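name: Update docker images

# Both jobs are effectively push-only: build-docker is gated on
# github.event_name == 'push' and update-image-and-commit depends on it, so a
# pull_request run only registers the workflow as skipped.
on:
  push:
    paths-ignore:
      - 'docs/**'
      - '*.md'
  pull_request:
    paths-ignore:
      - 'docs/**'
      - '*.md'

# Least privilege for GITHUB_TOKEN: the only thing this workflow does with it
# is the `git push` of the automated image-update commit. Registry and cluster
# access use the GCR_* / GKE_* service-account secrets instead.
permissions:
  contents: write

env:
  GKE_PROJECT: ${{ secrets.GKE_PROJECT }}
  GKE_ZONE: us-east1-c
  GKE_CLUSTER: github-ci
  GKE_REGISTRY: us.gcr.io

jobs:
  # Rebuilds each image whose watched paths changed since the last automated
  # commit and pushes it to GCR; exposes a per-image "modified" flag and the
  # pushed digest for the second job.
  build-docker:
    runs-on: ubuntu-latest
    if: github.event_name == 'push'
    # Each matrix leg only writes its own <image>-modified / <image>-digest
    # output; the other names are empty for that leg. NOTE(review): this relies
    # on an empty output from one leg not clobbering a value set by another -
    # confirm against the runner's output-merging behaviour.
    outputs:
      operator-modified: ${{ steps.set-modified.outputs.operator-modified }}
      nsjail-modified: ${{ steps.set-modified.outputs.nsjail-modified }}
      chroot-modified: ${{ steps.set-modified.outputs.chroot-modified }}
      pwntools-modified: ${{ steps.set-modified.outputs.pwntools-modified }}
      operator-digest: ${{ steps.push.outputs.operator-digest }}
      nsjail-digest: ${{ steps.push.outputs.nsjail-digest }}
      chroot-digest: ${{ steps.push.outputs.chroot-digest }}
      pwntools-digest: ${{ steps.push.outputs.pwntools-digest }}
    strategy:
      matrix:
        image: ["operator", "nsjail", "chroot", "pwntools"]
    steps:
      - uses: actions/checkout@v2
        with:
          # Full history: the next step walks `git log` for the last robot commit.
          fetch-depth: 0

      - id: modified
        name: Check for modified paths
        run: |
          if [ "${{ matrix.image }}" == "operator" ]; then
            PATHS=(".github/workflows/update-images.yaml" "kctf-operator/*" "kctf-operator/build/**" "kctf-operator/cmd/**" "kctf-operator/pkg/**" "kctf-operator/version/**")
          else
            PATHS=(".github/workflows/update-images.yaml" "config/docker/${{ matrix.image }}/**")
          fi
          BASE_SHA="$(git log -n1 --grep='Automated commit: update images.' --format=%H || echo '')"
          echo "BASE_SHA=${BASE_SHA}"
          if [ -z "${BASE_SHA}" ]; then
            # we couldn't find any existing robot commit, just rebuild everything
            echo "::set-output name=modified::true"
            exit 0
          fi
          CHANGED_FILES="$(git diff --name-only "${BASE_SHA}" ${{ github.sha }})"
          echo "CHANGED_FILES=${CHANGED_FILES}"
          while IFS= read -r changed_file; do
            for watched_path in "${PATHS[@]}"; do
              # Unquoted right-hand side on purpose: [[ == ]] treats it as a
              # glob, and a bare '*' in that glob also spans '/', so
              # "kctf-operator/*" covers nested files too.
              if [[ $changed_file == $watched_path ]]; then
                echo "modified=true: ${changed_file} matches ${watched_path}"
                echo "::set-output name=modified::true"
                exit 0
              fi
            done
          done <<< "${CHANGED_FILES}"

      - id: set-modified
        name: Set modified
        # Re-key the flag by image name so the job-level outputs can address it.
        # NOTE(review): ::set-output is deprecated by GitHub in favour of
        # appending to $GITHUB_OUTPUT; the same applies to the push step below.
        run: |
          echo "::set-output name=${{ matrix.image }}-modified::${{ steps.modified.outputs.modified }}"

      - name: Build image
        if: steps.modified.outputs.modified
        run: |
          if [ "${{ matrix.image }}" == "operator" ]; then
            cd kctf-operator
            # -f: fail on an HTTP error instead of saving the error page and
            # then marking it executable. TODO(review): verify the download
            # against the checksum published with the operator-sdk release
            # before running it.
            curl -fL https://github.com/operator-framework/operator-sdk/releases/download/v0.18.2/operator-sdk-v0.18.2-x86_64-linux-gnu -o operator-sdk
            chmod u+x operator-sdk
            sudo mv operator-sdk /usr/local/bin/
            /usr/local/bin/operator-sdk build "${{ matrix.image }}"
          else
            cd "config/docker/${{ matrix.image }}"
            docker build . --tag "${{ matrix.image }}"
          fi

      - name: Setup gcloud CLI
        if: steps.modified.outputs.modified
        # TODO(review): pin to a release tag or commit SHA. A floating branch
        # ref means whatever is on master at run time receives GCR_KEY.
        uses: google-github-actions/setup-gcloud@master
        with:
          version: '319.0.0'
          service_account_email: ${{ secrets.GCR_EMAIL }}
          service_account_key: ${{ secrets.GCR_KEY }}

      - name: Configure docker to use the gcloud command-line tool as a credential helper
        if: steps.modified.outputs.modified
        run: |
          gcloud auth configure-docker

      - id: push
        name: Push images
        if: steps.modified.outputs.modified
        run: |
          IMAGE_GCR="gcr.io/${{ secrets.GCR_PROJECT }}/kctf-${{ matrix.image }}"
          docker tag "${{ matrix.image }}" "$IMAGE_GCR"
          # Capture the content digest from the push output so the Dockerfiles
          # updated by the next job pin by digest rather than by a mutable tag.
          DIGEST="$(docker push "$IMAGE_GCR" | grep 'digest: ' | sed 's/.*\(sha256:[^ ]*\).*/\1/')"
          echo "::set-output name=${{ matrix.image }}-digest::${DIGEST}"

  # Rewrites the base/operator image references to the freshly pushed digests,
  # deploys the sample challenges against the CI cluster as a smoke test, and
  # commits the updated files back to the repository.
  update-image-and-commit:
    runs-on: ubuntu-latest
    needs:
      - build-docker
    steps:
      - uses: actions/checkout@v2

      - name: Update nsjail
        if: needs.build-docker.outputs.nsjail-modified
        run: |
          IMAGE="gcr.io/kctf-docker/kctf-nsjail@${{ needs.build-docker.outputs.nsjail-digest }}"
          sed -i "s#FROM .* AS bin#FROM ${IMAGE} AS bin#" base/nsjail-docker/Dockerfile

      - name: Update chroot
        if: needs.build-docker.outputs.chroot-modified
        run: |
          IMAGE="gcr.io/kctf-docker/kctf-chroot@${{ needs.build-docker.outputs.chroot-digest }}"
          sed -i "s#FROM .* AS chroot#FROM ${IMAGE} AS chroot#" base/nsjail-docker/Dockerfile

      - name: Update pwntools
        if: needs.build-docker.outputs.pwntools-modified
        run: |
          IMAGE="gcr.io/kctf-docker/kctf-pwntools@${{ needs.build-docker.outputs.pwntools-digest }}"
          sed -i "s#FROM .* AS pwntools#FROM ${IMAGE} AS pwntools#" base/healthcheck-docker/Dockerfile

      - name: Update operator
        if: needs.build-docker.outputs.operator-modified
        run: |
          IMAGE="gcr.io/kctf-docker/kctf-operator@${{ needs.build-docker.outputs.operator-digest }}"
          sed -i "s#image: .*#image: ${IMAGE}#" kctf-operator/deploy/operator.yaml

      - name: Download kubectl
        run: |
          # -f on both fetches: a failed stable.txt lookup or binary download
          # must abort the step rather than yield a bogus URL or a non-binary
          # file that is then installed as kubectl.
          KUBECTL_VERSION="$(curl -fsSL https://storage.googleapis.com/kubernetes-release/release/stable.txt)"
          curl -fLO "https://storage.googleapis.com/kubernetes-release/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl"
          chmod +x ./kubectl
          sudo mv ./kubectl /usr/local/bin/kubectl

      - name: Install yq
        # NOTE(review): the deploy step below uses `yq read ...`, which is yq v3
        # syntax; confirm the snap channel in use still delivers a v3 build.
        run: |
          sudo snap install yq

      - name: Setup gcloud CLI
        # TODO(review): pin to a release tag or commit SHA (see build-docker).
        uses: google-github-actions/setup-gcloud@master
        with:
          version: '319.0.0'
          service_account_email: ${{ secrets.GKE_EMAIL }}
          service_account_key: ${{ secrets.GKE_KEY }}

      - name: Configure docker to use the gcloud command-line tool as a credential helper
        run: |
          gcloud auth configure-docker

      - name: Configure kCTF directory
        run: |
          export PATH=$PATH:$PWD/bin
          kctf-setup-chal-dir "$PWD/samples"
          kctf-chal-create default-task

      - name: Configure kCTF cluster
        run: |
          export PATH=$PATH:$PWD/bin
          kctf-config-create --chal-dir samples --project "$GKE_PROJECT" --zone "$GKE_ZONE" --registry "$GKE_REGISTRY" --cluster-name "$GKE_CLUSTER" --domain-name "$GKE_CLUSTER.kctf.dev" --start-cluster

      - name: Expose sample tasks
        run: |
          for f in samples/*/challenge.yaml; do
            sed -i "s/public: false/public: true/" "$f"
          done

      - name: Deploy all tasks
        run: |
          export PATH=$PATH:$PWD/bin
          cd samples
          # Remove any challenges left over from a previous run before deploying.
          for challenge_name in $(kctf-kubectl get challenges -o "jsonpath={.items[*].metadata.name}"); do
            kctf-kubectl delete "challenge/${challenge_name}"
          done
          for f in *; do
            if [ "$f" != "kctf-conf" ]; then
              pushd "$f"
              CHALLENGE_NAME="$(yq read challenge.yaml 'metadata.name')"
              make start
              # We want to wait for the deployment to be available, but it
              # might not have been created yet by the operator.
              # Ideally, we would expose the condition in the operator but I
              # don't think that's currently possible.
              for i in {1..5}; do
                kctf-kubectl get "deployment/${CHALLENGE_NAME}" && break
                echo "deployment/${CHALLENGE_NAME} doesn't exist yet, sleeping"
                sleep 5
              done
              kctf-kubectl wait --for=condition=available --timeout=5m "deployment/${CHALLENGE_NAME}"
              make stop
              popd
            fi
          done

      - name: Commit
        # Pass the author fields through the environment instead of expanding
        # ${{ }} inside the script: that expansion happens before bash parses
        # the line, so a crafted author name or email would run as shell code.
        env:
          AUTHOR_EMAIL: ${{ github.event.head_commit.author.email }}
          AUTHOR_NAME: ${{ github.event.head_commit.author.name }}
        run: |
          MODIFIED_FILES="$(git status --porcelain | grep -v 'sample' || true)"
          echo "MODIFIED_FILES=${MODIFIED_FILES}"
          if [ -n "${MODIFIED_FILES}" ]; then
            # Quoted so an author name containing spaces is a single argument.
            git config user.email "${AUTHOR_EMAIL}"
            git config user.name "${AUTHOR_NAME}"
            git add base/nsjail-docker/Dockerfile || true
            git add base/healthcheck-docker/Dockerfile || true
            git add kctf-operator/deploy/operator.yaml || true
            git commit -m "Automated commit: update images."
            git push
          fi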