From 9ac5b3107b12333f31866590688a2025e9415056 Mon Sep 17 00:00:00 2001 From: Logan Davis <38335829+logand22@users.noreply.github.com> Date: Thu, 28 Jul 2022 18:37:09 -0500 Subject: [PATCH] [v10] Update drone publishing (#14961) --- .drone.yml | 491 +++++++++++++++++++++++++++++++++++++------- Makefile | 20 +- dronegen/common.go | 12 ++ dronegen/main.go | 2 +- dronegen/misc.go | 23 +-- dronegen/promote.go | 133 ++++++++++++ e | 2 +- 7 files changed, 590 insertions(+), 93 deletions(-) create mode 100644 dronegen/promote.go diff --git a/.drone.yml b/.drone.yml index 9549f512b1159..0411563137cb3 100644 --- a/.drone.yml +++ b/.drone.yml @@ -884,10 +884,9 @@ steps: environment: OS: linux ARCH: amd64 - settings: - username: + QUAY_USERNAME: from_secret: PRODUCTION_QUAYIO_DOCKER_USERNAME - password: + QUAY_PASSWORD: from_secret: PRODUCTION_QUAYIO_DOCKER_PASSWORD volumes: - name: dockersock @@ -897,7 +896,7 @@ steps: - export OSS_IMAGE_NAME="quay.io/gravitational/teleport:$(cat /go/build/CURRENT_VERSION_TAG_GENERIC.txt)" - export ENT_IMAGE_NAME="quay.io/gravitational/teleport-ent:$(cat /go/build/CURRENT_VERSION_TAG_GENERIC.txt)" - export ENT_FIPS_IMAGE_NAME="quay.io/gravitational/teleport-ent:$(cat /go/build/CURRENT_VERSION_TAG_GENERIC.txt)-fips" - - docker login -u="$PLUGIN_USERNAME" -p="$PLUGIN_PASSWORD" quay.io + - docker login -u="$QUAY_USERNAME" -p="$QUAY_PASSWORD" quay.io # OSS - docker build --target teleport --build-arg DOWNLOAD_TYPE=teleport --build-arg VERSION_TAG=$VERSION_TAG --build-arg OS=$OS --build-arg ARCH=$ARCH -t $OSS_IMAGE_NAME -f /go/build/Dockerfile-cron /go/build - docker push $OSS_IMAGE_NAME @@ -913,10 +912,9 @@ steps: environment: OS: linux ARCH: amd64 - settings: - username: + QUAY_USERNAME: from_secret: PRODUCTION_QUAYIO_DOCKER_USERNAME - password: + QUAY_PASSWORD: from_secret: PRODUCTION_QUAYIO_DOCKER_PASSWORD volumes: - name: dockersock 
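Review bot: The login on the new side of hunk @@ -897, `docker login -u="$QUAY_USERNAME" -p="$QUAY_PASSWORD" quay.io`, still passes the secret as a command-line argument, which docker itself warns against because the argument is visible to other processes in the step container, while the ECR logins added elsewhere in this patch already pipe the password in. Consider `echo "$QUAY_PASSWORD" | docker login -u="$QUAY_USERNAME" --password-stdin quay.io`. The identical line is repeated in hunks @@ -926 and @@ -955 and in the generated promote-docker-quay pipeline under @@ -5294, where the change belongs in dronegen/promote.go rather than in the generated YAML.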
@@ -926,7 +924,7 @@ steps: - export OSS_IMAGE_NAME="quay.io/gravitational/teleport:$(cat /go/build/PREVIOUS_VERSION_ONE_TAG_GENERIC.txt)" - export ENT_IMAGE_NAME="quay.io/gravitational/teleport-ent:$(cat /go/build/PREVIOUS_VERSION_ONE_TAG_GENERIC.txt)" - export ENT_FIPS_IMAGE_NAME="quay.io/gravitational/teleport-ent:$(cat /go/build/PREVIOUS_VERSION_ONE_TAG_GENERIC.txt)-fips" - - docker login -u="$PLUGIN_USERNAME" -p="$PLUGIN_PASSWORD" quay.io + - docker login -u="$QUAY_USERNAME" -p="$QUAY_PASSWORD" quay.io # OSS - docker build --target teleport --build-arg DOWNLOAD_TYPE=teleport --build-arg VERSION_TAG=$VERSION_TAG --build-arg OS=$OS --build-arg ARCH=$ARCH -t $OSS_IMAGE_NAME -f /go/build/Dockerfile-cron /go/build - docker push $OSS_IMAGE_NAME @@ -942,10 +940,9 @@ steps: environment: OS: linux ARCH: amd64 - settings: - username: + QUAY_USERNAME: from_secret: PRODUCTION_QUAYIO_DOCKER_USERNAME - password: + QUAY_PASSWORD: from_secret: PRODUCTION_QUAYIO_DOCKER_PASSWORD volumes: - name: dockersock @@ -955,7 +952,7 @@ steps: - export OSS_IMAGE_NAME="quay.io/gravitational/teleport:$(cat /go/build/PREVIOUS_VERSION_TWO_TAG_GENERIC.txt)" - export ENT_IMAGE_NAME="quay.io/gravitational/teleport-ent:$(cat /go/build/PREVIOUS_VERSION_TWO_TAG_GENERIC.txt)" - export ENT_FIPS_IMAGE_NAME="quay.io/gravitational/teleport-ent:$(cat /go/build/PREVIOUS_VERSION_TWO_TAG_GENERIC.txt)-fips" - - docker login -u="$PLUGIN_USERNAME" -p="$PLUGIN_PASSWORD" quay.io + - docker login -u="$QUAY_USERNAME" -p="$QUAY_PASSWORD" quay.io # OSS - docker build --target teleport --build-arg DOWNLOAD_TYPE=teleport --build-arg VERSION_TAG=$VERSION_TAG --build-arg OS=$OS --build-arg ARCH=$ARCH -t $OSS_IMAGE_NAME -f /go/build/Dockerfile-cron /go/build - docker push $OSS_IMAGE_NAME 
@@ -1005,6 +1002,231 @@ volumes: - name: dockersock temp: {} +--- +kind: pipeline +type: kubernetes +name: teleport-docker-cron-ecr + +trigger: + cron: + - teleport-docker-cron-ecr + repo: + include: + - gravitational/teleport + +workspace: + path: /go + +clone: + disable: false + +steps: + - name: Set up variables and Dockerfile + image: docker:git + environment: + # increment these variables when a new major/minor version is released to bump the automatic builds + # this only needs to be done on the master branch, as that's the branch that the Drone cron is configured for + # build major version images which are just teleport:x + CURRENT_VERSION_ROOT: v10 + PREVIOUS_VERSION_ONE_ROOT: v9 + PREVIOUS_VERSION_TWO_ROOT: v8 + commands: + - apk --update --no-cache add curl go + - mkdir -p /go/build && cd /go/build + # CURRENT_VERSION + - (cd /go/build.assets/tooling && go run ./cmd/query-latest $CURRENT_VERSION_ROOT > /go/build/CURRENT_VERSION_TAG.txt) + - echo "$(cat /go/build/CURRENT_VERSION_TAG.txt | cut -d. -f1 | tr -d '^v')" > /go/build/CURRENT_VERSION_TAG_GENERIC.txt + # PREVIOUS_VERSION_ONE + - (cd /go/build.assets/tooling && go run ./cmd/query-latest $PREVIOUS_VERSION_ONE_ROOT > /go/build/PREVIOUS_VERSION_ONE_TAG.txt) + - echo "$(cat /go/build/PREVIOUS_VERSION_ONE_TAG.txt | cut -d. -f1 | tr -d '^v')" > /go/build/PREVIOUS_VERSION_ONE_TAG_GENERIC.txt + # PREVIOUS_VERSION_TWO + - (cd /go/build.assets/tooling && go run ./cmd/query-latest $PREVIOUS_VERSION_TWO_ROOT > /go/build/PREVIOUS_VERSION_TWO_TAG.txt) + - echo "$(cat /go/build/PREVIOUS_VERSION_TWO_TAG.txt | cut -d. 
-f1 | tr -d '^v')" > /go/build/PREVIOUS_VERSION_TWO_TAG_GENERIC.txt + # list versions + - for FILE in /go/build/*.txt; do echo $FILE; cat $FILE; done + # get Dockerfiles + - curl -Ls -o /go/build/Dockerfile-cron https://raw.githubusercontent.com/gravitational/teleport/${DRONE_SOURCE_BRANCH:-master}/build.assets/Dockerfile-cron + - curl -Ls -o /go/build/Dockerfile-cron-v8 https://raw.githubusercontent.com/gravitational/teleport/${DRONE_SOURCE_BRANCH:-master}/build.assets/Dockerfile-cron-v8 + # wait for Docker to be ready + - sleep 3 + + - name: Build and push Teleport containers (CURRENT_VERSION) + image: docker + environment: + OS: linux + ARCH: amd64 + STAGING_AWS_ACCESS_KEY_ID: + from_secret: STAGING_TELEPORT_DRONE_USER_ECR_KEY + STAGING_AWS_SECRET_ACCESS_KEY: + from_secret: STAGING_TELEPORT_DRONE_USER_ECR_SECRET + PROD_AWS_ACCESS_KEY_ID: + from_secret: PRODUCTION_TELEPORT_DRONE_USER_ECR_KEY + PROD_AWS_SECRET_ACCESS_KEY: + from_secret: PRODUCTION_TELEPORT_DRONE_USER_ECR_SECRET + volumes: + - name: dockersock + path: /var/run + commands: + - apk add --no-cache aws-cli + - export VERSION_TAG=$(cat /go/build/CURRENT_VERSION_TAG.txt) + - export CURRENT_DATE=$(date '+%Y%m%d%H%M') + # Staging image names + - export OSS_IMAGE_NAME_STAGE="146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport:$(cat /go/build/CURRENT_VERSION_TAG_GENERIC.txt)-$CURRENT_DATE" + - export ENT_IMAGE_NAME_STAGE="146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$(cat /go/build/CURRENT_VERSION_TAG_GENERIC.txt)-$CURRENT_DATE" + - export ENT_FIPS_IMAGE_NAME_STAGE="146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$(cat /go/build/CURRENT_VERSION_TAG_GENERIC.txt)-fips-$CURRENT_DATE" + # Production image names + - export OSS_IMAGE_NAME_PROD="public.ecr.aws/gravitational/teleport:$(cat /go/build/CURRENT_VERSION_TAG_GENERIC.txt)" + - export ENT_IMAGE_NAME_PROD="public.ecr.aws/gravitational/teleport-ent:$(cat 
/go/build/CURRENT_VERSION_TAG_GENERIC.txt)" + - export ENT_FIPS_IMAGE_NAME_PROD="public.ecr.aws/gravitational/teleport-ent:$(cat /go/build/CURRENT_VERSION_TAG_GENERIC.txt)-fips" + # Authenticate to staging registry + - export AWS_ACCESS_KEY_ID="$STAGING_AWS_ACCESS_KEY_ID" + - export AWS_SECRET_ACCESS_KEY="$STAGING_AWS_SECRET_ACCESS_KEY" + - aws ecr get-login-password --region=us-west-2 | docker login -u="AWS" --password-stdin 146628656107.dkr.ecr.us-west-2.amazonaws.com + # OSS + - docker build --target teleport --build-arg DOWNLOAD_TYPE=teleport --build-arg VERSION_TAG=$VERSION_TAG --build-arg OS=$OS --build-arg ARCH=$ARCH -t $OSS_IMAGE_NAME_STAGE -f /go/build/Dockerfile-cron /go/build + - docker push $OSS_IMAGE_NAME_STAGE + # Enterprise + - docker build --target teleport --build-arg DOWNLOAD_TYPE=teleport-ent --build-arg VERSION_TAG=$VERSION_TAG --build-arg OS=$OS --build-arg ARCH=$ARCH -t $ENT_IMAGE_NAME_STAGE -f /go/build/Dockerfile-cron /go/build + - docker push $ENT_IMAGE_NAME_STAGE + # Enterprise FIPS + - docker build --target teleport-fips --build-arg DOWNLOAD_TYPE=teleport-ent --build-arg EXTRA_DOWNLOAD_ARGS="-fips" --build-arg VERSION_TAG=$VERSION_TAG --build-arg OS=$OS --build-arg ARCH=$ARCH -t $ENT_FIPS_IMAGE_NAME_STAGE -f /go/build/Dockerfile-cron /go/build + - docker push $ENT_FIPS_IMAGE_NAME_STAGE + # Authenticate to production registry + - docker logout 146628656107.dkr.ecr.us-west-2.amazonaws.com + - export AWS_ACCESS_KEY_ID="$PROD_AWS_ACCESS_KEY_ID" + - export AWS_SECRET_ACCESS_KEY="$PROD_AWS_SECRET_ACCESS_KEY" + - aws ecr-public get-login-password --region=us-east-1 | docker login -u="AWS" --password-stdin public.ecr.aws + # Retag images + - docker tag $OSS_IMAGE_NAME_STAGE $OSS_IMAGE_NAME_PROD + - docker tag $ENT_IMAGE_NAME_STAGE $ENT_IMAGE_NAME_PROD + - docker tag $ENT_FIPS_IMAGE_NAME_STAGE $ENT_FIPS_IMAGE_NAME_PROD + # Promote to production registry + - docker push $ENT_IMAGE_NAME_PROD + - docker push $OSS_IMAGE_NAME_PROD + - docker push 
$ENT_FIPS_IMAGE_NAME_PROD + + - name: Build and push Teleport containers (PREVIOUS_VERSION_ONE) + image: docker + environment: + OS: linux + ARCH: amd64 + STAGING_AWS_ACCESS_KEY_ID: + from_secret: STAGING_TELEPORT_DRONE_USER_ECR_KEY + STAGING_AWS_SECRET_ACCESS_KEY: + from_secret: STAGING_TELEPORT_DRONE_USER_ECR_SECRET + PROD_AWS_ACCESS_KEY_ID: + from_secret: PRODUCTION_TELEPORT_DRONE_USER_ECR_KEY + PROD_AWS_SECRET_ACCESS_KEY: + from_secret: PRODUCTION_TELEPORT_DRONE_USER_ECR_SECRET + volumes: + - name: dockersock + path: /var/run + commands: + - apk add --no-cache aws-cli + - export VERSION_TAG=$(cat /go/build/PREVIOUS_VERSION_ONE_TAG.txt) + - export CURRENT_DATE=$(date '+%Y%m%d%H%M') + # Staging image names + - export OSS_IMAGE_NAME_STAGE="146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport:$(cat /go/build/PREVIOUS_VERSION_ONE_TAG_GENERIC.txt)-$CURRENT_DATE" + - export ENT_IMAGE_NAME_STAGE="146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$(cat /go/build/PREVIOUS_VERSION_ONE_TAG_GENERIC.txt)-$CURRENT_DATE" + - export ENT_FIPS_IMAGE_NAME_STAGE="146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$(cat /go/build/PREVIOUS_VERSION_ONE_TAG_GENERIC.txt)-fips-$CURRENT_DATE" + # Production image names + - export OSS_IMAGE_NAME_PROD="public.ecr.aws/gravitational/teleport:$(cat /go/build/PREVIOUS_VERSION_ONE_TAG_GENERIC.txt)" + - export ENT_IMAGE_NAME_PROD="public.ecr.aws/gravitational/teleport-ent:$(cat /go/build/PREVIOUS_VERSION_ONE_TAG_GENERIC.txt)" + - export ENT_FIPS_IMAGE_NAME_PROD="public.ecr.aws/gravitational/teleport-ent:$(cat /go/build/PREVIOUS_VERSION_ONE_TAG_GENERIC.txt)-fips" + # Authenticate to staging registry + - export AWS_ACCESS_KEY_ID="$STAGING_AWS_ACCESS_KEY_ID" + - export AWS_SECRET_ACCESS_KEY="$STAGING_AWS_SECRET_ACCESS_KEY" + - aws ecr get-login-password --region=us-west-2 | docker login -u="AWS" --password-stdin 146628656107.dkr.ecr.us-west-2.amazonaws.com + # OSS + - docker build --target 
teleport --build-arg DOWNLOAD_TYPE=teleport --build-arg VERSION_TAG=$VERSION_TAG --build-arg OS=$OS --build-arg ARCH=$ARCH -t $OSS_IMAGE_NAME_STAGE -f /go/build/Dockerfile-cron /go/build + - docker push $OSS_IMAGE_NAME_STAGE + # Enterprise + - docker build --target teleport --build-arg DOWNLOAD_TYPE=teleport-ent --build-arg VERSION_TAG=$VERSION_TAG --build-arg OS=$OS --build-arg ARCH=$ARCH -t $ENT_IMAGE_NAME_STAGE -f /go/build/Dockerfile-cron /go/build + - docker push $ENT_IMAGE_NAME_STAGE + # Enterprise FIPS + - docker build --target teleport-fips --build-arg DOWNLOAD_TYPE=teleport-ent --build-arg EXTRA_DOWNLOAD_ARGS="-fips" --build-arg VERSION_TAG=$VERSION_TAG --build-arg OS=$OS --build-arg ARCH=$ARCH -t $ENT_FIPS_IMAGE_NAME_STAGE -f /go/build/Dockerfile-cron /go/build + - docker push $ENT_FIPS_IMAGE_NAME_STAGE + # Authenticate to production registry + - docker logout 146628656107.dkr.ecr.us-west-2.amazonaws.com + - export AWS_ACCESS_KEY_ID="$PROD_AWS_ACCESS_KEY_ID" + - export AWS_SECRET_ACCESS_KEY="$PROD_AWS_SECRET_ACCESS_KEY" + - aws ecr-public get-login-password --region=us-east-1 | docker login -u="AWS" --password-stdin public.ecr.aws + # Retag images + - docker tag $OSS_IMAGE_NAME_STAGE $OSS_IMAGE_NAME_PROD + - docker tag $ENT_IMAGE_NAME_STAGE $ENT_IMAGE_NAME_PROD + - docker tag $ENT_FIPS_IMAGE_NAME_STAGE $ENT_FIPS_IMAGE_NAME_PROD + # Promote to production registry + - docker push $ENT_IMAGE_NAME_PROD + - docker push $OSS_IMAGE_NAME_PROD + - docker push $ENT_FIPS_IMAGE_NAME_PROD + + - name: Build and push Teleport containers (PREVIOUS_VERSION_TWO) + image: docker + environment: + OS: linux + ARCH: amd64 + STAGING_AWS_ACCESS_KEY_ID: + from_secret: STAGING_TELEPORT_DRONE_USER_ECR_KEY + STAGING_AWS_SECRET_ACCESS_KEY: + from_secret: STAGING_TELEPORT_DRONE_USER_ECR_SECRET + PROD_AWS_ACCESS_KEY_ID: + from_secret: PRODUCTION_TELEPORT_DRONE_USER_ECR_KEY + PROD_AWS_SECRET_ACCESS_KEY: + from_secret: PRODUCTION_TELEPORT_DRONE_USER_ECR_SECRET + volumes: + - name: 
dockersock + path: /var/run + commands: + - apk add --no-cache aws-cli + - export CURRENT_DATE=$(date '+%Y%m%d%H%M') + - export VERSION_TAG=$(cat /go/build/PREVIOUS_VERSION_TWO_TAG.txt) + # Staging image names + - export OSS_IMAGE_NAME_STAGE="146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport:$(cat /go/build/PREVIOUS_VERSION_TWO_TAG_GENERIC.txt)-$CURRENT_DATE" + - export ENT_IMAGE_NAME_STAGE="146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$(cat /go/build/PREVIOUS_VERSION_TWO_TAG_GENERIC.txt)-$CURRENT_DATE" + - export ENT_FIPS_IMAGE_NAME_STAGE="146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$(cat /go/build/PREVIOUS_VERSION_TWO_TAG_GENERIC.txt)-fips-$CURRENT_DATE" + # Production image names + - export OSS_IMAGE_NAME_PROD="public.ecr.aws/gravitational/teleport:$(cat /go/build/PREVIOUS_VERSION_TWO_TAG_GENERIC.txt)" + - export ENT_IMAGE_NAME_PROD="public.ecr.aws/gravitational/teleport-ent:$(cat /go/build/PREVIOUS_VERSION_TWO_TAG_GENERIC.txt)" + - export ENT_FIPS_IMAGE_NAME_PROD="public.ecr.aws/gravitational/teleport-ent:$(cat /go/build/PREVIOUS_VERSION_TWO_TAG_GENERIC.txt)-fips" + # Authenticate to staging registry + - export AWS_ACCESS_KEY_ID="$STAGING_AWS_ACCESS_KEY_ID" + - export AWS_SECRET_ACCESS_KEY="$STAGING_AWS_SECRET_ACCESS_KEY" + - aws ecr get-login-password --region=us-west-2 | docker login -u="AWS" --password-stdin 146628656107.dkr.ecr.us-west-2.amazonaws.com + # OSS + - docker build --target teleport --build-arg DOWNLOAD_TYPE=teleport --build-arg VERSION_TAG=$VERSION_TAG --build-arg OS=$OS --build-arg ARCH=$ARCH -t $OSS_IMAGE_NAME_STAGE -f /go/build/Dockerfile-cron-v8 /go/build + - docker push $OSS_IMAGE_NAME_STAGE + # Enterprise + - docker build --target teleport --build-arg DOWNLOAD_TYPE=teleport-ent --build-arg VERSION_TAG=$VERSION_TAG --build-arg OS=$OS --build-arg ARCH=$ARCH -t $ENT_IMAGE_NAME_STAGE -f /go/build/Dockerfile-cron-v8 /go/build + - docker push $ENT_IMAGE_NAME_STAGE + # 
Enterprise FIPS + - docker build --target teleport-fips --build-arg DOWNLOAD_TYPE=teleport-ent --build-arg EXTRA_DOWNLOAD_ARGS="-fips" --build-arg VERSION_TAG=$VERSION_TAG --build-arg OS=$OS --build-arg ARCH=$ARCH -t $ENT_FIPS_IMAGE_NAME_STAGE -f /go/build/Dockerfile-cron-v8 /go/build + - docker push $ENT_FIPS_IMAGE_NAME_STAGE + # Authenticate to production registry + - docker logout 146628656107.dkr.ecr.us-west-2.amazonaws.com + - export AWS_ACCESS_KEY_ID="$PROD_AWS_ACCESS_KEY_ID" + - export AWS_SECRET_ACCESS_KEY="$PROD_AWS_SECRET_ACCESS_KEY" + - aws ecr-public get-login-password --region=us-east-1 | docker login -u="AWS" --password-stdin public.ecr.aws + # Retag images + - docker tag $OSS_IMAGE_NAME_STAGE $OSS_IMAGE_NAME_PROD + - docker tag $ENT_IMAGE_NAME_STAGE $ENT_IMAGE_NAME_PROD + - docker tag $ENT_FIPS_IMAGE_NAME_STAGE $ENT_FIPS_IMAGE_NAME_PROD + # Promote to production registry + - docker push $ENT_IMAGE_NAME_PROD + - docker push $OSS_IMAGE_NAME_PROD + - docker push $ENT_FIPS_IMAGE_NAME_PROD + +services: + - name: Start Docker + image: docker:dind + privileged: true + volumes: + - name: dockersock + path: /var/run + +volumes: + - name: dockersock + temp: {} + --- kind: pipeline type: kubernetes 
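Review bot: The Dockerfile downloads in the new "Set up variables and Dockerfile" step, `curl -Ls -o /go/build/Dockerfile-cron https://raw.githubusercontent.com/gravitational/teleport/${DRONE_SOURCE_BRANCH:-master}/build.assets/Dockerfile-cron` and the Dockerfile-cron-v8 line after it, lack `--fail`, so an HTTP error body would be written as the Dockerfile and the failure would only surface later inside `docker build` with a misleading message; `curl -fLs -o ...` fails the step at the fetch instead. Given that the following steps run with staging and production ECR credentials and build from whatever that fetch produced, failing fast on the fetch is the cheapest check available here. The `sleep 3` under "wait for Docker to be ready" is also weaker than the `timeout 30s /bin/sh -c 'while [ ! -S /var/run/docker.sock ]; do sleep 1; done'` step the generated pipelines in this same patch use. The three build-and-push steps differ only in the version file names and registry tags and could be emitted by dronegen like the promote pipelines, which would also remove the repeated hard-coded registry host that dronegen/common.go now defines as `StagingRegistry`.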
@@ -4801,19 +5023,17 @@ steps: GOPATH: /go OS: linux ARCH: amd64 - settings: - username: - from_secret: QUAYIO_DOCKER_USERNAME - password: - from_secret: QUAYIO_DOCKER_PASSWORD + AWS_ACCESS_KEY_ID: + from_secret: STAGING_TELEPORT_DRONE_USER_ECR_KEY + AWS_SECRET_ACCESS_KEY: + from_secret: STAGING_TELEPORT_DRONE_USER_ECR_SECRET volumes: - name: dockersock path: /var/run commands: - - apk add --no-cache make bash + - apk add --no-cache make bash aws-cli - chown -R $UID:$GID /go - - docker login -u="$PLUGIN_USERNAME" -p="$PLUGIN_PASSWORD" quay.io - - docker pull quay.io/gravitational/teleport-buildbox:$BUILDBOX_VERSION || true + - aws ecr get-login-password --region us-west-2 | docker login -u="AWS" --password-stdin 146628656107.dkr.ecr.us-west-2.amazonaws.com - cd /go/src/github.com/gravitational/teleport - make image-ci publish-ci - make publish-operator-ci @@ -4827,19 +5047,17 @@ steps: GOPATH: /go OS: linux ARCH: amd64 - settings: - username: - from_secret: QUAYIO_DOCKER_USERNAME - password: - from_secret: QUAYIO_DOCKER_PASSWORD + AWS_ACCESS_KEY_ID: + from_secret: STAGING_TELEPORT_DRONE_USER_ECR_KEY + AWS_SECRET_ACCESS_KEY: + from_secret: STAGING_TELEPORT_DRONE_USER_ECR_SECRET volumes: - name: dockersock path: /var/run commands: - - apk add --no-cache make + - apk add --no-cache make aws-cli - chown -R $UID:$GID /go - - docker login -u="$PLUGIN_USERNAME" -p="$PLUGIN_PASSWORD" quay.io - - docker pull quay.io/gravitational/teleport-buildbox:BUILDBOX_VERSION || true + - aws ecr get-login-password --region us-west-2 | docker login -u="AWS" --password-stdin 146628656107.dkr.ecr.us-west-2.amazonaws.com - cd /go/src/github.com/gravitational/teleport # VERSION needs to be set manually when running in the e directory. # Normally, the version is set and exported by the root Makefile and then inherited, 
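Review bot: Hunk @@ -4801 removes the quay.io `docker login` but the step still runs `make publish-operator-ci`, and the Makefile hunk @@ -13 in this patch keeps `DOCKER_IMAGE_OPERATOR_CI ?= quay.io/gravitational/teleport-operator-ci` unchanged, so the operator push now runs with only the staging ECR login and should fail as unauthorized unless that target is redirected somewhere not shown here. Hunk @@ -4827 has the same shape if the `e` Makefile's `publish-ci` still targets quay.io (its diff is not in view). Separately, the "Pull/retag Docker images" step deleted under @@ -5349 used to promote `teleport-operator-ci` to `teleport-operator`, and neither generated promote-docker pipeline in this patch mentions the operator image, so operator promotion appears to be dropped rather than moved. Either keep a quay login for the operator step (piping the password via `--password-stdin`) or move the operator image to the staging ECR repository alongside the teleport images and add it to the promote pipelines.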
@@ -5170,7 +5388,7 @@ volumes: ################################################ # Generated using dronegen, do not edit by hand! # Use 'make dronegen' to update. -# Generated at dronegen/misc.go:145 +# Generated at dronegen/misc.go:134 ################################################ kind: pipeline @@ -5198,7 +5416,7 @@ steps: ################################################ # Generated using dronegen, do not edit by hand! # Use 'make dronegen' to update. -# Generated at dronegen/misc.go:169 +# Generated at dronegen/misc.go:158 ################################################ kind: pipeline 
@@ -5294,6 +5512,175 @@ volumes: temp: medium: memory +--- +################################################ +# Generated using dronegen, do not edit by hand! +# Use 'make dronegen' to update. +# Generated at dronegen/promote.go:81 +################################################ + +kind: pipeline +type: kubernetes +name: promote-docker-quay +trigger: + event: + include: + - promote + target: + include: + - production + - promote-docker + - promote-docker-quay + repo: + include: + - gravitational/* +workspace: + path: /go +clone: + disable: true +steps: +- name: Verify build is tagged + image: alpine:latest + commands: + - '[ -n ${DRONE_TAG} ] || (echo ''DRONE_TAG is not set. Is the commit tagged?'' + && exit 1)' +- name: Wait for docker + image: docker + commands: + - timeout 30s /bin/sh -c 'while [ ! -S /var/run/docker.sock ]; do sleep 1; done' + volumes: + - name: dockersock + path: /var/run +- name: Pull/retag Docker images + image: docker + commands: + - apk add --no-cache aws-cli + - export VERSION=${DRONE_TAG##v} + - aws ecr get-login-password --region=us-west-2 | docker login -u="AWS" --password-stdin + 146628656107.dkr.ecr.us-west-2.amazonaws.com + - echo "---> Pulling images for $${VERSION}" + - docker pull 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport:$${VERSION} + - docker pull 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$${VERSION} + - docker pull 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$${VERSION}-fips + - echo "---> Tagging images for $${VERSION}" + - docker tag 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport:$${VERSION} + quay.io/gravitational/teleport:$${VERSION} + - docker tag 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$${VERSION} + quay.io/gravitational/teleport-ent:$${VERSION} + - docker tag 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$${VERSION}-fips + 
quay.io/gravitational/teleport-ent:$${VERSION}-fips + - docker logout 146628656107.dkr.ecr.us-west-2.amazonaws.com + - docker login -u="$QUAY_USERNAME" -p="$QUAY_PASSWORD" quay.io + - echo "---> Pushing images for $${VERSION}" + - docker push quay.io/gravitational/teleport:$${VERSION} + - docker push quay.io/gravitational/teleport-ent:$${VERSION} + - docker push quay.io/gravitational/teleport-ent:$${VERSION}-fips + environment: + AWS_ACCESS_KEY_ID: + from_secret: STAGING_TELEPORT_DRONE_USER_ECR_KEY + AWS_SECRET_ACCESS_KEY: + from_secret: STAGING_TELEPORT_DRONE_USER_ECR_SECRET + QUAY_PASSWORD: + from_secret: PRODUCTION_QUAYIO_DOCKER_PASSWORD + QUAY_USERNAME: + from_secret: PRODUCTION_QUAYIO_DOCKER_USERNAME + volumes: + - name: dockersock + path: /var/run +services: +- name: Start Docker + image: docker:dind + privileged: true + volumes: + - name: dockersock + path: /var/run +volumes: +- name: dockersock + temp: {} + +--- +################################################ +# Generated using dronegen, do not edit by hand! +# Use 'make dronegen' to update. +# Generated at dronegen/promote.go:27 +################################################ + +kind: pipeline +type: kubernetes +name: promote-docker-ecr +trigger: + event: + include: + - promote + target: + include: + - production + - promote-docker + - promote-docker-ecr + repo: + include: + - gravitational/* +workspace: + path: /go +clone: + disable: true +steps: +- name: Verify build is tagged + image: alpine:latest + commands: + - '[ -n ${DRONE_TAG} ] || (echo ''DRONE_TAG is not set. Is the commit tagged?'' + && exit 1)' +- name: Wait for docker + image: docker + commands: + - timeout 30s /bin/sh -c 'while [ ! 
-S /var/run/docker.sock ]; do sleep 1; done' + volumes: + - name: dockersock + path: /var/run +- name: Pull/retag Docker images + image: docker + commands: + - apk add --no-cache aws-cli + - export VERSION=${DRONE_TAG##v} + - aws ecr get-login-password --region=us-west-2 | docker login -u="AWS" --password-stdin + 146628656107.dkr.ecr.us-west-2.amazonaws.com + - echo "---> Pulling images for $${VERSION}" + - docker pull 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport:$${VERSION} + - docker pull 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$${VERSION} + - docker pull 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$${VERSION}-fips + - echo "---> Tagging images for $${VERSION}" + - docker tag 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport:$${VERSION} + public.ecr.aws/gravitational/teleport:$${VERSION} + - docker tag 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$${VERSION} + public.ecr.aws/gravitational/teleport-ent:$${VERSION} + - docker tag 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$${VERSION}-fips + public.ecr.aws/gravitational/teleport-ent:$${VERSION}-fips + - docker logout 146628656107.dkr.ecr.us-west-2.amazonaws.com + - aws ecr-public get-login-password --region=us-east-1 | docker login -u="AWS" --password-stdin + public.ecr.aws + - echo "---> Pushing images for $${VERSION}" + - docker push public.ecr.aws/gravitational/teleport:$${VERSION} + - docker push public.ecr.aws/gravitational/teleport-ent:$${VERSION} + - docker push public.ecr.aws/gravitational/teleport-ent:$${VERSION}-fips + environment: + AWS_ACCESS_KEY_ID: + from_secret: PRODUCTION_TELEPORT_DRONE_USER_ECR_KEY + AWS_SECRET_ACCESS_KEY: + from_secret: PRODUCTION_TELEPORT_DRONE_USER_ECR_SECRET + volumes: + - name: dockersock + path: /var/run +services: +- name: Start Docker + image: docker:dind + privileged: true + volumes: + - name: dockersock + path: 
/var/run +volumes: +- name: dockersock + temp: {} + --- kind: pipeline type: kubernetes 
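Review bot: Both generated pipelines, promote-docker-quay and promote-docker-ecr, trigger on `repo: include: - gravitational/*`, whereas the existing promote-apt generator narrows its trigger with `p.Trigger.Repo.Include = []string{"gravitational/teleport"}` (visible as context in the dronegen/misc.go hunk @@ -87). These steps hold production ECR and Quay credentials and push to public repositories, so the same least-privilege narrowing should be applied in the new builder functions in dronegen/promote.go, e.g. `dockerPipeline.Trigger.Repo.Include = []string{"gravitational/teleport"}` after the `Trigger.Target.Include` append. If the wildcard is intentional because other repositories are expected to promote these images, a comment on the builders saying so would keep the next reader from "fixing" it.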
@@ -5349,48 +5736,6 @@ steps: target: teleport/${DRONE_TAG##v}/ strip_prefix: /go/artifacts/ - - name: Pull/retag Docker images - image: docker - settings: - docker_staging_username: - from_secret: QUAYIO_DOCKER_USERNAME - docker_staging_password: - from_secret: QUAYIO_DOCKER_PASSWORD - docker_production_username: - from_secret: PRODUCTION_QUAYIO_DOCKER_USERNAME - docker_production_password: - from_secret: PRODUCTION_QUAYIO_DOCKER_PASSWORD - volumes: - - name: dockersock - path: /var/run - commands: - # wait for docker to start - - sleep 3 - - export VERSION=${DRONE_TAG##v} - # authenticate with staging credentials - - docker login -u="$PLUGIN_DOCKER_STAGING_USERNAME" -p="$PLUGIN_DOCKER_STAGING_PASSWORD" quay.io - # pull 'temporary' CI-built images - - echo "---> Pulling images for $${VERSION}" - - docker pull quay.io/gravitational/teleport-ci:$${VERSION} - - docker pull quay.io/gravitational/teleport-ent-ci:$${VERSION} - - docker pull quay.io/gravitational/teleport-ent-ci:$${VERSION}-fips - - docker pull quay.io/gravitational/teleport-operator-ci:$${VERSION} - # retag images to production naming - - echo "---> Tagging images for $${VERSION}" - - docker tag quay.io/gravitational/teleport-ci:$${VERSION} quay.io/gravitational/teleport:$${VERSION} - - docker tag quay.io/gravitational/teleport-ent-ci:$${VERSION} quay.io/gravitational/teleport-ent:$${VERSION} - - docker tag quay.io/gravitational/teleport-ent-ci:$${VERSION}-fips quay.io/gravitational/teleport-ent:$${VERSION}-fips - - docker tag quay.io/gravitational/teleport-operator-ci:$${VERSION} quay.io/gravitational/teleport-operator:$${VERSION} - # reauthenticate with production credentials - - docker logout quay.io - - docker login -u="$PLUGIN_DOCKER_PRODUCTION_USERNAME" -p="$PLUGIN_DOCKER_PRODUCTION_PASSWORD" quay.io - # push production images - - echo "---> Pushing images for $${VERSION}" - - docker push quay.io/gravitational/teleport:$${VERSION} - - docker push quay.io/gravitational/teleport-ent:$${VERSION} - - 
docker push quay.io/gravitational/teleport-ent:$${VERSION}-fips - - docker push quay.io/gravitational/teleport-operator:$${VERSION} - - name: Check out code image: docker:git commands: @@ -5685,6 +6030,6 @@ volumes: name: drone-s3-debrepo-pvc --- kind: signature -hmac: ee5556e3497a86d41cc61e1a692b2199ec672a55f6393ef888e61fef92baa787 +hmac: 98febafab4b023cc0a6cb874b976c6d1da78c371593268cec034eb6952cd8e30 ... diff --git a/Makefile b/Makefile index dca15b5ab8093..b586471996813 100644 --- a/Makefile +++ b/Makefile @@ -13,9 +13,11 @@ # Master/dev branch: "1.0.0-dev" VERSION=10.0.2 -DOCKER_IMAGE ?= quay.io/gravitational/teleport -DOCKER_IMAGE_CI ?= quay.io/gravitational/teleport-ci + DOCKER_IMAGE_OPERATOR_CI ?= quay.io/gravitational/teleport-operator-ci +DOCKER_IMAGE_QUAY ?= quay.io/gravitational/teleport +DOCKER_IMAGE_ECR ?= public.ecr.aws/gravitational/teleport +DOCKER_IMAGE_STAGING ?= 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport GOPATH ?= $(shell go env GOPATH) @@ -981,14 +983,20 @@ install: build .PHONY: image image: clean docker-binaries cp ./build.assets/charts/Dockerfile $(BUILDDIR)/ - cd $(BUILDDIR) && docker build --no-cache . -t $(DOCKER_IMAGE):$(VERSION) + cd $(BUILDDIR) && docker build --no-cache . -t $(DOCKER_IMAGE_QUAY):$(VERSION) if [ -f e/Makefile ]; then $(MAKE) -C e image; fi .PHONY: publish publish: image - docker push $(DOCKER_IMAGE):$(VERSION) + docker push $(DOCKER_IMAGE_QUAY):$(VERSION) if [ -f e/Makefile ]; then $(MAKE) -C e publish; fi +.PHONY: publish-ecr +publish-ecr: image + docker tag $(DOCKER_IMAGE_QUAY) $(DOCKER_IMAGE_ECR) + docker push $(DOCKER_IMAGE_ECR):$(VERSION) + if [ -f e/Makefile ]; then $(MAKE) -C e publish-ecr; fi + # Docker image build in CI. # This is run to build and push Docker images to a private repository as part of the build process. # When we are ready to make the images public after testing (i.e. when publishing a release), we pull these 
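Review bot: The new `publish-ecr` target in Makefile hunk @@ -981 tags `$(DOCKER_IMAGE_QUAY)` to `$(DOCKER_IMAGE_ECR)` without a version, but its `image` prerequisite only builds `$(DOCKER_IMAGE_QUAY):$(VERSION)`, so `docker tag` resolves both names to `:latest`, the source does not exist locally, and the following `docker push $(DOCKER_IMAGE_ECR):$(VERSION)` has nothing to push. The tag line should be `docker tag $(DOCKER_IMAGE_QUAY):$(VERSION) $(DOCKER_IMAGE_ECR):$(VERSION)`. The recipe also relies on an existing `public.ecr.aws` login, unlike the drone steps which run `aws ecr-public get-login-password` first; that is reasonable for a developer-run target but deserves a one-line comment above the rule.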
@@ -997,12 +1005,12 @@ publish: image .PHONY: image-ci image-ci: clean docker-binaries cp ./build.assets/charts/Dockerfile $(BUILDDIR)/ - cd $(BUILDDIR) && docker build --no-cache . -t $(DOCKER_IMAGE_CI):$(VERSION) + cd $(BUILDDIR) && docker build --no-cache . -t $(DOCKER_IMAGE_STAGING):$(VERSION) if [ -f e/Makefile ]; then $(MAKE) -C e image-ci; fi .PHONY: publish-ci publish-ci: image-ci - docker push $(DOCKER_IMAGE_CI):$(VERSION) + docker push $(DOCKER_IMAGE_STAGING):$(VERSION) if [ -f e/Makefile ]; then $(MAKE) -C e publish-ci; fi # Docker image build for Teleport Operator diff --git a/dronegen/common.go b/dronegen/common.go index af079bf8ff93a..586f8214c2852 100644 --- a/dronegen/common.go +++ b/dronegen/common.go @@ -22,6 +22,18 @@ import ( "strings" ) +const ( + // StagingRegistry is the staging registry images are pushed to before being promoted to the production registry. + StagingRegistry = "146628656107.dkr.ecr.us-west-2.amazonaws.com" + + // ProductionRegistry is the production image registry that hosts are customer facing container images. + ProductionRegistry = "public.ecr.aws" + + // ProductionRegistryQuay is the production image registry that hosts images on quay.io. Will be deprecated in the future. + // See RFD 73 - https://github.com/gravitational/teleport/blob/c18c09f5d562dd46a509154eab4295ad39decc3c/rfd/0073-public-image-registry.md + ProductionRegistryQuay = "quay.io" +) + var ( triggerPush = trigger{ Event: triggerRef{Include: []string{"push"}, Exclude: []string{"pull_request"}}, diff --git a/dronegen/main.go b/dronegen/main.go index fc5fba0bd3188..a9847bba5ef20 100644 --- a/dronegen/main.go +++ b/dronegen/main.go 
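Review bot: The doc comment on `ProductionRegistry` in the dronegen/common.go hunk @@ -22 reads "hosts are customer facing container images"; it should be `// ProductionRegistry is the production image registry that hosts our customer-facing container images.` The `StagingRegistry` comment would also help readers if it said that the promote-docker pipelines pull from this registry and retag into `ProductionRegistry`/`ProductionRegistryQuay`, since that relationship is otherwise only discoverable from the generated .drone.yml. The `ProductionRegistryQuay` sentence "Will be deprecated in the future" could cite the same RFD 73 link it already carries as the authority for the deprecation, so the two sentences read as one statement.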
@@ -33,7 +33,7 @@ func main() { pipelines = append(pipelines, tagPipelines()...) pipelines = append(pipelines, cronPipelines()...) pipelines = append(pipelines, artifactMigrationPipeline()) - pipelines = append(pipelines, promoteBuildPipeline()) + pipelines = append(pipelines, promoteBuildPipelines()...) pipelines = append(pipelines, updateDocsPipeline()) pipelines = append(pipelines, buildboxPipeline()) diff --git a/dronegen/misc.go b/dronegen/misc.go index a189c89de4757..20d6af0300e97 100644 --- a/dronegen/misc.go +++ b/dronegen/misc.go @@ -20,11 +20,6 @@ import ( "strings" ) -func promoteBuildPipeline() pipeline { - aptPipeline := promoteAptPipeline() - return aptPipeline -} - // Used for one-off migrations of older versions. // Use cases include: // * We want to support another OS while providing backwards compatibility @@ -87,13 +82,7 @@ func promoteAptPipeline() pipeline { p.Trigger.Repo.Include = []string{"gravitational/teleport"} steps := []step{ - { - Name: "Verify build is tagged", - Image: "alpine:latest", - Commands: []string{ - "[ -n ${DRONE_TAG} ] || (echo 'DRONE_TAG is not set. Is the commit tagged?' && exit 1)", - }, - }, + verifyTaggedBuildStep(), } steps = append(steps, p.Steps...) steps = append(steps, @@ -340,3 +329,13 @@ func updateDocsPipeline() pipeline { // TODO: migrate return pipeline{} } + +func verifyTaggedBuildStep() step { + return step{ + Name: "Verify build is tagged", + Image: "alpine:latest", + Commands: []string{ + "[ -n ${DRONE_TAG} ] || (echo 'DRONE_TAG is not set. Is the commit tagged?' && exit 1)", + }, + } +} diff --git a/dronegen/promote.go b/dronegen/promote.go new file mode 100644 index 0000000000000..7af8ce7cbe3e5 --- /dev/null +++ b/dronegen/promote.go 
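Review bot: The check moved into `verifyTaggedBuildStep()` in the dronegen/misc.go hunk @@ -340 does not fail on an untagged build: `${DRONE_TAG}` is unquoted, so once it is expanded (by Drone before the shell runs, as the `$${VERSION}` escapes in the sibling commands rely on, or by the shell) an empty value leaves `[ -n ]`, and a one-argument `test` is true whenever that argument is a non-empty string, which `-n` is, so the `exit 1` branch is never reached. Quoting the expansion makes the guard real: `"[ -n \"${DRONE_TAG}\" ] || (echo 'DRONE_TAG is not set. Is the commit tagged?' && exit 1)",`. Because this step now guards promote-apt and both new promote-docker pipelines (their generated YAML is under @@ -5294), fixing it in the generator corrects all three; the old inline copy removed in hunk @@ -87 had the same flaw, so this is inherited rather than introduced.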
@@ -0,0 +1,133 @@
+// Copyright 2021 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package main
+
+import "fmt"
+
+func promoteBuildPipelines() []pipeline {
+ aptPipeline := promoteAptPipeline()
+ dockerPipelineECR := buildDockerPromotionPipelineECR()
+ dockerPipelineQuay := buildDockerPromotionPipelineQuay()
+ return []pipeline{aptPipeline, dockerPipelineECR, dockerPipelineQuay}
+}
+
+func buildDockerPromotionPipelineECR() pipeline {
+ dockerPipeline := newKubePipeline("promote-docker-ecr")
+ dockerPipeline.Trigger = triggerPromote
+ dockerPipeline.Trigger.Target.Include = append(dockerPipeline.Trigger.Target.Include, "promote-docker", "promote-docker-ecr")
+ dockerPipeline.Workspace = workspace{Path: "/go"}
+
+ // Add docker service
+ dockerPipeline.Services = []service{
+ dockerService(),
+ }
+ dockerPipeline.Volumes = dockerVolumes()
+
+ dockerPipeline.Steps = append(dockerPipeline.Steps, verifyTaggedBuildStep())
+ dockerPipeline.Steps = append(dockerPipeline.Steps, waitForDockerStep())
+
+ // Pull/Push Steps
+ dockerPipeline.Steps = append(dockerPipeline.Steps, step{
+ Name: "Pull/retag Docker images",
+ Image: "docker",
+ Environment: map[string]value{
+ "AWS_ACCESS_KEY_ID": {fromSecret: "PRODUCTION_TELEPORT_DRONE_USER_ECR_KEY"},
+ "AWS_SECRET_ACCESS_KEY": {fromSecret: "PRODUCTION_TELEPORT_DRONE_USER_ECR_SECRET"},
+ },
+ Volumes: dockerVolumeRefs(),
+ Commands: []string{
+ "apk add --no-cache aws-cli",
+ "export 
VERSION=${DRONE_TAG##v}",
+ // authenticate with staging credentials
+ "aws ecr get-login-password --region=us-west-2 | docker login -u=\"AWS\" --password-stdin " + StagingRegistry,
+ // pull staging images
+ "echo \"---> Pulling images for $${VERSION}\"",
+ fmt.Sprintf("docker pull %s/gravitational/teleport:$${VERSION}", StagingRegistry),
+ fmt.Sprintf("docker pull %s/gravitational/teleport-ent:$${VERSION}", StagingRegistry),
+ fmt.Sprintf("docker pull %s/gravitational/teleport-ent:$${VERSION}-fips", StagingRegistry),
+ // retag images to production naming
+ "echo \"---> Tagging images for $${VERSION}\"",
+ fmt.Sprintf("docker tag %s/gravitational/teleport:$${VERSION} %s/gravitational/teleport:$${VERSION}", StagingRegistry, ProductionRegistry),
+ fmt.Sprintf("docker tag %s/gravitational/teleport-ent:$${VERSION} %s/gravitational/teleport-ent:$${VERSION}", StagingRegistry, ProductionRegistry),
+ fmt.Sprintf("docker tag %s/gravitational/teleport-ent:$${VERSION}-fips %s/gravitational/teleport-ent:$${VERSION}-fips", StagingRegistry, ProductionRegistry),
+ // authenticate with production credentials
+ "docker logout " + StagingRegistry,
+ "aws ecr-public get-login-password --region=us-east-1 | docker login -u=\"AWS\" --password-stdin " + ProductionRegistry,
+ // push production images
+ "echo \"---> Pushing images for $${VERSION}\"",
+ // push production images ECR
+ fmt.Sprintf("docker push %s/gravitational/teleport:$${VERSION}", ProductionRegistry),
+ fmt.Sprintf("docker push %s/gravitational/teleport-ent:$${VERSION}", ProductionRegistry),
+ fmt.Sprintf("docker push %s/gravitational/teleport-ent:$${VERSION}-fips", ProductionRegistry),
+ },
+ })
+
+ return dockerPipeline
+}
+
+func buildDockerPromotionPipelineQuay() pipeline {
+ dockerPipeline := newKubePipeline("promote-docker-quay")
+ dockerPipeline.Trigger = triggerPromote
+ dockerPipeline.Trigger.Target.Include = append(dockerPipeline.Trigger.Target.Include, "promote-docker", "promote-docker-quay")
+ 
dockerPipeline.Workspace = workspace{Path: "/go"}
+
+ // Add docker service
+ dockerPipeline.Services = []service{
+ dockerService(),
+ }
+ dockerPipeline.Volumes = dockerVolumes()
+
+ dockerPipeline.Steps = append(dockerPipeline.Steps, verifyTaggedBuildStep())
+ dockerPipeline.Steps = append(dockerPipeline.Steps, waitForDockerStep())
+
+ // Pull/Push Steps
+ dockerPipeline.Steps = append(dockerPipeline.Steps, step{
+ Name: "Pull/retag Docker images",
+ Image: "docker",
+ Environment: map[string]value{
+ "AWS_ACCESS_KEY_ID": {fromSecret: "STAGING_TELEPORT_DRONE_USER_ECR_KEY"},
+ "AWS_SECRET_ACCESS_KEY": {fromSecret: "STAGING_TELEPORT_DRONE_USER_ECR_SECRET"},
+ "QUAY_USERNAME": {fromSecret: "PRODUCTION_QUAYIO_DOCKER_USERNAME"},
+ "QUAY_PASSWORD": {fromSecret: "PRODUCTION_QUAYIO_DOCKER_PASSWORD"},
+ },
+ Volumes: dockerVolumeRefs(),
+ Commands: []string{
+ "apk add --no-cache aws-cli",
+ "export VERSION=${DRONE_TAG##v}",
+ // authenticate with staging credentials
+ "aws ecr get-login-password --region=us-west-2 | docker login -u=\"AWS\" --password-stdin " + StagingRegistry,
+ // pull staging images
+ "echo \"---> Pulling images for $${VERSION}\"",
+ fmt.Sprintf("docker pull %s/gravitational/teleport:$${VERSION}", StagingRegistry),
+ fmt.Sprintf("docker pull %s/gravitational/teleport-ent:$${VERSION}", StagingRegistry),
+ fmt.Sprintf("docker pull %s/gravitational/teleport-ent:$${VERSION}-fips", StagingRegistry),
+ // retag images to production naming
+ "echo \"---> Tagging images for $${VERSION}\"",
+ fmt.Sprintf("docker tag %s/gravitational/teleport:$${VERSION} %s/gravitational/teleport:$${VERSION}", StagingRegistry, ProductionRegistryQuay),
+ fmt.Sprintf("docker tag %s/gravitational/teleport-ent:$${VERSION} %s/gravitational/teleport-ent:$${VERSION}", StagingRegistry, ProductionRegistryQuay),
+ fmt.Sprintf("docker tag %s/gravitational/teleport-ent:$${VERSION}-fips %s/gravitational/teleport-ent:$${VERSION}-fips", StagingRegistry, ProductionRegistryQuay),
+ // 
authenticate with production credentials
+ "docker logout " + StagingRegistry,
+ "docker login -u=\"$QUAY_USERNAME\" -p=\"$QUAY_PASSWORD\" " + ProductionRegistryQuay,
+ // push production images
+ "echo \"---> Pushing images for $${VERSION}\"",
+ fmt.Sprintf("docker push %s/gravitational/teleport:$${VERSION}", ProductionRegistryQuay),
+ fmt.Sprintf("docker push %s/gravitational/teleport-ent:$${VERSION}", ProductionRegistryQuay),
+ fmt.Sprintf("docker push %s/gravitational/teleport-ent:$${VERSION}-fips", ProductionRegistryQuay),
+ },
+ })
+
+ return dockerPipeline
+}
diff --git a/e b/e
index 4359033924fb6..174c1c8b5de51 160000
--- a/e
+++ b/e
@@ -1 +1 @@
-Subproject commit 4359033924fb63990ee5175ad9578edfc2b4b3aa
+Subproject commit 174c1c8b5de51491561a4aec5ab2125e5be6ba2b
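Review bot: The Quay login in buildDockerPromotionPipelineQuay passes the registry password as a command-line argument, `docker login -u=\"$QUAY_USERNAME\" -p=\"$QUAY_PASSWORD\"`, so the secret is visible in the step container's process arguments and in any shell tracing of the step, whereas the two ECR logins in this file already use `--password-stdin`. Make the Quay step consistent with them: `"echo \"$QUAY_PASSWORD\" | docker login -u=\"$QUAY_USERNAME\" --password-stdin " + ProductionRegistryQuay,`. Separately, both pipelines pull from the same StagingRegistry but with different ECR secrets (PRODUCTION_TELEPORT_DRONE_USER_ECR_* in the ECR pipeline, STAGING_* in the Quay pipeline); if the production key is needed only for the `ecr-public` login, scoping it to that one command through a separately named environment variable would keep the staging pull on the staging key. Finally, the two functions differ only in pipeline name, trigger target, environment and the production login/registry, so a single helper parameterised on those would remove the roughly forty duplicated lines and keep future fixes from diverging.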