From 72666f6148c5efb4f11f567c3c6ec0e06c9a18bd Mon Sep 17 00:00:00 2001 From: Guy Owen Date: Thu, 29 Feb 2024 17:39:45 +1100 Subject: [PATCH] Backport 6.x changes to 5.x (#251) --- .github/workflows/build-deploy.yml | 21 +++++++++- .../workflows/vulnerability-scan-build.yml | 2 +- .../workflows/vulnerability-scan-schedule.yml | 6 +-- gh-actions-bake.hcl | 10 ++++- images/awx-ee/README.md | 10 ++--- images/awx-ee/docker-bake.hcl | 12 +++--- images/awx-ee/execution-environment.yml | 40 +++++++++++++------ images/mailhog/README.md | 2 +- images/nginx/README.md | 2 +- images/node/README.md | 2 +- images/php/Dockerfile.cli | 6 ++- images/php/Dockerfile.fpm | 6 ++- images/php/README.md | 2 +- 13 files changed, 81 insertions(+), 40 deletions(-) diff --git a/.github/workflows/build-deploy.yml b/.github/workflows/build-deploy.yml index 2fad1d606..3773f9595 100644 --- a/.github/workflows/build-deploy.yml +++ b/.github/workflows/build-deploy.yml @@ -21,10 +21,10 @@ jobs: images: ${{ fromJson(vars.IMAGES) }} steps: - name: Set up QEMU - uses: docker/setup-qemu-action@v2 + uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 + uses: docker/setup-buildx-action@v3 - uses: actions/checkout@v3 @@ -53,6 +53,23 @@ jobs: org.opencontainers.image.title=${{ matrix.images }} org.opencontainers.image.description=${{ matrix.images }} image for Bay container platform + - name: Create the AWX-EE context + if: matrix.images == 'awx-ee' + run: | + pip install --upgrade ansible-builder + ansible-builder create \ + --output-filename Dockerfile \ + --verbosity 3 + working-directory: ./images/awx-ee + + - name: Upload AWX-EE context for review + if: matrix.images == 'awx-ee' + uses: actions/upload-artifact@v4 + with: + name: awx-ee-context + path: ./images/awx-ee/context + retention-days: 1 + - name: Build and push the images uses: docker/bake-action@v3.1.0 with: diff --git a/.github/workflows/vulnerability-scan-build.yml b/.github/workflows/vulnerability-scan-build.yml index 2b63e789e..4fc8524cd 100644 --- a/.github/workflows/vulnerability-scan-build.yml +++ b/.github/workflows/vulnerability-scan-build.yml @@ -21,7 +21,7 @@ jobs: echo "SANITISED-REF-NAME=${{ github.ref_name }}" | tr '/' '-' >> "$GITHUB_OUTPUT" - name: Scan for vulnerabilities id: scan - uses: crazy-max/ghaction-container-scan@v2 + uses: crazy-max/ghaction-container-scan@v3 with: image: ${{ env.REGISTRY }}/${{ github.repository }}/${{ matrix.images }}:${{ steps.sanitise-ref-name.outputs.SANITISED-REF-NAME }} dockerfile: ./images/${{ matrix.images }} diff --git a/.github/workflows/vulnerability-scan-schedule.yml b/.github/workflows/vulnerability-scan-schedule.yml index 3fc9cbac8..4b99764c5 100644 --- a/.github/workflows/vulnerability-scan-schedule.yml +++ b/.github/workflows/vulnerability-scan-schedule.yml @@ -4,7 +4,7 @@ env: REGISTRY: ghcr.io on: schedule: - - cron: '14 0 * * 4' + - cron: '0 22 * * 3' jobs: vulnerability-scan-schedule: if: github.event_name == 'schedule' @@ -35,7 +35,7 @@ jobs: steps: - name: Scan for vulnerabilities id: scan - uses: crazy-max/ghaction-container-scan@v2 + uses: crazy-max/ghaction-container-scan@v3 with: image: ${{ env.REGISTRY }}/${{ github.repository }}/${{ matrix.images }}:${{matrix.branches}} dockerfile: ./images/${{ matrix.images }} @@ -43,4 +43,4 @@ jobs: if: ${{ steps.scan.outputs.sarif != '' }} uses: github/codeql-action/upload-sarif@v2 with: - sarif_file: ${{ steps.scan.outputs.sarif }} \ No newline at end of file + sarif_file: ${{ steps.scan.outputs.sarif }} diff --git a/gh-actions-bake.hcl b/gh-actions-bake.hcl index ad5da0008..e76a671c4 100755 --- a/gh-actions-bake.hcl +++ b/gh-actions-bake.hcl @@ -86,4 +86,12 @@ target "ripple-static" { "org.opencontainers.image.description" = "Ripple static site generator image optimised for the Bay container platform" } } - +target "awx-ee" { + inherits = ["docker-metadata-action"] + context = "${CONTEXT}/awx-ee/context" + platforms = ["linux/amd64", "linux/arm64"] + args = { + PYCMD = "/usr/local/bin/python3" + PKGMGR = "/usr/bin/apt-get" + } +} diff --git a/images/awx-ee/README.md b/images/awx-ee/README.md index 654f47fd2..cc559f5b5 100644 --- a/images/awx-ee/README.md +++ b/images/awx-ee/README.md @@ -9,7 +9,7 @@ The AWX execution environment is a container image that AWX will use to execute - `requirements.txt`: Defined python dependencies - `requirements.yml`: Ansible collections to install -AWX has `singledigital/awx-ee:latest` added as an execution environment with a pull policy of always, when the image is updated kuberenetes will pull a new image to run the plays in. +AWX has `ghcr.io/dpc-sdp/bay/awx-ee:5.x` added as an execution environment with a pull policy of always, when the image is updated kuberenetes will pull a new image to run the plays in. ## Dependencies @@ -20,7 +20,7 @@ AWX has `singledigital/awx-ee:latest` added as an execution environment with a p Commands run from this directory if you have ansible-builder installed locally. ``` -$ ansible-builder build --tag singledigital/awx-ee:latest --container-runtime docker +$ ansible-builder build --tag ghcr.io/dpc-sdp/bay/awx-ee:5.x --container-runtime docker ``` OR run with docker. @@ -31,14 +31,14 @@ $ docker run --rm -it \ -v $(pwd):/data \ -w /data \ quay.io/ansible/ansible-builder:latest \ - ansible-builder build --tag singledigital/awx-ee:latest --container-runtime docker + ansible-builder build --tag ghcr.io/dpc-sdp/bay/awx-ee:5.x --container-runtime docker # Build the image -$ docker build -f context/Dockerfile -t singledigital/awx-ee:latest context +$ docker build -f context/Dockerfile -t ghcr.io/dpc-sdp/bay/awx-ee:5.x context ``` ## Deploying the image ``` -$ docker push singledigital/awx-ee:latest +$ docker push ghcr.io/dpc-sdp/bay/awx-ee:5.x ``` diff --git a/images/awx-ee/docker-bake.hcl b/images/awx-ee/docker-bake.hcl index 038066213..363fbfd8a 100644 --- a/images/awx-ee/docker-bake.hcl +++ b/images/awx-ee/docker-bake.hcl @@ -7,17 +7,15 @@ variable "IMAGE_TAG" { } group "default" { - targets = ["ee"] + targets = ["awx-ee"] } -target "ee" { +target "docker-metadata-action" {} + +target "awx-ee" { + inherits = ["docker-metadata-action"] context = "./context" - dockerfile = "Dockerfile" platforms = ["linux/amd64", "linux/arm64"] - tags = [ - // "singledigital/awx-ee:${IMAGE_TAG}", - "${GHCR}/dpc-sdp/bay/awx-ee:${IMAGE_TAG}" - ] args = { PYCMD = "/usr/local/bin/python3" PKGMGR = "/usr/bin/apt-get" diff --git a/images/awx-ee/execution-environment.yml b/images/awx-ee/execution-environment.yml index f9d877ca7..ccb8ccac3 100644 --- a/images/awx-ee/execution-environment.yml +++ b/images/awx-ee/execution-environment.yml @@ -19,17 +19,20 @@ additional_build_steps: append_base: [] prepend_final: - - LABEL org.opencontainers.image.authors="Digital Victoria" - - LABEL org.opencontainers.image.description="Provides an AWX execution environment image optimised for use with SDP." - - LABEL org.opencontainers.image.source="https://github.com/dpc-sdp/bay/blob/5.x/images/awx-ee/context/Dockerfile" + - LABEL maintainer="Digital Victoria" + - LABEL org.opencontainers.image.title="SDP AWX Execution Environment image." + - LABEL org.opencontainers.image.description="Provides an AWX execution environment image optimised for use with SDP. Built with ansible-builder." + - LABEL org.opencontainers.image.source="https://github.com/dpc-sdp/bay/blob/5.x/images/awx-ee/" - ARG LAGOON_CLI_VERSION=v0.15.4 - - ARG NVM_INSTALL_VERSION=v0.39.1 - - ARG NODE_VERSION=v14.15.1 + - ARG NVM_INSTALL_VERSION=v0.39.7 + - ARG NODE_VERSION=v18.17.0 + - ARG NVM_DIR="/runner/.nvm" + - ARG PHP_VERSION="8.2" append_final: - | # Required dependencies. RUN set -eux; \ - apt-get update && apt-get install -y \ + apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y \ git git-lfs \ jq \ rsync \ @@ -39,10 +42,12 @@ additional_build_steps: - | # Install php & composer. RUN set -eux; \ curl -sSL https://packages.sury.org/php/README.txt | bash -x; \ - apt-get update && apt-get install -y \ - php8.2-cli \ - php8.2-gd \ - php8.2-zip; \ + apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y \ + php${PHP_VERSION}-cli \ + php${PHP_VERSION}-curl \ + php${PHP_VERSION}-gd \ + php${PHP_VERSION}-xml \ + php${PHP_VERSION}-zip; \ rm -rf /var/lib/apt/lists/*; - | # Install cli tools. @@ -66,11 +71,20 @@ additional_build_steps: - RUN tar -C /tmp -xvf /tmp/gojq_v0.12.4_linux_amd64.tar.gz - RUN chmod +x /tmp/gojq_v0.12.4_linux_amd64/gojq - RUN mv /tmp/gojq_v0.12.4_linux_amd64/gojq /usr/local/bin - - RUN touch $HOME/.bashrc && chmod +x $HOME/.bashrc - - RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/$NVM_INSTALL_VERSION/install.sh | bash + - RUN touch /runner/.bashrc && chmod +x /runner/.bashrc + - RUN mkdir -p /runner/.nvm && chgrp 0 /runner/.nvm && chmod -R ug+rwx /runner/.nvm + - RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/$NVM_INSTALL_VERSION/install.sh | PROFILE="/runner/.bashrc" bash - RUN curl -L "https://get.helm.sh/helm-v3.12.2-linux-amd64.tar.gz" -o /tmp/helm && tar -xvf /tmp/helm -C /tmp && mv /tmp/linux-amd64/helm /usr/local/bin - RUN chmod +x /usr/local/bin/helm - RUN curl -L https://github.com/google/yamlfmt/releases/download/v0.10.0/yamlfmt_0.10.0_Linux_x86_64.tar.gz --output /tmp/yamlfmt_0.10.0_Linux_x86_64.tar.gz - RUN tar -C /tmp -xvf /tmp/yamlfmt_0.10.0_Linux_x86_64.tar.gz - RUN chmod +x /tmp/yamlfmt - - RUN mv /tmp/yamlfmt /usr/local/bin \ No newline at end of file + - RUN mv /tmp/yamlfmt /usr/local/bin + - | # Install GitHub gh cli tool + SHELL ["/bin/bash", "-c"] + RUN set -eux; \ + curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg | dd of=/usr/share/keyrings/githubcli-archive-keyring.gpg \ + && chmod go+r /usr/share/keyrings/githubcli-archive-keyring.gpg \ + && echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" | tee /etc/apt/sources.list.d/github-cli.list > /dev/null \ + && apt update \ + && DEBIAN_FRONTEND=noninteractive apt install gh -y \ No newline at end of file diff --git a/images/mailhog/README.md b/images/mailhog/README.md index 9e8edc6ce..dd6aef237 100644 --- a/images/mailhog/README.md +++ b/images/mailhog/README.md @@ -13,7 +13,7 @@ You can also use it in your Docker Compose stack with the following snippet: ``` services: mailhog: - image: singledigital/bay-mailhog:5.x + image: ghcr.io/dpc-sdp/bay/mailhog:5.x ports: - 1025 - 8025 diff --git a/images/nginx/README.md b/images/nginx/README.md index 3eb5eb642..960a5ae2b 100644 --- a/images/nginx/README.md +++ b/images/nginx/README.md @@ -18,7 +18,7 @@ You can also use it in your Docker Compose stack with the following snippet: ``` services: nginx: - image: singledigital/bay-nginx:5.x + image: ghcr.io/dpc-sdp/bay/nginx:5.x volumes: - path/to/app:/app ports: diff --git a/images/node/README.md b/images/node/README.md index 396fba7e3..827c59a59 100644 --- a/images/node/README.md +++ b/images/node/README.md @@ -14,7 +14,7 @@ You can also use it in your Docker Compose stack with the following snippet: ``` services: app: - image: singledigital/bay-node:5.x + image: ghcr.io/dpc-sdp/bay/node:5.x volumes: - path/to/app:/app ports: diff --git a/images/php/Dockerfile.cli b/images/php/Dockerfile.cli index d1399812c..1e3af5437 100644 --- a/images/php/Dockerfile.cli +++ b/images/php/Dockerfile.cli @@ -22,8 +22,10 @@ RUN wget -O /usr/local/bin/dockerize https://github.com/dpc-sdp/dockerize/releas RUN apk add redis --no-cache # Install bay-cli. -RUN wget "https://github.com/dpc-sdp/bay-cli/releases/download/v0.1.0/bay_$(echo ${TARGETPLATFORM:-linux/amd64} | tr '/' '_')" -O /bin/bay && \ - chmod +x /bin/bay +RUN curl -L "https://github.com/dpc-sdp/bay-cli/releases/download/v0.1.1/bay_$(echo ${TARGETPLATFORM:-linux/amd64} | tr '/' '_').tar.gz" --output /tmp/bay_$(echo ${TARGETPLATFORM:-linux/amd64} | tr '/' '_').tar.gz +RUN tar -C /tmp -xvf /tmp/bay_$(echo ${TARGETPLATFORM:-linux/amd64} | tr '/' '_').tar.gz +RUN chmod +x /tmp/bay +RUN mv /tmp/bay /bin/bay RUN mkdir /bay diff --git a/images/php/Dockerfile.fpm b/images/php/Dockerfile.fpm index 11c5f02c7..b268ace88 100644 --- a/images/php/Dockerfile.fpm +++ b/images/php/Dockerfile.fpm @@ -24,8 +24,10 @@ RUN apk add --no-cache tzdata \ && echo $TZ > /etc/timezone # Install bay-cli. -RUN wget "https://github.com/dpc-sdp/bay-cli/releases/download/v0.0.1/bay_$(echo ${TARGETPLATFORM:-linux/amd64} | tr '/' '_')" -O /bin/bay && \ - chmod +x /bin/bay +RUN curl -L "https://github.com/dpc-sdp/bay-cli/releases/download/v0.1.1/bay_$(echo ${TARGETPLATFORM:-linux/amd64} | tr '/' '_').tar.gz" --output /tmp/bay_$(echo ${TARGETPLATFORM:-linux/amd64} | tr '/' '_').tar.gz +RUN tar -C /tmp -xvf /tmp/bay_$(echo ${TARGETPLATFORM:-linux/amd64} | tr '/' '_').tar.gz +RUN chmod +x /tmp/bay +RUN mv /tmp/bay /bin/bay ONBUILD ARG BAY_DISABLE_FUNCTIONS=phpinfo,pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,system,exec,shell_exec,passthru,phpinfo,show_source,highlight_file,popen,fopen_with_path,dbmopen,dbase_open,filepro,filepro_rowcount,filepro_retrieve,posix_mkfifo ONBUILD ARG BAY_UPLOAD_LIMIT=100M diff --git a/images/php/README.md b/images/php/README.md index c222f8761..71880274d 100644 --- a/images/php/README.md +++ b/images/php/README.md @@ -19,7 +19,7 @@ You can also use it in your Docker Compose stack with the following snippet: ``` services: nginx: - image: singledigital/bay-php-fpm:5.x + image: ghcr.io/dpc-sdp/bay/php-fpm:5.x volumes: - path/to/app:/app ports: