Commit 1c906be

anithapriyanatarajan authored and tekton-robot committed
chore(release-pipeline): update references to oci bucket
Signed-off-by: Anitha Natarajan <anataraj@redhat.com>
1 parent 15c4ea5 commit 1c906be

3 files changed

Lines changed: 131 additions & 59 deletions

tekton/README.md

Lines changed: 59 additions & 26 deletions
@@ -129,37 +129,70 @@ release and generate the `release.yaml`
129129
[`tektoncd/catalog`](https://github.com/tektoncd/catalog) and
130130
[`publish.yaml`](publish.yaml)'s `Task`.
131131

132-
### Service account and secrets
132+
### Dogfooding Cluster connectivity and secrets
133133

134-
In order to release, these Pipelines use the `release-right-meow` service account,
135-
which uses `release-secret` and has
136-
[`Storage Admin`](https://cloud.google.com/container-registry/docs/access-control)
137-
access to
138-
[`tekton-releases`]((https://github.com/tektoncd/plumbing/blob/main/gcp.md))
139-
and
140-
[`tekton-releases-nightly`]((https://github.com/tektoncd/plumbing/blob/main/gcp.md)).
134+
1. To connect to the cloud instance and OKE cluster we need the Oracle Cloud CLI client. Install Oracle Cloud CLI from https://docs.oracle.com/en-us/iaas/Content/API/SDKDocs/cliinstall.htm
141135

142-
After creating these service accounts in GCP, the kubernetes service account and
143-
secret were created with:
136+
1. The next step is to establish connection from the local client to the cloud instance. Login to the Oracle Cloud Console and create a new `API key` from the user profile.
137+
Follow the steps here: https://docs.oracle.com/en-us/iaas/Content/API/Concepts/apisigningkey.htm#two
138+
Download a Private Key and Add a new API key as mentioned in the doc. Copy the config file to `~/.oci/config` and update the path to the private key file in config.
139+
With this the config is ready for usage by the CLI.
144140

145-
```bash
146-
KEY_FILE=release.json
147-
GENERIC_SECRET=release-secret
148-
ACCOUNT=release-right-meow
149-
150-
# Connected to the `prow` in the `tekton-releases` GCP project
151-
GCP_ACCOUNT="$ACCOUNT@tekton-releases.iam.gserviceaccount.com"
141+
1. Test the connection by doing a get of the OKE cluster id.
142+
Refer here https://docs.oracle.com/en-us/iaas/tools/oci-cli/3.70.0/oci_cli_docs/cmdref/ce.html for the CLI options.
143+
Command to create a kubeconfig in your local could be obtained from console navigating to the OKE > Actions > Access Cluster. Run the command pointing to the PUBLIC_ENDPOINT and we should be connected to the cluster.
152144

153-
# 1. Create a private key for the service account
154-
gcloud iam service-accounts keys create $KEY_FILE --iam-account $GCP_ACCOUNT
145+
1. [Setup a context to connect to the dogfooding cluster](./release-cheat-sheet.md#setup-dogfooding-context)
155146

156-
# 2. Create kubernetes secret, which we will use via a service account and directly mounting
157-
kubectl create secret generic $GENERIC_SECRET --from-file=./$KEY_FILE
158-
159-
# 3. Add the docker secret to the service account
160-
kubectl apply -f tekton/account.yaml
161-
kubectl patch serviceaccount $ACCOUNT \
162-
-p "{\"secrets\": [{\"name\": \"$GENERIC_SECRET\"}]}"
147+
1. When executing release pipelines, some tasks require `oci cli` commands. The CLI requires credentials which should be created as a Kubernetes secret and mounted to the respective task's workspace. For example refer the precheck definition.
148+
```
149+
- name: precheck
150+
runAfter: [git-clone]
151+
taskRef:
152+
resolver: git
153+
params:
154+
- name: url
155+
value: https://github.com/tektoncd/plumbing
156+
- name: revision
157+
value: 8d3152d3d39982ce1768325b373d321efaa83031
158+
- name: pathInRepo
159+
value: tekton/resources/release/base/prerelease_checks_oci.yaml
160+
params:
161+
- name: package
162+
value: $(params.package)
163+
- name: versionTag
164+
value: $(params.versionTag)
165+
- name: releaseBucket
166+
value: $(params.releaseBucket)/$(params.repoName)
167+
workspaces:
168+
- name: source-to-release
169+
workspace: workarea
170+
subPath: git
171+
- name: oci-credentials
172+
workspace: release-secret
173+
```
174+
Sample secret template for reference:
175+
```
176+
apiVersion: v1
177+
kind: Secret
178+
metadata:
179+
name: oci-credentials
180+
type: Opaque
181+
stringData:
182+
# REQUIRED: OCI API Private Key (PEM format)
183+
oci_api_key.pem: |
184+
-----BEGIN RSA PRIVATE KEY-----
185+
YOUR_ACTUAL_PRIVATE_KEY_CONTENT_HERE
186+
-----END RSA PRIVATE KEY-----
187+
188+
# REQUIRED: API Key Fingerprint
189+
fingerprint: "YOUR_API_KEY_FINGERPRINT_HERE"
190+
191+
# OPTIONAL: These can be provided as task parameters instead
192+
tenancy_ocid: "ocid1.tenancy.oc1..example_tenancy_id"
193+
user_ocid: "ocid1.user.oc1..example_user_id"
194+
region: "us-ashburn-1"
195+
namespace: "your-namespace-here" # Will be auto-detected if not provided
163196
```
164197

165198
### Setup post processing
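
Review bot: The sample Secret at new lines 176-195 is named `oci-credentials`, but the `precheck` example binds the task workspace `oci-credentials` to the pipeline workspace `release-secret`, and the cheat sheet in this same commit starts the pipelines with `secret=release-secret` and `secret=oci-release-secret`. State which Secret name the dogfooding cluster actually uses so the three references agree. The removed text also recorded what access the release identity had (`Storage Admin` on the release buckets); the replacement should say which OCI permissions the API key's user needs, and should note that the filled-in template holds a private key and must not be committed. Both new code fences (lines 148 and 175) could be tagged `yaml`.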

tekton/release-cheat-sheet.md

Lines changed: 63 additions & 27 deletions
@@ -29,7 +29,24 @@ the pipelines repo, a terminal window and a text editor.
2929
- Select the most recent commit on the ***`release-<version number>x` branch***, e.g. [`release-v0.47.x`](https://github.com/tektoncd/pipeline/tree/release-v0.47.x) if you are patching a release i.e. `v0.47.2`.
3030

3131
```bash
32-
TEKTON_RELEASE_GIT_SHA=# SHA of the release to be released
32+
curl \
33+
-H "Accept: application/vnd.github.v3+json" \
34+
https://api.github.com/repos/tektoncd/pipeline/releases\?per_page=100 \
35+
| jq ".[].name" | cut -d'"' -f 3 | tr -d '\' | sort -u
36+
```
37+
38+
1. Create a `release.env` file with environment variables for bash scripts in later steps, and source it:
39+
40+
```bash
41+
cat <<EOF > release.env
42+
TEKTON_VERSION= # Example: v0.69.0
43+
TEKTON_RELEASE_GIT_SHA= # SHA of the release to be released, e.g. 5b082b1106753e093593d12152c82e1c4b0f37e5
44+
TEKTON_OLD_VERSION= # Example: v0.68.0
45+
TEKTON_RELEASE_NAME="Oriental Longhair Omnibot" # Name of the release
46+
TEKTON_PACKAGE=tektoncd/pipeline
47+
TEKTON_REPO_NAME=pipeline
48+
EOF
49+
. ./release.env
3350
```
3451
3552
1. Confirm commit SHA matches what you want to release.
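
Review bot: The heredoc at new lines 41-48 writes `TEKTON_VERSION=`, `TEKTON_RELEASE_GIT_SHA=` and `TEKTON_OLD_VERSION=` with empty values, and line 49 sources the file straight away, so anyone pasting the block as written carries empty variables into every later step. Either tell the reader to fill in the values before running it, or split writing the file and `. ./release.env` into two steps with an edit in between. The `curl | jq` block at lines 32-35 has no sentence saying what it lists, and it now sits directly under the step about selecting the release commit, where the SHA assignment used to be.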
@@ -59,17 +76,16 @@ the pipelines repo, a terminal window and a text editor.
5976
6077
```bash
6178
tkn --context dogfooding pipeline start pipeline-release \
62-
--serviceaccount=release-right-meow \
6379
--param package=github.com/tektoncd/pipeline \
80+
--param repoName="${TEKTON_REPO_NAME}" \
6481
--param gitRevision="${TEKTON_RELEASE_GIT_SHA}" \
6582
--param imageRegistry=ghcr.io \
6683
--param imageRegistryPath=tektoncd/pipeline \
6784
--param imageRegistryRegions="" \
6885
--param imageRegistryUser=tekton-robot \
69-
--param serviceAccountPath=release.json \
7086
--param serviceAccountImagesPath=credentials \
7187
--param versionTag="${TEKTON_VERSION}" \
72-
--param releaseBucket=gs://tekton-releases/pipeline \
88+
--param releaseBucket=tekton-releases \
7389
--param koExtraArgs="" \
7490
--workspace name=release-secret,secret=release-secret \
7591
--workspace name=release-images-secret,secret=ghcr-creds \
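
Review bot: Removing `--serviceaccount=release-right-meow` (old line 62) means the run no longer names a service account and uses whatever default applies in the dogfooding namespace; please confirm that is intended and document which account the release now runs as. Separately, `--param package=github.com/tektoncd/pipeline` and `imageRegistryPath=tektoncd/pipeline` stay hard-coded while `repoName` comes from `${TEKTON_REPO_NAME}`, and `TEKTON_PACKAGE` in `release.env` is `tektoncd/pipeline`, not the `github.com/...` form used here, so the new variables only partly replace the literals.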
@@ -92,8 +108,8 @@ the pipelines repo, a terminal window and a text editor.
92108
93109
NAME VALUE
94110
∙ commit-sha ff6d7abebde12460aecd061ab0f6fd21053ba8a7
95-
∙ release-file https://storage.googleapis.com/tekton-releases-nightly/pipeline/previous/v20210223-xyzxyz/release.yaml
96-
∙ release-file-no-tag https://storage.googleapis.com/tekton-releases-nightly/pipeline/previous/v20210223-xyzxyz/release.notag.yaml
111+
∙ release-file https://infra.tekton.dev/tekton-releases/pipeline/previous/v0.13.0/release.yaml
112+
∙ release-file-no-tag https://infra.tekton.dev/tekton-releases/pipeline/previous/v0.13.0/release.notag.yaml
97113
98114
(...)
99115
```
@@ -115,8 +131,8 @@ the pipelines repo, a terminal window and a text editor.
115131
1. Find the Rekor UUID for the release
116132
117133
```bash
118-
RELEASE_FILE=https://storage.googleapis.com/tekton-releases/pipeline/previous/${TEKTON_VERSION}/release.yaml
119-
CONTROLLER_IMAGE_SHA=$(curl $RELEASE_FILE | egrep 'ghcr.io.*controller' | cut -d'@' -f2)
134+
RELEASE_FILE=https://infra.tekton.dev/tekton-releases/triggers/previous/${VERSION_TAG}/release.yaml
135+
CONTROLLER_IMAGE_SHA=$(curl -L $RELEASE_FILE | sed -n 's/"//g;s/.*ghcr\.io.*controller.*@//p;')
120136
REKOR_UUID=$(rekor-cli search --sha $CONTROLLER_IMAGE_SHA | grep -v Found | head -1)
121137
echo -e "CONTROLLER_IMAGE_SHA: ${CONTROLLER_IMAGE_SHA}\nREKOR_UUID: ${REKOR_UUID}"
122138
```
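
Review bot: New line 134 points `RELEASE_FILE` at `tekton-releases/triggers/previous/${VERSION_TAG}/release.yaml`, but this is the pipeline cheat sheet and `release.env` defines `TEKTON_VERSION`, not `VERSION_TAG`. As written the path component is `triggers` and the version is likely empty, so `CONTROLLER_IMAGE_SHA` and the Rekor lookup on line 136 would be computed from the wrong file or from nothing. Suggest `.../tekton-releases/pipeline/previous/${TEKTON_VERSION}/release.yaml`. On line 135, `curl -L` without `--fail` will pipe an error page into `sed`; `curl -fsSL "$RELEASE_FILE"` makes a bad URL fail visibly.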
@@ -130,21 +146,34 @@ the pipelines repo, a terminal window and a text editor.
130146
131147
1. Execute the Draft Release Pipeline.
132148
133-
```bash
134-
tkn --context dogfooding pipeline start \
135-
--workspace name=shared,volumeClaimTemplateFile=workspace-template.yaml \
136-
--workspace name=credentials,secret=release-secret \
137-
-p package="tektoncd/pipeline" \
138-
-p git-revision="$TEKTON_RELEASE_GIT_SHA" \
139-
-p release-tag="${TEKTON_VERSION}" \
140-
-p previous-release-tag="${TEKTON_OLD_VERSION}" \
141-
-p release-name="${TEKTON_RELEASE_NAME}" \
142-
-p bucket="gs://tekton-releases/pipeline" \
143-
-p rekor-uuid="$REKOR_UUID" \
144-
release-draft
145-
```
146-
147-
1. Watch logs of create-draft-release
149+
Create a pod template file:
150+
151+
```shell
152+
cat <<EOF > tekton/pod-template.yaml
153+
securityContext:
154+
fsGroup: 65532
155+
runAsUser: 65532
156+
runAsNonRoot: true
157+
EOF
158+
```
159+
```shell
160+
161+
tkn pipeline start \
162+
--workspace name=shared,volumeClaimTemplateFile=workspace-template.yaml \
163+
--workspace name=credentials,secret=oci-release-secret \
164+
--pod-template pod-template.yaml \
165+
-p package="${TEKTON_PACKAGE}" \
166+
-p git-revision="$TEKTON_RELEASE_GIT_SHA" \
167+
-p release-tag="${TEKTON_VERSION}" \
168+
-p previous-release-tag="${TEKTON_OLD_VERSION}" \
169+
-p release-name="${TEKTON_RELEASE_NAME}" \
170+
-p repo-name="${TEKTON_REPO_NAME}" \
171+
-p bucket="tekton-releases" \
172+
-p rekor-uuid="$REKOR_UUID" \
173+
release-draft-oci
174+
```
175+
176+
1. Watch logs of resulting pipeline run on pipeline `release-draft-oci`
148177
149178
1. On successful completion, a URL will be logged. Visit that URL and look through the release notes.
150179
1. Manually add upgrade and deprecation notices based on the generated release notes
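
Review bot: The pod template is written to `tekton/pod-template.yaml` (new line 152) but passed as `--pod-template pod-template.yaml` (line 164), so the command only works if the reader changes directory in between; use the same path in both places. The new `tkn pipeline start` at line 161 also drops `--context dogfooding`, which the removed command had and which the `pipeline-release` command earlier in this file still uses; since the cheat sheet tells readers to keep their own cluster as the default context, this run would target the wrong cluster. Minor: the second fence opens with an empty line (160), and the credentials workspace uses `oci-release-secret` while the release pipeline step uses `release-secret`, which needs a sentence of explanation.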
@@ -181,12 +210,12 @@ the pipelines repo, a terminal window and a text editor.
181210
182211
```bash
183212
# Test latest
184-
kubectl --context my-dev-cluster apply --filename https://storage.googleapis.com/tekton-releases/pipeline/latest/release.yaml
213+
kubectl --context my-dev-cluster apply --filename https://infra.tekton.dev/tekton-releases/pipeline/latest/release.yaml
185214
```
186215
187216
```bash
188217
# Test backport
189-
kubectl --context my-dev-cluster apply --filename https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.11.2/release.yaml
218+
kubectl --context my-dev-cluster apply --filename https://infra.tekton.dev/tekton-releases/pipeline/previous/v0.11.2/release.yaml
190219
```
191220
192221
1. Announce the release in Slack channels #general, #announcements and #pipelines.
@@ -205,15 +234,22 @@ Congratulations, you're done!
205234
1. Configure `kubectl` to connect to
206235
[the dogfooding cluster](https://github.com/tektoncd/plumbing/blob/main/docs/dogfooding.md):
207236
237+
The dogfooding cluster is currently an OKE cluster in oracle cloud. we need the Oracle Cloud CLI client. Install oracle cloud cli (https://docs.oracle.com/en-us/iaas/Content/API/SDKDocs/cliinstall.htm)
238+
208239
```bash
209-
gcloud container clusters get-credentials dogfooding --zone us-central1-a --project tekton-releases
240+
oci ce cluster create-kubeconfig --cluster-id <CLUSTER-OCID> --file $HOME/.kube/config --region <CLUSTER-REGION> --token-version 2.0.0 --kube-endpoint PUBLIC_ENDPOINT
210241
```
211242
212243
1. Give [the context](https://kubernetes.io/docs/tasks/access-application-cluster/configure-access-multiple-clusters/)
213244
a short memorable name such as `dogfooding`:
214245
215246
```bash
216-
kubectl config rename-context gke_tekton-releases_us-central1-a_dogfooding dogfooding
247+
kubectl config current-context
248+
```
249+
get the context name and replace with current_context_name
250+
251+
```bash
252+
kubectl config rename-context <current_context_name> dogfooding
217253
```
218254
219255
1. **Important: Switch `kubectl` back to your own cluster by default.**
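
Review bot: The rename step at new lines 247-252 relies on `kubectl config current-context` returning the OKE context right after `create-kubeconfig`; say so explicitly, or point the reader at `kubectl config get-contexts` to pick the right entry, otherwise the reader may rename their own cluster's context to `dogfooding`. Line 240 merges into `$HOME/.kube/config`, which is worth stating since the next step tells the reader to switch back to their own cluster. Wording on lines 237 and 249 needs a pass: capitalise "Oracle Cloud" and the sentence starts ("we need", "get the context name"), and make the install URL a proper link as in the README.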

tekton/release-pipeline.yaml

Lines changed: 9 additions & 6 deletions
@@ -95,20 +95,23 @@ spec:
9595
- name: org
9696
value: tektoncd
9797
- name: revision
98-
value: 50bc706c351cc05087564bb17afc1e658090edb0
98+
value: 8d3152d3d39982ce1768325b373d321efaa83031
9999
- name: pathInRepo
100-
value: tekton/resources/release/base/prerelease_checks.yaml
100+
value: tekton/resources/release/base/prerelease_checks_oci.yaml
101101
params:
102102
- name: package
103103
value: $(params.package)
104104
- name: versionTag
105105
value: $(params.versionTag)
106106
- name: releaseBucket
107-
value: $(params.releaseBucket)
107+
value: $(params.releaseBucket)/$(params.repoName)
108108
workspaces:
109109
- name: source-to-release
110110
workspace: workarea
111-
subpath: git
111+
subPath: git
112+
- name: oci-credentials
113+
workspace: release-secret
114+
112115
- name: unit-tests
113116
runAfter: [precheck]
114117
when:
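
Review bot: Line 107 now expands `$(params.repoName)`, but none of the hunks shown for this file adds a `repoName` entry to the pipeline's `params`; confirm it is already declared (with a description and, if appropriate, a default), otherwise the pipeline will fail validation. The `subpath` to `subPath` correction at line 111 is unrelated to the bucket references and deserves a mention in the commit message. The empty line added at 114 can be dropped.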
@@ -204,7 +207,7 @@ spec:
204207
resolver: bundles
205208
params:
206209
- name: bundle
207-
value: ghcr.io/tektoncd/catalog/upstream/tasks/oracle-cloud-storage-upload:0.1
210+
value: ghcr.io/tektoncd/catalog/upstream/tasks/oracle-cloud-storage-upload:0.2
208211
- name: name
209212
value: oracle-cloud-storage-upload
210213
- name: kind
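
Review bot: The bundle at line 210 (and again at line 243 in the next hunk) is referenced by the tag `:0.2`, which can be re-pointed, while the git-resolved task in this same file is pinned to a full commit SHA. Since this task runs with the release credentials workspace, pin the bundle by digest (`...oracle-cloud-storage-upload:0.2@sha256:<digest>`) so the release pipeline cannot pick up a changed image silently.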
@@ -237,7 +240,7 @@ spec:
237240
resolver: bundles
238241
params:
239242
- name: bundle
240-
value: ghcr.io/tektoncd/catalog/upstream/tasks/oracle-cloud-storage-upload:0.1
243+
value: ghcr.io/tektoncd/catalog/upstream/tasks/oracle-cloud-storage-upload:0.2
241244
- name: name
242245
value: oracle-cloud-storage-upload
243246
- name: kind
