
Commit 17bd372

afrittolitekton-robot
authored andcommitted
Migrate nightly builds and releases to ghcr.io
As part of the work to reduce Tekton's infra spend, we are migrating nightly builds and new releases from gcr.io to ghcr.io, to reduce the expensive egress bandwidth utilisation (tektoncd/plumbing#2157). This PR introduces support for publishing container images to ghcr.io (YAML files are still published to Google Cloud storage). It also replicates a few improvements that have been done in the pipeline release pipeline before, such as: - Support for hashing the image path (for nicer path in GitHub) - Support for skipping build and test tasks, to be enabled for nightly builds to save CPU time Signed-off-by: Andrea Frittoli <andrea.frittoli@uk.ibm.com>
1 parent 528706c commit 17bd372


2 files changed

+174
-41
lines changed


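--- a/tekton/publish.yaml
+++ b/tekton/publish.yaml
@@ -15,6 +15,9 @@ spec:
 - name: interceptorImages
 description: List of cmd/* paths to be published as images in release manifest interceptors.yaml
 default: "interceptors"
+- name: koExtraArgs
+description: Extra args to be passed to ko
+default: "--preserve-import-paths"
 - name: versionTag
 description: The vX.Y.Z version that the artifacts should be tagged with (including `v`)
 - name: imageRegistry
@@ -25,6 +28,9 @@ spec:
 - name: imageRegistryRegions
 description: The target image registry regions
 default: "us eu asia"
+- name: imageRegistryUser
+description: Username to be used to login to the container registry
+default: "_json_key"
 - name: releaseAsLatest
 description: Whether to tag and publish this release as Triggers' latest
 default: "true"
@@ -49,41 +55,45 @@ spec:
 env:
 - name: "PROJECT_ROOT"
 value: "$(workspaces.source.path)"
-- name: CONTAINER_REGISTY_CREDENTIALS
+- name: CONTAINER_REGISTRY_CREDENTIALS
 value: "$(workspaces.release-secret.path)/$(params.serviceAccountPath)"
 - name: CONTAINER_REGISTRY
 value: "$(params.imageRegistry)/$(params.imageRegistryPath)"
+- name: CONTAINER_REGISTRY_USER
+value: "$(params.imageRegistryUser)"
 - name: REGIONS
 value: "$(params.imageRegistryRegions)"
 - name: OUTPUT_RELEASE_DIR
 value: "$(workspaces.output.path)/$(params.versionTag)"
+- name: KO_EXTRA_ARGS
+value: "$(params.koExtraArgs)"
 results:
 # IMAGES result is picked up by Tekton Chains to sign the release.
 # See https://github.com/tektoncd/plumbing/blob/main/docs/signing.md for more info.
 - name: IMAGES
 steps:
 
 - name: container-registy-auth
-image: gcr.io/go-containerregistry/crane:debug
+image: cgr.dev/chainguard/crane:latest-dev@sha256:8ebcdd154abd06371886fee6583c7c9bbc4e88a2999c493266b1580f605e0e7c
 script: |
-#!/busybox/sh
+#!/bin/sh
 set -ex
 
 # Login to the container registry
-DOCKER_CONFIG=$(cat ${CONTAINER_REGISTY_CREDENTIALS} | \
-crane auth login -u _json_key --password-stdin $(params.imageRegistry) 2>&1 | \
+DOCKER_CONFIG=$(cat ${CONTAINER_REGISTRY_CREDENTIALS} | \
+crane auth login -u ${CONTAINER_REGISTRY_USER} --password-stdin $(params.imageRegistry) 2>&1 | \
 sed 's,^.*logged in via \(.*\)$,\1,g')
 
 # Auth with account credentials for all regions.
 for region in ${REGIONS}
 do
 HOSTNAME=${region}.$(params.imageRegistry)
-cat ${CONTAINER_REGISTY_CREDENTIALS} | crane auth login -u _json_key --password-stdin ${HOSTNAME}
+cat ${CONTAINER_REGISTRY_CREDENTIALS} | crane auth login -u ${CONTAINER_REGISTRY_USER} --password-stdin ${HOSTNAME}
 done
 cp ${DOCKER_CONFIG} /workspace/docker-config.json
 
 - name: run-ko
-image: gcr.io/tekton-releases/dogfooding/ko@sha256:9ee3ae5273b1f55bf01ba71bd79b5a4a9d357c51c0fdabf1efec8bd7e7087983
+image: gcr.io/tekton-releases/dogfooding/ko@sha256:8c4dbc57bcfd4c0a68f62c42da3f22932b0f3f54d4724c65841ad78406bc09ad
 env:
 - name: KO_DOCKER_REPO
 value: $(params.imageRegistry)/$(params.imageRegistryPath)
@@ -104,7 +114,7 @@ spec:
 # For each cmd/* directory, include a full gzipped tar of all source in
 # vendor/. This is overkill. Some deps' licenses require the source to be
 # included in the container image when they're used as a dependency.
-# Rather than trying to determine which deps have this requirement (an(params.imageRegistryd
+# Rather than trying to determine which deps have this requirement (and
 # probably get it wrong), we'll just targz up the whole vendor tree and
 # include it. As of 9/20/2019, this amounts to about 11MB of additional
 # data in each image.
@@ -116,60 +126,99 @@ spec:
 fi
 done
 
-# Rewrite "devel" to params.versionTag
-sed -i -e 's/\(triggers.tekton.dev\/release\): "devel"/\1: "$(params.versionTag)"/g' -e 's/\(app.kubernetes.io\/version\): "devel"/\1: "$(params.versionTag)"/g' -e 's/\(version\): "devel"/\1: "$(params.versionTag)"/g' ${PROJECT_ROOT}/config/*.yaml
-sed -i -e 's/\(triggers.tekton.dev\/release\): "devel"/\1: "$(params.versionTag)"/g' -e 's/\(app.kubernetes.io\/version\): "devel"/\1: "$(params.versionTag)"/g' -e 's/\(version\): "devel"/\1: "$(params.versionTag)"/g' ${PROJECT_ROOT}/config/interceptors/*.yaml
 # Publish images and create release.yaml
 mkdir -p $OUTPUT_RELEASE_DIR
 
-ko resolve --platform=$(params.platforms) --preserve-import-paths -t $(params.versionTag) -f ${PROJECT_ROOT}/config/ > $OUTPUT_RELEASE_DIR/release.yaml
-ko resolve --platform=$(params.platforms) --preserve-import-paths -t $(params.versionTag) -f ${PROJECT_ROOT}/config/interceptors > $OUTPUT_RELEASE_DIR/interceptors.yaml
+# Make a local git tag to make git status happy :)
+# The real "tagging" will happen with the "create-release" pipeline.
+git tag $(params.versionTag)
+
+ko resolve \
+--image-label=org.opencontainers.image.source=https://$(params.package) \
+--platform=$(params.platforms) \
+-t $(params.versionTag) ${KO_EXTRA_ARGS} \
+-f ${PROJECT_ROOT}/config/ > $OUTPUT_RELEASE_DIR/release.yaml
+ko resolve \
+--image-label=org.opencontainers.image.source=https://$(params.package) \
+--platform=$(params.platforms) ${KO_EXTRA_ARGS} \
+-t $(params.versionTag) \
+-f ${PROJECT_ROOT}/config/interceptors > $OUTPUT_RELEASE_DIR/interceptors.yaml
+
 # Publish images and create release.notags.yaml
 # This is useful if your container runtime doesn't support the `image-reference:tag@digest` notation
 # This is currently the case for `cri-o` (and most likely others)
-ko resolve --platform=$(params.platforms) --preserve-import-paths -t $(params.versionTag) -f ${PROJECT_ROOT}/config/ > $OUTPUT_RELEASE_DIR/release.notags.yaml
-ko resolve --platform=$(params.platforms) --preserve-import-paths -t $(params.versionTag) -f ${PROJECT_ROOT}/config/interceptors > $OUTPUT_RELEASE_DIR/interceptors.notags.yaml
+ko resolve \
+--image-label=org.opencontainers.image.source=https://$(params.package) \
+--platform=$(params.platforms) ${KO_EXTRA_ARGS} \
+-f ${PROJECT_ROOT}/config/ > $OUTPUT_RELEASE_DIR/release.notags.yaml
+ko resolve \
+--image-label=org.opencontainers.image.source=https://$(params.package) \
+--platform=$(params.platforms) ${KO_EXTRA_ARGS} \
+-f ${PROJECT_ROOT}/config/interceptors > $OUTPUT_RELEASE_DIR/interceptors.notags.yaml
 
+# Rewrite "devel" to params.versionTag
+sed -i -e 's/\(triggers.tekton.dev\/release\): "devel"/\1: "$(params.versionTag)"/g' -e 's/\(app.kubernetes.io\/version\): "devel"/\1: "$(params.versionTag)"/g' -e 's/\(version\): "devel"/\1: "$(params.versionTag)"/g' ${OUTPUT_RELEASE_DIR}/release.yaml
+sed -i -e 's/\(triggers.tekton.dev\/release\): "devel"/\1: "$(params.versionTag)"/g' -e 's/\(app.kubernetes.io\/version\): "devel"/\1: "$(params.versionTag)"/g' -e 's/\(version\): "devel"/\1: "$(params.versionTag)"/g' ${OUTPUT_RELEASE_DIR}/release.notags.yaml
+sed -i -e 's/\(triggers.tekton.dev\/release\): "devel"/\1: "$(params.versionTag)"/g' -e 's/\(app.kubernetes.io\/version\): "devel"/\1: "$(params.versionTag)"/g' -e 's/\(version\): "devel"/\1: "$(params.versionTag)"/g' ${OUTPUT_RELEASE_DIR}/interceptors.yaml
+sed -i -e 's/\(triggers.tekton.dev\/release\): "devel"/\1: "$(params.versionTag)"/g' -e 's/\(app.kubernetes.io\/version\): "devel"/\1: "$(params.versionTag)"/g' -e 's/\(version\): "devel"/\1: "$(params.versionTag)"/g' ${OUTPUT_RELEASE_DIR}/interceptors.notags.yaml
 - name: koparse
-image: gcr.io/tekton-releases/dogfooding/koparse:latest
+image: gcr.io/tekton-releases/dogfooding/koparse@sha256:ae363d70e3c2fb75e96aaeb561dcea20383c27a47f0266c8179bbb72b89c2430
 script: |
 set -ex
 
-IMAGES_PATH=${CONTAINER_REGISTRY}/$(params.package)
+# Find "--preserve-import-paths" in a list of args
+function find_preserve_import_path() {
+for arg in $@; do
+if [[ "$arg" == "--preserve-import-paths" ]]; then
+return 0
+fi
+done
+return 1
+}
+
+# If "--preserve-import-paths" is used, include "package" in the expected path
+find_preserve_import_path \
+$(echo $KO_EXTRA_ARGS) && \
+PRESERVE_IMPORT_PATH="--preserve-path" || \
+PRESERVE_IMPORT_PATH="--no-preserve-path"
 
 for cmd in $(params.images)
 do
-IMAGES="${IMAGES} ${IMAGES_PATH}/cmd/${cmd}:$(params.versionTag)"
+IMAGES="${IMAGES} $(params.package)/cmd/${cmd}:$(params.versionTag)"
 done
 
 # Parse the built images from the release.yaml generated by ko
 koparse \
 --path $OUTPUT_RELEASE_DIR/release.yaml \
---base ${IMAGES_PATH} --images ${IMAGES} > /workspace/built_images
+--base $(params.package) \
+--container-registry ${CONTAINER_REGISTRY} \
+--images ${IMAGES} \
+${PRESERVE_IMPORT_PATH} > /workspace/built_images
 
 for cmd in $(params.interceptorImages)
 do
-INTERCEPTOR_IMAGES="${INTERCEPTOR_IMAGES} ${IMAGES_PATH}/cmd/${cmd}:$(params.versionTag)"
+INTERCEPTOR_IMAGES="${INTERCEPTOR_IMAGES} $(params.package)/cmd/${cmd}:$(params.versionTag)"
 done
 
 # Parse the built images from the interceptor.yaml generated by ko
 koparse \
 --path $OUTPUT_RELEASE_DIR/interceptors.yaml \
---base ${IMAGES_PATH} --images ${INTERCEPTOR_IMAGES} >> /workspace/built_images
+--base $(params.package) \
+--container-registry ${CONTAINER_REGISTRY} \
+--images ${INTERCEPTOR_IMAGES} \
+${PRESERVE_IMPORT_PATH} >> /workspace/built_images
 
 - name: tag-images
-image: gcr.io/go-containerregistry/crane:debug
+image: cgr.dev/chainguard/crane:latest-dev@sha256:8ebcdd154abd06371886fee6583c7c9bbc4e88a2999c493266b1580f605e0e7c
 script: |
-#!/busybox/sh
+#!/bin/sh
 set -ex
 
 # Setup docker-auth
 DOCKER_CONFIG=~/.docker
 mkdir -p ${DOCKER_CONFIG}
 cp /workspace/docker-config.json ${DOCKER_CONFIG}/config.json
 
-REGIONS="us eu asia"
-
 # Tag the images and put them in all the regions
 for IMAGE in $(cat /workspace/built_images)
 do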
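Review bot: The new `git tag $(params.versionTag)` line and the four `--image-label=org.opencontainers.image.source=https://$(params.package)` arguments in the run-ko script are filled in by Tekton as text before the shell parses the script, so a parameter value containing whitespace, `;` or `$( )` would be read as shell syntax rather than as data. This happens in a task that writes the registry login to /workspace/docker-config.json. The same commit already routes koExtraArgs through the `KO_EXTRA_ARGS` env entry; the same treatment fits here, for example an env entry `VERSION_TAG` with value `$(params.versionTag)` and then `git tag "${VERSION_TAG}"` in the script. Who can set these parameters is not visible on this page, so the actual exposure depends on how the pipeline is triggered. The run-ko script and its env list start before this hunk, so only part of the step is shown here.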
