Merge pull request #45 from sarg3nt/Updates-found-while-updating-cert…

…-manager-infoblox Updates learned from cert-manager-webhook repo
sarg3nt · Nov 7, 2024 · bd9f6cb · bd9f6cb
2 parents 739a310 + 9176b68
commit bd9f6cb
Show file tree

Hide file tree

Showing 10 changed files with 209 additions and 73 deletions.
diff --git a/.devcontainer/initialize_command.sh b/.devcontainer/initialize_command.sh
@@ -3,6 +3,13 @@ set -euo pipefail
 IFS=$'\n\t'
 
 main() {
+  # Set HOME to the user's home directory if it is not set
+  : "${HOME:=$(eval echo "~${USER}")}"
+  if [[ -z "${HOME}" ]]; then
+    echo "Error: HOME environment variable is not set."
+    exit 1
+  fi
+
   get_latest_dev_container_version
   create_required_folders
 }
@@ -27,15 +34,6 @@ get_latest_dev_container_version() {
 #######################################
 create_required_folders() {
   echo "************** Create any required missing folders if they do not exist ******************"
-
-  if [[ ! -d "${HOME}" && -d "~/" ]]; then
-    HOME="~/"
-  fi
-
-  if [[ ! -d "${HOME}" ]]; then
-    echo "Error: HOME directory does not exist and cannot be set to ~/."
-    exit 1
-  fi
 
   local directories_created=false
   if [[ ! -d "${HOME}/.docker" ]]; then

diff --git a/.devcontainer/post_start_command.sh b/.devcontainer/post_start_command.sh
@@ -3,6 +3,9 @@ set -euo pipefail
 IFS=$'\n\t'
 
 main() {
+  # $HOME is not set in certain situations and since we will always know the home user in the dev container we hard code it.
+  HOME="/home/vscode"
+
   git_update_diff_tool
   copy_ssh_folder
   copy_kube_config

diff --git a/.github/workflows/release-weekly.yml b/.github/workflows/release-weekly.yml
@@ -8,12 +8,13 @@ on:
 
 env:
   REGISTRY: ghcr.io
-  IMAGE_NAME: ${{ github.repository }}
+  REPOSITORY: ${{ github.repository }}
   VERSION: ""
   TAG_MAJOR: ""
   TAG_MINOR: ""
   TAG_PATCH: ""
   TAG_LATEST: ""
+  TAG_OLD: ""
 
 permissions: read-all
 
@@ -30,70 +31,56 @@ jobs:
         with:
           disable-sudo: true
           egress-policy: audit
+
       - name: 'Checkout Repository'
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
         with:
           fetch-depth: 0
           fetch-tags: true
 
-      # Must generate the tag version manually becuase scheduled workflows do not have access to ref: refs/tags/v1.0.0
-      - name: Get the latest tag version
+      - name: Get the latest version
         id: get_version
-        run: |
-          latest_version=$(git describe --tags $(git rev-list --tags --max-count=1))
-          echo "Latest Version: $latest_version"
-          if [[ $latest_version =~ ^v([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
-            major=${BASH_REMATCH[1]}
-            echo "Major: $major"
-            minor=${BASH_REMATCH[2]}
-            echo "Minor: $minor"
-            patch=${BASH_REMATCH[3]}
-            echo "Patch: $patch"
-            
-            new_patch=$((patch + 1))
-
-            tag_major=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${major}
-            tag_minor=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${major}.${minor}
-            tag_patch=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${major}.${minor}.${new_patch}
-            tag_latest=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
-
-            echo "TAG_MAJOR: $tag_major"
-            echo "TAG_MAJOR=$tag_major" >> $GITHUB_ENV
-            echo "TAG_MINOR: $tag_minor"
-            echo "TAG_MINOR=$tag_minor" >> $GITHUB_ENV
-            echo "TAG_PATCH: $tag_patch"
-            echo "TAG_PATCH=$tag_patch" >> $GITHUB_ENV
-            echo "TAG_LATEST: $tag_latest"
-            echo "TAG_LATEST=$tag_latest" >> $GITHUB_ENV
-
-            new_version="v${major}.${minor}.${new_patch}"
-            echo "New Version: $new_version"
-            echo "VERSION=$new_version" >> $GITHUB_ENV
-          else
-            echo "Could not determine the latest tag version."
-            exit 1
-          fi
-
-      # Docs: https://github.com/marketplace/actions/create-release
-      - name: 'Create Release'
-        id: create_release
-        uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5
-        with:
-          body: "A Weekly release contianing upgrades to system packages in the base Rocky Linux container."
-          makeLatest: true
-          prerelease: false
-          tag: ${{ env.VERSION }}
+        run: bash ${GITHUB_WORKSPACE}/workflow_scripts/get_latest_version.sh
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          REGISTRY: ${{ env.REGISTRY }}
+          REPOSITORY: ${{ env.REPOSITORY }}
 
-
       - name: Log into registry
         uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Build and push Docker image
+      - name: Build Docker image
+        id: build
+        uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75
+        with:
+          push: false
+          tags: ${{ env.TAG_MAJOR }},${{ env.TAG_MINOR }},${{ env.TAG_PATCH }},${{ env.TAG_LATEST }}
+
+      - name: Compare the Old and New Docker Images
+        id: compare_versions
+        run: bash ${GITHUB_WORKSPACE}/workflow_scripts/compare_containers.sh
+        env:
+          TAG_OLD: ${{ env.TAG_OLD }}
+          TAG_PATCH: ${{ env.TAG_PATCH }}
+
+      - name: Push Docker image
+        if: steps.compare_versions.outputs.continue == 'true'
         uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75
         with:
           push: true
-          tags: ${{ env.TAG_MAJOR }},${{ env.TAG_MINOR }},${{ env.TAG_PATCH }},${{ env.TAG_LATEST }}
+          tags: ${{ env.TAG_MAJOR }},${{ env.TAG_MINOR }},${{ env.TAG_PATCH }},${{ env.TAG_LATEST }}
+
+      # Docs: https://github.com/marketplace/actions/create-release
+      - name: Create Release
+        id: create_release
+        if: steps.compare_versions.outputs.continue == 'true'
+        uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5
+        with:
+          body: "A Weekly release containing upgrades to system packages in the base Rocky Linux container."
+          makeLatest: true
+          prerelease: false
+          tag: ${{ env.VERSION }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -6,7 +6,7 @@ on:
       - '*'
 env:
   REGISTRY: ghcr.io
-  IMAGE_NAME: ${{ github.repository }}
+  REPOSITORY: ${{ github.repository }}
 
 permissions:
   contents: read
@@ -25,6 +25,7 @@ jobs:
         with:
           disable-sudo: true
           egress-policy: audit
+
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
         with:
@@ -38,11 +39,12 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
+      # During a release workflow the new git tag is provided and is automatically used by this step to generate the new image tags.
       - name: Extract Docker metadata
         id: meta
         uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81
         with:
-          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          images: ${{ env.REGISTRY }}/${{ env.REPOSITORY }}
           tags: |
             type=semver,pattern={{version}}
             type=semver,pattern={{major}}.{{minor}}

diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
@@ -17,7 +17,7 @@ on:
 
 env:
   REGISTRY: ghcr.io
-  IMAGE_NAME: ${{ github.repository }}
+  REPOSITORY: ${{ github.repository }}
 
 permissions:
   contents: read
@@ -50,12 +50,12 @@ jobs:
         uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75
         with:
           push: false
-          tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}
+          tags: ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:${{ github.sha }}
 
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2
         with:
-          image-ref: '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}'
+          image-ref: '${{ env.REGISTRY }}/${{ env.REPOSITORY }}:${{ github.sha }}'
           format: 'template'
           template: '@/contrib/sarif.tpl'
           output: 'trivy-results.sarif'
@@ -72,7 +72,7 @@ jobs:
       - name: Generate SBOM with Trivy
         uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2
         with:
-          image-ref: '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}'
+          image-ref: '${{ env.REGISTRY }}/${{ env.REPOSITORY }}:${{ github.sha }}'
           scan-type: image
           format: 'github'
           output: 'dependency-results.sbom.json'

diff --git a/cspell.json b/cspell.json
@@ -137,6 +137,8 @@
     "roslynator",
     "RPCs",
     "rref",
+    "sarg",
+    "sarg3nt",
     "sbnumber",
     "semver",
     "Serilog",

diff --git a/home/vscode/.bashrc b/home/vscode/.bashrc
@@ -32,7 +32,7 @@ export PROMPT_DIRTRIM=4
 # Set up bash history to work with the passed in Docker volume
 export PROMPT_COMMAND='history -a' &&
   export HISTFILE=/commandhistory/.bash_history
-export PATH="${HOME}/.krew/bin:${HOME}/.local:${HOME}/.local/bin:${HOME}/.local/share:$HOME/.local/share/mise/shims:$HOME/bin:${PATH}"
+export PATH="${HOME}/.local:${HOME}/.local/bin:${HOME}/.local/share:$HOME/.local/share/mise/shims:$HOME/bin:${PATH}"
 
 export EDITOR="nano"
 
@@ -46,12 +46,11 @@ alias la='ls -A'
 alias d="docker"
 
 # Kubernetes
-alias a="argocd"
 alias k="k9s"
 alias kc="kubectl"
 alias kga="kubectl_get_all"
-alias kx="kubectl ctx"
-alias kn="kubectl ns"
+alias kx="kubectx"
+alias kn="kubens"
 alias h="helm"
 
 # shellcheck source=/dev/null
@@ -83,18 +82,17 @@ complete -F __start_helm helm
 # Starship
 eval "$(starship init bash)"
 
-alias g="git"
-
 # Utils
 alias help="/usr/local/bin/help"
+alias g=git
 
 # Run fzf
 # shellcheck source=/dev/null
 [ -f ~/.fzf.bash ] && source ~/.fzf.bash
 
 # Active mise
 eval "$(/usr/local/bin/mise activate bash)"
-mie trust --all
+mise trust --all
 mise install --yes
 
 # Run help screen on shell start.

diff --git a/home/vscode/.zshrc b/home/vscode/.zshrc
@@ -127,7 +127,6 @@ export PATH="${HOME}/.local:${HOME}/.local/bin:${HOME}/.local/share:$HOME/.local
 
 # List files colors and aliases
 export LS_COLORS=$LS_COLORS:"ow=0;32:"
-# alias ls to lsd, the colorful ls replacement
 alias ls='lsd'
 alias ll='ls -alh'
 alias la='ls -A'
@@ -143,6 +142,32 @@ alias kx="kubectx"
 alias kn="kubens"
 alias h="helm"
 
+# shellcheck source=/dev/null
+source <(kubectl completion bash)
+complete -o default -F __start_kubectl k
+
+# kx and kn
+_kube_contexts() {
+  local current_arg
+  current_arg=${COMP_WORDS[COMP_CWORD]}
+  # shellcheck disable=SC2207
+  COMPREPLY=($(compgen -W "- $(kubectl config get-contexts --output='name')" -- "$current_arg"))
+}
+_kube_namespaces() {
+  local current_arg
+  current_arg=${COMP_WORDS[COMP_CWORD]}
+  # shellcheck disable=SC2207
+  COMPREPLY=($(compgen -W "- $(kubectl get namespaces -o=jsonpath='{range .items[*].metadata.name}{@}{"\n"}{end}')" -- "$current_arg"))
+}
+
+complete -F _kube_contexts kx
+complete -F _kube_namespaces kn
+
+# shellcheck source=/dev/null
+source <(helm completion bash)
+complete -F __start_helm h
+complete -F __start_helm helm
+
 # Starship
 if [[ -z "${ZSH_THEME}" ]]; then
   eval "$(starship init zsh)"
@@ -163,4 +188,5 @@ eval "$(/usr/local/bin/mise activate zsh)"
 mise trust --all
 mise install --yes
 
+# Run help screen on shell start.
 help
diff --git a/workflow_scripts/compare_containers.sh b/workflow_scripts/compare_containers.sh
@@ -0,0 +1,53 @@
+#!/bin/bash
+
+#cspell:ignore diffoci
+
+set -euo pipefail
+IFS=$'\n\t'
+
+main() {
+  if [ -z "${TAG_OLD:-}" ]; then
+    echo "Error: TAG_OLD is not set."
+    exit 1
+  fi
+
+  if [ -z "${TAG_PATCH:-}" ]; then
+    echo "Error: TAG_PATCH is not set."
+    exit 1
+  fi
+
+  echo "Downloading the diffoci binary."
+  latest_release_url=$(gh release view -R reproducible-containers/diffoci --json assets -q '.assets[] | select(.name | test("linux-amd64")) | .url')
+  echo "Using the latest release URL: $latest_release_url"
+  curl -L -o diffoci "$latest_release_url"
+  chmod +x diffoci
+  # Github runner does not print empty echos. :(
+  echo "-"
+
+  echo "Pulling the previous Docker image to compare."
+  docker pull "${TAG_OLD}"
+  echo "-"
+
+  echo "Checking if the images are different with diffoci."
+  OLD_IMAGE="docker://${TAG_OLD}"
+  NEW_IMAGE="docker://${TAG_PATCH}"
+  set +e
+  ./diffoci diff --semantic "$OLD_IMAGE" "$NEW_IMAGE"
+  DIFFOCI_EXIT_CODE=$?
+  set -e
+  echo "-"
+
+  # Check the exit code of diffoci. If it is zero then there are no changes, otherwise there are.
+  if [ $DIFFOCI_EXIT_CODE -eq 0 ]; then
+    echo "The images appear to be the same, exiting."
+    echo "continue=false" >>"$GITHUB_OUTPUT"
+    exit 0
+  fi
+
+  echo "The images appear to be different.  Continuing."
+  echo "continue=true" >>"$GITHUB_OUTPUT"
+}
+
+if ! (return 0 2>/dev/null); then
+  (main "$@")
+fi