Merge pull request #6 from Conjur-Enterprise/use-release-stage

CNJR-5578: Use internal registry for pre-releases

Author: szh

.gitignore

@@ -1,2 +1,4 @@
 .bundle/
 rspec_junit.xml
+# Temporary directory to store the CyberArk proxy CA certificate
+build_ca_certificate/

CHANGELOG.md

@@ -6,6 +6,10 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ## [Unreleased]
 
+## [1.3.3] - 2024-11-08
+### Changed
+- Decrease Docker image size by using ruby:3-alpine base image (CNJR-5578)
+
 ## [1.3.2] - 2024-11-05
 ### Changed
 - Use internal auto release process (CNJR-5578)

Dockerfile

@@ -1,4 +1,7 @@
-FROM ruby:3
+FROM ruby:3-alpine
+
+# We use git in the Gemspec file
+RUN apk update && apk add --no-cache git
 
 RUN gem install bundler --no-document
 

Jenkinsfile

@@ -17,7 +17,12 @@ if (params.MODE == "PROMOTE") {
     // Any publishing of targetVersion artifacts occur here
     // Anything added to assetDirectory will be attached to the Github Release
 
-    infrapool.agentSh "./publish.sh v${targetVersion}"
+    // Pull existing images from internal registry in order to promote
+    infrapool.agentSh """
+      docker pull registry.tld/parse-a-changelog:${sourceVersion}
+      # Promote source version to target version.
+      ./publish.sh --promote --source ${sourceVersion} --target ${targetVersion}
+    """
 
     // Ensure the working directory is a safe git directory for the subsequent
     // promotion operations after this block.
@@ -121,6 +126,15 @@ pipeline {
       }
     }
 
+    // Allows for the promotion of images.
+    stage('Push images to internal registry') {
+      steps {
+        script {
+          infrapool.agentSh './publish.sh --internal'
+        }
+      }
+    }
+
     stage('Release') {
       when {
         expression {
@@ -144,6 +158,7 @@ pipeline {
                 If your assets are in target on the main Jenkins agent, use:
                   infrapool.agentPut(from: 'target/', to: assetDirectory)
             */
+            infrapool.agentSh './publish.sh --edge'
           }
         }
       }

build.sh

@@ -2,4 +2,22 @@
 
 set -eux
 
-docker build . --tag parse-a-changelog
+. build_utils.sh
+
+VERSION=unreleased
+# Version derived from CHANGELOG and automated release library
+[ -f VERSION ] && VERSION=$(<VERSION)
+FULL_VERSION_TAG="$VERSION-$(git_tag)"
+
+function main() {
+  retrieve_cyberark_ca_cert
+  build_docker_image
+}
+
+function build_docker_image() {
+  docker build . \
+    --tag parse-a-changelog:latest \
+    --tag "parse-a-changelog:${FULL_VERSION_TAG}"
+}
+
+main

build_utils.sh

@@ -0,0 +1,59 @@
+#!/bin/bash
+
+set -euo pipefail
+
+####
+# Functions to generate version numbers for this project
+####
+
+git_tag() {
+  git rev-parse --short HEAD
+}
+
+# generate less specific versions, eg. given 1.2.3 will print 1.2 and 1
+# (note: the argument itself is not printed, append it explicitly if needed)
+gen_versions() {
+  local version=$1
+  while [[ $version = *.* ]]; do
+    version=${version%.*}
+    echo $version
+  done
+}
+
+function tag_and_push() {
+  local source="$1"
+  shift
+  local target="$1"
+  shift
+
+  docker tag "${source}" "${target}"
+  docker push "${target}"
+}
+
+function retrieve_cyberark_ca_cert() {
+  # On CyberArk dev laptops, golang module dependencies are downloaded with a
+  # corporate proxy in the middle. For these connections to succeed we need to
+  # configure the proxy CA certificate in build containers.
+  #
+  # To allow this script to also work on non-CyberArk laptops where the CA
+  # certificate is not available, we update container certificates based on
+  # a (potentially empty) certificate directory, rather than relying on the
+  # CA file itself.
+  mkdir -p "$(repo_root)/build_ca_certificate"
+
+  # Only attempt to extract the certificate if the security
+  # command is available.
+  #
+  # The certificate file must have the .crt extension to be imported
+  # by `update-ca-certificates`.
+  if command -v security &> /dev/null
+  then
+    security find-certificate \
+      -a -c "CyberArk Root CA" \
+      -p > build_ca_certificate/cyberark_root.crt
+  fi
+}
+
+repo_root() {
+  git rev-parse --show-toplevel
+}

publish.sh

@@ -2,24 +2,126 @@
 
 set -e
 
-# This script will publish to rubygems and dockerhub
+# The following is used to:
+# Publish images on pre-release and tag as edge
+# Promote pre-releases to releases and tag as latest
 
-# Clone the release-tools repository if it doesn't exist
-if [ ! -d release-tools ]; then
-  git clone git@github.com:conjurinc/release-tools.git
+. build_utils.sh
+
+function print_help() {
+  echo "Build Usage: $0 --internal"
+  echo "Release Usage: $0 --edge"
+  echo "Promote Usage: $0 --promote --source <VERSION> --target <VERSION>"
+  echo " --internal: publish images to registry.tld"
+  echo " --edge: publish docker images to docker hub"
+  echo " --source <VERSION>: specify version number of local image"
+  echo " --target <VERSION>: specify version number of remote image"
+}
+
+# Fail if no arguments are given.
+if [[ $# -lt 1 ]]; then
+  print_help
+  exit 1
 fi
 
-export PATH=$PWD/release-tools/bin/:$PATH
+PUBLISH_INTERNAL=false
+PUBLISH_EDGE=false
+PROMOTE=false
 
-# Build and publish rubygem
-summon --yaml "RUBYGEMS_API_KEY: !var rubygems/api-key" \
-  publish-rubygem parse_a_changelog
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+  --internal)
+    PUBLISH_INTERNAL=true
+    ;;
+  --edge)
+    PUBLISH_EDGE=true
+    ;;
+  --promote)
+    PROMOTE=true
+    ;;
+  --source)
+    SOURCE_ARG="$2"
+    shift
+    ;;
+  --target)
+    TARGET_ARG="$2"
+    shift
+    ;;
+  --help)
+    print_help
+    exit 1
+    ;;
+  *)
+    echo "Unknown option: ${1}"
+    print_help
+    exit 1
+    ;;
+  esac
+  shift
+done
 
-# Publish to Docker Hub
-TAG_NAME=$1
-DOCKERHUB_IMAGE="cyberark/parse-a-changelog"
-docker tag parse-a-changelog "${DOCKERHUB_IMAGE}:latest"
-docker tag parse-a-changelog "${DOCKERHUB_IMAGE}:${TAG_NAME}"
+readonly IMAGE_NAME="parse-a-changelog"
+readonly REGISTRY='cyberark'
+readonly LOCAL_REGISTRY='registry.tld'
+# Version derived from CHANGLEOG and automated release library
+VERSION=$(<VERSION)
+readonly VERSION
+FULL_VERSION_TAG="$VERSION-$(git_tag)"
+readonly FULL_VERSION_TAG
 
-docker push "${DOCKERHUB_IMAGE}:latest"
-docker push "${DOCKERHUB_IMAGE}:${TAG_NAME}"
+if [[ ${PUBLISH_INTERNAL} = true ]]; then
+  echo "Publishing built images internally to registry.tld."
+  SOURCE_TAG=$FULL_VERSION_TAG
+  REMOTE_TAG=$VERSION
+
+  tag_and_push "${IMAGE_NAME}:${SOURCE_TAG}" "${LOCAL_REGISTRY}/${IMAGE_NAME}:${REMOTE_TAG}"
+fi
+
+if [[ ${PUBLISH_EDGE} = true ]]; then
+  echo "Performing edge release."
+  SOURCE_TAG=$FULL_VERSION_TAG
+  REMOTE_TAG=edge
+  readonly TAGS=(
+    "$VERSION"
+    "$REMOTE_TAG"
+  )
+
+  for tag in "${TAGS[@]}"; do
+    tag_and_push "$IMAGE_NAME:$SOURCE_TAG" "$REGISTRY/$IMAGE_NAME:$tag"
+  done
+fi
+
+if [[ ${PROMOTE} = true ]]; then
+  if [[ -z ${SOURCE_ARG:-} || -z ${TARGET_ARG:-} ]]; then
+    echo "When promoting, --source and --target flags are required."
+    print_help
+    exit 1
+  fi
+
+  # First publish the RubyGem
+  echo "Publishing RubyGem"
+  # Clone the release-tools repository if it doesn't exist
+  if [ ! -d release-tools ]; then
+    git clone git@github.com:conjurinc/release-tools.git
+  fi
+  export PATH=$PWD/release-tools/bin/:$PATH
+  # Build and publish rubygem
+  summon --yaml "RUBYGEMS_API_KEY: !var rubygems/api-key" \
+    publish-rubygem parse_a_changelog
+
+  # Update vars to utilize build_utils
+  SOURCE_TAG=$SOURCE_ARG
+  REMOTE_TAG=$TARGET_ARG
+
+  echo "Promoting image to $REMOTE_TAG"
+  readonly TAGS=(
+    "$REMOTE_TAG"
+    "latest"
+  )
+
+  # Publish images to docker hub
+  for tag in "${TAGS[@]}" $(gen_versions "$REMOTE_TAG"); do
+    echo "Tagging and pushing $REGISTRY/$IMAGE_NAME:$tag"
+    tag_and_push "${LOCAL_REGISTRY}/$IMAGE_NAME:$SOURCE_TAG" "$REGISTRY/$IMAGE_NAME:$tag"
+  done
+fi