Merge pull request #430 from neilcook/gh_actions

Use Org-Wide Secrets and PDNS Account for Image Push
PowerDNS · Jul 8, 2024 · 76b6ffa · 76b6ffa
2 parents a0c72ae + ba5af8e
commit 76b6ffa
Show file tree

Hide file tree

Showing 10 changed files with 44 additions and 19 deletions.
diff --git a/.github/workflows/builder.yml b/.github/workflows/builder.yml
@@ -15,8 +15,8 @@ jobs:
     strategy:
       matrix:
         os:
-          - centos-7
-          - ol-8
+          - el-7
+          - el-8
           - el-9
           - amazon-2
           - debian-bullseye

diff --git a/.github/workflows/docker-minimal.yml b/.github/workflows/docker-minimal.yml
@@ -15,7 +15,7 @@ jobs:
       DOCKERFILE: docker/wforce_image/Dockerfile.minimal
       BRANCH_NAME: ${{ github.head_ref || github.ref_name }}
       IMAGE_NAME: wforce-minimal
-      DOCKER_ORGANIZATION_NAME: ${{ secrets.DOCKER_ORGANIZATION_NAME }}
+      DOCKER_ORGANIZATION_NAME: ${{ secrets.DOCKERHUB_ORGANIZATION_NAME }}
     steps:
       - uses: actions/checkout@v4
         with:
@@ -35,12 +35,17 @@ jobs:
           if [[ ${{ github.ref }} =~ ^refs/tags/v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
             echo "release=YES" >> $GITHUB_OUTPUT
           fi
+      - name: Set short git commit SHA
+        id: vars
+        run: |
+          calculatedSha=$(git rev-parse --short ${{ github.sha }})
+          echo "COMMIT_SHORT_SHA=$calculatedSha" >> $GITHUB_ENV
       - name: Login to Docker
         if: steps.release_check.outputs.release == 'YES' || env.BRANCH_NAME == 'master'
         uses: docker/login-action@v3
         with:
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_PASSWORD }}
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
       - name: Build and push to docker hub for releases with tag
         id: release_build
         if: ${{ steps.release_check.outputs.release == 'YES' }}
@@ -49,6 +54,10 @@ jobs:
           context: .
           file: ${{ env.DOCKERFILE }}
           platforms: ${{ env.PLATFORMS }}
+          build-args: |
+            license=GPLv3
+            git_revision=${{ env.COMMIT_SHORT_SHA }}
+            version=${{ env.MYREF }}
           push: true
           sbom: true
           tags: |
@@ -61,6 +70,10 @@ jobs:
           context: .
           file: ${{ env.DOCKERFILE }}
           platforms: ${{ env.PLATFORMS }}
+          build-args: |
+            license=GPLv3
+            git_revision=${{ env.COMMIT_SHORT_SHA }}
+            version=${{ env.MYREF }}
           push: true
           sbom: true
           tags: |

diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
@@ -29,7 +29,8 @@ jobs:
       - run: ./configure --enable-docker --disable-dns --disable-sodium --disable-geoip
       - run: cd docker/wforce_image && make test_wforce_image
       - run: cd docker/wforce_image && make build_wforce_image
-      - run: cd docker && bash docker_push.sh "powerdns/wforce"
+      - run: cd docker && bash docker_push.sh "${{ env.DOCKER_ORGNAME }}/wforce"
         env:
-          DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
-          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+          DOCKER_PASSWORD: ${{ secrets.DOCKERHUB_TOKEN }}
+          DOCKER_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
+          DOCKER_ORGNAME: ${{ secrets.DOCKERHUB_ORGANIZATION_NAME }}
diff --git a/builder-support/dockerfiles/Dockerfile.target.centos-7 b/builder-support/dockerfiles/Dockerfile.target.centos-7
@@ -6,8 +6,8 @@
 # This defines the distribution base layer
 # Put only the bare minimum of common commands here, without dev tools
 FROM centos:7 as dist-base
-RUN yum install -y epel-release
-RUN yum install -y centos-release-scl && yum install -y llvm-toolset-7.0
+RUN sed -i 's,mirrorlist,#&,g;s,#baseurl=http://mirror.centos.org,baseurl=http://vault.centos.org,g' /etc/yum.repos.d/CentOS-* && yum install -y epel-release
+RUN yum install -y centos-release-scl-rh && sed -i 's,mirrorlist,#&,g;s,#baseurl=http://mirror.centos.org,baseurl=http://vault.centos.org,g' /etc/yum.repos.d/CentOS-* && yum install -y llvm-toolset-7.0
 RUN echo "source /opt/rh/llvm-toolset-7.0/enable" >> /etc/bashrc
 
 # Do the actual rpm build

diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml
@@ -17,7 +17,7 @@ services:
     depends_on:
       - elasticsearch
   elasticsearch:
-    image: elasticsearch:7.14.1
+    image: elasticsearch:8.14.1
     environment:
       - xpack.security.enabled=false
       - discovery.type=single-node

diff --git a/docker/logstash/Dockerfile b/docker/logstash/Dockerfile
@@ -1,7 +1,7 @@
-FROM docker.elastic.co/logstash/logstash:7.14.2
+FROM docker.elastic.co/logstash/logstash:8.14.1
 
 USER root
-RUN yum install -y wget
+RUN apt update && apt install -y wget
 RUN mkdir -p /usr/share/logstash/geoip
 RUN chown -R logstash:logstash /usr/share/logstash/geoip
 ARG MAXMIND_LICENSE_KEY

diff --git a/docker/wforce_image/Dockerfile b/docker/wforce_image/Dockerfile
@@ -1,4 +1,4 @@
-FROM debian:bookworm-slim as wforce_build
+FROM debian:bookworm-slim AS wforce_build
 
 RUN apt-get update && \
     apt-get dist-upgrade -y && \
@@ -55,7 +55,7 @@ RUN ./configure --prefix /usr --enable-trackalert --disable-systemd --disable-so
 RUN make clean
 RUN make install DESTDIR=/wforce/install
 
-FROM debian:bookworm-slim as wforce_image
+FROM debian:bookworm-slim AS wforce_image
 
 WORKDIR /wforce/
 

diff --git a/docker/wforce_image/Dockerfile.minimal b/docker/wforce_image/Dockerfile.minimal
@@ -1,4 +1,4 @@
-FROM alpine:3.20 as lua_build
+FROM alpine:3.20 AS lua_build
 
 RUN apk update && \
     apk add \
@@ -20,7 +20,7 @@ RUN luarocks-5.1 install elasticsearch-lua && \
     luarocks-5.1 install lua-resty-template && \
     luarocks-5.1 install redis-lua
 
-FROM alpine:3.20 as wforce_build
+FROM alpine:3.20 AS wforce_build
 
 RUN apk update && \
     apk add \
@@ -85,7 +85,7 @@ RUN strip /wforce/install/usr/bin/wforce /wforce/install/usr/bin/trackalert
 # Remove the default wforce.conf and trackalert.conf files
 RUN rm /wforce/install/etc/wforce/wforce.conf /wforce/install/etc/wforce/trackalert.conf
 
-FROM alpine:3.20 as wforce_image
+FROM alpine:3.20 AS wforce_image
 
 WORKDIR /wforce/
 

diff --git a/docker/wforce_image/Makefile.am b/docker/wforce_image/Makefile.am
@@ -1,6 +1,7 @@
 DCMP = docker-compose
 WFORCE_IMAGE_COMPOSE_TARGET = .wforce_image_docker
 WFORCE_IMAGE_SERVICE = wforce_image
+WFORCE_MINIMAL_IMAGE_SERVICE = wforce_minimal
 TRACKALERT_IMAGE_SERVICE = trackalert
 COMPOSE_SOURCE=Dockerfile create_config.sh docker-compose.yml docker-entrypoint.sh wforce.conf.j2
 export BUILD_DATE= $(shell date)
@@ -36,6 +37,8 @@ test_wforce_image: build_wforce_image
 	$(DCMP) up -d
 	$(DCMP) exec -T $(WFORCE_IMAGE_SERVICE) test -f /usr/bin/wforce
 	$(DCMP) exec -T $(WFORCE_IMAGE_SERVICE) test -f /usr/bin/trackalert
+	$(DCMP) exec -T $(WFORCE_MINIMAL_IMAGE_SERVICE) test -f /usr/bin/wforce
+	$(DCMP) exec -T $(WFORCE_MINIMAL_IMAGE_SERVICE) test -f /usr/bin/trackalert
 	curl -u foo:$(WFORCE_PASSWORD) http://localhost:$(WFORCE_PORT)/metrics
 	$(DCMP) exec -T $(WFORCE_IMAGE_SERVICE) wforce -e 'showStringStatsDB()' | grep "Shards"
 	curl -u foo:$(WFORCE_PASSWORD) http://localhost:$(TRACKALERT_PORT)/metrics

diff --git a/docker/wforce_image/docker-compose.yml b/docker/wforce_image/docker-compose.yml
@@ -1,6 +1,5 @@
 version: '2'
 services:
-  # This is the optimized image that will go onto Docker Hub
   wforce_image:
     image: powerdns/wforce:${VERSION}
     build:
@@ -19,6 +18,15 @@ services:
       - WFORCE_CONFIG_FILE
     ports:
       - "${WFORCE_PORT}:${WFORCE_PORT}"
+  wforce_minimal:
+    image: powerdns/wforce-minimal:${VERSION}
+    build:
+      context: weakforced
+      dockerfile: docker/wforce_image/Dockerfile.minimal
+      args:
+        - license=${LICENSE}
+        - git_revision=${GIT_REVISION}
+        - version=${VERSION}
   trackalert:
     image: powerdns/wforce:${VERSION}
     environment: