Skip to content

suppressing vulnerability GO-2022-0635 for release (#4453) #2720

suppressing vulnerability GO-2022-0635 for release (#4453)

suppressing vulnerability GO-2022-0635 for release (#4453) #2720

Workflow file for this run

# Copyright (c) HashiCorp, Inc.
name: build
on:
workflow_dispatch:
push:
# Sequence of patterns matched against refs/heads
branches:
# Push events on main branch
- main
# Push events to branches matching refs/heads/release/**
- "release/**"
# Build on releng branches for testing build pipelines
- "releng/**"
env:
PKG_NAME: "consul-k8s"
jobs:
conditional-skip:
uses: ./.github/workflows/reusable-conditional-skip.yml
get-go-version:
# Cascades down to test jobs
needs: [ conditional-skip ]
if: needs.conditional-skip.outputs.skip-ci != 'true'
uses: ./.github/workflows/reusable-get-go-version.yml
get-product-version:
# Cascades down to test jobs
needs: [ conditional-skip ]
if: needs.conditional-skip.outputs.skip-ci != 'true'
runs-on: ubuntu-latest
outputs:
product-version: ${{ steps.get-product-version.outputs.product-version }}
steps:
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
- name: get product version
id: get-product-version
run: |
make version
echo "product-version=$(make version)" >> $GITHUB_OUTPUT
generate-metadata-file:
needs: get-product-version
runs-on: ubuntu-latest
outputs:
filepath: ${{ steps.generate-metadata-file.outputs.filepath }}
steps:
- name: "Checkout directory"
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
- name: Generate metadata file
id: generate-metadata-file
uses: hashicorp/actions-generate-metadata@v1
with:
version: ${{ needs.get-product-version.outputs.product-version }}
product: ${{ env.PKG_NAME }}
repositoryOwner: "hashicorp"
- uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: metadata.json
path: ${{ steps.generate-metadata-file.outputs.filepath }}
build:
needs: [get-go-version, get-product-version]
runs-on: ubuntu-20.04 # the GLIBC is too high on 22.04
strategy:
matrix:
include:
# cli (We aren't build packages for the linux 32-bit platforms)
- {go: "${{ needs.get-go-version.outputs.go-version }}", goos: "freebsd", goarch: "386", component: "cli", pkg_name: "consul-k8s", "bin_name": "consul-k8s" }
- {go: "${{ needs.get-go-version.outputs.go-version }}", goos: "freebsd", goarch: "amd64", component: "cli", pkg_name: "consul-k8s", "bin_name": "consul-k8s" }
- {go: "${{ needs.get-go-version.outputs.go-version }}", goos: "linux", goarch: "386", component: "cli", pkg_name: "consul-k8s", "bin_name": "consul-k8s", "skip_packaging": "true" }
- {go: "${{ needs.get-go-version.outputs.go-version }}", goos: "linux", goarch: "amd64", component: "cli", pkg_name: "consul-k8s", "bin_name": "consul-k8s"}
- {go: "${{ needs.get-go-version.outputs.go-version }}", goos: "linux", goarch: "arm", component: "cli", pkg_name: "consul-k8s", "bin_name": "consul-k8s", "skip_packaging": "true"}
- {go: "${{ needs.get-go-version.outputs.go-version }}", goos: "linux", goarch: "arm64", component: "cli", pkg_name: "consul-k8s", "bin_name": "consul-k8s" }
- {go: "${{ needs.get-go-version.outputs.go-version }}", goos: "windows", goarch: "386", component: "cli", pkg_name: "consul-k8s", "bin_name": "consul-k8s.exe" }
- {go: "${{ needs.get-go-version.outputs.go-version }}", goos: "windows", goarch: "amd64", component: "cli", pkg_name: "consul-k8s", "bin_name": "consul-k8s.exe" }
- {go: "${{ needs.get-go-version.outputs.go-version }}", goos: "darwin", goarch: "amd64", component: "cli", pkg_name: "consul-k8s", "bin_name": "consul-k8s" }
- {go: "${{ needs.get-go-version.outputs.go-version }}", goos: "darwin", goarch: "arm64", component: "cli", pkg_name: "consul-k8s", "bin_name": "consul-k8s" }
- {go: "${{ needs.get-go-version.outputs.go-version }}", goos: "linux", goarch: "amd64", component: "cli", pkg_name: "consul-k8s", "bin_name": "consul-k8s", gotags: "fips", env: "CGO_ENABLED=1 GOEXPERIMENT=boringcrypto", fips: "+fips1402", pkg_suffix: "-fips" }
- {go: "${{ needs.get-go-version.outputs.go-version }}", goos: "linux", goarch: "arm64", component: "cli", pkg_name: "consul-k8s", "bin_name": "consul-k8s", gotags: "fips", env: "CGO_ENABLED=1 GOEXPERIMENT=boringcrypto CC=aarch64-linux-gnu-gcc", fips: "+fips1402", pkg_suffix: "-fips" }
- {go: "${{ needs.get-go-version.outputs.go-version }}", goos: "windows", goarch: "amd64", component: "cli", pkg_name: "consul-k8s", "bin_name": "consul-k8s.exe", gotags: "fips", env: "CGO_ENABLED=1 GOEXPERIMENT=cngcrypto", fips: "+fips1402" }
# control-plane
- {go: "${{ needs.get-go-version.outputs.go-version }}", goos: "freebsd", goarch: "386", component: "control-plane", pkg_name: "consul-k8s-control-plane", "bin_name": "consul-k8s-control-plane", "skip_packaging": "true" }
- {go: "${{ needs.get-go-version.outputs.go-version }}", goos: "freebsd", goarch: "amd64", component: "control-plane", pkg_name: "consul-k8s-control-plane", "bin_name": "consul-k8s-control-plane", "skip_packaging": "true" }
- {go: "${{ needs.get-go-version.outputs.go-version }}", goos: "linux", goarch: "386", component: "control-plane", pkg_name: "consul-k8s-control-plane", "bin_name": "consul-k8s-control-plane", "skip_packaging": "true" }
- {go: "${{ needs.get-go-version.outputs.go-version }}", goos: "linux", goarch: "amd64", component: "control-plane", pkg_name: "consul-k8s-control-plane", "bin_name": "consul-k8s-control-plane", "skip_packaging": "true" }
- {go: "${{ needs.get-go-version.outputs.go-version }}", goos: "linux", goarch: "arm", component: "control-plane", pkg_name: "consul-k8s-control-plane", "bin_name": "consul-k8s-control-plane", "skip_packaging": "true" }
- {go: "${{ needs.get-go-version.outputs.go-version }}", goos: "linux", goarch: "arm64", component: "control-plane", pkg_name: "consul-k8s-control-plane", "bin_name": "consul-k8s-control-plane", "skip_packaging": "true" }
# solaris is only built for the control plane
- {go: "${{ needs.get-go-version.outputs.go-version }}", goos: "solaris", goarch: "amd64", component: "control-plane", pkg_name: "consul-k8s-control-plane", "bin_name": "consul-k8s-control-plane", "skip_packaging": "true" }
- {go: "${{ needs.get-go-version.outputs.go-version }}", goos: "windows", goarch: "386", component: "control-plane", pkg_name: "consul-k8s-control-plane", "bin_name": "consul-k8s-control-plane.exe", "skip_packaging": "true" }
- {go: "${{ needs.get-go-version.outputs.go-version }}", goos: "windows", goarch: "amd64", component: "control-plane", pkg_name: "consul-k8s-control-plane", "bin_name": "consul-k8s-control-plane.exe", "skip_packaging": "true" }
- {go: "${{ needs.get-go-version.outputs.go-version }}", goos: "darwin", goarch: "amd64", component: "control-plane", pkg_name: "consul-k8s-control-plane", "bin_name": "consul-k8s-control-plane", "skip_packaging": "true" }
- {go: "${{ needs.get-go-version.outputs.go-version }}", goos: "darwin", goarch: "arm64", component: "control-plane", pkg_name: "consul-k8s-control-plane", "bin_name": "consul-k8s-control-plane", "skip_packaging": "true" }
- {go: "${{ needs.get-go-version.outputs.go-version }}", goos: "linux", goarch: "amd64", component: "control-plane", pkg_name: "consul-k8s-control-plane", "bin_name": "consul-k8s-control-plane", gotags: "fips", env: "CGO_ENABLED=1 GOEXPERIMENT=boringcrypto", fips: "+fips1402", pkg_suffix: "-fips", "skip_packaging": "true" }
- {go: "${{ needs.get-go-version.outputs.go-version }}", goos: "linux", goarch: "arm64", component: "control-plane", pkg_name: "consul-k8s-control-plane", "bin_name": "consul-k8s-control-plane", gotags: "fips", env: "CGO_ENABLED=1 GOEXPERIMENT=boringcrypto CC=aarch64-linux-gnu-gcc", fips: "+fips1402", pkg_suffix: "-fips", "skip_packaging": "true" }
- {go: "${{ needs.get-go-version.outputs.go-version }}", goos: "windows", goarch: "amd64", component: "control-plane", pkg_name: "consul-k8s-control-plane", "bin_name": "consul-k8s-control-plane.exe", gotags: "fips", env: "CGO_ENABLED=1 GOEXPERIMENT=cngcrypto", fips: "+fips1402", "skip_packaging": "true" }
# consul-cni
- {go: "${{ needs.get-go-version.outputs.go-version }}", goos: "linux", goarch: "386", component: "control-plane/cni", pkg_name: "consul-cni", "bin_name": "consul-cni", "skip_packaging": "true" }
- {go: "${{ needs.get-go-version.outputs.go-version }}", goos: "linux", goarch: "amd64", component: "control-plane/cni", pkg_name: "consul-cni", "bin_name": "consul-cni" }
- {go: "${{ needs.get-go-version.outputs.go-version }}", goos: "linux", goarch: "arm", component: "control-plane/cni", pkg_name: "consul-cni", "bin_name": "consul-cni", "skip_packaging": "true" }
- {go: "${{ needs.get-go-version.outputs.go-version }}", goos: "linux", goarch: "arm64", component: "control-plane/cni", pkg_name: "consul-cni", "bin_name": "consul-cni" }
- {go: "${{ needs.get-go-version.outputs.go-version }}", goos: "linux", goarch: "amd64", component: "control-plane/cni", pkg_name: "consul-cni", "bin_name": "consul-cni", gotags: "fips", env: "CGO_ENABLED=1 GOEXPERIMENT=boringcrypto", fips: "+fips1402", pkg_suffix: "-fips" }
- {go: "${{ needs.get-go-version.outputs.go-version }}", goos: "linux", goarch: "arm64", component: "control-plane/cni", pkg_name: "consul-cni", "bin_name": "consul-cni", gotags: "fips", env: "CGO_ENABLED=1 GOEXPERIMENT=boringcrypto CC=aarch64-linux-gnu-gcc", fips: "+fips1402", pkg_suffix: "-fips" }
fail-fast: true
name: Go ${{ matrix.go }} ${{ matrix.goos }} ${{ matrix.goarch }} ${{ matrix.component }} ${{ matrix.fips }} build
steps:
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
- name: Setup go
uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
with:
go-version: ${{ matrix.go }}
- name: Replace Go for Windows FIPS with Microsoft Go
if: ${{ matrix.fips == '+fips1402' && matrix.goos == 'windows' }}
run: |
# Uninstall standard Go and use microsoft/go instead
rm -rf /home/runner/actions-runner/_work/_tool/go
curl https://aka.ms/golang/release/latest/go${{ matrix.go }}-1.linux-amd64.tar.gz -Lo go${{ matrix.go }}.linux-amd64.tar.gz
tar -C $HOME -xf go${{ matrix.go }}.linux-amd64.tar.gz
chmod +x $HOME/go/bin
export PATH=$HOME/go/bin:$PATH
if [ $(which go) != "$HOME/go/bin/go" ]; then
echo "Unable to verify microsoft/go toolchain"
exit 1
fi
- name: Install cross-compiler for FIPS on arm64
if: ${{ matrix.fips == '+fips1402' && matrix.goarch == 'arm64' }}
run: |
sudo apt-get update --allow-releaseinfo-change-suite --allow-releaseinfo-change-version && sudo apt-get install -y gcc-aarch64-linux-gnu
- name: Build
env:
GOOS: ${{ matrix.goos }}
GOARCH: ${{ matrix.goarch }}
CGO_ENABLED: 0
working-directory: ${{ matrix.component }}
run: |
mkdir -p dist out
cp $GITHUB_WORKSPACE/LICENSE dist/LICENSE.txt
export GIT_COMMIT=$(git rev-parse --short HEAD)
export GIT_DIRTY=$(test -n "$(git status --porcelain)" && echo "+CHANGES")
export GIT_IMPORT=github.com/hashicorp/consul-k8s/version
export GOLDFLAGS="-X ${GIT_IMPORT}.GitCommit=${GIT_COMMIT}${GIT_DIRTY} -X ${GIT_IMPORT}.GitDescribe=${{ needs.get-product-version.outputs.product-version }}"
${{ matrix.env }} go build -o dist/${{ matrix.bin_name }} -ldflags "${GOLDFLAGS}" -tags=${{ matrix.gotags }} .
zip -r -j out/${{ matrix.pkg_name }}_${{ needs.get-product-version.outputs.product-version }}${{ matrix.fips }}_${{ matrix.goos }}_${{ matrix.goarch }}.zip dist/
- name: Upload built binaries
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: ${{ matrix.pkg_name }}_${{ needs.get-product-version.outputs.product-version }}${{ matrix.fips }}_${{ matrix.goos }}_${{ matrix.goarch }}.zip
path: ${{ matrix.component}}/out/${{ matrix.pkg_name }}_${{ needs.get-product-version.outputs.product-version }}${{ matrix.fips }}_${{ matrix.goos }}_${{ matrix.goarch }}.zip
- name: Copy license file
env:
LICENSE_DIR: ".release/linux/package/usr/share/doc/${{ env.PKG_NAME }}"
run: |
mkdir -p "$LICENSE_DIR"
cp $GITHUB_WORKSPACE/LICENSE "$LICENSE_DIR/LICENSE.txt"
- name: Package rpm and deb files for consul-k8s CLI
if: matrix.goos == 'linux' && matrix.component == 'cli' && matrix.skip_packaging != 'true'
uses: hashicorp/actions-packaging-linux@v1
with:
name: consul-k8s${{ matrix.pkg_suffix }}
description: "consul-k8s provides a cli interface to first-class integrations between Consul and Kubernetes."
arch: ${{ matrix.goarch }}
version: ${{ needs.get-product-version.outputs.product-version }}${{ matrix.fips }}
maintainer: "HashiCorp"
homepage: "https://github.com/hashicorp/consul-k8s"
license: "MPL-2.0"
binary: "${{ matrix.component }}/dist/${{ matrix.bin_name }}"
deb_depends: "openssl"
rpm_depends: "openssl"
config_dir: ".release/linux/package/"
- name: Package rpm and deb files for consul-cni plugin
if: matrix.goos == 'linux' && matrix.component == 'control-plane/cni' && matrix.skip_packaging != 'true'
uses: hashicorp/actions-packaging-linux@v1
with:
name: consul-cni${{ matrix.pkg_suffix }}
description: "consul-cni provides a CNI plugin for use with Consul Service Mesh."
arch: ${{ matrix.goarch }}
version: ${{ needs.get-product-version.outputs.product-version }}${{ matrix.fips }}
maintainer: "HashiCorp"
homepage: "https://github.com/hashicorp/consul-k8s/control-plane/cni"
license: "MPL-2.0"
binary: "${{ matrix.component }}/dist/${{ matrix.bin_name }}"
deb_depends: "openssl"
rpm_depends: "openssl"
config_dir: ".release/linux/package/"
postinstall: ".release/linux/postinst"
postremove: ".release/linux/postrm"
- name: Set package names
if: matrix.goos == 'linux' && matrix.skip_packaging != 'true'
run: |
echo "RPM_PACKAGE=$(basename out/*.rpm)" >> $GITHUB_ENV
echo "DEB_PACKAGE=$(basename out/*.deb)" >> $GITHUB_ENV
- name: Enable docker runtime emulation for testing packages
if: matrix.goos == 'linux' && matrix.skip_packaging != 'true' && matrix.component == 'cli' && matrix.goarch != 'amd64'
run: |
docker run --privileged \
--rm \
docker.mirror.hashicorp.services/tonistiigi/binfmt@sha256:5540f38542290735d17da57d7084f684c62336105d018c605058daf03e4c8256 --install ${{ matrix.goarch }}
- name: Test consul-k8s CLI rpm package on platforms on UBI
if: matrix.goos == 'linux' && matrix.component == 'cli' && matrix.skip_packaging != 'true'
uses: addnab/docker-run-action@4f65fabd2431ebc8d299f8e5a018d79a769ae185 # v3
with:
image: registry.access.redhat.com/ubi9/ubi:latest
options: -v ${{ github.workspace }}:/work --platform linux/${{matrix.goarch}}
run: |
dnf install -y /work/out/${{ env.RPM_PACKAGE }}
CONSUL_K8S_VERSION="$(consul-k8s version | awk '{print $2}')"
VERSION="v${{ needs.get-product-version.outputs.product-version }}${{ matrix.fips }}"
if [ "${VERSION}" != "${CONSUL_K8S_VERSION}" ]; then
echo "Test FAILED, expected: ${VERSION}, got: ${CONSUL_K8S_VERSION}"
exit 1
fi
echo "Test PASSED, expected: ${VERSION}, got: ${CONSUL_K8S_VERSION}"
- name: Upload rpm packages
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
if: matrix.goos == 'linux' && matrix.skip_packaging != 'true'
with:
name: ${{ env.RPM_PACKAGE }}
path: out/${{ env.RPM_PACKAGE }}
- name: Test consul-k8s CLI debian package
if: matrix.goos == 'linux' && matrix.component == 'cli' && matrix.skip_packaging != 'true'
uses: addnab/docker-run-action@4f65fabd2431ebc8d299f8e5a018d79a769ae185 # v3
with:
image: ubuntu:latest
options: -v ${{ github.workspace }}:/work --platform linux/${{matrix.goarch}}
run: |
apt-get update -qq
apt-get install -y /work/out/${{ env.DEB_PACKAGE }}
CONSUL_K8S_VERSION="$(consul-k8s version | awk '{print $2}')"
VERSION="v${{ needs.get-product-version.outputs.product-version }}${{ matrix.fips }}"
if [ "${VERSION}" != "${CONSUL_K8S_VERSION}" ]; then
echo "Test FAILED, expected: ${VERSION}, got: ${CONSUL_K8S_VERSION}"
exit 1
fi
echo "Test PASSED, expected: ${VERSION}, got: ${CONSUL_K8S_VERSION}"
- name: Upload debian packages
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
if: matrix.goos == 'linux' && matrix.skip_packaging != 'true'
with:
name: ${{ env.DEB_PACKAGE }}
path: out/${{ env.DEB_PACKAGE }}
build-docker:
name: Docker ${{ matrix.goarch }} ${{ matrix.fips }} default release build
needs: [get-product-version, get-go-version, build]
runs-on: ubuntu-latest
strategy:
matrix:
include:
- { goos: "linux", goarch: "arm" }
- { goos: "linux", goarch: "arm64" }
- { goos: "linux", goarch: "386" }
- { goos: "linux", goarch: "amd64" }
- { goos: "linux", goarch: "amd64", fips: "+fips1402" }
- { goos: "linux", goarch: "arm64", fips: "+fips1402" }
env:
repo: ${{ github.event.repository.name }}
version: ${{ needs.get-product-version.outputs.product-version }}${{ matrix.fips }}
steps:
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
- uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
name: consul-cni_${{ needs.get-product-version.outputs.product-version }}${{ matrix.fips }}_${{ matrix.goos}}_${{ matrix.goarch }}.zip
path: control-plane/dist/cni/${{ matrix.goos}}/${{ matrix.goarch }}
- name: extract consul-cni zip
env:
ZIP_LOCATION: control-plane/dist/cni/${{ matrix.goos}}/${{ matrix.goarch }}
run: |
cd "${ZIP_LOCATION}"
unzip -j *.zip
# This naming convention will be used ONLY for per-commit dev images
- name: Set docker dev tag
run: |
echo "full_dev_tag=${{ env.version }}"
echo "full_dev_tag=${{ env.version }}" >> $GITHUB_ENV
echo "minor_dev_tag=$(echo ${{ env.version }}| sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+(-[0-9a-zA-Z\+\.]+)?$/\1\2/')"
echo "minor_dev_tag=$(echo ${{ env.version }}| sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+(-[0-9a-zA-Z\+\.]+)?$/\1\2/')" >> $GITHUB_ENV
- name: Docker Build (Action)
uses: hashicorp/actions-docker-build@v2
if: ${{ !matrix.fips }}
with:
smoke_test: |
TEST_VERSION="$(docker run "${IMAGE_NAME}" consul-k8s-control-plane version | awk '{print $2}')"
if [ "${TEST_VERSION}" != "v${version}" ]; then
echo "Test FAILED"
exit 1
fi
echo "Test PASSED"
version: ${{ env.version }}
target: release-default
arch: ${{ matrix.goarch }}
pkg_name: consul-k8s-control-plane_${{ env.version }}
bin_name: consul-k8s-control-plane
workdir: control-plane
tags: |
docker.io/hashicorp/${{ env.repo }}-control-plane:${{ env.version }}
public.ecr.aws/hashicorp/${{ env.repo }}-control-plane:${{ env.version }}
dev_tags: |
docker.io/hashicorppreview/${{ env.repo }}-control-plane:${{ env.full_dev_tag }}
docker.io/hashicorppreview/${{ env.repo }}-control-plane:${{ env.full_dev_tag }}-${{ github.sha }}
docker.io/hashicorppreview/${{ env.repo }}-control-plane:${{ env.minor_dev_tag }}
docker.io/hashicorppreview/${{ env.repo }}-control-plane:${{ env.minor_dev_tag }}-${{ github.sha }}
extra_build_args: |
GOLANG_VERSION=${{ needs.get-go-version.outputs.go-version }}
- name: Docker FIPS Build (Action)
uses: hashicorp/actions-docker-build@v2
if: ${{ matrix.fips }}
with:
smoke_test: |
TEST_VERSION="$(docker run "${IMAGE_NAME}" consul-k8s-control-plane version | awk '{print $2}')"
if [ "${TEST_VERSION}" != "v${version}" ]; then
echo "Test FAILED"
exit 1
fi
echo "Test PASSED"
version: ${{ env.version }}
target: release-default-fips # duplicate target to distinguish FIPS builds in CRT machinery
arch: ${{ matrix.goarch }}
pkg_name: consul-k8s-control-plane_${{ env.version }}
bin_name: consul-k8s-control-plane
workdir: control-plane
tags: |
docker.io/hashicorp/${{ env.repo }}-control-plane-fips:${{ env.version }}
public.ecr.aws/hashicorp/${{ env.repo }}-control-plane-fips:${{ env.version }}
dev_tags: |
docker.io/hashicorppreview/${{ env.repo }}-control-plane-fips:${{ env.full_dev_tag }}
docker.io/hashicorppreview/${{ env.repo }}-control-plane-fips:${{ env.full_dev_tag }}-${{ github.sha }}
docker.io/hashicorppreview/${{ env.repo }}-control-plane-fips:${{ env.minor_dev_tag }}
docker.io/hashicorppreview/${{ env.repo }}-control-plane-fips:${{ env.minor_dev_tag }}-${{ github.sha }}
extra_build_args: |
GOLANG_VERSION=${{ needs.get-go-version.outputs.go-version }}
build-docker-ubi:
name: Docker ${{ matrix.arch }} ${{ matrix.fips }} UBI builds
needs: [get-product-version, get-go-version, build]
runs-on: ubuntu-latest
strategy:
matrix:
include:
- { arch: "amd64" }
- { arch: "amd64", fips: "+fips1402" }
env:
repo: ${{ github.event.repository.name }}
version: ${{ needs.get-product-version.outputs.product-version }}${{ matrix.fips }}
steps:
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
- uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
name: consul-cni_${{ needs.get-product-version.outputs.product-version }}${{ matrix.fips }}_linux_${{ matrix.arch }}.zip
path: control-plane/dist/cni/linux/${{ matrix.arch }}
- name: extract consul-cni zip
env:
ZIP_LOCATION: control-plane/dist/cni/linux/${{ matrix.arch }}
run: |
cd "${ZIP_LOCATION}"
unzip -j *.zip
# This naming convention will be used ONLY for per-commit dev images
- name: Set docker dev tag
run: |
echo "full_dev_tag=${{ env.version }}"
echo "full_dev_tag=${{ env.version }}" >> $GITHUB_ENV
echo "minor_dev_tag=$(echo ${{ env.version }}| sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+(-[0-9a-zA-Z\+\.]+)?$/\1\2/')"
echo "minor_dev_tag=$(echo ${{ env.version }}| sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+(-[0-9a-zA-Z\+\.]+)?$/\1\2/')" >> $GITHUB_ENV
- name: Docker Build (Action)
if: ${{ !matrix.fips }}
uses: hashicorp/actions-docker-build@v2
with:
smoke_test: |
TEST_VERSION="$(docker run "${IMAGE_NAME}" consul-k8s-control-plane version | awk '{print $2}')"
if [ "${TEST_VERSION}" != "v${version}" ]; then
echo "Test FAILED"
exit 1
fi
echo "Test PASSED"
version: ${{ env.version }}
target: ubi
arch: ${{ matrix.arch }}
pkg_name: consul-k8s-control-plane_${{ env.version }}
bin_name: consul-k8s-control-plane
workdir: control-plane
tags: |
docker.io/hashicorp/${{ env.repo }}-control-plane:${{ env.version }}-ubi
public.ecr.aws/hashicorp/${{ env.repo }}-control-plane:${{ env.version }}-ubi
dev_tags: |
docker.io/hashicorppreview/${{ env.repo }}-control-plane:${{ env.full_dev_tag }}-ubi
docker.io/hashicorppreview/${{ env.repo }}-control-plane:${{ env.full_dev_tag }}-ubi-${{ github.sha }}
docker.io/hashicorppreview/${{ env.repo }}-control-plane:${{ env.minor_dev_tag }}-ubi
docker.io/hashicorppreview/${{ env.repo }}-control-plane:${{ env.minor_dev_tag }}-ubi-${{ github.sha }}
redhat_tag: quay.io/redhat-isv-containers/611ca2f89a9b407267837100:${{env.version}}-ubi
extra_build_args: |
GOLANG_VERSION=${{ needs.get-go-version.outputs.go-version }}
- name: Docker FIPS Build (Action)
if: ${{ matrix.fips }}
uses: hashicorp/actions-docker-build@v2
with:
smoke_test: |
TEST_VERSION="$(docker run "${IMAGE_NAME}" consul-k8s-control-plane version | awk '{print $2}')"
if [ "${TEST_VERSION}" != "v${version}" ]; then
echo "Test FAILED"
exit 1
fi
echo "Test PASSED"
version: ${{ env.version }}
target: ubi-fips # duplicate target to distinguish FIPS builds in CRT machinery
arch: ${{ matrix.arch }}
pkg_name: consul-k8s-control-plane_${{ env.version }}
bin_name: consul-k8s-control-plane
workdir: control-plane
tags: |
public.ecr.aws/hashicorp/${{ env.repo }}-control-plane-fips:${{ env.version }}-ubi
docker.io/hashicorp/${{ env.repo }}-control-plane-fips:${{ env.version }}-ubi
redhat_tag: quay.io/redhat-isv-containers/6486b1beabfc4e51588c0416:${{env.version}}-ubi # this is different than the non-FIPS one
extra_build_args: |
GOLANG_VERSION=${{ needs.get-go-version.outputs.go-version }}
dev_tags: |
docker.io/hashicorppreview/${{ env.repo }}-control-plane-fips:${{ env.full_dev_tag }}-ubi
docker.io/hashicorppreview/${{ env.repo }}-control-plane-fips:${{ env.full_dev_tag }}-ubi-${{ github.sha }}
docker.io/hashicorppreview/${{ env.repo }}-control-plane-fips:${{ env.minor_dev_tag }}-ubi
docker.io/hashicorppreview/${{ env.repo }}-control-plane-fips:${{ env.minor_dev_tag }}-ubi-${{ github.sha }}