This repository contains tooling and configuration for publishing gardenlinux images as machine images to different hyperscalers.

The images to be published are built in a separate pipeline from sources hosted in gardenlinux repository, and consumed from a S3 bucket.

• install python-package gardener-cicd-libs (requires "build-essentials" (gcc, ..))
• alternative: manually install from https://github.com/gardener/cc-utils
• install additional python-packages from Dockerfile
• clone https://github.com/gardenlinux/gardenlinux in a sibling directory gardenlinux to this repo

See Credential Handling below for details of how to pass secrets to publishing-script.

find available release-manifests

Use ls-manifests to list existing manifests.

Consider using --versions or --versions-and-commits flags for conveniently printing required selectors (gardenlinux-version and build-commit) for image-publishing.

Use --version-prefix to narrow down search.

publish images for consumption through gardener

Use publish-release-set to start image-publishing. Note that a full release will require some few GiBs of data download and upload, and will take several tens of minutes.

Use aforementioned ls-manifests command to determine valid combinations of --version and --commit. Optionally use --flavourset-name and --flavours-file to specify different platforms and build flavours (defaults to preset for "Gardener").

Any additional parameters are intended for debugging / testing purposes.

The build pipeline can be used with a central server managing configuration and secrets. As an alternative all credentials can be read from a Kubernetes secret named "secrets" in the corresponding namespace. This secret will be automatically generated from configuration files. The switch between central server and a Kubernetes secret is done by an environment variable named SECRET_SERVER_ENDPOINT. If it is not set the secret will be generated and applied. At minimum there need to be two secrets: One for uploading the artifacts to an S3-like Object store and one to upload container images to an OCI registry. Example files are provided in the folder ci/cfg.

Edit the files cfg/cfg_types.yaml. Each top-level entry refers to another file containing the credentials. Examples with templates are provided. A second entry is for uploading the base-image and to an OCI registry. Additional configuration information is found in publishing-cfg.yaml

For sending notifications by default recipients are read from the CODEOWNERS files. Resolving this to email requires access to the Github API which is not possible for external users. The behavior can be overriden by setting the variable only_recipients in the pipelineRun file. If this variable contains a semicolon separated list of email addresses emails are sent only to these recipients. CODEWONWERS access is not needed then. For configuring an SMTP server a sample file is provided.

The integration test are implemented as their own tekton task which can be found here. The test automatically clones the github repo specified in the tekton resource and executes the integration test with the specified version (branch or commit).

The task assumes that there is a secret in the cluster with the following structure:

---
apiVersion: v1
kind: Secret
metadata:
  name: github-com-user
  annotations:
    tekton.dev/git-0: https://github.com
type: kubernetes.io/basic-auth
stringData:
  username: <github username>
  password: <github password>

The test can be executed within a cluster that has tekton installed by running:

# create test defintions and resources
kubectl apply -f ./ci/integrationtest-task.yaml

# run the actual test as taskrun
kubectl create -f ./ci/it-run.yaml

Running the integration tests is work-in-progress.