add oci & packer

.github/workflows/alpine-glibc.yaml

@@ -4,7 +4,7 @@ on:
   push:
     paths:
       - '.github/workflows/alpine-glibc-image.yaml'
-      - 'base/alpine-glibc/Dockerfile'
+      - 'oci/base/alpine-glibc/Dockerfile'
     branches:
       - main
 
@@ -21,7 +21,7 @@ jobs:
           registry: artifact.onwalk.net
           username: admin 
           password: ${{ secrets.HELM_REPO_PASSWORD }}
-          path: './base/alpine-glibc'
+          path: '.oci/base/alpine-glibc'
           build_file: 'Dockerfile'
           image: k8s/alpine-glibc
           tag: 2.34

.github/workflows/alpine-with-custom-ca.yaml

@@ -3,7 +3,7 @@ on:
   pull_request:
   push:
     paths:
-      - 'base/alpine/Dockerfile'
+      - 'oci/base/alpine/Dockerfile'
       - '.github/workflows/alpine-with-custom-ca.yaml'
     branches:
       - main
@@ -21,7 +21,7 @@ jobs:
           registry: artifact.onwalk.net
           username: admin 
           password: ${{ secrets.HELM_REPO_PASSWORD }}
-          build_file: base/alpine/Dockerfile 
+          build_file: './oci/base/alpine/Dockerfile' 
           image: k8s/alpine-ca
           tag: latest
           cache: true

.github/workflows/app-runner-alpine.yaml

@@ -4,10 +4,10 @@ on:
   push:
     paths:
       - '.github/workflows/app-runner-alpine.yaml'
-      - 'ci-runner/alpine/Dockerfile'
-      - 'ci-runner/alpine/Makefile'
-      - 'ci-runner/alpine/ca.crt'
-      - 'ci-runner/alpine/repositories'
+      - 'oci/ci-runner/alpine/Dockerfile'
+      - 'oci/ci-runner/alpine/Makefile'
+      - 'oci/ci-runner/alpine/ca.crt'
+      - 'oci/ci-runner/alpine/repositories'
     branches:
       - main
 
@@ -24,7 +24,7 @@ jobs:
           registry: artifact.onwalk.net
           username: admin 
           password: ${{ secrets.HELM_REPO_PASSWORD }}
-          path: './ci-runner/alpine'
+          path: './oci/ci-runner/alpine'
           build_file: 'Dockerfile'
           image: devops/ci-runner-alpine
           tag: latest

.github/workflows/fluxcd/flux-cli-image.yaml

@@ -3,8 +3,8 @@ on:
   pull_request:
   push:
     paths:
-      - '.github/workflows/flux-cli-image.yaml'
-      - '.github/workflows/alpine-with-custom-ca.yaml'
+      - 'oci/fluxcd/flux-cli.Dockerfile'
+      - '.github/workflows/fluxcd/flux-cli-image.yaml'
     branches:
       - main
 

.github/workflows/fluxcd/flux-helm-controller-image.yaml

@@ -3,7 +3,7 @@ on:
   pull_request:
   push:
     paths:
-      - '.github/workflows/alpine-with-custom-ca.yaml'
+      - 'oci/fluxcd/flux-helm-controller.Dockerfile'
       - '.github/workflows/flux-helm-controller-image.yaml'
     branches:
       - main

.github/workflows/fluxcd/flux-image-automation-controller.yaml

@@ -4,7 +4,7 @@ on:
   push:
     paths:
       - 'fluxcd/flux-image-automation-controller.Dockerfile'
-      - '.github/workflows/flux-image-automation-controller.yaml'
+      - '.github/workflows/fluxcd/flux-image-automation-controller.yaml'
     branches:
       - main
 

.github/workflows/fluxcd/flux-image-reflector-controller.yaml

@@ -4,7 +4,7 @@ on:
   push:
     paths:
       - 'fluxcd/flux-image-reflector-controller.Dockerfile'
-      - '.github/workflows/flux-image-reflector-controller.yaml'
+      - '.github/workflows/fluxcd/flux-image-reflector-controller.yaml'
     branches:
       - main
 

.github/workflows/fluxcd/flux-kustomize-controller-image.yaml

@@ -4,7 +4,7 @@ on:
   push:
     paths:
       - 'fluxcd/flux-kustomize-controller.Dockerfile'
-      - '.github/workflows/flux-kustomize-controller-image.yaml'
+      - '.github/workflows/fluxcd/flux-kustomize-controller-image.yaml'
     branches:
       - main
 

.github/workflows/fluxcd/flux-notification-controller-image.yaml

@@ -3,7 +3,7 @@ on:
   pull_request:
   push:
     paths:
-      - '.github/workflows/flux-notification-controller-image.yaml'
+      - '.github/workflows/fluxcd/flux-notification-controller-image.yaml'
       - 'dockerfiles/flux-notification-controller.Dockerfile'
     branches:
       - main

.github/workflows/fluxcd/flux-source-controller-image.yaml

@@ -4,7 +4,7 @@ on:
   push:
     paths:
       - 'fluxcd/flux-source-controller.Dockerfile'
-      - '.github/workflows/flux-source-controller-image.yaml'
+      - '.github/workflows/fluxcd/flux-source-controller-image.yaml'
     branches:
       - main
 

.github/workflows/iac-runner-terraform.yaml

@@ -3,9 +3,9 @@ on:
   pull_request:
   push:
     paths:
-      - 'ci-runner/terraform/main.tf'
-      - 'ci-runner/terraform/Dockerfile'
-      - 'ci-runner/terraform/.terraformrc'
+      - 'oci/ci-runner/terraform/main.tf'
+      - 'oci/ci-runner/terraform/Dockerfile'
+      - 'oci/ci-runner/terraform/.terraformrc'
       - '.github/workflows/iac-runner-terraform.yaml'
     branches:
       - main
@@ -23,7 +23,7 @@ jobs:
           registry: artifact.onwalk.net
           username: admin 
           password: ${{ secrets.HELM_REPO_PASSWORD }}
-          path: './ci-runner/terraform'
+          path: './oci/ci-runner/terraform'
           build_file: 'Dockerfile'
           image: devops/ci-runner-terraform
           tag: latest

.github/workflows/packer/bootstrap.sh

@@ -0,0 +1,15 @@
+#!/bin/bash
+echo " ***You can add bash scripts to install prerequisite software in you image in bootstrap.sh file ***"
+
+curl -sfL https://rancher-mirror.oss-cn-beijing.aliyuncs.com/k3s/k3s-install.sh | INSTALL_K3S_MIRROR=cn sh -
+sudo chown ubuntu:ubuntu /etc/rancher/k3s/k3s.yaml
+export KUBECONFIG=/etc/rancher/k3s/k3s.yaml
+sudo wget https://mirrors.onwalk.net/tools/linux-amd64/helm.tar.gz && sudo tar -xvpf helm.tar.gz -C /usr/local/bin/
+sudo chmod 755 /usr/local/bin/helm
+helm repo add neuvector https://neuvector.github.io/neuvector-helm/
+#helm repo add nginx-stable https://helm.nginx.com/stable
+helm repo up
+#helm install ingress nginx-stable/nginx-ingress --set controller.enableCustomResources=false --set controller.appprotect.enable=false --set controller.hostNetwork=true
+sleep 30
+kubectl create namespace neuvector
+

.github/workflows/packer/build.sh

@@ -0,0 +1,26 @@
+#!/bin/bash
+wget -O- https://apt.releases.hashicorp.com/gpg | gpg --dearmor | sudo tee /usr/share/keyrings/hashicorp-archive-keyring.gpg
+echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
+sudo apt update && sudo apt install packer
+
+mkdir -pv ~/.aws/
+cat > ~/.aws/credentials << EOF
+aws_access_key_id=XXXXXXXXXXXXXXXXX
+aws_secret_access_key=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+EOF
+
+cat > ~/.aws/config << EOF
+[default]
+region=cn-northwest-1
+output=json
+EOF
+
+packer hcl2_upgrade ubuntu-ami.json
+
+export AWS_ACCESS_KEY_ID=
+export AWS_SECRET_ACCESS_KEY=
+export AWS_SECURITY_TOKEN
+packer init .
+packer fmt .
+packer validate .
+packer build ubuntu-ami.json.pkr.hcl

.github/workflows/packer/golden-image-pipeline.yaml

@@ -0,0 +1,28 @@
+name: Create AWS Golden AMI
+  pull_request:
+  push:
+    paths:
+      - '.github/workflows/packer/build.sh'
+      - '.github/workflows/packer/bootstrap.sh'
+      - '.github/workflows/packer/ubuntu-os-ami.json'
+      - '.github/workflows/packer/ubuntu-os-ami.json.pkr.hcl'
+      - '.github/workflows/packer/golden-image-pipeline.yaml'
+    branches:
+      - main
+
+jobs:
+  create-golden-ami:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+    - name: Install Packer
+      run: sudo apt-get install -y zip unzip jq
+      env:
+        AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+        AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+    - name: Download Packer
+      run: wget https://releases.hashicorp.com/packer/1.6.2/packer_1.6.2_linux_amd64.zip
+      shell: bash
+    - name: create image
+      run: build.sh
+      shell: bash

.github/workflows/packer/ubuntu-os-ami.json

@@ -0,0 +1,37 @@
+{
+    "variables": {
+        "aws_region": "cn-northwest-1",
+	"aws_accountId": "405306994013",
+        "aws_access_key": "{{env `AWS_ACCESS_KEY_ID`}}",
+        "aws_secret_key": "{{env `AWS_SECRET_ACCESS_KEY`}}",
+        "aws_session_token": "{{env `AWS_SESSION_TOKEN`}}"
+    },
+    "builders": [
+        {
+            "type": "amazon-ebs",
+	    "access_key":               "{{user `aws_access_key`}}",
+            "secret_key":               "{{user `aws_secret_key`}}",
+            "token":                    "{{user `aws_session_token`}}",
+            "ami_name": "K3S-NeuVector-{{timestamp}}",
+            "instance_type": "t2.large",
+            "region": "{{user `aws_region`}}",
+            "source_ami_filter": {
+              "filters": {
+              "virtualization-type": "hvm",
+              "name": "ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20220706",
+              "root-device-type": "ebs"
+              },
+              "owners": ["{{user `aws_accountId`}}"],
+              "most_recent": true
+            },
+            "ssh_username": "ubuntu"
+        }
+    ],
+
+  "provisioners": [
+    {
+            "type": "shell",
+            "script": "./scripts/ubuntu/bootstrap.sh"
+    }
+  ]
+}

.github/workflows/packer/ubuntu-os-ami.json.pkr.hcl

@@ -0,0 +1,44 @@
+variable "aws_accountId" {
+  type    = string
+  default = "837727238323"
+}
+
+variable "aws_region" {
+  type    = string
+  default = "cn-northwest-1"
+}
+
+locals { timestamp = regex_replace(timestamp(), "[- TZ:]", "") }
+
+source "amazon-ebs" "ubuntu" {
+  ami_name      = "K3S-NeuVector-${local.timestamp}"
+  instance_type = "t2.large"
+  region        = "${var.aws_region}"
+  source_ami_filter {
+    filters = {
+      name                = "ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*"
+      root-device-type    = "ebs"
+      virtualization-type = "hvm"
+    }
+    most_recent = true
+    owners      = ["${var.aws_accountId}"]
+  }
+  ssh_username = "ubuntu"
+}
+
+build {
+  sources = ["source.amazon-ebs.ubuntu"]
+  provisioner "shell" {
+    script = "./scripts/ubuntu/bootstrap.sh"
+  }
+
+}
+
+packer {
+  required_plugins {
+    amazon = {
+      version = ">= 0.0.2"
+      source  = "github.com/hashicorp/amazon"
+    }
+  }
+}

.github/workflows/prometheus-to-cloudwatch-image.yaml

@@ -3,10 +3,11 @@ on:
   pull_request:
   push:
     paths:
-      - 'prometheus-to-cloudwatch/main.go'
-      - 'prometheus-to-cloudwatch/Makefile'
-      - 'prometheus-to-cloudwatch/Dockerfile'
-      - 'prometheus-to-cloudwatch/prometheus_to_cloudwatch.go'
+      - 'oci/prometheus-to-cloudwatch/main.go'
+      - 'oci/prometheus-to-cloudwatch/Makefile'
+      - 'oci/prometheus-to-cloudwatch/Dockerfile'
+      - 'oci/prometheus-to-cloudwatch/prometheus_to_cloudwatch.go'
+      - '.github/workflows/packer/bootstrap.sh'
       - '.github/workflows/prometheus-to-cloudwatch-image.yaml'
     branches:
       - main
@@ -28,6 +29,7 @@ jobs:
           registry: artifact.onwalk.net
           username: admin  
           password: ${{ secrets.HELM_REPO_PASSWORD }}
+          path: 'oci/prometheus-to-cloudwatch'
           build_file: ./Dockerfile
           image: k8s/prometheus-to-cloudwatch
           tag: ${{ steps.slug.outputs.sha8 }}