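# Builds the NGINX Ingress Controller base images (OSS, Plus, Plus+NAP) and
# pushes them to GCR. Runs on a weekday schedule, on demand, or when called
# from another workflow. Registry and vendor credentials are fetched at run
# time from Azure Key Vault over OIDC; the only GitHub secrets involved are
# the vault coordinates themselves.
name: Build Base Images
on: # yamllint disable-line rule:truthy
  workflow_dispatch:
  workflow_call:
  schedule:
    - cron: "30 4 * * 1-5" # run Mon-Fri at 04:30 UTC

defaults:
  run:
    # An explicit `bash` shell gets GitHub's `-e -o pipefail` wrapper, so a
    # failing `az` or `jq` call aborts the step instead of yielding an empty
    # secret that is silently written to disk or exported.
    shell: bash

concurrency:
  group: ${{ github.ref_name }}-base-image
  cancel-in-progress: false

# Workflow-wide floor; the build jobs widen this only for the OIDC token.
permissions:
  contents: read

jobs:
  # Computes the values every build job needs: the Dockerfile hash used as
  # the image tag, the controller version, and the three build matrices.
  checks:
    name: Checks and variables
    runs-on: ubuntu-24.04
    outputs:
      docker_md5: ${{ steps.vars.outputs.docker_md5 }}
      ic_version: ${{ steps.vars.outputs.ic_version }}
      image_matrix_oss: ${{ steps.vars.outputs.image_matrix_oss }}
      image_matrix_plus: ${{ steps.vars.outputs.image_matrix_plus }}
      image_matrix_nap: ${{ steps.vars.outputs.image_matrix_nap }}
    steps:
      - name: Checkout Repository
        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
      - name: Output Variables
        id: vars
        # Everything emitted here is non-secret build metadata, which is why
        # dumping $GITHUB_OUTPUT to the log at the end is acceptable.
        run: |
          ./.github/scripts/variables.sh docker_md5 >> "$GITHUB_OUTPUT"
          # version.txt is a shell fragment that sets IC_VERSION.
          source .github/data/version.txt
          echo "ic_version=${IC_VERSION}" >> "$GITHUB_OUTPUT"
          # Matrices are compacted to one line so they fit the key=value
          # output format and can be fed to fromJSON() below.
          echo "image_matrix_oss=$(jq -c . .github/data/matrix-images-oss.json)" >> "$GITHUB_OUTPUT"
          echo "image_matrix_plus=$(jq -c . .github/data/matrix-images-plus.json)" >> "$GITHUB_OUTPUT"
          echo "image_matrix_nap=$(jq -c . .github/data/matrix-images-nap.json)" >> "$GITHUB_OUTPUT"
          cat "$GITHUB_OUTPUT"

  # OSS base images: no vendor credentials are needed, only registry access.
  build-oss:
    name: Build OSS base images
    runs-on: ubuntu-24.04
    needs: checks
    # Least privilege: id-token is required for the Azure and Google OIDC
    # logins below. No step in this job touches the pull-request API, so no
    # pull-requests grant is needed.
    permissions:
      contents: read
      id-token: write
    strategy:
      fail-fast: false
      matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_oss ) }}
    steps:
      - name: Checkout Repository
        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
      - name: Docker Buildx
        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
      - name: Setup QEMU
        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
        with:
          platforms: arm64
      - name: Azure login
        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
        with:
          client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}
      - name: Setup secrets
        id: secrets
        env:
          # Passed through env rather than interpolated into the script, so
          # the value is never part of the shell source text.
          KEYVAULT_NAME: ${{ secrets.NIC_KEYVAULT_NAME }}
        # The GCR workload-identity provider and service-account identity are
        # read from Key Vault and masked before being exported as step outputs,
        # so they do not surface in the log.
        run: |
          echo "Setting secrets for job"
          GCR_WORKLOAD_ID=$(az keyvault secret show --name gcr-workload-identity --vault-name "$KEYVAULT_NAME" --query value -o tsv)
          echo "::add-mask::$GCR_WORKLOAD_ID"
          echo "GCR_WORKLOAD_ID=$GCR_WORKLOAD_ID" >> "$GITHUB_OUTPUT"
          GCR_SERVICE_ACCOUNT=$(az keyvault secret show --name kic-pipeline-gcr-sa --vault-name "$KEYVAULT_NAME" --query value -o tsv)
          echo "::add-mask::$GCR_SERVICE_ACCOUNT"
          echo "GCR_SERVICE_ACCOUNT=$GCR_SERVICE_ACCOUNT" >> "$GITHUB_OUTPUT"
      - name: Authenticate to Google Cloud
        id: auth
        uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
        with:
          token_format: access_token
          workload_identity_provider: ${{ steps.secrets.outputs.GCR_WORKLOAD_ID }}
          service_account: ${{ steps.secrets.outputs.GCR_SERVICE_ACCOUNT }}
      - name: Login to GCR
        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          registry: gcr.io
          username: oauth2accesstoken
          password: ${{ steps.auth.outputs.access_token }}
      - name: Docker meta
        id: meta
        uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0
        with:
          images: |
            name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-base/oss
          flavor: |
            suffix=-${{ matrix.image }},onlatest=false
          # The tag is the Dockerfile hash; nothing is tagged (or pushed with a
          # usable tag) if the checks job produced an empty hash.
          tags: |
            type=raw,value=${{ needs.checks.outputs.docker_md5 }},enable=${{ needs.checks.outputs.docker_md5 != '' }}
      - name: Build Base Container
        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
        with:
          file: build/Dockerfile
          context: "."
          cache-from: type=gha,scope=${{ matrix.image }}
          cache-to: type=gha,scope=${{ matrix.image }},mode=max
          target: common
          tags: ${{ steps.meta.outputs.tags }}
          platforms: ${{ matrix.platforms }}
          pull: true
          push: true
          build-args: |
            BUILD_OS=${{ matrix.image }}
            IC_VERSION=${{ needs.checks.outputs.ic_version }}

  # Plus base images: additionally needs the NGINX Plus repository certificate
  # and key, which are handed to the build as BuildKit secrets only.
  build-plus:
    name: Build Plus base images
    runs-on: ubuntu-24.04
    needs: checks
    # Least privilege: id-token is required for the Azure and Google OIDC
    # logins below. No step in this job touches the pull-request API, so no
    # pull-requests grant is needed.
    permissions:
      contents: read
      id-token: write
    strategy:
      fail-fast: false
      matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_plus ) }}
    steps:
      - name: Checkout Repository
        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
      - name: Azure login
        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
        with:
          client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}
      - name: Setup secrets
        id: secrets
        env:
          KEYVAULT_NAME: ${{ secrets.NIC_KEYVAULT_NAME }}
        # Vendor credentials are written under $RUNNER_TEMP rather than into
        # the checkout, so they sit outside the "." build context and cannot
        # be swept into an image layer by a COPY; the cleanup step removes
        # them whether or not the build succeeds.
        run: |
          echo "Setting secrets for job"
          GCR_WORKLOAD_ID=$(az keyvault secret show --name gcr-workload-identity --vault-name "$KEYVAULT_NAME" --query value -o tsv)
          echo "::add-mask::$GCR_WORKLOAD_ID"
          echo "GCR_WORKLOAD_ID=$GCR_WORKLOAD_ID" >> "$GITHUB_OUTPUT"
          GCR_SERVICE_ACCOUNT=$(az keyvault secret show --name kic-pipeline-gcr-sa --vault-name "$KEYVAULT_NAME" --query value -o tsv)
          echo "::add-mask::$GCR_SERVICE_ACCOUNT"
          echo "GCR_SERVICE_ACCOUNT=$GCR_SERVICE_ACCOUNT" >> "$GITHUB_OUTPUT"
          PLUS_CREDS=$(az keyvault secret show --name plus-creds --vault-name "$KEYVAULT_NAME" --query value -o tsv)
          echo "::add-mask::$PLUS_CREDS"
          # ::add-mask:: works per line, so multi-line PEM material is masked
          # line by line. Quoted expansions and printf keep the newlines
          # intact without any IFS manipulation.
          CERT=$(jq -r '.crt' <<< "$PLUS_CREDS")
          while IFS= read -r line; do
            echo "::add-mask::${line}"
          done <<< "${CERT}"
          printf '%s\n' "$CERT" > "$RUNNER_TEMP/nginx-repo.crt"
          KEY=$(jq -r '.key' <<< "$PLUS_CREDS")
          while IFS= read -r line; do
            echo "::add-mask::${line}"
          done <<< "${KEY}"
          printf '%s\n' "$KEY" > "$RUNNER_TEMP/nginx-repo.key"
      - name: Docker Buildx
        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
      - name: Setup QEMU
        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
        with:
          platforms: arm64
      - name: Authenticate to Google Cloud
        id: auth
        uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
        with:
          token_format: access_token
          workload_identity_provider: ${{ steps.secrets.outputs.GCR_WORKLOAD_ID }}
          service_account: ${{ steps.secrets.outputs.GCR_SERVICE_ACCOUNT }}
      - name: Login to GCR
        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          registry: gcr.io
          username: oauth2accesstoken
          password: ${{ steps.auth.outputs.access_token }}
      - name: Docker meta
        id: meta
        uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0
        with:
          images: |
            name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-base/plus
          flavor: |
            suffix=-${{ matrix.image }},onlatest=false
          tags: |
            type=raw,value=${{ needs.checks.outputs.docker_md5 }},enable=${{ needs.checks.outputs.docker_md5 != '' }}
      - name: Build Base Container
        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
        with:
          file: build/Dockerfile
          context: "."
          cache-from: type=gha,scope=${{ matrix.image }}
          cache-to: type=gha,scope=${{ matrix.image }},mode=max
          target: common
          tags: ${{ steps.meta.outputs.tags }}
          platforms: ${{ matrix.platforms }}
          pull: true
          push: true
          build-args: |
            BUILD_OS=${{ matrix.image }}
            IC_VERSION=${{ needs.checks.outputs.ic_version }}
          # BuildKit secrets are mounted at build time only and never become
          # part of a layer or the image metadata.
          secret-files: |
            nginx-repo.crt=${{ runner.temp }}/nginx-repo.crt
            nginx-repo.key=${{ runner.temp }}/nginx-repo.key
      - name: Clean up secrets
        if: always()
        run: |
          rm -f "$RUNNER_TEMP/nginx-repo.crt" "$RUNNER_TEMP/nginx-repo.key"

  # Plus + App Protect base images: same as build-plus, plus the NAP module
  # selection and, for UBI images, a RHEL entitlement handed in as a secret.
  build-plus-nap:
    name: Build Plus NAP base images
    runs-on: ubuntu-24.04
    needs: checks
    # Least privilege: id-token is required for the Azure and Google OIDC
    # logins below. No step in this job touches the pull-request API, so no
    # pull-requests grant is needed.
    permissions:
      contents: read
      id-token: write
    strategy:
      fail-fast: false
      matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_nap ) }}
    steps:
      - name: Checkout Repository
        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
      - name: Azure login
        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
        with:
          client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}
      - name: Setup secrets
        id: secrets
        env:
          KEYVAULT_NAME: ${{ secrets.NIC_KEYVAULT_NAME }}
        # Vendor credentials are written under $RUNNER_TEMP rather than into
        # the checkout, so they sit outside the "." build context and cannot
        # be swept into an image layer by a COPY; the cleanup step removes
        # them whether or not the build succeeds.
        run: |
          echo "Setting secrets for job"
          GCR_WORKLOAD_ID=$(az keyvault secret show --name gcr-workload-identity --vault-name "$KEYVAULT_NAME" --query value -o tsv)
          echo "::add-mask::$GCR_WORKLOAD_ID"
          echo "GCR_WORKLOAD_ID=$GCR_WORKLOAD_ID" >> "$GITHUB_OUTPUT"
          GCR_SERVICE_ACCOUNT=$(az keyvault secret show --name kic-pipeline-gcr-sa --vault-name "$KEYVAULT_NAME" --query value -o tsv)
          echo "::add-mask::$GCR_SERVICE_ACCOUNT"
          echo "GCR_SERVICE_ACCOUNT=$GCR_SERVICE_ACCOUNT" >> "$GITHUB_OUTPUT"
          PLUS_CREDS=$(az keyvault secret show --name plus-creds --vault-name "$KEYVAULT_NAME" --query value -o tsv)
          echo "::add-mask::$PLUS_CREDS"
          # ::add-mask:: works per line, so multi-line PEM material is masked
          # line by line. Quoted expansions and printf keep the newlines
          # intact without any IFS manipulation.
          CERT=$(jq -r '.crt' <<< "$PLUS_CREDS")
          while IFS= read -r line; do
            echo "::add-mask::${line}"
          done <<< "${CERT}"
          printf '%s\n' "$CERT" > "$RUNNER_TEMP/nginx-repo.crt"
          KEY=$(jq -r '.key' <<< "$PLUS_CREDS")
          while IFS= read -r line; do
            echo "::add-mask::${line}"
          done <<< "${KEY}"
          printf '%s\n' "$KEY" > "$RUNNER_TEMP/nginx-repo.key"
          # The RHEL entitlement is written verbatim; it is only mounted for
          # UBI images (see secret-files below).
          RHEL_CREDS=$(az keyvault secret show --name rhel-creds --vault-name "$KEYVAULT_NAME" --query value -o tsv)
          while IFS= read -r line; do
            echo "::add-mask::${line}"
          done <<< "${RHEL_CREDS}"
          printf '%s\n' "$RHEL_CREDS" > "$RUNNER_TEMP/rhel_license"
      # NOTE(review): unlike the other build jobs there is no QEMU setup here,
      # so matrix.platforms for NAP images is presumably amd64-only — confirm
      # against .github/data/matrix-images-nap.json.
      - name: Docker Buildx
        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
      - name: Authenticate to Google Cloud
        id: auth
        uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
        with:
          token_format: access_token
          workload_identity_provider: ${{ steps.secrets.outputs.GCR_WORKLOAD_ID }}
          service_account: ${{ steps.secrets.outputs.GCR_SERVICE_ACCOUNT }}
      - name: Login to GCR
        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          registry: gcr.io
          username: oauth2accesstoken
          password: ${{ steps.auth.outputs.access_token }}
      - name: NAP modules
        id: nap_modules
        if: ${{ matrix.nap_modules != '' }}
        env:
          # Passed through env rather than interpolated into the script, per
          # GitHub's guidance on keeping expression values out of shell source.
          NAP_MODULES: ${{ matrix.nap_modules }}
        # Maps the comma-separated module list to a tag-safe suffix
        # ("waf,dos" -> "waf-dos"; anything else is used as-is).
        run: |
          [[ "$NAP_MODULES" == "waf,dos" ]] && modules="waf-dos" || modules="$NAP_MODULES"
          echo "modules=${modules}" >> "$GITHUB_OUTPUT"
      - name: Docker meta
        id: meta
        uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0
        with:
          images: |
            name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-base/plus
          flavor: |
            suffix=-${{ matrix.image }}-${{ steps.nap_modules.outputs.modules }},onlatest=false
          tags: |
            type=raw,value=${{ needs.checks.outputs.docker_md5 }},enable=${{ needs.checks.outputs.docker_md5 != '' }}
      - name: Build Base Container
        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
        with:
          file: build/Dockerfile
          context: "."
          cache-from: type=gha,scope=${{ matrix.image }}-${{ steps.nap_modules.outputs.modules }}
          cache-to: type=gha,scope=${{ matrix.image }}-${{ steps.nap_modules.outputs.modules }},mode=max
          target: common
          tags: ${{ steps.meta.outputs.tags }}
          platforms: ${{ matrix.platforms }}
          pull: true
          push: true
          build-args: |
            BUILD_OS=${{ matrix.image }}
            IC_VERSION=${{ needs.checks.outputs.ic_version }}
            NAP_MODULES=${{ matrix.nap_modules }}
          # BuildKit secrets are mounted at build time only and never become
          # part of a layer or the image metadata. The RHEL entitlement is
          # exposed to UBI-based images only.
          secret-files: |
            nginx-repo.crt=${{ runner.temp }}/nginx-repo.crt
            nginx-repo.key=${{ runner.temp }}/nginx-repo.key
            ${{ contains(matrix.image, 'ubi') && format('rhel_license={0}/rhel_license', runner.temp) || '' }}
      - name: Clean up secrets
        if: always()
        run: |
          rm -f "$RUNNER_TEMP/nginx-repo.crt" "$RUNNER_TEMP/nginx-repo.key" "$RUNNER_TEMP/rhel_license"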