nhyatt/bitwarden
1
0
Fork 0
mirror of https://github.com/bitwarden/server.git synced 2025-04-05 05:00:19 -05:00
Code

Upload Docker images to AWS ECR Nonprod Repositories (#1713)

Browse Source
This commit is contained in:
Vince Grassia 2021-11-15 13:23:51 -05:00 committed by GitHub
parent e3143271d7
commit 27351762de
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 58 additions and 31 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

86
.github/workflows/build.yml vendored
View File

@ -248,7 +248,9 @@ jobs:
uses: Azure/get-keyvault-secrets@80ccd3fafe5662407cc2e55f202ee34bfff8c403 uses: Azure/get-keyvault-secrets@80ccd3fafe5662407cc2e55f202ee34bfff8c403
with: with:
keyvault: "bitwarden-prod-kv" keyvault: "bitwarden-prod-kv"
secrets: "docker-password, secrets: "aws-ecr-access-key-id,
aws-ecr-secret-access-key,
docker-password,
docker-username, docker-username,
dct-delegate-2-repo-passphrase, dct-delegate-2-repo-passphrase,
dct-delegate-2-key" dct-delegate-2-key"
@ -278,7 +280,6 @@ jobs:
DCT_DELEGATE_KEY: ${{ steps.retrieve-secrets.outputs.dct-delegate-2-key }} DCT_DELEGATE_KEY: ${{ steps.retrieve-secrets.outputs.dct-delegate-2-key }}
run: | run: |
mkdir -p ~/.docker/trust/private mkdir -p ~/.docker/trust/private
echo "$DCT_DELEGATE_KEY" > ~/.docker/trust/private/$DCT_DELEGATION_KEY_ID.key echo "$DCT_DELEGATE_KEY" > ~/.docker/trust/private/$DCT_DELEGATION_KEY_ID.key
- name: Setup service name - name: Setup service name
@ -306,34 +307,12 @@ jobs:
run: | run: |
if [ "${{ matrix.service_name }}" = "K8S-Proxy" ]; then if [ "${{ matrix.service_name }}" = "K8S-Proxy" ]; then
docker build -f ${{ matrix.base_path }}/Nginx/Dockerfile-k8s \ docker build -f ${{ matrix.base_path }}/Nginx/Dockerfile-k8s \
-t ${{ matrix.docker_repo }}/${{ steps.setup.outputs.service_name }} ${{ matrix.base_path }}/Nginx -t ${{ steps.setup.outputs.service_name }} ${{ matrix.base_path }}/Nginx
else else
docker build -t ${{ matrix.docker_repo }}/${{ steps.setup.outputs.service_name }} \ docker build -t ${{ steps.setup.outputs.service_name }} \
${{ matrix.base_path }}/${{ matrix.service_name }} ${{ matrix.base_path }}/${{ matrix.service_name }}
fi fi
- name: Tag rc
if: github.ref == 'refs/heads/rc'
run: |
docker tag ${{ matrix.docker_repo }}/${{ steps.setup.outputs.service_name }} \
${{ matrix.docker_repo }}/${{ steps.setup.outputs.service_name }}:rc
- name: Tag hotfix
if: github.ref == 'refs/heads/hotfix'
run: |
docker tag ${{ matrix.docker_repo }}/${{ steps.setup.outputs.service_name }} \
${{ matrix.docker_repo }}/${{ steps.setup.outputs.service_name }}:hotfix
- name: Tag dev
if: github.ref == 'refs/heads/master'
run: |
docker tag ${{ matrix.docker_repo }}/${{ steps.setup.outputs.service_name }} \
${{ matrix.docker_repo }}/${{ steps.setup.outputs.service_name }}:dev
- name: List Docker images
if: github.ref == 'refs/heads/master' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix'
run: docker images
- name: Docker Trust setup - name: Docker Trust setup
if: | if: |
matrix.docker_repo == 'bitwarden' matrix.docker_repo == 'bitwarden'
@ -342,27 +321,74 @@ jobs:
DCT_REPO_PASSPHRASE: ${{ steps.retrieve-secrets.outputs.dct-delegate-2-repo-passphrase }} DCT_REPO_PASSPHRASE: ${{ steps.retrieve-secrets.outputs.dct-delegate-2-repo-passphrase }}
run: | run: |
echo "DOCKER_CONTENT_TRUST=1" >> $GITHUB_ENV echo "DOCKER_CONTENT_TRUST=1" >> $GITHUB_ENV
echo "DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE=$DCT_REPO_PASSPHRASE" >> $GITHUB_ENV echo "DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE=$DCT_REPO_PASSPHRASE" >> $GITHUB_ENV
- name: Push rc images - name: Tag and Push RC to Docker Hub
if: github.ref == 'refs/heads/rc' if: github.ref == 'refs/heads/rc'
run: | run: |
docker tag ${{ steps.setup.outputs.service_name }} \
${{ matrix.docker_repo }}/${{ steps.setup.outputs.service_name }}:rc
docker push ${{ matrix.docker_repo }}/${{ steps.setup.outputs.service_name }}:rc docker push ${{ matrix.docker_repo }}/${{ steps.setup.outputs.service_name }}:rc
- name: Push hotfix images - name: Tag and Push Hotfix to Docker Hub
if: github.ref == 'refs/heads/hotfix' if: github.ref == 'refs/heads/hotfix'
run: | run: |
docker tag ${{ steps.setup.outputs.service_name }} \
${{ matrix.docker_repo }}/${{ steps.setup.outputs.service_name }}:hotfix
docker push ${{ matrix.docker_repo }}/${{ steps.setup.outputs.service_name }}:hotfix docker push ${{ matrix.docker_repo }}/${{ steps.setup.outputs.service_name }}:hotfix
- name: Push dev images - name: Tag and Push Dev to Docker Hub
if: github.ref == 'refs/heads/master' if: github.ref == 'refs/heads/master'
run: | run: |
docker tag ${{ steps.setup.outputs.service_name }} \
${{ matrix.docker_repo }}/${{ steps.setup.outputs.service_name }}:dev
docker push ${{ matrix.docker_repo }}/${{ steps.setup.outputs.service_name }}:dev docker push ${{ matrix.docker_repo }}/${{ steps.setup.outputs.service_name }}:dev
- name: Log out of Docker - name: Log out of Docker
if: github.ref == 'refs/heads/master' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix' if: github.ref == 'refs/heads/master' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix'
run: docker logout run: docker logout
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@0d9a5be0dceea74e09396820e1e522ba4a110d2f # v1
with:
aws-access-key-id: ${{ steps.retrieve-secrets.outputs.aws-ecr-access-key-id }}
aws-secret-access-key: ${{ steps.retrieve-secrets.outputs.aws-ecr-secret-access-key }}
aws-region: us-east-1
- name: Login to Amazon ECR
id: login-ecr
uses: aws-actions/amazon-ecr-login@aaf69d68aa3fb14c1d5a6be9ac61fe15b48453a2 # v1
- name: Tag and Push RC to AWS ECR nonprod registry
if: github.ref == 'refs/heads/rc'
env:
ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
IMAGE_TAG: ${{ github.sha }}
run: |
docker tag ${{ steps.setup.outputs.service_name }} \
$ECR_REGISTRY/nonprod/${{ steps.setup.outputs.service_name }}:rc-${IMAGE_TAG:(-8)}
docker push $ECR_REGISTRY/nonprod/${{ steps.setup.outputs.service_name }}:rc-${IMAGE_TAG:(-8)}
- name: Tag and Push Hotfix to AWS ECR nonprod registry
if: github.ref == 'refs/heads/hotfix'
env:
ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
IMAGE_TAG: ${{ github.sha }}
run: |
docker tag ${{ steps.setup.outputs.service_name }} \
$ECR_REGISTRY/nonprod/${{ steps.setup.outputs.service_name }}:hotfix-${IMAGE_TAG:(-8)}
docker push $ECR_REGISTRY/nonprod/${{ steps.setup.outputs.service_name }}:hotfix-${IMAGE_TAG:(-8)}
- name: Tag and Push Dev to AWS ECR nonprod registry
if: github.ref == 'refs/heads/master'
env:
ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
IMAGE_TAG: ${{ github.sha }}
run: |
docker tag ${{ steps.setup.outputs.service_name }} \
$ECR_REGISTRY/nonprod/${{ steps.setup.outputs.service_name }}:dev-${IMAGE_TAG:(-8)}
docker push $ECR_REGISTRY/nonprod/${{ steps.setup.outputs.service_name }}:dev-${IMAGE_TAG:(-8)}
upload: upload:
name: Upload name: Upload

3
.github/workflows/release.yml vendored
View File

@ -117,7 +117,8 @@ jobs:
release-docker: release-docker:
name: Build Docker images name: Build Docker images
runs-on: ubuntu-20.04 runs-on: ubuntu-20.04
needs: setup needs:
- setup
env: env:
_RELEASE_VERSION: ${{ needs.setup.outputs.release_version }} _RELEASE_VERSION: ${{ needs.setup.outputs.release_version }}
_BRANCH_NAME: ${{ needs.setup.outputs.branch-name }} _BRANCH_NAME: ${{ needs.setup.outputs.branch-name }}