feat(update-track): allow push from build and cosign with manifests (…

…PL-1056) (#238) * feat(update-track): allow push from build and cosign with manifests * fix: use BRANCH_NAME for CACHE_BRANCH_NAME * fix: add builder name to args * feat: push by default and param to enable loading to docker * feat: buildx only for update-track --------- Co-authored-by: Greg O'Grady <gregory.ogrady@voiceflow.com>
voiceflow · May 21, 2024 · 7bdd573 · 7bdd573
1 parent 334c818
commit 7bdd573
Show file tree

Hide file tree

Showing 4 changed files with 52 additions and 67 deletions.
diff --git a/src/commands/track/update_track.yml b/src/commands/track/update_track.yml
@@ -75,8 +75,8 @@ parameters:
     description: container image to run verdaccio
     type: string
     default: 168387678261.dkr.ecr.us-east-1.amazonaws.com/ci-node-build-image:v1
-  use_buildkit:
-    description: Use buildkit to build the image
+  enable_load:
+    description: Load image into local docker
     type: boolean
     default: false
   platform:
@@ -139,7 +139,7 @@ steps:
         ENABLE_CACHE_TO: "<< parameters.enable_cache_to >>"
         DOCKERFILE: "<< parameters.dockerfile >>"
         INJECT_AWS_CREDENTIALS: "<< parameters.inject_aws_credentials >>"
-        USE_BUILDKIT: "<< parameters.use_buildkit >>"
+        ENABLE_LOAD: "<< parameters.enable_load >>"
         PLATFORM: "<< parameters.platform >>"
         BUILDER_NAME: "<< parameters.builder_name >>"
       command: <<include(scripts/track/update_track.sh)>>
diff --git a/src/executors/node/build-executor.yml b/src/executors/node/build-executor.yml
@@ -5,7 +5,7 @@ parameters:
     default: medium
 working_directory: ~/voiceflow
 docker:
-  - image: 168387678261.dkr.ecr.us-east-1.amazonaws.com/ci-image:v5
+  - image: 168387678261.dkr.ecr.us-east-1.amazonaws.com/ci-image:25.0.5-dind-vf-2
     aws_auth:
       aws_access_key_id: $AWS_ACCESS_KEY_ID
       aws_secret_access_key: $AWS_SECRET_ACCESS_KEY

diff --git a/src/jobs/track/update_track.yml b/src/jobs/track/update_track.yml
@@ -79,8 +79,8 @@ parameters:
     description: container image to run verdaccio
     type: string
     default: 168387678261.dkr.ecr.us-east-1.amazonaws.com/ci-node-build-image:v1
-  use_buildkit:
-    description: Use buildkit to build the image
+  enable_load:
+    description: Load image into local docker
     type: boolean
     default: false
   platform:
@@ -116,7 +116,7 @@ steps:
       kms_key: "<< parameters.kms_key >>"
       inject_aws_credentials: "<< parameters.inject_aws_credentials >>"
       local_registry_container_image: "<< parameters.local_registry_container_image >>"
-      use_buildkit: "<< parameters.use_buildkit >>"
       platform: "<< parameters.platform >>"
       enable_dlc: "<< parameters.enable_dlc >>"
+      enable_load: "<< parameters.enable_load >>"
       builder_name: "<< parameters.builder_name >>"
diff --git a/src/scripts/track/update_track.sh b/src/scripts/track/update_track.sh
@@ -13,10 +13,10 @@ echo "LOCAL_REGISTRY: ${LOCAL_REGISTRY?}"
 echo "DOCKERFILE: ${DOCKERFILE?}"
 echo "INJECT_AWS_CREDENTIALS: ${INJECT_AWS_CREDENTIALS?}"
 echo "PLATFORM: ${PLATFORM?}"
-echo "USE_BUILDKIT: ${USE_BUILDKIT?}"
 echo "BUILDER_NAME: ${BUILDER_NAME-}"
 echo "EXTRA_BUILD_ARGS: ${EXTRA_BUILD_ARGS[*]}"
 echo "ENABLE_CACHE_TO: ${ENABLE_CACHE_TO:=0}"
+echo "ENABLE_LOAD: ${ENABLE_LOAD:=0}"
 
 # force string to array
 read -r -a EXTRA_BUILD_ARGS <<< "$EXTRA_BUILD_ARGS"
@@ -33,12 +33,10 @@ if [[ "$TRACK_EXISTS" != "true" ]]; then
     exit 0
 fi
 
-BRANCH_NAME="$CIRCLE_BRANCH"
 if [[ -z "$CIRCLE_BRANCH" && -n "$CIRCLE_TAG" ]]; then
     BRANCH_NAME="master"
-    CACHE_BRANCH_NAME="master"
 else
-    CACHE_BRANCH_NAME="${CIRCLE_BRANCH//[^[:alnum:]]/-}" # Change all non alphanumeric characters to -
+    BRANCH_NAME="${CIRCLE_BRANCH//[^[:alnum:]]/-}" # Change all non alphanumeric characters to -
 fi
 
 IMAGE_TAG="${IMAGE_TAG_OVERRIDE:-"k8s-$CIRCLE_SHA1"}"
@@ -88,32 +86,43 @@ if [[ $IMAGE_EXISTS == "false" || "$CIRCLE_BRANCH" == "master" || "$CIRCLE_BRANC
       BUILD_ARGS+=(--build-arg "${arg}")
     done
 
-    BUILD_COMMAND="build"
-    if (( USE_BUILDKIT )); then
-        # NOTE: think of this as the CircleCI DLC key
-        echo "BUILDER_NAME: ${BUILDER_NAME:=buildy-${CACHE_BRANCH_NAME-}}"
-
-        BUILDER_ARGS=(--name "${BUILDER_NAME-}")
-        docker buildx create --use --platform="$PLATFORM" \
-          "${BUILDER_ARGS[@]}"
-        docker buildx inspect --bootstrap
-        BUILD_COMMAND="buildx build --load"
-        NPM_TOKEN_SECRET=(--secret id=NPM_TOKEN)
-
-        CACHE_FROM_ARG=(--cache-from "${IMAGE_REPO-}:cache-master")
-        if [ "${CACHE_BRANCH_NAME}" != "master" ] ; then
-          CACHE_FROM_ARG+=(--cache-from "${IMAGE_REPO-}:cache-${CACHE_BRANCH_NAME-}")
-        fi
-
-        if [[ "${ENABLE_CACHE_TO-}" -eq 1  && "${CACHE_BRANCH_NAME}" == "master" ]] ; then
-          CACHE_TO_ARG=(--cache-to "mode=max,image-manifest=true,oci-mediatypes=true,type=registry,ref=${IMAGE_REPO-}:cache-${CACHE_BRANCH_NAME-}")
-        fi
-
-        BUILD_ARGS+=( "${CACHE_FROM_ARG[@]}" )
-        BUILD_ARGS+=( "${CACHE_TO_ARG[@]}" )
+    # NOTE: think of this as the CircleCI DLC key
+    echo "BUILDER_NAME: ${BUILDER_NAME:=buildy-${BRANCH_NAME-}}"
+
+    BUILDER_ARGS=(--name "${BUILDER_NAME-}")
+    docker buildx create --use --platform="$PLATFORM" \
+      "${BUILDER_ARGS[@]}"
+    docker buildx inspect --bootstrap
+
+    OUTPUT_ARGS=(--push)
+    if (( ENABLE_LOAD )); then
+      OUTPUT_ARGS+=(--load)
+    fi
+
+    NPM_TOKEN_SECRET=(--secret id=NPM_TOKEN)
+
+    CACHE_FROM_ARG=(--cache-from "${IMAGE_REPO-}:cache-master")
+    if [ "${BRANCH_NAME}" != "master" ] ; then
+      CACHE_FROM_ARG+=(--cache-from "${IMAGE_REPO-}:cache-${BRANCH_NAME-}")
+    fi
+
+    if [[ "${ENABLE_CACHE_TO-}" -eq 1  && "${BRANCH_NAME}" == "master" ]] ; then
+      CACHE_TO_ARG=(--cache-to "mode=max,image-manifest=true,oci-mediatypes=true,type=registry,ref=${IMAGE_REPO-}:cache-${BRANCH_NAME-}")
+    fi
+
+    BUILD_ARGS+=( "${CACHE_FROM_ARG[@]}" )
+    BUILD_ARGS+=( "${CACHE_TO_ARG[@]}" )
+    BUILD_ARGS+=( --builder "${BUILDER_NAME-}")
+
+    TAGS=(-t "$IMAGE_NAME")
+
+    if [[ -z "$IMAGE_TAG_OVERRIDE" ]]; then
+        TAGS+=(-t "$IMAGE_REPO:latest-$BRANCH_NAME")
+        TAGS+=(-t "$IMAGE_REPO:k8s-$BRANCH_NAME-$CIRCLE_SHA1")
     fi
 
-    docker $BUILD_COMMAND \
+    echo "BUILD_ARGS: ${BUILD_ARGS[*]} $PLATFORM"
+    docker buildx build \
         --build-arg build_BUILD_NUM="${CIRCLE_BUILD_NUM}" \
         --build-arg build_GITHUB_TOKEN="${GITHUB_TOKEN}" \
         --build-arg build_BUILD_URL="${CIRCLE_BUILD_URL}" \
@@ -124,50 +133,26 @@ if [[ $IMAGE_EXISTS == "false" || "$CIRCLE_BRANCH" == "master" || "$CIRCLE_BRANC
         "${AWS_CREDENTIALS_ARG[@]}" \
         "${NPM_TOKEN_SECRET[@]}" \
         "${BUILD_ARGS[@]}" \
+        "${OUTPUT_ARGS[@]}" \
         --platform "$PLATFORM" \
         -f "$BUILD_CONTEXT/$DOCKERFILE" \
-        -t "$IMAGE_NAME" "$BUILD_CONTEXT"
-    echo "BUILD_ARGS: ${BUILD_ARGS[*]} $PLATFORM"
-    docker push "$IMAGE_NAME"
+        "${TAGS[@]}" \
+        "$BUILD_CONTEXT"
+
+    IMAGE_DIGEST=$(crane digest "$IMAGE_NAME")
 
     # Signing Docker Image
-    cosign sign --key "$KMS_KEY" "$IMAGE_NAME"
-
-    # if a tag is set, do not push to latest-$BRANCH_NAME
-    if [[ "$IMAGE_TAG_OVERRIDE" == "" ]]; then
-        if [[ -z "$CIRCLE_BRANCH" && -n "$CIRCLE_TAG" ]]; then
-            BRANCH_NAME="master"
-        else
-            BRANCH_NAME="${CIRCLE_BRANCH//[^[:alnum:]]/-}" # Change all non alphanumeric characters to -
-        fi
-
-        docker tag "$IMAGE_NAME" "$IMAGE_REPO:latest-$BRANCH_NAME"
-        docker push "$IMAGE_REPO:latest-$BRANCH_NAME"
-
-        # Signing Docker Image
-        cosign sign --key "$KMS_KEY" "$IMAGE_REPO:latest-$BRANCH_NAME"
-
-        # To not to have untagged images
-        docker tag "$IMAGE_NAME" "$IMAGE_REPO:k8s-$BRANCH_NAME-$CIRCLE_SHA1"
-        docker push "$IMAGE_REPO:k8s-$BRANCH_NAME-$CIRCLE_SHA1"
-        cosign sign --key "$KMS_KEY" "$IMAGE_REPO:k8s-$BRANCH_NAME-$CIRCLE_SHA1"
-    fi
+    cosign sign --key "$KMS_KEY" "$IMAGE_REPO@$IMAGE_DIGEST"
 fi
 
-# Pull the image to get the sha is needed.
-# If the image has been built, the following command will not pull the image because it exists locally
-TMPFILE="$(mktemp)"
-docker pull "$IMAGE_NAME" | tee -a "$TMPFILE"
-# Get image SHA
-IMAGE_SHA=$(awk '/Digest: / {print $2}' "$TMPFILE")
+IMAGE_SHA=$(crane digest "$IMAGE_NAME")
 # Remove the sha256: string
 IMAGE_SHA="${IMAGE_SHA//sha256:/}"
-rm "$TMPFILE"
 
 # update the track
 TRACK="tracks/$COMPONENT/$CIRCLE_BRANCH"
 echo "TRACK: $TRACK"
-pip3 install yq
+
 # the file /tmp/$TRACK is downloaded in the check_track_exists step
 yq -y -i --arg tag "${IMAGE_TAG}" ".\"$COMPONENT\".image.tag=\$tag" "/tmp/$TRACK"
 yq -y -i --arg sha "${IMAGE_SHA}" ".\"$COMPONENT\".image.sha=\$sha" "/tmp/$TRACK"