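#!/usr/bin/env bash
#
# Copyright (c) 2021, 2022, Oracle and/or its affiliates.
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
#

# push_to_ocir.sh
#
# Push the image tar files produced by this CI run into OCIR so they get scanned, then record the
# verrazzano-bom.json that was pushed in object storage so later runs (and the scan-result polling)
# know which images are the latest ones pushed.
#
# Normally master and release-* branches are the only ones doing this, but there are other cases we also need to handle
# 1) we need to test out periodic pipeline changes
# 2) When new images are added to the BOM, folks need to be able to run registry tests and push to OCIR
#
# This script must only be called from Jenkins. Required environment (all must be non-empty):
#   JENKINS_URL, WORKSPACE, OCI_OS_NAMESPACE, OCI_OS_BUCKET, OCIR_SCAN_REGISTRY,
#   OCIR_SCAN_REPOSITORY_PATH, OCIR_SCAN_COMPARTMENT, OCIR_SCAN_TARGET, CLEAN_BRANCH_NAME,
#   IS_PERIODIC_PIPELINE, VERRAZZANO_IMAGES_DIRECTORY
#
# This assumes that the docker login has happened, and that the OCI CLI has access as well with default profile
# (object storage calls authenticate as the agent's instance principal; no credentials are read by this script).

# Exit when any command fails, when an unset variable is expanded, or when any stage of a pipeline fails
set -euo pipefail

SCRIPT_DIR=$(cd "$(dirname "$0")" && pwd -P)
readonly SCRIPT_DIR
readonly TOOL_SCRIPT_DIR=${SCRIPT_DIR}/../../tools/scripts
readonly TEST_SCRIPT_DIR=${SCRIPT_DIR}/../../tests/e2e/config/scripts

# Regions are fixed by the pipeline: repositories are created in Ashburn, the BOM marker object lives in Phoenix
readonly OCIR_REPO_REGION=us-ashburn-1
readonly OS_BUCKET_REGION=us-phoenix-1

# Name of the marker file (in the workspace and in object storage) recording the last BOM pushed to OCIR
readonly LAST_PUSHED_BOM_NAME=last-ocir-pushed-verrazzano-bom.json

# Validate the Jenkins-provided environment up front and name every missing variable, rather than
# failing part-way through with an unhelpful error from docker or the OCI CLI.
required_vars=(
  JENKINS_URL WORKSPACE OCI_OS_NAMESPACE OCI_OS_BUCKET OCIR_SCAN_REGISTRY
  OCIR_SCAN_REPOSITORY_PATH OCIR_SCAN_COMPARTMENT OCIR_SCAN_TARGET CLEAN_BRANCH_NAME
  IS_PERIODIC_PIPELINE VERRAZZANO_IMAGES_DIRECTORY
)
missing_vars=()
for name in "${required_vars[@]}"; do
  # ${!name:-} reads the variable whose name is in $name without tripping set -u when it is unset
  [[ -n "${!name:-}" ]] || missing_vars+=("$name")
done
if (( ${#missing_vars[@]} > 0 )); then
  echo "This script must only be called from Jenkins and requires a number of environment variables are set" >&2
  echo "ERROR: push_to_ocir: missing or empty: ${missing_vars[*]}" >&2
  exit 1
fi
echo "INFO: push_to_ocir: basic environment provided"

# We should have image tar files created already in $VERRAZZANO_IMAGES_DIRECTORY
if [[ ! -d "${VERRAZZANO_IMAGES_DIRECTORY}" ]]; then
  echo "No tar files were found to push into OCIR" >&2
  exit 1
fi
echo "INFO: push_to_ocir: tar files found to push:"
ls -- "${VERRAZZANO_IMAGES_DIRECTORY}"

readonly BOM_FILE=${WORKSPACE}/verrazzano-bom.json

if [[ ! -f "${BOM_FILE}" ]]; then
  echo "There is no verrazzano-bom.json from this run, so we can't push anything to OCIR" >&2
  exit 1
fi
echo "INFO: push_to_ocir: BOM file found"

# Periodic runs happen much more frequently than master promotions do, so we only conditionally do pushes to OCIR
# Note that not all runs that call this are periodic runs now.

# If we have a previous last-ocir-pushed-verrazzano-bom.json, then see if it matches the verrazzano-bom.json used
# to test with in this run. If they match, then we have already pushed the images for this verrazzano-bom.json
# into OCIR for this branches periodic runs and we do not need to do that again.
# If they don't match, or if we didn't have one to compare, then we will proceed to push them to OCIR
last_pushed_bom=${WORKSPACE}/${LAST_PUSHED_BOM_NAME}
if [[ -f "${last_pushed_bom}" ]]; then
  # diff runs as the if-condition, so set -e does not abort on a mismatch; any non-zero status
  # (files differ, or diff itself failed) is treated as "not identical" and we push again
  if diff -- "${last_pushed_bom}" "${BOM_FILE}" > /dev/null; then
    echo "OCIR images for this verrazzano-bom.json have already been pushed to OCIR for scanning in a previous periodic run, skipping this step"
    exit 0
  fi
  echo "INFO: push_to_ocir: previous BOM file found and had differences, proceeding to push "
else
  echo "INFO: push_to_ocir: no previous BOM file found to compare, proceeding to push"
fi

# We provide a single OCIR_SCAN_REPOSITORY_PATH as input, however the OCI CLI and the docker CLI requirements
# differ in terms of what needs to be included in the path. For the OCI CLI usages we need to trim the tenancy
# namespace from the path.
# ${var#*/} strips everything up to and including the first '/', which is what `cut -d / -f2-` did;
# like cut, it leaves a value with no '/' unchanged.
readonly TRIMMED_REPOSITORY_PATH=${OCIR_SCAN_REPOSITORY_PATH#*/}

# We call the create repositories script, supplying the existing target information. If repositories are not
# targeted they will be created and targeted. If they are already targeted the script will skip trying to create them
# or updating the target. This is done to catch new images that get added in over time.
echo "INFO: push_to_ocir: call create_ocir_repositories"
sh "${TEST_SCRIPT_DIR}/create_ocir_repositories.sh" \
  -p "${TRIMMED_REPOSITORY_PATH}" \
  -r "${OCIR_REPO_REGION}" \
  -c "${OCIR_SCAN_COMPARTMENT}" \
  -t "${OCIR_SCAN_TARGET}" \
  -d "${VERRAZZANO_IMAGES_DIRECTORY}"

# Push the images. NOTE: If a new image was added before we do the above "ensure" step, this may have the side
# effect of pushing that image to the root compartment rather than the desired sub-compartment (OCIR behaviour),
# and that new image will not be getting scanned until that is rectified (manually)
echo "INFO: push_to_ocir: call vz-registry-image-helper"
sh "${TOOL_SCRIPT_DIR}/vz-registry-image-helper.sh" \
  -t "${OCIR_SCAN_REGISTRY}" \
  -r "${OCIR_SCAN_REPOSITORY_PATH}" \
  -l "${VERRAZZANO_IMAGES_DIRECTORY}" \
  -b "${BOM_FILE}"

#######################################
# Upload the current BOM file to object storage under the given object name.
# Globals:   OS_BUCKET_REGION, OCI_OS_NAMESPACE, OCI_OS_BUCKET, BOM_FILE (read)
# Arguments: $1 - object name (path inside the bucket)
# Outputs:   OCI CLI output on stdout
# Returns:   exit status of the oci CLI (non-zero aborts the script under set -e)
#######################################
put_bom_to_object_storage() {
  local object_name=$1
  oci --auth instance_principal --region "${OS_BUCKET_REGION}" os object put --force \
    --namespace "${OCI_OS_NAMESPACE}" -bn "${OCI_OS_BUCKET}" \
    --name "${object_name}" --file "${BOM_FILE}"
}

# Finally push the current verrazzano-bom.json up as the last-ocir-pushed-verrazzano-bom.json so we know those were the latest images
# pushed up. This is used above for avoiding pushing things multiple times for no reason, and also is used when polling for
# results to know which images were last pushed (which results are the latest)

# NOTE: The normal workflow for master and release-* branches is NOT to do this. Those branches are getting OCIR pushes
# happening from the periodic tests normally. This is mainly to allow folks to push images from their branches to OCIR.
# So we need to understand if this is periodic or not, and also be careful to handle master/release branches accordingly here
echo "INFO: Pushing verrazzano-bom.json to object storage"
if [[ "${IS_PERIODIC_PIPELINE}" == "true" ]]; then
  echo "INFO: Pushing verrazzano-bom.json to object storage for periodic pipeline. Scan results will show up under latest for ${CLEAN_BRANCH_NAME}"
  put_bom_to_object_storage "${CLEAN_BRANCH_NAME}-last-clean-periodic-test/${LAST_PUSHED_BOM_NAME}"
elif [[ "${CLEAN_BRANCH_NAME}" == "master" || "${CLEAN_BRANCH_NAME}" == release-* ]]; then
  echo "INFO: Pushing verrazzano-bom.json to object storage for non-periodic pipeline for master or release, Scan results are not normally tracked, these are stored under ${CLEAN_BRANCH_NAME}-last-snapshot/last-ocir-pushed-verrazzano-bom.json"
  put_bom_to_object_storage "${CLEAN_BRANCH_NAME}-last-snapshot/${LAST_PUSHED_BOM_NAME}"
else
  echo "INFO: Pushing verrazzano-bom.json to object storage for non-periodic pipeline, Scan results are NOT automatically tracked from this"
  put_bom_to_object_storage "${CLEAN_BRANCH_NAME}/${LAST_PUSHED_BOM_NAME}"
fi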