Publish stable alias tag for snapshot images (#8269)

This updates the operator images build to publish an additional "stable latest" tag and then uses those images to trigger a CVEs scan. This enables the scan of 4 images (all except eck-dev: `eck,eck-fips,eck-ubi8,eck-ubi8-fips`): - on nightly main build, nightly-main: `eck-snapshots/eck-operator:latest` - on merge in release branch, merge-xyz: `eck-snapshots/eck-operator:next-release-latest` - on build candidates tag, tag-bc: `eck-snapshots/eck-operator:bc-latest` - on final tag, tag-final: `eck/eck-operator:latest` Changes to get this: - update image name for `merge-xyz` and `tag-bc` to use `eck-snapshots` docker repo name. - build all flavors (eck,eck-dev,eck-fips,eck-ubi,eck-ubi-fips) for `nightly-main` and `merge-xyz` - add a latest stable tag on docker build via the drivah config and share the list of images to scan to the pipeline using a file and buildkite meta data.
elastic · Jan 8, 2025 · def6ea4 · def6ea4
1 parent 9cc8ab7
commit def6ea4
Show file tree

Hide file tree

Showing 5 changed files with 74 additions and 48 deletions.
diff --git a/.buildkite/pipeline.yml b/.buildkite/pipeline.yml
@@ -136,49 +136,36 @@ steps:
 
   # ----------
 
-  # Run CVE checks for the main branch
-  - group: cve image scans
-    steps:
-
-      # scan the operator image for CVEs on merge to main or nightly builds
-      - label: ":buildkite: cve-checks"
-        if: build.branch == "main"
-        depends_on:
-          - "operator-image-build"
-        command: |
-          export CONTAINER=$$(buildkite-agent meta-data get operator-image)
-          cat <<- YAML | buildkite-agent pipeline upload
-          steps:
-            - label: "Trigger cve-slo-status pipeline for $$CONTAINER"
-              trigger: cve-slo-status
-              build:
-                env:
-                  CONTAINER: "$$CONTAINER"
-              soft_fail: true
-          YAML
-        agents:
-          image: docker.elastic.co/ci-agent-images/cloud-k8s-operator/buildkite-agent:a426ea5f
-          memory: "256Mi"
-
-      # scan the -ubi operator image on nightly builds
-      - label: ":buildkite: cve-checks"
-        if: build.branch == "main" && build.source == "schedule"
-        depends_on:
-          - "operator-image-build"
-        command: |
-          export CONTAINER=$$(buildkite-agent meta-data get operator-image | sed "s/operator:/operator-ubi:/")
-          cat <<- YAML | buildkite-agent pipeline upload
+  # scan the operator image(s) for CVEs
+  - label: ":buildkite:"
+    if: |  # merge-xyz, tag-bc, tag-final or nightly-main
+      build.branch =~ /^[0-9]*\.[0-9]*\$/
+      || build.tag != null
+      || ( build.branch == "main" && build.source == "schedule")
+    depends_on:
+      - "operator-image-build"
+    command: |
+      list-images() { buildkite-agent meta-data get images-to-scan; }
+      (
+        cat <<- YAML
+      steps:
+        - group: cve image scans
           steps:
-            - label: "Trigger cve-slo-status pipeline for $$CONTAINER"
+      YAML
+        for img in $$(list-images); do
+      cat <<- YAML
+            - label: "Trigger cve-slo-status pipeline for $$img"
               trigger: cve-slo-status
               build:
                 env:
-                  CONTAINER: "$$CONTAINER"
+                  CONTAINER: "$$img"
               soft_fail: true
-          YAML
-        agents:
-          image: docker.elastic.co/ci-agent-images/cloud-k8s-operator/buildkite-agent:a426ea5f
-          memory: "256Mi"
+      YAML
+        done
+      ) | buildkite-agent pipeline upload
+    agents:
+      image: docker.elastic.co/ci-agent-images/cloud-k8s-operator/buildkite-agent:a426ea5f
+      memory: "256Mi"
 
   - label: ":buildkite:"
     depends_on:

diff --git a/.buildkite/scripts/build/pre-build-operator.sh b/.buildkite/scripts/build/pre-build-operator.sh
@@ -21,6 +21,7 @@ main() {
     operator::set_image_vars "$TRIGGER"
     operator::set_build_flavors_var "$TRIGGER"
 
+    export TRIGGER
     "$ROOT/build/gen-drivah.toml.sh"
 }
 

diff --git a/.buildkite/scripts/common/operator-image.sh b/.buildkite/scripts/common/operator-image.sh
@@ -6,7 +6,7 @@
 
 # Functions to set environment variables to build the operator.
 
-source "$ROOT/.buildkite/scripts/common/lib.sh"
+source "${ROOT:-.}/.buildkite/scripts/common/lib.sh"
 
 # Sets operator image variables in the environment depending on the given trigger.
 operator::set_image_vars() {
@@ -16,26 +16,35 @@ operator::set_image_vars() {
     sha1=$(common::sha1)
 
     case "$trigger" in
-        tag-*)
+        tag-final)
             : "$BUILDKITE_TAG" # required
             IMAGE_NAME="docker.elastic.co/eck/eck-operator"
             IMAGE_TAG="${BUILDKITE_TAG#v}" # remove v prefix
         ;;
+        tag-bc)
+            : "$BUILDKITE_TAG" # required
+            IMAGE_NAME="docker.elastic.co/eck-snapshots/eck-operator"
+            IMAGE_TAG="${BUILDKITE_TAG#v}" # remove v prefix
+        ;;
+        merge-xyz)
+            IMAGE_NAME="docker.elastic.co/eck-snapshots/eck-operator"
+            IMAGE_TAG="$version-$sha1"
+        ;;
         *-main)
             IMAGE_NAME="docker.elastic.co/eck-snapshots/eck-operator"
             IMAGE_TAG="$version-$sha1"
         ;;
         pr-*)
             : "$BUILDKITE_PULL_REQUEST" # required
-            IMAGE_NAME="docker.elastic.co/eck-ci/eck-operator-pr"
-            IMAGE_TAG="$BUILDKITE_PULL_REQUEST-$sha1"
+            IMAGE_NAME="docker.elastic.co/eck-ci/eck-operator"
+            IMAGE_TAG="pr-$BUILDKITE_PULL_REQUEST-$sha1"
         ;;
         dev)
             IMAGE_NAME="docker.elastic.co/eck-dev/eck-operator"
             IMAGE_TAG="dev-$sha1"
         ;;
         *)
-            IMAGE_NAME="docker.elastic.co/eck-ci/eck-operator-br"
+            IMAGE_NAME="docker.elastic.co/eck-ci/eck-operator"
             IMAGE_TAG="$version-$sha1"
         ;;
     esac
@@ -50,10 +59,11 @@ operator::set_build_flavors_var() {
     if [[ "${BUILD_FLAVORS:-}" == "" ]]; then
         case $trigger in
             tag-*)           BUILD_FLAVORS="eck,eck-dev,eck-fips,eck-ubi,eck-ubi-fips" ;;
+            nightly-main)    BUILD_FLAVORS="eck,eck-dev,eck-fips,eck-ubi,eck-ubi-fips" ;;
+            merge-xyz)       BUILD_FLAVORS="eck,eck-dev,eck-fips,eck-ubi,eck-ubi-fips" ;;
             merge-main)      BUILD_FLAVORS="eck,eck-dev" ;;
-            nightly-main)    BUILD_FLAVORS="eck,eck-dev,eck-ubi" ;;
             *-test-snapshot) BUILD_FLAVORS="eck,eck-dev" ;;
-            pr-*|merge-xyz)  BUILD_FLAVORS="eck" ;;
+            pr-*)            BUILD_FLAVORS="eck" ;;
             dev)             BUILD_FLAVORS="dev" ;;
             *)               echo "error: trigger '$trigger' not supported"; exit ;;
         esac

diff --git a/.buildkite/scripts/common/trigger.sh b/.buildkite/scripts/common/trigger.sh
@@ -72,4 +72,3 @@ is_api() {
 is_dev() {
     [[ "${CI:-}" != "true" ]]
 }
-
diff --git a/build/gen-drivah.toml.sh b/build/gen-drivah.toml.sh
@@ -27,15 +27,32 @@ SNAPSHOT=true
 GO_TAGS=${GO_TAGS-release}
 LICENSE_PUBKEY=license.key
 
+latest_stable_tag() {
+    case "${TRIGGER:-}" in
+        merge-xyz) echo next-release-latest ;;
+        tag-bc)    echo bc-latest ;;
+        *)         echo latest ;;
+    esac
+}
+
 generate_drivah_config() {
     local name=$1
     local tag=$2
     local go_tags=$3
     local license_pubkey=$4
+
+    # add 'stable' tag without sha1 for snapshots
+    if [[ "$tag" =~ "SNAPSHOT" ]]; then
+        snapshot_stable_tag="${tag/-$SHA1/}"
+        additional_tags=",\"${snapshot_stable_tag}-${ARCH}\",\"$(latest_stable_tag)-${ARCH}\""
+    else
+        additional_tags=",\"$(latest_stable_tag)-${ARCH}\""
+    fi
+
 cat <<END
 [container.image]
 names = ["${name}"]
-tags = ["${tag}-${ARCH}"]
+tags = ["${tag}-${ARCH}"${additional_tags:-}]
 build_context = "../../"
 
 [container.image.build_args]
@@ -48,7 +65,7 @@ END
 }
 
 main() {
-    echo "# -- gen-drivah-config BUILD_FLAVORS=$BUILD_FLAVORS"
+    echo "# -- gen-drivah-config BUILD_FLAVORS=$BUILD_FLAVORS TRIGGER=$TRIGGER"
 
     # disable SNAPSHOT for tags
     tag_pattern="^[0-9]+\.[0-9]+\.[0-9]+"
@@ -59,6 +76,9 @@ main() {
     # delete only dirs
     find "$HERE" -maxdepth 1 -mindepth 1 -type d -exec rm -rf '{}' \;
 
+    # initialize file to share list of images for CVE scan
+    true > images-to-scan.txt
+
     IFS=","; for flavor in $BUILD_FLAVORS; do
 
         # default vars reset at each iteration
@@ -91,6 +111,11 @@ main() {
                 go_tags="$go_tags,goexperiment.boringcrypto"
         fi
 
+        # write the image name with the latest stable tag (except the 'dev' flavor) for CVE scan
+        if [[ ! "$flavor" =~ -dev ]]; then
+            echo "$name:$(latest_stable_tag)" >> images-to-scan.txt
+        fi
+
         # fetch public license key
         if [[ ! -f "$HERE/$license_pubkey" ]]; then
             prefix="${BUILD_LICENSE_PUBKEY:+$BUILD_LICENSE_PUBKEY-}" # add "-" suffix
@@ -105,6 +130,10 @@ main() {
         cp -f "$container_file_path" "$HERE/$flavor/Dockerfile"
 
     done
+
+    if [[ "${CI:-}" == true ]]; then
+        buildkite-agent meta-data set images-to-scan "$(cat images-to-scan.txt)"
+    fi
 }
 
 main
Original file line number	Diff line number	Diff line change
Expand Up		@@ -72,4 +72,3 @@ is_api() {
		is_dev() {
		[[ "${CI:-}" != "true" ]]
		}