Build a toolkit image for aws and kubectl

Adds kubectl, aws, and docker to write a cron job to refresh ecr credentials.
holos-run · Nov 17, 2023 · bdd0fe0 · bdd0fe0
1 parent 3453039
commit bdd0fe0
Show file tree

Hide file tree

Showing 2 changed files with 92 additions and 0 deletions.
diff --git a/.github/workflows/toolkit.yaml b/.github/workflows/toolkit.yaml
@@ -0,0 +1,64 @@
+name: Toolkit
+
+on:
+  workflow_dispatch: {}
+  schedule:
+    - cron: "30 2 * * *" # 2:30AM UTC, 7:30PM PST
+
+jobs:
+  git:
+    runs-on: [dev-runners]
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+  aws:
+    runs-on: [dev-runners]
+    permissions:
+      id-token: write # Necessary to get aws creds via oidc token exchange
+      contents: read
+    steps:
+      - name: AWS Credentials
+        id: login-aws
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          # Defined at https://github.com/holos-run/holos-infra/blob/main/terraform/projects/nonprod-holos/shared_services/aws/github_oidc/main.tf#L90-L106
+          role-to-assume: arn:aws:iam::271053619184:role/gha-app-role
+          aws-region: us-east-2
+          output-credentials: true
+      - name: AWS ECR Credentials
+        id: login-ecr
+        uses: aws-actions/amazon-ecr-login@v2
+      - name: Docker Login
+        id: docker-login
+        run: |
+          echo -n ${{ steps.login-ecr.outputs.docker_password_271053619184_dkr_ecr_us_east_2_amazonaws_com }} | docker login --password-stdin --username ${{ steps.login-ecr.outputs.docker_username_271053619184_dkr_ecr_us_east_2_amazonaws_com }} ${{ steps.login-ecr.outputs.registry }}
+          echo "docker-config=$(cat ~/.docker/config.json | base64 -w 0)" >> $GITHUB_OUTPUT
+    outputs:
+      registry: ${{ steps.login-ecr.outputs.registry }}
+      docker-config: ${{ steps.docker-login.outputs.docker-config }}
+  kaniko:
+    needs: [git, aws]
+    runs-on: [dev-runners]
+    container:
+      image: gcr.io/kaniko-project/executor:v1.17.0-debug
+    permissions:
+      contents: read # read the repository
+    steps:
+      - name: Build and push container image
+        run: |
+          # Kaniko
+          echo -n ${{ needs.aws.outputs.docker-config }} | base64 -d > /kaniko/.docker/config.json
+
+          # Configure git credentials to access github private repositories.
+          export GIT_USERNAME='holos-server-go'
+          export GIT_PASSWORD='${{ secrets.GITHUB_TOKEN }}'
+
+          # Build and push
+          /kaniko/executor --dockerfile=toolkit/Dockerfile \
+            --context='${{ github.repositoryUrl }}#${{ needs.git.outputs.sha }}' \
+            --destination=${{ needs.aws.outputs.registry }}/holos-run/container-images/toolkit:latest \
+            --push-retry 5 \
+            --image-name-with-digest-file /workspace/image-digest.txt
+
+          # Make this an artifact?
+          cat /workspace/image-digest.txt
diff --git a/toolkit/Dockerfile b/toolkit/Dockerfile
@@ -0,0 +1,28 @@
+FROM public.ecr.aws/docker/library/docker:cli as docker
+
+FROM public.ecr.aws/aws-cli/aws-cli as aws-cli
+
+FROM public.ecr.aws/docker/library/debian:bullseye AS final
+
+# Install tools
+RUN apt-get -qq -y update && \
+    apt-get -qq -y install \
+      curl \
+      jq
+
+# Install AWS CLI
+COPY --from=aws-cli /usr/local/aws-cli/ /usr/local/aws-cli/
+COPY --from=aws-cli /usr/local/bin/ /usr/local/bin/
+
+# Docker (Needed to write credentials)
+COPY --from=docker /usr/local/bin/docker /usr/local/bin/docker
+
+# Install kubectl
+RUN curl -Lo /usr/local/bin/kubectl "https://dl.k8s.io/release/v1.28.4/bin/linux/amd64/kubectl" \
+  && chmod 0755 /usr/local/bin/kubectl
+
+RUN groupadd --gid 8192 app && useradd -m -d /app -c "App" -m --uid 8192 --gid 8192 app
+
+WORKDIR /app
+
+USER app