From 30b771cecb7375f979953431b16e5e6940fe97f5 Mon Sep 17 00:00:00 2001
From: Kamil Krzywicki <12999736+camaeel@users.noreply.github.com>
Date: Thu, 10 Nov 2022 15:13:25 +0100
Subject: [PATCH] new image for kubectl (#23)
* new image for kubectl
---
 ...er-publish.yml => docker-publish-jnlp.yml} | 2 +-
 .github/workflows/docker-publish-kubectl.yml | 107 ++++++++++++++++++
 kubectl/Dockerfile | 15 +++
 kubectl/Dockerfile_1.15.7 | 12 --
 4 files changed, 123 insertions(+), 13 deletions(-)
 rename .github/workflows/{docker-publish.yml => docker-publish-jnlp.yml} (99%)
 create mode 100644 .github/workflows/docker-publish-kubectl.yml
 create mode 100644 kubectl/Dockerfile
 delete mode 100644 kubectl/Dockerfile_1.15.7
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish-jnlp.yml
similarity index 99%
rename from .github/workflows/docker-publish.yml
rename to .github/workflows/docker-publish-jnlp.yml
index eb45f11..4ebc39f 100644
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish-jnlp.yml
@@ -1,4 +1,4 @@
-name: Docker
+name: Docker jnlp
 
 # This workflow uses actions that are not certified by GitHub.
 # They are provided by a third-party and are governed by
diff --git a/.github/workflows/docker-publish-kubectl.yml b/.github/workflows/docker-publish-kubectl.yml
new file mode 100644
index 0000000..3afc720
--- /dev/null
+++ b/.github/workflows/docker-publish-kubectl.yml
@@ -0,0 +1,107 @@
+name: Docker - kubectl
+
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+on:
+ push:
+ branches: [ master ]
+ # Publish semver tags as releases.
+ tags: [ 'kubectl-v*.*.*' ]
+ paths:
+ - 'kubectl/**'
+ - '.github/workflows/**'
+ pull_request:
+ branches: [ master ]
+ paths:
+ - 'kubectl/**'
+
+env:
+ # Use docker.io for Docker Hub if empty
+ REGISTRY: ghcr.io
+ # IMAGE_PATH: jenkins-jnlp-slave
+ # github.repository as /
+ # IMAGE_NAME: ${{ github.repository }}/jenkins-jnlp-slave
+
+
+jobs:
+ build:
+ strategy:
+ matrix:
+ image: [kubectl]
+
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: write
+ # This is used to complete the identity challenge
+ # with sigstore/fulcio when running outside of PRs.
+ id-token: write
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v2
+
+ # Install the cosign tool except on PR
+ # https://github.com/sigstore/cosign-installer
+ - name: Install cosign
+ if: github.event_name != 'pull_request'
+ uses: sigstore/cosign-installer@v2
+ with:
+ cosign-release: 'v1.13.1'
+
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v2
+
+ # Workaround: https://github.com/docker/build-push-action/issues/461
+ - name: Setup Docker buildx
+ uses: docker/setup-buildx-action@v2
+
+ # Login against a Docker registry except on PR
+ # https://github.com/docker/login-action
+ - name: Log into registry ${{ env.REGISTRY }}
+ if: github.event_name != 'pull_request'
+ uses: docker/login-action@v2.0.0
+ with:
+ registry: ${{ env.REGISTRY }}
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ # Extract metadata (tags, labels) for Docker
+ # https://github.com/docker/metadata-action
+ - name: Extract Docker metadata
+ id: meta
+ uses: docker/metadata-action@v4.0.1
+ with:
+ images: ${{ env.REGISTRY }}/${{ github.repository }}/${{ 
matrix.image }}
+ tags: |
+ type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }}
+ type=match,pattern=kubectl-(v.*),group=1
+ type=ref,event=branch
+ type=ref,event=pr
+ # Build and push Docker image with Buildx (don't push on PR)
+ # https://github.com/docker/build-push-action
+ - name: Build and push Docker image
+ id: build-and-push
+ uses: docker/build-push-action@v3.1.0
+ with:
+ file: ${{ matrix.image }}/Dockerfile
+ platforms: linux/amd64,linux/arm64
+ push: ${{ github.event_name != 'pull_request' }}
+ tags: ${{ steps.meta.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels }}
+
+ # Sign the resulting Docker image digest except on PRs.
+ # This will only write to the public Rekor transparency log when the Docker
+ # repository is public to avoid leaking data. If you would like to publish
+ # transparency data even for private images, pass --force to cosign below.
+ # https://github.com/sigstore/cosign
+ - name: Sign the published Docker image
+ if: ${{ github.event_name != 'pull_request' }}
+ env:
+ COSIGN_EXPERIMENTAL: "true"
+ # This step uses the identity token to provision an ephemeral certificate
+ # against the sigstore community Fulcio instance.
+ run: cosign sign ${{ env.REGISTRY }}/${{ github.repository }}/${{ matrix.image }}@${{ steps.build-and-push.outputs.digest }}
diff --git a/kubectl/Dockerfile b/kubectl/Dockerfile
new file mode 100644
index 0000000..1643916
--- /dev/null
+++ b/kubectl/Dockerfile
@@ -0,0 +1,15 @@
+FROM alpine:latest
+
+ARG KUBECTL_VERSION=1.23.13
+
+USER root
+
+RUN wget "https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/amd64/kubectl" && \
+ echo "$(wget -O - "https://dl.k8s.io/v${KUBECTL_VERSION}/bin/linux/amd64/kubectl.sha256") kubectl" > kubectl.sha256 && \
+ sha256sum -cw kubectl.sha256 && \
+ install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl && \
+ rm kubectl
+
+USER nobody
+CMD ["/bin/sh"]
+ENTRYPOINT []
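Review bot: Every third-party action in the job's `steps` is pinned to a mutable tag (`actions/checkout@v2`, `sigstore/cosign-installer@v2`, `docker/setup-qemu-action@v2`, `docker/setup-buildx-action@v2`, `docker/login-action@v2.0.0`, `docker/metadata-action@v4.0.1`, `docker/build-push-action@v3.1.0`) in a job that holds `packages: write` and `id-token: write`, so a moved tag in any of them runs with the ability to publish and sign images under this repository. Pin each `uses:` to a full commit SHA and keep the tag as a trailing comment, e.g. `uses: docker/build-push-action@<commit sha of v3.1.0>  # v3.1.0`, and let Dependabot bump them. Separately, the `kubectl-v*.*.*` tag trigger selects the image tag via `type=match,pattern=kubectl-(v.*),group=1`, but nothing passes that version into the build: `KUBECTL_VERSION` is fixed in `kubectl/Dockerfile`, so a git tag for a newer version would still ship the Dockerfile's default unless both are bumped together. Consider passing `build-args: KUBECTL_VERSION=...` derived from the tag, or at least add a comment above the `tags:` list stating that the git tag and `ARG KUBECTL_VERSION` must be kept in lockstep.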
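Review bot: The download URL in the `RUN` step hard-codes `linux/amd64`, while the workflow builds this Dockerfile with `platforms: linux/amd64,linux/arm64`, so the arm64 image would contain an x86-64 kubectl that cannot execute on that platform. Buildx sets `TARGETARCH` per platform; add `ARG TARGETARCH` after `ARG KUBECTL_VERSION` and use `linux/${TARGETARCH}/kubectl` and `linux/${TARGETARCH}/kubectl.sha256` in the two URLs. The checksum URL also omits the `/release/` path segment that the binary URL has (`dl.k8s.io/v${KUBECTL_VERSION}/...` vs `dl.k8s.io/release/v${KUBECTL_VERSION}/...`); if that path does not resolve, the `$(wget -O - ...)` substitution yields an empty hash and `sha256sum -cw` should reject the malformed line, so the build fails closed but with a misleading error — use the same `/release/` prefix for both. `FROM alpine:latest` is unpinned, so rebuilds are not reproducible and the base can change under the pinned `KUBECTL_VERSION`; pin a release tag (or a digest) instead.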
diff --git a/kubectl/Dockerfile_1.15.7 b/kubectl/Dockerfile_1.15.7
deleted file mode 100644
index 1201698..0000000
--- a/kubectl/Dockerfile_1.15.7
+++ /dev/null
@@ -1,12 +0,0 @@
-FROM ubuntu:18.04 as builder
-
-ARG KUBERNETES_VERSION=v1.15.7
-
-RUN apt-get update && apt-get install -y curl
-RUN curl -L https://dl.k8s.io/${KUBERNETES_VERSION}/kubernetes-client-linux-amd64.tar.gz -o /kubectl.tar.gz \
- && tar -zxvf /kubectl.tar.gz
-
-FROM scratch
-
-COPY --from=builder /kubernetes/client/bin/kubectl /kubectl
-ENTRYPOINT ["/kubectl"]