Skip to content

[cherry-pick] Docker image update d41d8cd9 #14959

[cherry-pick] Docker image update d41d8cd9

[cherry-pick] Docker image update d41d8cd9 #14959

Workflow file for this run

name: CI
on:
pull_request:
branches:
- main
- release-*
merge_group:
workflow_dispatch:
inputs:
force:
type: boolean
description: "Force rebuild"
required: false
default: false
defaults:
run:
shell: bash
concurrency:
group: ${{ github.ref_name }}-ci
cancel-in-progress: true
permissions:
contents: read
jobs:
checks:
name: Checks and variables
runs-on: ubuntu-22.04
permissions:
contents: read
id-token: write
outputs:
docs_only: ${{ github.event.pull_request && steps.docs.outputs.docs_only == 'true' }}
k8s_latest: ${{ steps.vars.outputs.k8s_latest }}
go_path: ${{ steps.vars.outputs.go_path }}
go_code_md5: ${{ steps.vars.outputs.go_code_md5 }}
binary_cache_hit: ${{ steps.binary-cache.outputs.cache-hit }}
chart_version: ${{ steps.vars.outputs.chart_version }}
ic_version: ${{ steps.vars.outputs.ic_version }}
docker_md5: ${{ steps.vars.outputs.docker_md5 }}
build_tag: ${{ steps.vars.outputs.build_tag }}
stable_tag: ${{ steps.vars.outputs.stable_tag }}
forked_workflow: ${{ steps.vars.outputs.forked_workflow }}
stable_image_exists: ${{ steps.stable_exists.outputs.exists }}
additional_tag: ${{ steps.vars.outputs.additional_tag }}
steps:
- name: Checkout Repository
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
fetch-depth: 0
- name: Filter only docs changes
id: docs
run: |
files=$(git diff --name-only HEAD^ | egrep -v "^docs/" | egrep -v "^examples/" | egrep -v "^README.md")
if [ -z "$files" ]; then
echo "docs_only=true" >> $GITHUB_OUTPUT
else
echo "docs_only=false" >> $GITHUB_OUTPUT
fi
echo $files
cat $GITHUB_OUTPUT
shell: bash --noprofile --norc -o pipefail {0}
- name: Setup Golang Environment
uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
with:
go-version-file: go.mod
- name: Output Variables
id: vars
run: |
kindest_latest=$(curl -s "https://hub.docker.com/v2/repositories/kindest/node/tags" \
| grep -o '"name": *"[^"]*' \
| grep -o '[^"]*$' \
| grep -E '^v[0-9]+\.[0-9]+\.[0-9]+$' \
| sort -rV \
| head -n 1 \
| sed 's/^.\{1\}//' \
| tr -d '\n')
echo "k8s_latest=$kindest_latest" >> $GITHUB_OUTPUT
echo "go_path=$(go env GOPATH)" >> $GITHUB_OUTPUT
source .github/data/version.txt
echo "ic_version=${IC_VERSION}" >> $GITHUB_OUTPUT
echo "chart_version=${HELM_CHART_VERSION}" >> $GITHUB_OUTPUT
echo "forked_workflow=${{ (github.event.pull_request && github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name) || github.repository != 'nginxinc/kubernetes-ingress' }}" >> $GITHUB_OUTPUT
./.github/scripts/variables.sh go_code_md5 >> $GITHUB_OUTPUT
./.github/scripts/variables.sh docker_md5 >> $GITHUB_OUTPUT
./.github/scripts/variables.sh build_tag >> $GITHUB_OUTPUT
./.github/scripts/variables.sh stable_tag >> $GITHUB_OUTPUT
ref=${{ github.ref_name }}
if [[ $ref =~ merge ]]; then
additional_tag="pr-${ref%*/merge}"
else
additional_tag="${ref//\//-}"
fi
echo "additional_tag=${additional_tag}" >> $GITHUB_OUTPUT
cat $GITHUB_OUTPUT
- name: Fetch Cached Binary Artifacts
id: binary-cache
uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
with:
path: ${{ github.workspace }}/dist
key: nginx-ingress-${{ steps.vars.outputs.go_code_md5 }}
lookup-only: true
- name: Check if go.mod and go.sum are up to date
run: go mod tidy && git diff --exit-code -- go.mod go.sum
- name: Check if CRDs changed
run: make update-crds && git diff --name-only --exit-code config/crd/bases
- name: Check if Codegen changed
run: |
cd ../.. && mkdir -p github.com/nginxinc && mv kubernetes-ingress/kubernetes-ingress github.com/nginxinc/ && cd github.com/nginxinc/kubernetes-ingress
make update-codegen && git diff --name-only --exit-code pkg/**
cd ../../.. && mv github.com/nginxinc/kubernetes-ingress kubernetes-ingress/kubernetes-ingress
- name: Authenticate to Google Cloud
id: auth
uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2.1.3
with:
token_format: access_token
workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
if: ${{ steps.vars.outputs.forked_workflow == 'false' }}
- name: Login to GCR
uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
with:
registry: gcr.io
username: oauth2accesstoken
password: ${{ steps.auth.outputs.access_token }}
if: ${{ steps.vars.outputs.forked_workflow == 'false' }}
- name: Check if stable image exists
id: stable_exists
run: |
if docker pull gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-ingress:${{ steps.vars.outputs.stable_tag }}; then
echo "exists=true" >> $GITHUB_OUTPUT
fi
if: ${{ steps.vars.outputs.forked_workflow == 'false' }}
- name: Output variables
run: |
echo docs_only: ${{ github.event.pull_request && steps.docs.outputs.docs_only == 'true' }}
echo k8s_latest: ${{ steps.vars.outputs.k8s_latest }}
echo go_path: ${{ steps.vars.outputs.go_path }}
echo go_code_md5: ${{ steps.vars.outputs.go_code_md5 }}
echo binary_cache_hit: ${{ steps.binary-cache.outputs.cache-hit }}
echo chart_version: ${{ steps.vars.outputs.chart_version }}
echo ic_version: ${{ steps.vars.outputs.ic_version }}
echo docker_md5: ${{ steps.vars.outputs.docker_md5 }}
echo build_tag: ${{ steps.vars.outputs.build_tag }}
echo stable_tag: ${{ steps.vars.outputs.stable_tag }}
echo forked_workflow: ${{ steps.vars.outputs.forked_workflow }}
echo stable_image_exists: ${{ steps.stable_exists.outputs.exists }}
echo additional_tag: ${{ steps.vars.outputs.additional_tag }}
unit-tests:
name: Unit Tests
runs-on: ubuntu-22.04
needs: checks
steps:
- name: Checkout Repository
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Setup Golang Environment
uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
with:
go-version-file: go.mod
if: ${{ needs.checks.outputs.binary_cache_hit != 'true' }}
- name: Run Tests
run: make cover
if: ${{ needs.checks.outputs.binary_cache_hit != 'true' }}
- name: Upload coverage to Codecov
uses: codecov/codecov-action@e28ff129e5465c2c0dcc6f003fc735cb6ae0c673 # v4.5.0
with:
files: ./coverage.txt
token: ${{ secrets.CODECOV_TOKEN }} # required
if: ${{ needs.checks.outputs.binary_cache_hit != 'true' }}
release-notes:
name: Release Notes
runs-on: ubuntu-22.04
needs: [checks, unit-tests]
outputs:
release-url: ${{ steps.release-notes.outputs.release-url }}
permissions:
contents: write # for lucacome/draft-release
steps:
- name: Checkout Repository
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
fetch-depth: 0
- name: Create/Update Draft
uses: lucacome/draft-release@8a63d32c79a171ae6048e614a8988f0ac3ed56d4 # v1.1.0
id: release-notes
with:
minor-label: "enhancement"
major-label: "change"
publish: ${{ github.ref_type == 'tag' && vars.OLD_RELEASE_FLOW == 'true' }}
collapse-after: 50
variables: |
helm-chart=${{ needs.checks.outputs.chart_version }}
notes-footer: |
## Upgrade
- For NGINX, use the {{version}} images from our [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/tags?page=1&ordering=last_updated&name={{version-number}}), [GitHub Container](https://github.com/nginxinc/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress).
- For NGINX Plus, use the {{version}} images from the F5 Container registry, the [AWS Marketplace](https://aws.amazon.com/marketplace/search/?CREATOR=741df81b-dfdc-4d36-b8da-945ea66b522c&FULFILLMENT_OPTION_TYPE=CONTAINER&filters=CREATOR%2CFULFILLMENT_OPTION_TYPE), the [GCP Marketplace](https://console.cloud.google.com/marketplace/browse?filter=partner:F5,%20Inc.&filter=solution-type:k8s&filter=category:networking) or build your own image using the {{version}} source code.
- For Helm, use version {{helm-chart}} of the chart.
## Resources
- Documentation -- https://docs.nginx.com/nginx-ingress-controller/
- Configuration examples -- https://github.com/nginxinc/kubernetes-ingress/tree/{{version}}/examples
- Helm Chart -- https://github.com/nginxinc/kubernetes-ingress/tree/{{version}}/charts/nginx-ingress
- Operator -- https://github.com/nginxinc/nginx-ingress-helm-operator
if: ${{ github.event_name == 'push' && github.ref != 'refs/heads/main' }}
binaries:
name: Build Binaries
runs-on: ubuntu-22.04
needs: [checks, unit-tests]
permissions:
contents: write # for goreleaser/goreleaser-action to manage releases
id-token: write # for goreleaser/goreleaser-action to sign artifacts
issues: write # for goreleaser/goreleaser-action to close milestone
steps:
- name: Checkout Repository
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
fetch-depth: 0
- name: Setup Golang Environment
uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
with:
go-version-file: go.mod
if: ${{ needs.checks.outputs.binary_cache_hit != 'true' }}
- name: Build binaries
uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200 # v6.0.0
with:
version: latest
args: build --snapshot --clean
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GOPATH: ${{ needs.checks.outputs.go_path }}
AWS_PRODUCT_CODE: ${{ secrets.AWS_PRODUCT_CODE }}
AWS_PUB_KEY: ${{ secrets.AWS_PUB_KEY }}
AWS_NAP_DOS_PRODUCT_CODE: ${{ secrets.AWS_NAP_DOS_PRODUCT_CODE }}
AWS_NAP_DOS_PUB_KEY: ${{ secrets.AWS_NAP_DOS_PUB_KEY }}
AWS_NAP_WAF_PRODUCT_CODE: ${{ secrets.AWS_NAP_WAF_PRODUCT_CODE }}
AWS_NAP_WAF_PUB_KEY: ${{ secrets.AWS_NAP_WAF_PUB_KEY }}
AWS_NAP_WAF_DOS_PRODUCT_CODE: ${{ secrets.AWS_NAP_WAF_DOS_PRODUCT_CODE }}
AWS_NAP_WAF_DOS_PUB_KEY: ${{ secrets.AWS_NAP_WAF_DOS_PUB_KEY }}
GORELEASER_CURRENT_TAG: "v${{ needs.checks.outputs.ic_version }}"
if: ${{ needs.checks.outputs.binary_cache_hit != 'true' }}
- name: Store Artifacts in Cache
uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
with:
path: ${{ github.workspace }}/dist
key: nginx-ingress-${{ needs.checks.outputs.go_code_md5 }}
if: ${{ needs.checks.outputs.binary_cache_hit != 'true' }}
build-docker:
name: Build Docker OSS
needs: [binaries, checks]
strategy:
fail-fast: false
matrix:
image: [debian, alpine]
platforms:
["linux/arm, linux/arm64, linux/amd64, linux/ppc64le, linux/s390x"]
include:
- image: ubi
platforms: "linux/arm64, linux/amd64, linux/ppc64le, linux/s390x"
uses: ./.github/workflows/build-oss.yml
with:
platforms: ${{ matrix.platforms }}
image: ${{ matrix.image }}
go-md5: ${{ needs.checks.outputs.go_code_md5 }}
base-image-md5: ${{ needs.checks.outputs.docker_md5 }}
authenticated: ${{ needs.checks.outputs.forked_workflow != 'true' }}
full-build: ${{ inputs.force && inputs.force || false }}
tag: ${{ needs.checks.outputs.build_tag }}
branch: ${{ github.head_ref && github.head_ref || github.ref }}
permissions:
contents: read
actions: read
security-events: write
id-token: write
packages: write
pull-requests: write # for scout report
secrets: inherit
build-docker-plus:
name: Build Docker Plus
needs: [binaries, checks]
strategy:
fail-fast: false
matrix:
image: [debian-plus, alpine-plus, alpine-plus-fips]
platforms: ["linux/arm64, linux/amd64"]
target: [goreleaser, aws]
include:
- image: ubi-plus
platforms: "linux/arm64, linux/amd64, linux/s390x"
target: goreleaser
uses: ./.github/workflows/build-plus.yml
with:
platforms: ${{ matrix.platforms }}
image: ${{ matrix.image }}
target: ${{ matrix.target }}
go-md5: ${{ needs.checks.outputs.go_code_md5 }}
base-image-md5: ${{ needs.checks.outputs.docker_md5 }}
branch: ${{ github.head_ref && github.head_ref || github.ref }}
tag: ${{ needs.checks.outputs.build_tag }}
authenticated: ${{ needs.checks.outputs.forked_workflow != 'true' }}
full-build: ${{ inputs.force && inputs.force || false }}
permissions:
contents: read
security-events: write
id-token: write
pull-requests: write # for scout report
secrets: inherit
build-docker-nap:
name: Build Docker NAP
needs: [binaries, checks]
strategy:
fail-fast: false
matrix:
image: [debian-plus-nap]
platforms: ["linux/amd64"]
target: [goreleaser, aws]
nap_modules: [dos, waf, "waf,dos"]
include:
- image: ubi-9-plus-nap
target: goreleaser
platforms: "linux/amd64"
nap_modules: waf
- image: ubi-8-plus-nap
target: goreleaser
platforms: "linux/amd64"
nap_modules: dos
- image: ubi-8-plus-nap
target: goreleaser
platforms: "linux/amd64"
nap_modules: "waf,dos"
- image: ubi-9-plus-nap
target: aws
platforms: "linux/amd64"
nap_modules: waf
- image: ubi-8-plus-nap
target: aws
platforms: "linux/amd64"
nap_modules: dos
- image: ubi-8-plus-nap
target: aws
platforms: "linux/amd64"
nap_modules: "waf,dos"
- image: alpine-plus-nap-fips
target: goreleaser
platforms: "linux/amd64"
nap_modules: waf
- image: alpine-plus-nap-v5-fips
target: goreleaser
platforms: "linux/amd64"
nap_modules: waf
- image: debian-plus-nap-v5
target: goreleaser
platforms: "linux/amd64"
nap_modules: waf
- image: ubi-9-plus-nap-v5
target: goreleaser
platforms: "linux/amd64"
nap_modules: waf
- image: ubi-8-plus-nap-v5
target: goreleaser
platforms: "linux/amd64"
nap_modules: waf
uses: ./.github/workflows/build-plus.yml
with:
platforms: ${{ matrix.platforms }}
image: ${{ matrix.image }}
target: ${{ matrix.target }}
go-md5: ${{ needs.checks.outputs.go_code_md5 }}
base-image-md5: ${{ needs.checks.outputs.docker_md5 }}
branch: ${{ github.head_ref && github.head_ref || github.ref }}
tag: ${{ needs.checks.outputs.build_tag }}
nap-modules: ${{ matrix.nap_modules }}
authenticated: ${{ needs.checks.outputs.forked_workflow != 'true' }}
full-build: ${{ inputs.force && inputs.force || false }}
permissions:
contents: read
security-events: write
id-token: write
pull-requests: write # for scout report
secrets: inherit
tag-target:
name: Tag untested image with PR number
needs: [checks, build-docker, build-docker-plus, build-docker-nap]
permissions:
contents: read # To checkout repository
id-token: write # To sign into Google Container Registry
uses: ./.github/workflows/retag-images.yml
with:
source_tag: ${{ needs.checks.outputs.build_tag }}
target_tag: ${{ needs.checks.outputs.additional_tag }}
dry_run: false
secrets: inherit
if: ${{ inputs.force || (needs.checks.outputs.forked_workflow == 'false' && needs.checks.outputs.stable_image_exists != 'true' && needs.checks.outputs.docs_only == 'false') }}
helm-tests:
if: ${{ needs.checks.outputs.docs_only != 'true' }}
name: Helm Tests ${{ matrix.base-os }}
runs-on: ubuntu-22.04
needs: [checks, binaries, build-docker, build-docker-plus]
strategy:
fail-fast: false
matrix:
include:
- base-os: debian
image: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-ingress
tag: ${{ needs.checks.outputs.build_tag }}
type: oss
- base-os: debian-plus
image: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress
tag: ${{ needs.checks.outputs.build_tag }}
type: plus
permissions:
contents: read
id-token: write
steps:
- name: Checkout Repository
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Authenticate to Google Cloud
id: auth
uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2.1.3
with:
token_format: access_token
workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
if: ${{ needs.checks.outputs.forked_workflow == 'false' || needs.checks.outputs.docs_only == 'false' }}
- name: Login to GCR
uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
with:
registry: gcr.io
username: oauth2accesstoken
password: ${{ steps.auth.outputs.access_token }}
if: ${{ needs.checks.outputs.forked_workflow == 'false' || needs.checks.outputs.docs_only == 'false' }}
- name: Check if stable image exists
id: stable_exists
run: |
if docker pull ${{ matrix.image }}:${{ needs.checks.outputs.stable_tag }}; then
echo "exists=true" >> $GITHUB_OUTPUT
fi
if: ${{ needs.checks.outputs.forked_workflow == 'false' || needs.checks.outputs.docs_only == 'false' }}
- name: Pull build image
run: |
docker pull ${{ matrix.image }}:${{ needs.checks.outputs.build_tag }}
if: ${{ ( needs.checks.outputs.forked_workflow == 'false' || needs.checks.outputs.docs_only == 'false' ) && steps.stable_exists.outputs.exists != 'true' }}
- name: Fetch Cached Artifacts
uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
with:
path: ${{ github.workspace }}/dist
key: nginx-ingress-${{ needs.checks.outputs.go_code_md5 }}
if: ${{ needs.checks.outputs.forked_workflow == 'true' && needs.checks.outputs.docs_only == 'false' }}
- name: Docker Buildx
uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
if: ${{ needs.checks.outputs.forked_workflow == 'true' && needs.checks.outputs.docs_only == 'false' }}
- name: Build Docker Image ${{ matrix.base-os }}
uses: docker/build-push-action@f6010ea70151369b06f0194be1051fbbdff851b2 # v6.0.2
with:
file: build/Dockerfile
context: "."
cache-from: type=gha,scope=${{ matrix.base-os }}
target: goreleaser
tags: "${{ matrix.image }}:${{ matrix.tag }}"
pull: true
load: true
build-args: |
BUILD_OS=${{ matrix.base-os }}
IC_VERSION=CI
secrets: |
${{ matrix.type == 'plus' && format('"nginx-repo.crt={0}"', secrets.NGINX_CRT) || '' }}
${{ matrix.type == 'plus' && format('"nginx-repo.key={0}"', secrets.NGINX_KEY) || '' }}
if: ${{ needs.checks.outputs.forked_workflow == 'true' && needs.checks.outputs.docs_only == 'false' }}
- name: Deploy Kubernetes
id: k8s
run: |
kind create cluster --name ${{ github.run_id }} --image=kindest/node:v${{ needs.checks.outputs.k8s_latest }} --wait 75s
kind load docker-image "${{ matrix.image }}:${{ matrix.tag }}" --name ${{ github.run_id }}
if: ${{ steps.stable_exists.outputs.exists != 'true' && needs.checks.outputs.docs_only == 'false' }}
- name: Install Chart
run: >
helm install
${{ matrix.type }}
.
--set controller.image.repository=${{ matrix.image }}
--set controller.image.tag=${{ matrix.tag }}
--set controller.service.type=NodePort
--set controller.nginxplus=${{ contains(matrix.type, 'plus') && 'true' || 'false' }}
--set controller.telemetryReporting.enable=false
--wait
working-directory: ${{ github.workspace }}/charts/nginx-ingress
if: ${{ steps.stable_exists.outputs.exists != 'true' && needs.checks.outputs.docs_only == 'false' }}
- name: Expose Test Ingresses
run: |
kubectl port-forward service/${{ matrix.type }}-nginx-ingress-controller 8080:80 8443:443 &
if: ${{ steps.stable_exists.outputs.exists != 'true' && needs.checks.outputs.docs_only == 'false' }}
- name: Test HTTP
run: |
counter=0
max_attempts=5
until [ $(curl --write-out %{http_code} -s --output /dev/null http://localhost:8080) -eq 404 ]; do
if [ ${counter} -eq ${max_attempts} ]; then
exit 1
fi
printf '.'; counter=$(($counter+1)); sleep 5;
done
if: ${{ steps.stable_exists.outputs.exists != 'true' && needs.checks.outputs.docs_only == 'false' }}
- name: Test HTTPS
run: |
counter=0
max_attempts=5
until [ $(curl --write-out %{http_code} -ks --output /dev/null https://localhost:8443) -eq 000 ]; do
if [ ${counter} -eq ${max_attempts} ]; then
exit 1
fi
printf '.'; counter=$(($counter+1)); sleep 5;
done
if: ${{ steps.stable_exists.outputs.exists != 'true' && needs.checks.outputs.docs_only == 'false' }}
setup-matrix:
if: ${{ inputs.force || needs.checks.outputs.docs_only != 'true' }}
name: Setup Matrix for Smoke Tests
runs-on: ubuntu-22.04
needs: [binaries, checks]
permissions:
contents: read
id-token: write
outputs:
matrix: ${{ steps.set-matrix.outputs.matrix }}
steps:
- name: Checkout Repository
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- id: set-matrix
run: |
echo "matrix=$(cat .github/data/matrix-smoke.json | jq -c --arg latest "${{ needs.checks.outputs.k8s_latest }}" '.k8s += [$latest]')" >> $GITHUB_OUTPUT
- name: Docker Buildx
uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
- name: Authenticate to Google Cloud
id: auth
uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2.1.3
with:
token_format: access_token
workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
if: ${{ needs.checks.outputs.forked_workflow == 'false' && needs.checks.outputs.docs_only == 'false' }}
- name: Login to GCR
uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
with:
registry: gcr.io
username: oauth2accesstoken
password: ${{ steps.auth.outputs.access_token }}
if: ${{ needs.checks.outputs.forked_workflow == 'false' && needs.checks.outputs.docs_only == 'false' }}
- name: Check if test image exists
id: check-image
run: |
docker pull gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/test-runner:${{ hashFiles('./tests/requirements.txt') || 'latest' }}
shell: bash
continue-on-error: true
if: ${{ needs.checks.outputs.forked_workflow == 'false' && needs.checks.outputs.docs_only == 'false' }}
- name: Build Test-Runner Container
uses: docker/build-push-action@f6010ea70151369b06f0194be1051fbbdff851b2 # v6.0.2
with:
file: tests/Dockerfile
context: "."
cache-from: type=gha,scope=test-runner
tags: "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/test-runner:${{ hashFiles('./tests/requirements.txt') || 'latest' }}"
pull: true
push: ${{ needs.checks.outputs.forked_workflow == 'false' }}
load: false
if: ${{ steps.check-image.outcome == 'failure' && needs.checks.outputs.docs_only == 'false' }}
smoke-tests:
if: ${{ inputs.force || needs.checks.outputs.docs_only != 'true' }}
name: ${{ matrix.images.label }} ${{ matrix.images.image }} ${{ matrix.k8s }} smoke tests
runs-on: ubuntu-22.04
needs:
- checks
- setup-matrix
- build-docker
- build-docker-plus
- build-docker-nap
strategy:
fail-fast: false
matrix: ${{ fromJSON(needs.setup-matrix.outputs.matrix) }}
permissions:
contents: read
id-token: write
steps:
- name: Checkout Repository
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Set image variables
id: image_details
run: |
echo "name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic${{ contains(matrix.images.nap_modules, 'dos') && '-dos' || '' }}${{ contains(matrix.images.nap_modules, 'waf') && '-nap' || '' }}/nginx${{ contains(matrix.images.image, 'plus') && '-plus' || '' }}-ingress" >> $GITHUB_OUTPUT
echo "build_tag=${{ needs.checks.outputs.build_tag }}${{ contains(matrix.images.image, 'ubi') && '-ubi' || '' }}${{ contains(matrix.images.image, 'alpine') && '-alpine' || '' }}${{ contains(matrix.images.target, 'aws') && '-mktpl' || '' }}${{ contains(matrix.images.image, 'fips') && '-fips' || ''}}" >> $GITHUB_OUTPUT
echo "stable_tag=${{ needs.checks.outputs.stable_tag }}${{ contains(matrix.images.image, 'ubi') && '-ubi' || '' }}${{ contains(matrix.images.image, 'alpine') && '-alpine' || '' }}${{ contains(matrix.images.target, 'aws') && '-mktpl' || '' }}${{ contains(matrix.images.image, 'fips') && '-fips' || ''}}" >> $GITHUB_OUTPUT
- name: Authenticate to Google Cloud
id: auth
uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2.1.3
with:
token_format: access_token
workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
if: ${{ needs.checks.outputs.forked_workflow == 'false' && needs.checks.outputs.docs_only == 'false' }}
- name: Login to GCR
uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
with:
registry: gcr.io
username: oauth2accesstoken
password: ${{ steps.auth.outputs.access_token }}
if: ${{ needs.checks.outputs.forked_workflow == 'false' && needs.checks.outputs.docs_only == 'false' }}
- name: Check if stable image exists
id: stable_exists
run: |
if docker pull ${{ steps.image_details.outputs.name }}:${{ steps.image_details.outputs.stable_tag }}; then
echo "exists=true" >> $GITHUB_OUTPUT
fi
if: ${{ needs.checks.outputs.forked_workflow == 'false' && needs.checks.outputs.docs_only == 'false' }}
- name: NAP modules
id: nap_modules
run: |
[[ "${{ matrix.images.nap_modules }}" == "waf,dos" ]] && modules="waf-dos" || modules="${{ matrix.images.nap_modules }}"
echo "modules=${modules}" >> $GITHUB_OUTPUT
if: ${{ matrix.images.nap_modules }}
- name: Pull build image
run: |
docker pull ${{ steps.image_details.outputs.name }}:${{ steps.image_details.outputs.build_tag }}
if: ${{ needs.checks.outputs.forked_workflow == 'false' && steps.stable_exists.outputs.exists != 'true' && needs.checks.outputs.docs_only == 'false' }}
- name: Fetch Cached Artifacts
uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
with:
path: ${{ github.workspace }}/dist
key: nginx-ingress-${{ needs.checks.outputs.go_code_md5 }}
fail-on-cache-miss: true
if: ${{ needs.checks.outputs.forked_workflow == 'true' && needs.checks.outputs.docs_only == 'false' }}
- name: Check if test image exists
id: check-image
run: |
docker manifest inspect "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/test-runner:${{ hashFiles('./tests/requirements.txt') || 'latest' }}"
shell: bash
continue-on-error: true
if: ${{ needs.checks.outputs.forked_workflow == 'false' && needs.checks.outputs.docs_only == 'false' }}
- name: Build Test-Runner Container
uses: docker/build-push-action@f6010ea70151369b06f0194be1051fbbdff851b2 # v6.0.2
with:
file: tests/Dockerfile
context: "."
cache-from: type=gha,scope=test-runner
tags: "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/test-runner:${{ hashFiles('./tests/requirements.txt') || 'latest' }}"
pull: true
push: ${{ needs.checks.outputs.forked_workflow == 'false' }}
load: ${{ needs.checks.outputs.forked_workflow == 'true' }}
if: ${{ ( needs.checks.outputs.forked_workflow == 'true' || steps.check-image.outcome == 'failure' ) && needs.checks.outputs.docs_only == 'false' }}
- name: Build ${{ matrix.images.image }} Container
uses: docker/build-push-action@f6010ea70151369b06f0194be1051fbbdff851b2 # v6.0.2
with:
file: build/Dockerfile
context: "."
cache-from: type=gha,scope=${{ matrix.images.image }}${{ steps.nap_modules.outputs.name != '' && format('-{0}', steps.nap_modules.outputs.name) || '' }}
cache-to: type=gha,scope=${{ matrix.images.image }}${{ steps.nap_modules.outputs.name != '' && format('-{0}', steps.nap_modules.outputs.name) || '' }},mode=max
target: goreleaser
tags: "${{ steps.image_details.outputs.name }}:${{ steps.image_details.outputs.build_tag }}"
load: true
pull: true
build-args: |
BUILD_OS=${{ matrix.images.image }}
IC_VERSION=CI
${{ contains(matrix.images.image, 'nap') && format('NAP_MODULES={0}', steps.nap_modules.outputs.modules) || '' }}
${{ contains(matrix.images.marker, 'appprotect') && 'DEBIAN_VERSION=buster-slim' || '' }}
secrets: |
${{ contains(matrix.images.image, 'nap') && format('"nginx-repo.crt={0}"', secrets.NGINX_AP_CRT) || format('"nginx-repo.crt={0}"', secrets.NGINX_CRT) }}
${{ contains(matrix.images.image, 'nap') && format('"nginx-repo.key={0}"', secrets.NGINX_AP_KEY) || format('"nginx-repo.key={0}"', secrets.NGINX_KEY) }}
${{ contains(matrix.images.image, 'ubi') && format('"rhel_license={0}"', secrets.RHEL_LICENSE) || '' }}
if: ${{ needs.checks.outputs.forked_workflow == 'true' && needs.checks.outputs.docs_only == 'false' }}
- name: Run Smoke Tests
id: smoke-tests
uses: ./.github/actions/smoke-tests
with:
image-type: ${{ matrix.images.image }}
image-name: ${{ steps.image_details.outputs.name }}
tag: ${{ steps.image_details.outputs.build_tag }}
marker: ${{ matrix.images.marker != '' && matrix.images.marker || '' }}
k8s-version: ${{ matrix.k8s }}
azure-ad-secret: ${{ secrets.AZURE_AD_AUTOMATION }}
test-image: "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/test-runner:${{ hashFiles('./tests/requirements.txt') || 'latest' }}"
if: ${{ steps.stable_exists.outputs.exists != 'true' && needs.checks.outputs.docs_only == 'false' }}
- name: Upload Test Results
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: ${{ steps.smoke-tests.outputs.test-results-name }}-${{ matrix.k8s }}
path: ${{ github.workspace }}/tests/${{ steps.smoke-tests.outputs.test-results-name }}-${{ matrix.k8s }}.html
if: always()
tag-stable:
name: Tag tested image as stable
needs: [checks, smoke-tests]
permissions:
contents: read # To checkout repository
id-token: write # To sign into Google Container Registry
uses: ./.github/workflows/retag-images.yml
with:
source_tag: ${{ needs.checks.outputs.build_tag }}
target_tag: ${{ needs.checks.outputs.stable_tag }}
dry_run: false
secrets: inherit
if: ${{ inputs.force || (needs.checks.outputs.forked_workflow == 'false' && needs.checks.outputs.stable_image_exists != 'true' && needs.checks.outputs.docs_only == 'false') }}
tag-results:
if: ${{ always() }}
runs-on: ubuntu-22.04
name: Final CI Results
needs: [tag-stable, smoke-tests]
steps:
- run: |
tagResult="${{ needs.tag-stable.result }}"
smokeResult="${{ needs.smoke-tests.result }}"
if [[ $tagResult != "success" && $tagResult != "skipped" ]]; then
exit 1
fi
if [[ $smokeResult != "success" && $smokeResult != "skipped" ]]; then
exit 1
fi
trigger-image-promotion:
name: Promote images on Force Run
needs:
- build-docker
- build-docker-plus
- build-docker-nap
- tag-results
permissions:
contents: write # for pushing to Helm Charts repository
id-token: write # To sign into Google Container Registry
actions: read
packages: write # for helm to push to GHCR
security-events: write
pull-requests: write # for scout report
uses: ./.github/workflows/image-promotion.yml
if: ${{ inputs.force && inputs.force || false }}