Skip to content

azure-podvm-image-build #34

azure-podvm-image-build

azure-podvm-image-build #34

name: Azure PodVM image build
on:
workflow_call:
inputs:
image-version:
type: string
required: true
outputs:
image-id:
description: "The PodVM image id"
value: ${{ jobs.build-podvm-image.outputs.image-id }}
workflow_dispatch:
inputs:
image-version:
type: string
description: x.y.z
git-ref:
type: string
default: 'main'
description: tag, branch, sha
permissions:
id-token: write
contents: read
env:
AZURE_PODVM_IMAGE_DEF_NAME: "${{ vars.AZURE_PODVM_IMAGE_DEF_NAME }}"
AZURE_PODVM_IMAGE_VERSION: "${{ inputs.image-version }}"
COMMUNITY_GALLERY_PREFIX: "/CommunityGalleries/${{ vars.AZURE_COMMUNITY_GALLERY_NAME }}"
PODVM_IMAGE_NAME: "peerpod-image-${{ github.run_id }}-${{ github.run_attempt }}"
jobs:
build-podvm-image:
runs-on: ubuntu-22.04
defaults:
run:
working-directory: cloud-api-adaptor/src/cloud-api-adaptor/azure/image
outputs:
image-id: "${{ steps.create-image.outputs.image-id }}"
steps:
- name: Clone cloud-api-adaptor repository
uses: actions/checkout@v3
with:
path: cloud-api-adaptor
ref: "${{ inputs.git-ref || 'main' }}"
- name: Clone rust repos
run: |
# we have to clone prior to cache loading
make ../../podvm/..//../kata-containers
make ../../../guest-components
- name: Read properties from versions.yaml
working-directory: cloud-api-adaptor/src/cloud-api-adaptor
run: |
go_version="$(yq '.tools.golang' versions.yaml)"
[ -n "$go_version" ]
echo "GO_VERSION=${go_version}" >> "$GITHUB_ENV"
rust_version="$(yq '.tools.rust' versions.yaml)"
[ -n "$rust_version" ]
echo "RUST_VERSION=${rust_version}" >> "$GITHUB_ENV"
- name: Set up Go environment
uses: actions/setup-go@v4
with:
go-version: ${{ env.GO_VERSION }}
cache-dependency-path: cloud-api-adaptor/src/cloud-api-adaptor/go.sum
- uses: actions-rs/toolchain@v1
with:
profile: minimal
toolchain: ${{ env.RUST_VERSION }}
target: x86_64-unknown-linux-musl
default: true
- name: Install build dependencies
run: |
sudo apt-get update
sudo apt-get install -y \
clang \
gcc \
libdevmapper-dev \
libgpgme-dev \
libssl-dev \
libtss2-dev \
pkg-config \
protobuf-compiler
- name: Set up rust build cache
uses: actions/cache@v4
continue-on-error: false
with:
path: |
~/.cargo/registry/index/
~/.cargo/registry/cache/
guest-components/target
kata-containers/src/agent/target
key: rust-${{ env.RUST_VERSION }}
- name: Build kata-agent
env:
GOPATH: /home/runner/go
run: make "$(realpath ../../podvm/files/usr/local/bin/kata-agent)" LIBC=gnu
- name: Build binaries
run: make binaries \
ATTESTER="az-snp-vtpm-attester,az-tdx-vtpm-attester" \
LIBC=gnu
- uses: azure/login@v1
name: 'Az CLI login'
with:
client-id: ${{ secrets.AZURE_CLIENT_ID }}
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
- name: Create image
id: create-image
env:
IMAGE_ID: "${{ env.COMMUNITY_GALLERY_PREFIX }}/images/${{ env.AZURE_PODVM_IMAGE_DEF_NAME }}/versions/${{ env.AZURE_PODVM_IMAGE_VERSION }}"
PKR_VAR_subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
PKR_VAR_resource_group: ${{ secrets.AZURE_RESOURCE_GROUP }}
PKR_VAR_location: ${{ secrets.AZURE_REGION }}
PKR_VAR_az_image_name: ${{ env.PODVM_IMAGE_NAME }}
PKR_VAR_vm_size: "Standard_D2as_v5"
PKR_VAR_ssh_username: "peerpod"
PKR_VAR_az_gallery_name: ${{ secrets.AZURE_PODVM_GALLERY_NAME }}
PKR_VAR_az_gallery_image_name: ${{ env.AZURE_PODVM_IMAGE_DEF_NAME }}
PKR_VAR_az_gallery_image_version: ${{ env.AZURE_PODVM_IMAGE_VERSION }}
PKR_VAR_use_azure_cli_auth: "true"
run: |
make image \
CLOUD_PROVIDER=azure \
PODVM_DISTRO=ubuntu
echo "successfully built $IMAGE_ID"
echo "image-id=${IMAGE_ID}" >> "$GITHUB_OUTPUT"
# Above build can take a > 10 minutes and the login assertion is valid only
# for 5 minutes, so re-login before we cleanup the intermediate image.
- uses: azure/login@v1
name: 'Az CLI login'
with:
client-id: ${{ secrets.AZURE_CLIENT_ID }}
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
- name: Cleanup intermediate image
if: always()
run: |
# Delete intermediate image
az image delete \
--resource-group ${{ secrets.AZURE_RESOURCE_GROUP }} \
--name ${{ env.PODVM_IMAGE_NAME }}