Skip to content

consul: allow non-root Nomad to rewrite token (#24410) #6424

consul: allow non-root Nomad to rewrite token (#24410)

consul: allow non-root Nomad to rewrite token (#24410) #6424

Workflow file for this run

name: build
on:
push:
branches:
- main
- release/**
workflow_dispatch:
inputs:
build-ref:
description: 'The git ref to build from'
type: string
default: ''
required: false
make-prerelease:
description: "Run prerelease to generate files"
type: "boolean"
required: false
default: true
env:
PKG_NAME: "nomad"
GO_TAGS: "release"
jobs:
get-go-version:
runs-on: ubuntu-20.04
outputs:
go-version: ${{ steps.get-go-version.outputs.go-version }}
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ github.event.inputs.build-ref }}
- name: Determine Go version
id: get-go-version
# We use .go-version as our source of truth for current Go
# version, because "goenv" can react to it automatically.
run: |-
echo "Building with Go $(cat .go-version)"
echo "go-version=$(cat .go-version)" >> "$GITHUB_OUTPUT"
get-product-version:
runs-on: ubuntu-20.04
outputs:
product-version: ${{ steps.get-product-version.outputs.product-version }}
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ github.event.inputs.build-ref }}
- name: get product version
id: get-product-version
run: |-
make version
echo "product-version=$(make version)" >> "$GITHUB_OUTPUT"
generate-metadata-file:
needs: get-product-version
runs-on: ubuntu-20.04
outputs:
filepath: ${{ steps.generate-metadata-file.outputs.filepath }}
steps:
- name: "Checkout directory"
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ github.event.inputs.build-ref }}
- name: Generate metadata file
id: generate-metadata-file
uses: hashicorp/actions-generate-metadata@fdbc8803a0e53bcbb912ddeee3808329033d6357 # v1.1.1
with:
version: ${{ needs.get-product-version.outputs.product-version }}
product: ${{ env.PKG_NAME }}
repositoryOwner: "hashicorp"
sha: ${{ github.event.inputs.build-ref }}
- uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with:
name: metadata.json
path: ${{ steps.generate-metadata-file.outputs.filepath }}
build-other:
needs: [get-go-version, get-product-version]
runs-on: custom-linux-xxl-nomad-20.04
strategy:
matrix:
goos: [windows]
goarch: ["amd64"]
fail-fast: true
name: Go ${{ needs.get-go-version.outputs.go-version }} ${{ matrix.goos }} ${{ matrix.goarch }} build
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ github.event.inputs.build-ref }}
- name: Setup go
uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
with:
go-version: ${{ needs.get-go-version.outputs.go-version }}
- name: Build dependencies
run: make deps
- name: Setup node and yarn
uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4
with:
node-version: "18"
cache-dependency-path: "ui/yarn.lock"
- name: Install Yarn
run: |
npm install -g yarn
- name: Build prerelease
run: make prerelease
if: ${{ github.event_name != 'workflow_dispatch' || github.event.inputs.make-prerelease == 'true' }}
- name: Build
env:
GOOS: ${{ matrix.goos }}
GOARCH: ${{ matrix.goarch }}
GO_TAGS: ${{ env.GO_TAGS }}
CGO_ENABLED: 1
run: |
go clean -cache
make pkg/${{ matrix.goos }}_${{ matrix.goarch }}.zip
mv pkg/${{ matrix.goos }}_${{ matrix.goarch }}.zip ${{ env.PKG_NAME }}_${{ needs.get-product-version.outputs.product-version }}_${{ matrix.goos }}_${{ matrix.goarch }}.zip
- uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with:
name: ${{ env.PKG_NAME }}_${{ needs.get-product-version.outputs.product-version }}_${{ matrix.goos }}_${{ matrix.goarch }}.zip
path: ${{ env.PKG_NAME }}_${{ needs.get-product-version.outputs.product-version }}_${{ matrix.goos }}_${{ matrix.goarch }}.zip
build-linux:
needs: [get-go-version, get-product-version]
runs-on: custom-linux-xxl-nomad-20.04
strategy:
matrix:
goos: [linux]
goarch: ["arm64", "amd64"]
fail-fast: true
name: Go ${{ needs.get-go-version.outputs.go-version }} ${{ matrix.goos }} ${{ matrix.goarch }} build
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ github.event.inputs.build-ref }}
- name: Setup go
uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
with:
go-version: ${{ needs.get-go-version.outputs.go-version }}
- name: Build dependencies
run: make deps
- name: Setup node and yarn
uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4
with:
node-version: "18"
cache-dependency-path: "ui/yarn.lock"
- name: Install Yarn
run: |
npm install -g yarn
- name: Build prerelease
run: make prerelease
if: ${{ github.event_name != 'workflow_dispatch' || github.event.inputs.make-prerelease == 'true' }}
- name: Install Linux build utilties
run: |
sudo apt-get update
sudo apt-get install -y software-properties-common
sudo apt-get update
sudo apt-get install -y \
binutils-aarch64-linux-gnu \
gcc-aarch64-linux-gnu
- name: Set gcc
run: |
if [ "${{ matrix.goarch }}" == "arm64" ]; then
echo "CC=aarch64-linux-gnu-gcc" >> "$GITHUB_ENV"
fi
- name: Build
env:
GOOS: ${{ matrix.goos }}
GOARCH: ${{ matrix.goarch }}
GO_TAGS: ${{ env.GO_TAGS }}
CGO_ENABLED: 1
run: |
go clean -cache
make pkg/${{ matrix.goos }}_${{ matrix.goarch }}.zip
mv pkg/${{ matrix.goos }}_${{ matrix.goarch }}.zip ${{ env.PKG_NAME }}_${{ needs.get-product-version.outputs.product-version }}_${{ matrix.goos }}_${{ matrix.goarch }}.zip
- uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with:
name: ${{ env.PKG_NAME }}_${{ needs.get-product-version.outputs.product-version }}_${{ matrix.goos }}_${{ matrix.goarch }}.zip
path: ${{ env.PKG_NAME }}_${{ needs.get-product-version.outputs.product-version }}_${{ matrix.goos }}_${{ matrix.goarch }}.zip
- name: Copy license file
env:
LICENSE_DIR: ".release/linux/package/usr/share/doc/${{ env.PKG_NAME }}"
run: |
mkdir -p "$LICENSE_DIR"
cp LICENSE "$LICENSE_DIR/LICENSE.txt"
- name: Package
uses: hashicorp/actions-packaging-linux@8d55a640bb30b5508f16757ea908b274564792d4 # v1.8.0
with:
name: ${{ env.PKG_NAME }}
description: "Nomad is an easy-to-use, flexible, and performant workload orchestrator that can deploy a mix of microservice, batch, containerized, and non-containerized applications."
arch: ${{ matrix.goarch }}
version: ${{ needs.get-product-version.outputs.product-version }}
maintainer: "HashiCorp"
homepage: "https://github.com/hashicorp/nomad"
license: "BUSL-1.1"
binary: "pkg/${{ matrix.goos }}_${{ matrix.goarch }}/${{ env.PKG_NAME }}"
deb_depends: "openssl"
rpm_depends: "openssl"
config_dir: ".release/linux/package/"
preinstall: ".release/linux/preinst"
postinstall: ".release/linux/postinst"
postremove: ".release/linux/postrm"
- name: Set Package Names
run: |
echo "RPM_PACKAGE=$(basename out/*.rpm)" >> "$GITHUB_ENV"
echo "DEB_PACKAGE=$(basename out/*.deb)" >> "$GITHUB_ENV"
- uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with:
name: ${{ env.RPM_PACKAGE }}
path: out/${{ env.RPM_PACKAGE }}
- uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with:
name: ${{ env.DEB_PACKAGE }}
path: out/${{ env.DEB_PACKAGE }}
build-darwin:
needs: [get-go-version, get-product-version]
runs-on: ${{ endsWith(github.repository, '-enterprise') && fromJSON('["self-hosted", "ondemand", "macos"]') || 'macos-latest' }}
strategy:
matrix:
goos: [darwin]
goarch: ["arm64", "amd64"]
fail-fast: true
name: Go ${{ needs.get-go-version.outputs.go-version }} ${{ matrix.goos }} ${{ matrix.goarch }} build
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ github.event.inputs.build-ref }}
- name: Retrieve Vault-hosted Secrets
if: endsWith(github.repository, '-enterprise')
id: vault
uses: hashicorp/vault-action@d1720f055e0635fd932a1d2a48f87a666a57906c # v3.0.0
with:
url: ${{ vars.CI_VAULT_URL }}
method: ${{ vars.CI_VAULT_METHOD }}
path: ${{ vars.CI_VAULT_PATH }}
jwtGithubAudience: ${{ vars.CI_VAULT_AUD }}
secrets: |-
kv/data/github/hashicorp/nomad-enterprise/gha ELEVATED_GITHUB_TOKEN ;
- name: Git config token
if: endsWith(github.repository, '-enterprise')
run: git config --global url.'https://${{ env.ELEVATED_GITHUB_TOKEN }}@github.com'.insteadOf 'https://github.com'
- name: Setup go
uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
with:
go-version: ${{ needs.get-go-version.outputs.go-version }}
- name: Build dependencies
run: make deps
- name: Setup node and yarn
uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4
with:
node-version: "18"
cache-dependency-path: "ui/yarn.lock"
- name: Install Yarn
run: |
npm install -g yarn
- name: Build prerelease
run: make prerelease
if: ${{ github.event_name != 'workflow_dispatch' || github.event.inputs.make-prerelease == 'true' }}
- name: Build
env:
GOOS: ${{ matrix.goos }}
GOARCH: ${{ matrix.goarch }}
GO_TAGS: "${{ env.GO_TAGS }} netcgo"
CGO_ENABLED: 1
run: |
go clean -cache
make pkg/${{ matrix.goos }}_${{ matrix.goarch }}.zip
mv pkg/${{ matrix.goos }}_${{ matrix.goarch }}.zip ${{ env.PKG_NAME }}_${{ needs.get-product-version.outputs.product-version }}_${{ matrix.goos }}_${{ matrix.goarch }}.zip
- uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with:
name: ${{ env.PKG_NAME }}_${{ needs.get-product-version.outputs.product-version }}_${{ matrix.goos }}_${{ matrix.goarch }}.zip
path: ${{ env.PKG_NAME }}_${{ needs.get-product-version.outputs.product-version }}_${{ matrix.goos }}_${{ matrix.goarch }}.zip
build-docker:
name: Docker ${{ matrix.arch }} build
needs:
- get-product-version
- build-linux
runs-on: custom-linux-xxl-nomad-20.04
strategy:
matrix:
arch: ["arm64", "amd64"]
env:
version: ${{needs.get-product-version.outputs.product-version}}
revision: ${{github.sha}}
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Set revision
if: "${{ github.event.inputs.build-ref != '' }}"
run: |
echo "revision=${{ github.event.inputs.build-ref }}" >> "$GITHUB_ENV"
- name: Docker Build (Action)
uses: hashicorp/actions-docker-build@11d43ef520c65f58683d048ce9b47d6617893c9a # v2.0.0
with:
smoke_test: |
TEST_VERSION="$(docker run "${IMAGE_NAME}" version | awk '/Nomad v/{print $2}')"
if [ "${TEST_VERSION}" != "v${version}" ]; then
echo "Test FAILED"
exit 1
fi
echo "Test PASSED"
version: ${{env.version}}
revision: ${{env.revision}}
target: release
arch: ${{matrix.arch}}
tags: |
docker.io/hashicorp/${{env.PKG_NAME}}:${{env.version}}
dev_tags: |
docker.io/hashicorppreview/${{ env.PKG_NAME }}:${{ env.version }}-dev
docker.io/hashicorppreview/${{ env.PKG_NAME }}:${{ env.version }}-${{env.revision}}
minimum-os:
name: OS Compatibility
# A quick smoke test of our binaries on our minimum target OS (RHEL 7). Why RHEL 7? Because the glibc version is that old (2.17).
needs:
- get-go-version
- get-product-version
- build-linux
runs-on: ubuntu-22.04
strategy:
fail-fast: false
# Note: Ideally we'd test all our target archs, unfortunately availability of containers of these OS's vary.
# For instance there is no ubi7 image for arm64 (there is on ubi8), RHBZ#1728771. And none at all for arm.
# So we have to settle for only being able to validate where we can, which is just amd64.
matrix:
goos: [linux]
goarch: [amd64]
steps:
- uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
with:
go-version: ${{needs.get-go-version.outputs.go-version}}
- uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: ${{ env.PKG_NAME }}_${{ needs.get-product-version.outputs.product-version }}_${{ matrix.goos }}_${{ matrix.goarch }}.zip
- name: Test binary
env:
artifact_name: ${{ env.PKG_NAME }}_${{ needs.get-product-version.outputs.product-version }}_${{ matrix.goos }}_${{ matrix.goarch }}.zip
run: |
echo "::group::Unpack and Prep"
docker pull registry.access.redhat.com/ubi7/ubi-minimal:7.9-1057
unzip "$artifact_name"
echo "::group::Diagnostics"
echo "CGO related build information:"
go version -m ./nomad | grep CGO
echo "GLIBC links:"
go tool nm ./nomad | grep -i glibc | cut -d @ -f 2-3 | sort --version-sort | uniq
echo "::group::Smoke test binary"
docker run --rm -v "$PWD:/src" registry.access.redhat.com/ubi7/ubi-minimal:7.9-1057 /src/nomad version
permissions:
contents: read
id-token: write