#!/usr/bin/env bash
# Strict mode: abort on a failing command (-e), on use of an unset variable
# (-u), and when any stage of a pipeline fails (pipefail).
set -euo pipefail
# Load the shared build helpers. Presumably this is where version_tag,
# tag_and_push, gen_versions and scan_redhat_image come from, since none of
# them is defined in this file.
# NOTE(review): the name has no slash, so bash searches PATH before falling
# back to the current directory; `. ./build_utils.sh` would pin the lookup to
# the working directory. Confirm how callers invoke this script.
. build_utils.sh
# Publishes the 'conjur' image to docker registries
# There are 3 primary flows:
# - Publish build-specific (commit SHA) based images internally
# - Publish edge and release build images internally and to DockerHub
# - Promote an existing image to a customer release and publish to latest
#
# If no parameters are specified, no images are pushed
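#######################################
# Prints the command-line usage summary for this script.
# Arguments: none
# Outputs:   usage text on stdout
#######################################
function print_help() {
  # No positional argument is listed: the option loop in this script treats
  # anything that is not one of the flags below as an unknown option.
  echo "Usage: $0 [OPTION...]"
  echo " --internal: publish SHA tagged images internally"
  echo " --edge: publish images as edge versions to registry.tld and dockerhub"
  echo " --promote: publish images as a promotion (latest and less specific versions) to registry.tld and dockerhub"
  # --dockerhub is accepted by the option loop but was missing from the help.
  echo " --dockerhub: also publish to dockerhub (only honoured for builds in the main conjur repo)"
  echo " --redhat: publish image to redhat registry"
  echo " --version=VERSION: specify version number to use"
  echo " --base-version=VERSION: specify base image version number to use to apply tags to"
  echo " --arch=ARCH: specify architecture for tagging an image (default 'amd64'). Possible values are: amd64,arm64"
}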
# Flow switches. Each one stays "false" until the matching command-line flag
# is seen, so running the script with no flags pushes nothing.
PUBLISH_INTERNAL="false"
PUBLISH_EDGE="false"
PROMOTE="false"
DOCKERHUB="false"
REDHAT="false"

# Architecture suffix appended to image tags; --arch= overrides it.
ARCH='amd64'

# Default version: the content of the VERSION file in the current directory;
# --version= overrides it.
VERSION="$(< VERSION)"

# Default tag of the locally built images, as reported by version_tag (not
# defined in this file, presumably provided by build_utils.sh);
# --base-version= overrides it.
LOCAL_TAG=$(version_tag)
# Consume the command line one word at a time. Boolean flags flip their
# switch; --name=value options keep everything after the first '='. Any other
# word prints the help text and ends the script with status 1.
while [[ $# -gt 0 ]]; do
  arg="$1"
  case "${arg}" in
    --internal)
      PUBLISH_INTERNAL=true
      ;;
    --edge)
      PUBLISH_EDGE=true
      ;;
    --promote)
      PROMOTE=true
      ;;
    --dockerhub)
      DOCKERHUB=true
      ;;
    --redhat)
      REDHAT=true
      ;;
    --version=*)
      VERSION="${arg#*=}"
      ;;
    --base-version=*)
      LOCAL_TAG="${arg#*=}"
      ;;
    --arch=*)
      ARCH="${arg#*=}"
      ;;
    *)
      echo "Unknown option: ${arg}"
      print_help
      exit 1
      ;;
  esac
  # Drop the word just handled so the next iteration sees the following one.
  shift
done
# Repository name used for the published conjur image.
IMAGE_NAME='cyberark/conjur'

# Locally built images that get re-tagged and pushed.
LOCAL_IMAGE="conjur:${LOCAL_TAG}"
RH_LOCAL_IMAGE="conjur-ubi:${LOCAL_TAG}"

# Red Hat publishing target: registry host, certification project id, and the
# repository path and robot account name derived from that id.
REDHAT_REGISTRY='quay.io'
REDHAT_CERT_PID='5f905d433a93dc782c77a0f9'
REDHAT_REMOTE_IMAGE="${REDHAT_REGISTRY}/redhat-isv-containers/${REDHAT_CERT_PID}"
REDHAT_USER="redhat-isv-containers+${REDHAT_CERT_PID}-robot"

# '+' is not a valid character in a Docker tag, so every '+' in the version
# becomes '_' before the version is used as a tag.
VERSION=$(echo -n "${VERSION}" | tr '+' '_')
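# Don't publish to DockerHub unless the build is in the main conjur repo.
# JOB_NAME is read with an empty default so that, under `set -u`, a missing
# variable fails closed (DockerHub publishing off) instead of aborting the
# whole script with an unbound-variable error.
if [[ "${JOB_NAME:-}" != cyberark--conjur/* ]]; then
  DOCKERHUB=false
fi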
# Internal flow: SHA-tagged images go to the internal registry only.
if [[ "${PUBLISH_INTERNAL}" == true ]]; then
  echo "Pushing ${LOCAL_TAG}-${ARCH} tagged images to registry.tld..."
  # Two tags per image, in this order: version plus SHA, then SHA only.
  for internal_tag in "${VERSION}-${LOCAL_TAG}-${ARCH}" "${LOCAL_TAG}-${ARCH}"; do
    tag_and_push "${internal_tag}" "${LOCAL_IMAGE}" "registry.tld/conjur"
    tag_and_push "${internal_tag}" "conjur-test:${LOCAL_TAG}" "registry.tld/conjur-test"
    tag_and_push "${internal_tag}" "conjur-ubi:${LOCAL_TAG}" "registry.tld/conjur-ubi"
  done
fi
# Edge flow: release-specific and edge tags go to the internal registry, and
# to DockerHub as well when DOCKERHUB is still "true" at this point.
if [[ "${PUBLISH_EDGE}" == true ]]; then
  echo "Pushing edge versions..."
  echo "Pushing ${VERSION}-${ARCH} to registry.tld..."
  # Internal registry: the release-specific tag first, then the edge tag.
  for edge_tag in "${VERSION}-${ARCH}" "edge-${ARCH}"; do
    tag_and_push "${edge_tag}" "${LOCAL_IMAGE}" "registry.tld/${IMAGE_NAME}"
    tag_and_push "${edge_tag}" "${RH_LOCAL_IMAGE}" "registry.tld/conjur-ubi"
  done
  # DockerHub gets the same two tags, without the architecture suffix.
  if [[ "${DOCKERHUB}" == true ]]; then
    echo "Pushing to DockerHub"
    for hub_tag in "${VERSION}" "edge"; do
      tag_and_push "${hub_tag}" "${LOCAL_IMAGE}" "${IMAGE_NAME}"
    done
  fi
fi
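# Promote flow: re-tag an image that is already in the internal registry under
# the release tags, and mirror those tags to DockerHub when that is enabled.
if [[ "${PROMOTE}" = true ]]; then
  echo "Promoting image to ${VERSION}-${ARCH}"
  # Push edge, latest, 1.x.y, 1.x, and 1 images
  readarray -t prefix_versions < <(gen_versions "${VERSION}")
  for version in edge latest "${prefix_versions[@]}"; do
    echo "Pushing images for tag: $version-${ARCH}"
    tag_and_push "${version}-${ARCH}" "registry.tld/${IMAGE_NAME}:${LOCAL_TAG}-${ARCH}" "registry.tld/${IMAGE_NAME}"
    tag_and_push "${version}-${ARCH}" "registry.tld/conjur-ubi:${LOCAL_TAG}-${ARCH}" "registry.tld/conjur-ubi"
    # Compare against the literal "true". DOCKERHUB holds the string "false"
    # when publishing is disabled, and a bare [[ "${DOCKERHUB}" ]] is true for
    # any non-empty string, so the old test pushed release tags to the public
    # registry even for builds outside the main conjur repo.
    if [[ "${DOCKERHUB}" = true ]]; then
      echo "Pushing to DockerHub"
      # NOTE(review): the source here is the local tag "${LOCAL_IMAGE}-${ARCH}",
      # while the internal pushes above use the copy in registry.tld; confirm
      # that local tag exists when a promotion runs.
      tag_and_push "${version}-${ARCH}" "${LOCAL_IMAGE}-${ARCH}" "${IMAGE_NAME}"
    fi
  done
fi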
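# Red Hat flow: log in to the Red Hat registry, push the version tag, run the
# certification scan on it, then push the latest tag.
if [[ "${REDHAT}" = true ]]; then
  echo "Publishing ${VERSION} to RedHat registry..."
  # Fail with a clear message before contacting the registry if the API key
  # was not provided.
  : "${REDHAT_API_KEY:?REDHAT_API_KEY must be set to publish to the RedHat registry}"
  # Publish only the tag version to the Redhat container registry.
  # The key is fed on stdin rather than with -p, so it does not appear in the
  # process argument list where other local users or process listings could
  # read it. printf is a shell builtin, so no extra process sees it in argv.
  if printf '%s' "${REDHAT_API_KEY}" \
    | docker login "${REDHAT_REGISTRY}" -u "${REDHAT_USER}" --password-stdin; then
    # push image to red hat
    tag_and_push "${VERSION}" "${RH_LOCAL_IMAGE}" "${REDHAT_REMOTE_IMAGE}"
    # scan image with preflight tool
    scan_redhat_image "${REDHAT_REMOTE_IMAGE}:${VERSION}" "${REDHAT_CERT_PID}"
    # push latest tag to RH
    tag_and_push "latest" "${RH_LOCAL_IMAGE}" "${REDHAT_REMOTE_IMAGE}"
  else
    # Diagnostics go to stderr so they are not mixed into captured stdout.
    echo 'Failed to log in to quay.io' >&2
    exit 1
  fi
fi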