[BEEEP] - Docker image for bws #305

Merged
merged 32 commits into from
Jan 11, 2024
32 commits
deb77d6
add Dockerfile
tangowithfoxtrot Oct 24, 2023
35c975b
Merge branch 'master' into bws-docker-image
tangowithfoxtrot Oct 25, 2023
bca11e1
use `apt-get`
tangowithfoxtrot Oct 25, 2023
82ac965
first attempt at a build+publish workflow
tangowithfoxtrot Oct 27, 2023
7c99e3a
remove extra newline
tangowithfoxtrot Oct 27, 2023
eaae611
remove workflow call
tangowithfoxtrot Oct 30, 2023
d2ced2d
Update .github/workflows/build-cli-docker.yml
tangowithfoxtrot Oct 30, 2023
919fefa
remove unnecessary repo checkout logic
tangowithfoxtrot Oct 30, 2023
86ef399
remove workflow call if condition
tangowithfoxtrot Oct 30, 2023
4b6cb07
Add Dockerfile change trigger
tangowithfoxtrot Oct 30, 2023
45dbe1c
Add Dockerfile change trigger
tangowithfoxtrot Oct 30, 2023
5c12966
Update .github/workflows/build-cli-docker.yml
tangowithfoxtrot Oct 30, 2023
6f885b7
checking credential issue
tangowithfoxtrot Oct 30, 2023
e483457
trying a different secret
tangowithfoxtrot Oct 30, 2023
84d42bf
Fix branch name
michalchecinski Oct 31, 2023
806a81a
Fix branch
michalchecinski Oct 31, 2023
ad55dcc
switch to bookworm image
tangowithfoxtrot Oct 31, 2023
b5b8403
move dockerfile
tangowithfoxtrot Oct 31, 2023
cd06953
create `.dockerignore`
tangowithfoxtrot Oct 31, 2023
4761874
use new location for dockerfile
tangowithfoxtrot Oct 31, 2023
b5d1dc1
remove failing armv7 builds
tangowithfoxtrot Oct 31, 2023
c0077c4
Change secret for accessing aci
michalchecinski Nov 1, 2023
01d4f98
move dockerignore
tangowithfoxtrot Oct 31, 2023
e7b4a38
building _just_ the `bws` crate
tangowithfoxtrot Nov 1, 2023
408b338
Apply formatting suggestions
tangowithfoxtrot Nov 3, 2023
e362b14
Merge branch 'master' into bws-docker-image
tangowithfoxtrot Nov 3, 2023
6694fd8
run prettier
tangowithfoxtrot Nov 9, 2023
3a6b5f6
Update .github/workflows/build-cli-docker.yml
tangowithfoxtrot Nov 17, 2023
5114640
`npm run prettier` again
tangowithfoxtrot Nov 17, 2023
6d248d1
Apply suggestions for dockerignore and dockerfile
tangowithfoxtrot Nov 20, 2023
e0870a6
fix dockerignore locally; add Cargo.lock
tangowithfoxtrot Jan 11, 2024
ff39b87
Merge branch 'main' into bws-docker-image
tangowithfoxtrot Jan 11, 2024
163 changes: 163 additions & 0 deletions .github/workflows/build-cli-docker.yml
@@ -0,0 +1,163 @@
---
name: Build bws Docker image

on:
push:
paths:
- "crates/bws/**"
workflow_dispatch:
inputs:
sdk_branch:
description: "Server branch name to deploy (examples: 'master', 'rc', 'feature/sm')"
type: string
default: master
pull_request:
paths:
- ".github/workflows/build-cli-docker.yml"
- "crates/bws/**"

env:
_AZ_REGISTRY: bitwardenprod.azurecr.io

jobs:
build-docker:
name: Build Docker image
runs-on: ubuntu-22.04
steps:
- name: Checkout Repository
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0

- name: Check Branch to Publish
env:
PUBLISH_BRANCHES: "master,rc,hotfix-rc"
id: publish-branch-check
run: |
REF=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}

IFS="," read -a publish_branches <<< $PUBLISH_BRANCHES

if [[ "${publish_branches[*]}" =~ "${REF}" ]]; then
echo "is_publish_branch=true" >> $GITHUB_ENV
else
echo "is_publish_branch=false" >> $GITHUB_ENV
fi

########## Set up Docker ##########
- name: Set up QEMU emulators
uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # v2.1.0

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@4b4e9c3e2d4531116a6f8ba8e71fc6e2cb6e6c8c # v2.5.0

########## Login to Docker registries ##########
- name: Login to Azure - Prod Subscription
uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7
with:
creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}

- name: Login to Azure ACR
run: az acr login -n ${_AZ_REGISTRY%.azurecr.io}

- name: Login to Azure - CI Subscription
uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7
with:
creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}

- name: Retrieve github PAT secrets
id: retrieve-secret-pat
uses: bitwarden/gh-actions/get-keyvault-secrets@c86ced0dc8c9daeecf057a6333e6f318db9c5a2b
with:
keyvault: "bitwarden-ci"
secrets: "github-pat-bitwarden-devops-bot-repo-scope"

- name: Setup Docker Trust
if: ${{ env.is_publish_branch == 'true' }}
uses: bitwarden/gh-actions/setup-docker-trust@082f5e05ed97c3601c6f3179250b1a761c4d647f
with:
azure-creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
azure-keyvault-name: "bitwarden-ci"

########## Generate image tag and build Docker image ##########
- name: Generate Docker image tag
id: tag
run: |
REF=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}
IMAGE_TAG=$(echo "${REF}" | sed "s#/#-#g") # slash safe branch name
if [[ "${IMAGE_TAG}" == "master" ]]; then
IMAGE_TAG=dev
elif [[ ("${IMAGE_TAG}" == "rc") || ("${IMAGE_TAG}" == "hotfix-rc") ]]; then
IMAGE_TAG=rc
fi

echo "image_tag=${IMAGE_TAG}" >> $GITHUB_OUTPUT

- name: Generate tag list
id: tag-list
env:
IMAGE_TAG: ${{ steps.tag.outputs.image_tag }}
IS_PUBLISH_BRANCH: ${{ env.is_publish_branch }}
run: |
if [[ ("${IMAGE_TAG}" == "dev" || "${IMAGE_TAG}" == "rc") && "${IS_PUBLISH_BRANCH}" == "true" ]]; then
echo "tags=$_AZ_REGISTRY/bws:${IMAGE_TAG},bitwarden/bws:${IMAGE_TAG}" >> $GITHUB_OUTPUT
else
echo "tags=$_AZ_REGISTRY/bws:${IMAGE_TAG}" >> $GITHUB_OUTPUT
fi

- name: Build and push Docker image
uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 # v3.2.0
with:
context: .
file: crates/bws/Dockerfile
platforms: |
linux/amd64,
linux/arm64/v8
push: true
tags: ${{ steps.tag-list.outputs.tags }}
secrets: |
"GH_PAT=${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}"

- name: Log out of Docker and disable Docker Notary
if: ${{ env.is_publish_branch == 'true' }}
run: |
docker logout
echo "DOCKER_CONTENT_TRUST=0" >> $GITHUB_ENV

check-failures:
name: Check for failures
if: always()
runs-on: ubuntu-22.04
needs: build-docker
steps:
- name: Check if any job failed
if: |
github.ref == 'refs/heads/master'
|| github.ref == 'refs/heads/rc'
|| github.ref == 'refs/heads/hotfix-rc'
env:
BUILD_DOCKER_STATUS: ${{ needs.build-docker.result }}
run: |
if [ "$BUILD_DOCKER_STATUS" = "failure" ]; then
exit 1
fi

- name: Login to Azure - CI subscription
uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7
if: failure()
with:
creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}

- name: Retrieve secrets
id: retrieve-secrets
uses: bitwarden/gh-actions/get-keyvault-secrets@c86ced0dc8c9daeecf057a6333e6f318db9c5a2b
if: failure()
with:
keyvault: "bitwarden-ci"
secrets: "devops-alerts-slack-webhook-url"

- name: Notify Slack on failure
uses: act10ns/slack@ed1309ab9862e57e9e583e51c7889486b9a00b0f # v2.0.0
if: failure()
env:
SLACK_WEBHOOK_URL: ${{ steps.retrieve-secrets.outputs.devops-alerts-slack-webhook-url }}
with:
status: ${{ job.status }}
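Review bot: the publish-branch test in `Check Branch to Publish` is a substring match, not an equality test. `[[ "${publish_branches[*]}" =~ "${REF}" ]]` expands the array to the string `master rc hotfix-rc` and, because the right-hand side is quoted, succeeds for any REF that occurs inside it, so a branch or PR head named `fix`, `hotfix`, `c` or `master` all set `is_publish_branch=true` and run `Setup Docker Trust`; only the second filter in `Generate tag list` keeps such branches off `bitwarden/bws`. Compare exactly instead, e.g. loop over the array with `[[ "$b" == "$REF" ]]`, or use `,${PUBLISH_BRANCHES}," == *",${REF},"*`. Three further points: `push: true` in `Build and push Docker image` is unconditional, so with the `pull_request` trigger every same-repo PR touching `crates/bws/**` publishes a branch-tagged image to `bitwardenprod.azurecr.io` (PRs from forks will instead fail at `Login to Azure`, since secrets are not exposed to them); consider `push: ${{ github.event_name != 'pull_request' }}`. The repo-scoped PAT fetched in `Retrieve github PAT secrets` and passed as the `GH_PAT` build secret is never consumed by the Dockerfile in this PR (no `RUN --mount=type=secret,id=GH_PAT`), so both the retrieval and the secret can be dropped until a build step needs them. And the `sdk_branch` input on `workflow_dispatch`, described as a "Server branch name", is not referenced anywhere in the job, while the `DOCKER_CONTENT_TRUST=0` export in the last step of `build-docker` is written to `$GITHUB_ENV` after no further steps run and has no effect.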
34 changes: 34 additions & 0 deletions crates/bws/Dockerfile
@@ -0,0 +1,34 @@
###############################################
# Build stage #
###############################################
FROM --platform=$BUILDPLATFORM rust:1.73 AS build

# Docker buildx supplies the value for this arg
ARG TARGETPLATFORM

RUN apt-get update && apt-get install -y --no-install-recommends \
ca-certificates \
&& rm -rf /var/lib/apt/lists/*

# Copy required project files
COPY . /app

# Build project
WORKDIR /app/crates/bws
RUN cargo build --release

###############################################
# App stage #
###############################################
FROM debian:bookworm-slim

ARG TARGETPLATFORM
LABEL com.bitwarden.product="bitwarden"

# Copy built project from the build stage
WORKDIR /usr/local/bin
COPY --from=build /app/target/release/bws .
COPY --from=build /etc/ssl/certs /etc/ssl/certs

ENTRYPOINT ["bws"]

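Review bot: the build stage is pinned to `--platform=$BUILDPLATFORM`, `TARGETPLATFORM` is declared but never consulted, and `cargo build --release` carries no `--target`, so for the `linux/arm64/v8` entry in the workflow the binary is compiled for the amd64 build host and then copied into an arm64 `debian:bookworm-slim` image where it cannot execute. Either drop `--platform=$BUILDPLATFORM` so the build stage itself runs under QEMU for the target (slower, but correct), or map `TARGETPLATFORM` to a Rust target triple, install that target and its linker, pass `--target` to cargo, and adjust the `COPY --from=build` path to `target/<triple>/release/bws`; the second `ARG TARGETPLATFORM` in the app stage is unused either way. Two smaller points: the app stage has no `USER`, so `bws`, a tool whose job is handling secrets, runs as root by default; add a non-root user (e.g. `RUN useradd -r -u 10001 bws` followed by `USER bws`). And `COPY --from=build /etc/ssl/certs /etc/ssl/certs` copies a directory whose per-CA entries are symlinks into `/usr/share/ca-certificates`, which does not exist in the slim image; the concatenated `ca-certificates.crt` bundle is a regular file and will work, but installing `ca-certificates` in the runtime stage avoids the dangling links and keeps the trust store updatable through apt. Consider also pinning `rust:1.73` and `debian:bookworm-slim` by digest, matching the SHA-pinned actions in the workflow.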
4 changes: 4 additions & 0 deletions crates/bws/Dockerfile.dockerignore
@@ -0,0 +1,4 @@
*
!crates/*
!Cargo.toml
!Cargo.lock
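Review bot: `!crates/*` re-includes every entry under `crates/`, including any `target/` directory a local `cargo build` run inside a crate may have left behind, so add `**/target` after the negations (the last matching line wins) to keep stale build output out of the context; `*` already drops the root `target/` and `.git`. Note also that an ignore file named `Dockerfile.dockerignore` beside the Dockerfile, rather than `.dockerignore` at the context root, is only honoured by BuildKit, which is what `docker/build-push-action` with buildx uses; a legacy `docker build` ignores it and sends the whole repository as context. A one-line comment at the top of the file saying so would save the next person a surprise.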