From 8139b025740feb1eb85a3c2a4525a2e391529f47 Mon Sep 17 00:00:00 2001
From: Caleb Woodbine
Date: Tue, 26 Sep 2023 13:20:16 +1300
Subject: [PATCH] feat: sync datadog agent to ECR

vendors the datadog agent image to an ECR
---
.github/workflows/sync.yml | 21 +++++++++++++
README.md | 60 ++++++++++++++++++++------------------
config.yaml | 6 ++--
3 files changed, 56 insertions(+), 31 deletions(-)

diff --git a/.github/workflows/sync.yml b/.github/workflows/sync.yml
index 7294d78..5598eb4 100644
--- a/.github/workflows/sync.yml
+++ b/.github/workflows/sync.yml
@@ -46,6 +46,27 @@ jobs:
 - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
 - uses: GeoNet/setup-crane@00c9e93efa4e1138c9a7a5c594acd6c75a2fbf0c # main
 - uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2
+ - id: determine-uses-ecr
+ env:
+ DESTINATION: ${{ fromJSON(toJSON(matrix)).destination }}
+ run: |
+ if echo "$DESTINATION" | grep -q -E '[0-9]{12}.dkr.ecr.ap-southeast-2.amazonaws.com/.*'; then
+ echo "ecr="$(echo "$DESTINATION" | cut -d'/' -f1)"" >> $GITHUB_OUTPUT
+ fi
+ - name: Configure AWS Credentials
+ if: ${{ steps.determine-uses-ecr.outputs.ecr != '' }}
+ uses: aws-actions/configure-aws-credentials@8c3f20df09ac63af7b3ae3d7c91f105f857d8497 # v2.0.0
+ with:
+ aws-region: ap-southeast-2
+ role-to-assume: arn:aws:iam::862640294325:role/github-actions-geonet-ecr-push
+ role-duration-seconds: 3600
+ role-session-name: github-actions-GeoNet--base-images
+ - name: login to ECR
+ if: ${{ steps.determine-uses-ecr.outputs.ecr != '' }}
+ env:
+ ECR: ${{ steps.determine-uses-ecr.outputs.ecr }}
+ run: |
+ aws ecr get-login-password --region ap-southeast-2 | crane auth login "$ECR" -u AWS --password-stdin
 - name: get-digests
 if: ${{ fromJSON(toJSON(matrix)).always != true }}
 id: get-digests
diff --git a/README.md b/README.md
index 5df0bcf..ff9bcb9 100644
--- a/README.md
+++ b/README.md
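Review bot: The ECR detection regex in the `determine-uses-ecr` step is unanchored and leaves its dots unescaped, so `.` matches any character and the pattern can match anywhere in the destination string; tighten it to `grep -q -E '^[0-9]{12}\.dkr\.ecr\.ap-southeast-2\.amazonaws\.com/'` (the trailing `.*` adds nothing). That pattern also accepts any 12-digit account while `role-to-assume` is hard-coded to 862640294325, so a destination in another account would pass detection and only fail at push time — consider pinning the account ID in the regex, or deriving the registry host from the role's account. The `echo "ecr="$(…)"" >> $GITHUB_OUTPUT` line works but its quoting is confusing and `$GITHUB_OUTPUT` is unquoted; `echo "ecr=${DESTINATION%%/*}" >> "$GITHUB_OUTPUT"` is equivalent and clearer. The assume-role step depends on OIDC, which requires `permissions: id-token: write` on this job and a trust policy that restricts `sub` to this repository; the job header is outside the hunk, so confirm both are in place.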
@@ -41,35 +41,37 @@ The repo is mostly concerned with base images or images used in build processes. list of vendored base images -| Image | Description | -|----------------------------------------------------|--------------------------------------------------------------------------------| -| ghcr.io/geonet/base-images/alpine | standard Alpine base image | -| ghcr.io/geonet/base-images/datadog/agent | datadog agent | -| ghcr.io/geonet/base-images/debian | standard Debian slim image | -| ghcr.io/geonet/base-images/git | Alpine with git installed | -| ghcr.io/geonet/base-images/git-ssh | Alpine with git and ssh installed | -| ghcr.io/geonet/base-images/go | a minimal image for building Go applications | -| ghcr.io/geonet/base-images/hadolint/hadolint | a Dockerfile linter | -| ghcr.io/geonet/base-images/hashicorp/terraform | Terraform image | -| ghcr.io/geonet/base-images/mkdocs_plus | a custom build image for docs | -| ghcr.io/geonet/base-images/nginx | minimal nginx image | -| ghcr.io/geonet/base-images/node | Alpine based node image | -| ghcr.io/geonet/base-images/python | Alpine and Debian base Python images | -| ghcr.io/geonet/base-images/siderolabs-conform | conform policy for pull request commits | -| ghcr.io/geonet/base-images/static | scratch with timezone and ca-certificate data pre-installed. 
Great for Go apps | -| ghcr.io/geonet/base-images/texlive | a latex image | -| ghcr.io/geonet/base-images/ubi8 | Red Hat Universal Base Image 8 | -| ghcr.io/geonet/base-images/ubi8-minimal | Red Hat Universal Base Image 8 minimal | -| ghcr.io/geonet/base-images/centos | Centos 7 and stream variants available as tags eg :centos7 :stream8 | -| ghcr.io/geonet/base-images/chart-centos7 | Centos 7 base image updated to add extract packages needed for the chart app | -| ghcr.io/geonet/base-images/curl | A minimal image only containing curl | -| ghcr.io/geonet/base-images/owasp/zap2docker-stable | An image to run OWASP's Zed Attack Proxy security web scanner | -| ghcr.io/geonet/base-images/alpine-xslt | Alpine with libxslt for XML parsing | -| ghcr.io/geonet/base-images/alpine-gdal | Alpine with gdal for raster and vector geospatial data formats | -| ghcr.io/geonet/base-images/fedora | fedora for build tasks | -| ghcr.io/geonet/base-images/fedora-coreos | fedora coreos for edge devices | -| ghcr.io/geonet/base-images/alpine-iputils | includes tools like ping | -| ghcr.io/geonet/base-images/shellcheck | shellcheck bash scripts | +| Image | Description | +|-----------------------------------------------------------------|--------------------------------------------------------------------------------| +| ghcr.io/geonet/base-images/alpine | standard Alpine base image | +| ghcr.io/geonet/base-images/datadog/agent | datadog agent | +| ghcr.io/geonet/base-images/debian | standard Debian slim image | +| ghcr.io/geonet/base-images/git | Alpine with git installed | +| ghcr.io/geonet/base-images/git-ssh | Alpine with git and ssh installed | +| ghcr.io/geonet/base-images/go | a minimal image for building Go applications | +| ghcr.io/geonet/base-images/hadolint/hadolint | a Dockerfile linter | +| ghcr.io/geonet/base-images/hashicorp/terraform | Terraform image | +| ghcr.io/geonet/base-images/mkdocs_plus | a custom build image for docs | +| ghcr.io/geonet/base-images/nginx | minimal 
nginx image | +| ghcr.io/geonet/base-images/node | Alpine based node image | +| ghcr.io/geonet/base-images/python | Alpine and Debian base Python images | +| ghcr.io/geonet/base-images/siderolabs-conform | conform policy for pull request commits | +| ghcr.io/geonet/base-images/static | scratch with timezone and ca-certificate data pre-installed. Great for Go apps | +| ghcr.io/geonet/base-images/texlive | a latex image | +| ghcr.io/geonet/base-images/ubi8 | Red Hat Universal Base Image 8 | +| ghcr.io/geonet/base-images/ubi8-minimal | Red Hat Universal Base Image 8 minimal | +| ghcr.io/geonet/base-images/centos | Centos 7 and stream variants available as tags eg :centos7 :stream8 | +| ghcr.io/geonet/base-images/chart-centos7 | Centos 7 base image updated to add extract packages needed for the chart app | +| ghcr.io/geonet/base-images/curl | A minimal image only containing curl | +| ghcr.io/geonet/base-images/owasp/zap2docker-stable | An image to run OWASP's Zed Attack Proxy security web scanner | +| ghcr.io/geonet/base-images/alpine-xslt | Alpine with libxslt for XML parsing | +| ghcr.io/geonet/base-images/alpine-gdal | Alpine with gdal for raster and vector geospatial data formats | +| ghcr.io/geonet/base-images/fedora | fedora for build tasks | +| ghcr.io/geonet/base-images/fedora-coreos | fedora coreos for edge devices | +| ghcr.io/geonet/base-images/alpine-iputils | includes tools like ping | +| ghcr.io/geonet/base-images/shellcheck | shellcheck bash scripts | +| 862640294325.dkr.ecr.ap-southeast-2.amazonaws.com/datadog-agent | datadog agent for use in ECS | + for tags, check [config.yaml](./config.yaml). diff --git a/config.yaml b/config.yaml index bd7568c..a30175e 100644 --- a/config.yaml +++ b/config.yaml 
@@ -9,8 +9,8 @@ sync:
 destination: ghcr.io/geonet/base-images/ubi8:8.8
 - source: docker.io/redhat/ubi8-minimal:8.8@sha256:621f5245fb3e8597a626163cdf1229e1f8311e07ab71bb1e9332014b51c59f9c
 destination: ghcr.io/geonet/base-images/ubi8-minimal:8.8
- - source: docker.io/datadog/agent:7@sha256:b9e11fd44fec2dc6f42d7d8eeafb29dc16bc185af37c395b9c3864b1402134d0
- destination: ghcr.io/geonet/base-images/datadog/agent:7
+ - source: docker.io/datadog/agent:7.47.1@sha256:364b90eb9da1925a4b8a1dca501a9a8e8cd5e8455733a16857284c49d4bf8467
+ destination: ghcr.io/geonet/base-images/datadog/agent:7.47.1
 - source: docker.io/library/debian:bookworm-slim@sha256:d8f9d38c21495b04d1cca99805fbb383856e19794265684019bf193c3b7d67f9
 destination: ghcr.io/geonet/base-images/debian:bookworm-slim
 - source: docker.io/hadolint/hadolint:v2.12.0-alpine@sha256:3c206a451cec6d486367e758645269fd7d696c5ccb6ff59d8b03b0e45268a199
@@ -61,6 +61,8 @@ sync:
 destination: ghcr.io/geonet/base-images/owasp/zap2docker-stable:2.11.1
 - source: docker.io/koalaman/shellcheck-alpine:v0.9.0@sha256:e19ed93c22423970d56568e171b4512c9244fc75dd9114045016b4a0073ac4b7
 destination: ghcr.io/geonet/base-images/shellcheck:v0.9.0
+ - source: docker.io/datadog/agent:7.47.1@sha256:364b90eb9da1925a4b8a1dca501a9a8e8cd5e8455733a16857284c49d4bf8467
+ destination: 862640294325.dkr.ecr.ap-southeast-2.amazonaws.com/datadog-agent:7.47.1 # this ecr does not exist yet
 build:
 # NOTES
 # - uses dirname of source as context for build
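Review bot: The new ECR destination is annotated `# this ecr does not exist yet`, and ECR does not create a repository on push, so as far as I can tell from this config the sync run for that entry will fail until `datadog-agent` exists in account 862640294325 — either create the repository first or keep the entry out of `sync:` until it does. The first hunk also replaces the `ghcr.io/geonet/base-images/datadog/agent:7` destination with `:7.47.1`, so anything still pulling the `:7` tag stops receiving updates; worth stating in the commit message or keeping both tags during a transition. The `sync:` list continues outside both hunks.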