From 6a1dea013a4f1effd9803fbf17542b74fcb24b1c Mon Sep 17 00:00:00 2001 From: Paul Abel <128620221+pdabelf5@users.noreply.github.com> Date: Thu, 7 Mar 2024 14:23:53 +0000 Subject: [PATCH] nap modules base image (#5197) * pass empty nap_modules value --- .github/actions/smoke-tests/action.yaml | 2 +- .github/workflows/build-base-images.yml | 2 +- .github/workflows/build-oss.yml | 29 +++++++++++++++++- .github/workflows/build-plus.yml | 40 +++++++++++++++++++++++-- .github/workflows/ci.yml | 19 ++++++++---- 5 files changed, 80 insertions(+), 12 deletions(-) diff --git a/.github/actions/smoke-tests/action.yaml b/.github/actions/smoke-tests/action.yaml index a3a538ef11..604b428b9d 100644 --- a/.github/actions/smoke-tests/action.yaml +++ b/.github/actions/smoke-tests/action.yaml @@ -96,7 +96,7 @@ runs: file: build/Dockerfile context: "." cache-from: type=gha,scope=${{ inputs.image }}${{ contains(inputs.marker, 'dos') && '-dos' || '' }}${{ contains(inputs.marker, 'appprotect') && '-nap' || '' }} - target: goreleaser${{ ! inputs.forked-workflow && '-prebuilt' || '' }} + target: goreleaser${{ inputs.forked-workflow && '' || '-prebuilt' }} tags: "docker.io/nginx/${{ steps.ingress-type.outputs.name }}:${{ steps.ingress-type.outputs.tag }}" load: true pull: true diff --git a/.github/workflows/build-base-images.yml b/.github/workflows/build-base-images.yml index 66ad132805..155b5ace71 100644 --- a/.github/workflows/build-base-images.yml +++ b/.github/workflows/build-base-images.yml 
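Review bot: The new `target:` expression in smoke-tests/action.yaml always yields `goreleaser-prebuilt`. `inputs.forked-workflow && ''` evaluates to an empty (falsy) string when the input is truthy, so the `||` falls through to `'-prebuilt'` in both cases. Keep the non-empty value in the middle of the chain, e.g. `target: goreleaser${{ inputs.forked-workflow != 'true' && '-prebuilt' || '' }}`. The string comparison assumes the input reaches this action as a string, as composite-action inputs do, so confirm against the caller. As written, a forked run would presumably select the prebuilt-base target, although the registry login visible in build-oss.yml is skipped when `forked-workflow` is set.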
@@ -32,7 +32,7 @@ jobs: - name: Output Variables id: vars run: | - docker_md5=$(find . -type f \( -name "build/Dockerfile" -o -name .github/data/version.txt \) -not -path "./docs*" -exec md5sum {} + | LC_ALL=C sort | md5sum | awk '{ print $1 }' ) + docker_md5=$(find . -type f \( -name "Dockerfile" -o -name version.txt \) -not -path "./tests*" -exec md5sum {} + | LC_ALL=C sort | md5sum | awk '{ print $1 }') echo "docker_md5=${docker_md5:0:8}" >> $GITHUB_OUTPUT source .github/data/version.txt echo "ic_version=${IC_VERSION}" >> $GITHUB_OUTPUT diff --git a/.github/workflows/build-oss.yml b/.github/workflows/build-oss.yml index bdf53a6c87..d30fd188e5 100644 --- a/.github/workflows/build-oss.yml +++ b/.github/workflows/build-oss.yml @@ -118,6 +118,33 @@ jobs: password: ${{ steps.auth.outputs.access_token }} if: ${{ ! inputs.forked-workflow }} + - name: Check if base images exist + id: base_exists + run: | + if docker manifest inspect gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-base/oss:${{ inputs.base-image-md5 }}-${{ inputs.image }}; then + echo "exists=0" >> $GITHUB_OUTPUT + else + echo "exists=1" >> $GITHUB_OUTPUT + fi + if: ${{ ! inputs.forked-workflow }} + + - name: Build Base Container + uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0 + with: + file: build/Dockerfile + context: "." + cache-from: type=gha,scope=${{ inputs.image }} + cache-to: type=gha,scope=${{ inputs.image }},mode=max + target: common + tags: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-base/oss:${{ inputs.base-image-md5 }}-${{ inputs.image }} + platforms: ${{ inputs.platforms }} + pull: true + push: true + build-args: | + BUILD_OS=${{ inputs.image }} + IC_VERSION=${{ inputs.tag }} + if: ${{ ! inputs.forked-workflow && steps.base_exists.outputs.exists != 0 }} + - name: Get short tag id: tag run: | 
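Review bot: `find -name` matches basenames, so the new `docker_md5` line hashes every file named `Dockerfile` or `version.txt` outside `./tests*`, not only the two files the build reads. The 8-character prefix becomes the base-image tag and decides whether a base image is rebuilt or reused, so the key's inputs should be explicit and auditable: `docker_md5=$(md5sum build/Dockerfile .github/data/version.txt | md5sum | awk '{ print $1 }')`. The identical line in the ci.yml hunk at `-94,7` needs the same change so both workflows keep computing the same tag. A short comment should also state that anything else the `common` stage copies from the build context is not covered by this key, so a change there will silently reuse an older base image.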
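Review bot: The new "Check if base images exist" step in build-oss.yml expands `${{ inputs.base-image-md5 }}` and `${{ inputs.image }}` directly into the `run:` script, so their text becomes shell source before bash parses it. Pass the reference through the environment instead: add an `env:` entry such as `BASE_IMG:` holding the full image reference, and test it with `if docker manifest inspect "$BASE_IMG"; then`. The same pattern appears in the build-plus.yml check step and in both `NAP modules` steps. Two further points: any `docker manifest inspect` failure, including an auth or network error, is recorded as `exists=1` and leads to a rebuild and push over the existing tag. Also, `exists=0` meaning "present" reads inverted, so a one-line comment or a `true`/`false` value would help.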
@@ -179,7 +206,7 @@ jobs: provenance: false build-args: | BUILD_OS=${{ inputs.image }} - PREBUILT_BASE_IMG=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-base/oss:${{ inputs.base-image-md5 }}-${{ inputs.image }} + ${{ ! inputs.forked-workflow && format('PREBUILT_BASE_IMG=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-base/oss:{0}-{1}', inputs.base-image-md5, inputs.image) || '' }} IC_VERSION=${{ (github.event_name == 'pull_request' || startsWith(github.ref, 'refs/heads/release-')) && 'CI' || steps.meta.outputs.version }} - name: Certify Images diff --git a/.github/workflows/build-plus.yml b/.github/workflows/build-plus.yml index 9d150d1ccf..c4e70af6b7 100644 --- a/.github/workflows/build-plus.yml +++ b/.github/workflows/build-plus.yml 
@@ -165,17 +165,51 @@ jobs: - name: NAP modules id: nap_modules run: | + [[ "${{ inputs.nap_modules }}" == "waf,dos" ]] && modules="waf-dos" || name="${{ inputs.nap_modules }}" [[ "${{ inputs.nap_modules }}" == "waf,dos" ]] && modules="both" || modules="${{ inputs.nap_modules }}" echo "modules=${modules}" >> $GITHUB_OUTPUT + echo "name=${name}" >> $GITHUB_OUTPUT if: ${{ inputs.nap_modules != '' }} + - name: Check if base images exist + id: base_exists + run: | + if docker manifest inspect gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-base/plus:${{ inputs.base-image-md5 }}-${{ inputs.image }}${{ steps.nap_modules.outputs.name != '' && format('-{0}', steps.nap_modules.outputs.name) || '' }}; then + echo "exists=0" >> $GITHUB_OUTPUT + else + echo "exists=1" >> $GITHUB_OUTPUT + fi + if: ${{ ! inputs.forked-workflow }} + + - name: Build Base Container + uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0 + with: + file: build/Dockerfile + context: "." + cache-from: type=gha,scope=${{ inputs.image }}${{ steps.nap_modules.outputs.name != '' && format('-{0}', steps.nap_modules.outputs.name) || '' }} + cache-to: type=gha,scope=${{ inputs.image }}${{ steps.nap_modules.outputs.name != '' && format('-{0}', steps.nap_modules.outputs.name) || '' }},mode=max + target: common + tags: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-base/plus:${{ inputs.base-image-md5 }}-${{ inputs.image }}${{ steps.nap_modules.outputs.name != '' && format('-{0}', steps.nap_modules.outputs.name) || '' }} + platforms: ${{ inputs.platforms }} + pull: true + push: true + build-args: | + BUILD_OS=${{ inputs.image }} + IC_VERSION=${{ github.ref_type == 'tag' && steps.meta.outputs.version || 'CI' }} + ${{ steps.nap_modules.outputs.modules != '' && format('NAP_MODULES_AWS={0}', steps.nap_modules.outputs.modules) || '' }} + secrets: | + "nginx-repo.crt=${{ inputs.nap_modules != '' && secrets.NGINX_AP_CRT || secrets.NGINX_CRT }}" + "nginx-repo.key=${{ inputs.nap_modules != '' 
&& secrets.NGINX_AP_KEY || secrets.NGINX_KEY }}" + ${{ inputs.nap_modules != '' && contains(inputs.image, 'ubi') && format('"rhel_license={0}"', secrets.RHEL_LICENSE) || '' }} + if: ${{ ! inputs.forked-workflow && steps.base_exists.outputs.exists != 0 }} + - name: Build Plus Docker image uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0 with: file: build/Dockerfile context: "." - cache-from: type=gha,scope=${{ inputs.image }}${{ contains(inputs.nap_modules, 'dos') && '-dos' || '' }}${{ contains(inputs.nap_modules, 'waf') && '-nap' || '' }} - cache-to: type=gha,scope=${{ inputs.image }}${{ contains(inputs.nap_modules, 'dos') && '-dos' || '' }}${{ contains(inputs.nap_modules, 'waf') && '-nap' || '' }},mode=max + cache-from: type=gha,scope=${{ inputs.image }}${{ steps.nap_modules.outputs.name != '' && format('-{0}', steps.nap_modules.outputs.name) || '' }} + cache-to: type=gha,scope=${{ inputs.image }}${{ steps.nap_modules.outputs.name != '' && format('-{0}', steps.nap_modules.outputs.name) || '' }},mode=max target: ${{ inputs.target }}${{ ! inputs.forked-workflow && '-prebuilt' || '' }} tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} 
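Review bot: The added first line of the `NAP modules` step assigns `modules="waf-dos"` in its true branch where `name` is clearly meant, so for `waf,dos` the `name` output is empty. Every `steps.nap_modules.outputs.name` use then drops the suffix, which means the existence check, the base-image tag, the cache scope and `PREBUILT_BASE_IMG` all resolve to the plain `<md5>-<image>` tag instead of `-waf-dos`. The line should read `[[ "${{ inputs.nap_modules }}" == "waf,dos" ]] && name="waf-dos" || name="${{ inputs.nap_modules }}"`. Separately, this base build passes `NAP_MODULES_AWS` and a different `IC_VERSION` than the ci.yml base build that pushes to the same tag, so the tag's content may depend on which workflow built it first. Confirm whether the `common` stage reads those arguments.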
@@ -189,7 +223,7 @@ jobs: provenance: false build-args: | BUILD_OS=${{ inputs.image }} - PREBUILT_BASE_IMG=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-base/plus:${{ inputs.base-image-md5 }}-${{ inputs.image }}${{ contains(inputs.nap_modules, 'waf') && '-waf' || '' }}${{ contains(inputs.nap_modules, 'dos') && '-dos' || '' }} + PREBUILT_BASE_IMG=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-base/plus:${{ inputs.base-image-md5 }}-${{ inputs.image }}${{ steps.nap_modules.outputs.name != '' && format('-{0}', steps.nap_modules.outputs.name) || '' }} IC_VERSION=${{ github.ref_type == 'tag' && steps.meta.outputs.version || 'CI' }} ${{ inputs.nap_modules != '' && format('NAP_MODULES={0}', inputs.nap_modules) || '' }} ${{ steps.nap_modules.outputs.modules != '' && format('NAP_MODULES_AWS={0}', steps.nap_modules.outputs.modules) || '' }} diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c85754cc60..724c3e8aa1 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -94,7 +94,7 @@ jobs: publish=true fi echo "publish=$publish" >> $GITHUB_OUTPUT - docker_md5=$(find . -type f \( -name "build/Dockerfile" -o -name .github/data/version.txt \) -not -path "./docs*" -exec md5sum {} + | LC_ALL=C sort | md5sum | awk '{ print $1 }' ) + docker_md5=$(find . -type f \( -name "Dockerfile" -o -name version.txt \) -not -path "./tests*" -exec md5sum {} + | LC_ALL=C sort | md5sum | awk '{ print $1 }') echo "docker_md5=${docker_md5:0:8}" >> $GITHUB_OUTPUT cat $GITHUB_OUTPUT 
@@ -453,6 +453,13 @@ jobs: - name: Checkout Repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - name: NAP modules + id: nap_modules + run: | + [[ "${{ matrix.images.nap_modules }}" == "waf,dos" ]] && modules="waf-dos" || modules="${{ matrix.images.nap_modules }}" + echo "modules=${modules}" >> $GITHUB_OUTPUT + if: ${{ matrix.images.nap_modules }} + - name: Authenticate to Google Cloud id: auth uses: google-github-actions/auth@55bd3a7c6e2ae7cf1877fd1ccb9d54c0503c457c # v2.1.2 @@ -473,7 +480,7 @@ jobs: - name: Check if base images exist id: base_exists run: | - if docker manifest inspect gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-base/${{ matrix.images.type }}:${{ needs.checks.outputs.docker_md5 }}-${{ matrix.images.image }}; then + if docker manifest inspect gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-base/${{ matrix.images.type }}:${{ needs.checks.outputs.docker_md5 }}-${{ matrix.images.image }}${{ matrix.images.nap_modules && format('-{0}', steps.nap_modules.outputs.modules) || '' }}; then echo "exists=0" >> $GITHUB_OUTPUT else echo "exists=1" >> $GITHUB_OUTPUT 
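Review bot: The `NAP modules` step added to ci.yml reuses the step id `nap_modules` and the output name `modules` from build-plus.yml, but with a different meaning. Here `modules` holds the tag suffix (`waf-dos`), while in build-plus.yml `modules` holds `both` and the suffix is in `name`. Because both workflows must produce the same base-image tag, emit the suffix under the same output name in both, e.g. `echo "name=${name}" >> "$GITHUB_OUTPUT"`, and update the three `format('-{0}', …)` uses in this file. Add a comment above the step: `# Tag suffix for the base image; must match the suffix computed in build-plus.yml`.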
@@ -495,17 +502,17 @@ jobs: with: file: build/Dockerfile context: "." - cache-from: type=gha,scope=${{ matrix.images.image }} - cache-to: type=gha,scope=${{ matrix.images.image }},mode=max + cache-from: type=gha,scope=${{ matrix.images.image }}${{ matrix.images.nap_modules && format('-{0}', steps.nap_modules.outputs.modules) || '' }} + cache-to: type=gha,scope=${{ matrix.images.image }}${{ matrix.images.nap_modules && format('-{0}', steps.nap_modules.outputs.modules) || '' }},mode=max target: common - tags: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-base/${{ matrix.images.type }}:${{ needs.checks.outputs.docker_md5 }}-${{ matrix.images.image }} + tags: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-base/${{ matrix.images.type }}:${{ needs.checks.outputs.docker_md5 }}-${{ matrix.images.image }}${{ matrix.images.nap_modules && format('-{0}', steps.nap_modules.outputs.modules) || '' }} platforms: ${{ matrix.images.platforms }} pull: true push: true build-args: | BUILD_OS=${{ matrix.images.image }} IC_VERSION=${{ needs.checks.outputs.ic_version }} - NAP_MODULES=${{ matrix.images.nap_modules }} + ${{ contains(matrix.images.image, 'nap') && format('NAP_MODULES={0}', matrix.images.nap_modules) || '' }} secrets: | ${{ contains(matrix.images.image, 'nap') && format('"nginx-repo.crt={0}"', secrets.NGINX_AP_CRT) || format('"nginx-repo.crt={0}"', secrets.NGINX_CRT) }} ${{ contains(matrix.images.image, 'nap') && format('"nginx-repo.key={0}"', secrets.NGINX_AP_KEY) || format('"nginx-repo.key={0}"', secrets.NGINX_KEY) }}
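Review bot: The tag and cache-scope suffix in this hunk is gated on `matrix.images.nap_modules`, but the new `NAP_MODULES` build-arg, like the secret selection below it, is gated on `contains(matrix.images.image, 'nap')`. If a matrix entry ever has one without the other, the pushed tag advertises modules the image was not built with, or the reverse, and later builds reuse that tag without rebuilding. Gate the build-arg on the same value as the tag: `${{ matrix.images.nap_modules && format('NAP_MODULES={0}', matrix.images.nap_modules) || '' }}`. The matrix definition is outside this hunk, so the two conditions may coincide today. A comment stating that invariant would still help.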