Skip to content

images: updating to use quay 3.12.2 (PROJQUAY-8106) #447

images: updating to use quay 3.12.2 (PROJQUAY-8106)

images: updating to use quay 3.12.2 (PROJQUAY-8106) #447

Workflow file for this run

name: "Release"
on:
push:
tags:
- 'v[0-9]+.[0-9]+.[0-9]+'
pull_request_target:
types: [labeled]
branches:
- main
- mirror-registry-*
# Allows us to run release manually from the Actions tab
workflow_dispatch:
inputs:
version:
description: 'Version to release (tag name)'
required: true
concurrency:
group: limit-to-one
jobs:
build-install-zip:
name: "Build Installer"
runs-on: ubuntu-latest
if: github.event_name == 'push' || contains(github.event.pull_request.labels.*.name, 'ok-to-test') || github.event.inputs.version
strategy:
matrix:
installer-type: ["online", "offline"]
steps:
# Checkout source branch for testing
- name: Checkout PR
uses: actions/checkout@v4
if: contains(github.event.pull_request.labels.*.name, 'ok-to-test')
with:
ref: ${{ github.event.pull_request.head.sha }}
# Checkout target branch for release build
- name: Checkout
uses: actions/checkout@v4
with:
ref: refs/tags/${{ github.event.inputs.version }}
if: github.event.inputs.version
- name: Set version from tag/branch
run: |
echo "RELEASE_VERSION=$GITHUB_REF_NAME" >>"$GITHUB_ENV"
if: github.event_name == 'push' || contains(github.event.pull_request.labels.*.name, 'ok-to-test')
- name: Set version from input
run: |
echo "RELEASE_VERSION=${{ github.event.inputs.version }}" >>"$GITHUB_ENV"
if: github.event.inputs.version
- name: Set up Go 1.x
uses: actions/setup-go@v4
with:
go-version: ^1.21
id: go
- name: Get dependencies
run: |
go install -v ./...
if [ -f Gopkg.toml ]; then
curl https://raw.githubusercontent.com/golang/dep/master/install.sh | sh
dep ensure
fi
- name: Log into docker for registry.redhat.io
uses: docker/login-action@v2
with:
registry: registry.redhat.io
username: ${{ secrets.REGISTRY_USERNAME }}
password: ${{ secrets.REGISTRY_PASSWORD }}
- name: Install ansible builder
run: sudo pip install ansible-builder
- name: Build tarfile
run: CLIENT=docker make build-${{ matrix.installer-type }}-zip
- name: Upload tarfile
uses: actions/upload-artifact@v3
with:
name: mirror-registry-${{ matrix.installer-type }}-installer
path: mirror-registry.tar.gz
retention-days: 1
test-remote-install:
name: "Remote Install"
needs: ["build-install-zip"]
runs-on: ubuntu-latest
if: contains(github.event.pull_request.labels.*.name, 'ok-to-test') # Skip on release
strategy:
fail-fast: false
matrix:
installer-type: ["online", "offline"]
env:
GOOGLE_CREDENTIALS: ${{ secrets.GOOGLE_CREDENTIALS }}
TF_VAR_SSH_PUBLIC_KEY: ${{ secrets.TF_VAR_SSH_PUBLIC_KEY }}
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Install oc
uses: redhat-actions/oc-installer@v1
with:
oc_version: "4.6"
- name: Setup Terraform
uses: hashicorp/setup-terraform@v1
with:
# terraform_version: 0.13.0:
cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }}
terraform_wrapper: false
- name: Install SSH Key
uses: webfactory/[email protected]
with:
ssh-private-key: ${{ secrets.TF_VAR_SSH_PRIVATE_KEY }}
- name: Write SSH Key id_rsa
run: |
echo "$SSH_KEY" > /home/runner/.ssh/id_rsa
chmod 600 ~/.ssh/id_rsa
env:
SSH_KEY: ${{ secrets.TF_VAR_SSH_PRIVATE_KEY }}
- name: Write SSH Key staging.key
run: |
mkdir -p ~/.ssh/
echo "$SSH_KEY" > ~/.ssh/staging.key
chmod 600 ~/.ssh/staging.key
cat >>~/.ssh/config <<END
Host quay
HostName quay
User jonathan
IdentityFile ~/.ssh/staging.key
StrictHostKeyChecking no
END
env:
SSH_KEY: ${{ secrets.TF_VAR_SSH_PRIVATE_KEY }}
- name: Initialize VM
uses: ./.github/actions/setup-terraform
with:
terraform-context: ".github/workflows/remote-${{ matrix.installer-type }}-installer"
- name: Wait for VM
uses: jakejarvis/wait-action@master
with:
time: "60s"
- name: Download tarfile
uses: actions/download-artifact@v3
with:
name: mirror-registry-${{ matrix.installer-type }}-installer
- name: Extract tarfile
run: tar -xf mirror-registry.tar.gz
- name: Add quay to /etc/hosts
run: ssh jonathan@quay 'echo "127.0.0.1 quay" | sudo tee -a /etc/hosts'
- name: Install podman
run: ssh jonathan@quay 'sudo subscription-manager refresh; sudo yum -y install podman'
- name: Log into podman for registry.redhat.io
run: ssh jonathan@quay "podman login -u ${{ secrets.REGISTRY_USERNAME }} -p ${{ secrets.REGISTRY_PASSWORD }} registry.redhat.io"
if: matrix.installer-type == 'online'
- name: Install Registry
run: ./mirror-registry install -u jonathan -r /home/jonathan/quay-install -H quay -v --initPassword password -k /home/runner/.ssh/id_rsa
- name: Mirror Images
uses: ./.github/actions/mirror
with:
quay-hostname: "quay:8443"
pull-secret: ${{ secrets.PULL_SECRET }}
- name: Upgrade Registry
run: ./mirror-registry upgrade -u jonathan -r /home/jonathan/quay-install -H quay -v -k /home/runner/.ssh/id_rsa
- name: Uninstall Registry
run: ./mirror-registry uninstall -u jonathan -H quay --autoApprove -v -k /home/runner/.ssh/id_rsa
- name: Download old mirror-registry tarball that runs quay with postgres
run: wget -O mirror-registry-postgres.tar.gz "https://github.com/quay/mirror-registry/releases/download/v1.3.10/mirror-registry-${{ matrix.installer-type }}.tar.gz"
- name: Create extraction directory for old mirror-registry binary
run: mkdir -p ./mirror-registry-postgres
- name: Extract tarball into the folder
run: tar -xzf mirror-registry-postgres.tar.gz -C ./mirror-registry-postgres
- name: Install postgres backed quay registry
run: ./mirror-registry-postgres/mirror-registry install -u jonathan -r /home/jonathan/quay-install -H quay -v --initPassword password -k /home/runner/.ssh/id_rsa
- name: Podman login to quay registry
run: podman login -u init -p password quay:8443 --tls-verify=false
- name: Pull busybox image from Docker Hub
run: podman pull docker.io/library/busybox
- name: Tag busybox image for Quay
run: podman tag docker.io/library/busybox quay:8443/init/busybox:latest
- name: Push busybox image to Quay
run: podman push quay:8443/init/busybox:latest --tls-verify=false
- name: Use latest binary to test upgrade cmd to ensure db migration from old postgres to sqlite
run: ./mirror-registry upgrade -u jonathan -r /home/jonathan/quay-install -H quay -v -k /home/runner/.ssh/id_rsa
- name: Pull already pushed busybox image from quay registry
run: podman pull quay:8443/init/busybox:latest --tls-verify=false
- name: Verify busybox image is pulled successfully
run: podman images | grep -q quay:8443/init/busybox
- name: Uninstall Registry
run: ./mirror-registry uninstall -u jonathan -H quay --autoApprove -v -k /home/runner/.ssh/id_rsa
- name: Terraform Destroy
run: terraform destroy --auto-approve
shell: bash
working-directory: ".github/workflows/remote-${{ matrix.installer-type }}-installer"
if: always()
test-local-install:
name: "Local Install"
needs: ["build-install-zip"]
runs-on: ubuntu-latest
if: contains(github.event.pull_request.labels.*.name, 'ok-to-test') # Skip on release
strategy:
fail-fast: false
matrix:
installer-type: ["online", "offline"]
env:
GOOGLE_CREDENTIALS: ${{ secrets.GOOGLE_CREDENTIALS }}
TF_VAR_SSH_PUBLIC_KEY: ${{ secrets.TF_VAR_SSH_PUBLIC_KEY }}
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Install oc
uses: redhat-actions/oc-installer@v1
with:
oc_version: "4.6"
- name: Setup Terraform
uses: hashicorp/setup-terraform@v1
with:
# terraform_version: 0.13.0:
cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }}
terraform_wrapper: false
- name: Install SSH Key
uses: webfactory/[email protected]
with:
ssh-private-key: ${{ secrets.TF_VAR_SSH_PRIVATE_KEY }}
- name: Write SSH Key id_rsa
run: |
echo "$SSH_KEY" > /home/runner/.ssh/id_rsa
chmod 600 ~/.ssh/id_rsa
env:
SSH_KEY: ${{ secrets.TF_VAR_SSH_PRIVATE_KEY }}
- name: Write SSH Key staging.key
run: |
mkdir -p ~/.ssh/
echo "$SSH_KEY" > ~/.ssh/staging.key
chmod 600 ~/.ssh/staging.key
cat >>~/.ssh/config <<END
Host quay
HostName quay
User jonathan
IdentityFile ~/.ssh/staging.key
StrictHostKeyChecking no
END
env:
SSH_KEY: ${{ secrets.TF_VAR_SSH_PRIVATE_KEY }}
- name: Initialize VM
uses: ./.github/actions/setup-terraform
with:
terraform-context: ".github/workflows/local-${{ matrix.installer-type }}-installer"
- name: Wait for VM
uses: jakejarvis/wait-action@master
with:
time: "60s"
- name: Download tarfile
uses: actions/download-artifact@v3
with:
name: mirror-registry-${{ matrix.installer-type }}-installer
- name: SCP tarball to VM
run: scp mirror-registry.tar.gz jonathan@quay:~/mirror-registry.tar.gz
- name: Add quay to /etc/hosts
run: ssh jonathan@quay 'echo "127.0.0.1 quay" | sudo tee -a /etc/hosts'
- name: Install podman
run: ssh jonathan@quay 'sudo subscription-manager refresh; sudo yum -y install podman'
- name: Log into podman for registry.redhat.io
run: ssh jonathan@quay "podman login -u ${{ secrets.REGISTRY_USERNAME }} -p ${{ secrets.REGISTRY_PASSWORD }} registry.redhat.io"
if: matrix.installer-type == 'online'
- name: Pull busybox image from Docker Hub before disabling traffic
run: ssh jonathan@quay 'podman pull docker.io/library/busybox'
- name: Disable outbound network traffic
run: ssh jonathan@quay 'sudo firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -m state --state ESTABLISHED,RELATED -j ACCEPT; sudo firewall-cmd --direct --add-rule ipv4 filter OUTPUT 1 -p tcp -m tcp --dport=22 -j ACCEPT; sudo firewall-cmd --direct --add-rule ipv4 filter OUTPUT 1 -p tcp -m tcp --dport=8443 -j ACCEPT; sudo firewall-cmd --direct --add-rule ipv4 filter OUTPUT 2 -j DROP'
if: matrix.installer-type == 'offline'
- name: Install Registry
run: ssh jonathan@quay 'tar -xf mirror-registry.tar.gz; ./mirror-registry install -v --quayHostname quay:8443 --initPassword password'
- name: Mirror Images
uses: ./.github/actions/mirror
with:
quay-hostname: "quay:8443"
pull-secret: ${{ secrets.PULL_SECRET }}
- name: Upgrade Quay
run: ssh jonathan@quay './mirror-registry upgrade -v'
- name: Uninstall Quay
run: ssh jonathan@quay './mirror-registry uninstall --autoApprove -v'
- name: Download old mirror-registry tarball that runs quay with postgres
run: wget -O mirror-registry-postgres.tar.gz "https://github.com/quay/mirror-registry/releases/download/v1.3.10/mirror-registry-${{ matrix.installer-type }}.tar.gz"
- name: SCP old tarball to VM
run: scp mirror-registry-postgres.tar.gz jonathan@quay:~/mirror-registry-postgres.tar.gz
- name: Create extraction directory for old mirror-registry binary
run: ssh jonathan@quay 'mkdir -p ./mirror-registry-postgres'
- name: Extract tarball into the folder
run: ssh jonathan@quay 'tar -xzf mirror-registry-postgres.tar.gz -C ./mirror-registry-postgres'
- name: Install postgres backed quay registry
run: ssh jonathan@quay './mirror-registry-postgres/mirror-registry install -u jonathan -r /home/jonathan/quay-install --quayHostname quay:8443 -v --initPassword password'
- name: Podman login to quay registry
run: ssh jonathan@quay 'podman login -u init -p password quay:8443 --tls-verify=false'
- name: Tag busybox image for Quay
run: ssh jonathan@quay 'podman tag docker.io/library/busybox quay:8443/init/busybox:latest'
- name: Push busybox image to Quay
run: ssh jonathan@quay 'podman push quay:8443/init/busybox:latest --tls-verify=false'
- name: Use latest binary to test upgrade cmd to ensure db migration from old postgres to sqlite
run: ssh jonathan@quay './mirror-registry upgrade -u jonathan -r /home/jonathan/quay-install --quayHostname quay:8443 -v'
- name: Pull already pushed busybox image from quay registry
run: ssh jonathan@quay 'podman pull quay:8443/init/busybox:latest --tls-verify=false'
- name: Verify busybox image was pulled successfully
run: ssh jonathan@quay 'podman images | grep -q quay:8443/init/busybox'
- name: Uninstall Quay
run: ssh jonathan@quay './mirror-registry uninstall --autoApprove -v'
- name: Terraform Destroy
run: terraform destroy --auto-approve
shell: bash
working-directory: ".github/workflows/local-${{ matrix.installer-type }}-installer"
if: always()
publish-release:
name: "Publish Release"
needs: ["build-install-zip"]
runs-on: ubuntu-latest
permissions:
contents: write
if: github.event_name == 'push' || github.event.inputs.version
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Download offline tarfile
uses: actions/download-artifact@v3
with:
name: mirror-registry-offline-installer
- name: Rename offline tarfile
run: mv mirror-registry.tar.gz mirror-registry-offline.tar.gz
- name: Download online tarfile
uses: actions/download-artifact@v3
with:
name: mirror-registry-online-installer
- name: Rename online tarfile
run: mv mirror-registry.tar.gz mirror-registry-online.tar.gz
- uses: ncipollo/release-action@v1
with:
artifacts: "*.tar.gz,README.md"
allowUpdates: true
prerelease: true
tag: ${{ github.ref_name }}
if: github.event_name == 'push'
- uses: ncipollo/release-action@v1
with:
artifacts: "*.tar.gz,README.md"
allowUpdates: true
prerelease: true
tag: ${{ github.event.inputs.version }}
if: github.event.inputs.version