drewbernetes/baski-action

Baski Action - Build And Scan Kubernetes Images

Description

A composite Action for remotely building an image using the kubernetes-sigs/image-builder repository. It uses Baski under the hood to build the images and scan them.

When the Baski configuration changes, a new release of the action will be cut to coincide with it; otherwise the existing action remains compatible with Baski.

Scope

⚠️ Currently in beta.

Prerequisites

Update the Changelog

Get yourself a GitHub access token with permissions to read the repository, if you don't already have one.

gh auth login
gh auth token

Run git cliff

export GITHUB_TOKEN=<token> # You can also add this to your ~/.bashrc or ~/.zshrc etc
git cliff -o

Note that passing --bump makes git cliff write the changelog under the version it computes as the next release. Check this value and make sure the tag you create matches it. The rules are:

  • The default is a patch bump. Generally speaking this would be a fix, docs, chore etc. (see conventional commits).
  • If feat: exists in a commit, a minor version increase will happen.
  • If BREAKING CHANGE: exists in a commit, it will be a major version bump.
  • If --bump is not added, the result is an [unreleased] changelog entry instead of a tagged one.

Once tested and validated on your branch, find the latest tag with the following command and increment it by one (or by the bump git cliff computed). E.g. if this outputs v0.1.31, you should use v0.1.32.

git tag | sort -V | tail -n1

TODO

  • Probably loads, but this will do for now!

License

The scripts and documentation in this project are released under the Apache v2 License.

Usage

- uses: <baski-action>@<v0.1.0>
  with:
    task-type:
    # Comma delimited list of Baski tasks to run. build, scan or sign are valid options - you can also use 'all' to signal all of the tasks.
    #
    # Required: false
    # Default: all

    infra-type:
    # openstack is currently supported, kubevirt is in progress
    #
    # Required: true
    # Default: openstack

    openstack-auth-url:
    # The authentication endpoint of OpenStack to send requests to.
    #
    # Required: false
    # Default: ""

    openstack-username:
    # The username to authenticate with - required if not using application credentials.
    #
    # Required: false
    # Default: ""

    openstack-password:
    # The password to authenticate with - required if not using application credentials.
    #
    # Required: false
    # Default: ""

    openstack-application-credential-id:
    # The application credential id to authenticate with - required if not using username/password combination.
    #
    # Required: false
    # Default: ""

    openstack-application-credential-secret:
    # The application credential secret to authenticate with - required if not using username/password combination.
    #
    # Required: false
    # Default: ""

    openstack-project-name:
    # The name of the Openstack project.
    #
    # Required: false
    # Default: ""

    openstack-project-id:
    # The ID of the Openstack project.
    #
    # Required: false
    # Default: ""

    openstack-user-domain-name:
    # The name of the UserDomainName.
    #
    # Required: false
    # Default: Default

    openstack-region:
    # The name of the region to deploy to.
    #
    # Required: false
    # Default: RegionOne

    openstack-identity-api-version:
    # The Identity API Version for OpenStack.
    #
    # Required: false
    # Default: 3

    openstack-interface:
    # The name of the interface.
    #
    # Required: false
    # Default: public

    openstack-network-id:
    # The ID of the network to use to build the scanning system.
    #
    # Required: false
    # Default: ""

    openstack-source-image-id:
    # The ID of the source image to use for the image build.
    #
    # Required: false
    # Default: ""

    openstack-flavor-name:
    # The OpenStack instance flavor to use to build the image.
    #
    # Required: false
    # Default: ""

    openstack-attach-config-drive:
    # Whether to enable the config drive in OpenStack. Useful if building an instance with an external IP attached.
    #
    # Required: false
    # Default: false

    openstack-use-floating-ip:
    # Enable to use floating IPs on the build instance.
    #
    # Required: false
    # Default: true

    openstack-floating-ip-network-name:
    # If using a floating IP configuration, the name of the network from which the floating IP will be acquired (usually the provider network).
    #
    # Required: false
    # Default: Internet

    openstack-security-group:
    # The security group in OpenStack to assign to the VM that will build the image - requires SSH access.
    #
    # Required: false
    # Default: default

    openstack-image-visibility:
    # Set the image visibility once it has been created. This usually requires admin permissions; make sure you have them before setting this, as the whole process will fail otherwise.
    #
    # Required: false
    # Default: private

    openstack-image-disk-format:
    # The format of the image on OpenStack. Your OpenStack deployment must support this.
    #
    # Required: false
    # Default: raw

    openstack-use-blockstorage-volume:
    # Sets the parameter block_storage_volume in the OpenStack Packer config.
    #
    # Required: false
    # Default: false

    openstack-ssh-keypair-name:
    # Use an existing SSH KeyPair from OpenStack - one will be autogenerated if not set.
    #
    # Required: false
    # Default: ""

    openstack-ssh-privatekey-file:
    # If using an ssh-keypair-name, a private key is required. In an automation environment this is not recommended, due to the potential exposure of the key.
    #
    # Required: false
    # Default: ""

    openstack-volume-type:
    # The volume type to use in OpenStack.
    #
    # Required: false
    # Default: ""

    openstack-volume-size:
    # The size of the storage volume in OpenStack.
    #
    # Required: false
    # Default: ""

    openstack-metadata-prefix:
    # Metadata-prefix will be used to prefix any metadata. This can be left blank if not required but if your metadata requires a prefix like `baski:k8s-version`, this is the place to add it.
    #
    # Required: false
    # Default: ""

    k8s-kubeconfig-path:
    # Path to the kubeconfig that will be used to generate the PVC for Kubevirt
    #
    # Required: false
    # Default: ""

    s3-endpoint:
    # The endpoint of S3.
    #
    # Required: false
    # Default: ""

    s3-access:
    # The access key used to access S3.
    #
    # Required: false
    # Default: ""

    s3-secret:
    # The secret key used to access S3.
    #
    # Required: false
    # Default: ""

    s3-region:
    # The S3 region.
    #
    # Required: false
    # Default: us-east-1

    s3-is-ceph:
    # If the S3 endpoint is ceph based, for example behind OpenStack, this should be set to true.
    #
    # Required: false
    # Default: ""

    build-verbose:
    # Enables verbose mode.
    #
    # Required: false
    # Default: false

    build-os:
    # The OS to build. Currently supports ubuntu-2204 and ubuntu-2404.
    #
    # Required: false
    # Default: ubuntu-2204

    build-image-prefix:
    # The prefix to apply to the image name.
    #
    # Required: false
    # Default: ""

    build-image-builder-repo:
    # The git repository to use for building Kubernetes images.
    #
    # Required: false
    # Default: https://github.com/kubernetes-sigs/image-builder.git

    build-image-builder-repo-branch:
    # The branch to use for image builds.
    #
    # Required: false
    # Default: main

    build-containerd-version:
    # The containerd version to deploy into the image.
    #
    # Required: false
    # Default: 1.7.21

    build-containerd-sha256:
    # The sha256 of containerd.
    #
    # Required: false
    # Default: 3d1fcdfd0b141f4dc4916b7aee7f9a7773dc344baffc8954e1ca66b1adc5c120

    build-crictl-version:
    # The crictl version to deploy into the image.
    #
    # Required: false
    # Default: 1.30.1

    build-cni-version:
    # The CNI version to deploy into the image.
    #
    # Required: false
    # Default: 1.2.0

    build-cni-deb-version:
    # The CNI .DEB version to deploy into the image.
    #
    # Required: false
    # Default: 1.4.0-2.1

    build-k8s-version:
    # The Kubernetes version to deploy into the image.
    #
    # Required: false
    # Default: 1.30.4

    build-k8s-deb-version:
    # The Kubernetes .DEB version to deploy into the image.
    #
    # Required: false
    # Default: 1.30.4-1.1

    build-extra-debs:
    # A space-separated list of any additional (Debian / Ubuntu) packages to install.
    #
    # Required: false
    # Default: ""

    build-add-trivy:
    # Install Trivy into the image.
    #
    # Required: false
    # Default: false

    build-add-falco:
    # Install Falco into the image.
    #
    # Required: false
    # Default: false

    build-additional-images:
    # A comma delimited list of container images that should be added to the final image.
    #
    # Required: false
    # Default: ""

    build-additional-metadata:
    # A comma delimited list of metadata that should be added to the image.
    #
    # Required: false
    # Default: ""

    build-enable-gpu-support:
    # Enable the installation of GPU drivers - requires additional settings.
    #
    # Required: false
    # Default: false

    build-gpu-vendor:
    # Set the GPU vendor to install the correct drivers. AMD/NVIDIA.
    #
    # Required: false
    # Default: ""

    build-gpu-model-support:
    # The specified GPU model is added to the metadata of the image.
    #
    # Required: false
    # Default: ""

    build-gpu-instance-support:
    # The specified instance type is added to the image metadata.
    #
    # Required: false
    # Default: ""

    build-amd-driver-version:
    # The AMD driver version to install.
    #
    # Required: false
    # Default: ""

    build-amd-driver-deb-version:
    # The AMD .DEB version of the driver to install.
    #
    # Required: false
    # Default: ""

    build-amd-usecase:
    # The AMD driver installer use case (for example, dkms).
    #
    # Required: false
    # Default: ""

    build-nvidia-driver-version:
    # The NVIDIA Driver version you are installing. This is currently only used to set the image name.
    #
    # Required: false
    # Default: ""

    build-nvidia-bucket:
    # The bucket name that the NVIDIA components are downloaded from.
    #
    # Required: false
    # Default: ""

    build-nvidia-installer-location:
    # The NVIDIA installer location in the bucket - this must be acquired from NVIDIA and uploaded to your bucket.
    #
    # Required: false
    # Default: ""

    build-nvidia-tok-location:
    # The NVIDIA .tok file location in the bucket - this must be acquired from NVIDIA and uploaded to your bucket.
    #
    # Required: false
    # Default: ""

    build-nvidia-gridd-feature-type:
    # The gridd feature type - See https://docs.nvidia.com/license-system/latest/nvidia-license-system-quick-start-guide/index.html#configuring-nls-licensed-client-on-linux for more information.
    #
    # Required: false
    # Default: 4

    scan-type:
    # Define the scan type: single or multiple.
    #
    # Required: false
    # Default: single

    scan-single-image-id:
    # If scanning a single image, enter its ID here.
    #
    # Required: false
    # Default: ""

    scan-multiple-image-search:
    # The search prefix to locate images.
    #
    # Required: false
    # Default: kmi-

    scan-multiple-concurrency:
    # How many concurrent scans to run.
    #
    # Required: false
    # Default: 2

    scan-flavor-name:
    # The instance flavor to use to scan the image.
    #
    # Required: false
    # Default: ""

    scan-auto-delete-image:
    # Whether to delete the image should a CVE check fail.
    #
    # Required: false
    # Default: false

    scan-skip-cve-check:
    # Set to true to skip the CVE check that runs after the scan. When the check runs (the default), the pipeline fails if a vulnerability is found that meets the threshold defined by scan-min-severity-type.
    #
    # Required: false
    # Default: false

    scan-min-severity-type:
    # The type of CVE Severity to check for. NONE, LOW, MEDIUM, HIGH and CRITICAL are supported. The value entered here is the minimum it will check for along with anything higher.
    #
    # Required: false
    # Default: MEDIUM

    scan-bucket:
    # The bucket used to locate a trivyignore file.
    #
    # Required: false
    # Default: ""

    scan-trivyignore-path:
    # The path in the bucket where the trivyignore file is located.
    #
    # Required: false
    # Default: ""

    scan-trivyignore-filename:
    # The name of the trivyignore file in the bucket.
    #
    # Required: false
    # Default: trivyignore

    scan-trivyignore-list:
    # A comma delimited list of CVEs to ignore. This will be appended to the trivyignore file from the scan bucket if one is provided.
    #
    # Required: false
    # Default: ""

    sign-vault-url:
    # The endpoint address of vault from which the keys will be pulled for signing the image.
    #
    # Required: false
    # Default: ""

    sign-vault-token:
    # The token for accessing vault.
    #
    # Required: false
    # Default: ""

    sign-vault-mount-path:
    # The mount path in vault which contains the secret with the signing key.
    #
    # Required: false
    # Default: ""

    sign-vault-secret-name:
    # The name of the secret in the mount path that contains the signing key.
    #
    # Required: false
    # Default: ""

    sign-image-id:
    # The ID of the image to sign.
    #
    # Required: false
    # Default: ""

Inputs

| name | description | required | default |
| --- | --- | --- | --- |
| task-type | Comma delimited list of Baski tasks to run. build, scan or sign are valid options - you can also use 'all' to signal all of the tasks. | false | all |
| infra-type | openstack is currently supported, kubevirt is in progress. | true | openstack |
| openstack-auth-url | The authentication endpoint of OpenStack to send requests to. | false | "" |
| openstack-username | The username to authenticate with - required if not using application credentials. | false | "" |
| openstack-password | The password to authenticate with - required if not using application credentials. | false | "" |
| openstack-application-credential-id | The application credential id to authenticate with - required if not using a username/password combination. | false | "" |
| openstack-application-credential-secret | The application credential secret to authenticate with - required if not using a username/password combination. | false | "" |
| openstack-project-name | The name of the OpenStack project. | false | "" |
| openstack-project-id | The ID of the OpenStack project. | false | "" |
| openstack-user-domain-name | The name of the UserDomainName. | false | Default |
| openstack-region | The name of the region to deploy to. | false | RegionOne |
| openstack-identity-api-version | The Identity API Version for OpenStack. | false | 3 |
| openstack-interface | The name of the interface. | false | public |
| openstack-network-id | The ID of the network to use to build the scanning system. | false | "" |
| openstack-source-image-id | The ID of the source image to use for the image build. | false | "" |
| openstack-flavor-name | The OpenStack instance flavor to use to build the image. | false | "" |
| openstack-attach-config-drive | Whether to enable the config drive in OpenStack. Useful if building an instance with an external IP attached. | false | false |
| openstack-use-floating-ip | Enable to use floating IPs on the build instance. | false | true |
| openstack-floating-ip-network-name | If using a floating IP configuration, the name of the network from which the floating IP will be acquired (usually the provider network). | false | Internet |
| openstack-security-group | The security group in OpenStack to assign to the VM that will build the image - requires SSH access. | false | default |
| openstack-image-visibility | Set the image visibility once it has been created. This usually requires admin permissions; make sure you have them before setting this, as the whole process will fail otherwise. | false | private |
| openstack-image-disk-format | The format of the image on OpenStack. Your OpenStack deployment must support this. | false | raw |
| openstack-use-blockstorage-volume | Sets the parameter block_storage_volume in the OpenStack Packer config. | false | false |
| openstack-ssh-keypair-name | Use an existing SSH KeyPair from OpenStack - one will be autogenerated if not set. | false | "" |
| openstack-ssh-privatekey-file | If using an ssh-keypair-name, a private key is required. In an automation environment this is not recommended, due to the potential exposure of the key. | false | "" |
| openstack-volume-type | The volume type to use in OpenStack. | false | "" |
| openstack-volume-size | The size of the storage volume in OpenStack. | false | "" |
| openstack-metadata-prefix | Prefix applied to any metadata. This can be left blank if not required, but if your metadata requires a prefix like baski:k8s-version, this is the place to add it. | false | "" |
| k8s-kubeconfig-path | Path to the kubeconfig that will be used to generate the PVC for KubeVirt. | false | "" |
| s3-endpoint | The endpoint of S3. | false | "" |
| s3-access | The access key used to access S3. | false | "" |
| s3-secret | The secret key used to access S3. | false | "" |
| s3-region | The S3 region. | false | us-east-1 |
| s3-is-ceph | If the S3 endpoint is Ceph based, for example behind OpenStack, this should be set to true. | false | "" |
| build-verbose | Enables verbose mode. | false | false |
| build-os | The OS to build. Currently supports ubuntu-2204 and ubuntu-2404. | false | ubuntu-2204 |
| build-image-prefix | The prefix to apply to the image name. | false | "" |
| build-image-builder-repo | The git repository to use for building Kubernetes images. | false | https://github.com/kubernetes-sigs/image-builder.git |
| build-image-builder-repo-branch | The branch to use for image builds. | false | main |
| build-containerd-version | The containerd version to deploy into the image. | false | 1.7.21 |
| build-containerd-sha256 | The sha256 of containerd. | false | 3d1fcdfd0b141f4dc4916b7aee7f9a7773dc344baffc8954e1ca66b1adc5c120 |
| build-crictl-version | The crictl version to deploy into the image. | false | 1.30.1 |
| build-cni-version | The CNI version to deploy into the image. | false | 1.2.0 |
| build-cni-deb-version | The CNI .DEB version to deploy into the image. | false | 1.4.0-2.1 |
| build-k8s-version | The Kubernetes version to deploy into the image. | false | 1.30.4 |
| build-k8s-deb-version | The Kubernetes .DEB version to deploy into the image. | false | 1.30.4-1.1 |
| build-extra-debs | A space-separated list of any additional (Debian / Ubuntu) packages to install. | false | "" |
| build-add-trivy | Install Trivy into the image. | false | false |
| build-add-falco | Install Falco into the image. | false | false |
| build-additional-images | A comma delimited list of container images that should be added to the final image. | false | "" |
| build-additional-metadata | A comma delimited list of metadata that should be added to the image. | false | "" |
| build-enable-gpu-support | Enable the installation of GPU drivers - requires additional settings. | false | false |
| build-gpu-vendor | Set the GPU vendor to install the correct drivers. AMD/NVIDIA. | false | "" |
| build-gpu-model-support | The specified GPU model is added to the metadata of the image. | false | "" |
| build-gpu-instance-support | The specified instance type is added to the image metadata. | false | "" |
| build-amd-driver-version | The AMD driver version to install. | false | "" |
| build-amd-driver-deb-version | The AMD .DEB version of the driver to install. | false | "" |
| build-amd-usecase | The AMD driver installer use case (for example, dkms). | false | "" |
| build-nvidia-driver-version | The NVIDIA Driver version you are installing. This is currently only used to set the image name. | false | "" |
| build-nvidia-bucket | The bucket name that the NVIDIA components are downloaded from. | false | "" |
| build-nvidia-installer-location | The NVIDIA installer location in the bucket - this must be acquired from NVIDIA and uploaded to your bucket. | false | "" |
| build-nvidia-tok-location | The NVIDIA .tok file location in the bucket - this must be acquired from NVIDIA and uploaded to your bucket. | false | "" |
| build-nvidia-gridd-feature-type | The gridd feature type - see https://docs.nvidia.com/license-system/latest/nvidia-license-system-quick-start-guide/index.html#configuring-nls-licensed-client-on-linux for more information. | false | 4 |
| scan-type | Define the scan type: single or multiple. | false | single |
| scan-single-image-id | If scanning a single image, enter its ID here. | false | "" |
| scan-multiple-image-search | The search prefix to locate images. | false | kmi- |
| scan-multiple-concurrency | How many concurrent scans to run. | false | 2 |
| scan-flavor-name | The instance flavor to use to scan the image. | false | "" |
| scan-auto-delete-image | Whether to delete the image should a CVE check fail. | false | false |
| scan-skip-cve-check | Set to true to skip the CVE check that runs after the scan. When the check runs (the default), the pipeline fails if a vulnerability is found that meets the threshold defined by scan-min-severity-type. | false | false |
| scan-min-severity-type | The type of CVE Severity to check for. NONE, LOW, MEDIUM, HIGH and CRITICAL are supported. The value entered here is the minimum it will check for, along with anything higher. | false | MEDIUM |
| scan-bucket | The bucket used to locate a trivyignore file. | false | "" |
| scan-trivyignore-path | The path in the bucket where the trivyignore file is located. | false | "" |
| scan-trivyignore-filename | The name of the trivyignore file in the bucket. | false | trivyignore |
| scan-trivyignore-list | A comma delimited list of CVEs to ignore. This will be appended to the trivyignore file from the scan bucket if one is provided. | false | "" |
| sign-vault-url | The endpoint address of Vault from which the keys will be pulled for signing the image. | false | "" |
| sign-vault-token | The token for accessing Vault. | false | "" |
| sign-vault-mount-path | The mount path in Vault which contains the secret with the signing key. | false | "" |
| sign-vault-secret-name | The name of the secret in the mount path that contains the signing key. | false | "" |
| sign-image-id | The ID of the image to sign. | false | "" |

Outputs

| name | description |
| --- | --- |
| new-image-id | The image ID of the image that has been built. |
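
Example workflow

An end-to-end workflow that wires the inputs from the Usage block and the new-image-id output together, as an added example: it is not part of this repository and has not been run against the action. It assumes the action is published as drewbernetes/baski-action, that new-image-id is populated when task-type is build, and that the value can be passed to scan-single-image-id and sign-image-id in later steps of the same job. The secret and variable names (OS_AUTH_URL, OS_APP_CRED_ID, S3_ACCESS_KEY, VAULT_TOKEN and so on), the security group name, the bucket layout and the Vault paths are placeholders you would replace with your own. The choices worth copying: every credential comes from GitHub Actions secrets rather than the workflow file; OpenStack application credentials are used instead of a user password; no SSH private key is supplied, so the action generates a throwaway key pair (see openstack-ssh-privatekey-file); the CVE check stays enabled with auto-delete so a failing image cannot be promoted; and GITHUB_TOKEN is restricted to contents: read.

```yaml
# Added example workflow (not from the baski-action repository).
# Assumptions: action published as drewbernetes/baski-action; new-image-id is set
# by a build-only run and is accepted by scan-single-image-id / sign-image-id.
# All ${{ secrets.* }} and ${{ vars.* }} names below are placeholders.
name: build-scan-sign-k8s-image

on:
  workflow_dispatch:
    inputs:
      k8s_version:
        description: Kubernetes version to bake into the image
        default: "1.30.4"

permissions:
  contents: read   # least privilege for GITHUB_TOKEN; the action needs nothing more

jobs:
  image:
    runs-on: ubuntu-latest
    steps:
      - name: Build image
        id: build
        # Pin to a tag you have reviewed; a full commit SHA is a stronger pin.
        uses: drewbernetes/baski-action@v0.1.0
        with:
          task-type: build
          infra-type: openstack
          openstack-auth-url: ${{ secrets.OS_AUTH_URL }}
          # Application credentials are scoped and revocable; prefer them over
          # openstack-username/openstack-password so the runner never holds a
          # full-identity credential.
          openstack-application-credential-id: ${{ secrets.OS_APP_CRED_ID }}
          openstack-application-credential-secret: ${{ secrets.OS_APP_CRED_SECRET }}
          openstack-region: RegionOne
          openstack-network-id: ${{ vars.OS_NETWORK_ID }}
          openstack-source-image-id: ${{ vars.OS_SOURCE_IMAGE_ID }}
          openstack-flavor-name: ${{ vars.OS_BUILD_FLAVOR }}
          # Placeholder name: a group that allows SSH only from the runner's egress.
          openstack-security-group: image-builder-ssh
          openstack-image-visibility: private
          # openstack-ssh-keypair-name / openstack-ssh-privatekey-file are left
          # unset on purpose: the action autogenerates a key pair, so no private
          # key has to be stored in CI.
          build-os: ubuntu-2204
          build-k8s-version: ${{ inputs.k8s_version }}
          build-k8s-deb-version: ${{ inputs.k8s_version }}-1.1
          build-add-falco: true

      - name: Scan the image that was just built
        uses: drewbernetes/baski-action@v0.1.0
        with:
          task-type: scan
          infra-type: openstack
          openstack-auth-url: ${{ secrets.OS_AUTH_URL }}
          openstack-application-credential-id: ${{ secrets.OS_APP_CRED_ID }}
          openstack-application-credential-secret: ${{ secrets.OS_APP_CRED_SECRET }}
          openstack-region: RegionOne
          openstack-network-id: ${{ vars.OS_NETWORK_ID }}
          scan-type: single
          scan-single-image-id: ${{ steps.build.outputs.new-image-id }}
          scan-flavor-name: ${{ vars.OS_SCAN_FLAVOR }}
          # scan-skip-cve-check is left at its default (false): HIGH and CRITICAL
          # findings fail the job, and the image is deleted so it cannot be used.
          scan-min-severity-type: HIGH
          scan-auto-delete-image: true
          # The trivyignore file lives in a bucket; use read-only S3 credentials.
          s3-endpoint: ${{ secrets.S3_ENDPOINT }}
          s3-access: ${{ secrets.S3_ACCESS_KEY }}
          s3-secret: ${{ secrets.S3_SECRET_KEY }}
          scan-bucket: image-scan-config        # placeholder bucket name
          scan-trivyignore-path: baski          # placeholder path
          scan-trivyignore-filename: trivyignore

      - name: Sign the image
        uses: drewbernetes/baski-action@v0.1.0
        with:
          task-type: sign
          infra-type: openstack
          openstack-auth-url: ${{ secrets.OS_AUTH_URL }}
          openstack-application-credential-id: ${{ secrets.OS_APP_CRED_ID }}
          openstack-application-credential-secret: ${{ secrets.OS_APP_CRED_SECRET }}
          openstack-region: RegionOne
          sign-image-id: ${{ steps.build.outputs.new-image-id }}
          sign-vault-url: ${{ secrets.VAULT_ADDR }}
          # Use a short-lived token bound to a policy that can only read this secret.
          sign-vault-token: ${{ secrets.VAULT_TOKEN }}
          sign-vault-mount-path: secret                  # placeholder mount
          sign-vault-secret-name: baski-image-signing-key # placeholder secret name
```

The OpenStack inputs are repeated in each step because every `uses:` line is an independent invocation of the action. Because the scan step fails the job when the severity threshold is met, the sign step only runs for an image that passed the check; with scan-auto-delete-image set, the failed image is also removed rather than left in the project as an unsigned artifact.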