From c7e8a87a3685b286fcd43a1e624b4a1abb715db3 Mon Sep 17 00:00:00 2001
From: Nikolai Rodionov
Date: Thu, 4 May 2023 12:31:31 +0200
Subject: [PATCH] Add an image with helm secrets installed

---
 .github/workflows/container-stable.yaml | 60 ++++++++++++++--------
 .github/workflows/container-version.yaml | 65 +++++++++++++++---------
 dockerfiles/Dockerfile-helmfile-secrets | 24 +++++++++
 3 files changed, 103 insertions(+), 46 deletions(-)
 create mode 100644 dockerfiles/Dockerfile-helmfile-secrets

diff --git a/.github/workflows/container-stable.yaml b/.github/workflows/container-stable.yaml
index 63cbe14..5c14b37 100644
--- a/.github/workflows/container-stable.yaml
+++ b/.github/workflows/container-stable.yaml
@@ -7,7 +7,8 @@ on:
- main
jobs:
- containerization:
+ prepare_base:
+ name: Prepare the base image
runs-on: ubuntu-latest
steps:
- name: Checkout
@@ -30,6 +31,7 @@ jobs:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.CR_PAT }}
+ - name: Build base
uses: docker/build-push-action@v2
with:
@@ -46,35 +48,49 @@ jobs:
actor=${{ github.actor }}
sha=${{ github.sha }}
ref=${{ github.ref }}
- - name: Build helmfile
- uses: docker/build-push-action@v2
- with:
- builder: ${{ steps.buildx.outputs.name }}
- context: ./dockerfiles
- file: ./dockerfiles/Dockerfile-helmfile
- platforms: linux/amd64,linux/arm64
- push: true
- tags: |
- ghcr.io/${{ github.repository }}-helmfile:latest
- ghcr.io/${{ github.repository }}-helmfile:stable
- labels: |
- action_id=${{ github.action }}
- action_link=${{ env.LINK }}
- actor=${{ github.actor }}
- sha=${{ github.sha }}
- ref=${{ github.ref }}
+
+ build_containers:
+ name: Build final images
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ target_image:
+ - helmfile
+ - helmfile-secrets
+ - argo
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
- - name: Build argo
+ - name: Set action link variable
+ run: echo "LINK=$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" >> $GITHUB_ENV
+
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@master
+ with:
+ platforms: all
+
+ - name: Set up Docker Buildx
+ id: buildx
+ uses: docker/setup-buildx-action@master
+ - name: Login to GitHub Container Registry
+ uses: docker/login-action@v1
+ with:
+ registry: ghcr.io
+ username: ${{ github.repository_owner }}
+ password: ${{ secrets.CR_PAT }}
+
+ - name: Build ${{ matrix.target_image }}
uses: docker/build-push-action@v2
with:
builder: ${{ steps.buildx.outputs.name }}
context: ./dockerfiles
- file: ./dockerfiles/Dockerfile-argo
+ file: ./dockerfiles/Dockerfile-$${{ matrix.target_image }}
platforms: linux/amd64,linux/arm64
push: true
tags: |
- ghcr.io/${{ github.repository }}-argo:latest
- ghcr.io/${{ github.repository }}-argo:stable
+ ghcr.io/${{ github.repository }}-${{ matrix.target_image }}:latest
+ ghcr.io/${{ github.repository }}-${{ matrix.target_image }}:stable
labels: |
action_id=${{ github.action }}
action_link=${{ env.LINK }}
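Review bot: `file: ./dockerfiles/Dockerfile-$${{ matrix.target_image }}` in the new matrix build step carries a stray `$` in front of the expression: GitHub Actions only interpolates `${{ … }}`, so the leading `$` is emitted literally and the build will look for `./dockerfiles/Dockerfile-$helmfile`; it should read `file: ./dockerfiles/Dockerfile-${{ matrix.target_image }}`, and the same line appears in the container-version.yaml hunk. The new `build_containers` job declares no `needs: prepare_base`, so as written it can run concurrently with the base-image job and build on whatever base tag already sits in the registry; adding `needs: prepare_base` under the job would serialize them. The new steps also reference `docker/setup-qemu-action@master` and `docker/setup-buildx-action@master`, mutable refs for third-party actions running in a job that pushes with a PAT; pinning them to a release tag or commit SHA, as the other actions in this step list are, keeps the workflow reproducible.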
diff --git a/.github/workflows/container-version.yaml b/.github/workflows/container-version.yaml
index f5d1a3a..8510f6f 100644
--- a/.github/workflows/container-version.yaml
+++ b/.github/workflows/container-version.yaml
@@ -7,7 +7,8 @@ on:
- "v*.*.*"
jobs:
- containerization:
+ build_base:
+ name: Prepare the base image
runs-on: ubuntu-latest
steps:
- name: Checkout
@@ -49,40 +50,56 @@ jobs:
actor=${{ github.actor }}
sha=${{ github.sha }}
ref=${{ github.ref }}
- - name: Build helmfile
- uses: docker/build-push-action@v2
- with:
- build-args: |
- BASE_VERSION=${{ env.TAG }}
- builder: ${{ steps.buildx.outputs.name }}
- context: ./dockerfiles
- file: ./dockerfiles/Dockerfile-helmfile
- platforms: linux/amd64,linux/arm64
- push: true
- tags: |
- ghcr.io/${{ github.repository }}-helmfile:${{ env.TAG }}
- labels: |
- action_id=${{ github.action }}
- action_link=${{ env.LINK }}
- actor=${{ github.actor }}
- sha=${{ github.sha }}
- ref=${{ github.ref }}
+
+ build_containers:
+ name: Build final images
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ target_image:
+ - helmfile
+ - helmfile-secrets
+ - argo
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
- - name: Build argo
+ - name: Set version variable
+ run: echo "TAG=${GITHUB_REF##*/}" >> $GITHUB_ENV
+
+ - name: Set action link variable
+ run: echo "LINK=$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" >> $GITHUB_ENV
+
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@master
+ with:
+ platforms: all
+
+ - name: Set up Docker Buildx
+ id: buildx
+ uses: docker/setup-buildx-action@master
+ - name: Login to GitHub Container Registry
+ uses: docker/login-action@v1
+ with:
+ registry: ghcr.io
+ username: ${{ github.repository_owner }}
+ password: ${{ secrets.CR_PAT }}
+
+ - name: Build ${{ matrix.target_image }}
uses: docker/build-push-action@v2
with:
builder: ${{ steps.buildx.outputs.name }}
- build-args: |
- BASE_VERSION=${{ env.TAG }}
context: ./dockerfiles
- file: ./dockerfiles/Dockerfile-argo
+ file: ./dockerfiles/Dockerfile-$${{ matrix.target_image }}
platforms: linux/amd64,linux/arm64
push: true
tags: |
- ghcr.io/${{ github.repository }}-argo:${{ env.TAG }}
+ ghcr.io/${{ github.repository }}-${{ matrix.target_image }}:${{ env.TAG }}
+ ghcr.io/${{ github.repository }}-${{ matrix.target_image }}:${{ env.TAG }}
labels: |
action_id=${{ github.action }}
action_link=${{ env.LINK }}
actor=${{ github.actor }}
sha=${{ github.sha }}
ref=${{ github.ref }}
+
\ No newline at end of file
diff --git a/dockerfiles/Dockerfile-helmfile-secrets b/dockerfiles/Dockerfile-helmfile-secrets
new file mode 100644
index 0000000..5e3f4f2
--- /dev/null
+++ b/dockerfiles/Dockerfile-helmfile-secrets
@@ -0,0 +1,24 @@
+ARG BASE_VERSION=latest
+FROM ghcr.io/allanger/dumb-downloader as builder
+RUN apt-get update -y && apt-get install tar -y
+ARG HELM_VERSION=v3.10.3
+ARG HELMFILE_VERSION=0.151.0
+ENV RUST_LOG=info
+RUN dudo -l "https://github.com/helmfile/helmfile/releases/download/v{{ version }}/helmfile_{{ version }}_{{ os }}_{{ arch }}.tar.gz" -d /tmp/helmfile.tar.gz -p $HELMFILE_VERSION
+RUN dudo -l "https://get.helm.sh/helm-{{ version }}-{{ os }}-{{ arch }}.tar.gz" -d /tmp/helm.tar.gz -p $HELM_VERSION
+RUN tar -xf /tmp/helm.tar.gz -C /tmp && rm -f /tmp/helm.tar.gz
+RUN tar -xf /tmp/helmfile.tar.gz -C /tmp && rm -f /tmp/helmfile.tar.gz
+RUN mkdir /out && for bin in `find /tmp | grep helm`; do cp $bin /out/; done
+RUN chmod +x /out/helm
+RUN chmod +x /out/helmfile
+
+FROM mozilla/sops:v3.7-alpine as sops
+WORKDIR /out
+RUN cp $(which sops) /out/sops
+
+FROM ghcr.io/allanger/check-da-helm-base:${BASE_VERSION}
+COPY --from=builder /out/ /usr/bin
+COPY --from=sops /out/ /usr/bin
+RUN apk update --no-cache && apk add --no-cache jq bash age git
+RUN helm plugin install https://github.com/jkroepke/helm-secrets --version v4.4.2
+ENTRYPOINT ["cdh"]
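Review bot: The rewritten `Build ${{ matrix.target_image }}` step drops the `build-args: |` / `BASE_VERSION=${{ env.TAG }}` lines that both removed per-image steps passed, so each versioned final image is now built from the Dockerfile's default `BASE_VERSION=latest` instead of the base image tagged for this release, which breaks the pairing between a release tag and its base; re-adding those two lines under `with:` restores it. The `tags: |` block also lists `ghcr.io/${{ github.repository }}-${{ matrix.target_image }}:${{ env.TAG }}` twice, and the second line looks like a leftover that can be dropped. The `$${{ matrix.target_image }}` file path and the missing `needs:` on the new job are the same issues as in the container-stable.yaml hunk.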
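Review bot: The two `dudo` downloads of helm and helmfile in the builder stage are never integrity-checked: nothing compares the fetched tarballs against the checksum files those projects publish alongside each release, and `FROM ghcr.io/allanger/dumb-downloader as builder` is untagged, so the fetcher itself floats from build to build; a `sha256sum -c` against the published digest after each download, plus a tagged or digest-pinned builder base, would make the image reproducible. `RUN helm plugin install https://github.com/jkroepke/helm-secrets --version v4.4.2` clones a git tag at build time, which is likewise a mutable reference. The final stage ends without a `USER` directive, so unless `check-da-helm-base` sets one the container runs as root and the plugin lands in root's helm plugin directory; worth confirming which user the base runs as and that `cdh` finds the plugin under it. `RUN apk update --no-cache && apk add --no-cache jq bash age git` pins none of the packages, and the `apk update` is redundant with `--no-cache`.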