diff --git a/.github/actions/setup-melange/action.yml b/.github/actions/setup-melange/action.yml deleted file mode 100644 index 74c18778c..000000000 --- a/.github/actions/setup-melange/action.yml +++ /dev/null 
@@ -1,100 +0,0 @@ -# Borrowed from https://github.com/chainguard-dev/actions/blob/29fb6e979a0b3efc79748a17e8cec08d0594cbfd/setup-melange/action.yaml -# with the addition of making the setup-go step optional. - -name: 'Setup melange' -description: | - Sets up melange, so it can run in an Ubuntu environment. - -inputs: - version: - description: 'Version of melange to install (tip, latest-release, v0.5.5, etc.)' - required: true - default: 'latest-release' - setup-go: - description: 'Whether to set up go' - required: false - default: 'true' - -runs: - using: 'composite' - - steps: - - name: 'Install qemu emulator binaries' - shell: bash - run: | - sudo apt update && sudo apt install -y qemu-user-static - - uses: actions/setup-go@v5 - if: ${{ inputs.setup-go == 'true' }} - with: - go-version: '1.23' - - name: 'Install dependencies' - shell: bash - run: | - sudo apt install -y build-essential git jq - # TODO: the bubblewrap package available from "apt install" - # is outdated and missing newer features such as --clearenv flag, - # so instead we download the wolfi .apk and use the binary in there - - name: 'Install dependencies (bubblewrap)' - shell: bash - run: | - sudo apt install -y libcap-dev meson ninja-build - git clone https://github.com/containers/bubblewrap - pushd bubblewrap - meson --prefix=/usr -Drequire_userns=true . output - cd output - ninja - sudo ninja install - popd - rm -rf bubblewrap - - - name: 'Install melange' - if: - shell: bash - run: | - set -ex - - # Install melange: - # - if version is "tip", install from tip of main. - # - if version is "latest-release", look up latest release. - # - otherwise, install the specified version. 
- case ${{ inputs.version }} in - tip) - TMP_CLONE_DIR="$(mktemp -d)" - git clone https://github.com/chainguard-dev/melange "${TMP_CLONE_DIR}" - pushd "${TMP_CLONE_DIR}" - make melange - sudo env "PATH=$PATH" make install - popd - rm -rf "${TMP_CLONE_DIR}" - ;; - latest-release) - tag=$(curl -s -u "username:${{ github.token }}" https://api.github.com/repos/chainguard-dev/melange/releases/latest | jq -r '.tag_name') - ;; - *) - tag="${{ inputs.version }}" - esac - - if [[ ! -z ${tag} ]]; then - case "$(echo $RUNNER_ARCH | awk '{print tolower($0)}')" in - x86|x64) ARCH=amd64;; - arm64) ARCH=arm64;; - *) - echo Unsupported RUNNER_ARCH \"$RUNNER_ARCH\" - exit -1 - ;; - esac - case "$(echo $RUNNER_OS | awk '{print tolower($0)}')" in - "linux") OS=linux;; - "macos") OS=osx;; - *) - echo Unsupported RUNNER_OS \"$RUNNER_OS\" - exit -1 - ;; - esac - - without_v=${tag#"v"} - echo "Installing melange @ ${tag}" - curl -fsL https://github.com/chainguard-dev/melange/releases/download/${tag}/melange_${without_v}_${OS}_${ARCH}.tar.gz | sudo tar xzf - --strip-components=1 -C /usr/local/bin - fi - - melange version diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index ce7f4aa10..4c7b422fa 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -122,19 +122,6 @@ jobs: go-version-file: go.mod cache-dependency-path: "**/*.sum" - - name: Cache melange - uses: actions/cache@v4 - with: - path: | - local-artifact-mirror/cache/.melange-cache - operator/cache/.melange-cache - key: melange-cache - - - name: Setup melange - uses: ./.github/actions/setup-melange - with: - setup-go: false - - name: Install dagger run: | curl -fsSL https://dl.dagger.io/dagger/install.sh | sh 
@@ -203,19 +190,6 @@ jobs: go-version-file: go.mod cache-dependency-path: "**/*.sum" - - name: Cache melange - uses: actions/cache@v4 - with: - path: | - local-artifact-mirror/cache/.melange-cache - operator/cache/.melange-cache - key: melange-cache - - - name: Setup melange - uses: ./.github/actions/setup-melange - with: - setup-go: false - - name: Install dagger run: | curl -fsSL https://dl.dagger.io/dagger/install.sh | sh @@ -282,19 +256,6 @@ jobs: go-version-file: go.mod cache-dependency-path: "**/*.sum" - - name: Cache melange - uses: actions/cache@v4 - with: - path: | - local-artifact-mirror/cache/.melange-cache - operator/cache/.melange-cache - key: melange-cache - - - name: Setup melange - uses: ./.github/actions/setup-melange - with: - setup-go: false - - name: Install dagger run: | curl -fsSL https://dl.dagger.io/dagger/install.sh | sh diff --git a/.github/workflows/image-scan.yaml b/.github/workflows/image-scan.yaml index 9e34851b2..15d285a84 100644 --- a/.github/workflows/image-scan.yaml +++ b/.github/workflows/image-scan.yaml @@ -28,17 +28,6 @@ jobs: with: fetch-depth: 0 # fetch all history so that we can get the previous tag - - name: Cache Melange - uses: actions/cache@v4 - with: - path: | - local-artifact-mirror/cache/.melange-cache - operator/cache/.melange-cache - key: melange-cache - - - name: Setup melange - uses: ./.github/actions/setup-melange - - name: Install dagger run: | curl -fsSL https://dl.dagger.io/dagger/install.sh | sh diff --git a/.github/workflows/release-prod.yaml b/.github/workflows/release-prod.yaml index aee65473d..e4f07f10c 100644 --- a/.github/workflows/release-prod.yaml +++ b/.github/workflows/release-prod.yaml 
@@ -59,16 +59,6 @@ jobs: - name: Checkout uses: actions/checkout@v4 - - name: Cache Melange - uses: actions/cache@v4 - with: - path: | - operator/cache/.melange-cache - key: melange-cache - - - name: Setup melange - uses: ./.github/actions/setup-melange - - name: Install dagger run: | curl -fsSL https://dl.dagger.io/dagger/install.sh | sh @@ -77,11 +67,11 @@ jobs: - name: Build and push operator image id: operator-image env: - REGISTRY: docker.io - USERNAME: ${{ secrets.DOCKERHUB_USER }} - PASSWORD: ${{ secrets.DOCKERHUB_PASSWORD }} + REGISTRY_SERVER: docker.io + REGISTRY_USERNAME: ${{ secrets.DOCKERHUB_USER }} + REGISTRY_PASSWORD: ${{ secrets.DOCKERHUB_PASSWORD }} run: | - make -C operator apko apko-login build-and-push-operator-image \ + make -C operator build-and-push-operator-image \ PACKAGE_VERSION=${{ needs.get-tag.outputs.tag-name }} echo "image=$(cat operator/build/image)" >> $GITHUB_OUTPUT @@ -114,16 +104,6 @@ jobs: - name: Checkout uses: actions/checkout@v4 - - name: Cache Melange - uses: actions/cache@v4 - with: - path: | - local-artifact-mirror/cache/.melange-cache - key: melange-cache - - - name: Setup melange - uses: ./.github/actions/setup-melange - - name: Install dagger run: | curl -fsSL https://dl.dagger.io/dagger/install.sh | sh @@ -132,11 +112,11 @@ jobs: - name: Build and push local-artifact-mirror image id: local-artifact-mirror env: - REGISTRY: docker.io - USERNAME: ${{ secrets.DOCKERHUB_USER }} - PASSWORD: ${{ secrets.DOCKERHUB_PASSWORD }} + REGISTRY_SERVER: docker.io + REGISTRY_USERNAME: ${{ secrets.DOCKERHUB_USER }} + REGISTRY_PASSWORD: ${{ secrets.DOCKERHUB_PASSWORD }} run: | - make -C local-artifact-mirror apko apko-login build-and-push-local-artifact-mirror-image \ + make -C local-artifact-mirror build-and-push-local-artifact-mirror-image \ PACKAGE_VERSION=${{ needs.get-tag.outputs.tag-name }} echo "image=$(cat local-artifact-mirror/build/image)" >> $GITHUB_OUTPUT 
diff --git a/dagger/chainguard.go b/dagger/chainguard.go index 6f2b24bc0..2a6891ec2 100644 --- a/dagger/chainguard.go +++ b/dagger/chainguard.go @@ -98,6 +98,7 @@ func (m *chainguard) apkoPublish( From(fmt.Sprintf("cgr.dev/chainguard/apko:%s", imageTag)). WithDirectory("/workspace", src). WithFile("/workspace/apko.yaml", apkoFile). + WithEnvVariable("DOCKER_CONFIG", "/workspace/.docker"). WithWorkdir("/workspace"). WithExec( []string{ @@ -109,3 +110,27 @@ func (m *chainguard) apkoPublish( return c } + +func (m *chainguard) apkoLogin( + src *dagger.Directory, + registryServer string, + registryUsername string, + registryPassword string, + // +default="latest" + imageTag string, +) *dagger.Container { + c := dag.Container(). + From(fmt.Sprintf("cgr.dev/chainguard/apko:%s", imageTag)). + WithDirectory("/workspace", src). + WithEnvVariable("DOCKER_CONFIG", "/workspace/.docker"). + WithWorkdir("/workspace"). + WithExec([]string{ + "apko", "login", registryServer, + "--username", registryUsername, + "--password-stdin", + }, dagger.ContainerWithExecOpts{ + Stdin: registryPassword, + }) + + return c +} diff --git a/dagger/localartifactmirror.go b/dagger/localartifactmirror.go index 20449580f..c1b76cd51 100644 --- a/dagger/localartifactmirror.go +++ b/dagger/localartifactmirror.go @@ -72,6 +72,10 @@ func (m *EmbeddedCluster) PublishLocalArtifactMirrorImage( WithFile("melange.rsa.pub", pkgBuild.File("melange.rsa.pub")). WithDirectory("packages", pkgBuild.Directory("packages")) + if m.RegistryAuth != nil { + dir = dir.WithDirectory("/workspace/.docker", m.RegistryAuth) + } + publish := m.apkoPublish( dir, apkoFile, diff --git a/dagger/main.go b/dagger/main.go index 090aa1e3a..e61780861 100644 --- a/dagger/main.go +++ b/dagger/main.go @@ -1,6 +1,10 @@ package main -import "dagger/embedded-cluster/internal/dagger" +import ( + "context" + "dagger/embedded-cluster/internal/dagger" + "fmt" +) const ( APKOImageVersion = "latest" 
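Review bot: `apkoLogin` takes `registryPassword` as a plain `string` and hands it to `WithExec` through `Stdin`, so the credential travels as an ordinary argument of the exec operation rather than as a `*dagger.Secret`. Values passed this way are presumably not covered by the engine's secret scrubbing and may show up in traces or cache metadata, which is worth confirming. Consider keeping the parameter a `*dagger.Secret` and exposing it to the container with `WithSecretVariable` or `WithMountedSecret`, or at least document the limitation above the function, e.g. `// apkoLogin runs "apko login" and leaves the credentials in /workspace/.docker; the password is passed in plaintext on stdin.` The container that receives the password is also pulled by the mutable tag in `imageTag` (default `latest`), so pinning that image by digest would tighten the trust boundary.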
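Review bot: The auth directory is added to `dir` at `/workspace/.docker`, but `apkoPublish` mounts its `src` argument at `/workspace` (`WithDirectory("/workspace", src)` in dagger/chainguard.go) and points `DOCKER_CONFIG` at `/workspace/.docker`. The credentials therefore appear to land at `/workspace/workspace/.docker`, where apko would not look for them. If that reading is right, the line should be `dir = dir.WithDirectory(".docker", m.RegistryAuth)`, and the matching hunk in dagger/operator.go needs the same change. The construction of `dir` starts outside this hunk, so confirm how it is rooted before changing the path.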
@@ -8,10 +12,27 @@ const ( ) type EmbeddedCluster struct { + RegistryAuth *dagger.Directory + common chainguard } +func (m *EmbeddedCluster) WithRegistryLogin( + ctx context.Context, + server string, + username string, + password *dagger.Secret, +) (*EmbeddedCluster, error) { + plain, err := password.Plaintext(ctx) + if err != nil { + return nil, fmt.Errorf("get registry password from secret: %w", err) + } + c := m.apkoLogin(dag.Directory(), server, username, plain, APKOImageVersion) + m.RegistryAuth = c.Directory("/workspace/.docker") + return m, nil +} + // directoryWithCommonGoFiles sets up the filesystem with only what we need to build for improved // caching. func directoryWithCommonGoFiles(dir *dagger.Directory, src *dagger.Directory) *dagger.Directory { diff --git a/dagger/operator.go b/dagger/operator.go index 7591a18ca..4c9568eed 100644 --- a/dagger/operator.go +++ b/dagger/operator.go @@ -72,7 +72,11 @@ func (m *EmbeddedCluster) PublishOperatorImage( WithFile("melange.rsa.pub", pkgBuild.File("melange.rsa.pub")). WithDirectory("packages", pkgBuild.Directory("packages")) - build := m.apkoPublish( + if m.RegistryAuth != nil { + dir = dir.WithDirectory("/workspace/.docker", m.RegistryAuth) + } + + publish := m.apkoPublish( dir, apkoFile, image, @@ -80,7 +84,7 @@ func (m *EmbeddedCluster) PublishOperatorImage( APKOImageVersion, ) - return build.Stdout(ctx) + return publish.Stdout(ctx) } // Builds the operator package with Melange. diff --git a/local-artifact-mirror/Makefile b/local-artifact-mirror/Makefile index 9b508806a..45e13256f 100644 --- a/local-artifact-mirror/Makefile +++ b/local-artifact-mirror/Makefile 
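Review bot: `RegistryAuth` is an exported field of `EmbeddedCluster`, and after `WithRegistryLogin` it holds the directory written by `apko login`, i.e. a Docker `config.json` containing the registry credentials. Exported fields of a Dagger module object are normally exposed as callable functions, so any caller of the module could read or export that directory. Marking the field private (`// +private` on the line above it) should keep it as internal state; confirm it is still carried across the chained call. `WithRegistryLogin` also lacks a doc comment; something like `// WithRegistryLogin logs in to the registry with apko and keeps the resulting Docker config for later publish calls.` would make clear that `password.Plaintext(ctx)` deliberately takes the value out of secret handling.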
@@ -62,11 +62,25 @@ build-and-push-local-artifact-mirror-image: .PHONY: build-and-push-local-artifact-mirror-image-chainguard build-and-push-local-artifact-mirror-image-chainguard: mkdir -p build - dagger call publish-local-artifact-mirror-image \ - --ec-version $(PACKAGE_VERSION) \ - --repo $(IMAGE_NAME) \ - --arch $(ARCH) \ - > build/digest +ifdef REGISTRY_SERVER + dagger call \ + with-registry-login \ + --server $(REGISTRY_SERVER) \ + --username $(REGISTRY_USERNAME) \ + --password env:REGISTRY_PASSWORD \ + publish-local-artifact-mirror-image \ + --ec-version $(PACKAGE_VERSION) \ + --repo $(IMAGE_NAME) \ + --arch $(ARCH) \ + > build/digest +else + dagger call \ + publish-local-artifact-mirror-image \ + --ec-version $(PACKAGE_VERSION) \ + --repo $(IMAGE_NAME) \ + --arch $(ARCH) \ + > build/digest +endif @$(MAKE) apko-output-image IMAGE="$(IMAGE_NAME):$(call image-tag,$(PACKAGE_VERSION))" .PHONY: build-and-push-local-artifact-mirror-image-dockerfile diff --git a/operator/Makefile b/operator/Makefile index 73bd31bc7..fb4fea9e4 100644 --- a/operator/Makefile +++ b/operator/Makefile @@ -178,11 +178,25 @@ build-and-push-operator-image: .PHONY: build-and-push-operator-image-chainguard build-and-push-operator-image-chainguard: mkdir -p build - dagger call publish-operator-image \ - --ec-version $(PACKAGE_VERSION) \ - --repo $(IMAGE_NAME) \ - --arch $(ARCH) \ - > build/digest +ifdef REGISTRY_SERVER + dagger call \ + with-registry-login \ + --server $(REGISTRY_SERVER) \ + --username $(REGISTRY_USERNAME) \ + --password env:REGISTRY_PASSWORD \ + publish-operator-image \ + --ec-version $(PACKAGE_VERSION) \ + --repo $(IMAGE_NAME) \ + --arch $(ARCH) \ + > build/digest +else + dagger call \ + publish-operator-image \ + --ec-version $(PACKAGE_VERSION) \ + --repo $(IMAGE_NAME) \ + --arch $(ARCH) \ + > build/digest +endif @$(MAKE) apko-output-image IMAGE="$(IMAGE_NAME):$(call image-tag,$(PACKAGE_VERSION))" .PHONY: build-and-push-operator-image-dockerfile 
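Review bot: In the `ifdef REGISTRY_SERVER` branch, `$(REGISTRY_SERVER)` and `$(REGISTRY_USERNAME)` are expanded by make unquoted into the shell command, and only the server variable is checked. With `REGISTRY_USERNAME` unset, `--username` would take `--password` as its value and the login would fail in a confusing way. Quote both values (`--server "$(REGISTRY_SERVER)" \` and `--username "$(REGISTRY_USERNAME)" \`) and fail early when the username or password is missing. Passing the password as `env:REGISTRY_PASSWORD` keeps it off the command line and out of make's echoed recipe, which deserves a one-line comment so it is not replaced by `$(REGISTRY_PASSWORD)` later. The same applies to the matching hunk in operator/Makefile; both recipes continue outside their hunks.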
diff --git a/scripts/ci-build-deps.sh b/scripts/ci-build-deps.sh index f9a7e501b..9f5f0d5ca 100755 --- a/scripts/ci-build-deps.sh +++ b/scripts/ci-build-deps.sh @@ -16,12 +16,6 @@ function init_vars() { require EC_VERSION "${EC_VERSION:-}" } -function deps() { - if [ "$USE_CHAINGUARD" == "1" ]; then - make melange apko - fi -} - function local_artifact_mirror() { make -C local-artifact-mirror build-ttl.sh cp local-artifact-mirror/build/image "local-artifact-mirror/build/image-$EC_VERSION" @@ -36,7 +30,6 @@ function operator() { function main() { init_vars - deps local_artifact_mirror operator }