From 17a581117999a65bf354778f01da0336c3b1fe58 Mon Sep 17 00:00:00 2001 From: "David Muto (pseudomuto)" Date: Mon, 13 Jun 2022 13:13:07 +0000 Subject: [PATCH 1/4] Install preflight binary on Linux machines Adding preflight to the list of OpenShift binaries installed. For now, this is only available on Linux machines and won't be added to anyone using Darwin. --- hack/bin/BUILD.bazel | 10 ++++++++++ hack/bin/deps.bzl | 19 +++++++++++++++++++ pkg/resource/BUILD.bazel | 2 +- 3 files changed, 30 insertions(+), 1 deletion(-) diff --git a/hack/bin/BUILD.bazel b/hack/bin/BUILD.bazel index 9fc2bc241..3877732ea 100644 --- a/hack/bin/BUILD.bazel +++ b/hack/bin/BUILD.bazel @@ -38,6 +38,16 @@ genrule( visibility = ["//visibility:public"], ) +genrule( + name = "fetch_preflight", + srcs = select({ + ":k8": ["@preflight_linux//file"], + }), + outs = ["preflight"], + cmd = "cp $(SRCS) $@", + visibility = ["//visibility:public"], +) + genrule( name = "fetch_faq", srcs = select({ diff --git a/hack/bin/deps.bzl b/hack/bin/deps.bzl index 45bdebd20..7c9de0b9d 100644 --- a/hack/bin/deps.bzl +++ b/hack/bin/deps.bzl @@ -22,6 +22,13 @@ OPENSHIFT_REPO = "https://mirror.openshift.com/pub/openshift-v4/x86_64/clients/o # filenames and versions from ${OPENSHIFT_REPO}/sha256sum.txt OPENSHIFT_BINS = { + "preflight": { + # currently, preflight is only available on linux + "preflight_linux": { + "url": "https://github.com/redhat-openshift-ecosystem/openshift-preflight/releases/download/1.2.1/preflight-linux-amd64", + "sha": "e5754a81d4baae4f4956fc0842179a3daeac4778e202450f886a9afb05d218ba", + }, + }, "oc": { "oc_darwin": { "url": "{}/openshift-client-mac-{}.tar.gz".format(OPENSHIFT_REPO, OPENSHIFT_VERSION), @@ -71,6 +78,7 @@ def install(): install_operator_sdk() install_opm() install_openshift() + install_preflight() # Install golang.org/x/build as kubernetes/repo-infra requires it for the # build-tar bazel target. 
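Review bot: The `select()` in `fetch_preflight` has only a `:k8` branch, so on the Darwin configurations the neighbouring genrules handle (`:m1` and `:darwin` appear in `fetch_opm` later in this series) the target presumably fails with Bazel's generic no-matching-condition error. Passing `no_match_error = "preflight is only published for linux/amd64"` as the second argument to `select()` would make that failure explain itself to anyone who builds `//hack/bin:preflight` on a Mac.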
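Review bot: Nothing records where the `sha` of the new `preflight` entry came from or how to re-verify it. The comment above `OPENSHIFT_BINS` says filenames and versions come from `${OPENSHIFT_REPO}/sha256sum.txt`, but this binary is fetched from a GitHub release with `1.2.1` embedded in the URL. A comment on the entry such as `# sha256 of the preflight-linux-amd64 release asset; re-check whenever the version in the URL changes` would keep the pin auditable. The `OPENSHIFT_BINS` dict continues past the end of this hunk.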
@@ -413,6 +421,17 @@ filegroup( """ ) +def install_preflight(): + versions = OPENSHIFT_BINS["preflight"] + + for k, v in versions.items(): + http_file( + name = k, + executable = 1, + sha256 = v["sha"], + urls = [v["url"]] + ) + ## Fetch crdb used in our container def install_crdb(): http_archive( diff --git a/pkg/resource/BUILD.bazel b/pkg/resource/BUILD.bazel index f9d459125..34d3b85e1 100644 --- a/pkg/resource/BUILD.bazel +++ b/pkg/resource/BUILD.bazel @@ -57,8 +57,8 @@ go_library( go_test( name = "go_default_test", srcs = [ - "cluster_test.go", "certificate_test.go", + "cluster_test.go", "discovery_service_test.go", "pod_distruption_budget_test.go", "public_service_test.go", From d22c2705ab0105a3ecbf8133947021828ce07998 Mon Sep 17 00:00:00 2001 From: "David Muto (pseudomuto)" Date: Mon, 13 Jun 2022 15:44:15 +0000 Subject: [PATCH 2/4] Publish operator and bundle images for RedHat/OpenShift Updating the build/release scripts to handle publishing the bundle images and running preflight on them. The publish-openshift script downloads the tagged release from DockerHub, retags it correctly for the RedHat scanning repo, pushes it, and finally runs the preflight check on it. The openshift-bundle script largely does the same, only it publishes the bundle image rather than the operator image. The same script is used for both the certified and marketplace bundles. Passing `MARKETPLACE=1` will use the marketplace bundle values rather than the certified ones (default). --- .../teamcity-publish-openshift-bundle.sh | 70 ++++++++++------ build/release/teamcity-publish-openshift.sh | 64 +++++++-------- build/release/teamcity-publish-release.sh | 82 +++++++++---------- build/release/teamcity-support.sh | 34 +++++++- hack/bundle.sh | 7 ++ 5 files changed, 151 insertions(+), 106 deletions(-) diff --git a/build/release/teamcity-publish-openshift-bundle.sh b/build/release/teamcity-publish-openshift-bundle.sh index ca2b6a5a2..91dd3aa8d 100755 
--- a/build/release/teamcity-publish-openshift-bundle.sh
+++ b/build/release/teamcity-publish-openshift-bundle.sh
@@ -17,38 +17,54 @@ set -euxo pipefail source "$(dirname "${0}")/teamcity-support.sh" +# Default values are defined for the certified bundle. +RH_PROJECT="5f5a433f9d6546ed7aa8634d" +RH_REGISTRY="scan.connect.redhat.com" +RH_REPO="ospid-857fe786-3eb7-4508-aafd-cc74c1b1dc24/cockroachdb-operator-bundle" +BUNDLE_DIR="bundle/cockroachdb-certified" -tc_start_block "Variable Setup" -VERSION="v"$(cat version.txt) -# Matching the version name regex from within the cockroach code except -# for the `metadata` part at the end because Docker tags don't support -# `+` in the tag name. -# https://github.com/cockroachdb/cockroach/blob/4c6864b44b9044874488cfedee3a31e6b23a6790/pkg/util/version/version.go#L75 -image_tag="$(echo "${VERSION}" | grep -E -o '^v(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)(-[-.0-9A-Za-z]+)?$')" -# ^major ^minor ^patch ^preRelease - -if [[ -z "$image_tag" ]] ; then - echo "Invalid VERSION \"${VERSION}\". Must be of the format \"vMAJOR.MINOR.PATCH(-PRERELEASE)?\"." - exit 1 +# If this is the marketplace bundle, update accordingly. +if ! [[ -z "${MARKETPLACE}" ]]; then + RH_PROJECT="61765afbdd607bfc82e643b8" + RH_REPO="ospid-61765afbdd607bfc82e643b8/cockroachdb-operator-bundle-marketplace" + BUNDLE_DIR="bundle/cockroachdb-certified-rhmp" fi -rhel_registry="scan.connect.redhat.com" -rh_bundle_image_repository="ospid-857fe786-3eb7-4508-aafd-cc74c1b1dc24/cockroachdb-operator-bundle" -image="$rhel_registry/$rh_bundle_image_repository:$image_tag" +# If it's a dry run, add -dryrun to the image +if ! [[ -z "${DRY_RUN}" ]]; then RH_REPO="${RH_REPO}-dryrun"; fi -if ! 
[[ -z "${DRY_RUN}" ]] ; then - image="${image}-dryrun" -fi -tc_end_block "Variable Setup" +IMAGE="${RH_REGISTRY}/${RH_REPO}:${TAG}" + +main() { + docker_login "${RH_REGISTRY}" "${OPERATOR_REDHAT_REGISTRY_USER}" "${OPERATOR_REDHAT_REGISTRY_KEY}" + + generate_bundle + publish_bundle_image + run_preflight +} + +generate_bundle() { + # create the certified and marketplace bundles + tc_start_block "Generate bundle" + make release/generate-bundle + tc_end_block "Generate bundle" +} + +publish_bundle_image() { + tc_start_block "Make and push bundle image" + pushd "${BUNDLE_DIR}" + docker build -t "${IMAGE}" . + docker push "${IMAGE}" + popd -tc_start_block "Make and push docker images" -configure_docker_creds -docker_login "$rhel_registry" "$OPERATOR_BUNDLE_REDHAT_REGISTRY_USER" "$OPERATOR_BUNDLE_REDHAT_REGISTRY_KEY" + tc_end_block "Make and push bundle image" +} -# TODO(rail): switch to bazel generated images when it supports "FROM: scratch" -cd deploy/certified-metadata-bundle/cockroach-operator -docker build -t $image -f bundle.Dockerfile . -docker push $image +run_preflight() { + bazel build //hack/bin:preflight + PFLT_PYXIS_API_TOKEN="${REDHAT_API_TOKEN}" bazel-bin/hack/bin/preflight \ + check operator "${IMAGE}" --docker-config ~/.docker/config.json +} -tc_end_block "Make and push docker images" +main "$@" diff --git a/build/release/teamcity-publish-openshift.sh b/build/release/teamcity-publish-openshift.sh index f461a6ffc..d63b820fa 100755 --- a/build/release/teamcity-publish-openshift.sh +++ b/build/release/teamcity-publish-openshift.sh 
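Review bot: `run_preflight` expands `REDHAT_API_TOKEN` on a command line while the script runs under `set -euxo pipefail`, so the trace writes `PFLT_PYXIS_API_TOKEN=<value>` to the build log unless the CI server masks it. The same applies to `run_preflight` in teamcity-publish-openshift.sh and to `echo "${registry_token}"` in `docker_login`. Wrapping the call in `set +x` / `set -x`, or dropping `-x` from the publish scripts, keeps the credential out of the log. Separately, `${MARKETPLACE}` is expanded under `-u`, so the documented default (variable not passed) aborts with an unbound-variable error unless something sets it to empty; `if [[ -n "${MARKETPLACE:-}" ]]; then` covers both cases.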
@@ -17,41 +17,37 @@ set -euxo pipefail source "$(dirname "${0}")/teamcity-support.sh" +RH_PROJECT_ID="5e6027425c5456060d5f6084" +RH_REGISTRY="scan.connect.redhat.com" +RH_OPERATOR_IMG="${RH_REGISTRY}/ospid-cf721588-ad8a-4618-938c-5191c5e10ae4/cockroachdb-operator:${TAG}" -tc_start_block "Variable Setup" -VERSION="v"$(cat version.txt) -# Matching the version name regex from within the cockroach code except -# for the `metadata` part at the end because Docker tags don't support -# `+` in the tag name. -# https://github.com/cockroachdb/cockroach/blob/4c6864b44b9044874488cfedee3a31e6b23a6790/pkg/util/version/version.go#L75 -image_tag="$(echo "${VERSION}" | grep -E -o '^v(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)(-[-.0-9A-Za-z]+)?$')" -# ^major ^minor ^patch ^preRelease - -if [[ -z "$image_tag" ]] ; then - echo "Invalid VERSION \"${VERSION}\". Must be of the format \"vMAJOR.MINOR.PATCH(-PRERELEASE)?\"." - exit 1 -fi - -rhel_registry="scan.connect.redhat.com" - -dh_operator_image="docker.io/cockroachdb/cockroach-operator:$image_tag" -rh_operator_image_repository="$rhel_registry/ospid-cf721588-ad8a-4618-938c-5191c5e10ae4/cockroachdb-operator" - +OPERATOR_IMG="docker.io/cockroachdb/cockroach-operator:${TAG}" if ! [[ -z "${DRY_RUN}" ]] ; then - # The operator image doesn't use the "-dryrun" suffix, it's published in a - # separate repository. 
- dh_operator_image="docker.io/cockroachdb/cockroach-operator-misc:$image_tag" - image_tag="${image_tag}-dryrun" + OPERATOR_IMG="docker.io/cockroachdb/cockroach-operator-misc:${TAG}-dryrun" fi -tc_end_block "Variable Setup" - - -tc_start_block "Make and push docker images" -configure_docker_creds -docker_login "$rhel_registry" "$OPERATOR_REDHAT_REGISTRY_USER" "$OPERATOR_REDHAT_REGISTRY_KEY" - -docker pull "$dh_operator_image" -docker tag "$dh_operator_image" "$rh_operator_image_repository:$image_tag" -docker push "$rh_operator_image_repository:$image_tag" -tc_end_block "Make and push docker images" +main() { + docker_login "${RH_REGISTRY}" "${OPERATOR_REDHAT_REGISTRY_USER}" "${OPERATOR_REDHAT_REGISTRY_KEY}" + + publish_to_redhat + run_preflight +} + +publish_to_redhat() { + tc_start_block "Tag and release docker image" + docker pull "${OPERATOR_IMG}" + docker tag "${OPERATOR_IMG}" "${RH_OPERATOR_IMG}" + docker push "${RH_OPERATOR_IMG}" + tc_end_block "Tag and release docker image" +} + +run_preflight() { + bazel build //hack/bin:preflight + PFLT_PYXIS_API_TOKEN="${REDHAT_API_TOKEN}" bazel-bin/hack/bin/preflight \ + check container "${RH_OPERATOR_IMG}" \ + --certification-project-id="${RH_PROJECT_ID}" \ + --docker-config=/home/agent/.docker/config.json \ + --submit +} + +main "$@" diff --git a/build/release/teamcity-publish-release.sh b/build/release/teamcity-publish-release.sh index 233c65c9e..78430d80c 100755 --- a/build/release/teamcity-publish-release.sh +++ b/build/release/teamcity-publish-release.sh 
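Review bot: With `DRY_RUN` set, only `OPERATOR_IMG` changes. `RH_OPERATOR_IMG` is fixed earlier with the plain `${TAG}`, so a dry run now tags and pushes to the real Red Hat repository under the release tag, and `run_preflight` still passes `--submit`. The removed code pushed `…:${image_tag}-dryrun` in that case. The dry-run branch also pulls `cockroach-operator-misc:${TAG}-dryrun`, whereas the removed comment says the misc image carries no `-dryrun` suffix, so that pull may not find anything. Adding `RH_OPERATOR_IMG="${RH_OPERATOR_IMG}-dryrun"` inside the `DRY_RUN` branch and passing `--submit` only on real runs would restore the old separation.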
@@ -17,45 +17,45 @@ set -euxo pipefail source "$(dirname "${0}")/teamcity-support.sh" -tc_start_block "Variable Setup" -VERSION="v"$(cat version.txt) -# Matching the version name regex from within the cockroach code except -# for the `metadata` part at the end because Docker tags don't support -# `+` in the tag name. -# https://github.com/cockroachdb/cockroach/blob/4c6864b44b9044874488cfedee3a31e6b23a6790/pkg/util/version/version.go#L75 -image_tag="$(echo "${VERSION}" | grep -E -o '^v(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)(-[-.0-9A-Za-z]+)?$')" -# ^major ^minor ^patch ^preRelease - -if [[ -z "$image_tag" ]] ; then - echo "Invalid VERSION \"${VERSION}\". Must be of the format \"vMAJOR.MINOR.PATCH(-PRERELEASE)?\"." - exit 1 -fi - -docker_registry="docker.io" -operator_image_repository="cockroachdb/cockroach-operator" - -if ! [[ -z "${DRY_RUN}" ]] ; then - operator_image_repository="cockroachdb/cockroach-operator-misc" -fi - -tc_end_block "Variable Setup" - -tc_start_block "Make and push docker images" -configure_docker_creds -docker_login "$docker_registry" "$OPERATOR_DOCKER_ID" "$OPERATOR_DOCKER_ACCESS_TOKEN" - -if docker_image_exists "$docker_registry/$operator_image_repository:$image_tag"; then - echo "Docker image $docker_registry/$operator_image_repository:$image_tag already exists" - if [[ -z "${FORCE}" ]] ; then - echo "Use FORCE=1 to force push the docker image." - echo "Alternatively you can delete the tag in Docker Hub." - exit 1 +REGISTRY="docker.io" +REPO="cockroachdb/cockroach-operator" +if ! [[ -z "${DRY_RUN}" ]] ; then REPO="${REPO}-misc"; fi + +OPERATOR_IMG="${REGISTRY}/${REPO}:${TAG}" + +main() { + docker_login "${REGISTRY}" "${OPERATOR_DOCKER_ID}" "${OPERATOR_DOCKER_ACCESS_TOKEN}" + + validate_image + publish_to_registry +} + +validate_image() { + tc_start_block "Ensure image should be pushed" + + if docker_image_exists "${OPERATOR_IMG}"; then + echo "Docker image ${OPERATOR_IMG} already exists!" 
+ + if [[ -z "${FORCE}" ]] ; then + echo "Use FORCE=1 to force push the docker image." + echo "Alternatively you can delete the tag in Docker Hub." + exit 1 + fi + echo "Forcing docker push..." fi - echo "Forcing docker push..." -fi - -make \ - DOCKER_REGISTRY="$docker_registry" \ - DOCKER_IMAGE_REPOSITORY="$operator_image_repository" \ - release/image -tc_end_block "Make and push docker images" + + tc_end_block "Ensure image should be pushed" +} + +publish_to_registry() { + tc_start_block "Make and push docker image" + + make \ + DOCKER_REGISTRY="${REGISTRY}" \ + DOCKER_IMAGE_REPOSITORY="${REPO}" \ + release/image + + tc_end_block "Make and push docker image" +} + +main "$@" diff --git a/build/release/teamcity-support.sh b/build/release/teamcity-support.sh index 3a7d9e8b2..5bd3454db 100644 --- a/build/release/teamcity-support.sh +++ b/build/release/teamcity-support.sh @@ -12,6 +12,9 @@ # See the License for the specific language governing permissions and # limitations under the License. +# Set below with call to ensure_valid_tag +export TAG="" + # Common helpers for teamcity-*.sh scripts. remove_files_on_exit() { @@ -29,10 +32,12 @@ tc_end_block() { } docker_login() { - local registry=$1 - local registry_user=$2 - local registry_token=$3 - echo "${registry_token}" | docker login --username "${registry_user}" --password-stdin $registry + configure_docker_creds + + local registry="${1}" + local registry_user="${2}" + local registry_token="${3}" + echo "${registry_token}" | docker login --username "${registry_user}" --password-stdin "${registry}" } configure_docker_creds() { 
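Review bot: The overwrite guard in `validate_image` fails open. `docker_image_exists` in teamcity-support.sh is a bare `docker pull`, so any pull failure (expired login, registry outage, rate limit) reads the same as "tag not published", and the script goes on to `publish_to_registry` without `FORCE`. If telling the cases apart is out of scope for this change, the function should at least carry a comment such as `# NOTE: any pull failure is treated as "tag absent"; FORCE is not consulted in that case`, so the limitation is visible to whoever relies on it to protect a released tag.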
@@ -55,3 +60,24 @@ docker_image_exists() { docker pull "$1" return $? } + +ensure_valid_tag() { + tc_start_block "Extracting image tag" + local version="v$(cat version.txt)" + + # Matching the version name regex from within the cockroach code except + # for the `metadata` part at the end because Docker tags don't support + # `+` in the tag name. + # https://github.com/cockroachdb/cockroach/blob/4c6864b44b9044874488cfedee3a31e6b23a6790/pkg/util/version/version.go#L75 + TAG="$(echo -n "${version}" | grep -E -o '^v(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)(-[-.0-9A-Za-z]+)?$')" + # ^major ^minor ^patch ^preRelease + + if [[ -z "${TAG}" ]] ; then + echo "Invalid VERSION \"${version}\". Must be of the format \"vMAJOR.MINOR.PATCH(-PRERELEASE)?\"." + exit 1 + fi + + tc_end_block "Extracting image tag" +} + +ensure_valid_tag diff --git a/hack/bundle.sh b/hack/bundle.sh index e46e1ae19..165b15200 100755 --- a/hack/bundle.sh +++ b/hack/bundle.sh @@ -89,6 +89,13 @@ generate_bundle() { # Update CSV with correct images, and timestamps adapt_csv "${dir}" "${img}" + + # move the dockerfile into the bundle directory and make it valid + sed \ + -e "s+${dir}/++g" bundle.Dockerfile \ # fix up paths + -e "/\s*COPY tests/d" > "${dir}/Dockerfile" # remove scorecard tests + + rm bundle.Dockerfile } adapt_csv() { From 73b81253f632b6c3b7ebcac51817bb2b6340d5a4 Mon Sep 17 00:00:00 2001 From: "David Muto (pseudomuto)" Date: Wed, 15 Jun 2022 16:24:38 +0000 Subject: [PATCH 3/4] Update OpenShift binaries to 4.10.18 Updated all of the outdated OpenShift binaries. This also includes a fix to an issue with had with opm. We were copying the tar file into the bin folder and marking it as executable. This naturally, caused issues when we tried to run it. --- hack/bin/BUILD.bazel | 6 +++--- hack/bin/deps.bzl | 32 +++++++++++++++++++------------- 2 files changed, 22 insertions(+), 16 deletions(-) diff --git a/hack/bin/BUILD.bazel b/hack/bin/BUILD.bazel index 3877732ea..085909c03 100644 
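Review bot: The `Invalid VERSION` branch of `ensure_valid_tag` is unlikely to run in the publish scripts. They source this file after `set -euxo pipefail`, so when `grep -E -o` finds no match the `TAG="$(…)"` assignment returns non-zero and errexit stops the script before the `[[ -z "${TAG}" ]]` test. Appending `|| true` inside the substitution, after the `grep`, lets the explicit message and `exit 1` do their job. `local version="v$(cat version.txt)"` likewise hides a failing `cat`; writing `local version` and `version="v$(cat version.txt)"` on separate lines surfaces it.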
--- a/hack/bin/BUILD.bazel +++ b/hack/bin/BUILD.bazel @@ -213,9 +213,9 @@ genrule( genrule( name = "fetch_opm", srcs = select({ - ":m1": ["@opm_darwin//file"], - ":darwin": ["@opm_darwin//file"], - ":k8": ["@opm_linux//file"], + ":m1": ["@opm_darwin//:file"], + ":darwin": ["@opm_darwin//:file"], + ":k8": ["@opm_linux//:file"], }), outs = ["opm"], cmd = "cp $(SRCS) $@", diff --git a/hack/bin/deps.bzl b/hack/bin/deps.bzl index 7c9de0b9d..3f3795db9 100644 --- a/hack/bin/deps.bzl +++ b/hack/bin/deps.bzl @@ -17,7 +17,7 @@ load("@io_bazel_rules_docker//container:container.bzl", "container_pull") load("@bazel_gazelle//:deps.bzl", "go_repository") # This controls the version for all openshift binaries (opm, oc, opernshift-install, etc.) -OPENSHIFT_VERSION = "4.9.17" +OPENSHIFT_VERSION = "4.10.18" OPENSHIFT_REPO = "https://mirror.openshift.com/pub/openshift-v4/x86_64/clients/ocp/{}".format(OPENSHIFT_VERSION) # filenames and versions from ${OPENSHIFT_REPO}/sha256sum.txt 
@@ -32,31 +32,31 @@ OPENSHIFT_BINS = { "oc": { "oc_darwin": { "url": "{}/openshift-client-mac-{}.tar.gz".format(OPENSHIFT_REPO, OPENSHIFT_VERSION), - "sha": "2b06b400ab929275b55d3dbb8d7c54b9f1dd17df0b50247b8fc24b9efc8b1566", + "sha": "285c307491d8ffd19c065a942515fda78e53f95289d4b4985aa4c92439f7f339", }, "oc_linux": { "url": "{}/openshift-client-linux-{}.tar.gz".format(OPENSHIFT_REPO, OPENSHIFT_VERSION), - "sha": "390268a64029f2aea7492f493034b75d4979f676f98762dbbf33eb0da5b294db", + "sha": "101bc7e11604b829157b3b314de3760eec857e55f51eeca978825307ff61c190", }, }, "openshift-install": { "openshift_darwin": { "url": "{}/openshift-install-mac-{}.tar.gz".format(OPENSHIFT_REPO, OPENSHIFT_VERSION), - "sha": "0c51934bfff15f8a8bf666bb9b15c894994afd87d838ffc5579e998f56110738", + "sha": "3a36acb92a6759d964a1af62512c747e075a2937a6368203d0598d804db10da2", }, "openshift_linux": { "url": "{}/openshift-install-linux-{}.tar.gz".format(OPENSHIFT_REPO, OPENSHIFT_VERSION), - "sha": "4213bf060c25a6f38f86f2245f1f28060185e8baa7431f272e726d50f0044604", + "sha": "27e6ccb60ce2c7dfe611e1639642277572af78a21c622a7443d5a19006b2e45b", }, }, "opm": { "opm_darwin": { "url": "{}/opm-mac-{}.tar.gz".format(OPENSHIFT_REPO, OPENSHIFT_VERSION), - "sha": "f6fb6205f242ffef62ac0f4db738b1c099d3302ebb98b23d94926ef2903ed5d8", + "sha": "36d7104b1fd29e77a880b63e3e1aa67639a48cca1fdf537411b40a0c36140dba", }, "opm_linux": { "url": "{}/opm-linux-{}.tar.gz".format(OPENSHIFT_REPO, OPENSHIFT_VERSION), - "sha": "f88d3dcc18950d8cd8512e460de5addcf11e8eb8f31ae675f0dd879908843747", + "sha": "6d422682fd688cbebc7818247005e2baf87675efef4931d2f0a2e744dc613b88", }, }, } 
@@ -396,12 +396,18 @@ def install_opm(): versions = OPENSHIFT_BINS["opm"] for k, v in versions.items(): - http_file( - name = k, - executable = 1, - sha256 = v["sha"], - urls = [v["url"]], - ) + http_archive( + name = k, + sha256 = v["sha"], + urls = [v["url"]], + build_file_content = """ +filegroup( + name = "file", + srcs = ["opm"], + visibility = ["//visibility:public"], +) +""" + ) ## Fetch openshift-installer def install_openshift(): From 147d7c7686abfefb582faa441956e64be2b94deb Mon Sep 17 00:00:00 2001 From: "David Muto (pseudomuto)" Date: Thu, 16 Jun 2022 17:37:16 +0000 Subject: [PATCH 4/4] Add support for make test/preflight- Adding targets for running preflight tests. These only work on Linux machines since preflight is currently not available on other platforms. The preflight tasks all assume you've got a running OpenShift cluster and that GCP_PROJECT and KUBECONFIG are set accordingly in the env. --- .gitignore | 2 +- Makefile | 7 ++ WORKSPACE | 6 +- config/default/BUILD.bazel | 1 + ...kroach-operator.clusterserviceversion.yaml | 1 + config/templates/csv.yaml.in | 1 + hack/BUILD.bazel | 11 ++ hack/bundle.sh | 8 +- hack/redhat.sh | 118 ++++++++++++++++++ version.txt | 2 +- 10 files changed, 149 insertions(+), 8 deletions(-) create mode 100755 hack/redhat.sh diff --git a/.gitignore b/.gitignore index 9da6ba232..9c96824f7 100644 --- a/.gitignore +++ b/.gitignore @@ -63,5 +63,5 @@ bundle/ faq _artifacts -bundle.Dockerfile +artifacts tmp diff --git a/Makefile b/Makefile index 511bdd3dc..3db2843ed 100644 --- a/Makefile +++ b/Makefile 
@@ -205,6 +205,12 @@ test/e2e/testrunner-openshift-packaging: test/openshift-package --action_env=APP_VERSION=$(APP_VERSION) \ --action_env=DOCKER_REGISTRY=$(DOCKER_REGISTRY) +# Run preflight checks for OpenShift. This expects a running OpenShift cluster. +# Eg. make test/preflight- +test/preflight-%: CONTAINER=$* +test/preflight-%: release/generate-bundle + @bazel run //hack:redhat-preflight -- $(CONTAINER) + # # Different dev targets # @@ -262,6 +268,7 @@ dev/up: dev/down .PHONY: dev/down dev/down: + @bazel build //hack/bin:k3d @hack/dev.sh down # # Targets that allow to install the operator on an existing cluster diff --git a/WORKSPACE b/WORKSPACE index 2d16e6fd8..24fde6992 100644 --- a/WORKSPACE +++ b/WORKSPACE @@ -108,9 +108,9 @@ container_pull( ################################ http_archive( name = "io_bazel_rules_k8s", - sha256 = "51f0977294699cd547e139ceff2396c32588575588678d2054da167691a227ef", - strip_prefix = "rules_k8s-0.6", - urls = ["https://github.com/bazelbuild/rules_k8s/archive/v0.6.tar.gz"], + strip_prefix = "rules_k8s-0.5", + urls = ["https://github.com/bazelbuild/rules_k8s/archive/v0.5.tar.gz"], + sha256 = "773aa45f2421a66c8aa651b8cecb8ea51db91799a405bd7b913d77052ac7261a", ) load("@io_bazel_rules_k8s//k8s:k8s.bzl", "k8s_repositories") diff --git a/config/default/BUILD.bazel b/config/default/BUILD.bazel index ee54a426e..ea7ad4aab 100644 --- a/config/default/BUILD.bazel +++ b/config/default/BUILD.bazel @@ -34,6 +34,7 @@ k8s_deploy( # when running locally, use the image from the local codebase "cockroachdb/cockroach-operator:$(APP_VERSION)": "//cmd/cockroach-operator:operator_image", }, + resolver_args = ["--allow_unused_images"], template = ":manifest", ) diff --git a/config/manifests/bases/cockroach-operator.clusterserviceversion.yaml b/config/manifests/bases/cockroach-operator.clusterserviceversion.yaml index 5f932d754..93b255df1 100644 --- a/config/manifests/bases/cockroach-operator.clusterserviceversion.yaml 
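Review bot: The move of `io_bazel_rules_k8s` from v0.6 back to v0.5 in WORKSPACE is not explained; the commit message covers only the preflight targets. A comment above the `http_archive` saying why 0.5 is required and what blocks 0.6 would stop the next dependency bump from silently undoing it. The new `sha256` should also be checked against the upstream v0.5 archive independently of this patch. The `resolver_args = ["--allow_unused_images"]` added in config/default/BUILD.bazel looks related and deserves the same one-line explanation.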
+++ b/config/manifests/bases/cockroach-operator.clusterserviceversion.yaml @@ -178,6 +178,7 @@ spec: - email: support@cockroachlabs.com name: Cockroach Labs Support maturity: stable + minKubeVersion: 1.18.0 provider: name: Cockroach Labs version: 0.0.0 diff --git a/config/templates/csv.yaml.in b/config/templates/csv.yaml.in index f46cf837d..30474b097 100644 --- a/config/templates/csv.yaml.in +++ b/config/templates/csv.yaml.in @@ -178,6 +178,7 @@ spec: - email: support@cockroachlabs.com name: Cockroach Labs Support maturity: stable + minKubeVersion: 1.18.0 provider: name: Cockroach Labs version: 0.0.0 diff --git a/hack/BUILD.bazel b/hack/BUILD.bazel index 0529b61b7..1e72dd7d2 100644 --- a/hack/BUILD.bazel +++ b/hack/BUILD.bazel @@ -129,6 +129,17 @@ sh_binary( ], ) +sh_binary( + name = "redhat-preflight", + srcs = ["redhat.sh"], + data = [ + JQ, + OPM, + "//hack/bin:preflight", + "@//:all-srcs", + ], +) + filegroup( name = "package-srcs", srcs = glob(["**"]), diff --git a/hack/bundle.sh b/hack/bundle.sh index 165b15200..5646848a1 100755 --- a/hack/bundle.sh +++ b/hack/bundle.sh @@ -85,17 +85,19 @@ generate_bundle() { mv "${dir}/metadata/annotations.yaml.new" "${dir}/metadata/annotations.yaml" # add supported openshift versions - echo " com.redhat.openshift.versions: 4.7-4.9" >> "${dir}/metadata/annotations.yaml" + echo " com.redhat.openshift.versions: 4.7-4.10" >> "${dir}/metadata/annotations.yaml" # Update CSV with correct images, and timestamps adapt_csv "${dir}" "${img}" # move the dockerfile into the bundle directory and make it valid sed \ - -e "s+${dir}/++g" bundle.Dockerfile \ # fix up paths - -e "/\s*COPY tests/d" > "${dir}/Dockerfile" # remove scorecard tests + -e "/\s*tests\/scorecard/d" \ + -e "s+${dir}/++g" \ + bundle.Dockerfile > "${dir}/Dockerfile" rm bundle.Dockerfile + rm "${dir}/manifests/cockroach-operator-webhook-service_v1_service.yaml" } adapt_csv() { diff --git a/hack/redhat.sh b/hack/redhat.sh new file mode 100755 index 000000000..ba252a344 
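Review bot: In hack/bundle.sh, `\s` in `-e "/\s*tests\/scorecard/d"` is a GNU sed extension, and the leading `\s*` adds nothing to an unanchored match. `-e "/tests\/scorecard/d"` selects the same lines and is accepted by other sed implementations too. The new `rm "${dir}/manifests/cockroach-operator-webhook-service_v1_service.yaml"` has no comment saying why the webhook Service is dropped from the bundle; a one-line reason above it would help. `generate_bundle` begins above this hunk.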
--- /dev/null
+++ b/hack/redhat.sh
@@ -0,0 +1,118 @@
+#!/usr/bin/env bash
+
+# Copyright 2022 The Cockroach Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+set -euo pipefail
+
+# include bazel binaries in the path
+PATH="bazel-bin/hack/bin:${PATH}"
+
+# Global preflight settings
+export PFLT_DOCKERCONFIG="${HOME}/.docker/config.json"
+export PFLT_LOGLEVEL=debug
+
+OPERATOR="cockroachdb/cockroach-operator"
+REGISTRY="gcr.io/${GCP_PROJECT}"
+VERSION="$(cat version.txt)"
+IMAGE="${OPERATOR}:v${VERSION}"
+BUNDLE_IMAGE="${OPERATOR}-bundle:v${VERSION}"
+BUNDLE_INDEX="${OPERATOR}-index:v${VERSION}"
+RHMP_BUNDLE_IMAGE="${OPERATOR}-bundle-rhmp:v${VERSION}"
+RHMP_BUNDLE_INDEX="${OPERATOR}-index-rhmp:v${VERSION}"
+
+main() {
+ # Switch to the build directory. The bundle directory is not part of source
+ # controller and therefore isn't a bazel target. This means when we run this
+ # script, there's no way to reference the Dockerfile created by the call to
+ # make release/generate-bundle (prerequisite of make test/preflight). By cd'ing
+ # into the build directory, we'll have access to _all_ the files.
+ if [[ -n "${BUILD_WORKSPACE_DIRECTORY}" ]]; then
+ cd "${BUILD_WORKSPACE_DIRECTORY}"
+ fi
+
+ case "${1:-}" in
+ operator)
+ publish_operator_image
+ preflight_operator;;
+ bundle)
+ publish_bundle_image "${REGISTRY}/${BUNDLE_IMAGE}" "bundle/cockroachdb-certified"
+ publish_bundle_index "${REGISTRY}/${BUNDLE_IMAGE}" "${REGISTRY}/${BUNDLE_INDEX}"
+ preflight_bundle "${REGISTRY}/${BUNDLE_IMAGE}" "${REGISTRY}/${BUNDLE_INDEX}"
+ ensure_success;;
+ marketplace)
+ publish_bundle_image "${REGISTRY}/${RHMP_BUNDLE_IMAGE}" "bundle/cockroachdb-certified-rhmp"
+ publish_bundle_index "${REGISTRY}/${RHMP_BUNDLE_IMAGE}" "${REGISTRY}/${RHMP_BUNDLE_INDEX}"
+ preflight_bundle "${REGISTRY}/${RHMP_BUNDLE_IMAGE}" "${REGISTRY}/${RHMP_BUNDLE_INDEX}"
+ ensure_success;;
+ *)
+ echo "ERROR: Unknown command: ${1}" 1>&2
+ echo "Usage bazel run //hack:redhat-preflight -- ." 1>&2
+ exit 1;;
+ esac
+}
+
+publish_operator_image() {
+ echo "Publishing operator image to local repo..."
+ APP_VERSION="v${VERSION}" \
+ DOCKER_REGISTRY="${REGISTRY}" \
+ DOCKER_IMAGE_REPOSITORY="${IMAGE%:*}" \
+ bazel run --stamp --platforms=@io_bazel_rules_go//go/toolchain:linux_amd64 //:push_operator_image
+}
+
+preflight_operator() {
+ echo "Running preflight checks on operator image..."
+ preflight check container "${REGISTRY}/${IMAGE}" \
+ --docker-config "${HOME}/.docker/config.json"
+}
+
+publish_bundle_image() {
+ local img="${1}"
+ local dir="${2}"
+
+ echo "Publishing ${img}..."
+ pushd "${dir}"
+ docker build -t "${img}" .
+ docker push "${img}"
+ popd
+}
+
+publish_bundle_index() {
+ local bundle_img="${1}"
+ local index_img="${2}"
+
+ echo "Publishing ${index_img}..."
+ opm index add \
+ --container-tool docker \
+ --bundles "${bundle_img}" \
+ --tag "${index_img}"
+}
+
+preflight_bundle() {
+ local bundle_img="${1}"
+ local index_img="${2}"
+
+ echo "Running preflight checks on bundle image..."
+ echo " IMAGE: ${bundle_img}"
+
+ PFLT_INDEXIMAGE="${index_img}" preflight check operator "${bundle_img}"
+}
+
+ensure_success() {
+ if [[ $(cat artifacts/results.json | jq -r .passed) == 'false' ]]; then
+ # error already displayed
+ exit 1
+ fi
+}
+
+main "$@"
diff --git a/version.txt b/version.txt
index 9aa34646d..24ba9a38d 100644
--- a/version.txt
+++ b/version.txt
@@ -1 +1 @@
-2.7.0
\ No newline at end of file
+2.7.0
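Review bot: `ensure_success` fails only when `jq` prints exactly `false`, so a missing or unreadable `artifacts/results.json`, or a report without a `passed` field, counts as a pass. A failing command substitution inside `[[ … ]]` does not trip errexit. Inverting the test makes the gate fail closed: `jq -e '.passed == true' artifacts/results.json >/dev/null || exit 1`. The `operator` branch of `main` never calls `ensure_success`, so its result rests on preflight's own exit status, which this page does not show. Under `set -u`, `${BUILD_WORKSPACE_DIRECTORY}` and the `${1}` in the usage branch also abort with an unbound-variable error when unset; `${BUILD_WORKSPACE_DIRECTORY:-}` and `${1:-}` avoid that.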