
ci: build and push Docker image based on Chainguard base image

Open v1v opened this issue 1 year ago • 3 comments

What does this pull request do?

Release two flavours of Docker images:

Please note that we are going to preserve the current Dockerfile, so that users will still be able to build their own custom images based on Alpine: this is needed because docker.elastic.co/wolfi/chainguard-base is not a public base image, so docker build would fail for unauthenticated users.

Implementation details

I refactored the release workflow to have three different jobs that run sequentially:

  • release job, as usual
  • docker build - so it can use the matrix format for Dockerfile and Dockerfile.wolfi
  • notification - so if any of the above jobs failed then a message will be sent.

Then, I created the Dockerfile.wolfi - the naming convention we agreed upon.

Tests

I created a feature branch test-wolfi:

  • https://github.com/elastic/apm-agent-nodejs/tree/test-wolfi

Then I was able to test the release workflow without pushing any changes in production but generating docker images with the prefix test- and the suffix -wolfi.

See https://github.com/elastic/apm-agent-nodejs/actions/runs/9029167833

Docker images

The ones we usually release: (image)

Wolfi docker images: (image)

docker pull docker.elastic.co/observability/apm-agent-nodejs:test-latest-wolfi

Issues

Similar to https://github.com/elastic/apm-agent-python/pull/2036

Requires https://github.com/elastic/apm-agent-nodejs/pull/3998

Checklist

  • [x] Implement code
  • [ ] Add tests
  • [ ] Update TypeScript typings
  • [ ] Update documentation
  • [ ] Add CHANGELOG.asciidoc entry
  • [ ] Commit message follows commit guidelines

v1v avatar May 10 '24 07:05 v1v
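The three-job layout described under "Implementation details", as an added illustration that is not the PR's actual release.yml: the tag trigger, runner, checkout step, registry image name and the notification step body are assumptions, while the action pins, tag rules and build-arg are the ones this thread shows.

```yaml
# Added illustration of the release -> docker build (matrix) -> notification
# chain (assumption: not the PR's real workflow; login/secrets steps omitted).
name: release
on: { push: { tags: ['v*'] } }
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # pin to a commit SHA in real use, like the actions below
      # ... build the agent into build/dist/nodejs and publish the npm package ...

  docker-build:
    needs: release                  # runs only after the release job succeeded
    runs-on: ubuntu-latest
    strategy:
      matrix:
        include:
          - dockerfile: Dockerfile        # Alpine-based; public base image
            suffix: ''
          - dockerfile: Dockerfile.wolfi  # Chainguard/Wolfi-based; private base image
            suffix: -wolfi
    steps:
      - uses: actions/checkout@v4
      - id: docker-meta
        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81  # v5.5.1
        with:
          images: docker.elastic.co/observability/apm-agent-nodejs
          flavor: |   # suffix is '' for the Alpine image and -wolfi for the Wolfi one
            latest=auto
            suffix=${{ matrix.suffix }}
          tags: |
            type=semver,pattern={{version}}
            type=edge
      - id: docker-push
        uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0  # v5.3.0
        with:
          context: .
          file: ${{ matrix.dockerfile }}
          push: true
          tags: ${{ steps.docker-meta.outputs.tags }}
          labels: ${{ steps.docker-meta.outputs.labels }}
          build-args: |
            AGENT_DIR=/build/dist/nodejs

  notification:
    needs: [release, docker-build]
    if: always() && contains(needs.*.result, 'failure')  # run even though a dependency failed
    runs-on: ubuntu-latest
    steps:
      - run: echo "release pipeline failed"  # replace with the team's notifier (assumption)
```

The matrix is what lets one set of steps serve both Dockerfiles; the non-matrix alternative discussed later in the thread duplicates the metadata, build and attest steps instead.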

> Requires #3998

I'll wait until you've updated this PR after 3998 is merged before doing a final review.

trentm avatar May 10 '24 17:05 trentm

I'm not sure of the value of using a matrix for the two Dockerfiles. I think it adds more complexity than it saves in a little duplication.

trentm avatar May 10 '24 17:05 trentm

> I'm not sure of the value of using a matrix for the two Dockerfiles. I think it adds more complexity than it saves in a little duplication.

Feel free to push back on that if you are using the same pattern in other repos.

trentm avatar May 10 '24 17:05 trentm

Do you prefer something like this?

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 942b6e4e..76ddaa37 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -62,6 +62,7 @@ jobs:
         uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0  # v5.3.0
         with:
           context: .
+          file: 'Dockerfile'
           push: true
           tags: ${{ steps.docker-meta.outputs.tags }}
           labels: ${{ steps.docker-meta.outputs.labels }}
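Review bot: the added `file: 'Dockerfile'` is the action's default, so this hunk changes nothing functionally; keeping it for symmetry with the `Dockerfile.wolfi` step is fine, but drop the quotes to match the other `with:` values in this step (`context: .`, `push: true`), or add a one-line comment saying the two build steps are meant to mirror each other.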
@@ -75,6 +76,39 @@ jobs:
           subject-digest: ${{ steps.docker-push.outputs.digest }}
           push-to-registry: true
 
+      - name: Extract metadata (tags, labels) (wolfi)
+        id: docker-meta-wolfi
+        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81  # v5.5.1
+        with:
+          images: ${{ env.DOCKER_IMAGE_NAME }}
+          flavor: |
+            latest=auto
+            suffix=-wolfi
+          tags: |
+            # "1.2.3" and "latest" Docker tags on push of git tag "v1.2.3"
+            type=semver,pattern={{version}}
+            # "edge" Docker tag on git push to default branch
+            type=edge
+
+      - name: Build and Push Docker Image (wolfi)
+        id: docker-push-wolfi
+        uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0  # v5.3.0
+        with:
+          context: .
+          file: 'Dockerfile.wolfi'
+          push: true
+          tags: ${{ steps.docker-meta-wolfi.outputs.tags }}
+          labels: ${{ steps.docker-meta-wolfi.outputs.labels }}
+          build-args: |
+            AGENT_DIR=/build/dist/nodejs
+
+      - name: Attest Docker image (wolfi)
+        uses: github-early-access/generate-build-provenance@main
+        with:
+          subject-name: "${{ env.DOCKER_IMAGE_NAME }}"
+          subject-digest: ${{ steps.docker-push-wolfi.outputs.digest }}
+          push-to-registry: true
+
       - name: Read AWS vault secrets
         uses: hashicorp/[email protected]
         with:
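Review bot: `github-early-access/generate-build-provenance@main` in the new "Attest Docker image (wolfi)" step tracks a mutable branch, while every other action in this hunk is pinned to a commit SHA; pin it to a SHA (or at least a release tag) so the step that produces the provenance cannot itself be changed out from under the release. Also, the `tags:` comment `# "1.2.3" and "latest" Docker tags on push of git tag "v1.2.3"` is copied from the non-wolfi step: with `suffix=-wolfi` this step produces `1.2.3-wolfi` and `latest-wolfi`, so update the comment to match what the step actually tags.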
diff --git a/Dockerfile.wolfi b/Dockerfile.wolfi
new file mode 100644
index 00000000..f0361904
--- /dev/null
+++ b/Dockerfile.wolfi
@@ -0,0 +1,3 @@
+FROM docker.elastic.co/wolfi/chainguard-base@sha256:9f940409f96296ef56140bcc4665c204dd499af4c32c96cc00e792558097c3f1
+ARG AGENT_DIR
+COPY ${AGENT_DIR} /opt/nodejs
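Review bot: the digest-only `FROM docker.elastic.co/wolfi/chainguard-base@sha256:...` is good for reproducibility but tells a reader nothing about which Wolfi release it is; Docker accepts `image:tag@sha256:...`, so put the tag next to the digest (or a trailing comment with the tag and date) so future bumps are reviewable. `ARG AGENT_DIR` has no default and no comment, so a bare `docker build -f Dockerfile.wolfi .` fails with an unhelpful `COPY` error; a comment stating that it must be passed as `--build-arg AGENT_DIR=<path relative to the build context>` (the workflow passes `/build/dist/nodejs`) would save the next person a trip to release.yml.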

Rather than the matrix approach?

v1v avatar May 13 '24 10:05 v1v

> Do you prefer something like this?

Yes. Personally I think that looks clearer. Are you already doing a matrix-based workflow for other APM repos?

trentm avatar May 14 '24 15:05 trentm

> Yes. Personally I think that looks clearer. Are you already doing a matrix-based workflow for other APM repos?

I did it for the APM Agent Python -> https://github.com/elastic/apm-agent-python/pull/2036

But it's not merged yet and we can change it if needed.

Each agent has its own idiosyncrasies. I'm happy to change it if it makes things easier to read.

I'll apply the new changes now in this PR

v1v avatar May 14 '24 16:05 v1v