DEVOPS-2235 Switching to AiO

.dockerignore

@@ -0,0 +1,2 @@
+**/*.tar
+**/*.tar.gz

.github/workflows/build.yaml

@@ -16,7 +16,7 @@ jobs:
     outputs:
       release_type: ${{ steps.check_release.outputs.type }}
     env:
-      TAG: ${{ github.ref_name }}
+      CONTAINER_VERSION: ${{ github.ref_name }}
     steps:
       - name: Checkout
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3.0.2
@@ -44,17 +44,14 @@ jobs:
         id: check_release
         run: |
           TYPE="production"
-          if [[ ${TAG} =~ "rc" ]]; then
+          if [[ ${CONTAINER_VERSION} =~ "rc" ]]; then
             TYPE="release-candidate"
           fi
           echo "Release type: ${TYPE}"
           echo "type=${TYPE}" >> $GITHUB_OUTPUT
 
-      - name: Build
-        run: make build
-
-      - name: Push
-        run: make push
+      - name: Build and push
+        run: make BUILDX_ARGS=--push build
 
       - name: Push latest
         if: steps.check_release.outputs.type == 'production'
@@ -105,7 +102,7 @@ jobs:
           syft -o spdx-json ${IMAGE_NAME} > ${SBOM_SPDX}
           cosign attach sbom --sbom ${SBOM_SPDX} ${IMAGE_DIGEST}
           cosign sign --yes --key env://COSIGN_PRIVATE_KEY "${IMAGE_URI}.sbom"
-          cosign sign --yes --key env://COSIGN_PRIVATE_KEY ${IMAGE_DIGEST}
+          cosign sign --recursive --yes --key env://COSIGN_PRIVATE_KEY ${IMAGE_DIGEST}
 
           echo "sbom=${SBOM_SPDX}" >> $GITHUB_OUTPUT
 
@@ -115,3 +112,73 @@ jobs:
           retention-days: 30
           name: ${{ steps.sign.outputs.sbom }}
           path: ${{ steps.sign.outputs.sbom }}
+
+  update_version:
+    name: Update package version
+    if: needs.build.outputs.release_type == 'production'
+    runs-on: self-hosted-amd64-1cpu
+    needs: build
+    steps:
+      - name: Import secrets
+        uses: hashicorp/vault-action@affa6f04da5c2d55e6e115b7d1b044a6b1af8c74 # v2.7.4
+        id: secrets
+        with:
+          exportEnv: true
+          url: ${{ secrets.VAULT_URL }}
+          role: ${{ secrets.VAULT_ROLE }}
+          method: kubernetes
+          path: kubernetes-ci
+          secrets: |
+            kv-gitlab-ci/data/github/shared/versions-repo-creds token_secret | GITLAB_TOKEN ;
+            kv-gitlab-ci/data/github/shared/versions-repo-creds token_secret | GITLAB_TOKEN_NAME ;
+            kv-gitlab-ci/data/github/shared/versions-repo-creds host | GITLAB_HOST ;
+            kv-gitlab-ci/data/github/shared/versions-repo-creds repo | GITLAB_REPO ;
+
+      - name: Update package version
+        env:
+          COMPONENT_NAME: wallarm-nginx-docker
+          COMPONENT_VERSION: ${{ github.ref_name }}
+        run: |
+          PR_BRANCH="update/${COMPONENT_NAME}/${COMPONENT_VERSION}"
+          COMMIT_MESSAGE="Bump ${COMPONENT_NAME} version to ${COMPONENT_VERSION}"
+          GITLAB_REPO_URL="https://${GITLAB_TOKEN_NAME}:${GITLAB_TOKEN}@${GITLAB_HOST}/${GITLAB_REPO}"
+
+          git clone ${GITLAB_REPO_URL}
+          cd packages_versions
+          git checkout -b ${PR_BRANCH}
+          git config --local user.name 'project_808_bot'
+          git config --local user.email 'project808_bot@noreply.${GITLAB_HOST}'
+
+          cd packages_versions
+          cat latest.json | jq -r '.body."'"$COMPONENT_NAME"'" += ["'"$COMPONENT_VERSION"'"]' > latest.new.json
+          mv latest.new.json latest.json
+          git add latest.json
+          git commit -m "${COMMIT_MESSAGE}"
+          git push ${GITLAB_REPO_URL} ${PR_BRANCH}
+
+          glab auth login --hostname ${GITLAB_HOST} --token ${GITLAB_TOKEN}
+
+          echo "Creating merge request ..."
+          glab mr create \
+            --fill \
+            --yes \
+            --label ${COMPONENT_NAME} \
+            --source-branch ${PR_BRANCH} \
+            --repo https://${GITLAB_HOST}/${GITLAB_REPO}
+
+          echo "Approving merge request ..."
+          glab mr approve \
+            ${PR_BRANCH} \
+            --repo https://${GITLAB_HOST}/${GITLAB_REPO}
+
+          # Sometimes merging is failed without delay
+          echo "Sleep ..."
+          sleep 20
+
+          echo "Merging ..."
+          glab mr merge \
+            ${PR_BRANCH} \
+            --yes \
+            --remove-source-branch \
+            --when-pipeline-succeeds=false \
+            --repo https://${GITLAB_HOST}/${GITLAB_REPO}

.github/workflows/ci.yaml

@@ -12,34 +12,48 @@ permissions:
 jobs:
   build:
     name: Build
-    runs-on: self-hosted-amd64-1cpu
+    runs-on: ${{ matrix.RUNNER }}
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - PLATFORM: amd64
+            ARCH: x86_64
+            RUNNER: self-hosted-amd64-1cpu
+          - PLATFORM: arm64
+            ARCH: aarch64
+            RUNNER: self-hosted-arm64-1cpu
     steps:
       - name: Checkout
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3.0.2
 
       - name: Build image
-        run: make build
+        run: make ARCHS=${{ matrix.ARCH }} PLATFORMS=${{ matrix.PLATFORM }} BUILDX_ARGS=--load build
 
       - name: Save image
-        run: docker save -o node.tar docker.io/wallarm/node:test
+        run: docker save -o node-${{ matrix.ARCH }}.tar docker.io/wallarm/node:test
 
       - name: Cache image
         uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32
         with:
           retention-days: 1
-          name: node.tar
-          path: node.tar
+          name: node-${{ matrix.ARCH }}.tar
+          path: node-${{ matrix.ARCH }}.tar
 
   test:
     name: Test
-    runs-on: self-hosted-amd64-2cpu
+    runs-on: ${{ matrix.RUNNER }}
     needs:
       - build
     strategy:
       matrix:
-        case:
-          - single
-          - split
+        case: [single, split]
+        ARCH: [x86_64, aarch64]
+        include:
+          - ARCH: x86_64
+            RUNNER: self-hosted-amd64-2cpu
+          - ARCH: aarch64
+            RUNNER: self-hosted-arm64-2cpu
       fail-fast: false
     steps:
       - name: Checkout
@@ -58,6 +72,9 @@ jobs:
             kv-gitlab-ci/data/github/ingress api_token ;
             kv-gitlab-ci/data/github/ingress user_secret ;
             kv-gitlab-ci/data/github/ingress user_uuid ;
+            kv-gitlab-ci/data/github/ingress allure_project_id ;
+            kv-gitlab-ci/data/github/ingress allure_server_token ;
+            kv-gitlab-ci/data/github/ingress allure_server_url ;
             kv-gitlab-ci/data/github/shared/smoke-tests-registry-creds token_name ;
             kv-gitlab-ci/data/github/shared/smoke-tests-registry-creds token_secret ;
             kv-gitlab-ci/data/github/shared/smoke-tests-registry-creds registry_name ;
@@ -72,14 +89,19 @@ jobs:
       - name: Load cache
         uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a
         with:
-          name: node.tar
+          name: node-${{ matrix.ARCH }}.tar
 
       - name: Load images
-        run: docker load -i node.tar
+        run: docker load -i node-${{ matrix.ARCH }}.tar
 
       - name: Run test
         env:
           USER_UUID: ${{ steps.secrets.outputs.user_uuid }}
           USER_SECRET: ${{ steps.secrets.outputs.user_secret }}
           WALLARM_API_TOKEN: ${{ steps.secrets.outputs.api_token }}
-        run: make ${{ matrix.case }}
+          ALLURE_TOKEN: ${{ steps.secrets.outputs.ALLURE_SERVER_TOKEN }}
+          ALLURE_ENDPOINT: ${{ steps.secrets.outputs.ALLURE_SERVER_URL }}
+          ALLURE_PROJECT_ID: ${{ steps.secrets.outputs.ALLURE_PROJECT_ID }}
+          ALLURE_ENVIRONMENT_ARCH: ${{ matrix.ARCH }}
+          ALLURE_UPLOAD_REPORT: true
+        run: make ${{ matrix.case }}

.gitignore

@@ -1 +1,3 @@
-.env
+.env
+build
+.idea

Dockerfile

@@ -1,44 +1,70 @@
-FROM debian:buster
+ARG ALPINE_VERSION
+
+FROM alpine:${ALPINE_VERSION}
+
+ARG ALPINE_VERSION
+ARG COMMIT_SHA
+ARG CONTAINER_VERSION
+ARG GOMPLATE_VERISON
+ARG NGINX_VERSION
+ARG TARGETPLATFORM
+ARG WLRM_FOLDER
+
 MAINTAINER Wallarm Support Team <[email protected]>
 
-ENV DEBIAN_FRONTEND noninteractive
-
-COPY conf/sources.list /etc/apt/sources.list.d/wallarm-node.list.tmp
-
-RUN apt-get -y update && apt-get -y install ca-certificates && mv /etc/apt/sources.list.d/wallarm-node.list.tmp /etc/apt/sources.list.d/wallarm-node.list \
-    && printf -- "mQINBGIMrcABEAC6Eiq7wvDFie+y6P8e8rRxXlmpOh7FP4NwyR+XAoANbztuZMZO2OLZAR/QBWXP8HINFIpA8JtB1/KACE3shw508KlZ1K2vhaYkbDBiK14BTvVYkl/rOQd4mYPChN5BFr1n/QBMleESxh9gegA8HeAu39PbJB60mpfdK+0dvrQlZ6A5D1/eXRTf1PqgpNwOx4P+2DoVSpwF5JSVwYFgjsAXCzOAhuhu7HFazDq7GKQoUx9Wau15/B0P2QYAlRVElWmwl0Ueni96uz0WikMpQHKo9zY67XuurNfmcp+jclaBqB+8n8mbDaWVQn0k+oTRURhD3W5WgF6dgcfV0vmeKtVa6FmMpA1fX2qh2PyHFno6P1I9+72gsISc6tXSiZ4X2HNkAcjk+lL0BarSW3bsoEOZP2CAZlucBQ5hcNQKJ/7BiaMOn2ihfs7mEpbSBpodKAXU79Nf4nkQlTHYGzkD8MzPNSyljh9QB+BnAass2xJyqIfqo4dpCst4dcBMuloBsRBfnsgpSurjeT6pY5hCQTJzi/6bA6vHf7fJUE96iidyZbSf2k4aYunESpeKfWPYOC51yNoIDTOcaIvcfC2mKr48IyEEVQHatvPAt8oyMg0GOg/8TgD2aMIr7YDVgLhBlWpV9Z7mMRPQo8wRb2JyiOGjN2dmcccb2WiiFv9x3k7CMQARAQABtClXYWxsYXJtIChXYWxsYXJtIEdQRykgPGFkbWluQHdhbGxhcm0uY29tPokCWAQTAQgAQhYhBJTqYS5aDCC27CA0RyhfkQbUiFfHBQJiDK3AAhsDBQkJZgGABQsJCAcCAyICAQYVCgkICwIEFgIDAQIeBwIXgAAKCRAoX5EG1IhXx6RjD/9A2UXjTdFdU7p4v8pIAbU4HaTiOmdhcRxDw9Et8fdBcywXMV2UPwVG50FuYjyFLpesrwcWU5rHb2ltI3i2yco4NEP01bV0P5H/bHxSYTRZtENhY4hmIpMeo5HkUrtHi74wr5P2xGyllT8F4BUJzManySOQzPJYmXw6feL5T25lzFEuMLSMVQq+02wPTqq2tgiHrxI/KhIPCcq22pKEdrrInOApC2tNBrr5CAniRfeWN9ZWkQRwdHdDd4h087ntQom8iRzgB61daF6k3pkTtkcsIT8O4oV+00QvXYOE+zfzzasXdBCGsrKE71GbemIkpBsAXfcczt2b8lGdopRV+RPq33AOEXzmEC9rm3l6/9+L0Ozk472zFsbcP7EUVwoN5PBzilZ/TZEzeHWb6reXWxbGEad+5ev2STqL9ljha1+WwFPsMCJXmfFUCTek+PdS/eVNG4HnGhBZEV2fD1ETik3ueb1Rv7068mZrHnsBR1tDFXx0mhygTGohkrrTKG5fEqNXQFk6xTn+4J2kTNhPgvC1wP0CVMVuiHAm8Cz84RTP1fJ+htJvH75//q1XocxT6cHI+pi0JDaO8rmAbouhlOTaohSrqUyDEXFyhttAYbudQPHRUJtr8h3iX8Gl/vBUYx4SU2Sts5XskNFKkrOXvlXlBQ6NRXum9f8av2Qy+bAOWLkCDQRiDK3AARAAzwghirEHaD8K3sAmdNQGK1460E8ITGIVSQWuKlUX8b1kZw+fJIc2k+yTWicRe/Omu09y2+tpTBXUoKRA60HNtLoceOvA2TnzEOi3VdabOeUirs39dzoG+OH3wizYuWiSOc2oi6oyP9chjpWVYM2ozgtFr1kvdi6HtGyg8oz6jks8U8E/rlftQhCtD/l4U6+0huIawggxOGTfXb9zWhaQiOAGh+DB79BPNuXxHbkAyEzsOqXWmWLCJXdZ5N5bwzUCrTw5J3zzfK+5cUFXj6G/HB/hRHV46To7859gzb6d2f8GsOvbElbM3vj4PLd81w6DesynssAwoUYWkREZ7Z3sVCyJ+pgRp0tO1SP08lis46xAHQ+oqbGL4JH5hf5byqUsHaq0MCkF9OGGVlar0wb7W3+xVyT3KJlQ9/bj3hFfG5k1BrEAPbjxSx+B7C9ldGNs+LtWAjwWgg24VESU1hzYV3OccvoWzBP08UVLyxt5tne+594Q5UiHYVbnKaxiUAp3mQnpKQW1GSL9btdyMXXMPMYfePxraYE8fFDg3uyJyEGTXQUwQbbTfB1BQib6esA/tTd/UDe0kUyHHqvg2DoowXIR17cfItzesuih3xpIFdDjB64vr79nUriOg5OYKCEWukq4rddTVlrmUjcCffPbMtqZmtYPSVxEcua8sbbOXekAEQEAAYkCPAQYAQgAJhYhBJTqYS5aDCC27CA0RyhfkQbUiFfHBQJiDK3AAhsMBQkJZgGAAAoJEChfkQbUiFfHvA4P/2QvLhIqztbxCAOa5vewhekfNmu5jTMqQqQ+czaF43GHe9CnC4uz2RyjuJpQeAUS4eicYZhit7RDHZ4PXBMdNV6YCpImF6LJv+FehuJZm6EJqdIq4t44fBQWtdqj+8xYxPNI9TVk0Qsxs4hEKHaG7+pCiGIZDNdQTHODQpPU9g1ir/WyJ10azGyLBmcINr1cCDnmV12v+E6yLKeTFK6R9ocVBw/3QrPgvHa5TSE9peo+7L0qeTz8uOodSJ6Df+3O1fMl8LPEPhOn1WdTd6x1yu21PXyJmFR60PfzNM/rT6JNTcc5xpDj+bIbaXikfZIPDPsV5cZIs/xvE9HeMfgBB6OJkQwWjg7znZYA1B1RGBkUHzLnO5ZppaV9NPw6LRUfnRc2BdfqC21LNfZJYHH3/IMdFJSmW12ivfbYFh81qUAuAgEJK09Xvvef6QrJPZM5XdB7H0e0PSfHhLgp16OgZkyc5UZ9tH8Cata/saBWM9lhKljQbZupd9kEYCSTnDhsmWGHbL2co6hH9yqLa5n4ogdZ854qUURG7X3IG9tyZOtv07a/khebMkQtm6h4UgRPD1FuZDJ+S/hwPMh1KvvUfmMl9s6UFRRhQRuUZR0gmSx652igzwCpgu8ZBUhhWdr37kAg80ZJbVYqkylS2+hKdG4zJBX16Jz8yD0gUrEN4DD0" | base64 -d > /usr/share/keyrings/wallarm.gpg \
-    && apt-get -y update && apt-get -y upgrade \
-    && apt-get -y --no-install-recommends install \
-        cron \
-        logrotate \
-        monitoring-plugins \
-        supervisor \
-        nginx \
-        wallarm-node \
-        libnginx-mod-http-wallarm \
-        collectd-utils \
-        curl \
-        iptables \
-        bsdmainutils \
-        sudo \
-        socat \
-    && apt-get clean \
-    && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* \
-    && chown -R wallarm:wallarm /var/lib/wallarm-tarantool \
-    && sed -i 's|session    required     pam_loginuid.so|session    optional     pam_loginuid.so|g' /etc/pam.d/cron
-
-RUN cp /usr/share/doc/libnginx-mod-http-wallarm/examples/wallarm-status.conf /etc/nginx/conf.d/
-COPY scripts/init /usr/local/bin/
-COPY scripts/registernode_loop /usr/local/bin/
+LABEL org.opencontainers.image.title="Docker official image for Wallarm Node. API security platform agent"
+LABEL org.opencontainers.image.documentation="https://docs.wallarm.com/installation/inline/compute-instances/docker/nginx-based"
+LABEL org.opencontainers.image.source="https://github.com/wallarm/docker-wallarm-node"
+LABEL org.opencontainers.image.vendor="Wallarm"
+LABEL org.opencontainers.image.version="${CONTAINER_VERSION}"
+LABEL org.opencontainers.image.revision="${COMMIT_SHA}"
+LABEL com.wallarm.nginx-docker.versions.alpine="${ALPINE_VERSION}"
+LABEL com.wallarm.nginx-docker.versions.nginx="${NGINX_VERSION}"
+LABEL com.wallarm.nginx-docker.versions.aio="${AIO_VERSION}"
+LABEL com.wallarm.nginx-docker.versions.aio="${GOMPLATE_VERSION}"
 
-COPY conf/supervisord.conf /etc/supervisor/
-COPY conf/supervisord.filtering.conf /etc/supervisor/supervisord.filtering.conf.example
-COPY conf/supervisord.post-analytics.conf /etc/supervisor/supervisord.post-analytics.conf.example
+# core deps
+RUN addgroup -S wallarm && \
+    adduser -S -D -G wallarm -h /opt/wallarm wallarm && \
+    apk update && \
+    apk upgrade && \
+    apk add curl bash socat logrotate libgcc \
+        gomplate=~$GOMPLATE_VERISON \
+        nginx=~$NGINX_VERSION \
+        nginx-mod-http-perl=~$NGINX_VERSION \
+        nginx-mod-stream=~$NGINX_VERSION \
+        nginx-mod-http-dav-ext=~$NGINX_VERSION \
+        nginx-mod-http-echo=~$NGINX_VERSION \
+        nginx-mod-http-geoip=~$NGINX_VERSION \
+        nginx-mod-http-image-filter=~$NGINX_VERSION \
+        nginx-mod-mail=~$NGINX_VERSION \
+        nginx-mod-http-upstream-fair=~$NGINX_VERSION \
+        nginx-mod-http-xslt-filter=~$NGINX_VERSION && \
+    nginx -V && \
+    rm -r /var/cache/apk/*
+
+# install wallarm
+COPY --chown=wallarm:wallarm build/$TARGETPLATFORM/ /
+
+# build-time compat check
+COPY build-scripts/check_sig.sh /opt/wallarm/check_sig.sh
+RUN /bin/sh -c '/opt/wallarm/check_sig.sh' && rm /opt/wallarm/check_sig.sh
+
+# init script
+COPY scripts/init /usr/local/bin/
 
-COPY conf/logrotate.conf /etc/
-COPY conf/default /etc/nginx/sites-enabled/
-COPY conf/collectd.conf /etc/collectd/
+# configs
+RUN /bin/bash -c \
+    'mkdir -p /etc/nginx/{modules-available,sites-available,sites-enabled} && \
+    ln -sf /etc/nginx/modules/ /etc/nginx/modules-enabled && \
+    ln -sf /etc/nginx/modules-available/mod-http-wallarm.conf /etc/nginx/modules-enabled/ && \
+    touch /etc/environment && \
+    rm /etc/nginx/conf.d/stream.conf && \
+    chown -R wallarm:wallarm /run /etc/environment /etc/nginx /var/log/nginx /var/lib/nginx'
+COPY conf/nginx /etc/nginx/
+COPY conf/nginx_templates /opt/wallarm/
 
 EXPOSE 80 443
+USER wallarm
 
 CMD ["/usr/local/bin/init"]