
+
+def main(*args) -> Optional[int]:
+    return DockerhubRepositoryRunner(*args)()
+
+
+if __name__ == "__main__":
+    sys.exit(main(*sys.argv[1:]))