build and release with Concourse
This is a public repository. This message intentionally redacted. See t/120483 for rationale.
parent
5bb40a908f
commit
79f3a76707
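--- a/Dockerfile
+++ b/Dockerfile
@@ -1,29 +0,0 @@
-FROM golang:1-alpine3.18 AS builder
-
-RUN apk -v --no-progress --no-cache add git
-
-WORKDIR /src
-
-COPY go.mod go.sum ./
-RUN go mod download
-
-COPY internal ./internal/
-COPY *.go ./
-RUN CGO_ENABLED=0 GOARCH=amd64 go build .
-
-
-FROM --platform=linux/amd64 debian:bookworm-slim
-
-RUN DEBIAN_FRONTEND=noninteractive apt-get update \
-&& DEBIAN_FRONTEND=noninteractive apt-get -y dist-upgrade \
-&& DEBIAN_FRONTEND=noninteractive apt-get clean \
-&& ( find /var/lib/apt/lists -mindepth 1 -delete || true ) \
-&& ( find /var/tmp -mindepth 1 -delete || true ) \
-&& ( find /tmp -mindepth 1 -delete || true )
-
-COPY --from=builder \
-/src/discourse-auth-proxy \
-/usr/local/bin/discourse-auth-proxy
-COPY docker-entrypoint /usr/local/bin/docker-entrypoint
-
-ENTRYPOINT ["/usr/local/bin/docker-entrypoint"]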
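--- a/Makefile
+++ b/Makefile
@@ -1,19 +0,0 @@
-IMAGE := discourse/auth-proxy
-TAG := $(shell date -u +%Y%m%d.%H%M%S)
-
-.PHONY: default
-default: push
-@printf "${IMAGE}:${TAG} ready\n"
-
-.PHONY: push
-push: build
-docker push ${IMAGE}:${TAG}
-
-.PHONY: build
-build:
-docker build --pull -t ${IMAGE}:${TAG} .
-
-.PHONY: release
-release:
-docker tag ${IMAGE}:${TAG} ${IMAGE}:latest
-docker push ${IMAGE}:latest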
14
README.md
14
README.md
|
@ -55,16 +55,4 @@ docker run discourse/auth-proxy
|
||||||
|
|
||||||
Running will display configuration instructions
|
Running will display configuration instructions
|
||||||
|
|
||||||
You may build an image using
|
A new OCI image is automatically published to [Docker Hub](https://hub.docker.com/r/discourse/auth-proxy/tags) upon every push to branch `main` on GitHub. The release procedure is documented in t/120578 for the benefit of CDCK staff.
|
||||||
|
|
||||||
```
|
|
||||||
make build
|
|
||||||
```
|
|
||||||
|
|
||||||
After building, you may publish it as a new release -- i.e. `latest` tag -- using
|
|
||||||
|
|
||||||
```
|
|
||||||
make release TAG=20220406.135620
|
|
||||||
```
|
|
||||||
|
|
||||||
(Replace with the actual built tag.)
|
|
||||||
|
|
|
@ -0,0 +1,43 @@
|
||||||
|
# syntax=docker/dockerfile:1
|
||||||
|
|
||||||
|
ARG BASE_IMAGE_DEBIAN=debian:bookworm-slim
|
||||||
|
ARG BASE_IMAGE_GO_ALPINE=golang:1-alpine
|
||||||
|
|
||||||
|
|
||||||
|
FROM ${BASE_IMAGE_GO_ALPINE} AS builder
|
||||||
|
|
||||||
|
ARG TARGETARCH
|
||||||
|
ARG TARGETOS
|
||||||
|
|
||||||
|
RUN apk -v --no-progress --no-cache add git
|
||||||
|
|
||||||
|
WORKDIR /src
|
||||||
|
|
||||||
|
COPY go.mod go.sum ./
|
||||||
|
RUN --mount=type=cache,target=/root/.cache/go-build \
|
||||||
|
go mod download
|
||||||
|
|
||||||
|
COPY internal ./internal/
|
||||||
|
COPY *.go ./
|
||||||
|
RUN --mount=type=cache,target=/root/.cache/go-build \
|
||||||
|
CGO_ENABLED=0 \
|
||||||
|
GOARCH=${TARGETARCH} \
|
||||||
|
GOOS=${TARGETOS} \
|
||||||
|
go build .
|
||||||
|
|
||||||
|
|
||||||
|
FROM ${BASE_IMAGE_DEBIAN}
|
||||||
|
|
||||||
|
RUN <<EOF sh -exs
|
||||||
|
DEBIAN_FRONTEND=noninteractive apt-get update
|
||||||
|
DEBIAN_FRONTEND=noninteractive apt-get -y dist-upgrade
|
||||||
|
DEBIAN_FRONTEND=noninteractive apt-get clean
|
||||||
|
( find /var/lib/apt/lists -mindepth 1 -delete || true )
|
||||||
|
( find /var/tmp -mindepth 1 -delete || true )
|
||||||
|
( find /tmp -mindepth 1 -delete || true )
|
||||||
|
EOF
|
||||||
|
|
||||||
|
COPY --from=builder /src/discourse-auth-proxy /usr/local/bin/discourse-auth-proxy
|
||||||
|
COPY dist/docker-entrypoint /usr/local/bin/docker-entrypoint
|
||||||
|
|
||||||
|
ENTRYPOINT ["/usr/local/bin/docker-entrypoint"]
|
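Review bot: The final stage (`FROM ${BASE_IMAGE_DEBIAN}` through `ENTRYPOINT`) never sets `USER`, so the proxy runs as root unless `dist/docker-entrypoint`, which is not shown here, drops privileges itself. For a network-facing authentication proxy I would create an unprivileged account and switch to it before the entrypoint, e.g. `RUN useradd --system --uid 10001 --no-create-home authproxy` followed by `USER 10001` (name and UID are illustrative). Separately, the cache mount on `go mod download` targets `/root/.cache/go-build`, while downloaded modules go to the module cache (`/go/pkg/mod` in the official golang image), so that step likely gains nothing from the mount.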
|
@ -0,0 +1,155 @@
|
||||||
|
# SECURITY
|
||||||
|
# This is a public repository. Mind what you write.
|
||||||
|
# Do not accept modifications from people outside CDCK.
|
||||||
|
# Seek infra security review if unsure.
|
||||||
|
|
||||||
|
---
|
||||||
|
var_sources:
|
||||||
|
- name: xacco
|
||||||
|
type: vault
|
||||||
|
config:
|
||||||
|
url: http://127.0.0.1:8200
|
||||||
|
path_prefix: /aws-xacc-obfuscate
|
||||||
|
client_token: unused-but-some-value-required
|
||||||
|
|
||||||
|
resource_types:
|
||||||
|
- name: metadata
|
||||||
|
type: registry-image
|
||||||
|
source:
|
||||||
|
repository: practical-concourse/resource-types/metadata
|
||||||
|
aws_access_key_id: ((xacco:machine/concourse-ecr-pull/docker-registry.AWS_ACCESS_KEY_ID))
|
||||||
|
aws_secret_access_key: ((xacco:machine/concourse-ecr-pull/docker-registry.AWS_SECRET_ACCESS_KEY))
|
||||||
|
aws_session_token: ((xacco:machine/concourse-ecr-pull/docker-registry.AWS_SESSION_TOKEN))
|
||||||
|
aws_region: ((obfuscate-aws-docker-registry.region))
|
||||||
|
|
||||||
|
resources:
|
||||||
|
- name: metadata
|
||||||
|
type: metadata
|
||||||
|
|
||||||
|
- name: discourse-auth-proxy
|
||||||
|
type: git
|
||||||
|
icon: github
|
||||||
|
source:
|
||||||
|
uri: git@github.com:discourse/discourse-auth-proxy.git
|
||||||
|
branch: ((branch))
|
||||||
|
private_key: ((github-discoursebuild))
|
||||||
|
webhook_token: unused-but-some-value-required
|
||||||
|
|
||||||
|
- name: alpine
|
||||||
|
type: registry-image
|
||||||
|
icon: docker
|
||||||
|
check_every: 24h
|
||||||
|
source:
|
||||||
|
repository: alpine
|
||||||
|
tag: "3"
|
||||||
|
username: ((docker-hub.username))
|
||||||
|
password: ((docker-hub.password))
|
||||||
|
|
||||||
|
- name: debian-oci
|
||||||
|
type: registry-image
|
||||||
|
icon: docker
|
||||||
|
check_every: 24h
|
||||||
|
source:
|
||||||
|
repository: debian
|
||||||
|
tag: "bookworm-slim"
|
||||||
|
username: ((docker-hub.username))
|
||||||
|
password: ((docker-hub.password))
|
||||||
|
|
||||||
|
- name: go1-oci
|
||||||
|
type: registry-image
|
||||||
|
icon: docker
|
||||||
|
check_every: 168h
|
||||||
|
source:
|
||||||
|
repository: golang
|
||||||
|
tag: "1-alpine"
|
||||||
|
username: ((docker-hub.username))
|
||||||
|
password: ((docker-hub.password))
|
||||||
|
|
||||||
|
- name: ecr
|
||||||
|
type: registry-image
|
||||||
|
icon: docker
|
||||||
|
source:
|
||||||
|
repository: ((image_repository))
|
||||||
|
aws_access_key_id: ((xacco:machine/concourse-ecr-push/docker-registry.AWS_ACCESS_KEY_ID))
|
||||||
|
aws_secret_access_key: ((xacco:machine/concourse-ecr-push/docker-registry.AWS_SECRET_ACCESS_KEY))
|
||||||
|
aws_session_token: ((xacco:machine/concourse-ecr-push/docker-registry.AWS_SESSION_TOKEN))
|
||||||
|
aws_region: ((obfuscate-aws-docker-registry.region))
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
- name: build
|
||||||
|
serial: true
|
||||||
|
plan:
|
||||||
|
- in_parallel:
|
||||||
|
- get: discourse-auth-proxy
|
||||||
|
trigger: true
|
||||||
|
- get: alpine
|
||||||
|
- get: debian-oci
|
||||||
|
params: {format: oci}
|
||||||
|
- get: go1-oci
|
||||||
|
params: {format: oci}
|
||||||
|
- put: metadata
|
||||||
|
|
||||||
|
# The pipeline will always push ((image_tag)). This tag is mutable.
|
||||||
|
# So that older images are easier to retrieve,
|
||||||
|
# the pipeline will also push a tag whose value is assembled
|
||||||
|
# from the Concourse build ID and source revision ID.
|
||||||
|
# This latter tag is intended to be immutable.
|
||||||
|
- task: transform-tags
|
||||||
|
image: alpine
|
||||||
|
config:
|
||||||
|
platform: linux
|
||||||
|
inputs:
|
||||||
|
- name: metadata
|
||||||
|
- name: discourse-auth-proxy
|
||||||
|
outputs:
|
||||||
|
- name: tags
|
||||||
|
params:
|
||||||
|
BASE_TAG: ((image_tag))
|
||||||
|
run:
|
||||||
|
path: sh
|
||||||
|
args:
|
||||||
|
- -exc
|
||||||
|
- |
|
||||||
|
test -n "${BASE_TAG}"
|
||||||
|
BUILD_ID="$(head -n 1 metadata/build_id)"
|
||||||
|
test -n "${BUILD_ID}"
|
||||||
|
REVISION="$(head -n 1 discourse-auth-proxy/.git/short_ref)"
|
||||||
|
test -n "${REVISION}"
|
||||||
|
echo "${BASE_TAG}" >> tags/tags
|
||||||
|
echo "${BASE_TAG}-${BUILD_ID}-${REVISION}" >> tags/tags
|
||||||
|
|
||||||
|
- task: build
|
||||||
|
privileged: true
|
||||||
|
config:
|
||||||
|
platform: linux
|
||||||
|
image_resource:
|
||||||
|
type: registry-image
|
||||||
|
source:
|
||||||
|
repository: concourse/oci-build-task
|
||||||
|
username: ((docker-hub.username))
|
||||||
|
password: ((docker-hub.password))
|
||||||
|
inputs:
|
||||||
|
- name: discourse-auth-proxy
|
||||||
|
- name: debian-oci
|
||||||
|
- name: go1-oci
|
||||||
|
outputs:
|
||||||
|
- name: image
|
||||||
|
caches:
|
||||||
|
- path: cache
|
||||||
|
params:
|
||||||
|
CONTEXT: discourse-auth-proxy
|
||||||
|
DOCKERFILE: discourse-auth-proxy/dist/Dockerfile
|
||||||
|
IMAGE_ARG_BASE_IMAGE_DEBIAN: debian-oci/image.tar
|
||||||
|
IMAGE_ARG_BASE_IMAGE_GO_ALPINE: go1-oci/image.tar
|
||||||
|
OUTPUT_OCI: true
|
||||||
|
run:
|
||||||
|
path: build
|
||||||
|
|
||||||
|
- put: ecr
|
||||||
|
inputs:
|
||||||
|
- image
|
||||||
|
- tags
|
||||||
|
params:
|
||||||
|
image: image/image
|
||||||
|
additional_tags: tags/tags
|
||||||
|
get_params: {skip_download: true}
|
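Review bot: The `build` task runs with `privileged: true`, but its `image_resource` names `concourse/oci-build-task` with no `tag` or digest, so whatever `latest` resolves to on Docker Hub at build time runs privileged on the worker and assembles the image that is then pushed. Pin it under `source`, for example `tag: <pinned-oci-build-task-version>`, or pin a digest, and bump it deliberately as part of a reviewed change. The base images are floating on purpose here, but the build tool itself does not need to float. The second pipeline file in this commit defines the same unpinned privileged `build` task.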
|
@ -0,0 +1,143 @@
|
||||||
|
# SECURITY
|
||||||
|
# This is a public repository. Mind what you write.
|
||||||
|
# Do not accept modifications from people outside CDCK.
|
||||||
|
# Seek infra security review if unsure.
|
||||||
|
|
||||||
|
---
|
||||||
|
var_sources:
|
||||||
|
- name: xacco
|
||||||
|
type: vault
|
||||||
|
config:
|
||||||
|
url: http://127.0.0.1:8200
|
||||||
|
path_prefix: /aws-xacc-obfuscate
|
||||||
|
client_token: unused-but-some-value-required
|
||||||
|
|
||||||
|
resources:
|
||||||
|
- name: discourse-auth-proxy
|
||||||
|
type: git
|
||||||
|
icon: github
|
||||||
|
source:
|
||||||
|
uri: git@github.com:discourse/discourse-auth-proxy.git
|
||||||
|
private_key: ((github-discoursebuild))
|
||||||
|
webhook_token: unused-but-some-value-required
|
||||||
|
|
||||||
|
- name: alpine
|
||||||
|
type: registry-image
|
||||||
|
icon: docker
|
||||||
|
check_every: 24h
|
||||||
|
source:
|
||||||
|
repository: alpine
|
||||||
|
tag: "3"
|
||||||
|
username: ((docker-hub.username))
|
||||||
|
password: ((docker-hub.password))
|
||||||
|
|
||||||
|
- name: debian-oci
|
||||||
|
type: registry-image
|
||||||
|
icon: docker
|
||||||
|
check_every: 24h
|
||||||
|
source:
|
||||||
|
repository: debian
|
||||||
|
tag: "bookworm-slim"
|
||||||
|
username: ((docker-hub.username))
|
||||||
|
password: ((docker-hub.password))
|
||||||
|
|
||||||
|
- name: go1-oci
|
||||||
|
type: registry-image
|
||||||
|
icon: docker
|
||||||
|
check_every: 168h
|
||||||
|
source:
|
||||||
|
repository: golang
|
||||||
|
tag: "1-alpine"
|
||||||
|
username: ((docker-hub.username))
|
||||||
|
password: ((docker-hub.password))
|
||||||
|
|
||||||
|
- name: docker-hub
|
||||||
|
type: registry-image
|
||||||
|
icon: docker
|
||||||
|
source:
|
||||||
|
repository: discourse/auth-proxy
|
||||||
|
username: ((docker-hub.username))
|
||||||
|
password: ((docker-hub.password))
|
||||||
|
|
||||||
|
- name: ecr
|
||||||
|
type: registry-image
|
||||||
|
icon: docker
|
||||||
|
source:
|
||||||
|
repository: auth-proxy
|
||||||
|
aws_access_key_id: ((xacco:machine/concourse-ecr-push/docker-registry.AWS_ACCESS_KEY_ID))
|
||||||
|
aws_secret_access_key: ((xacco:machine/concourse-ecr-push/docker-registry.AWS_SECRET_ACCESS_KEY))
|
||||||
|
aws_session_token: ((xacco:machine/concourse-ecr-push/docker-registry.AWS_SESSION_TOKEN))
|
||||||
|
aws_region: ((obfuscate-aws-docker-registry.region))
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
- name: build
|
||||||
|
serial: true
|
||||||
|
plan:
|
||||||
|
- in_parallel:
|
||||||
|
- get: discourse-auth-proxy
|
||||||
|
trigger: true
|
||||||
|
- get: alpine
|
||||||
|
- get: debian-oci
|
||||||
|
params: {format: oci}
|
||||||
|
- get: go1-oci
|
||||||
|
trigger: true
|
||||||
|
params: {format: oci}
|
||||||
|
|
||||||
|
- task: generate-tags
|
||||||
|
image: alpine
|
||||||
|
config:
|
||||||
|
platform: linux
|
||||||
|
outputs:
|
||||||
|
- name: tags
|
||||||
|
run:
|
||||||
|
path: sh
|
||||||
|
args:
|
||||||
|
- -exc
|
||||||
|
- |
|
||||||
|
echo latest >>tags/tags
|
||||||
|
date -u +%Y%m%d.%H%M%S >>tags/tags
|
||||||
|
|
||||||
|
- task: build
|
||||||
|
privileged: true
|
||||||
|
config:
|
||||||
|
platform: linux
|
||||||
|
image_resource:
|
||||||
|
type: registry-image
|
||||||
|
source:
|
||||||
|
repository: concourse/oci-build-task
|
||||||
|
username: ((docker-hub.username))
|
||||||
|
password: ((docker-hub.password))
|
||||||
|
inputs:
|
||||||
|
- name: discourse-auth-proxy
|
||||||
|
- name: debian-oci
|
||||||
|
- name: go1-oci
|
||||||
|
outputs:
|
||||||
|
- name: image
|
||||||
|
caches:
|
||||||
|
- path: cache
|
||||||
|
params:
|
||||||
|
CONTEXT: discourse-auth-proxy
|
||||||
|
DOCKERFILE: discourse-auth-proxy/dist/Dockerfile
|
||||||
|
IMAGE_ARG_BASE_IMAGE_DEBIAN: debian-oci/image.tar
|
||||||
|
IMAGE_ARG_BASE_IMAGE_GO_ALPINE: go1-oci/image.tar
|
||||||
|
OUTPUT_OCI: true
|
||||||
|
run:
|
||||||
|
path: build
|
||||||
|
|
||||||
|
- in_parallel:
|
||||||
|
- put: docker-hub
|
||||||
|
inputs:
|
||||||
|
- image
|
||||||
|
- tags
|
||||||
|
params:
|
||||||
|
image: image/image
|
||||||
|
additional_tags: tags/tags
|
||||||
|
get_params: {skip_download: true}
|
||||||
|
- put: ecr
|
||||||
|
inputs:
|
||||||
|
- image
|
||||||
|
- tags
|
||||||
|
params:
|
||||||
|
image: image/image
|
||||||
|
additional_tags: tags/tags
|
||||||
|
get_params: {skip_download: true}
|
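Review bot: In the `build` job's first `in_parallel` step, `get: debian-oci` has no `trigger: true`, although `debian-oci` is passed as `IMAGE_ARG_BASE_IMAGE_DEBIAN`, is the base of the runtime stage, and is checked every 24h. As written, only a source push or a new `golang:1-alpine` starts a build, so the published `latest` picks up Debian security fixes (from the base image or the Dockerfile's `dist-upgrade` step) only when one of those happens. If that is not a deliberate choice to limit publishing churn, add `trigger: true` under `get: debian-oci`. The first pipeline file triggers only on the git resource, so the same question applies there.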