Skip to content

Commit

Permalink
Merge pull request kubernetes#1229 from justaugustus/vdf
Browse files Browse the repository at this point in the history
[VDF] Partial revert of k8s.gcr.io cutover
  • Loading branch information
k8s-ci-robot authored Apr 3, 2020
2 parents 2614864 + 36eb1e7 commit b60c168
Show file tree
Hide file tree
Showing 2 changed files with 32 additions and 33 deletions.
57 changes: 25 additions & 32 deletions anago
Original file line number Diff line number Diff line change
Expand Up @@ -259,11 +259,12 @@ copy_logs_to_workdir () {
}

###############################################################################
# Ensures we have write access to a specified registry
# @param registry - A registry to check the ACLs for
# Ensures all registries that will be used during both mock and --nomock
# runs allow write access so we don't fall over later
# @param registries - A space separated list of registries
#
ensure_registry_acls () {
local registry="$1"
local registries=($1)
local emptyfile="$TMPDIR/empty-file.$$"
local gs_path
local r
Expand All @@ -275,30 +276,27 @@ ensure_registry_acls () {

# Short of creating a hardcoded map of project-id to registry, translating
# _ to - seems to be a simple rule to keep this, well, simple.
r=${registry//_/-}

# When we are no-mock mode we need to perform an image promotion, so it's
# unnecessary to check for write access to the production container registry.
if ((FLAGS_nomock)); then
logecho -n "Skipping container registry ACL check on $GCRIO_PATH_PROD in no-mock mode: "
logecho $OK
return 0
else
artifact_namespace="${r/gcr.io\//}"
fi
for r in ${registries[*]//_/-}; do
# In this context, "google-containers" is still used
if [[ "$r" == "$GCRIO_PATH_PROD" ]]; then
artifact_namespace="google-containers"
else
artifact_namespace="${r/gcr.io\//}"
fi

gs_path="gs://artifacts.$artifact_namespace.appspot.com/containers"
logecho -n "Checking write access to registry $r: "
if logrun $GSUTIL -q cp $emptyfile $gs_path && \
logrun $GSUTIL -q rm $gs_path/${emptyfile##*/}; then
logecho $OK
else
logecho $FAILED
((retcode++))
fi
gs_path="gs://artifacts.$artifact_namespace.appspot.com/containers"
logecho -n "Checking write access to registry $r: "
if logrun $GSUTIL -q cp $emptyfile $gs_path && \
logrun $GSUTIL -q rm $gs_path/${emptyfile##*/}; then
logecho $OK
else
logecho $FAILED
((retcode++))
fi

# Always reset back to $USER
((FLAGS_gcb)) || logrun $GCLOUD config set account $GCP_USER
# Always reset back to $USER
((FLAGS_gcb)) || logrun $GCLOUD config set account $GCP_USER
done

logrun rm -f $emptyfile

Expand Down Expand Up @@ -380,7 +378,7 @@ check_prerequisites () {

# Verify write access to all container registries that might be used
# to ensure both mock and --nomock runs will work.
ensure_registry_acls "$GCRIO_PATH" || return 1
ensure_registry_acls "${ALL_CONTAINER_REGISTRIES[*]}" || return 1

logecho -n "Checking cloud project state: "
GCLOUD_PROJECT=$($GCLOUD config get-value project 2>/dev/null)
Expand Down Expand Up @@ -1446,13 +1444,8 @@ push_all_artifacts () {
gs://$RELEASE_BUCKET/$BUCKET_TYPE/$version || return 1
fi

# When we are no-mock mode we need to perform an image promotion, so
# instead of pushing to the production container registry, we validate
# that the manifest is populated on the remote registry.
if ! ((FLAGS_nomock)); then
common::runstep release::docker::release \
common::runstep release::docker::release \
$KUBE_DOCKER_REGISTRY $version $BUILD_OUTPUT-$version || return 1
fi

common::runstep release::docker::validate_remote_manifests \
$KUBE_DOCKER_REGISTRY $version $BUILD_OUTPUT-$version || return 1
Expand Down
8 changes: 7 additions & 1 deletion lib/releaselib.sh
Original file line number Diff line number Diff line change
Expand Up @@ -34,7 +34,7 @@ readonly GCRIO_PATH_PROD="k8s.gcr.io"
# TODO(vdf): Remove all GCRIO_PATH_PROD_PUSH logic once the k8s.gcr.io vanity
# domain flip (VDF) is successful
readonly GCRIO_PATH_PROD_PUSH="gcr.io/google-containers"
readonly GCRIO_PATH_TEST="gcr.io/k8s-staging-kubernetes"
readonly GCRIO_PATH_TEST="gcr.io/$TEST_PROJECT"

readonly KUBE_CROSS_REGISTRY="us.gcr.io/k8s-artifacts-prod/build-image"
readonly KUBE_CROSS_IMAGE="${KUBE_CROSS_REGISTRY}/kube-cross"
Expand Down Expand Up @@ -1362,6 +1362,9 @@ release::send_announcement () {
# READ_RELEASE_BUCKETS - array of readable buckets for multiple sourcing of
# mock staged builds
# GCRIO_PATH - GCR path based on mock or --nomock
# ALL_CONTAINER_REGISTRIES - when running mock (via GCB) this array also
# contains k8s.gcr.io so we can check access in mock
# mode before an actual release occurs
release::set_globals () {
logecho -n "Setting global variables: "

Expand All @@ -1388,6 +1391,7 @@ release::set_globals () {
fi

GCRIO_PATH="${FLAGS_gcrio_path:-$GCRIO_PATH_TEST}"
ALL_CONTAINER_REGISTRIES=("$GCRIO_PATH")

if ((FLAGS_nomock)); then
RELEASE_BUCKET="$PROD_BUCKET"
Expand Down Expand Up @@ -1420,6 +1424,8 @@ release::set_globals () {
WRITE_RELEASE_BUCKETS=("$RELEASE_BUCKET")
READ_RELEASE_BUCKETS+=("$RELEASE_BUCKET")

ALL_CONTAINER_REGISTRIES=("$GCRIO_PATH")

# TODO:
# These KUBE_ globals extend beyond the scope of the new release refactored
# tooling so to pass these through as flags will require fixes across
Expand Down

0 comments on commit b60c168

Please sign in to comment.