Merge pull request #1922 from kube-logging/feat/e2e-image-build-parallel

Author: csatib02

.github/workflows/artifacts.yaml

@@ -28,21 +28,6 @@ on:
       container-image-tag:
         description: Container image tag
         value: ${{ jobs.container-image.outputs.tag }}
-      container-image-ref:
-        description: Container image ref
-        value: ${{ jobs.container-image.outputs.ref }}
-      fluentd-full-image-name:
-        description: Fluentd-full container image name
-        value: ${{ jobs.fluentd-full-image.outputs.name }}
-      fluentd-full-image-digest:
-        description: Fluentd-full container image digest
-        value: ${{ jobs.fluentd-full-image.outputs.digest }}
-      fluentd-full-image-tag:
-        description: Fluentd-full container image tag
-        value: ${{ jobs.fluentd-full-image.outputs.tag }}
-      fluentd-full-image-ref:
-        description: Fluentd-full container image ref
-        value: ${{ jobs.fluentd-full-image.outputs.ref }}
       helm-chart-name:
         description: Helm chart OCI name
         value: ${{ jobs.helm-chart.outputs.name }}
@@ -80,7 +65,6 @@ jobs:
       name: ${{ steps.image-name.outputs.value }}
       digest: ${{ steps.build.outputs.digest }}
       tag: ${{ steps.meta.outputs.version }}
-      ref: ${{ steps.image-ref.outputs.value }}
 
     steps:
       - name: Checkout repository
@@ -94,6 +78,7 @@ jobs:
 
       - name: Set up Cosign
         uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
+        if: inputs.publish
 
       - name: Set image name
         id: image-name
@@ -214,10 +199,6 @@ jobs:
             fi
           fi
 
-      - name: Set image ref
-        id: image-ref
-        run: echo "value=${{ steps.image-name.outputs.value }}@${{ steps.build.outputs.digest }}" >> "$GITHUB_OUTPUT"
-
       - name: Fetch image
         run: skopeo --insecure-policy copy docker://${{ steps.image-name.outputs.value }}:${{ steps.meta.outputs.version }} oci-archive:image.tar
         if: inputs.publish
@@ -275,6 +256,7 @@ jobs:
 
       - name: Set up Cosign
         uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
+        if: inputs.publish && inputs.release
 
       - name: Set chart name
         id: chart-name
@@ -435,6 +417,7 @@ jobs:
 
       - name: Set up Cosign
         uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
+        if: inputs.publish && inputs.release
 
       - name: Set chart name
         id: chart-name

.github/workflows/dependency-images.yaml

@@ -23,9 +23,6 @@ on:
       fluentd-image-tag:
         description: Container image tag
         value: ${{ jobs.fluentd.outputs.tag }}
-      fluentd-image-ref:
-        description: Container image ref
-        value: ${{ jobs.fluentd.outputs.ref }}
 
 permissions:
   contents: read
@@ -45,10 +42,125 @@ jobs:
           IMAGE_TYPES=$(echo '${{ inputs.image-types }}' | jq -R -c 'split(",")')
           echo "image-types=${IMAGE_TYPES}" >> $GITHUB_OUTPUT
 
-  fluentd-image:
-    name: Fluentd image
+  fluentd-image-export:
+    name: Fluentd image export
     needs: prepare-matrix
     runs-on: ${{ matrix.platform == 'linux/arm64' && 'linux-arm64' || 'ubuntu-latest' }}
+    if: ${{ !inputs.publish }}
+
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+
+    outputs:
+      name: ${{ steps.image-name.outputs.value }}
+      digest: ${{ steps.build.outputs.digest }}
+      tag: ${{ steps.meta.outputs.version }}
+
+    strategy:
+      matrix:
+        platform:
+          - linux/amd64
+          - linux/arm64
+        image-type: ${{ fromJson(needs.prepare-matrix.outputs.image-types) }}
+
+    steps:
+      - name: Prepare arm64 environment
+        if: matrix.platform == 'linux/arm64'
+        run: |
+          sudo install -m 0755 -d /etc/apt/keyrings
+          sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
+          echo \
+          "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
+          $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
+          sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
+          sudo apt-get update && sudo apt-get install -y acl docker-ce docker-ce-cli containerd.io docker-buildx-plugin
+          USERID=$(id -u)
+          sudo setfacl --modify user:${USERID}:rw /var/run/docker.sock
+
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
+        with:
+          platforms: all
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
+
+      - name: Set image name
+        id: image-name
+        run: echo "value=ghcr.io/${{ github.repository }}/fluentd" >> "$GITHUB_OUTPUT"
+
+      - name: Set platform
+        run: |
+          platform=${{ matrix.platform }}
+          echo "PLATFORM=${platform//\//-}" >> $GITHUB_ENV
+
+      - name: Gather build metadata
+        id: meta
+        uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
+        with:
+          images: ${{ steps.image-name.outputs.value }}
+          flavor: |
+            latest = false
+          tags: |
+            type=ref,event=branch,suffix=-${{ matrix.image-type }}
+            type=ref,event=pr,prefix=pr-,suffix=-${{ matrix.image-type }}
+            type=semver,pattern={{raw}},suffix=-${{ matrix.image-type }}
+            type=raw,value=latest,enable={{is_default_branch}},suffix=-${{ matrix.image-type }}
+          labels: |
+            org.opencontainers.image.description=Custom Fluentd image for the Logging operator.
+            org.opencontainers.image.title=Logging operator Fluentd image
+            org.opencontainers.image.authors=Kube logging authors
+            org.opencontainers.image.documentation=https://kube-logging.dev/docs/
+
+      - name: Build and push fluentd-${{ matrix.image-type }}-${{ matrix.platform }} image
+        id: build
+        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0
+        with:
+          context: images/fluentd
+          platforms: ${{ matrix.platform }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          target: ${{ matrix.image-type }}
+          outputs: type=oci,dest=image.tar,name=${{ steps.image-name.outputs.value }},annotation-index.org.opencontainers.image.description=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.description'] }}
+
+      - name: Extract OCI tarball
+        run: |
+          mkdir -p image
+          tar -xf image.tar -C image
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # 0.29.0
+        env:
+          TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
+          TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1
+        with:
+          input: image
+          format: sarif
+          output: trivy-results.sarif
+
+      - name: Upload Trivy scan results as artifact
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        with:
+          name: "[${{ github.job }}-${{ matrix.image-type }}-${{ env.PLATFORM }}] Trivy scan results"
+          path: trivy-results.sarif
+          retention-days: 5
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9
+        with:
+          sarif_file: trivy-results.sarif
+
+  fluentd-image-push:
+    name: Fluentd image push
+    needs: prepare-matrix
+    runs-on: ${{ matrix.platform == 'linux/arm64' && 'linux-arm64' || 'ubuntu-latest' }}
+    if: inputs.publish
 
     permissions:
       contents: read
@@ -59,7 +171,6 @@ jobs:
       name: ${{ steps.image-name.outputs.value }}
       digest: ${{ steps.build.outputs.digest }}
       tag: ${{ steps.meta.outputs.version }}
-      ref: ${{ steps.image-ref.outputs.value }}
 
     strategy:
       matrix:
@@ -128,7 +239,7 @@ jobs:
           cache-from: type=gha
           cache-to: type=gha,mode=max
           target: ${{ matrix.image-type }}
-          outputs: type=image,name=${{ steps.image-name.outputs.value }},push-by-digest=true,push=true,annotation-index.org.opencontainers.image.description=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.description'] }}
+          outputs: type=image,push=true,push-by-digest=true,name=${{ steps.image-name.outputs.value }},annotation-index.org.opencontainers.image.description=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.description'] }}
 
       - name: Export digest
         run: |
@@ -176,7 +287,8 @@ jobs:
   merge-fluentd-image:
     name: Merge Fluentd image
     runs-on: ubuntu-latest
-    needs: [prepare-matrix, fluentd-image]
+    needs: [prepare-matrix, fluentd-image-push]
+    if: inputs.publish
 
     permissions:
       contents: read
@@ -201,7 +313,6 @@ jobs:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ github.token }}
-        if: inputs.publish
 
       - name: Download digests
         uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
@@ -214,7 +325,7 @@ jobs:
         id: meta
         uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
         with:
-          images: ${{ needs.fluentd-image.outputs.name }}
+          images: ${{ needs.fluentd-image-push.outputs.name }}
           flavor: |
             latest = false
           tags: |
@@ -226,21 +337,16 @@ jobs:
       - name: Create multi-arch manifest list
         working-directory: /tmp/digests
         run: |
-          if [[ "${{ inputs.publish }}" == "true" ]]; then
-            docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
-              $(printf '${{ needs.fluentd-image.outputs.name }}@sha256:%s ' *)
-          else
-            docker buildx imagetools create --dry-run $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
-              $(printf '${{ needs.fluentd-image.outputs.name }}@sha256:%s ' *)
-          fi
+          docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
+            $(printf '${{ needs.fluentd-image-push.outputs.name }}@sha256:%s ' *)
 
       - name: Export digest
         run: |
-          DIGEST=$(docker buildx imagetools inspect ${{ needs.fluentd-image.outputs.name }}:${{ steps.meta.outputs.version }} --format '{{json .}}' | jq -r '.manifest.digest')
+          DIGEST=$(docker buildx imagetools inspect ${{ needs.fluentd-image-push.outputs.name }}:${{ steps.meta.outputs.version }} --format '{{json .}}' | jq -r '.manifest.digest')
           echo "DIGEST=$DIGEST" >> $GITHUB_ENV
 
       - name: Sign image with GitHub OIDC Token
-        if: ${{ inputs.publish && github.repository_owner == 'kube-logging' }} # Check if the workflow is called by the same GitHub organization
+        if: ${{ github.repository_owner == 'kube-logging' }} # Check if the workflow is called by the same GitHub organization
         env:
           DIGEST: ${{ env.DIGEST }}
           TAGS: ${{ steps.meta.outputs.tags }}
@@ -253,7 +359,7 @@ jobs:
           cosign sign --yes --rekor-url "https://rekor.sigstore.dev/" ${images}
 
       - name: Verify signed image with cosign
-        if: ${{ inputs.publish && github.repository_owner == 'kube-logging' }} # Check if the workflow is called by the same GitHub organization
+        if: ${{ github.repository_owner == 'kube-logging' }} # Check if the workflow is called by the same GitHub organization
         env:
           DIGEST: ${{ env.DIGEST }}
           TAGS: ${{ steps.meta.outputs.tags }}
@@ -265,12 +371,8 @@ jobs:
               --certificate-oidc-issuer "https://token.actions.githubusercontent.com" | jq
           done
 
-      - name: Set image ref
-        id: image-ref
-        run: echo "value=${{ needs.fluentd-image.outputs.name }}@${{ env.DIGEST }}" >> "$GITHUB_OUTPUT"
-
       - name: Fetch image
-        run: skopeo --insecure-policy copy docker://${{ needs.fluentd-image.outputs.name }}:${{ steps.meta.outputs.version }} oci-archive:image.tar
+        run: skopeo --insecure-policy copy docker://${{ needs.fluentd-image-push.outputs.name }}:${{ steps.meta.outputs.version }} oci-archive:image.tar
 
       - name: Extract OCI tarball
         run: |

.github/workflows/e2e.yaml

@@ -13,42 +13,47 @@ env:
 
 jobs:
   build:
-    name: Image build
+    name: Build ${{ matrix.image }} image
     runs-on: ubuntu-latest
+
+    strategy:
+      matrix:
+        include:
+          - image: fluentd
+            context: images/fluentd
+            tags: fluentd-full:local
+            target: full
+            output: fluentd-full.tar
+          - image: controller
+            context: .
+            tags: controller:local
+            target: e2e-test
+            build_args: GO_BUILD_FLAGS=-cover -covermode=atomic
+            output: controller.tar
+
     steps:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
 
-      - name: Build and export fluentd-full image
-        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0
-        with:
-          context: images/fluentd
-          tags: fluentd-full:local
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
-          target: full
-          outputs: type=docker,dest=/tmp/fluentd-full.tar
-
-      - name: Build and export operator image
+      - name: Build and export ${{ matrix.image }}-image
         uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0
         with:
-          context: .
-          tags: controller:local
+          context: ${{ matrix.context }}
+          tags: ${{ matrix.tags }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
-          target: e2e-test
-          build-args: |
-            GO_BUILD_FLAGS=-cover -covermode=atomic
-          outputs: type=docker,dest=/tmp/controller.tar
+          target: ${{ matrix.target }}
+          build-args: ${{ matrix.build_args }}
+          outputs: type=docker,dest=/tmp/${{ matrix.output }}
 
       - name: Upload artifact
         uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         with:
-          name: e2e-images
-          path: /tmp/*.tar
+          name: e2e-${{ matrix.image }}
+          path: /tmp/${{ matrix.output }}
 
   go:
     name: Go end2end tests
@@ -67,8 +72,9 @@ jobs:
       - name: Download artifact
         uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
-          name: e2e-images
+          pattern: e2e-*
           path: /tmp
+          merge-multiple: true
 
       - name: Load image
         run: |
@@ -124,8 +130,9 @@ jobs:
       - name: Download artifact
         uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
-          name: e2e-images
+          pattern: e2e-*
           path: /tmp
+          merge-multiple: true
 
       - name: Load image
         run: |