From 54544dd6173960127e7d0b2e74975de7ab2acd42 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
Date: Wed, 19 Oct 2022 12:24:45 +0200
Subject: [PATCH 1/4] packaging: Allow passing registry to build-and-upload-payload.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Let's make the registry an optional argument to be passed to the `kata-deploy-build-and-upload-payload.sh` script, defaulting to the official Confidential Containers payload registry.
Signed-off-by: Fabiano Fidêncio
---
 .../local-build/kata-deploy-build-and-upload-payload.sh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh
index 917864249a..a715b0f49c 100755
--- a/tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh
+++ b/tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh
@@ -7,13 +7,14 @@
 KATA_DEPLOY_DIR="`dirname $0`/../../kata-deploy-cc"
 KATA_DEPLOY_ARTIFACT="${1:-"kata-static.tar.xz"}"
+REGISTRY="${2:-"quay.io/confidential-containers/runtime-payload"}"
 echo "Copying $KATA_DEPLOY_ARTIFACT to $KATA_DEPLOY_DIR"
 cp $KATA_DEPLOY_ARTIFACT $KATA_DEPLOY_DIR
 pushd $KATA_DEPLOY_DIR
-IMAGE_TAG="quay.io/confidential-containers/runtime-payload:kata-containers-$(git rev-parse HEAD)"
+IMAGE_TAG="${REGISTRY}:kata-containers-$(git rev-parse HEAD)"
 echo "Building the image"
 docker build --tag $IMAGE_TAG .
From f4437980b4958db506cff654c3d74669cb9dbd13 Mon Sep 17 00:00:00 2001
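Review bot: `IMAGE_TAG` now carries the caller-supplied `REGISTRY`, but it is still expanded unquoted in `docker build --tag $IMAGE_TAG .`, so a second argument containing whitespace or glob characters is word-split into several docker arguments; `docker build --tag "${IMAGE_TAG}" .` keeps it as one. The script now has two optional positional parameters whose meaning is only visible from the default strings, so a short usage header above the assignments (the artifact path with its default, then the image repository to push to, given without a tag, with its default) would help callers such as CI. The push step and the rest of the script continue outside this hunk.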
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
Date: Wed, 19 Oct 2022 12:57:29 +0200
Subject: [PATCH 2/4] packaging: Allow passing an extra tag to build-and-upload-payload.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Let's modify the script so we allow passing an extra tag, which will be used as part of the Kata Containers pyload for Confidential Containers CI GitHub action. With this we can pass a `latest` tag, which will make things easier for the integration on the operator side.
Signed-off-by: Fabiano Fidêncio
---
 .../kata-deploy-build-and-upload-payload.sh | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh
index a715b0f49c..d7409c08ef 100755
--- a/tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh
+++ b/tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh
@@ -8,6 +8,7 @@
 KATA_DEPLOY_DIR="`dirname $0`/../../kata-deploy-cc"
 KATA_DEPLOY_ARTIFACT="${1:-"kata-static.tar.xz"}"
 REGISTRY="${2:-"quay.io/confidential-containers/runtime-payload"}"
+TAG="${3:-}"
 echo "Copying $KATA_DEPLOY_ARTIFACT to $KATA_DEPLOY_DIR"
 cp $KATA_DEPLOY_ARTIFACT $KATA_DEPLOY_DIR
@@ -22,4 +23,14 @@ docker build --tag $IMAGE_TAG .
 echo "Pushing the image to quay.io"
 docker push $IMAGE_TAG
+if [ -n "${TAG}" ]; then
+ ADDITIONAL_TAG="${REGISTRY}:${TAG}"
+
+ echo "Building the ${ADDITIONAL_TAG} image"
+ docker build --tag ${ADDITIONAL_TAG} .
+
+ echo "Pushing the image ${ADDITIONAL_TAG} to quay.io"
+ docker push ${ADDITIONAL_TAG}
+fi
+
 popd
From c57f8ff669e733c0c3c37515d327d60656797760 Mon Sep 17 00:00:00 2001
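Review bot: In the second hunk, the new `if [ -n "${TAG}" ]` branch runs `docker build --tag ${ADDITIONAL_TAG} .` a second time instead of re-tagging the image that was just built and pushed as `${IMAGE_TAG}`, so the commit-tagged image and the extra tag are only the same image if the build is bit-for-bit reproducible, which the Dockerfile in kata-deploy-cc (not visible here) may not guarantee; replacing the second build with `docker tag "${IMAGE_TAG}" "${ADDITIONAL_TAG}"` makes the `latest`-style tag point at exactly the commit-tagged payload, which is what the bisecting use case needs. The new `echo "Pushing the image ${ADDITIONAL_TAG} to quay.io"` hard-codes quay.io although the registry is now the `REGISTRY` parameter; `${REGISTRY%%/*}` would print the actual host. `${ADDITIONAL_TAG}` should also be double-quoted in the `docker build` and `docker push` lines so a registry or tag argument with whitespace is not word-split.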
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
Date: Wed, 19 Oct 2022 13:00:40 +0200
Subject: [PATCH 3/4] packaging: Expand the vars on build-and-upload-payload.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Just for the sake of avoiding issues in the future.
Signed-off-by: Fabiano Fidêncio
---
 .../kata-deploy-build-and-upload-payload.sh | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh
index d7409c08ef..4e0d2393c4 100755
--- a/tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh
+++ b/tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh
@@ -5,23 +5,23 @@
 # SPDX-License-Identifier: Apache-2.0
 #
-KATA_DEPLOY_DIR="`dirname $0`/../../kata-deploy-cc"
+KATA_DEPLOY_DIR="`dirname ${0}`/../../kata-deploy-cc"
 KATA_DEPLOY_ARTIFACT="${1:-"kata-static.tar.xz"}"
 REGISTRY="${2:-"quay.io/confidential-containers/runtime-payload"}"
 TAG="${3:-}"
-echo "Copying $KATA_DEPLOY_ARTIFACT to $KATA_DEPLOY_DIR"
-cp $KATA_DEPLOY_ARTIFACT $KATA_DEPLOY_DIR
+echo "Copying ${KATA_DEPLOY_ARTIFACT} to ${KATA_DEPLOY_DIR}"
+cp ${KATA_DEPLOY_ARTIFACT} ${KATA_DEPLOY_DIR}
-pushd $KATA_DEPLOY_DIR
+pushd ${KATA_DEPLOY_DIR}
 IMAGE_TAG="${REGISTRY}:kata-containers-$(git rev-parse HEAD)"
 echo "Building the image"
-docker build --tag $IMAGE_TAG .
+docker build --tag ${IMAGE_TAG} .
 echo "Pushing the image to quay.io"
-docker push $IMAGE_TAG
+docker push ${IMAGE_TAG}
 if [ -n "${TAG}" ]; then
 ADDITIONAL_TAG="${REGISTRY}:${TAG}"
From 4648d8bec7a9aa7f25f6f6e035433ecddd07d38b Mon Sep 17 00:00:00 2001
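Review bot: Wrapping the expansions in braces does not change how `cp ${KATA_DEPLOY_ARTIFACT} ${KATA_DEPLOY_DIR}` and `pushd ${KATA_DEPLOY_DIR}` are parsed: the values are still subject to word splitting and globbing, so an artifact path containing whitespace (the workflow in this series passes `$(pwd)/kata-static.tar.xz`) is still split into two arguments; the "avoiding issues in the future" goal needs double quotes, `cp "${KATA_DEPLOY_ARTIFACT}" "${KATA_DEPLOY_DIR}"` and `pushd "${KATA_DEPLOY_DIR}"`, and the same for the two rewritten `docker` lines. The `KATA_DEPLOY_DIR` line keeps the backtick command substitution; `$(dirname "${0}")` is the modern equivalent and also quotes the script path. A `set -euo pipefail` near the top would stop the push from running after a failed `cp` or `docker build`, though lines 1-4 of the file are outside this hunk, so an existing `set` line cannot be ruled out from here.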
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
Date: Wed, 19 Oct 2022 12:30:33 +0200
Subject: [PATCH 4/4] actions: Publish a payload on every CCv0 push
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Let's have a GitHub action to publish the Kata Containers payload, after every push to the CCv0 branch, to the Confidential Containers `runtime-payload-ci` registry. The intention of this action is to allow developers to test new features, and easily bisect breakages that could've happened during the development process. Ideally we'd have a CI/CD pipeline where every single change would be tested with the operator, but we're not yet there. In any case, this work would still be needed. :-) It's very important to mention that this should be carefully considered on whether it should or should not be merged back to `main`, as the flow of PRs there is way higher than what we currently have as part of the CCv0 branch.
Fixes: #5460
Signed-off-by: Fabiano Fidêncio
---
 .github/workflows/cc-payload-after-push.yaml | 87 ++++++++++++++++++++
 1 file changed, 87 insertions(+)
 create mode 100644 .github/workflows/cc-payload-after-push.yaml
diff --git a/.github/workflows/cc-payload-after-push.yaml b/.github/workflows/cc-payload-after-push.yaml
new file mode 100644
index 0000000000..7d3f78abfe
--- /dev/null
+++ b/.github/workflows/cc-payload-after-push.yaml
@@ -0,0 +1,87 @@
+name: CI | Publish Kata Containers payload for Confidential Containers
+on:
+ push:
+ branches:
+ - CCv0
+
+jobs:
+ build-asset:
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ asset:
+ - cc-cloud-hypervisor
+ - cc-kernel
+ - cc-qemu
+ - cc-rootfs-image
+ - cc-shim-v2
+ - cc-virtiofsd
+ - cc-sev-kernel
+ - cc-sev-ovmf
+ - cc-sev-rootfs-initrd
+ - cc-tdx-kernel
+ - cc-tdx-qemu
+ - cc-tdx-td-shim
+ - cc-tdx-tdvf
+ steps:
+ - uses: actions/checkout@v3
+ - name: Build ${{ matrix.asset }}
+ run: |
+ make "${KATA_ASSET}-tarball"
+ build_dir=$(readlink -f build)
+ # store-artifact does not work with symlink
+ sudo cp -r "${build_dir}" "kata-build"
+ env:
+ KATA_ASSET: ${{ matrix.asset }}
+ TAR_OUTPUT: ${{ matrix.asset }}.tar.gz
+
+ - name: store-artifact ${{ matrix.asset }}
+ uses: actions/upload-artifact@v3
+ with:
+ name: kata-artifacts
+ path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
+ retention-days: 1
+ if-no-files-found: error
+
+ create-kata-tarball:
+ runs-on: ubuntu-latest
+ needs: build-asset
+ steps:
+ - uses: actions/checkout@v3
+ - name: get-artifacts
+ uses: actions/download-artifact@v3
+ with:
+ name: kata-artifacts
+ path: kata-artifacts
+ - name: merge-artifacts
+ run: |
+ ./tools/packaging/kata-deploy/local-build/kata-deploy-merge-builds.sh kata-artifacts
+ - name: store-artifacts
+ uses: actions/upload-artifact@v3
+ with:
+ name: kata-static-tarball
+ path: kata-static.tar.xz
+ retention-days: 1
+ if-no-files-found: error
+
+ kata-payload:
+ needs: create-kata-tarball
+ runs-on: ubuntu-latest
+ steps:
+ - name: Login to quay.io
+ uses: docker/login-action@v2
+ with:
+ registry: quay.io
+ username: ${{ secrets.COCO_QUAY_DEPLOYER_USERNAME }}
+ password: ${{ secrets.COCO_QUAY_DEPLOYER_PASSWORD }}
+
+ - uses: actions/checkout@v3
+ - name: get-kata-tarball
+ uses: actions/download-artifact@v3
+ with:
+ name: kata-static-tarball
+
+ - name: build-and-push-kata-payload
+ id: build-and-push-kata-payload
+ run: |
./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh $(pwd)/kata-static.tar.xz "quay.io/repository/confidential-containers/runtime-payload-ci" "kata-containers-latest"
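Review bot: The registry passed on the last line, `quay.io/repository/confidential-containers/runtime-payload-ci`, looks like the quay.io web-UI URL path rather than an image reference: the script's own default in this series is `quay.io/confidential-containers/runtime-payload`, and as far as I know Quay does not accept a three-level repository path, so the `docker push` in the `kata-payload` job would most likely fail; `quay.io/confidential-containers/runtime-payload-ci` matches the `runtime-payload-ci` registry named in the commit message. Because this workflow holds the deployer credentials from `secrets.COCO_QUAY_DEPLOYER_USERNAME` and `secrets.COCO_QUAY_DEPLOYER_PASSWORD`, it is worth pinning `actions/checkout@v3`, `actions/upload-artifact@v3`, `actions/download-artifact@v3` and `docker/login-action@v2` to full commit SHAs rather than moving tags, and adding a top-level `permissions:` block with `contents: read` so the GITHUB_TOKEN has no more than the jobs need. By count this last `run` line is the 87th added line, and its `+` marker appears to have been lost in rendering rather than in the patch.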