Update Openshift Release Process (cockroachdb#964)

* Install preflight binary on Linux machines

Adding preflight to the list of OpenShift binaries installed. For now,
this is only available on Linux machines and won't be added to anyone
using Darwin.

* Publish operator and bundle images for RedHat/OpenShift

Updating the build/release scripts to handle publishing the bundle
images and running preflight on them.

The publish-openshift script downloads the tagged release from
DockerHub, retags it correctly for the RedHat scanning repo, pushes it,
and finally runs the preflight check on it.

The openshift-bundle script largely does the same, only it publishes the
bundle image rather than the operator image. The same script is used for
both the certified and marketplace bundles. Passing `MARKETPLACE=1` will
use the marketplace bundle values rather than the certified ones
(default).

* Update OpenShift binaries to 4.10.18

Updated all of the outdated OpenShift binaries. This also includes a fix
to an issue with had with opm. We were copying the tar file into the bin
folder and marking it as executable. This naturally, caused issues when
we tried to run it.

* Add support for make test/preflight-<target>

Adding targets for running preflight tests. These only work on Linux
machines since preflight is currently not available on other platforms.

The preflight tasks all assume you've got a running OpenShift cluster
and that GCP_PROJECT and KUBECONFIG are set accordingly in the env.

* Build, Publish and automate release process for openshift

* Fix the review comments

---------

Co-authored-by: David Muto (pseudomuto) <[email protected]>

.gitignore

@@ -63,5 +63,5 @@ bundle/
 faq
 
 _artifacts
-bundle.Dockerfile
+artifacts
 tmp

Makefile

@@ -210,6 +210,12 @@ test/e2e/testrunner-openshift-packaging: test/openshift-package
 		--action_env=APP_VERSION=$(APP_VERSION) \
 		--action_env=DOCKER_REGISTRY=$(DOCKER_REGISTRY)
 
+# Run preflight checks for OpenShift. This expects a running OpenShift cluster.
+# Eg. make test/preflight-<operator|bundle|marketplace>
+test/preflight-%: CONTAINER=$*
+test/preflight-%: release/generate-bundle
+	@bazel run //hack:redhat-preflight -- $(CONTAINER)
+
 #
 # Different dev targets
 #
@@ -267,6 +273,7 @@ dev/up: dev/down
 
 .PHONY: dev/down
 dev/down:
+	@bazel build //hack/bin:k3d
 	@hack/dev.sh down
 #
 # Targets that allow to install the operator on an existing cluster
@@ -332,7 +339,7 @@ release/image:
 # RedHat OpenShift targets
 #
 
-#RED HAT IMAGE BUNDLE
+#REDHAT IMAGE BUNDLE
 RH_BUNDLE_REGISTRY?=registry.connect.redhat.com/cockroachdb
 RH_BUNDLE_IMAGE_REPOSITORY?=cockroachdb-operator-bundle
 RH_BUNDLE_VERSION?=$(VERSION)
@@ -356,3 +363,16 @@ PKG_MAN_OPTS ?= "$(PKG_CHANNELS) $(PKG_DEFAULT_CHANNEL)"
 .PHONY: release/generate-bundle
 release/generate-bundle:
 	bazel run //hack:bundle -- $(RH_BUNDLE_VERSION) $(RH_OPERATOR_IMAGE) $(PKG_MAN_OPTS) $(RH_COCKROACH_DATABASE_IMAGE)
+
+.PHONY: release/publish-operator
+publish-operator:
+	./build/release/teamcity-publish-release.sh
+
+.PHONY: release/publish-operator-openshift
+publish-operator-openshift:
+	./build/release/teamcity-publish-openshift.sh
+
+.PHONY: release/publish-openshift-bundle
+release/publish-openshift-bundle:
+	./build/release/teamcity-publish-openshift-bundle.sh
+

build/release/teamcity-publish-openshift-bundle.sh

@@ -17,38 +17,54 @@ set -euxo pipefail
 
 source "$(dirname "${0}")/teamcity-support.sh"
 
+# Default values are defined for the certified bundle.
+RH_PROJECT="5f5a433f9d6546ed7aa8634d"
+RH_REGISTRY="scan.connect.redhat.com"
+RH_REPO="ospid-857fe786-3eb7-4508-aafd-cc74c1b1dc24/cockroachdb-operator-bundle"
+BUNDLE_DIR="bundle/cockroachdb-certified"
 
-tc_start_block "Variable Setup"
-VERSION="v"$(cat version.txt)
-# Matching the version name regex from within the cockroach code except
-# for the `metadata` part at the end because Docker tags don't support
-# `+` in the tag name.
-# https://github.com/cockroachdb/cockroach/blob/4c6864b44b9044874488cfedee3a31e6b23a6790/pkg/util/version/version.go#L75
-image_tag="$(echo "${VERSION}" | grep -E -o '^v(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)(-[-.0-9A-Za-z]+)?$')"
-#                                         ^major           ^minor           ^patch         ^preRelease
-
-if [[ -z "$image_tag" ]] ; then
-    echo "Invalid VERSION \"${VERSION}\". Must be of the format \"vMAJOR.MINOR.PATCH(-PRERELEASE)?\"."
-    exit 1
+# If this is the marketplace bundle, update accordingly.
+if ! [[ -z "${MARKETPLACE}" ]]; then
+  RH_PROJECT="61765afbdd607bfc82e643b8"
+  RH_REPO="ospid-61765afbdd607bfc82e643b8/cockroachdb-operator-bundle-marketplace"
+  BUNDLE_DIR="bundle/cockroachdb-certified-rhmp"
 fi
 
-rhel_registry="scan.connect.redhat.com"
-rh_bundle_image_repository="ospid-857fe786-3eb7-4508-aafd-cc74c1b1dc24/cockroachdb-operator-bundle"
-image="$rhel_registry/$rh_bundle_image_repository:$image_tag"
+# If it's a dry run, add -dryrun to the image
+if ! [[ -z "${DRY_RUN}" ]]; then RH_REPO="${RH_REPO}-dryrun"; fi
 
-if ! [[ -z "${DRY_RUN}" ]] ; then
-  image="${image}-dryrun"
-fi
-tc_end_block "Variable Setup"
+IMAGE="${RH_REGISTRY}/${RH_REPO}:${TAG}"
+
+main() {
+  docker_login "${RH_REGISTRY}" "${OPERATOR_REDHAT_REGISTRY_USER}" "${OPERATOR_REDHAT_REGISTRY_KEY}"
+
+  generate_bundle
+  publish_bundle_image
+  run_preflight
+}
+
+generate_bundle() {
+  # create the certified and marketplace bundles
+  tc_start_block "Generate bundle"
+  make release/generate-bundle
+  tc_end_block "Generate bundle"
+}
+
+publish_bundle_image() {
+  tc_start_block "Make and push bundle image"
 
+  pushd "${BUNDLE_DIR}"
+  docker build -t "${IMAGE}" .
+  docker push "${IMAGE}"
+  popd
 
-tc_start_block "Make and push docker images"
-configure_docker_creds
-docker_login "$rhel_registry" "$OPERATOR_BUNDLE_REDHAT_REGISTRY_USER" "$OPERATOR_BUNDLE_REDHAT_REGISTRY_KEY"
+  tc_end_block "Make and push bundle image"
+}
 
-# TODO(rail): switch to bazel generated images when it supports "FROM: scratch"
-cd deploy/certified-metadata-bundle/cockroach-operator
-docker build -t $image -f bundle.Dockerfile .
-docker push $image
+run_preflight() {
+  bazel build //hack/bin:preflight
+  PFLT_PYXIS_API_TOKEN="${REDHAT_API_TOKEN}" bazel-bin/hack/bin/preflight \
+    check operator "${IMAGE}" --docker-config ~/.docker/config.json
+}
 
-tc_end_block "Make and push docker images"
+main "$@"

build/release/teamcity-publish-openshift.sh

@@ -17,41 +17,37 @@ set -euxo pipefail
 
 source "$(dirname "${0}")/teamcity-support.sh"
 
+RH_PROJECT_ID="5e6027425c5456060d5f6084"
+RH_REGISTRY="scan.connect.redhat.com"
+RH_OPERATOR_IMG="${RH_REGISTRY}/ospid-cf721588-ad8a-4618-938c-5191c5e10ae4/cockroachdb-operator:${TAG}"
 
-tc_start_block "Variable Setup"
-VERSION="v"$(cat version.txt)
-# Matching the version name regex from within the cockroach code except
-# for the `metadata` part at the end because Docker tags don't support
-# `+` in the tag name.
-# https://github.com/cockroachdb/cockroach/blob/4c6864b44b9044874488cfedee3a31e6b23a6790/pkg/util/version/version.go#L75
-image_tag="$(echo "${VERSION}" | grep -E -o '^v(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)(-[-.0-9A-Za-z]+)?$')"
-#                                         ^major           ^minor           ^patch         ^preRelease
-
-if [[ -z "$image_tag" ]] ; then
-    echo "Invalid VERSION \"${VERSION}\". Must be of the format \"vMAJOR.MINOR.PATCH(-PRERELEASE)?\"."
-    exit 1
-fi
-
-rhel_registry="scan.connect.redhat.com"
-
-dh_operator_image="docker.io/cockroachdb/cockroach-operator:$image_tag"
-rh_operator_image_repository="$rhel_registry/ospid-cf721588-ad8a-4618-938c-5191c5e10ae4/cockroachdb-operator"
-
+OPERATOR_IMG="docker.io/cockroachdb/cockroach-operator:${TAG}"
 if ! [[ -z "${DRY_RUN}" ]] ; then
-  # The operator image doesn't use the "-dryrun" suffix, it's published in a
-  # separate repository.
-  dh_operator_image="docker.io/cockroachdb/cockroach-operator-misc:$image_tag"
-  image_tag="${image_tag}-dryrun"
+  OPERATOR_IMG="docker.io/cockroachdb/cockroach-operator-misc:${TAG}-dryrun"
 fi
-tc_end_block "Variable Setup"
-
-
-tc_start_block "Make and push docker images"
-configure_docker_creds
-docker_login "$rhel_registry" "$OPERATOR_REDHAT_REGISTRY_USER" "$OPERATOR_REDHAT_REGISTRY_KEY"
-
-docker pull "$dh_operator_image"
-docker tag "$dh_operator_image" "$rh_operator_image_repository:$image_tag"
-docker push "$rh_operator_image_repository:$image_tag"
 
-tc_end_block "Make and push docker images"
+main() {
+  docker_login "${RH_REGISTRY}" "${OPERATOR_REDHAT_REGISTRY_USER}" "${OPERATOR_REDHAT_REGISTRY_KEY}"
+
+  publish_to_redhat
+  run_preflight
+}
+
+publish_to_redhat() {
+  tc_start_block "Tag and release docker image"
+  docker pull "${OPERATOR_IMG}"
+  docker tag "${OPERATOR_IMG}" "${RH_OPERATOR_IMG}"
+  docker push "${RH_OPERATOR_IMG}"
+  tc_end_block "Tag and release docker image"
+}
+
+run_preflight() {
+  bazel build //hack/bin:preflight
+  PFLT_PYXIS_API_TOKEN="${REDHAT_API_TOKEN}" bazel-bin/hack/bin/preflight \
+    check container "${RH_OPERATOR_IMG}" \
+    --certification-project-id="${RH_PROJECT_ID}" \
+    --docker-config=/home/agent/.docker/config.json \
+    --submit
+}
+
+main "$@"

build/release/teamcity-publish-release.sh

@@ -17,45 +17,45 @@ set -euxo pipefail
 
 source "$(dirname "${0}")/teamcity-support.sh"
 
-tc_start_block "Variable Setup"
-VERSION="v"$(cat version.txt)
-# Matching the version name regex from within the cockroach code except
-# for the `metadata` part at the end because Docker tags don't support
-# `+` in the tag name.
-# https://github.com/cockroachdb/cockroach/blob/4c6864b44b9044874488cfedee3a31e6b23a6790/pkg/util/version/version.go#L75
-image_tag="$(echo "${VERSION}" | grep -E -o '^v(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)(-[-.0-9A-Za-z]+)?$')"
-#                                         ^major           ^minor           ^patch         ^preRelease
-
-if [[ -z "$image_tag" ]] ; then
-  echo "Invalid VERSION \"${VERSION}\". Must be of the format \"vMAJOR.MINOR.PATCH(-PRERELEASE)?\"."
-  exit 1
-fi
-
-docker_registry="docker.io"
-operator_image_repository="cockroachdb/cockroach-operator"
-
-if ! [[ -z "${DRY_RUN}" ]] ; then
-  operator_image_repository="cockroachdb/cockroach-operator-misc"
-fi
-
-tc_end_block "Variable Setup"
-
-tc_start_block "Make and push docker images"
-configure_docker_creds
-docker_login "$docker_registry" "$OPERATOR_DOCKER_ID" "$OPERATOR_DOCKER_ACCESS_TOKEN"
-
-if docker_image_exists "$docker_registry/$operator_image_repository:$image_tag"; then
-  echo "Docker image $docker_registry/$operator_image_repository:$image_tag already exists"
-  if [[ -z "${FORCE}" ]] ; then
-    echo "Use FORCE=1 to force push the docker image."
-    echo "Alternatively you can delete the tag in Docker Hub."
-    exit 1
+REGISTRY="docker.io"
+REPO="cockroachdb/cockroach-operator"
+if ! [[ -z "${DRY_RUN}" ]] ; then REPO="${REPO}-misc"; fi
+
+OPERATOR_IMG="${REGISTRY}/${REPO}:${TAG}"
+
+main() {
+  docker_login "${REGISTRY}" "${OPERATOR_DOCKER_ID}" "${OPERATOR_DOCKER_ACCESS_TOKEN}"
+
+  validate_image
+  publish_to_registry
+}
+
+validate_image() {
+  tc_start_block "Ensure image should be pushed"
+
+  if docker_image_exists "${OPERATOR_IMG}"; then
+    echo "Docker image ${OPERATOR_IMG} already exists!"
+
+    if [[ -z "${FORCE}" ]] ; then
+      echo "Use FORCE=1 to force push the docker image."
+      echo "Alternatively you can delete the tag in Docker Hub."
+      exit 1
+    fi
+    echo "Forcing docker push..."
   fi
-  echo "Forcing docker push..."
-fi
-
-make \
-  DOCKER_REGISTRY="$docker_registry" \
-  DOCKER_IMAGE_REPOSITORY="$operator_image_repository" \
-  release/image
-tc_end_block "Make and push docker images"
+
+  tc_end_block "Ensure image should be pushed"
+}
+
+publish_to_registry() {
+  tc_start_block "Make and push docker image"
+
+  make \
+    DOCKER_REGISTRY="${REGISTRY}" \
+    DOCKER_IMAGE_REPOSITORY="${REPO}" \
+    release/image
+
+  tc_end_block "Make and push docker image"
+}
+
+main "$@"

build/release/teamcity-support.sh

@@ -12,6 +12,9 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+# Set below with call to ensure_valid_tag
+export TAG=""
+
 # Common helpers for teamcity-*.sh scripts.
 
 remove_files_on_exit() {
@@ -29,10 +32,12 @@ tc_end_block() {
 }
 
 docker_login() {
-  local registry=$1
-  local registry_user=$2
-  local registry_token=$3
-  echo "${registry_token}" | docker login --username "${registry_user}" --password-stdin $registry
+  configure_docker_creds
+
+  local registry="${1}"
+  local registry_user="${2}"
+  local registry_token="${3}"
+  echo "${registry_token}" | docker login --username "${registry_user}" --password-stdin "${registry}"
 }
 
 configure_docker_creds() {
@@ -55,3 +60,24 @@ docker_image_exists() {
   docker pull "$1"
   return $?
 }
+
+ensure_valid_tag() {
+  tc_start_block "Extracting image tag"
+  local version="v$(cat version.txt)"
+
+  # Matching the version name regex from within the cockroach code except
+  # for the `metadata` part at the end because Docker tags don't support
+  # `+` in the tag name.
+  # https://github.com/cockroachdb/cockroach/blob/4c6864b44b9044874488cfedee3a31e6b23a6790/pkg/util/version/version.go#L75
+  TAG="$(echo -n "${version}" | grep -E -o '^v(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)(-[-.0-9A-Za-z]+)?$')"
+  #                                         ^major           ^minor           ^patch         ^preRelease
+
+  if [[ -z "${TAG}" ]] ; then
+    echo "Invalid VERSION \"${version}\". Must be of the format \"vMAJOR.MINOR.PATCH(-PRERELEASE)?\"."
+    exit 1
+  fi
+
+  tc_end_block "Extracting image tag"
+}
+
+ensure_valid_tag

config/default/BUILD.bazel

@@ -34,6 +34,7 @@ k8s_deploy(
         # when running locally, use the image from the local codebase
         "cockroachdb/cockroach-operator:$(APP_VERSION)": "//cmd/cockroach-operator:operator_image",
     },
+    resolver_args = ["--allow_unused_images"],
     template = ":manifest",
 )
 

config/manifests/bases/cockroach-operator.clusterserviceversion.yaml

@@ -178,6 +178,7 @@ spec:
   - email: [email protected]
     name: Cockroach Labs Support
   maturity: stable
+  minKubeVersion: 1.18.0
   provider:
     name: Cockroach Labs
   version: 0.0.0

config/manifests/kustomization.yaml

@@ -17,6 +17,8 @@ namespace: placeholder
 resources:
   - ../default
   - ../samples
+  - ../scorecard
+
 
 patchesStrategicMerge:
   - patches/deployment_patch.yaml

config/templates/csv.yaml.in

@@ -178,6 +178,7 @@ spec:
   - email: [email protected]
     name: Cockroach Labs Support
   maturity: stable
+  minKubeVersion: 1.18.0
   provider:
     name: Cockroach Labs
   version: 0.0.0

hack/BUILD.bazel

@@ -129,6 +129,17 @@ sh_binary(
     ],
 )
 
+sh_binary(
+    name = "redhat-preflight",
+    srcs = ["redhat.sh"],
+    data = [
+        JQ,
+        OPM,
+        "//hack/bin:preflight",
+        "@//:all-srcs",
+    ],
+)
+
 filegroup(
     name = "package-srcs",
     srcs = glob(["**"]),