From 9597038f1b383c934cf94dce584cdf10155a9b0d Mon Sep 17 00:00:00 2001 From: Andrea Frittoli Date: Wed, 24 Feb 2021 13:48:57 +0000 Subject: [PATCH] Rework the release pipeline to use workspaces Stop using pipeline resources, use workspaces instead. This allows us to use the catalog tasks for build and test too. Add results with URLs of the published releases. Signed-off-by: Andrea Frittoli --- tekton/account.yaml | 4 - tekton/build-push-ma-base-image.yaml | 67 ++++---- tekton/kustomization.yaml | 3 - tekton/publish.yaml | 189 +++++++++------------- tekton/release-cheat-sheet.md | 78 ++++----- tekton/release-pipeline-nightly.yaml | 113 ------------- tekton/release-pipeline.yaml | 230 +++++++++++++++++---------- tekton/resources.yaml | 139 ---------------- 8 files changed, 293 insertions(+), 530 deletions(-) delete mode 100644 tekton/account.yaml delete mode 100644 tekton/release-pipeline-nightly.yaml delete mode 100644 tekton/resources.yaml diff --git a/tekton/account.yaml b/tekton/account.yaml deleted file mode 100644 index 720059ead8e..00000000000 --- a/tekton/account.yaml +++ /dev/null @@ -1,4 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: release-right-meow \ No newline at end of file diff --git a/tekton/build-push-ma-base-image.yaml b/tekton/build-push-ma-base-image.yaml index d0c9da9610b..e7ec4457f58 100644 --- a/tekton/build-push-ma-base-image.yaml +++ b/tekton/build-push-ma-base-image.yaml 
@@ -4,21 +4,25 @@ metadata: name: build-multiarch-base-image spec: params: + - name: package + description: package to build (e.g. github.com//) + default: github.com/tektoncd/pipeline - name: imageRegistry - - name: pathToProject - description: The path to the folder in the go/src dir that contains the project, which is used by `ko` to name the resulting images + description: The target image registry + - name: imageRegistryPath + description: The path (project) in the container registry - name: platforms description: Platforms to publish for the images (e.g. linux/amd64,linux/arm64) default: linux/amd64,linux/arm64,linux/s390x,linux/ppc64le - resources: - inputs: + - name: serviceAccountPath + description: The name of the service account path within the release-secret workspace + workspaces: - name: source - type: git - targetPath: go/src/github.com/tektoncd/pipeline - outputs: - - name: builtBaseImage - type: image + description: The workspace where the repo has been cloned + - name: release-secret + description: The secret that contains a service account authorized to push to the imageRegistry and to the output bucket steps: + - image: gcr.io/tekton-releases/dogfooding/buildx-gcloud:latest name: build-image env: 
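Review bot: The description of the new `serviceAccountPath` param in build-multiarch-base-image, "The name of the service account path within the release-secret workspace", does not say that the value is the key file's path relative to the workspace root. That is how the script in the next hunk uses it (`$(workspaces.release-secret.path)/$(params.serviceAccountPath)`). I would reword it to `description: Path of the service account key file, relative to the root of the release-secret workspace (e.g. release.json)`; publish.yaml carries the same wording. Since this task only reads the `release-secret` workspace, declaring it with `readOnly: true` would also record that intent. The `spec` block continues outside the hunk.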
@@ -31,43 +35,39 @@ spec: # Use the certs generated by the sidecar daemon. - name: DOCKER_CERT_PATH value: /certs/client - - name: GOOGLE_APPLICATION_CREDENTIALS - value: "/secret/release.json" script: | - #!/usr/bin/env sh - - # Activate service account - gcloud auth activate-service-account --key-file=${GOOGLE_APPLICATION_CREDENTIALS} + #!/usr/bin/env sh + set -ex - # Setup docker-auth - gcloud auth configure-docker + # Activate service account + gcloud auth activate-service-account --key-file=$(workspaces.release-secret.path)/$(params.serviceAccountPath) + # Setup docker-auth + gcloud auth configure-docker - ln -s /root/.docker/cli-plugins ~/.docker/cli-plugins + ln -s /root/.docker/cli-plugins ~/.docker/cli-plugins - # add qemu bins - docker run --rm --privileged tonistiigi/binfmt:latest --install all + # add qemu bins + docker run --rm --privileged tonistiigi/binfmt:latest --install all - #create docker context - docker context create context1 + #create docker context + docker context create context1 - #create builder - docker buildx create context1 --name builder-buildx1 --driver docker-container --platform $(params.platforms) --use + #create builder + docker buildx create context1 --name builder-buildx1 --driver docker-container --platform $(params.platforms) --use - #check the state - docker buildx inspect --bootstrap --builder builder-buildx1 + #check the state + docker buildx inspect --bootstrap --builder builder-buildx1 - #build multi-arch image - docker buildx build \ + #build multi-arch image + docker buildx build \ --platform $(params.platforms) \ - --tag $(params.imageRegistry)/$(params.pathToProject)/$(resources.outputs.builtBaseImage.url) \ + --tag $(params.imageRegistry)/$(params.imageRegistryPath)/$(params.package)/build-base \ --push \ - /workspace/go/src/github.com/tektoncd/pipeline/images + $(workspaces.source.path)/images volumeMounts: - mountPath: /certs/client name: dind-certs - - name: gcp-secret - mountPath: /secret sidecars: - image: 
docker:dind @@ -95,6 +95,3 @@ spec: volumes: - name: dind-certs emptyDir: {} - - name: gcp-secret - secret: - secretName: release-secret diff --git a/tekton/kustomization.yaml b/tekton/kustomization.yaml index 6a913568434..c6068bff043 100644 --- a/tekton/kustomization.yaml +++ b/tekton/kustomization.yaml @@ -1,9 +1,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - account.yaml - build-push-ma-base-image.yaml - publish.yaml - - release-pipeline-nightly.yaml - release-pipeline.yaml - - resources.yaml diff --git a/tekton/publish.yaml b/tekton/publish.yaml index e7e1a8bea57..7944e6e4d04 100644 --- a/tekton/publish.yaml +++ b/tekton/publish.yaml 
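Review bot: In tekton/build-push-ma-base-image.yaml the build-image script splices `$(params.platforms)`, `$(params.imageRegistry)`, `$(params.imageRegistryPath)`, `$(params.package)` and `$(params.serviceAccountPath)` straight into shell text. Tekton substitutes these before the shell parses the script, so whitespace or shell metacharacters in a parameter value become part of the command line of a step that has just activated the release service account. Passing the values through `env` and quoting them in the script, as sketched below, keeps them as data. The same pattern appears in the publish.yaml scripts (the `crane auth login` calls, `for cmd in $(params.images)`, the `sed` on `$(params.versionTag)`), where the new `stepTemplate.env` already offers a place for it. Separately, `tonistiigi/binfmt:latest` is run `--privileged` from a mutable tag; pinning it by digest would make the release build reproducible.

```yaml
    env:
      # … unchanged: existing env entries (DOCKER_CERT_PATH, …) …
      - name: PLATFORMS
        value: $(params.platforms)
      - name: IMAGE_TAG
        value: $(params.imageRegistry)/$(params.imageRegistryPath)/$(params.package)/build-base
      - name: SERVICE_ACCOUNT_KEY
        value: $(workspaces.release-secret.path)/$(params.serviceAccountPath)
    script: |
      #!/usr/bin/env sh
      set -ex

      gcloud auth activate-service-account --key-file="${SERVICE_ACCOUNT_KEY}"
      # … unchanged: docker-auth, cli-plugins link, binfmt install, context creation …
      docker buildx create context1 --name builder-buildx1 --driver docker-container --platform "${PLATFORMS}" --use
      # … unchanged: buildx inspect …
      docker buildx build \
        --platform "${PLATFORMS}" \
        --tag "${IMAGE_TAG}" \
        --push \
        "$(workspaces.source.path)/images"
```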
@@ -1,49 +1,57 @@ apiVersion: tekton.dev/v1beta1 kind: Task metadata: - name: publish-tekton-pipelines + name: publish-release spec: params: - - name: versionTag - description: The vX.Y.Z version that the artifacts should be tagged with (including `v`) - - name: imageRegistry - description: TODO(#569) This is a hack to make it easy for folks to switch the registry being used by the many many image outputs - - name: pathToProject - description: The path to the folder in the go/src dir that contains the project, which is used by `ko` to name the resulting images - - name: releaseAsLatest - description: Whether to tag and publish this release as Pipelines' latest - default: "true" - - name: platforms - description: Platforms to publish for the images (e.g. linux/amd64,linux/arm64) - default: linux/amd64,linux/arm64,linux/s390x,linux/ppc64le - resources: - inputs: + - name: package + description: package to release (e.g. github.com//) + default: github.com/tektoncd/pipeline + - name: images + description: List of cmd/* paths to be published as images + default: "controller webhook entrypoint nop kubeconfigwriter git-init imagedigestexporter pullrequest-init" + - name: versionTag + description: The vX.Y.Z version that the artifacts should be tagged with (including `v`) + - name: imageRegistry + description: The target image registry + default: gcr.io + - name: imageRegistryPath + description: The path (project) in the image registry + - name: imageRegistryRegions + description: The target image registry regions + default: "us eu asia" + - name: releaseAsLatest + description: Whether to tag and publish this release as Pipelines' latest + default: "true" + - name: platforms + description: Platforms to publish for the images (e.g. 
linux/amd64,linux/arm64) + default: linux/amd64,linux/arm64,linux/s390x,linux/ppc64le + - name: serviceAccountPath + description: The name of the service account path within the release-secret workspace + workspaces: - name: source - type: git - targetPath: go/src/github.com/tektoncd/pipeline - - name: bucket - type: storage - outputs: - - name: bucket - type: storage - - name: builtEntrypointImage - type: image - - name: builtNopImage - type: image - - name: builtKubeconfigWriterImage - type: image - - name: builtGitInitImage - type: image - - name: builtControllerImage - type: image - - name: builtWebhookImage - type: image - - name: builtDigestExporterImage - type: image - - name: builtPullRequestInitImage - type: image - - name: notification - type: cloudEvent + description: >- + The workspace where the repo has been cloned. This should ideally + be /go/src/$(params.package) however that is not possible today, + see https://github.com/tektoncd/pipeline/issues/3786. To use this + task on a fork of pipeline change the mountPath below + mountPath: /go/src/github.com/tektoncd/pipeline + - name: release-secret + description: The secret that contains a service account authorized to push to the imageRegistry and to the output bucket + - name: output + description: The release YAML will be written to this workspace + stepTemplate: + env: + - name: "PROJECT_ROOT" + value: "$(workspaces.source.path)" + - name: CONTAINER_REGISTY_CREDENTIALS + value: "$(workspaces.release-secret.path)/$(params.serviceAccountPath)" + - name: CONTAINER_REGISTRY + value: "$(params.imageRegistry)/$(params.imageRegistryPath)" + - name: REGIONS + value: "$(params.imageRegistryRegions)" + - name: OUTPUT_RELEASE_DIR + value: "$(workspaces.output.path)/$(params.versionTag)" steps: - name: create-ko-yaml 
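Review bot: Declaring `release-secret` as a task-level workspace and exporting its key path through `stepTemplate.env` (`CONTAINER_REGISTY_CREDENTIALS`) makes the service-account key available to every step of `publish-release`. The `gcp-secret` volumeMounts removed in the later hunks were attached to individual steps, as far as the hunks show. I would move that env entry from `stepTemplate` into the steps that actually log in to the registry. If the Tekton version in use supports step-level `workspaces`, the mount itself could be limited to those steps too. Otherwise a comment on the workspace, such as `# mounted in all steps; only container-registy-auth and tag-images are expected to read it`, would make the exposure explicit; confirm the step names against the full file.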
@@ -52,68 +60,43 @@ spec: #!/bin/sh set -ex - cat < /workspace/go/src/github.com/tektoncd/pipeline/.ko.yaml + cat < ${PROJECT_ROOT}/.ko.yaml # This matches the value configured in .ko.yaml defaultBaseImage: gcr.io/distroless/static:nonroot baseImageOverrides: - $(params.pathToProject)/$(resources.outputs.builtGitInitImage.url): $(params.imageRegistry)/$(params.pathToProject)/build-base:latest + $(params.package)/cmd/git-init: ${CONTAINER_REGISTRY}/$(params.package)/build-base:latest # These match values configured in .ko.yaml - $(params.pathToProject)/$(resources.outputs.builtEntrypointImage.url): gcr.io/distroless/base:debug-nonroot - $(params.pathToProject)/$(resources.outputs.builtPullRequestInitImage.url): gcr.io/distroless/static:latest + $(params.package)/cmd/entrypoint: gcr.io/distroless/base:debug-nonroot + $(params.package)/cmd/pullrequest-init: gcr.io/distroless/static:latest EOF - cat /workspace/go/src/github.com/tektoncd/pipeline/.ko.yaml - - - name: link-input-bucket-to-output - image: busybox - command: ["cp"] - args: - - -r - - "/workspace/bucket" - - "/workspace/output/" - - - name: ensure-release-dir-exists - image: busybox - command: ["mkdir"] - args: - - "-p" - - "/workspace/output/bucket/previous/$(params.versionTag)/" + cat ${PROJECT_ROOT}/.ko.yaml - name: container-registy-auth image: gcr.io/go-containerregistry/crane:debug - env: - - name: CONTAINER_REGISTY_CREDENTIALS - value: "/secret/release.json" - - name: REGIONS - value: "us eu asia" script: | #!/busybox/sh set -ex - # Login to gcr.io + # Login to the container registry DOCKER_CONFIG=$(cat ${CONTAINER_REGISTY_CREDENTIALS} | \ - crane auth login -u _json_key --password-stdin gcr.io 2>&1 | \ + crane auth login -u _json_key --password-stdin $(params.imageRegistry) 2>&1 | \ sed 's,^.*logged in via \(.*\)$,\1,g') # Auth with account credentials for all regions. 
for region in ${REGIONS} do - HOSTNAME=${region}.gcr.io + HOSTNAME=${region}.$(params.imageRegistry) cat ${CONTAINER_REGISTY_CREDENTIALS} | crane auth login -u _json_key --password-stdin ${HOSTNAME} done cp ${DOCKER_CONFIG} /workspace/docker-config.json - volumeMounts: - - name: gcp-secret - mountPath: /secret - name: run-ko image: gcr.io/tekton-releases/dogfooding/ko:latest env: - name: KO_DOCKER_REPO - value: $(params.imageRegistry) - - name: GOPATH - value: /workspace/go + value: $(params.imageRegistry)/$(params.imageRegistryPath) - name: GO111MODULE value: "off" - name: GOFLAGS 
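Review bot: The `.ko.yaml` written by create-ko-yaml points the git-init base image at `${CONTAINER_REGISTRY}/$(params.package)/build-base:latest`, a mutable tag. build-multiarch-base-image pushes `build-base` with no explicit tag, so ko uses whatever `latest` resolves to when it runs, not necessarily the image this pipeline run built. Another run sharing the registry path, or anything else able to push there, can move the tag in between. Having the base-image task write the pushed digest to a Task result and referencing `build-base@<digest>` here would tie the release to the exact base image; at minimum a comment beside the override should state the dependency on the preceding task. The step definition starts before this hunk.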
@@ -128,68 +111,50 @@ spec: cp /workspace/docker-config.json ${DOCKER_CONFIG}/ # Change to directory with our .ko.yaml - cd /workspace/go/src/github.com/tektoncd/pipeline + cd ${PROJECT_ROOT} # For each cmd/* directory, include a full gzipped tar of all source in # vendor/. This is overkill. Some deps' licenses require the source to be # included in the container image when they're used as a dependency. - # Rather than trying to determine which deps have this requirement (and + # Rather than trying to determine which deps have this requirement (an(params.imageRegistryd # probably get it wrong), we'll just targz up the whole vendor tree and # include it. As of 9/20/2019, this amounts to about 11MB of additional # data in each image. TMPDIR=$(mktemp -d) tar cfz ${TMPDIR}/source.tar.gz vendor/ for d in cmd/*; do - ln -s ${TMPDIR}/source.tar.gz ${d}/kodata/ + if [ -d ${d}/kodata/ ]; then + ln -s ${TMPDIR}/source.tar.gz ${d}/kodata/ + fi done # Rewrite "devel" to params.versionTag - sed -i -e 's/\(pipeline.tekton.dev\/release\): "devel"/\1: "$(params.versionTag)"/g' -e 's/\(app.kubernetes.io\/version\): "devel"/\1: "$(params.versionTag)"/g' -e 's/\(version\): "devel"/\1: "$(params.versionTag)"/g' -e 's/\("-version"\), "devel"/\1, "$(params.versionTag)"/g' /workspace/go/src/github.com/tektoncd/pipeline/config/*.yaml - - OUTPUT_BUCKET_RELEASE_DIR="/workspace/output/bucket/previous/$(params.versionTag)" + sed -i -e 's/\(pipeline.tekton.dev\/release\): "devel"/\1: "$(params.versionTag)"/g' -e 's/\(app.kubernetes.io\/version\): "devel"/\1: "$(params.versionTag)"/g' -e 's/\(version\): "devel"/\1: "$(params.versionTag)"/g' -e 's/\("-version"\), "devel"/\1, "$(params.versionTag)"/g' ${PROJECT_ROOT}/config/*.yaml # Publish images and create release.yaml - ko resolve --platform=$(params.platforms) --preserve-import-paths -t $(params.versionTag) -f /workspace/go/src/github.com/tektoncd/pipeline/config/ > $OUTPUT_BUCKET_RELEASE_DIR/release.yaml + mkdir -p $OUTPUT_RELEASE_DIR + + ko 
resolve --platform=$(params.platforms) --preserve-import-paths -t $(params.versionTag) -f ${PROJECT_ROOT}/config/ > $OUTPUT_RELEASE_DIR/release.yaml # Publish images and create release.notags.yaml # This is useful if your container runtime doesn't support the `image-reference:tag@digest` notation # This is currently the case for `cri-o` (and most likely others) - ko resolve --platform=$(params.platforms) --preserve-import-paths -f /workspace/go/src/github.com/tektoncd/pipeline/config/ > $OUTPUT_BUCKET_RELEASE_DIR/release.notags.yaml - - - name: copy-to-latest-bucket - image: busybox - workingDir: "/workspace/output/bucket" - script: | - #!/bin/sh - set -ex - - if [[ "$(params.releaseAsLatest)" == "true" ]] - then - mkdir -p "/workspace/output/bucket/latest/" - OUTPUT_BUCKET_RELEASE_DIR="/workspace/output/bucket/previous/$(params.versionTag)" - OUTPUT_BUCKET_LATEST_DIR="/workspace/output/bucket/latest" - cp "$OUTPUT_BUCKET_RELEASE_DIR/release.yaml" "$OUTPUT_BUCKET_LATEST_DIR/release.yaml" - cp "$OUTPUT_BUCKET_RELEASE_DIR/release.notags.yaml" "$OUTPUT_BUCKET_LATEST_DIR/release.notags.yaml" - fi + ko resolve --platform=$(params.platforms) --preserve-import-paths -f ${PROJECT_ROOT}/config/ > $OUTPUT_RELEASE_DIR/release.notags.yaml - name: koparse image: gcr.io/tekton-releases/dogfooding/koparse:latest script: | set -ex - IMAGES_PATH=$(params.imageRegistry)/$(params.pathToProject) + IMAGES_PATH=${CONTAINER_REGISTRY}/$(params.package) - IMAGES="${IMAGES_PATH}/$(resources.outputs.builtEntrypointImage.url):$(params.versionTag)" - IMAGES="${IMAGES} ${IMAGES_PATH}/$(resources.outputs.builtNopImage.url):$(params.versionTag)" - IMAGES="${IMAGES} ${IMAGES_PATH}/$(resources.outputs.builtKubeconfigWriterImage.url):$(params.versionTag)" - IMAGES="${IMAGES} ${IMAGES_PATH}/$(resources.outputs.builtGitInitImage.url):$(params.versionTag)" - IMAGES="${IMAGES} ${IMAGES_PATH}/$(resources.outputs.builtControllerImage.url):$(params.versionTag)" - IMAGES="${IMAGES} 
${IMAGES_PATH}/$(resources.outputs.builtWebhookImage.url):$(params.versionTag)" - IMAGES="${IMAGES} ${IMAGES_PATH}/$(resources.outputs.builtDigestExporterImage.url):$(params.versionTag)" - IMAGES="${IMAGES} ${IMAGES_PATH}/$(resources.outputs.builtPullRequestInitImage.url):$(params.versionTag)" + for cmd in $(params.images) + do + IMAGES="${IMAGES} ${IMAGES_PATH}/cmd/${cmd}:$(params.versionTag)" + done # Parse the built images from the release.yaml generated by ko koparse \ - --path /workspace/output/bucket/previous/$(params.versionTag)/release.yaml \ + --path $OUTPUT_RELEASE_DIR/release.yaml \ --base ${IMAGES_PATH} --images ${IMAGES} > /workspace/built_images - name: tag-images @@ -231,11 +196,3 @@ spec: fi done done - volumeMounts: - - name: gcp-secret - mountPath: /secret - - volumes: - - name: gcp-secret - secret: - secretName: release-secret diff --git a/tekton/release-cheat-sheet.md b/tekton/release-cheat-sheet.md index 2cacd63d523..3035f34ae54 100644 --- a/tekton/release-cheat-sheet.md +++ b/tekton/release-cheat-sheet.md 
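Review bot: The comment in the run-ko script now reads `# Rather than trying to determine which deps have this requirement (an(params.imageRegistryd`, which looks like a stray paste into the original `(and`. It should be restored to `# Rather than trying to determine which deps have this requirement (and`. In the koparse step, `IMAGES` is first read inside the new `for cmd in $(params.images)` loop without being set, so it inherits any `IMAGES` variable already present in the step environment. Adding `IMAGES=""` before the loop makes the list depend only on the parameter. Both scripts start outside this hunk.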
@@ -12,64 +12,66 @@ the pipelines repo, a terminal window and a text editor. most recent commit at https://github.com/tektoncd/pipeline/commits/master and note the commit's hash. -1. Create a `.yaml` file containing PipelineResource for new version. e.g. - - ```yaml - apiVersion: tekton.dev/v1alpha1 - kind: PipelineResource - metadata: - name: # Example: tekton-pipelines-v0-11-2 - spec: - type: git - params: - - name: url - value: https://github.com/tektoncd/pipeline - - name: revision - value: # The commmit you selected in the last step, e.g. 33e0847e67fc9804689e50371746c3cdad4b0a9d - ``` - -1. Apply file you just made to the dogfooding cluster: `kubectl --context dogfooding apply -f your-pipeline-resource-file.yaml` - 1. Create environment variables for bash scripts in later steps. ```bash - TEKTON_VERSION=# Example: v0.11.0 - TEKTON_RELEASE_GIT_RESOURCE=# Name of the resource you created, e.g.: tekton-pipelines-v0-11-0 + TEKTON_VERSION=# Example: v0.21.0 + TEKTON_RELEASE_GIT_SHA=# SHA of the release to be released TEKTON_IMAGE_REGISTRY=gcr.io/tekton-releases # only change if you want to publish to a different registry ``` 1. Confirm commit SHA matches what you want to release. ```bash - kubectl --context dogfooding get pipelineresource "$TEKTON_RELEASE_GIT_RESOURCE" -o=jsonpath="{'Target Revision: '}{.spec.params[?(@.name == 'revision')].value}{'\n'}" + git show $TEKTON_RELEASE_GIT_SHA ``` +1. Create a workspace template file: + + ```bash + cat < workspace-template.yaml + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi + EOF + ``` 1. Execute the release pipeline. 
- **If you are backporting include this flag: `--param=releaseAsLatest="false"`** + **If you are back-porting include this flag: `--param=releaseAsLatest="false"`** ```bash - tkn --context dogfooding pipeline start \ - --param=versionTag="${TEKTON_VERSION}" \ - --param=imageRegistry="${TEKTON_IMAGE_REGISTRY}" \ + tkn --context dogfooding pipeline start pipeline-release \ --serviceaccount=release-right-meow \ - --resource=source-repo="${TEKTON_RELEASE_GIT_RESOURCE}" \ - --resource=bucket=pipeline-tekton-bucket \ - --resource=builtBaseImage=base-image \ - --resource=builtEntrypointImage=entrypoint-image \ - --resource=builtNopImage=nop-image \ - --resource=builtKubeconfigWriterImage=kubeconfigwriter-image \ - --resource=builtGitInitImage=git-init-image \ - --resource=builtControllerImage=controller-image \ - --resource=builtWebhookImage=webhook-image \ - --resource=builtDigestExporterImage=digest-exporter-image \ - --resource=builtPullRequestInitImage=pull-request-init-image \ - --resource=notification=post-release-trigger \ - pipeline-release + --param=gitRevision="${TEKTON_RELEASE_GIT_SHA}" \ + --param=serviceAccountPath=release.json \ + --workspace name=release-secret,secret=release-secret \ + --workspace name=workarea,volumeClaimTemplateFile=workspace-template.yaml ``` 1. Watch logs of pipeline-release. +1. Once the pipeline is complete, check its results: + + ```bash + tkn pr describe + + (...) + 📝 Results + + NAME VALUE + ∙ commit-sha ff6d7abebde12460aecd061ab0f6fd21053ba8a7 + ∙ release-file https://storage.googleapis.com/tekton-releases-nightly/pipeline/previous/v20210223-xyzxyz/release.yaml + ∙ release-file-no-tag https://storage.googleapis.com/tekton-releases-nightly/pipeline/previous/v20210223-xyzxyz/release.notag.yaml + + (...) + ``` + + The `commit-sha` should match `$TEKTON_RELEASE_GIT_SHA`. + The two URLs can be opened in the browser or via `curl` to download the release manifests. + 1. The YAMLs are now released! 
Anyone installing Tekton Pipelines will now get the new version. Time to create a new GitHub release announcement: 1. Choose a name for the new release! The usual pattern is "< cat breed > < famous robot >" e.g. "Ragdoll Norby". diff --git a/tekton/release-pipeline-nightly.yaml b/tekton/release-pipeline-nightly.yaml deleted file mode 100644 index 370f5a050ff..00000000000 --- a/tekton/release-pipeline-nightly.yaml +++ /dev/null 
@@ -1,113 +0,0 @@ -apiVersion: tekton.dev/v1beta1 -kind: Pipeline -metadata: - name: pipeline-release-nightly -spec: - params: - - name: package - description: package to release - default: github.com/tektoncd/pipeline - - name: imageRegistry - default: gcr.io/tekton-nightly - - name: versionTag - description: The X.Y.Z version that the artifacts should be tagged with - resources: - - name: source-repo - type: git - - name: bucket - type: storage - - name: builtBaseImage - type: image - - name: builtEntrypointImage - type: image - - name: builtNopImage - type: image - - name: builtKubeconfigWriterImage - type: image - - name: builtGitInitImage - type: image - - name: builtControllerImage - type: image - - name: builtWebhookImage - type: image - - name: builtDigestExporterImage - type: image - - name: builtPullRequestInitImage - type: image - - name: notification - type: cloudEvent - tasks: - - name: unit-tests - taskRef: - name: golang-test-legacy - params: - - name: package - value: $(params.package) - resources: - inputs: - - name: source - resource: source-repo - - name: build - taskRef: - name: golang-build-legacy - params: - - name: package - value: $(params.package) - resources: - inputs: - - name: source - resource: source-repo - - name: build-base-image - runAfter: [build, unit-tests] - taskRef: - name: build-multiarch-base-image - params: - - name: pathToProject - value: $(params.package) - - name: imageRegistry - value: $(params.imageRegistry) - resources: - inputs: - - name: source - resource: source-repo - outputs: - - name: builtBaseImage - resource: builtBaseImage - - name: publish-images - runAfter: [build-base-image, build, unit-tests] - taskRef: - name: publish-tekton-pipelines - params: - - name: pathToProject - value: $(params.package) - - name: versionTag - value: $(params.versionTag) - - name: imageRegistry - value: $(params.imageRegistry) - resources: - inputs: - - name: source - resource: source-repo - - name: bucket - resource: bucket - 
outputs: - - name: bucket - resource: bucket - - name: builtEntrypointImage - resource: builtEntrypointImage - - name: builtNopImage - resource: builtNopImage - - name: builtKubeconfigWriterImage - resource: builtKubeconfigWriterImage - - name: builtGitInitImage - resource: builtGitInitImage - - name: builtControllerImage - resource: builtControllerImage - - name: builtWebhookImage - resource: builtWebhookImage - - name: builtDigestExporterImage - resource: builtDigestExporterImage - - name: builtPullRequestInitImage - resource: builtPullRequestInitImage - - name: notification - resource: notification diff --git a/tekton/release-pipeline.yaml b/tekton/release-pipeline.yaml index fa5aba113a6..efafc949ae5 100644 --- a/tekton/release-pipeline.yaml +++ b/tekton/release-pipeline.yaml 
@@ -8,43 +8,57 @@ spec: - name: package description: package to release default: github.com/tektoncd/pipeline + - name: gitRevision + description: the git revision to release - name: imageRegistry - default: gcr.io/tekton-releases + description: The target image registry + default: gcr.io + - name: imageRegistryPath + description: The path (project) in the image registry + default: tekton-releases - name: versionTag description: The X.Y.Z version that the artifacts should be tagged with + - name: releaseBucket + description: bucket where the release is stored. The bucket must be project specific. + default: gs://tekton-releases-nightly/pipeline - name: releaseAsLatest description: Whether to tag and publish this release as Pipelines' latest default: "true" - name: platforms description: Platforms to publish for the images (e.g. linux/amd64,linux/arm64) default: linux/amd64,linux/arm64,linux/s390x,linux/ppc64le - resources: - - name: source-repo - type: git - - name: bucket - type: storage - - name: builtBaseImage - type: image - - name: builtEntrypointImage - type: image - - name: builtNopImage - type: image - - name: builtKubeconfigWriterImage - type: image - - name: builtGitInitImage - type: image - - name: builtControllerImage - type: image - - name: builtWebhookImage - type: image - - name: builtDigestExporterImage - type: image - - name: builtPullRequestInitImage - type: image - - name: notification - type: cloudEvent + - name: serviceAccountPath + description: The path to the service account file within the release-secret workspace + workspaces: + - name: workarea + description: The workspace where the repo will be cloned. 
+ - name: release-secret + description: The secret that contains a service account authorized to push to the imageRegistry and to the output bucket + results: + - name: commit-sha + description: the sha of the commit that was released + value: $(tasks.git-clone.results.commit) + - name: release-file + description: the URL of the release file + value: $(tasks.report-bucket.results.release) + - name: release-file-no-tag + description: the URL of the release file + value: $(tasks.report-bucket.results.release-no-tag) tasks: + - name: git-clone + taskRef: + name: git-clone + workspaces: + - name: output + workspace: workarea + subpath: git + params: + - name: url + value: https://$(params.package) + - name: revision + value: $(params.gitRevision) - name: precheck + runAfter: [git-clone] taskRef: name: prerelease-checks params: 
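Review bot: The new pipeline defaults point at different environments: `imageRegistryPath` defaults to `tekton-releases` while `releaseBucket` defaults to `gs://tekton-releases-nightly/pipeline`. A run that relies on the defaults would push images under the release registry path and upload the manifests to the nightly bucket. For a release pipeline I would drop both defaults so the operator has to name the target, or align them and state the environment in the descriptions, e.g. `description: bucket where the release is stored; must belong to the same project as imageRegistryPath`. The `release-file-no-tag` result also repeats the description `the URL of the release file`; `the URL of the release file without image tags` would tell the two apart.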
@@ -52,95 +66,147 @@ spec: value: $(params.package) - name: versionTag value: $(params.versionTag) - resources: - inputs: - - name: release-bucket - resource: bucket - - name: source-to-release - resource: source-repo + - name: releaseBucket + value: $(params.releaseBucket) + workspaces: + - name: source-to-release + workspace: workarea + subpath: git - name: unit-tests runAfter: [precheck] taskRef: - name: golang-test-legacy + name: golang-test params: - name: package value: $(params.package) - name: flags value: -v -mod=vendor - resources: - inputs: - - name: source - resource: source-repo + workspaces: + - name: source + workspace: workarea + subpath: git - name: build runAfter: [precheck] taskRef: - name: golang-build-legacy + name: golang-build params: - name: package value: $(params.package) - - name: flags - value: -mod=vendor - resources: - inputs: - - name: source - resource: source-repo + - name: packages + value: ./cmd/... + workspaces: + - name: source + workspace: workarea + subpath: git - name: build-base-image runAfter: [build, unit-tests] taskRef: name: build-multiarch-base-image params: - - name: pathToProject + - name: package value: $(params.package) - name: imageRegistry value: $(params.imageRegistry) + - name: imageRegistryPath + value: $(params.imageRegistryPath) - name: platforms value: $(params.platforms) - resources: - inputs: - - name: source - resource: source-repo - outputs: - - name: builtBaseImage - resource: builtBaseImage + - name: serviceAccountPath + value: $(params.serviceAccountPath) + workspaces: + - name: source + workspace: workarea + subpath: git + - name: release-secret + workspace: release-secret - name: publish-images - runAfter: [build, unit-tests] + runAfter: [build-base-image] taskRef: - name: publish-tekton-pipelines + name: publish-release params: - - name: pathToProject + - name: package value: $(params.package) - name: versionTag value: $(params.versionTag) - name: imageRegistry value: $(params.imageRegistry) + - 
name: imageRegistryPath + value: $(params.imageRegistryPath) - name: releaseAsLatest value: $(params.releaseAsLatest) - name: platforms value: $(params.platforms) - resources: - inputs: - - name: source - resource: source-repo - - name: bucket - resource: bucket - outputs: - - name: bucket - resource: bucket - - name: builtEntrypointImage - resource: builtEntrypointImage - - name: builtNopImage - resource: builtNopImage - - name: builtKubeconfigWriterImage - resource: builtKubeconfigWriterImage - - name: builtGitInitImage - resource: builtGitInitImage - - name: builtControllerImage - resource: builtControllerImage - - name: builtWebhookImage - resource: builtWebhookImage - - name: builtDigestExporterImage - resource: builtDigestExporterImage - - name: builtPullRequestInitImage - resource: builtPullRequestInitImage - - name: notification - resource: notification + - name: serviceAccountPath + value: $(params.serviceAccountPath) + workspaces: + - name: source + workspace: workarea + subpath: git + - name: output + workspace: workarea + subpath: bucket + - name: release-secret + workspace: release-secret + - name: publish-to-bucket + runAfter: [publish-images] + taskRef: + name: gcs-upload + workspaces: + - name: credentials + workspace: release-secret + - name: source + workspace: workarea + subpath: bucket + params: + - name: location + value: $(params.releaseBucket)/previous/$(params.versionTag) + - name: path + value: $(params.versionTag) + - name: serviceAccountPath + value: $(params.serviceAccountPath) + - name: publish-to-bucket-latest + runAfter: [publish-images] + when: + - input: "$(params.releaseAsLatest)" + operator: in + values: ["true"] + taskRef: + name: gcs-upload + workspaces: + - name: credentials + workspace: release-secret + - name: source + workspace: workarea + subpath: bucket + params: + - name: location + value: $(params.releaseBucket)/latest + - name: path + value: $(params.versionTag) + - name: serviceAccountPath + value: 
$(params.serviceAccountPath) + - name: report-bucket + runAfter: [publish-to-bucket] + params: + - name: releaseBucket + value: $(params.releaseBucket) + - name: versionTag + value: $(params.versionTag) + taskSpec: + params: + - name: releaseBucket + - name: versionTag + results: + - name: release + description: The full URL of the release file in the bucket + - name: release-no-tag + description: The full URL of the release file (no tag) in the bucket + steps: + - name: create-results + image: alpine + script: | + BASE_URL=$(echo "$(params.releaseBucket)/previous/$(params.versionTag)") + # If the bucket is in the gs:// return the corresponding public https URL + BASE_URL=$(echo ${BASE_URL} | sed 's,gs://,https://storage.googleapis.com/,g') + echo "${BASE_URL}/release.yaml" > $(results.release.path) + echo "${BASE_URL}/release.notag.yaml" > $(results.release-no-tag.path) diff --git a/tekton/resources.yaml b/tekton/resources.yaml deleted file mode 100644 index a506d0b9bf2..00000000000 --- a/tekton/resources.yaml +++ /dev/null 
@@ -1,139 +0,0 @@ -# apiVersion: tekton.dev/v1alpha1 -# kind: PipelineResource -# metadata: -# name: tekton-pipelines-git -# spec: -# type: git -# params: -# - name: url -# value: https://github.com/tektoncd/pipeline -# - name: revision -# value: vX.Y.Z-invalid-tags-boouuhhh # REPLACE with the commit you want to release -# --- -# apiVersion: tekton.dev/v1alpha1 -# kind: PipelineResource -# metadata: -# name: post-release-trigger -# spec: -# type: cloudEvent -# params: -# - name: targetURI -# value: http://post-release-trigger-sink # This has to be changed to a valid URL -# --- -apiVersion: tekton.dev/v1alpha1 -kind: PipelineResource -metadata: - name: pipeline-tekton-bucket -spec: - type: storage - params: - - name: type - value: gcs - - name: location - value: gs://tekton-releases/pipeline - - name: dir - value: "y" ---- -apiVersion: tekton.dev/v1alpha1 -kind: PipelineResource -metadata: - name: pipeline-tekton-bucket-nightly -spec: - type: storage - params: - - name: type - value: gcs - - name: location - value: gs://tekton-releases-nightly - - name: dir - value: "y" ---- -apiVersion: tekton.dev/v1alpha1 -kind: PipelineResource -metadata: - name: base-image -spec: - type: image - params: - - name: url - value: build-base # Registry is provided via parameter, this is a hack see #569 ---- -apiVersion: tekton.dev/v1alpha1 -kind: PipelineResource -metadata: - name: entrypoint-image -spec: - type: image - params: - - name: url - value: cmd/entrypoint # Registry is provided via parameter, this is a hack see #569 ---- -apiVersion: tekton.dev/v1alpha1 -kind: PipelineResource -metadata: - name: nop-image -spec: - type: image - params: - - name: url - value: cmd/nop # Registry is provided via parameter, this is a hack see #569 ---- -apiVersion: tekton.dev/v1alpha1 -kind: PipelineResource -metadata: - name: kubeconfigwriter-image -spec: - type: image - params: - - name: url - value: cmd/kubeconfigwriter # Registry is provided via parameter, this is a hack see #569 ---- 
-apiVersion: tekton.dev/v1alpha1 -kind: PipelineResource -metadata: - name: git-init-image -spec: - type: image - params: - - name: url - value: cmd/git-init # Registry is provided via parameter, this is a hack see #569 ---- -apiVersion: tekton.dev/v1alpha1 -kind: PipelineResource -metadata: - name: controller-image -spec: - type: image - params: - - name: url - value: cmd/controller # Registry is provided via parameter, this is a hack see #569 ---- -apiVersion: tekton.dev/v1alpha1 -kind: PipelineResource -metadata: - name: webhook-image -spec: - type: image - params: - - name: url - value: cmd/webhook # Registry is provided via parameter, this is a hack see #569 ---- -apiVersion: tekton.dev/v1alpha1 -kind: PipelineResource -metadata: - name: digest-exporter-image -spec: - type: image - params: - - name: url - value: cmd/imagedigestexporter # Registry is provided via parameter, this is a hack see #569 ---- -apiVersion: tekton.dev/v1alpha1 -kind: PipelineResource -metadata: - name: pull-request-init-image -spec: - type: image - params: - - name: url - value: cmd/pullrequest-init # Registry is provided via parameter, this is a hack see #569