diff --git a/istio-1.29.yaml b/istio-1.29.yaml
new file mode 100644
index 000000000000..cf1cfe20f8b7
--- /dev/null
+++ b/istio-1.29.yaml
@@ -0,0 +1,290 @@
+package:
+ name: istio-1.29
+ version: "1.29.0"
+ epoch: 0 # GHSA-jv3w-x3r3-g6rm
+ description: Istio is an open source service mesh that layers transparently onto existing distributed applications.
+ copyright:
+ - license: Apache-2.0
+
+var-transforms:
+ - from: ${{package.version}}
+ match: ^(\d+\.\d+)\.\d+$
+ replace: "$1"
+ to: major-minor-version
+
+environment:
+ contents:
+ packages:
+ - busybox
+ - ca-certificates-bundle
+ - go
+ environment:
+ CGO_ENABLED: "0"
+
+pipeline:
+ - uses: git-checkout
+ with:
+ repository: https://github.com/istio/istio
+ tag: ${{package.version}}
+ expected-commit: b155e9e7642e5c0a40ef199da8b20596e2a3d443
+
+subpackages:
+ - name: istio-cni-${{vars.major-minor-version}}
+ pipeline:
+ - uses: go/build
+ with:
+ packages: ./cni/cmd/istio-cni
+ output: istio-cni
+ ldflags: |
+ -X istio.io/istio/pkg/version.buildVersion=${{package.version}}
+ -X istio.io/istio/pkg/version.buildGitRevision=$(git rev-parse HEAD)
+ -X istio.io/istio/pkg/version.buildTag=$(git describe --tags --always)
+ -X istio.io/istio/pkg/version.buildStatus="Clean"
+ extra-args: "-buildvcs=false"
+ - uses: strip
+ dependencies:
+ provides:
+ - istio-cni=${{package.full-version}}
+ test:
+ pipeline:
+ - uses: test/virtualpackage
+ with:
+ virtual-pkg-name: istio-cni
+ real-pkg-name: ${{subpkg.name}}
+
+ - name: istioctl-${{vars.major-minor-version}}
+ pipeline:
+ - uses: go/build
+ with:
+ packages: ./istioctl/cmd/istioctl
+ output: istioctl
+ ldflags: |
+ -X istio.io/istio/pkg/version.buildVersion=${{package.version}}
+ -X istio.io/istio/pkg/version.buildGitRevision=$(git rev-parse HEAD)
+ -X istio.io/istio/pkg/version.buildTag=$(git describe --tags --always)
+ -X istio.io/istio/pkg/version.buildStatus="Clean"
+ extra-args: "-buildvcs=false"
+ dependencies:
+ provides:
+ - istioctl=${{package.full-version}}
+ test:
+ pipeline:
+ - runs: |
+ istioctl version --remote=false
+ istioctl --help
+
+ - name: istioctl-bash-completion-${{vars.major-minor-version}}
+ dependencies:
+ provides:
+ - istioctl-bash-completion=${{package.full-version}}
+ runtime:
+ - istioctl-${{vars.major-minor-version}}
+ - bash-completion
+ pipeline:
+ - runs: |
+ mkdir -p "${{targets.contextdir}}"/usr/share/bash-completion/completions
+ ${{targets.outdir}}/istioctl-${{vars.major-minor-version}}/usr/bin/istioctl completion bash > "${{targets.contextdir}}"/usr/share/bash-completion/completions/istioctl-${{vars.major-minor-version}}
+ test:
+ pipeline:
+ - runs: stat /usr/share/bash-completion/completions/istioctl-${{vars.major-minor-version}}
+
+ - name: istioctl-zsh-completion-${{vars.major-minor-version}}
+ dependencies:
+ provides:
+ - istioctl-zsh-completion=${{package.full-version}}
+ runtime:
+ - istioctl-${{vars.major-minor-version}}
+ pipeline:
+ - runs: |
+ mkdir -p "${{targets.contextdir}}"/usr/share/zsh/site-functions
+ ${{targets.outdir}}/istioctl-${{vars.major-minor-version}}/usr/bin/istioctl completion zsh > "${{targets.contextdir}}"/usr/share/zsh/site-functions/istioctl-${{vars.major-minor-version}}
+ test:
+ pipeline:
+ - runs: stat /usr/share/zsh/site-functions/istioctl-${{vars.major-minor-version}}
+
+ - name: istio-cni-${{vars.major-minor-version}}-compat
+ pipeline:
+ - runs: |
+ # See https://github.com/istio/istio/blob/1.20.2/cni/deployments/kubernetes/Dockerfile.install-cni
+ mkdir -p ${{targets.subpkgdir}}/opt/cni/bin
+ ln -sf /usr/bin/istio-cni ${{targets.subpkgdir}}/opt/cni/bin/istio-cni
+ dependencies:
+ provides:
+ - istio-cni-compat=${{package.full-version}}
+ test:
+ pipeline:
+ - uses: test/virtualpackage
+ with:
+ virtual-pkg-name: istio-cni-compat
+ real-pkg-name: ${{subpkg.name}}
+
+ - name: istio-install-cni-${{vars.major-minor-version}}
+ pipeline:
+ - uses: go/build
+ with:
+ packages: ./cni/cmd/install-cni
+ output: install-cni
+ ldflags: |
+ -X istio.io/istio/pkg/version.buildVersion=${{package.version}}
+ -X istio.io/istio/pkg/version.buildGitRevision=$(git rev-parse HEAD)
+ -X istio.io/istio/pkg/version.buildTag=$(git describe --tags --always)
+ -X istio.io/istio/pkg/version.buildStatus="Clean"
+ extra-args: "-buildvcs=false"
+ - uses: strip
+ dependencies:
+ provides:
+ - istio-install-cni=${{package.full-version}}
+ test:
+ pipeline:
+ - uses: test/virtualpackage
+ with:
+ virtual-pkg-name: istio-install-cni
+ real-pkg-name: ${{subpkg.name}}
+
+ - name: istio-install-cni-${{vars.major-minor-version}}-compat
+ pipeline:
+ - runs: |
+ # See https://github.com/istio/istio/blob/1.20.0/cni/deployments/kubernetes/Dockerfile.install-cni
+ mkdir -p ${{targets.subpkgdir}}/usr/local/bin
+ ln -sf /usr/bin/install-cni ${{targets.subpkgdir}}/usr/local/bin/install-cni
+ dependencies:
+ provides:
+ - istio-install-cni-compat=${{package.full-version}}
+ test:
+ pipeline:
+ - uses: test/virtualpackage
+ with:
+ virtual-pkg-name: istio-install-cni-compat
+ real-pkg-name: ${{subpkg.name}}
+
+ - name: istio-pilot-agent-${{vars.major-minor-version}}
+ pipeline:
+ - uses: go/build
+ with:
+ packages: ./pilot/cmd/pilot-agent
+ output: pilot-agent
+ # Extracted from https://github.com/istio/istio/blob/4358b84b911a80ba09ef36ac00ad85535a77e7ca/common/scripts/report_build_info.sh#L41-L48
+ # Use this instead for buildStatus once our pipeline stops dirtying the git tree: "$(if git diff-index --quiet HEAD --; then echo "Clean"; else echo "Modified"; fi)"
+ ldflags: |
+ -X istio.io/istio/pkg/version.buildVersion=${{package.version}}
+ -X istio.io/istio/pkg/version.buildGitRevision=$(git rev-parse HEAD)
+ -X istio.io/istio/pkg/version.buildTag=$(git describe --tags --always)
+ -X istio.io/istio/pkg/version.buildStatus="Clean"
+ extra-args: "-buildvcs=false"
+ - runs: |
+ mkdir -p ${{targets.subpkgdir}}/var/lib/istio/envoy
+ cp ./tools/packaging/common/envoy_bootstrap.json \
+ ${{targets.subpkgdir}}/var/lib/istio/envoy/envoy_bootstrap_tmpl.json
+
+ - name: istio-pilot-agent-${{vars.major-minor-version}}-compat
+ pipeline:
+ - runs: |
+ # link /usr/local/bin/pilot-agent -> /usr/bin/pilot-agent to match
+ # what the Istio Helm charts may expect.
+ mkdir -p ${{targets.subpkgdir}}/usr/local/bin
+ ln -sf /usr/bin/pilot-agent ${{targets.subpkgdir}}/usr/local/bin/pilot-agent
+ dependencies:
+ provides:
+ - istio-pilot-agent-compat=${{package.full-version}}
+ test:
+ pipeline:
+ - uses: test/virtualpackage
+ with:
+ virtual-pkg-name: istio-pilot-agent-compat
+ real-pkg-name: ${{subpkg.name}}
+
+ - name: istio-pilot-discovery-${{vars.major-minor-version}}
+ pipeline:
+ - uses: go/build
+ with:
+ packages: ./pilot/cmd/pilot-discovery
+ output: pilot-discovery
+ # Extracted from https://github.com/istio/istio/blob/4358b84b911a80ba09ef36ac00ad85535a77e7ca/common/scripts/report_build_info.sh#L41-L48
+ # Use this instead for buildStatus once our pipeline stops dirtying the git tree: "$(if git diff-index --quiet HEAD --; then echo "Clean"; else echo "Modified"; fi)"
+ ldflags: |
+ -X istio.io/istio/pkg/version.buildVersion=${{package.version}}
+ -X istio.io/istio/pkg/version.buildGitRevision=$(git rev-parse HEAD)
+ -X istio.io/istio/pkg/version.buildTag=$(git describe --tags --always)
+ -X istio.io/istio/pkg/version.buildStatus="Clean"
+ extra-args: "-buildvcs=false"
+ - runs: |
+ mkdir -p ${{targets.subpkgdir}}/var/lib/istio/envoy
+ cp ./tools/packaging/common/envoy_bootstrap.json \
+ ${{targets.subpkgdir}}/var/lib/istio/envoy/envoy_bootstrap_tmpl.json
+
+ - name: istio-pilot-discovery-${{vars.major-minor-version}}-compat
+ pipeline:
+ - runs: |
+ # link /usr/local/bin/pilot-discovery -> /usr/bin/pilot-discovery to match
+ # what the Istio Helm charts may expect.
+ mkdir -p ${{targets.subpkgdir}}/usr/local/bin
+ ln -sf /usr/bin/pilot-discovery ${{targets.subpkgdir}}/usr/local/bin/pilot-discovery
+ dependencies:
+ provides:
+ - istio-discovery-compat=${{package.full-version}}
+ test:
+ pipeline:
+ - uses: test/virtualpackage
+ with:
+ virtual-pkg-name: istio-discovery-compat
+ real-pkg-name: ${{subpkg.name}}
+
+ - name: ${{package.name}}-base
+ description: Package for Istio base image with common utilities
+ dependencies:
+ provides:
+ - istio-base=${{package.full-version}}
+ runtime:
+ - bash
+ - bind-tools
+ - ca-certificates
+ - conntrack-tools
+ - curl
+ - iproute2
+ - iptables
+ - iputils
+ - lsof
+ - net-tools
+ - netcat-openbsd
+ - nftables
+ - sudo
+ - tcpdump
+ pipeline:
+ - runs: |
+ if ! diff -q docker/Dockerfile.base Dockerfile.base; then
+ echo "Dockerfile has changed since last build, please update istio-1.28/Dockerfile.base and runtime dependencies"
+ exit 1
+ fi
+ test:
+ pipeline:
+ - uses: test/emptypackage
+
+update:
+ enabled: true
+ ignore-regex-patterns:
+ - '-rc'
+ - '-beta'
+ github:
+ identifier: istio/istio
+ tag-filter-prefix: 1.29.
+ use-tag: true
+
+test:
+ environment:
+ contents:
+ packages:
+ - jq
+ - grep
+ - istio-pilot-agent-${{vars.major-minor-version}}
+ - istio-pilot-discovery-${{vars.major-minor-version}}
+ pipeline:
+ - runs: |
+ # check version/tag/commit are not "unknown" for pilot-discovery
+ pilot-discovery version -o json | jq .clientVersion.version | grep -q ${{package.version}}
+ pilot-discovery version -o json | jq .clientVersion.revision | grep -qv unknown
+ pilot-discovery version -o json | jq .clientVersion.tag | grep -qv unknown
+
+ # check version/tag/commit are not "unknown" for pilot-agent
+ pilot-agent version -o json | jq .clientVersion.version | grep -q ${{package.version}}
+ pilot-agent version -o json | jq .clientVersion.revision | grep -qv unknown
+ pilot-agent version -o json | jq .clientVersion.tag | grep -qv unknown
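Review bot: The drift-check failure message in the `${{package.name}}-base` subpackage still names `istio-1.28/Dockerfile.base`, while the copy this commit adds is `istio-1.29/Dockerfile.base`; a maintainer who follows the message would edit the wrong release's file. Change the line to `echo "Dockerfile has changed since last build, please update istio-1.29/Dockerfile.base and runtime dependencies"`, or build the directory name from `${{package.name}}` so the next version copy cannot go stale. The check also deserves a comment above the `if`, for example `# Fail the build when upstream docker/Dockerfile.base differs from our reviewed copy, so the runtime list (sudo, tcpdump, netcat-openbsd, ...) is re-reviewed`, because the reason the build stops is not obvious from the `diff -q` alone.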
diff --git a/istio-1.29/Dockerfile.base b/istio-1.29/Dockerfile.base
new file mode 100644
index 000000000000..cc0467245edd
--- /dev/null
+++ b/istio-1.29/Dockerfile.base
@@ -0,0 +1,35 @@
+FROM ubuntu:noble
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+# Do not add more stuff to this list that isn't small or critically useful.
+# If you occasionally need something on the container do
+# sudo apt-get update && apt-get whichever
+
+# hadolint ignore=DL3005,DL3008
+RUN apt-get update && \
+ apt-get install --no-install-recommends -y \
+ ca-certificates \
+ curl \
+ iptables \
+ nftables \
+ iproute2 \
+ iputils-ping \
+ knot-dnsutils \
+ netcat-openbsd \
+ tcpdump \
+ conntrack \
+ bsdmainutils \
+ net-tools \
+ lsof \
+ sudo \
+ && update-ca-certificates \
+ && apt-get upgrade -y \
+ && apt-get clean \
+ && rm -rf /var/log/*log /var/lib/apt/lists/* /var/log/apt/* /var/lib/dpkg/*-old /var/cache/debconf/*-old \
+ && update-alternatives --set iptables /usr/sbin/iptables-legacy \
+ && update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
+
+# Sudoers used to allow tcpdump and other debug utilities.
+RUN useradd -m --uid 1337 istio-proxy && \
+ echo "istio-proxy ALL=NOPASSWD: ALL" >> /etc/sudoers
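Review bot: The last RUN grants `istio-proxy ALL=NOPASSWD: ALL`, which is wider than the comment above it describes (tcpdump and other debug utilities): in an image built this way, any process running as uid 1337 can become root without a password. If only packet capture and similar tools are intended, a rule scoped to those binaries, e.g. `istio-proxy ALL=NOPASSWD: <absolute paths of the debug tools>` (placeholder), would match the stated purpose. This file appears to be a verbatim copy of upstream's docker/Dockerfile.base, which the `-base` subpackage in istio-1.29.yaml compares with `diff -q`, so the copy itself probably has to stay byte-identical. The place to act is the image definition that consumes `istio-base`, which should state whether it reproduces the uid 1337 user and the sudoers entry or only the package list.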