Switch CI, image building, image pushing to Taskgraph (#161)

* Switch CI, image building, image pushing to Taskgraph

This lets us easily use Kaniko to build

* Remove remnants of pre-taskgraph docker build/push

* Update README with basic deployment instructions

README.rst

@@ -7,3 +7,8 @@ Autoscale scriptworkers in Kubernetes
 * Free software: MPL2
 * Documentation: https://scriptworker-scripts.readthedocs.io/en/latest/scriptworkers-autoscaling.html
 
+==========
+Deployment
+==========
+
+Push to `dev` to deploy to dev, and `production` to deploy to production.

taskcluster/config.yml

@@ -0,0 +1,22 @@
+---
+trust-domain: "releng"
+task-priority: low
+
+taskgraph:
+  cached-task-prefix: "releng.v2.k8s-autoscale"
+  repositories:
+    k8s_autoscale:
+      name: "k8s-autoscale"
+
+workers:
+  aliases:
+    test:
+      provisioner: '{trust-domain}-t'
+      implementation: docker-worker
+      os: linux
+      worker-type: linux-gcp
+    images:
+      provisioner: '{trust-domain}-{level}'
+      implementation: docker-worker
+      os: linux
+      worker-type: 'linux-gcp'

taskcluster/docker/k8s_autoscale/Dockerfile

@@ -0,0 +1,44 @@
+ARG PYTHON_VERSION
+FROM python:$PYTHON_VERSION
+
+RUN groupadd --gid 10001 app && \
+    useradd -g app --uid 10001 --shell /usr/sbin/nologin --create-home --home-dir /app app
+
+COPY . /app
+
+WORKDIR /app
+
+# %include version.txt
+COPY topsrcdir/version.txt /app/version.txt
+
+# %include docker.d
+COPY topsrcdir/docker.d/healthcheck /bin/healthcheck
+COPY topsrcdir/docker.d/init.sh /app/bin/init.sh
+
+# %include configs
+# %include requirements
+# %include MANIFEST.in
+# %include README.rst
+# %include pyproject.toml
+# %include setup.py
+# %include src
+COPY topsrcdir/configs/ /app/configs/
+COPY topsrcdir/requirements/ /app/requirements/
+COPY topsrcdir/MANIFEST.in /app/
+COPY topsrcdir/README.rst /app/
+COPY topsrcdir/pyproject.toml /app/
+COPY topsrcdir/setup.py /app/
+COPY topsrcdir/src/ /app/src/
+RUN python -m venv /app
+RUN ./bin/pip install -r /app/requirements/base.txt
+RUN ./bin/pip install -e .
+
+RUN chown -R app:app /app
+
+# %include-run-task
+
+VOLUME /builds/worker/checkouts
+VOLUME /builds/worker/.cache
+
+USER app
+CMD ["/app/bin/init.sh"]

taskcluster/docker/skopeo/Dockerfile

@@ -0,0 +1,60 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+FROM golang:1.14 as skopeo
+
+WORKDIR /go/src/
+RUN ["/usr/bin/git", "clone", "--no-checkout", "--depth=1", "--branch=v1.1.0", "https://github.com/containers/skopeo", "."]
+RUN ["/usr/bin/git", "checkout", "63085f5bef1131aa9ec0907a5c8d66b67de7c4b2"]
+ENV GO111MODULE=on CGO_ENABLED=0
+RUN ["/usr/local/go/bin/go", "build", \
+    "-mod=vendor", "-o", "out/skopeo", \
+    "-tags", "exclude_graphdriver_devicemapper exclude_graphdriver_btrfs containers_image_openpgp", \
+    "-ldflags", "-extldflags \"-static\" -w -s", \
+    "./cmd/skopeo"]
+
+
+FROM golang:1.14 as umoci
+
+WORKDIR /go/src/
+RUN ["/usr/bin/git", "clone", "--no-checkout", "--depth=1", "--branch=v0.4.6", "https://github.com/opencontainers/umoci", "."]
+RUN ["/usr/bin/git", "checkout", "5efa06acfb3bb4e65d2711cf5255970948e047cf"]
+ENV GO111MODULE=on CGO_ENABLED=0
+RUN ["/usr/local/go/bin/go", "build", \
+    "-mod=vendor", "-o", "out/umoci", \
+    "-ldflags", "-extldflags \"-static\" -w -s", \
+    "./cmd/umoci"]
+
+
+FROM debian:buster
+
+# %include-run-task
+
+ENV DEBIAN_FRONTEND=noninteractive
+RUN apt-get update -qq \
+    && apt-get dist-upgrade -y \
+    && apt-get install -y jq zstd python3-minimal curl \
+    && apt-get clean
+
+COPY push_image.sh /usr/local/bin/
+COPY policy.json /etc/containers/policy.json
+RUN chmod a+x /usr/local/bin/push_image.sh
+COPY --from=skopeo /go/src/out/skopeo /usr/local/bin/
+COPY --from=umoci /go/src/out/umoci /usr/local/bin/
+
+# Add worker user
+RUN mkdir /builds && \
+    groupadd -g 1000 -o worker && \
+    useradd -d /builds/worker -s /bin/bash -m worker -g 1000 -o -u 1000 && \
+    mkdir /builds/worker/artifacts && \
+    chown worker:worker /builds/worker/artifacts
+
+USER worker
+ENV SHELL=/bin/bash \
+    HOME=/builds/worker \
+    USER=worker
+
+WORKDIR /builds/worker
+# Set a default command useful for debugging
+CMD ["/bin/bash", "--login"]

taskcluster/docker/skopeo/policy.json

@@ -0,0 +1,14 @@
+{
+    "default": [{"type": "reject"}],
+    "transports": {
+        "oci": {
+            "": [{"type": "insecureAcceptAnything"}]
+        },
+        "docker-archive": {
+            "": [{"type": "insecureAcceptAnything"}]
+        },
+        "dir": {
+            "": [{"type": "insecureAcceptAnything"}]
+        }
+    }
+}

taskcluster/docker/skopeo/push_image.sh

@@ -0,0 +1,47 @@
+#!/bin/sh
+set -e
+
+export
+test $DOCKER_REPO
+test $MOZ_FETCHES_DIR
+test $SECRET_URL
+test $TASKCLUSTER_ROOT_URL
+test $TASK_ID
+test $VCS_HEAD_REPOSITORY
+test $VCS_HEAD_REV
+test $DRYRUN
+
+cd $MOZ_FETCHES_DIR
+unzstd image.tar.zst
+
+echo "=== Inserting version.json into image ==="
+# Create an OCI copy of image in order umoci can patch it
+skopeo copy docker-archive:image.tar oci:k8s_autoscale:final
+
+cat > version.json <<EOF
+{
+    "commit": "${VCS_HEAD_REV}",
+    "version": "${APP_VERSION}",
+    "source": "${VCS_HEAD_REPOSITORY}",
+    "build": "${TASKCLUSTER_ROOT_URL}/tasks/${TASK_ID}"
+}
+EOF
+
+umoci insert --image k8s_autoscale:final version.json /app/version.json
+
+if [ $DRYRUN = 1 ];
+then
+    echo "Skipping push because DRYRUN is 1"
+else
+    echo "=== Generating dockercfg ==="
+    install -m 600 /dev/null $HOME/.dockercfg
+    curl $SECRET_URL | jq '.secret.dockercfg' > $HOME/.dockercfg
+
+    echo "=== Pushing to docker hub ==="
+    DOCKER_TAG="${DOCKER_TAG}-$(cat ./version.txt)-$(date +%Y%m%d%H%M%S)-${GIT_HEAD_REV}"
+    skopeo copy oci:k8s_autoscale:final docker://$DOCKER_REPO:$DOCKER_TAG
+    skopeo inspect docker://$DOCKER_REPO:$DOCKER_TAG
+fi
+
+echo "=== Clean up ==="
+rm -rf $HOME/.docker

taskcluster/docker/test/Dockerfile

@@ -0,0 +1,23 @@
+ARG PYTHON_VERSION
+FROM python:$PYTHON_VERSION
+
+# Add worker user
+RUN mkdir /builds && \
+    groupadd -g 1000 -o worker && \
+    useradd -d /builds/worker -s /bin/bash -m worker -g 1000 -o -u 1000 && \
+    mkdir /builds/worker/artifacts && \
+    chown worker:worker /builds/worker/artifacts
+
+RUN pip install tox
+
+# %include-run-task
+
+ENV SHELL=/bin/bash \
+    HOME=/builds/worker \
+    PATH=/builds/worker/.local/bin:$PATH
+
+VOLUME /builds/worker/checkouts
+VOLUME /builds/worker/.cache
+
+# Set a default command useful for debugging
+CMD ["/bin/bash", "--login"]

taskcluster/k8s_autoscale_taskgraph/transforms/by_tasks_for.py

@@ -0,0 +1,18 @@
+from taskgraph.transforms.base import TransformSequence
+from taskgraph.util.schema import resolve_keyed_by
+
+transforms = TransformSequence()
+
+
+@transforms.add
+def evaluate_keyed_by(config, jobs):
+    for job in jobs:
+        for item in ("worker.env.DRYRUN", "worker.env.DOCKER_TAG", "scopes"):
+            resolve_keyed_by(
+                job,
+                item,
+                item_name=job["description"],
+                **{"tasks-for": config.params["tasks_for"]},
+            )
+
+        yield job

taskcluster/kinds/docker-image/kind.yml

@@ -0,0 +1,18 @@
+---
+loader: taskgraph.loader.transform:loader
+
+transforms:
+    - taskgraph.transforms.docker_image:transforms
+    - taskgraph.transforms.cached_tasks:transforms
+    - taskgraph.transforms.task:transforms
+
+task-defaults:
+    args:
+        PYTHON_VERSION: "3.11.3"
+
+tasks:
+    k8s_autoscale: {}
+
+    skopeo: {}
+
+    test: {}