release: embed image replacements

edgelesssys · May 29, 2024 · db629c5 · db629c5
1 parent b195d5f
commit db629c5
Show file tree

Hide file tree

Showing 6 changed files with 15 additions and 2 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -244,10 +244,13 @@ jobs:
             'select(.kind == "Deployment") | .spec.template.metadata.annotations["io.katacontainers.config.agent.policy"]' |
             base64 -d | sha256sum | cut -d " " -f1 > cli/cmd/assets/coordinator-policy-hash
 
+          cp image-replacements.txt cli/cmd/assets/image-replacements.txt
+
           git config --global user.name "edgelessci"
           git config --global user.email "[email protected]"
           git add cli/cmd/assets/coordinator-policy-hash
-          git diff --staged --quiet || git commit -m "release: update coordinator policy hash"
+          git add cli/cmd/assets/image-replacements.txt
+          git diff --staged --quiet || git commit -m "release: update cli assets"
       - name: Build CLI
         run: |
           nix build -L .#cli-release

diff --git a/cli/cmd/assets/image-replacements.txt b/cli/cmd/assets/image-replacements.txt
@@ -0,0 +1 @@
+# THIS FILE IS REPLACED DURING RELEASE BUILD TO INCLUDE UPDATED IMAGE REFERENCES
diff --git a/cli/cmd/common.go b/cli/cmd/common.go
@@ -33,6 +33,8 @@ var (
 	defaultGenpolicySettings []byte
 	//go:embed assets/genpolicy-rules.rego
 	defaultRules []byte
+	//go:embed assets/image-replacements.txt
+	releaseImageReplacements []byte
 	// DefaultCoordinatorPolicyHash is derived from the coordinator release candidate and injected at release build time.
 	//
 	// It is intentionally left empty for dev builds.

diff --git a/cli/cmd/generate.go b/cli/cmd/generate.go
@@ -252,6 +252,7 @@ func generatePolicies(ctx context.Context, regoRulesPath, policySettingsPath str
 
 func injectInitializer(paths []string, imageReplacementsFile string, logger *slog.Logger) error {
 	var replacements map[string]string
+	var err error
 	if imageReplacementsFile != "" {
 		f, err := os.Open(imageReplacementsFile)
 		if err != nil {
@@ -263,6 +264,11 @@ func injectInitializer(paths []string, imageReplacementsFile string, logger *slo
 		if err != nil {
 			return fmt.Errorf("could not parse image definition file %s: %w", imageReplacementsFile, err)
 		}
+	} else {
+		replacements, err = kuberesource.ImageReplacementsFromFile(bytes.NewReader(releaseImageReplacements))
+		if err != nil {
+			return fmt.Errorf("could not parse release image definitions %s: %w", releaseImageReplacements, err)
+		}
 	}
 	for _, path := range paths {
 		data, err := os.ReadFile(path)

diff --git a/internal/kuberesource/lookup.go b/internal/kuberesource/lookup.go
@@ -17,7 +17,7 @@ var replacementRE = regexp.MustCompile(`(?P<image>[^\s=]+)\s*=\s*(?P<replacement
 // The file is expected to contain newline-separated pairs of images and their intended
 // replacement, separated by an = sign. Empty lines and lines starting with the pound character
 // are ignored. This file is populated by container image build rules in the justfile.
-func ImageReplacementsFromFile(file io.ReadCloser) (map[string]string, error) {
+func ImageReplacementsFromFile(file io.Reader) (map[string]string, error) {
 	m := make(map[string]string)
 
 	scanner := bufio.NewScanner(file)

diff --git a/packages/by-name/contrast/package.nix b/packages/by-name/contrast/package.nix
@@ -51,6 +51,7 @@ buildGoModule rec {
       fileset = fileset.unions [
         (path.append root "go.mod")
         (path.append root "go.sum")
+        (path.append root "cli/cmd/assets/image-replacements.txt")
         (lib.fileset.difference
           (lib.fileset.fileFilter (file: lib.hasSuffix ".go" file.name) root)
           (fileset.unions [
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		# THIS FILE IS REPLACED DURING RELEASE BUILD TO INCLUDE UPDATED IMAGE REFERENCES