feat(back): #1351 deploy container manifest

- Add builtin - Add documentation Signed-off-by: Daniel Salazar <[email protected]>
fluidattacks · Jul 26, 2024 · 2342f91 · 2342f91
1 parent ce6be8d
commit 2342f91
Show file tree

Hide file tree

Showing 6 changed files with 253 additions and 0 deletions.
diff --git a/docs/src/api/builtins/deploy.md b/docs/src/api/builtins/deploy.md
@@ -250,6 +250,135 @@ Example:
     CI_REGISTRY_USER=user CI_REGISTRY_PASSWORD=123 m . /deployContainer/makesGitLab
     ```
 
+## deployContainerManifest
+
+Deploy a container manifest to a container registry
+using [manifest-tool](https://github.com/estesp/manifest-tool).
+
+Combine it with [deployContainer](#deploycontainer)
+for supporting multi-tag or multi-arch images.
+
+Types:
+
+- deployContainerManifest (`attrsOf targetType`):
+- targetType (`submodule`):
+    - config:
+        - image (`str`):
+            Path for the manifest that will be deployed.
+        - tags (`listOf str`):
+            List of secondary tags (aliases) for the image.
+        - manifests (`listOf manifestType`):
+            Already-existing images to be used by the new manifest.
+            Typically used for supporting multiple architectures.
+    - credentials:
+        - token (`str`):
+            Name of the environment variable
+            that stores the value of the registry token.
+        - user (`str`):
+            Name of the environment variable
+            that stores the value of the registry user.
+    - setup (`listOf package`): Optional.
+        [Makes Environment][makes_environment]
+        or [Makes Secrets][makes_secrets]
+        to `source` (as in Bash's `source`)
+        before anything else.
+        Defaults to `[ ]`.
+    - sign (`bool`): Optional.
+        Sign container image
+        with [Cosign](https://docs.sigstore.dev/cosign/overview/)
+        by using a
+        [OIDC keyless approach](https://docs.sigstore.dev/signing/quickstart/#keyless-signing-of-a-container).
+        Defaults to `false`.
+- manifestType (`submodule`):
+    - image: Path to the already-deployed image.
+    - platform:
+        - architecture (`str`):
+            Architecture of the image.
+        - os (`str`):
+            Operating system of the image.
+
+Example:
+
+=== "makes.nix"
+
+    ```nix
+    {
+      deployContainer = {
+        images = {
+          makesAmd64 = {
+            attempts = 3;
+            credentials = {
+              token = "GITHUB_TOKEN";
+              user = "GITHUB_ACTOR";
+            };
+            registry = "ghcr.io";
+            src = outputs."/container-image";
+            sign = true;
+            tag = "fluidattacks/makes/amd64:latest";
+          };
+          makesArm64 = {
+            attempts = 3;
+            credentials = {
+              token = "GITHUB_TOKEN";
+              user = "GITHUB_ACTOR";
+            };
+            registry = "ghcr.io";
+            src = outputs."/container-image";
+            sign = true;
+            tag = "fluidattacks/makes/arm64:latest";
+          };
+        };
+      };
+      deployContainerManifest = {
+        makes = {
+          config = {
+            image = "ghcr.io/dsalaza4/makes:latest";
+            tags = [ "24.02" ];
+            manifests = [
+              {
+                image = "ghcr.io/fluidattacks/makes/arm64:latest";
+                platform = {
+                  architecture = "arm64";
+                  os = "linux";
+                };
+              }
+              {
+                image = "ghcr.io/fluidattacks/makes/amd64:latest";
+                platform = {
+                  architecture = "amd64";
+                  os = "linux";
+                };
+              }
+            ];
+          };
+          credentials = {
+            token = "GITHUB_TOKEN";
+            user = "GITHUB_ACTOR";
+          };
+          sign = true;
+        };
+      };
+    }
+    ```
+
+=== "Invocation DockerHub"
+
+    ```bash
+    DOCKER_HUB_USER=user DOCKER_HUB_PASS=123 m . /deployContainerManifest/makes
+    ```
+
+=== "Invocation GitHub"
+
+    ```bash
+    GITHUB_ACTOR=user GITHUB_TOKEN=123 m . /deployContainerManifest/makes
+    ```
+
+=== "Invocation GitLab"
+
+    ```bash
+    CI_REGISTRY_USER=user CI_REGISTRY_PASSWORD=123 m . /deployContainerManifest/makes
+    ```
+
 ## deployTerraform
 
 Deploy Terraform code

diff --git a/src/args/agnostic.nix b/src/args/agnostic.nix
@@ -31,6 +31,8 @@ let
       chunks = import ./chunks/default.nix self;
       computeOnAwsBatch = import ./compute-on-aws-batch/default.nix self;
       deployContainer = import ./deploy-container/default.nix self;
+      deployContainerManifest =
+        import ./deploy-container-manifest/default.nix self;
       deployNomad = import ./deploy-nomad/default.nix self;
       deployTerraform = import ./deploy-terraform/default.nix self;
       inherit (__nixpkgs__.lib.strings) escapeShellArg;

diff --git a/src/args/deploy-container-manifest/default.nix b/src/args/deploy-container-manifest/default.nix
@@ -0,0 +1,16 @@
+{ __nixpkgs__, makeScript, toFileYaml, ... }:
+{ config, credentials, name, setup, sign }:
+makeScript {
+  replace = {
+    __argConfig__ = toFileYaml "manifest.yaml " config;
+    __argCredentialsToken__ = credentials.token;
+    __argCredentialsUser__ = credentials.user;
+    __argSign__ = sign;
+  };
+  entrypoint = ./entrypoint.sh;
+  inherit name;
+  searchPaths = {
+    bin = [ __nixpkgs__.cosign __nixpkgs__.manifest-tool __nixpkgs__.yq ];
+    source = setup;
+  };
+}
diff --git a/src/args/deploy-container-manifest/entrypoint.sh b/src/args/deploy-container-manifest/entrypoint.sh
@@ -0,0 +1,45 @@
+# shellcheck shell=bash
+
+function deploy {
+  local config="${1}"
+  local credentials_token="${2}"
+  local credentials_user="${3}"
+
+  : && info "Deploying container manifest: ${config}" \
+    && manifest-tool \
+      --password "${credentials_token}" \
+      --username "${credentials_user}" \
+      push from-spec "${config}"
+}
+
+function sign {
+  local sign="${1}"
+  local config="${2}"
+  local credentials_token="${3}"
+  local credentials_user="${4}"
+  local image
+
+  if [ "${sign}" = "1" ]; then
+    : && info "Signing container manifest" \
+      && image="$(yq -rec '.image' "${config}")" \
+      && cosign sign \
+        --yes=true \
+        --registry-username="${credentials_user}" \
+        --registry-password="${credentials_token}" \
+        "${image}"
+  else
+    : && info "Skipping signing container manifest"
+  fi
+}
+
+function main {
+  local config="__argConfig__"
+  local credentials_token="${__argCredentialsToken__}"
+  local credentials_user="${__argCredentialsUser__}"
+  local sign="__argSign__"
+
+  : && deploy "${config}" "${credentials_token}" "${credentials_user}" \
+    && sign "${sign}" "${config}" "${credentials_token}" "${credentials_user}"
+}
+
+main "${@}"
diff --git a/src/evaluator/modules/default.nix b/src/evaluator/modules/default.nix
@@ -6,6 +6,7 @@
     (import ./compute-on-aws-batch/default.nix args)
     (import ./dev/default.nix args)
     (import ./deploy-container/default.nix args)
+    (import ./deploy-container-manifest/default.nix args)
     (import ./deploy-nomad/default.nix args)
     (import ./deploy-terraform/default.nix args)
     (import ./dynamodb/default.nix args)

diff --git a/src/evaluator/modules/deploy-container-manifest/default.nix b/src/evaluator/modules/deploy-container-manifest/default.nix
@@ -0,0 +1,60 @@
+{ __toModuleOutputs__, deployContainerManifest, ... }:
+{ config, lib, ... }:
+let
+  makeOutput = name: args: {
+    name = "/deployContainerManifest/${name}";
+    value = deployContainerManifest {
+      inherit (args) config;
+      inherit (args) credentials;
+      inherit name;
+      inherit (args) setup;
+      inherit (args) sign;
+    };
+  };
+
+  manifestType = lib.types.submodule (_: {
+    options = {
+      image = lib.mkOption { type = lib.types.str; };
+      platform = {
+        architecture = lib.mkOption { type = lib.types.str; };
+        os = lib.mkOption { type = lib.types.str; };
+      };
+    };
+  });
+  configType = lib.types.submodule (_: {
+    options = {
+      image = lib.mkOption { type = lib.types.str; };
+      tags = lib.mkOption { type = lib.types.listOf lib.types.str; };
+      manifests = lib.mkOption { type = lib.types.listOf manifestType; };
+    };
+  });
+  credentialsType = lib.types.submodule (_: {
+    options = {
+      token = lib.mkOption { type = lib.types.str; };
+      user = lib.mkOption { type = lib.types.str; };
+    };
+  });
+in {
+  options = {
+    deployContainerManifest = lib.mkOption {
+      default = { };
+      type = lib.types.attrsOf (lib.types.submodule (_: {
+        options = {
+          config = lib.mkOption { type = configType; };
+          credentials = lib.mkOption { type = credentialsType; };
+          setup = lib.mkOption {
+            default = [ ];
+            type = lib.types.listOf lib.types.package;
+          };
+          sign = lib.mkOption {
+            default = false;
+            type = lib.types.bool;
+          };
+        };
+      }));
+    };
+  };
+  config = {
+    outputs = __toModuleOutputs__ makeOutput config.deployContainerManifest;
+  };
+}