PRODENG-2551 clean and fix local/release

- separate goreleaser/makefile processes for local/release build - different goreleaser files now for local/release - can now build/sign/release separately - remove make target for release, which is dangerous enough that it should never be run accidentally, and just runs a script - Jenkins podspec to separate build/sign/release - build-release now happens in a goreleaser container - sign-release now happens in the Mir digicert container Signed-off-by: James Nesbitt <[email protected]>
Mirantis · Mar 8, 2024 · 7ccc1f0 · 7ccc1f0
1 parent ce7035c
commit 7ccc1f0
Show file tree

Hide file tree

Showing 8 changed files with 152 additions and 84 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
diff --git a/.gitignore b/.gitignore
@@ -1,7 +1,16 @@
+# goreleaser build path
 dist/
+
+# Mac & VSCode files
 .idea/
 .DS_Store
 
+# any terraform state files that you may have created running tests
+# or terraform directly to test.
 .tfstate
 
+# the gh releaser, downloaded in release.sh
 github-release
+
+# go mod vendor folder
+vendor
diff --git a/.goreleaser.local.yml b/.goreleaser.local.yml
@@ -0,0 +1,15 @@
+#
+# GoRelease instructions for local builds
+#
+project_name: launchpad
+builds:
+- env:
+    - CGO_ENABLED=0
+  mod_timestamp: '{{ .CommitTimestamp }}'
+  flags:
+    - -trimpath
+  ldflags:
+    - -X github.com/Mirantis/mcc/version.Environment=development
+    - -X github.com/Mirantis/mcc/version.GitCommit={{ .FullCommit }}
+    - -X github.com/Mirantis/mcc/version.Version={{ .Version }}
+  binary: '{{ .ProjectName }}'
diff --git a/.goreleaser.build.yml → .goreleaser.release.yml b/.goreleaser.build.yml → .goreleaser.release.yml
@@ -15,16 +15,15 @@ builds:
   flags:
     - -trimpath
   ldflags:
-    - -X github.com/Mirantis/mcc/version.Environment=Production
     - -X github.com/Mirantis/mcc/version.GitCommit={{ .FullCommit }}
-    - -X github.com/Mirantis/mcc/version.Version={{ .Tag }}
+    - -X github.com/Mirantis/mcc/version.Version={{ .Version }}
   goos:
-    - freebsd
-    - windows
     - linux
     - darwin
+    - windows
+    - freebsd
   goarch:
     - amd64
     - arm64
   no_unique_dist_dir: true  
-  binary: 'artifacts/{{ .ProjectName }}_{{ .Os }}_{{ .Arch }}_{{ .Version }}'
+  binary: 'release/{{ .ProjectName }}_{{ .Os }}_{{ .Arch }}_{{ .Version }}'
diff --git a/Jenkinsfile b/Jenkinsfile
@@ -1,43 +1,95 @@
-launchpad_creds = [
-  usernamePassword(
-    usernameVariable: 'GITHUB_USERNAME',
-    passwordVariable: 'GITHUB_TOKEN',
-    credentialsId   : 'tools-github-up',
-  ),
-  usernamePassword(
-    usernameVariable: 'REGISTRY_USERNAME',
-    passwordVariable: 'REGISTRY_PASSWORD',
-    credentialsId   : 'tools-dockerhub-up',
-  ),
-  string(credentialsId: 'common-digicert--api-key--secret-text', variable: 'SM_API_KEY'),
-  file(credentialsId: 'common-digicert--auth-pkcs12--file', variable: 'SM_CLIENT_CERT_FILE'),
-  string(credentialsId: 'common-digicert--auth-pkcs12-passphrase--secret-text', variable: 'SM_CLIENT_CERT_PASSWORD'),
-]
-
 pipeline {
-  agent none
   parameters {
     string(
-        defaultValue: 'v1.5.3', 
-        name: 'TAG_NAME', 
+        name: 'TAG_NAME',
         trim: true
     )
   }
+  agent {
+    kubernetes {
+      yaml """\
+apiVersion: v1
+kind: Pod
+spec:
+  imagePullSecrets:
+  - name: regcred-registry-mirantis-com
+  containers:
+  - name: jnlp
+    image: registry.mirantis.com/prodeng/ci-workspace:stable
+    imagePullPolicy: Always
+    resources:
+      requests:
+        cpu: "0.5"
+        memory: 128Mi
+  - name: goreleaser
+    image: goreleaser/goreleaser:latest
+    imagePullPolicy: Always
+    resources:
+      limits:
+        cpu: "4"
+      requests:
+        cpu: "4"
+    command:
+    - sleep
+    args:
+    - 99d
+  - name: digicert
+    image: registry.mirantis.com/prodeng/digicert-keytools-jsign:latest
+    imagePullPolicy: Always
+    resources:
+      requests:
+        cpu: "1"
+        memory: 4Gi
+    command:
+    - sleep
+    args:
+    - 99d
+""".stripIndent()
+    }
+  }
 
   stages {
     stage('Release') {
-      agent {
-        label "linux && pod"
-      }
       steps {
-        withCredentials(launchpad_creds) {
+        container("goreleaser") {
           sh (
-            label: "Executing 'make release'",
+            label: "build clean release",
             script: """
-              make release
+              make build-release
             """
           )
         }
+        container("digicert") {
+          withCredentials([
+            string(credentialsId: 'common-digicert--api-key--secret-text', variable: 'SM_API_KEY'),
+            file(credentialsId: 'common-digicert--auth-pkcs12--file', variable: 'SM_CLIENT_CERT_FILE'),
+            string(credentialsId: 'common-digicert--auth-pkcs12-passphrase--secret-text', variable: 'SM_CLIENT_CERT_PASSWORD'),
+          ]) {
+            sh (
+              label: "signing release binaries (in digicert container)",
+              script: """
+                make SIGN=./sign sign-release
+              """
+            )
+          }
+        }
+        container("jnlp") {
+          withCredentials([
+            usernamePassword(
+              usernameVariable: 'GITHUB_USERNAME',
+              passwordVariable: 'GITHUB_TOKEN',
+              credentialsId   : 'tools-github-up',
+            ),
+          ]) {
+            sh (
+              label: "creating release",
+              script: """
+                make checksum-release
+                ./release.sh
+              """
+            )
+          }
+        }
       }
     }
   }

diff --git a/Makefile b/Makefile
@@ -1,31 +1,62 @@
-GIT_COMMIT = $(shell git rev-parse --short=7 HEAD)
-
-VOLUME_MOUNTS=-v "$(CURDIR):/v"
-SIGN?=docker run --rm -i $(VOLUME_MOUNTS) -e SM_API_KEY -e SM_CLIENT_CERT_PASSWORD -e SM_CLIENT_CERT_FILE -v "$(SM_CLIENT_CERT_FILE):$(SM_CLIENT_CERT_FILE)" -w "/v" registry.mirantis.com/prodeng/digicert-keytools-jsign:latest sign
-
 GO=$(shell which go)
 
-ARTIFACTS_FOLDER=dist/artifacts
+RELEASE_FOLDER=dist/release
 
 CHECKSUM=$(shell which sha256sum)
 CHECKSUM_FILE?=checksums.txt
 
-GOLANGCI_LINT?=docker run -t --rm -v "$(CURDIR):/data" -w "/data" golangci/golangci-lint:latest golangci-lint
+VOLUME_MOUNTS=-v "$(CURDIR):/v"
+SIGN?=docker run --rm -i $(VOLUME_MOUNTS) -e SM_API_KEY -e SM_CLIENT_CERT_PASSWORD -e SM_CLIENT_CERT_FILE -v "$(SM_CLIENT_CERT_FILE):$(SM_CLIENT_CERT_FILE)" -w "/v" registry.mirantis.com/prodeng/digicert-keytools-jsign:latest sign
 
-# "Signing Windows binaries"
-sign-win:
-	for f in `find $(ARTIFACTS_FOLDER)/*.exe`; do echo $(SIGN) "$$f"; done
+GOLANGCI_LINT?=docker run -t --rm -v "$(CURDIR):/data" -w "/data" golangci/golangci-lint:latest golangci-lint
 
+.PHONY: clean
 clean:
-	rm -f dist
+	rm -fr dist
+
+# Sign release binaries (Windows)
+# (build may need to be run in a separate make run)
+.PHONY: sign-release
+sign-release: $(RELEASE_FOLDER)
+	for f in `find $(RELEASE_FOLDER)/*.exe`; do echo $(SIGN) "$$f"; done
+
+# Force a clean build of the artifacts by first cleaning
+# and then building
+.PHONY: build-release
+build-release: clean $(RELEASE_FOLDER)
 
 # build all the binaries for release, using goreleaser, but
 # don't use any of the other features of goreleaser - because
 # we need to use digicert to sign the binaries first, and
 # goreleaser doesn't allow for that (some pro features may
 # allow it in a round about way.)
-build-release:
-	goreleaser build --clean --config=.goreleaser.build.yml
+$(RELEASE_FOLDER):
+	goreleaser build --clean --config=.goreleaser.release.yml
+
+# clean out any existing release build
+.PHONY: clean-release
+clean-release:
+	rm -fr $(RELEASE_FOLDER)
+
+# write checksum files for the release artifacts
+# (build may need to be run in a separate make run)
+.PHONY: checksumm-release
+checksum-release: $(RELEASE_FOLDER)
+	cd $(RELEASE_FOLDER) && rm -rf $(CHECKSUM_FILE) && $(CHECKSUM) * > $(CHECKSUM_FILE)
+
+# Local build of the plugin. This saves time building platforms that you
+# won't test locally. To use it, find the path to your build binary path
+# and alias it.
+.PHONY: local
+local:
+	GORELEASER_CURRENT_TAG="$(LOCAL_TAG)" goreleaser build --clean --single-target --skip=validate --snapshot --config .goreleaser.local.yml
+
+# run linting
+.PHONY: lint
+lint:
+	$(GOLANGCI_LINT) run
+
+# Testing related targets
 
 .PHONY: unit-test
 unit-test:
@@ -43,20 +74,3 @@ smoke-full:
 clean-launchpad-chart:
 	terraform -chdir=./examples/tf-aws/launchpad apply --auto-approve --destroy
 
-checksum-release: build-release
-	cd $(ARTIFACTS_FOLDER) && rm -rf $(CHECKSUM_FILE) && $(CHECKSUM) * > $(CHECKSUM_FILE)
-
-# Local build of the plugin. This saves time building platforms that you
-# won't test locally. To use it, find the path to your build binary path
-# and alias it.
-.PHONY: local
-local:
-	GORELEASER_CURRENT_TAG="$(LOCAL_TAG)" goreleaser build --clean --single-target --skip=validate --snapshot  --config .goreleaser.build.yml
-
-# run the Github release script after a buil
-release: build-release sign-win checksum-release
-	./release.sh
-
-.PHONY: lint
-lint:
-	$(GOLANGCI_LINT) run
diff --git a/release.sh b/release.sh
@@ -6,7 +6,7 @@ if [ -z "${TAG_NAME}" ]; then
   exit 1
 fi
 
-artifact_path="dist/artifacts"
+artifact_path="dist/release"
 artifacts=$(find ${artifact_path}/* -exec basename {} \;)
 echo "Releasing with:"
 for artifact in ${artifacts}; do echo "- ${artifact}"; done
@@ -44,7 +44,7 @@ do
     --file "${artifact_path}/${artifact}"
 done
 
-if [ -z "$releaseopt"]; then
+if [ -z "$releaseopt" ]; then
   echo "Creating release named ${TAG_NAME} in Launchpad repo"
 
   # Release to the public repo

diff --git a/version/version.go b/version/version.go
@@ -20,7 +20,7 @@ var (
 	// GitCommit is set during the build.
 	GitCommit = "HEAD"
 	// Environment of the product, is set during the build.
-	Environment = "development"
+	Environment = "production"
 
 	// GitHubRepo for the upgrade check.
 	GitHubRepo = "Mirantis/launchpad"