-
Notifications
You must be signed in to change notification settings - Fork 1.8k
/
Copy pathpublish.yaml
198 lines (174 loc) · 7.54 KB
/
publish.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: publish-release
spec:
params:
- name: package
description: package to release (e.g. github.com/<org>/<project>)
default: github.com/tektoncd/pipeline
- name: images
description: List of cmd/* paths to be published as images
default: "controller webhook entrypoint nop kubeconfigwriter git-init imagedigestexporter pullrequest-init"
- name: versionTag
description: The vX.Y.Z version that the artifacts should be tagged with (including `v`)
- name: imageRegistry
description: The target image registry
default: gcr.io
- name: imageRegistryPath
description: The path (project) in the image registry
- name: imageRegistryRegions
description: The target image registry regions
default: "us eu asia"
- name: releaseAsLatest
description: Whether to tag and publish this release as Pipelines' latest
default: "true"
- name: platforms
description: Platforms to publish for the images (e.g. linux/amd64,linux/arm64)
default: linux/amd64,linux/arm64,linux/s390x,linux/ppc64le
- name: serviceAccountPath
description: The name of the service account path within the release-secret workspace
workspaces:
- name: source
description: >-
The workspace where the repo has been cloned. This should ideally
be /go/src/$(params.package) however that is not possible today,
see https://github.com/tektoncd/pipeline/issues/3786. To use this
task on a fork of pipeline change the mountPath below
mountPath: /go/src/github.com/tektoncd/pipeline
- name: release-secret
description: The secret that contains a service account authorized to push to the imageRegistry and to the output bucket
- name: output
description: The release YAML will be written to this workspace
stepTemplate:
env:
- name: "PROJECT_ROOT"
value: "$(workspaces.source.path)"
- name: CONTAINER_REGISTY_CREDENTIALS
value: "$(workspaces.release-secret.path)/$(params.serviceAccountPath)"
- name: CONTAINER_REGISTRY
value: "$(params.imageRegistry)/$(params.imageRegistryPath)"
- name: REGIONS
value: "$(params.imageRegistryRegions)"
- name: OUTPUT_RELEASE_DIR
value: "$(workspaces.output.path)/$(params.versionTag)"
steps:
- name: create-ko-yaml
image: busybox
script: |
#!/bin/sh
set -ex
cat <<EOF > ${PROJECT_ROOT}/.ko.yaml
# This matches the value configured in .ko.yaml
defaultBaseImage: gcr.io/distroless/static:nonroot
baseImageOverrides:
$(params.package)/cmd/git-init: ${CONTAINER_REGISTRY}/$(params.package)/git-init-build-base:latest
# These match values configured in .ko.yaml
$(params.package)/cmd/entrypoint: gcr.io/distroless/base:debug-nonroot
$(params.package)/cmd/pullrequest-init: ${CONTAINER_REGISTRY}/$(params.package)/pullrequest-init-build-base:latest
EOF
cat ${PROJECT_ROOT}/.ko.yaml
- name: container-registy-auth
image: gcr.io/go-containerregistry/crane:debug
script: |
#!/busybox/sh
set -ex
# Login to the container registry
DOCKER_CONFIG=$(cat ${CONTAINER_REGISTY_CREDENTIALS} | \
crane auth login -u _json_key --password-stdin $(params.imageRegistry) 2>&1 | \
sed 's,^.*logged in via \(.*\)$,\1,g')
# Auth with account credentials for all regions.
for region in ${REGIONS}
do
HOSTNAME=${region}.$(params.imageRegistry)
cat ${CONTAINER_REGISTY_CREDENTIALS} | crane auth login -u _json_key --password-stdin ${HOSTNAME}
done
cp ${DOCKER_CONFIG} /workspace/docker-config.json
- name: run-ko
image: gcr.io/tekton-releases/dogfooding/ko:latest
env:
- name: KO_DOCKER_REPO
value: $(params.imageRegistry)/$(params.imageRegistryPath)
- name: GO111MODULE
value: "off"
- name: GOFLAGS
value: "-mod=vendor"
script: |
#!/usr/bin/env sh
set -ex
# Setup docker-auth
DOCKER_CONFIG=~/.docker
mkdir -p ${DOCKER_CONFIG}
cp /workspace/docker-config.json ${DOCKER_CONFIG}/config.json
# Change to directory with our .ko.yaml
cd ${PROJECT_ROOT}
# For each cmd/* directory, include a full gzipped tar of all source in
# vendor/. This is overkill. Some deps' licenses require the source to be
# included in the container image when they're used as a dependency.
# Rather than trying to determine which deps have this requirement (an(params.imageRegistryd
# probably get it wrong), we'll just targz up the whole vendor tree and
# include it. As of 9/20/2019, this amounts to about 11MB of additional
# data in each image.
TMPDIR=$(mktemp -d)
tar cfz ${TMPDIR}/source.tar.gz vendor/
for d in cmd/*; do
if [ -d ${d}/kodata/ ]; then
ln -s ${TMPDIR}/source.tar.gz ${d}/kodata/
fi
done
# Rewrite "devel" to params.versionTag
sed -i -e 's/\(pipeline.tekton.dev\/release\): "devel"/\1: "$(params.versionTag)"/g' -e 's/\(app.kubernetes.io\/version\): "devel"/\1: "$(params.versionTag)"/g' -e 's/\(version\): "devel"/\1: "$(params.versionTag)"/g' -e 's/\("-version"\), "devel"/\1, "$(params.versionTag)"/g' ${PROJECT_ROOT}/config/*.yaml
# Publish images and create release.yaml
mkdir -p $OUTPUT_RELEASE_DIR
ko resolve --platform=$(params.platforms) --preserve-import-paths -t $(params.versionTag) -f ${PROJECT_ROOT}/config/ > $OUTPUT_RELEASE_DIR/release.yaml
# Publish images and create release.notags.yaml
# This is useful if your container runtime doesn't support the `image-reference:tag@digest` notation
# This is currently the case for `cri-o` (and most likely others)
ko resolve --platform=$(params.platforms) --preserve-import-paths -f ${PROJECT_ROOT}/config/ > $OUTPUT_RELEASE_DIR/release.notags.yaml
- name: koparse
image: gcr.io/tekton-releases/dogfooding/koparse:latest
script: |
set -ex
IMAGES_PATH=${CONTAINER_REGISTRY}/$(params.package)
for cmd in $(params.images)
do
IMAGES="${IMAGES} ${IMAGES_PATH}/cmd/${cmd}:$(params.versionTag)"
done
# Parse the built images from the release.yaml generated by ko
koparse \
--path $OUTPUT_RELEASE_DIR/release.yaml \
--base ${IMAGES_PATH} --images ${IMAGES} > /workspace/built_images
- name: tag-images
image: gcr.io/go-containerregistry/crane:debug
script: |
#!/busybox/sh
set -ex
# Setup docker-auth
DOCKER_CONFIG=~/.docker
mkdir -p ${DOCKER_CONFIG}
cp /workspace/docker-config.json ${DOCKER_CONFIG}/config.json
REGIONS="us eu asia"
# Tag the images and put them in all the regions
for IMAGE in $(cat /workspace/built_images)
do
IMAGE_WITHOUT_SHA=${IMAGE%%@*}
IMAGE_WITHOUT_SHA_AND_TAG=${IMAGE_WITHOUT_SHA%%:*}
IMAGE_WITH_SHA=${IMAGE_WITHOUT_SHA_AND_TAG}@${IMAGE##*@}
if [[ "$(params.releaseAsLatest)" == "true" ]]
then
crane cp ${IMAGE_WITH_SHA} ${IMAGE_WITHOUT_SHA_AND_TAG}:latest
fi
for REGION in ${REGIONS}
do
if [[ "$(params.releaseAsLatest)" == "true" ]]
then
for TAG in "latest" $(params.versionTag)
do
crane cp ${IMAGE_WITH_SHA} ${REGION}.${IMAGE_WITHOUT_SHA_AND_TAG}:$TAG
done
else
TAG="$(params.versionTag)"
crane cp ${IMAGE_WITH_SHA} ${REGION}.${IMAGE_WITHOUT_SHA_AND_TAG}:$TAG
fi
done
done