[v7] Update drone publishing for Amazon ECR

Makefile

@@ -13,8 +13,9 @@
 #   Master/dev branch: "1.0.0-dev"
 VERSION=7.3.23
 
-DOCKER_IMAGE ?= quay.io/gravitational/teleport
-DOCKER_IMAGE_CI ?= quay.io/gravitational/teleport-ci
+DOCKER_IMAGE_QUAY ?= quay.io/gravitational/teleport
+DOCKER_IMAGE_ECR ?= public.ecr.aws/gravitational/teleport
+DOCKER_IMAGE_STAGING ?= 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport
 
 # These are standard autotools variables, don't change them please
 ifneq ("$(wildcard /bin/bash)","")
@@ -660,14 +661,20 @@ install: build
 .PHONY: image
 image: clean docker-binaries
 	cp ./build.assets/charts/Dockerfile $(BUILDDIR)/
-	cd $(BUILDDIR) && docker build --no-cache . -t $(DOCKER_IMAGE):$(VERSION)
+	cd $(BUILDDIR) && docker build --no-cache . -t $(DOCKER_IMAGE_QUAY):$(VERSION)
 	if [ -f e/Makefile ]; then $(MAKE) -C e image; fi
 
 .PHONY: publish
 publish: image
-	docker push $(DOCKER_IMAGE):$(VERSION)
+	docker push $(DOCKER_IMAGE_QUAY):$(VERSION)
 	if [ -f e/Makefile ]; then $(MAKE) -C e publish; fi
 
+.PHONY: publish-ecr
+publish-ecr: image
+	docker tag $(DOCKER_IMAGE_QUAY) $(DOCKER_IMAGE_ECR)
+	docker push $(DOCKER_IMAGE_ECR):$(VERSION)
+	if [ -f e/Makefile ]; then $(MAKE) -C e publish-ecr; fi
+
 # Docker image build in CI.
 # This is run to build and push Docker images to a private repository as part of the build process.
 # When we are ready to make the images public after testing (i.e. when publishing a release), we pull these
@@ -676,12 +683,12 @@ publish: image
 .PHONY: image-ci
 image-ci: clean docker-binaries
 	cp ./build.assets/charts/Dockerfile $(BUILDDIR)/
-	cd $(BUILDDIR) && docker build --no-cache . -t $(DOCKER_IMAGE_CI):$(VERSION)
+	cd $(BUILDDIR) && docker build --no-cache . -t $(DOCKER_IMAGE_STAGING):$(VERSION)
 	if [ -f e/Makefile ]; then $(MAKE) -C e image-ci; fi
 
 .PHONY: publish-ci
 publish-ci: image-ci
-	docker push $(DOCKER_IMAGE_CI):$(VERSION)
+	docker push $(DOCKER_IMAGE_STAGING):$(VERSION)
 	if [ -f e/Makefile ]; then $(MAKE) -C e publish-ci; fi
 
 .PHONY: print-version

dronegen/common.go

@@ -19,6 +19,18 @@ import (
 	"strings"
 )
 
+const (
+	// StagingRegistry is the staging registry images are pushed to before being promoted to the production registry.
+	StagingRegistry = "146628656107.dkr.ecr.us-west-2.amazonaws.com"
+
+	// ProductionRegistry is the production image registry that hosts are customer facing container images.
+	ProductionRegistry = "public.ecr.aws"
+
+	// ProductionRegistryQuay is the production image registry that hosts images on quay.io. Will be deprecated in the future.
+	// See RFD 73 - https://github.com/gravitational/teleport/blob/c18c09f5d562dd46a509154eab4295ad39decc3c/rfd/0073-public-image-registry.md
+	ProductionRegistryQuay = "quay.io"
+)
+
 var (
 	triggerPush = trigger{
 		Event:  triggerRef{Include: []string{"push"}, Exclude: []string{"pull_request"}},
@@ -31,6 +43,12 @@ var (
 		Repo:  triggerRef{Include: []string{"gravitational/*"}},
 	}
 
+	triggerPromote = trigger{
+		Event:  triggerRef{Include: []string{"promote"}},
+		Target: triggerRef{Include: []string{"production"}},
+		Repo:   triggerRef{Include: []string{"gravitational/*"}},
+	}
+
 	volumeDocker = volume{
 		Name: "dockersock",
 		Temp: &volumeTemp{},

dronegen/misc.go

@@ -9,3 +9,13 @@ func updateDocsPipeline() pipeline {
 	// TODO: migrate
 	return pipeline{}
 }
+
+func verifyTaggedBuildStep() step {
+	return step{
+		Name:  "Verify build is tagged",
+		Image: "alpine:latest",
+		Commands: []string{
+			"[ -n ${DRONE_TAG} ] || (echo 'DRONE_TAG is not set. Is the commit tagged?' && exit 1)",
+		},
+	}
+}

dronegen/promote.go

@@ -0,0 +1,132 @@
+// Copyright 2021 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package main
+
+import "fmt"
+
+func promoteBuildPipelines() []pipeline {
+	dockerPipelineECR := buildDockerPromotionPipelineECR()
+	dockerPipelineQuay := buildDockerPromotionPipelineQuay()
+	return []pipeline{dockerPipelineECR, dockerPipelineQuay}
+}
+
+func buildDockerPromotionPipelineECR() pipeline {
+	dockerPipeline := newKubePipeline("promote-docker-ecr")
+	dockerPipeline.Trigger = triggerPromote
+	dockerPipeline.Trigger.Target.Include = append(dockerPipeline.Trigger.Target.Include, "promote-docker", "promote-docker-ecr")
+	dockerPipeline.Workspace = workspace{Path: "/go"}
+
+	// Add docker service
+	dockerPipeline.Services = []service{
+		dockerService(),
+	}
+	dockerPipeline.Volumes = dockerVolumes()
+
+	dockerPipeline.Steps = append(dockerPipeline.Steps, verifyTaggedBuildStep())
+	dockerPipeline.Steps = append(dockerPipeline.Steps, waitForDockerStep())
+
+	// Pull/Push Steps
+	dockerPipeline.Steps = append(dockerPipeline.Steps, step{
+		Name:  "Pull/retag Docker images",
+		Image: "docker",
+		Environment: map[string]value{
+			"AWS_ACCESS_KEY_ID":     {fromSecret: "PRODUCTION_TELEPORT_DRONE_USER_ECR_KEY"},
+			"AWS_SECRET_ACCESS_KEY": {fromSecret: "PRODUCTION_TELEPORT_DRONE_USER_ECR_SECRET"},
+		},
+		Volumes: dockerVolumeRefs(),
+		Commands: []string{
+			"apk add --no-cache aws-cli",
+			"export VERSION=${DRONE_TAG##v}",
+			// authenticate with staging credentials
+			"aws ecr get-login-password --region=us-west-2 | docker login -u=\"AWS\" --password-stdin " + StagingRegistry,
+			// pull staging images
+			"echo \"---> Pulling images for $${VERSION}\"",
+			fmt.Sprintf("docker pull %s/gravitational/teleport:$${VERSION}", StagingRegistry),
+			fmt.Sprintf("docker pull %s/gravitational/teleport-ent:$${VERSION}", StagingRegistry),
+			fmt.Sprintf("docker pull %s/gravitational/teleport-ent:$${VERSION}-fips", StagingRegistry),
+			// retag images to production naming
+			"echo \"---> Tagging images for $${VERSION}\"",
+			fmt.Sprintf("docker tag %s/gravitational/teleport:$${VERSION} %s/gravitational/teleport:$${VERSION}", StagingRegistry, ProductionRegistry),
+			fmt.Sprintf("docker tag %s/gravitational/teleport-ent:$${VERSION} %s/gravitational/teleport-ent:$${VERSION}", StagingRegistry, ProductionRegistry),
+			fmt.Sprintf("docker tag %s/gravitational/teleport-ent:$${VERSION}-fips %s/gravitational/teleport-ent:$${VERSION}-fips", StagingRegistry, ProductionRegistry),
+			// authenticate with production credentials
+			"docker logout " + StagingRegistry,
+			"aws ecr-public get-login-password --region=us-east-1 | docker login -u=\"AWS\" --password-stdin " + ProductionRegistry,
+			// push production images
+			"echo \"---> Pushing images for $${VERSION}\"",
+			// push production images ECR
+			fmt.Sprintf("docker push %s/gravitational/teleport:$${VERSION}", ProductionRegistry),
+			fmt.Sprintf("docker push %s/gravitational/teleport-ent:$${VERSION}", ProductionRegistry),
+			fmt.Sprintf("docker push %s/gravitational/teleport-ent:$${VERSION}-fips", ProductionRegistry),
+		},
+	})
+
+	return dockerPipeline
+}
+
+func buildDockerPromotionPipelineQuay() pipeline {
+	dockerPipeline := newKubePipeline("promote-docker-quay")
+	dockerPipeline.Trigger = triggerPromote
+	dockerPipeline.Trigger.Target.Include = append(dockerPipeline.Trigger.Target.Include, "promote-docker", "promote-docker-quay")
+	dockerPipeline.Workspace = workspace{Path: "/go"}
+
+	// Add docker service
+	dockerPipeline.Services = []service{
+		dockerService(),
+	}
+	dockerPipeline.Volumes = dockerVolumes()
+
+	dockerPipeline.Steps = append(dockerPipeline.Steps, verifyTaggedBuildStep())
+	dockerPipeline.Steps = append(dockerPipeline.Steps, waitForDockerStep())
+
+	// Pull/Push Steps
+	dockerPipeline.Steps = append(dockerPipeline.Steps, step{
+		Name:  "Pull/retag Docker images",
+		Image: "docker",
+		Environment: map[string]value{
+			"AWS_ACCESS_KEY_ID":     {fromSecret: "STAGING_TELEPORT_DRONE_USER_ECR_KEY"},
+			"AWS_SECRET_ACCESS_KEY": {fromSecret: "STAGING_TELEPORT_DRONE_USER_ECR_SECRET"},
+			"QUAY_USERNAME":         {fromSecret: "PRODUCTION_QUAYIO_DOCKER_USERNAME"},
+			"QUAY_PASSWORD":         {fromSecret: "PRODUCTION_QUAYIO_DOCKER_PASSWORD"},
+		},
+		Volumes: dockerVolumeRefs(),
+		Commands: []string{
+			"apk add --no-cache aws-cli",
+			"export VERSION=${DRONE_TAG##v}",
+			// authenticate with staging credentials
+			"aws ecr get-login-password --region=us-west-2 | docker login -u=\"AWS\" --password-stdin " + StagingRegistry,
+			// pull staging images
+			"echo \"---> Pulling images for $${VERSION}\"",
+			fmt.Sprintf("docker pull %s/gravitational/teleport:$${VERSION}", StagingRegistry),
+			fmt.Sprintf("docker pull %s/gravitational/teleport-ent:$${VERSION}", StagingRegistry),
+			fmt.Sprintf("docker pull %s/gravitational/teleport-ent:$${VERSION}-fips", StagingRegistry),
+			// retag images to production naming
+			"echo \"---> Tagging images for $${VERSION}\"",
+			fmt.Sprintf("docker tag %s/gravitational/teleport:$${VERSION} %s/gravitational/teleport:$${VERSION}", StagingRegistry, ProductionRegistryQuay),
+			fmt.Sprintf("docker tag %s/gravitational/teleport-ent:$${VERSION} %s/gravitational/teleport-ent:$${VERSION}", StagingRegistry, ProductionRegistryQuay),
+			fmt.Sprintf("docker tag %s/gravitational/teleport-ent:$${VERSION}-fips %s/gravitational/teleport-ent:$${VERSION}-fips", StagingRegistry, ProductionRegistryQuay),
+			// authenticate with production credentials
+			"docker logout " + StagingRegistry,
+			"docker login -u=\"$QUAY_USERNAME\" -p=\"$QUAY_PASSWORD\" " + ProductionRegistryQuay,
+			// push production images
+			"echo \"---> Pushing images for $${VERSION}\"",
+			fmt.Sprintf("docker push %s/gravitational/teleport:$${VERSION}", ProductionRegistryQuay),
+			fmt.Sprintf("docker push %s/gravitational/teleport-ent:$${VERSION}", ProductionRegistryQuay),
+			fmt.Sprintf("docker push %s/gravitational/teleport-ent:$${VERSION}-fips", ProductionRegistryQuay),
+		},
+	})
+
+	return dockerPipeline
+}