Feature/Migrate container images (#4)

* Skip helm chart release packaging if exists

* Use correct Helm repo URL

* Add Helm charts: NFS-Ganesha & Rancher Cluster Template

* Copy demo application source

* Update CI to build and scan images

* Bump Helm charts & fix bad EOL

* Add Dockerhub login

* Update PKG with container image creation

.github/workflows/ci.yml

@@ -16,11 +16,29 @@ concurrency:
   group: "${{ github.ref }}-${{ github.workflow }}"
   cancel-in-progress: true
 
+permissions:
+  contents: read
+  pull-requests: write
+
 jobs:
+  changes:
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: read
+    outputs:
+      apps: ${{ steps.filter.outputs.changes }}
+    steps:
+    - uses: dorny/paths-filter@v3
+      id: filter
+      with:
+        filters: |
+          game-2048: src/game-2048/**
+          cow-demo: src/cow-demo/**
+          rancher-helloworld: src/rancher-helloworld/**
   code-check:
     runs-on: ubuntu-latest
     steps:
-      - name: Check-out the repository
+      - name: Checkout source code
         uses: actions/checkout@v4
         with:
           # gets all history for all branches and tags (mandatory for chart-testing to work, see https://github.com/helm/chart-testing/issues/186)
@@ -60,3 +78,35 @@ jobs:
       - name: Run chart-testing (lint)
         if: steps.list-changed.outputs.changed == 'true'
         run: ct lint --target-branch ${{ github.event.repository.default_branch }}
+  image-scan:
+    needs: changes
+    if: needs.changes.outputs.apps != '[]'
+    strategy:
+      matrix:
+        app: ${{ fromJSON(needs.changes.outputs.apps) }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout source code
+        uses: actions/checkout@v4
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Build container image from source
+        run: |
+          cd src/${{ matrix.app }}
+          docker build . --tag $CONTAINER_REGITRY_DOMAIN/$IMAGE_FOLDER/${{ matrix.app }}:${{ env.IMAGE_TAG }}
+      - name: Scan container image with NeuVector
+        if: ${{ vars.USE_NEUVECTOR == 'true' }}
+        uses: neuvector/scan-action@main
+        with:
+          image-repository: ${{ env.CONTAINER_REGITRY_DOMAIN }}/${{ env.IMAGE_FOLDER }}/${{ matrix.app }}
+          image-tag: ${{ env.IMAGE_TAG }}
+          min-high-cves-to-fail: "1"
+          min-medium-cves-to-fail: "1"
+    env:
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      CONTAINER_REGITRY_DOMAIN: docker.io
+      IMAGE_FOLDER: ${{ vars.DOCKERHUB_NAMESPACE }}
+      IMAGE_TAG: 1.0.${{ github.run_id }}

.github/workflows/pkg.yml

@@ -11,6 +11,20 @@ permissions:
   id-token: write
 
 jobs:
+  changes:
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: read
+    outputs:
+      apps: ${{ steps.filter.outputs.changes }}
+    steps:
+    - uses: dorny/paths-filter@v3
+      id: filter
+      with:
+        filters: |
+          game-2048: src/game-2048/**
+          cow-demo: src/cow-demo/**
+          rancher-helloworld: src/rancher-helloworld/**
   build:
     runs-on: ubuntu-latest
     steps:
@@ -32,6 +46,8 @@ jobs:
           helm repo update
       - name: Host charts repository on GitHub Pages
         uses: helm/chart-releaser-action@v1.6.0
+        with:
+          skip_existing: true
         env:
           CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
       - name: Checkout gh-pages branch
@@ -63,3 +79,33 @@ jobs:
       - name: Deploy to GitHub Pages
         id: deployment
         uses: actions/deploy-pages@v1
+  create-image:
+    if: needs.changes.outputs.apps != '[]'
+    strategy:
+      matrix:
+        app: ${{ fromJSON(needs.changes.outputs.apps) }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout source code
+        uses: actions/checkout@v4
+      - name: Login to container registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.CONTAINER_REGITRY_DOMAIN }}
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Build container image
+        run: |
+          cd src/${{ matrix.app }}
+          docker build . --tag $IMAGE_FOLDER/${{ matrix.app }}:${{ env.IMAGE_TAG }}
+      - name: Push image to container registry
+        run: docker push $IMAGE_FOLDER/${{ matrix.app }}:${{ env.IMAGE_TAG }}
+      - name: Push latest tag to container registry
+        if: ${{ github.ref_name == 'main' }}
+        run: |
+          docker tag $IMAGE_FOLDER/${{ matrix.app }}:${{ env.IMAGE_TAG }} $IMAGE_FOLDER/${{ matrix.app }}:latest
+          docker push $IMAGE_FOLDER/${{ matrix.app }}:latest
+    env:
+      CONTAINER_REGITRY_DOMAIN: docker.io
+      IMAGE_FOLDER: ${{ vars.DOCKERHUB_NAMESPACE }}
+      IMAGE_TAG: 1.0.${GITHUB_RUN_ID}

.gitignore

@@ -5,4 +5,5 @@
 temp*.yaml
 temp.sh
 /charts/temp/
-values_*.y*ml
+values_mine.y*ml
+.sass-cache/

CONTRIBUTING.md

@@ -0,0 +1,11 @@
+# Contribution guide
+
+## Code lifecycle
+
+This git repository follows the Gitflow pattern, so make sure to follow the convention.
+
+For instance, create a branch `feature/my-change-title` from `develop`, once good enough to be shared and reviewed create a Pull Request targetting `develop`.
+
+## Code convention
+
+For bash/shell script files, follow the conventions from [Google Style Guide](https://google.github.io/styleguide/shellguide.html).

README.md

@@ -4,7 +4,7 @@
 
 Welcome! You'll find in this repository some open-source material to setup a lab environment.
 
-It is used internally at SUSE (the goal being to capitalize and factorize), but is open to everyone. Feel free to contribute and share feedback!
+It is used internally at SUSE but is open to everyone. Feel free to [contribute](CONTRIBUTING.md) and share feedback!
 
 ## Getting started
 
@@ -32,7 +32,7 @@ Browse the [catalog of functions](scripts/README.md#shell-functions) and [concre
 Add Helm repository:
 
 ```bash
-helm repo add suse-lab-setup https://suse.github.io/lab-setup
+helm repo add suse-lab-setup https://opensource.suse.com/lab-setup
 helm repo update
 ```
 

charts/README.md

@@ -5,14 +5,23 @@
 * [Cow Demo](cow-demo/README.md)
 * [Game 2048](game-2048/README.md)
 * [Let's Encrypt](letsencrypt/README.md)
+* [NFS-Ganesha](nfs-ganesha/README.md)
+* [Rancher Cluster Template](rancher-cluster-templates/README.md)
 * [WordPress](wordpress/README.md)
 
 ## Developer's guide
 
+From within a chart directory:
+
 ```bash
 # lints a chart
-helm lint .
+helm lint
+
+# generates the manifest file from a chart (for review/comparison)
+helm template <releasename> . -f values.yaml -f values_mine.yaml --namespace demo > temp.yaml
 
-# creates Kubernetes template file from chart (for review/comparison)
-helm template myname . -f values.yaml --namespace demo > temp.yaml
+# installs a chart from local source
+helm upgrade --install <releasename> . -f values.yaml \
+# --debug > output.yaml \
+--create-namespace --namespace nfs-ganesha
 ```

charts/cow-demo/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: cow-demo
 description: Helm chart for Cow Demo Application
 type: application
-version: 0.1.0
+version: 0.1.1
 appVersion: "2.0.0"
 home: https://github.com/SUSE/lab-setup/tree/main/charts/cow-demo
 maintainers:

charts/cow-demo/README.md

@@ -8,11 +8,11 @@ Install the app with default settings:
 
 ```bash
 # adds the repo
-helm repo add devpro https://devpro.github.io/helm-charts
+helm repo add suse-lab-setup https://opensource.suse.com/lab-setup
 helm repo update
 
 # installs the chart
-helm upgrade --install cow-demo devpro/cow-demo --namespace demo --create-namespace
+helm upgrade --install cow-demo suse-lab-setup/cow-demo --namespace demo --create-namespace
 ```
 
 Look at [values.yaml](values.yaml) for the configuration.

charts/game-2048/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: game-2048
 description: Helm chart for Game 2048
 type: application
-version: 0.1.0
+version: 0.1.1
 appVersion: "1.0.0"
 home: https://github.com/SUSE/lab-setup/tree/main/charts/game-2048
 maintainers:

charts/game-2048/README.md

@@ -8,11 +8,11 @@ Install the app with default settings:
 
 ```bash
 # adds the repo
-helm repo add devpro https://devpro.github.io/helm-charts
+helm repo add suse-lab-setup https://opensource.suse.com/lab-setup
 helm repo update
 
 # installs the chart
-helm upgrade --install game-2048 devpro/game-2048 --namespace demo --create-namespace
+helm upgrade --install game-2048 suse-lab-setup/game-2048 --namespace demo --create-namespace
 ```
 
 Look at [values.yaml](values.yaml) for the configuration.

charts/letsencrypt/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: letsencrypt
 description: Helm chart for managing Let's Encrypt
 type: application
-version: 0.1.0
+version: 0.1.1
 appVersion: "1.0.0"
 home: https://github.com/SUSE/lab-setup/tree/main/charts/letsencrypt
 maintainers:

charts/letsencrypt/README.md

@@ -10,11 +10,11 @@ Install the app with minimal settings:
 
 ```bash
 # adds the repo
-helm repo add devpro https://devpro.github.io/helm-charts
+helm repo add suse-lab-setup https://opensource.suse.com/lab-setup
 helm repo update
 
 # installs the chart (this examples assumes NGINX Ingress Controller is installed)
-helm upgrade --install letsencrypt devpro/letsencrypt \
+helm upgrade --install letsencrypt suse-lab-setup/letsencrypt \
   --namespace cert-manager \
   --set registration.emailAddress=someuser@domain.com \
   --set ingress.className=nginx

charts/nfs-ganesha/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

charts/nfs-ganesha/Chart.yaml

@@ -0,0 +1,11 @@
+apiVersion: v2
+name: nfs-ganesha
+description: Helm chart for managing NFS-Ganesha
+type: application
+version: "0.1.0"
+appVersion: "1.0.0"
+dependencies: []
+home: https://github.com/SUSE/lab-setup/tree/main/charts/nfs-ganesha
+maintainers:
+  - name: devpro
+    email: bertrand.thomas@suse.com

charts/nfs-ganesha/README.md

@@ -0,0 +1,23 @@
+# NFS-Ganesha Helm Chart
+
+This Helm chart will install [NFS-Ganesha](https://nfs-ganesha.github.io/) on a Kubernetes cluster.
+
+## Quick start
+
+Install the app with minimal settings:
+
+```bash
+# adds the repo
+helm repo add suse-lab-setup https://opensource.suse.com/lab-setup
+helm repo update
+
+# installs the chart with default parameters
+helm upgrade --install nfs-ganesha suse-lab-setup/nfs-ganesha --create-namespace --namespace nfs-ganesha
+```
+
+Clean-up:
+
+```bash
+helm delete nfs-ganesha -n nfs-ganesha
+kubectl delete ns nfs-ganesha
+```

charts/nfs-ganesha/templates/deployment.yaml

@@ -0,0 +1,39 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: {{ .Values.name }}
+  name: {{ .Values.name }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: {{ .Values.name }}
+  template:
+    metadata:
+      labels:
+        app: nfs-ganesha
+    spec:
+      containers:
+        - name: container-0
+          image: {{ .Values.image }}:{{ .Values.tag }}
+          imagePullPolicy: Always
+          ports:
+            - containerPort: 2049
+              name: nfsv4
+              protocol: TCP
+          securityContext:
+            capabilities:
+              add:
+                - NET_ADMIN
+                - DAC_READ_SEARCH
+            privileged: true
+          volumeMounts:
+            - mountPath: /data/nfs
+              name: share
+      dnsPolicy: ClusterFirst
+      restartPolicy: Always
+      volumes:
+        - emptyDir: {}
+          name: share

charts/nfs-ganesha/templates/service.yaml

@@ -0,0 +1,29 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ .Values.name }}-nodeport
+spec:
+  selector:
+    app: {{ .Values.name }}
+  type: NodePort
+  ports:
+    - name: nfsv4
+      nodePort: 32049
+      port: 2049
+      protocol: TCP
+      targetPort: 2049
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ .Values.name }}
+spec:
+  selector:
+    app: {{ .Values.name }}
+  type: ClusterIP
+  ports:
+    - name: nfsv4
+      port: 2049
+      protocol: TCP
+      targetPort: 2049

charts/nfs-ganesha/values.yaml

@@ -0,0 +1,3 @@
+name: nfs-ganesha
+image: janeczku/nfs-ganesha
+tag: latest