From 0be2ec776da150b80ddbb4021267f673c26e4836 Mon Sep 17 00:00:00 2001
From: Kingdon Barrett
Date: Sat, 12 Nov 2022 11:49:03 -0500
Subject: [PATCH 1/6] update mkdocs requirements, python version

Signed-off-by: Kingdon Barrett
---
 Dockerfile | 2 +-
 requirements.txt | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index e25ae7dae..abae0c6c0 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM python:3.5.1-alpine
+FROM python:3.10.8-alpine
 
 COPY . /app
 WORKDIR /app
diff --git a/requirements.txt b/requirements.txt
index d3a71b1d9..4feaed805 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,3 +1,3 @@
-mkdocs==1.0.3
-markdown-checklist==0.4.1
-markdown-include==0.5.1
+mkdocs==1.4.2
+markdown-checklist==0.4.4
+markdown-include==0.7.0

From dc8cf850bea493e2fa6fc0b41b21644346176da8 Mon Sep 17 00:00:00 2001
From: Kingdon Barrett
Date: Sat, 12 Nov 2022 13:08:25 -0500
Subject: [PATCH 2/6] test building for OCI target
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* test build and push * test again * pull the result of build This is not for merge, it is just for the example * actions/cache@v3 * this is too much indirection but it's for testing so I think it's OK (the original idea was to pull this at runtime, so we'd always have the latest – this is going to need some refining, but I just want something that I can run right now, and say the job is done, point a domain at it, and call it good for today) push server * slightly broken ingress manifests works: http://teamhephy.info/ http://docs.teamhephy.info/ http://teamhephy.info/workflow/docs/ http://docs.teamhephy.info/workflow/docs/ doesn't (bad): http://docs.teamhephy.info/workflow/docs http://teamhephy.info/workflow/docs enable production letsencrypt try a new text trigger another build try imagePullPolicy: Always try another build try one more tracking one behind Add keyless (experimental) signing with Cosign This may or may not work? Just try it...
Signed-off-by: Kingdon Barrett add differentiation between "build" and "serve" we're going to remove this again in a moment, but it will be helpful to have the tasks separated before we try to obviate them together again set up flux-pull.sh for exec at runtime update deployment manifest and add init container soften rsync -a rsync: [generator] chgrp "/usr/share/nginx/html/." failed: Operation not permitted (1) a side effect of the -g in -rlptgoD, (how -a is expanded) further soften -t rsync: [generator] failed to set times on "/usr/share/nginx/html/.": Operation not permitted (1) further soften -p rsync: [generator] failed to set permissions on "/usr/share/nginx/html/.": Operation not permitted (1) USER 101 directive messes a bunch of things up nginx will drop the root user permission, so long as we are root when we start running (but with this USER directive here, it won't even start) Signed-off-by: Kingdon Barrett try rebuilding docs add write packages permission here skip the pre-build part try again with fresh docs all of this chown stuff is unnecessary the server drops permissions, but the container starts as root let's test tagging docs not sure if these really worked try for beta2 try later metadata-action version remove redundant USER root make sure to tag the artifact as "testing" too this is our environment tag (until we come up with something better!) beta3 
Signed-off-by: Kingdon Barrett
---
 .github/workflows/push-workflow-serve.yaml | 37 +++++++++
 .github/workflows/push-workflow-site.yaml | 86 +++++++++++++++++++++
 .gitignore | 1 +
 Dockerfile | 15 ++--
 Makefile | 3 +
 _scripts/flux-pull.sh | 14 ++++
 manifests/teamhephy.info/deployment.yaml | 36 +++++++++
 manifests/teamhephy.info/ingress.yaml | 49 ++++++++++++
 manifests/teamhephy.info/kustomization.yaml | 10 +++
 manifests/teamhephy.info/service.yaml | 11 +++
 src/index.md | 2 +-
 11 files changed, 257 insertions(+), 7 deletions(-)
 create mode 100644 .github/workflows/push-workflow-serve.yaml
 create mode 100644 .github/workflows/push-workflow-site.yaml
 create mode 100755 _scripts/flux-pull.sh
 create mode 100644 manifests/teamhephy.info/deployment.yaml
 create mode 100644 manifests/teamhephy.info/ingress.yaml
 create mode 100644 manifests/teamhephy.info/kustomization.yaml
 create mode 100644 manifests/teamhephy.info/service.yaml

diff --git a/.github/workflows/push-workflow-serve.yaml b/.github/workflows/push-workflow-serve.yaml
new file mode 100644
index 000000000..9bfcbab6e
--- /dev/null
+++ b/.github/workflows/push-workflow-serve.yaml
@@ -0,0 +1,37 @@
+name: Build docs server
+
+env:
+  PUSH_TARGET_IMG: ghcr.io/kingdonb/sites/workflow # assumed to be on GHCR, ambient credentials are used
+  PUSH_TARGET_TAG: serve # Configure what tag will push
+  BUILDDIR: ./site
+
+on:
+  push:
+    branches: [ main ] # Configure the branchs which you want to run this workflow
+
+jobs:
+  build-push:
+    name: "Build & Push docs server"
+    runs-on: ubuntu-latest
+
+    steps:
+
+      # Checkout source code
+      - name: Checkout
+        uses: actions/checkout@v2
+
+      - name: Login to GHCR
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      # Make server with latest published artifact
+      # FIXME: this will always/occasionally pick up the "last" image published
+      # so you may need to push twice to publish a change, unless this is fixed
+      - name: Docker build and push
+        run: |
+          SITE=${PUSH_TARGET_IMG}:${PUSH_TARGET_TAG}
+          docker build -t ${SITE} .
+          docker push ${SITE}
diff --git a/.github/workflows/push-workflow-site.yaml b/.github/workflows/push-workflow-site.yaml
new file mode 100644
index 000000000..17882b8d0
--- /dev/null
+++ b/.github/workflows/push-workflow-site.yaml
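Review bot: The build-push job pushes to GHCR with `secrets.GITHUB_TOKEN` but declares no `permissions:` block, so whether `docker push` is allowed depends on the repository's default token scope, and the token keeps every other scope that default grants; push-workflow-site.yaml in this same series declares `packages: write` explicitly. Adding at job level `permissions:` / `contents: read` / `packages: write` makes the grant both explicit and minimal. The FIXME above "Docker build and push" describes an image that picks up the "last" published site, but the Dockerfile in this series only installs flux and flux-pull.sh and the site is pulled at pod start, so the comment appears stale and could be reworded to say the server image no longer contains site content.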
@@ -0,0 +1,86 @@
+name: Build documentation (tag)
+
+env:
+  PIP_CACHE_DIR: .pip # Configure the PIP cache directory
+  PUSH_TARGET: ghcr.io/kingdonb/sites/workflow # assumed to be on GHCR, ambient credentials are used
+  BUILDDIR: ./site
+
+on:
+  push:
+    # paths: [ src/**.md ] # Only trigger workflow when there are changes on docs
+    # branches: [ main ] # Configure the branchs which you want to run this workflow
+    tags: [ "*" ]
+
+jobs:
+  build-push:
+    permissions:
+      packages: write
+      id-token: write # needed for signing the images with GitHub OIDC Token **not production ready**
+
+    name: "Build & Push docs"
+    runs-on: ubuntu-latest
+
+    steps:
+
+      # Checkout source code
+      - name: Checkout
+        uses: actions/checkout@v2
+
+      # Use Flux to publish mkdocs build output as OCI
+      - name: Setup Flux CLI
+        uses: fluxcd/flux2/action@main
+
+      # Use Cosign to sign and verify site content as OCI
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@main
+
+      # Cache mkdocs dependencies for faster build time
+      - name: Cache dependencies
+        uses: actions/cache@v3
+        with:
+          path: |
+            ./.pip
+          key: ${{ runner.os }}-modules-${{ hashFiles('./requirements.txt') }}
+
+      # Install dependencies for build process
+      - name: Install build dependencies
+        run: |
+          make deps
+
+      # Build docs
+      - name: Build mkdocs
+        run: |
+          make build BUILDDIR=$BUILDDIR
+
+      # Use docker/metadata-action eventually (not used for now)
+      - id: docker_meta
+        uses: docker/metadata-action@v4.1.1
+        with:
+          images: ${{ env.PUSH_TARGET }}
+          tags: |
+            type=sha,format=long
+            type=semver,pattern={{version}}
+            #,value=v1.0.0
+
+      - name: Login to GHCR
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      # Make build published as Flux OCI artifact
+      - name: Flux push
+        run: |
+          flux push artifact oci://${{ env.PUSH_TARGET }}:${{ steps.docker_meta.outputs.version }} --path=$BUILDDIR \
+            --source="$(git config --get remote.origin.url)" \
+            --revision="$(git tag --points-at HEAD)/$(git rev-parse HEAD)"
+          flux tag artifact oci://${{ env.PUSH_TARGET }}:${{ steps.docker_meta.outputs.version }} \
+            --tag testing
+
+      # Sign the docs tag with cosign (keyless/experimental)
+      - name: Cosign (keyless)
+        run: cosign sign ${{ env.PUSH_TARGET }}:${{ steps.docker_meta.outputs.version }}
+        env:
+          TAGS: ${{ env.PUSH_TARGET }}:${{ steps.docker_meta.outputs.version }}
+          COSIGN_EXPERIMENTAL: true
diff --git a/.gitignore b/.gitignore
index 84105361f..169797396 100644
--- a/.gitignore
+++ b/.gitignore
@@ -20,5 +20,6 @@ bower_components
 venv/
 _build/
+site/
 .DS_Store
diff --git a/Dockerfile b/Dockerfile
index abae0c6c0..1c8a48b4e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,9 +1,12 @@
-FROM python:3.10.8-alpine
+###
+FROM ghcr.io/fluxcd/flux-cli:v0.36.0 AS flux
 
-COPY . /app
-WORKDIR /app
+###
+FROM nginx:1.23.2-alpine AS server
 
-RUN pip install -r requirements.txt
+COPY --from=flux /usr/local/bin/flux /usr/local/bin/flux
 
-EXPOSE 8000
-CMD ["mkdocs", "serve", "-a", "0.0.0.0:8000"]
+RUN apk add rsync
+
+ADD _scripts/flux-pull.sh /usr/local/bin/
+RUN chmod +x /usr/local/bin/flux-pull.sh
diff --git a/Makefile b/Makefile
index 4b718976a..e3f6ac950 100644
--- a/Makefile
+++ b/Makefile
@@ -53,3 +53,6 @@ docker-serve:
 	${DEV_ENV_CMD} ${IMAGE} $(MKDOCSSERVE)
 
 run: docker-build docker-serve
+
+pull:
+	flux pull artifact oci://ghcr.io/kingdonb/sites/workflow:testing --output ./
diff --git a/_scripts/flux-pull.sh b/_scripts/flux-pull.sh
new file mode 100755
index 000000000..6d5c12310
--- /dev/null
+++ b/_scripts/flux-pull.sh
@@ -0,0 +1,14 @@
+#!/bin/sh
+
+set -e
+set -x
+
+rm -rf /tmp/oci-pull
+mkdir /tmp/oci-pull
+
+flux pull artifact \
+  oci://ghcr.io/kingdonb/sites/workflow:testing \
+  --output /tmp/oci-pull && \
+  rsync --delete -rlv /tmp/oci-pull/site/ /usr/share/nginx/html
+
+rm -rf /tmp/oci-pull
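Review bot: `Setup Flux CLI` and `Install Cosign` pin their actions to `@main`, so the two tools that build the published artifact and produce its signature come from a moving branch that any upstream push can change; these are the steps in this job where a pin matters most. The Dockerfile in this series already pins flux-cli to v0.36.0, so `uses: fluxcd/flux2/action@v0.36.0` keeps the two in step, and `sigstore/cosign-installer` should likewise be pinned to a release tag or a commit SHA. Separately, the workflow triggers on `tags: [ "*" ]` while the metadata-action only lists a `type=semver` and a `type=sha` entry; what `steps.docker_meta.outputs.version` holds for a non-semver tag should be confirmed, because an empty value turns the `Flux push` target into `oci://…/workflow:`.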
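Review bot: `ADD _scripts/flux-pull.sh /usr/local/bin/` should be `COPY _scripts/flux-pull.sh /usr/local/bin/`: ADD also fetches URLs and unpacks archives, and COPY states the intent of copying one local file. `RUN apk add rsync` leaves the package index in the layer; `RUN apk add --no-cache rsync` avoids that. The script is committed with mode 100755 in this same commit (`new file mode 100755` in the _scripts/flux-pull.sh header), so the following `RUN chmod +x /usr/local/bin/flux-pull.sh` is redundant and can be dropped.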
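Review bot: The script pulls `oci://ghcr.io/kingdonb/sites/workflow:testing` and rsyncs it straight into the nginx document root without verifying what it pulled, even though push-workflow-site.yaml signs the pushed artifact with cosign; `testing` is a mutable tag, so every pod start serves whatever currently sits behind it, and the signature produced upstream is never checked anywhere. Either pin the reference to a digest handed in from the Deployment (for example `oci://ghcr.io/kingdonb/sites/workflow@sha256:<DIGEST>`, placeholder for the digest the workflow reports) or install cosign in the server image and run `cosign verify` on the reference before the rsync, so the init container fails when verification fails. The Makefile `pull` target added in this same commit uses the same unverified tag.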
diff --git a/manifests/teamhephy.info/deployment.yaml b/manifests/teamhephy.info/deployment.yaml
new file mode 100644
index 000000000..01131196f
--- /dev/null
+++ b/manifests/teamhephy.info/deployment.yaml
@@ -0,0 +1,36 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: workflow-docs
+spec:
+  selector:
+    matchLabels:
+      app: workflow-docs-nginx
+  replicas: 2
+  template:
+    metadata:
+      labels:
+        app: workflow-docs-nginx
+    spec:
+      initContainers:
+        - name: flux-pull
+          image: ghcr.io/kingdonb/sites/workflow:serve
+          imagePullPolicy: Always
+          command:
+            - "/usr/local/bin/flux-pull.sh"
+          volumeMounts:
+            - mountPath: /usr/share/nginx/html
+              name: html
+      containers:
+        - name: nginx
+          image: ghcr.io/kingdonb/sites/workflow:serve # build
+          imagePullPolicy: Always
+          ports:
+            - containerPort: 80
+          volumeMounts:
+            - mountPath: /usr/share/nginx/html
+              name: html
+      volumes:
+        - name: html
+          emptyDir:
+            sizeLimit: 100Mi
diff --git a/manifests/teamhephy.info/ingress.yaml b/manifests/teamhephy.info/ingress.yaml
new file mode 100644
index 000000000..8cbe373ff
--- /dev/null
+++ b/manifests/teamhephy.info/ingress.yaml
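Review bot: Neither the `flux-pull` init container nor the `nginx` container sets `resources`, so both replicas run with no CPU or memory requests or limits and the scheduler has nothing to place them by; the `sizeLimit: 100Mi` on the emptyDir is the only bound in the manifest. Adding per-container `resources: { requests: { cpu: 50m, memory: 64Mi }, limits: { memory: 128Mi } }` (illustrative values) keeps a runaway rsync or nginx from affecting neighbours on the node. Both containers reference the mutable `:serve` tag with `imagePullPolicy: Always`, so a restart can pull a different image than the one last reviewed; pinning by digest belongs in the kustomization's `images:` entry rather than here.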
@@ -0,0 +1,49 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: workflow-docs
+  annotations:
+    nginx.ingress.kubernetes.io/rewrite-target: /$2
+    cert-manager.io/cluster-issuer: production-letsencrypt
+spec:
+  ingressClassName: public
+  rules:
+    - host: docs.teamhephy.info
+      http:
+        paths:
+          - path: /()(.*)
+            pathType: Prefix
+            backend:
+              service:
+                name: workflow-docs
+                port:
+                  number: 80
+          - path: /workflow/docs(/|$)(.*)
+            pathType: Prefix
+            backend:
+              service:
+                name: workflow-docs
+                port:
+                  number: 80
+    - host: teamhephy.info
+      http:
+        paths:
+          - path: /()(.*)
+            pathType: Prefix
+            backend:
+              service:
+                name: workflow-docs
+                port:
+                  number: 80
+          - path: /workflow/docs(/|$)(.*)
+            pathType: Prefix
+            backend:
+              service:
+                name: workflow-docs
+                port:
+                  number: 80
+  tls:
+    - hosts:
+        - teamhephy.info
+        - docs.teamhephy.info
+      secretName: workflow-docs
diff --git a/manifests/teamhephy.info/kustomization.yaml b/manifests/teamhephy.info/kustomization.yaml
new file mode 100644
index 000000000..c47d1f0a3
--- /dev/null
+++ b/manifests/teamhephy.info/kustomization.yaml
@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- deployment.yaml
+- service.yaml
+- ingress.yaml
+images:
+- name: ghcr.io/kingdonb/sites/workflow
+  newName: ghcr.io/kingdonb/sites/workflow
+  newTag: serve
diff --git a/manifests/teamhephy.info/service.yaml b/manifests/teamhephy.info/service.yaml
new file mode 100644
index 000000000..8f24006b9
--- /dev/null
+++ b/manifests/teamhephy.info/service.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: workflow-docs
+spec:
+  selector:
+    app: workflow-docs-nginx
+  ports:
+    - protocol: TCP
+      port: 80
+      targetPort: 80
diff --git a/src/index.md b/src/index.md
index a033635e4..66623c1b9 100644
--- a/src/index.md
+++ b/src/index.md
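Review bot: In kustomization.yaml the `images:` entry sets `newName` to the same value as `name`, which is a no-op, and `newTag: serve` keeps the Deployment on a mutable tag that is rewritten by every push-workflow-serve.yaml run, so a rollout or pod restart can pick up an image that nobody has looked at. Replace the tag with a digest, `- name: ghcr.io/kingdonb/sites/workflow` / `  digest: sha256:<SERVE-IMAGE-DIGEST>` (placeholder; use the digest reported by the serve workflow's push), and drop `newName`. Kustomize then rewrites both `image:` references in deployment.yaml to the immutable form without touching that manifest.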
@@ -9,7 +9,7 @@ application configuration, creating and rolling back releases, managing domain n
 certificates, providing seamless edge routing, aggregating logs, and sharing applications with teams.
 All of this is exposed through a simple REST API and command line interface.
 
-Please note that this documentation is for Hephy Workflow (v2.23.0). Older versions of Hephy Workflow and Deis Workflow are not supported.
+Please note that this documentation is for Hephy Workflow (v2.24.0-beta3). Older versions of Hephy Workflow and Deis Workflow are not supported.
 
 ## Getting Started
 

From 0cd3cf387a9fc693a302bb3dceec452431ab784a Mon Sep 17 00:00:00 2001
From: Kingdon Barrett
Date: Sun, 13 Nov 2022 20:40:25 -0500
Subject: [PATCH 3/6] clean up

Signed-off-by: Kingdon Barrett
---
 .github/workflows/push-workflow-serve.yaml | 1 -
 .github/workflows/push-workflow-site.yaml | 9 ++++++---
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/push-workflow-serve.yaml b/.github/workflows/push-workflow-serve.yaml
index 9bfcbab6e..eb2695151 100644
--- a/.github/workflows/push-workflow-serve.yaml
+++ b/.github/workflows/push-workflow-serve.yaml
@@ -3,7 +3,6 @@ name: Build docs server
 env:
   PUSH_TARGET_IMG: ghcr.io/kingdonb/sites/workflow # assumed to be on GHCR, ambient credentials are used
   PUSH_TARGET_TAG: serve # Configure what tag will push
-  BUILDDIR: ./site
 
 on:
   push:
diff --git a/.github/workflows/push-workflow-site.yaml b/.github/workflows/push-workflow-site.yaml
index 17882b8d0..27788dd32 100644
--- a/.github/workflows/push-workflow-site.yaml
+++ b/.github/workflows/push-workflow-site.yaml
@@ -71,16 +71,19 @@ jobs:
 
       # Make build published as Flux OCI artifact
       - name: Flux push
+        id: push_html
         run: |
           flux push artifact oci://${{ env.PUSH_TARGET }}:${{ steps.docker_meta.outputs.version }} --path=$BUILDDIR \
             --source="$(git config --get remote.origin.url)" \
-            --revision="$(git tag --points-at HEAD)/$(git rev-parse HEAD)"
+            --revision="$(git tag --points-at HEAD)/$(git rev-parse HEAD)" | tee tmp-digest.out
+          DIGEST="$(grep '✔ artifact successfully pushed to' tmp-digest.out | awk '{print $6}')"
+          echo "::set-output name=digest::$DIGEST"
           flux tag artifact oci://${{ env.PUSH_TARGET }}:${{ steps.docker_meta.outputs.version }} \
             --tag testing
 
       # Sign the docs tag with cosign (keyless/experimental)
       - name: Cosign (keyless)
-        run: cosign sign ${{ env.PUSH_TARGET }}:${{ steps.docker_meta.outputs.version }}
+        run: cosign sign $TAGS
         env:
-          TAGS: ${{ env.PUSH_TARGET }}:${{ steps.docker_meta.outputs.version }}
+          TAGS: ${{ steps.push_html.outputs.digest }}
           COSIGN_EXPERIMENTAL: true

From a6ae01254e815c49ea6374fae68be07b4cb6f3f4 Mon Sep 17 00:00:00 2001
From: Kingdon Barrett
Date: Sun, 13 Nov 2022 20:41:57 -0500
Subject: [PATCH 4/6] beta4

Signed-off-by: Kingdon Barrett
---
 src/index.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/index.md b/src/index.md
index 66623c1b9..760c3bb22 100644
--- a/src/index.md
+++ b/src/index.md
@@ -9,7 +9,7 @@ application configuration, creating and rolling back releases, managing domain n
 certificates, providing seamless edge routing, aggregating logs, and sharing applications with teams.
 All of this is exposed through a simple REST API and command line interface.
 
-Please note that this documentation is for Hephy Workflow (v2.24.0-beta3). Older versions of Hephy Workflow and Deis Workflow are not supported.
+Please note that this documentation is for Hephy Workflow (v2.24.0-beta4). Older versions of Hephy Workflow and Deis Workflow are not supported.
 
 ## Getting Started
 
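Review bot: Piping `flux push artifact … | tee tmp-digest.out` hides the push's exit status: a `run` step with no explicit `shell:` executes under `bash -e` without `pipefail`, so a failed push exits 0 through tee, the grep matches nothing, `digest` is set to an empty string, and the `Cosign (keyless)` step then runs `cosign sign` with an empty argument instead of the job failing at the push. Adding `shell: bash` to the `Flux push` step (GitHub then runs it with `-eo pipefail`) or a leading `set -o pipefail` in the script makes the step fail where the push fails. The same pipeline is carried forward unchanged by the `@@ -75,15 +75,20 @@` hunk in PATCH 5/6 of this series.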
From 025419852588a51e9910a4b08e2c7074c6e3c596 Mon Sep 17 00:00:00 2001
From: Kingdon Barrett
Date: Sun, 13 Nov 2022 20:47:14 -0500
Subject: [PATCH 5/6] fix output to use GITHUB_OUTPUT file

try fixup cosign * only build main when Dockerfile changes we don't need a new `serve` image unless one of these files has changed try fixup action puts debugger * ahhhh it is working cosign OCI manifests which are addressed by digest are signed without warning

Signed-off-by: Kingdon Barrett
---
 .github/workflows/push-workflow-serve.yaml | 1 +
 .github/workflows/push-workflow-site.yaml | 11 ++++++++---
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/push-workflow-serve.yaml b/.github/workflows/push-workflow-serve.yaml
index eb2695151..43feb5612 100644
--- a/.github/workflows/push-workflow-serve.yaml
+++ b/.github/workflows/push-workflow-serve.yaml
@@ -6,6 +6,7 @@ env:
 
 on:
   push:
+    paths: [ Dockerfile, _scripts/flux-pull.sh ]
     branches: [ main ] # Configure the branchs which you want to run this workflow
 
 jobs:
diff --git a/.github/workflows/push-workflow-site.yaml b/.github/workflows/push-workflow-site.yaml
index 27788dd32..10447e4aa 100644
--- a/.github/workflows/push-workflow-site.yaml
+++ b/.github/workflows/push-workflow-site.yaml
@@ -75,15 +75,20 @@ jobs:
         run: |
           flux push artifact oci://${{ env.PUSH_TARGET }}:${{ steps.docker_meta.outputs.version }} --path=$BUILDDIR \
             --source="$(git config --get remote.origin.url)" \
-            --revision="$(git tag --points-at HEAD)/$(git rev-parse HEAD)" | tee tmp-digest.out
+            --revision="$(git tag --points-at HEAD)/$(git rev-parse HEAD)" 2>&1 | tee tmp-digest.out
+          # Warning: This is not stable, flux CLI output may change
+          cat tmp-digest.out
           DIGEST="$(grep '✔ artifact successfully pushed to' tmp-digest.out | awk '{print $6}')"
-          echo "::set-output name=digest::$DIGEST"
+          echo DIGEST=$DIGEST
+
+          echo "digest=$(grep '✔ artifact successfully pushed to' tmp-digest.out | awk '{print $6}')" >> $GITHUB_OUTPUT
+
           flux tag artifact oci://${{ env.PUSH_TARGET }}:${{ steps.docker_meta.outputs.version }} \
             --tag testing
 
       # Sign the docs tag with cosign (keyless/experimental)
       - name: Cosign (keyless)
-        run: cosign sign $TAGS
+        run: cosign sign ${{ steps.push_html.outputs.digest }}
         env:
           TAGS: ${{ steps.push_html.outputs.digest }}
           COSIGN_EXPERIMENTAL: true

From a993fcd406f5959086d4e41d760efb8edbe36857 Mon Sep 17 00:00:00 2001
From: Kingdon Barrett
Date: Tue, 15 Nov 2022 11:29:55 -0500
Subject: [PATCH 6/6] set actions/checkout @v3

Signed-off-by: Kingdon Barrett
---
 .github/workflows/push-workflow-serve.yaml | 2 +-
 .github/workflows/push-workflow-site.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/push-workflow-serve.yaml b/.github/workflows/push-workflow-serve.yaml
index 43feb5612..3fe234cad 100644
--- a/.github/workflows/push-workflow-serve.yaml
+++ b/.github/workflows/push-workflow-serve.yaml
@@ -18,7 +18,7 @@ jobs:
 
       # Checkout source code
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
 
       - name: Login to GHCR
         uses: docker/login-action@v2
diff --git a/.github/workflows/push-workflow-site.yaml b/.github/workflows/push-workflow-site.yaml
index 10447e4aa..1e2147988 100644
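Review bot: `DIGEST` is computed and only echoed, while the `digest=` output line re-runs the same grep/awk pipeline, and nothing checks that a digest was actually found before `cosign sign ${{ steps.push_html.outputs.digest }}` consumes it; the `# Warning: This is not stable` comment names the risk but the script does not act on it. Use the variable once and guard it: `[ -n "$DIGEST" ] || { echo "no pushed digest found in flux output" >&2; exit 1; }` followed by `echo "digest=$DIGEST" >> "$GITHUB_OUTPUT"`. The `cat tmp-digest.out` and `echo DIGEST=$DIGEST` lines look like debugging leftovers, and the `TAGS:` env entry on the Cosign step is no longer read now that the `run` line references the step output directly.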
--- a/.github/workflows/push-workflow-site.yaml
+++ b/.github/workflows/push-workflow-site.yaml
@@ -24,7 +24,7 @@ jobs:
 
       # Checkout source code
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
 
       # Use Flux to publish mkdocs build output as OCI
       - name: Setup Flux CLI