Merge pull request #8 from voxpupuli/update_build

update build (copy of puppetdb changes)
voxpupuli · Oct 17, 2023 · d098af3 · d098af3
2 parents 5e40e7f + 079f001
commit d098af3
Show file tree

Hide file tree

Showing 4 changed files with 113 additions and 65 deletions.
diff --git a/.github/workflows/build_docker.yml b/.github/workflows/build_docker.yml
@@ -0,0 +1,42 @@
+name: Build and publish a 🛢️ container
+
+on:
+  push:
+    paths-ignore:
+      - '.github/**'
+    branches:
+      - 'main'
+    tags:
+      - '*'
+  workflow_dispatch:
+
+jobs:
+  build-and-push-container:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - name: Build Puppetserver 7 container
+        uses: voxpupuli/gha-build-and-publish-a-container@v2
+        with:
+          registry_password: ${{ secrets.GITHUB_TOKEN }}
+          build_args: |
+            PUPPET_RELEASE=7
+            PUPPET_VERSION=${{ github.ref_name }}
+          build_arch: linux/amd64 #,linux/arm64
+          build_context: puppetserver
+          buildfile: puppetserver/Dockerfile
+        if: ${{ startsWith(github.ref_name, '7') }}
+
+      - name: Build Puppetserver 8 container
+        uses: voxpupuli/gha-build-and-publish-a-container@v2
+        with:
+          registry_password: ${{ secrets.GITHUB_TOKEN }}
+          build_args: |
+            PUPPET_RELEASE=8
+            PUPPET_VERSION=${{ github.ref_name }}
+          build_arch: linux/amd64 #,linux/arm64
+          build_context: puppetserver
+          buildfile: puppetserver/Dockerfile
+        if: ${{ startsWith(github.ref_name, '8') }}
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -0,0 +1,51 @@
+---
+
+on:
+  pull_request: {}
+  push:
+    branches:
+      - main
+
+name: CI
+
+jobs:
+  build_docker_image:
+    name: 'Built test Docker image'
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: 'puppetserver'
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Build Docker image
+        uses: docker/build-push-action@v5
+        with:
+          context: puppetserver
+          tags: 'ci/puppetserver:${{ github.sha }}'
+          push: false
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: 'ci/puppetserver:${{ github.sha }}'
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: 'trivy-results.sarif'
+
+  tests:
+    needs:
+      - build_docker_image
+    runs-on: ubuntu-latest
+    name: Test suite
+    steps:
+      - run: echo Test suite completed
diff --git a/puppetserver/Dockerfile b/puppetserver/Dockerfile
@@ -9,19 +9,17 @@ FROM ubuntu:22.04 as base
 
 ARG PACKAGES=ca-certificates\ git
 ARG DUMB_INIT_VERSION="1.2.5"
+ARG TARGETARCH
 
 LABEL org.label-schema.maintainer="Voxpupuli Team <[email protected]>" \
       org.label-schema.vendor="Voxpupuli" \
-      org.label-schema.url="https://github.com/puppetlabs/puppetserver" \
+      org.label-schema.url="https://github.com/voxpupuli/container-puppetserver" \
       org.label-schema.license="Apache-2.0" \
-      org.label-schema.vcs-url="https://github.com/puppetlabs/puppetserver" \
+      org.label-schema.vcs-url="https://github.com/voxpupuli/container-puppetserver" \
       org.label-schema.schema-version="1.0" \
       org.label-schema.dockerfile="/Dockerfile"
 
-# ENV PUPPERWARE_ANALYTICS_TRACKING_ID="UA-132486246-4" \
-#     PUPPERWARE_ANALYTICS_APP_NAME="puppetserver" \
-ENV PUPPERWARE_ANALYTICS_ENABLED=false \
-    PUPPETSERVER_JAVA_ARGS="-Xms1024m -Xmx1024m" \
+ENV PUPPETSERVER_JAVA_ARGS="-Xms1024m -Xmx1024m" \
     PATH=/opt/puppetlabs/server/bin:/opt/puppetlabs/puppet/bin:/opt/puppetlabs/bin:$PATH \
     SSLDIR=/etc/puppetlabs/puppet/ssl \
     LOGDIR=/var/log/puppetlabs/puppetserver \
@@ -47,7 +45,7 @@ EXPOSE 8140
 ENTRYPOINT ["dumb-init", "/docker-entrypoint.sh"]
 CMD ["foreground"]
 
-ADD https://github.com/Yelp/dumb-init/releases/download/v"$DUMB_INIT_VERSION"/dumb-init_"$DUMB_INIT_VERSION"_amd64.deb /
+ADD https://github.com/Yelp/dumb-init/releases/download/v"$DUMB_INIT_VERSION"/dumb-init_"$DUMB_INIT_VERSION"_"$TARGETARCH".deb /
 
 COPY docker-entrypoint.sh \
      healthcheck.sh \
@@ -61,24 +59,22 @@ HEALTHCHECK --interval=20s --timeout=15s --retries=12 --start-period=3m CMD ["/h
 RUN chmod +x /docker-entrypoint.sh /healthcheck.sh /docker-entrypoint.d/*.sh && \
     apt-get update && \
     apt-get install -y --no-install-recommends $PACKAGES && \
-    dpkg -i dumb-init_"$DUMB_INIT_VERSION"_amd64.deb && \
-    rm dumb-init_"$DUMB_INIT_VERSION"_amd64.deb
-
-FROM base as edge
-
-ARG UBUNTU_CODENAME
-ARG deb_uri=http://nightlies.puppet.com/apt/puppet7-nightly-release-$UBUNTU_CODENAME.deb
+    dpkg -i dumb-init_"$DUMB_INIT_VERSION"_"$TARGETARCH".deb && \
+    rm dumb-init_"$DUMB_INIT_VERSION"_"$TARGETARCH".deb
 
 ######################################################
 # release (build from packages)
 ######################################################
 
 FROM base as release
 
-ARG version
+ARG PUPPET_RELEASE
+ENV PUPPET_RELEASE=${PUPPET_RELEASE:-7}
+
+ARG PUPPETSERVER_VERSION
+ENV PUPPETSERVER_VERSION=${PUPPETSERVER_VERSION:-7.13.0}
+
 ARG UBUNTU_CODENAME
-ARG install_path=puppetserver="$version"-1"$UBUNTU_CODENAME"
-ARG deb_uri=https://apt.puppetlabs.com/puppet7-release-$UBUNTU_CODENAME.deb
 
 ######################################################
 # final image
@@ -88,24 +84,18 @@ ARG deb_uri=https://apt.puppetlabs.com/puppet7-release-$UBUNTU_CODENAME.deb
 # hadolint ignore=DL3006
 FROM ${build_type} as final
 
-ARG build_type
 ARG vcs_ref
-ARG version
+ARG build_type
 ARG build_date
-ARG install_path
-ARG deb_uri
-# used by entrypoint to submit metrics to Google Analytics;
-# published images should use "production" for this build_arg
-# ARG pupperware_analytics_stream="dev"
 
-# hadolint ignore=DL3020
-ADD $deb_uri /puppet.deb
+ENV PUPPET_DEB=puppet${PUPPET_RELEASE}-release-${UBUNTU_CODENAME}.deb
+ADD https://apt.puppet.com/${PUPPET_DEB} /${PUPPET_DEB}
 
 # hadolint ignore=DL3008,DL3028
-RUN dpkg -i /puppet.deb && \
-    rm /puppet.deb
+RUN dpkg -i /${PUPPET_DEB} && \
+    rm /${PUPPET_DEB}
 RUN apt-get update && \
-    apt-get install --no-install-recommends -y $install_path puppetdb-termini && \
+    apt-get install --no-install-recommends -y puppetserver=${PUPPETSERVER_VERSION}-1${UBUNTU_CODENAME} puppetdb-termini && \
     apt-get clean && \
     rm -rf /var/lib/apt/lists/* && \
     gem install --no-doc r10k && \
@@ -121,13 +111,8 @@ COPY logback.xml \
 COPY puppetserver.conf /etc/puppetlabs/puppetserver/conf.d/
 COPY puppetdb.conf /var/tmp/puppet/
 
-# dynamic LABELs and ENV vars placed lower for the sake of Docker layer caching
-# these are specific to analytics
-# ENV PUPPERWARE_ANALYTICS_STREAM="$pupperware_analytics_stream" \
-#     PUPPET_SERVER_VERSION="$version"
-
 LABEL org.label-schema.name="Puppet Server ($build_type)" \
-      org.label-schema.version="$version" \
+      org.label-schema.version="$PUPPETSERVER_VERSION" \
       org.label-schema.vcs-ref="$vcs_ref" \
       org.label-schema.build-date="$build_date"
 

diff --git a/puppetserver/docker-entrypoint.d/10-analytics.sh b/puppetserver/docker-entrypoint.d/10-analytics.sh