Merge branch 'main' into update-1739280091

observability-noctua-bot · Feb 19, 2025 · 87c5ee5 · 87c5ee5
2 parents 3f7c3a2 + 8585bdd
commit 87c5ee5
Show file tree

Hide file tree

Showing 19 changed files with 347 additions and 55 deletions.
diff --git a/.github/actions/checkout/action.yaml b/.github/actions/checkout/action.yaml
@@ -18,6 +18,10 @@ inputs:
   github-server-url: 
     description: 'The base URL for the GitHub instance that you are trying to clone from'
     default: 'https://github.com'
+  token:
+    description: "Github token for pulling from private repositories"
+    default: ''
+    required: false
 
 runs:
   using: "composite" 
@@ -34,6 +38,12 @@ runs:
           git_url="${{ inputs.github-server-url }}/${{ inputs.repository }}.git"
         fi
 
+        # if a token is provided, use it
+        if ! [[ -z "${{ inputs.token }}" ]]; then
+          protocol=$(echo "$git_url" | grep -oE '^[a-zA-Z]+://')
+          git_url="${git_url/${protocol}/${protocol}${{ inputs.token }}@}"
+        fi
+
         # create repo path relative to GITHUB_WORKSPACE as per actions/checkout@v4
         repo_path="$GITHUB_WORKSPACE/${{ inputs.path }}"
 

diff --git a/.github/workflows/Build-Rock.yaml b/.github/workflows/Build-Rock.yaml
@@ -35,7 +35,13 @@ on:
         description: "Enable fallback to Launchpad build when runners for target arch are not available."
         type: boolean
         default: false
-
+
+    secrets:
+      # authentication parameters
+      host-github-token:
+        description: "GitHub token from repository executing this workflow."
+      source-github-token:
+        description: "GitHub token for pulling a Rockcraft project from a private repository."
 env:
   ROCK_REPO_DIR: rock-repo  # path where the image repo is cloned into
   ROCK_CI_FOLDER: ci-rocks  # path of uploaded/downloaded artifacts
@@ -53,13 +59,12 @@ jobs:
     steps:
 
       - name: Get Workflow Version
-        # Note: we may need to pass a github token when working with private repositories. 
-        # https://github.com/canonical/get-workflow-version-action  
         id: workflow-version
         uses: canonical/get-workflow-version-action@v1
         with:
           repository-name: canonical/oci-factory
           file-name: Build-Rock.yaml
+          github-token: ${{ secrets.host-github-token }}
 
       - name: Cloning OCI Factory
         uses: actions/checkout@v4
@@ -75,6 +80,7 @@ jobs:
           path: ${{ env.ROCK_REPO_DIR }}
           ref: ${{ inputs.rock-repo-commit }}
           submodules: "recursive"
+          token: ${{ secrets.source-github-token }}
 
       - name: Installing Python 
         uses: actions/setup-python@v5
@@ -118,6 +124,7 @@ jobs:
           path: ${{ env.ROCK_REPO_DIR }}
           ref: ${{ inputs.rock-repo-commit }}
           submodules: "recursive"
+          token: ${{ secrets.source-github-token }}
 
       - name: Building Target
         id: rockcraft
@@ -167,6 +174,7 @@ jobs:
           path: ${{ env.ROCK_REPO_DIR }}
           ref: ${{ inputs.rock-repo-commit }}
           submodules: "recursive"
+          token: ${{ secrets.source-github-token }}
 
       - name: Building Target
         # TODO: Replace this retry action with bash equivalent for better testing

diff --git a/.github/workflows/CLA-Check.yaml b/.github/workflows/CLA-Check.yaml
@@ -6,7 +6,7 @@ jobs:
     runs-on: ubuntu-20.04
     steps:
       - name: Check if CLA signed
-        uses: canonical/has-signed-canonical-cla@v1
+        uses: canonical/has-signed-canonical-cla@v2
         with:
           # This is to avoid failing the checks for ROCKsBot
           accept-existing-contributors: true

diff --git a/.github/workflows/Image.yaml b/.github/workflows/Image.yaml
@@ -399,7 +399,7 @@ jobs:
         run: |
           oci_images="${PWD}/images-oci"
           rm -fr $oci_images
-          mkdir -p $oci_images  
+          mkdir -p $oci_images
 
           tar -xf ${{ steps.rename-oci-archive.outputs.name }} -C $oci_images
 
@@ -485,7 +485,7 @@ jobs:
           do
             ret=0
             release=$(jq -er .release < ${{ env.REVISION_DATA_DIR }}/$revision_file) || ret=1
-            
+
             if [ $ret -eq 1 ]
             then
               echo "Revision $revision_file not marked for release"

diff --git a/.github/workflows/Test-Rock.yaml b/.github/workflows/Test-Rock.yaml
@@ -45,6 +45,11 @@ on:
         default: true
         type: boolean
 
+    secrets:
+      # authentication parameters
+      host-github-token:
+        description: "GitHub token from repository executing this workflow."
+
 env:
   VULNERABILITY_REPORT_SUFFIX: ".vulnerability-report.json"  # TODO: inherit string from caller
   TEST_IMAGE_NAME: "test-img"
@@ -66,13 +71,12 @@ jobs:
 
     steps:
       - name: Get Workflow Version
-        # Note: we may need to pass a github token when working with private repositories. 
-        # https://github.com/canonical/get-workflow-version-action  
         id: workflow-version
         uses: canonical/get-workflow-version-action@v1
         with:
           repository-name: canonical/oci-factory
           file-name: Test-Rock.yaml
+          github-token: ${{ secrets.host-github-token }}
 
       - name: Cloning OCI Factory
         uses: actions/checkout@v4

diff --git a/README.md b/README.md
@@ -407,6 +407,15 @@ supported through Launchpad build services.
 - [Building an external Rock](https://github.com/canonical/rocks-toolbox/blob/main/.github/workflows/oci-factory_build_external_rock.yaml) 
   - Build a Chiseled-Python Rock from an external repository using a specified Git commit hash.
 
+
+**Note on Private Repositories** 
+When using reusable workflows with private repositories, one or more GitHub
+tokens must be provided. If the repository executing the workflow is private,
+the `host-github-token` is required. If the source repository containing the
+rockcraft.yaml file is private, the `source-github-token` must be provided. In
+many cases, these repositories are the same, meaning both `host-github-token` and
+`source-github-token` are required and should use the same token.
+
 **Workflow Inputs:**
 | Property | Required | Type | Description |
 |---|---|---|---|
@@ -418,6 +427,14 @@ supported through Launchpad build services.
 | `arch-map` | False | JSON str | JSON string mapping target architecture to runners. |
 | `lpci-fallback` | False | bool | Enable fallback to Launchpad build when runners for target arch are not available. |
 
+**Workflow Secrets:**
+
+_See Note on Private Repositories._
+| Property | Required | Description |
+|---|---|---|
+| `source-github-token` | False | GitHub token for pulling a Rockcraft project from a private repository. |
+| `host-github-token` | False | GitHub token from repository executing this workflow. |
+
 ### Test-Rock Workflow
 
 The [Test-Rock workflow](.github/workflows/Test-Rock.yaml)
@@ -458,3 +475,10 @@ needed.
 |`test-vulnerabilities`| False | bool | Enable Trivy vulnerability test. Enabled by default. |
 |`trivyignore-path`| False | str | Optional path to `.trivyignore` file used in vulnerability scan. |
 |`test-malware`| False | bool | Enable ClamAV malware test. Enabled by default. |
+
+**Workflow Secrets:**
+
+_See Note on Private Repositories._
+| Property | Required | Description |
+|---|---|---|
+| `host-github-token` | False  | GitHub token from repository executing this workflow. |
diff --git a/oci/glauth/.trivyignore b/oci/glauth/.trivyignore
@@ -0,0 +1,2 @@
+# Upstream CVEs
+
diff --git a/oci/glauth/_releases.json b/oci/glauth/_releases.json
@@ -0,0 +1,17 @@
+{
+    "2-22.04": {
+        "end-of-life": "2025-05-01T00:00:00Z",
+        "stable": {
+            "target": "1"
+        },
+        "candidate": {
+            "target": "1"
+        },
+        "edge": {
+            "target": "1"
+        },
+        "beta": {
+            "target": "2-22.04_candidate"
+        }
+    }
+}
diff --git a/oci/glauth/contacts.yaml b/oci/glauth/contacts.yaml
@@ -0,0 +1,7 @@
+notify:
+  emails:
+    - identity.charmers@lists.launchpad.net
+  mattermost-channels:
+    - ofi4for9obfq8m978h318x56ar
+maintainers:
+  - canonical-iam
diff --git a/oci/glauth/documentation.yaml b/oci/glauth/documentation.yaml
@@ -0,0 +1,40 @@
+version: 1
+application: glauth
+is_chiselled: True
+description: |
+  Go-lang LDAP Authentication (GLAuth) is a secure, easy-to-use, LDAP server w/ configurable 
+  backends. Use it to centralize account management across your Linux servers, your OSX machines,
+  and your support applications (Jenkins, Apache/Nginx, Graylog2, and many more!).
+  * Centrally manage accounts across your infrastructure
+  * Centrally manage SSH keys, Linux accounts, and passwords for cloud servers.
+  * Lightweight alternative to OpenLDAP and Active Directory for development, or a homelab.
+  * Store your user directory in a file, local or in S3; SQL database; or proxy to existing LDAP servers.
+  * Two Factor Authentication (transparent to applications)
+  * Multiple backends can be chained to inject features
+docker:
+  parameters:
+    - -p 3893:3893  # ldap
+    - -p 3894:3894  # ldaps
+    - -p 5555:5555  # ui and prometheus metrics
+  access: Access the LDAP server on "ldap://localhost:3893"
+parameters:
+  - type: -p
+    value: '3893:3893'
+    description: LDAP port.
+  - type: -p
+    value: '3894:3894'
+    description: LDAPS port.
+  - type: -p
+    value: '5555:5555'
+    description: UI and metrics port.
+  - type: -v
+    value: '/path/to/glauth/config.cfg:/glauth.cfg'
+    description: >
+      GLAuth config contains all the information needed to successfully configure a basic LDAP
+      server, see https://github.com/glauth/glauth/blob/master/v2/sample-simple.cfg as a reference
+  - type: CMD
+    value: "glauth -c /glauth.cfg"
+    description: >
+      Launch GLAuth server with a set config.
+debug:
+  text: ""
diff --git a/oci/glauth/image.yaml b/oci/glauth/image.yaml
@@ -0,0 +1,12 @@
+version: 1
+upload:
+  - source: "canonical/glauth-rock"
+    commit: 388696fcf8976768cf84d551bde84f0bf1ae2e35
+    directory: .
+    release:
+      2-22.04:
+        risks:
+          - stable
+          - candidate
+          - edge
+        end-of-life: "2025-05-01T00:00:00Z"
diff --git a/oci/grafana-agent/_releases.json b/oci/grafana-agent/_releases.json
@@ -270,9 +270,9 @@
         }
     },
     "0-24.04": {
-        "end-of-life": "2025-03-12T00:00:00Z",
+        "end-of-life": "2025-05-02T00:00:00Z",
         "stable": {
-            "target": "79"
+            "target": "80"
         },
         "candidate": {
             "target": "0-24.04_stable"
@@ -313,5 +313,35 @@
         "edge": {
             "target": "0.43.4-24.04_beta"
         }
+    },
+    "0.44-24.04": {
+        "end-of-life": "2025-05-02T00:00:00Z",
+        "stable": {
+            "target": "80"
+        },
+        "candidate": {
+            "target": "0.44-24.04_stable"
+        },
+        "beta": {
+            "target": "0.44-24.04_candidate"
+        },
+        "edge": {
+            "target": "0.44-24.04_beta"
+        }
+    },
+    "0.44.2-24.04": {
+        "end-of-life": "2025-05-02T00:00:00Z",
+        "stable": {
+            "target": "80"
+        },
+        "candidate": {
+            "target": "0.44.2-24.04_stable"
+        },
+        "beta": {
+            "target": "0.44.2-24.04_candidate"
+        },
+        "edge": {
+            "target": "0.44.2-24.04_beta"
+        }
     }
 }
diff --git a/oci/grafana-agent/image.yaml b/oci/grafana-agent/image.yaml
@@ -1,18 +1,18 @@
 version: 1
 upload:
   - source: canonical/grafana-agent-rock
-    commit: d3c1eaec89c38897141ff2b5b2e549664dea3992
-    directory: 0.43.4
+    commit: c47016c42c66c2d2b9a8f3bba6ed48feca714f9f
+    directory: 0.44.2
     release:
       0-24.04:
-        end-of-life: '2025-03-12T00:00:00Z'
+        end-of-life: '2025-05-02T00:00:00Z'
         risks:
           - stable
-      0.43-24.04:
-        end-of-life: '2025-03-12T00:00:00Z'
+      0.44-24.04:
+        end-of-life: '2025-05-02T00:00:00Z'
         risks:
           - stable
-      0.43.4-24.04:
-        end-of-life: '2025-03-12T00:00:00Z'
+      0.44.2-24.04:
+        end-of-life: '2025-05-02T00:00:00Z'
         risks:
           - stable
diff --git a/oci/loki/_releases.json b/oci/loki/_releases.json
@@ -178,5 +178,65 @@
         "edge": {
             "target": "90"
         }
+    },
+    "3-24.04": {
+        "end-of-life": "2025-05-18T00:00:00Z",
+        "stable": {
+            "target": "92"
+        },
+        "candidate": {
+            "target": "3-24.04_stable"
+        },
+        "beta": {
+            "target": "3-24.04_candidate"
+        },
+        "edge": {
+            "target": "3-24.04_beta"
+        }
+    },
+    "3.4-24.04": {
+        "end-of-life": "2025-05-18T00:00:00Z",
+        "stable": {
+            "target": "92"
+        },
+        "candidate": {
+            "target": "3.4-24.04_stable"
+        },
+        "beta": {
+            "target": "3.4-24.04_candidate"
+        },
+        "edge": {
+            "target": "3.4-24.04_beta"
+        }
+    },
+    "3.4.1-24.04": {
+        "end-of-life": "2025-05-16T00:00:00Z",
+        "stable": {
+            "target": "91"
+        },
+        "candidate": {
+            "target": "3.4.1-24.04_stable"
+        },
+        "beta": {
+            "target": "3.4.1-24.04_candidate"
+        },
+        "edge": {
+            "target": "3.4.1-24.04_beta"
+        }
+    },
+    "3.4.2-24.04": {
+        "end-of-life": "2025-05-18T00:00:00Z",
+        "stable": {
+            "target": "92"
+        },
+        "candidate": {
+            "target": "3.4.2-24.04_stable"
+        },
+        "beta": {
+            "target": "3.4.2-24.04_candidate"
+        },
+        "edge": {
+            "target": "3.4.2-24.04_beta"
+        }
     }
 }