From 078dc33b1bd4dffe1c6c82ba5e1ad1dda50ad973 Mon Sep 17 00:00:00 2001 From: KevFan Date: Tue, 17 Sep 2024 14:23:18 +0100 Subject: [PATCH] feat: set quay image expiry to prevent overflow of images Signed-off-by: KevFan --- ...ild-images.yaml => build-images-base.yaml} | 39 +++++++++++-------- .github/workflows/build-images-main-sha.yaml | 14 +++++++ .github/workflows/build-images-main.yaml | 11 ++++++ Dockerfile | 5 +++ Makefile | 6 ++- bundle.Dockerfile | 4 ++ make/catalog.mk | 14 ++++++- 7 files changed, 74 insertions(+), 19 deletions(-) rename .github/workflows/{build-images.yaml => build-images-base.yaml} (89%) create mode 100644 .github/workflows/build-images-main-sha.yaml create mode 100644 .github/workflows/build-images-main.yaml diff --git a/.github/workflows/build-images.yaml b/.github/workflows/build-images-base.yaml similarity index 89% rename from .github/workflows/build-images.yaml rename to .github/workflows/build-images-base.yaml index 6400acd3..d1e1c806 100644 --- a/.github/workflows/build-images.yaml +++ b/.github/workflows/build-images-base.yaml @@ -1,10 +1,20 @@ name: Build and push images on: - push: - branches: - - 'main' - - 'master' + workflow_call: + inputs: + authorinoVersion: + description: Authorino version + required: true + default: latest + channels: + description: Bundle and catalog channels, comma separated + required: true + default: stable + quayImageExpiry: + description: When to expire the built quay images. The time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively, from the time the image is built. + default: never + type: string workflow_dispatch: inputs: authorinoVersion: 
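Review bot: Under `workflow_call`, the `authorinoVersion` and `channels` inputs are declared without a `type`, which GitHub requires for every reusable-workflow input; only `quayImageExpiry` has one. Add `type: string` to both so the callers added in this patch can invoke the workflow. Both are also `required: true` while carrying a default, and build-images-main.yaml passes no `with:` at all, so that call likely fails on the missing required inputs; `required: false` would let the defaults apply. The `workflow_dispatch` block continues past the end of this hunk.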
@@ -15,15 +25,19 @@ on: description: Bundle and catalog channels, comma separated required: true default: stable + quayImageExpiry: + description: When to expire the built quay images. The time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively, from the time the image is built. + default: never + type: string env: - IMG_TAGS: ${{ github.sha }} + IMG_TAGS: ${{ inputs.authorinoVersion }} IMG_REGISTRY_HOST: quay.io IMG_REGISTRY_ORG: kuadrant - MAIN_BRANCH_NAME: main OPERATOR_NAME: authorino-operator BUILD_CONFIG_FILE: build.yaml LATEST_AUTHORINO_GITREF: ${{ vars.AUTHORINO_SHA != '' && vars.AUTHORINO_SHA || 'latest' }} + QUAY_IMAGE_EXPIRY: ${{ inputs.quayImageExpiry }} jobs: build: @@ -32,16 +46,6 @@ jobs: steps: - name: Check out code uses: actions/checkout@v3 - - name: Add latest tag - if: ${{ github.ref_name == env.MAIN_BRANCH_NAME }} - id: add-latest-tag - run: | - echo "IMG_TAGS=latest ${{ env.IMG_TAGS }}" >> $GITHUB_ENV - - name: Add branch tag - if: ${{ github.ref_name != env.MAIN_BRANCH_NAME }} - id: add-branch-tag - run: | - echo "IMG_TAGS=${GITHUB_REF_NAME/\//-} ${{ env.IMG_TAGS }}" >> $GITHUB_ENV - name: Set Operator version id: operator-version run: | @@ -69,6 +73,7 @@ jobs: GIT_SHA=${{ github.sha }} DIRTY=false DEFAULT_AUTHORINO_IMAGE=${{ env.DEFAULT_AUTHORINO_IMAGE }} + QUAY_IMAGE_EXPIRY=${{ inputs.quayImageExpiry }} containerfiles: | ./Dockerfile - name: Push Image @@ -143,6 +148,7 @@ jobs: platforms: linux/amd64,linux/arm64,linux/s390x,linux/ppc64le build-args: | version=${{ env.VERSION }} + QUAY_IMAGE_EXPIRY=${{ inputs.quayImageExpiry }} containerfiles: | ./bundle.Dockerfile - name: Push Image @@ -225,6 +231,7 @@ jobs: context: ./catalog dockerfiles: | ./catalog/${{ env.OPERATOR_NAME }}-catalog.Dockerfile + # The Quay image expiry label for the generated catalog Dockerfile is set via opm, using the value set in the QUAY_IMAGE_EXPIRY environment variable - name: Push Image if: ${{ !env.ACT }} id: push-to-quay 
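Review bot: `IMG_TAGS: ${{ inputs.authorinoVersion }}` makes one input serve both as the Authorino version and as the operator image tag, and build-images-main-sha.yaml passes `${{ github.sha }}` for it. If a step outside this hunk still uses that input to select the Authorino image, a SHA-tagged operator build would reference an Authorino tag equal to the operator's own commit, which presumably does not exist. A separate input for the image tag would remove the ambiguity. If the reuse is intended, a comment such as `# authorinoVersion doubles as the operator image tag` would at least record it.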
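Review bot: `quayImageExpiry` reaches the `QUAY_IMAGE_EXPIRY` build-arg in the operator build-args, and again in the bundle build-args further down, without any format check. A mistyped value still produces a `quay.expires-after` label, and if Quay ignores a value it cannot parse, the image never expires, which is the condition this patch is meant to prevent. A validation step ahead of the first build fails fast, and it should read the input through `env` rather than interpolating it into the script. The pattern below covers the units named in the input description and should be widened if others are intended. Both build-args lines could then reference `${{ env.QUAY_IMAGE_EXPIRY }}`, which the workflow already defines.

```yaml
      # placed before the first build step, outside this hunk
      - name: Validate image expiry
        env:
          EXPIRY: ${{ inputs.quayImageExpiry }}
        run: |
          [[ "$EXPIRY" =~ ^(never|[0-9]+[hdw])$ ]] || { echo "invalid quayImageExpiry: $EXPIRY" >&2; exit 1; }
```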
diff --git a/.github/workflows/build-images-main-sha.yaml b/.github/workflows/build-images-main-sha.yaml new file mode 100644 index 00000000..2f792422 --- /dev/null +++ b/.github/workflows/build-images-main-sha.yaml @@ -0,0 +1,14 @@ +name: Build SHA image for main branch + +on: + push: + branches: ['main'] + +jobs: + workflow-build: + name: Calls build-images-base workflow + uses: ./.github/workflows/build-images-base.yaml + secrets: inherit + with: + authorinoVersion: ${{ github.sha }} + quayImageExpiry: 2w \ No newline at end of file diff --git a/.github/workflows/build-images-main.yaml b/.github/workflows/build-images-main.yaml new file mode 100644 index 00000000..0b68e8b8 --- /dev/null +++ b/.github/workflows/build-images-main.yaml @@ -0,0 +1,11 @@ +name: Build latest image for main branch + +on: + push: + branches: ['main'] + +jobs: + workflow-build: + name: Calls build-images-base workflow + uses: ./.github/workflows/build-images-base.yaml + secrets: inherit diff --git a/Dockerfile b/Dockerfile index 265428af..79099b27 100644 --- a/Dockerfile +++ b/Dockerfile @@ -30,4 +30,9 @@ WORKDIR / COPY --from=builder /workspace/manager . USER 1001 +# Quay image expiry +ARG QUAY_IMAGE_EXPIRY +ENV QUAY_IMAGE_EXPIRY=${QUAY_IMAGE_EXPIRY:-never} +LABEL quay.expires-after=$QUAY_IMAGE_EXPIRY + ENTRYPOINT ["/manager"] diff --git a/Makefile b/Makefile index 64735bfd..f73d5ec9 100644 --- a/Makefile +++ b/Makefile 
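Review bot: `secrets: inherit` hands every secret available to the caller to the called workflow, and neither this file nor build-images-main.yaml sets `permissions:`, so the job runs with the repository's default token scope. Passing only the registry credentials the base workflow reads, by name under `secrets:`, and adding a `permissions:` block with `contents: read` would keep a push-triggered build at least privilege. The scope the base workflow actually needs is not visible here, so confirm it before tightening. Both callers fire on the same push to `main`, so each merge starts two complete multi-arch builds that differ only in tag and expiry.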
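Review bot: The `ENV QUAY_IMAGE_EXPIRY=${QUAY_IMAGE_EXPIRY:-never}` line exists only to supply a default for the label, but it also leaves the variable in the runtime environment of the operator image. Dockerfile substitution accepts the `:-` form directly in `LABEL`, so `ARG QUAY_IMAGE_EXPIRY` followed by `LABEL quay.expires-after=${QUAY_IMAGE_EXPIRY:-never}` gives the same label without the `ENV`. The same three lines appear in bundle.Dockerfile and in the `QUAY_EXPIRY_TIME_LABEL` define in make/catalog.mk, where the reference is written with braces, unlike the bare `$QUAY_IMAGE_EXPIRY` in this hunk.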
@@ -225,7 +225,7 @@ run: manifests generate fmt vet ## Run a controller from your host. docker-build: GIT_SHA=$(shell git rev-parse HEAD || echo "unknown") docker-build: DIRTY=$(shell $(PROJECT_DIR)/utils/check-git-dirty.sh || echo "unknown") docker-build: ## Build docker image with the manager. - docker build --build-arg VERSION=$(VERSION) --build-arg GIT_SHA=$(GIT_SHA) --build-arg DIRTY=$(DIRTY) --build-arg ACTUAL_DEFAULT_AUTHORINO_IMAGE=$(ACTUAL_DEFAULT_AUTHORINO_IMAGE) -t $(OPERATOR_IMAGE) . + docker build --build-arg VERSION=$(VERSION) --build-arg GIT_SHA=$(GIT_SHA) --build-arg DIRTY=$(DIRTY) --build-arg ACTUAL_DEFAULT_AUTHORINO_IMAGE=$(ACTUAL_DEFAULT_AUTHORINO_IMAGE) --build-arg QUAY_IMAGE_EXPIRY=$(QUAY_IMAGE_EXPIRY) -t $(OPERATOR_IMAGE) . docker-push: ## Push docker image with the manager. docker push ${OPERATOR_IMAGE} @@ -311,11 +311,13 @@ bundle-custom-modifications: # Set Openshift version in bundle Dockerfile @echo "" >> bundle.Dockerfile @echo "# Custom labels" >> bundle.Dockerfile + # Quay image expiry label + @echo "$$QUAY_EXPIRY_TIME_LABEL" >> bundle.Dockerfile @echo "LABEL $(OPENSHIFT_VERSIONS_ANNOTATION_KEY)=$(OPENSHIFT_SUPPORTED_VERSIONS)" >> bundle.Dockerfile .PHONY: bundle-build bundle-build: ## Build the bundle image. - docker build -f bundle.Dockerfile -t $(BUNDLE_IMG) . + docker build --build-arg QUAY_IMAGE_EXPIRY=$(QUAY_IMAGE_EXPIRY) -f bundle.Dockerfile -t $(BUNDLE_IMG) . .PHONY: bundle-push bundle-push: ## Push the bundle image. diff --git a/bundle.Dockerfile b/bundle.Dockerfile index 53e462f3..59579af8 100644 --- a/bundle.Dockerfile +++ b/bundle.Dockerfile @@ -20,4 +20,8 @@ COPY bundle/metadata /metadata/ COPY bundle/tests/scorecard /tests/scorecard/ # Custom labels +## Quay image expiry +ARG QUAY_IMAGE_EXPIRY +ENV QUAY_IMAGE_EXPIRY=${QUAY_IMAGE_EXPIRY:-never} +LABEL quay.expires-after=${QUAY_IMAGE_EXPIRY} LABEL com.redhat.openshift.versions=v4.12 diff --git a/make/catalog.mk b/make/catalog.mk index fe9e0ef4..0a2e911a 100644 
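Review bot: `$(QUAY_IMAGE_EXPIRY)` is expanded unquoted into the `docker build` command line in `docker-build`, and the same applies to `bundle-build` below and to the `opm generate dockerfile` recipe in make/catalog.mk. Because the value can come from the environment (the workflow sets it from a dispatch input), whitespace or shell metacharacters in it would be interpreted by the recipe shell rather than passed as one argument. Quoting helps, `--build-arg QUAY_IMAGE_EXPIRY='$(QUAY_IMAGE_EXPIRY)'`, but rejecting anything other than `never` or a number with a unit suffix before the recipe runs is the more complete check. The variable's default is defined in make/catalog.mk, so this recipe relies on that file being included.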
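Review bot: The `@echo "$$QUAY_EXPIRY_TIME_LABEL"` line in `bundle-custom-modifications` depends on the `export QUAY_EXPIRY_TIME_LABEL` in make/catalog.mk. If that include is missing or the export is removed, the shell sees an empty variable and the recipe appends a blank line with no expiry label and no error. A guard before it, `@test -n "$$QUAY_EXPIRY_TIME_LABEL" || { echo "QUAY_EXPIRY_TIME_LABEL is not exported" >&2; exit 1; }`, makes that failure visible. The `# Quay image expiry label` line sits inside the recipe, so if it is tab-indented it is handed to the shell and echoed on every run; moving it above the rule keeps the output clean. The target's recipe starts before this hunk.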
--- a/make/catalog.mk +++ b/make/catalog.mk @@ -6,9 +6,21 @@ CATALOG_IMG ?= $(IMAGE_TAG_BASE)-catalog:$(IMAGE_TAG) CATALOG_FILE = $(PROJECT_DIR)/catalog/authorino-operator-catalog/operator.yaml CATALOG_DOCKERFILE = $(PROJECT_DIR)/catalog/authorino-operator-catalog.Dockerfile +# Quay image default expiry +QUAY_IMAGE_EXPIRY ?= never + +# A LABEL that can be appended to a generated Dockerfile to set the Quay image expiration through Docker arguments. +define QUAY_EXPIRY_TIME_LABEL +## Quay image expiry +ARG QUAY_IMAGE_EXPIRY +ENV QUAY_IMAGE_EXPIRY=$${QUAY_IMAGE_EXPIRY:-never} +LABEL quay.expires-after=$${QUAY_IMAGE_EXPIRY} +endef +export QUAY_EXPIRY_TIME_LABEL + $(CATALOG_DOCKERFILE): $(OPM) -mkdir -p $(PROJECT_DIR)/catalog/authorino-operator-catalog - cd $(PROJECT_DIR)/catalog && $(OPM) generate dockerfile authorino-operator-catalog + cd $(PROJECT_DIR)/catalog && $(OPM) generate dockerfile authorino-operator-catalog -l quay.expires-after=$(QUAY_IMAGE_EXPIRY) catalog-dockerfile: $(CATALOG_DOCKERFILE) ## Generate catalog dockerfile. $(CATALOG_FILE): $(OPM) $(YQ)
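Review bot: `$(CATALOG_DOCKERFILE)` has `$(OPM)` as its only prerequisite, so once the file exists a different `QUAY_IMAGE_EXPIRY` does not regenerate it and the label from the earlier run is kept. Unlike the operator and bundle Dockerfiles, the catalog label is a literal fixed at generation time rather than an `ARG`, so a stale file can publish a catalog image with the wrong expiry. At minimum document this above the rule, e.g. `# The expiry label is fixed when the Dockerfile is generated; remove $(CATALOG_DOCKERFILE) to apply a new QUAY_IMAGE_EXPIRY.` The `QUAY_EXPIRY_TIME_LABEL` define added here is consumed by the bundle recipe in the top-level Makefile and by nothing in this hunk, so a shared include may be a better home for it.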