Switch Dockerfile image to wolfi and add pipeline for vulnerability scanning #3063

Merged
merged 9 commits into from
Jan 20, 2025
104 changes: 102 additions & 2 deletions .buildkite/pipeline.yml
Expand Up @@ -534,7 +534,7 @@ steps:
- ".buildkite/run_functional_test.sh"
artifact_paths:
- "perf8-report-*/**/*"

- path:
- "connectors/sources/redis.py"
- "tests/sources/fixtures/redis/**"
Expand All @@ -553,7 +553,7 @@ steps:
- ".buildkite/run_functional_test.sh"
artifact_paths:
- "perf8-report-*/**/*"

- path:
- "connectors/sources/graphql.py"
- "tests/sources/fixtures/graphql/**"
Expand Down Expand Up @@ -647,11 +647,111 @@ steps:
- buildkite-agent artifact download '.artifacts/*.tar.gz*' .artifacts/ --step build_docker_image_arm64
- ".buildkite/publish/test-docker.sh"

# ----
# OSS Dockerfile build, tests and vunlerability scan on amd64
# ----
- label: "Building amd64 Docker image from OSS Dockerfile"
agents:
provider: aws
instanceType: m6i.xlarge
imagePrefix: ci-amazonlinux-2
env:
ARCHITECTURE: "amd64"
DOCKERFILE_PATH: "Dockerfile"
DOCKER_IMAGE_NAME: "docker.elastic.co/ci-agent-images/elastic-connectors-oss-dockerfile"
DOCKER_ARTIFACT_KEY: "elastic-connectors-oss-dockerfile"
command: ".buildkite/publish/build-docker.sh"
key: "build_oss_dockerfile_image_amd64"
artifact_paths: ".artifacts/*.tar.gz"
- label: "Testing amd64 image built from OSS Dockerfile"
agents:
provider: aws
instanceType: m6i.xlarge
imagePrefix: ci-amazonlinux-2
env:
ARCHITECTURE: "amd64"
DOCKERFILE_PATH: "Dockerfile"
DOCKER_IMAGE_NAME: "docker.elastic.co/ci-agent-images/elastic-connectors-oss-dockerfile"
DOCKER_ARTIFACT_KEY: "elastic-connectors-oss-dockerfile"
depends_on: "build_oss_dockerfile_image_amd64"
key: "test_oss_dockerfile_image_amd64"
commands:
- "mkdir -p .artifacts"
- buildkite-agent artifact download '.artifacts/*.tar.gz*' .artifacts/ --step build_oss_dockerfile_image_amd64
- ".buildkite/publish/test-docker.sh"
- label: "Trivy Scan amd64 OSS Dockerfile image"
timeout_in_minutes: 10
depends_on:
- test_oss_dockerfile_image_amd64
key: "trivy-scan-amd64-oss-dockerfile-image"
agents:
provider: k8s
image: "docker.elastic.co/ci-agent-images/trivy:latest"
command: |-
mkdir -p .artifacts
buildkite-agent artifact download '.artifacts/*.tar.gz*' .artifacts/ --step build_oss_dockerfile_image_amd64
trivy --version
env | grep TRIVY
find .artifacts -type f -name '*.tar.gz*' -exec trivy image --quiet --input {} \;
# ----
# OSS Dockerfile build, tests and vunlerability scan on arm64
# ----
- label: "Building arm64 Docker image from OSS Dockerfile"
agents:
provider: aws
instanceType: m6g.xlarge
imagePrefix: ci-amazonlinux-2-aarch64
diskSizeGb: 40
diskName: '/dev/xvda'
env:
ARCHITECTURE: "arm64"
DOCKERFILE_PATH: "Dockerfile"
DOCKER_IMAGE_NAME: "docker.elastic.co/ci-agent-images/elastic-connectors-oss-dockerfile"
DOCKER_ARTIFACT_KEY: "elastic-connectors-oss-dockerfile"
command: ".buildkite/publish/build-docker.sh"
key: "build_oss_dockerfile_image_arm64"
artifact_paths: ".artifacts/*.tar.gz"
- label: "Testing arm64 image built from OSS Dockerfile"
agents:
provider: aws
instanceType: m6g.xlarge
imagePrefix: ci-amazonlinux-2-aarch64
diskSizeGb: 40
diskName: '/dev/xvda'
env:
ARCHITECTURE: "arm64"
DOCKERFILE_PATH: "Dockerfile"
DOCKER_IMAGE_NAME: "docker.elastic.co/ci-agent-images/elastic-connectors-oss-dockerfile"
DOCKER_ARTIFACT_KEY: "elastic-connectors-oss-dockerfile"
depends_on: "build_oss_dockerfile_image_arm64"
key: "test_oss_dockerfile_image_arm64"
commands:
- "mkdir -p .artifacts"
- buildkite-agent artifact download '.artifacts/*.tar.gz*' .artifacts/ --step build_oss_dockerfile_image_arm64
- ".buildkite/publish/test-docker.sh"
- label: "Trivy Scan arm64 OSS Dockerfile image"
timeout_in_minutes: 10
depends_on:
- test_oss_dockerfile_image_arm64
key: "trivy-scan-arm64-oss-dockerfile-image"
agents:
provider: k8s
image: "docker.elastic.co/ci-agent-images/trivy:latest"
command: |-
mkdir -p .artifacts
buildkite-agent artifact download '.artifacts/*.tar.gz*' .artifacts/ --step build_oss_dockerfile_image_arm64
trivy --version
env | grep TRIVY
find .artifacts -type f -name '*.tar.gz*' -exec trivy image --quiet --input {} \;
- label: ":truck: Publish DRA Items"
<<: *test-agents
key: "publish-dra-artifacts"
timeout_in_minutes: 45
depends_on:
- test_docker_image_amd64
- test_docker_image_arm64
- test_oss_dockerfile_image_amd64
- test_oss_dockerfile_image_arm64
command: ".buildkite/publish/dra/init_dra_publishing.sh"
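Review bot: The Trivy steps (`trivy-scan-amd64-oss-dockerfile-image` and `trivy-scan-arm64-oss-dockerfile-image`) cannot fail the pipeline: `trivy image --quiet --input {}` runs without `--exit-code`, so findings only print, and because it is invoked through `find -exec … \;` the scan's status would be discarded anyway, since `find` reports only its own errors. If the scan is meant to gate the release, run it as `trivy image --exit-code 1 --severity HIGH,CRITICAL --input <archive>` in a shell loop over the archives instead of `find -exec`, and add the two scan keys to the `depends_on` of `publish-dra-artifacts`, which currently waits only for the test steps. Two smaller points: `docker.elastic.co/ci-agent-images/trivy:latest` is unpinned, so the scanner and its database change underneath the pipeline, and `env | grep TRIVY` prints every `TRIVY_*` variable to the build log, which leaks if any of them carry registry or token values. The section comment headers spell "vunlerability" (twice).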
17 changes: 14 additions & 3 deletions Dockerfile
@@ -1,7 +1,18 @@
FROM python:3.11-slim-bookworm
RUN apt -y update && apt -y upgrade && apt -y install make git
COPY . /app
FROM cgr.dev/chainguard/wolfi-base
ARG python_version=3.11

USER root
RUN apk add --no-cache python3=~${python_version} make git

COPY --chown=nonroot:nonroot . /app

USER nonroot
WORKDIR /app
RUN make clean install
RUN ln -s .venv/bin /app/bin

USER root
RUN apk del make git

USER nonroot
ENTRYPOINT []
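Review bot: `FROM cgr.dev/chainguard/wolfi-base` (and the same line in Dockerfile.ftest) carries neither a tag nor a digest, so every build resolves the current `latest` at build time and the image the new Trivy step scanned is not necessarily what the next rebuild produces; pin it, e.g. `FROM cgr.dev/chainguard/wolfi-base@sha256:<base-image-digest>`, and bump the pin deliberately. `RUN apk del make git` in its own layer does not remove those packages from the earlier layer where `apk add` installed them, so the final image still carries them in its layer history and a scanner may still report them; a multi-stage build that copies `/app` into a fresh `wolfi-base` stage is what actually drops them. `COPY --chown=nonroot:nonroot . /app` copies the whole build context, so whether `.git`, test fixtures or local env files land in the image depends on `.dockerignore`, which is not part of this PR and is worth confirming. A short comment above the `USER root` block, such as `# root only for apk; the application runs as nonroot`, would help the next editor keep the privilege drop intact.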
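--- a/Dockerfile.ftest
+++ b/Dockerfile.ftest
@@ -1,7 +1,16 @@
-FROM python:3.11-slim-bookworm
-# RUN apt update && apt install make
-RUN apt -y update && apt -y upgrade && apt -y install make git
-COPY . /app
+FROM cgr.dev/chainguard/wolfi-base
+ARG python_version=3.11
+
+USER root
+RUN apk add --no-cache python3=~${python_version} make git
+
+COPY --chown=nonroot:nonroot . /app
+
+USER nonroot
 WORKDIR /app
 RUN make clean install
 RUN .venv/bin/pip install -r requirements/ftest.txt
+
+USER root
+RUN apk del make git
+USER nonroot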