build(ci): verify labels of Docker image

Updates the release process to generate the correct labels for the Docker image, and verify them, failing the release process (and not pushing the image) if they are wrong. Ideally, this would be done before the Maven release to avoid wasting time if the image would produce the wrong labels. Doing this is quite a bit of refactoring of the CI pipeline unfortunately, and producing the wrong labels is most likely an issue with the CI pipeline itself, which should not happen very often. Errors in the Dockerfile itself would be checked by the GHA pipeline, which should cover the important cases and runs on each pull.
camunda · Aug 9, 2022 · 51716bb · 51716bb
1 parent 83b9b0a
commit 51716bb
Show file tree

Hide file tree

Showing 5 changed files with 34 additions and 3 deletions.
diff --git a/.ci/jobs/docker_zeebe.dsl b/.ci/jobs/docker_zeebe.dsl
@@ -12,7 +12,10 @@ pipelineJob('zeebe-docker') {
     parameters {
         stringParam('BRANCH', 'main', 'Which branch to build and push?')
         stringParam('VERSION', '', 'Zeebe version to build the image for')
+        stringParam('REVISION', '', 'The Git commit used to build the image; can be omitted except for releases')
+        stringParam('DATE', '', 'The ISO-8601 date when the packaged artifact was built; can be omitted except for releases')
         booleanParam('IS_LATEST', false, 'Should the docker image be tagged as camunda/zeebe:latest?')
         booleanParam('PUSH', false, 'Should the docker image be pushed to docker hub?')
+        booleanParam('VERIFY', false', 'Should we verify the Docker image before pushing it?')
     }
 }
diff --git a/.ci/pipelines/docker_zeebe.groovy b/.ci/pipelines/docker_zeebe.groovy
@@ -66,6 +66,9 @@ spec:
         PUSH = "${params.PUSH}"
         IMAGE = "camunda/zeebe"
         TAG = docker_tag("${params.VERSION}")
+        REVISION = "${params.REVISION}"
+        DATE = "${param.DATE}"
+        VERIFY = "${param.VERIFY}"
     }
 
     stages {
@@ -79,6 +82,12 @@ spec:
                 container('maven') {
                     sh '.ci/scripts/docker/prepare.sh'
                 }
+
+                // extract to a script if we need to do more here; these are necessary for the
+                // verify script
+                container('docker') {
+                    sh 'apk add -q bash jq'
+                }
             }
         }
 
@@ -90,6 +99,15 @@ spec:
             }
         }
 
+        stage('Verify') {
+            when { environment name: 'VERIFY', value: 'true' }
+            steps {
+                container('docker') {
+                    sh "./docker/test/verify.sh '${env.IMAGE}:${env.TAG}'"
+                }
+            }
+        }
+
         stage('Upload') {
             when { environment name: 'PUSH', value: 'true' }
             steps {

diff --git a/.ci/pipelines/release_zeebe.groovy b/.ci/pipelines/release_zeebe.groovy
@@ -146,13 +146,15 @@ spec:
         }
 
         stage('Docker Image') {
-            when { expression { return params.PUSH_DOCKER } }
             steps {
                 build job: 'zeebe-docker', parameters: [
                         string(name: 'BRANCH', value: env.RELEASE_BRANCH),
                         string(name: 'VERSION', value: params.RELEASE_VERSION),
+                        string(name: 'REVISION', value: env.GIT_COMMIT),
+                        string(name: 'DATE', value: java.time.Instant.now().toString()),
                         booleanParam(name: 'IS_LATEST', value: params.IS_LATEST),
-                        booleanParam(name: 'PUSH', value: true)
+                        booleanParam(name: 'PUSH', value: params.PUSH_DOCKER),
+                        booleanParam(name: 'VERIFY', value: true)
                 ]
             }
         }

diff --git a/.ci/scripts/docker/build.sh b/.ci/scripts/docker/build.sh
@@ -1,4 +1,9 @@
 #!/bin/sh -eux
 
 echo "Building Zeebe Docker image ${IMAGE}:${TAG}"
-docker build --no-cache --build-arg DISTBALL=camunda-zeebe.tar.gz -t ${IMAGE}:${TAG} --target app .
+docker build --no-cache \
+  --build-arg DISTBALL=camunda-zeebe.tar.gz \
+  --build-arg DATE="${DATE}" \
+  --build-arg REVISION="${REVISION}" \
+  --build-arg VERSION="${VERSION}" \
+  -t "${IMAGE}:${TAG}" --target app .
diff --git a/Jenkinsfile b/Jenkinsfile
@@ -119,6 +119,9 @@ pipeline {
                 DOCKER_BUILDKIT = "1"
                 IMAGE = "camunda/zeebe"
                 TAG = 'current-test'
+                VERSION = readMavenPom(file: 'bom/pom.xml').getVersion()
+                REVISION = "${env.GIT_COMMIT}"
+                DATE = java.time.Instant.now().toString()
             }
 
             steps {