Prepare for publishing images to GHCR

docs/dev/installer.md

@@ -15,7 +15,6 @@ It covers the following topics:
   - [Install ingress](#install-ingress)
 - [Uninstall command](#uninstall-command)
 - [Build command](#build-command)
-- [Release command](#release-command)
 - [Platform support](#platform-support)
 
 ## Before you begin
@@ -55,7 +54,6 @@ Accepted commands:
         install|i                               Installs the dashboard
         uninstall|u                             Uninstalls the dashboard
         build|b                                 Builds the manifests and dashboard docker image
-        release|r                               Builds the manifests and dashboard docker image for release
 
 Accepted options:
         [--debug]                               Prints additional messages in the console
@@ -170,12 +168,6 @@ This will NOT deploy the resulting manifest in the target cluster but will build
 
 The `build` command is useful when you want to ensure everything builds correctly without altering the current deployment. It can help verifying the generated manifests are correct when a change was made in the base or overlays used by `kustomize` too.
 
-## Release command
-
-This command is essentially the same as the [build command](#build-command) but adds the `--preserve-import-paths` option when invoking `ko`.
-
-This is needed to generate the correct docker image name in the manifests when cutting a release.
-
 ## Platform support
 
 Official Dashboard releases since v0.12.0 provide multi-platform images supporting the following:

scripts/installer

@@ -30,7 +30,7 @@ EXTERNAL_LOGS=""
 BASE_RELEASE_URL="https://storage.googleapis.com/tekton-releases/dashboard"
 
 # additional options passed to ko resolve
-KO_RESOLVE_OPTIONS=""
+KO_RESOLVE_OPTIONS="--image-label=org.opencontainers.image.source=https://github.com/tektoncd/dashboard"
 PLATFORM=""
 
 # Display a box banner.
@@ -388,7 +388,6 @@ help () {
   echo -e "\tinstall|i\t\t\t\tInstalls the dashboard"
   echo -e "\tuninstall|u\t\t\t\tUninstalls the dashboard"
   echo -e "\tbuild|b\t\t\t\t\tBuilds the manifests and dashboard docker image"
-  echo -e "\trelease|r\t\t\t\tBuilds the manifests and dashboard docker image for release"
   echo -e ""
   echo -e "Accepted options:"
   echo -e "\t[--debug]\t\t\t\tPrints additional messages in the console"
@@ -444,11 +443,6 @@ case $1 in
     ACTION="build"
     shift
     ;;
-  'release'|r)
-    KO_RESOLVE_OPTIONS="--preserve-import-paths"
-    ACTION="build"
-    shift
-    ;;
   *)
     ACTION="build"
     ;;
@@ -539,6 +533,10 @@ while [[ $# -gt 0 ]]; do
       shift
       KO_RESOLVE_OPTIONS="$KO_RESOLVE_OPTIONS -t ${1}"
       ;;
+    '--preserve-import-paths')
+      shift
+      KO_RESOLVE_OPTIONS="$KO_RESOLVE_OPTIONS --preserve-import-paths"
+      ;;
     *)
       echo "ERROR: Unknown option $1"
       help

tekton/publish.yaml

@@ -27,6 +27,9 @@ spec:
     - name: images
       description: List of cmd/* paths to be published as images
       default: "dashboard"
+    - name: koExtraArgs
+      description: Extra args to be passed to ko
+      default: "--preserve-import-paths"
     - name: versionTag
       description: The vX.Y.Z version that the artifacts should be tagged with (including `v`)
     - name: imageRegistry
@@ -37,6 +40,9 @@ spec:
     - name: imageRegistryRegions
       description: The target image registry regions
       default: "us eu asia"
+    - name: imageRegistryUser
+      description: Username to be used to login to the container registry
+      default: "_json_key"
     - name: releaseAsLatest
       description: Whether to tag and publish this release as Dashboard's latest
       default: "true"
@@ -61,10 +67,14 @@ spec:
         value: "$(workspaces.release-secret.path)/$(params.serviceAccountPath)"
       - name: CONTAINER_REGISTRY
         value: "$(params.imageRegistry)/$(params.imageRegistryPath)"
+      - name: CONTAINER_REGISTRY_USER
+        value: "$(params.imageRegistryUser)"
       - name: REGIONS
         value: "$(params.imageRegistryRegions)"
       - name: OUTPUT_RELEASE_DIR
         value: "$(workspaces.output.path)/$(params.versionTag)"
+      - name: KO_EXTRA_ARGS
+        value: "$(params.koExtraArgs)"
   results:
     # IMAGES result is picked up by Tekton Chains to sign the release.
     # See https://github.com/tektoncd/plumbing/blob/main/docs/signing.md for more info.
@@ -78,14 +88,14 @@ spec:
 
         # Login to the container registry
         DOCKER_CONFIG=$(cat ${CONTAINER_REGISTRY_CREDENTIALS} | \
-          crane auth login -u _json_key --password-stdin $(params.imageRegistry) 2>&1 | \
+          crane auth login -u ${CONTAINER_REGISTRY_USER} --password-stdin $(params.imageRegistry) 2>&1 | \
           sed 's,^.*logged in via \(.*\)$,\1,g')
 
         # Auth with account credentials for all regions.
         for region in ${REGIONS}
         do
           HOSTNAME=${region}.$(params.imageRegistry)
-          cat ${CONTAINER_REGISTRY_CREDENTIALS} | crane auth login -u _json_key --password-stdin ${HOSTNAME}
+          cat ${CONTAINER_REGISTRY_CREDENTIALS} | crane auth login -u ${CONTAINER_REGISTRY_USER} --password-stdin ${HOSTNAME}
         done
         cp ${DOCKER_CONFIG} /workspace/docker-config.json
 
@@ -122,18 +132,33 @@ spec:
         cp ${PROJECT_ROOT}/scripts/installer $OUTPUT_RELEASE_DIR/installer
 
         # build manifests for installer
-        kustomize build overlays/installer/read-only  --load-restrictor LoadRestrictionsNone | ko resolve --platform=$(params.platforms) --preserve-import-paths -t $(params.versionTag) -f - > $OUTPUT_RELEASE_DIR/installer-release.yaml
-        kustomize build overlays/installer/read-write --load-restrictor LoadRestrictionsNone | ko resolve --platform=$(params.platforms) --preserve-import-paths -t $(params.versionTag) -f - > $OUTPUT_RELEASE_DIR/installer-release-full.yaml
+        KO_RESOLVE_IMAGE_LABEL="--image-label=org.opencontainers.image.source=https://$(params.package)"
+        kustomize build overlays/installer/read-only  --load-restrictor LoadRestrictionsNone | ko resolve ${KO_RESOLVE_IMAGE_LABEL} --platform=$(params.platforms) ${KO_EXTRA_ARGS} -t $(params.versionTag) -f - > $OUTPUT_RELEASE_DIR/installer-release.yaml
+        kustomize build overlays/installer/read-write --load-restrictor LoadRestrictionsNone | ko resolve ${KO_RESOLVE_IMAGE_LABEL} --platform=$(params.platforms) ${KO_EXTRA_ARGS} -t $(params.versionTag) -f - > $OUTPUT_RELEASE_DIR/installer-release-full.yaml
 
         # build pre configured manifests
-        ./scripts/installer release --debug              --platform $(params.platforms) --tag $(params.versionTag) --output $OUTPUT_RELEASE_DIR/release.yaml
-        ./scripts/installer release --debug --read-write --platform $(params.platforms) --tag $(params.versionTag) --output $OUTPUT_RELEASE_DIR/release-full.yaml
-
+        ./scripts/installer build --debug              --platform $(params.platforms) --tag $(params.versionTag) --output $OUTPUT_RELEASE_DIR/release.yaml ${KO_EXTRA_ARGS}
+        ./scripts/installer build --debug --read-write --platform $(params.platforms) --tag $(params.versionTag) --output $OUTPUT_RELEASE_DIR/release-full.yaml ${KO_EXTRA_ARGS}
     - name: koparse
       image: gcr.io/tekton-releases/dogfooding/koparse:v20240923-1c3aa3eee7@sha256:ae363d70e3c2fb75e96aaeb561dcea20383c27a47f0266c8179bbb72b89c2430
       script: |
         set -ex
 
+        # Find "--preserve-import-paths" in a list of args
+        function find_preserve_import_path() {
+          for arg in $@; do
+            if [[ "$arg" == "--preserve-import-paths" ]]; then
+              return 0
+            fi
+          done
+          return 1
+        }
+        # If "--preserve-import-paths" is used, include "package" in the expected path
+        find_preserve_import_path \
+          $(echo $KO_EXTRA_ARGS) && \
+          PRESERVE_IMPORT_PATH="--preserve-path" || \
+          PRESERVE_IMPORT_PATH="--no-preserve-path"
+
         for cmd in $(params.images)
         do
           IMAGES="${IMAGES} $(params.package)/cmd/${cmd}:$(params.versionTag)"
@@ -144,7 +169,8 @@ spec:
           --path $OUTPUT_RELEASE_DIR/release.yaml \
           --base $(params.package) \
           --container-registry ${CONTAINER_REGISTRY} \
-          --images ${IMAGES} > /workspace/built_images
+          --images ${IMAGES} \
+          ${PRESERVE_IMPORT_PATH} > /workspace/built_images
 
     - name: tag-images
       image: gcr.io/go-containerregistry/crane:debug@sha256:ff0e08eeae8097d28b2381c7f7123bf542757abc68d11bff58fb882b72843785
@@ -157,8 +183,6 @@ spec:
         mkdir -p ${DOCKER_CONFIG}
         cp /workspace/docker-config.json ${DOCKER_CONFIG}/config.json
 
-        REGIONS="us eu asia"
-
         # Tag the images and put them in all the regions
         for IMAGE in $(cat /workspace/built_images)
         do

tekton/release-cheat-sheet.md

@@ -47,9 +47,11 @@ the dashboard repo, a terminal window and a text editor.
       --serviceaccount=release-right-meow \
       --param=gitRevision="${TEKTON_RELEASE_GIT_SHA}" \
       --param=serviceAccountPath=release.json \
+      --param=serviceAccountImagesPath=release.json \
       --param=versionTag="${TEKTON_VERSION}" \
       --param=releaseBucket=gs://tekton-releases/dashboard \
       --workspace name=release-secret,secret=release-secret \
+      --workspace name=release-images-secret,secret=release-secret \
       --workspace name=workarea,volumeClaimTemplateFile=workspace-template.yaml
     ```
 

tekton/release-pipeline.yaml

@@ -30,6 +30,12 @@ spec:
     - name: imageRegistryPath
       description: The path (project) in the image registry
       default: tekton-releases
+    - name: imageRegistryRegions
+      description: The target image registry regions
+      default: "us eu asia"
+    - name: imageRegistryUser
+      description: The user for the image registry credentials
+      default: "_json_key"
     - name: versionTag
       description: The X.Y.Z version that the artifacts should be tagged with
     - name: releaseBucket
@@ -41,13 +47,20 @@ spec:
     - name: platforms
       description: Platforms to publish for the images (e.g. linux/amd64,linux/arm64)
       default: linux/amd64,linux/arm,linux/arm64,linux/s390x,linux/ppc64le
+    - name: koExtraArgs
+      description: Extra args to be passed to ko
+      default: "--preserve-import-paths"
     - name: serviceAccountPath
       description: The path to the service account file within the release-secret workspace
+    - name: serviceAccountImagesPath
+      description: The path to the service account file or credentials within the release-images-secret workspace
   workspaces:
     - name: workarea
       description: The workspace where the repo will be cloned.
     - name: release-secret
-      description: The secret that contains a service account authorized to push to the imageRegistry and to the output bucket
+      description: The secret that contains a service account authorized to push to the output bucket
+    - name: release-images-secret
+      description: The secret that contains a service account authorized to push to the image registry
   results:
     - name: commit-sha
       description: the sha of the commit that was released
@@ -107,12 +120,18 @@ spec:
           value: $(params.imageRegistry)
         - name: imageRegistryPath
           value: $(params.imageRegistryPath)
+        - name: imageRegistryUser
+          value: $(params.imageRegistryUser)
+        - name: imageRegistryRegions
+          value: $(params.imageRegistryRegions)
         - name: releaseAsLatest
           value: $(params.releaseAsLatest)
         - name: serviceAccountPath
-          value: $(params.serviceAccountPath)
+          value: $(params.serviceAccountImagesPath)
         - name: platforms
           value: $(params.platforms)
+        - name: koExtraArgs
+          value: $(params.koExtraArgs)
       workspaces:
         - name: source
           workspace: workarea
@@ -121,7 +140,7 @@ spec:
           workspace: workarea
           subpath: bucket
         - name: release-secret
-          workspace: release-secret
+          workspace: release-images-secret
     - name: publish-to-bucket
       runAfter: [publish-images]
       taskRef: