This is working towards "hands off" release builds, where we just tag
the release. When CI=1 and the git sha we are building _exactly_
matches a tag, we build that version. We enforce that version.go must
have previously been updated to match the tag.
We also refactor out the duplicated code into a shared script (tools/get_version.sh)
kube-apiserver doesn't expose the healthcheck via a dedicated
endpoint, instead relying on anonyomous-access being enabled. That
has previously forced us to enable the unauthenticated endpoint on
127.0.0.1:8080.
Instead we now run a small sidecar container, which
proxies /healthz and /readyz requests (only) adding appropriate
authentication using a client certificate.
This will also enable better load balancer checks in future, as these
have previously been hampered by the custom CA certificate.
Co-authored-by: John Gardiner Myers <jgmyers@proofpoint.com>
The image pushing postsubmit job [0] is one step closer to succeeding.
It currently fails because when the builder image uploads the kops directory to GCS for to be consumed by GCB, it excludes the .git directory [1].
This causes the job to fail because `make kops-controller-push` uses bazel which runs get_workspace_status.sh which aborts if the git commands fail.
The prow job doesnt contain much output but the GCB logs can be seen in GCS [2].
This PR removes the dependency on git commands.
I dont think any of the logic in the script will change because we already set VERSION [3] which is the only variable in get_workspace_status.sh that depends on git commands and is used to build and push the kops controller image.
[0] https://testgrid.k8s.io/sig-cluster-lifecycle-kops#kops-postsubmit-push-to-staging
[1] 18391d8986/images/builder/main.go (L87)
[2] gs://k8s-staging-kops-gcb/logs/log-a7dc3a24-97cd-42fe-bec3-971dc78a0e3a.txt
[3] b1276ac835/cloudbuild.yaml (L10)
We can move the gzip & sha steps from the makefile to bazel. This not
only simplifies the makefile, it should enable more parallelism and
better caching.
We bumped the version in the Makefile, but I did not understand that we
have to bump the version in the workplace status script. I added a note
in the Makefile, and bumped the version in the script.
Justin SB