Merge branch 'develop' into main

clemlesne · Apr 1, 2023 · 9f8e933 · 9f8e933
2 parents e4f9825 + 0f5c9ae
commit 9f8e933
Show file tree

Hide file tree

Showing 8 changed files with 103 additions and 27 deletions.
diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml
@@ -2,7 +2,7 @@ name: pipeline
 
 on:
   schedule:
-    - cron: 0 0 * * 1
+    - cron: 0 0 * * *
   push:
     branches:
       - develop
@@ -59,7 +59,9 @@ jobs:
 
   deploy-helm:
     name: Deploy Helm chart
-    needs: build-helm
+    needs:
+      - build-deploy-docker
+      - build-helm
     if: github.ref == 'refs/heads/main' # Only deploy on main branch, as there is only one Helm repo
     runs-on: ubuntu-22.04
     steps:
@@ -100,6 +102,8 @@ jobs:
             arch: linux/amd64,linux/arm/v7,linux/arm64/v8
           - os: jammy
             arch: linux/amd64,linux/arm/v7,linux/arm64/v8
+          - os: ubi8
+            arch: linux/amd64,linux/arm64/v8
     steps:
       - name: checkout
         uses: actions/checkout@v3
@@ -145,15 +149,20 @@ jobs:
             type=ref,event=branch
             type=ref,event=pr
             type=schedule
+            type=schedule,pattern={{date 'YYYYMMDD'}}
             type=semver,pattern={{version}},value=${{ steps.version.outputs.version_full }}
             type=sha
           labels: |
             io.artifacthub.package.category=integration-delivery
             io.artifacthub.package.keywords=agent,azure,azure-devops,azure-pipelines,container,devops,docker,helm,kubernetes,pipelines,self-hosted,self-hosted-agent,auto-scale,keda
+            io.artifacthub.package.license=Apache-2.0
             io.artifacthub.package.logo-url=https://raw.githubusercontent.com/${{ env.CONTAINER_NAME }}/${{ github.sha }}/logo.svg
             io.artifacthub.package.maintainers=[{"name":"${{ github.actor }}","email":"${{ github.actor }}@users.noreply.github.com"}]
             io.artifacthub.package.readme-url=https://raw.githubusercontent.com/${{ env.CONTAINER_NAME }}/${{ github.sha }}/README.md
-            io.artifacthub.package.license=Apache-2.0
+            org.opencontainers.image.created={{date 'YYYY-MM-DDTHH:mm:ssZ'}}
+            org.opencontainers.image.documentation=https://github.com/${{ env.CONTAINER_NAME }}
+            org.opencontainers.image.vendor=${{ github.actor }}
+            org.opencontainers.image.version=${{ steps.version.outputs.version_full }}
 
       - name: Build/push container
         uses: docker/build-push-action@v4

diff --git a/README.md b/README.md
@@ -13,8 +13,8 @@ Features:
 - Agent update itself to the latest version.
 - Auto-scale based on Pipeline usage (requires [KEDA](https://keda.sh)).
 - Cheap to run (dynamic provisioning of agents, can scale to 0 and in few seconds 100+).
-- Compatible with all Debian and Ubuntu LTS releases.
-- Container security updates are applied every week.
+- Compatible with Debian, Ubuntu and Red Hat LTS releases.
+- System updates are applied every days.
 - SBOM (Software Bill of Materials) is packaged with each container image.
 - Systems are based on [Microsoft official .NET images](https://mcr.microsoft.com/en-us/product/dotnet/aspnet/about).
 
@@ -43,11 +43,30 @@ helm upgrade --install agent clemlesne-azure-pipelines-agent/azure-pipelines-age
 
 | Ref | OS | Arch | Support |
 |-|-|-|-|
-| `docker pull ghcr.io/clemlesne/azure-pipelines-agent:bullseye-main` | Debian Bullseye (11) slim | `linux/amd64`, `linux/arm/v5`, `linux/arm/v7`, `linux/arm64/v8` | [See Debian LTS wiki.](https://wiki.debian.org/LTS) |
+| `docker pull ghcr.io/clemlesne/azure-pipelines-agent:bullseye-main` | Debian Bullseye (11) slim | `linux/amd64`, `linux/arm/v7`, `linux/arm64/v8` | [See Debian LTS wiki.](https://wiki.debian.org/LTS) |
 | `docker pull ghcr.io/clemlesne/azure-pipelines-agent:focal-main` | Ubuntu Focal (20.04) minimal | `linux/amd64`, `linux/arm/v7`, `linux/arm64/v8` | [See Ubuntu LTS wiki.](https://wiki.ubuntu.com/Releases) |
 | `docker pull ghcr.io/clemlesne/azure-pipelines-agent:jammy-main` | Ubuntu Jammy (22.04) minimal | `linux/amd64`, `linux/arm/v7`, `linux/arm64/v8` | [See Ubuntu LTS wiki.](https://wiki.ubuntu.com/Releases) |
+| `docker pull ghcr.io/clemlesne/azure-pipelines-agent:ubi8-main` | Red Hat UBI 8 | `linux/amd64`, `linux/arm64/v8` | [See Red Hat product life cycles.](https://access.redhat.com/product-life-cycles/?product=Red%20Hat%20Enterprise%20Linux) |
 
-## Advanced usage
+## Advanced topics
+
+### Security & reliability notes
+
+Systems are built every days. Each image is accompanied by a SBOM (Software Bill of Materials) which allows to verify that the installed packages are those expected. This speed has the advantage of minimizing exposure to security flaws, which will then be corrected on the build environments in 24 hours. To do this, by default, Kubernetes downloads the image at each pod deployment.
+
+Nevertheless:
+
+- These downloads may incur network costs.
+- It can happen that a package provider (e.g. Debian, Canonical, Red Hat) deploys a system update that introduces a bug. This is difficult to predict.
+
+So it is possible to change the `image.pullPolicy` property to `IfNotPresent`, but these updates will not be downloaded automatically. Each image is pushed with a unique tag, which corresponds to the date of the last update (example: `bullseye-20230313` for a build on March 13, 2023). It is therefore possible to fix the download of a version by modifying the `image.version` property to `20230313`.
+
+### Provided software
+
+- [Azure Pipelines agent system requirements](https://learn.microsoft.com/en-us/azure/devops/pipelines/agents/docker?view=azure-devops#linux)
+- [ASP.NET Core](https://github.com/dotnet/aspnetcore) runtime (required by the Azure Pipelines agent)
+- [Azure CLI](https://github.com/Azure/azure-cli) (required by the Azure Pipelines agent)
+- "make, tar, unzip, zip, zstd" (for developer ease-of-life)
 
 ### Helm values
 
@@ -62,8 +81,10 @@ helm upgrade --install agent clemlesne-azure-pipelines-agent/azure-pipelines-age
 | `extraVolumeMounts` | Additional volume mounts for the agent container. | `[]` |
 | `extraVolumes` | Additional volumes for the agent pod. | `[]` |
 | `fullnameOverride` | Overrides release fullname | `""` |
+| `image.flavor` | Container image tag | `bullseye` |
 | `image.pullPolicy` | Container image pull policy | `Always` if `image.tag` is `latest`, else `IfNotPresent` |
 | `image.repository` | Container image repository | `ghcr.io/clemlesne/azure-pipelines-agent:bullseye` |
+| `image.version` | Container image tag | *App version* |
 | `initContainers` | InitContainers for the agent pod. | `[]` |
 | `nameOverride` | Overrides release name | `""` |
 | `nodeSelector` | Node labels for pod assignment | `{}` |
@@ -76,7 +97,6 @@ helm upgrade --install agent clemlesne-azure-pipelines-agent/azure-pipelines-age
 | `resources` | Resource limits | `{ "resources": { "limits": { "cpu": 2, "memory": "4Gi" }, "requests": { "cpu": 1, "memory": "2Gi" } }}` |
 | `serviceAccount.create` | Create ServiceAccount | `true` |
 | `serviceAccount.name` | ServiceAccount name | *Release name* |
-| `tagSuffix` | Container image tag | *App version* |
 | `tolerations` | Toleration labels for pod assignment. | `[]` |
 
 ## Support

diff --git a/src/docker/Dockerfile-bullseye b/src/docker/Dockerfile-bullseye
@@ -2,23 +2,27 @@ FROM mcr.microsoft.com/dotnet/aspnet:6.0-bullseye-slim
 
 ENV DEBIAN_FRONTEND=noninteractive
 
-RUN apt-get update
-RUN apt-get upgrade -y
+RUN apt-get update -q
+RUN apt-get upgrade -y -q --no-install-recommends
 
-RUN apt-get install -y -qq --no-install-recommends \
+# Install:
+# - Azure Pipelines agent system requirements
+# - "make, tar, unzip, zip, zstd" for developer ease-of-life
+RUN apt-get install -y -q --no-install-recommends \
     apt-transport-https \
     apt-utils \
-    build-essential \
     ca-certificates \
     curl \
     git \
     iputils-ping \
     jq \
     lsb-release \
+    make \
     software-properties-common \
     tar \
     unzip \
-    zip
+    zip \
+    zstd
 
 # Install Azure CLI
 RUN curl -sL https://aka.ms/InstallAzureCLIDeb | bash

diff --git a/src/docker/Dockerfile-focal b/src/docker/Dockerfile-focal
@@ -2,23 +2,27 @@ FROM mcr.microsoft.com/dotnet/aspnet:6.0-focal
 
 ENV DEBIAN_FRONTEND=noninteractive
 
-RUN apt-get update
-RUN apt-get upgrade -y
+RUN apt-get update -q
+RUN apt-get upgrade -y -q --no-install-recommends
 
-RUN apt-get install -y -qq --no-install-recommends \
+# Install:
+# - Azure Pipelines agent system requirements
+# - "make, tar, unzip, zip, zstd" for developer ease-of-life
+RUN apt-get install -y -q --no-install-recommends \
     apt-transport-https \
     apt-utils \
-    build-essential \
     ca-certificates \
     curl \
     git \
     iputils-ping \
     jq \
     lsb-release \
+    make \
     software-properties-common \
     tar \
     unzip \
-    zip
+    zip \
+    zstd
 
 # Install Azure CLI
 RUN curl -sL https://aka.ms/InstallAzureCLIDeb | bash

diff --git a/src/docker/Dockerfile-jammy b/src/docker/Dockerfile-jammy
@@ -2,23 +2,27 @@ FROM mcr.microsoft.com/dotnet/aspnet:6.0-jammy
 
 ENV DEBIAN_FRONTEND=noninteractive
 
-RUN apt-get update
-RUN apt-get upgrade -y
+RUN apt-get update -q
+RUN apt-get upgrade -y -q --no-install-recommends
 
-RUN apt-get install -y -qq --no-install-recommends \
+# Install:
+# - Azure Pipelines agent system requirements
+# - "make, tar, unzip, zip, zstd" for developer ease-of-life
+RUN apt-get install -y -q --no-install-recommends \
     apt-transport-https \
     apt-utils \
-    build-essential \
     ca-certificates \
     curl \
     git \
     iputils-ping \
     jq \
     lsb-release \
+    make \
     software-properties-common \
     tar \
     unzip \
-    zip
+    zip \
+    zstd
 
 # Install Azure CLI
 RUN curl -sL https://aka.ms/InstallAzureCLIDeb | bash

diff --git a/src/docker/Dockerfile-ubi8 b/src/docker/Dockerfile-ubi8
@@ -0,0 +1,34 @@
+FROM registry.access.redhat.com/ubi8/ubi-minimal:8.7
+
+RUN microdnf upgrade -y --setopt=install_weak_deps=0
+
+# Install:
+# - Azure Pipelines agent system requirements
+# - ASP.NET Core runtime
+# - "make, tar, unzip, zip, zstd" for developer ease-of-life
+RUN microdnf install -y --setopt=install_weak_deps=0 \
+    aspnetcore-runtime-6.0 \
+    autoconf \
+    automake \
+    binutils \
+    ca-certificates \
+    curl \
+    make \
+    perl-generators \
+    unzip \
+    yum-utils \
+    zip \
+    zstd
+
+# Install Azure CLI
+RUN rpm --import https://packages.microsoft.com/keys/microsoft.asc \
+    && dnf install -y https://packages.microsoft.com/config/rhel/8/packages-microsoft-prod.rpm
+RUN microdnf install -y --setopt=install_weak_deps=0 \
+    azure-cli
+
+WORKDIR /azp
+
+COPY ./start.sh .
+RUN chmod +x start.sh
+
+CMD ["./start.sh"]
diff --git a/src/helm/azure-pipelines-agent/templates/statefulset.yaml b/src/helm/azure-pipelines-agent/templates/statefulset.yaml
@@ -36,7 +36,7 @@ spec:
         - name: {{ .Chart.Name }}
           securityContext:
             {{- toYaml .Values.securityContext | nindent 12 }}
-          image: "{{ .Values.image.repository }}-{{ .Values.image.tagSuffix | default .Chart.AppVersion }}"
+          image: "{{ .Values.image.repository }}:{{ .Values.image.flavor }}-{{ .Values.image.version | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           env:
             - name: AZP_AGENT_NAME

diff --git a/src/helm/azure-pipelines-agent/values.yaml b/src/helm/azure-pipelines-agent/values.yaml
@@ -1,8 +1,9 @@
 image:
-  repository: ghcr.io/clemlesne/azure-pipelines-agent:bullseye
-  pullPolicy: IfNotPresent
+  repository: ghcr.io/clemlesne/azure-pipelines-agent
+  pullPolicy: Always
+  flavor: bullseye
   # Overrides the image tag whose default is the chart appVersion.
-  tagSuffix: ""
+  version: ""
 
 imagePullSecrets: []
 nameOverride: ""