push image to multiple registry #1079

206 changes: 196 additions & 10 deletions .github/workflows/build-fb-image.yaml
Expand Up @@ -11,16 +11,98 @@ on:
- "cmd/fluent-watcher/fluentbit/**"
- "cmd/fluent-watcher/hooks/**"
- "pkg/filenotify/**"
pull_request:
branches:
- "master"
paths:
- ".github/workflows/build-fb-image.yaml"
- "cmd/fluent-watcher/fluentbit/**"
- "cmd/fluent-watcher/hooks/**"
- "pkg/filenotify/**"

env:
FB_IMG: 'kubesphere/fluent-bit:v2.2.2'
FB_IMG_DEBUG: 'kubesphere/fluent-bit:v2.2.2-debug'
DOCKER_REPO: 'kubesphere'
DOCKER_IMAGE: 'fluent-bit'
GITHUB_IMAGE: '${{ github.repository }}/fluent-bit'

permissions:
contents: read
packages: write

jobs:
build:
build-prod-image-metadata:
runs-on: ubuntu-latest
name: Build prod image metadata
outputs:
IMG_NAME: ${{ steps.set-outputs.outputs.IMAGE_NAME }}
DOCKER_IMG_NAME: ${{ steps.set-outputs.outputs.DOCKER_IMG_NAME }}
version: ${{ steps.image-metadata.outputs.version }}
tags: ${{ steps.image-metadata.outputs.tags }}
labels: ${{ steps.image-metadata.outputs.labels }}
steps:
- name: Checkout code
uses: actions/checkout@v4

- name: docker metadata
id: image-metadata
uses: docker/metadata-action@v5
with:
images: "ghcr.io/${{ env.GITHUB_IMAGE }}"
tags: |
raw,latest
type=ref,event=branch
type=ref,event=pr
type=ref,event=tag
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}

- name: Set outputs
id: set-outputs
run: |
echo "IMAGE_NAME=${{ env.GITHUB_IMAGE }}" >> $GITHUB_OUTPUT
echo "DOCKER_IMG_NAME=${{env.DOCKER_REPO}}/${{ env.DOCKER_IMAGE }}" >> $GITHUB_OUTPUT

build-debug-image-metadata:
runs-on: ubuntu-latest
name: Build debug image metadata
outputs:
IMG_NAME: ${{ steps.set-outputs.outputs.IMAGE_NAME }}
DOCKER_IMG_NAME: ${{ steps.set-outputs.outputs.DOCKER_IMG_NAME }}
version: ${{ steps.image-metadata.outputs.version }}
tags: ${{ steps.image-metadata.outputs.tags }}
labels: ${{ steps.image-metadata.outputs.labels }}
steps:
- name: Checkout code
uses: actions/checkout@v4

- name: docker metadata
id: image-metadata
uses: docker/metadata-action@v5
with:
images: "ghcr.io/${{ env.GITHUB_IMAGE }}"
flavor: |
latest=false
suffix=-debug
tags: |
raw,latest
type=ref,event=branch
type=ref,event=pr
type=ref,event=tag
type=semver,pattern={{version}}
Member

@benjaminhuo benjaminhuo May 23, 2024

There is a problem here: the fluent-operator and fluent bit have different versions, and this action uses the tag of fluent-operator to build fluentbit images:

When we released fluent-operator v2.8.0, fluentbit remained at 2.2.2, but fluent-bit:v2.8.0 was built instead.

And this is the cause of #1178.

The Makefile should be used to build fluentbit images instead: https://github.com/fluent/fluent-operator/blob/v2.8.0/Makefile#L3

Collaborator Author

@sarathchandra24 sarathchandra24 May 25, 2024

Hmm, let me know if my understanding is correct.

If we are releasing a tag, suppose v2.8.0, it is building three images: fluentd:v2.8.0, fluent-operator:v2.8.0 and fluent-bit:v2.8.0. As per the workflows, all the images are using tags to release new images.

Do we need to separate them; i.e. are these images having different build and release cycles?

Member

@benjaminhuo benjaminhuo May 26, 2024

> If we are releasing a tag, suppose v2.8.0, it is building three images: fluentd:v2.8.0, fluent-operator:v2.8.0 and fluent-bit:v2.8.0. As per the workflows, all the images are using tags to release new images.
>
> Do we need to separate them; i.e. are these images having different build and release cycles?

@sarathchandra24 Yes, we need to separate them. The tag of this project should only be used to build fluent-operator while the fluentbit and fluentd have separate tags as defined in the makefile:

fluentbit:
https://github.com/fluent/fluent-operator/blob/master/Makefile#L3

fluentd:
https://github.com/fluent/fluent-operator/blob/master/Makefile#L5

type=semver,pattern={{major}}.{{minor}}

- name: Set outputs
id: set-outputs
run: |
echo "IMAGE_NAME=${{ env.GITHUB_IMAGE }}" >> $GITHUB_OUTPUT
echo "DOCKER_IMG_NAME=${{env.DOCKER_REPO}}/${{ env.DOCKER_IMAGE }}" >> $GITHUB_OUTPUT

build-FluentBit-prod-image:
needs:
- build-prod-image-metadata
runs-on: ubuntu-latest
timeout-minutes: 30
name: Build Image for Fluent Bit
name: Build Fluent Bit prod image
steps:
- name: Install Go
uses: actions/setup-go@v4
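Review bot: the workflow-level `permissions:` block gives `packages: write` to every job, and with the `pull_request` trigger added at the top of this hunk that includes PR runs of `build-prod-image-metadata` and `build-debug-image-metadata`, which only check out the repository and compute tags. Keeping `contents: read` at workflow level and declaring `packages: write` only under the jobs that push to ghcr.io would limit the token to where it is used. Separately, `raw,latest` is the only `tags:` entry written without the `type=` prefix; `type=raw,value=latest` would match the other entries.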
Expand All @@ -37,17 +119,121 @@ jobs:
with:
fetch-depth: 0

- name: Login to Docker Hub
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
username: ${{ secrets.REGISTRY_USER }}
password: ${{ secrets.REGISTRY_PASSWORD }}
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
Member

@benjaminhuo benjaminhuo Mar 8, 2024

Do I need to add a GitHub token to this repo's action secret?
But that token cannot start with Github, maybe we can change it to GH_TOKEN?

Collaborator Author

As far as I know, I am using GITHUB_TOKEN only, which will restrict permissions defined in the actions. I referred to the following document. I allowed the write permissions globally on a repo, and use this clause in actions:

permissions:
  contents: read
  packages: write
Allow Permissions on github

Let's check if this works! If not, we can create a secret GH_TOKEN and use it.

Member

All right, looks like GITHUB_TOKEN is created automatically for each action and I need to create one manually.


- name: Set up Docker Buildx
id: buildx
uses: docker/setup-buildx-action@v3

- name: Build and Push Image for Fluent Bit
run: |
make build-fb -e FB_IMG=${{ env.FB_IMG }}
make build-fb-debug -e FB_IMG_DEBUG=${{ env.FB_IMG_DEBUG }}
id: docker-build
uses: docker/build-push-action@v5
with:
context: .
file: ./cmd/fluent-watcher/fluentbit/Dockerfile
push: true
platforms: linux/amd64,linux/arm64
tags: ${{ needs.build-prod-image-metadata.outputs.tags }}
labels: ${{ needs.build-prod-image-metadata.outputs.labels }}

build-FluentBit-debug-image:
needs:
- build-debug-image-metadata
runs-on: ubuntu-latest
timeout-minutes: 30
name: Build Fluent Bit debug image
steps:
- name: Install Go
uses: actions/setup-go@v4
with:
go-version: 1.21

- uses: actions/cache@v3
with:
path: ~/go/pkg/mod
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}

- name: Checkout code
uses: actions/checkout@v4
with:
fetch-depth: 0

- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Set up Docker Buildx
id: buildx
uses: docker/setup-buildx-action@v3

- name: Build and Push Fluent Bit Debug Image
id: docker-build-debug
uses: docker/build-push-action@v5
with:
context: .
file: ./cmd/fluent-watcher/fluentbit/Dockerfile.debug
push: true
platforms: linux/amd64,linux/arm64
tags: ${{ needs.build-debug-image-metadata.outputs.tags }}
labels: ${{ needs.build-debug-image-metadata.outputs.labels }}

scan-FluentBit-image:
name: Scan prod image
needs:
- build-prod-image-metadata
- build-FluentBit-prod-image
uses: ./.github/workflows/scan-docker-image-action.yaml
with:
source_image: "${{ needs.build-prod-image-metadata.outputs.IMG_NAME }}:${{ needs.build-prod-image-metadata.outputs.version }}"
source_registry: ghcr.io
platforms: "['linux/arm64', 'linux/amd64']"
secrets:
registry_username: ${{ github.actor }}
registry_password: ${{ secrets.GITHUB_TOKEN }}

release-prod-image-to-docker-hub:
if: ${{ github.event_name != 'pull_request' }}
name: Release prod image to Docker Hub
uses: ./.github/workflows/clone-docker-image-action.yaml
needs:
- build-FluentBit-prod-image
- scan-FluentBit-image
- build-prod-image-metadata
with:
source_image: "${{ needs.build-prod-image-metadata.outputs.IMG_NAME }}:${{ needs.build-prod-image-metadata.outputs.version }}"
source_registry: ghcr.io
target_image: "${{ needs.build-prod-image-metadata.outputs.DOCKER_IMG_NAME }}:${{ needs.build-prod-image-metadata.outputs.version }}"
target_registry: docker.io
platforms: "['linux/arm64', 'linux/amd64']"
secrets:
source_registry_username: ${{ github.actor }}
source_registry_token: ${{ secrets.GITHUB_TOKEN }}
target_registry_username: ${{ secrets.REGISTRY_USER }}
target_registry_token: ${{ secrets.REGISTRY_PASSWORD }}

release-debug-image-to-docker-hub:
if: ${{ github.event_name != 'pull_request' }}
name: Release debug image to Docker Hub
uses: ./.github/workflows/clone-docker-image-action.yaml
needs:
- build-FluentBit-debug-image
- build-debug-image-metadata
with:
source_image: "${{ needs.build-debug-image-metadata.outputs.IMG_NAME }}:${{ needs.build-debug-image-metadata.outputs.version }}"
source_registry: ghcr.io
target_image: "${{ needs.build-debug-image-metadata.outputs.DOCKER_IMG_NAME }}:${{ needs.build-debug-image-metadata.outputs.version }}"
target_registry: docker.io
platforms: "['linux/arm64', 'linux/amd64']"
secrets:
source_registry_username: ${{ github.actor }}
source_registry_token: ${{ secrets.GITHUB_TOKEN }}
target_registry_username: ${{ secrets.REGISTRY_USER }}
target_registry_token: ${{ secrets.REGISTRY_PASSWORD }}
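
Review bot: both build steps set `push: true` with no event condition, so a `pull_request` run pushes to ghcr.io, and because the metadata jobs emit `raw,latest` unconditionally, a PR build overwrites the `latest` tag there; only the two Docker Hub release jobs carry `if: ${{ github.event_name != 'pull_request' }}`. Restrict the `latest` entry to non-PR events, for example `type=raw,value=latest,enable=${{ github.event_name != 'pull_request' }}`, so PR runs publish only their PR-ref tag for the scan job. Also, `release-debug-image-to-docker-hub` needs only the build and metadata jobs, so the debug image reaches Docker Hub without passing through `scan-docker-image-action.yaml`; a matching scan job in its `needs:` would close that gap.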