Build, tag, and push operator base images during CI (operator-framework#832)

* Makefile,hack/docker,hack/tests: adding new docker scripts and Make targets

* Makefile,pkg/scaffold: changing default image repo to quay.io/operator-framework

* [travis deploy] .travis.yml: refactor into stages to build and push docker images

* [travis deploy] Makefile,hack/: renaming make 'docker' targets to 'image'

* [travis deploy] .travis.yml: renaming make 'docker' targets to 'image'

* [travis deploy] .travis.yml,Makefile,hack/image: updates from PR feedback

* [travis deploy] test/ansible-operator/cmd/ansible-operator/main.go: copying from github.com/water-hole/ansible-operator

* [travis deploy] test/helm-operator/cmd/helm-operator/main.go: use production logger

* [travis deploy] test/helm-operator/cmd/helm-operator/main.go: load watches from env, not hardcoded file

* [travis deploy] Makefile,hack/tests: always build, test, and tag from local-only image tag

* [travis deploy] pkg/scaffold/ansible,pkg/scaffold/helm: use image tags from latest release

* [travis deploy] Makefile: add missing PHONY target for test/ci-helm

* [travis deploy] test/ansible-operator/cmd/ansible-operator/main.go: watch all namespaces if WATCH_NAMESPACE is unset

* [travis deploy] test/ansible-operator/cmd/ansible-operator/main.go: fixing ansible-operator compile error

Author: joelanford

.travis.yml

@@ -5,51 +5,88 @@ sudo: required
 go:
 - 1.10.3
 
-before_install:
-  - |
-      if [ "$TRAVIS_COMMIT_RANGE" != "" ] && ! git diff --name-only $TRAVIS_COMMIT_RANGE | grep -qvE '(\.md)|(\.MD)|(\.png)|(\.pdf)|^(doc/)|^(MAINTAINERS)|^(LICENSE)'; then
-        echo "Only doc files were updated, not running the CI."
-        exit
-      fi
+# The `x_base_steps` top-level key is unknown to travis,
+# so we can use it to create a bunch of common build step
+# YAML anchors which we use in our build jobs.
+x_base_steps:
+  # before_install for jobs that require go builds
+  - &go_before_install
+    before_install:
+      # hack/ci/check-doc-only-update.sh needs to be sourced so
+      # that it can properly exit the test early with success
+      - source hack/ci/check-doc-only-update.sh
+      - curl -Lo dep https://github.com/golang/dep/releases/download/v0.5.0/dep-linux-amd64 && chmod +x dep && sudo mv dep /usr/local/bin/
+      - travis_retry dep ensure
+
+  # Base go, ansbile, and helm job
+  - &test
+    stage: test
+    env: CLUSTER=openshift
+    <<: *go_before_install
+    install:
+      - make install
+      - hack/ci/setup-openshift.sh
+    after_success:
+      - echo "Build succeeded, operator was generated, memcached operator is running on $CLUSTER, and unit/integration tests pass"
+    after_failure:
+      - echo "Build failed, operator failed to generate, memcached operator is not running on $CLUSTER, or unit/integration tests failed"
+      - kubectl get all --all-namespaces
+      - kubectl get events --all-namespaces --field-selector=type=Warning
+    services:
+      - docker
+
+  # Base deploy job
+  - &deploy
+    stage: deploy
+    if: type != pull_request AND ( tag IS present OR branch = master OR commit_message =~ /\[travis deploy\]/ )
+    <<: *go_before_install
+    install: skip
+    before_script:
+      - git config remote.origin.fetch +refs/heads/*:refs/remotes/origin/*
+      - git fetch --unshallow --tags
+    after_success:
+      - echo "Image build succeeded, and docker image tagged and pushed to repository"
+    after_failure:
+      - echo "Image build, docker image tagging, or docker image pushing to repository failed"
+    services:
+      - docker
 
 jobs:
   include:
-    - before_script: hack/ci/setup-openshift.sh
-      env: CLUSTER=openshift
-      script: make test/ci-go
+    # Build and test go
+    - <<: *test
       name: Go on OpenShift
-      services:
-      - docker
-    - before_script: hack/ci/setup-openshift.sh
-      env: CLUSTER=openshift
-      script: make test/ci-ansible
+      script: make test/ci-go
+
+    # Build and test ansible
+    - <<: *test
       name: Ansible on OpenShift
-      services:
-      - docker
-    - before_script: hack/ci/setup-openshift.sh
-      env: CLUSTER=openshift
-      script: make test/ci-helm
+      before_script: sudo pip install ansible
+      script: make test/ci-ansible
+
+    # Build and test helm
+    - <<: *test
       name: Helm on OpenShift
-      services:
-      - docker
-    - name: Markdown Link Checker
+      script: make test/ci-helm
+
+    # Test markdown
+    - stage: test
+      name: Markdown Link Checker
       language: bash
-      before_install: true
-      install: true
+      script: make test/markdown
       after_success: echo 'Markdown links are correct'
       after_failure: echo 'Incorrect markdown link detected'
-      script: make test/markdown
-
-install:
-- curl -Lo dep https://github.com/golang/dep/releases/download/v0.5.0/dep-linux-amd64 && chmod +x dep && sudo mv dep /usr/local/bin/
-- dep ensure
-- make install
-- sudo pip install ansible
 
-after_success:
-- echo "Build succeeded, operator was generated, memcached operator is running on $CLUSTER, and unit/integration tests pass"
+    # Build and deploy ansible-operator docker image
+    - <<: *deploy
+      name: Docker image for ansible-operator
+      script:
+        - make image/build/ansible
+        - make image/push/ansible
 
-after_failure:
-- echo "Build failed, operator failed to generate, memcached operator is not running on $CLUSTER, or unit/integration tests failed"
-- kubectl get all --all-namespaces
-- kubectl get events --all-namespaces --field-selector=type=Warning
+    # Build and deploy helm-operator docker image
+    - <<: *deploy
+      name: Docker image for helm-operator
+      script:
+        - make image/build/helm
+        - make image/push/helm

Makefile

@@ -14,6 +14,12 @@ REPO = github.com/operator-framework/operator-sdk
 BUILD_PATH = $(REPO)/commands/operator-sdk
 PKGS = $(shell go list ./... | grep -v /vendor/)
 
+ANSIBLE_BASE_IMAGE = quay.io/operator-framework/ansible-operator
+HELM_BASE_IMAGE = quay.io/operator-framework/helm-operator
+
+ANSIBLE_IMAGE ?= $(ANSIBLE_BASE_IMAGE)
+HELM_IMAGE ?= $(HELM_BASE_IMAGE)
+
 export CGO_ENABLED:=0
 
 all: format test build/operator-sdk
@@ -84,13 +90,33 @@ test/e2e: test/e2e/go test/e2e/ansible test/e2e/helm
 test/e2e/go:
 	./hack/tests/e2e-go.sh $(ARGS)
 
-test/e2e/ansible:
+test/e2e/ansible: image/build/ansible
 	./hack/tests/e2e-ansible.sh
 
-test/e2e/helm:
+test/e2e/helm: image/build/helm
 	./hack/tests/e2e-helm.sh
 
 test/markdown:
 	./hack/ci/marker --root=doc
 
-.PHONY: test test/sanity test/unit test/subcommand test/e2e test/e2e/go test/e2e/ansible test/e2e/helm test/ci-go test/ci-ansible test/markdown
+.PHONY: test test/sanity test/unit test/subcommand test/e2e test/e2e/go test/e2e/ansible test/e2e/helm test/ci-go test/ci-ansible test/ci-helm test/markdown
+
+image: image/build image/push
+
+image/build: image/build/ansible image/build/helm
+
+image/build/ansible:
+	./hack/image/build-ansible-image.sh $(ANSIBLE_BASE_IMAGE):dev
+
+image/build/helm:
+	./hack/image/build-helm-image.sh $(HELM_BASE_IMAGE):dev
+
+image/push: image/push/ansible image/push/helm
+
+image/push/ansible:
+	./hack/image/push-image-tags.sh $(ANSIBLE_BASE_IMAGE):dev $(ANSIBLE_IMAGE)
+
+image/push/helm:
+	./hack/image/push-image-tags.sh $(HELM_BASE_IMAGE):dev $(HELM_IMAGE)
+
+.PHONY: image image/build image/build/ansible image/build/helm image/push image/push/ansible image/push/helm

hack/ci/check-doc-only-update.sh

@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+
+if [ "$TRAVIS_COMMIT_RANGE" != "" ] && ! git diff --name-only $TRAVIS_COMMIT_RANGE | grep -qvE '(\.md)|(\.MD)|(\.png)|(\.pdf)|^(doc/)|^(MAINTAINERS)|^(LICENSE)'; then
+  echo "Only doc files were updated, not running the CI."
+  exit
+fi
+

hack/image/build-ansible-image.sh

@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+
+set -eux
+
+# build operator binary and base image
+go build -o test/ansible-operator/ansible-operator test/ansible-operator/cmd/ansible-operator/main.go
+pushd test/ansible-operator
+docker build -t "$1" .
+popd

hack/image/build-helm-image.sh

@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+
+set -eux
+
+# build operator binary and base image
+GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -o test/helm-operator/helm-operator test/helm-operator/cmd/helm-operator/main.go
+pushd test/helm-operator
+docker build -t "$1" .
+popd

hack/image/push-image-tags.sh

@@ -0,0 +1,178 @@
+#!/usr/bin/env bash
+
+source hack/lib/common.sh
+
+semver_regex="^v(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)$"
+
+#
+# push_image_tags <source_image> <push_image>
+#
+# push_image_tags tags the source docker image with zero or more
+# image tags based on TravisCI environment variables and the
+# presence of git tags in the repository of the current working
+# directory. If a second argument is present, it will be used as
+# the base image name in pushed image tags.
+#
+function push_image_tags() {
+  source_image=$1; shift || fatal "${FUNCNAME} usage error"
+  push_image=$1; shift || push_image=$source_image
+
+  print_image_info $source_image
+  print_git_tags
+  docker_login
+  check_can_push || return 0
+
+  images=$(get_image_tags $push_image)
+
+  for image in $images; do
+    docker tag "$source_image" "$image"
+    docker push "$image"
+  done
+}
+
+#
+# print_image_info <image_name>
+#
+# print_image_info prints helpful information about a docker
+# image.
+#
+function print_image_info() {
+  image_name=$1; shift || fatal "${FUNCNAME} usage error"
+  image_id=$(docker inspect "$image_name" -f "{{.Id}}")
+  image_created=$(docker inspect "$image_name" -f "{{.Created}}")
+
+  if [[ -n "$image_id" ]]; then
+    echo "Docker image info:"
+    echo "    Name:      $image_name"
+    echo "    ID:        $image_id"
+    echo "    Created:   $image_created"
+    echo ""
+  else
+    echo "Could not find docker image \"$image_name\""
+    return 1
+  fi
+}
+
+#
+# print_git_tags
+#
+# print_git_tags prints all tags present in the git repository.
+#
+function print_git_tags() {
+  git_tags=$(git tag -l | sed 's|^|    |')
+  if [[ -n "$git_tags" ]]; then
+    echo "Found git tags:"
+    echo "$git_tags"
+    echo ""
+  fi
+}
+
+#
+# docker_login <image_name>
+#
+# docker_login performs a docker login for the server of the provided
+# image if the DOCKER_USERNAME and DOCKER_PASSWORD environment variables
+# are set.
+#
+function docker_login() {
+  if [[ -n "$DOCKER_USERNAME" && -n "$DOCKER_PASSWORD" ]]; then
+    server=$(docker_server_for_image $image_name)
+    echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USERNAME" --password-stdin "$server"
+  fi
+}
+
+#
+# check_can_push
+#
+# check_can_push performs various checks to determine whether images
+# built from this commit should be pushed. It prints a message and 
+# returns a failure code if any check doesn't pass.
+#
+function check_can_push() {
+  if [[ "$TRAVIS" != "true" ]]; then
+    echo "Detected execution in a non-TravisCI environment. Skipping image push."
+    return 1
+  elif [[ "$TRAVIS_EVENT_TYPE" == "pull_request" ]]; then
+    echo "Detected pull request commit. Skipping image push"
+    return 1
+  elif [[ ! -f "$HOME/.docker/config.json" ]]; then
+    echo "Docker login credentials required to push. Skipping image push."
+    return 1
+  fi
+}
+
+#
+# get_image_tags <image_name>
+#
+# get_image_tags returns a list of tags that are eligible to be pushed.
+# If an image name is passed as an argument, the full <name>:<tag> will
+# be returned for each eligible tag. The criteria is:
+#   1. Is TRAVIS_BRANCH set?                 => <image_name>:$TRAVIS_BRANCH
+#   2. Is TRAVIS_TAG highest semver release? => <image_name>:latest
+#
+function get_image_tags() {
+  image_name=$1
+  [[ -n "$image_name" ]] && image_name="${image_name}:"
+
+  # Tag `:$TRAVIS_BRANCH` if it is set.
+  # Note that if the build is for a tag, $TRAVIS_BRANCH is set
+  # to the tag, so this works in both cases
+  if [[ -n "$TRAVIS_BRANCH" ]]; then
+    echo "${image_name}${TRAVIS_BRANCH}"
+  fi
+
+  # Tag `:latest` if $TRAVIS_TAG is the highest semver tag found in
+  # the repository.
+  if is_latest_tag "$TRAVIS_TAG"; then
+    echo "${image_name}latest"
+  fi
+}
+
+#
+# docker_server_for_image <image_name>
+#
+# docker_server_for_image returns the server component of the image
+# name. If the image name does not contain a server component, an
+# empty string is returned.
+#
+function docker_server_for_image() {
+  image_name=$1; shift || fatal "${FUNCNAME} usage error"
+  IFS='/' read -r -a segments <<< "$image_name"
+  if [[ "${#segments[@]}" -gt "2" ]]; then
+    echo "${segments[0]}"
+  else
+    echo ""
+  fi
+}
+
+#
+# latest_git_version
+#
+# latest_git_version returns the highest semantic version
+# number found in the repository, with the form "vX.Y.Z".
+# Version numbers not matching the semver release format
+# are ignored.
+#
+function latest_git_version() {
+  git tag -l | egrep "${semver_regex}" | sort -V | tail -1
+}
+
+#
+# is_latest_tag <candidate>
+#
+# is_latest_tag returns whether the candidate tag matches
+# the latest tag from the git repository, based on semver.
+# To be the latest tag, the candidate must match the semver
+# release format.
+#
+function is_latest_tag() {
+  candidate=$1; shift || fatal "${FUNCNAME} usage error"
+  if ! [[ "$candidate" =~ $semver_regex ]]; then
+    return 1
+  fi
+
+  latest="$(latest_git_version)"
+  [[ -z "$latest" || "$candidate" == "$latest" ]]
+}
+
+push_image_tags "$@"

hack/lib/common.sh

@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+
+function log() { printf '%s\n' "$*"; }
+function error() { log "ERROR: $*" >&2; }
+function fatal() { error "$@"; exit 1; }