Templates/template-docker-repository
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[DO-1569] change-docker-repo-template (!3)

Browse Source 
- Добавлена возможность использовать секреты HVault
- Actions берутся из локального зеркала
- доп. правки

Co-authored-by: Yaroslav Bondarenko <yaroslav.bondarenko@avroid.tech>
Reviewed-on: https://git.avroid.tech/Templates/template-docker-repository/pulls/3
Reviewed-by: Vasiliy Chipizhin <vasiliy.chipizhin@avroid.team>
Reviewed-by: Aleksandr Vodyanov <aleksandr.vodyanov@avroid.team>
This commit is contained in:
Yaroslav Bondarenko
2025-02-11 16:17:00 +03:00
parent b1750866e2
commit e5ea3cae8b
2 changed files with 29 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
.gitea/workflows/build-and-push-image.yaml
View File

@@ -5,27 +5,43 @@ on: [push]
env: env:
CI: ON CI: ON
# Allow workflow to be manually run from the Gitea UI # Allow workflow to be manually run from the Gitea UI
workflow_dispatch: workflow_dispatch:
jobs: jobs:
build_and_push: build_and_push:
runs-on: docker runs-on: act-runner-label
name: Builds the image and publishes to docker hub name: Builds the image and publishes to docker hub
container: container:
image: harbor.avroid.tech/docker-hub-proxy/catthehacker/ubuntu:act-latest image: harbor.avroid.tech/docker-hub-proxy/catthehacker/ubuntu:act-latest
steps: steps:
- run: printenv - run: printenv
- name: Retrieve secrets from Hashicorp Vault
id: retrieve-secrets
uses: https://git-mirrors.avroid.tech/Mirrors-actions/vault-action.git@v3
with:
url: https://vault.avroid.tech
method: approle
roleId: ${{ secrets.HVAULT_GITEA_ACTIONS_ROLE_ID }}
secretId: ${{ secrets.HVAULT_GITEA_ACTIONS_SECRET_ID }}
# Ниже указываем {путь к секрету в HVault} {имя ключа секрета} | {имя переменной окружения куда засетим значение секрета}
# Доступ к секретам осуществляется через заранее созданный AppRole "gitea-actions-role" в HVault и подключенную
# к ней политику "gitea-actions". В политике описывается доступ к необходимым секретам. Политику можно посмотреть
# через UI Hashicorp Vault.
secrets: |
team-devops/data/services/registry/Harbor/harbor.avroid.tech 'service.user.ci.login' | HARBOR_LOGIN ;
team-devops/data/services/registry/Harbor/harbor.avroid.tech 'service.user.ci.token' | HARBOR_TOKEN ;
- name: Login to Harbor Docker Registry - name: Login to Harbor Docker Registry
uses: docker/login-action@v3 uses: https://git-mirrors.avroid.tech/Mirrors-actions/login-action@v3
with: with:
registry: https://harbor.avroid.tech registry: https://harbor.avroid.tech
username: ${{ secrets.DOCKER_USERNAME }} username: ${{ env.HARBOR_LOGIN }}
password: ${{ secrets.DOCKER_TOKEN }} password: ${{ env.HARBOR_TOKEN }}
- name: Check out repository code - name: Check out repository code
uses: actions/checkout@v3 uses: https://git-mirrors.avroid.tech/Mirrors-actions/checkout@v4
- name: "Build image" - name: "Build image"
run: | run: |
@@ -36,7 +52,7 @@ jobs:
make push make push
if: ${{ gitea.ref == 'refs/heads/master' }} if: ${{ gitea.ref == 'refs/heads/master' }}
- name: "Clear image" - name: "Clear image"
run: | run: |
make clean make clean

8
Makefile
View File

@@ -8,7 +8,7 @@ DOCKER_REGISTRY = harbor.avroid.tech
CI_FLAGS = CI_FLAGS =
ifeq ($(CI), false) ifeq ($(CI), true)
CI_FLAGS = --no-cache CI_FLAGS = --no-cache
endif endif
@@ -23,9 +23,13 @@ build:
DOCKER_BUILDKIT=1 docker build $(CI_FLAGS) \ DOCKER_BUILDKIT=1 docker build $(CI_FLAGS) \
-f Dockerfile \ -f Dockerfile \
--platform linux/amd64 \ --platform linux/amd64 \
-t $(DOCKER_REGISTRY)/$(IMAGE_GROUP)/$(IMAGE_NAME):$(IMAGE_TAG)$(REVISION) src/ --build-arg IMAGE_TAG=$(IMAGE_TAG) \
-t $(DOCKER_REGISTRY)/$(IMAGE_GROUP)/$(IMAGE_NAME):$(IMAGE_TAG)$(REVISION) .
push: push:
ifeq ($(CI), false)
docker login https://$(DOCKER_REGISTRY)
endif
docker push $(DOCKER_REGISTRY)/$(IMAGE_GROUP)/$(IMAGE_NAME):$(IMAGE_TAG)$(REVISION) docker push $(DOCKER_REGISTRY)/$(IMAGE_GROUP)/$(IMAGE_NAME):$(IMAGE_TAG)$(REVISION)
getTag: getTag: