diff --git a/.github/workflows/chart.yml b/.github/workflows/chart.yml index 598d9bd1..b9be0da6 100644 --- a/.github/workflows/chart.yml +++ b/.github/workflows/chart.yml @@ -15,7 +15,7 @@ permissions: jobs: publish-helm-chart: if: github.event.pull_request.merged == true && contains(github.event.pull_request.title, 'update manifest and helm charts') - runs-on: ubuntu-20.04 + runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v4 diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index a608f127..3442849a 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -21,13 +21,13 @@ jobs: uses: actions/checkout@v4 - name: Initialize CodeQL - uses: github/codeql-action/init@cdcdbb579706841c47f7063dda365e292e5cad7a + uses: github/codeql-action/init@b611370bb5703a7efb587f9d136a52ea24c5c38c with: languages: go - name: Autobuild - uses: github/codeql-action/autobuild@cdcdbb579706841c47f7063dda365e292e5cad7a + uses: github/codeql-action/autobuild@b611370bb5703a7efb587f9d136a52ea24c5c38c - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@cdcdbb579706841c47f7063dda365e292e5cad7a + uses: github/codeql-action/analyze@b611370bb5703a7efb587f9d136a52ea24c5c38c diff --git a/.github/workflows/create-release-pull-request.yml b/.github/workflows/create-release-pull-request.yml index 2bdab2ba..bc20fe87 100644 --- a/.github/workflows/create-release-pull-request.yml +++ b/.github/workflows/create-release-pull-request.yml @@ -6,6 +6,10 @@ on: release_version: description: 'Which version are we creating a release pull request for?' required: true + init_container_version: + description: 'Which init container version are we creating a release pull request for?' + required: true + default: v0.3.0 based_on_branch: description: 'Which branch should we base the release pull request on?' required: true 
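Review bot: The new `init_container_version` input defaults to `v0.3.0`, but the other files in this commit still document `0.2.0` for the init container (the `initImage.initTag` row in charts/virtual-kubelet/README.md and the `export INIT_IMG_TAG=0.2.0` line added to docs/UPGRADE-README.md), and the `release-manifest` target only rewrites the latter. If `v0.3.0` is the version being shipped, the chart README row needs a manual edit, since no `sed` in the Makefile touches that table. The `description` should also say the value is expected with a leading `v`, because the `validate version` step greps for `v[0-9]+\.[0-9]+\.[0-9]+$`: `description: 'Init container version for this release pull request (with leading v, e.g. v0.3.0)'`.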
@@ -19,12 +23,14 @@ permissions: jobs: create-release-pull-request: - runs-on: ubuntu-20.04 + runs-on: ubuntu-latest steps: - name: validate version run: | echo "${{ github.event.inputs.release_version }}" | grep -E 'v[0-9]+\.[0-9]+\.[0-9]+$' - echo "${{ github.event.inputs.based_on_branch }}" | grep -E '^(master|release-[0-9]+\.[0-9]+)$' + echo "${{ github.event.inputs.init_container_version }}" | grep -E 'v[0-9]+\.[0-9]+\.[0-9]+$' + echo "${{ github.event.inputs.based_on_branch }}" | grep -E '^(master|release-[0-9]+\.[0-9]+\.[0-9]+-[0-9]+\.[0-9]+\.[0-9]+)$' + - uses: actions/checkout@v4 with: submodules: true @@ -37,10 +43,11 @@ jobs: run: make release-manifest env: VERSION: "${{ github.event.inputs.release_version }}" + INIT_CONTAINER_VERSION: "${{ github.event.inputs.init_container_version }}" - name: Create release pull request uses: peter-evans/create-pull-request@v6 with: commit-message: "release: update manifest and helm charts for ${{ github.event.inputs.release_version }}" title: "release: update manifest and helm charts for ${{ github.event.inputs.release_version }}" - branch: "release-${{ github.event.inputs.release_version }}" + branch: "release-${{ github.event.inputs.release_version }}-${{ github.event.inputs.init_container_version }}" base: ${{ github.event.inputs.based_on_branch }} diff --git a/.github/workflows/create-release.yml b/.github/workflows/create-release.yml index bd680ced..a41e8936 100644 --- a/.github/workflows/create-release.yml +++ b/.github/workflows/create-release.yml @@ -1,9 +1,7 @@ -name: Create release & Publish the image +name: Create release on: - workflow_dispatch: pull_request: branches: - - master - release-** types: [ closed ] 
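Review bot: The new `based_on_branch` pattern `^(master|release-[0-9]+\.[0-9]+\.[0-9]+-[0-9]+\.[0-9]+\.[0-9]+)$` no longer accepts the `release-X.Y` branches the old pattern allowed, and it does not match the `release-v…-v…` branch names this workflow itself creates in the next hunk either (those carry `v` prefixes), so apart from `master` only a `release-A.B.C-D.E.F` branch without `v` prefixes passes, which nothing in this commit produces. Decide which branch family is a valid base and write the regex for that; if release branches are still `release-X.Y`, the old line `grep -E '^(master|release-[0-9]+\.[0-9]+)$'` was correct. Separately, the three `echo "${{ github.event.inputs.… }}"` lines expand the inputs into shell text before `grep` ever sees them; the usual hardening is to pass each through `env:` (`RELEASE_VERSION: ${{ github.event.inputs.release_version }}`) and echo `"$RELEASE_VERSION"` instead. The `validate version` step ends inside the hunk, but the job continues outside it.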
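Review bot: Dropping `- master` from `pull_request.branches` means a release PR whose base is `master` — still accepted by the `based_on_branch` check in create-release-pull-request.yml — merges without triggering this workflow, so no tag, GitHub release or image is produced for it. Either remove `master` from that validation regex or keep `- master` here next to `- release-**`, and say in a comment above `branches:` which one is intended, e.g. `# release PRs are only merged into release-* branches; master is deliberately excluded`.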
@@ -11,36 +9,59 @@ permissions: contents: write packages: write actions: read - deployments: read pull-requests: read env: REGISTRY: ghcr.io # Common versions GO_VERSION: '1.20' - IMAGE_NAME: 'virtual-kubelet' - INIT_IMAGE_NAME: 'init-validation' jobs: create-release: if: github.event.pull_request.merged == true && contains(github.event.pull_request.title, 'update manifest and helm charts') - runs-on: ubuntu-20.04 + runs-on: ubuntu-latest + outputs: + tag: ${{ steps.get-tag.outputs.tag }} steps: - name: Set up Go ${{ env.GO_VERSION }} uses: actions/setup-go@v5 with: go-version: ${{ env.GO_VERSION }} + - name: Checkout uses: actions/checkout@v4 with: fetch-depth: 0 submodules: true + - id: get-tag name: Get tag - run: echo "tag=$(echo ${{ github.event.pull_request.head.ref }} | tr -d release-)" >> $GITHUB_OUTPUT - - name: Create tag run: | - git tag ${{ steps.get-tag.outputs.tag }} + echo "tag=$(echo ${{ github.event.pull_request.head.ref }} | tr '-' '\n' | grep 'v[0-9]\.[0-9]\.[0-9]' | head -n 1)" >> $GITHUB_OUTPUT + + - id: check-tag + name: Check for Tag + run: | + TAG=$(echo ${{ github.event.pull_request.head.ref }} | tr '-' '\n' | grep 'v[0-9]\.[0-9]\.[0-9]' | head -n 1)" >> $GITHUB_OUTPUT + + if git show-ref --tags --verify --quiet "refs/tags/${TAG}"; then + echo "create_tag=$(echo 'false' )" >> $GITHUB_OUTPUT + else + echo "create_tag=$(echo 'true' )" >> $GITHUB_OUTPUT + fi + + - name: 'Create tag' + if: steps.check-tag.outputs.create_tag == 'true' + uses: actions/github-script@v7 + with: + script: | + github.rest.git.createRef({ + owner: context.repo.owner, + repo: context.repo.repo, + ref: 'refs/tags/${{ steps.get-tag.outputs.tag }}', + sha: context.sha + }) + - name: Goreleaser uses: goreleaser/goreleaser-action@v6 with: @@ -50,7 +71,9 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} export-registry: - runs-on: ubuntu-20.04 + runs-on: ubuntu-latest + needs: + - create-release outputs: registry: ${{ steps.export.outputs.registry }} steps: 
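Review bot: In the `check-tag` step the line `TAG=$(echo ${{ github.event.pull_request.head.ref }} | tr '-' '\n' | grep 'v[0-9]\.[0-9]\.[0-9]' | head -n 1)" >> $GITHUB_OUTPUT` carries a stray `"` and redirection left over from the `get-tag` line it was copied from; the unbalanced quote runs on into the `if git show-ref …` line, so the step does not do what it reads as, and it only needs the value `get-tag` already publishes as `${{ steps.get-tag.outputs.tag }}`. Both steps grep with `v[0-9]\.[0-9]\.[0-9]`, which is unanchored and matches single-digit components only, so for a branch like `release-v1.10.0-v0.3.0` the release version yields no match and `head -n 1` silently returns the init container version as the tag, whereas create-release-pull-request.yml validated the input with `[0-9]+`; the same pattern recurs in the `publish-image` and `publish-init-validation-image` `with:` values later in this file. `github.event.pull_request.head.ref` is interpolated straight into `run:` scripts in both steps; passing it through `env:` keeps branch-name characters out of the shell parse. Suggested rewrite of the two steps below; the job's `steps` list continues past the hunk.
```yaml
      - id: get-tag
        name: Get tag
        env:
          HEAD_REF: ${{ github.event.pull_request.head.ref }}
        run: |
          echo "tag=$(echo "$HEAD_REF" | tr '-' '\n' | grep -E '^v[0-9]+\.[0-9]+\.[0-9]+$' | head -n 1)" >> "$GITHUB_OUTPUT"

      - id: check-tag
        name: Check for Tag
        env:
          TAG: ${{ steps.get-tag.outputs.tag }}
        run: |
          if git show-ref --tags --verify --quiet "refs/tags/${TAG}"; then
            echo "create_tag=false" >> "$GITHUB_OUTPUT"
          else
            echo "create_tag=true" >> "$GITHUB_OUTPUT"
          fi
      # … unchanged: 'Create tag' github-script step and Goreleaser step …
```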
@@ -59,65 +82,16 @@ jobs: # registry must be in lowercase echo "::set-output name=registry::$(echo "${{ env.REGISTRY }}/${{ github.repository }}" | tr [:upper:] [:lower:])" - publish-images: - if: github.event.pull_request.merged == true && contains(github.event.pull_request.title, 'update manifest and helm charts') - needs: - - export-registry - - create-release - env: - REGISTRY: ${{ needs.export-registry.outputs.registry }} - INIT_IMG_TAG : 0.2.0 - runs-on: ubuntu-20.04 - steps: - - id: get-tag - name: Get tag - run: echo "tag=$(echo ${{ github.event.pull_request.head.ref }} | tr -d release-)" >> $GITHUB_OUTPUT - - uses: actions/checkout@v4 - with: - submodules: true - fetch-depth: 0 - ref: ${{ steps.get-tag.outputs.tag }} - - name: Login to ${{ env.REGISTRY }} - uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 - with: - registry: ${{ env.REGISTRY }} - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - name: Set Image tag - run: | - ver=${{ steps.get-tag.outputs.tag }} - echo "IMG_TAG=${ver#"v"}" >> $GITHUB_ENV - - name: Build and push image - run: | - OUTPUT_TYPE=type=registry make docker-build-image - OUTPUT_TYPE=type=registry make docker-build-init-image - env: - VERSION: ${{ env.IMG_TAG }} - - - name: Scan ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.IMG_TAG }} - uses: aquasecurity/trivy-action@master - with: - image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.IMG_TAG }} - format: 'table' - exit-code: '1' - ignore-unfixed: true - vuln-type: 'os,library' - severity: 'CRITICAL,HIGH' - timeout: '5m0s' - env: - TRIVY_USERNAME: ${{ github.actor }} - TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} + publish-image: + needs: [export-registry] + uses: ./.github/workflows/publish-image.yml + with: + registry: ${{ needs.export-registry.outputs.registry }} + release_version: echo ${{ github.event.pull_request.head.ref }} | tr '-' '\n' | grep 'v[0-9]\.[0-9]\.[0-9]' | head -n 1 - - name: Scan ${{ env.REGISTRY }}/${{ 
env.INIT_IMAGE_NAME }}:${{ env.INIT_IMG_TAG }} - uses: aquasecurity/trivy-action@master - with: - image-ref: ${{ env.REGISTRY }}/${{ env.INIT_IMAGE_NAME }}:${{ env.INIT_IMG_TAG }} - format: 'table' - exit-code: '1' - ignore-unfixed: true - vuln-type: 'os,library' - severity: 'CRITICAL,HIGH' - timeout: '5m0s' - env: - TRIVY_USERNAME: ${{ github.actor }} - TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} + publish-init-validation-image: + needs: [export-registry] + uses: ./.github/workflows/publish-init-container-image.yml + with: + registry: ${{ needs.export-registry.outputs.registry }} + init_container_version: echo ${{ github.event.pull_request.head.ref }} | tr '-' '\n' | grep 'v[0-9]\.[0-9]\.[0-9]' | sed -n '2p' diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 7b870940..6b29054b 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -19,7 +19,7 @@ env: jobs: lint: name: "Lint & Format" - runs-on: ubuntu-22.04 + runs-on: ubuntu-latest timeout-minutes: 10 permissions: contents: read diff --git a/.github/workflows/publish-image.yml b/.github/workflows/publish-image.yml new file mode 100644 index 00000000..63d8b4d8 --- /dev/null +++ b/.github/workflows/publish-image.yml 
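Review bot: `release_version: echo ${{ github.event.pull_request.head.ref }} | tr '-' '\n' | grep 'v[0-9]\.[0-9]\.[0-9]' | head -n 1` is a `with:` value, so the reusable workflow receives that whole string as a literal — shell text included — not the result of running it; the same applies to `init_container_version:` with its `sed -n '2p'`. The `create-release` job in this file already exposes `outputs.tag`, so `release_version` should be `${{ needs.create-release.outputs.tag }}`, with `create-release` added to both jobs' `needs:` so the tag exists before the images are built; `init_container_version` needs a matching second output from `get-tag` (the `sed -n '2p'` field), which this commit does not define yet. Both jobs also lost the `if: github.event.pull_request.merged == true && …` guard the removed `publish-images` job had; it is now enforced only indirectly through `export-registry` depending on `create-release`, which deserves a comment so the next edit to `needs:` does not drop it. Rewritten job definitions below; the output name `init_tag` is a proposed name, not one the file defines.
```yaml
  publish-image:
    needs: [export-registry, create-release]
    uses: ./.github/workflows/publish-image.yml
    with:
      registry: ${{ needs.export-registry.outputs.registry }}
      release_version: ${{ needs.create-release.outputs.tag }}

  publish-init-validation-image:
    needs: [export-registry, create-release]
    uses: ./.github/workflows/publish-init-container-image.yml
    with:
      registry: ${{ needs.export-registry.outputs.registry }}
      # init_tag: proposed second output of create-release (the 'sed -n 2p' field); not defined in this commit
      init_container_version: ${{ needs.create-release.outputs.init_tag }}
```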
@@ -0,0 +1,57 @@ +name: Publish the Azure Virtual Kubelet image +on: + workflow_call: + inputs: + registry: + description: 'Which registry are we pushing the image to?' + required: true + release_version: + description: 'Which version are we creating an image for?' + required: true + +permissions: + contents: write + packages: write + actions: read + +env: + REGISTRY: ghcr.io + # Common versions + GO_VERSION: '1.20' + IMAGE_NAME: 'virtual-kubelet' + +jobs: + publish-images: + env: + REGISTRY: ${{ github.event.client_payload.registry }} + runs-on: ubuntu-latest + steps: + - name: Login to ${{ env.REGISTRY }} + uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + - name: Set Image tag + run: | + ver=${{ github.event.client_payload.release_version }} + echo "IMG_TAG=${ver#"v"}" >> $GITHUB_ENV + - name: Build and push image + run: | + OUTPUT_TYPE=type=registry make docker-build-image + env: + VERSION: ${{ env.IMG_TAG }} + + - name: Scan ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.IMG_TAG }} + uses: aquasecurity/trivy-action@master + with: + image-ref: "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.IMG_TAG }}" + format: 'table' + exit-code: '1' + ignore-unfixed: true + vuln-type: 'os,library' + severity: 'CRITICAL,HIGH' + timeout: '5m0s' + env: + TRIVY_USERNAME: ${{ github.actor }} + TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/publish-init-container-image.yml b/.github/workflows/publish-init-container-image.yml new file mode 100644 index 00000000..82a55d50 --- /dev/null +++ b/.github/workflows/publish-init-container-image.yml 
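Review bot: `github.event.client_payload.registry` and `github.event.client_payload.release_version` are `repository_dispatch` fields; under the `workflow_call` trigger declared at the top of this file the caller's values arrive as `inputs.registry` and `inputs.release_version`, so the job-level `env: REGISTRY:` resolves to an empty string (shadowing the top-level `ghcr.io`) and `IMG_TAG` is derived from nothing. The job also runs `make docker-build-image` without any `actions/checkout` step, which the removed `publish-images` job in create-release.yml had (with `ref:` set to the release tag). `permissions: contents: write` looks wider than a job that only pushes packages needs, and `aquasecurity/trivy-action@master` is the one unpinned action next to a SHA-pinned `docker/login-action`; pinning it to a tag or SHA makes the gating scan reproducible. `GO_VERSION` is declared but never used here. Suggested job head and tag step below; the `ref:` assumes the tag already exists when this reusable workflow runs, which holds only if the caller depends on `create-release`.
```yaml
jobs:
  publish-images:
    env:
      REGISTRY: ${{ inputs.registry }}
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          submodules: true
          ref: ${{ inputs.release_version }}
      # … unchanged: docker/login-action step …
      - name: Set Image tag
        env:
          RELEASE_VERSION: ${{ inputs.release_version }}
        run: |
          echo "IMG_TAG=${RELEASE_VERSION#v}" >> "$GITHUB_ENV"
      # … unchanged: build-and-push and Trivy scan steps …
```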
@@ -0,0 +1,65 @@ +name: Publish the init validation image +on: + workflow_call: + inputs: + registry: + description: 'Which registry are we pushing the image to?' + required: true + init_container_version: + description: 'Which init container version are we creating an image for?' + required: true + default: v0.3.0 + +permissions: + contents: write + packages: write + actions: read + +env: + REGISTRY: ghcr.io + # Common versions + GO_VERSION: '1.20' + INIT_IMAGE_NAME: 'init-validation' + +jobs: + publish-init-images: + env: + REGISTRY: ${{ github.event.client_payload.registry }} + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + with: + submodules: true + fetch-depth: 0 + ref: ${{ steps.get-tag.outputs.tag }} + + - name: Login to ${{ env.REGISTRY }} + uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Set Image tag + run: | + ver=${{ steps.get-tag.outputs.tag }} + echo "INIT_IMG_TAG=${ver#"v"}" >> $GITHUB_ENV + - name: Build and push image + run: | + OUTPUT_TYPE=type=registry make docker-build-init-image + env: + INIT_CONTAINER_VERSION: ${{ env.INIT_IMG_TAG }} + + - name: Scan ${{ env.REGISTRY }}/${{ env.INIT_IMAGE_NAME }}:${{ env.INIT_IMG_TAG }} + uses: aquasecurity/trivy-action@master + with: + image-ref: "${{ env.REGISTRY }}/${{ env.INIT_IMAGE_NAME }}:${{ env.INIT_IMG_TAG }}" + format: 'table' + exit-code: '1' + ignore-unfixed: true + vuln-type: 'os,library' + severity: 'CRITICAL,HIGH' + timeout: '5m0s' + env: + TRIVY_USERNAME: ${{ github.actor }} + TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index ec926724..b2a17c74 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml 
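Review bot: `ref: ${{ steps.get-tag.outputs.tag }}` and `ver=${{ steps.get-tag.outputs.tag }}` refer to a step that does not exist in this workflow (it lives in create-release.yml), so the checkout `ref` is empty and `INIT_IMG_TAG` becomes an empty tag; the value this file is actually given is `inputs.init_container_version`. The job-level `REGISTRY: ${{ github.event.client_payload.registry }}` has the same `repository_dispatch`-vs-`workflow_call` mismatch as publish-image.yml and should be `${{ inputs.registry }}`. Whether the init container version is also a git ref to check out is not visible here — the old job checked out the release tag — so either check out an explicit ref or note in the `description` that the image is built from the default checkout. As in publish-image.yml, `GO_VERSION` is unused and `aquasecurity/trivy-action@master` is unpinned while `docker/login-action` is SHA-pinned.
```yaml
jobs:
  publish-init-images:
    env:
      REGISTRY: ${{ inputs.registry }}
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          submodules: true
          fetch-depth: 0
      # … unchanged: docker/login-action step …
      - name: Set Image tag
        env:
          INIT_CONTAINER_VERSION: ${{ inputs.init_container_version }}
        run: |
          echo "INIT_IMG_TAG=${INIT_CONTAINER_VERSION#v}" >> "$GITHUB_ENV"
      # … unchanged: build-and-push and Trivy scan steps …
```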
@@ -26,7 +26,7 @@ permissions: jobs: unit-tests: - runs-on: ubuntu-20.04 + runs-on: ubuntu-latest environment: test steps: - name: Set up Go ${{ env.GO_VERSION }} diff --git a/Makefile b/Makefile index 340aa1e0..72613339 100644 --- a/Makefile +++ b/Makefile @@ -35,7 +35,7 @@ E2E_CLUSTER_NAME := $(CLUSTER_NAME) OUTPUT_TYPE ?= type=docker BUILDPLATFORM ?= linux/amd64 IMG_TAG ?= $(subst v,,$(VERSION)) -INIT_IMG_TAG ?= 0.2.0 +INIT_IMG_TAG ?= $(INIT_CONTAINER_VERSION) BUILD_DATE ?= $(shell date '+%Y-%m-%dT%H:%M:%S') VERSION_FLAGS := "-ldflags=-X main.buildVersion=$(IMG_TAG) -X main.buildTime=$(BUILD_DATE)" @@ -161,8 +161,11 @@ test-loganalytics-json: .PHONY: release-manifest release-manifest: @sed -i -e 's/^VERSION ?= .*/VERSION ?= ${VERSION}/' ./Makefile + @sed -i -e 's/^INIT_IMG_TAG ?= .*/INIT_IMG_TAG ?= ${INIT_IMG_TAG}/' ./Makefile @sed -i -e "s/version: .*/version: ${IMG_TAG}/" ./charts/virtual-kubelet/Chart.yaml @sed -i -e "s/tag: .*/tag: ${IMG_TAG}/" ./charts/virtual-kubelet/values.yaml + @sed -i -e "s/initTag: .*/initTag: ${INIT_IMG_TAG}/" ./charts/virtual-kubelet/values.yaml @sed -i -e 's/RELEASE_TAG=.*/RELEASE_TAG=${IMG_TAG}/' ./charts/virtual-kubelet/README.md @sed -i -e 's/RELEASE_TAG=.*/RELEASE_TAG=${IMG_TAG}/' ./docs/UPGRADE-README.md + @sed -i -e 's/INIT_IMG_TAG=.*/INIT_IMG_TAG=${INIT_IMG_TAG}/' ./docs/UPGRADE-README.md @sed -i -e 's/RELEASE_TAG=.*/RELEASE_TAG=${IMG_TAG}/' README.md diff --git a/charts/virtual-kubelet/README.md b/charts/virtual-kubelet/README.md index eff03e56..481a6723 100644 --- a/charts/virtual-kubelet/README.md +++ b/charts/virtual-kubelet/README.md 
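Review bot: `INIT_IMG_TAG ?= $(INIT_CONTAINER_VERSION)` drops the former `0.2.0` fallback, so a plain `make docker-build-init-image` without that variable now builds an image reference with an empty tag, and unlike `IMG_TAG ?= $(subst v,,$(VERSION))` two lines above it keeps the `v` prefix: create-release-pull-request.yml passes `INIT_CONTAINER_VERSION: "${{ github.event.inputs.init_container_version }}"` (default `v0.3.0`), so `release-manifest` writes `initTag: v0.3.0` into the chart while the `Set Image tag` step in publish-init-container-image.yml strips the leading `v` before the image is pushed. Mirroring the `IMG_TAG` line keeps chart and image in step: `INIT_IMG_TAG ?= $(subst v,,$(INIT_CONTAINER_VERSION))`. The second Makefile hunk in this commit then overwrites this line with a literal on every release run (raised there).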
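Review bot: The new `@sed -i -e 's/^INIT_IMG_TAG ?= .*/INIT_IMG_TAG ?= ${INIT_IMG_TAG}/' ./Makefile` replaces the `$(INIT_CONTAINER_VERSION)` indirection added in the first Makefile hunk with a literal the first time `release-manifest` runs, after which `INIT_CONTAINER_VERSION` from the workflow no longer reaches `INIT_IMG_TAG` (only an explicit `INIT_IMG_TAG=` override would). Either keep a literal default in the Makefile and have the workflows set `INIT_IMG_TAG` directly, or drop this `sed` and let the variable stay a reference. The `--set initImage.initImage=$INIT_IMG_TAG` line added to docs/UPGRADE-README.md uses a key that matches neither the `initTag:` this target rewrites in values.yaml nor the `initImage.initTag` row in the chart README; it presumably should read `--set initImage.initTag=$INIT_IMG_TAG`.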
@@ -60,10 +60,10 @@ The following table lists the configurable parameters of the azure-aci chart and | image.repository | Image repository. | `mcr.microsoft.com` | | image.name | Image name. | `oss/virtual-kubelet/virtual-kubelet` | | image.tag | Image release version/tag. | `latest` | -| image.pullPolicy | Image pull policy. | `IfNotPresent` | +| image.pullPolicy | Image pull policy. | `IfNotPresent` | | initImage.name | Init container image name. | `oss/virtual-kubelet/init-validation` | | initImage.initTag | Init container image release version/tag. | `0.2.0` | -| initImage.pullPolicy | Init container image pull policy. | `IfNotPresent` | +| initImage.pullPolicy | Init container image pull policy. | `IfNotPresent` | | nodeName | The node name that will be assigned to be the VK one. | `virtual-node-aci-linux-helm` | | nodeOsType | The node/VM type. Values should be `Windows` or `Linux`. | `Linux` | | monitoredNamespace | Kubernetes namespace. default values means monitor `all` | `""` | diff --git a/docs/UPGRADE-README.md b/docs/UPGRADE-README.md index 5271b0ad..7b7a1685 100644 --- a/docs/UPGRADE-README.md +++ b/docs/UPGRADE-README.md @@ -25,6 +25,7 @@ export CHART_NAME=virtual-kubelet-azure-aci-upgrade export VK_RELEASE=$CHART_NAME-$RELEASE_TAG export NODE_NAME=virtual-kubelet-aci-$RELEASE_TAG export CHART_URL=https://github.com/virtual-kubelet/azure-aci/raw/gh-pages/charts/$VK_RELEASE.tgz +export INIT_IMG_TAG=0.2.0 export MASTER_URI=$(kubectl cluster-info | awk '/Kubernetes control plane/{print $7}' | sed "s,\x1B\[[0-9;]*[a-zA-Z],,g") export IMG_URL=mcr.microsoft.com export IMG_REPO=oss/virtual-kubelet/virtual-kubelet 
@@ -62,6 +63,7 @@ helm install "$CHART_NAME" "$CHART_URL" \ --set image.repository=$IMG_URL \ --set image.name=$IMG_REPO \ --set image.tag=$IMG_TAG \ + --set initImage.initImage=$INIT_IMG_TAG \ --set providers.azure.masterUri=$MASTER_URI \ --set providers.azure.vnet.enabled=$ENABLE_VNET \ --set providers.azure.vnet.subnetName=$VIRTUAL_NODE_SUBNET_NAME \