forked from tektoncd/pipeline
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathpublish.yaml
234 lines (204 loc) · 9.41 KB
/
publish.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: publish-release
annotations:
chains.tekton.dev/transparency-upload: "true"
spec:
params:
- name: package
description: package to release (e.g. github.com/<org>/<project>)
default: github.com/tektoncd/pipeline
- name: images
description: List of cmd/* paths to be published as images
default: "controller webhook entrypoint nop git-init imagedigestexporter pullrequest-init workingdirinit resolvers sidecarlogresults"
- name: versionTag
description: The vX.Y.Z version that the artifacts should be tagged with (including `v`)
- name: imageRegistry
description: The target image registry
default: gcr.io
- name: imageRegistryPath
description: The path (project) in the image registry
- name: imageRegistryRegions
description: The target image registry regions
default: "us eu asia"
- name: releaseAsLatest
description: Whether to tag and publish this release as Pipelines' latest
default: "true"
- name: platforms
description: Platforms to publish for the images (e.g. linux/amd64,linux/arm64)
default: linux/amd64,linux/arm,linux/arm64,linux/s390x,linux/ppc64le,windows/amd64
- name: serviceAccountPath
description: The name of the service account path within the release-secret workspace
workspaces:
- name: source
description: >-
The workspace where the repo has been cloned. This should ideally
be /go/src/$(params.package) however that is not possible today,
see https://github.com/tektoncd/pipeline/issues/3786. To use this
task on a fork of pipeline change the mountPath below
mountPath: /go/src/github.com/tektoncd/pipeline
- name: release-secret
description: The secret that contains a service account authorized to push to the imageRegistry and to the output bucket
- name: output
description: The release YAML will be written to this workspace
stepTemplate:
env:
- name: "PROJECT_ROOT"
value: "$(workspaces.source.path)"
- name: CONTAINER_REGISTY_CREDENTIALS
value: "$(workspaces.release-secret.path)/$(params.serviceAccountPath)"
- name: CONTAINER_REGISTRY
value: "$(params.imageRegistry)/$(params.imageRegistryPath)"
- name: REGIONS
value: "$(params.imageRegistryRegions)"
- name: OUTPUT_RELEASE_DIR
value: "$(workspaces.output.path)/$(params.versionTag)"
results:
# IMAGES result is picked up by Tekton Chains to sign the release.
# See https://github.com/tektoncd/plumbing/blob/main/docs/signing.md for more info.
- name: IMAGES
steps:
- name: container-registy-auth
image: gcr.io/go-containerregistry/crane:debug
script: |
#!/busybox/sh
set -ex
# Login to the container registry
DOCKER_CONFIG=$(cat ${CONTAINER_REGISTY_CREDENTIALS} | \
crane auth login -u _json_key --password-stdin $(params.imageRegistry) 2>&1 | \
sed 's,^.*logged in via \(.*\)$,\1,g')
# Auth with account credentials for all regions.
for region in ${REGIONS}
do
HOSTNAME=${region}.$(params.imageRegistry)
cat ${CONTAINER_REGISTY_CREDENTIALS} | crane auth login -u _json_key --password-stdin ${HOSTNAME}
done
cp ${DOCKER_CONFIG} /workspace/docker-config.json
- name: create-ko-yaml
image: golang:1.18.7
script: |
#!/bin/sh
set -ex
# Setup docker-auth
DOCKER_CONFIG=~/.docker
mkdir -p ${DOCKER_CONFIG}
cp /workspace/docker-config.json ${DOCKER_CONFIG}/config.json
# Change to directory with vendor/
cd ${PROJECT_ROOT}
# Combine Distroless with a Windows base image, used for the entrypoint image.
COMBINED_BASE_IMAGE=$(go run ./vendor/github.com/tektoncd/plumbing/cmd/combine/main.go \
cgr.dev/chainguard/static \
mcr.microsoft.com/windows/nanoserver:ltsc2019 \
mcr.microsoft.com/windows/nanoserver:ltsc2022 \
${CONTAINER_REGISTRY}/$(params.package)/combined-base-image:latest)
# NOTE: Make sure this list of images to use the combined base image is in sync with what's in test/presubmit-tests.sh's 'ko_resolve' function.
cat <<EOF > /workspace/.ko.yaml
# This matches the value configured in .ko.yaml
defaultBaseImage: cgr.dev/chainguard/static
baseImageOverrides:
# Use the combined base image for images that should include Windows support.
$(params.package)/cmd/entrypoint: ${COMBINED_BASE_IMAGE}
$(params.package)/cmd/nop: ${COMBINED_BASE_IMAGE}
$(params.package)/cmd/workingdirinit: ${COMBINED_BASE_IMAGE}
# This matches values configured in .ko.yaml
$(params.package)/cmd/git-init: cgr.dev/chainguard/git
EOF
cat /workspace/.ko.yaml
- name: run-ko
image: gcr.io/tekton-releases/dogfooding/ko@sha256:0e9f6349df349cbeb859b3c7899c78c024202fa95f174b910fb181361fdf737a
env:
- name: KO_DOCKER_REPO
value: $(params.imageRegistry)/$(params.imageRegistryPath)
- name: GOFLAGS
value: "-mod=vendor"
script: |
#!/usr/bin/env sh
set -ex
# Use the generated `.ko.yaml`
export KO_CONFIG_PATH=/workspace
cat ${KO_CONFIG_PATH}/.ko.yaml
# Setup docker-auth
DOCKER_CONFIG=~/.docker
mkdir -p ${DOCKER_CONFIG}
cp /workspace/docker-config.json ${DOCKER_CONFIG}/config.json
# Change to directory with our .ko.yaml
cd ${PROJECT_ROOT}
# For each cmd/* directory, include a full gzipped tar of all source in
# vendor/. This is overkill. Some deps' licenses require the source to be
# included in the container image when they're used as a dependency.
# Rather than trying to determine which deps have this requirement (and
# probably get it wrong), we'll just targz up the whole vendor tree and
# include it. As of 9/20/2019, this amounts to about 11MB of additional
# data in each image.
TMPDIR=$(mktemp -d)
tar cfz ${TMPDIR}/source.tar.gz vendor/
for d in cmd/*; do
if [ -d ${d}/kodata/ ]; then
ln -s ${TMPDIR}/source.tar.gz ${d}/kodata/
fi
done
# Publish images and create release.yaml
mkdir -p $OUTPUT_RELEASE_DIR
# Make a local git tag to make git status happy :)
# The real "tagging" will happen with the "create-release" pipeline.
git tag $(params.versionTag)
ko resolve --platform=$(params.platforms) --preserve-import-paths -t $(params.versionTag) -R -f ${PROJECT_ROOT}/config/ > $OUTPUT_RELEASE_DIR/release.yaml
# Publish images and create release.notags.yaml
# This is useful if your container runtime doesn't support the `image-reference:tag@digest` notation
# This is currently the case for `cri-o` (and most likely others)
ko resolve --platform=$(params.platforms) --preserve-import-paths -R -f ${PROJECT_ROOT}/config/ > $OUTPUT_RELEASE_DIR/release.notags.yaml
# Rewrite "devel" to params.versionTag
sed -i -e 's/\(pipeline.tekton.dev\/release\): "devel"/\1: "$(params.versionTag)"/g' -e 's/\(app.kubernetes.io\/version\): "devel"/\1: "$(params.versionTag)"/g' -e 's/\(version\): "devel"/\1: "$(params.versionTag)"/g' ${OUTPUT_RELEASE_DIR}/release.yaml
sed -i -e 's/\(pipeline.tekton.dev\/release\): "devel"/\1: "$(params.versionTag)"/g' -e 's/\(app.kubernetes.io\/version\): "devel"/\1: "$(params.versionTag)"/g' -e 's/\(version\): "devel"/\1: "$(params.versionTag)"/g' ${OUTPUT_RELEASE_DIR}/release.notags.yaml
- name: koparse
image: gcr.io/tekton-releases/dogfooding/koparse:latest
script: |
set -ex
IMAGES_PATH=${CONTAINER_REGISTRY}/$(params.package)
for cmd in $(params.images)
do
IMAGES="${IMAGES} ${IMAGES_PATH}/cmd/${cmd}:$(params.versionTag)"
done
# Parse the built images from the release.yaml generated by ko
koparse \
--path $OUTPUT_RELEASE_DIR/release.yaml \
--base ${IMAGES_PATH} --images ${IMAGES} > /workspace/built_images
- name: tag-images
image: gcr.io/go-containerregistry/crane:debug
script: |
#!/busybox/sh
set -ex
# Setup docker-auth
DOCKER_CONFIG=~/.docker
mkdir -p ${DOCKER_CONFIG}
cp /workspace/docker-config.json ${DOCKER_CONFIG}/config.json
REGIONS="us eu asia"
# Tag the images and put them in all the regions
for IMAGE in $(cat /workspace/built_images)
do
IMAGE_WITHOUT_SHA=${IMAGE%%@*}
IMAGE_WITHOUT_SHA_AND_TAG=${IMAGE_WITHOUT_SHA%%:*}
IMAGE_WITH_SHA=${IMAGE_WITHOUT_SHA_AND_TAG}@${IMAGE##*@}
echo $IMAGE_WITH_SHA, >> $(results.IMAGES.path)
if [[ "$(params.releaseAsLatest)" == "true" ]]
then
crane cp ${IMAGE_WITH_SHA} ${IMAGE_WITHOUT_SHA_AND_TAG}:latest
fi
for REGION in ${REGIONS}
do
if [[ "$(params.releaseAsLatest)" == "true" ]]
then
for TAG in "latest" $(params.versionTag)
do
crane cp ${IMAGE_WITH_SHA} ${REGION}.${IMAGE_WITHOUT_SHA_AND_TAG}:$TAG
done
else
TAG="$(params.versionTag)"
crane cp ${IMAGE_WITH_SHA} ${REGION}.${IMAGE_WITHOUT_SHA_AND_TAG}:$TAG
fi
# Until we are able to store larger results, we cannot include the
# regional copies of the images in the result - see https://github.com/tektoncd/pipeline/issues/4282
# echo ${REGION}.$IMAGE_WITH_SHA, >> $(results.IMAGES.path)
done
done