Skip to content

A GitHub Action that can be used to call into a Tanzu Application Platform (TAP) installation and use Tanzu Build Service (TBS) to build an image from source.

License

Notifications You must be signed in to change notification settings

vmware-tanzu/build-image-action

Repository files navigation

Build Image Action for Tanzu Application Platform

build-and-test golangci-lint Build and Publish

This GitHub Action creates a TBS Build on the given cluster.

Warning This software is being released as an Alpha, meaning it is still in active development and may be subject to change at any point.

Overview

Try it out

Setup

In order to use this action there are two things that need to be configured:

  1. Ensure that the GitHub action runner has access to the kubernetes API Server.
  2. Configure a service account that has the required permissions.

Access to the kubernetes API server

The GitHub action talks directly to the kubernetes API server, so if you are running this on github.com with the default action runners you'll need to ensure your API server is accessable from GitHubs IP ranges. Alternatively it may be possible to runner the action on a custom runner within your firewall (with access to the TAP cluster).

Permissions Required

The minimum permissions required on the TBS cluster are documented below:

ClusterRole
 └ kpack.io
   └ clusterbuilders verbs=[get]
Role (developer namespace)
 ├ ''
 │ ├ pods verbs=[get watch list] ✔
 │ └ pods/log verbs=[get] ✔
 └ kpack.io
   └ builds verbs=[get watch list create delete] ✔

The example file contains the minimum required permissions.

To apply this file to a namespace called dev:

kubectl apply -f https://raw.githubusercontent.com/vmware-tanzu/build-image-action/main/config/rbac.yaml

Then to access the values:

DEV_NAMESPACE=dev
SECRET=$(kubectl get sa github-actions -oyaml -n $DEV_NAMESPACE | yq '.secrets[0].name')

CA_CERT=$(kubectl get secret $SECRET -oyaml -n $DEV_NAMESPACE | yq '.data."ca.crt"')
NAMESPACE=$(kubectl get secret $SECRET -oyaml -n $DEV_NAMESPACE | yq .data.namespace | base64 -d)
TOKEN=$(kubectl get secret $SECRET -oyaml -n $DEV_NAMESPACE | yq .data.token | base64 -d)
SERVER=$(kubectl config view --minify | yq '.clusters[0].cluster.server')

Using the GitHub cli create the required secrets on the repository:

gh secret set CA_CERT --app actions --body "$CA_CERT"
gh secret set NAMESPACE --app actions --body "$NAMESPACE"
gh secret set TOKEN --app actions --body "$TOKEN"
gh secret set SERVER --app actions --body "$SERVER"

Usage

Auth

  • server: Host of the API Server.
  • ca-cert: CA Certificate of the API Server.
  • token: Service Account token to access kubernetes.
  • namespace: (required) The namespace to create the build resource in.

Image Configuration

  • destination: (required)
  • env: A list of environment variables to be passed to the build, see below for the format
  • serviceAccountName: Name of the service account in the namespace, defaults to default
  • clusterBuilder: Name of the cluster builder to use, defaults to default
  • timeout: Max active time that the pod can run for in seconds, defaults to 3600
  • cleanup: Should the action cleanup any generated resources on completion, defaults to true

Basic Configuration

- name: Build Image
  id: build
  uses: vmware-tanzu/build-image-action@v1-alpha
  with:
    # auth
    server: ${{ secrets.SERVER }}
    token: ${{ secrets.TOKEN }}
    ca_cert: ${{ secrets.CA_CERT }}
    namespace: ${{ secrets.NAMESPACE }}
    # image config
    destination: gcr.io/project-id/name-for-image
    env: |
      BP_JAVA_VERSION=17
Outputs
  • name: The full name, including sha of the built image.
Example
- name: Do something with image
  run:
    echo "${{ steps.build.outputs.name }}"

Debugging

To run this action in "debug" mode, add a secret called ACTIONS_STEP_DEBUG with the value set to true as documented in the GitHub Action Docs.

Documentation

TODO

Contributing

The build-image-action project team welcomes contributions from the community. Before you start working with this project please read and sign our Contributor License Agreement CLA. If you wish to contribute code and you have not signed our contributor license agreement (CLA), our bot will prompt you to do so when you open a Pull Request. For any questions about the CLA process, please refer to our FAQ.

License

The scripts and documentation in this project are released under the Apache 2.

About

A GitHub Action that can be used to call into a Tanzu Application Platform (TAP) installation and use Tanzu Build Service (TBS) to build an image from source.

Resources

License

Code of conduct

Stars

Watchers

Forks

Packages