Skip to content

Commit

Permalink
envoy: Cut the stable branch for 1.30
Browse files Browse the repository at this point in the history 
Signed-off-by: Tam Mach <tam.mach@cilium.io>
  • Loading branch information
@sayboras
sayboras committed Nov 15, 2024
1 parent 97edc28 commit 3b4864f
Show file tree
Hide file tree
Showing 6 changed files with 593 additions and 616 deletions.
248 changes: 124 additions & 124 deletions .github/workflows/build-envoy-image-ci.yaml
View file
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
name: CI Build & Push
on:
pull_request_target:
types: [opened, synchronize, reopened]
types: [ opened, synchronize, reopened ]

permissions:
# To be able to access the repository with `actions/checkout`
Expand All @@ -15,126 +15,126 @@ jobs:
name: Build and push multi-arch images
runs-on: ubuntu-latest-64-cores-256gb
steps:
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1

- name: Cache Docker layers
uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
with:
path: /tmp/buildx-cache
key: docker-cache-${{ github.head_ref }}
restore-keys: docker-cache-main

- name: Login to quay.io
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: quay.io
username: ${{ secrets.QUAY_ENVOY_USERNAME_DEV }}
password: ${{ secrets.QUAY_ENVOY_PASSWORD_DEV }}

- name: Checkout PR
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ github.event.pull_request.head.sha }}
persist-credentials: false

- name: Prep for build
run: |
echo "${{ github.event.pull_request.head.sha }}" >SOURCE_VERSION
echo "ENVOY_MINOR_RELEASE=$(cat ENVOY_VERSION | sed 's/envoy-\([0-9]\+\.[0-9]\+\)\..*/v\1/')" >> $GITHUB_ENV
echo "ENVOY_PATCH_RELEASE=$(cat ENVOY_VERSION | sed 's/^envoy-\([0-9]\+\.[0-9]\+\.[0-9]\+$\)/v\1/')" >> $GITHUB_ENV
echo "BUILDER_DOCKER_HASH=$(git ls-tree --full-tree HEAD -- ./Dockerfile.builder | awk '{ print $3 }')" >> $GITHUB_ENV
- name: Checking if cilium-envoy-builder image exists
id: cilium-builder-tag-in-repositories
shell: bash
run: |
if docker buildx imagetools inspect quay.io/${{ github.repository_owner }}/cilium-envoy-builder-dev:${{ env.BUILDER_DOCKER_HASH }} &>/dev/null; then
echo exists="true" >> $GITHUB_OUTPUT
else
echo exists="false" >> $GITHUB_OUTPUT
fi
- name: PR Multi-arch build & push of Builder image (dev)
uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
if: steps.cilium-builder-tag-in-repositories.outputs.exists == 'false'
id: docker_build_builder_ci
with:
provenance: false
context: .
file: ./Dockerfile.builder
platforms: linux/amd64,linux/arm64
push: true
tags: quay.io/${{ github.repository_owner }}/cilium-envoy-builder-dev:${{ env.BUILDER_DOCKER_HASH }}

- name: CI Builder Image Digest
if: steps.cilium-builder-tag-in-repositories.outputs.exists == 'false'
shell: bash
run: |
echo "Digests:"
echo "quay.io/${{ github.repository_owner }}/cilium-envoy-builder-dev:${{ env.BUILDER_DOCKER_HASH }}@${{ steps.docker_build_builder_ci.outputs.digest }}"
- name: PR Multi-arch build & push of cilium-envoy
uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
id: docker_build_ci
with:
provenance: false
context: .
file: ./Dockerfile
platforms: linux/amd64,linux/arm64
build-args: |
BUILDER_BASE=quay.io/cilium/cilium-envoy-builder-dev:${{ env.BUILDER_DOCKER_HASH }}
ARCHIVE_IMAGE=quay.io/${{ github.repository_owner }}/cilium-envoy-builder:main-archive-latest
BAZEL_BUILD_OPTS=--remote_upload_local_results=false
cache-from: type=local,src=/tmp/buildx-cache
cache-to: type=local,dest=/tmp/buildx-cache,mode=max
push: true
tags: quay.io/${{ github.repository_owner }}/cilium-envoy-dev:${{ github.event.pull_request.head.sha }}

- name: Install Cosign
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0

- name: Sign Container Image
run: |
cosign sign -y quay.io/${{ github.repository_owner }}/cilium-envoy-dev@${{ steps.docker_build_ci.outputs.digest }}
- name: Install Bom
shell: bash
env:
# renovate: datasource=github-releases depName=kubernetes-sigs/bom
BOM_VERSION: v0.6.0
run: |
curl -L https://github.com/kubernetes-sigs/bom/releases/download/${{ env.BOM_VERSION }}/bom-amd64-linux -o bom
sudo mv ./bom /usr/local/bin/bom
sudo chmod +x /usr/local/bin/bom
- name: Generate SBOM
shell: bash
# To-Do: generate SBOM from source after https://github.com/kubernetes-sigs/bom/issues/202 is fixed
run: |
bom generate -o sbom_cilium-envoy_${{ github.event.pull_request.head.sha }}.spdx --format=json --image=quay.io/${{ github.repository_owner }}/cilium-envoy-dev:${{ github.event.pull_request.head.sha }}
- name: Attach SBOM to container images
run: |
cosign attach sbom --sbom sbom_cilium-envoy_${{ github.event.pull_request.head.sha }}.spdx quay.io/${{ github.repository_owner }}/cilium-envoy-dev@${{ steps.docker_build_ci.outputs.digest }}
- name: Sign SBOM Image
run: |
docker_build_ci_digest="${{ steps.docker_build_ci.outputs.digest }}"
image_name="quay.io/${{ github.repository_owner }}/cilium-envoy-dev:${docker_build_ci_digest/:/-}.sbom"
docker_build_ci_sbom_digest="sha256:$(docker buildx imagetools inspect --raw ${image_name} | sha256sum | head -c 64)"
cosign sign -y "quay.io/${{ github.repository_owner }}/cilium-envoy-dev@${docker_build_ci_sbom_digest}"
- name: Envoy binary version check
shell: bash
run: |
envoy_version=$(docker run --rm quay.io/${{ github.repository_owner }}/cilium-envoy-dev:${{ github.event.pull_request.head.sha }} cilium-envoy --version)
expected_version=$(echo ${{ env.ENVOY_PATCH_RELEASE }} | sed 's/^v//')
echo ${envoy_version}
[[ "${envoy_version}" == *"${{ github.event.pull_request.head.sha }}/$expected_version"* ]]
- name: CI Image Digest
shell: bash
run: |
echo "Digests:"
echo "quay.io/${{ github.repository_owner }}/cilium-envoy-dev:${{ github.event.pull_request.head.sha }}@${{ steps.docker_build_ci.outputs.digest }}"
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1

- name: Cache Docker layers
uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
with:
path: /tmp/buildx-cache
key: docker-cache-${{ github.head_ref }}
restore-keys: docker-cache-main

- name: Login to quay.io
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: quay.io
username: ${{ secrets.QUAY_ENVOY_USERNAME_DEV }}
password: ${{ secrets.QUAY_ENVOY_PASSWORD_DEV }}

- name: Checkout PR
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ github.event.pull_request.head.sha }}
persist-credentials: false

- name: Prep for build
run: |
echo "${{ github.event.pull_request.head.sha }}" >SOURCE_VERSION
echo "ENVOY_MINOR_RELEASE=$(cat ENVOY_VERSION | sed 's/envoy-\([0-9]\+\.[0-9]\+\)\..*/v\1/')" >> $GITHUB_ENV
echo "ENVOY_PATCH_RELEASE=$(cat ENVOY_VERSION | sed 's/^envoy-\([0-9]\+\.[0-9]\+\.[0-9]\+$\)/v\1/')" >> $GITHUB_ENV
echo "BUILDER_DOCKER_HASH=$(git ls-tree --full-tree HEAD -- ./Dockerfile.builder | awk '{ print $3 }')" >> $GITHUB_ENV
- name: Checking if cilium-envoy-builder image exists
id: cilium-builder-tag-in-repositories
shell: bash
run: |
if docker buildx imagetools inspect quay.io/${{ github.repository_owner }}/cilium-envoy-builder-dev:${{ env.BUILDER_DOCKER_HASH }} &>/dev/null; then
echo exists="true" >> $GITHUB_OUTPUT
else
echo exists="false" >> $GITHUB_OUTPUT
fi
- name: PR Multi-arch build & push of Builder image (dev)
uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
if: steps.cilium-builder-tag-in-repositories.outputs.exists == 'false'
id: docker_build_builder_ci
with:
provenance: false
context: .
file: ./Dockerfile.builder
platforms: linux/amd64,linux/arm64
push: true
tags: quay.io/${{ github.repository_owner }}/cilium-envoy-builder-dev:${{ env.BUILDER_DOCKER_HASH }}

- name: CI Builder Image Digest
if: steps.cilium-builder-tag-in-repositories.outputs.exists == 'false'
shell: bash
run: |
echo "Digests:"
echo "quay.io/${{ github.repository_owner }}/cilium-envoy-builder-dev:${{ env.BUILDER_DOCKER_HASH }}@${{ steps.docker_build_builder_ci.outputs.digest }}"
- name: PR Multi-arch build & push of cilium-envoy
uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
id: docker_build_ci
with:
provenance: false
context: .
file: ./Dockerfile
platforms: linux/amd64,linux/arm64
build-args: |
BUILDER_BASE=quay.io/cilium/cilium-envoy-builder-dev:${{ env.BUILDER_DOCKER_HASH }}
ARCHIVE_IMAGE=quay.io/${{ github.repository_owner }}/cilium-envoy-builder:${{ github.base_ref }}-archive-latest
BAZEL_BUILD_OPTS=--remote_upload_local_results=false
cache-from: type=local,src=/tmp/buildx-cache
cache-to: type=local,dest=/tmp/buildx-cache,mode=max
push: true
tags: quay.io/${{ github.repository_owner }}/cilium-envoy-dev:${{ github.event.pull_request.head.sha }}

- name: Install Cosign
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0

- name: Sign Container Image
run: |
cosign sign -y quay.io/${{ github.repository_owner }}/cilium-envoy-dev@${{ steps.docker_build_ci.outputs.digest }}
- name: Install Bom
shell: bash
env:
# renovate: datasource=github-releases depName=kubernetes-sigs/bom
BOM_VERSION: v0.6.0
run: |
curl -L https://github.com/kubernetes-sigs/bom/releases/download/${{ env.BOM_VERSION }}/bom-amd64-linux -o bom
sudo mv ./bom /usr/local/bin/bom
sudo chmod +x /usr/local/bin/bom
- name: Generate SBOM
shell: bash
# To-Do: generate SBOM from source after https://github.com/kubernetes-sigs/bom/issues/202 is fixed
run: |
bom generate -o sbom_cilium-envoy_${{ github.event.pull_request.head.sha }}.spdx --format=json --image=quay.io/${{ github.repository_owner }}/cilium-envoy-dev:${{ github.event.pull_request.head.sha }}
- name: Attach SBOM to container images
run: |
cosign attach sbom --sbom sbom_cilium-envoy_${{ github.event.pull_request.head.sha }}.spdx quay.io/${{ github.repository_owner }}/cilium-envoy-dev@${{ steps.docker_build_ci.outputs.digest }}
- name: Sign SBOM Image
run: |
docker_build_ci_digest="${{ steps.docker_build_ci.outputs.digest }}"
image_name="quay.io/${{ github.repository_owner }}/cilium-envoy-dev:${docker_build_ci_digest/:/-}.sbom"
docker_build_ci_sbom_digest="sha256:$(docker buildx imagetools inspect --raw ${image_name} | sha256sum | head -c 64)"
cosign sign -y "quay.io/${{ github.repository_owner }}/cilium-envoy-dev@${docker_build_ci_sbom_digest}"
- name: Envoy binary version check
shell: bash
run: |
envoy_version=$(docker run --rm quay.io/${{ github.repository_owner }}/cilium-envoy-dev:${{ github.event.pull_request.head.sha }} cilium-envoy --version)
expected_version=$(echo ${{ env.ENVOY_PATCH_RELEASE }} | sed 's/^v//')
echo ${envoy_version}
[[ "${envoy_version}" == *"${{ github.event.pull_request.head.sha }}/$expected_version"* ]]
- name: CI Image Digest
shell: bash
run: |
echo "Digests:"
echo "quay.io/${{ github.repository_owner }}/cilium-envoy-dev:${{ github.event.pull_request.head.sha }}@${{ steps.docker_build_ci.outputs.digest }}"
Loading

0 comments on commit 3b4864f

Please sign in to comment.