From a90a541abbad06f4bf1130646d980b22c3b27220 Mon Sep 17 00:00:00 2001 From: Logan Davis Date: Mon, 11 Jul 2022 16:43:14 -0500 Subject: [PATCH 01/22] Update Makefile Image names --- Makefile | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/Makefile b/Makefile index cbbb58e216652..00436fd45a01c 100644 --- a/Makefile +++ b/Makefile @@ -14,8 +14,9 @@ VERSION=11.0.0-dev DOCKER_IMAGE ?= quay.io/gravitational/teleport -DOCKER_IMAGE_CI ?= quay.io/gravitational/teleport-ci DOCKER_IMAGE_OPERATOR_CI ?= quay.io/gravitational/teleport-operator-ci +DOCKER_IMAGE_ECR ?= public.ecr.aws/gravitational/teleport +DOCKER_IMAGE_CI ?= 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport GOPATH ?= $(shell go env GOPATH) @@ -994,6 +995,12 @@ publish: image docker push $(DOCKER_IMAGE):$(VERSION) if [ -f e/Makefile ]; then $(MAKE) -C e publish; fi +.PHONY: publish-ecr +publish-ecr: image + docker tag $(DOCKER_IMAGE) $(DOCKER_IMAGE_ECR) + docker push $(DOCKER_IMAGE_ECR):$(VERSION) + if [ -f e/Makefile ]; then $(MAKE) _C e publish-ecr; fi + # Docker image build in CI. # This is run to build and push Docker images to a private repository as part of the build process. # When we are ready to make the images public after testing (i.e. when publishing a release), we pull these From 544c127da59d2038727943c1cf1410f0dba490a2 Mon Sep 17 00:00:00 2001 From: Logan Davis Date: Mon, 11 Jul 2022 16:52:42 -0500 Subject: [PATCH 02/22] Update drone tagging for ECR staging registry --- .drone.yml | 26 ++++++++++++-------------- 1 file changed, 12 insertions(+), 14 deletions(-) diff --git a/.drone.yml b/.drone.yml index b4656b9140310..493707b595787 100644 --- a/.drone.yml +++ b/.drone.yml 
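Review bot: In the new `publish-ecr` recipe, `docker tag $(DOCKER_IMAGE) $(DOCKER_IMAGE_ECR)` gives neither image a tag, so Docker resolves both names to `:latest`, while `publish` and the following line work with `:$(VERSION)`. The push of `$(DOCKER_IMAGE_ECR):$(VERSION)` therefore refers to a tag this recipe never creates, and the tag step either fails or picks up whatever `:latest` happens to be in the local image cache. Tag the versioned image explicitly: `docker tag $(DOCKER_IMAGE):$(VERSION) $(DOCKER_IMAGE_ECR):$(VERSION)`. The same line survives the rename in PATCH 06 as `docker tag $(DOCKER_IMAGE_QUAY) $(DOCKER_IMAGE_ECR)` in the `@@ -987,17 +988,17 @@` hunk.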
@@ -4739,18 +4739,17 @@ steps: GOPATH: /go OS: linux ARCH: amd64 - settings: - username: - from_secret: QUAYIO_DOCKER_USERNAME - password: - from_secret: QUAYIO_DOCKER_PASSWORD + AWS_ACCESS_KEY_ID: + from_secret: TELEPORT_BUILD_USER_KEY + AWS_SECRET_ACCESS_KEY: + from_secret: TELEPORT_BUILD_USER_SECRET volumes: - name: dockersock path: /var/run commands: - - apk add --no-cache make bash + - apk add --no-cache make bash aws-cli - chown -R $UID:$GID /go - - docker login -u="$PLUGIN_USERNAME" -p="$PLUGIN_PASSWORD" quay.io + - aws ecr get-login-password --region us-west-2 | docker login -u="AWS" --password-stdin 146628656107.dkr.ecr.us-west-2.amazonaws.com - docker pull quay.io/gravitational/teleport-buildbox:$BUILDBOX_VERSION || true - cd /go/src/github.com/gravitational/teleport - make image-ci publish-ci @@ -4765,19 +4764,18 @@ steps: GOPATH: /go OS: linux ARCH: amd64 - settings: - username: - from_secret: QUAYIO_DOCKER_USERNAME - password: - from_secret: QUAYIO_DOCKER_PASSWORD + AWS_ACCESS_KEY_ID: + from_secret: TELEPORT_BUILD_USER_KEY + AWS_SECRET_ACCESS_KEY: + from_secret: TELEPORT_BUILD_USER_SECRET volumes: - name: dockersock path: /var/run commands: - apk add --no-cache make - chown -R $UID:$GID /go - - docker login -u="$PLUGIN_USERNAME" -p="$PLUGIN_PASSWORD" quay.io - - docker pull quay.io/gravitational/teleport-buildbox:BUILDBOX_VERSION || true + - aws ecr get-login-password --region us-west-2 | docker login -u="AWS" --password-stdin 146628656107.dkr.ecr.us-west-2.amazonaws.com + - docker pull quay.io/gravitational/teleport-buildbox:$BUILDBOX_VERSION || true - cd /go/src/github.com/gravitational/teleport # VERSION needs to be set manually when running in the e directory. # Normally, the version is set and exported by the root Makefile and then inherited, From cbb5d7f45bba8c508f75c47dfb428b7d57ccda11 Mon Sep 17 00:00:00 2001 
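Review bot: The `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` pair from `TELEPORT_BUILD_USER_KEY`/`TELEPORT_BUILD_USER_SECRET` is now in the environment for the whole command list of this step, including `make image-ci publish-ci`, which runs repository-controlled build code. The promote-docker step added later in this series reads the same two secrets before pushing to `public.ecr.aws`, so it looks as though one long-lived key pair covers both the staging registry and the public one. It is worth confirming that the IAM policy behind this build user only allows pushes to the staging repositories, or giving promotion its own secret, and recording the intent next to the entries with a comment such as `# staging ECR push only; must not grant ecr-public write`. The step definition starts above this hunk.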
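Review bot: The added `aws ecr get-login-password` line in this second step runs after `- apk add --no-cache make`, which the hunk leaves unchanged, whereas the sibling step in the previous hunk was updated to `apk add --no-cache make bash aws-cli`. Unless the step image already ships the AWS CLI (not visible here), `aws` will not be found and the pipe hands `docker login --password-stdin` an empty password, so the failure would likely surface as a login error rather than a missing binary. Change the install line to `- apk add --no-cache make aws-cli`. The step definition begins above the hunk.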
From: Logan Davis Date: Mon, 11 Jul 2022 17:07:00 -0500 Subject: [PATCH 03/22] Update promotion pipeline to push to both registries --- .drone.yml | 101 ++++++++++++++++++++++++++++++++++++++++++++++- dronegen/main.go | 2 +- dronegen/misc.go | 87 +++++++++++++++++++++++++++++++++++----- 3 files changed, 178 insertions(+), 12 deletions(-) diff --git a/.drone.yml b/.drone.yml index 493707b595787..af268aabe9a0f 100644 --- a/.drone.yml +++ b/.drone.yml @@ -5106,7 +5106,7 @@ volumes: ################################################ # Generated using dronegen, do not edit by hand! # Use 'make dronegen' to update. -# Generated at dronegen/misc.go:149 +# Generated at dronegen/misc.go:208 ################################################ kind: pipeline @@ -5134,7 +5134,7 @@ steps: ################################################ # Generated using dronegen, do not edit by hand! # Use 'make dronegen' to update. -# Generated at dronegen/misc.go:173 +# Generated at dronegen/misc.go:232 ################################################ kind: pipeline 
@@ -5230,6 +5230,103 @@ volumes: temp: medium: memory +--- +################################################ +# Generated using dronegen, do not edit by hand! +# Use 'make dronegen' to update. +# Generated at dronegen/misc.go:30 +################################################ + +kind: pipeline +type: kubernetes +name: promote-docker +trigger: + event: + include: + - promote + target: + include: + - production + - promote-docker + repo: + include: + - gravitational/* +workspace: + path: /go +clone: + disable: true +steps: +- name: Verify build is tagged + image: alpine:latest + commands: + - '[ -n ${DRONE_TAG} ] || (echo ''DRONE_TAG is not set. Is the commit tagged?'' + && exit 1)' +- name: Wait for docker + image: docker + commands: + - timeout 30s /bin/sh -c 'while [ ! -S /var/run/docker.sock ]; do sleep 1; done' + volumes: + - name: dockersock + path: /var/run +- name: Pull/retag Docker images + image: docker + commands: + - apk add --no-cache aws-cli + - export VERSION=${DRONE_TAG##v} + - aws ecr get-login-password --region=us-west-2 | docker login -u="AWS" --password-stdin + 146628656107.dkr.ecr.us-west-2.amazonaws.com + - echo "---> Pulling images for $${VERSION}" + - docker pull 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport:$${VERSION} + - docker pull 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$${VERSION} + - docker pull 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$${VERSION}-fips + - echo "---> Tagging images for $${VERSION}" + - docker tag 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport:$${VERSION} + quay.io/gravitational/teleport:$${VERSION} + - docker tag 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$${VERSION} + quay.io/gravitational/teleport-ent:$${VERSION} + - docker tag 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$${VERSION}-fips + quay.io/gravitational/teleport-ent:$${VERSION}-fips + - docker tag 
146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport:$${VERSION} + public.ecr.aws/gravitational/teleport:$${VERSION} + - docker tag 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$${VERSION} + public.ecr.aws/gravitational/teleport-ent:$${VERSION} + - docker tag 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$${VERSION}-fips + public.ecr.aws/gravitational/teleport-ent:$${VERSION}-fips + - docker logout 146628656107.dkr.ecr.us-west-2.amazonaws.com + - docker login -u="$DOCKER_PRODUCTION_USERNAME" -p="$DOCKER_PRODUCTION_PASSWORD" + quay.io + - echo "---> Pushing images for $${VERSION}" + - docker push quay.io/gravitational/teleport:$${VERSION} + - docker push quay.io/gravitational/teleport-ent:$${VERSION} + - docker push quay.io/gravitational/teleport-ent:$${VERSION}-fips + - aws ecr-public get-login-password --region=us-east-1 | docker login -u="AWS" --password-stdin + public.ecr.aws + - docker push public.ecr.aws/gravitational/teleport:$${VERSION} + - docker push public.ecr.aws/gravitational/teleport-ent:$${VERSION} + - docker push public.ecr.aws/gravitational/teleport-ent:$${VERSION}-fips + environment: + AWS_ACCESS_KEY_ID: + from_secret: TELEPORT_BUILD_USER_KEY + AWS_SECRET_ACCESS_KEY: + from_secret: TELEPORT_BUILD_USER_SECRET + DOCKER_PRODUCTION_PASSWORD: + from_secret: PRODUCTION_QUAYIO_DOCKER_PASSWORD + DOCKER_PRODUCTION_USERNAME: + from_secret: PRODUCTION_QUAYIO_DOCKER_USERNAME + volumes: + - name: dockersock + path: /var/run +services: +- name: Start Docker + image: docker:dind + privileged: true + volumes: + - name: dockersock + path: /var/run +volumes: +- name: dockersock + temp: {} + --- kind: pipeline type: kubernetes diff --git a/dronegen/main.go b/dronegen/main.go index fc5fba0bd3188..a9847bba5ef20 100644 --- a/dronegen/main.go +++ b/dronegen/main.go 
@@ -33,7 +33,7 @@ func main() { pipelines = append(pipelines, tagPipelines()...) pipelines = append(pipelines, cronPipelines()...) pipelines = append(pipelines, artifactMigrationPipeline()) - pipelines = append(pipelines, promoteBuildPipeline()) + pipelines = append(pipelines, promoteBuildPipelines()...) pipelines = append(pipelines, updateDocsPipeline()) pipelines = append(pipelines, buildboxPipeline()) diff --git a/dronegen/misc.go b/dronegen/misc.go index e9aa90d24ef0e..56278ccaa576b 100644 --- a/dronegen/misc.go +++ b/dronegen/misc.go 
@@ -20,9 +20,74 @@ import ( "strings" ) -func promoteBuildPipeline() pipeline { +func promoteBuildPipelines() []pipeline { aptPipeline := promoteAptPipeline() - return aptPipeline + dockerPipeline := promoteDockerPipeline() + return []pipeline{aptPipeline, dockerPipeline} +} + +func promoteDockerPipeline() pipeline { + dockerPipeline := newKubePipeline("promote-docker") + dockerPipeline.Trigger = triggerPromote + dockerPipeline.Trigger.Target.Include = append(dockerPipeline.Trigger.Target.Include, "promote-docker") + dockerPipeline.Workspace = workspace{Path: "/go"} + + // Add docker service + dockerPipeline.Services = []service{ + dockerService(), + } + dockerPipeline.Volumes = dockerVolumes() + + dockerPipeline.Steps = append(dockerPipeline.Steps, verifyTaggedBuildStep()) + dockerPipeline.Steps = append(dockerPipeline.Steps, waitForDockerStep()) + + // Pull/Push Steps + dockerPipeline.Steps = append(dockerPipeline.Steps, step{ + Name: "Pull/retag Docker images", + Image: "docker", + Environment: map[string]value{ + "AWS_ACCESS_KEY_ID": {fromSecret: "TELEPORT_BUILD_USER_KEY"}, + "AWS_SECRET_ACCESS_KEY": {fromSecret: "TELEPORT_BUILD_USER_SECRET"}, + "DOCKER_PRODUCTION_USERNAME": {fromSecret: "PRODUCTION_QUAYIO_DOCKER_USERNAME"}, + "DOCKER_PRODUCTION_PASSWORD": {fromSecret: "PRODUCTION_QUAYIO_DOCKER_PASSWORD"}, + }, + Volumes: dockerVolumeRefs(), + Commands: []string{ + "apk add --no-cache aws-cli", + "export VERSION=${DRONE_TAG##v}", + // authenticate with staging credentials + "aws ecr get-login-password --region=us-west-2 | docker login -u=\"AWS\" --password-stdin 146628656107.dkr.ecr.us-west-2.amazonaws.com", + // pull 'temporary' CI-built images + "echo \"---> Pulling images for $${VERSION}\"", + "docker pull 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport:$${VERSION}", + "docker pull 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$${VERSION}", + "docker pull 
146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$${VERSION}-fips", + // retag images to production naming + "echo \"---> Tagging images for $${VERSION}\"", + "docker tag 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport:$${VERSION} quay.io/gravitational/teleport:$${VERSION}", + "docker tag 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$${VERSION} quay.io/gravitational/teleport-ent:$${VERSION}", + "docker tag 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$${VERSION}-fips quay.io/gravitational/teleport-ent:$${VERSION}-fips", + //retag ECR images + "docker tag 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport:$${VERSION} public.ecr.aws/gravitational/teleport:$${VERSION}", + "docker tag 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$${VERSION} public.ecr.aws/gravitational/teleport-ent:$${VERSION}", + "docker tag 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$${VERSION}-fips public.ecr.aws/gravitational/teleport-ent:$${VERSION}-fips", + // authenticate with production credentials + "docker logout 146628656107.dkr.ecr.us-west-2.amazonaws.com", + "docker login -u=\"$DOCKER_PRODUCTION_USERNAME\" -p=\"$DOCKER_PRODUCTION_PASSWORD\" quay.io", + // push production images + "echo \"---> Pushing images for $${VERSION}\"", + "docker push quay.io/gravitational/teleport:$${VERSION}", + "docker push quay.io/gravitational/teleport-ent:$${VERSION}", + "docker push quay.io/gravitational/teleport-ent:$${VERSION}-fips", + // push production images ECR + "aws ecr-public get-login-password --region=us-east-1 | docker login -u=\"AWS\" --password-stdin public.ecr.aws", + "docker push public.ecr.aws/gravitational/teleport:$${VERSION}", + "docker push public.ecr.aws/gravitational/teleport-ent:$${VERSION}", + "docker push public.ecr.aws/gravitational/teleport-ent:$${VERSION}-fips", + }, + }) + + return dockerPipeline } // Used for 
one-off migrations of older versions. @@ -91,13 +156,7 @@ func promoteAptPipeline() pipeline { p.Trigger.Repo.Include = []string{"gravitational/teleport"} steps := []step{ - { - Name: "Verify build is tagged", - Image: "alpine:latest", - Commands: []string{ - "[ -n ${DRONE_TAG} ] || (echo 'DRONE_TAG is not set. Is the commit tagged?' && exit 1)", - }, - }, + verifyTaggedBuildStep(), } steps = append(steps, p.Steps...) steps = append(steps, @@ -344,3 +403,13 @@ func updateDocsPipeline() pipeline { // TODO: migrate return pipeline{} } + +func verifyTaggedBuildStep() step { + return step{ + Name: "Verify build is tagged", + Image: "alpine:latest", + Commands: []string{ + "[ -n ${DRONE_TAG} ] || (echo 'DRONE_TAG is not set. Is the commit tagged?' && exit 1)", + }, + } +} From 112c2d8adfd92744164da503cabd1cc4245905aa Mon Sep 17 00:00:00 2001 From: Logan Davis Date: Mon, 11 Jul 2022 17:21:09 -0500 Subject: [PATCH 04/22] Update cronjob step to publish to both places. --- .drone.yml | 81 ++++++++++++++++++++++++++++++++++++++++++++++-------- 1 file changed, 69 insertions(+), 12 deletions(-) diff --git a/.drone.yml b/.drone.yml index af268aabe9a0f..4066ab0935940 100644 --- a/.drone.yml +++ b/.drone.yml 
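Review bot: The quay.io login in the `Commands` list of `promoteDockerPipeline` passes the registry password as a command-line argument (`-p=\"$DOCKER_PRODUCTION_PASSWORD\"`), where it is exposed in the process arguments, while both ECR logins in the same step already use `--password-stdin`. Use the same form here: `"printf '%s' \"$DOCKER_PRODUCTION_PASSWORD\" | docker login -u=\"$DOCKER_PRODUCTION_USERNAME\" --password-stdin quay.io",`. The cron steps changed in PATCH 04 repeat the pattern with `-p="$QUAY_PASSWORD"`. Separately, the comments distinguish staging from production credentials, but both ECR logins read the one `TELEPORT_BUILD_USER_KEY` pair, so `// authenticate with production credentials` only holds for quay.io.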
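Review bot: In `verifyTaggedBuildStep` the test `[ -n ${DRONE_TAG} ]` is unquoted, so with an empty tag the command becomes `[ -n ]`, which POSIX `test` evaluates as a one-argument check on the literal string `-n` and reports true. The guard meant to stop an untagged build from being promoted therefore never fires, and the new promote-docker step would reach its pull commands with an empty `VERSION`. Quote the expansion: `"[ -n \"${DRONE_TAG}\" ] || (echo 'DRONE_TAG is not set. Is the commit tagged?' && exit 1)",`. The line is moved unchanged from `promoteAptPipeline`, so the behaviour predates this commit, but the Docker promotion now depends on it as well.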
@@ -882,20 +882,27 @@ steps: environment: OS: linux ARCH: amd64 - settings: - username: + QUAY_USERNAME: from_secret: PRODUCTION_QUAYIO_DOCKER_USERNAME - password: + QUAY_PASSWORD: from_secret: PRODUCTION_QUAYIO_DOCKER_PASSWORD + AWS_ACCESS_KEY_ID: + from_secret: TELEPORT_BUILD_USER_KEY + AWS_SECRET_ACCESS_KEY: + from_secret: TELEPORT_BUILD_USER_SECRET volumes: - name: dockersock path: /var/run commands: + - apk add --no-cache aws-cli - export VERSION_TAG=$(cat /go/build/CURRENT_VERSION_TAG.txt) - export OSS_IMAGE_NAME="quay.io/gravitational/teleport:$(cat /go/build/CURRENT_VERSION_TAG_GENERIC.txt)" - export ENT_IMAGE_NAME="quay.io/gravitational/teleport-ent:$(cat /go/build/CURRENT_VERSION_TAG_GENERIC.txt)" - export ENT_FIPS_IMAGE_NAME="quay.io/gravitational/teleport-ent:$(cat /go/build/CURRENT_VERSION_TAG_GENERIC.txt)-fips" - - docker login -u="$PLUGIN_USERNAME" -p="$PLUGIN_PASSWORD" quay.io + - export OSS_IMAGE_NAME_ECR="public.ecr.aws/gravitational/teleport:$(cat /go/build/CURRENT_VERSION_TAG_GENERIC.txt)" + - export ENT_IMAGE_NAME_ECR="public.ecr.aws/gravitational/teleport-ent:$(cat /go/build/CURRENT_VERSION_TAG_GENERIC.txt)" + - export ENT_FIPS_IMAGE_NAME_ECR="public.ecr.aws/gravitational/teleport-ent:$(cat /go/build/CURRENT_VERSION_TAG_GENERIC.txt)-fips" + - docker login -u="$QUAY_USERNAME" -p="$QUAY_PASSWORD" quay.io # OSS - docker build --target teleport --build-arg DOWNLOAD_TYPE=teleport --build-arg VERSION_TAG=$VERSION_TAG --build-arg OS=$OS --build-arg ARCH=$ARCH -t $OSS_IMAGE_NAME -f /go/build/Dockerfile-cron /go/build - docker push $OSS_IMAGE_NAME 
@@ -905,26 +912,45 @@ steps: # Enterprise FIPS - docker build --target teleport-fips --build-arg DOWNLOAD_TYPE=teleport-ent --build-arg EXTRA_DOWNLOAD_ARGS="-fips" --build-arg VERSION_TAG=$VERSION_TAG --build-arg OS=$OS --build-arg ARCH=$ARCH -t $ENT_FIPS_IMAGE_NAME -f /go/build/Dockerfile-cron /go/build - docker push $ENT_FIPS_IMAGE_NAME + # Login to ECR + - docker logout quay.io + - aws ecr-public get-login-password --region=us-east-1 | docker login -u="AWS" --password-stdin public.ecr.aws + # OSS ECR + - docker tag $OSS_IMAGE_NAME $OSS_IMAGE_NAME_ECR + - docker push $OSS_IMAGE_NAME_ECR + # Enterprise + - docker tag $ENT_IMAGE_NAME $ENT_IMAGE_NAME_ECR + - docker push $ENT_IMAGE_NAME_ECR + # Enterprise FIPS + - docker tag $ENT_FIPS_IMAGE_NAME $ENT_FIPS_IMAGE_NAME_ECR + - docker push $ENT_FIPS_IMAGE_NAME_ECR - name: Build and push Teleport containers (PREVIOUS_VERSION_ONE) image: docker environment: OS: linux ARCH: amd64 - settings: - username: + QUAY_USERNAME: from_secret: PRODUCTION_QUAYIO_DOCKER_USERNAME - password: + QUAY_PASSWORD: from_secret: PRODUCTION_QUAYIO_DOCKER_PASSWORD + AWS_ACCESS_KEY_ID: + from_secret: TELEPORT_BUILD_USER_KEY + AWS_SECRET_ACCESS_KEY: + from_secret: TELEPORT_BUILD_USER_SECRET volumes: - name: dockersock path: /var/run commands: + - apk add --no-cache aws-cli - export VERSION_TAG=$(cat /go/build/PREVIOUS_VERSION_ONE_TAG.txt) - export OSS_IMAGE_NAME="quay.io/gravitational/teleport:$(cat /go/build/PREVIOUS_VERSION_ONE_TAG_GENERIC.txt)" - export ENT_IMAGE_NAME="quay.io/gravitational/teleport-ent:$(cat /go/build/PREVIOUS_VERSION_ONE_TAG_GENERIC.txt)" - export ENT_FIPS_IMAGE_NAME="quay.io/gravitational/teleport-ent:$(cat /go/build/PREVIOUS_VERSION_ONE_TAG_GENERIC.txt)-fips" - - docker login -u="$PLUGIN_USERNAME" -p="$PLUGIN_PASSWORD" quay.io + - export OSS_IMAGE_NAME_ECR="public.ecr.aws/gravitational/teleport:$(cat /go/build/PREVIOUS_VERSION_ONE_TAG_GENERIC.txt)" + - export ENT_IMAGE_NAME_ECR="public.ecr.aws/gravitational/teleport-ent:$(cat 
/go/build/PREVIOUS_VERSION_ONE_TAG_GENERIC.txt)" + - export ENT_FIPS_IMAGE_NAME_ECR="public.ecr.aws/gravitational/teleport-ent:$(cat /go/build/PREVIOUS_VERSION_ONE_TAG_GENERIC.txt)-fips" + - docker login -u="$QUAY_USERNAME" -p="$QUAY_PASSWORD" quay.io # OSS - docker build --target teleport --build-arg DOWNLOAD_TYPE=teleport --build-arg VERSION_TAG=$VERSION_TAG --build-arg OS=$OS --build-arg ARCH=$ARCH -t $OSS_IMAGE_NAME -f /go/build/Dockerfile-cron /go/build - docker push $OSS_IMAGE_NAME 
@@ -934,26 +960,45 @@ steps: # Enterprise FIPS - docker build --target teleport-fips --build-arg DOWNLOAD_TYPE=teleport-ent --build-arg EXTRA_DOWNLOAD_ARGS="-fips" --build-arg VERSION_TAG=$VERSION_TAG --build-arg OS=$OS --build-arg ARCH=$ARCH -t $ENT_FIPS_IMAGE_NAME -f /go/build/Dockerfile-cron /go/build - docker push $ENT_FIPS_IMAGE_NAME + # Login to ECR + - docker logout quay.io + - aws ecr-public get-login-password --region=us-east-1 | docker login -u="AWS" --password-stdin public.ecr.aws + # OSS ECR + - docker tag $OSS_IMAGE_NAME $OSS_IMAGE_NAME_ECR + - docker push $OSS_IMAGE_NAME_ECR + # Enterprise + - docker tag $ENT_IMAGE_NAME $ENT_IMAGE_NAME_ECR + - docker push $ENT_IMAGE_NAME_ECR + # Enterprise FIPS + - docker tag $ENT_FIPS_IMAGE_NAME $ENT_FIPS_IMAGE_NAME_ECR + - docker push $ENT_FIPS_IMAGE_NAME_ECR - name: Build and push Teleport containers (PREVIOUS_VERSION_TWO) image: docker environment: OS: linux ARCH: amd64 - settings: - username: + QUAY_USERNAME: from_secret: PRODUCTION_QUAYIO_DOCKER_USERNAME - password: + QUAY_PASSWORD: from_secret: PRODUCTION_QUAYIO_DOCKER_PASSWORD + AWS_ACCESS_KEY_ID: + from_secret: TELEPORT_BUILD_USER_KEY + AWS_SECRET_ACCESS_KEY: + from_secret: TELEPORT_BUILD_USER_SECRET volumes: - name: dockersock path: /var/run commands: + - apk add --no-cache aws-cli - export VERSION_TAG=$(cat /go/build/PREVIOUS_VERSION_TWO_TAG.txt) - export OSS_IMAGE_NAME="quay.io/gravitational/teleport:$(cat /go/build/PREVIOUS_VERSION_TWO_TAG_GENERIC.txt)" - export ENT_IMAGE_NAME="quay.io/gravitational/teleport-ent:$(cat /go/build/PREVIOUS_VERSION_TWO_TAG_GENERIC.txt)" - export ENT_FIPS_IMAGE_NAME="quay.io/gravitational/teleport-ent:$(cat /go/build/PREVIOUS_VERSION_TWO_TAG_GENERIC.txt)-fips" - - docker login -u="$PLUGIN_USERNAME" -p="$PLUGIN_PASSWORD" quay.io + - export OSS_IMAGE_NAME_ECR="public.ecr.aws/gravitational/teleport:$(cat /go/build/PREVIOUS_VERSION_TWO_TAG_GENERIC.txt)" + - export ENT_IMAGE_NAME_ECR="public.ecr.aws/gravitational/teleport-ent:$(cat 
/go/build/PREVIOUS_VERSION_TWO_TAG_GENERIC.txt)" + - export ENT_FIPS_IMAGE_NAME_ECR="public.ecr.aws/gravitational/teleport-ent:$(cat /go/build/PREVIOUS_VERSION_TWO_TAG_GENERIC.txt)-fips" + - docker login -u="$QUAY_USERNAME" -p="$QUAY_PASSWORD" quay.io # OSS # TODO(logand22): Remove v8 when Teleport 11 is released - docker build --target teleport --build-arg DOWNLOAD_TYPE=teleport --build-arg VERSION_TAG=$VERSION_TAG --build-arg OS=$OS --build-arg ARCH=$ARCH -t $OSS_IMAGE_NAME -f /go/build/Dockerfile-cron-v8 /go/build @@ -966,6 +1011,18 @@ steps: # TODO(logand22): Remove v8 when Teleport 11 is released - docker build --target teleport-fips --build-arg DOWNLOAD_TYPE=teleport-ent --build-arg EXTRA_DOWNLOAD_ARGS="-fips" --build-arg VERSION_TAG=$VERSION_TAG --build-arg OS=$OS --build-arg ARCH=$ARCH -t $ENT_FIPS_IMAGE_NAME -f /go/build/Dockerfile-cron-v8 /go/build - docker push $ENT_FIPS_IMAGE_NAME + # Login to ECR + - docker logout quay.io + - aws ecr-public get-login-password --region=us-east-1 | docker login -u="AWS" --password-stdin public.ecr.aws + # OSS ECR + - docker tag $OSS_IMAGE_NAME $OSS_IMAGE_NAME_ECR + - docker push $OSS_IMAGE_NAME_ECR + # Enterprise + - docker tag $ENT_IMAGE_NAME $ENT_IMAGE_NAME_ECR + - docker push $ENT_IMAGE_NAME_ECR + # Enterprise FIPS + - docker tag $ENT_FIPS_IMAGE_NAME $ENT_FIPS_IMAGE_NAME_ECR + - docker push $ENT_FIPS_IMAGE_NAME_ECR - name: Build/push Teleport Lab Docker image image: docker:git From aeda0d38c38c47f5c9166fa95a3df2b22a07c807 Mon Sep 17 00:00:00 2001 From: Logan Davis Date: Tue, 12 Jul 2022 13:24:35 -0500 Subject: [PATCH 05/22] Fix _ to - in Makefile --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 00436fd45a01c..0ff856f2f734e 100644 --- a/Makefile +++ b/Makefile 
@@ -999,7 +999,7 @@ publish: image publish-ecr: image docker tag $(DOCKER_IMAGE) $(DOCKER_IMAGE_ECR) docker push $(DOCKER_IMAGE_ECR):$(VERSION) - if [ -f e/Makefile ]; then $(MAKE) _C e publish-ecr; fi + if [ -f e/Makefile ]; then $(MAKE) -C e publish-ecr; fi # Docker image build in CI. # This is run to build and push Docker images to a private repository as part of the build process. From e15ec22b7d33b49798cdfeb349f312e1b4b7f81f Mon Sep 17 00:00:00 2001 From: Logan Davis Date: Tue, 12 Jul 2022 13:25:49 -0500 Subject: [PATCH 06/22] Updated image names --- Makefile | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/Makefile b/Makefile index 0ff856f2f734e..01a04df39287c 100644 --- a/Makefile +++ b/Makefile @@ -13,10 +13,11 @@ # Master/dev branch: "1.0.0-dev" VERSION=11.0.0-dev -DOCKER_IMAGE ?= quay.io/gravitational/teleport + DOCKER_IMAGE_OPERATOR_CI ?= quay.io/gravitational/teleport-operator-ci +DOCKER_IMAGE_QUAY ?= quay.io/gravitational/teleport DOCKER_IMAGE_ECR ?= public.ecr.aws/gravitational/teleport -DOCKER_IMAGE_CI ?= 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport +DOCKER_IMAGE_STAGING ?= 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport GOPATH ?= $(shell go env GOPATH) 
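Review bot: `DOCKER_IMAGE` and `DOCKER_IMAGE_CI` are `?=` variables, i.e. meant to be overridden from the environment or the command line, and the `@@ -13,10 +13,11 @@` hunk renames them to `DOCKER_IMAGE_QUAY` and `DOCKER_IMAGE_STAGING` without keeping the old names. A caller that still sets `DOCKER_IMAGE=...` (a local test registry, or `e/Makefile` if it relies on the inherited name, which is not visible here) would be silently ignored, and `make publish` would target the default `quay.io/gravitational/teleport` instead. Keeping the old name as the source of the default avoids that: `DOCKER_IMAGE ?= quay.io/gravitational/teleport` followed by `DOCKER_IMAGE_QUAY ?= $(DOCKER_IMAGE)`, and likewise for the staging variable.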
@@ -987,17 +988,17 @@ install: build .PHONY: image image: clean docker-binaries cp ./build.assets/charts/Dockerfile $(BUILDDIR)/ - cd $(BUILDDIR) && docker build --no-cache . -t $(DOCKER_IMAGE):$(VERSION) + cd $(BUILDDIR) && docker build --no-cache . -t $(DOCKER_IMAGE_QUAY):$(VERSION) if [ -f e/Makefile ]; then $(MAKE) -C e image; fi .PHONY: publish publish: image - docker push $(DOCKER_IMAGE):$(VERSION) + docker push $(DOCKER_IMAGE_QUAY):$(VERSION) if [ -f e/Makefile ]; then $(MAKE) -C e publish; fi .PHONY: publish-ecr publish-ecr: image - docker tag $(DOCKER_IMAGE) $(DOCKER_IMAGE_ECR) + docker tag $(DOCKER_IMAGE_QUAY) $(DOCKER_IMAGE_ECR) docker push $(DOCKER_IMAGE_ECR):$(VERSION) if [ -f e/Makefile ]; then $(MAKE) -C e publish-ecr; fi @@ -1009,12 +1010,12 @@ publish-ecr: image .PHONY: image-ci image-ci: clean docker-binaries cp ./build.assets/charts/Dockerfile $(BUILDDIR)/ - cd $(BUILDDIR) && docker build --no-cache . -t $(DOCKER_IMAGE_CI):$(VERSION) + cd $(BUILDDIR) && docker build --no-cache . -t $(DOCKER_IMAGE_STAGING):$(VERSION) if [ -f e/Makefile ]; then $(MAKE) -C e image-ci; fi .PHONY: publish-ci publish-ci: image-ci - docker push $(DOCKER_IMAGE_CI):$(VERSION) + docker push $(DOCKER_IMAGE_STAGING):$(VERSION) if [ -f e/Makefile ]; then $(MAKE) -C e publish-ci; fi # Docker image build for Teleport Operator From 62bedf801ed51c2e019e58080aa92635dff7eaf9 Mon Sep 17 00:00:00 2001 From: Logan Davis Date: Tue, 12 Jul 2022 14:20:40 -0500 Subject: [PATCH 07/22] Added Registry variables --- dronegen/misc.go | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/dronegen/misc.go b/dronegen/misc.go index 56278ccaa576b..a827f5ea93457 100644 --- a/dronegen/misc.go +++ b/dronegen/misc.go 
@@ -20,6 +20,18 @@ import ( "strings" ) +const ( + // STAGING_REGISTRY is the staging registry images are pushed to before being promoted to the production registry. + STAGING_REGISTRY = "146628656107.dkr.ecr.us-west-2.amazonaws.com" + + // PRODUCTION_REGISTRY is the production image registry that hosts are customer facing container images. + PRODUCTION_REGISTRY = "public.ecr.aws" + + // PRODUCTION_REGISTRY_QUAY is the production image registry that hosts images on quay.io. Will be deprecated in the future. + // See RFD 73 - https://github.com/gravitational/teleport/blob/c18c09f5d562dd46a509154eab4295ad39decc3c/rfd/0073-public-image-registry.md + PRODUCTION_REGISTRY_QUAY = "quay.io" +) + func promoteBuildPipelines() []pipeline { aptPipeline := promoteAptPipeline() dockerPipeline := promoteDockerPipeline() From 5d8db4bf0fa6ec0e69252962b8d252b66477c7c5 Mon Sep 17 00:00:00 2001 From: Logan Davis Date: Tue, 12 Jul 2022 14:26:20 -0500 Subject: [PATCH 08/22] Incorporate additional feedback. --- .drone.yml | 302 +++++++++++++++++++++++++++++++++++------------ dronegen/misc.go | 106 ++++++++++++----- 2 files changed, 300 insertions(+), 108 deletions(-) diff --git a/.drone.yml b/.drone.yml index 4066ab0935940..9da2b272774d4 100644 --- a/.drone.yml +++ b/.drone.yml 
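Review bot: The new constants are written in SCREAMING_SNAKE_CASE, which Go naming conventions and the common linters discourage in favour of MixedCaps; as they are only used inside dronegen, `stagingRegistry`, `productionRegistry` and `productionRegistryQuay` would fit. The comment on `PRODUCTION_REGISTRY` also reads "hosts are customer facing container images", which presumably should be `// productionRegistry is the production image registry that hosts our customer-facing container images.` Nothing in this hunk references the constants yet, and the command strings added in PATCH 03 still spell out the hostnames, so it is worth checking that the follow-up replaces every literal.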
@@ -886,22 +886,14 @@ steps: from_secret: PRODUCTION_QUAYIO_DOCKER_USERNAME QUAY_PASSWORD: from_secret: PRODUCTION_QUAYIO_DOCKER_PASSWORD - AWS_ACCESS_KEY_ID: - from_secret: TELEPORT_BUILD_USER_KEY - AWS_SECRET_ACCESS_KEY: - from_secret: TELEPORT_BUILD_USER_SECRET volumes: - name: dockersock path: /var/run commands: - - apk add --no-cache aws-cli - export VERSION_TAG=$(cat /go/build/CURRENT_VERSION_TAG.txt) - export OSS_IMAGE_NAME="quay.io/gravitational/teleport:$(cat /go/build/CURRENT_VERSION_TAG_GENERIC.txt)" - export ENT_IMAGE_NAME="quay.io/gravitational/teleport-ent:$(cat /go/build/CURRENT_VERSION_TAG_GENERIC.txt)" - export ENT_FIPS_IMAGE_NAME="quay.io/gravitational/teleport-ent:$(cat /go/build/CURRENT_VERSION_TAG_GENERIC.txt)-fips" - - export OSS_IMAGE_NAME_ECR="public.ecr.aws/gravitational/teleport:$(cat /go/build/CURRENT_VERSION_TAG_GENERIC.txt)" - - export ENT_IMAGE_NAME_ECR="public.ecr.aws/gravitational/teleport-ent:$(cat /go/build/CURRENT_VERSION_TAG_GENERIC.txt)" - - export ENT_FIPS_IMAGE_NAME_ECR="public.ecr.aws/gravitational/teleport-ent:$(cat /go/build/CURRENT_VERSION_TAG_GENERIC.txt)-fips" - docker login -u="$QUAY_USERNAME" -p="$QUAY_PASSWORD" quay.io # OSS - docker build --target teleport --build-arg DOWNLOAD_TYPE=teleport --build-arg VERSION_TAG=$VERSION_TAG --build-arg OS=$OS --build-arg ARCH=$ARCH -t $OSS_IMAGE_NAME -f /go/build/Dockerfile-cron /go/build 
@@ -912,18 +904,6 @@ steps: # Enterprise FIPS - docker build --target teleport-fips --build-arg DOWNLOAD_TYPE=teleport-ent --build-arg EXTRA_DOWNLOAD_ARGS="-fips" --build-arg VERSION_TAG=$VERSION_TAG --build-arg OS=$OS --build-arg ARCH=$ARCH -t $ENT_FIPS_IMAGE_NAME -f /go/build/Dockerfile-cron /go/build - docker push $ENT_FIPS_IMAGE_NAME - # Login to ECR - - docker logout quay.io - - aws ecr-public get-login-password --region=us-east-1 | docker login -u="AWS" --password-stdin public.ecr.aws - # OSS ECR - - docker tag $OSS_IMAGE_NAME $OSS_IMAGE_NAME_ECR - - docker push $OSS_IMAGE_NAME_ECR - # Enterprise - - docker tag $ENT_IMAGE_NAME $ENT_IMAGE_NAME_ECR - - docker push $ENT_IMAGE_NAME_ECR - # Enterprise FIPS - - docker tag $ENT_FIPS_IMAGE_NAME $ENT_FIPS_IMAGE_NAME_ECR - - docker push $ENT_FIPS_IMAGE_NAME_ECR - name: Build and push Teleport containers (PREVIOUS_VERSION_ONE) image: docker 
@@ -934,22 +914,14 @@ steps: from_secret: PRODUCTION_QUAYIO_DOCKER_USERNAME QUAY_PASSWORD: from_secret: PRODUCTION_QUAYIO_DOCKER_PASSWORD - AWS_ACCESS_KEY_ID: - from_secret: TELEPORT_BUILD_USER_KEY - AWS_SECRET_ACCESS_KEY: - from_secret: TELEPORT_BUILD_USER_SECRET volumes: - name: dockersock path: /var/run commands: - - apk add --no-cache aws-cli - export VERSION_TAG=$(cat /go/build/PREVIOUS_VERSION_ONE_TAG.txt) - export OSS_IMAGE_NAME="quay.io/gravitational/teleport:$(cat /go/build/PREVIOUS_VERSION_ONE_TAG_GENERIC.txt)" - export ENT_IMAGE_NAME="quay.io/gravitational/teleport-ent:$(cat /go/build/PREVIOUS_VERSION_ONE_TAG_GENERIC.txt)" - export ENT_FIPS_IMAGE_NAME="quay.io/gravitational/teleport-ent:$(cat /go/build/PREVIOUS_VERSION_ONE_TAG_GENERIC.txt)-fips" - - export OSS_IMAGE_NAME_ECR="public.ecr.aws/gravitational/teleport:$(cat /go/build/PREVIOUS_VERSION_ONE_TAG_GENERIC.txt)" - - export ENT_IMAGE_NAME_ECR="public.ecr.aws/gravitational/teleport-ent:$(cat /go/build/PREVIOUS_VERSION_ONE_TAG_GENERIC.txt)" - - export ENT_FIPS_IMAGE_NAME_ECR="public.ecr.aws/gravitational/teleport-ent:$(cat /go/build/PREVIOUS_VERSION_ONE_TAG_GENERIC.txt)-fips" - docker login -u="$QUAY_USERNAME" -p="$QUAY_PASSWORD" quay.io # OSS - docker build --target teleport --build-arg DOWNLOAD_TYPE=teleport --build-arg VERSION_TAG=$VERSION_TAG --build-arg OS=$OS --build-arg ARCH=$ARCH -t $OSS_IMAGE_NAME -f /go/build/Dockerfile-cron /go/build 
@@ -960,18 +932,6 @@ steps: # Enterprise FIPS - docker build --target teleport-fips --build-arg DOWNLOAD_TYPE=teleport-ent --build-arg EXTRA_DOWNLOAD_ARGS="-fips" --build-arg VERSION_TAG=$VERSION_TAG --build-arg OS=$OS --build-arg ARCH=$ARCH -t $ENT_FIPS_IMAGE_NAME -f /go/build/Dockerfile-cron /go/build - docker push $ENT_FIPS_IMAGE_NAME - # Login to ECR - - docker logout quay.io - - aws ecr-public get-login-password --region=us-east-1 | docker login -u="AWS" --password-stdin public.ecr.aws - # OSS ECR - - docker tag $OSS_IMAGE_NAME $OSS_IMAGE_NAME_ECR - - docker push $OSS_IMAGE_NAME_ECR - # Enterprise - - docker tag $ENT_IMAGE_NAME $ENT_IMAGE_NAME_ECR - - docker push $ENT_IMAGE_NAME_ECR - # Enterprise FIPS - - docker tag $ENT_FIPS_IMAGE_NAME $ENT_FIPS_IMAGE_NAME_ECR - - docker push $ENT_FIPS_IMAGE_NAME_ECR - name: Build and push Teleport containers (PREVIOUS_VERSION_TWO) image: docker 
@@ -982,22 +942,14 @@ steps: from_secret: PRODUCTION_QUAYIO_DOCKER_USERNAME QUAY_PASSWORD: from_secret: PRODUCTION_QUAYIO_DOCKER_PASSWORD - AWS_ACCESS_KEY_ID: - from_secret: TELEPORT_BUILD_USER_KEY - AWS_SECRET_ACCESS_KEY: - from_secret: TELEPORT_BUILD_USER_SECRET volumes: - name: dockersock path: /var/run commands: - - apk add --no-cache aws-cli - export VERSION_TAG=$(cat /go/build/PREVIOUS_VERSION_TWO_TAG.txt) - export OSS_IMAGE_NAME="quay.io/gravitational/teleport:$(cat /go/build/PREVIOUS_VERSION_TWO_TAG_GENERIC.txt)" - export ENT_IMAGE_NAME="quay.io/gravitational/teleport-ent:$(cat /go/build/PREVIOUS_VERSION_TWO_TAG_GENERIC.txt)" - export ENT_FIPS_IMAGE_NAME="quay.io/gravitational/teleport-ent:$(cat /go/build/PREVIOUS_VERSION_TWO_TAG_GENERIC.txt)-fips" - - export OSS_IMAGE_NAME_ECR="public.ecr.aws/gravitational/teleport:$(cat /go/build/PREVIOUS_VERSION_TWO_TAG_GENERIC.txt)" - - export ENT_IMAGE_NAME_ECR="public.ecr.aws/gravitational/teleport-ent:$(cat /go/build/PREVIOUS_VERSION_TWO_TAG_GENERIC.txt)" - - export ENT_FIPS_IMAGE_NAME_ECR="public.ecr.aws/gravitational/teleport-ent:$(cat /go/build/PREVIOUS_VERSION_TWO_TAG_GENERIC.txt)-fips" - docker login -u="$QUAY_USERNAME" -p="$QUAY_PASSWORD" quay.io # OSS # TODO(logand22): Remove v8 when Teleport 11 is released 
@@ -1011,18 +963,6 @@ steps: # TODO(logand22): Remove v8 when Teleport 11 is released - docker build --target teleport-fips --build-arg DOWNLOAD_TYPE=teleport-ent --build-arg EXTRA_DOWNLOAD_ARGS="-fips" --build-arg VERSION_TAG=$VERSION_TAG --build-arg OS=$OS --build-arg ARCH=$ARCH -t $ENT_FIPS_IMAGE_NAME -f /go/build/Dockerfile-cron-v8 /go/build - docker push $ENT_FIPS_IMAGE_NAME - # Login to ECR - - docker logout quay.io - - aws ecr-public get-login-password --region=us-east-1 | docker login -u="AWS" --password-stdin public.ecr.aws - # OSS ECR - - docker tag $OSS_IMAGE_NAME $OSS_IMAGE_NAME_ECR - - docker push $OSS_IMAGE_NAME_ECR - # Enterprise - - docker tag $ENT_IMAGE_NAME $ENT_IMAGE_NAME_ECR - - docker push $ENT_IMAGE_NAME_ECR - # Enterprise FIPS - - docker tag $ENT_FIPS_IMAGE_NAME $ENT_FIPS_IMAGE_NAME_ECR - - docker push $ENT_FIPS_IMAGE_NAME_ECR - name: Build/push Teleport Lab Docker image image: docker:git 
@@ -1063,6 +1003,140 @@ volumes: - name: dockersock temp: {} +--- +kind: pipeline +type: kubernetes +name: teleport-docker-cron-ecr + +trigger: + cron: + - teleport-docker-cron-ecr + repo: + include: + - gravitational/teleport + +workspace: + path: /go + +clone: + disable: false + +steps: + - name: Set up variables and Dockerfile + image: docker:git + environment: + # increment these variables when a new major/minor version is released to bump the automatic builds + # this only needs to be done on the master branch, as that's the branch that the Drone cron is configured for + # build major version images which are just teleport:x + CURRENT_VERSION_ROOT: v10 + PREVIOUS_VERSION_ONE_ROOT: v9 + PREVIOUS_VERSION_TWO_ROOT: v8 + commands: + - apk --update --no-cache add curl go + - mkdir -p /go/build && cd /go/build + # CURRENT_VERSION (10) + - (cd /go/build.assets/tooling && go run ./cmd/query-latest $CURRENT_VERSION_ROOT > /go/build/CURRENT_VERSION_TAG.txt) + - echo "$(cat /go/build/CURRENT_VERSION_TAG.txt | cut -d. -f1 | tr -d '^v')" > /go/build/CURRENT_VERSION_TAG_GENERIC.txt + # PREVIOUS_VERSION_ONE (9) + - (cd /go/build.assets/tooling && go run ./cmd/query-latest $PREVIOUS_VERSION_ONE_ROOT > /go/build/PREVIOUS_VERSION_ONE_TAG.txt) + - echo "$(cat /go/build/PREVIOUS_VERSION_ONE_TAG.txt | cut -d. -f1 | tr -d '^v')" > /go/build/PREVIOUS_VERSION_ONE_TAG_GENERIC.txt + # PREVIOUS_VERSION_TWO (8) + - (cd /go/build.assets/tooling && go run ./cmd/query-latest $PREVIOUS_VERSION_TWO_ROOT > /go/build/PREVIOUS_VERSION_TWO_TAG.txt) + - echo "$(cat /go/build/PREVIOUS_VERSION_TWO_TAG.txt | cut -d. 
-f1 | tr -d '^v')" > /go/build/PREVIOUS_VERSION_TWO_TAG_GENERIC.txt + # list versions + - for FILE in /go/build/*.txt; do echo $FILE; cat $FILE; done + # get Dockerfiles + - curl -Ls -o /go/build/Dockerfile-cron https://raw.githubusercontent.com/gravitational/teleport/${DRONE_SOURCE_BRANCH:-master}/build.assets/Dockerfile-cron + # wait for Docker to be ready + - sleep 3 + + - name: Build and push Teleport containers (CURRENT_VERSION) + image: docker + environment: + OS: linux + ARCH: amd64 + AWS_ACCESS_KEY_ID: + from_secret: TELEPORT_DRONE_USER_PRODUCTION_KEY + AWS_SECRET_ACCESS_KEY: + from_secret: TELEPORT_DRONE_USER_PRODUCTION_SECRET + volumes: + - name: dockersock + path: /var/run + commands: + - apk add --no-cache aws-cli + - export VERSION_TAG=$(cat /go/build/CURRENT_VERSION_TAG.txt) + - export OSS_IMAGE_NAME="public.ecr.aws/gravitational/teleport:$(cat /go/build/CURRENT_VERSION_TAG_GENERIC.txt)" + - export ENT_IMAGE_NAME="public.ecr.aws/gravitational/teleport-ent:$(cat /go/build/CURRENT_VERSION_TAG_GENERIC.txt)" + - export ENT_FIPS_IMAGE_NAME="public.ecr.aws/gravitational/teleport-ent:$(cat /go/build/CURRENT_VERSION_TAG_GENERIC.txt)-fips" + - aws ecr-public get-login-password --region=us-east-1 | docker login -u="AWS" --password-stdin public.ecr.aws + # OSS + - docker build --target teleport --build-arg DOWNLOAD_TYPE=teleport --build-arg VERSION_TAG=$VERSION_TAG --build-arg OS=$OS --build-arg ARCH=$ARCH -t $OSS_IMAGE_NAME -f /go/build/Dockerfile-cron /go/build + - docker push $OSS_IMAGE_NAME + # Enterprise + - docker build --target teleport --build-arg DOWNLOAD_TYPE=teleport-ent --build-arg VERSION_TAG=$VERSION_TAG --build-arg OS=$OS --build-arg ARCH=$ARCH -t $ENT_IMAGE_NAME -f /go/build/Dockerfile-cron /go/build + - docker push $ENT_IMAGE_NAME + # Enterprise FIPS + - docker build --target teleport-fips --build-arg DOWNLOAD_TYPE=teleport-ent --build-arg EXTRA_DOWNLOAD_ARGS="-fips" --build-arg VERSION_TAG=$VERSION_TAG --build-arg OS=$OS --build-arg ARCH=$ARCH 
-t $ENT_FIPS_IMAGE_NAME -f /go/build/Dockerfile-cron /go/build + - docker push $ENT_FIPS_IMAGE_NAME + + - name: Build and push Teleport containers (PREVIOUS_VERSION_ONE) + image: docker + environment: + OS: linux + ARCH: amd64 + AWS_ACCESS_KEY_ID: + from_secret: TELEPORT_DRONE_USER_PRODUCTION_KEY + AWS_SECRET_ACCESS_KEY: + from_secret: TELEPORT_DRONE_USER_PRODUCTION_SECRET + volumes: + - name: dockersock + path: /var/run + commands: + - apk add --no-cache aws-cli + - export VERSION_TAG=$(cat /go/build/PREVIOUS_VERSION_ONE_TAG.txt) + - export OSS_IMAGE_NAME="public.ecr.aws/gravitational/teleport:$(cat /go/build/PREVIOUS_VERSION_ONE_TAG_GENERIC.txt)" + - export ENT_IMAGE_NAME="public.ecr.aws/gravitational/teleport-ent:$(cat /go/build/PREVIOUS_VERSION_ONE_TAG_GENERIC.txt)" + - export ENT_FIPS_IMAGE_NAME="public.ecr.aws/gravitational/teleport-ent:$(cat /go/build/PREVIOUS_VERSION_ONE_TAG_GENERIC.txt)-fips" + - aws ecr-public get-login-password --region=us-east-1 | docker login -u="AWS" --password-stdin public.ecr.aws + # OSS + - docker build --target teleport --build-arg DOWNLOAD_TYPE=teleport --build-arg VERSION_TAG=$VERSION_TAG --build-arg OS=$OS --build-arg ARCH=$ARCH -t $OSS_IMAGE_NAME -f /go/build/Dockerfile-cron /go/build + - docker push $OSS_IMAGE_NAME + # Enterprise + - docker build --target teleport --build-arg DOWNLOAD_TYPE=teleport-ent --build-arg VERSION_TAG=$VERSION_TAG --build-arg OS=$OS --build-arg ARCH=$ARCH -t $ENT_IMAGE_NAME -f /go/build/Dockerfile-cron /go/build + - docker push $ENT_IMAGE_NAME + # Enterprise FIPS + - docker build --target teleport-fips --build-arg DOWNLOAD_TYPE=teleport-ent --build-arg EXTRA_DOWNLOAD_ARGS="-fips" --build-arg VERSION_TAG=$VERSION_TAG --build-arg OS=$OS --build-arg ARCH=$ARCH -t $ENT_FIPS_IMAGE_NAME -f /go/build/Dockerfile-cron /go/build + - docker push $ENT_FIPS_IMAGE_NAME + + - name: Build and push Teleport containers (PREVIOUS_VERSION_TWO) + image: docker + environment: + OS: linux + ARCH: amd64 + AWS_ACCESS_KEY_ID: 
+ from_secret: TELEPORT_DRONE_USER_PRODUCTION_KEY + AWS_SECRET_ACCESS_KEY: + from_secret: TELEPORT_DRONE_USER_PRODUCTION_SECRET + volumes: + - name: dockersock + path: /var/run + commands: + - apk add --no-cache aws-cli + - export VERSION_TAG=$(cat /go/build/PREVIOUS_VERSION_TWO_TAG.txt) + - export OSS_IMAGE_NAME="public.ecr.aws/gravitational/teleport:$(cat /go/build/PREVIOUS_VERSION_TWO_TAG_GENERIC.txt)" + - export ENT_IMAGE_NAME="public.ecr.aws/gravitational/teleport-ent:$(cat /go/build/PREVIOUS_VERSION_TWO_TAG_GENERIC.txt)" + - export ENT_FIPS_IMAGE_NAME="public.ecr.aws/gravitational/teleport-ent:$(cat /go/build/PREVIOUS_VERSION_TWO_TAG_GENERIC.txt)-fips" + - aws ecr-public get-login-password --region=us-east-1 | docker login -u="AWS" --password-stdin public.ecr.aws + # OSS + - docker build --target teleport --build-arg DOWNLOAD_TYPE=teleport --build-arg VERSION_TAG=$VERSION_TAG --build-arg OS=$OS --build-arg ARCH=$ARCH -t $OSS_IMAGE_NAME -f /go/build/Dockerfile-cron /go/build + - docker push $OSS_IMAGE_NAME + # Enterprise + - docker build --target teleport --build-arg DOWNLOAD_TYPE=teleport-ent --build-arg VERSION_TAG=$VERSION_TAG --build-arg OS=$OS --build-arg ARCH=$ARCH -t $ENT_IMAGE_NAME -f /go/build/Dockerfile-cron /go/build + - docker push $ENT_IMAGE_NAME + # Enterprise FIPS + - docker build --target teleport-fips --build-arg DOWNLOAD_TYPE=teleport-ent --build-arg EXTRA_DOWNLOAD_ARGS="-fips" --build-arg VERSION_TAG=$VERSION_TAG --build-arg OS=$OS --build-arg ARCH=$ARCH -t $ENT_FIPS_IMAGE_NAME -f /go/build/Dockerfile-cron /go/build + - docker push $ENT_FIPS_IMAGE_NAME + --- kind: pipeline type: kubernetes @@ -4797,9 +4871,9 @@ steps: OS: linux ARCH: amd64 AWS_ACCESS_KEY_ID: - from_secret: TELEPORT_BUILD_USER_KEY + from_secret: TELEPORT_DRONE_USER_STAGING_KEY AWS_SECRET_ACCESS_KEY: - from_secret: TELEPORT_BUILD_USER_SECRET + from_secret: TELEPORT_DRONE_USER_STAGING_SECRET volumes: - name: dockersock path: /var/run 
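Review bot: The PREVIOUS_VERSION_TWO step of the new `teleport-docker-cron-ecr` pipeline builds all three images with `-f /go/build/Dockerfile-cron`, while the existing Quay cron step for the same version (context of the earlier hunk) uses `-f /go/build/Dockerfile-cron-v8` under a TODO to drop it only when Teleport 11 is released. If v8 still needs its own Dockerfile, the public ECR v8 images would differ from the Quay ones; the setup step would then need to provide `Dockerfile-cron-v8` as well and this step should pass it. Separately, the setup step fetches the Dockerfile with `curl -Ls` from `${DRONE_SOURCE_BRANCH:-master}`, so images pushed with production credentials are built from whatever that branch name serves at run time, and without `--fail` an HTTP error body would be saved as the Dockerfile. The clone is enabled and the step already runs from `/go/build.assets/tooling`, so copying `build.assets/Dockerfile-cron` from the checkout (or at least using `curl -fLs`) looks safer.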
@@ -5163,7 +5237,7 @@ volumes: ################################################ # Generated using dronegen, do not edit by hand! # Use 'make dronegen' to update. -# Generated at dronegen/misc.go:208 +# Generated at dronegen/misc.go:266 ################################################ kind: pipeline @@ -5191,7 +5265,7 @@ steps: ################################################ # Generated using dronegen, do not edit by hand! # Use 'make dronegen' to update. -# Generated at dronegen/misc.go:232 +# Generated at dronegen/misc.go:290 ################################################ kind: pipeline @@ -5291,12 +5365,12 @@ volumes: ################################################ # Generated using dronegen, do not edit by hand! # Use 'make dronegen' to update. -# Generated at dronegen/misc.go:30 +# Generated at dronegen/misc.go:97 ################################################ kind: pipeline type: kubernetes -name: promote-docker +name: promote-docker-quay trigger: event: include: @@ -5305,6 +5379,7 @@ trigger: include: - production - promote-docker + - promote-docker-quay repo: include: - gravitational/* 
@@ -5343,6 +5418,86 @@ steps: quay.io/gravitational/teleport-ent:$${VERSION} - docker tag 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$${VERSION}-fips quay.io/gravitational/teleport-ent:$${VERSION}-fips + - docker logout 146628656107.dkr.ecr.us-west-2.amazonaws.com + - docker login -u="$QUAY_USERNAME" -p="$QUAY_PASSWORD" quay.io + - echo "---> Pushing images for $${VERSION}" + - docker push quay.io/gravitational/teleport:$${VERSION} + - docker push quay.io/gravitational/teleport-ent:$${VERSION} + - docker push quay.io/gravitational/teleport-ent:$${VERSION}-fips + environment: + AWS_ACCESS_KEY_ID: + from_secret: STAGING_TELEPORT_DRONE_USER_ECR_KEY + AWS_SECRET_ACCESS_KEY: + from_secret: STAGING_TELEPORT_DRONE_USER_ECR_SECRET + QUAY_PASSWORD: + from_secret: PRODUCTION_QUAYIO_DOCKER_PASSWORD + QUAY_USERNAME: + from_secret: PRODUCTION_QUAYIO_DOCKER_USERNAME + volumes: + - name: dockersock + path: /var/run +services: +- name: Start Docker + image: docker:dind + privileged: true + volumes: + - name: dockersock + path: /var/run +volumes: +- name: dockersock + temp: {} + +--- +################################################ +# Generated using dronegen, do not edit by hand! +# Use 'make dronegen' to update. +# Generated at dronegen/misc.go:43 +################################################ + +kind: pipeline +type: kubernetes +name: promote-docker-ecr +trigger: + event: + include: + - promote + target: + include: + - production + - promote-docker + - promote-docker-ecr + repo: + include: + - gravitational/* +workspace: + path: /go +clone: + disable: true +steps: +- name: Verify build is tagged + image: alpine:latest + commands: + - '[ -n ${DRONE_TAG} ] || (echo ''DRONE_TAG is not set. Is the commit tagged?'' + && exit 1)' +- name: Wait for docker + image: docker + commands: + - timeout 30s /bin/sh -c 'while [ ! 
-S /var/run/docker.sock ]; do sleep 1; done' + volumes: + - name: dockersock + path: /var/run +- name: Pull/retag Docker images + image: docker + commands: + - apk add --no-cache aws-cli + - export VERSION=${DRONE_TAG##v} + - aws ecr get-login-password --region=us-west-2 | docker login -u="AWS" --password-stdin + 146628656107.dkr.ecr.us-west-2.amazonaws.com + - echo "---> Pulling images for $${VERSION}" + - docker pull 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport:$${VERSION} + - docker pull 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$${VERSION} + - docker pull 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$${VERSION}-fips + - echo "---> Tagging images for $${VERSION}" - docker tag 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport:$${VERSION} public.ecr.aws/gravitational/teleport:$${VERSION} - docker tag 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$${VERSION} 
@@ -5350,26 +5505,17 @@ steps: - docker tag 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$${VERSION}-fips public.ecr.aws/gravitational/teleport-ent:$${VERSION}-fips - docker logout 146628656107.dkr.ecr.us-west-2.amazonaws.com - - docker login -u="$DOCKER_PRODUCTION_USERNAME" -p="$DOCKER_PRODUCTION_PASSWORD" - quay.io - - echo "---> Pushing images for $${VERSION}" - - docker push quay.io/gravitational/teleport:$${VERSION} - - docker push quay.io/gravitational/teleport-ent:$${VERSION} - - docker push quay.io/gravitational/teleport-ent:$${VERSION}-fips - aws ecr-public get-login-password --region=us-east-1 | docker login -u="AWS" --password-stdin public.ecr.aws + - echo "---> Pushing images for $${VERSION}" - docker push public.ecr.aws/gravitational/teleport:$${VERSION} - docker push public.ecr.aws/gravitational/teleport-ent:$${VERSION} - docker push public.ecr.aws/gravitational/teleport-ent:$${VERSION}-fips environment: AWS_ACCESS_KEY_ID: - from_secret: TELEPORT_BUILD_USER_KEY + from_secret: PRODUCTION_TELEPORT_DRONE_USER_ECR_KEY AWS_SECRET_ACCESS_KEY: - from_secret: TELEPORT_BUILD_USER_SECRET - DOCKER_PRODUCTION_PASSWORD: - from_secret: PRODUCTION_QUAYIO_DOCKER_PASSWORD - DOCKER_PRODUCTION_USERNAME: - from_secret: PRODUCTION_QUAYIO_DOCKER_USERNAME + from_secret: PRODUCTION_TELEPORT_DRONE_USER_ECR_SECRET volumes: - name: dockersock path: /var/run diff --git a/dronegen/misc.go b/dronegen/misc.go index a827f5ea93457..ca92de478c241 100644 --- a/dronegen/misc.go +++ b/dronegen/misc.go 
@@ -34,14 +34,15 @@ const ( func promoteBuildPipelines() []pipeline { aptPipeline := promoteAptPipeline() - dockerPipeline := promoteDockerPipeline() - return []pipeline{aptPipeline, dockerPipeline} + dockerPipelineECR := buildDockerPromotionPipelineECR() + dockerPipelineQuay := buildDockerPromotionPipelineQuay() + return []pipeline{aptPipeline, dockerPipelineECR, dockerPipelineQuay} } -func promoteDockerPipeline() pipeline { - dockerPipeline := newKubePipeline("promote-docker") +func buildDockerPromotionPipelineECR() pipeline { + dockerPipeline := newKubePipeline("promote-docker-ecr") dockerPipeline.Trigger = triggerPromote - dockerPipeline.Trigger.Target.Include = append(dockerPipeline.Trigger.Target.Include, "promote-docker") + dockerPipeline.Trigger.Target.Include = append(dockerPipeline.Trigger.Target.Include, "promote-docker", "promote-docker-ecr") dockerPipeline.Workspace = workspace{Path: "/go"} // Add docker service 
@@ -58,44 +59,89 @@ func promoteDockerPipeline() pipeline { Name: "Pull/retag Docker images", Image: "docker", Environment: map[string]value{ - "AWS_ACCESS_KEY_ID": {fromSecret: "TELEPORT_BUILD_USER_KEY"}, - "AWS_SECRET_ACCESS_KEY": {fromSecret: "TELEPORT_BUILD_USER_SECRET"}, - "DOCKER_PRODUCTION_USERNAME": {fromSecret: "PRODUCTION_QUAYIO_DOCKER_USERNAME"}, - "DOCKER_PRODUCTION_PASSWORD": {fromSecret: "PRODUCTION_QUAYIO_DOCKER_PASSWORD"}, + "AWS_ACCESS_KEY_ID": {fromSecret: "PRODUCTION_TELEPORT_DRONE_USER_ECR_KEY"}, + "AWS_SECRET_ACCESS_KEY": {fromSecret: "PRODUCTION_TELEPORT_DRONE_USER_ECR_SECRET"}, }, Volumes: dockerVolumeRefs(), Commands: []string{ "apk add --no-cache aws-cli", "export VERSION=${DRONE_TAG##v}", // authenticate with staging credentials - "aws ecr get-login-password --region=us-west-2 | docker login -u=\"AWS\" --password-stdin 146628656107.dkr.ecr.us-west-2.amazonaws.com", - // pull 'temporary' CI-built images + "aws ecr get-login-password --region=us-west-2 | docker login -u=\"AWS\" --password-stdin " + STAGING_REGISTRY, + // pull staging images "echo \"---> Pulling images for $${VERSION}\"", - "docker pull 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport:$${VERSION}", - "docker pull 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$${VERSION}", - "docker pull 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$${VERSION}-fips", + fmt.Sprintf("docker pull %s/gravitational/teleport:$${VERSION}", STAGING_REGISTRY), + fmt.Sprintf("docker pull %s/gravitational/teleport-ent:$${VERSION}", STAGING_REGISTRY), + fmt.Sprintf("docker pull %s/gravitational/teleport-ent:$${VERSION}-fips", STAGING_REGISTRY), // retag images to production naming "echo \"---> Tagging images for $${VERSION}\"", - "docker tag 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport:$${VERSION} quay.io/gravitational/teleport:$${VERSION}", - "docker tag 
146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$${VERSION} quay.io/gravitational/teleport-ent:$${VERSION}", - "docker tag 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$${VERSION}-fips quay.io/gravitational/teleport-ent:$${VERSION}-fips", - //retag ECR images - "docker tag 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport:$${VERSION} public.ecr.aws/gravitational/teleport:$${VERSION}", - "docker tag 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$${VERSION} public.ecr.aws/gravitational/teleport-ent:$${VERSION}", - "docker tag 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$${VERSION}-fips public.ecr.aws/gravitational/teleport-ent:$${VERSION}-fips", + fmt.Sprintf("docker tag %s/gravitational/teleport:$${VERSION} %s/gravitational/teleport:$${VERSION}", STAGING_REGISTRY, PRODUCTION_REGISTRY), + fmt.Sprintf("docker tag %s/gravitational/teleport-ent:$${VERSION} %s/gravitational/teleport-ent:$${VERSION}", STAGING_REGISTRY, PRODUCTION_REGISTRY), + fmt.Sprintf("docker tag %s/gravitational/teleport-ent:$${VERSION}-fips %s/gravitational/teleport-ent:$${VERSION}-fips", STAGING_REGISTRY, PRODUCTION_REGISTRY), // authenticate with production credentials - "docker logout 146628656107.dkr.ecr.us-west-2.amazonaws.com", - "docker login -u=\"$DOCKER_PRODUCTION_USERNAME\" -p=\"$DOCKER_PRODUCTION_PASSWORD\" quay.io", + "docker logout " + STAGING_REGISTRY, + "aws ecr-public get-login-password --region=us-east-1 | docker login -u=\"AWS\" --password-stdin " + PRODUCTION_REGISTRY, // push production images "echo \"---> Pushing images for $${VERSION}\"", - "docker push quay.io/gravitational/teleport:$${VERSION}", - "docker push quay.io/gravitational/teleport-ent:$${VERSION}", - "docker push quay.io/gravitational/teleport-ent:$${VERSION}-fips", // push production images ECR - "aws ecr-public get-login-password --region=us-east-1 | docker login -u=\"AWS\" --password-stdin 
public.ecr.aws", - "docker push public.ecr.aws/gravitational/teleport:$${VERSION}", - "docker push public.ecr.aws/gravitational/teleport-ent:$${VERSION}", - "docker push public.ecr.aws/gravitational/teleport-ent:$${VERSION}-fips", + fmt.Sprintf("docker push %s/gravitational/teleport:$${VERSION}", PRODUCTION_REGISTRY), + fmt.Sprintf("docker push %s/gravitational/teleport-ent:$${VERSION}", PRODUCTION_REGISTRY), + fmt.Sprintf("docker push %s/gravitational/teleport-ent:$${VERSION}-fips", PRODUCTION_REGISTRY), + }, + }) + + return dockerPipeline +} + +func buildDockerPromotionPipelineQuay() pipeline { + dockerPipeline := newKubePipeline("promote-docker-quay") + dockerPipeline.Trigger = triggerPromote + dockerPipeline.Trigger.Target.Include = append(dockerPipeline.Trigger.Target.Include, "promote-docker", "promote-docker-quay") + dockerPipeline.Workspace = workspace{Path: "/go"} + + // Add docker service + dockerPipeline.Services = []service{ + dockerService(), + } + dockerPipeline.Volumes = dockerVolumes() + + dockerPipeline.Steps = append(dockerPipeline.Steps, verifyTaggedBuildStep()) + dockerPipeline.Steps = append(dockerPipeline.Steps, waitForDockerStep()) + + // Pull/Push Steps + dockerPipeline.Steps = append(dockerPipeline.Steps, step{ + Name: "Pull/retag Docker images", + Image: "docker", + Environment: map[string]value{ + "AWS_ACCESS_KEY_ID": {fromSecret: "STAGING_TELEPORT_DRONE_USER_ECR_KEY"}, + "AWS_SECRET_ACCESS_KEY": {fromSecret: "STAGING_TELEPORT_DRONE_USER_ECR_SECRET"}, + "QUAY_USERNAME": {fromSecret: "PRODUCTION_QUAYIO_DOCKER_USERNAME"}, + "QUAY_PASSWORD": {fromSecret: "PRODUCTION_QUAYIO_DOCKER_PASSWORD"}, + }, + Volumes: dockerVolumeRefs(), + Commands: []string{ + "apk add --no-cache aws-cli", + "export VERSION=${DRONE_TAG##v}", + // authenticate with staging credentials + "aws ecr get-login-password --region=us-west-2 | docker login -u=\"AWS\" --password-stdin " + STAGING_REGISTRY, + // pull staging images + "echo \"---> Pulling images for 
$${VERSION}\"", + fmt.Sprintf("docker pull %s/gravitational/teleport:$${VERSION}", STAGING_REGISTRY), + fmt.Sprintf("docker pull %s/gravitational/teleport-ent:$${VERSION}", STAGING_REGISTRY), + fmt.Sprintf("docker pull %s/gravitational/teleport-ent:$${VERSION}-fips", STAGING_REGISTRY), + // retag images to production naming + "echo \"---> Tagging images for $${VERSION}\"", + fmt.Sprintf("docker tag %s/gravitational/teleport:$${VERSION} %s/gravitational/teleport:$${VERSION}", STAGING_REGISTRY, PRODUCTION_REGISTRY_QUAY), + fmt.Sprintf("docker tag %s/gravitational/teleport-ent:$${VERSION} %s/gravitational/teleport-ent:$${VERSION}", STAGING_REGISTRY, PRODUCTION_REGISTRY_QUAY), + fmt.Sprintf("docker tag %s/gravitational/teleport-ent:$${VERSION}-fips %s/gravitational/teleport-ent:$${VERSION}-fips", STAGING_REGISTRY, PRODUCTION_REGISTRY_QUAY), + // authenticate with production credentials + "docker logout " + STAGING_REGISTRY, + "docker login -u=\"$QUAY_USERNAME\" -p=\"$QUAY_PASSWORD\" " + PRODUCTION_REGISTRY_QUAY, + // push production images + "echo \"---> Pushing images for $${VERSION}\"", + fmt.Sprintf("docker push %s/gravitational/teleport:$${VERSION}", PRODUCTION_REGISTRY_QUAY), + fmt.Sprintf("docker push %s/gravitational/teleport-ent:$${VERSION}", PRODUCTION_REGISTRY_QUAY), + fmt.Sprintf("docker push %s/gravitational/teleport-ent:$${VERSION}-fips", PRODUCTION_REGISTRY_QUAY), }, }) From 91ce403479716d8b9d8206732417c50e04344c93 Mon Sep 17 00:00:00 2001 From: Logan Davis Date: Tue, 12 Jul 2022 14:37:28 -0500 Subject: [PATCH 09/22] Update environment secret names --- .drone.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/.drone.yml b/.drone.yml index 9da2b272774d4..64916653cf984 100644 --- a/.drone.yml +++ b/.drone.yml 
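Review bot: In `buildDockerPromotionPipelineECR` the command under `// authenticate with staging credentials` logs in to `STAGING_REGISTRY`, but the step's environment now carries only the `PRODUCTION_TELEPORT_DRONE_USER_ECR_*` secrets. Unless the production user is also allowed to pull from the staging registry (not visible here), the pull fails; if it is allowed, the comment is misleading and the production key has a wider scope than the public push needs. Passing both key pairs under distinct names and exporting each one just before its login, as sketched below, keeps the two roles separate. In `buildDockerPromotionPipelineQuay`, `-p=\"$QUAY_PASSWORD\"` puts the password in the process arguments; piping it through `--password-stdin`, as the ECR logins in the same list do, avoids that. The Quay function's closing lines are outside the hunk.

```go
// … unchanged: step Name, Image …
Environment: map[string]value{
	"STAGING_AWS_ACCESS_KEY_ID":     {fromSecret: "STAGING_TELEPORT_DRONE_USER_ECR_KEY"},
	"STAGING_AWS_SECRET_ACCESS_KEY": {fromSecret: "STAGING_TELEPORT_DRONE_USER_ECR_SECRET"},
	"PROD_AWS_ACCESS_KEY_ID":        {fromSecret: "PRODUCTION_TELEPORT_DRONE_USER_ECR_KEY"},
	"PROD_AWS_SECRET_ACCESS_KEY":    {fromSecret: "PRODUCTION_TELEPORT_DRONE_USER_ECR_SECRET"},
},
Volumes: dockerVolumeRefs(),
Commands: []string{
	"apk add --no-cache aws-cli",
	"export VERSION=${DRONE_TAG##v}",
	// authenticate with staging credentials
	"export AWS_ACCESS_KEY_ID=\"$STAGING_AWS_ACCESS_KEY_ID\"",
	"export AWS_SECRET_ACCESS_KEY=\"$STAGING_AWS_SECRET_ACCESS_KEY\"",
	"aws ecr get-login-password --region=us-west-2 | docker login -u=\"AWS\" --password-stdin " + STAGING_REGISTRY,
	// … unchanged: pull staging images, retag to production naming …
	// authenticate with production credentials
	"docker logout " + STAGING_REGISTRY,
	"export AWS_ACCESS_KEY_ID=\"$PROD_AWS_ACCESS_KEY_ID\"",
	"export AWS_SECRET_ACCESS_KEY=\"$PROD_AWS_SECRET_ACCESS_KEY\"",
	"aws ecr-public get-login-password --region=us-east-1 | docker login -u=\"AWS\" --password-stdin " + PRODUCTION_REGISTRY,
	// … unchanged: push production images …
```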
@@ -1056,9 +1056,9 @@ steps: OS: linux ARCH: amd64 AWS_ACCESS_KEY_ID: - from_secret: TELEPORT_DRONE_USER_PRODUCTION_KEY + from_secret: PRODUCTION_TELEPORT_DRONE_USER_ECR_KEY AWS_SECRET_ACCESS_KEY: - from_secret: TELEPORT_DRONE_USER_PRODUCTION_SECRET + from_secret: PRODUCTION_TELEPORT_DRONE_USER_ECR_SECRET volumes: - name: dockersock path: /var/run @@ -1085,9 +1085,9 @@ steps: OS: linux ARCH: amd64 AWS_ACCESS_KEY_ID: - from_secret: TELEPORT_DRONE_USER_PRODUCTION_KEY + from_secret: PRODUCTION_TELEPORT_DRONE_USER_ECR_KEY AWS_SECRET_ACCESS_KEY: - from_secret: TELEPORT_DRONE_USER_PRODUCTION_SECRET + from_secret: PRODUCTION_TELEPORT_DRONE_USER_ECR_SECRET volumes: - name: dockersock path: /var/run @@ -1114,9 +1114,9 @@ steps: OS: linux ARCH: amd64 AWS_ACCESS_KEY_ID: - from_secret: TELEPORT_DRONE_USER_PRODUCTION_KEY + from_secret: PRODUCTION_TELEPORT_DRONE_USER_ECR_KEY AWS_SECRET_ACCESS_KEY: - from_secret: TELEPORT_DRONE_USER_PRODUCTION_SECRET + from_secret: PRODUCTION_TELEPORT_DRONE_USER_ECR_SECRET volumes: - name: dockersock path: /var/run @@ -4871,9 +4871,9 @@ steps: OS: linux ARCH: amd64 AWS_ACCESS_KEY_ID: - from_secret: TELEPORT_DRONE_USER_STAGING_KEY + from_secret: STAGING_TELEPORT_DRONE_USER_ECR_KEY AWS_SECRET_ACCESS_KEY: - from_secret: TELEPORT_DRONE_USER_STAGING_SECRET + from_secret: STAGING_TELEPORT_DRONE_USER_ECR_SECRET volumes: - name: dockersock path: /var/run From 732666e76840da53c19ef14287da2b1e8753a5b9 Mon Sep 17 00:00:00 2001 From: Logan Davis Date: Tue, 12 Jul 2022 18:23:27 -0500 Subject: [PATCH 10/22] Added promotion step to cronjob for ecr --- .drone.yml | 130 +++++++++++++++++++++++++++++++++++++++++++---------- 1 file changed, 106 insertions(+), 24 deletions(-) diff --git a/.drone.yml b/.drone.yml index 64916653cf984..5cd9061a9ce77 100644 --- a/.drone.yml +++ b/.drone.yml 
@@ -859,13 +859,13 @@ steps: commands: - apk --update --no-cache add curl go - mkdir -p /go/build && cd /go/build - # CURRENT_VERSION (10) + # CURRENT_VERSION - (cd /go/build.assets/tooling && go run ./cmd/query-latest $CURRENT_VERSION_ROOT > /go/build/CURRENT_VERSION_TAG.txt) - echo "$(cat /go/build/CURRENT_VERSION_TAG.txt | cut -d. -f1 | tr -d '^v')" > /go/build/CURRENT_VERSION_TAG_GENERIC.txt - # PREVIOUS_VERSION_ONE (9) + # PREVIOUS_VERSION_ONE - (cd /go/build.assets/tooling && go run ./cmd/query-latest $PREVIOUS_VERSION_ONE_ROOT > /go/build/PREVIOUS_VERSION_ONE_TAG.txt) - echo "$(cat /go/build/PREVIOUS_VERSION_ONE_TAG.txt | cut -d. -f1 | tr -d '^v')" > /go/build/PREVIOUS_VERSION_ONE_TAG_GENERIC.txt - # PREVIOUS_VERSION_TWO (8) + # PREVIOUS_VERSION_TWO - (cd /go/build.assets/tooling && go run ./cmd/query-latest $PREVIOUS_VERSION_TWO_ROOT > /go/build/PREVIOUS_VERSION_TWO_TAG.txt) - echo "$(cat /go/build/PREVIOUS_VERSION_TWO_TAG.txt | cut -d. -f1 | tr -d '^v')" > /go/build/PREVIOUS_VERSION_TWO_TAG_GENERIC.txt # list versions 
@@ -1034,13 +1034,13 @@ steps: commands: - apk --update --no-cache add curl go - mkdir -p /go/build && cd /go/build - # CURRENT_VERSION (10) + # CURRENT_VERSION - (cd /go/build.assets/tooling && go run ./cmd/query-latest $CURRENT_VERSION_ROOT > /go/build/CURRENT_VERSION_TAG.txt) - echo "$(cat /go/build/CURRENT_VERSION_TAG.txt | cut -d. -f1 | tr -d '^v')" > /go/build/CURRENT_VERSION_TAG_GENERIC.txt - # PREVIOUS_VERSION_ONE (9) + # PREVIOUS_VERSION_ONE - (cd /go/build.assets/tooling && go run ./cmd/query-latest $PREVIOUS_VERSION_ONE_ROOT > /go/build/PREVIOUS_VERSION_ONE_TAG.txt) - echo "$(cat /go/build/PREVIOUS_VERSION_ONE_TAG.txt | cut -d. -f1 | tr -d '^v')" > /go/build/PREVIOUS_VERSION_ONE_TAG_GENERIC.txt - # PREVIOUS_VERSION_TWO (8) + # PREVIOUS_VERSION_TWO - (cd /go/build.assets/tooling && go run ./cmd/query-latest $PREVIOUS_VERSION_TWO_ROOT > /go/build/PREVIOUS_VERSION_TWO_TAG.txt) - echo "$(cat /go/build/PREVIOUS_VERSION_TWO_TAG.txt | cut -d. -f1 | tr -d '^v')" > /go/build/PREVIOUS_VERSION_TWO_TAG_GENERIC.txt # list versions @@ -1055,9 +1055,13 @@ steps: environment: OS: linux ARCH: amd64 - AWS_ACCESS_KEY_ID: + STAGING_AWS_ACCESS_KEY_ID: + from_secret: STAGING_TELEPORT_DRONE_USER_ECR_KEY + STAGING_AWS_SECRET_ACCESS_KEY: + from_secret: STAGING_TELEPORT_DRONE_USER_ECR_SECRET + PROD_AWS_ACCESS_KEY_ID: from_secret: PRODUCTION_TELEPORT_DRONE_USER_ECR_KEY - AWS_SECRET_ACCESS_KEY: + PROD_AWS_SECRET_ACCESS_KEY: from_secret: PRODUCTION_TELEPORT_DRONE_USER_ECR_SECRET volumes: - name: dockersock 
@@ -1065,10 +1069,19 @@ steps: commands: - apk add --no-cache aws-cli - export VERSION_TAG=$(cat /go/build/CURRENT_VERSION_TAG.txt) - - export OSS_IMAGE_NAME="public.ecr.aws/gravitational/teleport:$(cat /go/build/CURRENT_VERSION_TAG_GENERIC.txt)" - - export ENT_IMAGE_NAME="public.ecr.aws/gravitational/teleport-ent:$(cat /go/build/CURRENT_VERSION_TAG_GENERIC.txt)" - - export ENT_FIPS_IMAGE_NAME="public.ecr.aws/gravitational/teleport-ent:$(cat /go/build/CURRENT_VERSION_TAG_GENERIC.txt)-fips" - - aws ecr-public get-login-password --region=us-east-1 | docker login -u="AWS" --password-stdin public.ecr.aws + - export CURRENT_DATE=$(date '+%Y%m%d') + # Staging image names + - export OSS_IMAGE_NAME_STAGE="146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport:$(cat /go/build/CURRENT_VERSION_TAG_GENERIC.txt)-$CURRENT_DATE" + - export ENT_IMAGE_NAME_STAGE="146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$(cat /go/build/CURRENT_VERSION_TAG_GENERIC.txt)-$CURRENT_DATE" + - export ENT_FIPS_IMAGE_NAME_STAGE="146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$(cat /go/build/CURRENT_VERSION_TAG_GENERIC.txt)-fips-$CURRENT_DATE" + # Production image names + - export OSS_IMAGE_NAME_PROD="public.ecr.aws/gravitational/teleport:$(cat /go/build/CURRENT_VERSION_TAG_GENERIC.txt)" + - export ENT_IMAGE_NAME_PROD="public.ecr.aws/gravitational/teleport-ent:$(cat /go/build/CURRENT_VERSION_TAG_GENERIC.txt)" + - export ENT_FIPS_IMAGE_NAME_PROD="public.ecr.aws/gravitational/teleport-ent:$(cat /go/build/CURRENT_VERSION_TAG_GENERIC.txt)-fips" + # Authenticate to staging registry + - export AWS_ACCESS_KEY_ID="$STAGING_AWS_ACCESS_KEY_ID" + - export AWS_SECRET_ACCESS_KEY="$STAGING_AWS_SECRET_ACCESS_KEY" + - aws ecr get-login-password --region=us-west-2 | docker login -u="AWS" --password-stdin 146628656107.dkr.ecr.us-west-2.amazonaws.com # OSS - docker build --target teleport --build-arg DOWNLOAD_TYPE=teleport --build-arg VERSION_TAG=$VERSION_TAG 
--build-arg OS=$OS --build-arg ARCH=$ARCH -t $OSS_IMAGE_NAME -f /go/build/Dockerfile-cron /go/build - docker push $OSS_IMAGE_NAME @@ -1078,15 +1091,32 @@ steps: # Enterprise FIPS - docker build --target teleport-fips --build-arg DOWNLOAD_TYPE=teleport-ent --build-arg EXTRA_DOWNLOAD_ARGS="-fips" --build-arg VERSION_TAG=$VERSION_TAG --build-arg OS=$OS --build-arg ARCH=$ARCH -t $ENT_FIPS_IMAGE_NAME -f /go/build/Dockerfile-cron /go/build - docker push $ENT_FIPS_IMAGE_NAME + # Authenticate to production registry + - docker logout 146628656107.dkr.ecr.us-west-2.amazonaws.com + - export AWS_ACCESS_KEY_ID="$PROD_AWS_ACCESS_KEY_ID" + - export AWS_SECRET_ACCESS_KEY="$PROD_AWS_SECRET_ACCESS_KEY" + - aws ecr-public get-login-password --region=us-east-1 | docker login -u="AWS" --password-stdin public.ecr.aws + # Retag images + - docker tag $OSS_IMAGE_NAME_STAGE $OSS_IMAGE_NAME_PROD + - docker tag $ENT_IMAGE_NAME_STAGE $ENT_IMAGE_NAME_PROD + - docker tag $ENT_FIPS_IMAGE_NAME_STAGE $ENT_FIPS_IMAGE_NAME_PROD + # Promote to production registry + - docker push $ENT_IMAGE_NAME_PROD + - docker push $OSS_IMAGE_NAME_PROD + - docker push $ENT_FIPS_IMAGE_NAME_PROD - name: Build and push Teleport containers (PREVIOUS_VERSION_ONE) image: docker environment: OS: linux ARCH: amd64 - AWS_ACCESS_KEY_ID: + STAGING_AWS_ACCESS_KEY_ID: + from_secret: STAGING_TELEPORT_DRONE_USER_ECR_KEY + STAGING_AWS_SECRET_ACCESS_KEY: + from_secret: STAGING_TELEPORT_DRONE_USER_ECR_SECRET + PROD_AWS_ACCESS_KEY_ID: from_secret: PRODUCTION_TELEPORT_DRONE_USER_ECR_KEY - AWS_SECRET_ACCESS_KEY: + PROD_AWS_SECRET_ACCESS_KEY: from_secret: PRODUCTION_TELEPORT_DRONE_USER_ECR_SECRET volumes: - name: dockersock 
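Review bot: The `docker build ... -t $OSS_IMAGE_NAME` and `docker push $OSS_IMAGE_NAME` context lines of the CURRENT_VERSION step still use a variable whose `export` this hunk removes; only the `*_STAGE` and `*_PROD` names are defined now. The FIPS lines shown as context in the next hunk do the same with `$ENT_FIPS_IMAGE_NAME`, so nothing is ever tagged with the staging names that the added `docker tag $OSS_IMAGE_NAME_STAGE $OSS_IMAGE_NAME_PROD` lines expect. The build and push lines should use the staging names, e.g. `-t $OSS_IMAGE_NAME_STAGE` and `docker push $OSS_IMAGE_NAME_STAGE`. The PREVIOUS_VERSION_ONE hunk (`@@ -1094,10 +1124,19 @@`) has the same leftover.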
@@ -1094,10 +1124,19 @@ steps: commands: - apk add --no-cache aws-cli - export VERSION_TAG=$(cat /go/build/PREVIOUS_VERSION_ONE_TAG.txt) - - export OSS_IMAGE_NAME="public.ecr.aws/gravitational/teleport:$(cat /go/build/PREVIOUS_VERSION_ONE_TAG_GENERIC.txt)" - - export ENT_IMAGE_NAME="public.ecr.aws/gravitational/teleport-ent:$(cat /go/build/PREVIOUS_VERSION_ONE_TAG_GENERIC.txt)" - - export ENT_FIPS_IMAGE_NAME="public.ecr.aws/gravitational/teleport-ent:$(cat /go/build/PREVIOUS_VERSION_ONE_TAG_GENERIC.txt)-fips" - - aws ecr-public get-login-password --region=us-east-1 | docker login -u="AWS" --password-stdin public.ecr.aws + - export CURRENT_DATE=$(date '+%Y%m%d') + # Staging image names + - export OSS_IMAGE_NAME_STAGE="146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport:$(cat /go/build/PREVIOUS_VERSION_ONE_TAG_GENERIC.txt)-$CURRENT_DATE" + - export ENT_IMAGE_NAME_STAGE="146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$(cat /go/build/PREVIOUS_VERSION_ONE_TAG_GENERIC.txt)-$CURRENT_DATE" + - export ENT_FIPS_IMAGE_NAME_STAGE="146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$(cat /go/build/PREVIOUS_VERSION_ONE_TAG_GENERIC.txt)-fips-$CURRENT_DATE" + # Production image names + - export OSS_IMAGE_NAME_PROD="public.ecr.aws/gravitational/teleport:$(cat /go/build/PREVIOUS_VERSION_ONE_TAG_GENERIC.txt)" + - export ENT_IMAGE_NAME_PROD="public.ecr.aws/gravitational/teleport-ent:$(cat /go/build/PREVIOUS_VERSION_ONE_TAG_GENERIC.txt)" + - export ENT_FIPS_IMAGE_NAME_PROD="public.ecr.aws/gravitational/teleport-ent:$(cat /go/build/PREVIOUS_VERSION_ONE_TAG_GENERIC.txt)-fips" + # Authenticate to staging registry + - export AWS_ACCESS_KEY_ID="$STAGING_AWS_ACCESS_KEY_ID" + - export AWS_SECRET_ACCESS_KEY="$STAGING_AWS_SECRET_ACCESS_KEY" + - aws ecr get-login-password --region=us-west-2 | docker login -u="AWS" --password-stdin 146628656107.dkr.ecr.us-west-2.amazonaws.com # OSS - docker build --target teleport --build-arg 
DOWNLOAD_TYPE=teleport --build-arg VERSION_TAG=$VERSION_TAG --build-arg OS=$OS --build-arg ARCH=$ARCH -t $OSS_IMAGE_NAME -f /go/build/Dockerfile-cron /go/build - docker push $OSS_IMAGE_NAME 
@@ -1107,26 +1146,52 @@ steps: # Enterprise FIPS - docker build --target teleport-fips --build-arg DOWNLOAD_TYPE=teleport-ent --build-arg EXTRA_DOWNLOAD_ARGS="-fips" --build-arg VERSION_TAG=$VERSION_TAG --build-arg OS=$OS --build-arg ARCH=$ARCH -t $ENT_FIPS_IMAGE_NAME -f /go/build/Dockerfile-cron /go/build - docker push $ENT_FIPS_IMAGE_NAME + # Authenticate to production registry + - docker logout 146628656107.dkr.ecr.us-west-2.amazonaws.com + - export AWS_ACCESS_KEY_ID="$PROD_AWS_ACCESS_KEY_ID" + - export AWS_SECRET_ACCESS_KEY="$PROD_AWS_SECRET_ACCESS_KEY" + - aws ecr-public get-login-password --region=us-east-1 | docker login -u="AWS" --password-stdin public.ecr.aws + # Retag images + - docker tag $OSS_IMAGE_NAME_STAGE $OSS_IMAGE_NAME_PROD + - docker tag $ENT_IMAGE_NAME_STAGE $ENT_IMAGE_NAME_PROD + - docker tag $ENT_FIPS_IMAGE_NAME_STAGE $ENT_FIPS_IMAGE_NAME_PROD + # Promote to production registry + - docker push $ENT_IMAGE_NAME_PROD + - docker push $OSS_IMAGE_NAME_PROD + - docker push $ENT_FIPS_IMAGE_NAME_PROD - name: Build and push Teleport containers (PREVIOUS_VERSION_TWO) image: docker environment: OS: linux ARCH: amd64 - AWS_ACCESS_KEY_ID: + STAGING_AWS_ACCESS_KEY_ID: + from_secret: STAGING_TELEPORT_DRONE_USER_ECR_KEY + STAGING_AWS_SECRET_ACCESS_KEY: + from_secret: STAGING_TELEPORT_DRONE_USER_ECR_SECRET + PROD_AWS_ACCESS_KEY_ID: from_secret: PRODUCTION_TELEPORT_DRONE_USER_ECR_KEY - AWS_SECRET_ACCESS_KEY: + PROD_AWS_SECRET_ACCESS_KEY: from_secret: PRODUCTION_TELEPORT_DRONE_USER_ECR_SECRET volumes: - name: dockersock path: /var/run commands: - apk add --no-cache aws-cli + - export CURRENT_DATE=$(date '+%Y%m%d') - export VERSION_TAG=$(cat /go/build/PREVIOUS_VERSION_TWO_TAG.txt) - - export OSS_IMAGE_NAME="public.ecr.aws/gravitational/teleport:$(cat /go/build/PREVIOUS_VERSION_TWO_TAG_GENERIC.txt)" - - export ENT_IMAGE_NAME="public.ecr.aws/gravitational/teleport-ent:$(cat /go/build/PREVIOUS_VERSION_TWO_TAG_GENERIC.txt)" - - export 
ENT_FIPS_IMAGE_NAME="public.ecr.aws/gravitational/teleport-ent:$(cat /go/build/PREVIOUS_VERSION_TWO_TAG_GENERIC.txt)-fips" - - aws ecr-public get-login-password --region=us-east-1 | docker login -u="AWS" --password-stdin public.ecr.aws + # Staging image names + - export OSS_IMAGE_NAME="146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport:$(cat /go/build/PREVIOUS_VERSION_TWO_TAG_GENERIC.txt)-$CURRENT_DATE" + - export ENT_IMAGE_NAME="146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$(cat /go/build/PREVIOUS_VERSION_TWO_TAG_GENERIC.txt)-$CURRENT_DATE" + - export ENT_FIPS_IMAGE_NAME="146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$(cat /go/build/PREVIOUS_VERSION_TWO_TAG_GENERIC.txt)-fips-$CURRENT_DATE" + # Production image names + - export OSS_IMAGE_NAME_PROD="public.ecr.aws/gravitational/teleport:$(cat /go/build/PREVIOUS_VERSION_TWO_TAG_GENERIC.txt)" + - export ENT_IMAGE_NAME_PROD="public.ecr.aws/gravitational/teleport-ent:$(cat /go/build/PREVIOUS_VERSION_TWO_TAG_GENERIC.txt)" + - export ENT_FIPS_IMAGE_NAME_PROD="public.ecr.aws/gravitational/teleport-ent:$(cat /go/build/PREVIOUS_VERSION_TWO_TAG_GENERIC.txt)-fips" + # Authenticate to staging registry + - export AWS_ACCESS_KEY_ID="$STAGING_AWS_ACCESS_KEY_ID" + - export AWS_SECRET_ACCESS_KEY="$STAGING_AWS_SECRET_ACCESS_KEY" + - aws ecr get-login-password --region=us-west-2 | docker login -u="AWS" --password-stdin 146628656107.dkr.ecr.us-west-2.amazonaws.com # OSS - docker build --target teleport --build-arg DOWNLOAD_TYPE=teleport --build-arg VERSION_TAG=$VERSION_TAG --build-arg OS=$OS --build-arg ARCH=$ARCH -t $OSS_IMAGE_NAME -f /go/build/Dockerfile-cron /go/build - docker push $OSS_IMAGE_NAME 
@@ -1136,6 +1201,19 @@ steps: # Enterprise FIPS - docker build --target teleport-fips --build-arg DOWNLOAD_TYPE=teleport-ent --build-arg EXTRA_DOWNLOAD_ARGS="-fips" --build-arg VERSION_TAG=$VERSION_TAG --build-arg OS=$OS --build-arg ARCH=$ARCH -t $ENT_FIPS_IMAGE_NAME -f /go/build/Dockerfile-cron /go/build - docker push $ENT_FIPS_IMAGE_NAME + # Authenticate to production registry + - docker logout 146628656107.dkr.ecr.us-west-2.amazonaws.com + - export AWS_ACCESS_KEY_ID="$PROD_AWS_ACCESS_KEY_ID" + - export AWS_SECRET_ACCESS_KEY="$PROD_AWS_SECRET_ACCESS_KEY" + - aws ecr-public get-login-password --region=us-east-1 | docker login -u="AWS" --password-stdin public.ecr.aws + # Retag images + - docker tag $OSS_IMAGE_NAME_STAGE $OSS_IMAGE_NAME_PROD + - docker tag $ENT_IMAGE_NAME_STAGE $ENT_IMAGE_NAME_PROD + - docker tag $ENT_FIPS_IMAGE_NAME_STAGE $ENT_FIPS_IMAGE_NAME_PROD + # Promote to production registry + - docker push $ENT_IMAGE_NAME_PROD + - docker push $OSS_IMAGE_NAME_PROD + - docker push $ENT_FIPS_IMAGE_NAME_PROD --- kind: pipeline @@ -5921,6 +5999,10 @@ volumes: name: drone-s3-debrepo-pvc --- kind: signature +<<<<<<< HEAD hmac: 5a84f1468c34f05ab0815842e8760c683908b0eee7d5b431b26da434bf81f97f +======= +hmac: da65877b4a3477160c76392204ea1f0e02cb3ffc892604db6da5d44416ab6b98 +>>>>>>> 16ee1cd9dc (Added promotion step to cronjob for ecr) ... From 9655a5cff3bc01423b79ddea2dfdf7cb7094bdc9 Mon Sep 17 00:00:00 2001 From: Logan Davis Date: Tue, 12 Jul 2022 18:26:57 -0500 Subject: [PATCH 11/22] Removed unneeded docker pull --- .drone.yml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/.drone.yml b/.drone.yml index 5cd9061a9ce77..9a49ea84d3413 100644 --- a/.drone.yml +++ b/.drone.yml 
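Review bot: Unresolved merge-conflict markers are committed into the `kind: signature` document: the hunk adds `<<<<<<< HEAD`, `=======`, a second `hmac:` value and `>>>>>>> 16ee1cd9dc (…)`. With the markers in place the file no longer parses as YAML, and neither of the two values can be assumed to match the pipeline as edited in this commit. The block should hold a single line, `hmac: <value regenerated after resolving the conflict>`, produced by re-signing the final `.drone.yml` rather than by picking one side of the conflict.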
@@ -4959,7 +4959,6 @@ steps: - apk add --no-cache make bash aws-cli - chown -R $UID:$GID /go - aws ecr get-login-password --region us-west-2 | docker login -u="AWS" --password-stdin 146628656107.dkr.ecr.us-west-2.amazonaws.com - - docker pull quay.io/gravitational/teleport-buildbox:$BUILDBOX_VERSION || true - cd /go/src/github.com/gravitational/teleport - make image-ci publish-ci - make publish-operator-ci @@ -4984,7 +4983,6 @@ steps: - apk add --no-cache make - chown -R $UID:$GID /go - aws ecr get-login-password --region us-west-2 | docker login -u="AWS" --password-stdin 146628656107.dkr.ecr.us-west-2.amazonaws.com - - docker pull quay.io/gravitational/teleport-buildbox:$BUILDBOX_VERSION || true - cd /go/src/github.com/gravitational/teleport # VERSION needs to be set manually when running in the e directory. # Normally, the version is set and exported by the root Makefile and then inherited, @@ -5999,10 +5997,6 @@ volumes: name: drone-s3-debrepo-pvc --- kind: signature -<<<<<<< HEAD hmac: 5a84f1468c34f05ab0815842e8760c683908b0eee7d5b431b26da434bf81f97f -======= -hmac: da65877b4a3477160c76392204ea1f0e02cb3ffc892604db6da5d44416ab6b98 ->>>>>>> 16ee1cd9dc (Added promotion step to cronjob for ecr) ... From 8b0350957d7a47a2834f520f815c6eb827b9f7bb Mon Sep 17 00:00:00 2001 From: Logan Davis Date: Tue, 19 Jul 2022 15:13:53 -0500 Subject: [PATCH 12/22] Fix cronjob issue --- .drone.yml | 44 ++++++++++++++++++++++---------------------- 1 file changed, 22 insertions(+), 22 deletions(-) diff --git a/.drone.yml b/.drone.yml index 9a49ea84d3413..b37dba0a1d9fa 100644 --- a/.drone.yml +++ b/.drone.yml 
@@ -1083,14 +1083,14 @@ steps: - export AWS_SECRET_ACCESS_KEY="$STAGING_AWS_SECRET_ACCESS_KEY" - aws ecr get-login-password --region=us-west-2 | docker login -u="AWS" --password-stdin 146628656107.dkr.ecr.us-west-2.amazonaws.com # OSS - - docker build --target teleport --build-arg DOWNLOAD_TYPE=teleport --build-arg VERSION_TAG=$VERSION_TAG --build-arg OS=$OS --build-arg ARCH=$ARCH -t $OSS_IMAGE_NAME -f /go/build/Dockerfile-cron /go/build - - docker push $OSS_IMAGE_NAME + - docker build --target teleport --build-arg DOWNLOAD_TYPE=teleport --build-arg VERSION_TAG=$VERSION_TAG --build-arg OS=$OS --build-arg ARCH=$ARCH -t $OSS_IMAGE_NAME_STAGE -f /go/build/Dockerfile-cron /go/build + - docker push $OSS_IMAGE_NAME_STAGE # Enterprise - - docker build --target teleport --build-arg DOWNLOAD_TYPE=teleport-ent --build-arg VERSION_TAG=$VERSION_TAG --build-arg OS=$OS --build-arg ARCH=$ARCH -t $ENT_IMAGE_NAME -f /go/build/Dockerfile-cron /go/build - - docker push $ENT_IMAGE_NAME + - docker build --target teleport --build-arg DOWNLOAD_TYPE=teleport-ent --build-arg VERSION_TAG=$VERSION_TAG --build-arg OS=$OS --build-arg ARCH=$ARCH -t $ENT_IMAGE_NAME_STAGE -f /go/build/Dockerfile-cron /go/build + - docker push $ENT_IMAGE_NAME_STAGE # Enterprise FIPS - - docker build --target teleport-fips --build-arg DOWNLOAD_TYPE=teleport-ent --build-arg EXTRA_DOWNLOAD_ARGS="-fips" --build-arg VERSION_TAG=$VERSION_TAG --build-arg OS=$OS --build-arg ARCH=$ARCH -t $ENT_FIPS_IMAGE_NAME -f /go/build/Dockerfile-cron /go/build - - docker push $ENT_FIPS_IMAGE_NAME + - docker build --target teleport-fips --build-arg DOWNLOAD_TYPE=teleport-ent --build-arg EXTRA_DOWNLOAD_ARGS="-fips" --build-arg VERSION_TAG=$VERSION_TAG --build-arg OS=$OS --build-arg ARCH=$ARCH -t $ENT_FIPS_IMAGE_NAME_STAGE -f /go/build/Dockerfile-cron /go/build + - docker push $ENT_FIPS_IMAGE_NAME_STAGE # Authenticate to production registry - docker logout 146628656107.dkr.ecr.us-west-2.amazonaws.com - export 
AWS_ACCESS_KEY_ID="$PROD_AWS_ACCESS_KEY_ID" 
@@ -1138,14 +1138,14 @@ steps: - export AWS_SECRET_ACCESS_KEY="$STAGING_AWS_SECRET_ACCESS_KEY" - aws ecr get-login-password --region=us-west-2 | docker login -u="AWS" --password-stdin 146628656107.dkr.ecr.us-west-2.amazonaws.com # OSS - - docker build --target teleport --build-arg DOWNLOAD_TYPE=teleport --build-arg VERSION_TAG=$VERSION_TAG --build-arg OS=$OS --build-arg ARCH=$ARCH -t $OSS_IMAGE_NAME -f /go/build/Dockerfile-cron /go/build - - docker push $OSS_IMAGE_NAME + - docker build --target teleport --build-arg DOWNLOAD_TYPE=teleport --build-arg VERSION_TAG=$VERSION_TAG --build-arg OS=$OS --build-arg ARCH=$ARCH -t $OSS_IMAGE_NAME_STAGE -f /go/build/Dockerfile-cron /go/build + - docker push $OSS_IMAGE_NAME_STAGE # Enterprise - - docker build --target teleport --build-arg DOWNLOAD_TYPE=teleport-ent --build-arg VERSION_TAG=$VERSION_TAG --build-arg OS=$OS --build-arg ARCH=$ARCH -t $ENT_IMAGE_NAME -f /go/build/Dockerfile-cron /go/build - - docker push $ENT_IMAGE_NAME + - docker build --target teleport --build-arg DOWNLOAD_TYPE=teleport-ent --build-arg VERSION_TAG=$VERSION_TAG --build-arg OS=$OS --build-arg ARCH=$ARCH -t $ENT_IMAGE_NAME_STAGE -f /go/build/Dockerfile-cron /go/build + - docker push $ENT_IMAGE_NAME_STAGE # Enterprise FIPS - - docker build --target teleport-fips --build-arg DOWNLOAD_TYPE=teleport-ent --build-arg EXTRA_DOWNLOAD_ARGS="-fips" --build-arg VERSION_TAG=$VERSION_TAG --build-arg OS=$OS --build-arg ARCH=$ARCH -t $ENT_FIPS_IMAGE_NAME -f /go/build/Dockerfile-cron /go/build - - docker push $ENT_FIPS_IMAGE_NAME + - docker build --target teleport-fips --build-arg DOWNLOAD_TYPE=teleport-ent --build-arg EXTRA_DOWNLOAD_ARGS="-fips" --build-arg VERSION_TAG=$VERSION_TAG --build-arg OS=$OS --build-arg ARCH=$ARCH -t $ENT_FIPS_IMAGE_NAME_STAGE -f /go/build/Dockerfile-cron /go/build + - docker push $ENT_FIPS_IMAGE_NAME_STAGE # Authenticate to production registry - docker logout 146628656107.dkr.ecr.us-west-2.amazonaws.com - export 
AWS_ACCESS_KEY_ID="$PROD_AWS_ACCESS_KEY_ID" @@ -1181,9 +1181,9 @@ steps: - export CURRENT_DATE=$(date '+%Y%m%d') - export VERSION_TAG=$(cat /go/build/PREVIOUS_VERSION_TWO_TAG.txt) # Staging image names - - export OSS_IMAGE_NAME="146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport:$(cat /go/build/PREVIOUS_VERSION_TWO_TAG_GENERIC.txt)-$CURRENT_DATE" - - export ENT_IMAGE_NAME="146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$(cat /go/build/PREVIOUS_VERSION_TWO_TAG_GENERIC.txt)-$CURRENT_DATE" - - export ENT_FIPS_IMAGE_NAME="146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$(cat /go/build/PREVIOUS_VERSION_TWO_TAG_GENERIC.txt)-fips-$CURRENT_DATE" + - export OSS_IMAGE_NAME_STAGE="146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport:$(cat /go/build/PREVIOUS_VERSION_TWO_TAG_GENERIC.txt)-$CURRENT_DATE" + - export ENT_IMAGE_NAME_STAGE="146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$(cat /go/build/PREVIOUS_VERSION_TWO_TAG_GENERIC.txt)-$CURRENT_DATE" + - export ENT_FIPS_IMAGE_NAME_STAGE="146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$(cat /go/build/PREVIOUS_VERSION_TWO_TAG_GENERIC.txt)-fips-$CURRENT_DATE" # Production image names - export OSS_IMAGE_NAME_PROD="public.ecr.aws/gravitational/teleport:$(cat /go/build/PREVIOUS_VERSION_TWO_TAG_GENERIC.txt)" - export ENT_IMAGE_NAME_PROD="public.ecr.aws/gravitational/teleport-ent:$(cat /go/build/PREVIOUS_VERSION_TWO_TAG_GENERIC.txt)" 
@@ -1193,14 +1193,14 @@ steps: - export AWS_SECRET_ACCESS_KEY="$STAGING_AWS_SECRET_ACCESS_KEY" - aws ecr get-login-password --region=us-west-2 | docker login -u="AWS" --password-stdin 146628656107.dkr.ecr.us-west-2.amazonaws.com # OSS - - docker build --target teleport --build-arg DOWNLOAD_TYPE=teleport --build-arg VERSION_TAG=$VERSION_TAG --build-arg OS=$OS --build-arg ARCH=$ARCH -t $OSS_IMAGE_NAME -f /go/build/Dockerfile-cron /go/build - - docker push $OSS_IMAGE_NAME + - docker build --target teleport --build-arg DOWNLOAD_TYPE=teleport --build-arg VERSION_TAG=$VERSION_TAG --build-arg OS=$OS --build-arg ARCH=$ARCH -t $OSS_IMAGE_NAME_STAGE -f /go/build/Dockerfile-cron /go/build + - docker push $OSS_IMAGE_NAME_STAGE # Enterprise - - docker build --target teleport --build-arg DOWNLOAD_TYPE=teleport-ent --build-arg VERSION_TAG=$VERSION_TAG --build-arg OS=$OS --build-arg ARCH=$ARCH -t $ENT_IMAGE_NAME -f /go/build/Dockerfile-cron /go/build - - docker push $ENT_IMAGE_NAME + - docker build --target teleport --build-arg DOWNLOAD_TYPE=teleport-ent --build-arg VERSION_TAG=$VERSION_TAG --build-arg OS=$OS --build-arg ARCH=$ARCH -t $ENT_IMAGE_NAME_STAGE -f /go/build/Dockerfile-cron /go/build + - docker push $ENT_IMAGE_NAME_STAGE # Enterprise FIPS - - docker build --target teleport-fips --build-arg DOWNLOAD_TYPE=teleport-ent --build-arg EXTRA_DOWNLOAD_ARGS="-fips" --build-arg VERSION_TAG=$VERSION_TAG --build-arg OS=$OS --build-arg ARCH=$ARCH -t $ENT_FIPS_IMAGE_NAME -f /go/build/Dockerfile-cron /go/build - - docker push $ENT_FIPS_IMAGE_NAME + - docker build --target teleport-fips --build-arg DOWNLOAD_TYPE=teleport-ent --build-arg EXTRA_DOWNLOAD_ARGS="-fips" --build-arg VERSION_TAG=$VERSION_TAG --build-arg OS=$OS --build-arg ARCH=$ARCH -t $ENT_FIPS_IMAGE_NAME_STAGE -f /go/build/Dockerfile-cron /go/build + - docker push $ENT_FIPS_IMAGE_NAME_STAGE # Authenticate to production registry - docker logout 146628656107.dkr.ecr.us-west-2.amazonaws.com - export 
AWS_ACCESS_KEY_ID="$PROD_AWS_ACCESS_KEY_ID" @@ -5997,6 +5997,6 @@ volumes: name: drone-s3-debrepo-pvc --- kind: signature -hmac: 5a84f1468c34f05ab0815842e8760c683908b0eee7d5b431b26da434bf81f97f +hmac: a4c8abaefef008b4602f58e3403bab8dec09d0125ed6e1fb1576d8003d8b52f8 ... From e42b55711295aaae6a9601967a3f3905ad06e18c Mon Sep 17 00:00:00 2001 From: Logan Davis Date: Tue, 19 Jul 2022 15:18:53 -0500 Subject: [PATCH 13/22] Add docker service --- .drone.yml | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/.drone.yml b/.drone.yml index b37dba0a1d9fa..b21c827ad4895 100644 --- a/.drone.yml +++ b/.drone.yml @@ -1215,6 +1215,18 @@ steps: - docker push $OSS_IMAGE_NAME_PROD - docker push $ENT_FIPS_IMAGE_NAME_PROD +services: + - name: Start Docker + image: docker:dind + privileged: true + volumes: + - name: dockersock + path: /var/run + +volumes: + - name: dockersock + temp: {} + --- kind: pipeline type: kubernetes @@ -5997,6 +6009,6 @@ volumes: name: drone-s3-debrepo-pvc --- kind: signature -hmac: a4c8abaefef008b4602f58e3403bab8dec09d0125ed6e1fb1576d8003d8b52f8 +hmac: bb679eaea3ac522b5b53657f339ec88586936fd1f550445e63f1b02c548207dc ... From c28d118243fd59f26f30a2b26b32e0a7abbfc386 Mon Sep 17 00:00:00 2001 From: Logan Davis Date: Wed, 20 Jul 2022 14:46:12 -0500 Subject: [PATCH 14/22] Update staging image to use hour and minutes --- .drone.yml | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/.drone.yml b/.drone.yml index b21c827ad4895..d7497e61913df 100644 --- a/.drone.yml +++ b/.drone.yml 
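Review bot: `image: docker:dind` in the added `services:` block is a floating tag on a container that runs with `privileged: true` and owns the Docker socket shared through the `dockersock` volume. Judging by the other `.drone.yml` hunks on this page, the steps that use that socket build and push the images that reach `public.ecr.aws`, so a changed upstream tag would alter the release path without any change in this repository. Pin it to a fixed version and digest, `image: docker:<version>-dind@sha256:<digest>`, and update the pin deliberately.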
@@ -1047,6 +1047,7 @@ steps: - for FILE in /go/build/*.txt; do echo $FILE; cat $FILE; done # get Dockerfiles - curl -Ls -o /go/build/Dockerfile-cron https://raw.githubusercontent.com/gravitational/teleport/${DRONE_SOURCE_BRANCH:-master}/build.assets/Dockerfile-cron + - curl -Ls -o /go/build/Dockerfile-cron https://raw.githubusercontent.com/gravitational/teleport/${DRONE_SOURCE_BRANCH:-master}/build.assets/Dockerfile-cron-v8 # wait for Docker to be ready - sleep 3 @@ -1069,7 +1070,7 @@ steps: commands: - apk add --no-cache aws-cli - export VERSION_TAG=$(cat /go/build/CURRENT_VERSION_TAG.txt) - - export CURRENT_DATE=$(date '+%Y%m%d') + - export CURRENT_DATE=$(date '+%Y%m%d%H%M') # Staging image names - export OSS_IMAGE_NAME_STAGE="146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport:$(cat /go/build/CURRENT_VERSION_TAG_GENERIC.txt)-$CURRENT_DATE" - export ENT_IMAGE_NAME_STAGE="146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$(cat /go/build/CURRENT_VERSION_TAG_GENERIC.txt)-$CURRENT_DATE" @@ -1124,7 +1125,7 @@ steps: commands: - apk add --no-cache aws-cli - export VERSION_TAG=$(cat /go/build/PREVIOUS_VERSION_ONE_TAG.txt) - - export CURRENT_DATE=$(date '+%Y%m%d') + - export CURRENT_DATE=$(date '+%Y%m%d%H%M') # Staging image names - export OSS_IMAGE_NAME_STAGE="146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport:$(cat /go/build/PREVIOUS_VERSION_ONE_TAG_GENERIC.txt)-$CURRENT_DATE" - export ENT_IMAGE_NAME_STAGE="146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$(cat /go/build/PREVIOUS_VERSION_ONE_TAG_GENERIC.txt)-$CURRENT_DATE" 
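Review bot: The added `curl` writes `Dockerfile-cron-v8` to `-o /go/build/Dockerfile-cron`, the same path as the line above it, so the v8 content replaces the regular Dockerfile and `/go/build/Dockerfile-cron-v8`, which the build commands in the last `.drone.yml` hunk of this commit pass to `-f`, is never created. The output path should be `-o /go/build/Dockerfile-cron-v8`. Both downloads also use `curl -Ls` without `--fail`, so an HTTP error page would be saved as the Dockerfile with exit status 0; `curl -fsSL -o /go/build/Dockerfile-cron-v8 …` makes the step stop instead. The URL follows `${DRONE_SOURCE_BRANCH:-master}`, a mutable ref, with no checksum on the fetched file, which is worth a comment next to these lines since the result feeds images pushed to the registries.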
@@ -1178,7 +1179,7 @@ steps: path: /var/run commands: - apk add --no-cache aws-cli - - export CURRENT_DATE=$(date '+%Y%m%d') + - export CURRENT_DATE=$(date '+%Y%m%d%H%M') - export VERSION_TAG=$(cat /go/build/PREVIOUS_VERSION_TWO_TAG.txt) # Staging image names - export OSS_IMAGE_NAME_STAGE="146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport:$(cat /go/build/PREVIOUS_VERSION_TWO_TAG_GENERIC.txt)-$CURRENT_DATE" 
@@ -1193,13 +1194,13 @@ steps: - export AWS_SECRET_ACCESS_KEY="$STAGING_AWS_SECRET_ACCESS_KEY" - aws ecr get-login-password --region=us-west-2 | docker login -u="AWS" --password-stdin 146628656107.dkr.ecr.us-west-2.amazonaws.com # OSS - - docker build --target teleport --build-arg DOWNLOAD_TYPE=teleport --build-arg VERSION_TAG=$VERSION_TAG --build-arg OS=$OS --build-arg ARCH=$ARCH -t $OSS_IMAGE_NAME_STAGE -f /go/build/Dockerfile-cron /go/build + - docker build --target teleport --build-arg DOWNLOAD_TYPE=teleport --build-arg VERSION_TAG=$VERSION_TAG --build-arg OS=$OS --build-arg ARCH=$ARCH -t $OSS_IMAGE_NAME_STAGE -f /go/build/Dockerfile-cron-v8 /go/build - docker push $OSS_IMAGE_NAME_STAGE # Enterprise - - docker build --target teleport --build-arg DOWNLOAD_TYPE=teleport-ent --build-arg VERSION_TAG=$VERSION_TAG --build-arg OS=$OS --build-arg ARCH=$ARCH -t $ENT_IMAGE_NAME_STAGE -f /go/build/Dockerfile-cron /go/build + - docker build --target teleport --build-arg DOWNLOAD_TYPE=teleport-ent --build-arg VERSION_TAG=$VERSION_TAG --build-arg OS=$OS --build-arg ARCH=$ARCH -t $ENT_IMAGE_NAME_STAGE -f /go/build/Dockerfile-cron-v8 /go/build - docker push $ENT_IMAGE_NAME_STAGE # Enterprise FIPS - - docker build --target teleport-fips --build-arg DOWNLOAD_TYPE=teleport-ent --build-arg EXTRA_DOWNLOAD_ARGS="-fips" --build-arg VERSION_TAG=$VERSION_TAG --build-arg OS=$OS --build-arg ARCH=$ARCH -t $ENT_FIPS_IMAGE_NAME_STAGE -f /go/build/Dockerfile-cron /go/build + - docker build --target teleport-fips --build-arg DOWNLOAD_TYPE=teleport-ent --build-arg EXTRA_DOWNLOAD_ARGS="-fips" --build-arg VERSION_TAG=$VERSION_TAG --build-arg OS=$OS --build-arg ARCH=$ARCH -t $ENT_FIPS_IMAGE_NAME_STAGE -f /go/build/Dockerfile-cron-v8 /go/build - docker push $ENT_FIPS_IMAGE_NAME_STAGE # Authenticate to production registry - docker logout 146628656107.dkr.ecr.us-west-2.amazonaws.com 
@@ -6009,6 +6010,6 @@ volumes: name: drone-s3-debrepo-pvc --- kind: signature -hmac: bb679eaea3ac522b5b53657f339ec88586936fd1f550445e63f1b02c548207dc +hmac: de3774c3f04f74fba369be19fa3f0fe917d15055d73febbb10b43e1dc9f455b8 ... From 5c20f6e5ce315440940bdfdab8a3f760c439f5b9 Mon Sep 17 00:00:00 2001 From: Logan Davis Date: Wed, 20 Jul 2022 15:24:00 -0500 Subject: [PATCH 15/22] Fix typo --- .drone.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.drone.yml b/.drone.yml index d7497e61913df..503bc67af50ec 100644 --- a/.drone.yml +++ b/.drone.yml @@ -1047,7 +1047,7 @@ steps: - for FILE in /go/build/*.txt; do echo $FILE; cat $FILE; done # get Dockerfiles - curl -Ls -o /go/build/Dockerfile-cron https://raw.githubusercontent.com/gravitational/teleport/${DRONE_SOURCE_BRANCH:-master}/build.assets/Dockerfile-cron - - curl -Ls -o /go/build/Dockerfile-cron https://raw.githubusercontent.com/gravitational/teleport/${DRONE_SOURCE_BRANCH:-master}/build.assets/Dockerfile-cron-v8 + - curl -Ls -o /go/build/Dockerfile-cron-v8 https://raw.githubusercontent.com/gravitational/teleport/${DRONE_SOURCE_BRANCH:-master}/build.assets/Dockerfile-cron-v8 # wait for Docker to be ready - sleep 3 @@ -6010,6 +6010,6 @@ volumes: name: drone-s3-debrepo-pvc --- kind: signature -hmac: de3774c3f04f74fba369be19fa3f0fe917d15055d73febbb10b43e1dc9f455b8 +hmac: 71142578b12f90c9da6387f518bd8898ed995147f8e31b7bf0aadf2babebfd66 ... From 12d73c6438ad7076623a869b90c17db316ee65a6 Mon Sep 17 00:00:00 2001 From: Logan Davis Date: Wed, 20 Jul 2022 15:37:45 -0500 Subject: [PATCH 16/22] Fix v8 download for non-ecr --- .drone.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.drone.yml b/.drone.yml index 503bc67af50ec..7f327e8c06f71 100644 --- a/.drone.yml +++ b/.drone.yml 
@@ -872,7 +872,7 @@ steps: - for FILE in /go/build/*.txt; do echo $FILE; cat $FILE; done # get Dockerfiles - curl -Ls -o /go/build/Dockerfile-cron https://raw.githubusercontent.com/gravitational/teleport/${DRONE_SOURCE_BRANCH:-master}/build.assets/Dockerfile-cron - - curl -Ls -o /go/build/Dockerfile-cron https://raw.githubusercontent.com/gravitational/teleport/${DRONE_SOURCE_BRANCH:-master}/build.assets/Dockerfile-cron-v8 + - curl -Ls -o /go/build/Dockerfile-cron-v8 https://raw.githubusercontent.com/gravitational/teleport/${DRONE_SOURCE_BRANCH:-master}/build.assets/Dockerfile-cron-v8 # wait for Docker to be ready - sleep 3 From 64dde1dd1769eb14613f8cd48c4bd0edf85fc4c9 Mon Sep 17 00:00:00 2001 From: Logan Davis Date: Wed, 20 Jul 2022 15:38:05 -0500 Subject: [PATCH 17/22] Updated drone signature --- .drone.yml | 8 ++++---- e | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.drone.yml b/.drone.yml index 7f327e8c06f71..bb20286e904d3 100644 --- a/.drone.yml +++ b/.drone.yml @@ -4986,14 +4986,14 @@ steps: OS: linux ARCH: amd64 AWS_ACCESS_KEY_ID: - from_secret: TELEPORT_BUILD_USER_KEY + from_secret: STAGING_TELEPORT_DRONE_USER_ECR_KEY AWS_SECRET_ACCESS_KEY: - from_secret: TELEPORT_BUILD_USER_SECRET + from_secret: STAGING_TELEPORT_DRONE_USER_ECR_SECRET volumes: - name: dockersock path: /var/run commands: - - apk add --no-cache make + - apk add --no-cache make aws-cli - chown -R $UID:$GID /go - aws ecr get-login-password --region us-west-2 | docker login -u="AWS" --password-stdin 146628656107.dkr.ecr.us-west-2.amazonaws.com - cd /go/src/github.com/gravitational/teleport @@ -6010,6 +6010,6 @@ volumes: name: drone-s3-debrepo-pvc --- kind: signature -hmac: 71142578b12f90c9da6387f518bd8898ed995147f8e31b7bf0aadf2babebfd66 +hmac: 4f64d204b34ab877c7439caff7c37a76b795efb5e3ccfe29b4fbedbb6f614b7d ... diff --git a/e b/e index ffe8c99e88ed5..7cc7cf005b2bb 160000 --- a/e +++ b/e 
@@ -1 +1 @@ -Subproject commit ffe8c99e88ed56349b15efa1f887b1fc81042812 +Subproject commit 7cc7cf005b2bb3730fd54a014a5d8ced6b695a49 From 59a0cc3830918dc153a8a21cbbf48311af7be555 Mon Sep 17 00:00:00 2001 From: Logan Davis Date: Thu, 21 Jul 2022 16:31:24 -0500 Subject: [PATCH 18/22] Lint updates --- dronegen/misc.go | 60 ++++++++++++++++++++++++------------------------ 1 file changed, 30 insertions(+), 30 deletions(-) diff --git a/dronegen/misc.go b/dronegen/misc.go index ca92de478c241..383b0ce7460e1 100644 --- a/dronegen/misc.go +++ b/dronegen/misc.go @@ -21,15 +21,15 @@ import ( ) const ( - // STAGING_REGISTRY is the staging registry images are pushed to before being promoted to the production registry. - STAGING_REGISTRY = "146628656107.dkr.ecr.us-west-2.amazonaws.com" + // StagingRegistry is the staging registry images are pushed to before being promoted to the production registry. + StagingRegistry = "146628656107.dkr.ecr.us-west-2.amazonaws.com" - // PRODUCTION_REGISTRY is the production image registry that hosts are customer facing container images. - PRODUCTION_REGISTRY = "public.ecr.aws" + // ProductionRegistry is the production image registry that hosts are customer facing container images. + ProductionRegistry = "public.ecr.aws" - // PRODUCTION_REGISTRY_QUAY is the production image registry that hosts images on quay.io. Will be deprecated in the future. + // ProductionRegistryQuay is the production image registry that hosts images on quay.io. Will be deprecated in the future. // See RFD 73 - https://github.com/gravitational/teleport/blob/c18c09f5d562dd46a509154eab4295ad39decc3c/rfd/0073-public-image-registry.md - PRODUCTION_REGISTRY_QUAY = "quay.io" + ProductionRegistryQuay = "quay.io" ) func promoteBuildPipelines() []pipeline { 
@@ -67,26 +67,26 @@ func buildDockerPromotionPipelineECR() pipeline { "apk add --no-cache aws-cli", "export VERSION=${DRONE_TAG##v}", // authenticate with staging credentials - "aws ecr get-login-password --region=us-west-2 | docker login -u=\"AWS\" --password-stdin " + STAGING_REGISTRY, + "aws ecr get-login-password --region=us-west-2 | docker login -u=\"AWS\" --password-stdin " + StagingRegistry, // pull staging images "echo \"---> Pulling images for $${VERSION}\"", - fmt.Sprintf("docker pull %s/gravitational/teleport:$${VERSION}", STAGING_REGISTRY), - fmt.Sprintf("docker pull %s/gravitational/teleport-ent:$${VERSION}", STAGING_REGISTRY), - fmt.Sprintf("docker pull %s/gravitational/teleport-ent:$${VERSION}-fips", STAGING_REGISTRY), + fmt.Sprintf("docker pull %s/gravitational/teleport:$${VERSION}", StagingRegistry), + fmt.Sprintf("docker pull %s/gravitational/teleport-ent:$${VERSION}", StagingRegistry), + fmt.Sprintf("docker pull %s/gravitational/teleport-ent:$${VERSION}-fips", StagingRegistry), // retag images to production naming "echo \"---> Tagging images for $${VERSION}\"", - fmt.Sprintf("docker tag %s/gravitational/teleport:$${VERSION} %s/gravitational/teleport:$${VERSION}", STAGING_REGISTRY, PRODUCTION_REGISTRY), - fmt.Sprintf("docker tag %s/gravitational/teleport-ent:$${VERSION} %s/gravitational/teleport-ent:$${VERSION}", STAGING_REGISTRY, PRODUCTION_REGISTRY), - fmt.Sprintf("docker tag %s/gravitational/teleport-ent:$${VERSION}-fips %s/gravitational/teleport-ent:$${VERSION}-fips", STAGING_REGISTRY, PRODUCTION_REGISTRY), + fmt.Sprintf("docker tag %s/gravitational/teleport:$${VERSION} %s/gravitational/teleport:$${VERSION}", StagingRegistry, ProductionRegistry), + fmt.Sprintf("docker tag %s/gravitational/teleport-ent:$${VERSION} %s/gravitational/teleport-ent:$${VERSION}", StagingRegistry, ProductionRegistry), + fmt.Sprintf("docker tag %s/gravitational/teleport-ent:$${VERSION}-fips %s/gravitational/teleport-ent:$${VERSION}-fips", StagingRegistry, 
ProductionRegistry), // authenticate with production credentials - "docker logout " + STAGING_REGISTRY, - "aws ecr-public get-login-password --region=us-east-1 | docker login -u=\"AWS\" --password-stdin " + PRODUCTION_REGISTRY, + "docker logout " + StagingRegistry, + "aws ecr-public get-login-password --region=us-east-1 | docker login -u=\"AWS\" --password-stdin " + ProductionRegistry, // push production images "echo \"---> Pushing images for $${VERSION}\"", // push production images ECR - fmt.Sprintf("docker push %s/gravitational/teleport:$${VERSION}", PRODUCTION_REGISTRY), - fmt.Sprintf("docker push %s/gravitational/teleport-ent:$${VERSION}", PRODUCTION_REGISTRY), - fmt.Sprintf("docker push %s/gravitational/teleport-ent:$${VERSION}-fips", PRODUCTION_REGISTRY), + fmt.Sprintf("docker push %s/gravitational/teleport:$${VERSION}", ProductionRegistry), + fmt.Sprintf("docker push %s/gravitational/teleport-ent:$${VERSION}", ProductionRegistry), + fmt.Sprintf("docker push %s/gravitational/teleport-ent:$${VERSION}-fips", ProductionRegistry), }, }) 
@@ -123,25 +123,25 @@ func buildDockerPromotionPipelineQuay() pipeline { "apk add --no-cache aws-cli", "export VERSION=${DRONE_TAG##v}", // authenticate with staging credentials - "aws ecr get-login-password --region=us-west-2 | docker login -u=\"AWS\" --password-stdin " + STAGING_REGISTRY, + "aws ecr get-login-password --region=us-west-2 | docker login -u=\"AWS\" --password-stdin " + StagingRegistry, // pull staging images "echo \"---> Pulling images for $${VERSION}\"", - fmt.Sprintf("docker pull %s/gravitational/teleport:$${VERSION}", STAGING_REGISTRY), - fmt.Sprintf("docker pull %s/gravitational/teleport-ent:$${VERSION}", STAGING_REGISTRY), - fmt.Sprintf("docker pull %s/gravitational/teleport-ent:$${VERSION}-fips", STAGING_REGISTRY), + fmt.Sprintf("docker pull %s/gravitational/teleport:$${VERSION}", StagingRegistry), + fmt.Sprintf("docker pull %s/gravitational/teleport-ent:$${VERSION}", StagingRegistry), + fmt.Sprintf("docker pull %s/gravitational/teleport-ent:$${VERSION}-fips", StagingRegistry), // retag images to production naming "echo \"---> Tagging images for $${VERSION}\"", - fmt.Sprintf("docker tag %s/gravitational/teleport:$${VERSION} %s/gravitational/teleport:$${VERSION}", STAGING_REGISTRY, PRODUCTION_REGISTRY_QUAY), - fmt.Sprintf("docker tag %s/gravitational/teleport-ent:$${VERSION} %s/gravitational/teleport-ent:$${VERSION}", STAGING_REGISTRY, PRODUCTION_REGISTRY_QUAY), - fmt.Sprintf("docker tag %s/gravitational/teleport-ent:$${VERSION}-fips %s/gravitational/teleport-ent:$${VERSION}-fips", STAGING_REGISTRY, PRODUCTION_REGISTRY_QUAY), + fmt.Sprintf("docker tag %s/gravitational/teleport:$${VERSION} %s/gravitational/teleport:$${VERSION}", StagingRegistry, ProductionRegistryQuay), + fmt.Sprintf("docker tag %s/gravitational/teleport-ent:$${VERSION} %s/gravitational/teleport-ent:$${VERSION}", StagingRegistry, ProductionRegistryQuay), + fmt.Sprintf("docker tag %s/gravitational/teleport-ent:$${VERSION}-fips %s/gravitational/teleport-ent:$${VERSION}-fips", 
StagingRegistry, ProductionRegistryQuay), // authenticate with production credentials - "docker logout " + STAGING_REGISTRY, - "docker login -u=\"$QUAY_USERNAME\" -p=\"$QUAY_PASSWORD\" " + PRODUCTION_REGISTRY_QUAY, + "docker logout " + StagingRegistry, + "docker login -u=\"$QUAY_USERNAME\" -p=\"$QUAY_PASSWORD\" " + ProductionRegistryQuay, // push production images "echo \"---> Pushing images for $${VERSION}\"", - fmt.Sprintf("docker push %s/gravitational/teleport:$${VERSION}", PRODUCTION_REGISTRY_QUAY), - fmt.Sprintf("docker push %s/gravitational/teleport-ent:$${VERSION}", PRODUCTION_REGISTRY_QUAY), - fmt.Sprintf("docker push %s/gravitational/teleport-ent:$${VERSION}-fips", PRODUCTION_REGISTRY_QUAY), + fmt.Sprintf("docker push %s/gravitational/teleport:$${VERSION}", ProductionRegistryQuay), + fmt.Sprintf("docker push %s/gravitational/teleport-ent:$${VERSION}", ProductionRegistryQuay), + fmt.Sprintf("docker push %s/gravitational/teleport-ent:$${VERSION}-fips", ProductionRegistryQuay), }, }) From 4a5d66da3b1bc0701f7376192905730895314311 Mon Sep 17 00:00:00 2001 From: Logan Davis Date: Fri, 22 Jul 2022 09:15:27 -0500 Subject: [PATCH 19/22] Update commit for e --- e | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/e b/e index 7cc7cf005b2bb..7868ba469330d 160000 --- a/e +++ b/e @@ -1 +1 @@ -Subproject commit 7cc7cf005b2bb3730fd54a014a5d8ced6b695a49 +Subproject commit 7868ba469330df45a76cae1840b7b961aee315f3 From 7af4c489b3f864391535fad6cd9f05d6298e5082 Mon Sep 17 00:00:00 2001 From: Logan Davis Date: Mon, 25 Jul 2022 15:52:30 -0500 Subject: [PATCH 20/22] Migrate code to new file. --- .drone.yml | 10 ++-- dronegen/common.go | 12 +++++ dronegen/misc.go | 128 -------------------------------------------- dronegen/promote.go | 119 ++++++++++++++++++++++++++++++++++++++++ 4 files changed, 136 insertions(+), 133 deletions(-) create mode 100644 dronegen/promote.go diff --git a/.drone.yml b/.drone.yml index bb20286e904d3..fbff218fe1e7e 100644 --- a/.drone.yml 
+++ b/.drone.yml @@ -5326,7 +5326,7 @@ volumes: ################################################ # Generated using dronegen, do not edit by hand! # Use 'make dronegen' to update. -# Generated at dronegen/misc.go:266 +# Generated at dronegen/misc.go:138 ################################################ kind: pipeline @@ -5354,7 +5354,7 @@ steps: ################################################ # Generated using dronegen, do not edit by hand! # Use 'make dronegen' to update. -# Generated at dronegen/misc.go:290 +# Generated at dronegen/misc.go:162 ################################################ kind: pipeline @@ -5454,7 +5454,7 @@ volumes: ################################################ # Generated using dronegen, do not edit by hand! # Use 'make dronegen' to update. -# Generated at dronegen/misc.go:97 +# Generated at dronegen/promote.go:67 ################################################ kind: pipeline @@ -5540,7 +5540,7 @@ volumes: ################################################ # Generated using dronegen, do not edit by hand! # Use 'make dronegen' to update. -# Generated at dronegen/misc.go:43 +# Generated at dronegen/promote.go:13 ################################################ kind: pipeline @@ -6010,6 +6010,6 @@ volumes: name: drone-s3-debrepo-pvc --- kind: signature -hmac: 4f64d204b34ab877c7439caff7c37a76b795efb5e3ccfe29b4fbedbb6f614b7d +hmac: aab0b00350d8504f16387de7b45648ff9768efe9b984f9477ddd370fcee65eb7 ... diff --git a/dronegen/common.go b/dronegen/common.go index af079bf8ff93a..586f8214c2852 100644 --- a/dronegen/common.go +++ b/dronegen/common.go 
@@ -22,6 +22,18 @@ import ( "strings" ) +const ( + // StagingRegistry is the staging registry images are pushed to before being promoted to the production registry. + StagingRegistry = "146628656107.dkr.ecr.us-west-2.amazonaws.com" + + // ProductionRegistry is the production image registry that hosts are customer facing container images. + ProductionRegistry = "public.ecr.aws" + + // ProductionRegistryQuay is the production image registry that hosts images on quay.io. Will be deprecated in the future. + // See RFD 73 - https://github.com/gravitational/teleport/blob/c18c09f5d562dd46a509154eab4295ad39decc3c/rfd/0073-public-image-registry.md + ProductionRegistryQuay = "quay.io" +) + var ( triggerPush = trigger{ Event: triggerRef{Include: []string{"push"}, Exclude: []string{"pull_request"}}, diff --git a/dronegen/misc.go b/dronegen/misc.go index 383b0ce7460e1..7d0b115d21901 100644 --- a/dronegen/misc.go +++ b/dronegen/misc.go 
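Review bot: The doc comment on ProductionRegistry reads "hosts are customer facing container images", which looks like a typo for "our"; I would write `// ProductionRegistry is the production image registry that hosts our customer-facing container images.` StagingRegistry also fixes the AWS account and the us-west-2 region in one string, while the login commands that use it pass `--region=us-west-2` separately, so the two can drift apart if the staging registry ever moves. A one-line comment on the constant saying the region must match the `aws ecr get-login-password` calls would make that coupling visible.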
@@ -20,134 +20,6 @@ import ( "strings" ) -const ( - // StagingRegistry is the staging registry images are pushed to before being promoted to the production registry. - StagingRegistry = "146628656107.dkr.ecr.us-west-2.amazonaws.com" - - // ProductionRegistry is the production image registry that hosts are customer facing container images. - ProductionRegistry = "public.ecr.aws" - - // ProductionRegistryQuay is the production image registry that hosts images on quay.io. Will be deprecated in the future. - // See RFD 73 - https://github.com/gravitational/teleport/blob/c18c09f5d562dd46a509154eab4295ad39decc3c/rfd/0073-public-image-registry.md - ProductionRegistryQuay = "quay.io" -) - -func promoteBuildPipelines() []pipeline { - aptPipeline := promoteAptPipeline() - dockerPipelineECR := buildDockerPromotionPipelineECR() - dockerPipelineQuay := buildDockerPromotionPipelineQuay() - return []pipeline{aptPipeline, dockerPipelineECR, dockerPipelineQuay} -} - -func buildDockerPromotionPipelineECR() pipeline { - dockerPipeline := newKubePipeline("promote-docker-ecr") - dockerPipeline.Trigger = triggerPromote - dockerPipeline.Trigger.Target.Include = append(dockerPipeline.Trigger.Target.Include, "promote-docker", "promote-docker-ecr") - dockerPipeline.Workspace = workspace{Path: "/go"} - - // Add docker service - dockerPipeline.Services = []service{ - dockerService(), - } - dockerPipeline.Volumes = dockerVolumes() - - dockerPipeline.Steps = append(dockerPipeline.Steps, verifyTaggedBuildStep()) - dockerPipeline.Steps = append(dockerPipeline.Steps, waitForDockerStep()) - - // Pull/Push Steps - dockerPipeline.Steps = append(dockerPipeline.Steps, step{ - Name: "Pull/retag Docker images", - Image: "docker", - Environment: map[string]value{ - "AWS_ACCESS_KEY_ID": {fromSecret: "PRODUCTION_TELEPORT_DRONE_USER_ECR_KEY"}, - "AWS_SECRET_ACCESS_KEY": {fromSecret: "PRODUCTION_TELEPORT_DRONE_USER_ECR_SECRET"}, - }, - Volumes: dockerVolumeRefs(), - Commands: []string{ - "apk add --no-cache 
aws-cli", - "export VERSION=${DRONE_TAG##v}", - // authenticate with staging credentials - "aws ecr get-login-password --region=us-west-2 | docker login -u=\"AWS\" --password-stdin " + StagingRegistry, - // pull staging images - "echo \"---> Pulling images for $${VERSION}\"", - fmt.Sprintf("docker pull %s/gravitational/teleport:$${VERSION}", StagingRegistry), - fmt.Sprintf("docker pull %s/gravitational/teleport-ent:$${VERSION}", StagingRegistry), - fmt.Sprintf("docker pull %s/gravitational/teleport-ent:$${VERSION}-fips", StagingRegistry), - // retag images to production naming - "echo \"---> Tagging images for $${VERSION}\"", - fmt.Sprintf("docker tag %s/gravitational/teleport:$${VERSION} %s/gravitational/teleport:$${VERSION}", StagingRegistry, ProductionRegistry), - fmt.Sprintf("docker tag %s/gravitational/teleport-ent:$${VERSION} %s/gravitational/teleport-ent:$${VERSION}", StagingRegistry, ProductionRegistry), - fmt.Sprintf("docker tag %s/gravitational/teleport-ent:$${VERSION}-fips %s/gravitational/teleport-ent:$${VERSION}-fips", StagingRegistry, ProductionRegistry), - // authenticate with production credentials - "docker logout " + StagingRegistry, - "aws ecr-public get-login-password --region=us-east-1 | docker login -u=\"AWS\" --password-stdin " + ProductionRegistry, - // push production images - "echo \"---> Pushing images for $${VERSION}\"", - // push production images ECR - fmt.Sprintf("docker push %s/gravitational/teleport:$${VERSION}", ProductionRegistry), - fmt.Sprintf("docker push %s/gravitational/teleport-ent:$${VERSION}", ProductionRegistry), - fmt.Sprintf("docker push %s/gravitational/teleport-ent:$${VERSION}-fips", ProductionRegistry), - }, - }) - - return dockerPipeline -} - -func buildDockerPromotionPipelineQuay() pipeline { - dockerPipeline := newKubePipeline("promote-docker-quay") - dockerPipeline.Trigger = triggerPromote - dockerPipeline.Trigger.Target.Include = append(dockerPipeline.Trigger.Target.Include, "promote-docker", 
"promote-docker-quay") - dockerPipeline.Workspace = workspace{Path: "/go"} - - // Add docker service - dockerPipeline.Services = []service{ - dockerService(), - } - dockerPipeline.Volumes = dockerVolumes() - - dockerPipeline.Steps = append(dockerPipeline.Steps, verifyTaggedBuildStep()) - dockerPipeline.Steps = append(dockerPipeline.Steps, waitForDockerStep()) - - // Pull/Push Steps - dockerPipeline.Steps = append(dockerPipeline.Steps, step{ - Name: "Pull/retag Docker images", - Image: "docker", - Environment: map[string]value{ - "AWS_ACCESS_KEY_ID": {fromSecret: "STAGING_TELEPORT_DRONE_USER_ECR_KEY"}, - "AWS_SECRET_ACCESS_KEY": {fromSecret: "STAGING_TELEPORT_DRONE_USER_ECR_SECRET"}, - "QUAY_USERNAME": {fromSecret: "PRODUCTION_QUAYIO_DOCKER_USERNAME"}, - "QUAY_PASSWORD": {fromSecret: "PRODUCTION_QUAYIO_DOCKER_PASSWORD"}, - }, - Volumes: dockerVolumeRefs(), - Commands: []string{ - "apk add --no-cache aws-cli", - "export VERSION=${DRONE_TAG##v}", - // authenticate with staging credentials - "aws ecr get-login-password --region=us-west-2 | docker login -u=\"AWS\" --password-stdin " + StagingRegistry, - // pull staging images - "echo \"---> Pulling images for $${VERSION}\"", - fmt.Sprintf("docker pull %s/gravitational/teleport:$${VERSION}", StagingRegistry), - fmt.Sprintf("docker pull %s/gravitational/teleport-ent:$${VERSION}", StagingRegistry), - fmt.Sprintf("docker pull %s/gravitational/teleport-ent:$${VERSION}-fips", StagingRegistry), - // retag images to production naming - "echo \"---> Tagging images for $${VERSION}\"", - fmt.Sprintf("docker tag %s/gravitational/teleport:$${VERSION} %s/gravitational/teleport:$${VERSION}", StagingRegistry, ProductionRegistryQuay), - fmt.Sprintf("docker tag %s/gravitational/teleport-ent:$${VERSION} %s/gravitational/teleport-ent:$${VERSION}", StagingRegistry, ProductionRegistryQuay), - fmt.Sprintf("docker tag %s/gravitational/teleport-ent:$${VERSION}-fips %s/gravitational/teleport-ent:$${VERSION}-fips", StagingRegistry, 
ProductionRegistryQuay), - // authenticate with production credentials - "docker logout " + StagingRegistry, - "docker login -u=\"$QUAY_USERNAME\" -p=\"$QUAY_PASSWORD\" " + ProductionRegistryQuay, - // push production images - "echo \"---> Pushing images for $${VERSION}\"", - fmt.Sprintf("docker push %s/gravitational/teleport:$${VERSION}", ProductionRegistryQuay), - fmt.Sprintf("docker push %s/gravitational/teleport-ent:$${VERSION}", ProductionRegistryQuay), - fmt.Sprintf("docker push %s/gravitational/teleport-ent:$${VERSION}-fips", ProductionRegistryQuay), - }, - }) - - return dockerPipeline -} - // Used for one-off migrations of older versions. // Use cases include: // * We want to support another OS while providing backwards compatibility diff --git a/dronegen/promote.go b/dronegen/promote.go new file mode 100644 index 0000000000000..b8b904cec43d5 --- /dev/null +++ b/dronegen/promote.go 
@@ -0,0 +1,119 @@ +package main + +import "fmt" + +func promoteBuildPipelines() []pipeline { + aptPipeline := promoteAptPipeline() + dockerPipelineECR := buildDockerPromotionPipelineECR() + dockerPipelineQuay := buildDockerPromotionPipelineQuay() + return []pipeline{aptPipeline, dockerPipelineECR, dockerPipelineQuay} +} + +func buildDockerPromotionPipelineECR() pipeline { + dockerPipeline := newKubePipeline("promote-docker-ecr") + dockerPipeline.Trigger = triggerPromote + dockerPipeline.Trigger.Target.Include = append(dockerPipeline.Trigger.Target.Include, "promote-docker", "promote-docker-ecr") + dockerPipeline.Workspace = workspace{Path: "/go"} + + // Add docker service + dockerPipeline.Services = []service{ + dockerService(), + } + dockerPipeline.Volumes = dockerVolumes() + + dockerPipeline.Steps = append(dockerPipeline.Steps, verifyTaggedBuildStep()) + dockerPipeline.Steps = append(dockerPipeline.Steps, waitForDockerStep()) + + // Pull/Push Steps + dockerPipeline.Steps = append(dockerPipeline.Steps, step{ + Name: "Pull/retag Docker images", + Image: "docker", + Environment: map[string]value{ + "AWS_ACCESS_KEY_ID": {fromSecret: "PRODUCTION_TELEPORT_DRONE_USER_ECR_KEY"}, + "AWS_SECRET_ACCESS_KEY": {fromSecret: "PRODUCTION_TELEPORT_DRONE_USER_ECR_SECRET"}, + }, + Volumes: dockerVolumeRefs(), + Commands: []string{ + "apk add --no-cache aws-cli", + "export VERSION=${DRONE_TAG##v}", + // authenticate with staging credentials + "aws ecr get-login-password --region=us-west-2 | docker login -u=\"AWS\" --password-stdin " + StagingRegistry, + // pull staging images + "echo \"---> Pulling images for $${VERSION}\"", + fmt.Sprintf("docker pull %s/gravitational/teleport:$${VERSION}", StagingRegistry), + fmt.Sprintf("docker pull %s/gravitational/teleport-ent:$${VERSION}", StagingRegistry), + fmt.Sprintf("docker pull %s/gravitational/teleport-ent:$${VERSION}-fips", StagingRegistry), + // retag images to production naming + "echo \"---> Tagging images for $${VERSION}\"", + 
fmt.Sprintf("docker tag %s/gravitational/teleport:$${VERSION} %s/gravitational/teleport:$${VERSION}", StagingRegistry, ProductionRegistry), + fmt.Sprintf("docker tag %s/gravitational/teleport-ent:$${VERSION} %s/gravitational/teleport-ent:$${VERSION}", StagingRegistry, ProductionRegistry), + fmt.Sprintf("docker tag %s/gravitational/teleport-ent:$${VERSION}-fips %s/gravitational/teleport-ent:$${VERSION}-fips", StagingRegistry, ProductionRegistry), + // authenticate with production credentials + "docker logout " + StagingRegistry, + "aws ecr-public get-login-password --region=us-east-1 | docker login -u=\"AWS\" --password-stdin " + ProductionRegistry, + // push production images + "echo \"---> Pushing images for $${VERSION}\"", + // push production images ECR + fmt.Sprintf("docker push %s/gravitational/teleport:$${VERSION}", ProductionRegistry), + fmt.Sprintf("docker push %s/gravitational/teleport-ent:$${VERSION}", ProductionRegistry), + fmt.Sprintf("docker push %s/gravitational/teleport-ent:$${VERSION}-fips", ProductionRegistry), + }, + }) + + return dockerPipeline +} + +func buildDockerPromotionPipelineQuay() pipeline { + dockerPipeline := newKubePipeline("promote-docker-quay") + dockerPipeline.Trigger = triggerPromote + dockerPipeline.Trigger.Target.Include = append(dockerPipeline.Trigger.Target.Include, "promote-docker", "promote-docker-quay") + dockerPipeline.Workspace = workspace{Path: "/go"} + + // Add docker service + dockerPipeline.Services = []service{ + dockerService(), + } + dockerPipeline.Volumes = dockerVolumes() + + dockerPipeline.Steps = append(dockerPipeline.Steps, verifyTaggedBuildStep()) + dockerPipeline.Steps = append(dockerPipeline.Steps, waitForDockerStep()) + + // Pull/Push Steps + dockerPipeline.Steps = append(dockerPipeline.Steps, step{ + Name: "Pull/retag Docker images", + Image: "docker", + Environment: map[string]value{ + "AWS_ACCESS_KEY_ID": {fromSecret: "STAGING_TELEPORT_DRONE_USER_ECR_KEY"}, + "AWS_SECRET_ACCESS_KEY": {fromSecret: 
"STAGING_TELEPORT_DRONE_USER_ECR_SECRET"}, + "QUAY_USERNAME": {fromSecret: "PRODUCTION_QUAYIO_DOCKER_USERNAME"}, + "QUAY_PASSWORD": {fromSecret: "PRODUCTION_QUAYIO_DOCKER_PASSWORD"}, + }, + Volumes: dockerVolumeRefs(), + Commands: []string{ + "apk add --no-cache aws-cli", + "export VERSION=${DRONE_TAG##v}", + // authenticate with staging credentials + "aws ecr get-login-password --region=us-west-2 | docker login -u=\"AWS\" --password-stdin " + StagingRegistry, + // pull staging images + "echo \"---> Pulling images for $${VERSION}\"", + fmt.Sprintf("docker pull %s/gravitational/teleport:$${VERSION}", StagingRegistry), + fmt.Sprintf("docker pull %s/gravitational/teleport-ent:$${VERSION}", StagingRegistry), + fmt.Sprintf("docker pull %s/gravitational/teleport-ent:$${VERSION}-fips", StagingRegistry), + // retag images to production naming + "echo \"---> Tagging images for $${VERSION}\"", + fmt.Sprintf("docker tag %s/gravitational/teleport:$${VERSION} %s/gravitational/teleport:$${VERSION}", StagingRegistry, ProductionRegistryQuay), + fmt.Sprintf("docker tag %s/gravitational/teleport-ent:$${VERSION} %s/gravitational/teleport-ent:$${VERSION}", StagingRegistry, ProductionRegistryQuay), + fmt.Sprintf("docker tag %s/gravitational/teleport-ent:$${VERSION}-fips %s/gravitational/teleport-ent:$${VERSION}-fips", StagingRegistry, ProductionRegistryQuay), + // authenticate with production credentials + "docker logout " + StagingRegistry, + "docker login -u=\"$QUAY_USERNAME\" -p=\"$QUAY_PASSWORD\" " + ProductionRegistryQuay, + // push production images + "echo \"---> Pushing images for $${VERSION}\"", + fmt.Sprintf("docker push %s/gravitational/teleport:$${VERSION}", ProductionRegistryQuay), + fmt.Sprintf("docker push %s/gravitational/teleport-ent:$${VERSION}", ProductionRegistryQuay), + fmt.Sprintf("docker push %s/gravitational/teleport-ent:$${VERSION}-fips", ProductionRegistryQuay), + }, + }) + + return dockerPipeline +} 
From 224492ac96a55adc649364d96bd6e5ec9bba153b Mon Sep 17 00:00:00 2001 From: Logan Davis Date: Mon, 25 Jul 2022 16:18:43 -0500 Subject: [PATCH 21/22] Add license for linting. --- .drone.yml | 6 +++--- dronegen/promote.go | 14 ++++++++++++++ 2 files changed, 17 insertions(+), 3 deletions(-) diff --git a/.drone.yml b/.drone.yml index fbff218fe1e7e..9a9852b948286 100644 --- a/.drone.yml +++ b/.drone.yml @@ -5454,7 +5454,7 @@ volumes: ################################################ # Generated using dronegen, do not edit by hand! # Use 'make dronegen' to update. -# Generated at dronegen/promote.go:67 +# Generated at dronegen/promote.go:81 ################################################ kind: pipeline @@ -5540,7 +5540,7 @@ volumes: ################################################ # Generated using dronegen, do not edit by hand! # Use 'make dronegen' to update. -# Generated at dronegen/promote.go:13 +# Generated at dronegen/promote.go:27 ################################################ kind: pipeline @@ -6010,6 +6010,6 @@ volumes: name: drone-s3-debrepo-pvc --- kind: signature -hmac: aab0b00350d8504f16387de7b45648ff9768efe9b984f9477ddd370fcee65eb7 +hmac: 1c975c95b4a2f1fd1103ba497c8091f7ee17a330f228d1433891d1cadce2a6aa ... diff --git a/dronegen/promote.go b/dronegen/promote.go index b8b904cec43d5..7af8ce7cbe3e5 100644 --- a/dronegen/promote.go +++ b/dronegen/promote.go 
@@ -1,3 +1,17 @@ +// Copyright 2021 Gravitational, Inc +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + package main import "fmt" From a19a96241c63c80edc8269641f034869f35f816a Mon Sep 17 00:00:00 2001 From: Logan Davis Date: Tue, 26 Jul 2022 10:52:58 -0500 Subject: [PATCH 22/22] Update signature --- .drone.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.drone.yml b/.drone.yml index 18b63ba94c898..362ebc8297455 100644 --- a/.drone.yml +++ b/.drone.yml @@ -6073,6 +6073,6 @@ volumes: name: drone-s3-debrepo-pvc --- kind: signature -hmac: 1c975c95b4a2f1fd1103ba497c8091f7ee17a330f228d1433891d1cadce2a6aa +hmac: 084a8ac6cb415c7919799b27ceef13812c37faacc14093bb46b79908051b0a2c ...