From bc10c865e493f7f4469bbf94cb20dc20e23dcff4 Mon Sep 17 00:00:00 2001 From: Ryan Cragun Date: Mon, 7 Oct 2024 11:55:35 -0600 Subject: [PATCH] containerize: use latest docker action Use the latest Docker action to ensure correct arm64 container builds Signed-off-by: Ryan Cragun --- .github/actions/containerize/action.yml | 78 +++++++++++++++---------- 1 file changed, 46 insertions(+), 32 deletions(-) diff --git a/.github/actions/containerize/action.yml b/.github/actions/containerize/action.yml index e269298e52b70..c0809d3afd6fe 100644 --- a/.github/actions/containerize/action.yml +++ b/.github/actions/containerize/action.yml @@ -10,31 +10,24 @@ description: | inputs: docker: - type: boolean description: | Package the binary into a Docker container suitable for the Docker and AWS registries. We'll automatically determine the correct tags and target depending on the vault edition. - default: true + default: 'true' goarch: - type: string description: The Go GOARCH value environment variable to set during the build. goos: - type: string description: The Go GOOS value environment variable to set during the build. redhat: - type: boolean description: Package the binary into a UBI container suitable for the Redhat Quay registry. - default: false + default: 'false' vault-binary-path: - type: string description: The path to the vault binary. default: dist/vault vault-edition: - type: string description: The edition of vault to build. default: ce vault-version: - type: string description: The vault version. outputs: 
@@ -48,31 +41,52 @@ runs:
 - id: vars
 shell: bash
 run: |
- if [[ '${{ inputs.vault-edition }}' =~ 'ce' ]]; then
- # CE containers
- container_version='${{ inputs.vault-version }}'
- docker_container_tags='docker.io/hashicorp/vault:${{ inputs.vault-version }} public.ecr.aws/hashicorp/vault:${{ inputs.vault-version }}'
- docker_container_target='default'
- redhat_container_tags='quay.io/redhat-isv-containers/5f89bb5e0b94cf64cfeb500a:${{ inputs.vault-version }}-ubi'
- redhat_container_target='ubi'
- else
- # Ent containers
- container_version='${{ inputs.vault-version }}+${{ inputs.vault-edition }}'
-
- if [[ '${{ inputs.vault-edition }}' =~ 'fips' ]]; then
- # Ent FIPS 140-2 containers
- docker_container_tags='docker.io/hashicorp/vault-enterprise-fips:${{ inputs.vault-version }}-${{ inputs.vault-edition }} public.ecr.aws/hashicorp/vault-enterprise-fips:${{ inputs.vault-version }}-${{ inputs.vault-edition }}'
- docker_container_target='ubi-fips'
- redhat_container_tags='quay.io/redhat-isv-containers/6283f645d02c6b16d9caeb8e:${{ inputs.vault-version }}-${{ inputs.vault-edition }}-ubi'
- redhat_container_target='ubi-fips'
- else
- # All other Ent containers
+ case '${{ inputs.vault-edition }}' in
+ "ce")
+ container_version='${{ inputs.vault-version }}'
+ docker_container_tags='docker.io/hashicorp/vault:${{ inputs.vault-version }} public.ecr.aws/hashicorp/vault:${{ inputs.vault-version }}'
+ docker_container_target='default'
+ redhat_container_tags='quay.io/redhat-isv-containers/5f89bb5e0b94cf64cfeb500a:${{ inputs.vault-version }}-ubi'
+ redhat_container_target='ubi'
+ ;;
+ "ent")
+ container_version='${{ inputs.vault-version }}+${{ inputs.vault-edition }}'
 docker_container_tags='docker.io/hashicorp/vault-enterprise:${{ inputs.vault-version }}-${{ inputs.vault-edition}} public.ecr.aws/hashicorp/vault-enterprise:${{ inputs.vault-version }}-${{ inputs.vault-edition }}'
 docker_container_target='default'
 redhat_container_tags='quay.io/redhat-isv-containers/5f89bb9242e382c85087dce2:${{ inputs.vault-version }}-${{ inputs.vault-edition }}-ubi'
 redhat_container_target='ubi'
- fi
- fi
+ ;;
+ "ent.hsm")
+ container_version='${{ inputs.vault-version }}+${{ inputs.vault-edition }}'
+ docker_container_tags='docker.io/hashicorp/vault-enterprise:${{ inputs.vault-version }}-${{ inputs.vault-edition}} public.ecr.aws/hashicorp/vault-enterprise:${{ inputs.vault-version }}-${{ inputs.vault-edition }}'
+ docker_container_target='ubi-hsm'
+ redhat_container_tags='quay.io/redhat-isv-containers/5f89bb9242e382c85087dce2:${{ inputs.vault-version }}-${{ inputs.vault-edition }}-ubi'
+ redhat_container_target='ubi-hsm'
+ ;;
+ "ent.hsm.fips1402")
+ container_version='${{ inputs.vault-version }}+${{ inputs.vault-edition }}'
+ docker_container_tags='docker.io/hashicorp/vault-enterprise:${{ inputs.vault-version }}-${{ inputs.vault-edition}} public.ecr.aws/hashicorp/vault-enterprise:${{ inputs.vault-version }}-${{ inputs.vault-edition }}'
+ docker_container_target='ubi-hsm-fips'
+ redhat_container_tags='quay.io/redhat-isv-containers/5f89bb9242e382c85087dce2:${{ inputs.vault-version }}-${{ inputs.vault-edition }}-ubi'
+ redhat_container_target='ubi-hsm-fips'
+ ;;
+ "ent.fips1402")
+ # NOTE: For compatibility we still publish the ent.fips1402 containers to different
+ # namespaces. All ent, ent.hsm, and ent.hsm.fips1402 containers are released in the
+ # enterprise namespaces. After we've updated the upstream docker action to support
+ # multiple tags we can start to tag images with both namespaces, publish to both, and
+ # eventually sunset the fips1402 specific namespaces.
+ container_version='${{ inputs.vault-version }}+${{ inputs.vault-edition }}'
+ docker_container_tags='docker.io/hashicorp/vault-enterprise-fips:${{ inputs.vault-version }}-${{ inputs.vault-edition }} public.ecr.aws/hashicorp/vault-enterprise-fips:${{ inputs.vault-version }}-${{ inputs.vault-edition }}'
+ docker_container_target='ubi-fips'
+ redhat_container_tags='quay.io/redhat-isv-containers/6283f645d02c6b16d9caeb8e:${{ inputs.vault-version }}-${{ inputs.vault-edition }}-ubi'
+ redhat_container_target='ubi-fips'
+ ;;
+ *)
+ echo "Cannot generate container tags for unknown vault edition: ${{ inputs.vault-edition }}" 2>&1
+ exit 1
+ ;;
+ esac
 {
 echo "container-version=${container_version}"
 echo "docker-container-tags=${docker_container_tags}"
@@ -90,7 +104,7 @@ runs:
 [[ ! -d "$dest_dir" ]] && mkdir -p "$dest_dir"
 [[ ! -f "$dest_path" ]] && cp ${{ inputs.vault-binary-path }} "${dest_path}"
 - if: inputs.docker == 'true'
- uses: hashicorp/actions-docker-build@v2
+ uses: hashicorp/actions-docker-build@f22d5ac7d36868afaa4be1cc1203ec1b5865cadd
 with:
 arch: ${{ inputs.goarch }}
 do_zip_extract_step: 'false' # Don't download and extract an already present binary
@@ -99,7 +113,7 @@ runs:
 revision: ${{ steps.vars.outputs.revision }}
 version: ${{ steps.vars.outputs.container-version }}
 - if: inputs.redhat == 'true'
- uses: hashicorp/actions-docker-build@v2
+ uses: hashicorp/actions-docker-build@f22d5ac7d36868afaa4be1cc1203ec1b5865cadd
 with:
 arch: ${{ inputs.goarch }}
 do_zip_extract_step: 'false' # Don't download and extract an already present binary
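Review bot: The new `case` header and the `*)` arm still splice `${{ inputs.vault-edition }}` into the script text before bash runs, so the input is parsed as shell source rather than handled as data. In the `*)` arm the value sits inside double quotes, and that arm is by definition the one reached with an edition string nobody has validated. The same applies to `${{ inputs.vault-version }}` in every tag assignment. Pass the inputs through the step environment instead: `env: VAULT_EDITION: ${{ inputs.vault-edition }}` on the `vars` step, then `case "$VAULT_EDITION" in` and `echo "Cannot generate container tags for unknown vault edition: $VAULT_EDITION" >&2`. The `2>&1` on that echo redirects stderr to stdout, which does nothing for `echo`, so `>&2` looks like what was intended. The `run:` script continues past the end of this hunk.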
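Review bot: The new `uses:` pin carries no comment saying what the SHA is, so nobody reading the file can tell whether `f22d5ac7d36868afaa4be1cc1203ec1b5865cadd` is a tagged release or an untagged commit on the action's default branch. The subject line's "latest" suggests the latter, but that is an inference. Append the ref to the line, for example `uses: hashicorp/actions-docker-build@f22d5ac7d36868afaa4be1cc1203ec1b5865cadd # <tag or branch this SHA was taken from>`, so later bumps can be audited against upstream history. The identical pin in the `inputs.redhat` step of the following hunk (`@@ -99,7 +113,7 @@`) needs the same comment. Both steps' `with:` blocks extend outside their hunks.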