From cde680e29732f56082b7d7f6c0da34e34065cfd2 Mon Sep 17 00:00:00 2001 From: Wainer dos Santos Moschetta Date: Fri, 8 Sep 2023 16:56:10 -0300 Subject: [PATCH 01/10] workflows/podvm: configurable registry Added the `registry` parameter to the builder/binaries/podvm workflows to allow publish the images in an arbitrary registry. Also added login handler if the registry is `ghcr.io`. Signed-off-by: Wainer dos Santos Moschetta --- .github/workflows/podvm.yaml | 20 +++++++++++++++++--- .github/workflows/podvm_binaries.yaml | 18 ++++++++++++++++-- .github/workflows/podvm_builder.yaml | 18 ++++++++++++++++-- 3 files changed, 49 insertions(+), 7 deletions(-) diff --git a/.github/workflows/podvm.yaml b/.github/workflows/podvm.yaml index 309059f44..e38654252 100644 --- a/.github/workflows/podvm.yaml +++ b/.github/workflows/podvm.yaml @@ -1,6 +1,11 @@ name: Create Pod VM Image on: workflow_call: + inputs: + registry: + default: 'quay.io/confidential-containers' + required: false + type: string jobs: build: 
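Review bot: The new `registry` input carries no `description:`, so a caller of this reusable workflow has to read the job body to learn that the value is both the push target and the prefix the Quay/GHCR login conditions match on; the `registry` inputs added to podvm_binaries.yaml and podvm_builder.yaml in this patch have the same gap. Add a line such as `description: 'Registry (host/namespace) the built images are pushed to; login is handled only for quay.io and ghcr.io'` under each input.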
@@ -37,16 +42,25 @@ jobs: - name: Login to Quay container Registry uses: docker/login-action@v2 with: + if: ${{ startsWith(inputs.registry, 'quay.io') }} registry: quay.io username: ${{ secrets.QUAY_USERNAME }} password: ${{ secrets.QUAY_PASSWORD }} + - name: Login to Github Container Registry + if: ${{ startsWith(inputs.registry, 'ghcr.io') }} + uses: docker/login-action@v2 + with: + registry: ghcr.io + username: ${{ github.repository_owner }} + password: ${{ secrets.GITHUB_TOKEN }} + - name: Build and push uses: docker/build-push-action@v3 with: tags: | - quay.io/confidential-containers/podvm-${{ matrix.provider }}-${{ matrix.os }}-${{ matrix.arch }}:latest - quay.io/confidential-containers/podvm-${{ matrix.provider }}-${{ matrix.os }}-${{ matrix.arch }}:${{ github.sha }} + ${{ inputs.registry }}/podvm-${{ matrix.provider }}-${{ matrix.os }}-${{ matrix.arch }}:latest + ${{ inputs.registry }}/podvm-${{ matrix.provider }}-${{ matrix.os }}-${{ matrix.arch }}:${{ github.sha }} push: true context: podvm platforms: linux/amd64 @@ -57,4 +71,4 @@ jobs: "ARCH=${{ matrix.arch }}" "UBUNTU_IMAGE_URL=" "UBUNTU_IMAGE_CHECKSUM=" - "BINARIES_IMG=quay.io/confidential-containers/podvm-binaries-${{ matrix.os }}-${{ matrix.arch }}" + "BINARIES_IMG=${{ inputs.registry }}/podvm-binaries-${{ matrix.os }}-${{ matrix.arch }}" diff --git a/.github/workflows/podvm_binaries.yaml b/.github/workflows/podvm_binaries.yaml index 5bda907a2..154093ca6 100644 --- a/.github/workflows/podvm_binaries.yaml +++ b/.github/workflows/podvm_binaries.yaml @@ -1,6 +1,11 @@ name: Create Pod VM Binaries Image on: workflow_call: + inputs: + registry: + default: 'quay.io/confidential-containers' + required: false + type: string jobs: build: 
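Review bot: In the Quay login step the added `if: ${{ startsWith(inputs.registry, 'quay.io') }}` is indented under `with:`, so it reaches docker/login-action as an unexpected input instead of being evaluated as a step condition and the Quay login still runs for every `registry` value; podvm_binaries.yaml and podvm_builder.yaml place the same line at step level, which is what is needed here — move it above `uses: docker/login-action@v2`. The new GHCR login authenticates with `secrets.GITHUB_TOKEN`, and pushing to ghcr.io needs that token to carry `packages: write`; no `permissions:` block is visible in the hunk, so with read-only default token permissions the push will be refused. Declaring `permissions:` with `contents: read` and `packages: write` on the `build` job, in all three workflows, makes the grant explicit and keeps it minimal.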
@@ -37,18 +42,27 @@ jobs: password: ${{ secrets.DOCKER_PASSWORD }} - name: Login to Quay container Registry + if: ${{ startsWith(inputs.registry, 'quay.io') }} uses: docker/login-action@v2 with: registry: quay.io username: ${{ secrets.QUAY_USERNAME }} password: ${{ secrets.QUAY_PASSWORD }} + - name: Login to Github Container Registry + if: ${{ startsWith(inputs.registry, 'ghcr.io') }} + uses: docker/login-action@v2 + with: + registry: ghcr.io + username: ${{ github.repository_owner }} + password: ${{ secrets.GITHUB_TOKEN }} + - name: Build and push uses: docker/build-push-action@v3 with: tags: | - quay.io/confidential-containers/podvm-binaries-${{ matrix.os }}-${{ matrix.arch }}:latest - quay.io/confidential-containers/podvm-binaries-${{ matrix.os }}-${{ matrix.arch }}:${{ github.sha }} + ${{ inputs.registry }}/podvm-binaries-${{ matrix.os }}-${{ matrix.arch }}:latest + ${{ inputs.registry }}/podvm-binaries-${{ matrix.os }}-${{ matrix.arch }}:${{ github.sha }} push: true context: podvm platforms: linux/amd64 diff --git a/.github/workflows/podvm_builder.yaml b/.github/workflows/podvm_builder.yaml index 7a669d326..2a6a5191c 100644 --- a/.github/workflows/podvm_builder.yaml +++ b/.github/workflows/podvm_builder.yaml @@ -1,6 +1,11 @@ name: Create Pod VM Builder Image on: workflow_call: + inputs: + registry: + default: 'quay.io/confidential-containers' + required: false + type: string jobs: build: 
@@ -68,18 +73,27 @@ jobs: password: ${{ secrets.DOCKER_PASSWORD }} - name: Login to Quay container Registry + if: ${{ startsWith(inputs.registry, 'quay.io') }} uses: docker/login-action@v2 with: registry: quay.io username: ${{ secrets.QUAY_USERNAME }} password: ${{ secrets.QUAY_PASSWORD }} + - name: Login to Github Container Registry + if: ${{ startsWith(inputs.registry, 'ghcr.io') }} + uses: docker/login-action@v2 + with: + registry: ghcr.io + username: ${{ github.repository_owner }} + password: ${{ secrets.GITHUB_TOKEN }} + - name: Build and push uses: docker/build-push-action@v3 with: tags: | - quay.io/confidential-containers/podvm-builder-${{ matrix.os }}:latest - quay.io/confidential-containers/podvm-builder-${{ matrix.os }}:${{ github.sha }} + ${{ inputs.registry }}/podvm-builder-${{ matrix.os }}:latest + ${{ inputs.registry }}/podvm-builder-${{ matrix.os }}:${{ github.sha }} push: true context: podvm platforms: linux/amd64 From 1de5211df06978562bb821ff12da08c34ec01298 Mon Sep 17 00:00:00 2001 From: Wainer dos Santos Moschetta Date: Fri, 8 Sep 2023 17:51:29 -0300 Subject: [PATCH 02/10] workflows/podvm: event-based image tagging The current behavior of builder/binaries/podvm workflows is to push images with the `latest` and commit SHA tags. Now that those workflows are callable there is a need to tag those images differently depending on the use case. The approach took here was to used different tags based on the event that triggered the workflow: * on `release` event, tag with `latest` and the commit SHA. Default behavior does not change * on `pull_request` or `pull_request_target` uses the `ci-prN` where `N` is the pull request number. Does not make sense to push `latest` or commit SHA to an image that is transient. 
Signed-off-by: Wainer dos Santos Moschetta --- .github/workflows/podvm.yaml | 19 ++++++++++++++++--- .github/workflows/podvm_binaries.yaml | 19 ++++++++++++++++--- .github/workflows/podvm_builder.yaml | 19 ++++++++++++++++--- 3 files changed, 48 insertions(+), 9 deletions(-) diff --git a/.github/workflows/podvm.yaml b/.github/workflows/podvm.yaml index e38654252..94134665f 100644 --- a/.github/workflows/podvm.yaml +++ b/.github/workflows/podvm.yaml @@ -55,12 +55,25 @@ jobs: username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} + - name: Determine image tags + run: | + event_name=${{ github.event_name }} + img="${{ inputs.registry }}/podvm-${{ matrix.provider }}-${{ matrix.os }}-${{ matrix.arch }}" + tags="" + + case "$event_name" in + release) + tags="${img}:latest,${img}:${{ github.sha }}" ;; + pull_request|pull_request_target) + tags="${img}:ci-pr${{ github.event.number }}" ;; + esac + + echo "IMG_TAGS=$tags" >> "$GITHUB_ENV" + - name: Build and push uses: docker/build-push-action@v3 with: - tags: | - ${{ inputs.registry }}/podvm-${{ matrix.provider }}-${{ matrix.os }}-${{ matrix.arch }}:latest - ${{ inputs.registry }}/podvm-${{ matrix.provider }}-${{ matrix.os }}-${{ matrix.arch }}:${{ github.sha }} + tags: ${{ env.IMG_TAGS }} push: true context: podvm platforms: linux/amd64 diff --git a/.github/workflows/podvm_binaries.yaml b/.github/workflows/podvm_binaries.yaml index 154093ca6..34f6bc297 100644 --- a/.github/workflows/podvm_binaries.yaml +++ b/.github/workflows/podvm_binaries.yaml 
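Review bot: The `case` in the new "Determine image tags" step has no default branch, so for any event other than `release`, `pull_request` or `pull_request_target` (for example `workflow_dispatch`, which patch 08 of this series uses to call these workflows) `IMG_TAGS` is written as an empty string and the following "Build and push" step runs with `push: true` and no tags, which will either fail on the missing tag or push nothing. Fail early and explicitly instead: `*) echo "unsupported event: ${event_name}" >&2; exit 1 ;;`. The same step is added to podvm_binaries.yaml and podvm_builder.yaml in this patch and needs the same branch. `event_name` and the `img` prefix are interpolated into the script with `${{ }}`; they are GitHub-controlled values here, but passing them through the step's `env:` block keeps the script injection-safe if `registry` ever comes from a less trusted caller.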
@@ -57,12 +57,25 @@ jobs: username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} + - name: Determine image tags + run: | + event_name=${{ github.event_name }} + img="${{ inputs.registry }}/podvm-binaries-${{ matrix.os }}-${{ matrix.arch }}" + tags="" + + case "$event_name" in + release) + tags="${img}:latest,${img}:${{ github.sha }}" ;; + pull_request|pull_request_target) + tags="${img}:ci-pr${{ github.event.number }}" ;; + esac + + echo "IMG_TAGS=$tags" >> "$GITHUB_ENV" + - name: Build and push uses: docker/build-push-action@v3 with: - tags: | - ${{ inputs.registry }}/podvm-binaries-${{ matrix.os }}-${{ matrix.arch }}:latest - ${{ inputs.registry }}/podvm-binaries-${{ matrix.os }}-${{ matrix.arch }}:${{ github.sha }} + tags: ${{ env.IMG_TAGS }} push: true context: podvm platforms: linux/amd64 diff --git a/.github/workflows/podvm_builder.yaml b/.github/workflows/podvm_builder.yaml index 2a6a5191c..3029098f6 100644 --- a/.github/workflows/podvm_builder.yaml +++ b/.github/workflows/podvm_builder.yaml @@ -88,12 +88,25 @@ jobs: username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} + - name: Determine image tags + run: | + event_name=${{ github.event_name }} + img="${{ inputs.registry }}/podvm-builder-${{ matrix.os }}" + tags="" + + case "$event_name" in + release) + tags="${img}:latest,${img}:${{ github.sha }}" ;; + pull_request|pull_request_target) + tags="${img}:ci-pr${{ github.event.number }}" ;; + esac + + echo "IMG_TAGS=$tags" >> "$GITHUB_ENV" + - name: Build and push uses: docker/build-push-action@v3 with: - tags: | - ${{ inputs.registry }}/podvm-builder-${{ matrix.os }}:latest - ${{ inputs.registry }}/podvm-builder-${{ matrix.os }}:${{ github.sha }} + tags: ${{ env.IMG_TAGS }} push: true context: podvm platforms: linux/amd64 From af3e4ef68ec83c6c4f83eb684523df9b7342362f Mon Sep 17 00:00:00 2001 
From: Wainer dos Santos Moschetta Date: Fri, 8 Sep 2023 19:09:43 -0300 Subject: [PATCH 03/10] workflows/podvm: allow to overwrite base images Added parameters to the `podvm_binaries` and `podvm` workflows to allow overwrite the base images to build the podvm-binaries-* and podvm-* images. This is needed to accomodate the use case of running those workflows on pull request, for instance, suppose a PR 123: * ghcr.io/cloud-adaptor-api/podvm-builder-ubuntu:ci-pr123 is created. * `podvm_binaries` is called with `builder_img_tag=ghcr.io/cloud-adaptor-api/podvm-builder-ubuntu:ci-pr123` which is passed down to the podvm/Dockerfile.binaries in order to use the new builder * Same goes for `podvm`, this time using the built, say, `ghcr.io/cloud-adaptor-api/podvm-binaries-ubuntu-amd64:ci-pr123` image. Signed-off-by: Wainer dos Santos Moschetta --- .github/workflows/podvm.yaml | 6 +++++- .github/workflows/podvm_binaries.yaml | 5 +++++ 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/.github/workflows/podvm.yaml b/.github/workflows/podvm.yaml index 94134665f..373b9345c 100644 --- a/.github/workflows/podvm.yaml +++ b/.github/workflows/podvm.yaml @@ -2,6 +2,10 @@ name: Create Pod VM Image on: workflow_call: inputs: + binaries_img_tag: + default: 'latest' + required: false + type: string registry: default: 'quay.io/confidential-containers' required: false @@ -84,4 +88,4 @@ jobs: "ARCH=${{ matrix.arch }}" "UBUNTU_IMAGE_URL=" "UBUNTU_IMAGE_CHECKSUM=" - "BINARIES_IMG=${{ inputs.registry }}/podvm-binaries-${{ matrix.os }}-${{ matrix.arch }}" + "BINARIES_IMG=${{ inputs.registry }}/podvm-binaries-${{ matrix.os }}-${{ matrix.arch }}:${{ inputs.binaries_img_tag }}" diff --git a/.github/workflows/podvm_binaries.yaml b/.github/workflows/podvm_binaries.yaml index 34f6bc297..67ecf6152 100644 --- a/.github/workflows/podvm_binaries.yaml +++ b/.github/workflows/podvm_binaries.yaml 
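Review bot: `binaries_img_tag` (and `builder_img_tag` in the podvm_binaries.yaml hunk of this patch) is only a tag that gets appended to `${{ inputs.registry }}/podvm-binaries-...` in the `BINARIES_IMG` build-arg, so the base image is always resolved from the same registry the output is pushed to, and the default `latest` is a mutable tag, so two builds of the same commit can consume different base images; neither input documents either point. Add a `description:` stating that the tag is looked up under `inputs.registry`, and consider letting the input carry a full reference (so a `@sha256:` digest can be pinned) or at least logging the resolved digest in the build step for traceability.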
@@ -2,6 +2,10 @@ name: Create Pod VM Binaries Image on: workflow_call: inputs: + builder_img_tag: + default: 'latest' + required: false + type: string registry: default: 'quay.io/confidential-containers' required: false @@ -83,5 +87,6 @@ jobs: podvm/${{ matrix.dockerfile }} build-args: | "ARCH=${{ matrix.arch }}" + "BUILDER_IMG=${{ inputs.registry }}/podvm-builder-${{ matrix.os }}:${{ inputs.builder_img_tag }}" "UBUNTU_IMAGE_URL=" "UBUNTU_IMAGE_CHECKSUM=" From a5aea2f2faf7edd501b07052fb56f707af99c370 Mon Sep 17 00:00:00 2001 From: Wainer dos Santos Moschetta Date: Mon, 11 Sep 2023 14:54:51 -0300 Subject: [PATCH 04/10] test/podvm: allow to overwrite CAA sources ref Added the `caa_src_ref` parameter to builder/binaries/podvm workflows so that: * the workflow's `checkout` action will use the passed git ref * the cloud-api-adaptor repository used on the image builds is checked out to ref too Signed-off-by: Wainer dos Santos Moschetta --- .github/workflows/podvm.yaml | 18 ++++++++++++++++++ .github/workflows/podvm_binaries.yaml | 18 ++++++++++++++++++ .github/workflows/podvm_builder.yaml | 13 ++++++++++++- 3 files changed, 48 insertions(+), 1 deletion(-) diff --git a/.github/workflows/podvm.yaml b/.github/workflows/podvm.yaml index 373b9345c..c5db206bd 100644 --- a/.github/workflows/podvm.yaml +++ b/.github/workflows/podvm.yaml @@ -6,6 +6,10 @@ on: default: 'latest' required: false type: string + caa_src_ref: + default: '' + required: false + type: string registry: default: 'quay.io/confidential-containers' required: false 
@@ -36,6 +40,19 @@ jobs: steps: - name: Checkout Code uses: actions/checkout@v3 + with: + fetch-depth: 0 + ref: ${{ inputs.caa_src_ref }} + + - name: Read properties from versions.yaml + run: | + # There reference to CAA sources will honored if passed to this + # workflow via inputs. + caa_src_ref="${{ inputs.caa_src_ref }}" + [ -n "$caa_src_ref" ] || \ + caa_src_ref="$(yq '.git.cloud-api-adaptor.reference' versions.yaml)" + [ -n "$caa_src_ref" ] + echo "CAA_SRC_REF=${caa_src_ref}" >> $GITHUB_ENV #- name: Set up QEMU # uses: docker/setup-qemu-action@v2 @@ -89,3 +106,4 @@ jobs: "UBUNTU_IMAGE_URL=" "UBUNTU_IMAGE_CHECKSUM=" "BINARIES_IMG=${{ inputs.registry }}/podvm-binaries-${{ matrix.os }}-${{ matrix.arch }}:${{ inputs.binaries_img_tag }}" + "CAA_SRC_REF=${{ env.CAA_SRC_REF }}" diff --git a/.github/workflows/podvm_binaries.yaml b/.github/workflows/podvm_binaries.yaml index 67ecf6152..52f142f7f 100644 --- a/.github/workflows/podvm_binaries.yaml +++ b/.github/workflows/podvm_binaries.yaml @@ -6,6 +6,10 @@ on: default: 'latest' required: false type: string + caa_src_ref: + default: '' + required: false + type: string registry: default: 'quay.io/confidential-containers' required: false @@ -31,6 +35,19 @@ jobs: steps: - name: Checkout Code uses: actions/checkout@v3 + with: + fetch-depth: 0 + ref: ${{ inputs.caa_src_ref }} + + - name: Read properties from versions.yaml + run: | + # There reference to CAA sources will honored if passed to this + # workflow via inputs. + caa_src_ref="${{ inputs.caa_src_ref }}" + [ -n "$caa_src_ref" ] || \ + caa_src_ref="$(yq '.git.cloud-api-adaptor.reference' versions.yaml)" + [ -n "$caa_src_ref" ] + echo "CAA_SRC_REF=${caa_src_ref}" >> $GITHUB_ENV #- name: Set up QEMU # uses: docker/setup-qemu-action@v2 
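Review bot: The "Read properties from versions.yaml" step exports to `$GITHUB_ENV` a value read from the checked-out tree (`yq '.git.cloud-api-adaptor.reference' versions.yaml`) or taken from `inputs.caa_src_ref` without checking that it is a single-line git ref; `caa_src_ref` is also the ref this checkout uses, and e2e_on_pull.yaml later sets it to a pull-request head SHA, so the `versions.yaml` being read can come from the PR under test and a multi-line value would define extra environment variables for every later step of the job. Validate before exporting, e.g. `git check-ref-format --allow-onelevel "$caa_src_ref" || exit 1`, and quote the redirect target, `>> "$GITHUB_ENV"`. The inline `caa_src_ref="${{ inputs.caa_src_ref }}"` is better supplied through the step's `env:` block so the input is never expanded as shell source. The same step is added to podvm_binaries.yaml and podvm_builder.yaml in this patch. The comment `There reference to CAA sources will honored if passed to this workflow via inputs.` reads better as `The reference to the CAA sources is taken from the workflow inputs when one is passed; otherwise it comes from versions.yaml.`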
@@ -88,5 +105,6 @@ jobs: build-args: | "ARCH=${{ matrix.arch }}" "BUILDER_IMG=${{ inputs.registry }}/podvm-builder-${{ matrix.os }}:${{ inputs.builder_img_tag }}" + "CAA_SRC_REF=${{ env.CAA_SRC_REF }}" "UBUNTU_IMAGE_URL=" "UBUNTU_IMAGE_CHECKSUM=" diff --git a/.github/workflows/podvm_builder.yaml b/.github/workflows/podvm_builder.yaml index 3029098f6..b9ecedfd3 100644 --- a/.github/workflows/podvm_builder.yaml +++ b/.github/workflows/podvm_builder.yaml @@ -2,6 +2,10 @@ name: Create Pod VM Builder Image on: workflow_call: inputs: + caa_src_ref: + default: '' + required: false + type: string registry: default: 'quay.io/confidential-containers' required: false @@ -28,6 +32,9 @@ jobs: steps: - name: Checkout Code uses: actions/checkout@v3 + with: + fetch-depth: 0 + ref: ${{ inputs.caa_src_ref }} - name: Read properties from versions.yaml run: | @@ -47,7 +54,11 @@ jobs: [ -n "$caa_src" ] echo "CAA_SRC=${caa_src}" >> $GITHUB_ENV - caa_src_ref="$(yq '.git.cloud-api-adaptor.reference' versions.yaml)" + # There reference to CAA sources will honored if passed to this + # workflow via inputs. + caa_src_ref="${{ inputs.caa_src_ref }}" + [ -n "$caa_src_ref" ] || \ + caa_src_ref="$(yq '.git.cloud-api-adaptor.reference' versions.yaml)" [ -n "$caa_src_ref" ] echo "CAA_SRC_REF=${caa_src_ref}" >> $GITHUB_ENV From e22c9ed891314d6ccecc41a39e49ac31c1238ccb Mon Sep 17 00:00:00 2001 From: Wainer dos Santos Moschetta Date: Mon, 11 Sep 2023 16:05:38 -0300 Subject: [PATCH 05/10] podvm/builder: checkout an arbitrary git ref The Dockerfile.builder* dockerfiles were changed to allow checking out in an arbitrary git ref, otherwise it will checkout only branches. This make the builder dockerfiles on pair with the other dockerfiles (binaries' and podvm's). 
Signed-off-by: Wainer dos Santos Moschetta --- podvm/Dockerfile.podvm_builder | 10 +++++++++- podvm/Dockerfile.podvm_builder.centos | 10 +++++++++- podvm/Dockerfile.podvm_builder.rhel | 10 +++++++++- 3 files changed, 27 insertions(+), 3 deletions(-) diff --git a/podvm/Dockerfile.podvm_builder b/podvm/Dockerfile.podvm_builder index 883706c71..13ef4db17 100644 --- a/podvm/Dockerfile.podvm_builder +++ b/podvm/Dockerfile.podvm_builder @@ -63,7 +63,15 @@ RUN echo $CAA_SRC RUN echo $CAA_SRC_REF -RUN git clone ${CAA_SRC} -b ${CAA_SRC_REF} cloud-api-adaptor +RUN if [ -n "${CAA_SRC}" ]; then \ + rm -rf cloud-api-adaptor && \ + git clone ${CAA_SRC} cloud-api-adaptor;\ + fi && \ + if [ -n "${CAA_SRC_REF}" ]; then \ + cd cloud-api-adaptor && \ + git fetch origin ${CAA_SRC_REF} && \ + git checkout FETCH_HEAD -B ${CAA_SRC_REF} ;\ + fi RUN git clone ${KATA_SRC} kata-containers RUN cd kata-containers && git checkout ${KATA_SRC_BRANCH} diff --git a/podvm/Dockerfile.podvm_builder.centos b/podvm/Dockerfile.podvm_builder.centos index 031b43e36..cb8f454fc 100644 --- a/podvm/Dockerfile.podvm_builder.centos +++ b/podvm/Dockerfile.podvm_builder.centos @@ -64,7 +64,15 @@ RUN echo $CAA_SRC RUN echo $CAA_SRC_REF -RUN git clone ${CAA_SRC} -b ${CAA_SRC_REF} cloud-api-adaptor +RUN if [ -n "${CAA_SRC}" ]; then \ + rm -rf cloud-api-adaptor && \ + git clone ${CAA_SRC} cloud-api-adaptor;\ + fi && \ + if [ -n "${CAA_SRC_REF}" ]; then \ + cd cloud-api-adaptor && \ + git fetch origin ${CAA_SRC_REF} && \ + git checkout FETCH_HEAD -B ${CAA_SRC_REF} ;\ + fi RUN git clone ${KATA_SRC} kata-containers RUN cd kata-containers && git checkout ${KATA_SRC_BRANCH} diff --git a/podvm/Dockerfile.podvm_builder.rhel b/podvm/Dockerfile.podvm_builder.rhel index d6eaea66f..b90a68b12 100644 --- a/podvm/Dockerfile.podvm_builder.rhel +++ b/podvm/Dockerfile.podvm_builder.rhel 
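Review bot: In the rewritten `RUN`, `${CAA_SRC}` and `${CAA_SRC_REF}` are expanded unquoted in `git clone ${CAA_SRC} cloud-api-adaptor`, `git fetch origin ${CAA_SRC_REF}` and `git checkout FETCH_HEAD -B ${CAA_SRC_REF}`, so a build-arg containing whitespace is split into extra git arguments; quote them (`git fetch origin "${CAA_SRC_REF}"`, `git checkout FETCH_HEAD -B "${CAA_SRC_REF}"`). The second `if` also assumes `cloud-api-adaptor` already exists when `CAA_SRC` is empty but `CAA_SRC_REF` is set; nothing in this hunk creates it, so unless the ARG defaults outside the hunk guarantee a non-empty `CAA_SRC`, that combination fails at `cd` with a message that does not explain the cause — a `[ -d cloud-api-adaptor ] || { echo "CAA_SRC_REF set but no checkout present" >&2; exit 1; }` guard would make it explicit. The same `RUN` is added to Dockerfile.podvm_builder.centos and Dockerfile.podvm_builder.rhel in this patch.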
@@ -60,7 +60,15 @@ RUN echo $CAA_SRC RUN echo $CAA_SRC_REF -RUN git clone ${CAA_SRC} -b ${CAA_SRC_REF} cloud-api-adaptor +RUN if [ -n "${CAA_SRC}" ]; then \ + rm -rf cloud-api-adaptor && \ + git clone ${CAA_SRC} cloud-api-adaptor;\ + fi && \ + if [ -n "${CAA_SRC_REF}" ]; then \ + cd cloud-api-adaptor && \ + git fetch origin ${CAA_SRC_REF} && \ + git checkout FETCH_HEAD -B ${CAA_SRC_REF} ;\ + fi RUN git clone ${KATA_SRC} kata-containers RUN cd kata-containers && git checkout ${KATA_SRC_BRANCH} From 9884b7549eace058d6d1801737b8b806e9090077 Mon Sep 17 00:00:00 2001 From: Wainer dos Santos Moschetta Date: Mon, 11 Sep 2023 19:39:32 -0300 Subject: [PATCH 06/10] podvm: reset the CAA branch if it exists When it tries to create the `CAA_SRC_REF` branch and it exists already, it will reset the branch instead of simply fail the checkout operation. That error can happen, for example, if `CAA_SRC_REF` is passed to the builder image then that image is used for the binaries build and you passed the same `CAA_SRC_REF`, i.e., on the builder image the repository is already branched to `CAA_SRC_REF` and in the binary image build it will try to create the branch same again (so failing). The checkout with `-B` will reset the branch instead of fail. Signed-off-by: Wainer dos Santos Moschetta --- podvm/Dockerfile.podvm | 2 +- podvm/Dockerfile.podvm.centos | 2 +- podvm/Dockerfile.podvm.rhel | 2 +- podvm/Dockerfile.podvm_binaries | 2 +- podvm/Dockerfile.podvm_binaries.centos | 2 +- podvm/Dockerfile.podvm_binaries.rhel | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/podvm/Dockerfile.podvm b/podvm/Dockerfile.podvm index 84aecd59d..40fbeb8f2 100644 --- a/podvm/Dockerfile.podvm +++ b/podvm/Dockerfile.podvm 
@@ -35,7 +35,7 @@ RUN if [ -n "${CAA_SRC}" ]; then \ if [ -n "${CAA_SRC_REF}" ]; then \ cd cloud-api-adaptor && \ git fetch origin ${CAA_SRC_REF} && \ - git checkout FETCH_HEAD -b ${CAA_SRC_REF} ;\ + git checkout FETCH_HEAD -B ${CAA_SRC_REF} ;\ fi # Installs add-ons for foreign target, if required RUN ./cloud-api-adaptor/podvm/hack/cross-build-extras.sh diff --git a/podvm/Dockerfile.podvm.centos b/podvm/Dockerfile.podvm.centos index 81b48edec..f04e14603 100644 --- a/podvm/Dockerfile.podvm.centos +++ b/podvm/Dockerfile.podvm.centos @@ -33,7 +33,7 @@ RUN if [ -n "${CAA_SRC}" ]; then \ if [ -n "${CAA_SRC_REF}" ]; then \ cd cloud-api-adaptor && \ git fetch origin ${CAA_SRC_REF} && \ - git checkout FETCH_HEAD -b ${CAA_SRC_REF} ;\ + git checkout FETCH_HEAD -B ${CAA_SRC_REF} ;\ fi # Defaults to CentOS 8-stream x86_64 image. These variables can be overriden as needed diff --git a/podvm/Dockerfile.podvm.rhel b/podvm/Dockerfile.podvm.rhel index 353a9342c..9e3f87f84 100644 --- a/podvm/Dockerfile.podvm.rhel +++ b/podvm/Dockerfile.podvm.rhel @@ -31,7 +31,7 @@ RUN if [ -n "${CAA_SRC}" ]; then \ if [ -n "${CAA_SRC_REF}" ]; then \ cd cloud-api-adaptor && \ git fetch origin ${CAA_SRC_REF} && \ - git checkout FETCH_HEAD -b ${CAA_SRC_REF} ;\ + git checkout FETCH_HEAD -B ${CAA_SRC_REF} ;\ fi ARG IMAGE_URL="/tmp/rhel.qcow2" diff --git a/podvm/Dockerfile.podvm_binaries b/podvm/Dockerfile.podvm_binaries index 5fed2da51..925f6e6fd 100644 --- a/podvm/Dockerfile.podvm_binaries +++ b/podvm/Dockerfile.podvm_binaries @@ -32,7 +32,7 @@ RUN if [ -n "${CAA_SRC}" ]; then \ if [ -n "${CAA_SRC_REF}" ]; then \ cd cloud-api-adaptor && \ git fetch origin ${CAA_SRC_REF} && \ - git checkout FETCH_HEAD -b ${CAA_SRC_REF} ;\ + git checkout FETCH_HEAD -B ${CAA_SRC_REF} ;\ fi # Installs add-ons for foreign target, if required RUN ./cloud-api-adaptor/podvm/hack/cross-build-extras.sh diff --git a/podvm/Dockerfile.podvm_binaries.centos b/podvm/Dockerfile.podvm_binaries.centos index d33448302..f03b9bd54 100644 
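Review bot: `git checkout FETCH_HEAD -B ${CAA_SRC_REF}` now silently resets a local branch that already exists, which resolves the failure the message describes, but it still creates a local branch named after whatever was passed — a commit SHA or a tag name — and a branch carrying a tag's name makes a later `git checkout <name>` in the same image ambiguous. If nothing downstream needs the branch, `git checkout --detach FETCH_HEAD` yields the same working tree without the naming side effect; if it does, keep `-B` but quote the variable, `-B "${CAA_SRC_REF}"`. This applies to all six Dockerfiles in the patch and to the builder Dockerfiles changed in patch 05.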
--- a/podvm/Dockerfile.podvm_binaries.centos +++ b/podvm/Dockerfile.podvm_binaries.centos @@ -32,7 +32,7 @@ RUN if [ -n "${CAA_SRC}" ]; then \ if [ -n "${CAA_SRC_REF}" ]; then \ cd cloud-api-adaptor && \ git fetch origin ${CAA_SRC_REF} && \ - git checkout FETCH_HEAD -b ${CAA_SRC_REF} ;\ + git checkout FETCH_HEAD -B ${CAA_SRC_REF} ;\ fi RUN cd cloud-api-adaptor/podvm && \ diff --git a/podvm/Dockerfile.podvm_binaries.rhel b/podvm/Dockerfile.podvm_binaries.rhel index 06c8786b2..cd0b7833e 100644 --- a/podvm/Dockerfile.podvm_binaries.rhel +++ b/podvm/Dockerfile.podvm_binaries.rhel @@ -32,7 +32,7 @@ RUN if [ -n "${CAA_SRC}" ]; then \ if [ -n "${CAA_SRC_REF}" ]; then \ cd cloud-api-adaptor && \ git fetch origin ${CAA_SRC_REF} && \ - git checkout FETCH_HEAD -b ${CAA_SRC_REF} ;\ + git checkout FETCH_HEAD -B ${CAA_SRC_REF} ;\ fi RUN cd cloud-api-adaptor/podvm && \ From 7f37a7814010f455b3a90785f809c59f6a781565 Mon Sep 17 00:00:00 2001 From: Wainer dos Santos Moschetta Date: Tue, 12 Sep 2023 11:43:36 -0300 Subject: [PATCH 07/10] test/e2e: build podvm on e2e_on_pull Until now the `e2e_on_pull` workflow was using built podvm images, where the qcow2 files are extracted and uploaded as artifacts which are picked up by downstream jobs (e.g. `e2e_libvirt`). This changed the workflow to leverage the new `podvm_builder`, `podvm_binaries` and `podvm` workflows so that the podvm images are built from the pull request code, pushed to ghcr.io and the downstream jobs should extract the qcow2 file themselves. Signed-off-by: Wainer dos Santos Moschetta --- .github/workflows/e2e_libvirt.yaml | 14 ++++---- .github/workflows/e2e_on_pull.yaml | 58 ++++++++++++------------------ 2 files changed, 31 insertions(+), 41 deletions(-) diff --git a/.github/workflows/e2e_libvirt.yaml b/.github/workflows/e2e_libvirt.yaml index 4670386fd..0a952773f 100644 --- a/.github/workflows/e2e_libvirt.yaml +++ b/.github/workflows/e2e_libvirt.yaml 
@@ -7,7 +7,7 @@ name: (Callable) libvirt e2e tests on: workflow_call: inputs: - qcow2_artifact: + podvm_image: required: true type: string install_directory_artifact: @@ -46,10 +46,12 @@ jobs: with: go-version: ${{ env.GO_VERSION }} - - uses: actions/download-artifact@v3 - with: - name: ${{ inputs.qcow2_artifact }} - path: podvm + - name: Extract qcow2 from ${{ inputs.podvm_image }} + run: | + qcow2=$(echo ${{ inputs.podvm_image }} | sed -e "s#.*/\(.*\):.*#\1.qcow2#") + ./hack/download-image.sh ${{ inputs.podvm_image }} . -o ${qcow2} + echo "PODVM_QCOW2=$(pwd)/${qcow2}" >> "$GITHUB_ENV" + working-directory: podvm - name: Get the install directory if: ${{ inputs.install_directory_artifact != '' }} @@ -154,7 +156,7 @@ jobs: export TEST_PROVISION="yes" export TEST_TEARDOWN="no" export TEST_PROVISION_FILE="$PWD/libvirt.properties" - export TEST_PODVM_IMAGE="${PWD}/podvm/${{ inputs.qcow2_artifact }}" + export TEST_PODVM_IMAGE="${{ env.PODVM_QCOW2 }}" export TEST_E2E_TIMEOUT="50m" make test-e2e diff --git a/.github/workflows/e2e_on_pull.yaml b/.github/workflows/e2e_on_pull.yaml index 270eb426e..ae1bd18e0 100644 --- a/.github/workflows/e2e_on_pull.yaml +++ b/.github/workflows/e2e_on_pull.yaml 
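Review bot: In the new "Extract qcow2" step `inputs.podvm_image` is spliced into the script twice with `${{ }}` (`qcow2=$(echo ${{ inputs.podvm_image }} | sed ...)` and `./hack/download-image.sh ${{ inputs.podvm_image }} . -o ${qcow2}`), unquoted; move it to the step's `env:` (`PODVM_IMAGE: ${{ inputs.podvm_image }}`) and use `"$PODVM_IMAGE"` and `"${qcow2}"` so a caller-supplied value is data rather than shell source. The sed expression `s#.*/\(.*\):.*#\1.qcow2#` only rewrites a reference of the form `registry/name:tag`; for an untagged reference it leaves the full value unchanged and `download-image.sh` is asked to write a path containing `/`, so either state that shape in the input's `description:` or reject anything else with `case "$PODVM_IMAGE" in */*:*) ;; *) echo "podvm_image must be registry/name:tag" >&2; exit 1 ;; esac`. The `TEST_PODVM_IMAGE` hunk further down consumes `env.PODVM_QCOW2`, so a failure here should stop the job before that point.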
@@ -43,43 +43,31 @@ jobs: # Build the podvm images. # - # Currently it will not build the podvm, instead it downloads the qcow2 file - # from the built image. The file will be archived so that downstream jobs can - # just download the file on their runners. - podvm: - name: podvm + podvm_builder: needs: [authorize] - runs-on: ubuntu-latest - strategy: - fail-fast: true - matrix: - os: - - centos - - ubuntu - provider: - - generic - arch: - - amd64 - env: - registry: quay.io/confidential-containers - podvm_image: podvm-${{ matrix.provider }}-${{ matrix.os }}-${{ matrix.arch }} - qcow2: podvm-${{ matrix.provider }}-${{ matrix.os }}-${{ matrix.arch }}.qcow2 - steps: - - name: Checkout Code - uses: actions/checkout@v3 - with: - fetch-depth: 0 - ref: ${{ github.event.pull_request.head.sha }} + uses: ./.github/workflows/podvm_builder.yaml + with: + caa_src_ref: ${{ github.event.pull_request.head.sha }} + registry: ghcr.io/${{ github.repository_owner }} + secrets: inherit - - name: Extract the podvm qcow2 - run: ./hack/download-image.sh ${{ env.registry }}/${{ env.podvm_image }} . -o ${{ env.qcow2 }} - working-directory: podvm + podvm_binaries: + needs: [podvm_builder] + uses: ./.github/workflows/podvm_binaries.yaml + with: + caa_src_ref: ${{ github.event.pull_request.head.sha }} + registry: ghcr.io/${{ github.repository_owner }} + builder_img_tag: ci-pr${{ github.event.number }} + secrets: inherit - - uses: actions/upload-artifact@v3 - with: - name: ${{ env.qcow2 }} - path: podvm/${{ env.qcow2 }} - retention-days: 1 + podvm: + needs: [podvm_binaries] + uses: ./.github/workflows/podvm.yaml + with: + caa_src_ref: ${{ github.event.pull_request.head.sha }} + registry: ghcr.io/${{ github.repository_owner }} + binaries_img_tag: ci-pr${{ github.event.number }} + secrets: inherit # Build and push the cloud-api-adaptor image # 
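Review bot: The three new jobs forward every repository secret with `secrets: inherit` into reusable workflows that check out `github.event.pull_request.head.sha` (through `caa_src_ref`) and build Dockerfiles from that checkout, with `needs: [authorize]` as the only gate; the called workflows' login steps show that this set includes the Docker Hub and Quay credentials, which the `ghcr.io/${{ github.repository_owner }}` target never uses, and `GITHUB_TOKEN` is available to called workflows without `inherit`. Prefer an explicit `secrets:` map listing only what the pull-request build needs (presumably the Docker Hub pair, if that login exists for pull rate limits — confirm), so a change to what `authorize` admits cannot expose the release-registry credentials to pull-request content. A `permissions:` block with `packages: write` and `contents: read` on these three jobs would also document the GHCR push the called workflows perform.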
@@ -175,6 +163,6 @@ jobs: - amd64 uses: ./.github/workflows/e2e_libvirt.yaml with: - qcow2_artifact: podvm-${{ matrix.provider }}-${{ matrix.os }}-${{ matrix.arch }}.qcow2 + podvm_image: ghcr.io/${{ github.repository_owner }}/podvm-${{ matrix.provider }}-${{ matrix.os }}-${{ matrix.arch }}:ci-pr${{ github.event.number }} install_directory_artifact: install_directory git_ref: ${{ github.event.pull_request.head.sha }} \ No newline at end of file From 7e1bf8984fe145e9a5fd9799f3ffba3a2f0b1d58 Mon Sep 17 00:00:00 2001 From: Wainer dos Santos Moschetta Date: Fri, 8 Sep 2023 17:54:26 -0300 Subject: [PATCH 08/10] podvm on pull Signed-off-by: Wainer dos Santos Moschetta --- .github/workflows/podvm_on_pull.yaml | 30 ++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 .github/workflows/podvm_on_pull.yaml diff --git a/.github/workflows/podvm_on_pull.yaml b/.github/workflows/podvm_on_pull.yaml new file mode 100644 index 000000000..db051a1bb --- /dev/null +++ b/.github/workflows/podvm_on_pull.yaml @@ -0,0 +1,30 @@ +name: podvm_on_pull +on: + workflow_dispatch: + +jobs: + podvm_builder: + uses: ./.github/workflows/podvm_builder.yaml + with: + #caa_src_ref: ${{ github.sha }} + caa_src_ref: ${{ github.ref }} + registry: ghcr.io/${{ github.repository_owner }} + secrets: inherit + podvm_binaries: + needs: [podvm_builder] + uses: ./.github/workflows/podvm_binaries.yaml + with: + #caa_src_ref: ${{ github.sha }} + caa_src_ref: ${{ github.ref }} + registry: ghcr.io/${{ github.repository_owner }} + builder_img_tag: ci-pr${{ github.event.number }} + secrets: inherit + podvm: + needs: [podvm_binaries] + uses: ./.github/workflows/podvm.yaml + with: + #caa_src_ref: ${{ github.sha }} + caa_src_ref: ${{ github.ref }} + registry: ghcr.io/${{ github.repository_owner }} + binaries_img_tag: ci-pr${{ github.event.number }} + secrets: inherit \ No newline at end of file From 417ec72d1a6818d9fecda9f39eeaaa17edba5a79 Mon Sep 17 00:00:00 2001 
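Review bot: `podvm_image:` re-derives the image reference (`ghcr.io/${{ github.repository_owner }}/podvm-...:ci-pr${{ github.event.number }}`) from the tagging convention hard-coded in the called podvm.yaml's "Determine image tags" step, so the two can drift silently with no error until the download fails. Have podvm.yaml publish the pushed reference through `workflow_call.outputs` and read it here as `needs.podvm.outputs.<name>` instead. The new podvm_on_pull.yaml in patch 08 repeats the same re-derivation, and this file still ends without a trailing newline.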
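Review bot: The new workflow triggers only on `workflow_dispatch`, yet `builder_img_tag: ci-pr${{ github.event.number }}` and `binaries_img_tag: ci-pr${{ github.event.number }}` rely on `github.event.number`, which is empty for that event, so both tags resolve to `ci-pr`; the called workflows' "Determine image tags" step also has no branch for `workflow_dispatch`, so the push side produces an empty tag list. Either add the `pull_request`/`pull_request_target` triggers (with the same gating e2e_on_pull.yaml uses) or take the tag from a `workflow_dispatch` input. The commented-out `#caa_src_ref: ${{ github.sha }}` lines should be removed or replaced by a comment stating why `github.ref` was chosen, and the file is missing its trailing newline.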
From: Wainer dos Santos Moschetta Date: Tue, 12 Sep 2023 11:51:21 -0300 Subject: [PATCH 09/10] do not merge Signed-off-by: Wainer dos Santos Moschetta --- .github/workflows/e2e_libvirt.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/e2e_libvirt.yaml b/.github/workflows/e2e_libvirt.yaml index 0a952773f..1ce435b5e 100644 --- a/.github/workflows/e2e_libvirt.yaml +++ b/.github/workflows/e2e_libvirt.yaml @@ -27,7 +27,7 @@ env: jobs: test: - runs-on: az-ubuntu-2204 + runs-on: ubuntu-latest steps: - name: Checkout Code uses: actions/checkout@v3 From ea0d2697f8e53ca923c79f56471c9d3df05a95c5 Mon Sep 17 00:00:00 2001 From: Wainer Moschetta Date: Tue, 12 Sep 2023 18:04:40 -0300 Subject: [PATCH 10/10] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 86be81149..1f90077c0 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # Introduction -This repository contains the implementation of Kata [remote hypervisor](https://github.com/kata-containers/kata-containers/tree/CCv0). +This repository contains the implementation of Kata Containers [remote hypervisor](https://github.com/kata-containers/kata-containers/tree/CCv0). Kata remote hypervisor enables creation of Kata VMs on any environment without requiring baremetal servers or nested virtualization support.