running cmrel does not require to be in the release repo folder anymore

The flag --cloudbuild was thus removed.

Signed-off-by: Maël Valais <[email protected]>

cmd/cmrel/cmd/publish.go

@@ -28,6 +28,8 @@ import (
 
 	"github.com/cert-manager/release/pkg/gcb"
 	"github.com/cert-manager/release/pkg/release"
+
+	_ "embed"
 )
 
 const (
@@ -53,9 +55,6 @@ type publishOptions struct {
 	// Name of the staged release to publish
 	ReleaseName string
 
-	// The path to the cloudbuild.yaml file used to perform the cert-manager crossbuild
-	CloudBuildFile string
-
 	// Project to run the GCB job in
 	Project string
 
@@ -98,8 +97,6 @@ type publishOptions struct {
 func (o *publishOptions) AddFlags(fs *flag.FlagSet, markRequired func(string)) {
 	fs.StringVar(&o.Bucket, "bucket", release.DefaultBucketName, "The name of the GCS bucket to publish the release to.")
 	fs.StringVar(&o.ReleaseName, "release-name", "", "Name of the staged release to publish.")
-	fs.StringVar(&o.CloudBuildFile, "cloudbuild", "./gcb/publish/cloudbuild.yaml", "The path to the cloudbuild.yaml file used to publish the release. "+
-		"The default value assumes that this tool is run from the root of the release repository.")
 	fs.StringVar(&o.Project, "project", release.DefaultReleaseProject, "The GCP project to run the GCB build jobs in.")
 	fs.BoolVar(&o.NoMock, "nomock", false, "Whether to actually publish the release. If false, the command will exit after preparing the release for pushing.")
 	fs.StringVar(&o.PublishedImageRepository, "published-image-repo", release.DefaultImageRepository, "The docker image repository to push the release images & manifest lists to.")
@@ -145,7 +142,10 @@ func publishCmd(rootOpts *rootOptions) *cobra.Command {
 	return cmd
 }
 
-func runPublish(rootOpts *rootOptions, o *publishOptions) error {
+//go:embed publish_cloudbuild.yaml
+var cloudbuildPublish []byte
+
+func runPublish(_ *rootOptions, o *publishOptions) error {
 	ctx := context.Background()
 	gcs, err := storage.NewClient(ctx)
 	if err != nil {
@@ -159,8 +159,7 @@ func runPublish(rootOpts *rootOptions, o *publishOptions) error {
 	}
 	log.Printf("Release with version %q (%s) will be published", rel.Metadata().ReleaseVersion, rel.Metadata().GitCommitRef)
 
-	log.Printf("DEBUG: Loading cloudbuild.yaml file from %q", o.CloudBuildFile)
-	build, err := gcb.LoadBuild(o.CloudBuildFile)
+	build, err := gcb.LoadCloudBuild(cloudbuildPublish)
 	if err != nil {
 		return fmt.Errorf("error loading cloudbuild.yaml file: %w", err)
 	}

cmd/cmrel/cmd/publish_cloudbuild.yaml

@@ -0,0 +1,85 @@
+timeout: 14400s
+
+#### SECURITY NOTICE ####
+# Google Cloud Build (GCB) supports the usage of secrets for build requests.
+# Secrets appear within GCB configs as base64-encoded strings.
+# These secrets are GCP Cloud KMS-encrypted and cannot be decrypted by any human or system
+# outside of GCP Cloud KMS for the GCP project this encrypted resource was created for.
+# Seeing the base64-encoded encrypted blob here is not a security event for the project.
+#
+# More details on using encrypted resources on Google Cloud Build can be found here:
+# https://cloud.google.com/cloud-build/docs/securing-builds/use-encrypted-secrets-credentials
+#
+# (Please do not remove this security notice.)
+secrets:
+- kmsKeyName: projects/cert-manager-release/locations/europe-west1/keyRings/cert-manager-release/cryptoKeys/cert-manager-release-secret-key
+  secretEnv:
+    GITHUB_TOKEN: CiQAPjqeE0LnlyMJdmLr+laf8RxSKjw/BOv8yiTzdi/RjN9IWh4SUQBQ4fbHZMFt3QlDxBvdU81a6r5LXT0pTTXWOuHQbctSsjc2BZCMROgI2wdRCEyTgj5XJ1YQS0kXaEfIucZrhUlMKsJPXt4ZaZkKtxv4RNPpQg==
+    DOCKER_CONFIG: CiQAPjqeEyZx+aSgFNoW7KQ4wE4hp/9vbWElifjHJNTI0/71ywMSkwIAUOH2xwTfrn72i6p+Op2PYnjDfwMBcInMEtgKAqiTsaup3R5HeL8BsZGuWxVhCEm5CJJ0Rg3CPdFUx2IVmCfC3j32LkAiMxMpszdHTjWHEyWmxwtBlTJW8NFmoYzxfN4Ox9rYFF66eZ0XVdLz1UejXpqAkGFVzTzQSu4rvNFnAsP5Sj7ZKJpXn+p0ZZW1IdMTD0xzCwZjW9hhcTjyNaCKDJYwl8j6Y/bYeoUMrzDQNk48fzKIBgxEdUTR2OOAI785GWSrkB4Y03oEyrfw8jTd1yAoil2S6p3AGV1FbvFleajSCy3Ov+5gjomjtqCbTx06hVsTcqLHC45WzAWPa/8TsiXh5PPgBbkg+pfBQUTj6i9+WA==
+
+steps:
+
+## Clone & checkout the cert-manager release repository
+- name: gcr.io/cloud-builders/go:alpine-1.16
+  dir: "go/src/github.com/cert-manager/release"
+  entrypoint: sh
+  args:
+  - -c
+  - |
+    set -e
+    git clone "${_RELEASE_REPO_URL}" . && git checkout "${_RELEASE_REPO_REF}"
+    CGO_ENABLED=0 go build -o /workspace/go/bin/cmrel ./cmd/cmrel
+
+## Write DOCKER_CONFIG file to $HOME/.docker/config.json
+- name: gcr.io/cloud-builders/docker:19.03.8
+  entrypoint: bash
+  secretEnv:
+  - DOCKER_CONFIG
+  args:
+  - -c
+  - |
+    mkdir -p $$HOME/.docker
+    echo "$${DOCKER_CONFIG}" > $$HOME/.docker/config.json
+
+## Build and push the release artifacts
+- name: gcr.io/cloud-builders/docker:19.03.8
+  dir: "go/src/github.com/jetstack/cert-manager"
+  entrypoint: /workspace/go/bin/cmrel
+  secretEnv:
+  - GITHUB_TOKEN
+  args:
+  - gcb
+  - publish
+  - --bucket=${_RELEASE_BUCKET}
+  - --release-name=${_RELEASE_NAME}
+  - --nomock=${_NO_MOCK}
+  - --published-github-org=${_PUBLISHED_GITHUB_ORG}
+  - --published-github-repo=${_PUBLISHED_GITHUB_REPO}
+  - --published-helm-chart-github-owner=${_PUBLISHED_HELM_CHART_GITHUB_OWNER}
+  - --published-helm-chart-github-repo=${_PUBLISHED_HELM_CHART_GITHUB_REPO}
+  - --published-helm-chart-github-branch=${_PUBLISHED_HELM_CHART_GITHUB_BRANCH}
+  - --published-image-repo=${_PUBLISHED_IMAGE_REPO}
+
+tags:
+- "cert-manager-release-publish"
+- "name-${_TAG_RELEASE_NAME}"
+
+# Use the --substitutions=_OS=linux,_ARCH=arm64 flag to gcloud build submit to
+# override these values
+substitutions:
+  ## Required parameters
+  _RELEASE_NAME: ""
+  ## Optional/defaulted parameters
+  _RELEASE_BUCKET: ""
+  ## Options controlling the version of the release tooling used in the build.
+  _RELEASE_REPO_URL: https://github.com/cert-manager/release.git
+  _RELEASE_REPO_REF: "master"
+  _NO_MOCK: "false"
+  _PUBLISHED_GITHUB_ORG: ""
+  _PUBLISHED_GITHUB_REPO: ""
+  _PUBLISHED_HELM_CHART_GITHUB_OWNER: ""
+  _PUBLISHED_HELM_CHART_GITHUB_REPO: ""
+  _PUBLISHED_HELM_CHART_GITHUB_BRANCH: ""
+  _PUBLISHED_IMAGE_REPO: ""
+  ## Used as a tag to identify the build more easily later
+  _TAG_RELEASE_NAME: ""

cmd/cmrel/cmd/stage.go

@@ -27,6 +27,8 @@ import (
 
 	"github.com/cert-manager/release/pkg/gcb"
 	"github.com/cert-manager/release/pkg/release"
+
+	_ "embed"
 )
 
 const (
@@ -67,9 +69,6 @@ type stageOptions struct {
 	// Optional commit ref of cert-manager that should be staged
 	GitRef string
 
-	// The path to the cloudbuild.yaml file used to perform the cert-manager crossbuild
-	CloudBuildFile string
-
 	// Project is the name of the GCP project to run the GCB job in
 	Project string
 
@@ -92,8 +91,6 @@ func (o *stageOptions) AddFlags(fs *flag.FlagSet, markRequired func(string)) {
 	fs.StringVar(&o.Repo, "repo", "cert-manager", "Name of the GitHub repo to fetch cert-manager sources from.")
 	fs.StringVar(&o.Branch, "branch", "master", "The git branch to build the release from. If --git-ref is not specified, the HEAD of this branch will be looked up on GitHub.")
 	fs.StringVar(&o.GitRef, "git-ref", "", "The git commit ref of cert-manager that should be staged.")
-	fs.StringVar(&o.CloudBuildFile, "cloudbuild", "./gcb/stage/cloudbuild.yaml", "The path to the cloudbuild.yaml file used to perform the cert-manager crossbuild. "+
-		"The default value assumes that this tool is run from the root of the release repository.")
 	fs.StringVar(&o.Project, "project", release.DefaultReleaseProject, "The GCP project to run the GCB build jobs in.")
 	fs.StringVar(&o.ReleaseVersion, "release-version", "", "Optional release version override used to force the version strings used during the release to a specific value. If not set, build is treated as development build and artifacts staged to 'devel' path.")
 	fs.StringVar(&o.PublishedImageRepository, "published-image-repo", release.DefaultImageRepository, "The docker image repository set when building the release.")
@@ -107,7 +104,6 @@ func (o *stageOptions) print() {
 	log.Printf("  Repo: %q", o.Repo)
 	log.Printf("  Branch: %q", o.Branch)
 	log.Printf("  GitRef: %q", o.GitRef)
-	log.Printf("  CloudBuildFile: %q", o.CloudBuildFile)
 	log.Printf("  Project: %q", o.Project)
 	log.Printf("  ReleaseVersion: %q", o.ReleaseVersion)
 	log.Printf("  PublishedImageRepo: %q", o.PublishedImageRepository)
@@ -133,7 +129,10 @@ func stageCmd(rootOpts *rootOptions) *cobra.Command {
 	return cmd
 }
 
-func runStage(rootOpts *rootOptions, o *stageOptions) error {
+//go:embed stage_cloudbuild.yaml
+var cloudbuildStage []byte
+
+func runStage(_ *rootOptions, o *stageOptions) error {
 	if o.GitRef == "" {
 		log.Printf("git-ref flag not specified, looking up git commit ref for %s/%s@%s", o.Org, o.Repo, o.Branch)
 		ref, err := release.LookupBranchRef(o.Org, o.Repo, o.Branch)
@@ -144,8 +143,7 @@ func runStage(rootOpts *rootOptions, o *stageOptions) error {
 	}
 	log.Printf("Staging build for %s/%s@%s", o.Org, o.Repo, o.GitRef)
 
-	log.Printf("DEBUG: Loading cloudbuild.yaml file from %q", o.CloudBuildFile)
-	build, err := gcb.LoadBuild(o.CloudBuildFile)
+	build, err := gcb.LoadCloudBuild(cloudbuildStage)
 	if err != nil {
 		return fmt.Errorf("error loading cloudbuild.yaml file: %w", err)
 	}

cmd/cmrel/cmd/stage_cloudbuild.yaml

@@ -0,0 +1,62 @@
+timeout: 14400s
+
+steps:
+
+## Clone & checkout the cert-manager repository
+- name: gcr.io/cloud-builders/git
+  dir: "go/src/github.com/jetstack/cert-manager"
+  entrypoint: bash
+  args:
+  - -c
+  - |
+    set -e
+    git clone "${_CM_REPO}" . && git checkout "${_CM_REF}"
+
+## Clone & checkout the cert-manager release repository
+- name: gcr.io/cloud-builders/go:alpine-1.16
+  dir: "go/src/github.com/cert-manager/release"
+  entrypoint: sh
+  args:
+  - -c
+  - |
+    set -e
+    git clone "${_RELEASE_REPO_URL}" . && git checkout "${_RELEASE_REPO_REF}"
+    CGO_ENABLED=0 go build -o /workspace/go/bin/cmrel ./cmd/cmrel
+
+## Build and push the release artifacts
+- name: 'l.gcr.io/google/bazel:${_BAZEL_VERSION}'
+  dir: "go/src/github.com/jetstack/cert-manager"
+  entrypoint: /workspace/go/bin/cmrel
+  args:
+  - gcb
+  - stage
+  - --repo-path=.
+  - --release-version=${_RELEASE_VERSION}
+  - --published-image-repo=${_PUBLISHED_IMAGE_REPO}
+  - --bucket=${_RELEASE_BUCKET}
+
+tags:
+- "cert-manager-release-stage"
+- "bazel-${_BAZEL_VERSION}"
+- "ref-${_CM_REF}"
+- "branch-${_TAG_RELEASE_BRANCH}"
+
+# Use the --substitutions=_OS=linux,_ARCH=arm64 flag to gcloud build submit to
+# override these values
+substitutions:
+  ## Required parameters
+  _CM_REF: ""
+  ## Optional/defaulted parameters
+  _CM_REPO: https://github.com/jetstack/cert-manager.git
+  _RELEASE_VERSION: ""
+  _RELEASE_BUCKET: ""
+  _PUBLISHED_IMAGE_REPO: quay.io/jetstack
+  _BAZEL_VERSION: "3.5.0"
+  ## Options controlling the version of the release tooling used in the build.
+  _RELEASE_REPO_URL: https://github.com/cert-manager/release.git
+  _RELEASE_REPO_REF: "master"
+  ## Used as a tag to identify the build more easily later
+  _TAG_RELEASE_BRANCH: ""
+
+options:
+  machineType: n1-highcpu-32

pkg/gcb/gcb.go

@@ -20,7 +20,6 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
-	"io/ioutil"
 	"log"
 	"time"
 
@@ -34,16 +33,11 @@ const (
 	Failure = "FAILURE"
 )
 
-// LoadBuild will decode a cloudbuild.yaml file into a cloudbuild.Build
-// structure and return it.
-func LoadBuild(filename string) (*cloudbuild.Build, error) {
-	f, err := ioutil.ReadFile(filename)
-	if err != nil {
-		return nil, err
-	}
-
+// LoadCloudBuild will decode the content of a cloudbuild.yaml file into a
+// cloudbuild.Build structure and return it.
+func LoadCloudBuild(cloudbuildRaw []byte) (*cloudbuild.Build, error) {
 	cb := cloudbuild.Build{}
-	if err := yaml.UnmarshalStrict(f, &cb); err != nil {
+	if err := yaml.UnmarshalStrict(cloudbuildRaw, &cb); err != nil {
 		return nil, err
 	}
 
@@ -59,10 +53,9 @@ func SubmitBuild(svc *cloudbuild.Service, projectID string, build *cloudbuild.Bu
 		return nil, err
 	}
 
-	log.Printf("DEBUG: decoding build operation metadata")
 	metadata := &cloudbuild.BuildOperationMetadata{}
 	if err := json.Unmarshal(op.Metadata, metadata); err != nil {
-		return nil, err
+		return nil, fmt.Errorf("while decoding build operation metadata: %v", err)
 	}
 
 	return metadata.Build, nil