diff --git a/.github/workflows/Procedure_push_docker_images.yml b/.github/workflows/Procedure_push_docker_images.yml index 28fcf085..1a0ca807 100644 --- a/.github/workflows/Procedure_push_docker_images.yml +++ b/.github/workflows/Procedure_push_docker_images.yml @@ -11,10 +11,6 @@ on: docker_reference: description: 'wazuh-docker reference' required: true - products: - description: 'Comma-separated list of the image names to build and push' - default: 'wazuh-manager,wazuh-dashboard,wazuh-indexer,wazuh-agent' - required: true filebeat_module_version: description: 'Filebeat module version' default: '0.4' @@ -23,11 +19,6 @@ on: description: 'Package revision' default: '1' required: true - push_images: - description: 'Push images' - type: boolean - default: true - required: true id: description: "ID used to identify the workflow uniquely." type: string @@ -48,11 +39,6 @@ on: description: 'wazuh-docker reference' required: false type: string - products: - description: 'Comma-separated list of the image names to build and push' - default: 'wazuh-manager,wazuh-dashboard,wazuh-indexer,wazuh-agent' - required: true - type: string filebeat_module_version: description: 'Filebeat module version' default: '0.4' @@ -63,11 +49,6 @@ on: default: '1' required: true type: string - push_images: - description: 'Push images' - type: boolean - default: true - required: true id: description: "ID used to identify the workflow uniquely." type: string @@ -82,6 +63,16 @@ jobs: build-and-push: runs-on: ubuntu-22.04 + permissions: + id-token: write + contents: read + + env: + IMAGE_REGISTRY: ${{ inputs.dev && vars.IMAGE_REGISTRY_DEV || vars.IMAGE_REGISTRY_PROD }} + IMAGE_TAG: ${{ inputs.image_tag }} + FILEBEAT_MODULE_VERSION: ${{ inputs.filebeat_module_version }} + REVISION: ${{ inputs.revision }} + steps: - name: Print inputs run: | 
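Review bot: The new job-level `IMAGE_REGISTRY: ${{ inputs.dev && vars.IMAGE_REGISTRY_DEV || vars.IMAGE_REGISTRY_PROD }}` falls through to the production registry whenever `vars.IMAGE_REGISTRY_DEV` is empty or undefined, because `&&`/`||` in expressions is value selection rather than a ternary; combined with the unconditional `-m` later in this diff (which turns on `--push` in `build-images.sh`), a dev run with a missing variable would publish development images to the production registry. Selecting the registry in a shell step and failing when the chosen value is empty removes that fallback. `id-token: write` is also granted for the whole job, so the OIDC token is mintable on the Docker Hub path (`inputs.dev == false`) that never uses it; that is a limitation of job-scoped permissions, but a comment such as `# id-token is needed only by the ECR (dev) path; permissions are job-scoped` would record the intent. The `build-and-push` job continues past this hunk.
```yaml
      - name: Select image registry
        env:
          DEV: ${{ inputs.dev }}
          REGISTRY_DEV: ${{ vars.IMAGE_REGISTRY_DEV }}
          REGISTRY_PROD: ${{ vars.IMAGE_REGISTRY_PROD }}
        run: |
          if [ "$DEV" = "true" ]; then REGISTRY="$REGISTRY_DEV"; else REGISTRY="$REGISTRY_PROD"; fi
          [ -n "$REGISTRY" ] || { echo "::error::image registry variable is not set for dev=$DEV"; exit 1; }
          echo "IMAGE_REGISTRY=$REGISTRY" >> "$GITHUB_ENV"
      # … unchanged: job-level env for IMAGE_TAG, FILEBEAT_MODULE_VERSION, REVISION …
```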
@@ -96,10 +87,8 @@ jobs: echo "* id: ${{ inputs.id }}" echo "* image_tag: ${{ inputs.image_tag }}" echo "* docker_reference: ${{ inputs.docker_reference }}" - echo "* products: ${{ inputs.products }}" echo "* filebeat_module_version: ${{ inputs.filebeat_module_version }}" echo "* revision: ${{ inputs.revision }}" - echo "* push_images: ${{ inputs.push_images }}" echo "* dev: ${{ inputs.dev }}" echo "---------------------------------------------" @@ -108,7 +97,28 @@ jobs: with: ref: ${{ inputs.docker_reference }} + - name: free disk space + uses: ./.github/free-disk-space + + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Configure aws credentials + if: ${{ inputs.dev == true }} + uses: aws-actions/configure-aws-credentials@v4 + with: + role-to-assume: ${{ secrets.AWS_IAM_DOCKER_ROLE }} + aws-region: "${{ secrets.AWS_REGION }}" + + - name: Log in to Amazon ECR + if: ${{ inputs.dev == true }} + uses: aws-actions/amazon-ecr-login@v2 + - name: Log in to Docker Hub + if: ${{ inputs.dev == false }} uses: docker/login-action@v3 with: username: ${{ secrets.DOCKERHUB_USERNAME }} @@ -116,7 +126,7 @@ jobs: - name: Build Wazuh images run: | - IMAGE_TAG=${{ inputs.image_tag }} + IMAGE_TAG="${{ inputs.image_tag }}" FILEBEAT_MODULE_VERSION=${{ inputs.filebeat_module_version }} REVISION=${{ inputs.revision }} 
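Review bot: The newly added third-party steps (`docker/setup-qemu-action@v3`, `docker/setup-buildx-action@v3`, `aws-actions/configure-aws-credentials@v4`, `aws-actions/amazon-ecr-login@v2`) are referenced by mutable major-version tags, and this job now holds `id-token: write`, so a moved tag would run with the ability to assume `secrets.AWS_IAM_DOCKER_ROLE` and push to the registry. Pinning each `uses:` to a full commit SHA with the tag in a trailing comment, e.g. `uses: aws-actions/configure-aws-credentials@<commit-sha> # v4`, keeps the update path explicit and reviewable; the existing `docker/login-action@v3` line has the same exposure. Minor: `aws-region` is read from `secrets.AWS_REGION`, which masks a non-sensitive value in logs, so a repository variable is the usual home for it.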
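Review bot: Wrapping the expression in double quotes (`IMAGE_TAG="${{ inputs.image_tag }}"`) does not change how it is handled: `${{ }}` is substituted into the script text before the shell starts, so a `workflow_dispatch` value containing a quote or command separator still alters the script. The job-level `env` added earlier in this diff already exposes the same values as `$IMAGE_TAG`, `$FILEBEAT_MODULE_VERSION` and `$REVISION`, so the three assignments `IMAGE_TAG=...`, `FILEBEAT_MODULE_VERSION=...`, `REVISION=...` can simply be deleted and the later `-v $WAZUH_VER -r $REVISION -f $FILEBEAT_MODULE_VERSION` usages double-quoted. The `Build Wazuh images` step continues into the next hunk.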
@@ -128,13 +138,13 @@ jobs: fi DEV_STAGE=${tokens[1]} WAZUH_VER=${tokens[0]} - ./build-docker-images/build-images.sh -v $WAZUH_VER -r $REVISION -d $DEV_STAGE -f $FILEBEAT_MODULE_VERSION + ./build-images.sh -v $WAZUH_VER -r $REVISION -d $DEV_STAGE -f $FILEBEAT_MODULE_VERSION -rg $IMAGE_REGISTRY -m else - ./build-docker-images/build-images.sh -v $IMAGE_TAG -r $REVISION -f $FILEBEAT_MODULE_VERSION + ./build-images.sh -v $IMAGE_TAG -r $REVISION -f $FILEBEAT_MODULE_VERSION -rg $IMAGE_REGISTRY -m fi # Save .env file (generated by build-images.sh) contents to $GITHUB_ENV - ENV_FILE_PATH=".env" + ENV_FILE_PATH="../.env" if [ -f $ENV_FILE_PATH ]; then while IFS= read -r line || [ -n "$line" ]; do 
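Review bot: `$IMAGE_REGISTRY` is passed unquoted in both `./build-images.sh ... -rg $IMAGE_REGISTRY -m` lines; if the job-level variable is empty the shell drops the argument, the script's `-rg` parser (which only checks `-n "${2}"`) takes `-m` as the registry name, and images are tagged `-m/wazuh/...` with multi-arch/push silently disabled. Guard before the `if` with `[ -n "$IMAGE_REGISTRY" ] || { echo "IMAGE_REGISTRY is empty" >&2; exit 1; }` and quote the expansion as `-rg "$IMAGE_REGISTRY"` on both lines. `ENV_FILE_PATH="../.env"` only works because of the `working-directory: ./build-docker-images` added to this step in a later hunk; a comment `# build-images.sh writes .env one level above its own directory` would make the relative path less surprising. The step's `run:` block starts in the previous hunk.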
@@ -144,102 +154,4 @@ jobs: echo "The environment file $ENV_FILE_PATH does not exist!" exit 1 fi - - - name: Image exists validation - if: ${{ inputs.push_images }} - id: validation - run: | - IMAGE_TAG=${{ inputs.image_tag }} - PURPOSE="" - - if [[ "$IMAGE_TAG" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then - if docker manifest inspect wazuh/wazuh-manager:$IMAGE_TAG > /dev/null 2>&1; then - PURPOSE="regeneration" - echo "Image wazuh/wazuh-manager:$IMAGE_TAG exists. Setting PURPOSE to 'regeneration'" - else - PURPOSE="new release" - echo "Image wazuh/wazuh-manager:$IMAGE_TAG does NOT exist. Setting PURPOSE to 'new release'" - fi - echo "✅ Release tag: '$IMAGE_TAG'" - elif [[ "$IMAGE_TAG" =~ ^[0-9]+\.[0-9]+\.[0-9]+-(alpha|beta|rc)[0-9]+$ ]]; then - PURPOSE="new stage" - echo "✅ Stage tag: '$IMAGE_TAG'. Setting PURPOSE to 'new stage'" - else - echo "❌ No release or stage tag ('$IMAGE_TAG'), the GH issue will not be created" - fi - - echo "purpose=$PURPOSE" >> $GITHUB_OUTPUT - - - name: Tag and Push Wazuh images - if: ${{ inputs.push_images }} - run: | - IMAGE_TAG="${{ inputs.image_tag }}$( [ "${{ inputs.dev }}" == "true" ] && echo '-dev' || true )" - IMAGE_NAMES=${{ inputs.products }} - IFS=',' read -r -a images <<< "$IMAGE_NAMES" - for image in "${images[@]}"; do - echo "Tagging and pushing wazuh/$image:${WAZUH_VERSION} to wazuh/$image:$IMAGE_TAG" - docker tag wazuh/$image:${WAZUH_VERSION} wazuh/$image:$IMAGE_TAG - echo "Pushing wazuh/$image:$IMAGE_TAG ..." 
- docker push wazuh/$image:$IMAGE_TAG - done - - - name: GH issue notification - if: ${{ inputs.push_images && steps.validation.outputs.purpose != '' }} - run: | - IMAGE_TAG=${{ inputs.image_tag }} - GH_TITLE="" - GH_MESSAGE="" - PURPOSE="${{ steps.validation.outputs.purpose }}" - - ## Setting GH issue title - GH_TITLE="Artifactory vulnerabilities update \`v$IMAGE_TAG\`" - - ## Setting GH issue body - GH_MESSAGE=$(cat <<- EOF | tr -d '\r' | sed 's/^[[:space:]]*//' - ### Description - - [ ] Update the [Artifactory vulnerabilities](${{ secrets.NOTIFICATION_SHEET_URL }}) sheet with the \`v$IMAGE_TAG\` vulnerabilities. - - **Purpose**: $PURPOSE - >[!NOTE] - >To update the \`Tentative Release\` column, follow these steps: - https://github.com/wazuh/${{ secrets.NOTIFICATION_REPO }}/issues/2049#issuecomment-2671590268 - EOF - ) - - # Print the GH Variables content - echo "--- Variable Content ---" - echo "$GH_TITLE" - echo "------------------------" - - echo "--- Variable Content ---" - echo "$GH_MESSAGE" - echo "------------------------" - - ## GH issue creation - ISSUE_URL=$(gh issue create \ - -R wazuh/${{ secrets.NOTIFICATION_REPO }} \ - --title "$GH_TITLE" \ - --body "$GH_MESSAGE" \ - --label "level/task" \ - --label "type/maintenance" \ - --label "request/operational") - - ## Adding the issue to the team project - PROJECT_ITEM_ID=$(gh project item-add \ - ${{ secrets.NOTIFICATION_PROJECT_NUMBER }} \ - --url $ISSUE_URL \ - --owner wazuh \ - --format json \ - | jq -r '.id') - - ## Setting Objective - gh project item-edit --id $PROJECT_ITEM_ID --project-id ${{ secrets.NOTIFICATION_PROJECT_ID }} --field-id ${{ secrets.NOTIFICATION_PROJECT_OBJECTIVE_ID }} --text "Security scans" - ## Setting Priority - gh project item-edit --id $PROJECT_ITEM_ID --project-id ${{ secrets.NOTIFICATION_PROJECT_ID }} --field-id ${{ secrets.NOTIFICATION_PROJECT_PRIORITY_ID }} --single-select-option-id ${{ secrets.NOTIFICATION_PROJECT_PRIORITY_OPTION_ID }} - ## Setting Size - gh project 
item-edit --id $PROJECT_ITEM_ID --project-id ${{ secrets.NOTIFICATION_PROJECT_ID }} --field-id ${{ secrets.NOTIFICATION_PROJECT_SIZE_ID }} --single-select-option-id ${{ secrets.NOTIFICATION_PROJECT_SIZE_OPTION_ID }} - ## Setting Subteam - gh project item-edit --id $PROJECT_ITEM_ID --project-id ${{ secrets.NOTIFICATION_PROJECT_ID }} --field-id ${{ secrets.NOTIFICATION_PROJECT_SUBTEAM_ID }} --single-select-option-id ${{ secrets.NOTIFICATION_PROJECT_SUBTEAM_OPTION_ID }} - - env: - GH_TOKEN: ${{ secrets.NOTIFICATION_GH_ARTIFACT_TOKEN }} + working-directory: ./build-docker-images diff --git a/build-docker-images/build-images.sh b/build-docker-images/build-images.sh index 2cec68c8..f57d4878 100755 --- a/build-docker-images/build-images.sh +++ b/build-docker-images/build-images.sh @@ -1,8 +1,6 @@ -WAZUH_IMAGE_VERSION=4.14.3 -WAZUH_VERSION=$(echo $WAZUH_IMAGE_VERSION | sed -e 's/\.//g') -WAZUH_TAG_REVISION=1 +IMAGE_TAG=4.14.3 WAZUH_CURRENT_VERSION=$(curl --silent https://api.github.com/repos/wazuh/wazuh/releases/latest | grep '["]tag_name["]:' | sed -E 's/.*\"([^\"]+)\".*/\1/' | cut -c 2- | sed -e 's/\.//g') -IMAGE_VERSION=${WAZUH_IMAGE_VERSION} +WAZUH_REGISTRY=docker.io # Wazuh package generator # Copyright (C) 2023, Wazuh Inc. @@ -44,7 +42,7 @@ build() { if [ "${WAZUH_DEV_STAGE}" ];then FILEBEAT_TEMPLATE_BRANCH="v${FILEBEAT_TEMPLATE_BRANCH}-${WAZUH_DEV_STAGE,,}" if ! curl --output /dev/null --silent --head --fail "https://github.com/wazuh/wazuh/tree/${FILEBEAT_TEMPLATE_BRANCH}"; then - echo "The indicated branch does not exist in the wazuh/wazuh repository: ${FILEBEAT_TEMPLATE_BRANCH}" + echo "The indicated branch does not exist in the wazuh/wazuh repository: ${FILEBEAT_TEMPLATE_BRANCH}" clean 1 fi else 
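Review bot: With the `Image exists validation` step removed and the push now performed unconditionally inside `build-images.sh` (`docker buildx bake --push` whenever `-m` is set), nothing checks whether `wazuh/<image>:<tag>` already exists on the target registry before it is overwritten; the old `docker manifest inspect` check was the only guard against silently republishing an existing release tag. If published tags are meant to be immutable, restore a pre-build existence check or enable tag immutability on the target registries where it is supported, rather than relying on the build script. The removed `-dev` tag suffix also has no replacement in this diff, so dev and prod images now carry identical tags and differ only by registry, which deserves a line in the workflow description. The `Build Wazuh images` step, to which `working-directory` is appended, starts in an earlier hunk.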
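Review bot: The defaults `WAZUH_IMAGE_VERSION=4.14.3` and `WAZUH_TAG_REVISION=1` are removed, yet both variables are still consumed: `help()` prints `By default ${WAZUH_TAG_REVISION}` and `By default, ${WAZUH_IMAGE_VERSION}`, and the `.env` written in the `@@ -58` hunk stores `WAZUH_VERSION=$WAZUH_IMAGE_VERSION`, so a run without `-v`/`-r` now produces empty values unless they are re-set outside the visible hunks. Conversely the new `IMAGE_TAG=4.14.3` is a literal while `-v` assigns `WAZUH_IMAGE_VERSION`; nothing in this diff links the two, but `build-images.yml` now tags every image with `${IMAGE_TAG}`, so `-v` may no longer influence the tag — please confirm where `IMAGE_TAG` is derived, and if it is not, set `IMAGE_TAG="${WAZUH_IMAGE_VERSION}"` before the `.env` is written. A short header comment listing which variables are inputs and which are derived would help the next reader.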
@@ -58,15 +56,25 @@ build() { fi fi - echo WAZUH_VERSION=$WAZUH_IMAGE_VERSION > .env - echo WAZUH_IMAGE_VERSION=$WAZUH_IMAGE_VERSION >> .env - echo WAZUH_TAG_REVISION=$WAZUH_TAG_REVISION >> .env - echo FILEBEAT_TEMPLATE_BRANCH=$FILEBEAT_TEMPLATE_BRANCH >> .env - echo WAZUH_FILEBEAT_MODULE=$WAZUH_FILEBEAT_MODULE >> .env - echo WAZUH_UI_REVISION=$WAZUH_UI_REVISION >> .env - docker compose -f build-docker-images/build-images.yml --env-file .env build --no-cache || clean 1 + echo WAZUH_VERSION=$WAZUH_IMAGE_VERSION > ../.env + echo WAZUH_IMAGE_VERSION=$WAZUH_IMAGE_VERSION >> ../.env + echo WAZUH_TAG_REVISION=$WAZUH_TAG_REVISION >> ../.env + echo FILEBEAT_TEMPLATE_BRANCH=$FILEBEAT_TEMPLATE_BRANCH >> ../.env + echo WAZUH_FILEBEAT_MODULE=$WAZUH_FILEBEAT_MODULE >> ../.env + echo WAZUH_UI_REVISION=$WAZUH_UI_REVISION >> ../.env + echo WAZUH_REGISTRY=$WAZUH_REGISTRY >> ../.env + echo IMAGE_TAG=$IMAGE_TAG >> ../.env + set -a + source ../.env + set +a + + if [ "${MULTIARCH}" ];then + docker buildx bake --file build-images.yml --push --set *.platform=linux/amd64,linux/arm64 --no-cache || clean 1 + else + docker buildx bake --file build-images.yml --no-cache|| clean 1 + fi return 0 } @@ -79,7 +87,10 @@ help() { echo " -d, --dev [Optional] Set the development stage you want to build, example alpha0 or beta1, not used by default." echo " -f, --filebeat-module [Optional] Set Filebeat module version. By default ${FILEBEAT_MODULE_VERSION}." echo " -r, --revision [Optional] Package revision. By default ${WAZUH_TAG_REVISION}" + echo " -ref, --reference [Optional] Set the Wazuh reference to build development images. By default, the latest stable release." + echo " -rg, --registry [Optional] Set the Docker registry to push the images." echo " -v, --version [Optional] Set the Wazuh version should be builded. By default, ${WAZUH_IMAGE_VERSION}." + echo " -m, --multiarch [Optional] Enable multi-architecture builds." echo " -h, --help Show this help." echo exit $1 
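Review bot: `--push` is now tied to `MULTIARCH`, so `-m` both builds for two platforms and publishes to `${WAZUH_REGISTRY}` (default `docker.io`), while the `help()` text in the next hunk describes `-m` only as "Enable multi-architecture builds"; an operator running `-m` locally would push without being told. A separate `-p, --push` option, or at minimum a help line stating that `-m` pushes, keeps the side effect explicit. On the same lines, `--set *.platform=linux/amd64,linux/arm64` is an unquoted glob that the shell expands if a matching file exists in the working directory, so write `--set '*.platform=linux/amd64,linux/arm64'`; and `set -a; source ../.env` executes a file whose values were written unquoted via `echo KEY=$VAR`, so an argument containing shell metacharacters is interpreted rather than stored — since every variable is already in scope, `export` them directly instead of sourcing the file. `build()` starts before this hunk.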
@@ -110,6 +121,10 @@ main() { help 1 fi ;; + "-m"|"--multiarch") + MULTIARCH="true" + shift + ;; "-r"|"--revision") if [ -n "${2}" ]; then WAZUH_TAG_REVISION="${2}" @@ -118,6 +133,22 @@ main() { help 1 fi ;; + "-ref"|"--reference") + if [ -n "${2}" ]; then + WAZUH_TAG_REFERENCE="${2}" + shift 2 + else + help 1 + fi + ;; + "-rg"|"--registry") + if [ -n "${2}" ]; then + WAZUH_REGISTRY="${2}" + shift 2 + else + help 1 + fi + ;; "-v"|"--version") if [ -n "$2" ]; then WAZUH_IMAGE_VERSION="$2" @@ -136,4 +167,4 @@ main() { clean 0 } -main "$@" +main "$@" \ No newline at end of file diff --git a/build-docker-images/build-images.yml b/build-docker-images/build-images.yml index ed784cec..b77669ca 100644 --- a/build-docker-images/build-images.yml +++ b/build-docker-images/build-images.yml @@ -8,7 +8,7 @@ services: WAZUH_TAG_REVISION: ${WAZUH_TAG_REVISION} FILEBEAT_TEMPLATE_BRANCH: ${FILEBEAT_TEMPLATE_BRANCH} WAZUH_FILEBEAT_MODULE: ${WAZUH_FILEBEAT_MODULE} - image: wazuh/wazuh-manager:${WAZUH_IMAGE_VERSION} + image: ${WAZUH_REGISTRY}/wazuh/wazuh-manager:${IMAGE_TAG} hostname: wazuh.manager restart: always ports: @@ -40,7 +40,7 @@ services: args: WAZUH_VERSION: ${WAZUH_VERSION} WAZUH_TAG_REVISION: ${WAZUH_TAG_REVISION} - image: wazuh/wazuh-agent:${WAZUH_IMAGE_VERSION} + image: ${WAZUH_REGISTRY}/wazuh/wazuh-agent:${IMAGE_TAG} hostname: wazuh.agent restart: always @@ -50,7 +50,7 @@ services: args: WAZUH_VERSION: ${WAZUH_VERSION} WAZUH_TAG_REVISION: ${WAZUH_TAG_REVISION} - image: wazuh/wazuh-indexer:${WAZUH_IMAGE_VERSION} + image: ${WAZUH_REGISTRY}/wazuh/wazuh-indexer:${IMAGE_TAG} hostname: wazuh.indexer restart: always ports: @@ -72,7 +72,7 @@ services: WAZUH_VERSION: ${WAZUH_VERSION} WAZUH_TAG_REVISION: ${WAZUH_TAG_REVISION} WAZUH_UI_REVISION: ${WAZUH_UI_REVISION} - image: wazuh/wazuh-dashboard:${WAZUH_IMAGE_VERSION} + image: ${WAZUH_REGISTRY}/wazuh/wazuh-dashboard:${IMAGE_TAG} hostname: wazuh.dashboard restart: always ports:
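Review bot: `-ref/--reference` is parsed into `WAZUH_TAG_REFERENCE`, but nothing in this diff reads that variable — it is not written to `.env`, not passed to `bake`, and not referenced in `build-images.yml` — so unless it is consumed outside the visible hunks, the option documented in `help()` (previous hunk) as "Set the Wazuh reference to build development images" is a no-op. Either wire it through (for example `echo WAZUH_TAG_REFERENCE=$WAZUH_TAG_REFERENCE >> ../.env` beside the other exports plus a matching build arg) or drop the option until it is used. `main()` starts before this hunk and ends after it.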