From 8ca26756d5ccfb11c47f292c06c63f4bc8a5b451 Mon Sep 17 00:00:00 2001 From: Blaine Gardner Date: Thu, 6 Feb 2025 15:35:23 -0700 Subject: [PATCH 1/2] cloudbuild: fix epoch dating on staged image tags Using `gcloud container images add-tag` to add tags to images built and pushed to GCR was resulting in the added tags having a date of Dec. 31, 1969 (the epoch). In order to avoid tags having epoch dates, adjust the cloudbuild script to use `--tag` arguments for each tag. Signed-off-by: Blaine Gardner --- hack/cloudbuild.sh | 43 +++++++++++++++++++++++++++++++------------ 1 file changed, 31 insertions(+), 12 deletions(-) diff --git a/hack/cloudbuild.sh b/hack/cloudbuild.sh index 54851ae0..098814b8 100755 --- a/hack/cloudbuild.sh +++ b/hack/cloudbuild.sh 
@@ -17,44 +17,45 @@ SIDECAR_IMAGE="${REPO}/objectstorage-sidecar" # args to 'make build' export DOCKER="/buildx-entrypoint" # available in gcr.io/k8s-testimages/gcb-docker-gcloud image -export BUILD_ARGS="--push" export PLATFORM export SIDECAR_TAG="${SIDECAR_IMAGE}:${GIT_TAG}" export CONTROLLER_TAG="${CONTROLLER_IMAGE}:${GIT_TAG}" -make build +ADDITIONAL_BUILD_ARGS="--push" +ADDITIONAL_CONTROLLER_TAGS=() +ADDITIONAL_SIDECAR_TAGS=() # PULL_BASE_REF is 'main' for non-tagged commits on the main branch if [[ "${PULL_BASE_REF}" == main ]]; then echo " ! ! ! this is a main branch build ! ! !" # 'main' tag follows the main branch head - gcloud container images add-tag "${CONTROLLER_TAG}" "${CONTROLLER_IMAGE}:main" - gcloud container images add-tag "${SIDECAR_TAG}" "${SIDECAR_IMAGE}:main" + ADDITIONAL_CONTROLLER_TAGS+=("${CONTROLLER_IMAGE}:main") + ADDITIONAL_SIDECAR_TAGS+=("${SIDECAR_IMAGE}:main") # 'latest' tag follows 'main' for easy use by developers - gcloud container images add-tag "${CONTROLLER_TAG}" "${CONTROLLER_IMAGE}:latest" - gcloud container images add-tag "${SIDECAR_TAG}" "${SIDECAR_IMAGE}:latest" + ADDITIONAL_CONTROLLER_TAGS+=("${CONTROLLER_IMAGE}:latest") + ADDITIONAL_SIDECAR_TAGS+=("${SIDECAR_IMAGE}:latest") fi # PULL_BASE_REF is 'release-*' for non-tagged commits on release branches if [[ "${PULL_BASE_REF}" == release-* ]]; then echo " ! ! ! this is a ${PULL_BASE_REF} release branch build ! ! !" # 'release-*' tags that follow each release branch head - gcloud container images add-tag "${CONTROLLER_TAG}" "${CONTROLLER_IMAGE}:${PULL_BASE_REF}" - gcloud container images add-tag "${SIDECAR_TAG}" "${SIDECAR_IMAGE}:${PULL_BASE_REF}" + ADDITIONAL_CONTROLLER_TAGS+=("${CONTROLLER_IMAGE}:${PULL_BASE_REF}") + ADDITIONAL_SIDECAR_TAGS+=("${SIDECAR_IMAGE}:${PULL_BASE_REF}") fi # PULL_BASE_REF is 'controller/TAG' for a tagged controller release if [[ "${PULL_BASE_REF}" == controller/* ]]; then echo " ! ! ! this is a tagged controller release ! ! !" 
TAG="${PULL_BASE_REF#controller/*}" - gcloud container images add-tag "${CONTROLLER_TAG}" "${CONTROLLER_IMAGE}:${TAG}" + ADDITIONAL_CONTROLLER_TAGS+=("${CONTROLLER_IMAGE}:${TAG}") fi # PULL_BASE_REF is 'sidecar/TAG' for a tagged sidecar release if [[ "${PULL_BASE_REF}" == sidecar/* ]]; then echo " ! ! ! this is a tagged sidecar release ! ! !" TAG="${PULL_BASE_REF#sidecar/*}" - gcloud container images add-tag "${SIDECAR_TAG}" "${SIDECAR_IMAGE}:${TAG}" + ADDITIONAL_SIDECAR_TAGS+=("${SIDECAR_IMAGE}:${TAG}") fi # PULL_BASE_REF is 'v0.y.z*' for tagged alpha releases where controller and sidecar are released simultaneously @@ -62,10 +63,28 @@ fi if [[ "${PULL_BASE_REF}" == 'v0.'* ]]; then echo " ! ! ! this is a tagged controller + sidecar release ! ! !" TAG="${PULL_BASE_REF}" - gcloud container images add-tag "${CONTROLLER_TAG}" "${CONTROLLER_IMAGE}:${TAG}" - gcloud container images add-tag "${SIDECAR_TAG}" "${SIDECAR_IMAGE}:${TAG}" + ADDITIONAL_CONTROLLER_TAGS+=("${CONTROLLER_IMAGE}:${TAG}") + ADDITIONAL_SIDECAR_TAGS+=("${SIDECAR_IMAGE}:${TAG}") fi # else, PULL_BASE_REF is something that doesn't release image(s) to staging, like: # - a random branch name (e.g., feature-xyz) # - a version tag for a subdir with no image associated (e.g., client/v0.2.0, proto/v0.2.0) + +# 'gcloud container images add-tag' within the cloudbuild infrastructure doesn't preserve the date +# of the underlying image when adding a new tag, resulting in tags dated Dec 31, 1969 (the epoch). +# To ensure the right date on all built image tags, do the build with '--tag' args for all tags. + +BUILD_ARGS="${ADDITIONAL_BUILD_ARGS}" +for tag in "${ADDITIONAL_CONTROLLER_TAGS[@]}"; do + BUILD_ARGS="${BUILD_ARGS} --tag=${tag}" +done +export BUILD_ARGS +make build.controller + +BUILD_ARGS="${ADDITIONAL_BUILD_ARGS}" +for tag in "${ADDITIONAL_SIDECAR_TAGS[@]}"; do + BUILD_ARGS="${BUILD_ARGS} --tag=${tag}" +done +export BUILD_ARGS +make build.sidecar 
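Review bot: The tag values appended to `ADDITIONAL_CONTROLLER_TAGS` and `ADDITIONAL_SIDECAR_TAGS` come from `PULL_BASE_REF` with no check, most directly in the `release-*` branch, where the whole ref becomes the tag. Before this change they reached `gcloud` as individually quoted arguments; now they are joined into the exported `BUILD_ARGS` string in the next hunk and split again by whatever consumes it (the Makefile is not shown, so how it expands the string is an assumption). Git ref names may contain characters that are meaningful to a shell and are not valid in an image tag. I would reject them before each append, e.g. `[[ "${TAG}" =~ ^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$ ]] || { echo "not a valid image tag: ${TAG}" >&2; exit 1; }`, with the same test against `${PULL_BASE_REF}` in the `release-*` branch.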
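Review bot: Both `for tag in "${ADDITIONAL_..._TAGS[@]}"` loops expand an array that is empty for every ref matching none of the branches above, and the sidecar array is also empty on a `controller/*` ref. The script's shell options are outside this hunk; if it runs with `set -o nounset` on a bash older than 4.4, that expansion aborts with an unbound-variable error before anything is built. The guarded form `for tag in ${ADDITIONAL_CONTROLLER_TAGS[@]+"${ADDITIONAL_CONTROLLER_TAGS[@]}"}; do` behaves the same on every bash version, and the sidecar loop needs the same change. The two loops are otherwise identical and could share one small helper that takes the make target and the tag list.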
From bf5c6191a25928a4ed9799d8826c91956ae7ae11 Mon Sep 17 00:00:00 2001 From: Blaine Gardner Date: Fri, 7 Feb 2025 13:34:45 -0700 Subject: [PATCH 2/2] cloudbuild: limit image release tags to semver only When doing cloudbuilds for tagged releases, limit images to only a single tag that represents the semver tag. The registry.k8s.io tooling uses scripts to coordinate which images and tags are promoted from staging to release. The scripts don't handle image digests with multiple tags, and COSI can assume less release breakage by not relying on more advanced handling. When the cloudbuild script detects a release is happening, it will now apply only the semver tag to the image. Signed-off-by: Blaine Gardner --- hack/cloudbuild.sh | 24 +++++++++++++++++------- 1 file changed, 17 insertions(+), 7 deletions(-) diff --git a/hack/cloudbuild.sh b/hack/cloudbuild.sh index 098814b8..c6599e5f 100755 --- a/hack/cloudbuild.sh +++ b/hack/cloudbuild.sh 
@@ -48,14 +48,20 @@ fi if [[ "${PULL_BASE_REF}" == controller/* ]]; then echo " ! ! ! this is a tagged controller release ! ! !" TAG="${PULL_BASE_REF#controller/*}" - ADDITIONAL_CONTROLLER_TAGS+=("${CONTROLLER_IMAGE}:${TAG}") + # when tagging a release image, do not apply any other tags other than the release tag + # the registry.k8s.io scripting does not handle images with multiple tags + ADDITIONAL_CONTROLLER_TAGS=() + CONTROLLER_TAG="${CONTROLLER_IMAGE}:${TAG}" fi # PULL_BASE_REF is 'sidecar/TAG' for a tagged sidecar release if [[ "${PULL_BASE_REF}" == sidecar/* ]]; then echo " ! ! ! this is a tagged sidecar release ! ! !" TAG="${PULL_BASE_REF#sidecar/*}" - ADDITIONAL_SIDECAR_TAGS+=("${SIDECAR_IMAGE}:${TAG}") + # when tagging a release image, do not apply any other tags other than the release tag + # the registry.k8s.io scripting does not handle images with multiple tags + ADDITIONAL_SIDECAR_TAGS=() + SIDECAR_TAG="${SIDECAR_IMAGE}:${TAG}" fi # PULL_BASE_REF is 'v0.y.z*' for tagged alpha releases where controller and sidecar are released simultaneously 
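Review bot: `TAG` is still whatever follows `controller/` or `sidecar/`, so nothing in these branches enforces the semver-only tagging the commit message describes. Because `CONTROLLER_TAG` / `SIDECAR_TAG` is now the single tag that gets pushed, a ref such as `controller/latest` would push straight over the moving `latest` tag in staging. A guard right after each `TAG=` assignment would pin the intent, e.g. `[[ "${TAG}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+ ]] || { echo "not a release version: ${TAG}" >&2; exit 1; }`. The leading `v` is inferred from the `v0.y.z` and `client/v0.2.0` examples in the script's comments. The `'v0.'*` branch in the next hunk checks only the prefix and would benefit from the same test.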
@@ -63,17 +69,21 @@ fi if [[ "${PULL_BASE_REF}" == 'v0.'* ]]; then echo " ! ! ! this is a tagged controller + sidecar release ! ! !" TAG="${PULL_BASE_REF}" - ADDITIONAL_CONTROLLER_TAGS+=("${CONTROLLER_IMAGE}:${TAG}") - ADDITIONAL_SIDECAR_TAGS+=("${SIDECAR_IMAGE}:${TAG}") + # when tagging a release image, do not apply any other tags other than the release tag + # the registry.k8s.io scripting does not handle images with multiple tags + ADDITIONAL_CONTROLLER_TAGS=() + ADDITIONAL_SIDECAR_TAGS=() + CONTROLLER_TAG="${CONTROLLER_IMAGE}:${TAG}" + SIDECAR_TAG="${SIDECAR_IMAGE}:${TAG}" fi # else, PULL_BASE_REF is something that doesn't release image(s) to staging, like: # - a random branch name (e.g., feature-xyz) # - a version tag for a subdir with no image associated (e.g., client/v0.2.0, proto/v0.2.0) -# 'gcloud container images add-tag' within the cloudbuild infrastructure doesn't preserve the date -# of the underlying image when adding a new tag, resulting in tags dated Dec 31, 1969 (the epoch). -# To ensure the right date on all built image tags, do the build with '--tag' args for all tags. +# This script's tagging should be less error-prone if 'docker buildx' has all the tags that an image +# will be tagged with during the build process. All tags are applied at once without need to +# maintain tooling for adding tags to manifests after build. BUILD_ARGS="${ADDITIONAL_BUILD_ARGS}" for tag in "${ADDITIONAL_CONTROLLER_TAGS[@]}"; do