Merge pull request #47955 from rancherbot/fleet-1731086590 #41
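# Builds, tests and publishes the Rancher server, agent and installer images
# (linux amd64/arm64, windows 2019/2022), the Helm chart and the release
# artifacts (image lists, digests, checksums). Triggered by pushes to main,
# release/v* and v* tags; release-only jobs are guarded with
# `contains(github.ref, 'tags/')`.
#
# TAG and HEAD_TAG are not set in this file; they are presumably exported by
# ./.github/actions/setup-tag-env, which every job runs before using them.
name: build-docker-images
on:
  push:
    branches:
      - "main"
      - "release/v*"
    tags:
      - "v*"
env:
  COMMIT: ${{ github.sha }}
  REPOSITORY_OWNER: ${{ github.repository_owner }}
  IMAGE: ${{ github.repository_owner }}/rancher
  IMAGE_AGENT: ${{ github.repository_owner }}/rancher-agent
  IMAGE_INSTALLER: ${{ github.repository_owner }}/system-agent-installer-rancher
  REGISTRY: "docker.io"
  # quoted: a version string, never a number
  GH_CLI_VERSION: "2.57.0"
# NOTE(review): there is no workflow-level `permissions:` block, so jobs that
# do not declare one (build-server, build-agent and the reusable-workflow
# callers) run with the repository's default GITHUB_TOKEN permissions. A
# top-level `permissions: contents: read` would be least-privilege — confirm
# the called workflows do not need more before adding it.
jobs:
  unit-tests:
    uses: ./.github/workflows/unit-test.yml

  # Builds, validates, tests and packages the Helm chart, keeps it as a run
  # artifact for build-installer, and on tag pushes uploads it to the
  # releases.rancher.com/server-charts bucket.
  build-publish-chart:
    runs-on: org-${{ github.repository_owner_id }}-amd64-k8s
    # NOTE(review): `:latest` is a mutable tag; pinning a digest would make
    # the chart build environment reproducible.
    container: registry.suse.com/bci/bci-base:latest
    needs: [push-images]
    permissions:
      contents: read
      id-token: write
    concurrency:
      # if it is a tag run, use a default group to avoid concurrent runs, if it isn't use a unique group to allow concurrent runs
      group: ${{ contains(github.ref, 'tags/') && 'build-chart-tag' || format('build-chart-{0}', github.job) }}
      # instead of cancelling other runs, wait until they are finished
      cancel-in-progress: false
    env:
      ARCH: amd64
    steps:
      - name: install dependencies
        shell: bash
        run: zypper install -y git jq awk aws-cli
      - name: Git safe directory
        run: git config --global --add safe.directory "$PWD"
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Setup Tag Env Variables
        uses: ./.github/actions/setup-tag-env
      - name: install yq
        uses: ./.github/actions/install-yq
        with:
          arch: ${{ env.ARCH }}
      - id: env
        name: Setup Dependencies Env Variables
        uses: ./.github/actions/setup-build-env
      - name: Install Helm dependencies
        env:
          HELM_URL: https://get.helm.sh/helm-${{ steps.env.outputs.HELM_VERSION }}-linux-amd64.tar.gz
          HELM_UNITTEST_VERSION: ${{ steps.env.outputs.HELM_UNITTEST_VERSION }}
        # -f makes curl fail on an HTTP error instead of piping an error page
        # into tar; the tarball is not checksum-verified here.
        run: |
          curl -fsSL ${{ env.HELM_URL }} | tar xvzf - --strip-components=1 -C /tmp/ && \
          mv /tmp/helm /usr/bin/helm_v3 && \
          chmod +x /usr/bin/helm_v3
          helm_v3 plugin install https://github.com/helm-unittest/helm-unittest.git --version ${{ env.HELM_UNITTEST_VERSION }}
      - name: Build
        run: ./scripts/chart/build chart
      - name: Validate
        run: ./scripts/chart/validate
      - name: Test
        run: ./scripts/chart/test
      - name: Package
        run: ./scripts/chart/package
      - name: Upload chart
        uses: actions/upload-artifact@v4
        with:
          name: chart
          path: ./bin/chart/*
          if-no-files-found: error
          retention-days: 4
          overwrite: true
      - name: Load Secrets from Vault
        if: github.event_name == 'push' && contains(github.ref, 'tags/') # Only run on tags
        # NOTE(review): @main is a mutable ref for an action that handles
        # credentials (same for every other use below); a commit-SHA pin
        # would make the action version reproducible.
        uses: rancher-eio/read-vault-secrets@main
        with:
          secrets: |
            secret/data/github/repo/${{ github.repository }}/google-auth/rancher/credentials token | GOOGLE_AUTH ;
      - name: Authenticate with Google Cloud
        if: github.event_name == 'push' && contains(github.ref, 'tags/') # Only run on tags
        uses: google-github-actions/auth@v2
        with:
          credentials_json: ${{ env.GOOGLE_AUTH }}
      - name: Upload
        if: github.event_name == 'push' && contains(github.ref, 'tags/') # Only run on tags
        uses: google-github-actions/upload-cloud-storage@v2
        with:
          destination: releases.rancher.com/server-charts
          path: ./bin/chart
          parent: false
          process_gcloudignore: false
          predefinedAcl: publicRead
          headers: |-
            cache-control: public,no-cache,proxy-revalidate

  # Builds the server image per linux arch and exports it as a tarball
  # artifact (no push); push-images publishes it after the tests pass.
  build-server:
    runs-on: runs-on,runner=4cpu-${{ matrix.os }}-${{ matrix.arch }},image=ubuntu22-full-${{ matrix.arch }},run-id=${{ github.run_id }}
    strategy:
      matrix:
        os: [linux]
        arch: [x64, arm64]
    env:
      ARCH: ${{ matrix.arch }}
    steps:
      # the runner label uses x64, image/platform names use amd64
      - name: Arch environment variable
        shell: bash
        run: |
          if [[ "$ARCH" == "x64" ]]; then
            echo "ARCH=amd64" >> "$GITHUB_ENV"
          fi
      - name: Checkout code
        uses: actions/checkout@v4
      - name: install yq
        shell: bash
        run: sudo snap install yq
      - name: Setup Environment Variables
        uses: ./.github/actions/setup-tag-env
      - id: env
        name: Setup Dependencies Env Variables
        uses: ./.github/actions/setup-build-env
      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.IMAGE }}
          flavor: |
            latest=false
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Create k3s images file
        uses: ./.github/actions/k3s-images
        with:
          k3s_version: ${{ steps.env.outputs.CATTLE_K3S_VERSION }}
      - name: Download data.json
        run: curl -sLf https://releases.rancher.com/kontainer-driver-metadata/${{ steps.env.outputs.CATTLE_KDM_BRANCH }}/data.json > ./data.json
      - name: Build and export server
        id: build
        uses: docker/build-push-action@v5
        with:
          push: false
          build-args: |
            "VERSION=${{ env.TAG }}"
            "COMMIT=${{ env.COMMIT }}"
            "RKE_VERSION=${{ steps.env.outputs.RKE_VERSION }}"
            "ARCH=${{ env.ARCH }}"
            "CATTLE_RANCHER_WEBHOOK_VERSION=${{ steps.env.outputs.CATTLE_RANCHER_WEBHOOK_VERSION }}"
            "CATTLE_CSP_ADAPTER_MIN_VERSION=${{ steps.env.outputs.CATTLE_CSP_ADAPTER_MIN_VERSION }}"
            "CATTLE_FLEET_VERSION=${{ steps.env.outputs.CATTLE_FLEET_VERSION }}"
          tags: ${{ env.IMAGE }}:${{ env.TAG }}-${{ env.ARCH }}
          context: .
          platforms: "${{ matrix.os }}/${{ env.ARCH }}"
          file: ./package/Dockerfile
          labels: "${{ steps.meta.outputs.labels }}"
          outputs: type=docker,dest=/tmp/rancher-${{ matrix.os }}-${{ env.ARCH }}.tar
      - name: Upload image
        uses: actions/upload-artifact@v4
        with:
          name: "rancher-${{ matrix.os }}-${{ env.ARCH }}"
          path: /tmp/rancher-${{ matrix.os }}-${{ env.ARCH }}.tar
          if-no-files-found: error
          retention-days: 4
          overwrite: false

  # Builds the agent image per linux arch on top of the server image, which
  # is loaded from the build-server artifact into a job-local registry
  # (REGISTRY is overridden to 127.0.0.1:5000 so the Dockerfile pulls from it).
  build-agent:
    needs: [build-server]
    strategy:
      matrix:
        os: [linux]
        arch: [x64, arm64]
    runs-on: runs-on,runner=4cpu-${{ matrix.os }}-${{ matrix.arch }},image=ubuntu22-full-${{ matrix.arch }},run-id=${{ github.run_id }}
    services:
      registry:
        image: registry:2
        ports:
          # quoted: host:container port mappings must stay strings
          - "5000:5000"
    env:
      REGISTRY: "127.0.0.1:5000"
      ARCH: ${{ matrix.arch }}
    steps:
      - name: Arch environment variable
        shell: bash
        run: |
          if [[ "$ARCH" == "x64" ]]; then
            echo "ARCH=amd64" >> "$GITHUB_ENV"
          fi
      - name: Checkout code
        uses: actions/checkout@v4
      - name: install yq
        shell: bash
        run: sudo snap install yq
      - id: env
        name: Setup Dependencies Env Variables
        uses: ./.github/actions/setup-build-env
      - name: Setup TAG Variables
        uses: ./.github/actions/setup-tag-env
      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.IMAGE }}
          flavor: |
            latest=false
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
        with:
          # host networking lets buildx reach the local registry service
          driver-opts: network=host
      - name: Download rancher image
        uses: actions/download-artifact@v4
        with:
          name: "rancher-${{ matrix.os }}-${{ env.ARCH }}"
          path: /tmp
      - name: Load image
        run: |
          image_id=$(docker load --input /tmp/rancher-${{ matrix.os }}-${{ env.ARCH }}.tar 2>&1 | grep "Loaded image" | awk '{print $NF}')
          if [ -z "$image_id" ]; then
            echo "Error: Failed to load image from tarball!"
            exit 1
          fi
          docker tag "$image_id" ${{ env.REGISTRY }}/${{ env.IMAGE }}:${{ env.TAG }}
          docker push ${{ env.REGISTRY }}/${{ env.IMAGE }}:${{ env.TAG }}
      - name: Build agent
        id: build
        uses: docker/build-push-action@v5
        with:
          push: false
          build-args: |
            "VERSION=${{ env.TAG }}"
            "ARCH=${{ env.ARCH }}"
            "RANCHER_TAG=${{ env.TAG }}"
            "RANCHER_REPO=${{ env.REPOSITORY_OWNER }}"
            "REGISTRY=${{ env.REGISTRY }}"
            "CATTLE_RANCHER_WEBHOOK_VERSION=${{ steps.env.outputs.CATTLE_RANCHER_WEBHOOK_VERSION }}"
          tags: ${{ env.IMAGE_AGENT }}:${{ env.TAG }}-${{ env.ARCH }}
          context: .
          platforms: "${{ matrix.os }}/${{ env.ARCH }}"
          file: ./package/Dockerfile.agent
          labels: "${{ steps.meta.outputs.labels }}"
          outputs: type=docker,dest=/tmp/rancher-agent-${{ matrix.os }}-${{ env.ARCH }}.tar
      - name: Upload image
        uses: actions/upload-artifact@v4
        with:
          name: "rancher-agent-${{ matrix.os }}-${{ env.ARCH }}"
          path: /tmp/rancher-agent-${{ matrix.os }}-${{ env.ARCH }}.tar
          if-no-files-found: error
          retention-days: 4
          overwrite: false

  integration-tests:
    needs: [build-agent]
    uses: ./.github/workflows/integration-tests.yml
    with:
      parent_run_id: ${{ github.run_id }}

  # Builds and pushes the Windows agent images directly (no artifact stage);
  # merge-agent-manifest folds them into the multi-platform manifest.
  build-agent-windows:
    needs: [integration-tests]
    strategy:
      matrix:
        os: [windows]
        version: [2019, 2022]
    runs-on: ${{ matrix.os }}-${{ matrix.version }}
    permissions:
      contents: read
      id-token: write
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Setup Environment Variables
        uses: ./.github/actions/setup-tag-env
      - name: Load Secrets from Vault
        uses: rancher-eio/read-vault-secrets@main
        with:
          secrets: |
            secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials username | DOCKER_USERNAME ;
            secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials password | DOCKER_PASSWORD
      - name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ env.DOCKER_USERNAME }}
          password: ${{ env.DOCKER_PASSWORD }}
      - name: Build Windows Server Image
        run: |
          docker build -t ${{ env.REGISTRY }}/${{ env.IMAGE_AGENT }}:${{ env.TAG }}-windows-${{ matrix.version }} --build-arg VERSION=${{ env.TAG }} --build-arg SERVERCORE_VERSION=ltsc${{ matrix.version }} -f package/windows/Dockerfile.agent .
          docker push ${{ env.REGISTRY }}/${{ env.IMAGE_AGENT }}:${{ env.TAG }}-windows-${{ matrix.version }}
        shell: bash

  # Publishes the per-arch server and agent images built earlier, once unit
  # and integration tests have passed.
  push-images:
    needs: [unit-tests, integration-tests]
    strategy:
      matrix:
        os: [linux]
        arch: [x64, arm64]
    runs-on: runs-on,runner=2cpu-${{ matrix.os }}-${{ matrix.arch }},image=ubuntu22-full-${{ matrix.arch }},run-id=${{ github.run_id }}
    permissions:
      contents: read
      id-token: write
    env:
      ARCH: ${{ matrix.arch }}
    steps:
      - name: Environment variables
        shell: bash
        run: |
          if [[ "$ARCH" == "x64" ]]; then
            echo "ARCH=amd64" >> "$GITHUB_ENV"
          fi
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Download rancher image
        uses: actions/download-artifact@v4
        with:
          # matches both the rancher-* and rancher-agent-* artifacts for this arch
          pattern: "*-${{ matrix.os }}-${{ env.ARCH }}"
          path: /tmp
          merge-multiple: true
      - name: Setup Environment Variables
        uses: ./.github/actions/setup-tag-env
      - name: Load Secrets from Vault
        uses: rancher-eio/read-vault-secrets@main
        with:
          secrets: |
            secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials username | DOCKER_USERNAME ;
            secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials password | DOCKER_PASSWORD
      - name: Docker Registry Login
        uses: docker/login-action@v3
        with:
          username: ${{ env.DOCKER_USERNAME }}
          password: ${{ env.DOCKER_PASSWORD }}
      - name: Push server image
        run: |
          image_id=$(docker load --input /tmp/rancher-${{ matrix.os }}-${{ env.ARCH }}.tar 2>&1 | grep "Loaded image" | awk '{print $NF}')
          if [ -z "$image_id" ]; then
            echo "Error: Failed to load image from tarball!"
            exit 1
          fi
          docker tag "$image_id" ${{ env.REGISTRY }}/${{ env.IMAGE }}:${{ env.TAG }}-${{ env.ARCH }}
          docker push ${{ env.REGISTRY }}/${{ env.IMAGE }}:${{ env.TAG }}-${{ env.ARCH }}
      - name: Push agent image
        run: |
          image_agent_id=$(docker load --input /tmp/rancher-agent-${{ matrix.os }}-${{ env.ARCH }}.tar 2>&1 | grep "Loaded image" | awk '{print $NF}')
          if [ -z "$image_agent_id" ]; then
            echo "Error: Failed to load image from tarball!"
            exit 1
          fi
          docker tag "$image_agent_id" ${{ env.REGISTRY }}/${{ env.IMAGE_AGENT }}:${{ env.TAG }}-${{ env.ARCH }}
          docker push ${{ env.REGISTRY }}/${{ env.IMAGE_AGENT }}:${{ env.TAG }}-${{ env.ARCH }}

  merge-server-manifest:
    runs-on: runs-on,runner=2cpu-linux-x64,image=ubuntu22-full-x64,run-id=${{ github.run_id }}
    needs: [push-images]
    permissions:
      contents: read
      id-token: write
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Setup Environment Variables
        uses: ./.github/actions/setup-tag-env
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Load Secrets from Vault
        uses: rancher-eio/read-vault-secrets@main
        with:
          secrets: |
            secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials username | DOCKER_USERNAME ;
            secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials password | DOCKER_PASSWORD
      - name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ env.DOCKER_USERNAME }}
          password: ${{ env.DOCKER_PASSWORD }}
      - name: Create manifest list and push
        run: |
          docker buildx imagetools create -t ${{ env.REGISTRY }}/${{ env.IMAGE }}:${{ env.TAG }} ${{ env.REGISTRY }}/${{ env.IMAGE }}:${{ env.TAG }}-amd64 ${{ env.REGISTRY }}/${{ env.IMAGE }}:${{ env.TAG }}-arm64
      # the moving HEAD_TAG is only updated for branch builds, not for tags
      - name: Create head manifest list and push
        run: |
          if [[ "${{ github.ref_name }}" == release/v* ]] || [[ "${{ github.ref_name }}" == "main" ]]; then
            docker buildx imagetools create -t ${{ env.REGISTRY }}/${{ env.IMAGE }}:${{ env.HEAD_TAG }} ${{ env.REGISTRY }}/${{ env.IMAGE }}:${{ env.TAG }}-amd64 ${{ env.REGISTRY }}/${{ env.IMAGE }}:${{ env.TAG }}-arm64
          fi
      - name: Inspect image
        run: |
          docker buildx imagetools inspect ${{ env.REGISTRY }}/${{ env.IMAGE }}:${{ env.TAG }}

  merge-agent-manifest:
    runs-on: runs-on,runner=2cpu-linux-x64,image=ubuntu22-full-x64,run-id=${{ github.run_id }}
    needs: [push-images, build-agent-windows]
    permissions:
      contents: read
      id-token: write
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Setup Environment Variables
        uses: ./.github/actions/setup-tag-env
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Load Secrets from Vault
        uses: rancher-eio/read-vault-secrets@main
        with:
          secrets: |
            secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials username | DOCKER_USERNAME ;
            secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials password | DOCKER_PASSWORD
      - name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ env.DOCKER_USERNAME }}
          password: ${{ env.DOCKER_PASSWORD }}
      - name: Create manifest list and push
        run: |
          # docker manifest is used with windows images to maintain os.version in the manifest
          docker manifest create ${{ env.REGISTRY }}/${{ env.IMAGE_AGENT }}:${{ env.TAG }} \
            ${{ env.REGISTRY }}/${{ env.IMAGE_AGENT }}:${{ env.TAG }}-windows-2019 \
            ${{ env.REGISTRY }}/${{ env.IMAGE_AGENT }}:${{ env.TAG }}-windows-2022
          docker manifest push ${{ env.REGISTRY }}/${{ env.IMAGE_AGENT }}:${{ env.TAG }}
          # docker buildx imagetools create pushes to the registry by default, which is not the same behavior as docker manifest create
          docker buildx imagetools create -t ${{ env.REGISTRY }}/${{ env.IMAGE_AGENT }}:${{ env.TAG }} \
            --append ${{ env.REGISTRY }}/${{ env.IMAGE_AGENT }}:${{ env.TAG }}-amd64 \
            --append ${{ env.REGISTRY }}/${{ env.IMAGE_AGENT }}:${{ env.TAG }}-arm64
          if [[ "${{ github.ref_name }}" == release/v* ]] || [[ "${{ github.ref_name }}" == "main" ]]; then
            docker manifest create ${{ env.REGISTRY }}/${{ env.IMAGE_AGENT }}:${{ env.HEAD_TAG }} \
              ${{ env.REGISTRY }}/${{ env.IMAGE_AGENT }}:${{ env.TAG }}-windows-2019 \
              ${{ env.REGISTRY }}/${{ env.IMAGE_AGENT }}:${{ env.TAG }}-windows-2022
            docker manifest push ${{ env.REGISTRY }}/${{ env.IMAGE_AGENT }}:${{ env.HEAD_TAG }}
            docker buildx imagetools create -t ${{ env.REGISTRY }}/${{ env.IMAGE_AGENT }}:${{ env.HEAD_TAG }} \
              --append ${{ env.REGISTRY }}/${{ env.IMAGE_AGENT }}:${{ env.TAG }}-amd64 \
              --append ${{ env.REGISTRY }}/${{ env.IMAGE_AGENT }}:${{ env.TAG }}-arm64
          fi
      - name: Inspect image
        run: |
          docker buildx imagetools inspect ${{ env.REGISTRY }}/${{ env.IMAGE_AGENT }}:${{ env.TAG }}

  # Builds and pushes the system-agent installer image per arch; it needs the
  # packaged chart artifact and the merged server manifest.
  build-installer:
    needs: [build-publish-chart, merge-server-manifest]
    strategy:
      matrix:
        os: [linux]
        arch: [x64, arm64]
    runs-on: runs-on,runner=4cpu-${{ matrix.os }}-${{ matrix.arch }},image=ubuntu22-full-${{ matrix.arch }},run-id=${{ github.run_id }}
    permissions:
      contents: read
      id-token: write
    env:
      ARCH: ${{ matrix.arch }}
    steps:
      - name: Environment variables
        shell: bash
        run: |
          if [[ "$ARCH" == "x64" ]]; then
            echo "ARCH=amd64" >> "$GITHUB_ENV"
          fi
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Setup Environment Variables
        uses: ./.github/actions/setup-tag-env
      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.IMAGE }}
          flavor: |
            latest=false
      - name: Load Secrets from Vault
        uses: rancher-eio/read-vault-secrets@main
        with:
          secrets: |
            secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials username | DOCKER_USERNAME ;
            secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials password | DOCKER_PASSWORD
      - name: Docker Registry Login
        uses: docker/login-action@v3
        with:
          username: ${{ env.DOCKER_USERNAME }}
          password: ${{ env.DOCKER_PASSWORD }}
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Download chart
        uses: actions/download-artifact@v4
        with:
          name: chart
          path: ./chart
      - name: Build and export agent
        id: build
        uses: docker/build-push-action@v5
        with:
          push: true
          build-args: |
            "VERSION=${{ env.TAG }}"
            "ARCH=${{ matrix.arch }}"
            "RANCHER_TAG=${{ env.TAG }}"
            "RANCHER_REPO=${{ env.REPOSITORY_OWNER }}"
          tags: ${{ env.REGISTRY }}/${{ env.IMAGE_INSTALLER }}:${{ env.TAG }}-${{ env.ARCH }}
          context: .
          platforms: "${{ matrix.os }}/${{ env.ARCH }}"
          file: ./package/Dockerfile.installer
          labels: "${{ steps.meta.outputs.labels }}"

  merge-installer-manifest:
    runs-on: runs-on,runner=2cpu-linux-x64,image=ubuntu22-full-x64,run-id=${{ github.run_id }}
    needs: [build-installer]
    permissions:
      contents: read
      id-token: write
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Setup Environment Variables
        uses: ./.github/actions/setup-tag-env
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.IMAGE_INSTALLER }}
          flavor: |
            latest=false
      - name: Load Secrets from Vault
        uses: rancher-eio/read-vault-secrets@main
        with:
          secrets: |
            secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials username | DOCKER_USERNAME ;
            secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials password | DOCKER_PASSWORD
      - name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ env.DOCKER_USERNAME }}
          password: ${{ env.DOCKER_PASSWORD }}
      - name: Create manifest list and push
        # NOTE(review): unlike the server and agent manifests above, the
        # HEAD_TAG here is only pushed for release/v* branches, not for main —
        # confirm this is intended.
        run: |
          docker buildx imagetools create -t ${{ env.REGISTRY }}/${{ env.IMAGE_INSTALLER }}:${{ env.TAG }} ${{ env.REGISTRY }}/${{ env.IMAGE_INSTALLER }}:${{ env.TAG }}-amd64 ${{ env.REGISTRY }}/${{ env.IMAGE_INSTALLER }}:${{ env.TAG }}-arm64
          if [[ "${{ github.ref_name }}" == release/v* ]]; then
            docker buildx imagetools create -t ${{ env.REGISTRY }}/${{ env.IMAGE_INSTALLER }}:${{ env.HEAD_TAG }} ${{ env.REGISTRY }}/${{ env.IMAGE_INSTALLER }}:${{ env.TAG }}-amd64 ${{ env.REGISTRY }}/${{ env.IMAGE_INSTALLER }}:${{ env.TAG }}-arm64
          fi
      - name: Inspect image
        run: |
          docker buildx imagetools inspect ${{ env.REGISTRY }}/${{ env.IMAGE_INSTALLER }}:${{ env.TAG }}

  # Tag-only: generates the components/images lists and their sha256sum,
  # writes the component list into the GitHub release notes, and uploads the
  # artifacts both to the release and to the prime-artifacts S3 bucket.
  create-images-files:
    if: github.event_name == 'push' && contains(github.ref, 'tags/') # Only run on tags
    runs-on: runs-on,runner=2cpu-linux-x64,image=ubuntu22-full-x64,run-id=${{ github.run_id }}
    permissions:
      contents: write
      id-token: write
    env:
      # empty registry: image lists are generated without a registry prefix
      REGISTRY: ""
      CHECKSUM_FILE: "sha256sum.txt"
      ARTIFACTS_BASE_DIR: "bin"
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Setup Environment Variables
        uses: ./.github/actions/setup-tag-env
      - id: env
        name: Setup Dependencies Env Variables
        uses: ./.github/actions/setup-build-env
      - uses: actions/setup-go@v5
        with:
          go-version: '${{ steps.env.outputs.GO_VERSION }}'
      - name: Download data.json
        run: |
          mkdir -p bin
          curl -sLf https://releases.rancher.com/kontainer-driver-metadata/${{ steps.env.outputs.CATTLE_KDM_BRANCH }}/data.json > ./bin/data.json
          cp ./bin/data.json ./bin/rancher-data.json
      - name: Create k3s images file
        uses: ./.github/actions/k3s-images
        with:
          k3s_version: ${{ steps.env.outputs.CATTLE_K3S_VERSION }}
      - name: Create files
        run: |
          mkdir -p "$HOME/bin"
          touch "$HOME/bin/rancher-rke-k8s-versions.txt"
      - name: Create components and images files
        shell: bash
        run: ./scripts/create-components-images-files.sh
      - name: Move rke-k8s version file
        run: mv "$HOME/bin/rancher-rke-k8s-versions.txt" ./bin
      - name: Read App Secrets
        uses: rancher-eio/read-vault-secrets@main
        with:
          secrets: |
            secret/data/github/repo/${{ github.repository }}/github/app-credentials appId | APP_ID ;
            secret/data/github/repo/${{ github.repository }}/github/app-credentials privateKey | PRIVATE_KEY
      - name: Create App Token
        uses: actions/create-github-app-token@v1
        id: app-token
        with:
          app-id: ${{ env.APP_ID }}
          private-key: ${{ env.PRIVATE_KEY }}
      - name: Generate sha256sum
        shell: bash
        env:
          ARTIFACTS_TYPE: "components"
        run: scripts/artifacts-hashes.sh
      - name: Add release notes
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
        run: |
          NOTES=$(cat bin/rancher-components.txt)
          gh release edit -R ${{ github.repository }} ${{ env.TAG }} --notes "$NOTES"
      - name: Load Secrets from Vault
        uses: rancher-eio/read-vault-secrets@main
        with:
          secrets: |
            secret/data/github/repo/${{ github.repository }}/prime-artifacts-uploader-access/credentials token | PRIME_ARTIFACTS_UPLOADER_ACCESS_KEY ;
            secret/data/github/repo/${{ github.repository }}/prime-artifacts-uploader-secret/credentials token | PRIME_ARTIFACTS_UPLOADER_SECRET_KEY ;
      - name: Upload artifacts to bucket
        env:
          AWS_ACCESS_KEY_ID: ${{ env.PRIME_ARTIFACTS_UPLOADER_ACCESS_KEY }}
          AWS_SECRET_ACCESS_KEY: ${{ env.PRIME_ARTIFACTS_UPLOADER_SECRET_KEY }}
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
        # ARTIFACTS is an array sourced from scripts/artifacts-list.sh
        run: |
          set -ex
          source scripts/artifacts-list.sh
          if (( ${#ARTIFACTS[@]} == 0 )); then
            >&2 echo "missing ARTIFACTS env var"
            exit 1
          fi
          for artifact in "${ARTIFACTS[@]}"; do
            aws s3 cp "$ARTIFACTS_BASE_DIR/$artifact" "s3://prime-artifacts/rancher/${{ env.TAG }}/$artifact"
            gh release upload -R ${{ env.REPOSITORY_OWNER }}/rancher ${{ env.TAG }} "$ARTIFACTS_BASE_DIR/$artifact" --clobber
          done
          gh release upload -R ${{ env.REPOSITORY_OWNER }}/rancher ${{ env.TAG }} "$ARTIFACTS_BASE_DIR/$CHECKSUM_FILE" --clobber

  # Tag-only: resolves the published image lists to registry digests and
  # uploads the digest files plus their checksum to the GitHub release.
  docker-image-digests:
    if: github.event_name == 'push' && contains(github.ref, 'tags/') # Only run on tag
    runs-on: org-${{ github.repository_owner_id }}-amd64-k8s
    container: registry.suse.com/bci/bci-base:latest
    needs: [create-images-files, merge-agent-manifest, merge-server-manifest]
    permissions:
      contents: write
      id-token: write
    env:
      ARTIFACTS_BASE_DIR: "dist"
      LINUX_AMD64_FILE: "rancher-images-digests-linux-amd64.txt"
      LINUX_ARM64_FILE: "rancher-images-digests-linux-arm64.txt"
      WINDOWS_2019_FILE: "rancher-images-digests-windows-ltsc2019.txt"
      WINDOWS_2022_FILE: "rancher-images-digests-windows-ltsc2022.txt"
      CHECKSUM_FILE: "images-digests-sha256sum.txt"
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: install dependencies
        shell: bash
        run: zypper install -y aws-cli wget jq
      - name: install gh
        shell: bash
        run: |
          mkdir -p /tmp/gh
          curl -fsL https://github.com/cli/cli/releases/download/v${{ env.GH_CLI_VERSION }}/gh_${{ env.GH_CLI_VERSION }}_linux_amd64.tar.gz | tar xvzf - --strip-components=1 -C /tmp/gh
          mv /tmp/gh/bin/gh /usr/bin/gh
          chmod +x /usr/bin/gh
      - name: Setup Environment Variables
        uses: ./.github/actions/setup-tag-env
      - name: Setup ecm-distro-tools
        # NOTE(review): the action reference on this page is garbled by
        # extraction ("rancher/[email protected]"); restore the pinned
        # rancher/ecm-distro-tools ref from the repository before use.
        uses: rancher/[email protected]
        with:
          version: v0.42.0
      - name: Create base dir
        shell: bash
        run: mkdir -p "$ARTIFACTS_BASE_DIR"
      # the arm64 file is a copy of the amd64 one (the image lists are
      # multi-arch manifest references, presumably — verify if they diverge)
      - name: Generate linux docker digests
        shell: bash
        run: |
          export LINUX_IMAGES_URL=https://github.com/${{ github.repository }}/releases/download/${{ env.TAG }}/rancher-images.txt
          release generate rancher docker-images-digests --config "{}" --registry "${{ env.REGISTRY }}" --images-url "${LINUX_IMAGES_URL}" --output-file "$ARTIFACTS_BASE_DIR/$LINUX_AMD64_FILE"
          cp "$ARTIFACTS_BASE_DIR/$LINUX_AMD64_FILE" "$ARTIFACTS_BASE_DIR/$LINUX_ARM64_FILE"
      - name: Generate windows docker digests
        shell: bash
        run: |
          export WINDOWS_IMAGES_URL=https://github.com/${{ github.repository }}/releases/download/${{ env.TAG }}/rancher-windows-images.txt
          release generate rancher docker-images-digests --config "{}" --registry "${{ env.REGISTRY }}" --images-url "${WINDOWS_IMAGES_URL}" --output-file "$ARTIFACTS_BASE_DIR/$WINDOWS_2019_FILE"
          cp "$ARTIFACTS_BASE_DIR/$WINDOWS_2019_FILE" "$ARTIFACTS_BASE_DIR/$WINDOWS_2022_FILE"
      - name: Generate sha256sum file
        shell: bash
        env:
          ARTIFACTS_TYPE: "digests"
        run: scripts/artifacts-hashes.sh
      - name: Read App Secrets
        uses: rancher-eio/read-vault-secrets@main
        with:
          secrets: |
            secret/data/github/repo/${{ github.repository }}/github/app-credentials appId | APP_ID ;
            secret/data/github/repo/${{ github.repository }}/github/app-credentials privateKey | PRIVATE_KEY
      - name: Create App Token
        uses: actions/create-github-app-token@v1
        id: app-token
        with:
          app-id: ${{ env.APP_ID }}
          private-key: ${{ env.PRIVATE_KEY }}
      - name: Upload digests
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
        run: |
          gh release upload -R ${{ env.REPOSITORY_OWNER }}/rancher ${{ env.TAG }} "$ARTIFACTS_BASE_DIR/$LINUX_AMD64_FILE" --clobber
          gh release upload -R ${{ env.REPOSITORY_OWNER }}/rancher ${{ env.TAG }} "$ARTIFACTS_BASE_DIR/$LINUX_ARM64_FILE" --clobber
          gh release upload -R ${{ env.REPOSITORY_OWNER }}/rancher ${{ env.TAG }} "$ARTIFACTS_BASE_DIR/$WINDOWS_2019_FILE" --clobber
          gh release upload -R ${{ env.REPOSITORY_OWNER }}/rancher ${{ env.TAG }} "$ARTIFACTS_BASE_DIR/$WINDOWS_2022_FILE" --clobber
          gh release upload -R ${{ env.REPOSITORY_OWNER }}/rancher ${{ env.TAG }} "$ARTIFACTS_BASE_DIR/$CHECKSUM_FILE" --clobber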