

Adding OCP4 multi-arch support
Let's skip the SBOM and use a forked GitHub action for now, until metal-toolbox/container-push#77 has landed.
Modified Dockerfile so we only build certain profiles for s390x and ppc64le.
Update github action to build for s390x and ppc64le.
Vincent056 committed Jun 18, 2024
1 parent 27a0200 commit cd11134
Showing 3 changed files with 83 additions and 16 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/k8s-content-pr.yaml
Expand Up @@ -91,7 +91,7 @@ jobs:
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
push: true
platforms: 'linux/amd64'
platforms: 'linux/amd64,linux/ppc64le,linux/s390x'
- name: Get container info
id: container_info
run: |
50 changes: 41 additions & 9 deletions .github/workflows/k8s-content.yaml
Expand Up @@ -11,12 +11,44 @@ jobs:
contents: read
id-token: write
packages: write
uses: metal-toolbox/container-push/.github/workflows/container-push.yml@main
with:
name: k8scontent
tag: ${GITHUB_SHA}
latest: true
registry_org: complianceascode
dockerfile_path: ./Dockerfiles/ocp4_content
licenses: BSD
vendor: ComplianceAsCode authors
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4

- name: Login to ghcr.io
uses: docker/[email protected]
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Docker metadata
id: meta
uses: docker/metadata-action@v5
with:
images: ghcr.io/complianceascode/k8scontent
flavor: |
latest=true
tags: |
type=raw,value=${GITHUB_SHA}
type=sha,format=long
labels: |
org.opencontainers.image.source=${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}
org.opencontainers.image.title=Kubernetes content
org.opencontainers.image.version=${GITHUB_SHA}
org.opencontainers.image.licenses='BSD-3-Clause'
org.opencontainers.image.vendor='Compliance Operator Authors'
- name: Build container images and push
id: docker_build
uses: docker/build-push-action@v5
with:
context: .
file: ./Dockerfiles/ocp4_content
tags: ${GITHUB_SHA}
labels: true
push: true
platforms: 'linux/amd64,linux/ppc64le,linux/s390x'
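Review bot: The build step at the end of the hunk never consumes the metadata step it declares: `tags: ${GITHUB_SHA}` is a bare string (GitHub Actions expands only `${{ }}` expressions, not shell-style `${VAR}`) and not a full image reference, and `labels: true` is not a valid value for build-push-action's list-typed `labels` input, so the `meta` step's computed tags and OCI labels are dropped. The sibling PR workflow wires this correctly, and the same two lines belong here: `tags: ${{ steps.meta.outputs.tags }}` and `labels: ${{ steps.meta.outputs.labels }}`. The same `${GITHUB_SHA}` literal appears in the metadata step's `type=raw,value=` entry, where metadata-action likely does not expand it either; `type=sha,format=long` on the next line already yields the commit tag, so the raw entry can probably go. Since the commit drops SBOM generation, build-push-action itself accepts an `sbom: true` input that would restore an attestation without waiting on the upstream action. The job header lies above the hunk.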
47 changes: 41 additions & 6 deletions Dockerfiles/ocp4_content
@@ -1,5 +1,3 @@
# This dockerfile builds the content in the current repo for OCP4

FROM registry.fedoraproject.org/fedora-minimal:latest as builder

WORKDIR /content
Expand All @@ -8,10 +6,47 @@ RUN microdnf -y install cmake make git /usr/bin/python3 python3-pyyaml python3-j

COPY . .

RUN ./build_product --datastream-only --debug ocp4 rhcos4 eks
# Enable the default.profiles as they maintain a list rules to be added to the datastream
RUN find . -name "default\.profile" -exec sed -i 's/\(documentation_complete: \).*/\1true/' '{}' \;

# Enable only certain profiles on ppc64le and s390x
RUN if [ "$(uname -m)" == "x86_64" ]; then \
echo "Building OpenShift and RHCOS content for x86_64"; \
else echo "Building OpenShift content for $(uname -m)" && \
find . -name "*.profile" -exec sed -i 's/\(documentation_complete: \).*/\1false/' '{}' \; && \
sed -i 's/\(documentation_complete: \).*/\1true/' \
products/ocp4/profiles/pci-dss-node-3-2.profile \
products/ocp4/profiles/pci-dss-3-2.profile \
products/ocp4/profiles/pci-dss-node.profile \
products/ocp4/profiles/pci-dss.profile \
products/ocp4/profiles/cis-node.profile \
products/ocp4/profiles/cis.profile \
products/ocp4/profiles/cis-node-1-4.profile \
products/ocp4/profiles/cis-1-4.profile \
products/ocp4/profiles/cis-node-1-5.profile \
products/ocp4/profiles/cis-1-5.profile \
products/ocp4/profiles/moderate-node.profile \
products/ocp4/profiles/moderate.profile \
products/ocp4/profiles/moderate-node-rev-4.profile \
products/ocp4/profiles/moderate-rev-4.profile; \
fi


# OCPBUGS-32794: Ensure stability of rules shipped
# Before building the content we re-enable all profiles as hidden, this will include any rule selected
# by these profiles in the data stream without creating a profile for them.
RUN grep -lr 'documentation_complete: false' ./products | xargs -I '{}' \
sed -i -e 's/\(documentation_complete: \).*/\1true/' -e '/documentation_complete/a hidden: true' {}

# Build the OpenShift and RHCOS content for x86 architectures. Only build
# OpenShift content for ppc64le and s390x architectures since we're not
# including any RHCOS profiles on those architectures right now anyway.
RUN if [ "$(uname -m)" = "x86_64" ]; then \
./build_product ocp4 rhcos4 --datastream-only; \
else ./build_product ocp4 --datastream-only; \
fi

FROM registry.access.redhat.com/ubi8/ubi-micro:latest

WORKDIR /
COPY --from=builder /content/build/ssg-ocp4-ds.xml .
COPY --from=builder /content/build/ssg-rhcos4-ds.xml .
COPY --from=builder /content/build/ssg-eks-ds.xml .
COPY --from=builder /content/build/ssg-*-ds.xml .
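Review bot: The two architecture tests in this hunk use different operators: the profile-selection `RUN` has `[ "$(uname -m)" == "x86_64" ]` while the build `RUN` has `[ "$(uname -m)" = "x86_64" ]`; `==` inside `[` is a bash extension that ShellCheck flags and appears to work here only because the image's `/bin/sh` is bash, so the first line should read `RUN if [ "$(uname -m)" = "x86_64" ]; then \`. Both tests derive the target from `uname -m`, which is correct under QEMU emulation in a buildx multi-platform build but would pick the x86_64 branch if the builder stage were ever run with `--platform=$BUILDPLATFORM` for cross-compilation; the automatic `ARG TARGETARCH` would make the intent explicit and robust to that change. The comment above the first test could also say that the profiles it disables are re-enabled as hidden by the OCPBUGS-32794 step, since the three `RUN`s only make sense together, e.g. `# Non-x86 builds: keep only the PCI-DSS, CIS and moderate OCP4 profiles visible; every other profile is turned back on as hidden below`. The final-stage glob `COPY --from=builder /content/build/ssg-*-ds.xml .` copies whichever datastreams the architecture produced, so a consumer that expects `ssg-rhcos4-ds.xml` on ppc64le or s390x gets no build-time error.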

