Drone publishing for Amazon ECR

Makefile

@@ -13,9 +13,11 @@
 #   Master/dev branch: "1.0.0-dev"
 VERSION=11.0.0-dev
 
-DOCKER_IMAGE ?= quay.io/gravitational/teleport
-DOCKER_IMAGE_CI ?= quay.io/gravitational/teleport-ci
+
 DOCKER_IMAGE_OPERATOR_CI ?= quay.io/gravitational/teleport-operator-ci
+DOCKER_IMAGE_QUAY ?= quay.io/gravitational/teleport
+DOCKER_IMAGE_ECR ?= public.ecr.aws/gravitational/teleport
+DOCKER_IMAGE_STAGING ?= 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport
 
 GOPATH ?= $(shell go env GOPATH)
 
@@ -986,14 +988,20 @@ install: build
 .PHONY: image
 image: clean docker-binaries
 	cp ./build.assets/charts/Dockerfile $(BUILDDIR)/
-	cd $(BUILDDIR) && docker build --no-cache . -t $(DOCKER_IMAGE):$(VERSION)
+	cd $(BUILDDIR) && docker build --no-cache . -t $(DOCKER_IMAGE_QUAY):$(VERSION)
 	if [ -f e/Makefile ]; then $(MAKE) -C e image; fi
 
 .PHONY: publish
 publish: image
-	docker push $(DOCKER_IMAGE):$(VERSION)
+	docker push $(DOCKER_IMAGE_QUAY):$(VERSION)
 	if [ -f e/Makefile ]; then $(MAKE) -C e publish; fi
 
+.PHONY: publish-ecr
+publish-ecr: image
+	docker tag $(DOCKER_IMAGE_QUAY) $(DOCKER_IMAGE_ECR)
+	docker push $(DOCKER_IMAGE_ECR):$(VERSION)
+	if [ -f e/Makefile ]; then $(MAKE) -C e publish-ecr; fi
+
 # Docker image build in CI.
 # This is run to build and push Docker images to a private repository as part of the build process.
 # When we are ready to make the images public after testing (i.e. when publishing a release), we pull these
@@ -1002,12 +1010,12 @@ publish: image
 .PHONY: image-ci
 image-ci: clean docker-binaries
 	cp ./build.assets/charts/Dockerfile $(BUILDDIR)/
-	cd $(BUILDDIR) && docker build --no-cache . -t $(DOCKER_IMAGE_CI):$(VERSION)
+	cd $(BUILDDIR) && docker build --no-cache . -t $(DOCKER_IMAGE_STAGING):$(VERSION)
 	if [ -f e/Makefile ]; then $(MAKE) -C e image-ci; fi
 
 .PHONY: publish-ci
 publish-ci: image-ci
-	docker push $(DOCKER_IMAGE_CI):$(VERSION)
+	docker push $(DOCKER_IMAGE_STAGING):$(VERSION)
 	if [ -f e/Makefile ]; then $(MAKE) -C e publish-ci; fi
 
 # Docker image build for Teleport Operator

dronegen/common.go

@@ -22,6 +22,18 @@ import (
 	"strings"
 )
 
+const (
+	// StagingRegistry is the staging registry images are pushed to before being promoted to the production registry.
+	StagingRegistry = "146628656107.dkr.ecr.us-west-2.amazonaws.com"
+
+	// ProductionRegistry is the production image registry that hosts are customer facing container images.
+	ProductionRegistry = "public.ecr.aws"
+
+	// ProductionRegistryQuay is the production image registry that hosts images on quay.io. Will be deprecated in the future.
+	// See RFD 73 - https://github.com/gravitational/teleport/blob/c18c09f5d562dd46a509154eab4295ad39decc3c/rfd/0073-public-image-registry.md
+	ProductionRegistryQuay = "quay.io"
+)
+
 var (
 	triggerPush = trigger{
 		Event:  triggerRef{Include: []string{"push"}, Exclude: []string{"pull_request"}},

dronegen/main.go

@@ -33,7 +33,7 @@ func main() {
 	pipelines = append(pipelines, tagPipelines()...)
 	pipelines = append(pipelines, cronPipelines()...)
 	pipelines = append(pipelines, artifactMigrationPipeline())
-	pipelines = append(pipelines, promoteBuildPipeline())
+	pipelines = append(pipelines, promoteBuildPipelines()...)
 	pipelines = append(pipelines, updateDocsPipeline())
 	pipelines = append(pipelines, buildboxPipeline())
 

dronegen/misc.go

@@ -20,11 +20,6 @@ import (
 	"strings"
 )
 
-func promoteBuildPipeline() pipeline {
-	aptPipeline := promoteAptPipeline()
-	return aptPipeline
-}
-
 // Used for one-off migrations of older versions.
 // Use cases include:
 //  * We want to support another OS while providing backwards compatibility
@@ -91,13 +86,7 @@ func promoteAptPipeline() pipeline {
 	p.Trigger.Repo.Include = []string{"gravitational/teleport"}
 
 	steps := []step{
-		{
-			Name:  "Verify build is tagged",
-			Image: "alpine:latest",
-			Commands: []string{
-				"[ -n ${DRONE_TAG} ] || (echo 'DRONE_TAG is not set. Is the commit tagged?' && exit 1)",
-			},
-		},
+		verifyTaggedBuildStep(),
 	}
 	steps = append(steps, p.Steps...)
 	steps = append(steps,
@@ -344,3 +333,13 @@ func updateDocsPipeline() pipeline {
 	// TODO: migrate
 	return pipeline{}
 }
+
+func verifyTaggedBuildStep() step {
+	return step{
+		Name:  "Verify build is tagged",
+		Image: "alpine:latest",
+		Commands: []string{
+			"[ -n ${DRONE_TAG} ] || (echo 'DRONE_TAG is not set. Is the commit tagged?' && exit 1)",
+		},
+	}
+}

dronegen/promote.go

@@ -0,0 +1,133 @@
+// Copyright 2021 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package main
+
+import "fmt"
+
+func promoteBuildPipelines() []pipeline {
+	aptPipeline := promoteAptPipeline()
+	dockerPipelineECR := buildDockerPromotionPipelineECR()
+	dockerPipelineQuay := buildDockerPromotionPipelineQuay()
+	return []pipeline{aptPipeline, dockerPipelineECR, dockerPipelineQuay}
+}
+
+func buildDockerPromotionPipelineECR() pipeline {
+	dockerPipeline := newKubePipeline("promote-docker-ecr")
+	dockerPipeline.Trigger = triggerPromote
+	dockerPipeline.Trigger.Target.Include = append(dockerPipeline.Trigger.Target.Include, "promote-docker", "promote-docker-ecr")
+	dockerPipeline.Workspace = workspace{Path: "/go"}
+
+	// Add docker service
+	dockerPipeline.Services = []service{
+		dockerService(),
+	}
+	dockerPipeline.Volumes = dockerVolumes()
+
+	dockerPipeline.Steps = append(dockerPipeline.Steps, verifyTaggedBuildStep())
+	dockerPipeline.Steps = append(dockerPipeline.Steps, waitForDockerStep())
+
+	// Pull/Push Steps
+	dockerPipeline.Steps = append(dockerPipeline.Steps, step{
+		Name:  "Pull/retag Docker images",
+		Image: "docker",
+		Environment: map[string]value{
+			"AWS_ACCESS_KEY_ID":     {fromSecret: "PRODUCTION_TELEPORT_DRONE_USER_ECR_KEY"},
+			"AWS_SECRET_ACCESS_KEY": {fromSecret: "PRODUCTION_TELEPORT_DRONE_USER_ECR_SECRET"},
+		},
+		Volumes: dockerVolumeRefs(),
+		Commands: []string{
+			"apk add --no-cache aws-cli",
+			"export VERSION=${DRONE_TAG##v}",
+			// authenticate with staging credentials
+			"aws ecr get-login-password --region=us-west-2 | docker login -u=\"AWS\" --password-stdin " + StagingRegistry,
+			// pull staging images
+			"echo \"---> Pulling images for $${VERSION}\"",
+			fmt.Sprintf("docker pull %s/gravitational/teleport:$${VERSION}", StagingRegistry),
+			fmt.Sprintf("docker pull %s/gravitational/teleport-ent:$${VERSION}", StagingRegistry),
+			fmt.Sprintf("docker pull %s/gravitational/teleport-ent:$${VERSION}-fips", StagingRegistry),
+			// retag images to production naming
+			"echo \"---> Tagging images for $${VERSION}\"",
+			fmt.Sprintf("docker tag %s/gravitational/teleport:$${VERSION} %s/gravitational/teleport:$${VERSION}", StagingRegistry, ProductionRegistry),
+			fmt.Sprintf("docker tag %s/gravitational/teleport-ent:$${VERSION} %s/gravitational/teleport-ent:$${VERSION}", StagingRegistry, ProductionRegistry),
+			fmt.Sprintf("docker tag %s/gravitational/teleport-ent:$${VERSION}-fips %s/gravitational/teleport-ent:$${VERSION}-fips", StagingRegistry, ProductionRegistry),
+			// authenticate with production credentials
+			"docker logout " + StagingRegistry,
+			"aws ecr-public get-login-password --region=us-east-1 | docker login -u=\"AWS\" --password-stdin " + ProductionRegistry,
+			// push production images
+			"echo \"---> Pushing images for $${VERSION}\"",
+			// push production images ECR
+			fmt.Sprintf("docker push %s/gravitational/teleport:$${VERSION}", ProductionRegistry),
+			fmt.Sprintf("docker push %s/gravitational/teleport-ent:$${VERSION}", ProductionRegistry),
+			fmt.Sprintf("docker push %s/gravitational/teleport-ent:$${VERSION}-fips", ProductionRegistry),
+		},
+	})
+
+	return dockerPipeline
+}
+
+func buildDockerPromotionPipelineQuay() pipeline {
+	dockerPipeline := newKubePipeline("promote-docker-quay")
+	dockerPipeline.Trigger = triggerPromote
+	dockerPipeline.Trigger.Target.Include = append(dockerPipeline.Trigger.Target.Include, "promote-docker", "promote-docker-quay")
+	dockerPipeline.Workspace = workspace{Path: "/go"}
+
+	// Add docker service
+	dockerPipeline.Services = []service{
+		dockerService(),
+	}
+	dockerPipeline.Volumes = dockerVolumes()
+
+	dockerPipeline.Steps = append(dockerPipeline.Steps, verifyTaggedBuildStep())
+	dockerPipeline.Steps = append(dockerPipeline.Steps, waitForDockerStep())
+
+	// Pull/Push Steps
+	dockerPipeline.Steps = append(dockerPipeline.Steps, step{
+		Name:  "Pull/retag Docker images",
+		Image: "docker",
+		Environment: map[string]value{
+			"AWS_ACCESS_KEY_ID":     {fromSecret: "STAGING_TELEPORT_DRONE_USER_ECR_KEY"},
+			"AWS_SECRET_ACCESS_KEY": {fromSecret: "STAGING_TELEPORT_DRONE_USER_ECR_SECRET"},
+			"QUAY_USERNAME":         {fromSecret: "PRODUCTION_QUAYIO_DOCKER_USERNAME"},
+			"QUAY_PASSWORD":         {fromSecret: "PRODUCTION_QUAYIO_DOCKER_PASSWORD"},
+		},
+		Volumes: dockerVolumeRefs(),
+		Commands: []string{
+			"apk add --no-cache aws-cli",
+			"export VERSION=${DRONE_TAG##v}",
+			// authenticate with staging credentials
+			"aws ecr get-login-password --region=us-west-2 | docker login -u=\"AWS\" --password-stdin " + StagingRegistry,
+			// pull staging images
+			"echo \"---> Pulling images for $${VERSION}\"",
+			fmt.Sprintf("docker pull %s/gravitational/teleport:$${VERSION}", StagingRegistry),
+			fmt.Sprintf("docker pull %s/gravitational/teleport-ent:$${VERSION}", StagingRegistry),
+			fmt.Sprintf("docker pull %s/gravitational/teleport-ent:$${VERSION}-fips", StagingRegistry),
+			// retag images to production naming
+			"echo \"---> Tagging images for $${VERSION}\"",
+			fmt.Sprintf("docker tag %s/gravitational/teleport:$${VERSION} %s/gravitational/teleport:$${VERSION}", StagingRegistry, ProductionRegistryQuay),
+			fmt.Sprintf("docker tag %s/gravitational/teleport-ent:$${VERSION} %s/gravitational/teleport-ent:$${VERSION}", StagingRegistry, ProductionRegistryQuay),
+			fmt.Sprintf("docker tag %s/gravitational/teleport-ent:$${VERSION}-fips %s/gravitational/teleport-ent:$${VERSION}-fips", StagingRegistry, ProductionRegistryQuay),
+			// authenticate with production credentials
+			"docker logout " + StagingRegistry,
+			"docker login -u=\"$QUAY_USERNAME\" -p=\"$QUAY_PASSWORD\" " + ProductionRegistryQuay,
+			// push production images
+			"echo \"---> Pushing images for $${VERSION}\"",
+			fmt.Sprintf("docker push %s/gravitational/teleport:$${VERSION}", ProductionRegistryQuay),
+			fmt.Sprintf("docker push %s/gravitational/teleport-ent:$${VERSION}", ProductionRegistryQuay),
+			fmt.Sprintf("docker push %s/gravitational/teleport-ent:$${VERSION}-fips", ProductionRegistryQuay),
+		},
+	})
+
+	return dockerPipeline
+}