discourse
/
discourse-auth-proxy
mirror of https://github.com/discourse/discourse-auth-proxy.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

build and release with Concourse 

This is a public repository.  This message intentionally redacted.
See t/120483 for rationale.
This commit is contained in:
Saj Goonatilleke 2024-01-25 09:49:37 +11:00
parent 5bb40a908f
commit 79f3a76707
7 changed files with 342 additions and 61 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
Dockerfile
View File

@ -1,29 +0,0 @@
FROM golang:1-alpine3.18 AS builder
RUN apk -v --no-progress --no-cache add git
WORKDIR /src
COPY go.mod go.sum ./
RUN go mod download
COPY internal ./internal/
COPY *.go ./
RUN CGO_ENABLED=0 GOARCH=amd64 go build .
FROM --platform=linux/amd64 debian:bookworm-slim
RUN DEBIAN_FRONTEND=noninteractive apt-get update \
&& DEBIAN_FRONTEND=noninteractive apt-get -y dist-upgrade \
&& DEBIAN_FRONTEND=noninteractive apt-get clean \
&& ( find /var/lib/apt/lists -mindepth 1 -delete || true ) \
&& ( find /var/tmp -mindepth 1 -delete || true ) \
&& ( find /tmp -mindepth 1 -delete || true )
COPY --from=builder \
/src/discourse-auth-proxy \
/usr/local/bin/discourse-auth-proxy
COPY docker-entrypoint /usr/local/bin/docker-entrypoint
ENTRYPOINT ["/usr/local/bin/docker-entrypoint"]

19
Makefile
View File

@ -1,19 +0,0 @@
IMAGE := discourse/auth-proxy
TAG := $(shell date -u +%Y%m%d.%H%M%S)
.PHONY: default
default: push
@printf "${IMAGE}:${TAG} ready\n"
.PHONY: push
push: build
docker push ${IMAGE}:${TAG}
.PHONY: build
build:
docker build --pull -t ${IMAGE}:${TAG} .
.PHONY: release
release:
docker tag ${IMAGE}:${TAG} ${IMAGE}:latest
docker push ${IMAGE}:latest

14
README.md
View File

@ -55,16 +55,4 @@ docker run discourse/auth-proxy
Running will display configuration instructions Running will display configuration instructions
You may build an image using A new OCI image is automatically published to [Docker Hub](https://hub.docker.com/r/discourse/auth-proxy/tags) upon every push to branch `main` on GitHub. The release procedure is documented in t/120578 for the benefit of CDCK staff.
```
make build
```
After building, you may publish it as a new release -- i.e. `latest` tag -- using
```
make release TAG=20220406.135620
```
(Replace with the actual built tag.)

43
dist/Dockerfile vendored Normal file
View File

@ -0,0 +1,43 @@
# syntax=docker/dockerfile:1
ARG BASE_IMAGE_DEBIAN=debian:bookworm-slim
ARG BASE_IMAGE_GO_ALPINE=golang:1-alpine
FROM ${BASE_IMAGE_GO_ALPINE} AS builder
ARG TARGETARCH
ARG TARGETOS
RUN apk -v --no-progress --no-cache add git
WORKDIR /src
COPY go.mod go.sum ./
RUN --mount=type=cache,target=/root/.cache/go-build \
go mod download
COPY internal ./internal/
COPY *.go ./
RUN --mount=type=cache,target=/root/.cache/go-build \
CGO_ENABLED=0 \
GOARCH=${TARGETARCH} \
GOOS=${TARGETOS} \
go build .
FROM ${BASE_IMAGE_DEBIAN}
RUN <<EOF sh -exs
DEBIAN_FRONTEND=noninteractive apt-get update
DEBIAN_FRONTEND=noninteractive apt-get -y dist-upgrade
DEBIAN_FRONTEND=noninteractive apt-get clean
( find /var/lib/apt/lists -mindepth 1 -delete || true )
( find /var/tmp -mindepth 1 -delete || true )
( find /tmp -mindepth 1 -delete || true )
EOF
COPY --from=builder /src/discourse-auth-proxy /usr/local/bin/discourse-auth-proxy
COPY dist/docker-entrypoint /usr/local/bin/docker-entrypoint
ENTRYPOINT ["/usr/local/bin/docker-entrypoint"]

155
dist/concourse/pipeline-branch.yaml vendored Normal file
View File

@ -0,0 +1,155 @@
# SECURITY
# This is a public repository. Mind what you write.
# Do not accept modifications from people outside CDCK.
# Seek infra security review if unsure.
---
var_sources:
- name: xacco
type: vault
config:
url: http://127.0.0.1:8200
path_prefix: /aws-xacc-obfuscate
client_token: unused-but-some-value-required
resource_types:
- name: metadata
type: registry-image
source:
repository: practical-concourse/resource-types/metadata
aws_access_key_id: ((xacco:machine/concourse-ecr-pull/docker-registry.AWS_ACCESS_KEY_ID))
aws_secret_access_key: ((xacco:machine/concourse-ecr-pull/docker-registry.AWS_SECRET_ACCESS_KEY))
aws_session_token: ((xacco:machine/concourse-ecr-pull/docker-registry.AWS_SESSION_TOKEN))
aws_region: ((obfuscate-aws-docker-registry.region))
resources:
- name: metadata
type: metadata
- name: discourse-auth-proxy
type: git
icon: github
source:
uri: git@github.com:discourse/discourse-auth-proxy.git
branch: ((branch))
private_key: ((github-discoursebuild))
webhook_token: unused-but-some-value-required
- name: alpine
type: registry-image
icon: docker
check_every: 24h
source:
repository: alpine
tag: "3"
username: ((docker-hub.username))
password: ((docker-hub.password))
- name: debian-oci
type: registry-image
icon: docker
check_every: 24h
source:
repository: debian
tag: "bookworm-slim"
username: ((docker-hub.username))
password: ((docker-hub.password))
- name: go1-oci
type: registry-image
icon: docker
check_every: 168h
source:
repository: golang
tag: "1-alpine"
username: ((docker-hub.username))
password: ((docker-hub.password))
- name: ecr
type: registry-image
icon: docker
source:
repository: ((image_repository))
aws_access_key_id: ((xacco:machine/concourse-ecr-push/docker-registry.AWS_ACCESS_KEY_ID))
aws_secret_access_key: ((xacco:machine/concourse-ecr-push/docker-registry.AWS_SECRET_ACCESS_KEY))
aws_session_token: ((xacco:machine/concourse-ecr-push/docker-registry.AWS_SESSION_TOKEN))
aws_region: ((obfuscate-aws-docker-registry.region))
jobs:
- name: build
serial: true
plan:
- in_parallel:
- get: discourse-auth-proxy
trigger: true
- get: alpine
- get: debian-oci
params: {format: oci}
- get: go1-oci
params: {format: oci}
- put: metadata
# The pipeline will always push ((image_tag)). This tag is mutable.
# So that older images are easier to retrieve,
# the pipeline will also push a tag whose value is assembled
# from the Concourse build ID and source revision ID.
# This latter tag is intended to be immutable.
- task: transform-tags
image: alpine
config:
platform: linux
inputs:
- name: metadata
- name: discourse-auth-proxy
outputs:
- name: tags
params:
BASE_TAG: ((image_tag))
run:
path: sh
args:
- -exc
- |
test -n "${BASE_TAG}"
BUILD_ID="$(head -n 1 metadata/build_id)"
test -n "${BUILD_ID}"
REVISION="$(head -n 1 discourse-auth-proxy/.git/short_ref)"
test -n "${REVISION}"
echo "${BASE_TAG}" >> tags/tags
echo "${BASE_TAG}-${BUILD_ID}-${REVISION}" >> tags/tags
- task: build
privileged: true
config:
platform: linux
image_resource:
type: registry-image
source:
repository: concourse/oci-build-task
username: ((docker-hub.username))
password: ((docker-hub.password))
inputs:
- name: discourse-auth-proxy
- name: debian-oci
- name: go1-oci
outputs:
- name: image
caches:
- path: cache
params:
CONTEXT: discourse-auth-proxy
DOCKERFILE: discourse-auth-proxy/dist/Dockerfile
IMAGE_ARG_BASE_IMAGE_DEBIAN: debian-oci/image.tar
IMAGE_ARG_BASE_IMAGE_GO_ALPINE: go1-oci/image.tar
OUTPUT_OCI: true
run:
path: build
- put: ecr
inputs:
- image
- tags
params:
image: image/image
additional_tags: tags/tags
get_params: {skip_download: true}

143
dist/concourse/pipeline.yaml vendored Normal file
View File

@ -0,0 +1,143 @@
# SECURITY
# This is a public repository. Mind what you write.
# Do not accept modifications from people outside CDCK.
# Seek infra security review if unsure.
---
var_sources:
- name: xacco
type: vault
config:
url: http://127.0.0.1:8200
path_prefix: /aws-xacc-obfuscate
client_token: unused-but-some-value-required
resources:
- name: discourse-auth-proxy
type: git
icon: github
source:
uri: git@github.com:discourse/discourse-auth-proxy.git
private_key: ((github-discoursebuild))
webhook_token: unused-but-some-value-required
- name: alpine
type: registry-image
icon: docker
check_every: 24h
source:
repository: alpine
tag: "3"
username: ((docker-hub.username))
password: ((docker-hub.password))
- name: debian-oci
type: registry-image
icon: docker
check_every: 24h
source:
repository: debian
tag: "bookworm-slim"
username: ((docker-hub.username))
password: ((docker-hub.password))
- name: go1-oci
type: registry-image
icon: docker
check_every: 168h
source:
repository: golang
tag: "1-alpine"
username: ((docker-hub.username))
password: ((docker-hub.password))
- name: docker-hub
type: registry-image
icon: docker
source:
repository: discourse/auth-proxy
username: ((docker-hub.username))
password: ((docker-hub.password))
- name: ecr
type: registry-image
icon: docker
source:
repository: auth-proxy
aws_access_key_id: ((xacco:machine/concourse-ecr-push/docker-registry.AWS_ACCESS_KEY_ID))
aws_secret_access_key: ((xacco:machine/concourse-ecr-push/docker-registry.AWS_SECRET_ACCESS_KEY))
aws_session_token: ((xacco:machine/concourse-ecr-push/docker-registry.AWS_SESSION_TOKEN))
aws_region: ((obfuscate-aws-docker-registry.region))
jobs:
- name: build
serial: true
plan:
- in_parallel:
- get: discourse-auth-proxy
trigger: true
- get: alpine
- get: debian-oci
params: {format: oci}
- get: go1-oci
trigger: true
params: {format: oci}
- task: generate-tags
image: alpine
config:
platform: linux
outputs:
- name: tags
run:
path: sh
args:
- -exc
- |
echo latest >>tags/tags
date -u +%Y%m%d.%H%M%S >>tags/tags
- task: build
privileged: true
config:
platform: linux
image_resource:
type: registry-image
source:
repository: concourse/oci-build-task
username: ((docker-hub.username))
password: ((docker-hub.password))
inputs:
- name: discourse-auth-proxy
- name: debian-oci
- name: go1-oci
outputs:
- name: image
caches:
- path: cache
params:
CONTEXT: discourse-auth-proxy
DOCKERFILE: discourse-auth-proxy/dist/Dockerfile
IMAGE_ARG_BASE_IMAGE_DEBIAN: debian-oci/image.tar
IMAGE_ARG_BASE_IMAGE_GO_ALPINE: go1-oci/image.tar
OUTPUT_OCI: true
run:
path: build
- in_parallel:
- put: docker-hub
inputs:
- image
- tags
params:
image: image/image
additional_tags: tags/tags
get_params: {skip_download: true}
- put: ecr
inputs:
- image
- tags
params:
image: image/image
additional_tags: tags/tags
get_params: {skip_download: true}

0
docker-entrypoint → dist/docker-entrypoint vendored
View File