From d22c2705ab0105a3ecbf8133947021828ce07998 Mon Sep 17 00:00:00 2001 From: "David Muto (pseudomuto)" Date: Mon, 13 Jun 2022 15:44:15 +0000 Subject: [PATCH] Publish operator and bundle images for RedHat/OpenShift Updating the build/release scripts to handle publishing the bundle images and running preflight on them. The publish-openshift script downloads the tagged release from DockerHub, retags it correctly for the RedHat scanning repo, pushes it, and finally runs the preflight check on it. The openshift-bundle script largely does the same, only it publishes the bundle image rather than the operator image. The same script is used for both the certified and marketplace bundles. Passing `MARKETPLACE=1` will use the marketplace bundle values rather than the certified ones (default). --- .../teamcity-publish-openshift-bundle.sh | 70 ++++++++++------ build/release/teamcity-publish-openshift.sh | 64 +++++++-------- build/release/teamcity-publish-release.sh | 82 +++++++++---------- build/release/teamcity-support.sh | 34 +++++++- hack/bundle.sh | 7 ++ 5 files changed, 151 insertions(+), 106 deletions(-) diff --git a/build/release/teamcity-publish-openshift-bundle.sh b/build/release/teamcity-publish-openshift-bundle.sh index ca2b6a5a2..91dd3aa8d 100755 --- a/build/release/teamcity-publish-openshift-bundle.sh +++ b/build/release/teamcity-publish-openshift-bundle.sh 
@@ -17,38 +17,54 @@ set -euxo pipefail source "$(dirname "${0}")/teamcity-support.sh" +# Default values are defined for the certified bundle. +RH_PROJECT="5f5a433f9d6546ed7aa8634d" +RH_REGISTRY="scan.connect.redhat.com" +RH_REPO="ospid-857fe786-3eb7-4508-aafd-cc74c1b1dc24/cockroachdb-operator-bundle" +BUNDLE_DIR="bundle/cockroachdb-certified" -tc_start_block "Variable Setup" -VERSION="v"$(cat version.txt) -# Matching the version name regex from within the cockroach code except -# for the `metadata` part at the end because Docker tags don't support -# `+` in the tag name. -# https://github.com/cockroachdb/cockroach/blob/4c6864b44b9044874488cfedee3a31e6b23a6790/pkg/util/version/version.go#L75 -image_tag="$(echo "${VERSION}" | grep -E -o '^v(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)(-[-.0-9A-Za-z]+)?$')" -# ^major ^minor ^patch ^preRelease - -if [[ -z "$image_tag" ]] ; then - echo "Invalid VERSION \"${VERSION}\". Must be of the format \"vMAJOR.MINOR.PATCH(-PRERELEASE)?\"." - exit 1 +# If this is the marketplace bundle, update accordingly. +if ! [[ -z "${MARKETPLACE}" ]]; then + RH_PROJECT="61765afbdd607bfc82e643b8" + RH_REPO="ospid-61765afbdd607bfc82e643b8/cockroachdb-operator-bundle-marketplace" + BUNDLE_DIR="bundle/cockroachdb-certified-rhmp" fi -rhel_registry="scan.connect.redhat.com" -rh_bundle_image_repository="ospid-857fe786-3eb7-4508-aafd-cc74c1b1dc24/cockroachdb-operator-bundle" -image="$rhel_registry/$rh_bundle_image_repository:$image_tag" +# If it's a dry run, add -dryrun to the image +if ! [[ -z "${DRY_RUN}" ]]; then RH_REPO="${RH_REPO}-dryrun"; fi -if ! 
[[ -z "${DRY_RUN}" ]] ; then - image="${image}-dryrun" -fi -tc_end_block "Variable Setup" +IMAGE="${RH_REGISTRY}/${RH_REPO}:${TAG}" + +main() { + docker_login "${RH_REGISTRY}" "${OPERATOR_REDHAT_REGISTRY_USER}" "${OPERATOR_REDHAT_REGISTRY_KEY}" + + generate_bundle + publish_bundle_image + run_preflight +} + +generate_bundle() { + # create the certified and marketplace bundles + tc_start_block "Generate bundle" + make release/generate-bundle + tc_end_block "Generate bundle" +} + +publish_bundle_image() { + tc_start_block "Make and push bundle image" + pushd "${BUNDLE_DIR}" + docker build -t "${IMAGE}" . + docker push "${IMAGE}" + popd -tc_start_block "Make and push docker images" -configure_docker_creds -docker_login "$rhel_registry" "$OPERATOR_BUNDLE_REDHAT_REGISTRY_USER" "$OPERATOR_BUNDLE_REDHAT_REGISTRY_KEY" + tc_end_block "Make and push bundle image" +} -# TODO(rail): switch to bazel generated images when it supports "FROM: scratch" -cd deploy/certified-metadata-bundle/cockroach-operator -docker build -t $image -f bundle.Dockerfile . -docker push $image +run_preflight() { + bazel build //hack/bin:preflight + PFLT_PYXIS_API_TOKEN="${REDHAT_API_TOKEN}" bazel-bin/hack/bin/preflight \ + check operator "${IMAGE}" --docker-config ~/.docker/config.json +} -tc_end_block "Make and push docker images" +main "$@" diff --git a/build/release/teamcity-publish-openshift.sh b/build/release/teamcity-publish-openshift.sh index f461a6ffc..d63b820fa 100755 --- a/build/release/teamcity-publish-openshift.sh +++ b/build/release/teamcity-publish-openshift.sh 
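Review bot: In run_preflight the line `PFLT_PYXIS_API_TOKEN="${REDHAT_API_TOKEN}" bazel-bin/hack/bin/preflight ...` runs under the script's `set -euxo pipefail`, so xtrace writes the expanded Pyxis API token to the build log unless the CI masks it. The run_preflight added to teamcity-publish-openshift.sh has the same line, and the registry key passed to docker_login in both scripts is traced the same way. Turning tracing off around the secret-bearing commands would avoid that, for example `set +x` before the preflight call and `set -x` after it. Separately, `"${MARKETPLACE}"` is read under `set -u`, so a run without it set aborts with an unbound-variable error; `"${MARKETPLACE:-}"` keeps the certified default working.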
@@ -17,41 +17,37 @@ set -euxo pipefail source "$(dirname "${0}")/teamcity-support.sh" +RH_PROJECT_ID="5e6027425c5456060d5f6084" +RH_REGISTRY="scan.connect.redhat.com" +RH_OPERATOR_IMG="${RH_REGISTRY}/ospid-cf721588-ad8a-4618-938c-5191c5e10ae4/cockroachdb-operator:${TAG}" -tc_start_block "Variable Setup" -VERSION="v"$(cat version.txt) -# Matching the version name regex from within the cockroach code except -# for the `metadata` part at the end because Docker tags don't support -# `+` in the tag name. -# https://github.com/cockroachdb/cockroach/blob/4c6864b44b9044874488cfedee3a31e6b23a6790/pkg/util/version/version.go#L75 -image_tag="$(echo "${VERSION}" | grep -E -o '^v(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)(-[-.0-9A-Za-z]+)?$')" -# ^major ^minor ^patch ^preRelease - -if [[ -z "$image_tag" ]] ; then - echo "Invalid VERSION \"${VERSION}\". Must be of the format \"vMAJOR.MINOR.PATCH(-PRERELEASE)?\"." - exit 1 -fi - -rhel_registry="scan.connect.redhat.com" - -dh_operator_image="docker.io/cockroachdb/cockroach-operator:$image_tag" -rh_operator_image_repository="$rhel_registry/ospid-cf721588-ad8a-4618-938c-5191c5e10ae4/cockroachdb-operator" - +OPERATOR_IMG="docker.io/cockroachdb/cockroach-operator:${TAG}" if ! [[ -z "${DRY_RUN}" ]] ; then - # The operator image doesn't use the "-dryrun" suffix, it's published in a - # separate repository. 
- dh_operator_image="docker.io/cockroachdb/cockroach-operator-misc:$image_tag" - image_tag="${image_tag}-dryrun" + OPERATOR_IMG="docker.io/cockroachdb/cockroach-operator-misc:${TAG}-dryrun" fi -tc_end_block "Variable Setup" - - -tc_start_block "Make and push docker images" -configure_docker_creds -docker_login "$rhel_registry" "$OPERATOR_REDHAT_REGISTRY_USER" "$OPERATOR_REDHAT_REGISTRY_KEY" - -docker pull "$dh_operator_image" -docker tag "$dh_operator_image" "$rh_operator_image_repository:$image_tag" -docker push "$rh_operator_image_repository:$image_tag" -tc_end_block "Make and push docker images" +main() { + docker_login "${RH_REGISTRY}" "${OPERATOR_REDHAT_REGISTRY_USER}" "${OPERATOR_REDHAT_REGISTRY_KEY}" + + publish_to_redhat + run_preflight +} + +publish_to_redhat() { + tc_start_block "Tag and release docker image" + docker pull "${OPERATOR_IMG}" + docker tag "${OPERATOR_IMG}" "${RH_OPERATOR_IMG}" + docker push "${RH_OPERATOR_IMG}" + tc_end_block "Tag and release docker image" +} + +run_preflight() { + bazel build //hack/bin:preflight + PFLT_PYXIS_API_TOKEN="${REDHAT_API_TOKEN}" bazel-bin/hack/bin/preflight \ + check container "${RH_OPERATOR_IMG}" \ + --certification-project-id="${RH_PROJECT_ID}" \ + --docker-config=/home/agent/.docker/config.json \ + --submit +} + +main "$@" diff --git a/build/release/teamcity-publish-release.sh b/build/release/teamcity-publish-release.sh index 233c65c9e..78430d80c 100755 --- a/build/release/teamcity-publish-release.sh +++ b/build/release/teamcity-publish-release.sh 
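Review bot: `RH_OPERATOR_IMG` is built from `${TAG}` before the `DRY_RUN` check and is never changed by it, so a dry run tags and pushes to the real release tag in the Red Hat repository, and run_preflight then calls preflight with `--submit` against `RH_PROJECT_ID`. The removed code appended `-dryrun` to the pushed tag. Inside the `DRY_RUN` branch I would add `RH_OPERATOR_IMG="${RH_OPERATOR_IMG}-dryrun"` and pass `--submit` only when `DRY_RUN` is empty. The dry-run source is also now `cockroach-operator-misc:${TAG}-dryrun`, whereas the removed comment says the misc repository does not use that suffix, so the pull may fail; this is worth confirming against what teamcity-publish-release.sh pushes.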
@@ -17,45 +17,45 @@ set -euxo pipefail source "$(dirname "${0}")/teamcity-support.sh" -tc_start_block "Variable Setup" -VERSION="v"$(cat version.txt) -# Matching the version name regex from within the cockroach code except -# for the `metadata` part at the end because Docker tags don't support -# `+` in the tag name. -# https://github.com/cockroachdb/cockroach/blob/4c6864b44b9044874488cfedee3a31e6b23a6790/pkg/util/version/version.go#L75 -image_tag="$(echo "${VERSION}" | grep -E -o '^v(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)(-[-.0-9A-Za-z]+)?$')" -# ^major ^minor ^patch ^preRelease - -if [[ -z "$image_tag" ]] ; then - echo "Invalid VERSION \"${VERSION}\". Must be of the format \"vMAJOR.MINOR.PATCH(-PRERELEASE)?\"." - exit 1 -fi - -docker_registry="docker.io" -operator_image_repository="cockroachdb/cockroach-operator" - -if ! [[ -z "${DRY_RUN}" ]] ; then - operator_image_repository="cockroachdb/cockroach-operator-misc" -fi - -tc_end_block "Variable Setup" - -tc_start_block "Make and push docker images" -configure_docker_creds -docker_login "$docker_registry" "$OPERATOR_DOCKER_ID" "$OPERATOR_DOCKER_ACCESS_TOKEN" - -if docker_image_exists "$docker_registry/$operator_image_repository:$image_tag"; then - echo "Docker image $docker_registry/$operator_image_repository:$image_tag already exists" - if [[ -z "${FORCE}" ]] ; then - echo "Use FORCE=1 to force push the docker image." - echo "Alternatively you can delete the tag in Docker Hub." - exit 1 +REGISTRY="docker.io" +REPO="cockroachdb/cockroach-operator" +if ! [[ -z "${DRY_RUN}" ]] ; then REPO="${REPO}-misc"; fi + +OPERATOR_IMG="${REGISTRY}/${REPO}:${TAG}" + +main() { + docker_login "${REGISTRY}" "${OPERATOR_DOCKER_ID}" "${OPERATOR_DOCKER_ACCESS_TOKEN}" + + validate_image + publish_to_registry +} + +validate_image() { + tc_start_block "Ensure image should be pushed" + + if docker_image_exists "${OPERATOR_IMG}"; then + echo "Docker image ${OPERATOR_IMG} already exists!" 
+ + if [[ -z "${FORCE}" ]] ; then + echo "Use FORCE=1 to force push the docker image." + echo "Alternatively you can delete the tag in Docker Hub." + exit 1 + fi + echo "Forcing docker push..." fi - echo "Forcing docker push..." -fi - -make \ - DOCKER_REGISTRY="$docker_registry" \ - DOCKER_IMAGE_REPOSITORY="$operator_image_repository" \ - release/image -tc_end_block "Make and push docker images" + + tc_end_block "Ensure image should be pushed" +} + +publish_to_registry() { + tc_start_block "Make and push docker image" + + make \ + DOCKER_REGISTRY="${REGISTRY}" \ + DOCKER_IMAGE_REPOSITORY="${REPO}" \ + release/image + + tc_end_block "Make and push docker image" +} + +main "$@" diff --git a/build/release/teamcity-support.sh b/build/release/teamcity-support.sh index 3a7d9e8b2..5bd3454db 100644 --- a/build/release/teamcity-support.sh +++ b/build/release/teamcity-support.sh @@ -12,6 +12,9 @@ # See the License for the specific language governing permissions and # limitations under the License. +# Set below with call to ensure_valid_tag +export TAG="" + # Common helpers for teamcity-*.sh scripts. remove_files_on_exit() { @@ -29,10 +32,12 @@ tc_end_block() { } docker_login() { - local registry=$1 - local registry_user=$2 - local registry_token=$3 - echo "${registry_token}" | docker login --username "${registry_user}" --password-stdin $registry + configure_docker_creds + + local registry="${1}" + local registry_user="${2}" + local registry_token="${3}" + echo "${registry_token}" | docker login --username "${registry_user}" --password-stdin "${registry}" } configure_docker_creds() { 
@@ -55,3 +60,24 @@ docker_image_exists() { docker pull "$1" return $? } + +ensure_valid_tag() { + tc_start_block "Extracting image tag" + local version="v$(cat version.txt)" + + # Matching the version name regex from within the cockroach code except + # for the `metadata` part at the end because Docker tags don't support + # `+` in the tag name. + # https://github.com/cockroachdb/cockroach/blob/4c6864b44b9044874488cfedee3a31e6b23a6790/pkg/util/version/version.go#L75 + TAG="$(echo -n "${version}" | grep -E -o '^v(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)(-[-.0-9A-Za-z]+)?$')" + # ^major ^minor ^patch ^preRelease + + if [[ -z "${TAG}" ]] ; then + echo "Invalid VERSION \"${version}\". Must be of the format \"vMAJOR.MINOR.PATCH(-PRERELEASE)?\"." + exit 1 + fi + + tc_end_block "Extracting image tag" +} + +ensure_valid_tag diff --git a/hack/bundle.sh b/hack/bundle.sh index e46e1ae19..165b15200 100755 --- a/hack/bundle.sh +++ b/hack/bundle.sh @@ -89,6 +89,13 @@ generate_bundle() { # Update CSV with correct images, and timestamps adapt_csv "${dir}" "${img}" + + # move the dockerfile into the bundle directory and make it valid + sed \ + -e "s+${dir}/++g" bundle.Dockerfile \ # fix up paths + -e "/\s*COPY tests/d" > "${dir}/Dockerfile" # remove scorecard tests + + rm bundle.Dockerfile } adapt_csv() {
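Review bot: In ensure_valid_tag the `Invalid VERSION` branch looks unreachable when the caller has `set -e` on, as all three publish scripts do: `grep -o` exits 1 on no match, the `TAG="$(...)"` assignment takes that status, and the shell exits before the message is printed. Appending `|| true` to the assignment lets the `[[ -z "${TAG}" ]]` check report the bad version. `local version="v$(cat version.txt)"` also hides a failed `cat`; declaring `local version` first and assigning on the next line would surface a missing version.txt. Since `ensure_valid_tag` runs at source time, a one-line comment at the call would help, stating that sourcing this file reads version.txt from the current directory and exits on an invalid version.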
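Review bot: The `sed` command added to generate_bundle has comments after the line-continuation backslashes (`bundle.Dockerfile \ # fix up paths`), so as shown the backslash escapes a space rather than the newline. The first line then runs alone, with a stray blank argument and output to stdout, and the following `-e ...` line is executed as a separate command. `${dir}/Dockerfile` would not receive the rewritten content, yet `rm bundle.Dockerfile` still runs if the script continues. Moving the comments above the command fixes it, for example `sed -e "s+${dir}/++g" -e "/\s*COPY tests/d" bundle.Dockerfile > "${dir}/Dockerfile"`. generate_bundle starts outside this hunk, so whether `set -e` is active there is not visible.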