From 5c5fbfb2849194dbaa915faa656969bb05f0e0cc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kacper=20Ma=C5=82achowski?=
Date: Tue, 28 May 2024 11:43:00 +0200
Subject: [PATCH 01/10] Generate output with list of images built by ado
---
 cmd/image-builder/main.go | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/cmd/image-builder/main.go b/cmd/image-builder/main.go
index 7d493c5e45c0..8505636fe428 100644
--- a/cmd/image-builder/main.go
+++ b/cmd/image-builder/main.go
@@ -337,6 +337,12 @@ func buildInADO(o options) error {
 
 // if run in github actions, set output parameters
 if o.ciSystem == GithubActions {
+ registry := o.Config.DevRegistry
+ if !o.gitState.isPullRequest {
+ registry = o.Config.Registry
+ }
+ destinations := gatherDestinations(registry, o.name, o.tags)
+ actions.SetOutput("images", fmt.Sprintf("[%s]", strings.Join(destinations, ",")))
 actions.SetOutput("adoResult", string(*pipelineRunResult))
 }
 
From 53151185c3b7e7c08043a45922ef07c86bc6478d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kacper=20Ma=C5=82achowski?=
Date: Tue, 28 May 2024 13:57:05 +0200
Subject: [PATCH 02/10] Add extract logic for ADO logs
---
 cmd/image-builder/main.go | 26 +++++++++---
 cmd/image-builder/main_test.go | 78 ++++++++++++++++++++++++++++++++++
 2 files changed, 98 insertions(+), 6 deletions(-)
diff --git a/cmd/image-builder/main.go b/cmd/image-builder/main.go
index 8505636fe428..210e0dede1cb 100644
--- a/cmd/image-builder/main.go
+++ b/cmd/image-builder/main.go
@@ -13,12 +13,14 @@ import (
 "os/exec"
 "path"
 "path/filepath"
+ "regexp"
 "strconv"
 "strings"
 "sync"
 "time"
 
 adopipelines "github.com/kyma-project/test-infra/pkg/azuredevops/pipelines"
+ "github.com/kyma-project/test-infra/pkg/extractimageurls"
 "github.com/kyma-project/test-infra/pkg/github/actions"
 "github.com/kyma-project/test-infra/pkg/sets"
 "github.com/kyma-project/test-infra/pkg/sign"
@@ -337,12 +339,6 @@ func buildInADO(o options) error {
 
 // if run in github actions, set output parameters
 if o.ciSystem == GithubActions {
- registry := o.Config.DevRegistry
- if !o.gitState.isPullRequest {
- registry = o.Config.Registry
- }
- destinations := gatherDestinations(registry, o.name, o.tags)
- actions.SetOutput("images", fmt.Sprintf("[%s]", strings.Join(destinations, ",")))
 actions.SetOutput("adoResult", string(*pipelineRunResult))
 }
 
@@ -866,3 +862,21 @@ func getDockerfileDirPath(o options) (string, error) {
 dockerfileDirPath := filepath.Join(context, filepath.Dir(o.dockerfile))
 return dockerfileDirPath, err
 }
+
+func extractImagesFromADOLogs(logs string) []string {
+ re := regexp.MustCompile(`--images-to-sign=(([a-z0-9]+(?:[.-][a-z0-9]+)*/)*([a-z0-9]+(?:[.-][a-z0-9]+)*)(?::[a-z0-9.-]+)?/([a-z0-9-]+)/([a-z0-9-]+)(?::[a-zA-Z0-9.-]+))`)
+ matches := re.FindAllStringSubmatch(logs, -1)
+
+ images := []string{}
+ if len(matches) > 1 {
+ for _, match := range matches {
+ if len(match) > 1 {
+ images = append(images, match[1])
+ }
+ }
+ }
+
+ images = extractimageurls.UniqueImages(images)
+
+ return images
+}
diff --git a/cmd/image-builder/main_test.go b/cmd/image-builder/main_test.go
index 430d935fd36b..4b6b2b1f4337 100644
--- a/cmd/image-builder/main_test.go
+++ b/cmd/image-builder/main_test.go
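Review bot: In `extractImagesFromADOLogs` the guard `if len(matches) > 1` discards the result when the log contains exactly one `--images-to-sign=` occurrence, so such a run reports an empty image list; `if len(matches) > 0` fixes it, or drop the guard, since ranging over an empty slice does nothing. Both fixtures in the main_test.go hunk that follows repeat the flag at least twice, so the test does not catch this; a single-occurrence case and a no-match case would. The pattern is matched anywhere in the log text, so any step that echoes pull-request-controlled output containing `--images-to-sign=...` would presumably be reported as a built image (whether such output reaches these logs is not visible here); restricting the match to the sign task's command line, or documenting the list as advisory, would help. `regexp.MustCompile` can also move to a package-level `var` so the pattern is compiled once.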
@@ -618,6 +618,84 @@ func Test_parseTags(t *testing.T) { } } +func Test_extractImagesFromADOLogs(t *testing.T) { + tc := []struct { + name string + images []string + logs string + }{ + { + name: "sign image task log", + images: []string{"europe-docker.pkg.dev/kyma-project/dev/image-builder:PR-10854", "europe-docker.pkg.dev/kyma-project/dev/image-builder:PR-10852"}, + logs: `2024-05-28T09:49:07.8176591Z ============================================================================== + 2024-05-28T09:49:07.8176701Z Task : Docker + 2024-05-28T09:49:07.8176776Z Description : Build or push Docker images, login or logout, start or stop containers, or run a Docker command + 2024-05-28T09:49:07.8176902Z Version : 2.240.2 + 2024-05-28T09:49:07.8176962Z Author : Microsoft Corporation + 2024-05-28T09:49:07.8177044Z Help : https://aka.ms/azpipes-docker-tsg + 2024-05-28T09:49:07.8177121Z ============================================================================== + 2024-05-28T09:49:08.2220004Z [command]/usr/bin/docker run --env REPO_NAME=test-infra --env REPO_OWNER=kyma-project --env CI=true --env JOB_TYPE=presubmit --mount type=bind,src=/agent/_work/1/s/kaniko-build-config.yaml,dst=/kaniko-build-config.yaml --mount type=bind,src=/agent/_work/1/s/signify-prod-secret.yaml,dst=/secret-prod/secret.yaml europe-docker.pkg.dev/kyma-project/prod/image-builder:v20240515-f756e622 --sign-only --name=image-builder --context=. 
--dockerfile=cmd/image-builder/images/kaniko/Dockerfile --images-to-sign=europe-docker.pkg.dev/kyma-project/dev/image-builder:PR-10854 --images-to-sign=europe-docker.pkg.dev/kyma-project/dev/image-builder:PR-10852 --config=/kaniko-build-config.yaml + 2024-05-28T09:49:08.4547604Z sign images using services signify-prod + 2024-05-28T09:49:08.4548507Z signer signify-prod ignored, because is not enabled for a CI job of type: presubmit + 2024-05-28T09:49:08.4549247Z Start signing images europe-docker.pkg.dev/kyma-project/dev/image-builder:PR-10854 + 2024-05-28T09:49:08.5907215Z ##[section]Finishing: sign_images`, + }, + + { + name: "prepare args and sign tasks log", + images: []string{"europe-docker.pkg.dev/kyma-project/dev/image-builder:PR-10696"}, + logs: `2024-05-28T07:36:31.8953681Z ##[section]Starting: prepare_build_and_sign_args + 2024-05-28T07:36:31.8958057Z ============================================================================== + 2024-05-28T07:36:31.8958168Z Task : Python script + 2024-05-28T07:36:31.8958230Z Description : Run a Python file or inline script + 2024-05-28T07:36:31.8958324Z Version : 0.237.1 + 2024-05-28T07:36:31.8958385Z Author : Microsoft Corporation + 2024-05-28T07:36:31.8958459Z Help : https://docs.microsoft.com/azure/devops/pipelines/tasks/utility/python-script + 2024-05-28T07:36:31.8958587Z ============================================================================== + 2024-05-28T07:36:33.6944350Z [command]/usr/bin/python /agent/_work/1/s/scripts/prepare_kaniko_and_sign_arguments.py --PreparedTagsFile /agent/_work/_temp/task_outputs/run_1716881791884.txt --ExportTags False --JobType presubmit --Context . 
--Dockerfile cmd/image-builder/images/kaniko/Dockerfile --ImageName image-builder --BuildArgs --Platforms --BuildConfigPath /agent/_work/1/s/kaniko-build-config.yaml + 2024-05-28T07:36:33.7426177Z ##[command]Read build config file: + 2024-05-28T07:36:33.7426567Z ##[group]Build config file content: + 2024-05-28T07:36:33.7430240Z ##[debug] {'tag-template': 'v{{ .Date }}-{{ .ShortSHA }}', 'registry': ['europe-docker.pkg.dev/kyma-project/prod'], 'dev-registry': ['europe-docker.pkg.dev/kyma-project/dev'], 'reproducible': False, 'log-format': 'json', 'ado-config': {'ado-organization-url': 'https://dev.azure.com/hyperspace-pipelines', 'ado-project-name': 'kyma', 'ado-pipeline-id': 14902}, 'cache': {'enabled': True, 'cache-repo': 'europe-docker.pkg.dev/kyma-project/cache/cache', 'cache-run-layers': True}, 'sign-config': {'enabled-signers': {'*': ['signify-prod']}, 'signers': [{'name': 'signify-prod', 'type': 'notary', 'job-type': ['postsubmit'], 'config': {'endpoint': 'https://signing.repositories.cloud.sap/signingsvc/sign', 'timeout': '5m', 'retry-timeout': '10s', 'secret': {'path': '/secret-prod/secret.yaml', 'type': 'signify'}}}]}} + 2024-05-28T07:36:33.7431327Z ##[endgroup] + 2024-05-28T07:36:33.7431542Z Running in presubmit mode + 2024-05-28T07:36:33.7432035Z ##[debug]Using dev registries: ['europe-docker.pkg.dev/kyma-project/dev'] + 2024-05-28T07:36:33.7432334Z ##[debug]Using build context: . 
+ 2024-05-28T07:36:33.7432779Z ##[debug]Using Dockerfile: ./cmd/image-builder/images/kaniko/Dockerfile + 2024-05-28T07:36:33.7433181Z ##[debug]Using image name: image-builder + 2024-05-28T07:36:33.7433438Z ##[command]Using prepared OCI image tags: + 2024-05-28T07:36:33.7433924Z ##[debug]Prepared tags file content: [{"name":"default_tag","value":"PR-10696"}] + 2024-05-28T07:36:33.7434608Z + 2024-05-28T07:36:33.7435959Z ##[command]Setting job scope pipeline variable kanikoArgs with value: --cache=True --cache-run-layers=True --cache-repo=europe-docker.pkg.dev/kyma-project/cache/cache --context=dir:///workspace/. --dockerfile=/workspace/./cmd/image-builder/images/kaniko/Dockerfile --build-arg=default_tag=PR-10696 --destination=europe-docker.pkg.dev/kyma-project/dev/image-builder:PR-10696 + 2024-05-28T07:36:33.7438292Z ##[command]Setting job scope pipeline variable imagesToSign with value: --images-to-sign=europe-docker.pkg.dev/kyma-project/dev/image-builder:PR-10696 + 2024-05-28T07:36:33.7496968Z + 2024-05-28T07:36:33.7549637Z ##[section]Finishing: prepare_build_and_sign_args + 2024-05-28T07:38:12.4360275Z ##[section]Starting: sign_images +2024-05-28T07:38:12.4364459Z ============================================================================== +2024-05-28T07:38:12.4364568Z Task : Docker +2024-05-28T07:38:12.4364645Z Description : Build or push Docker images, login or logout, start or stop containers, or run a Docker command +2024-05-28T07:38:12.4364762Z Version : 2.240.2 +2024-05-28T07:38:12.4364823Z Author : Microsoft Corporation +2024-05-28T07:38:12.4364906Z Help : https://aka.ms/azpipes-docker-tsg +2024-05-28T07:38:12.4364993Z ============================================================================== +2024-05-28T07:38:12.8400661Z [command]/usr/bin/docker run --env REPO_NAME=test-infra --env REPO_OWNER=kyma-project --env CI=true --env JOB_TYPE=presubmit --mount type=bind,src=/agent/_work/1/s/kaniko-build-config.yaml,dst=/kaniko-build-config.yaml --mount 
type=bind,src=/agent/_work/1/s/signify-prod-secret.yaml,dst=/secret-prod/secret.yaml europe-docker.pkg.dev/kyma-project/prod/image-builder:v20240515-f756e622 --sign-only --name=image-builder --context=. --dockerfile=cmd/image-builder/images/kaniko/Dockerfile --images-to-sign=europe-docker.pkg.dev/kyma-project/dev/image-builder:PR-10696 --config=/kaniko-build-config.yaml +2024-05-28T07:38:13.0389131Z sign images using services signify-prod +2024-05-28T07:38:13.0389670Z signer signify-prod ignored, because is not enabled for a CI job of type: presubmit +2024-05-28T07:38:13.0390290Z Start signing images europe-docker.pkg.dev/kyma-project/dev/image-builder:PR-10696 +2024-05-28T07:38:13.1669325Z ##[section]Finishing: sign_images`, + }, + } + + for _, c := range tc { + t.Run(c.name, func(t *testing.T) { + images := extractImagesFromADOLogs(c.logs) + + if !reflect.DeepEqual(images, c.images) { + t.Errorf("Expected %v, but got %v", c.images, images) + } + }) + } +} + type mockSigner struct { signFunc func([]string) error } From faa4d7ee1f436313e8a5a0c4af088c6bdfc43902 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Kacper=20Ma=C5=82achowski?= Date: Tue, 28 May 2024 14:13:12 +0200 Subject: [PATCH 03/10] Set images output as JSON array in image-builder workflow --- .github/actions/image-builder/action.yml | 2 ++ .github/workflows/image-builder.yml | 6 ++++++ cmd/image-builder/main.go | 7 +++++++ 3 files changed, 15 insertions(+) diff --git a/.github/actions/image-builder/action.yml b/.github/actions/image-builder/action.yml index a85e04a7c306..c742b87a76df 100644 --- a/.github/actions/image-builder/action.yml +++ b/.github/actions/image-builder/action.yml @@ -46,6 +46,8 @@ inputs: outputs: adoResult: description: The result of the ADO pipeline execution + images: + description: JSON array of the images built in ADO runs: using: "composite" diff --git a/.github/workflows/image-builder.yml b/.github/workflows/image-builder.yml index 57de2cc2929d..63aef75442f8 100644 
--- a/.github/workflows/image-builder.yml
+++ b/.github/workflows/image-builder.yml
@@ -38,6 +38,10 @@ on:
 required: false
 type: string
 default: ""
+ outputs:
+ images:
+ description: JSON list of images built by image-builder
+ value: ${{ jobs.build.outputs.images }}
 
 jobs:
 get_oidc_token:
@@ -65,6 +69,8 @@ jobs:
 build:
 needs: get_oidc_token
 runs-on: ubuntu-latest
+ outputs:
+ images: ${{ steps.build.outputs.images }}
 steps:
 - uses: ./.github/actions/image-builder
 id: build
diff --git a/cmd/image-builder/main.go b/cmd/image-builder/main.go
index 210e0dede1cb..7fd334580707 100644
--- a/cmd/image-builder/main.go
+++ b/cmd/image-builder/main.go
@@ -339,6 +339,13 @@ func buildInADO(o options) error {
 
 // if run in github actions, set output parameters
 if o.ciSystem == GithubActions {
+ images := extractImagesFromADOLogs(logs)
+ data, err := json.Marshal(images)
+ if err != nil {
+ return fmt.Errorf("cannot marshal list of images: %w", err)
+ }
+
+ actions.SetOutput("images", string(data))
 actions.SetOutput("adoResult", string(*pipelineRunResult))
 }
 
From 6503d38eba14de8f22deb9d1ea76b8ee06b793ef Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kacper=20Ma=C5=82achowski?=
Date: Tue, 28 May 2024 14:15:59 +0200
Subject: [PATCH 04/10] Merge image-builder jobs
---
 .github/workflows/image-builder.yml | 13 ++++---------
 1 file changed, 4 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/image-builder.yml b/.github/workflows/image-builder.yml
index 63aef75442f8..26b14f52bec9 100644
--- a/.github/workflows/image-builder.yml
+++ b/.github/workflows/image-builder.yml
@@ -41,10 +41,10 @@ on:
 outputs:
 images:
 description: JSON list of images built by image-builder
- value: ${{ jobs.build.outputs.images }}
+ value: ${{ jobs.get_oidc_token.outputs.images }}
 
 jobs:
- get_oidc_token:
+ build:
 permissions:
 id-token: write # This is required for requesting the JWT token
 contents: read # This is required for actions/checkout
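Review bot: The `images` output in the `buildInADO` hunk is set from `extractImagesFromADOLogs(logs)` with no check of `pipelineRunResult` visible in the hunk, and the test fixture shows the `prepare_build_and_sign_args` step logging `--images-to-sign=` before the sign task runs, so a failed or cancelled run may still publish image references that were planned but never pushed. Callers that deploy or verify from `images` need to gate on `adoResult`, or the list should be emitted only when the run succeeded; a comment such as `// images is scraped from ADO logs; only meaningful when the pipeline run succeeded` would record that. The function body continues outside the hunk, so an earlier failure return may already cover this.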
@@ -52,6 +52,7 @@ jobs:
 name: A job to get OIDC token
 outputs:
 token: ${{ steps.get_oidc.outputs.jwt }}
+ images: ${{ steps.build.outputs.images }}
 steps:
 - name: Checkout repository based on test flag
 uses: actions/checkout@v4
@@ -66,17 +67,11 @@ jobs:
 id: get_oidc
 uses: ./.github/actions/expose-jwt-action
 
- build:
- needs: get_oidc_token
- runs-on: ubuntu-latest
- outputs:
- images: ${{ steps.build.outputs.images }}
- steps:
 - uses: ./.github/actions/image-builder
 id: build
 name: Run build in image-builder
 with:
- oidc-token: ${{ needs.get_oidc_token.outputs.token }}
+ oidc-token: ${{ steps.get_oidc.outputs.token }}
 ado-token: ${{ secrets.ADO_PAT }}
 context: ${{ inputs.context }}
 build-args: ${{ inputs.build-args }}
From 7cc8a4461f2229898db071d3495c4e23dcff0c8e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kacper=20Ma=C5=82achowski?=
Date: Tue, 28 May 2024 14:16:57 +0200
Subject: [PATCH 05/10] Fix output job
---
 .github/workflows/image-builder.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/image-builder.yml b/.github/workflows/image-builder.yml
index 26b14f52bec9..33413b8d2773 100644
--- a/.github/workflows/image-builder.yml
+++ b/.github/workflows/image-builder.yml
@@ -41,7 +41,7 @@ on:
 outputs:
 images:
 description: JSON list of images built by image-builder
- value: ${{ jobs.get_oidc_token.outputs.images }}
+ value: ${{ jobs.build.outputs.images }}
 
 jobs:
 build:
From 5d18d6de5c5d0201ab65a473c42631945d4a72bd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kacper=20Ma=C5=82achowski?=
Date: Tue, 28 May 2024 14:18:09 +0200
Subject: [PATCH 06/10] Add ado result as output
---
 .github/workflows/image-builder.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.github/workflows/image-builder.yml b/.github/workflows/image-builder.yml
index 33413b8d2773..6d330ccc4d9e 100644
--- a/.github/workflows/image-builder.yml
+++ b/.github/workflows/image-builder.yml
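Review bot: The new input `oidc-token: ${{ steps.get_oidc.outputs.token }}` reads an output named `token`, while the job's own `outputs` block in the previous hunk reads the same step as `steps.get_oidc.outputs.jwt`; unless the expose-jwt-action defines both names, the image-builder action receives an empty token. `oidc-token: ${{ steps.get_oidc.outputs.jwt }}` matches the name used elsewhere in this file. The `with:` block continues outside the hunk.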
@@ -42,6 +42,9 @@ on:
 images:
 description: JSON list of images built by image-builder
 value: ${{ jobs.build.outputs.images }}
+ adoResult:
+ description: The result of the ADO pipeline execution
+ value: ${{ jobs.build.outputs.result }}
 
 jobs:
 build:
@@ -53,6 +56,7 @@ jobs:
 outputs:
 token: ${{ steps.get_oidc.outputs.jwt }}
 images: ${{ steps.build.outputs.images }}
+ result: ${{ steps.build.outputs.adoResult }}
 steps:
 - name: Checkout repository based on test flag
 uses: actions/checkout@v4
From c3f398f991bfe16d22434f9df450ced1722802a0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kacper=20Ma=C5=82achowski?=
Date: Fri, 31 May 2024 10:59:02 +0200
Subject: [PATCH 07/10] trigger
From 2794f47059a0d3dfa3a24e3cf34456c69f717f26 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kacper=20Ma=C5=82achowski?=
Date: Tue, 4 Jun 2024 13:22:34 +0200
Subject: [PATCH 08/10] Do not expose oidc token
---
 .github/workflows/image-builder.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/.github/workflows/image-builder.yml b/.github/workflows/image-builder.yml
index 44c0500691b0..f66e1dcae7c5 100644
--- a/.github/workflows/image-builder.yml
+++ b/.github/workflows/image-builder.yml
@@ -54,7 +54,6 @@ jobs:
 runs-on: ubuntu-latest
 name: Build image
 outputs:
- token: ${{ steps.get_oidc.outputs.jwt }}
 images: ${{ steps.build.outputs.images }}
 result: ${{ steps.build.outputs.adoResult }}
 steps:
From 65b94f2cd33e09793099999fb67559ddedb2dad8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kacper=20Ma=C5=82achowski?=
Date: Tue, 4 Jun 2024 13:24:01 +0200
Subject: [PATCH 09/10] Improve readiblity of tets for extract images from ado logs
---
 cmd/image-builder/main_test.go | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/cmd/image-builder/main_test.go b/cmd/image-builder/main_test.go
index 4b6b2b1f4337..bb86083f002c 100644
--- a/cmd/image-builder/main_test.go
+++ b/cmd/image-builder/main_test.go
@@ -620,13 +620,13 @@ func Test_parseTags(t *testing.T) { func Test_extractImagesFromADOLogs(t *testing.T) { tc := []struct { - name string - images []string - logs string + name string + expectedImages []string + logs string }{ { - name: "sign image task log", - images: []string{"europe-docker.pkg.dev/kyma-project/dev/image-builder:PR-10854", "europe-docker.pkg.dev/kyma-project/dev/image-builder:PR-10852"}, + name: "sign image task log", + expectedImages: []string{"europe-docker.pkg.dev/kyma-project/dev/image-builder:PR-10854", "europe-docker.pkg.dev/kyma-project/dev/image-builder:PR-10852"}, logs: `2024-05-28T09:49:07.8176591Z ============================================================================== 2024-05-28T09:49:07.8176701Z Task : Docker 2024-05-28T09:49:07.8176776Z Description : Build or push Docker images, login or logout, start or stop containers, or run a Docker command @@ -642,8 +642,8 @@ func Test_extractImagesFromADOLogs(t *testing.T) { }, { - name: "prepare args and sign tasks log", - images: []string{"europe-docker.pkg.dev/kyma-project/dev/image-builder:PR-10696"}, + name: "prepare args and sign tasks log", + expectedImages: []string{"europe-docker.pkg.dev/kyma-project/dev/image-builder:PR-10696"}, logs: `2024-05-28T07:36:31.8953681Z ##[section]Starting: prepare_build_and_sign_args 2024-05-28T07:36:31.8958057Z ============================================================================== 2024-05-28T07:36:31.8958168Z Task : Python script @@ -687,10 +687,10 @@ func Test_extractImagesFromADOLogs(t *testing.T) { for _, c := range tc { t.Run(c.name, func(t *testing.T) { - images := extractImagesFromADOLogs(c.logs) + actualImages := extractImagesFromADOLogs(c.logs) - if !reflect.DeepEqual(images, c.images) { - t.Errorf("Expected %v, but got %v", c.images, images) + if !reflect.DeepEqual(actualImages, c.expectedImages) { + t.Errorf("Expected %v, but got %v", c.expectedImages, actualImages) } }) } 
From 8f59fcdb54ae1c39741a5277ab8926768062943a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kacper=20Ma=C5=82achowski?=
Date: Tue, 4 Jun 2024 13:25:36 +0200
Subject: [PATCH 10/10] Add description of extractImagesFromADOLogs
---
 cmd/image-builder/main.go | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/cmd/image-builder/main.go b/cmd/image-builder/main.go
index 7fd334580707..b5897173dbd4 100644
--- a/cmd/image-builder/main.go
+++ b/cmd/image-builder/main.go
@@ -870,6 +870,9 @@ func getDockerfileDirPath(o options) (string, error) {
 return dockerfileDirPath, err
 }
 
+// extractImagesFromADOLogs extract docker images from Azure DevOps logs to allow us prepare list of images built in ADO backend
+// The list can be than saved and provided as input for developers to use in next steps of their workflows.
+// ADO Logs that we fetch anyway are the simplest solution to get such list from ADO backend.
 func extractImagesFromADOLogs(logs string) []string {
 re := regexp.MustCompile(`--images-to-sign=(([a-z0-9]+(?:[.-][a-z0-9]+)*/)*([a-z0-9]+(?:[.-][a-z0-9]+)*)(?::[a-z0-9.-]+)?/([a-z0-9-]+)/([a-z0-9-]+)(?::[a-zA-Z0-9.-]+))`)
 matches := re.FindAllStringSubmatch(logs, -1)
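Review bot: The added doc comment does not say what is matched or returned: it should state that the function collects the values of `--images-to-sign=` arguments found in the log text and returns them de-duplicated via `extractimageurls.UniqueImages`, and that the list reflects what was logged rather than what the registry holds. Wording fixes: `extracts` for `extract`, `then` for `than`, and a period at the end of the first line. The function body continues outside the hunk.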