mirror of
https://github.com/hashicorp/vault.git
synced 2025-12-25 11:21:11 +01:00
c8e6169d5d
* VAULT-31402: Add verification for all container images Add verification for all container images that are generated as part of the build. Before this change we only ever tested a limited subset of "default" containers based on Alpine Linux that we publish via the Docker hub and AWS ECR. Now we support testing all Alpine and UBI based container images. We also verify the repository and tag information embedded in each by deploying them and verifying the repo and tag metadata match our expectations. This does change the k8s scenario interface quite a bit. We now take in an archive image and set image/repo/tag information based on the scenario variants. To enable this I also needed to add `tar` to the UBI base image. It was already available in the Alpine image and is used to copy utilities to the image when deploying and configuring the cluster via Enos. Since some images contain multiple tags we also add samples for each image and randomly select which variant to test on a given PR. Signed-off-by: Ryan Cragun <me@ryan.ec>
124 lines
6.5 KiB
YAML
124 lines
6.5 KiB
YAML
# Copyright (c) HashiCorp, Inc.
|
|
# SPDX-License-Identifier: BUSL-1.1
|
|
|
|
---
|
|
name: Containerize Binary
|
|
description: |
|
|
Containerize vault binaries and annotate them with the correct registry tags. Artifacts will be
|
|
uploaded to the Github artifact store. This action is used for both CE and Ent and thus needs to
|
|
stay compatible for both repository contexts.
|
|
|
|
inputs:
|
|
docker:
|
|
description: |
|
|
Package the binary into a Docker container suitable for the Docker and AWS registries. We'll
|
|
automatically determine the correct tags and target depending on the vault edition.
|
|
default: 'true'
|
|
goarch:
|
|
description: The Go GOARCH value environment variable to set during the build.
|
|
goos:
|
|
description: The Go GOOS value environment variable to set during the build.
|
|
redhat:
|
|
description: Package the binary into a UBI container suitable for the Redhat Quay registry.
|
|
default: 'false'
|
|
vault-binary-path:
|
|
description: The path to the vault binary.
|
|
default: dist/vault
|
|
vault-edition:
|
|
description: The edition of vault to build.
|
|
default: ce
|
|
vault-version:
|
|
description: The vault version.
|
|
|
|
outputs:
|
|
vault-binary-path:
|
|
description: The location of the binary after containerization
|
|
value: ${{ inputs.vault-binary-path }}
|
|
|
|
runs:
|
|
using: composite
|
|
steps:
|
|
- id: vars
|
|
shell: bash
|
|
run: |
|
|
case '${{ inputs.vault-edition }}' in
|
|
"ce")
|
|
container_version='${{ inputs.vault-version }}'
|
|
docker_container_tags='docker.io/hashicorp/vault:${{ inputs.vault-version }} public.ecr.aws/hashicorp/vault:${{ inputs.vault-version }}'
|
|
docker_container_target='default'
|
|
redhat_container_tags='quay.io/redhat-isv-containers/5f89bb5e0b94cf64cfeb500a:${{ inputs.vault-version }}-ubi'
|
|
redhat_container_target='ubi'
|
|
;;
|
|
"ent")
|
|
container_version='${{ inputs.vault-version }}+${{ inputs.vault-edition }}'
|
|
docker_container_tags='docker.io/hashicorp/vault-enterprise:${{ inputs.vault-version }}-${{ inputs.vault-edition}} public.ecr.aws/hashicorp/vault-enterprise:${{ inputs.vault-version }}-${{ inputs.vault-edition }}'
|
|
docker_container_target='default'
|
|
redhat_container_tags='quay.io/redhat-isv-containers/5f89bb9242e382c85087dce2:${{ inputs.vault-version }}-${{ inputs.vault-edition }}-ubi'
|
|
redhat_container_target='ubi'
|
|
;;
|
|
"ent.hsm")
|
|
container_version='${{ inputs.vault-version }}+${{ inputs.vault-edition }}'
|
|
docker_container_tags='docker.io/hashicorp/vault-enterprise:${{ inputs.vault-version }}-${{ inputs.vault-edition}} public.ecr.aws/hashicorp/vault-enterprise:${{ inputs.vault-version }}-${{ inputs.vault-edition }}'
|
|
docker_container_target='ubi-hsm'
|
|
redhat_container_tags='quay.io/redhat-isv-containers/5f89bb9242e382c85087dce2:${{ inputs.vault-version }}-${{ inputs.vault-edition }}-ubi'
|
|
redhat_container_target='ubi-hsm'
|
|
;;
|
|
"ent.hsm.fips1402")
|
|
container_version='${{ inputs.vault-version }}+${{ inputs.vault-edition }}'
|
|
docker_container_tags='docker.io/hashicorp/vault-enterprise:${{ inputs.vault-version }}-${{ inputs.vault-edition}} public.ecr.aws/hashicorp/vault-enterprise:${{ inputs.vault-version }}-${{ inputs.vault-edition }}'
|
|
docker_container_target='ubi-hsm-fips'
|
|
redhat_container_tags='quay.io/redhat-isv-containers/5f89bb9242e382c85087dce2:${{ inputs.vault-version }}-${{ inputs.vault-edition }}-ubi'
|
|
redhat_container_target='ubi-hsm-fips'
|
|
;;
|
|
"ent.fips1402")
|
|
# NOTE: For compatibility we still publish the ent.fips1402 containers to different
|
|
# namespaces. All ent, ent.hsm, and ent.hsm.fips1402 containers are released in the
|
|
# enterprise namespaces. After we've updated the upstream docker action to support
|
|
# multiple tags we can start to tag images with both namespaces, publish to both, and
|
|
# eventually sunset the fips1402 specific namespaces.
|
|
container_version='${{ inputs.vault-version }}+${{ inputs.vault-edition }}'
|
|
docker_container_tags='docker.io/hashicorp/vault-enterprise-fips:${{ inputs.vault-version }}-${{ inputs.vault-edition }} public.ecr.aws/hashicorp/vault-enterprise-fips:${{ inputs.vault-version }}-${{ inputs.vault-edition }}'
|
|
docker_container_target='ubi-fips'
|
|
redhat_container_tags='quay.io/redhat-isv-containers/6283f645d02c6b16d9caeb8e:${{ inputs.vault-version }}-${{ inputs.vault-edition }}-ubi'
|
|
redhat_container_target='ubi-fips'
|
|
;;
|
|
*)
|
|
echo "Cannot generate container tags for unknown vault edition: ${{ inputs.vault-edition }}" 2>&1
|
|
exit 1
|
|
;;
|
|
esac
|
|
{
|
|
echo "container-version=${container_version}"
|
|
echo "docker-container-tags=${docker_container_tags}"
|
|
echo "docker-container-target=${docker_container_target}"
|
|
echo "redhat-container-tags=${redhat_container_tags}"
|
|
echo "redhat-container-target=${redhat_container_target}"
|
|
echo "revision=$(make ci-get-revision)"
|
|
} | tee -a "$GITHUB_OUTPUT"
|
|
- if: inputs.docker == 'true' || inputs.redhat == 'true'
|
|
id: copy-binary
|
|
shell: bash
|
|
run: |
|
|
dest_path='dist/${{ inputs.goos }}/${{ inputs.goarch }}/vault'
|
|
dest_dir=$(dirname "$dest_path")
|
|
[[ ! -d "$dest_dir" ]] && mkdir -p "$dest_dir"
|
|
[[ ! -f "$dest_path" ]] && cp ${{ inputs.vault-binary-path }} "${dest_path}"
|
|
- if: inputs.docker == 'true'
|
|
uses: hashicorp/actions-docker-build@f22d5ac7d36868afaa4be1cc1203ec1b5865cadd
|
|
with:
|
|
arch: ${{ inputs.goarch }}
|
|
do_zip_extract_step: 'false' # Don't download and extract an already present binary
|
|
target: ${{ steps.vars.outputs.docker-container-target }}
|
|
tags: ${{ steps.vars.outputs.docker-container-tags }}
|
|
revision: ${{ steps.vars.outputs.revision }}
|
|
version: ${{ steps.vars.outputs.container-version }}
|
|
- if: inputs.redhat == 'true'
|
|
uses: hashicorp/actions-docker-build@f22d5ac7d36868afaa4be1cc1203ec1b5865cadd
|
|
with:
|
|
arch: ${{ inputs.goarch }}
|
|
do_zip_extract_step: 'false' # Don't download and extract an already present binary
|
|
redhat_tag: ${{ steps.vars.outputs.redhat-container-tags }}
|
|
target: ${{ steps.vars.outputs.redhat-container-target }}
|
|
revision: ${{ steps.vars.outputs.revision }}
|
|
version: ${{ steps.vars.outputs.container-version }}
|