From 08a8892895502dfe22c811ebfcb463911fa0b9dc Mon Sep 17 00:00:00 2001 From: Luke Swart Date: Tue, 10 Sep 2024 00:48:03 -0700 Subject: [PATCH 1/4] update RELEASE.md Signed-off-by: Luke Swart --- docs/RELEASE.md | 98 +++++++++---------------------------------------- 1 file changed, 18 insertions(+), 80 deletions(-) diff --git a/docs/RELEASE.md b/docs/RELEASE.md index 25ec26a36..3a77713a1 100644 --- a/docs/RELEASE.md +++ b/docs/RELEASE.md @@ -1,7 +1,5 @@ # AWS IAM Authenticator Release Process -NOTE: Your GitHub account must have the required permissions and you must have generated a GitHub token. - ## Choosing the release version and branch Using semantic versioning, pick a release number that makes sense by bumping the major, minor or patch release version. If its a major or minor release (backwards incompatible changes, and new features, respectively) then you will want to start this process with an alpha release first. Here are some examples: 
@@ -28,105 +26,45 @@ v1.6.2 -> v2.0.0-alpha.0 -> v2.0.0 ``` -You also might need to create a release branch, if it doesn't already exist, if this release requires backporting changes to an older major or minor version. For example, in the case that we are backporting a fix to the v0.5 release branch, and we have a v0.6 release branch (which we don't at the time of writing), then we would do the following: +You also might need to create a release branch, if it doesn't already exist, if this release requires backporting changes to an older major or minor version. For example, in the case that we are backporting a fix to the v0.5 release branch, and we have a v0.6 release branch, then we would do the following: 1. Create the release branch (named release-0.5) if it doesn't exist from the last v0.5.x tagged release (or check it out if it already exists). 2. Cherry-pick the necessary commits onto the release branch. 3. Follow the instructions below to create the release commit. 4. Create a pull request to merge your fork of the release branch into the upstream release branch (i.e. nckturner/aws-iam-authenticator/release-0.5 -> kubernetes-sigs/aws-iam-authenticator/release-0.5). -5. Follow the instructions below, except creating the tag on the release branch instead of master. -6. Run goreleaser from the release branch. +5. CI will handle the rest automatically. This includes: + - creating and pushing the git tag into the upstream release branch + - running Goreleaser on the release branch + - creating the GitHub release + - Populating the release with the changes + - building and uploading the binaries to the release ## Creating the release commit -### Updating the Makefile - -Bump the version number in the Makefile: - -``` -VERSION ?= v0.5.2 -``` - -This ensures the binary version is correct. - -### Updating the CHANGELOG - -We need to generate the CHANGELOG for the new release by running `./hack/changelog.py`. 
First check the correctness of the output using the `--print-only` flag. Pass the previous release tag, and the commit SHA of the most recent commit (the new tag will include the changelog, so it hasn't been created yet). The commands use a `--token` field. Generate it from [github personal access token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token). - -``` -./hack/changelog.py --token=$GITHUB_TOKEN --section-title="Release v0.5.2" --range=v0.5.1..90653708db3f6437a446bbeec15b5036db66a855 --print-only -``` - -After checking for correctness, pass the `--changelog-file` argument to add the new text. -``` -./hack/changelog.py --token=$GITHUB_TOKEN --section-title="Release v0.5.2" --range=v0.5.1..90653708db3f6437a446bbeec15b5036db66a855 --changelog-file=CHANGELOG.md -``` +Update the `version.txt` with your new semantic version. This must be a standalone commit which only updates the `version.txt` file. Also, bump the image version in `deploy/example.yaml` to the new version. -Push the changes to a branch on your fork, and create a PR against the kubernetes-sigs upstream repository. - - -## Tagging the release - -One the PR merges, pull the master branch locally and tag the release commit with the relase tag. -``` -git pull upstream master -git tag v0.5.2 -``` - -## Run goreleaser - -In order to run goreleaser to make the release, you'll need to authenticate to the release ECR registry, and then run goreleaser. - -``` -aws ecr get-login-password --region us-west-2 | docker login --username AWS --password-stdin 602401143452.dkr.ecr.us-west-2.amazonaws.com -goreleaser release --rm-dist -``` - -TODO: configure goreleaser to use `./hack/changelog.py` to format the release text. +Push (or cherry-pick) the changes to a branch on your fork, and create a PR against the kubernetes-sigs upstream repository. 
## Check the release on GitHub Look at the release that was just published and validate that the release has the appropriate assets. The assets should include the following: ``` -authenticator_0.5.2_checksums.txt -aws-iam-authenticator-0.5.2.tar.gz -aws-iam-authenticator-0.5.2.zip -aws-iam-authenticator_0.5.2_darwin_amd64 -aws-iam-authenticator_0.5.2_linux_amd64 -aws-iam-authenticator_0.5.2_windows_amd64.exe +authenticator_0.6.26_checksums.txt +aws-iam-authenticator_0.6.26_darwin_amd64 +aws-iam-authenticator_0.6.26_darwin_arm64 +aws-iam-authenticator_0.6.26_linux_amd64 +aws-iam-authenticator_0.6.26_linux_arm64 +aws-iam-authenticator_0.6.26_linux_ppc64le +aws-iam-authenticator_0.6.26_linux_s390x +aws-iam-authenticator_0.6.26_windows_amd64.exe Source code (zip) Source code (tar.gz) ``` -Check the ECR registry to make sure that the images were published. Finally, edit the release text to match previous releases, by copying the changelog text and adding the container image links. The format of the release text should be similar to the following: - -```` -## Changelog - -* Added partition flag ([#341](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/341), @micahhausler) -* Update link to Kops docs site ([#338](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/338), @rifelpet) -* Security Improvements on the example yaml ([#335](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/335), @pjbgf) -* Fix RBAC on example file: service account requires get to ConfigMap ([#334](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/334), @pjbgf) -* Add AccessKeyID as variable for username ([#337](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/337), @pjbgf) -* Added server side AWS account ID log redaction ([#327](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/327), @micahhausler) - -## Docker Images - -Note: You must log in with the registry ID and your role must have the necessary ECR privileges: -``` 
-$(aws ecr get-login --no-include-email --region us-west-2 --registry-ids 602401143452) -``` - -* `docker pull 602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon/aws-iam-authenticator:v0.5.2-debian-jessie` -* `docker pull 602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon/aws-iam-authenticator:v0.5.2-alpine-3.7` -* `docker pull 602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon/aws-iam-authenticator:v0.5.2-debian-stretch` -* `docker pull 602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon/aws-iam-authenticator:v0.5.2-amazonlinux-2` -* `docker pull 602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon/aws-iam-authenticator:v0.5.2-alpine-3.6` -* `docker pull 602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon/aws-iam-authenticator:v0.5.2-scratch` -```` +Check the ECR registry to make sure that the images were published. ## Post Release From 75bf91583031618e125239fe532ceebe3caaa24c Mon Sep 17 00:00:00 2001 From: Luke Swart Date: Tue, 10 Sep 2024 00:49:49 -0700 Subject: [PATCH 2/4] Bump deploy/example.yaml version Signed-off-by: Luke Swart --- deploy/example.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy/example.yaml b/deploy/example.yaml index b3ba62cff..210b1060e 100644 --- a/deploy/example.yaml +++ b/deploy/example.yaml @@ -227,7 +227,7 @@ spec: # - output (output kubeconfig to plug into your apiserver configuration, mounted from the host) containers: - name: aws-iam-authenticator - image: 602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon/aws-iam-authenticator:v0.5.3 + image: 602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon/aws-iam-authenticator:v0.6.26 args: - server # uncomment if using EKS-Style ConfigMap From 2056c0bd53a7e4596b9dbf7e5d11d3fd730e3704 Mon Sep 17 00:00:00 2001 From: Luke Swart Date: Tue, 10 Sep 2024 01:16:42 -0700 Subject: [PATCH 3/4] Remove outdated changelog artifacts Changelog process is now automated using GitHub releases. 
Signed-off-by: Luke Swart --- CHANGELOG.md | 92 ----------------------------------------------- hack/changelog.py | 68 ----------------------------------- 2 files changed, 160 deletions(-) delete mode 100644 CHANGELOG.md delete mode 100755 hack/changelog.py diff --git a/CHANGELOG.md b/CHANGELOG.md deleted file mode 100644 index 96217fe09..000000000 --- a/CHANGELOG.md +++ /dev/null 
@@ -1,92 +0,0 @@ -Release v0.5.6 -* Bump AWS SDK to v1.43.28 ([#445](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/445), @nckturner) -* Use the apiversion from KUBERNETES_EXEC_INFO ([#439](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/439), @jyotimahapatra) -* Bump promptui module to v0.9.0 ([#437](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/437), @abhay-krishna) - -Release v0.5.5 -* Use full package name for goreleaser version ([#433](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/433), @nckturner) -* add sts error metric ([#430](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/430), @jyotimahapatra) -* emit metric for EC2 describeInstance calls ([#428](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/428), @jyotimahapatra) -* Rename configmap_watch_failures to configmap_watch_failures_total ([#432](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/432), @nckturner) -* Simplify goreleaser Dockerfiles ([#431](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/431), @jyotimahapatra) -* Don't pass metrics around ([#423](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/423), @nckturner) - -Release v0.5.4 -* Embed go-runner into the image ([#426](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/426), @jyotimahapatra) -* Bump Go to 1.17 in Travis ([#414](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/414), @gliptak) -* Build multi-arch images ([#417](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/417), @glebiller) -* Add kind-based development environment ([#422](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/422), @nckturner) -* Add jaypipes to approvers/reviewers ([#407](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/407), @nckturner) -* Fix deps ([#396](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/396), @frioux) -* Fix panic when cache file can't be 
Stat-ed ([#410](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/410), @sarahhodne) -* Fix missing status definition in v1 CRD ([#411](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/411), @rifelpet) -* Use ./hack/install-etcd.sh ([#405](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/405), @nckturner) -* Run integration tests with per-test role ([#402](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/402), @nckturner) -* Add a counter for API server watch failures ([#400](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/400), @nckturner) -* Upgrade CRD manifest to v1 ([#397](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/397), @rifelpet) -* Move inactives to emeritus_approvers and add active users ([#399](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/399), @nckturner) -* Fix tests add vendor ([#398](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/398), @nckturner) -* Integration test framework ([#395](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/395), @nckturner) -* Add cloudbuild & improvements ([#394](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/394), @nckturner) -* Fix typo ([#390](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/390), @shyr) -* *: add user/role subcommands ([#381](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/381), @gyuho) -* goreleaser: bump release to 0.164.0 and fix config deprecations ([#371](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/371), @antoinedeschenes) -* Run go mod vendor ([#388](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/388), @nckturner) -* doc: fix typo in RELEASE.md ([#376](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/376), @stig) -* [pkg/token]: Update credential API version ([#386](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/386), @micahhausler) -* Enrich Audit Logs with additional 
AWS Identity details (via audit logs' "extra" map) ([#372](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/372), @adrianosela) - -Release v0.5.3 -* Bump Go to 1.15 in Travis ([#361](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/361), @gliptak) -* Update aws sdk go v1.37.1 ([#360](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/360), @gaffneyd4) -* (arn): validate partition against all partitions returned by the aws sdk ([#348](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/348), @cmdallas) -* Document AccessKeyId from UserInfo ([#332](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/332), @ryanmt) -* Support IPv6 listen address ([#352](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/352), @anguslees) -* Added user agent to AWS SDK ([#359](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/359), @micahhausler) -* Remove Chris Hein from OWNERS ([#351](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/351), @christopherhein) -* Add instructions for the release process ([#346](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/346), @nckturner) - -Release v0.5.2 -* Added partition flag ([#341](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/341), @micahhausler) -* Update link to Kops docs site ([#338](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/338), @rifelpet) -* Security Improvements on the example yaml ([#335](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/335), @pjbgf) -* Fix RBAC on example file: service account requires get to ConfigMap ([#334](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/334), @pjbgf) -* Add AccessKeyID as variable for username ([#337](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/337), @pjbgf) -* Added server side AWS account ID log redaction ([#327](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/327), @micahhausler) - -Release 
v0.5.1 -* Update examples/README ([#317](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/317), @otterley) -* Changelog gen ([#318](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/318), @nckturner) -* Fix CRD mapper blocking all others because caches never sync and revamp backend-mode flag ([#303](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/303), @wongma7) -* Update aws-sdk-go to version v1.30.0 ([#306](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/306), @nckturner) -* Bump k8s.io/ dependencies to 1.16.8 ([#305](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/305), @wongma7) -* chown aws-iam-authenticator to avoid permission denied ([#302](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/302), @wongma7) -* Indentation and unit test improvements ([#298](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/298), @bhagwat070919) -* Adding Rate limiting ec2:DescribeInstances API along with Batching for high TPS ([#292](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/292), @bhagwat070919) -* Restrict ClusterRole to readonly IAMIdentityMapping access ([#287](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/287), @rifelpet) -* added selector to spec and changed from extenstions to apps/v1 ([#291](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/291), @andarob) -* Add AWS AccessKeyID as an extra field in UserInfo ([#286](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/286), @pepov) -* Allow server port customization ([#278](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/278), @diversario) - -Release v0.5.0 -* Remove DNS-1123 validation of usernames and groups ([#260](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/260), @richardmarshall) -* switch to use regional sts endpoint & imdsV2 ([#283](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/283), @M00nF1sh) -* Add AWS Access Key ID 
to log ([#282](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/282), @otterley) -* Require to pass in interface instead of the concrete type ([#279](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/279), @Skarlso) -* Refactor to allow configurable backends (configmap, eks configmap, crd) ([#269](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/269), @wongma7) -* Update go version ([#255](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/255), @christopherhein) -* Adding session name parameter to TokenGenerator ([#272](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/272), @SaranBalaji90) -* Rename prometheus metrics to match new project name ([#249](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/249), @rifelpet) -* Remove inactive approvers, add wongma7 ([#266](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/266), @nckturner) -* Update aws-sdk-go to v1.23.11 ([#257](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/257), @bdwyertech) -* Added go module download check ([#259](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/259), @micahhausler) -* Updating goreleaser yaml to fix deprecated options ([#252](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/252), @hyperbolic2346) -* Remove deprecated language from README ([#244](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/244), @nckturner) -* Lowercase ARN inside doMapping and log about it ([#239](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/239), @wongma7) -* IAMIdentityMapping CRD Implementation ([#116](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/116), @christopherhein) -* Adding micahhausler as approver ([#237](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/237), @christopherhein) -* add support for passing externalID to assume role ([#228](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/228), 
@jeffmhastings) -* Update README.md ([#231](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/231), @MIJOTHY) -* Using sigs.k8s.io domain instead of github.com ([#223](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/223), @christopherhein) -* Refactored EC2 API calls to be testable ([#226](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/226), @micahhausler) -* Include aws request ID when logging errors ([#178](https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/178), @doublerainbo) diff --git a/hack/changelog.py b/hack/changelog.py deleted file mode 100755 index db99e74f2..000000000 --- a/hack/changelog.py +++ /dev/null 
@@ -1,68 +0,0 @@ -#!/usr/bin/env python3 - -import argparse -import re -from subprocess import Popen, PIPE -import sys -from github import Github - -# Generate a changelog from github commit history (pull request merges) - -class ChangelogGenerator: - def __init__(self, github_repo, token): - self._github = Github(token) - self._github_repo = self._github.get_repo(github_repo) - - def generate(self, pr_id): - pr = self._github_repo.get_pull(pr_id) - return f'{pr.title} ([#{pr_id}]({pr.html_url}), @{pr.user.login})' - -def git_log(range=''): - process = Popen(['git', 'log', range], stdout=PIPE, stderr=PIPE) - stdout, stderr = process.communicate() - if process.returncode != 0: - raise RuntimeError(f'git log returned {process.returncode} and failed with error: {stderr.decode("utf-8")}') - return stdout.decode("utf-8") - -if __name__ == '__main__': - parser = argparse.ArgumentParser(prog='changelog') - parser.add_argument('--token', help='Your github token.') - parser.add_argument('--changelog-file', default='CHANGELOG.md', help='The path to the changelog output file.') - parser.add_argument('--print-only', action='store_true', help='Only print the output.') - parser.add_argument('--range', help='The range of commit logs to inspect in the repository. You can (and should) use tags here. 
Example: v5..v10 (This argument is passed to git log, so read the git log documentation for clarification.') - parser.add_argument('--section-title', help='The title for the section in the changelog that is generated') - args = parser.parse_args() - - if args.section_title is None: - print('--section-title is required') - sys.exit(1) - if args.token is None: - print('--token is required') - sys.exit(1) - if args.range is None: - print('--range is required') - sys.exit(1) - if args.changelog_file is None and args.print_only is None: - print('Either --print-only or --changelog-file is required.') - sys.exit(1) - - logs = git_log(args.range) - - changelog = f'{args.section_title}\n' - g = ChangelogGenerator('kubernetes-sigs/aws-iam-authenticator', args.token) - for pr_match in re.finditer(r'Merge pull request #(\d+)|\(#([\d]{1,7})\)', logs): - groups = pr_match.groups() - if groups[0]: - pr_id = int(groups[0]) - elif groups[1]: - pr_id = int(groups[1]) - changelog += f'* {g.generate(pr_id)}\n' - - if args.print_only: - print(changelog) - sys.exit(0) - else: - with open(args.changelog_file, 'r+') as f: - existing = f.read() - f.write(changelog) - f.write(existing) From 7c29fd0a9df3653ca5371084425b7b9b46535ac6 Mon Sep 17 00:00:00 2001 From: Luke Swart Date: Tue, 10 Sep 2024 09:19:33 -0700 Subject: [PATCH 4/4] Update RELEASE.md Signed-off-by: Luke Swart --- docs/RELEASE.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/docs/RELEASE.md b/docs/RELEASE.md index 3a77713a1..5a900590e 100644 --- a/docs/RELEASE.md +++ b/docs/RELEASE.md @@ -64,8 +64,6 @@ Source code (zip) Source code (tar.gz) ``` -Check the ECR registry to make sure that the images were published. - ## Post Release In a new PR after the images are pushed to ECR, update the yaml in `deploy/example.yaml`:
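Review bot: In PATCH 1/4, the first hunk of docs/RELEASE.md drops the NOTE about GitHub permissions and a token without saying what the releaser needs now. Step 4 still asks for a pull request against the upstream release branch, and the new step 5 hands the tag push and the release upload to CI, so a one-line replacement stating which permissions the releaser still needs, and that CI rather than a personal token performs the tag push and upload, would keep the prerequisites explicit.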
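Review bot: In PATCH 1/4, the new text under "Creating the release commit" contradicts itself: it requires "a standalone commit which only updates the `version.txt` file" and in the next sentence asks to "bump the image version in `deploy/example.yaml`". Please say whether the example.yaml bump is a second commit in the same PR or a separate PR. The unchanged "Post Release" section (visible as context in PATCH 4/4) already tells the reader to update `deploy/example.yaml` in a new PR after the images are pushed to ECR, so the two instructions should agree. Step 5 should also state what triggers CI (is it the merge of the `version.txt` change?), and "Populating" should be lowercase to match the other sub-bullets.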
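Review bot: In PATCH 2/4, the `image:` line for the `aws-iam-authenticator` container moves from `v0.5.3` to `v0.6.26` with nothing else in the manifest changing. Please confirm that the `v0.6.26` tag is already published in that registry, since the Post Release text in docs/RELEASE.md says this file is updated after the images are pushed, and that the `server` args in this example are still valid across the minor-version jump.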
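Review bot: In PATCH 3/4, deleting CHANGELOG.md removes the only in-repository record of the v0.5.0 through v0.5.6 entries, while the commit message says the changelog is now produced through GitHub releases. Add a pointer to the releases page in docs/RELEASE.md or the README so that someone reading a source archive or a mirror can still find the history, and confirm that the older releases carry the same entries before the file goes away.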
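Review bot: In PATCH 3/4, the removal of hack/changelog.py should come with a check for leftover references, because this series only updates docs/RELEASE.md. Please confirm that no Makefile target, CI job or release configuration still invokes `./hack/changelog.py` or reads CHANGELOG.md, and if the `from github import Github` dependency was installed anywhere only for this script, drop it in the same commit.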
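Review bot: In PATCH 4/4, removing "Check the ECR registry to make sure that the images were published." leaves the document with no verification step for the images, yet the "Post Release" section directly below still begins "In a new PR after the images are pushed to ECR". Either keep the check or replace it with a sentence on how the releaser confirms that CI published the images before opening the example.yaml PR.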