From 9ee407a68557f449235e6817d90f7a8d98bb8319 Mon Sep 17 00:00:00 2001
From: David Dornseifer
Date: Fri, 11 Apr 2025 14:42:39 +0200
Subject: [PATCH 1/5] Helm Chart Default Value
* Set Helm chart default value for Enclave CPU advertisement to `false` to be in sync with kubernetes manifest
---
 helm/values.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/helm/values.yaml b/helm/values.yaml
index a9b1d1d..0ad5a94 100644
--- a/helm/values.yaml
+++ b/helm/values.yaml
@@ -6,7 +6,7 @@ awsNitroEnclavesK8SDaemonset:
 drop:
 - ALL
 env:
- enclaveCpuAdvertisement: "true"
+ enclaveCpuAdvertisement: "false"
 maxEnclavesPerNode: "4"
 image:
 repository: public.ecr.aws/aws-nitro-enclaves/aws-nitro-enclaves-k8s-device-plugin
From 7dd5e96eb5bfdb2c35c4f4c93778db1c6bda28ff Mon Sep 17 00:00:00 2001
From: David Dornseifer
Date: Wed, 16 Apr 2025 14:42:52 +0200
Subject: [PATCH 2/5] Added _docker suffix for docker build scripts
* Added _docker suffix to docker build scripts
* Added multi architecture build to build_docker.sh script
* Added multi architecture build handling to push_docker.sh
---
 scripts/build.sh | 8 --------
 scripts/build_docker.sh | 14 ++++++++++++++
 scripts/create_manifest.sh | 27 ---------------------------
 scripts/create_manifest_docker.sh | 28 ++++++++++++++++++++++++++++
 scripts/push.sh | 25 -------------------------
 scripts/push_docker.sh | 31 +++++++++++++++++++++++++++++++
 6 files changed, 73 insertions(+), 60 deletions(-)
 delete mode 100755 scripts/build.sh
 create mode 100755 scripts/build_docker.sh
 delete mode 100755 scripts/create_manifest.sh
 create mode 100755 scripts/create_manifest_docker.sh
 delete mode 100755 scripts/push.sh
 create mode 100755 scripts/push_docker.sh
diff --git a/scripts/build.sh b/scripts/build.sh
deleted file mode 100755
index e6f02dc..0000000
--- a/scripts/build.sh
+++ /dev/null
@@ -1,8 +0,0 @@
-#!/bin/bash
-# Copyright 2022 Amazon.com, Inc. or its affiliates. All Rights Reserved.
-# SPDX-License-Identifier: Apache-2.0
-
-source "$(dirname $(realpath $0))/common.sh"
-
-docker build --target builder -t $BUILDER_IMAGE $TOP_DIR -f $TOP_DIR/container/Dockerfile
-docker build --target device_plugin -t $IMAGE $TOP_DIR -f $TOP_DIR/container/Dockerfile
diff --git a/scripts/build_docker.sh b/scripts/build_docker.sh
new file mode 100755
index 0000000..da03759
--- /dev/null
+++ b/scripts/build_docker.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+# Copyright 2022 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+source "$(dirname $(realpath $0))/common.sh"
+
+build_docker_image() {
+ local arch=$1
+ docker build --target device_plugin --platform linux/$arch -t $IMAGE-$arch $TOP_DIR -f $TOP_DIR/container/Dockerfile
+}
+
+docker build --target builder -t $BUILDER_IMAGE $TOP_DIR -f $TOP_DIR/container/Dockerfile ||
+ die "Failed to build generic builder image"
+arch=x86_64 && build_docker_image ${arch} || die "Failed to build ${arch} image"
+arch=aarch64 && build_docker_image ${arch} || die "Failed to build ${arch} image"
diff --git a/scripts/create_manifest.sh b/scripts/create_manifest.sh
deleted file mode 100755
index eee83b2..0000000
--- a/scripts/create_manifest.sh
+++ /dev/null
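Review bot: `build_docker_image` cross-builds the foreign architecture with plain `docker build --platform linux/$arch`, which only works when the daemon has binfmt/qemu registered (or buildx is used); nothing checks that, so on a fresh builder the second `build_docker_image` call fails late with an opaque error rather than a clear precondition message. Consider a guard before the builds, or `docker buildx build --platform linux/amd64,linux/arm64 ...`, and document the qemu requirement in a header comment. `x86_64`/`aarch64` are accepted aliases that the daemon normalises to `amd64`/`arm64` (inferred; the canonical OCI names are the latter), so the tags `$IMAGE-x86_64` and the platform labels in the pushed manifests will not match by name. The `builder` target is built once for the host platform while each per-arch build re-derives its own stages, so if the Dockerfile's `device_plugin` stage is `FROM builder` (not visible in this series) the first build is redundant; expansions such as `"$TOP_DIR"` and `"$IMAGE-$arch"` should also be quoted.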
@@ -1,27 +0,0 @@
-#!/bin/bash
-# Copyright 2022 Amazon.com, Inc. or its affiliates. All Rights Reserved.
-# SPDX-License-Identifier: Apache-2.0
-
-source "$(dirname $(realpath $0))/common.sh"
-
-main() {
- ecr_login
-
- docker manifest create --amend $ECR_URL/$REPOSITORY_NAME \
- $ECR_URL/$REPOSITORY_NAME:$RELEASE-x86_64 \
- $ECR_URL/$REPOSITORY_NAME:$RELEASE-aarch64 || \
- die "Cannot create manifest for multiarch image." \
- " Please ensure that both x86_64 and aarch64 images" \
- " already exist in the repository."
-
- docker manifest inspect $ECR_URL/$IMAGE
-
- is_a_public_ecr_registry && {
- confirm "You are about to make changes on a" \
- " publicly available manifest. Are you sure want to continue? (yes/no)"
- }
-
- docker manifest push $ECR_URL/$REPOSITORY_NAME:latest
-}
-
-main
diff --git a/scripts/create_manifest_docker.sh b/scripts/create_manifest_docker.sh
new file mode 100755
index 0000000..fff03d9
--- /dev/null
+++ b/scripts/create_manifest_docker.sh
@@ -0,0 +1,28 @@
+#!/bin/bash
+# Copyright 2022 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+source "$(dirname $(realpath $0))/common.sh"
+
+main() {
+ ecr_login
+
+ docker manifest create --amend $ECR_URL/$IMAGE \
+ $ECR_URL/$REPOSITORY_NAME:$RELEASE-x86_64 \
+ $ECR_URL/$REPOSITORY_NAME:$RELEASE-aarch64 ||
+ die "Cannot create manifest for multiarch image." \
+ " Please ensure that both x86_64 and aarch64 images" \
+ " already exist in the repository."
+
+ docker manifest inspect $ECR_URL/$IMAGE ||
+ die "Cannot inspect manifest for multiarch image."
+
+ is_a_public_ecr_registry && {
+ confirm "You are about to push a $RELEASE multiarch manifest to a public repository." \
+ "Are you sure you want to continue? (yes/no)"
+ }
+
+ docker manifest push $ECR_URL/$REPOSITORY_NAME:$RELEASE ||
+ die "Cannot push manifest for multiarch image."
+}
+
+main
diff --git a/scripts/push.sh b/scripts/push.sh
deleted file mode 100755
index bf0ee2e..0000000
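Review bot: `docker manifest push $ECR_URL/$REPOSITORY_NAME:$RELEASE` overwrites any manifest list already published under that release tag, so re-running the script after a release has been consumed silently republishes a different multi-arch image under a version tag that downstream clusters already trust; the `confirm` prompt fires only for public registries and does not tell the operator whether the tag exists. Unless the repositories are configured with ECR tag immutability (not visible here), check the remote before `docker manifest create`, e.g. `docker manifest inspect "$ECR_URL/$REPOSITORY_NAME:$RELEASE" >/dev/null 2>&1 && die "$RELEASE is already published; refusing to overwrite"` — the existing `docker manifest inspect $ECR_URL/$IMAGE` does not serve that purpose because `IMAGE` is `$REPOSITORY_NAME:$RELEASE` after patch 4 and the inspect runs after `create`, so it resolves the local list just created. The per-arch inputs are also referenced by mutable tags (`$RELEASE-x86_64`, `$RELEASE-aarch64`) rather than by digest, so whatever was pushed last under those tags is what gets sealed into the list; a header comment should state that this script must run immediately after push_docker.sh. Quote `"$ECR_URL/$IMAGE"` and friends.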
--- a/scripts/push.sh
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/bin/bash
-# Copyright 2022 Amazon.com, Inc. or its affiliates. All Rights Reserved.
-# SPDX-License-Identifier: Apache-2.0
-
-source "$(dirname $(realpath $0))/common.sh"
-
-main() {
- ecr_login
-
- aws ecr --region $ECR_REGION describe-repositories \
- --repository-names "$REPOSITORY_NAME" > /dev/null || \
- die "There is no repository named $REPOSITORY_NAME in" \
- "$ECR_REGION region."
-
- is_a_public_ecr_registry && {
- confirm "You are about to make changes on a public repository." \
- " Are you sure want to continue?"
- }
-
- docker tag $IMAGE $ECR_URL/$IMAGE
- say "Pushing $IMAGE to $ECR_URL..."
- docker push $ECR_URL/$IMAGE
-}
-
-main
diff --git a/scripts/push_docker.sh b/scripts/push_docker.sh
new file mode 100755
index 0000000..f5df7e6
--- /dev/null
+++ b/scripts/push_docker.sh
@@ -0,0 +1,31 @@
+#!/bin/bash
+# Copyright 2022 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+source "$(dirname $(realpath $0))/common.sh"
+
+tag_and_push_docker_image() {
+ local arch=$1
+
+ docker tag $IMAGE-$arch $ECR_URL/$IMAGE-$arch
+ say "Pushing $IMAGE-$arch to $ECR_URL..."
+ docker push $ECR_URL/$IMAGE-$arch
+}
+
+main() {
+ ecr_login
+
+ aws ecr-public --region $ECR_REGION describe-repositories \
+ --repository-names "$REPOSITORY_NAME" >/dev/null ||
+ die "There is no repository named $REPOSITORY_NAME in" \
+ "$ECR_REGION region."
+
+ is_a_public_ecr_registry && {
+ confirm "You are about to push $RELEASE docker images on a public repository." \
+ "Are you sure you want to continue?"
+ }
+
+ arch=x86_64 && tag_and_push_docker_image ${arch} || die "Failed to push $arch docker image"
+ arch=aarch64 && tag_and_push_docker_image ${arch} || die "Failed to push $arch docker image"
+}
+
+main
From ed8c0b57da5fd8d4966415b44714dc57ca79203e Mon Sep 17 00:00:00 2001
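Review bot: `main` hardcodes `aws ecr-public ... describe-repositories` although `ecr_login` (from common.sh) still branches on `is_a_public_ecr_registry` to support private ECR, so for a private `$ECR_URL` the repository check fails (ecr-public only serves public registries) and the script dies before pushing anything — the replaced push.sh used `aws ecr` here. Mirror the login branch: `if is_a_public_ecr_registry; then aws ecr-public --region "$ECR_REGION" describe-repositories --repository-names "$REPOSITORY_NAME"; else aws ecr --region "$ECR_REGION" describe-repositories --repository-names "$REPOSITORY_NAME"; fi >/dev/null || die ...`, or state in a header comment that only public ECR is supported and drop the private path. The `arch=x86_64 && tag_and_push_docker_image ${arch} || die` idiom works but `die` is reached only after a partial push, so a failed aarch64 push leaves the x86_64 tag published with no multi-arch manifest; worth saying so in the error text. Expansions in `tag_and_push_docker_image` (`"$IMAGE-$arch"`, `"$ECR_URL"`) should be quoted.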
From: David Dornseifer
Date: Wed, 16 Apr 2025 14:53:41 +0200
Subject: [PATCH 3/5] Added Helm related scripts
* Added Helm package and push scripts
* Added utility functions to common.sh
---
 scripts/common.sh | 18 ++++++++++++++++++
 scripts/package_helm.sh | 17 +++++++++++++++++
 scripts/push_helm.sh | 23 +++++++++++++++++++++++
 3 files changed, 58 insertions(+)
 create mode 100755 scripts/package_helm.sh
 create mode 100755 scripts/push_helm.sh
diff --git a/scripts/common.sh b/scripts/common.sh
index 42b54c3..216bd98 100755
--- a/scripts/common.sh
+++ b/scripts/common.sh
@@ -84,6 +84,24 @@ is_a_public_ecr_registry() {
 return $FAILURE
 }
+_helm_login() {
+ is_a_public_ecr_registry
+
+ if [[ $? -eq $SUCCESS ]]; then
+ aws ecr-public get-login-password --region "$ECR_REGION" | helm registry login --username AWS --password-stdin $ECR_URL
+ else
+ aws ecr get-login-password --region "$ECR_REGION" | helm registry login --username AWS --password-stdin $ECR_URL
+ fi
+}
+
+# Loads configuration and logs in to a Helm registry.
+#
+helm_login() {
+ _load_ecr_config || die "Error while loading configuration file!"
+ say "Using ECR registry url: $ECR_URL. (region: $ECR_REGION)."
+ _helm_login || die "Failed to log in to the ECR registry."
+}
+
 # Generic user confirmation function
 #
 confirm() {
diff --git a/scripts/package_helm.sh b/scripts/package_helm.sh
new file mode 100755
index 0000000..0d98d94
--- /dev/null
+++ b/scripts/package_helm.sh
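Review bot: `_helm_login` duplicates the public/private branch of `_ecr_login` line for line, with only `docker login` swapped for `helm registry login`, so the two login paths can drift (patch 4 of this series already changes `_ecr_login` without touching this copy); factor the `aws ... get-login-password` pipeline into one helper that takes the login command, and write the branch as `if is_a_public_ecr_registry; then` instead of calling the function and testing `$?` afterwards. A caveat a release operator wants in the comment above `helm_login`: `helm registry login --password-stdin` persists the ECR token in Helm's registry config file (base64-encoded, not encrypted, unless a credential helper is configured — inferred from Helm's behaviour, confirm for the Helm version in use), so a `helm registry logout "$ECR_URL"` at the end of the release run is worth adding. `$ECR_URL` is unquoted in both pipelines. The enclosing `is_a_public_ecr_registry` function starts before this hunk.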
@@ -0,0 +1,17 @@
+#!/bin/bash
+# Copyright 2025 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+source "$(dirname $(realpath $0))/common.sh"
+
+helm lint $TOP_DIR/helm && helm package $TOP_DIR/helm ||
+ die "Helm package lint failed"
+
+# assert that packaged file is located in directory
+# its best practice to manage helm version and app relase version independent from each other
+# VERSION is sourced from packed RELEASE veriable and HELM versions are based on Chart.yaml values
+if [[ ! -f $TOP_DIR/aws-nitro-enclaves-k8s-device-plugin-$VERSION.tgz ]]; then
+ die "Packaged file not found in $TOP_DIR directory"
+fi
+
+# change name of standard HELM archive to explicitly state that it is a packaged chart
+mv aws-nitro-enclaves-k8s-device-plugin-$VERSION.tgz $HELM_CHART
diff --git a/scripts/push_helm.sh b/scripts/push_helm.sh
new file mode 100755
index 0000000..208f174
--- /dev/null
+++ b/scripts/push_helm.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+# Copyright 2025 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+source "$(dirname $(realpath $0))/common.sh"
+
+main() {
+ helm_login
+
+ aws ecr-public --region $ECR_REGION describe-repositories \
+ --repository-names "charts/$REPOSITORY_NAME" >/dev/null ||
+ die "There is no repository named $REPOSITORY_NAME in" \
+ "$ECR_REGION region."
+
+ is_a_public_ecr_registry && {
+ confirm "You are about to push a $RELEASE Helm chart on a public repository." \
+ "Are you sure you want to continue?"
+ }
+ say "Pushing $HELM_CHART to $ECR_HELM_URL..."
+ helm push aws-nitro-enclaves-k8s-device-plugin-chart-$VERSION.tgz oci://$ECR_HELM_URL ||
+ die "Failed to push $HELM_CHART to $ECR_HELM_URL."
+}
+
+main
From 7098aaeb60ed58eb6889b20612e2ef23197acfbb Mon Sep 17 00:00:00 2001
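Review bot: `helm package $TOP_DIR/helm` writes the archive into the current working directory, yet the existence check looks in `$TOP_DIR/` and the final `mv` uses a cwd-relative name, so the script only works when invoked from the repository root and otherwise dies with a misleading "Packaged file not found" after a successful package. Pass `--destination "$TOP_DIR"` to `helm package` and use `"$TOP_DIR/aws-nitro-enclaves-k8s-device-plugin-$VERSION.tgz"` and `"$TOP_DIR/$HELM_CHART"` in both the test and the `mv`. The check also assumes Helm names the archive with `$VERSION` (derived from the RELEASE file in common.sh) whereas Helm takes the name from `version:` in Chart.yaml — the comment above the check says these are managed independently, so whenever they differ this script fails, and nothing in the series compares Chart.yaml against RELEASE. Finally `A && B || die "Helm package lint failed"` reports a lint failure when it is `helm package` that failed; split it into `helm lint "$TOP_DIR/helm" || die "Helm lint failed"` and `helm package ... || die "Helm package failed"`.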
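Review bot: The repository check and the push target in `main` are decoupled: `describe-repositories` verifies that `charts/$REPOSITORY_NAME` exists, but `helm push` sends the chart to `oci://$ECR_HELM_URL`, a separately entered config value that is never validated against that repository (and `_load_ecr_config` in common.sh does not flag an empty `ECR_HELM_URL`), so a typo in the Helm URL passes the check and publishes elsewhere or fails with an opaque OCI error. Either derive the target from the checked name (presumably `"oci://$ECR_URL/charts"` given the `charts/` prefix — confirm against the registry layout) or at least add `[[ -n "$ECR_HELM_URL" ]] || die "ECR_HELM_URL is not configured"` before the push. The pushed file is spelled out as a cwd-relative literal although `$HELM_CHART` already holds exactly that name, so use `helm push "$TOP_DIR/$HELM_CHART" "oci://$ECR_HELM_URL"`; `aws ecr-public` is hardcoded while `helm_login` still supports private ECR, and the die message names `$REPOSITORY_NAME` rather than `charts/$REPOSITORY_NAME`.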
From: David Dornseifer
Date: Wed, 16 Apr 2025 14:57:43 +0200
Subject: [PATCH 4/5] Extended common.sh functionality
* Fixed public ecr functions
* Introduced HELM registry related variables
* Added docker token reuse with 10s timeout
* Made generic user confirmation function confirm() zsh compatible
* Formatted common.sh
---
 scripts/common.sh | 77 ++++++++++++++++++++++++++---------------------
 1 file changed, 43 insertions(+), 34 deletions(-)
diff --git a/scripts/common.sh b/scripts/common.sh
index 216bd98..9c4c39e 100755
--- a/scripts/common.sh
+++ b/scripts/common.sh
@@ -13,8 +13,9 @@ readonly RELEASE_FILE="RELEASE"
 readonly BUILDER_IMAGE=ne-k8s-device-plugin-build:latest
 readonly REPOSITORY_NAME=aws-nitro-enclaves-k8s-device-plugin
 readonly RELEASE=$(cat $TOP_DIR/$RELEASE_FILE)
-readonly TAG=$RELEASE-$(arch)
-readonly IMAGE=$REPOSITORY_NAME:$TAG
+readonly VERSION="$(echo $RELEASE | cut -c 2-).0"
+readonly IMAGE=$REPOSITORY_NAME:$RELEASE
+readonly HELM_CHART="aws-nitro-enclaves-k8s-device-plugin-chart-$VERSION.tgz"
 say() {
 echo "$@"
@@ -25,7 +26,7 @@ die() {
 exit $FAILURE
 }
-[[ -f $TOP_DIR/$RELEASE_FILE ]] || \
+[[ -f $TOP_DIR/$RELEASE_FILE ]] ||
 die "Cannot find $RELEASE_FILE file in $TOP_DIR directory."
 _set_config_item() {
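Review bot: `readonly VERSION="$(echo $RELEASE | cut -c 2-).0"` strips the first character unconditionally and always appends `.0`, so a RELEASE file holding `0.2` (no `v`) or `v0.2.1` yields `.2.0` or `0.2.1.0`, and every image tag and chart name downstream is derived from that without any validation. `readonly VERSION="${RELEASE#v}.0"` removes only a leading `v`, and a guard such as `[[ "$RELEASE" =~ ^v[0-9]+\.[0-9]+$ ]] || die "Unexpected RELEASE format: $RELEASE"` makes the assumed `vMAJOR.MINOR` shape explicit. A one-line comment above `VERSION` stating that it is the chart version expected to match `version:` in helm/Chart.yaml would save the next reader a trip through package_helm.sh.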
@@ -33,55 +34,55 @@ _set_config_item() {
 local prompt="$@"
 local value=""
- while [[ $value = "" ]];
- do
- printf "$prompt"
- read value
+ while [[ $value = "" ]]; do
+ printf "$prompt"
+ read value
 done
- echo "$var=$value" >> "$ECR_CONFIG_FILE_PATH"
+ echo "$var=$value" >>"$ECR_CONFIG_FILE_PATH"
 }
 _load_ecr_config() {
 [[ -f $ECR_CONFIG_FILE_PATH ]] || {
- printf "No configuration found!\n"
- _set_config_item ECR_URL "Please enter an ECR URL:"
- _set_config_item ECR_REGION "Please enter AWS region of the ECR repository:"
+ printf "No configuration found!\n"
+ _set_config_item ECR_URL "Please enter an ECR URL:"
+ _set_config_item ECR_HELM_URL "Please enter an ECR Helm URL:"
+ _set_config_item ECR_REGION "Please enter AWS region of the ECR repository:"
 }
 source "$ECR_CONFIG_FILE_PATH"
 [[ -z "$ECR_URL" || -z "$ECR_REGION" ]] && {
- say "$(basename $ECR_CONFIG_FILE_PATH) seems corrupted. Try using" \
+ say "$(basename $ECR_CONFIG_FILE_PATH) seems corrupted. Try using" \
 "'rm -f $ECR_CONFIG_FILE_PATH' to remove this configuration."
- exit 1
+ exit 1
 }
 return 0
 }
 _ecr_login() {
- is_a_public_ecr_registry
+ # check if docker client can login to specified registry again without prompting for a password
+ # indicating that it still has a valid access token
+ if timeout -f 10 docker login $ECR_URL &>/dev/null; then
+ say "Using existing ECR credentials"
+ return 0
+ fi
+
+ is_a_public_ecr_registry
 if [[ $? -eq $SUCCESS ]]; then
- aws ecr-public get-login-password --region "$ECR_REGION" | docker login --username AWS --password-stdin $ECR_URL
+ aws ecr-public get-login-password --region "$ECR_REGION" | docker login --username AWS --password-stdin $ECR_URL
 else
- aws ecr get-login-password --region "$ECR_REGION" | docker login --username AWS --password-stdin $ECR_URL
+ aws ecr get-login-password --region "$ECR_REGION" | docker login --username AWS --password-stdin $ECR_URL
 fi
 }
 # Loads configuration and logs in to a registry.
 #
 ecr_login() {
- _load_ecr_config || die "Error while loading configuration file!"
- say "Using ECR registry url: $ECR_URL. (region: $ECR_REGION)."
- _ecr_login || die "Failed to log in to the ECR registry."
-}
-
-# Check if the current ECR URL is a public one or not.
-#
-is_a_public_ecr_registry() {
- [[ "$ECR_URL" =~ ^public.ecr.aws* ]] && { return $SUCCESS; }
- return $FAILURE
+ _load_ecr_config || die "Error while loading configuration file!"
+ say "Using ECR registry url: $ECR_URL. (region: $ECR_REGION)."
+ _ecr_login || die "Failed to log in to the ECR registry."
 }
 _helm_login() {
@@ -102,15 +103,23 @@ helm_login() {
 _helm_login || die "Failed to log in to the ECR registry."
 }
+# Check if the current ECR URL is a public one or not.
+#
+is_a_public_ecr_registry() {
+ [[ "$ECR_URL" =~ ^public.ecr.aws* ]] && { return $SUCCESS; }
+ return $FAILURE
+}
+
 # Generic user confirmation function
-#
+#
 confirm() {
- read -p "$@ (yes/no)" yn
- case yn in
- yes) ;;
- *)
- say "Aborting..."
- exit $FAILURE
- ;;
+ echo -n "$@ (yes/no): "
+ read yn
+ case $yn in
+ yes) ;;
+ *)
+ say "Aborting..."
+ exit $FAILURE
+ ;;
 esac
 }
From 218d2e8d32f14c2543710c753e04fc0ee51d24f3 Mon Sep 17 00:00:00 2001
From: David Dornseifer
Date: Wed, 16 Apr 2025 15:02:58 +0200
Subject: [PATCH 5/5] Added pipeline.sh orchestration script
* Added `pipeline.sh` script for docker and Helm buid, packaging and release orchestration
* Added `validate_artifacts_versions.sh` script to ensure that k8s, docker and Helm version tags are in sync when releasing
---
 scripts/pipeline.sh | 21 +++++++++++++++++++++
 scripts/validate_artifacts_versions.sh | 20 ++++++++++++++++++++
 2 files changed, 41 insertions(+)
 create mode 100755 scripts/pipeline.sh
 create mode 100755 scripts/validate_artifacts_versions.sh
diff --git a/scripts/pipeline.sh b/scripts/pipeline.sh
new file mode 100755
index 0000000..5aa075b
--- /dev/null
+++ b/scripts/pipeline.sh
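Review bot: The token-reuse probe in `_ecr_login`, `timeout -f 10 docker login $ECR_URL &>/dev/null`, leaves stdin attached, so when the cached token has expired `docker login` falls back to prompting for a username and the probe hangs for the full 10 seconds in a terminal (or blocks a CI job until `timeout` kills it); redirect stdin as well, `if timeout 10 docker login "$ECR_URL" </dev/null &>/dev/null; then`, so the fallback fails immediately. `-f` is only understood as `--foreground` by recent GNU coreutils (inferred) and other `timeout` implementations reject the option, in which case the probe always fails and the script silently does a fresh login every run — use the long form or drop it, and say in the comment that a failed probe is expected on expiry. Separately, `_load_ecr_config` now prompts for `ECR_HELM_URL`, but the "seems corrupted" check still tests only `ECR_URL` and `ECR_REGION`, so a config file written before this change loads without `ECR_HELM_URL` and push_helm.sh later pushes to a bare `oci://`; extend it to `[[ -z "$ECR_URL" || -z "$ECR_HELM_URL" || -z "$ECR_REGION" ]]`. Note also that `source "$ECR_CONFIG_FILE_PATH"` executes the config as shell, which is fine for a per-user file but worth a comment. The hunk ends on the opening line of `_helm_login`, whose body lies outside it.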
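Review bot: `is_a_public_ecr_registry` decides both which `aws` login command runs and whether the public-registry confirmation prompt is shown, yet the pattern it was moved with, `^public.ecr.aws*`, leaves the dots unescaped and makes only the trailing `s` repeatable, so `publicXecrXaw` or `public.ecr.awsomething.example` also count as public. Anchor the host while the function is being relocated: `[[ "$ECR_URL" =~ ^public\.ecr\.aws(/|$) ]] && { return $SUCCESS; }`. In `confirm`, `read yn` should be `read -r yn` so a stray backslash in the answer is not interpreted, and the `yes)` arm could note in a comment that anything other than the literal `yes` aborts. The enclosing `helm_login` function starts before this hunk.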
@@ -0,0 +1,21 @@
+#!/bin/bash
+# Copyright 2025 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+set -e
+source "$(dirname $(realpath $0))/common.sh"
+current_folder="$(dirname $(realpath $0))"
+
+# version of helm charts are based on /helm/Chart.yaml
+# before packaging and publishing validate that the RELEASE version, manifest.yaml
+# and helm chart version are in sync and pointig to the new multich arch docker manifest
+$current_folder/validate_artifacts_versions.sh
+
+# build and upload docker artifacts
+# version for docker artifacts are based on RELEASE file
+$current_folder/build_docker.sh
+$current_folder/push_docker.sh
+$current_folder/create_manifest_docker.sh
+
+# build and upload helm artifacts
+$current_folder/package_helm.sh
+$current_folder/push_helm.sh
diff --git a/scripts/validate_artifacts_versions.sh b/scripts/validate_artifacts_versions.sh
new file mode 100755
index 0000000..5692f6d
--- /dev/null
+++ b/scripts/validate_artifacts_versions.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+# Copyright 2025 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+source "$(dirname $(realpath $0))/common.sh"
+
+# extract version of kubernetes manifest
+k8s_manifest=$TOP_DIR/aws-nitro-enclaves-k8s-ds.yaml
+k8s_version=$(yq '.spec.template.spec.containers[]?.image' "$k8s_manifest" | grep -o '[^:]*$')
+
+# extract version of helm chart, should be based on k8s manifest
+helm_chart=$TOP_DIR/helm/values.yaml
+helm_version=$(yq '.awsNitroEnclavesK8SDaemonset.awsNitroEnclavesK8SDp.image.tag' $helm_chart)
+
+echo "Release: $RELEASE"
+echo "Kubernetes Manifest: $k8s_version"
+echo "Helm Chart: $helm_version"
+
+if [ $RELEASE != $k8s_version ] || [ $k8s_version != $helm_version ]; then
+ die "Versions in release $RELEASE are not in sync"
+fi
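Review bot: The orchestrator never changes directory, while package_helm.sh and push_helm.sh in this series resolve the chart archive relative to the cwd and check for it under `$TOP_DIR`, so `pipeline.sh` only completes when started from the repository root; add `cd "$TOP_DIR" || exit 1` right after sourcing common.sh (which defines `TOP_DIR`), or fix the paths in those scripts. `set -e` alone will not stop the run when a piped stage fails inside a child script, and the scripts it calls rely on their own `|| die` anyway, so `set -euo pipefail` is the safer default here; the `dirname/realpath` expression is also computed twice and could reuse `current_folder`. A header comment listing the prerequisites (docker with multi-arch build support, helm, yq, aws CLI, an existing ECR config) and the fact that every step after `validate_artifacts_versions.sh` publishes to the registry would help whoever runs a release. Quote `"$current_folder"` in the invocations.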
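Review bot: The version gate fails open: if `yq` is not installed or a path yields nothing, `$k8s_version`/`$helm_version` are empty and the unquoted `[ $RELEASE != $k8s_version ]` becomes `[ v0.2 != ]`, a test syntax error (status 2) that the `if` treats as false, so the script echoes the versions, exits 0 and pipeline.sh goes on to build and push. Use `[[ ... ]]` with quoting and require non-empty values before comparing: `command -v yq >/dev/null || die "yq is required"`, `[[ -n "$k8s_version" && -n "$helm_version" ]] || die "Could not read versions from $k8s_manifest / $helm_chart"`, then `if [[ "$RELEASE" != "$k8s_version" || "$k8s_version" != "$helm_version" ]]; then`. `.spec.template.spec.containers[]?.image` also returns one line per container, so a second container would produce a multi-word value that breaks the comparison; `containers[0].image` (or `| head -n1`) makes the intent explicit, and `grep -o '[^:]*$'` would return the hash for an image pinned with `@sha256:`. Chart.yaml's `version:` is not validated although package_helm.sh assumes it equals `$VERSION`.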