Re-order docker builds #5812

Merged
merged 8 commits into from
Jun 21, 2024
51 changes: 23 additions & 28 deletions .github/workflows/build-oss.yml
@@ -56,15 +56,6 @@ jobs:
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
ref: ${{ inputs.branch }}
fetch-depth: 0

- name: Setup QEMU
uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
with:
platforms: arm,arm64,ppc64le,s390x

- name: Docker Buildx
uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0

- name: Authenticate to Google Cloud
id: auth
@@ -104,56 +95,60 @@ jobs:
env:
DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index

- name: Check if base images exist
id: base_exists
- name: Check if images exist
id: images_exist
run: |
base_image="gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-base/oss:${{ inputs.base-image-md5 }}-${{ inputs.image }}"
echo "image=${base_image}" >> $GITHUB_OUTPUT
if docker manifest inspect ${base_image}; then
echo "exists=true" >> $GITHUB_OUTPUT
echo "base_exists=true" >> $GITHUB_OUTPUT
fi
if docker manifest inspect ${{ steps.meta.outputs.tags }}; then
echo "target_exists=true" >> $GITHUB_OUTPUT
fi
if: ${{ inputs.authenticated && ! inputs.full-build }}

- name: Setup QEMU
uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
with:
platforms: arm,arm64,ppc64le,s390x
if: ${{ steps.images_exist.outputs.target_exists != 'true' }}

- name: Docker Buildx
uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
if: ${{ steps.images_exist.outputs.target_exists != 'true' }}

- name: Build Base Container
uses: docker/build-push-action@f6010ea70151369b06f0194be1051fbbdff851b2 # v6.0.2
with:
file: build/Dockerfile
context: "."
cache-to: type=gha,scope=${{ inputs.image }},mode=max
target: common
tags: ${{ steps.base_exists.outputs.image }}
tags: ${{ steps.images_exist.outputs.image }}
platforms: ${{ inputs.platforms }}
pull: true
push: true
no-cache: true
build-args: |
BUILD_OS=${{ inputs.image }}
IC_VERSION=${{ inputs.ic-version && inputs.ic-version || steps.meta.outputs.version }}
if: ${{ inputs.authenticated && steps.base_exists.outputs.exists != 'true' }}

- name: Check if target image exists
id: target_exists
run: |
if docker pull ${{ steps.meta.outputs.tags }}; then
echo "exists=true" >> $GITHUB_OUTPUT
fi
if: ${{ inputs.authenticated && ! inputs.full-build }}
if: ${{ inputs.authenticated && steps.images_exist.outputs.base_exists != 'true' }}

- name: Debug values
run: |
echo "authenticated: ${{ inputs.authenticated }}"
echo "base_exists: ${{ steps.base_exists.outputs.exists }}"
echo "target_exists: ${{ steps.target_exists.outputs.exists }}"
echo "images_exist: ${{ steps.images_exist.outputs.base_exists }}"
echo "target_exists: ${{ steps.images_exist.outputs.target_exists }}"
echo "full-build: ${{ inputs.full-build }}"
echo "all: ${{ inputs.authenticated || steps.base_exists.outputs.exists != 'true' || steps.target_exists.outputs.exists != 'true' }}"

- name: Fetch Cached Artifacts
uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
with:
path: ${{ github.workspace }}/dist
key: nginx-ingress-${{ inputs.go-md5 }}
fail-on-cache-miss: true
if: ${{ inputs.authenticated || steps.base_exists.outputs.exists != 'true' || steps.target_exists.outputs.exists != 'true' }}
if: ${{ steps.images_exist.outputs.base_exists != 'true' || steps.images_exist.outputs.target_exists != 'true' }}

- name: Build Docker image
uses: docker/build-push-action@f6010ea70151369b06f0194be1051fbbdff851b2 # v6.0.2
@@ -175,9 +170,9 @@ jobs:
provenance: false
build-args: |
BUILD_OS=${{ inputs.image }}
${{ inputs.authenticated && format('PREBUILT_BASE_IMG={0}', steps.base_exists.outputs.image) }}
${{ inputs.authenticated && format('PREBUILT_BASE_IMG={0}', steps.images_exist.outputs.image) }}
IC_VERSION=${{ inputs.ic-version && inputs.ic-version || steps.meta.outputs.version }}
if: ${{ steps.base_exists.outputs.exists != 'true' || steps.target_exists.outputs.exists != 'true' }}
if: ${{ steps.images_exist.outputs.base_exists != 'true' || steps.images_exist.outputs.target_exists != 'true' }}

- name: Make directory for security scan results
run: |
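Review bot: The `Check if images exist` step expands `${{ inputs.base-image-md5 }}`, `${{ inputs.image }}` and `${{ steps.meta.outputs.tags }}` directly into the script text and then uses the results unquoted (`docker manifest inspect ${base_image}`, `>> $GITHUB_OUTPUT`), so whitespace, a newline or a shell metacharacter in any of them is parsed as script rather than data, on a job that appears to hold registry credentials from the earlier Google Cloud auth step. Passing the values in through `env:` and quoting every use keeps them as data, as sketched below. If the metadata step ever emits more than one tag, `tags` is newline-separated and the target check would need to pick one tag explicitly rather than inspect the whole value. The equivalent step in build-plus.yml has the same pattern, and there the base image name also embeds `steps.nap_modules.outputs.name`.

```yaml
- name: Check if images exist
  id: images_exist
  env:
    BASE_IMAGE: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-base/oss:${{ inputs.base-image-md5 }}-${{ inputs.image }}
    TARGET_TAGS: ${{ steps.meta.outputs.tags }}
  run: |
    echo "image=${BASE_IMAGE}" >> "$GITHUB_OUTPUT"
    if docker manifest inspect "${BASE_IMAGE}"; then
      echo "base_exists=true" >> "$GITHUB_OUTPUT"
    fi
    if docker manifest inspect "${TARGET_TAGS}"; then
      echo "target_exists=true" >> "$GITHUB_OUTPUT"
    fi
  # … unchanged: if: condition on inputs.authenticated / inputs.full-build …
```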
53 changes: 24 additions & 29 deletions .github/workflows/build-plus.yml
@@ -58,15 +58,6 @@ jobs:
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
ref: ${{ inputs.branch }}
fetch-depth: 0

- name: Setup QEMU
uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
with:
platforms: arm64,s390x

- name: Docker Buildx
uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0

- name: Authenticate to Google Cloud
id: auth
@@ -109,24 +100,37 @@ jobs:
env:
DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index

- name: Check if base images exist
id: base_exists
- name: Check if images exist
id: images_exist
run: |
base_image="gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-base/plus:${{ inputs.base-image-md5 }}-${{ inputs.image }}${{ steps.nap_modules.outputs.name != '' && format('-{0}', steps.nap_modules.outputs.name) || '' }}${{ contains(inputs.image, 'v5') && '-v5' || '' }}"
echo "image=${base_image}" >> $GITHUB_OUTPUT
if docker pull ${base_image}; then
echo "exists=true" >> $GITHUB_OUTPUT
if docker manifest inspect ${base_image}; then
echo "base_exists=true" >> $GITHUB_OUTPUT
fi
if docker manifest inspect ${{ steps.meta.outputs.tags }}; then
echo "target_exists=true" >> $GITHUB_OUTPUT
fi
if: ${{ inputs.authenticated && ! inputs.full-build }}

- name: Setup QEMU
uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
with:
platforms: arm,arm64,ppc64le,s390x
if: ${{ steps.images_exist.outputs.target_exists != 'true' }}

- name: Docker Buildx
uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
if: ${{ steps.images_exist.outputs.target_exists != 'true' }}

- name: Build Base Container
uses: docker/build-push-action@f6010ea70151369b06f0194be1051fbbdff851b2 # v6.0.2
with:
file: build/Dockerfile
context: "."
cache-to: type=gha,scope=${{ inputs.image }}${{ steps.nap_modules.outputs.name != '' && format('-{0}', steps.nap_modules.outputs.name) || '' }},mode=max
target: common
tags: ${{ steps.base_exists.outputs.image }}
tags: ${{ steps.images_exist.outputs.image }}
platforms: ${{ inputs.platforms }}
pull: true
push: true
@@ -139,31 +143,22 @@ jobs:
"nginx-repo.crt=${{ inputs.nap-modules != '' && secrets.NGINX_AP_CRT || secrets.NGINX_CRT }}"
"nginx-repo.key=${{ inputs.nap-modules != '' && secrets.NGINX_AP_KEY || secrets.NGINX_KEY }}"
${{ inputs.nap-modules != '' && contains(inputs.image, 'ubi') && format('"rhel_license={0}"', secrets.RHEL_LICENSE) || '' }}
if: ${{ inputs.authenticated && steps.base_exists.outputs.exists != 'true' }}

- name: Check if target image exists
id: target_exists
run: |
if docker pull ${{ steps.meta.outputs.tags }}; then
echo "exists=true" >> $GITHUB_OUTPUT
fi
if: ${{ inputs.authenticated && ! inputs.full-build }}
if: ${{ inputs.authenticated && steps.images_exist.outputs.base_exists != 'true' }}

- name: Debug values
run: |
echo "authenticated: ${{ inputs.authenticated }}"
echo "base_exists: ${{ steps.base_exists.outputs.exists }}"
echo "target_exists: ${{ steps.target_exists.outputs.exists }}"
echo "images_exist: ${{ steps.images_exist.outputs.base_exists }}"
echo "target_exists: ${{ steps.images_exist.outputs.target_exists }}"
echo "full-build: ${{ inputs.full-build }}"
echo "all: ${{ inputs.authenticated || steps.base_exists.outputs.exists != 'true' || steps.target_exists.outputs.exists != 'true' }}"

- name: Fetch Cached Artifacts
uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
with:
path: ${{ github.workspace }}/dist
key: nginx-ingress-${{ inputs.go-md5 }}
fail-on-cache-miss: true
if: ${{ inputs.authenticated || steps.base_exists.outputs.exists != 'true' || steps.target_exists.outputs.exists != 'true' }}
if: ${{ steps.images_exist.outputs.base_exists != 'true' || steps.images_exist.outputs.target_exists != 'true' }}

- name: Build Docker image
uses: docker/build-push-action@f6010ea70151369b06f0194be1051fbbdff851b2 # v6.0.2
@@ -185,7 +180,7 @@ jobs:
provenance: false
build-args: |
BUILD_OS=${{ inputs.image }}
${{ inputs.authenticated && format('PREBUILT_BASE_IMG={0}', steps.base_exists.outputs.image ) }}
${{ inputs.authenticated && format('PREBUILT_BASE_IMG={0}', steps.images_exist.outputs.image ) }}
IC_VERSION=${{ inputs.ic-version && inputs.ic-version || steps.meta.outputs.version }}
${{ inputs.nap-modules != '' && format('NAP_MODULES={0}', steps.nap_modules.outputs.name) || '' }}
${{ (contains(inputs.target, 'aws') && inputs.nap-modules != '') && format('NAP_MODULES_AWS={0}', steps.nap_modules.outputs.modules) || '' }}
@@ -194,7 +189,7 @@ jobs:
"nginx-repo.crt=${{ inputs.nap-modules != '' && secrets.NGINX_AP_CRT || secrets.NGINX_CRT }}"
"nginx-repo.key=${{ inputs.nap-modules != '' && secrets.NGINX_AP_KEY || secrets.NGINX_KEY }}"
${{ contains(inputs.image, 'ubi') && format('"rhel_license={0}"', secrets.RHEL_LICENSE) || '' }}
if: ${{ steps.base_exists.outputs.exists != 'true' || steps.target_exists.outputs.exists != 'true' }}
if: ${{ steps.images_exist.outputs.base_exists != 'true' || steps.images_exist.outputs.target_exists != 'true' }}

- name: Make directory for security scan results
run: |
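Review bot: `Setup QEMU` and `Docker Buildx` are now skipped whenever `target_exists` is `'true'`, but `Build Base Container` still runs when `base_exists != 'true'` and `Build Docker image` runs when either output is not `'true'`, so a run where the target tag is present and the base tag is missing reaches a build that sets `platforms: ${{ inputs.platforms }}` and a `type=gha` cache without the builder or emulators having been set up. Gating both setup steps on the same expression as the final build, `if: ${{ steps.images_exist.outputs.base_exists != 'true' || steps.images_exist.outputs.target_exists != 'true' }}`, would close that gap; build-oss.yml carries the same conditions. The relocated QEMU step here also lists `arm,arm64,ppc64le,s390x`, while the step shown near the top of this file lists `arm64,s390x`, which looks like it was copied from the OSS workflow, so it is worth confirming the wider emulator set is intended. In `Debug values`, the line labelled `images_exist:` prints `base_exists`; `echo "base_exists: …"` would read correctly in logs.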
40 changes: 20 additions & 20 deletions build/Dockerfile
@@ -10,12 +10,12 @@ ARG WAF_VERSION=v4


############################################# Base images containing libs for Opentracing and FIPS #############################################
FROM ghcr.io/nginxinc/k8s-common:nginx-opentracing-1.27.0@sha256:d9f6f930b7bfcc026785aca49fdb96fbecdc517ebbdb893f6393ac78b247c8fb as opentracing-lib
FROM ghcr.io/nginxinc/k8s-common:nginx-opentracing-1.27.0-alpine@sha256:5dc5c76384a775316c541995b145d4cef86d529934951319fd127f4d4fdb9ef7 as alpine-opentracing-lib
FROM ghcr.io/nginxinc/alpine-fips:0.1.0-alpine3.17@sha256:f00b3f266422feaaac7b733b46903bd19eb1cd1caa6991131576f5f767db76f8 as alpine-fips-3.17
FROM ghcr.io/nginxinc/alpine-fips:0.2.0-alpine3.19@sha256:1744ae3a8e795daf771f3f7df33b83160981545abb1f1597338e2769d06aa1cc as alpine-fips-3.19
FROM ghcr.io/nginxinc/k8s-common:nginx-opentracing-1.27.0@sha256:d9f6f930b7bfcc026785aca49fdb96fbecdc517ebbdb893f6393ac78b247c8fb AS opentracing-lib
FROM ghcr.io/nginxinc/k8s-common:nginx-opentracing-1.27.0-alpine@sha256:5dc5c76384a775316c541995b145d4cef86d529934951319fd127f4d4fdb9ef7 AS alpine-opentracing-lib
FROM ghcr.io/nginxinc/alpine-fips:0.1.0-alpine3.17@sha256:f00b3f266422feaaac7b733b46903bd19eb1cd1caa6991131576f5f767db76f8 AS alpine-fips-3.17
FROM ghcr.io/nginxinc/alpine-fips:0.2.0-alpine3.19@sha256:1744ae3a8e795daf771f3f7df33b83160981545abb1f1597338e2769d06aa1cc AS alpine-fips-3.19
FROM redhat/ubi9-minimal@sha256:a7d837b00520a32502ada85ae339e33510cdfdbc8d2ddf460cc838e12ec5fa5a AS ubi-minimal
FROM golang:1.22-alpine@sha256:32c85006b1edf29c097514e0c81a33334aa1450685a885c10657ec756dbb7703 as golang-builder
FROM golang:1.22-alpine@sha256:32c85006b1edf29c097514e0c81a33334aa1450685a885c10657ec756dbb7703 AS golang-builder


############################################# Base image for Alpine #############################################
@@ -57,7 +57,7 @@ COPY --link --chown=101:0 LICENSE /licenses/


############################################# NGINX files for NGINX Plus #############################################
FROM scratch as nginx-files
FROM scratch AS nginx-files
ARG IC_VERSION
ARG BUILD_OS
ARG NGINX_PLUS_VERSION
@@ -97,7 +97,7 @@ ADD --link --chown=101:0 --chmod=0755 build/scripts/agent.sh agent.sh


############################################# Patch Image #############################################
FROM ${IMAGE_NAME} as patched
FROM ${IMAGE_NAME} AS patched
ARG IMAGE_NAME
ARG IC_VERSION

@@ -112,7 +112,7 @@ USER 101


############################################# Base image for Alpine with NGINX Plus #############################################
FROM alpine:3.19@sha256:af4785ccdbcd5cde71bfd5b93eabd34250b98651f19fe218c91de6c8d10e21c5 as alpine-plus
FROM alpine:3.19@sha256:af4785ccdbcd5cde71bfd5b93eabd34250b98651f19fe218c91de6c8d10e21c5 AS alpine-plus
ARG NGINX_PLUS_VERSION

ENV NGINX_VERSION=${NGINX_PLUS_VERSION}
@@ -131,7 +131,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/apk/cert.pem,mode=0644 \


############################################# Base image for Alpine with NGINX Plus and FIPS #############################################
FROM alpine-plus as alpine-plus-fips
FROM alpine-plus AS alpine-plus-fips
ARG NGINX_PLUS_VERSION

ENV NGINX_VERSION=${NGINX_PLUS_VERSION}
@@ -144,7 +144,7 @@ RUN --mount=type=bind,from=alpine-fips-3.19,target=/tmp/fips/ \


############################################# Base image for Alpine with NGINX Plus, App Protect WAF and FIPS #############################################
FROM alpine:3.17@sha256:a6063e988bcd597b4f1f7cfd4ec38402b02edd0c79250f00c9e14dc1e94bebbc as alpine-plus-nap-fips
FROM alpine:3.17@sha256:a6063e988bcd597b4f1f7cfd4ec38402b02edd0c79250f00c9e14dc1e94bebbc AS alpine-plus-nap-fips
ARG NGINX_PLUS_VERSION
ARG NGINX_AGENT
ARG NGINX_PLUS_VERSION
@@ -180,7 +180,7 @@ RUN --mount=type=bind,from=alpine-fips-3.17,target=/tmp/fips/ \


############################################# Base image for Alpine with NGINX Plus, App Protect WAFv5 and FIPS #############################################
FROM alpine:3.17@sha256:a6063e988bcd597b4f1f7cfd4ec38402b02edd0c79250f00c9e14dc1e94bebbc as alpine-plus-nap-v5-fips
FROM alpine:3.17@sha256:a6063e988bcd597b4f1f7cfd4ec38402b02edd0c79250f00c9e14dc1e94bebbc AS alpine-plus-nap-v5-fips
ARG NGINX_PLUS_VERSION
ARG NGINX_AGENT
ARG NGINX_PLUS_VERSION
@@ -242,7 +242,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode


############################################# Base image for Debian with NGINX Plus and App Protect WAF/DoS #############################################
FROM debian-plus as debian-plus-nap
FROM debian-plus AS debian-plus-nap
ARG NAP_MODULES
ARG NGINX_AGENT
ARG NGINX_PLUS_VERSION
@@ -286,7 +286,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode
&& if [ -z "${NAP_MODULES##*dos*}" ]; then nap-dos.sh; fi

############################################# Base image for Debian with NGINX Plus and App Protect WAFv5/DoS #############################################
FROM debian-plus as debian-plus-nap-v5
FROM debian-plus AS debian-plus-nap-v5
ARG NAP_MODULES
ARG NGINX_AGENT
ARG NGINX_PLUS_VERSION
@@ -338,7 +338,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode


############################################# Base image for UBI with NGINX Plus and App Protect WAF #############################################
FROM ubi-minimal as ubi-9-plus-nap
FROM ubi-minimal AS ubi-9-plus-nap
ARG NAP_MODULES
ARG NGINX_AGENT
ARG NGINX_PLUS_VERSION
@@ -382,7 +382,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode


############################################# Base image for UBI with NGINX Plus and App Protect WAFv5 #############################################
FROM ubi-minimal as ubi-9-plus-nap-v5
FROM ubi-minimal AS ubi-9-plus-nap-v5
ARG NAP_MODULES
ARG NGINX_AGENT
ARG NGINX_PLUS_VERSION
@@ -427,7 +427,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode


############################################# Base image for UBI with NGINX Plus and App Protect WAF & DoS #############################################
FROM redhat/ubi8@sha256:143123d85045df426c5bbafc6863659880ebe276eb02c77ee868b88d08dbd05d as ubi-8-plus-nap
FROM redhat/ubi8@sha256:143123d85045df426c5bbafc6863659880ebe276eb02c77ee868b88d08dbd05d AS ubi-8-plus-nap
ARG NAP_MODULES
ARG NGINX_AGENT
ARG NGINX_PLUS_VERSION
@@ -491,7 +491,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode


############################################# Base image for UBI with NGINX Plus and App Protect WAFv5 #############################################
FROM redhat/ubi8@sha256:143123d85045df426c5bbafc6863659880ebe276eb02c77ee868b88d08dbd05d as ubi-8-plus-nap-v5
FROM redhat/ubi8@sha256:143123d85045df426c5bbafc6863659880ebe276eb02c77ee868b88d08dbd05d AS ubi-8-plus-nap-v5
ARG NAP_MODULES
ARG NGINX_AGENT
ARG NGINX_PLUS_VERSION
@@ -539,7 +539,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode


############################################# Create common files, permissions and setcap #############################################
FROM ${BUILD_OS} as common
FROM ${BUILD_OS} AS common

ARG BUILD_OS
ARG IC_VERSION
@@ -773,9 +773,9 @@ USER 101


############################################# Create image with nginx-ingress extracted from image on Docker Hub #############################################
FROM nginx/nginx-ingress:${DOWNLOAD_TAG} as kic
FROM nginx/nginx-ingress:${DOWNLOAD_TAG} AS kic

FROM common as download
FROM common AS download

LABEL org.nginx.kic.image.build.version="binaries"
