1#!/usr/bin/env bash
2
3set -o errexit
4set -o nounset
5set -o pipefail
6
7source ./scripts/test_lib.sh
8source ./scripts/release_mod.sh
9
10DRY_RUN=${DRY_RUN:-true}
11
12# Following preparation steps help with the release process:
13
14# If you use password-protected gpg key, make sure the password is managed
15# by agent:
16#
17# % gpg-connect-agent reloadagent /bye
18# % gpg -s --default-key [git-email]@google.com -o /dev/null -s /dev/null
19#
20# Refresh your google credentials:
21#  % gcloud auth login
22# or
23#  % gcloud auth activate-service-account --key-file=gcp-key-etcd-development.json
24#
25# Make sure gcloud-docker plugin is configured:
26#  % gcloud auth configure-docker
27
28
29help() {
30  echo "$(basename "$0") [version]"
31  echo "Release etcd using the same approach as the etcd-release-runbook (https://goo.gl/Gxwysq)"
32  echo ""
33  echo "WARNING: This does not perform the 'Add API capabilities', 'Performance testing' "
34  echo "         or 'Documentation' steps. These steps must be performed manually BEFORE running this tool."
35  echo ""
36  echo "WARNING: This script does not sign releases, publish releases to github or sent announcement"
37  echo "         emails. These steps must be performed manually AFTER running this tool."
38  echo ""
39  echo "  args:"
40  echo "    version: version of etcd to release, e.g. 'v3.2.18'"
41  echo "  flags:"
42  echo "    --no-upload: skip gs://etcd binary artifact uploads."
43  echo "    --no-docker-push: skip docker image pushes."
44  echo ""
45  echo "One can perform a (dry-run) test release from any (uncommitted) branch using:"
46  echo "  DRY_RUN=true REPOSITORY=\`pwd\` BRANCH='local-branch-name' ./scripts/release 3.5.0-foobar.2"
47}
48
49main() {
50  VERSION=$1
51  if [[ ! "${VERSION}" =~ [0-9]+.[0-9]+.[0-9]+ ]]; then
52    log_error "Expected 'version' param of the form '<major-version>.<minor-version>.<patch-version>' but got '${VERSION}'"
53    exit 1
54  fi
55  RELEASE_VERSION="v${VERSION}"
56  MINOR_VERSION=$(echo "${VERSION}" | cut -d. -f 1-2)
57  BRANCH=${BRANCH:-"release-${MINOR_VERSION}"}
58  REPOSITORY=${REPOSITORY:-"git@github.com:etcd-io/etcd.git"}
59
60  log_warning "DRY_RUN=${DRY_RUN}"
61  log_callout "RELEASE_VERSION=${RELEASE_VERSION}"
62  log_callout "MINOR_VERSION=${MINOR_VERSION}"
63  log_callout "BRANCH=${BRANCH}"
64  log_callout "REPOSITORY=${REPOSITORY}"
65  log_callout ""
66
67  # Required to enable 'docker manifest ...'
68  export DOCKER_CLI_EXPERIMENTAL=enabled
69
70  if ! command -v docker >/dev/null; then
71    log_error "cannot find docker"
72    exit 1
73  fi
74
75  # Expected umask for etcd release artifacts
76  umask 022
77
78  # Set up release directory.
79  local reldir="/tmp/etcd-release-${VERSION}"
80  log_callout "Preparing temporary directory: ${reldir}"
81  if [ ! -d "${reldir}/etcd" ]; then
82    mkdir -p "${reldir}"
83    cd "${reldir}"
84    run git clone "${REPOSITORY}" --branch "${BRANCH}"
85  fi
86  run cd "${reldir}/etcd" || exit 2
87  # mark local directory as root for test_lib scripts executions
88  set_root_dir
89
90  run git checkout "${BRANCH}" || exit 2
91  run git pull origin
92  git_assert_branch_in_sync || exit 2
93
94  # If a release version tag already exists, use it.
95  local remote_tag_exists
96  remote_tag_exists=$(run git ls-remote origin "refs/tags/${RELEASE_VERSION}" | grep -c "${RELEASE_VERSION}" || true)
97
98  if [ "${remote_tag_exists}" -gt 0 ]; then
99    log_callout "Release version tag exists on remote. Checking out refs/tags/${RELEASE_VERSION}"
100    git checkout -q "tags/${RELEASE_VERSION}"
101  fi
102
103  # Check go version.
104  local go_version current_go_version
105  go_version="go$(run_go_tool "github.com/mikefarah/yq/v3" read .travis.yml "go[0]")"
106  current_go_version=$(go version | awk '{ print $3 }')
107  if [[ "${current_go_version}" != "${go_version}" ]]; then
108    log_error "Current go version is ${current_go_version}, but etcd ${RELEASE_VERSION} requires ${go_version} (see .travis.yml)."
109    exit 1
110  fi
111
112  # If the release tag does not already exist remotely, create it.
113  if [ "${remote_tag_exists}" -eq 0 ]; then
114    # Bump version/version.go to release version.
115    local source_version
116    source_version=$(grep -E "\s+Version\s*=" api/version/version.go | sed -e "s/.*\"\(.*\)\".*/\1/g")
117    if [[ "${source_version}" != "${VERSION}" ]]; then
118      source_minor_version=$(echo "${source_version}" | cut -d. -f 1-2)
119      if [[ "${source_minor_version}" != "${MINOR_VERSION}" ]]; then
120        log_error "Wrong etcd minor version in api/version/version.go. Expected ${MINOR_VERSION} but got ${source_minor_version}. Aborting."
121        exit 1
122      fi
123      log_callout "Updating modules definitions"
124      TARGET_VERSION="v${VERSION}" update_versions_cmd
125
126      log_callout "Updating version from ${source_version} to ${VERSION} in api/version/version.go"
127      sed -i "s/${source_version}/${VERSION}/g" api/version/version.go
128    fi
129
130
131    log_callout "Building etcd and checking --version output"
132    run ./build.sh
133    local etcd_version
134    etcd_version=$(bin/etcd --version | grep "etcd Version" | awk '{ print $3 }')
135    if [[ "${etcd_version}" != "${VERSION}" ]]; then
136      log_error "Wrong etcd version in version/version.go. Expected ${etcd_version} but got ${VERSION}. Aborting."
137      exit 1
138    fi
139
140    if [[ -n $(git status -s) ]]; then
141      log_callout "Committing mods & api/version/version.go update."
142      run git add api/version/version.go
143      run git add $(find -name go.mod ! -path './release/*'| xargs)
144      run git diff --staged | cat
145      run git commit -m "version: bump up to ${VERSION}"
146      run git diff --staged | cat
147    fi
148
149    # Push the version change if it's not already been pushed.
150    if [ "$(git rev-list --count "origin/${BRANCH}..${BRANCH}")" -gt 0 ]; then
151      read -p "Push version bump up to ${VERSION} to '$(git remote get-url origin)' [y/N]? " -r confirm
152      [[ "${confirm,,}" == "y" ]] || exit 1
153      maybe_run git push
154    fi
155
156    # Tag release.
157    if [ "$(git tag --list | grep -c "${RELEASE_VERSION}")" -gt 0 ]; then
158      log_callout "Skipping tag step. git tag ${RELEASE_VERSION} already exists."
159    else
160      log_callout "Tagging release..."
161      REMOTE_REPO="origin" push_mod_tags_cmd
162    fi
163
164    # Verify the latest commit has the version tag
165    local tag="$(git describe --exact-match HEAD)"
166    if [ "${tag}" != "${RELEASE_VERSION}" ]; then
167      log_error "Error: Expected HEAD to be tagged with ${RELEASE_VERSION}, but 'git describe --exact-match HEAD' reported: ${tag}"
168      exit 1
169    fi
170
171    # Verify the version tag is on the right branch
172    local branch=$(git for-each-ref --contains "${RELEASE_VERSION}" --format="%(refname)" 'refs/heads' | cut -d '/' -f 3)
173    if [ "${branch}" != "${BRANCH}" ]; then
174      log_error "Error: Git tag ${RELEASE_VERSION} should be on branch '${BRANCH}' but is on '${branch}'"
175      exit 1
176    fi
177  fi
178
179  # Build release.
180  # TODO: check the release directory for all required build artifacts.
181  if [ -d release ]; then
182    log_warning "Skipping release build step. /release directory already exists."
183  else
184    log_callout "Building release..."
185    if ${DRY_RUN}; then
186      log_warning "In DRY_RUN mode we clone the current release directory (as there was no push)"
187      REPOSITORY=$(pwd) ./scripts/build-release.sh "${RELEASE_VERSION}"
188    else
189      REPOSITORY=${REPOSITORY} ./scripts/build-release.sh "${RELEASE_VERSION}"
190    fi
191  fi
192
193  # Sanity checks.
194  "./release/etcd-${RELEASE_VERSION}-$(go env GOOS)-amd64/etcd" --version | grep -q "etcd Version: ${VERSION}" || true
195  "./release/etcd-${RELEASE_VERSION}-$(go env GOOS)-amd64/etcdctl" version | grep -q "etcdctl version: ${VERSION}" || true
196  "./release/etcd-${RELEASE_VERSION}-$(go env GOOS)-amd64/etcdutl" version | grep -q "etcdutl version: ${VERSION}" || true
197
198  # Generate SHA256SUMS
199  log_callout "Generating sha256sums of release artifacts."
200  pushd ./release
201  ls . | grep -E '\.tar.gz$|\.zip$' | xargs shasum -a 256 > ./SHA256SUMS
202  popd
203  if [ -s ./release/SHA256SUMS ]; then
204    cat ./release/SHA256SUMS
205  else
206    log_error "sha256sums is not valid. Aborting."
207    exit 1
208  fi
209
210  # Upload artifacts.
211  if [ "${NO_UPLOAD}" == 1 ]; then
212    log_callout "Skipping artifact upload to gs://etcd. --no-upload flat is set."
213  else
214    read -p "Upload etcd ${RELEASE_VERSION} release artifacts to gs://etcd [y/N]? " -r confirm
215    [[ "${confirm,,}" == "y" ]] || exit 1
216    maybe_run gsutil -m cp ./release/SHA256SUMS "gs://etcd/${RELEASE_VERSION}/"
217    maybe_run gsutil -m cp ./release/*.zip "gs://etcd/${RELEASE_VERSION}/"
218    maybe_run gsutil -m cp ./release/*.tar.gz "gs://etcd/${RELEASE_VERSION}/"
219    maybe_run gsutil -m acl ch -u allUsers:R -r "gs://etcd/${RELEASE_VERSION}/"
220  fi
221
222  # Push images.
223  if [ "${NO_DOCKER_PUSH}" == 1 ]; then
224    log_callout "Skipping docker push. --no-docker-push flat is set."
225  else
226    read -p "Publish etcd ${RELEASE_VERSION} docker images to quay.io [y/N]? " -r confirm
227    [[ "${confirm,,}" == "y" ]] || exit 1
228    # shellcheck disable=SC2034
229    for i in {1..5}; do
230      docker login quay.io && break
231      log_warning "login failed, retrying"
232    done
233
234    for TARGET_ARCH in "amd64" "arm64" "ppc64le" "s390x"; do
235      log_callout "Pushing container images to quay.io ${RELEASE_VERSION}-${TARGET_ARCH}"
236      maybe_run docker push "quay.io/coreos/etcd:${RELEASE_VERSION}-${TARGET_ARCH}"
237      log_callout "Pushing container images to gcr.io ${RELEASE_VERSION}-${TARGET_ARCH}"
238      maybe_run docker push "gcr.io/etcd-development/etcd:${RELEASE_VERSION}-${TARGET_ARCH}"
239    done
240
241    log_callout "Creating manifest-list (multi-image)..."
242
243    for TARGET_ARCH in "amd64" "arm64" "ppc64le" "s390x"; do
244      maybe_run docker manifest create --amend "quay.io/coreos/etcd:${RELEASE_VERSION}" "quay.io/coreos/etcd:${RELEASE_VERSION}-${TARGET_ARCH}"
245      maybe_run docker manifest annotate "quay.io/coreos/etcd:${RELEASE_VERSION}" "quay.io/coreos/etcd:${RELEASE_VERSION}-${TARGET_ARCH}" --arch "${TARGET_ARCH}"
246
247      maybe_run docker manifest create --amend "gcr.io/etcd-development/etcd:${RELEASE_VERSION}" "gcr.io/etcd-development/etcd:${RELEASE_VERSION}-${TARGET_ARCH}"
248      maybe_run docker manifest annotate "gcr.io/etcd-development/etcd:${RELEASE_VERSION}" "gcr.io/etcd-development/etcd:${RELEASE_VERSION}-${TARGET_ARCH}" --arch "${TARGET_ARCH}"
249    done
250
251    log_callout "Pushing container manifest list to quay.io ${RELEASE_VERSION}"
252    maybe_run docker manifest push "quay.io/coreos/etcd:${RELEASE_VERSION}"
253
254    log_callout "Pushing container manifest list to gcr.io ${RELEASE_VERSION}"
255    maybe_run docker manifest push "gcr.io/etcd-development/etcd:${RELEASE_VERSION}"
256
257    log_callout "Setting permissions using gsutil..."
258    maybe_run gsutil -m acl ch -u allUsers:R -r gs://artifacts.etcd-development.appspot.com
259  fi
260
261  ### Release validation
262  mkdir -p downloads
263
264  # Check image versions
265  for IMAGE in "quay.io/coreos/etcd:${RELEASE_VERSION}" "gcr.io/etcd-development/etcd:${RELEASE_VERSION}"; do
266    local image_version=$(dry_run docker run --rm "${IMAGE}" etcd --version | grep "etcd Version" | awk -F: '{print $2}' | tr -d '[:space:]')
267    if [ "${image_version}" != "${VERSION}" ]; then
268      log_error "Check failed: etcd --version output for ${IMAGE} is incorrect: ${image_version}"
269      exit 1
270    fi
271  done
272
273  # Check gsutil binary versions
274  local BINARY_TGZ="etcd-${RELEASE_VERSION}-$(go env GOOS)-amd64.tar.gz"
275  gsutil cp "gs://etcd/${RELEASE_VERSION}/${BINARY_TGZ}" downloads
276  tar -zx -C downloads -f "downloads/${BINARY_TGZ}"
277  local binary_version=$("./downloads/etcd-${RELEASE_VERSION}-$(go env GOOS)-amd64/etcd" --version | grep "etcd Version" | awk -F: '{print $2}' | tr -d '[:space:]')
278  if [ "${binary_version}" != "${VERSION}" ]; then
279    log_error "Check failed: etcd --version output for ${BINARY_TGZ} from gs://etcd/${RELEASE_VERSION} is incorrect: ${binary_version}"
280    exit 1
281  fi
282
283  # TODO: signing process
284  log_warning ""
285  log_warning "WARNING: The release has not been signed and published to github. This must be done manually."
286  log_warning ""
287  log_success "Success."
288  exit 0
289}
290
291POSITIONAL=()
292NO_UPLOAD=0
293NO_DOCKER_PUSH=0
294
295while test $# -gt 0; do
296        case "$1" in
297          -h|--help)
298            shift
299            help
300            exit 0
301            ;;
302          --no-upload)
303            NO_UPLOAD=1
304            shift
305            ;;
306          --no-docker-push)
307            NO_DOCKER_PUSH=1
308            shift
309            ;;
310          *)
311            POSITIONAL+=("$1") # save it in an array for later
312            shift # past argument
313            ;;
314        esac
315done
316set -- "${POSITIONAL[@]}" # restore positional parameters
317
318if [[ ! $# -eq 1 ]]; then
319  help
320  exit 1
321fi
322
323main "$1"
324