panubo
diff --git a/‎.github/workflows/build-push.yml‎
Lines changed: 119 additions & 0 deletions b/‎.github/workflows/build-push.yml‎
Lines changed: 119 additions & 0 deletions
diff --git a/‎.github/workflows/github-release.yml‎
Lines changed: 68 additions & 0 deletions b/‎.github/workflows/github-release.yml‎
Lines changed: 68 additions & 0 deletions
diff --git a/‎Dockerfile‎
Lines changed: 145 additions & 0 deletions b/‎Dockerfile‎
Lines changed: 145 additions & 0 deletions
diff --git a/‎Makefile‎
Lines changed: 37 additions & 0 deletions b/‎Makefile‎
Lines changed: 37 additions & 0 deletions
@@ -0,0 +1,119 @@
+# Source: https://github.com/panubo/reference-github-actions/blob/main/docker-images/build-push.yml
+#
+# Description: Panubo build and push to Quay.io and ECR Public
+# This GH Action is intended for public docker images that package upstream applications/services (ie not for projects of Panubo's).
+# For repos that build multiple repos use the multi-build-push.yml workflow.
+#
+# This workflow runs on pushes to "main", PRs (does not push) or matching git tags.
+# Image names are generated from the repository name, if "docker-" is part of the repository name it is removed from the docker image name.
+#
+# Additionally this workflow performs some automated testing after a docker build.
+# Automated testing is triggered by `make _ci_test`, if no test is required the Makefile target should just run `true`.
+# Before tests are run a Docker build is performed, the resulting image has a tag of "test"
+# BATS is installed since it is commonly required by the tests.
+#
+# LICENSE: MIT License, Copyright (c) 2021-2025 Volt Grid Pty Ltd t/a Panubo
+
+name: build and push on main and tags
+
+on:
+  push:
+    branches:
+      - main
+    tags:
+      - v[0-9]+.[0-9]+.[0-9]+*
+  pull_request:
+
+env:
+  GITHUB_ROLE_ARN: arn:aws:iam::461800378586:role/GitHubECRPublic
+
+permissions:
+  id-token: write   # Required for OIDC
+  contents: read    # This is required for actions/checkout
+
+jobs:
+  build_and_push:
+
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v5
+        with:
+          submodules: true
+
+      - name: Get repo name
+        id: image_name
+        run: |
+          sed -E -e 's/docker-//' -e 's/^/image_name=/' <<<"${{ github.repository }}" >> "$GITHUB_OUTPUT"
+
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          # list of Docker images to use as base name for tags
+          images: |
+            quay.io/${{ steps.image_name.outputs.image_name }}
+            public.ecr.aws/${{ steps.image_name.outputs.image_name }}
+          # generate Docker tags based on the following events/attributes
+          tags: |
+            # type=schedule
+            type=ref,event=branch
+            type=ref,event=pr
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=match,pattern=v(.*),group=1
+            # type=sha
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@v3
+
+      # The values provided to these two AWS steps are always the same for Panubo owned repos
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ env.GITHUB_ROLE_ARN }}
+          aws-region: us-east-1
+
+      - name: Login to ECR
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v3
+        with:
+          registry: public.ecr.aws
+
+      - name: Login to Quay.io
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v3
+        with:
+          registry: quay.io
+          username: ${{ secrets.PANUBUILD_QUAYIO_USERNAME }}
+          password: ${{ secrets.PANUBUILD_QUAYIO_TOKEN }}
+
+      - name: Setup BATS
+        uses: bats-core/bats-action@3.0.1
+
+      - name: Build and export to Docker
+        uses: docker/build-push-action@v6
+        with:
+          builder: ${{ steps.buildx.outputs.name }}
+          cache-from: type=gha
+          load: true
+          tags: ${{ steps.image_name.outputs.image_name }}:test
+
+      - name: Test
+        run: |
+          make _ci_test
+
+      - name: Build and Push
+        uses: docker/build-push-action@v6
+        with:
+          builder: ${{ steps.buildx.outputs.name }}
+          push: ${{ github.event_name != 'pull_request' }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          platforms: linux/amd64,linux/arm64
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
@@ -0,0 +1,68 @@
+# Source: https://github.com/panubo/reference-github-actions/blob/main/github-release.yml
+# Description: Create a GitHub release
+# LICENSE: MIT License, Copyright (c) 2021-2025 Volt Grid Pty Ltd t/a Panubo
+#
+# This workflow supports release candidate tags. If a tag contains "-rc" for
+# example "v1.2.3-rc.1" then the release will be marked as a prerelease.
+# Additionally when generating changelog for release notes any RC releases will
+# be ignored.
+#
+# If you want to provide additional release notes you can add a
+# _ci_release_notes to a Makefile in the root of the repo. This will be called
+# while generating the release notes and will be attended to the end of the auto
+# generated release notes. If the command is absent or fails the failure will be
+# ignored. Additionally the tag/ref_name will be passed with TAG="${TAG#v}"
+# which will strip the "v" prefix from the tag, this is useful for listing
+# container images with their tag.
+
+name: GitHub Release
+
+on:
+  push:
+    tags:
+      - "v*"
+  workflow_call:
+
+permissions:
+  contents: write
+
+jobs:
+  build:
+    name: Create GitHub Release
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v5
+        with:
+          fetch-depth: 0 # Required for git log to work
+
+      - name: Get Release Notes
+        env:
+          TAG: ${{ github.ref_name }}
+        id: get_release_notes
+        run: |
+          tag1="$(git -c 'versionsort.suffix=-' tag --sort=-v:refname | head -1)"
+          tag2="$(git -c 'versionsort.suffix=-' tag --sort=-v:refname | grep -v '\-rc' | grep -v -w "${tag1}" | head -1)"
+          {
+            echo 'notes<<EOF'
+            echo "Changes since last release:"
+            echo
+            git log --graph --pretty=tformat:'%s %H' --abbrev-commit --date=relative "${tag1}"..."${tag2}"
+            echo
+            echo "**Full Changelog**: https://github.com/${GITHUB_REPOSITORY}/compare/${tag2}...${tag1}"
+            # Optionally allow the Makefile to generate some release notes too
+            make _ci_release_notes TAG=${TAG#v} || true
+            echo EOF
+          } >> "${GITHUB_OUTPUT}"
+
+      - name: Create Release
+        id: create_release
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          TAG: ${{ github.ref_name }}
+        run: |
+          gh release create "$TAG" \
+            --title "Release $TAG" \
+            --notes "${{ steps.get_release_notes.outputs.notes }}" \
+            --draft=false \
+            --prerelease="${{ contains(github.ref, '-rc') }}"
@@ -0,0 +1,145 @@
+FROM docker.io/alpine:3.23
+
+# Set versions and checksums
+ENV \
+  HELM_VERSION=3.19.5 \
+  HELM_GPG_KEYS="672C657BE06B4B30969C4A57461449C25E36B98E F1261BDE929012C8FF2E501D6EA5D7598529A53E 967F8AC5E2216F9F4FD270AD92AA783CBAAE8E3B 76939899B137D575D3274E756DCCB9D752D35BA8 49D09C86C3DC8DA3F0A076221EF612347F8A9958 ABA2529598F6626C420D335B62F49E747D911B60 4AB45F1CB0D292975C6371436E2A23D806B6E6DD 208DD36ED5BB3745A16743A4C7C6FBB5B91C1155 7FEC81FACC7FFB2A010ADD13C2D40F4D8196E874" \
+  KUBECTL_VERSION=1.33.7 \
+  SOPS_VERSION=3.11.0 \
+  VALS_VERSION=0.43.1 \
+  VALS_CHECKSUM_X86_64=50403f8a13d534b7bd1392d3228b5785cad342b4c8819b39c075f132680afece \
+  VALS_CHECKSUM_AARCH64=16e55cefa2e6ae016e12c39fad6361695221dece97e8046615ac002d692cde22 \
+  HELM_SECRETS_VERSION=4.7.5 \
+  HELM_SECRETS_CHECKSUM=f1e332f159e67100612815dcb8773ea46ae75a682fcf058c29bd300581fe2401 \
+  CURL_VERSION=8.18.0 \
+  CURL_CHECKSUM_X86_64=35d3377193d67b4e0aa0931da4f443c8fccfa26d889e2f40457220afedfc9d7c \
+  CURL_CHECKSUM_AARCH64=1e9bf12c523254a54b79d07cdb621aa0830509a82646fe8be13340a03fcbbd05
+
+# Install some system packages
+RUN set -x \
+  && mkdir -p /gitops-tools/helm-plugins \
+  && apk add --no-cache gnupg ca-certificates cosign \
+  ;
+
+# Install Helm and validate the release is signed by a trusted releaser
+# Use Helm's KEYS file as the key source but only import the trusted keys from $HELM_GPG_KEYS
+RUN set -x \
+  && if [ "$(uname -m)" = "x86_64" ] ; then \
+  ARCH="amd64"; \
+  elif [ "$(uname -m)" = "aarch64" ]; then \
+  ARCH="arm64"; \
+  fi \
+  && IMPORT_GPG="$(mktemp -d)" \
+  && HELM_GPG="$(mktemp -d)" \
+  && wget --no-verbose "https://raw.githubusercontent.com/helm/helm/main/KEYS" -O /tmp/helm-KEYS \
+  && gpg --homedir "${IMPORT_GPG}" --import /tmp/helm-KEYS \
+  && for key in ${HELM_GPG_KEYS}; do gpg --homedir "${IMPORT_GPG}" --export "${key}" | gpg --homedir "${HELM_GPG}" --import; done \
+  && wget --no-verbose "https://get.helm.sh/helm-v${HELM_VERSION}-linux-${ARCH}.tar.gz" -O /tmp/helm-v${HELM_VERSION}-linux-${ARCH}.tar.gz \
+  && wget --no-verbose "https://get.helm.sh/helm-v${HELM_VERSION}-linux-${ARCH}.tar.gz.sha256" -O /tmp/helm-v${HELM_VERSION}-linux-${ARCH}.tar.gz.sha256 \
+  && wget --no-verbose "https://github.com/helm/helm/releases/download/v${HELM_VERSION}/helm-v${HELM_VERSION}-linux-${ARCH}.tar.gz.asc" -O /tmp/helm-v${HELM_VERSION}-linux-${ARCH}.tar.gz.asc \
+  && wget --no-verbose "https://github.com/helm/helm/releases/download/v${HELM_VERSION}/helm-v${HELM_VERSION}-linux-${ARCH}.tar.gz.sha256.asc " -O /tmp/helm-v${HELM_VERSION}-linux-${ARCH}.tar.gz.sha256.asc  \
+  && echo "$(cat /tmp/helm-v${HELM_VERSION}-linux-${ARCH}.tar.gz.sha256)  /tmp/helm-v${HELM_VERSION}-linux-${ARCH}.tar.gz" | sha256sum -c - \
+  && gpg --batch --homedir "${HELM_GPG}" --no-default-keyring --verify /tmp/helm-v${HELM_VERSION}-linux-${ARCH}.tar.gz.asc /tmp/helm-v${HELM_VERSION}-linux-${ARCH}.tar.gz \
+  && gpg --batch --homedir "${HELM_GPG}" --no-default-keyring --verify /tmp/helm-v${HELM_VERSION}-linux-${ARCH}.tar.gz.sha256.asc /tmp/helm-v${HELM_VERSION}-linux-${ARCH}.tar.gz.sha256 \
+  && tar -C /gitops-tools -zxf /tmp/helm-v${HELM_VERSION}-linux-${ARCH}.tar.gz --strip-components 1 linux-${ARCH}/helm \
+  && chmod +x /gitops-tools/helm \
+  && rm -rf /tmp/* \
+  ;
+
+# Install kubectl and verify with cosign
+RUN set -x \
+  && if [ "$(uname -m)" = "x86_64" ] ; then \
+  ARCH="amd64"; \
+  elif [ "$(uname -m)" = "aarch64" ]; then \
+  ARCH="arm64"; \
+  fi \
+  && wget --no-verbose "https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/${ARCH}/kubectl" -O /gitops-tools/kubectl \
+  && wget --no-verbose "https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/${ARCH}/kubectl.sha256" -O /tmp/kubectl.sha256 \
+  && wget --no-verbose "https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/${ARCH}/kubectl.sig" -O /tmp/kubectl.sig \
+  && wget --no-verbose "https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/${ARCH}/kubectl.cert" -O /tmp/kubectl.cert \
+  && (cd /gitops-tools; echo "$(cat /tmp/kubectl.sha256)  kubectl" | sha256sum -c -) \
+  && cosign verify-blob "/gitops-tools/kubectl" \
+  --signature "/tmp/kubectl.sig" \
+  --certificate "/tmp/kubectl.cert" \
+  --certificate-identity krel-staging@k8s-releng-prod.iam.gserviceaccount.com \
+  --certificate-oidc-issuer https://accounts.google.com \
+  && chmod +x /gitops-tools/kubectl \
+  && rm -rf /tmp/* \
+  ;
+
+# Install SOPS and verify with cosign
+RUN set -x \
+  && if [ "$(uname -m)" = "x86_64" ] ; then \
+  ARCH="amd64"; \
+  elif [ "$(uname -m)" = "aarch64" ]; then \
+  ARCH="arm64"; \
+  fi \
+  && wget --no-verbose "https://github.com/getsops/sops/releases/download/v${SOPS_VERSION}/sops-v${SOPS_VERSION}.linux.${ARCH}" -O /tmp/sops-v${SOPS_VERSION}.linux.${ARCH} \
+  && wget --no-verbose "https://github.com/getsops/sops/releases/download/v${SOPS_VERSION}/sops-v${SOPS_VERSION}.checksums.txt" -O /tmp/sops-v${SOPS_VERSION}.checksums.txt \
+  && wget --no-verbose "https://github.com/getsops/sops/releases/download/v${SOPS_VERSION}/sops-v${SOPS_VERSION}.checksums.pem" -O /tmp/sops-v${SOPS_VERSION}.checksums.pem \
+  && wget --no-verbose "https://github.com/getsops/sops/releases/download/v${SOPS_VERSION}/sops-v${SOPS_VERSION}.checksums.sig" -O /tmp/sops-v${SOPS_VERSION}.checksums.sig \
+  && (cd /tmp; grep "sops-v${SOPS_VERSION}.linux.${ARCH}" /tmp/sops-v${SOPS_VERSION}.checksums.txt | sha256sum -c -) \
+  && cosign verify-blob "/tmp/sops-v${SOPS_VERSION}.checksums.txt" \
+  --certificate "/tmp/sops-v${SOPS_VERSION}.checksums.pem" \
+  --signature "/tmp/sops-v${SOPS_VERSION}.checksums.sig" \
+  --certificate-identity-regexp="https://github.com/getsops" \
+  --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
+  && mv /tmp/sops-v${SOPS_VERSION}.linux.${ARCH} /gitops-tools/sops \
+  && chmod +x /gitops-tools/sops \
+  && rm -rf /tmp/* \
+  ;
+
+# Install helm vals and verify with checksum
+RUN set -x \
+  && if [ "$(uname -m)" = "x86_64" ] ; then \
+  VALS_CHECKSUM="${VALS_CHECKSUM_X86_64}"; \
+  ARCH="amd64"; \
+  elif [ "$(uname -m)" = "aarch64" ]; then \
+  VALS_CHECKSUM="${VALS_CHECKSUM_AARCH64}"; \
+  ARCH="arm64"; \
+  fi \
+  && wget --no-verbose "https://github.com/helmfile/vals/releases/download/v${VALS_VERSION}/vals_${VALS_VERSION}_linux_${ARCH}.tar.gz" -O /tmp/vals_v${VALS_VERSION}_linux_${ARCH}.tar.gz \
+  && (cd /tmp; echo "${VALS_CHECKSUM}  vals_v${VALS_VERSION}_linux_${ARCH}.tar.gz" | sha256sum -c -) \
+  && tar -C /gitops-tools -zxf /tmp/vals_v${VALS_VERSION}_linux_${ARCH}.tar.gz vals \
+  && chmod +x /gitops-tools/vals \
+  && rm -rf /tmp/* \
+  ;
+
+# Install helm-secrets plugin
+RUN set -x \
+  && wget --no-verbose "https://github.com/jkroepke/helm-secrets/releases/download/v${HELM_SECRETS_VERSION}/helm-secrets.tar.gz" -O /tmp/helm-secrets.tar.gz \
+  && (cd /tmp; echo "${HELM_SECRETS_CHECKSUM}  helm-secrets.tar.gz" | sha256sum -c -) \
+  && tar -C /gitops-tools/helm-plugins -zxf /tmp/helm-secrets.tar.gz \
+  && rm -rf /tmp/* \
+  ;
+
+# Install static curl
+RUN set -x \
+  && if [ "$(uname -m)" = "x86_64" ] ; then \
+  CURL_CHECKSUM="${CURL_CHECKSUM_X86_64}"; \
+  ARCH="x86_64"; \
+  elif [ "$(uname -m)" = "aarch64" ]; then \
+  CURL_CHECKSUM="${CURL_CHECKSUM_AARCH64}"; \
+  ARCH="aarch64"; \
+  fi \
+  && wget --no-verbose "https://github.com/stunnel/static-curl/releases/download/${CURL_VERSION}/curl-linux-${ARCH}-musl-${CURL_VERSION}.tar.xz" -O /tmp/curl-linux-${ARCH}-musl-${CURL_VERSION}.tar.xz \
+  && tar -C /gitops-tools -Jxf /tmp/curl-linux-${ARCH}-musl-${CURL_VERSION}.tar.xz curl \
+  && (cd /gitops-tools; echo "${CURL_CHECKSUM}  curl" | sha256sum -c -) \
+  && chmod +x /gitops-tools/curl \
+  ;
+
+# Add some env vars
+ENV \
+  PATH="/gitops-tools:${PATH}" \
+  HELM_PLUGINS=/gitops-tools/helm-plugins/ \
+  HELM_SECRETS_CURL_PATH=/gitops-tools/curl \
+  HELM_SECRETS_SOPS_PATH=/gitops-tools/sops \
+  HELM_SECRETS_VALS_PATH=/gitops-tools/vals \
+  HELM_SECRETS_HELM_PATH=/gitops-tools/helm \
+  HELM_SECRETS_KUBECTL_PATH=/gitops-tools/kubectl \
+  HELM_SECRETS_BACKEND=sops \
+  HELM_SECRETS_VALUES_ALLOW_SYMLINKS="false" \
+  HELM_SECRETS_VALUES_ALLOW_ABSOLUTE_PATH="true" \
+  HELM_SECRETS_VALUES_ALLOW_PATH_TRAVERSAL="false" \
+  HELM_SECRETS_WRAPPER_ENABLED="true" \
+  HELM_SECRETS_DECRYPT_SECRETS_IN_TMP_DIR="true"
@@ -0,0 +1,37 @@
+NAME       := gitops-toolbox
+TAG        := test
+IMAGE_NAME := panubo/$(NAME)
+
+.PHONY: help build build-quick run-nginx run-nginx-spa run-s3sync shell push clean
+
+help:
+	@printf "$$(grep -hE '^\S+:.*##' $(MAKEFILE_LIST) | sed -e 's/:.*##\s*/:/' -e 's/^\(.\+\):\(.*\)/\\x1b[36m\1\\x1b[m:\2/' | column -c2 -t -s :)\n"
+
+build:  ## build image
+	docker build -t $(IMAGE_NAME):$(TAG) .
+
+run:  ## run the container
+	docker run --rm -it $(IMAGE_NAME):$(TAG)
+
+test:  ## run test suite
+	( cd tests; bats -j 4 . )
+
+_ci_test:
+	-mkdir tests/results
+	( cd tests; bats -j 4 --report-formatter junit -o results . )
+
+_ci_release_notes:
+	@echo "## Installed Tools"
+	@grep -E '(HELM_VERSION|KUBECTL_VERSION|SOPS_VERSION|VALS_VERSION|HELM_SECRETS_VERSION|CURL_VERSION)=' Dockerfile | \
+	sed -e 's/^[[:space:]]*//' \
+		-e 's/ \\//' \
+		-e 's/HELM_VERSION=/- helm: /' \
+		-e 's/KUBECTL_VERSION=/- kubectl: /' \
+		-e 's/SOPS_VERSION=/- sops: /' \
+		-e 's/VALS_VERSION=/- vals: /' \
+		-e 's/HELM_SECRETS_VERSION=/- helm-secrets: /' \
+		-e 's/CURL_VERSION=/- curl: /'
+	@echo ""
+	@echo "## Container Images"
+	@echo "- quay.io/$(IMAGE_NAME):$(TAG)"
+	@echo "- public.ecr.aws/$(IMAGE_NAME):$(TAG)"