Building and Pushing to MCR #108
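# This GitHub Action will build and publish images to Azure Container Registry (ACR), from where the published images will be
# automatically pushed to the trusted registry, Microsoft Container Registry (MCR).
#
# The workflow is manual only (workflow_dispatch). The optional `releaseTag` input selects the git tag to
# build; when it is empty the latest tag in the repository is used instead.
name: Building and Pushing to MCR
on:
  workflow_dispatch:
    inputs:
      releaseTag:
        description: 'Release tag to publish images, defaults to the latest one'
        type: string
        required: false
# Workflow-level token permissions: the GITHUB_TOKEN is read-only for repository contents.
# NOTE(review): `id-token: write` is not consumed by any step visible in this file (the jobs authenticate with
# `az login --identity`); confirm whether `make push` relies on it before narrowing it.
permissions:
  id-token: write
  contents: read
env:
  # `public` indicates images to MCR will be publicly available, and will be removed in the final MCR images
  REGISTRY_REPO: public/aks/fleet
  # Quoted so that YAML does not parse the version as a float.
  GO_VERSION: '1.24.9'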
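jobs:
  # Resolves the release tag once so that every other job checks out and tags images from the same value.
  prepare-variables:
    runs-on: ubuntu-latest
    outputs:
      release_tag: ${{ steps.vars.outputs.release_tag }}
    steps:
      # TODO(review): for a release pipeline, pin third-party actions to a full-length commit SHA
      # (e.g. `actions/checkout@<commit-sha> # v6`); a moving major tag can be re-pointed upstream.
      - uses: actions/checkout@v6
        with:
          # Full history is required so that the tag lookup below can see every tag.
          fetch-depth: 0
      - name: 'Set output variables'
        id: vars
        # The dispatch input is handed to the script through the environment rather than interpolated into the
        # script text, so its content is never parsed by the shell as code. The resolved value is then checked
        # against the repository's tags before downstream jobs use it as a checkout ref and as an image tag.
        env:
          RELEASE_TAG_INPUT: ${{ inputs.releaseTag }}
        run: |
          set -euo pipefail
          # set the image version
          RELEASE_TAG="$RELEASE_TAG_INPUT"
          if [ -z "$RELEASE_TAG" ]; then
            RELEASE_TAG="$(git describe --tags "$(git rev-list --tags --max-count=1)")"
            echo "The user input release tag is empty, will use the latest tag $RELEASE_TAG."
          fi
          # Refuse anything that is not an existing tag; this also rejects arbitrary refs and malformed names.
          if ! git rev-parse -q --verify "refs/tags/$RELEASE_TAG" > /dev/null; then
            echo "::error::'$RELEASE_TAG' is not a tag in this repository."
            exit 1
          fi
          # `::set-output` is deprecated; step outputs are written to $GITHUB_OUTPUT instead.
          echo "release_tag=$RELEASE_TAG" >> "$GITHUB_OUTPUT"
      # NOTE(mainred): As exporting a variable from a secret is not possible, the shared variable registry obtained
      # from AZURE_REGISTRY secret is not exported from here.
  publish-images-amd64:
    # Self-hosted 1ES pool; `az login --identity` below authenticates with the identity attached to this pool.
    runs-on:
      labels: [self-hosted, "1ES.Pool=1es-aks-fleet-networking-pool-ubuntu"]
    needs: prepare-variables
    steps:
      - name: Set up Go ${{ env.GO_VERSION }}
        uses: actions/setup-go@v6
        with:
          go-version: ${{ env.GO_VERSION }}
      - uses: actions/checkout@v6
        with:
          # Build from the validated release tag, not from the default branch.
          ref: ${{ needs.prepare-variables.outputs.release_tag }}
      - name: 'Login the ACR'
        # Managed-identity login; the only secret involved is the registry name in AZURE_REGISTRY.
        run: |
          az login --identity
          az acr login -n ${{ secrets.AZURE_REGISTRY }}
      - name: Build and publish controller manager images
        run: |
          make push
        env:
          TAG: ${{ needs.prepare-variables.outputs.release_tag }}
          REGISTRY: ${{ secrets.AZURE_REGISTRY }}/${{ env.REGISTRY_REPO }}
          # Per-arch images carry an arch suffix; the manifest bundle job publishes them under the plain tag.
          HUB_NET_CONTROLLER_MANAGER_IMAGE_VERSION: ${{ needs.prepare-variables.outputs.release_tag }}-amd64
          MEMBER_NET_CONTROLLER_MANAGER_IMAGE_VERSION: ${{ needs.prepare-variables.outputs.release_tag }}-amd64
          MCS_CONTROLLER_MANAGER_IMAGE_VERSION: ${{ needs.prepare-variables.outputs.release_tag }}-amd64
          NET_CRD_INSTALLER_IMAGE_VERSION: ${{ needs.prepare-variables.outputs.release_tag }}-amd64
          TARGET_ARCH: amd64
          # Quoted: the Makefile compares the string, a YAML boolean would be rendered differently.
          AUTO_DETECT_ARCH: "FALSE"
  publish-images-arm64:
    # Self-hosted ARM64 1ES pool; unlike the amd64 pool it needs its toolchain installed at run time (see below).
    runs-on:
      labels: [self-hosted, "1ES.Pool=1es-aks-fleet-networking-pool-ubuntu-arm64"]
    needs: prepare-variables
    steps:
      - name: Set up Go ${{ env.GO_VERSION }}
        uses: actions/setup-go@v6
        with:
          go-version: ${{ env.GO_VERSION }}
      - uses: actions/checkout@v6
        with:
          # Build from the validated release tag, not from the default branch.
          ref: ${{ needs.prepare-variables.outputs.release_tag }}
      - name: 'Install the Azure CLI'
        # Note (chenyu1): the self-hosted 1ES ARM64 pool, for some reason, does not have Azure CLI installed by default;
        # install it manually here.
        # NOTE(review): this executes an unpinned remote script as root. `-f` makes curl fail on an HTTP error instead
        # of piping an error page into bash; installing from the signed packages.microsoft.com apt repository would let
        # apt verify the package, as is already done for Docker below.
        run: |
          curl -fsSL https://aka.ms/InstallAzureCLIDeb | sudo bash
      - name: 'Set up build dependencies'
        # Note (chenyu1): the self-hosted 1ES ARM64 pool, for some reason, does not have the common build
        # tools (e.g., make) installed by default; install them manually.
        run: |
          sudo apt-get update
          sudo apt-get install -y build-essential acl
      - name: 'Set up Docker'
        # Note (chenyu1): the self-hosted 1ES ARM64 pool, for some reason, does not have Docker installed by default,
        # and cannot have Docker installed via the docker/setup-docker-action Github Action, hence the manual setup
        # steps here.
        # The repository is added with `signed-by=` so that apt verifies the packages against Docker's key.
        run: |
          sudo apt-get update
          sudo apt-get -y install ca-certificates curl
          sudo install -m 0755 -d /etc/apt/keyrings
          sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
          sudo chmod a+r /etc/apt/keyrings/docker.asc
          echo \
            "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
            $(. /etc/os-release && echo "${UBUNTU_CODENAME:-$VERSION_CODENAME}") stable" | \
            sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
          sudo apt-get update
          sudo apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
      - name: 'Enable Docker access'
        # Note (chenyu1): there are situations where the newgrp command will not take effect; set access
        # to the docker daemon directly just in case.
        # Read/write access to the Docker socket is root-equivalent on the host; keep this pool dedicated to builds.
        run: |
          sudo groupadd docker || true
          echo "Adding $USER to the docker group"
          sudo usermod -aG docker "$USER"
          newgrp docker
          sudo setfacl --modify "user:$USER:rw" /var/run/docker.sock
      - name: 'Login the ACR'
        # Managed-identity login; the only secret involved is the registry name in AZURE_REGISTRY.
        run: |
          az login --identity
          az acr login -n ${{ secrets.AZURE_REGISTRY }}
      - name: 'Verify Docker CLI'
        run: |
          docker version
          docker info
      - name: Build and publish controller manager images
        run: |
          make push
        env:
          TAG: ${{ needs.prepare-variables.outputs.release_tag }}
          REGISTRY: ${{ secrets.AZURE_REGISTRY }}/${{ env.REGISTRY_REPO }}
          # Per-arch images carry an arch suffix; the manifest bundle job publishes them under the plain tag.
          HUB_NET_CONTROLLER_MANAGER_IMAGE_VERSION: ${{ needs.prepare-variables.outputs.release_tag }}-arm64
          MEMBER_NET_CONTROLLER_MANAGER_IMAGE_VERSION: ${{ needs.prepare-variables.outputs.release_tag }}-arm64
          MCS_CONTROLLER_MANAGER_IMAGE_VERSION: ${{ needs.prepare-variables.outputs.release_tag }}-arm64
          NET_CRD_INSTALLER_IMAGE_VERSION: ${{ needs.prepare-variables.outputs.release_tag }}-arm64
          TARGET_ARCH: arm64
          # Quoted: the Makefile compares the string, a YAML boolean would be rendered differently.
          AUTO_DETECT_ARCH: "FALSE"
  # Combines the per-arch images pushed above into one multi-arch manifest per image under the plain release tag.
  create-image-manifest-bundle:
    runs-on:
      # Use the x86_64 1ES pool to run this job; in theory it can be run on the ARM64 1ES pool as well.
      labels: [self-hosted, "1ES.Pool=1es-aks-fleet-networking-pool-ubuntu"]
    needs: [prepare-variables, publish-images-amd64, publish-images-arm64]
    steps:
      - name: 'Wait until images are processed'
        # Note (chenyu1): as we are pulling from ACR rather than MCR, the images should be available almost
        # immediately after the push is done; the delay is added here as a precaution.
        run: |
          echo "Waiting for 3 minutes to ensure that images are fully processed"
          sleep 180
      - name: 'Login the ACR'
        # Managed-identity login; the only secret involved is the registry name in AZURE_REGISTRY.
        run: |
          az login --identity
          az acr login -n ${{ secrets.AZURE_REGISTRY }}
      - name: 'Pull the hub networking agent images from ACR'
        # Note (chenyu1): must set the target platform explicitly.
        run: |
          docker pull --platform linux/amd64 ${{ secrets.AZURE_REGISTRY }}/${{ env.REGISTRY_REPO }}/hub-net-controller-manager:${{ needs.prepare-variables.outputs.release_tag }}-amd64
          docker pull --platform linux/arm64 ${{ secrets.AZURE_REGISTRY }}/${{ env.REGISTRY_REPO }}/hub-net-controller-manager:${{ needs.prepare-variables.outputs.release_tag }}-arm64
      - name: 'Create and push multi-arch image manifests for the hub networking agent image'
        # Note (chenyu1): use `docker buildx imagetools create`, otherwise attestations cannot be preserved.
        run: |
          docker buildx imagetools create \
            -t ${{ secrets.AZURE_REGISTRY }}/${{ env.REGISTRY_REPO }}/hub-net-controller-manager:${{ needs.prepare-variables.outputs.release_tag }} \
            ${{ secrets.AZURE_REGISTRY }}/${{ env.REGISTRY_REPO }}/hub-net-controller-manager:${{ needs.prepare-variables.outputs.release_tag }}-amd64 \
            ${{ secrets.AZURE_REGISTRY }}/${{ env.REGISTRY_REPO }}/hub-net-controller-manager:${{ needs.prepare-variables.outputs.release_tag }}-arm64
      - name: 'Pull the member networking agent images from ACR'
        # Note (chenyu1): must set the target platform explicitly.
        run: |
          docker pull --platform linux/amd64 ${{ secrets.AZURE_REGISTRY }}/${{ env.REGISTRY_REPO }}/member-net-controller-manager:${{ needs.prepare-variables.outputs.release_tag }}-amd64
          docker pull --platform linux/arm64 ${{ secrets.AZURE_REGISTRY }}/${{ env.REGISTRY_REPO }}/member-net-controller-manager:${{ needs.prepare-variables.outputs.release_tag }}-arm64
      - name: 'Create and push multi-arch image manifests for the member networking agent image'
        # Note (chenyu1): use `docker buildx imagetools create`, otherwise attestations cannot be preserved.
        run: |
          docker buildx imagetools create \
            -t ${{ secrets.AZURE_REGISTRY }}/${{ env.REGISTRY_REPO }}/member-net-controller-manager:${{ needs.prepare-variables.outputs.release_tag }} \
            ${{ secrets.AZURE_REGISTRY }}/${{ env.REGISTRY_REPO }}/member-net-controller-manager:${{ needs.prepare-variables.outputs.release_tag }}-amd64 \
            ${{ secrets.AZURE_REGISTRY }}/${{ env.REGISTRY_REPO }}/member-net-controller-manager:${{ needs.prepare-variables.outputs.release_tag }}-arm64
      - name: 'Pull the MCS agent images from ACR'
        # Note (chenyu1): must set the target platform explicitly.
        run: |
          docker pull --platform linux/amd64 ${{ secrets.AZURE_REGISTRY }}/${{ env.REGISTRY_REPO }}/mcs-controller-manager:${{ needs.prepare-variables.outputs.release_tag }}-amd64
          docker pull --platform linux/arm64 ${{ secrets.AZURE_REGISTRY }}/${{ env.REGISTRY_REPO }}/mcs-controller-manager:${{ needs.prepare-variables.outputs.release_tag }}-arm64
      - name: 'Create and push multi-arch image manifests for the MCS agent image'
        # Note (chenyu1): use `docker buildx imagetools create`, otherwise attestations cannot be preserved.
        run: |
          docker buildx imagetools create \
            -t ${{ secrets.AZURE_REGISTRY }}/${{ env.REGISTRY_REPO }}/mcs-controller-manager:${{ needs.prepare-variables.outputs.release_tag }} \
            ${{ secrets.AZURE_REGISTRY }}/${{ env.REGISTRY_REPO }}/mcs-controller-manager:${{ needs.prepare-variables.outputs.release_tag }}-amd64 \
            ${{ secrets.AZURE_REGISTRY }}/${{ env.REGISTRY_REPO }}/mcs-controller-manager:${{ needs.prepare-variables.outputs.release_tag }}-arm64
      - name: 'Pull the networking crd installer images from ACR'
        # Note (chenyu1): must set the target platform explicitly.
        run: |
          docker pull --platform linux/amd64 ${{ secrets.AZURE_REGISTRY }}/${{ env.REGISTRY_REPO }}/net-crd-installer:${{ needs.prepare-variables.outputs.release_tag }}-amd64
          docker pull --platform linux/arm64 ${{ secrets.AZURE_REGISTRY }}/${{ env.REGISTRY_REPO }}/net-crd-installer:${{ needs.prepare-variables.outputs.release_tag }}-arm64
      - name: 'Create and push multi-arch image manifests for the networking crd installer image'
        # Note (chenyu1): use `docker buildx imagetools create`, otherwise attestations cannot be preserved.
        run: |
          docker buildx imagetools create \
            -t ${{ secrets.AZURE_REGISTRY }}/${{ env.REGISTRY_REPO }}/net-crd-installer:${{ needs.prepare-variables.outputs.release_tag }} \
            ${{ secrets.AZURE_REGISTRY }}/${{ env.REGISTRY_REPO }}/net-crd-installer:${{ needs.prepare-variables.outputs.release_tag }}-amd64 \
            ${{ secrets.AZURE_REGISTRY }}/${{ env.REGISTRY_REPO }}/net-crd-installer:${{ needs.prepare-variables.outputs.release_tag }}-arm64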