From bdd0fe071aa9ab7633983f9469f4ee5b624415c8 Mon Sep 17 00:00:00 2001
From: Jeff McCune
Date: Fri, 17 Nov 2023 14:04:20 -0800
Subject: [PATCH] Build a toolkit image for aws and kubectl

Adds kubectl, aws, and docker to write a cron job to refresh ecr credentials.
---
 .github/workflows/toolkit.yaml | 64 ++++++++++++++++++++++++++++++++++
 toolkit/Dockerfile | 28 +++++++++++++++
 2 files changed, 92 insertions(+)
 create mode 100644 .github/workflows/toolkit.yaml
 create mode 100644 toolkit/Dockerfile

diff --git a/.github/workflows/toolkit.yaml b/.github/workflows/toolkit.yaml
new file mode 100644
index 0000000..e2d8383
--- /dev/null
+++ b/.github/workflows/toolkit.yaml
@@ -0,0 +1,64 @@
+name: Toolkit
+
+on:
+ workflow_dispatch: {}
+ schedule:
+ - cron: "30 2 * * *" # 2:30AM UTC, 7:30PM PST
+
+jobs:
+ git:
+ runs-on: [dev-runners]
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ aws:
+ runs-on: [dev-runners]
+ permissions:
+ id-token: write # Necessary to get aws creds via oidc token exchange
+ contents: read
+ steps:
+ - name: AWS Credentials
+ id: login-aws
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ # Defined at https://github.com/holos-run/holos-infra/blob/main/terraform/projects/nonprod-holos/shared_services/aws/github_oidc/main.tf#L90-L106
+ role-to-assume: arn:aws:iam::271053619184:role/gha-app-role
+ aws-region: us-east-2
+ output-credentials: true
+ - name: AWS ECR Credentials
+ id: login-ecr
+ uses: aws-actions/amazon-ecr-login@v2
+ - name: Docker Login
+ id: docker-login
+ run: |
+ echo -n ${{ steps.login-ecr.outputs.docker_password_271053619184_dkr_ecr_us_east_2_amazonaws_com }} | docker login --password-stdin --username ${{ steps.login-ecr.outputs.docker_username_271053619184_dkr_ecr_us_east_2_amazonaws_com }} ${{ steps.login-ecr.outputs.registry }}
+ echo "docker-config=$(cat ~/.docker/config.json | base64 -w 0)" >> $GITHUB_OUTPUT
+ outputs:
+ registry: ${{ steps.login-ecr.outputs.registry }}
+ docker-config: ${{ steps.docker-login.outputs.docker-config }}
+ kaniko:
+ needs: [git, aws]
+ runs-on: [dev-runners]
+ container:
+ image: gcr.io/kaniko-project/executor:v1.17.0-debug
+ permissions:
+ contents: read # read the repository
+ steps:
+ - name: Build and push container image
+ run: |
+ # Kaniko
+ echo -n ${{ needs.aws.outputs.docker-config }} | base64 -d > /kaniko/.docker/config.json
+
+ # Configure git credentials to access github private repositories.
+ export GIT_USERNAME='holos-server-go'
+ export GIT_PASSWORD='${{ secrets.GITHUB_TOKEN }}'
+
+ # Build and push
+ /kaniko/executor --dockerfile=toolkit/Dockerfile \
+ --context='${{ github.repositoryUrl }}#${{ needs.git.outputs.sha }}' \
+ --destination=${{ needs.aws.outputs.registry }}/holos-run/container-images/toolkit:latest \
+ --push-retry 5 \
+ --image-name-with-digest-file /workspace/image-digest.txt
+
+ # Make this an artifact?
+ cat /workspace/image-digest.txt
diff --git a/toolkit/Dockerfile b/toolkit/Dockerfile
new file mode 100644
index 0000000..b4d657e
--- /dev/null
+++ b/toolkit/Dockerfile
@@ -0,0 +1,28 @@
+FROM public.ecr.aws/docker/library/docker:cli as docker
+
+FROM public.ecr.aws/aws-cli/aws-cli as aws-cli
+
+FROM public.ecr.aws/docker/library/debian:bullseye AS final
+
+# Install tools
+RUN apt-get -qq -y update && \
+ apt-get -qq -y install \
+ curl \
+ jq
+
+# Install AWS CLI
+COPY --from=aws-cli /usr/local/aws-cli/ /usr/local/aws-cli/
+COPY --from=aws-cli /usr/local/bin/ /usr/local/bin/
+
+# Docker (Needed to write credentials)
+COPY --from=docker /usr/local/bin/docker /usr/local/bin/docker
+
+# Install kubectl
+RUN curl -Lo /usr/local/bin/kubectl "https://dl.k8s.io/release/v1.28.4/bin/linux/amd64/kubectl" \
+ && chmod 0755 /usr/local/bin/kubectl
+
+RUN groupadd --gid 8192 app && useradd -m -d /app -c "App" -m --uid 8192 --gid 8192 app
+
+WORKDIR /app
+
+USER app
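Review bot: `needs.git.outputs.sha` in the kaniko `--context` argument is never defined — the `git` job declares no `outputs:` block — so the fragment after `#` expands to empty and the build is not pinned to the triggering commit; either add `outputs:` / `sha: ${{ github.sha }}` to the `git` job or reference `${{ github.sha }}` directly on the `--context` line. The `docker-config` job output carries `~/.docker/config.json`, i.e. the ECR password, base64-encoded; the log masker only knows the raw `docker_password_*` value, so the encoded form is likely to appear unredacted in job outputs and the API (inferred, worth confirming), and logging in to ECR inside the kaniko job instead would keep the credential within one job. The `docker login` and `export GIT_PASSWORD` lines splice `${{ }}` expressions into the shell text; passing them through `env:` keys and referencing `$ECR_PASSWORD` etc. avoids shell interpretation of the expanded values. `output-credentials: true` on the configure-aws-credentials step is not consumed by any later step in the hunk; if nothing else reads those outputs, dropping it removes an unnecessary exposure of the short-lived keys.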
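Review bot: The kubectl binary fetched on the `RUN curl -Lo /usr/local/bin/kubectl` line is installed without any integrity check, so a corrupted or substituted download would land in the image unnoticed; add a pinned checksum before the chmod, e.g. `&& echo "<KUBECTL_SHA256_PLACEHOLDER>  /usr/local/bin/kubectl" | sha256sum --check -` (the release publishes a `kubectl.sha256` next to the binary whose value can be copied in). The `docker:cli` and `aws-cli/aws-cli` stages carry no tag or digest, so they resolve to `latest` and the nightly scheduled build copies whatever those upstreams currently publish; pinning a tag plus `@sha256:` digest, and doing the same for `debian:bullseye`, makes the toolkit image reproducible. On the `useradd` line `-m` is passed twice, and the stage keywords mix `as` and `AS`; both are harmless but worth tidying. The apt layer could also end with `&& rm -rf /var/lib/apt/lists/*` so the package index is not baked into the final image.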