From 5f01375cdd4626bd076794e7152328b96d9c9a07 Mon Sep 17 00:00:00 2001
From: Dan Yishai
Date: Mon, 22 Jul 2024 19:27:17 +0300
Subject: [PATCH 1/4] Fixed OPAL Cedar Client build CI

---
 .github/workflows/on_release.yml | 54 +++++++++++++++++++-------------
 cedar-agent | 2 +-
 docker/Dockerfile | 8 ++---
 3 files changed, 38 insertions(+), 26 deletions(-)

diff --git a/.github/workflows/on_release.yml b/.github/workflows/on_release.yml
index 736a64f0..e616e11d 100644
--- a/.github/workflows/on_release.yml
+++ b/.github/workflows/on_release.yml
@@ -109,13 +109,12 @@ jobs:
       # pushes the *same* docker images that were previously tested as part of e2e sanity test.
       # each image is pushed with the versioned tag first, if it succeeds the image is pushed with the latest tag as well.
       - name: Build & Push client
-        if: ${{ !(github.event_name == 'workflow_dispatch' && github.event.inputs.dry_run == 'true') }}
         id: build_push_client
         uses: docker/build-push-action@v4
         with:
           file: docker/Dockerfile
           platforms: linux/amd64,linux/arm64
-          push: true
+          push: ${{ !(github.event_name == 'workflow_dispatch' && github.event.inputs.dry_run == 'true') }}
           target: client
           cache-from: type=registry,ref=permitio/opal-client:latest
           cache-to: type=inline
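Review bot: The dry-run guard that now lives in `push:` is repeated verbatim in every build step of this job (client here, client-standalone, server and client-cedar in the following hunks), so the copies can drift and a typo in any one of them would push an image during a dry run. Define it once at job level, e.g. `env: PUSH_IMAGES: ${{ !(github.event_name == 'workflow_dispatch' && github.event.inputs.dry_run == 'true') }}`, and reference it in each step as `push: ${{ env.PUSH_IMAGES == 'true' }}`. With the `if:` gone the multi-platform build itself runs on a dry run and only its result is discarded, which is presumably the intent. The `docker/build-push-action@v4` reference is pre-existing, but a release workflow that publishes `latest` tags would be better served by pinning the action to a commit SHA rather than a mutable major tag.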
@@ -123,29 +122,13 @@ jobs:
             permitio/opal-client:latest
             permitio/opal-client:${{ env.opal_version_tag }}
 
-#      - name: Build & Push client cedar
-#        if: ${{ !(github.event_name == 'workflow_dispatch' && github.event.inputs.dry_run == 'true') }}
-#        id: build_push_client_cedar
-#        uses: docker/build-push-action@v4
-#        with:
-#          file: docker/Dockerfile
-#          platforms: linux/amd64,linux/arm64
-#          push: true
-#          target: client-cedar
-#          cache-from: type=registry,ref=permitio/opal-client-cedar:latest
-#          cache-to: type=inline
-#          tags: |
-#            permitio/opal-client-cedar:latest
-#            permitio/opal-client-cedar:${{ env.opal_version_tag }}
-
       - name: Build client-standalone
-        if: ${{ !(github.event_name == 'workflow_dispatch' && github.event.inputs.dry_run == 'true') }}
         id: build_push_client_standalone
         uses: docker/build-push-action@v4
         with:
           file: docker/Dockerfile
           platforms: linux/amd64,linux/arm64
-          push: true
+          push: ${{ !(github.event_name == 'workflow_dispatch' && github.event.inputs.dry_run == 'true') }}
           target: client-standalone
           cache-from: type=registry,ref=permitio/opal-client-standalone:latest
           cache-to: type=inline
@@ -154,16 +137,45 @@ jobs:
             permitio/opal-client-standalone:${{ env.opal_version_tag }}
 
       - name: Build server
-        if: ${{ !(github.event_name == 'workflow_dispatch' && github.event.inputs.dry_run == 'true') }}
         id: build_push_server
         uses: docker/build-push-action@v4
         with:
           file: docker/Dockerfile
           platforms: linux/amd64,linux/arm64
-          push: true
+          push: ${{ !(github.event_name == 'workflow_dispatch' && github.event.inputs.dry_run == 'true') }}
           target: server
           cache-from: type=registry,ref=permitio/opal-server:latest
           cache-to: type=inline
           tags: |
             permitio/opal-server:latest
             permitio/opal-server:${{ env.opal_version_tag }}
+
+      - name: Check if cedar-agent directory exists
+        id: check_cedar_agent
+        run: |
+          if [ -d "cedar-agent" ]; then
+            echo "exists=true" >> $GITHUB_ENV
+          else
+            echo "exists=false" >> $GITHUB_ENV
+          fi
+
+      - name: Clone cedar-agent repository
+        if: steps.check_cedar_agent.outputs.exists == 'false'
+        id: clone_cedar_agent
+        working-directory: .
+        run: |
+          git clone https://github.com/permitio/cedar-agent.git cedar-agent
+
+      - name: Build & Push client cedar
+        id: build_push_client_cedar
+        uses: docker/build-push-action@v4
+        with:
+          file: docker/Dockerfile
+          platforms: linux/amd64,linux/arm64
+          push: ${{ !(github.event_name == 'workflow_dispatch' && github.event.inputs.dry_run == 'true') }}
+          target: client-cedar
+          cache-from: type=registry,ref=permitio/opal-client-cedar:latest
+          cache-to: type=inline
+          tags: |
+            permitio/opal-client-cedar:latest
+            permitio/opal-client-cedar:${{ env.opal_version_tag }}
diff --git a/cedar-agent b/cedar-agent
index 1838635f..687efc59 160000
--- a/cedar-agent
+++ b/cedar-agent
@@ -1 +1 @@
-Subproject commit 1838635f16ba6db60d16c2ca28cb257e970bdff0
+Subproject commit 687efc59ecc732d1b98fc7789ab803abfc45b94c
diff --git a/docker/Dockerfile b/docker/Dockerfile
index bccdf3d2..4723e37a 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
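Review bot: The `Clone cedar-agent repository` step can never fire: the check step writes `exists=…` to `$GITHUB_ENV`, but its condition reads `steps.check_cedar_agent.outputs.exists`, which is only populated through `$GITHUB_OUTPUT`, so the comparison with `'false'` is always false. If the fallback is kept it needs `echo "exists=true" >> "$GITHUB_OUTPUT"` (and the mirror line for false), but a fallback `git clone` of the default branch would bake whatever is currently on upstream into a release image instead of the submodule revision this same patch pins (`687efc59…`). Prefer dropping both steps and having the workflow's checkout step, which is outside this hunk, fetch submodules (`submodules: true` on `actions/checkout`) so the Dockerfile's `COPY cedar-agent` always sees the pinned commit. PATCH 2/4 in this series removes the two steps.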
@@ -17,10 +17,10 @@ RUN pip install --no-cache-dir --upgrade pip && pip install --no-cache-dir -r ./
 # ---------------------------------------------------
 FROM rust:1.69.0 as cedar-builder
 COPY cedar-agent /tmp/cedar-agent/
-ARG cargo_flags="-r"
-RUN cd /tmp/cedar-agent && \
-    cargo build ${cargo_flags} && \
-    cp /tmp/cedar-agent/target/*/cedar-agent /
+ARG cargo_flags="--release"
+RUN cd /tmp/cedar-agent
+RUN CARGO_REGISTRIES_CRATES_IO_PROTOCOL=sparse cargo build ${cargo_flags}
+RUN cp /tmp/cedar-agent/target/*/cedar-agent /
 
 # COMMON IMAGE --------------------------------------
 # ---------------------------------------------------

From 6ae6b18ccfb63cb632a079883420a5cc6a5c76c3 Mon Sep 17 00:00:00 2001
From: Dan Yishai
Date: Mon, 22 Jul 2024 19:45:21 +0300
Subject: [PATCH 2/4] Updated rust version for OPAL Cedar Client docker

---
 .github/workflows/on_release.yml | 16 ----------------
 docker/Dockerfile | 2 +-
 2 files changed, 1 insertion(+), 17 deletions(-)

diff --git a/.github/workflows/on_release.yml b/.github/workflows/on_release.yml
index e616e11d..3733c0fd 100644
--- a/.github/workflows/on_release.yml
+++ b/.github/workflows/on_release.yml
@@ -150,22 +150,6 @@ jobs:
             permitio/opal-server:latest
             permitio/opal-server:${{ env.opal_version_tag }}
 
-      - name: Check if cedar-agent directory exists
-        id: check_cedar_agent
-        run: |
-          if [ -d "cedar-agent" ]; then
-            echo "exists=true" >> $GITHUB_ENV
-          else
-            echo "exists=false" >> $GITHUB_ENV
-          fi
-
-      - name: Clone cedar-agent repository
-        if: steps.check_cedar_agent.outputs.exists == 'false'
-        id: clone_cedar_agent
-        working-directory: .
-        run: |
-          git clone https://github.com/permitio/cedar-agent.git cedar-agent
-
       - name: Build & Push client cedar
         id: build_push_client_cedar
         uses: docker/build-push-action@v4
diff --git a/docker/Dockerfile b/docker/Dockerfile
index 4723e37a..31ca1801 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
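Review bot: `RUN cd /tmp/cedar-agent` on a line of its own has no effect on the next instruction — every `RUN` starts a fresh shell in the stage's `WORKDIR` — so `cargo build ${cargo_flags}` executes in `/`, finds no `Cargo.toml`, and the stage fails. Either keep the commands chained in a single `RUN` as the removed lines did, or add `WORKDIR /tmp/cedar-agent` before the build (PATCH 4/4 below does the latter). The copy step `RUN cp /tmp/cedar-agent/target/*/cedar-agent /` also globs any profile directory; naming `target/release/cedar-agent` explicitly avoids picking up a `target/debug/` binary that arrived with the `COPY cedar-agent` source tree.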
@@ -15,7 +15,7 @@ RUN pip install --no-cache-dir --upgrade pip && pip install --no-cache-dir -r ./
 # CEDAR AGENT BUILD STAGE ---------------------------
 # split this stage to save time and reduce image size
 # ---------------------------------------------------
-FROM rust:1.69.0 as cedar-builder
+FROM rust:1.77-bullseye as cedar-builder
 COPY cedar-agent /tmp/cedar-agent/
 ARG cargo_flags="--release"
 RUN cd /tmp/cedar-agent

From 63c27c8395121af93fa26eaf6f4c2addbcf69adc Mon Sep 17 00:00:00 2001
From: Dan Yishai
Date: Mon, 22 Jul 2024 20:17:05 +0300
Subject: [PATCH 3/4] Fixed docker warnings

---
 docker/Dockerfile | 23 +++++++++++------------
 1 file changed, 11 insertions(+), 12 deletions(-)

diff --git a/docker/Dockerfile b/docker/Dockerfile
index 31ca1801..89af2eba 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -1,7 +1,7 @@
 # BUILD STAGE ---------------------------------------
 # split this stage to save time and reduce image size
 # ---------------------------------------------------
-FROM python:3.10-bookworm as BuildStage
+FROM python:3.10-bookworm AS build-stage
 # from now on, work in the /app directory
 WORKDIR /app/
 # Layer dependency install (for caching)
@@ -15,19 +15,18 @@ RUN pip install --no-cache-dir --upgrade pip && pip install --no-cache-dir -r ./
 # CEDAR AGENT BUILD STAGE ---------------------------
 # split this stage to save time and reduce image size
 # ---------------------------------------------------
-FROM rust:1.77-bullseye as cedar-builder
-COPY cedar-agent /tmp/cedar-agent/
-ARG cargo_flags="--release"
+FROM rust:1.79 AS cedar-builder
+COPY ./cedar-agent /tmp/cedar-agent/
 RUN cd /tmp/cedar-agent
 RUN CARGO_REGISTRIES_CRATES_IO_PROTOCOL=sparse cargo build ${cargo_flags}
 RUN cp /tmp/cedar-agent/target/*/cedar-agent /
 
 # COMMON IMAGE --------------------------------------
 # ---------------------------------------------------
-FROM python:3.10-slim-bookworm as common
+FROM python:3.10-slim-bookworm AS common
 
-# copy libraries from build stage (This won't copy redundant libraries we used in BuildStage)
-COPY --from=BuildStage /usr/local /usr/local
+# copy libraries from build stage (This won't copy redundant libraries we used in build-stage)
+COPY --from=build-stage /usr/local /usr/local
 
 # Add non-root user (with home dir at /opal)
 RUN useradd -m -b / -s /bin/bash opal
@@ -61,7 +60,7 @@ CMD ["./start.sh"]
 
 # STANDALONE IMAGE ----------------------------------
 # ---------------------------------------------------
-FROM common as client-standalone
+FROM common AS client-standalone
 # uvicorn config ------------------------------------
 # install the opal-client package
 RUN cd ./packages/opal-client && python setup.py install
@@ -88,7 +87,7 @@ VOLUME /opal/backup
 
 # IMAGE to extract OPA from official image ----------
 # ---------------------------------------------------
-FROM alpine:latest as opa-extractor
+FROM alpine:latest AS opa-extractor
 USER root
 
 RUN apk update && apk add skopeo tar
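Review bot: Removing `ARG cargo_flags="--release"` while leaving `cargo build ${cargo_flags}` in place makes the variable undefined, so it expands to nothing and cedar-agent is compiled as an unoptimized debug build; the following `cp /tmp/cedar-agent/target/*/cedar-agent /` then ships `target/debug/cedar-agent` in the release image. Pass the profile explicitly, `RUN CARGO_REGISTRIES_CRATES_IO_PROTOCOL=sparse cargo build --release`, or keep the `ARG`. `RUN cd /tmp/cedar-agent` also remains a no-op for the subsequent `RUN` because each instruction gets a fresh shell, so `WORKDIR /tmp/cedar-agent` is needed as well. PATCH 4/4 in this series fixes both.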
@@ -106,7 +105,7 @@ RUN skopeo copy "docker://${opa_image}:${opa_tag}" docker-archive:./image.tar &&
 # OPA CLIENT IMAGE ----------------------------------
 # Using standalone image as base --------------------
 # ---------------------------------------------------
-FROM client-standalone as client
+FROM client-standalone AS client
 
 # Temporarily move back to root for additional setup
 USER root
@@ -123,7 +122,7 @@ USER opal
 # CEDAR CLIENT IMAGE --------------------------------
 # Using standalone image as base --------------------
 # ---------------------------------------------------
-FROM client-standalone as client-cedar
+FROM client-standalone AS client-cedar
 
 # Temporarily move back to root for additional setup
 USER root
@@ -142,7 +141,7 @@ USER opal
 
 # SERVER IMAGE --------------------------------------
 # ---------------------------------------------------
-FROM common as server
+FROM common AS server
 
 RUN apt-get update && apt-get install -y openssh-client git && apt-get clean
 

From ed70c746fe4c2494df14260e1061ed6a49e39144 Mon Sep 17 00:00:00 2001
From: Dan Yishai
Date: Mon, 22 Jul 2024 20:40:58 +0300
Subject: [PATCH 4/4] Fixed cedar build

---
 docker/Dockerfile | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/docker/Dockerfile b/docker/Dockerfile
index 89af2eba..74ac1916 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -16,10 +16,9 @@ RUN pip install --no-cache-dir --upgrade pip && pip install --no-cache-dir -r ./
 # split this stage to save time and reduce image size
 # ---------------------------------------------------
 FROM rust:1.79 AS cedar-builder
-COPY ./cedar-agent /tmp/cedar-agent/
-RUN cd /tmp/cedar-agent
-RUN CARGO_REGISTRIES_CRATES_IO_PROTOCOL=sparse cargo build ${cargo_flags}
-RUN cp /tmp/cedar-agent/target/*/cedar-agent /
+COPY ./cedar-agent /tmp/cedar-agent
+WORKDIR /tmp/cedar-agent
+RUN CARGO_REGISTRIES_CRATES_IO_PROTOCOL=sparse cargo build --release
 
 # COMMON IMAGE --------------------------------------
 # ---------------------------------------------------
@@ -128,7 +127,7 @@ FROM client-standalone AS client-cedar
 USER root
 
 # Copy cedar from its build stage
-COPY --from=cedar-builder /cedar-agent /bin/cedar-agent
+COPY --from=cedar-builder /tmp/cedar-agent/target/*/cedar-agent /bin/cedar-agent
 
 # enable inline Cedar agent
 ENV OPAL_POLICY_STORE_TYPE=CEDAR
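Review bot: A release build should fail when `Cargo.lock` does not match `Cargo.toml` instead of silently resolving newer crate versions, so pass `--locked`: `RUN cargo build --release --locked`. The `CARGO_REGISTRIES_CRATES_IO_PROTOCOL=sparse` prefix is redundant on `rust:1.79` (the sparse registry protocol has been the default since Rust 1.70) and can be dropped. Consider pinning `FROM rust:1.79` to a digest as well, so the toolchain that produces the shipped binary is fixed across rebuilds of the same tag.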
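Review bot: `COPY --from=cedar-builder /tmp/cedar-agent/target/*/cedar-agent /bin/cedar-agent` matches every profile directory under `target/`; because the whole `./cedar-agent` tree is copied into the builder, a `target/debug/cedar-agent` left over from a local build would also match, and a `COPY` with more than one source and a non-directory destination fails the build. The builder stage always runs `cargo build --release`, so spell the path out: `COPY --from=cedar-builder /tmp/cedar-agent/target/release/cedar-agent /bin/cedar-agent`. Adding `cedar-agent/target` to `.dockerignore` would additionally keep stale host build output out of the build context.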