Update OpenShift Release Process

.gitignore

@@ -63,5 +63,5 @@ bundle/
 faq
 
 _artifacts
-bundle.Dockerfile
+artifacts
 tmp

Makefile

@@ -205,6 +205,12 @@ test/e2e/testrunner-openshift-packaging: test/openshift-package
 		--action_env=APP_VERSION=$(APP_VERSION) \
 		--action_env=DOCKER_REGISTRY=$(DOCKER_REGISTRY)
 
+# Run preflight checks for OpenShift. This expects a running OpenShift cluster.
+# Eg. make test/preflight-<operator|bundle|marketplace>
+test/preflight-%: CONTAINER=$*
+test/preflight-%: release/generate-bundle
+	@bazel run //hack:redhat-preflight -- $(CONTAINER)
+
 #
 # Different dev targets
 #
@@ -262,6 +268,7 @@ dev/up: dev/down
 
 .PHONY: dev/down
 dev/down:
+	@bazel build //hack/bin:k3d
 	@hack/dev.sh down
 #
 # Targets that allow to install the operator on an existing cluster

WORKSPACE

@@ -108,9 +108,9 @@ container_pull(
 ################################
 http_archive(
     name = "io_bazel_rules_k8s",
-    sha256 = "51f0977294699cd547e139ceff2396c32588575588678d2054da167691a227ef",
-    strip_prefix = "rules_k8s-0.6",
-    urls = ["https://github.com/bazelbuild/rules_k8s/archive/v0.6.tar.gz"],
+    strip_prefix = "rules_k8s-0.5",
+    urls = ["https://github.com/bazelbuild/rules_k8s/archive/v0.5.tar.gz"],
+    sha256 = "773aa45f2421a66c8aa651b8cecb8ea51db91799a405bd7b913d77052ac7261a",
 )
 
 load("@io_bazel_rules_k8s//k8s:k8s.bzl", "k8s_repositories")

build/release/teamcity-publish-openshift-bundle.sh

@@ -17,38 +17,54 @@ set -euxo pipefail
 
 source "$(dirname "${0}")/teamcity-support.sh"
 
+# Default values are defined for the certified bundle.
+RH_PROJECT="5f5a433f9d6546ed7aa8634d"
+RH_REGISTRY="scan.connect.redhat.com"
+RH_REPO="ospid-857fe786-3eb7-4508-aafd-cc74c1b1dc24/cockroachdb-operator-bundle"
+BUNDLE_DIR="bundle/cockroachdb-certified"
 
-tc_start_block "Variable Setup"
-VERSION="v"$(cat version.txt)
-# Matching the version name regex from within the cockroach code except
-# for the `metadata` part at the end because Docker tags don't support
-# `+` in the tag name.
-# https://github.com/cockroachdb/cockroach/blob/4c6864b44b9044874488cfedee3a31e6b23a6790/pkg/util/version/version.go#L75
-image_tag="$(echo "${VERSION}" | grep -E -o '^v(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)(-[-.0-9A-Za-z]+)?$')"
-#                                         ^major           ^minor           ^patch         ^preRelease
-
-if [[ -z "$image_tag" ]] ; then
-    echo "Invalid VERSION \"${VERSION}\". Must be of the format \"vMAJOR.MINOR.PATCH(-PRERELEASE)?\"."
-    exit 1
+# If this is the marketplace bundle, update accordingly.
+if ! [[ -z "${MARKETPLACE}" ]]; then
+  RH_PROJECT="61765afbdd607bfc82e643b8"
+  RH_REPO="ospid-61765afbdd607bfc82e643b8/cockroachdb-operator-bundle-marketplace"
+  BUNDLE_DIR="bundle/cockroachdb-certified-rhmp"
 fi
 
-rhel_registry="scan.connect.redhat.com"
-rh_bundle_image_repository="ospid-857fe786-3eb7-4508-aafd-cc74c1b1dc24/cockroachdb-operator-bundle"
-image="$rhel_registry/$rh_bundle_image_repository:$image_tag"
+# If it's a dry run, add -dryrun to the image
+if ! [[ -z "${DRY_RUN}" ]]; then RH_REPO="${RH_REPO}-dryrun"; fi
 
-if ! [[ -z "${DRY_RUN}" ]] ; then
-  image="${image}-dryrun"
-fi
-tc_end_block "Variable Setup"
+IMAGE="${RH_REGISTRY}/${RH_REPO}:${TAG}"
+
+main() {
+  docker_login "${RH_REGISTRY}" "${OPERATOR_REDHAT_REGISTRY_USER}" "${OPERATOR_REDHAT_REGISTRY_KEY}"
+
+  generate_bundle
+  publish_bundle_image
+  run_preflight
+}
+
+generate_bundle() {
+  # create the certified and marketplace bundles
+  tc_start_block "Generate bundle"
+  make release/generate-bundle
+  tc_end_block "Generate bundle"
+}
+
+publish_bundle_image() {
+  tc_start_block "Make and push bundle image"
 
+  pushd "${BUNDLE_DIR}"
+  docker build -t "${IMAGE}" .
+  docker push "${IMAGE}"
+  popd
 
-tc_start_block "Make and push docker images"
-configure_docker_creds
-docker_login "$rhel_registry" "$OPERATOR_BUNDLE_REDHAT_REGISTRY_USER" "$OPERATOR_BUNDLE_REDHAT_REGISTRY_KEY"
+  tc_end_block "Make and push bundle image"
+}
 
-# TODO(rail): switch to bazel generated images when it supports "FROM: scratch"
-cd deploy/certified-metadata-bundle/cockroach-operator
-docker build -t $image -f bundle.Dockerfile .
-docker push $image
+run_preflight() {
+  bazel build //hack/bin:preflight
+  PFLT_PYXIS_API_TOKEN="${REDHAT_API_TOKEN}" bazel-bin/hack/bin/preflight \
+    check operator "${IMAGE}" --docker-config ~/.docker/config.json
+}
 
-tc_end_block "Make and push docker images"
+main "$@"

build/release/teamcity-publish-openshift.sh

@@ -17,41 +17,37 @@ set -euxo pipefail
 
 source "$(dirname "${0}")/teamcity-support.sh"
 
+RH_PROJECT_ID="5e6027425c5456060d5f6084"
+RH_REGISTRY="scan.connect.redhat.com"
+RH_OPERATOR_IMG="${RH_REGISTRY}/ospid-cf721588-ad8a-4618-938c-5191c5e10ae4/cockroachdb-operator:${TAG}"
 
-tc_start_block "Variable Setup"
-VERSION="v"$(cat version.txt)
-# Matching the version name regex from within the cockroach code except
-# for the `metadata` part at the end because Docker tags don't support
-# `+` in the tag name.
-# https://github.com/cockroachdb/cockroach/blob/4c6864b44b9044874488cfedee3a31e6b23a6790/pkg/util/version/version.go#L75
-image_tag="$(echo "${VERSION}" | grep -E -o '^v(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)(-[-.0-9A-Za-z]+)?$')"
-#                                         ^major           ^minor           ^patch         ^preRelease
-
-if [[ -z "$image_tag" ]] ; then
-    echo "Invalid VERSION \"${VERSION}\". Must be of the format \"vMAJOR.MINOR.PATCH(-PRERELEASE)?\"."
-    exit 1
-fi
-
-rhel_registry="scan.connect.redhat.com"
-
-dh_operator_image="docker.io/cockroachdb/cockroach-operator:$image_tag"
-rh_operator_image_repository="$rhel_registry/ospid-cf721588-ad8a-4618-938c-5191c5e10ae4/cockroachdb-operator"
-
+OPERATOR_IMG="docker.io/cockroachdb/cockroach-operator:${TAG}"
 if ! [[ -z "${DRY_RUN}" ]] ; then
-  # The operator image doesn't use the "-dryrun" suffix, it's published in a
-  # separate repository.
-  dh_operator_image="docker.io/cockroachdb/cockroach-operator-misc:$image_tag"
-  image_tag="${image_tag}-dryrun"
+  OPERATOR_IMG="docker.io/cockroachdb/cockroach-operator-misc:${TAG}-dryrun"
 fi
-tc_end_block "Variable Setup"
-
-
-tc_start_block "Make and push docker images"
-configure_docker_creds
-docker_login "$rhel_registry" "$OPERATOR_REDHAT_REGISTRY_USER" "$OPERATOR_REDHAT_REGISTRY_KEY"
-
-docker pull "$dh_operator_image"
-docker tag "$dh_operator_image" "$rh_operator_image_repository:$image_tag"
-docker push "$rh_operator_image_repository:$image_tag"
 
-tc_end_block "Make and push docker images"
+main() {
+  docker_login "${RH_REGISTRY}" "${OPERATOR_REDHAT_REGISTRY_USER}" "${OPERATOR_REDHAT_REGISTRY_KEY}"
+
+  publish_to_redhat
+  run_preflight
+}
+
+publish_to_redhat() {
+  tc_start_block "Tag and release docker image"
+  docker pull "${OPERATOR_IMG}"
+  docker tag "${OPERATOR_IMG}" "${RH_OPERATOR_IMG}"
+  docker push "${RH_OPERATOR_IMG}"
+  tc_end_block "Tag and release docker image"
+}
+
+run_preflight() {
+  bazel build //hack/bin:preflight
+  PFLT_PYXIS_API_TOKEN="${REDHAT_API_TOKEN}" bazel-bin/hack/bin/preflight \
+    check container "${RH_OPERATOR_IMG}" \
+    --certification-project-id="${RH_PROJECT_ID}" \
+    --docker-config=/home/agent/.docker/config.json \
+    --submit
+}
+
+main "$@"

build/release/teamcity-publish-release.sh

@@ -17,45 +17,45 @@ set -euxo pipefail
 
 source "$(dirname "${0}")/teamcity-support.sh"
 
-tc_start_block "Variable Setup"
-VERSION="v"$(cat version.txt)
-# Matching the version name regex from within the cockroach code except
-# for the `metadata` part at the end because Docker tags don't support
-# `+` in the tag name.
-# https://github.com/cockroachdb/cockroach/blob/4c6864b44b9044874488cfedee3a31e6b23a6790/pkg/util/version/version.go#L75
-image_tag="$(echo "${VERSION}" | grep -E -o '^v(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)(-[-.0-9A-Za-z]+)?$')"
-#                                         ^major           ^minor           ^patch         ^preRelease
-
-if [[ -z "$image_tag" ]] ; then
-  echo "Invalid VERSION \"${VERSION}\". Must be of the format \"vMAJOR.MINOR.PATCH(-PRERELEASE)?\"."
-  exit 1
-fi
-
-docker_registry="docker.io"
-operator_image_repository="cockroachdb/cockroach-operator"
-
-if ! [[ -z "${DRY_RUN}" ]] ; then
-  operator_image_repository="cockroachdb/cockroach-operator-misc"
-fi
-
-tc_end_block "Variable Setup"
-
-tc_start_block "Make and push docker images"
-configure_docker_creds
-docker_login "$docker_registry" "$OPERATOR_DOCKER_ID" "$OPERATOR_DOCKER_ACCESS_TOKEN"
-
-if docker_image_exists "$docker_registry/$operator_image_repository:$image_tag"; then
-  echo "Docker image $docker_registry/$operator_image_repository:$image_tag already exists"
-  if [[ -z "${FORCE}" ]] ; then
-    echo "Use FORCE=1 to force push the docker image."
-    echo "Alternatively you can delete the tag in Docker Hub."
-    exit 1
+REGISTRY="docker.io"
+REPO="cockroachdb/cockroach-operator"
+if ! [[ -z "${DRY_RUN}" ]] ; then REPO="${REPO}-misc"; fi
+
+OPERATOR_IMG="${REGISTRY}/${REPO}:${TAG}"
+
+main() {
+  docker_login "${REGISTRY}" "${OPERATOR_DOCKER_ID}" "${OPERATOR_DOCKER_ACCESS_TOKEN}"
+
+  validate_image
+  publish_to_registry
+}
+
+validate_image() {
+  tc_start_block "Ensure image should be pushed"
+
+  if docker_image_exists "${OPERATOR_IMG}"; then
+    echo "Docker image ${OPERATOR_IMG} already exists!"
+
+    if [[ -z "${FORCE}" ]] ; then
+      echo "Use FORCE=1 to force push the docker image."
+      echo "Alternatively you can delete the tag in Docker Hub."
+      exit 1
+    fi
+    echo "Forcing docker push..."
   fi
-  echo "Forcing docker push..."
-fi
-
-make \
-  DOCKER_REGISTRY="$docker_registry" \
-  DOCKER_IMAGE_REPOSITORY="$operator_image_repository" \
-  release/image
-tc_end_block "Make and push docker images"
+
+  tc_end_block "Ensure image should be pushed"
+}
+
+publish_to_registry() {
+  tc_start_block "Make and push docker image"
+
+  make \
+    DOCKER_REGISTRY="${REGISTRY}" \
+    DOCKER_IMAGE_REPOSITORY="${REPO}" \
+    release/image
+
+  tc_end_block "Make and push docker image"
+}
+
+main "$@"

build/release/teamcity-support.sh

@@ -12,6 +12,9 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+# Set below with call to ensure_valid_tag
+export TAG=""
+
 # Common helpers for teamcity-*.sh scripts.
 
 remove_files_on_exit() {
@@ -29,10 +32,12 @@ tc_end_block() {
 }
 
 docker_login() {
-  local registry=$1
-  local registry_user=$2
-  local registry_token=$3
-  echo "${registry_token}" | docker login --username "${registry_user}" --password-stdin $registry
+  configure_docker_creds
+
+  local registry="${1}"
+  local registry_user="${2}"
+  local registry_token="${3}"
+  echo "${registry_token}" | docker login --username "${registry_user}" --password-stdin "${registry}"
 }
 
 configure_docker_creds() {
@@ -55,3 +60,24 @@ docker_image_exists() {
   docker pull "$1"
   return $?
 }
+
+ensure_valid_tag() {
+  tc_start_block "Extracting image tag"
+  local version="v$(cat version.txt)"
+
+  # Matching the version name regex from within the cockroach code except
+  # for the `metadata` part at the end because Docker tags don't support
+  # `+` in the tag name.
+  # https://github.com/cockroachdb/cockroach/blob/4c6864b44b9044874488cfedee3a31e6b23a6790/pkg/util/version/version.go#L75
+  TAG="$(echo -n "${version}" | grep -E -o '^v(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)(-[-.0-9A-Za-z]+)?$')"
+  #                                         ^major           ^minor           ^patch         ^preRelease
+
+  if [[ -z "${TAG}" ]] ; then
+    echo "Invalid VERSION \"${version}\". Must be of the format \"vMAJOR.MINOR.PATCH(-PRERELEASE)?\"."
+    exit 1
+  fi
+
+  tc_end_block "Extracting image tag"
+}
+
+ensure_valid_tag

config/default/BUILD.bazel

@@ -34,6 +34,7 @@ k8s_deploy(
         # when running locally, use the image from the local codebase
         "cockroachdb/cockroach-operator:$(APP_VERSION)": "//cmd/cockroach-operator:operator_image",
     },
+		resolver_args = ["--allow_unused_images"],
     template = ":manifest",
 )
 

config/manifests/bases/cockroach-operator.clusterserviceversion.yaml

@@ -178,6 +178,7 @@ spec:
   - email: support@cockroachlabs.com
     name: Cockroach Labs Support
   maturity: stable
+  minKubeVersion: 1.18.0
   provider:
     name: Cockroach Labs
   version: 0.0.0

config/templates/csv.yaml.in

@@ -178,6 +178,7 @@ spec:
   - email: support@cockroachlabs.com
     name: Cockroach Labs Support
   maturity: stable
+  minKubeVersion: 1.18.0
   provider:
     name: Cockroach Labs
   version: 0.0.0

hack/BUILD.bazel

@@ -129,6 +129,17 @@ sh_binary(
     ],
 )
 
+sh_binary(
+    name = "redhat-preflight",
+    srcs = ["redhat.sh"],
+    data = [
+			JQ,
+      OPM,
+      "//hack/bin:preflight",
+      "@//:all-srcs",
+    ],
+)
+
 filegroup(
     name = "package-srcs",
     srcs = glob(["**"]),