[release-v0.56.x] Backport release "scripts" changes from main… #8334

Merged
merged 1 commit into from
Oct 16, 2024
Merged
1 change: 0 additions & 1 deletion tekton/README.md
Expand Up @@ -110,7 +110,6 @@ Apply the tasks from the `pipeline` repo:
# Apply the Tasks and Pipelines we use from this repo
kubectl apply -f tekton/publish.yaml
kubectl apply -f tekton/release-pipeline.yaml
kubectl apply -f tekton/release-pipeline-nightly.yaml

# Apply the resources - note that when manually releasing you'll re-apply these
kubectl apply -f tekton/resources.yaml
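--- a/tekton/bugfix-release.sh
+++ b/tekton/bugfix-release.sh
@@ -0,0 +1,67 @@
+#!/usr/bin/env bash
+set -eu -o pipefail
+
+RELEASE_BRANCH=${1:-$(git rev-parse --abbrev-ref HEAD)}
+shift
+
+echo "> Make sure our remotes are up-to-date"
+git fetch -p --all
+
+TEKTON_RELEASE_GIT_SHA=$(git rev-parse "${RELEASE_BRANCH}")
+TEKTON_OLD_VERSION=$(git describe --tags --abbrev=0 "${TEKTON_RELEASE_GIT_SHA}")
+TEKTON_OLD_VERSION_COMMIT_SHA=$(git rev-list -n 1 "${TEKTON_OLD_VERSION}")
+TEKTON_RELEASE_NAME=$(gh release view "${TEKTON_OLD_VERSION}" --json name | jq .name | sed -e 's/.*\\"\(.*\)\\"\"/\1/')
+
+if [[ "${TEKTON_RELEASE_GIT_SHA}" == "${TEKTON_OLD_VERSION_COMMIT_SHA}" ]]; then
+echo "> No new commit in ${RELEASE_BRANCH} (${TEKTON_RELEASE_GIT_SHA}==${TEKTON_OLD_VERSION_COMMIT_SHA})"
+exit 0
+fi
+
+TEKTON_VERSION=$(echo ${TEKTON_OLD_VERSION} | awk -F. -v OFS=. '{$NF += 1 ; print}')
+
+echo "> Old version : ${TEKTON_OLD_VERSION}"
+echo "> Old version commit : ${TEKTON_OLD_VERSION_COMMIT_SHA}"
+echo "> New version : ${TEKTON_VERSION}"
+echo "> New version commit: ${TEKTON_RELEASE_GIT_SHA}"
+echo "> Tekton Release Name: ${TEKTON_RELEASE_NAME}"
+
+# Might be overkill
+git --no-pager diff "${TEKTON_OLD_VERSION_COMMIT_SHA}" "${TEKTON_RELEASE_GIT_SHA}"
+
+cat <<EOF > workspace-template.yaml
+spec:
+accessModes:
+- ReadWriteOnce
+resources:
+requests:
+storage: 1Gi
+EOF
+
+echo "> Starting the release pipeline"
+tkn pipeline start pipeline-release \
+--serviceaccount=release-right-meow \
+--param=gitRevision="${TEKTON_RELEASE_GIT_SHA}" \
+--param=serviceAccountPath=release.json \
+--param=versionTag="${TEKTON_VERSION}" \
+--param=releaseBucket=gs://tekton-releases/pipeline \
+--param=releaseAsLatest="false" \
+--workspace name=release-secret,secret=release-secret \
+--workspace name=workarea,volumeClaimTemplateFile=workspace-template.yaml --use-param-defaults --pipeline-timeout 3h --showlog
+
+RELEASE_FILE=https://storage.googleapis.com/tekton-releases/pipeline/previous/${TEKTON_VERSION}/release.yaml
+CONTROLLER_IMAGE_SHA=$(curl $RELEASE_FILE | egrep 'gcr.io.*controller' | cut -d'@' -f2)
+REKOR_UUID=$(rekor-cli search --sha $CONTROLLER_IMAGE_SHA | grep -v Found | head -1)
+echo -e "CONTROLLER_IMAGE_SHA: ${CONTROLLER_IMAGE_SHA}\nREKOR_UUID: ${REKOR_UUID}"
+
+echo "> Starting the release-draft pipeline"
+tkn pipeline start release-draft \
+--workspace name=shared,volumeClaimTemplateFile=workspace-template.yaml \
+--workspace name=credentials,secret=release-secret \
+-p package="tektoncd/pipeline" \
+-p git-revision="${TEKTON_RELEASE_GIT_SHA}" \
+-p release-tag="${TEKTON_VERSION}" \
+-p previous-release-tag="${TEKTON_OLD_VERSION}" \
+-p release-name="${TEKTON_RELEASE_NAME}" \
+-p bucket="gs://tekton-releases/pipeline" \
+-p rekor-uuid="$REKOR_UUID" \
+--showlog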
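Review bot: The `shift` right after `RELEASE_BRANCH=${1:-$(git rev-parse --abbrev-ref HEAD)}` makes that default unreachable: under `set -e`, `shift` with no positional parameters returns non-zero and the script exits before fetching anything, so the branch argument is effectively mandatory. Nothing later reads `$@`, so the line can simply be dropped, or guarded with `[ $# -gt 0 ] && shift`. The release file fetch should fail on HTTP errors rather than feed an error page into the digest extraction: `CONTROLLER_IMAGE_SHA=$(curl -fsSL "${RELEASE_FILE}" | egrep 'gcr.io.*controller' | cut -d'@' -f2)`. The `workspace-template.yaml` heredoc appears here with every key at column 0; if that is the committed content rather than a rendering artifact, `accessModes`/`resources`/`requests`/`storage` are not nested under `spec:` and the PVC template is malformed.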
85 changes: 64 additions & 21 deletions tekton/publish.yaml
Expand Up @@ -12,6 +12,9 @@ spec:
- name: images
description: List of cmd/* paths to be published as images
default: "controller webhook entrypoint nop workingdirinit resolvers sidecarlogresults events"
- name: koExtraArgs
description: Extra args to be passed to ko
default: "--preserve-import-paths"
- name: versionTag
description: The vX.Y.Z version that the artifacts should be tagged with (including `v`)
- name: imageRegistry
Expand All @@ -22,6 +25,9 @@ spec:
- name: imageRegistryRegions
description: The target image registry regions
default: "us eu asia"
- name: imageRegistryUser
description: Username to be used to login to the container registry
default: "_json_key"
- name: releaseAsLatest
description: Whether to tag and publish this release as Pipelines' latest
default: "true"
Expand All @@ -46,41 +52,47 @@ spec:
env:
- name: "PROJECT_ROOT"
value: "$(workspaces.source.path)"
- name: CONTAINER_REGISTY_CREDENTIALS
- name: CONTAINER_REGISTRY_CREDENTIALS
value: "$(workspaces.release-secret.path)/$(params.serviceAccountPath)"
- name: CONTAINER_REGISTRY
value: "$(params.imageRegistry)/$(params.imageRegistryPath)"
- name: IMAGE_REGISTRY_PATH
value: "$(params.imageRegistryPath)"
- name: CONTAINER_REGISTRY_USER
value: "$(params.imageRegistryUser)"
- name: REGIONS
value: "$(params.imageRegistryRegions)"
- name: OUTPUT_RELEASE_DIR
value: "$(workspaces.output.path)/$(params.versionTag)"
- name: KO_EXTRA_ARGS
value: "$(params.koExtraArgs)"
results:
# IMAGES result is picked up by Tekton Chains to sign the release.
# See https://github.com/tektoncd/plumbing/blob/main/docs/signing.md for more info.
- name: IMAGES
steps:

- name: container-registy-auth
image: gcr.io/go-containerregistry/crane:debug
- name: container-registry-auth
image: cgr.dev/chainguard/crane:latest-dev@sha256:b33c82b22a6cfb21e3db968fba5f426461f7540d7fa37048e2a6ffb9aaca7f19
script: |
#!/busybox/sh
#!/bin/sh
set -ex

# Login to the container registry
DOCKER_CONFIG=$(cat ${CONTAINER_REGISTY_CREDENTIALS} | \
crane auth login -u _json_key --password-stdin $(params.imageRegistry) 2>&1 | \
DOCKER_CONFIG=$(cat ${CONTAINER_REGISTRY_CREDENTIALS} | \
crane auth login -u ${CONTAINER_REGISTRY_USER} --password-stdin $(params.imageRegistry) 2>&1 | \
sed 's,^.*logged in via \(.*\)$,\1,g')

# Auth with account credentials for all regions.
for region in ${REGIONS}
do
HOSTNAME=${region}.$(params.imageRegistry)
cat ${CONTAINER_REGISTY_CREDENTIALS} | crane auth login -u _json_key --password-stdin ${HOSTNAME}
cat ${CONTAINER_REGISTRY_CREDENTIALS} | crane auth login -u ${CONTAINER_REGISTRY_USER} --password-stdin ${HOSTNAME}
done
cp ${DOCKER_CONFIG} /workspace/docker-config.json

- name: create-ko-yaml
image: golang:1.18.7
image: cgr.dev/chainguard/go:latest-dev@sha256:35dc4adbb3b6fadafd60d0a004d06d706f2f6ed1511f5c24f22f92f8fe94f783
script: |
#!/bin/sh
set -ex
Expand All @@ -93,13 +105,21 @@ spec:
# Change to directory with vendor/
cd ${PROJECT_ROOT}

COMBINED_BASE_IMAGE_BASE=${CONTAINER_REGISTRY}
# If the IMAGE_REGISTRY_PATH does not already includes the package, add it
# Package looks like github.com/<org>/<repo>
# Path may look like "tekton-releases" or "tektoncd/pipeline"
if [[ ! "$(params.package)" == "github.com/${IMAGE_REGISTRY_PATH}" ]]; then
COMBINED_BASE_IMAGE_BASE=${COMBINED_BASE_IMAGE_BASE}/${IMAGE_REGISTRY_PATH}
fi

# Combine Distroless with a Windows base image, used for the entrypoint image.
# Distroless is pinned to the last version based on Alpine 3.18. Newer versions are based on Alpine 3.19_alpha20230901.
COMBINED_BASE_IMAGE=$(go run ./vendor/github.com/tektoncd/plumbing/cmd/combine/main.go \
cgr.dev/chainguard/static@sha256:67a1b00e0134e2b3a614c7198a26f7deed9d11b7acad4d52c79c0cfd47a2eae7 \
mcr.microsoft.com/windows/nanoserver:ltsc2019 \
mcr.microsoft.com/windows/nanoserver:ltsc2022 \
${CONTAINER_REGISTRY}/$(params.package)/combined-base-image:latest)
${COMBINED_BASE_IMAGE_BASE}/combined-base-image:latest)

# NOTE: Make sure this list of images to use the combined base image is in sync with what's in test/presubmit-tests.sh's 'ko_resolve' function.
cat <<EOF > /workspace/.ko.yaml
Expand All @@ -115,7 +135,7 @@ spec:
cat /workspace/.ko.yaml

- name: run-ko
image: gcr.io/tekton-releases/dogfooding/ko@sha256:9471f9698c2bc1816c03ed8eefbfc2613d90a843cb936da4236c2c2b3a18b6de
image: gcr.io/tekton-releases/dogfooding/ko@sha256:bdcd596b40583f6f8316745e27d7ff327a0756fb6aee1251dfc0bdbd01b26c88
env:
- name: KO_DOCKER_REPO
value: $(params.imageRegistry)/$(params.imageRegistryPath)
Expand Down Expand Up @@ -159,46 +179,69 @@ spec:
# The real "tagging" will happen with the "create-release" pipeline.
git tag $(params.versionTag)

ko resolve --platform=$(params.platforms) --preserve-import-paths -t $(params.versionTag) -R -f ${PROJECT_ROOT}/config/ > $OUTPUT_RELEASE_DIR/release.yaml
ko resolve \
--image-label=org.opencontainers.image.source=https://$(params.package) \
--platform=$(params.platforms) \
-t $(params.versionTag) \
-R ${KO_EXTRA_ARGS} \
-f ${PROJECT_ROOT}/config/ > $OUTPUT_RELEASE_DIR/release.yaml
# Publish images and create release.notags.yaml
# This is useful if your container runtime doesn't support the `image-reference:tag@digest` notation
# This is currently the case for `cri-o` (and most likely others)
ko resolve --platform=$(params.platforms) --preserve-import-paths -R -f ${PROJECT_ROOT}/config/ > $OUTPUT_RELEASE_DIR/release.notags.yaml
ko resolve \
--image-label=org.opencontainers.image.source=https://$(params.package) \
--platform=$(params.platforms) \
-R ${KO_EXTRA_ARGS} \
-f ${PROJECT_ROOT}/config/ > $OUTPUT_RELEASE_DIR/release.notags.yaml

# Rewrite "devel" to params.versionTag
sed -i -e 's/\(pipeline.tekton.dev\/release\): "devel"/\1: "$(params.versionTag)"/g' -e 's/\(app.kubernetes.io\/version\): "devel"/\1: "$(params.versionTag)"/g' -e 's/\(version\): "devel"/\1: "$(params.versionTag)"/g' ${OUTPUT_RELEASE_DIR}/release.yaml
sed -i -e 's/\(pipeline.tekton.dev\/release\): "devel"/\1: "$(params.versionTag)"/g' -e 's/\(app.kubernetes.io\/version\): "devel"/\1: "$(params.versionTag)"/g' -e 's/\(version\): "devel"/\1: "$(params.versionTag)"/g' ${OUTPUT_RELEASE_DIR}/release.notags.yaml
- name: koparse
image: gcr.io/tekton-releases/dogfooding/koparse@sha256:5945f709f5533347e2fac2f7e757a2acde2ce25418a7193489bf49027aa0497f
image: gcr.io/tekton-releases/dogfooding/koparse@sha256:6b70f2d6fc1cc7849c5e65dcf404ee153653055799ceea511935bba7a27d3c44
script: |
set -ex

IMAGES_PATH=${CONTAINER_REGISTRY}/$(params.package)
# Find "--preserve-import-paths" in a list of args
function find_preserve_import_path() {
for arg in $@; do
if [[ "$arg" == "--preserve-import-paths" ]]; then
return 0
fi
done
return 1
}

# If "--preserve-import-paths" is used, include "package" in the expected path
find_preserve_import_path \
$(echo $KO_EXTRA_ARGS) && \
PRESERVE_IMPORT_PATH="--preserve-path" || \
PRESERVE_IMPORT_PATH="--no-preserve-path"

for cmd in $(params.images)
do
IMAGES="${IMAGES} ${IMAGES_PATH}/cmd/${cmd}:$(params.versionTag)"
IMAGES="${IMAGES} $(params.package)/cmd/${cmd}:$(params.versionTag)"
done

# Parse the built images from the release.yaml generated by ko
koparse \
--path $OUTPUT_RELEASE_DIR/release.yaml \
--base ${IMAGES_PATH} --images ${IMAGES} > /workspace/built_images

--base $(params.package) \
--container-registry ${CONTAINER_REGISTRY} \
--images ${IMAGES} \
${PRESERVE_IMPORT_PATH} > /workspace/built_images

- name: tag-images
image: gcr.io/go-containerregistry/crane:debug
image: cgr.dev/chainguard/crane:latest-dev@sha256:b33c82b22a6cfb21e3db968fba5f426461f7540d7fa37048e2a6ffb9aaca7f19
script: |
#!/busybox/sh
#!/bin/sh
set -ex

# Setup docker-auth
DOCKER_CONFIG=~/.docker
mkdir -p ${DOCKER_CONFIG}
cp /workspace/docker-config.json ${DOCKER_CONFIG}/config.json

REGIONS="us eu asia"

# Tag the images and put them in all the regions
for IMAGE in $(cat /workspace/built_images)
do
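Review bot: In the `create-ko-yaml` step, `COMBINED_BASE_IMAGE_BASE=${COMBINED_BASE_IMAGE_BASE}/${IMAGE_REGISTRY_PATH}` appends a segment that `CONTAINER_REGISTRY` already ends with (its env value is `$(params.imageRegistry)/$(params.imageRegistryPath)`), so with `imageRegistryPath=tekton-releases` the combined base image is pushed to `…/tekton-releases/tekton-releases/combined-base-image:latest` rather than under the package as the comment above it and the replaced line intend; `COMBINED_BASE_IMAGE_BASE=${COMBINED_BASE_IMAGE_BASE}/$(params.package)` looks like what was meant. The run still succeeds because the same variable feeds the push and, presumably, the `.ko.yaml` that follows, so the relocation is silent. The step runs under `#!/bin/sh`, and the new `if [[ ! "$(params.package)" == … ]]` (like the `[[` in the new `koparse` helper, a step with no shebang at all) only works where the image's `sh` is bash-compatible; `if [ "$(params.package)" != "github.com/${IMAGE_REGISTRY_PATH}" ]; then` is the portable form. The comment could also read `# If IMAGE_REGISTRY_PATH does not already include the package, add it`.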
17 changes: 12 additions & 5 deletions tekton/release-cheat-sheet.md
Expand Up @@ -60,15 +60,22 @@ the pipelines repo, a terminal window and a text editor.
```bash
tkn --context dogfooding pipeline start pipeline-release \
--serviceaccount=release-right-meow \
--param=gitRevision="${TEKTON_RELEASE_GIT_SHA}" \
--param=serviceAccountPath=release.json \
--param=versionTag="${TEKTON_VERSION}" \
--param=releaseBucket=gs://tekton-releases/pipeline \
--param package=github.com/tektoncd/pipeline \
--param gitRevision="${TEKTON_RELEASE_GIT_SHA}" \
--param imageRegistry=ghcr.io \
--param imageRegistryPath=tektoncd/pipeline \
--param imageRegistryRegions="" \
--param imageRegistryUser=tekton-robot \
--param serviceAccountPath=release.json \
--param serviceAccountImagesPath=credentials \
--param versionTag="${TEKTON_VERSION}" \
--param releaseBucket=gs://tekton-releases/pipeline \
--param koExtraArgs="" \
--workspace name=release-secret,secret=release-secret \
--workspace name=release-images-secret,secret=ghcr-creds \
--workspace name=workarea,volumeClaimTemplateFile=workspace-template.yaml \
--tasks-timeout 2h \
--pipeline-timeout 3h
```

Accept the default values of the parameters (except for "releaseAsLatest" if backporting).

34 changes: 30 additions & 4 deletions tekton/release-pipeline.yaml
Expand Up @@ -16,6 +16,12 @@ spec:
- name: imageRegistryPath
description: The path (project) in the image registry
default: tekton-releases
- name: imageRegistryRegions
description: The target image registry regions
default: "us eu asia"
- name: imageRegistryUser
description: The user for the image registry credentials
default: _json_key
- name: versionTag
description: The X.Y.Z version that the artifacts should be tagged with
- name: releaseBucket
Expand All @@ -33,13 +39,23 @@ spec:
can differ from buildPlatforms due to the fact that a windows-compatible base image
is constructed for the publishing phase.
default: linux/amd64,linux/arm,linux/arm64,linux/s390x,linux/ppc64le,windows/amd64
- name: koExtraArgs
description: Extra args to be passed to ko
default: "--preserve-import-paths"
- name: serviceAccountPath
description: The path to the service account file within the release-secret workspace
- name: serviceAccountImagesPath
description: The path to the service account file or credentials within the release-images-secret workspace
- name: runTests
description: If set to something other than "true", skip the build and test tasks
default: "true"
workspaces:
- name: workarea
description: The workspace where the repo will be cloned.
- name: release-secret
description: The secret that contains a service account authorized to push to the imageRegistry and to the output bucket
description: The secret that contains a service account authorized to push to the output bucket
- name: release-images-secret
description: The secret that contains a service account authorized to push to the imageRegistry
results:
- name: commit-sha
description: the sha of the commit that was released
Expand Down Expand Up @@ -94,6 +110,8 @@ spec:
subpath: git
- name: unit-tests
runAfter: [precheck]
when:
- cel: "'$(params.runTests)' == 'true'"
taskRef:
resolver: bundles
params:
Expand All @@ -114,6 +132,8 @@ spec:
subpath: git
- name: build
runAfter: [precheck]
when:
- cel: "'$(params.runTests)' == 'true'"
taskRef:
resolver: bundles
params:
Expand Down Expand Up @@ -154,12 +174,18 @@ spec:
value: $(params.imageRegistry)
- name: imageRegistryPath
value: $(params.imageRegistryPath)
- name: imageRegistryUser
value: $(params.imageRegistryUser)
- name: imageRegistryRegions
value: $(params.imageRegistryRegions)
- name: releaseAsLatest
value: $(params.releaseAsLatest)
- name: serviceAccountPath
value: $(params.serviceAccountPath)
value: $(params.serviceAccountImagesPath)
- name: platforms
value: $(params.publishPlatforms)
- name: koExtraArgs
value: $(params.koExtraArgs)
workspaces:
- name: source
workspace: workarea
Expand All @@ -168,7 +194,7 @@ spec:
workspace: workarea
subpath: bucket
- name: release-secret
workspace: release-secret
workspace: release-images-secret
timeout: 2h
- name: publish-to-bucket
runAfter: [publish-images]
Expand Down Expand Up @@ -242,7 +268,7 @@ spec:
description: The full URL of the release file (no tag) in the bucket
steps:
- name: create-results
image: alpine
image: docker.io/library/alpine:3.20.3@sha256:beefdbd8a1da6d2915566fde36db9db0b524eb737fc57cd1367effd16dc0d06d
env:
- name: RELEASE_BUCKET
value: $(params.releaseBucket)
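Review bot: The `when: - cel: "'$(params.runTests)' == 'true'"` guards added to the `unit-tests` and `build` tasks use CEL when-expressions, which Tekton gates behind the `enable-cel-in-whenexpression` feature flag as far as I know; on a cluster without it the PipelineRun fails validation, and neither the pipeline nor the cheat sheet records that requirement. Suggest a comment on the `runTests` param, `# Skipping tests relies on CEL when-expressions (enable-cel-in-whenexpression must be "true" on the cluster)`, or the flag-free form `when: - input: "$(params.runTests)" operator: in values: ["true"]`. Since `runTests` lets a release skip build and unit tests entirely, its description could also say who is expected to set it and when. Minor: `default: _json_key` for `imageRegistryUser` is unquoted here but `"_json_key"` in publish.yaml; quoting it keeps the two consistent.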