From 079851c7d58eddcf71e9c105e14d828be32ff3d8 Mon Sep 17 00:00:00 2001 From: Cyril Tovena Date: Sun, 29 Mar 2020 10:18:49 -0400 Subject: [PATCH 1/7] Sign helm package with GPG. Also add GPG to the build image and fixes dlv not pinned (this was causing issue using latest 1.4). Signed-off-by: Cyril Tovena --- .circleci/config.yml | 33 ++++++++++++++++++--------------- Makefile | 5 +++-- loki-build-image/Dockerfile | 10 +++++----- 3 files changed, 26 insertions(+), 22 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index d10bbf02aa453..24a42108d6690 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -1,7 +1,7 @@ version: 2 .tags: &tags # tags need to be explicitely defined (whitelist) - tags: {only: "/.*/"} + tags: { only: "/.*/" } .only-tags: &only-tags <<: *tags @@ -11,7 +11,8 @@ version: 2 branches: { only: master } <<: *tags -.no-master: &no-master # contrary to tags, the branches must be excluded (blacklist) +.no-master: + &no-master # contrary to tags, the branches must be excluded (blacklist) branches: { ignore: master } workflows: 
@@ -20,34 +21,33 @@ workflows: jobs: # publish jobs depend on this as well, # thus tags need to be allowed for these - - test: {filters: {<<: *tags}} + - test: { filters: { <<: *tags } } - build/promtail-windows: - requires: [ test ] + requires: [test] - build/docker-driver: - requires: [ test ] - filters: {<<: *no-master} + requires: [test] + filters: { <<: *no-master } - publish/docker-driver: - requires: [ test ] + requires: [test] filters: { <<: *tag-or-master } - publish/binaries: - requires: [ test ] + requires: [test] filters: { <<: *only-tags } - test-helm: - requires: [ test ] - filters: {<<: *tags} + requires: [test] + filters: { <<: *tags } - publish-helm: - requires: [ test-helm ] - filters: {<<: *tag-or-master} - + requires: [test-helm] + # filters: { <<: *tag-or-master } # https://circleci.com/blog/circleci-hacks-reuse-yaml-in-your-circleci-config-with-yaml/ .defaults: &defaults docker: - - image: grafana/loki-build-image:0.9.1 + - image: grafana/loki-build-image:0.9.2 working_directory: /src/loki jobs: @@ -146,4 +146,7 @@ jobs: fingerprints: - "5a:d3:08:5e:f7:53:a0:c4:e9:5d:83:c6:02:6a:d9:bd" - checkout - - run: make helm-publish + - run: + name: import GPG key + command: echo -e "$GPG_KEY" | gpg --import && gpg --export-secret-key loki-team@googlegroups.com > ~/.gnupg/secring.gpg + - run: PACKAGE_ARGS='--sign --key "Grafana Loki" --keyring ~/.gnupg/secring.gpg' make helm-publish diff --git a/Makefile b/Makefile index a602a387ba451..97bab20285144 100644 --- a/Makefile +++ b/Makefile @@ -38,7 +38,7 @@ IMAGE_NAMES := $(foreach dir,$(DOCKER_IMAGE_DIRS),$(patsubst %,$(IMAGE_PREFIX)%, # make BUILD_IN_CONTAINER=false target # or you can override this with an environment variable BUILD_IN_CONTAINER ?= true -BUILD_IMAGE_VERSION := 0.9.1 +BUILD_IMAGE_VERSION := 0.9.2 # Docker image info IMAGE_PREFIX ?= grafana 
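Review bot: In the `publish-helm` entry the filter is left commented out (`# filters: { <<: *tag-or-master }`), so as of this commit the job that imports the chart-signing key and pushes to `gh-pages` is no longer limited to tags and master. Patch 6/7 restores `filters: { <<: *tag-or-master }`, but the intermediate commits remain in history and can still be built. Squashing the CI-test commits (3/7, 4/7, 6/7) into this one before merge would keep the publish job filtered in every commit.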
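Review bot: The `import GPG key` step writes an export of the private signing key to `~/.gnupg/secring.gpg`, and nothing after `make helm-publish` removes it, so the key material stays on disk for the rest of the job, including the git operations of the publish target. Add a closing step such as `- run: { name: remove GPG keyring, command: rm -rf ~/.gnupg, when: always }`. No passphrase is supplied anywhere in these steps, which suggests the key held in `$GPG_KEY` is unprotected; if so, that CircleCI variable is the only barrier and is worth scoping to a restricted context. The same export recurs in patches 3/7 and 4/7, and the `publish-helm` step list starts outside the hunk.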
@@ -319,6 +319,7 @@ endif CHARTS := production/helm/loki production/helm/promtail production/helm/fluent-bit production/helm/loki-stack +helm: PACKAGE_ARGS ?= helm: -rm -f production/helm/*/requirements.lock @set -e; \ @@ -326,7 +327,7 @@ helm: for chart in $(CHARTS); do \ helm dependency build $$chart; \ helm lint $$chart; \ - helm package $$chart; \ + helm package $(PACKAGE_ARGS) $$chart; \ done rm -f production/helm/*/requirements.lock diff --git a/loki-build-image/Dockerfile b/loki-build-image/Dockerfile index 1bc496669f8df..aeca9cbc21ac4 100644 --- a/loki-build-image/Dockerfile +++ b/loki-build-image/Dockerfile @@ -23,10 +23,10 @@ RUN GO111MODULE=on go get github.com/drone/drone-cli/drone@1fad337d74ca0ecf42099 FROM golang:1.13.4-stretch RUN apt-get update && \ apt-get install -qy \ - musl \ - file zip unzip jq gettext\ - protobuf-compiler libprotobuf-dev \ - libsystemd-dev && \ + musl gnupg \ + file zip unzip jq gettext\ + protobuf-compiler libprotobuf-dev \ + libsystemd-dev && \ rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* COPY --from=docker /usr/bin/docker /usr/bin/docker @@ -43,7 +43,7 @@ RUN GO111MODULE=on go get \ github.com/golang/protobuf/protoc-gen-go@v1.3.0 \ github.com/gogo/protobuf/protoc-gen-gogoslick@v1.2.1 \ github.com/gogo/protobuf/gogoproto@v1.2.1 \ - github.com/go-delve/delve/cmd/dlv \ + github.com/go-delve/delve/cmd/dlv@v1.3.2 \ # Due to the lack of a proper release tag, we use the commit hash of # https://github.com/golang/tools/releases v0.1.7 golang.org/x/tools/cmd/goyacc@58d531046acdc757f177387bc1725bfa79895d69 \ From f44de71a9c5c0e36ee92dd1fef9021f5e152849d Mon Sep 17 00:00:00 2001 From: Cyril Tovena Date: Sun, 29 Mar 2020 10:26:18 -0400 Subject: [PATCH 2/7] Regen drone config. Signed-off-by: Cyril Tovena --- .drone/drone.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.drone/drone.yml b/.drone/drone.yml index 2e575e203a208..e46fe5eb008e1 100644 --- a/.drone/drone.yml +++ b/.drone/drone.yml 
@@ -12,28 +12,28 @@ workspace: steps: - name: test - image: grafana/loki-build-image:0.9.1 + image: grafana/loki-build-image:0.9.2 commands: - make BUILD_IN_CONTAINER=false test depends_on: - clone - name: lint - image: grafana/loki-build-image:0.9.1 + image: grafana/loki-build-image:0.9.2 commands: - make BUILD_IN_CONTAINER=false lint depends_on: - clone - name: check-generated-files - image: grafana/loki-build-image:0.9.1 + image: grafana/loki-build-image:0.9.2 commands: - make BUILD_IN_CONTAINER=false check-generated-files depends_on: - clone - name: check-mod - image: grafana/loki-build-image:0.9.1 + image: grafana/loki-build-image:0.9.2 commands: - make BUILD_IN_CONTAINER=false check-mod depends_on: @@ -561,7 +561,7 @@ platform: steps: - name: trigger - image: grafana/loki-build-image:0.9.1 + image: grafana/loki-build-image:0.9.2 commands: - ./tools/deploy.sh environment: @@ -588,7 +588,7 @@ platform: steps: - name: trigger - image: grafana/loki-build-image:0.9.1 + image: grafana/loki-build-image:0.9.2 commands: - go run ./tools/delete_tags.go -max-age=2160h -repo grafana/loki -delete - go run ./tools/delete_tags.go -max-age=2160h -repo grafana/promtail -delete From f07d1468b78b7ccd026b0a655c9a2044fd719c5d Mon Sep 17 00:00:00 2001 From: Cyril Tovena Date: Sun, 29 Mar 2020 10:36:47 -0400 Subject: [PATCH 3/7] Testing CI. Signed-off-by: Cyril Tovena --- .circleci/config.yml | 47 +++++++++++++++++++++++--------------------- 1 file changed, 25 insertions(+), 22 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 24a42108d6690..0af6cb801a05e 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml 
@@ -19,29 +19,29 @@ workflows: version: 2 default: jobs: - # publish jobs depend on this as well, - # thus tags need to be allowed for these - - test: { filters: { <<: *tags } } - - - build/promtail-windows: - requires: [test] - - - build/docker-driver: - requires: [test] - filters: { <<: *no-master } - - publish/docker-driver: - requires: [test] - filters: { <<: *tag-or-master } - - - publish/binaries: - requires: [test] - filters: { <<: *only-tags } - - - test-helm: - requires: [test] - filters: { <<: *tags } + # # publish jobs depend on this as well, + # # thus tags need to be allowed for these + # - test: { filters: { <<: *tags } } + + # - build/promtail-windows: + # requires: [test] + + # - build/docker-driver: + # requires: [test] + # filters: { <<: *no-master } + # - publish/docker-driver: + # requires: [test] + # filters: { <<: *tag-or-master } + + # - publish/binaries: + # requires: [test] + # filters: { <<: *only-tags } + + # - test-helm: + # requires: [test] + # filters: { <<: *tags } - publish-helm: - requires: [test-helm] + requires: [] #[test-helm] # filters: { <<: *tag-or-master } # https://circleci.com/blog/circleci-hacks-reuse-yaml-in-your-circleci-config-with-yaml/ @@ -149,4 +149,7 @@ jobs: - run: name: import GPG key command: echo -e "$GPG_KEY" | gpg --import && gpg --export-secret-key loki-team@googlegroups.com > ~/.gnupg/secring.gpg + - run: + name: export GPG key + command: gpg --export-secret-key loki-team@googlegroups.com > ~/.gnupg/secring.gpg - run: PACKAGE_ARGS='--sign --key "Grafana Loki" --keyring ~/.gnupg/secring.gpg' make helm-publish From 3370d35152a32524528238f8899a00729b6f1208 Mon Sep 17 00:00:00 2001 From: Cyril Tovena Date: Sun, 29 Mar 2020 10:38:27 -0400 Subject: [PATCH 4/7] Test CI. Signed-off-by: Cyril Tovena --- .circleci/config.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 0af6cb801a05e..1c17ae46b9c83 100644 --- a/.circleci/config.yml 
+++ b/.circleci/config.yml @@ -148,7 +148,7 @@ jobs: - checkout - run: name: import GPG key - command: echo -e "$GPG_KEY" | gpg --import && gpg --export-secret-key loki-team@googlegroups.com > ~/.gnupg/secring.gpg + command: echo -e "$GPG_KEY" | gpg --import - run: name: export GPG key command: gpg --export-secret-key loki-team@googlegroups.com > ~/.gnupg/secring.gpg From 969eaca902c75e7c7a83cb11d7d7091c0ed7559c Mon Sep 17 00:00:00 2001 From: Cyril Tovena Date: Sun, 29 Mar 2020 11:01:40 -0400 Subject: [PATCH 5/7] Include .prov files for charts. Signed-off-by: Cyril Tovena --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 97bab20285144..e40df874006b4 100644 --- a/Makefile +++ b/Makefile @@ -350,7 +350,7 @@ helm-publish: helm git config user.name "${CIRCLE_USERNAME}" git checkout gh-pages || (git checkout --orphan gh-pages && git rm -rf . > /dev/null) mkdir -p charts - mv *.tgz index.md charts/ + mv *.tgz *.tgz.prov index.md charts/ helm repo index charts/ git add charts/ git commit -m "[skip ci] Publishing helm charts: ${CIRCLE_SHA1}" From 657d236f3b1b5797e43e2a4f13ba2b1866cce57d Mon Sep 17 00:00:00 2001 From: Cyril Tovena Date: Sun, 29 Mar 2020 11:19:08 -0400 Subject: [PATCH 6/7] Revert testing changes. Signed-off-by: Cyril Tovena --- .circleci/config.yml | 46 ++++++++++++++++++++++---------------------- 1 file changed, 23 insertions(+), 23 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 1c17ae46b9c83..82ec00875fda5 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml 
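Review bot: `mv *.tgz *.tgz.prov index.md charts/` publishes whatever provenance files are present without checking them, and it makes `helm-publish` fail with a bare `mv` error whenever `PACKAGE_ARGS` carries no `--sign`. Running `helm verify` on each package against the project's public keyring before the `mv` would catch a package signed with the wrong key or a stale `.prov` left in the working tree. A comment above the target would make the new requirement explicit, for example `# helm-publish expects signed packages: pass PACKAGE_ARGS with --sign, otherwise no .prov exists and the mv fails`. The `helm-publish` recipe starts and ends outside the hunk.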
@@ -19,30 +19,30 @@ workflows: version: 2 default: jobs: - # # publish jobs depend on this as well, - # # thus tags need to be allowed for these - # - test: { filters: { <<: *tags } } - - # - build/promtail-windows: - # requires: [test] - - # - build/docker-driver: - # requires: [test] - # filters: { <<: *no-master } - # - publish/docker-driver: - # requires: [test] - # filters: { <<: *tag-or-master } - - # - publish/binaries: - # requires: [test] - # filters: { <<: *only-tags } - - # - test-helm: - # requires: [test] - # filters: { <<: *tags } + # publish jobs depend on this as well, + # thus tags need to be allowed for these + - test: { filters: { <<: *tags } } + + - build/promtail-windows: + requires: [test] + + - build/docker-driver: + requires: [test] + filters: { <<: *no-master } + - publish/docker-driver: + requires: [test] + filters: { <<: *tag-or-master } + + - publish/binaries: + requires: [test] + filters: { <<: *only-tags } + + - test-helm: + requires: [test] + filters: { <<: *tags } - publish-helm: - requires: [] #[test-helm] - # filters: { <<: *tag-or-master } + requires: [test-helm] + filters: { <<: *tag-or-master } # https://circleci.com/blog/circleci-hacks-reuse-yaml-in-your-circleci-config-with-yaml/ .defaults: &defaults From 888a07e6a43b3b1a2b7d38043cacc2585a33a6ca Mon Sep 17 00:00:00 2001 From: Cyril Tovena Date: Sun, 29 Mar 2020 12:14:04 -0400 Subject: [PATCH 7/7] Add public GPG key for verifying helm charts. Signed-off-by: Cyril Tovena --- production/helm/public.pgp | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 production/helm/public.pgp diff --git a/production/helm/public.pgp b/production/helm/public.pgp new file mode 100644 index 0000000000000..f3d730f097231 --- /dev/null +++ b/production/helm/public.pgp 
@@ -0,0 +1,31 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQENBF5/50EBCAC3Pab5BojOdLJT+6aJmfWF3HbVbI4l/TOIxMdvI8jneCA+wBX7
+Pp3x4LoSUWX968fX4Mfqyf/fqgHxQltzm5S+MCakROnVkmy5ecsbm61plcvGA1uU
+PiYtsWccXvq+cO22onNieSTV7z/330jAFwOGYRrT/utIVmEOefD64uQx6YXhglEU
+PmE2N6OVdajd8mlfKStaq/ef1NCwnax4EgWXBnVMrRfouZX//ouguYOyDaQ7IqcG
+kFvEaSVqF5hYyVR2Ot+C7hH4/JNy2q6cf6J2N2JS8PE9aMkc7W6VE7BDi0CTweQ4
+0ejK7Y8oRUrKNZH/fsJK5SpqW8kai0NBKDPDABEBAAG0KUdyYWZhbmEgTG9raSA8
+bG9raS10ZWFtQGdvb2dsZWdyb3Vwcy5jb20+iQFUBBMBCAA+FiEEZzewM0g2wzSd
+/y3UcFSpVZ08+wsFAl5/50ECGwMFCQPCZwAFCwkIBwIGFQoJCAsCBBYCAwECHgEC
+F4AACgkQcFSpVZ08+wudGAf+OU26FHzudVMd4uMWHlQZGSCAGQWriGeFntYke1Ri
+str5cjJo78kLYcMKUXfHGrILBEpO7WYr/VEPMxnKNkW8qC9sV/W+Gz+OpEZ7Zuli
+3Y9vRI44kJ18Wo7vDryucy9WLR99GmHn0W7C/PMpuXa8P+X5jEQUs5WAm8Rkd3vC
+gS0niAf/k3AwWSPxJV+VEy/rAqSuA61tiPiTXOhaD3OpfsCgCigT4epqr/YBLuYF
+K728443pJZbxf1TrT8sBacPPg7KK9UkuafZapC/cQ4+0b8/o4CSbPiOPRbysKYmP
+9nwg36lFlR0VSI9y68H6KPHe0dTjfgZISUD7QU1okdTVQbkBDQRef+dBAQgA8+h8
+GneZ6QjLrDSVDndNkukP7q0d2abiSx4hzA65mr6lwfGwg20jHKPeYbuYt0n7wUg8
+e3cIkbN2b/CKojgAesLQMHo/TmH0blY3VWoI6WWyTioOWPII9qc4cKnKZGjA8fG1
+CBse3ZNUbHDtvJP/qBbQd4j6waEjIwODaTCwpWGboKDG0o7Zoemx+YwGN7678g1B
+E1f8ckwL1FoHZ8ID+bNsBBEUYO+Iup/gcdhZUVsJ1TdTmDfYdpDNMeQ7fyeRyl6O
+kUk+Za/ieJhc6Tv+EdPbXmWiTcQDCwiCb7lrQOqcv68q8zcRRjRaqF03dUz8onOl
+dhUUqWpIxGdh1+gXTQARAQABiQE8BBgBCAAmFiEEZzewM0g2wzSd/y3UcFSpVZ08
++wsFAl5/50ECGwwFCQPCZwAACgkQcFSpVZ08+wssFwgAobGpA0FgW+uJ7N05q9lm
+WB4ohlUnPSCUaxvzeLxxDPdw0xlxr5rMDwqD9Zvg546fzVx0xxbHka+l/toIV1oI
+yQEPIQSPWNUxt5AYfgi/+uhX1qHhFzFU+ebvwWCxxwCM7WBmItswoAFkPfwFbbu9
+7L3HUaRWZbXneaYfPCrg+mv/20r8BGXD8TMTBmkKPwHqmfO1XhwWFEvRRNeYWUMe
+GzLqvocxJoZWulgemrdTj4QNIb9HY+UhZuMxkRk3Lvz34dURK4bg86V/KgR3h0Y5
+wWovQyy1DnH+QryT//MT8lMfbD19bjfsuEwRTCEvEWUptg0Y9EfYNe8cHQADTBHE
+Hg==
+=pugM
+-----END PGP PUBLIC KEY BLOCK-----
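Review bot: The public key is added with no accompanying text saying which fingerprint consumers should expect or how to use the file, and it lives in the same repository as the charts it vouches for, so anyone able to alter the published charts could plausibly replace this file as well. Publishing the full fingerprint through a second channel (release notes, project website) gives users something independent to compare against. A short README section next to the key showing the import and `helm verify` / `helm install --verify` flow would make the signatures usable in practice. The key's expiry and rotation plan belong in the same place, since published `.prov` files stay verifiable only while consumers hold the right key.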