This directory contains GitHub Actions workflows for building and publishing the Kafka Kerberos Gateway Docker images.
Trigger: Push to main branch
Actions:
- Builds multi-architecture Docker image (linux/amd64, linux/arm64)
- Pushes to GitHub Container Registry (GHCR)
- Tags with:
  - `latest` - Latest stable build
  - `main` - Main branch build
  - SHA commit hash - Specific commit build
Registry: ghcr.io/glassflow/kafka-kerberos-gateway
Trigger: Push tags matching v* pattern or GitHub release
Actions:
- Builds multi-architecture Docker image
- Pushes to GHCR with version tags
- Creates GitHub release with changelog
- Tags with:
  - Version tag (e.g., `v1.0.0`)
  - `stable` - Latest stable release
Trigger: Pull requests to main branch
Actions:
- Builds Docker image (no push)
- Tests image locally
- Validates health endpoint
- Tags with:
  - `pr-{number}` - Pull request build
  - SHA commit hash
| Tag | Description | Example |
|---|---|---|
| `latest` | Latest stable build from main | `ghcr.io/glassflow/kafka-kerberos-gateway:latest` |
| `main` | Main branch build | `ghcr.io/glassflow/kafka-kerberos-gateway:main` |
| `stable` | Latest stable release | `ghcr.io/glassflow/kafka-kerberos-gateway:stable` |
| `v1.0.0` | Specific version release | `ghcr.io/glassflow/kafka-kerberos-gateway:v1.0.0` |
| `abc1234` | Specific commit SHA | `ghcr.io/glassflow/kafka-kerberos-gateway:abc1234` |
| `pr-123` | Pull request build | `ghcr.io/glassflow/kafka-kerberos-gateway:pr-123` |
```yaml
services:
  kafka-gateway:
    image: ghcr.io/glassflow/kafka-kerberos-gateway:latest
    ports:
      - "8082:8082"
    environment:
      - PORT=8082
```

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kafka-gateway
spec:
  replicas: 1
  selector:
    matchLabels:
      app: kafka-gateway
  template:
    metadata:
      labels:
        app: kafka-gateway
    spec:
      containers:
        - name: kafka-gateway
          image: ghcr.io/glassflow/kafka-kerberos-gateway:latest
          ports:
            - containerPort: 8082
          resources:
            requests:
              memory: "128Mi"
              cpu: "100m"
            limits:
              memory: "256Mi"
              cpu: "200m"
```

- Main branch pushes: Creates `latest` and `main` tags
- Version tags: Creates versioned releases (e.g., `v1.0.0`)
- Pull requests: Creates `pr-{number}` tags for testing
- Update `VERSION` file:
  ```bash
  echo "1.0.1" > VERSION
  ```
- Commit and tag:
  ```bash
  git add VERSION
  git commit -m "Bump version to 1.0.1"
  git tag v1.0.1
  git push origin main --tags
  ```
- GitHub Actions will automatically:
  - Build the image
  - Push to GHCR with `v1.0.1` tag
  - Create a GitHub release
The images are published to GitHub Container Registry (GHCR) and are publicly accessible:
```bash
# Pull latest image
docker pull ghcr.io/glassflow/kafka-kerberos-gateway:latest
# Pull specific version
docker pull ghcr.io/glassflow/kafka-kerberos-gateway:v1.0.0
```

If you need private access, you'll need to:
- Log in to GHCR:
  ```bash
  echo "$GITHUB_TOKEN" | docker login ghcr.io -u USERNAME --password-stdin
  ```
- Update image references in your projects
The gateway exposes a health endpoint with version information:
```bash
curl http://localhost:8082/health
```

Response:
```json
{
  "status": "healthy",
  "service": "kafka-kerberos-gateway",
  "version": "1.0.0",
  "commit": "abc1234",
  "build": "2024-01-15T10:30:00Z"
}
```

- Check GitHub Actions logs for specific error messages
- Verify Dockerfile syntax and dependencies
- Ensure all required files are present (VERSION, go.mod, etc.)
- Verify image exists: https://github.com/orgs/glassflow/packages
- Check image tags: https://github.com/orgs/glassflow/packages/container/kafka-kerberos-gateway
- Ensure proper authentication if using private images
- Check VERSION file format (should be semantic version like `1.0.0`)
- Verify git tags are properly pushed
- Check GitHub Actions permissions for package publishing
- Images are built with minimal dependencies
- Multi-stage builds reduce attack surface
- Regular security updates via Dependabot
- No secrets or credentials in images
- Temporary Kerberos files are cleaned up after use
- Multi-architecture builds (AMD64 + ARM64)
- Docker layer caching for faster builds
- Optimized Dockerfile with minimal layers
- Small image size (~100MB)
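
The health endpoint and the tag scheme above can be combined into a post-deploy check that the running container is the build the tag names. This is an added example, not code from the project; the function name is hypothetical, and it assumes `version` is the release tag without its leading `v` and `commit` is the short SHA used as the image tag.

```python
import json
import re

# Tags the workflows re-point on later builds; they do not identify one build.
MUTABLE_TAGS = {"latest", "main", "stable"}

def check_health_against_tag(health_body, image_tag):
    """Return a list of findings; an empty list means the running build matches the tag."""
    try:
        health = json.loads(health_body)
    except json.JSONDecodeError as exc:
        return [f"health response is not JSON: {exc}"]
    if not isinstance(health, dict):
        return ["health response is not a JSON object"]

    findings = []
    if health.get("service") != "kafka-kerberos-gateway":
        findings.append(f"unexpected service: {health.get('service')!r}")
    if health.get("status") != "healthy":
        findings.append(f"status is {health.get('status')!r}")

    version = str(health.get("version", ""))
    commit = str(health.get("commit", ""))
    if image_tag in MUTABLE_TAGS or re.fullmatch(r"pr-\d+", image_tag):
        # A floating tag cannot be verified; report what is actually running instead.
        findings.append(f"tag {image_tag!r} is mutable; running version={version} commit={commit}")
    elif re.fullmatch(r"v\d+\.\d+\.\d+", image_tag):
        if version != image_tag[1:]:
            findings.append(f"tag {image_tag} but gateway reports version {version!r}")
    elif re.fullmatch(r"[0-9a-f]{7,40}", image_tag):
        # Short and full SHAs match when one is a prefix of the other.
        if not commit or not (image_tag.startswith(commit) or commit.startswith(image_tag)):
            findings.append(f"tag {image_tag} but gateway reports commit {commit!r}")
    else:
        findings.append(f"unrecognised tag format: {image_tag!r}")
    return findings

# Constructed sample: the health response shown in this README.
SAMPLE_HEALTH = """{"status": "healthy", "service": "kafka-kerberos-gateway",
 "version": "1.0.0", "commit": "abc1234", "build": "2024-01-15T10:30:00Z"}"""

if __name__ == "__main__":
    for tag in ("v1.0.0", "abc1234", "v1.0.1", "latest", "pr-123"):
        print(tag, check_health_against_tag(SAMPLE_HEALTH, tag) or "OK")
```

In a deployment pipeline the `health_body` argument would be the output of the `curl` call above, and any non-empty result would fail the rollout step.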