authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-05 12:08:03 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-05 12:08:18 +0000
commit5da14042f70711ea5cf66e034699730335462f66 (patch)
tree0f6354ccac934ed87a2d555f45be4c831cf92f4a /src/fluent-bit/.github/workflows/call-test-images.yaml
parentReleasing debian version 1.44.3-2. (diff)
Merging upstream version 1.45.3+dfsg.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'src/fluent-bit/.github/workflows/call-test-images.yaml')
-rw-r--r--src/fluent-bit/.github/workflows/call-test-images.yaml205
1 files changed, 205 insertions, 0 deletions
diff --git a/src/fluent-bit/.github/workflows/call-test-images.yaml b/src/fluent-bit/.github/workflows/call-test-images.yaml
new file mode 100644
index 000000000..29bc0cd3d
--- /dev/null
+++ b/src/fluent-bit/.github/workflows/call-test-images.yaml
@@ -0,0 +1,205 @@
+---
+name: Reusable workflow to test container images
+on:
+ workflow_call:
+ inputs:
+ registry:
+ description: The registry to pull the images to test from.
+ type: string
+ required: true
+ username:
+ description: The username for authentication with the registry.
+ type: string
+ required: true
+ image:
+ description: The name of the image to pull from the registry for testing.
+ type: string
+ required: true
+ image-tag:
+ description: The tag of the image to pull from the registry for testing.
+ type: string
+ required: true
+ environment:
+ description: The Github environment to run this workflow on.
+ type: string
+ required: false
+ ref:
+ description: The commit, tag or branch to checkout for testing scripts.
+ type: string
+ default: master
+ required: false
+ secrets:
+ token:
+ description: The Github token or similar to authenticate with for the registry.
+ required: true
+ cosign_key:
+ description: The optional Cosign key to use for verifying the images.
+ required: false
+jobs:
+ call-test-images-cosign-verify:
+ name: Cosign verification of container image
+ environment: ${{ inputs.environment }}
+ runs-on: ubuntu-latest
+ steps:
+ - name: Install cosign
+ uses: sigstore/cosign-installer@v2
+
+ - name: Log in to the Container registry
+ uses: docker/login-action@v3
+ with:
+ registry: ${{ inputs.registry }}
+ username: ${{ inputs.username }}
+ password: ${{ secrets.token }}
+
+ # There is currently no way to verify a local image, e.g. for a particular architecture
+ # https://github.com/sigstore/cosign/issues/60
+ - name: Verify image with a key
+ # Only key-based verification currently
+ if: ${{ env.COSIGN_PUBLIC_KEY }}
+ run: |
+ echo -e "${COSIGN_PUBLIC_KEY}" > /tmp/my_cosign.pub
+ cosign verify --key /tmp/my_cosign.pub "$REGISTRY/$IMAGE_NAME:$IMAGE_TAG"
+ rm -f /tmp/my_cosign.key
+ shell: bash
+ env:
+ COSIGN_PUBLIC_KEY: ${{ secrets.cosign_key }}
+ REGISTRY: ${{ inputs.registry }}
+ IMAGE_NAME: ${{ inputs.image }}
+ IMAGE_TAG: ${{ inputs.image-tag }}
+
+ call-test-images-container-architecture:
+ name: ${{ matrix.arch }} image architecture verification
+ runs-on: ubuntu-latest
+ environment: ${{ inputs.environment }}
+ # Test as much as we can
+ continue-on-error: true
+ strategy:
+ fail-fast: false
+ matrix:
+ arch: [ linux/amd64, linux/arm64, linux/arm/v7 ]
+ include:
+ # Rather than extract the specific central arch we just provide it
+ - arch: linux/amd64
+ expected: amd64
+ - arch: linux/arm64
+ expected: arm64
+ - arch: linux/arm/v7
+ expected: arm
+ steps:
+ - name: Log in to the Container registry
+ uses: docker/login-action@v3
+ with:
+ registry: ${{ inputs.registry }}
+ username: ${{ inputs.username }}
+ password: ${{ secrets.token }}
+
+ - name: Pull and extract architecture of image
+ id: extract_arch
+ run: |
+ docker pull --platform=${{ matrix.arch }} "$REGISTRY/$IMAGE_NAME:$IMAGE_TAG"
+ ACTUAL_ARCH=$(docker image inspect --format '{{.Architecture}}' "$REGISTRY/$IMAGE_NAME:$IMAGE_TAG")
+ echo "ACTUAL_ARCH=$ACTUAL_ARCH" >> $GITHUB_OUTPUT
+ docker image inspect "$REGISTRY/$IMAGE_NAME:$IMAGE_TAG"
+ shell: bash
+ env:
+ REGISTRY: ${{ inputs.registry }}
+ IMAGE_NAME: ${{ inputs.image }}
+ IMAGE_TAG: ${{ inputs.image-tag }}
+
+ - name: Validate architecture of image
+ run: |
+ if [[ "$ACTUAL_ARCH" != "$EXPECTED_ARCH" ]]; then
+ echo "Invalid architecture for $REGISTRY/$IMAGE_NAME: $ACTUAL_ARCH != $EXPECTED_ARCH"
+ exit 1
+ fi
+ env:
+ EXPECTED_ARCH: ${{ matrix.expected }}
+ ACTUAL_ARCH: ${{ steps.extract_arch.outputs.ACTUAL_ARCH }}
+ shell: bash
+
+ call-test-images-container-smoke:
+ # Ensure each architecture container runs up correctly with default configuration.
+ name: ${{ matrix.arch }} smoke test for local container images
+ runs-on: ubuntu-latest
+ environment: ${{ inputs.environment }}
+ # No point running if the architecture is incorrect
+ needs: [ call-test-images-container-architecture ]
+ continue-on-error: true
+ strategy:
+ fail-fast: false # verify all
+ matrix:
+ arch: [ linux/amd64, linux/arm64, linux/arm/v7 ]
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ with:
+ ref: ${{ inputs.ref }}
+
+ - name: Log in to the Container registry
+ uses: docker/login-action@v3
+ with:
+ registry: ${{ inputs.registry }}
+ username: ${{ inputs.username }}
+ password: ${{ secrets.token }}
+
+ - name: Set up QEMU using standard action
+ if: ${{ matrix.arch != 'linux/arm64' }}
+ uses: docker/setup-qemu-action@v3
+
+ # Without this QEMU fails for ARM64
+ - name: Set up binary emulation for QEMU
+ if: ${{ matrix.arch == 'linux/arm64' }}
+ run: |
+ docker run --privileged --rm tonistiigi/binfmt --install all
+
+ - name: Verify platform is supported with Alpine container
+ # We make sure there is not an inherent issue with this architecture on this runner
+ run: |
+ docker run --rm --platform=${{ matrix.arch }} alpine uname -a
+
+ - name: Test the HTTP server is responding
+ timeout-minutes: 10
+ run: |
+ packaging/testing/smoke/container/container-smoke-test.sh
+ shell: bash
+ env:
+ CONTAINER_NAME: local-smoke-${{ matrix.arch }}
+ CONTAINER_ARCH: ${{ matrix.arch }}
+ REGISTRY: ${{ inputs.registry }}
+ IMAGE_NAME: ${{ inputs.image }}
+ IMAGE_TAG: ${{ inputs.image-tag }}
+
+ call-test-images-k8s-smoke:
+ # No need to test every architecture here, that is covered by local container tests.
+ # Testing helm chart deployment on KIND here.
+ name: Helm chart test on KIND
+ environment: ${{ inputs.environment }}
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ with:
+ ref: ${{ inputs.ref }}
+
+ - name: Create k8s Kind Cluster
+ uses: helm/kind-action@v1.8.0
+
+ - name: Set up Helm
+ uses: azure/setup-helm@v3.5
+ with:
+ version: v3.6.3
+
+ - name: Set up Kubectl
+ uses: azure/setup-kubectl@v3.2
+
+ - name: Test the HTTP server is responding
+ timeout-minutes: 5
+ run: |
+ packaging/testing/smoke/k8s/k8s-smoke-test.sh
+ shell: bash
+ env:
+ NAMESPACE: default
+ REGISTRY: ${{ inputs.registry }}
+ IMAGE_NAME: ${{ inputs.image }}
+ IMAGE_TAG: ${{ inputs.image-tag }}
+
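Review bot: The signature check in `call-test-images-cosign-verify` gates nothing: the `Verify image with a key` step is skipped whenever the optional `cosign_key` secret is empty, and no other job lists this job in `needs`, so an image that is unsigned or fails verification is still pulled and run by the architecture and smoke jobs. If verification is meant to be enforced, add `needs: [ call-test-images-cosign-verify ]` to the jobs that pull the image and make the missing-key case an explicit failure or a logged decision rather than a silent skip. The cleanup line in that step removes `/tmp/my_cosign.key`, but the key was written to `/tmp/my_cosign.pub`, so it should read `rm -f /tmp/my_cosign.pub`. Verification and the later `docker pull` each resolve `$IMAGE_TAG` on their own, so the image tested is not guaranteed to be the one verified; passing the verified digest to the later jobs would tie them together. Separately, `docker run --privileged --rm tonistiigi/binfmt --install all` runs an untagged third-party image with full privileges on a runner that has already logged in to the registry, and every `uses:` reference is a mutable tag; pinning the image to a digest and the actions to commit SHAs would narrow that supply-chain exposure.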