images: updating to use quay 3.12.2 (PROJQUAY-8106) #448
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: "Release" | |
on: | |
push: | |
tags: | |
- 'v[0-9]+.[0-9]+.[0-9]+' | |
pull_request_target: | |
types: [labeled] | |
branches: | |
- main | |
- mirror-registry-* | |
# Allows us to run release manually from the Actions tab | |
workflow_dispatch: | |
inputs: | |
version: | |
description: 'Version to release (tag name)' | |
required: true | |
concurrency: | |
group: limit-to-one | |
jobs: | |
build-install-zip: | |
name: "Build Installer" | |
runs-on: ubuntu-latest | |
if: github.event_name == 'push' || contains(github.event.pull_request.labels.*.name, 'ok-to-test') || github.event.inputs.version | |
strategy: | |
matrix: | |
installer-type: ["online", "offline"] | |
steps: | |
# Checkout source branch for testing | |
- name: Checkout PR | |
uses: actions/checkout@v4 | |
if: contains(github.event.pull_request.labels.*.name, 'ok-to-test') | |
with: | |
ref: ${{ github.event.pull_request.head.sha }} | |
# Checkout target branch for release build | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
ref: refs/tags/${{ github.event.inputs.version }} | |
if: github.event.inputs.version | |
- name: Set version from tag/branch | |
run: | | |
echo "RELEASE_VERSION=$GITHUB_REF_NAME" >>"$GITHUB_ENV" | |
if: github.event_name == 'push' || contains(github.event.pull_request.labels.*.name, 'ok-to-test') | |
- name: Set version from input | |
run: | | |
echo "RELEASE_VERSION=${{ github.event.inputs.version }}" >>"$GITHUB_ENV" | |
if: github.event.inputs.version | |
- name: Set up Go 1.x | |
uses: actions/setup-go@v4 | |
with: | |
go-version: ^1.21 | |
id: go | |
- name: Get dependencies | |
run: | | |
go install -v ./... | |
if [ -f Gopkg.toml ]; then | |
curl https://raw.githubusercontent.com/golang/dep/master/install.sh | sh | |
dep ensure | |
fi | |
- name: Log into docker for registry.redhat.io | |
uses: docker/login-action@v2 | |
with: | |
registry: registry.redhat.io | |
username: ${{ secrets.REGISTRY_USERNAME }} | |
password: ${{ secrets.REGISTRY_PASSWORD }} | |
- name: Install ansible builder | |
run: sudo pip install ansible-builder | |
- name: Build tarfile | |
run: CLIENT=docker make build-${{ matrix.installer-type }}-zip | |
- name: Upload tarfile | |
uses: actions/upload-artifact@v3 | |
with: | |
name: mirror-registry-${{ matrix.installer-type }}-installer | |
path: mirror-registry.tar.gz | |
retention-days: 1 | |
test-remote-install: | |
name: "Remote Install" | |
needs: ["build-install-zip"] | |
runs-on: ubuntu-latest | |
if: contains(github.event.pull_request.labels.*.name, 'ok-to-test') # Skip on release | |
strategy: | |
fail-fast: false | |
matrix: | |
installer-type: ["online", "offline"] | |
env: | |
GOOGLE_CREDENTIALS: ${{ secrets.GOOGLE_CREDENTIALS }} | |
TF_VAR_SSH_PUBLIC_KEY: ${{ secrets.TF_VAR_SSH_PUBLIC_KEY }} | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v3 | |
- name: Install oc | |
uses: redhat-actions/oc-installer@v1 | |
with: | |
oc_version: "4.6" | |
- name: Setup Terraform | |
uses: hashicorp/setup-terraform@v1 | |
with: | |
# terraform_version: 0.13.0: | |
cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }} | |
terraform_wrapper: false | |
- name: Install SSH Key | |
uses: webfactory/[email protected] | |
with: | |
ssh-private-key: ${{ secrets.TF_VAR_SSH_PRIVATE_KEY }} | |
- name: Write SSH Key id_rsa | |
run: | | |
echo "$SSH_KEY" > /home/runner/.ssh/id_rsa | |
chmod 600 ~/.ssh/id_rsa | |
env: | |
SSH_KEY: ${{ secrets.TF_VAR_SSH_PRIVATE_KEY }} | |
- name: Write SSH Key staging.key | |
run: | | |
mkdir -p ~/.ssh/ | |
echo "$SSH_KEY" > ~/.ssh/staging.key | |
chmod 600 ~/.ssh/staging.key | |
cat >>~/.ssh/config <<END | |
Host quay | |
HostName quay | |
User jonathan | |
IdentityFile ~/.ssh/staging.key | |
StrictHostKeyChecking no | |
END | |
env: | |
SSH_KEY: ${{ secrets.TF_VAR_SSH_PRIVATE_KEY }} | |
- name: Initialize VM | |
uses: ./.github/actions/setup-terraform | |
with: | |
terraform-context: ".github/workflows/remote-${{ matrix.installer-type }}-installer" | |
- name: Wait for VM | |
uses: jakejarvis/wait-action@master | |
with: | |
time: "60s" | |
- name: Download tarfile | |
uses: actions/download-artifact@v3 | |
with: | |
name: mirror-registry-${{ matrix.installer-type }}-installer | |
- name: Extract tarfile | |
run: tar -xf mirror-registry.tar.gz | |
- name: Add quay to /etc/hosts | |
run: ssh jonathan@quay 'echo "127.0.0.1 quay" | sudo tee -a /etc/hosts' | |
- name: Install podman | |
run: ssh jonathan@quay 'sudo subscription-manager refresh; sudo yum -y install podman' | |
- name: Log into podman for registry.redhat.io | |
run: ssh jonathan@quay "podman login -u ${{ secrets.REGISTRY_USERNAME }} -p ${{ secrets.REGISTRY_PASSWORD }} registry.redhat.io" | |
if: matrix.installer-type == 'online' | |
- name: Install Registry | |
run: ./mirror-registry install -u jonathan -r /home/jonathan/quay-install -H quay -v --initPassword password -k /home/runner/.ssh/id_rsa | |
- name: Mirror Images | |
uses: ./.github/actions/mirror | |
with: | |
quay-hostname: "quay:8443" | |
pull-secret: ${{ secrets.PULL_SECRET }} | |
- name: Upgrade Registry | |
run: ./mirror-registry upgrade -u jonathan -r /home/jonathan/quay-install -H quay -v -k /home/runner/.ssh/id_rsa | |
- name: Uninstall Registry | |
run: ./mirror-registry uninstall -u jonathan -H quay --autoApprove -v -k /home/runner/.ssh/id_rsa | |
- name: Download old mirror-registry tarball that runs quay with postgres | |
run: wget -O mirror-registry-postgres.tar.gz "https://github.com/quay/mirror-registry/releases/download/v1.3.10/mirror-registry-${{ matrix.installer-type }}.tar.gz" | |
- name: Create extraction directory for old mirror-registry binary | |
run: mkdir -p ./mirror-registry-postgres | |
- name: Extract tarball into the folder | |
run: tar -xzf mirror-registry-postgres.tar.gz -C ./mirror-registry-postgres | |
- name: Install postgres backed quay registry | |
run: ./mirror-registry-postgres/mirror-registry install -u jonathan -r /home/jonathan/quay-install -H quay -v --initPassword password -k /home/runner/.ssh/id_rsa | |
- name: Podman login to quay registry | |
run: podman login -u init -p password quay:8443 --tls-verify=false | |
- name: Pull busybox image from Docker Hub | |
run: podman pull docker.io/library/busybox | |
- name: Tag busybox image for Quay | |
run: podman tag docker.io/library/busybox quay:8443/init/busybox:latest | |
- name: Push busybox image to Quay | |
run: podman push quay:8443/init/busybox:latest --tls-verify=false | |
- name: Use latest binary to test upgrade cmd to ensure db migration from old postgres to sqlite | |
run: ./mirror-registry upgrade -u jonathan -r /home/jonathan/quay-install -H quay -v -k /home/runner/.ssh/id_rsa | |
- name: Pull already pushed busybox image from quay registry | |
run: podman pull quay:8443/init/busybox:latest --tls-verify=false | |
- name: Verify busybox image is pulled successfully | |
run: podman images | grep -q quay:8443/init/busybox | |
- name: Uninstall Registry | |
run: ./mirror-registry uninstall -u jonathan -H quay --autoApprove -v -k /home/runner/.ssh/id_rsa | |
- name: Terraform Destroy | |
run: terraform destroy --auto-approve | |
shell: bash | |
working-directory: ".github/workflows/remote-${{ matrix.installer-type }}-installer" | |
if: always() | |
test-local-install: | |
name: "Local Install" | |
needs: ["build-install-zip"] | |
runs-on: ubuntu-latest | |
if: contains(github.event.pull_request.labels.*.name, 'ok-to-test') # Skip on release | |
strategy: | |
fail-fast: false | |
matrix: | |
installer-type: ["online", "offline"] | |
env: | |
GOOGLE_CREDENTIALS: ${{ secrets.GOOGLE_CREDENTIALS }} | |
TF_VAR_SSH_PUBLIC_KEY: ${{ secrets.TF_VAR_SSH_PUBLIC_KEY }} | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v3 | |
- name: Install oc | |
uses: redhat-actions/oc-installer@v1 | |
with: | |
oc_version: "4.6" | |
- name: Setup Terraform | |
uses: hashicorp/setup-terraform@v1 | |
with: | |
# terraform_version: 0.13.0: | |
cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }} | |
terraform_wrapper: false | |
- name: Install SSH Key | |
uses: webfactory/[email protected] | |
with: | |
ssh-private-key: ${{ secrets.TF_VAR_SSH_PRIVATE_KEY }} | |
- name: Write SSH Key id_rsa | |
run: | | |
echo "$SSH_KEY" > /home/runner/.ssh/id_rsa | |
chmod 600 ~/.ssh/id_rsa | |
env: | |
SSH_KEY: ${{ secrets.TF_VAR_SSH_PRIVATE_KEY }} | |
- name: Write SSH Key staging.key | |
run: | | |
mkdir -p ~/.ssh/ | |
echo "$SSH_KEY" > ~/.ssh/staging.key | |
chmod 600 ~/.ssh/staging.key | |
cat >>~/.ssh/config <<END | |
Host quay | |
HostName quay | |
User jonathan | |
IdentityFile ~/.ssh/staging.key | |
StrictHostKeyChecking no | |
END | |
env: | |
SSH_KEY: ${{ secrets.TF_VAR_SSH_PRIVATE_KEY }} | |
- name: Initialize VM | |
uses: ./.github/actions/setup-terraform | |
with: | |
terraform-context: ".github/workflows/local-${{ matrix.installer-type }}-installer" | |
- name: Wait for VM | |
uses: jakejarvis/wait-action@master | |
with: | |
time: "60s" | |
- name: Download tarfile | |
uses: actions/download-artifact@v3 | |
with: | |
name: mirror-registry-${{ matrix.installer-type }}-installer | |
- name: SCP tarball to VM | |
run: scp mirror-registry.tar.gz jonathan@quay:~/mirror-registry.tar.gz | |
- name: Add quay to /etc/hosts | |
run: ssh jonathan@quay 'echo "127.0.0.1 quay" | sudo tee -a /etc/hosts' | |
- name: Install podman | |
run: ssh jonathan@quay 'sudo subscription-manager refresh; sudo yum -y install podman' | |
- name: Log into podman for registry.redhat.io | |
run: ssh jonathan@quay "podman login -u ${{ secrets.REGISTRY_USERNAME }} -p ${{ secrets.REGISTRY_PASSWORD }} registry.redhat.io" | |
if: matrix.installer-type == 'online' | |
- name: Pull busybox image from Docker Hub before disabling traffic | |
run: ssh jonathan@quay 'podman pull docker.io/library/busybox' | |
- name: Disable outbound network traffic | |
run: ssh jonathan@quay 'sudo firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -m state --state ESTABLISHED,RELATED -j ACCEPT; sudo firewall-cmd --direct --add-rule ipv4 filter OUTPUT 1 -p tcp -m tcp --dport=22 -j ACCEPT; sudo firewall-cmd --direct --add-rule ipv4 filter OUTPUT 1 -p tcp -m tcp --dport=8443 -j ACCEPT; sudo firewall-cmd --direct --add-rule ipv4 filter OUTPUT 2 -j DROP' | |
if: matrix.installer-type == 'offline' | |
- name: Install Registry | |
run: ssh jonathan@quay 'tar -xf mirror-registry.tar.gz; ./mirror-registry install -v --quayHostname quay:8443 --initPassword password' | |
- name: Mirror Images | |
uses: ./.github/actions/mirror | |
with: | |
quay-hostname: "quay:8443" | |
pull-secret: ${{ secrets.PULL_SECRET }} | |
- name: Upgrade Quay | |
run: ssh jonathan@quay './mirror-registry upgrade -v' | |
- name: Uninstall Quay | |
run: ssh jonathan@quay './mirror-registry uninstall --autoApprove -v' | |
- name: Download old mirror-registry tarball that runs quay with postgres | |
run: wget -O mirror-registry-postgres.tar.gz "https://github.com/quay/mirror-registry/releases/download/v1.3.10/mirror-registry-${{ matrix.installer-type }}.tar.gz" | |
- name: SCP old tarball to VM | |
run: scp mirror-registry-postgres.tar.gz jonathan@quay:~/mirror-registry-postgres.tar.gz | |
- name: Create extraction directory for old mirror-registry binary | |
run: ssh jonathan@quay 'mkdir -p ./mirror-registry-postgres' | |
- name: Extract tarball into the folder | |
run: ssh jonathan@quay 'tar -xzf mirror-registry-postgres.tar.gz -C ./mirror-registry-postgres' | |
- name: Install postgres backed quay registry | |
run: ssh jonathan@quay './mirror-registry-postgres/mirror-registry install -u jonathan -r /home/jonathan/quay-install --quayHostname quay:8443 -v --initPassword password' | |
- name: Podman login to quay registry | |
run: ssh jonathan@quay 'podman login -u init -p password quay:8443 --tls-verify=false' | |
- name: Tag busybox image for Quay | |
run: ssh jonathan@quay 'podman tag docker.io/library/busybox quay:8443/init/busybox:latest' | |
- name: Push busybox image to Quay | |
run: ssh jonathan@quay 'podman push quay:8443/init/busybox:latest --tls-verify=false' | |
- name: Use latest binary to test upgrade cmd to ensure db migration from old postgres to sqlite | |
run: ssh jonathan@quay './mirror-registry upgrade -u jonathan -r /home/jonathan/quay-install --quayHostname quay:8443 -v' | |
- name: Pull already pushed busybox image from quay registry | |
run: ssh jonathan@quay 'podman pull quay:8443/init/busybox:latest --tls-verify=false' | |
- name: Verify busybox image was pulled successfully | |
run: ssh jonathan@quay 'podman images | grep -q quay:8443/init/busybox' | |
- name: Uninstall Quay | |
run: ssh jonathan@quay './mirror-registry uninstall --autoApprove -v' | |
- name: Terraform Destroy | |
run: terraform destroy --auto-approve | |
shell: bash | |
working-directory: ".github/workflows/local-${{ matrix.installer-type }}-installer" | |
if: always() | |
publish-release: | |
name: "Publish Release" | |
needs: ["build-install-zip"] | |
runs-on: ubuntu-latest | |
permissions: | |
contents: write | |
if: github.event_name == 'push' || github.event.inputs.version | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v3 | |
- name: Download offline tarfile | |
uses: actions/download-artifact@v3 | |
with: | |
name: mirror-registry-offline-installer | |
- name: Rename offline tarfile | |
run: mv mirror-registry.tar.gz mirror-registry-offline.tar.gz | |
- name: Download online tarfile | |
uses: actions/download-artifact@v3 | |
with: | |
name: mirror-registry-online-installer | |
- name: Rename online tarfile | |
run: mv mirror-registry.tar.gz mirror-registry-online.tar.gz | |
- uses: ncipollo/release-action@v1 | |
with: | |
artifacts: "*.tar.gz,README.md" | |
allowUpdates: true | |
prerelease: true | |
tag: ${{ github.ref_name }} | |
if: github.event_name == 'push' | |
- uses: ncipollo/release-action@v1 | |
with: | |
artifacts: "*.tar.gz,README.md" | |
allowUpdates: true | |
prerelease: true | |
tag: ${{ github.event.inputs.version }} | |
if: github.event.inputs.version |