Publish operator and bundle images for RedHat/OpenShift

Updating the build/release scripts to handle publishing the bundle
images and running preflight on them.

The publish-openshift script downloads the tagged release from
DockerHub, retags it correctly for the RedHat scanning repo, pushes it,
and finally runs the preflight check on it.

The openshift-bundle script largely does the same, only it publishes the
bundle image rather than the operator image. The same script is used for
both the certified and marketplace bundles. Passing `MARKETPLACE=1` will
use the marketplace bundle values rather than the certified ones
(default).

build/release/teamcity-publish-openshift-bundle.sh

@@ -17,38 +17,54 @@ set -euxo pipefail
 
 source "$(dirname "${0}")/teamcity-support.sh"
 
+# Default values are defined for the certified bundle.
+RH_PROJECT="5f5a433f9d6546ed7aa8634d"
+RH_REGISTRY="scan.connect.redhat.com"
+RH_REPO="ospid-857fe786-3eb7-4508-aafd-cc74c1b1dc24/cockroachdb-operator-bundle"
+BUNDLE_DIR="bundle/cockroachdb-certified"
 
-tc_start_block "Variable Setup"
-VERSION="v"$(cat version.txt)
-# Matching the version name regex from within the cockroach code except
-# for the `metadata` part at the end because Docker tags don't support
-# `+` in the tag name.
-# https://github.com/cockroachdb/cockroach/blob/4c6864b44b9044874488cfedee3a31e6b23a6790/pkg/util/version/version.go#L75
-image_tag="$(echo "${VERSION}" | grep -E -o '^v(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)(-[-.0-9A-Za-z]+)?$')"
-#                                         ^major           ^minor           ^patch         ^preRelease
-
-if [[ -z "$image_tag" ]] ; then
-    echo "Invalid VERSION \"${VERSION}\". Must be of the format \"vMAJOR.MINOR.PATCH(-PRERELEASE)?\"."
-    exit 1
+# If this is the marketplace bundle, update accordingly.
+if ! [[ -z "${MARKETPLACE}" ]]; then
+  RH_PROJECT="61765afbdd607bfc82e643b8"
+  RH_REPO="ospid-61765afbdd607bfc82e643b8/cockroachdb-operator-bundle-marketplace"
+  BUNDLE_DIR="bundle/cockroachdb-certified-rhmp"
 fi
 
-rhel_registry="scan.connect.redhat.com"
-rh_bundle_image_repository="ospid-857fe786-3eb7-4508-aafd-cc74c1b1dc24/cockroachdb-operator-bundle"
-image="$rhel_registry/$rh_bundle_image_repository:$image_tag"
+# If it's a dry run, add -dryrun to the image
+if ! [[ -z "${DRY_RUN}" ]]; then RH_REPO="${RH_REPO}-dryrun"; fi
 
-if ! [[ -z "${DRY_RUN}" ]] ; then
-  image="${image}-dryrun"
-fi
-tc_end_block "Variable Setup"
+IMAGE="${RH_REGISTRY}/${RH_REPO}:${TAG}"
+
+main() {
+  docker_login "${RH_REGISTRY}" "${OPERATOR_REDHAT_REGISTRY_USER}" "${OPERATOR_REDHAT_REGISTRY_KEY}"
+
+  generate_bundle
+  publish_bundle_image
+  run_preflight
+}
+
+generate_bundle() {
+  # create the certified and marketplace bundles
+  tc_start_block "Generate bundle"
+  make release/generate-bundle
+  tc_end_block "Generate bundle"
+}
+
+publish_bundle_image() {
+  tc_start_block "Make and push bundle image"
 
+  pushd "${BUNDLE_DIR}"
+  docker build -t "${IMAGE}" .
+  docker push "${IMAGE}"
+  popd
 
-tc_start_block "Make and push docker images"
-configure_docker_creds
-docker_login "$rhel_registry" "$OPERATOR_BUNDLE_REDHAT_REGISTRY_USER" "$OPERATOR_BUNDLE_REDHAT_REGISTRY_KEY"
+  tc_end_block "Make and push bundle image"
+}
 
-# TODO(rail): switch to bazel generated images when it supports "FROM: scratch"
-cd deploy/certified-metadata-bundle/cockroach-operator
-docker build -t $image -f bundle.Dockerfile .
-docker push $image
+run_preflight() {
+  bazel build //hack/bin:preflight
+  PFLT_PYXIS_API_TOKEN="${REDHAT_API_TOKEN}" bazel-bin/hack/bin/preflight \
+    check operator "${IMAGE}" --docker-config ~/.docker/config.json
+}
 
-tc_end_block "Make and push docker images"
+main "$@"

build/release/teamcity-publish-openshift.sh

@@ -17,41 +17,38 @@ set -euxo pipefail
 
 source "$(dirname "${0}")/teamcity-support.sh"
 
+RH_PROJECT_ID="5e6027425c5456060d5f6084"
+RH_REGISTRY="scan.connect.redhat.com"
+RH_OPERATOR_IMG="${RH_REGISTRY}/ospid-cf721588-ad8a-4618-938c-5191c5e10ae4/cockroachdb-operator:${TAG}"
 
-tc_start_block "Variable Setup"
-VERSION="v"$(cat version.txt)
-# Matching the version name regex from within the cockroach code except
-# for the `metadata` part at the end because Docker tags don't support
-# `+` in the tag name.
-# https://github.com/cockroachdb/cockroach/blob/4c6864b44b9044874488cfedee3a31e6b23a6790/pkg/util/version/version.go#L75
-image_tag="$(echo "${VERSION}" | grep -E -o '^v(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)(-[-.0-9A-Za-z]+)?$')"
-#                                         ^major           ^minor           ^patch         ^preRelease
-
-if [[ -z "$image_tag" ]] ; then
-    echo "Invalid VERSION \"${VERSION}\". Must be of the format \"vMAJOR.MINOR.PATCH(-PRERELEASE)?\"."
-    exit 1
-fi
-
-rhel_registry="scan.connect.redhat.com"
-
-dh_operator_image="docker.io/cockroachdb/cockroach-operator:$image_tag"
-rh_operator_image_repository="$rhel_registry/ospid-cf721588-ad8a-4618-938c-5191c5e10ae4/cockroachdb-operator"
-
+OPERATOR_IMG="docker.io/cockroachdb/cockroach-operator:${TAG}"
 if ! [[ -z "${DRY_RUN}" ]] ; then
-  # The operator image doesn't use the "-dryrun" suffix, it's published in a
-  # separate repository.
-  dh_operator_image="docker.io/cockroachdb/cockroach-operator-misc:$image_tag"
-  image_tag="${image_tag}-dryrun"
+  OPERATOR_IMG="docker.io/cockroachdb/cockroach-operator-misc:${TAG}-dryrun"
 fi
-tc_end_block "Variable Setup"
-
-
-tc_start_block "Make and push docker images"
-configure_docker_creds
-docker_login "$rhel_registry" "$OPERATOR_REDHAT_REGISTRY_USER" "$OPERATOR_REDHAT_REGISTRY_KEY"
-
-docker pull "$dh_operator_image"
-docker tag "$dh_operator_image" "$rh_operator_image_repository:$image_tag"
-docker push "$rh_operator_image_repository:$image_tag"
 
-tc_end_block "Make and push docker images"
+main() {
+  docker_login "${RH_REGISTRY}" "${OPERATOR_REDHAT_REGISTRY_USER}" "${OPERATOR_REDHAT_REGISTRY_KEY}"
+
+  publish_to_redhat
+  run_preflight
+}
+
+publish_to_redhat() {
+  tc_start_block "Tag and release docker image"
+  docker pull "${OPERATOR_IMG}"
+  docker tag "${OPERATOR_IMG}" "${RH_OPERATOR_IMG}"
+  docker push "${RH_OPERATOR_IMG}"
+  tc_end_block "Tag and release docker image"
+}
+
+run_preflight() {
+  bazel build //hack/bin:preflight
+  PFLT_PYXIS_API_TOKEN="${REDHAT_API_TOKEN}" bazel-bin/hack/bin/preflight \
+    check container "${RH_OPERATOR_IMG}" \
+    --certification-project-id="${RH_PROJECT_ID}" \
+    --docker-config=/home/agent/.docker/config.json \
+    --list-checks \
+    --submit
+}
+
+main "$@"

build/release/teamcity-publish-release.sh

@@ -17,45 +17,45 @@ set -euxo pipefail
 
 source "$(dirname "${0}")/teamcity-support.sh"
 
-tc_start_block "Variable Setup"
-VERSION="v"$(cat version.txt)
-# Matching the version name regex from within the cockroach code except
-# for the `metadata` part at the end because Docker tags don't support
-# `+` in the tag name.
-# https://github.com/cockroachdb/cockroach/blob/4c6864b44b9044874488cfedee3a31e6b23a6790/pkg/util/version/version.go#L75
-image_tag="$(echo "${VERSION}" | grep -E -o '^v(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)(-[-.0-9A-Za-z]+)?$')"
-#                                         ^major           ^minor           ^patch         ^preRelease
-
-if [[ -z "$image_tag" ]] ; then
-  echo "Invalid VERSION \"${VERSION}\". Must be of the format \"vMAJOR.MINOR.PATCH(-PRERELEASE)?\"."
-  exit 1
-fi
-
-docker_registry="docker.io"
-operator_image_repository="cockroachdb/cockroach-operator"
-
-if ! [[ -z "${DRY_RUN}" ]] ; then
-  operator_image_repository="cockroachdb/cockroach-operator-misc"
-fi
-
-tc_end_block "Variable Setup"
-
-tc_start_block "Make and push docker images"
-configure_docker_creds
-docker_login "$docker_registry" "$OPERATOR_DOCKER_ID" "$OPERATOR_DOCKER_ACCESS_TOKEN"
-
-if docker_image_exists "$docker_registry/$operator_image_repository:$image_tag"; then
-  echo "Docker image $docker_registry/$operator_image_repository:$image_tag already exists"
-  if [[ -z "${FORCE}" ]] ; then
-    echo "Use FORCE=1 to force push the docker image."
-    echo "Alternatively you can delete the tag in Docker Hub."
-    exit 1
+REGISTRY="docker.io"
+REPO="cockroachdb/cockroach-operator"
+if ! [[ -z "${DRY_RUN}" ]] ; then REPO="${REPO}-misc"; fi
+
+OPERATOR_IMG="${REGISTRY}/${REPO}:${TAG}"
+
+main() {
+  docker_login "${REGISTRY}" "${OPERATOR_DOCKER_ID}" "${OPERATOR_DOCKER_ACCESS_TOKEN}"
+
+  validate_image
+  publish_to_registry
+}
+
+validate_image() {
+  tc_start_block "Ensure image should be pushed"
+
+  if docker_image_exists "${OPERATOR_IMG}"; then
+    echo "Docker image ${OPERATOR_IMG} already exists!"
+
+    if [[ -z "${FORCE}" ]] ; then
+      echo "Use FORCE=1 to force push the docker image."
+      echo "Alternatively you can delete the tag in Docker Hub."
+      exit 1
+    fi
+    echo "Forcing docker push..."
   fi
-  echo "Forcing docker push..."
-fi
-
-make \
-  DOCKER_REGISTRY="$docker_registry" \
-  DOCKER_IMAGE_REPOSITORY="$operator_image_repository" \
-  release/image
-tc_end_block "Make and push docker images"
+
+  tc_end_block "Ensure image should be pushed"
+}
+
+publish_to_registry() {
+  tc_start_block "Make and push docker image"
+
+  make \
+    DOCKER_REGISTRY="${REGISTRY}" \
+    DOCKER_IMAGE_REPOSITORY="${REPO}" \
+    release/image
+
+  tc_end_block "Make and push docker image"
+}
+
+main "$@"

build/release/teamcity-support.sh

@@ -12,6 +12,9 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+# Set below with call to ensure_valid_tag
+export TAG=""
+
 # Common helpers for teamcity-*.sh scripts.
 
 remove_files_on_exit() {
@@ -29,10 +32,12 @@ tc_end_block() {
 }
 
 docker_login() {
-  local registry=$1
-  local registry_user=$2
-  local registry_token=$3
-  echo "${registry_token}" | docker login --username "${registry_user}" --password-stdin $registry
+  configure_docker_creds
+
+  local registry="${1}"
+  local registry_user="${2}"
+  local registry_token="${3}"
+  echo "${registry_token}" | docker login --username "${registry_user}" --password-stdin "${registry}"
 }
 
 configure_docker_creds() {
@@ -55,3 +60,24 @@ docker_image_exists() {
   docker pull "$1"
   return $?
 }
+
+ensure_valid_tag() {
+  tc_start_block "Extracting image tag"
+  local version="v$(cat version.txt)"
+
+  # Matching the version name regex from within the cockroach code except
+  # for the `metadata` part at the end because Docker tags don't support
+  # `+` in the tag name.
+  # https://github.com/cockroachdb/cockroach/blob/4c6864b44b9044874488cfedee3a31e6b23a6790/pkg/util/version/version.go#L75
+  TAG="$(echo -n "${version}" | grep -E -o '^v(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)(-[-.0-9A-Za-z]+)?$')"
+  #                                         ^major           ^minor           ^patch         ^preRelease
+
+  if [[ -z "${TAG}" ]] ; then
+    echo "Invalid VERSION \"${version}\". Must be of the format \"vMAJOR.MINOR.PATCH(-PRERELEASE)?\"."
+    exit 1
+  fi
+
+  tc_end_block "Extracting image tag"
+}
+
+ensure_valid_tag

hack/bundle.sh

@@ -89,6 +89,13 @@ generate_bundle() {
 
   # Update CSV with correct images, and timestamps
   adapt_csv "${dir}" "${img}"
+
+  # move the dockerfile into the bundle directory and make it valid
+  sed \
+    -e "s+${dir}/++g" bundle.Dockerfile \ # fix up paths
+    -e "/\s*COPY tests/d" > "${dir}/Dockerfile" # remove scorecard tests
+
+  rm bundle.Dockerfile
 }
 
 adapt_csv() {