[v14] Fixed issue where prerelease container image tags can overwrite…

… production container image tags (#32701)

.drone.yml

@@ -8787,9 +8787,17 @@ steps:
     > /dev/null 2>&1 && echo 'Found existing image, skipping' || (docker tag drone-docker-registry:5000/teleport:$(cat
     "/go/var/full-version")-amd64 public.ecr.aws/gravitational/teleport:$(cat "/go/var/full-version")-amd64
     && docker push public.ecr.aws/gravitational/teleport:$(cat "/go/var/full-version")-amd64)
+  - printf "Prerelease "; ! [ -f /go/vars/release-is-prerelease ] && printf "not ";
+    printf "detected for version $DRONE_TAG, "; [ -f /go/vars/release-is-prerelease
+    ] && echo "skipping" || echo "continuing"
+  - '[ -f /go/vars/release-is-prerelease ] && exit 0'
   - docker tag drone-docker-registry:5000/teleport:$(cat "/go/var/full-version")-amd64
     public.ecr.aws/gravitational/teleport:$(cat "/go/var/major-version")-amd64
   - docker push public.ecr.aws/gravitational/teleport:$(cat "/go/var/major-version")-amd64
+  - printf "Prerelease "; ! [ -f /go/vars/release-is-prerelease ] && printf "not ";
+    printf "detected for version $DRONE_TAG, "; [ -f /go/vars/release-is-prerelease
+    ] && echo "skipping" || echo "continuing"
+  - '[ -f /go/vars/release-is-prerelease ] && exit 0'
   - docker tag drone-docker-registry:5000/teleport:$(cat "/go/var/full-version")-amd64
     public.ecr.aws/gravitational/teleport:$(cat "/go/var/minor-version")-amd64
   - docker push public.ecr.aws/gravitational/teleport:$(cat "/go/var/minor-version")-amd64
@@ -8819,9 +8827,17 @@ steps:
     > /dev/null 2>&1 && echo 'Found existing image, skipping' || (docker tag drone-docker-registry:5000/teleport:$(cat
     "/go/var/full-version")-arm public.ecr.aws/gravitational/teleport:$(cat "/go/var/full-version")-arm
     && docker push public.ecr.aws/gravitational/teleport:$(cat "/go/var/full-version")-arm)
+  - printf "Prerelease "; ! [ -f /go/vars/release-is-prerelease ] && printf "not ";
+    printf "detected for version $DRONE_TAG, "; [ -f /go/vars/release-is-prerelease
+    ] && echo "skipping" || echo "continuing"
+  - '[ -f /go/vars/release-is-prerelease ] && exit 0'
   - docker tag drone-docker-registry:5000/teleport:$(cat "/go/var/full-version")-arm
     public.ecr.aws/gravitational/teleport:$(cat "/go/var/major-version")-arm
   - docker push public.ecr.aws/gravitational/teleport:$(cat "/go/var/major-version")-arm
+  - printf "Prerelease "; ! [ -f /go/vars/release-is-prerelease ] && printf "not ";
+    printf "detected for version $DRONE_TAG, "; [ -f /go/vars/release-is-prerelease
+    ] && echo "skipping" || echo "continuing"
+  - '[ -f /go/vars/release-is-prerelease ] && exit 0'
   - docker tag drone-docker-registry:5000/teleport:$(cat "/go/var/full-version")-arm
     public.ecr.aws/gravitational/teleport:$(cat "/go/var/minor-version")-arm
   - docker push public.ecr.aws/gravitational/teleport:$(cat "/go/var/minor-version")-arm
@@ -8852,9 +8868,17 @@ steps:
     > /dev/null 2>&1 && echo 'Found existing image, skipping' || (docker tag drone-docker-registry:5000/teleport:$(cat
     "/go/var/full-version")-arm64 public.ecr.aws/gravitational/teleport:$(cat "/go/var/full-version")-arm64
     && docker push public.ecr.aws/gravitational/teleport:$(cat "/go/var/full-version")-arm64)
+  - printf "Prerelease "; ! [ -f /go/vars/release-is-prerelease ] && printf "not ";
+    printf "detected for version $DRONE_TAG, "; [ -f /go/vars/release-is-prerelease
+    ] && echo "skipping" || echo "continuing"
+  - '[ -f /go/vars/release-is-prerelease ] && exit 0'
   - docker tag drone-docker-registry:5000/teleport:$(cat "/go/var/full-version")-arm64
     public.ecr.aws/gravitational/teleport:$(cat "/go/var/major-version")-arm64
   - docker push public.ecr.aws/gravitational/teleport:$(cat "/go/var/major-version")-arm64
+  - printf "Prerelease "; ! [ -f /go/vars/release-is-prerelease ] && printf "not ";
+    printf "detected for version $DRONE_TAG, "; [ -f /go/vars/release-is-prerelease
+    ] && echo "skipping" || echo "continuing"
+  - '[ -f /go/vars/release-is-prerelease ] && exit 0'
   - docker tag drone-docker-registry:5000/teleport:$(cat "/go/var/full-version")-arm64
     public.ecr.aws/gravitational/teleport:$(cat "/go/var/minor-version")-arm64
   - docker push public.ecr.aws/gravitational/teleport:$(cat "/go/var/minor-version")-arm64
@@ -9079,9 +9103,17 @@ steps:
     "/go/var/full-version")-amd64 public.ecr.aws/gravitational/teleport-ent:$(cat
     "/go/var/full-version")-amd64 && docker push public.ecr.aws/gravitational/teleport-ent:$(cat
     "/go/var/full-version")-amd64)
+  - printf "Prerelease "; ! [ -f /go/vars/release-is-prerelease ] && printf "not ";
+    printf "detected for version $DRONE_TAG, "; [ -f /go/vars/release-is-prerelease
+    ] && echo "skipping" || echo "continuing"
+  - '[ -f /go/vars/release-is-prerelease ] && exit 0'
   - docker tag drone-docker-registry:5000/teleport-ent:$(cat "/go/var/full-version")-amd64
     public.ecr.aws/gravitational/teleport-ent:$(cat "/go/var/major-version")-amd64
   - docker push public.ecr.aws/gravitational/teleport-ent:$(cat "/go/var/major-version")-amd64
+  - printf "Prerelease "; ! [ -f /go/vars/release-is-prerelease ] && printf "not ";
+    printf "detected for version $DRONE_TAG, "; [ -f /go/vars/release-is-prerelease
+    ] && echo "skipping" || echo "continuing"
+  - '[ -f /go/vars/release-is-prerelease ] && exit 0'
   - docker tag drone-docker-registry:5000/teleport-ent:$(cat "/go/var/full-version")-amd64
     public.ecr.aws/gravitational/teleport-ent:$(cat "/go/var/minor-version")-amd64
   - docker push public.ecr.aws/gravitational/teleport-ent:$(cat "/go/var/minor-version")-amd64
@@ -9112,9 +9144,17 @@ steps:
     > /dev/null 2>&1 && echo 'Found existing image, skipping' || (docker tag drone-docker-registry:5000/teleport-ent:$(cat
     "/go/var/full-version")-arm public.ecr.aws/gravitational/teleport-ent:$(cat "/go/var/full-version")-arm
     && docker push public.ecr.aws/gravitational/teleport-ent:$(cat "/go/var/full-version")-arm)
+  - printf "Prerelease "; ! [ -f /go/vars/release-is-prerelease ] && printf "not ";
+    printf "detected for version $DRONE_TAG, "; [ -f /go/vars/release-is-prerelease
+    ] && echo "skipping" || echo "continuing"
+  - '[ -f /go/vars/release-is-prerelease ] && exit 0'
   - docker tag drone-docker-registry:5000/teleport-ent:$(cat "/go/var/full-version")-arm
     public.ecr.aws/gravitational/teleport-ent:$(cat "/go/var/major-version")-arm
   - docker push public.ecr.aws/gravitational/teleport-ent:$(cat "/go/var/major-version")-arm
+  - printf "Prerelease "; ! [ -f /go/vars/release-is-prerelease ] && printf "not ";
+    printf "detected for version $DRONE_TAG, "; [ -f /go/vars/release-is-prerelease
+    ] && echo "skipping" || echo "continuing"
+  - '[ -f /go/vars/release-is-prerelease ] && exit 0'
   - docker tag drone-docker-registry:5000/teleport-ent:$(cat "/go/var/full-version")-arm
     public.ecr.aws/gravitational/teleport-ent:$(cat "/go/var/minor-version")-arm
   - docker push public.ecr.aws/gravitational/teleport-ent:$(cat "/go/var/minor-version")-arm
@@ -9146,9 +9186,17 @@ steps:
     "/go/var/full-version")-arm64 public.ecr.aws/gravitational/teleport-ent:$(cat
     "/go/var/full-version")-arm64 && docker push public.ecr.aws/gravitational/teleport-ent:$(cat
     "/go/var/full-version")-arm64)
+  - printf "Prerelease "; ! [ -f /go/vars/release-is-prerelease ] && printf "not ";
+    printf "detected for version $DRONE_TAG, "; [ -f /go/vars/release-is-prerelease
+    ] && echo "skipping" || echo "continuing"
+  - '[ -f /go/vars/release-is-prerelease ] && exit 0'
   - docker tag drone-docker-registry:5000/teleport-ent:$(cat "/go/var/full-version")-arm64
     public.ecr.aws/gravitational/teleport-ent:$(cat "/go/var/major-version")-arm64
   - docker push public.ecr.aws/gravitational/teleport-ent:$(cat "/go/var/major-version")-arm64
+  - printf "Prerelease "; ! [ -f /go/vars/release-is-prerelease ] && printf "not ";
+    printf "detected for version $DRONE_TAG, "; [ -f /go/vars/release-is-prerelease
+    ] && echo "skipping" || echo "continuing"
+  - '[ -f /go/vars/release-is-prerelease ] && exit 0'
   - docker tag drone-docker-registry:5000/teleport-ent:$(cat "/go/var/full-version")-arm64
     public.ecr.aws/gravitational/teleport-ent:$(cat "/go/var/minor-version")-arm64
   - docker push public.ecr.aws/gravitational/teleport-ent:$(cat "/go/var/minor-version")-arm64
@@ -9308,9 +9356,17 @@ steps:
     "/go/var/full-version")-fips-amd64 public.ecr.aws/gravitational/teleport-ent:$(cat
     "/go/var/full-version")-fips-amd64 && docker push public.ecr.aws/gravitational/teleport-ent:$(cat
     "/go/var/full-version")-fips-amd64)
+  - printf "Prerelease "; ! [ -f /go/vars/release-is-prerelease ] && printf "not ";
+    printf "detected for version $DRONE_TAG, "; [ -f /go/vars/release-is-prerelease
+    ] && echo "skipping" || echo "continuing"
+  - '[ -f /go/vars/release-is-prerelease ] && exit 0'
   - docker tag drone-docker-registry:5000/teleport-ent:$(cat "/go/var/full-version")-fips-amd64
     public.ecr.aws/gravitational/teleport-ent:$(cat "/go/var/major-version")-fips-amd64
   - docker push public.ecr.aws/gravitational/teleport-ent:$(cat "/go/var/major-version")-fips-amd64
+  - printf "Prerelease "; ! [ -f /go/vars/release-is-prerelease ] && printf "not ";
+    printf "detected for version $DRONE_TAG, "; [ -f /go/vars/release-is-prerelease
+    ] && echo "skipping" || echo "continuing"
+  - '[ -f /go/vars/release-is-prerelease ] && exit 0'
   - docker tag drone-docker-registry:5000/teleport-ent:$(cat "/go/var/full-version")-fips-amd64
     public.ecr.aws/gravitational/teleport-ent:$(cat "/go/var/minor-version")-fips-amd64
   - docker push public.ecr.aws/gravitational/teleport-ent:$(cat "/go/var/minor-version")-fips-amd64
@@ -9526,9 +9582,17 @@ steps:
     "/go/var/full-version")-amd64 public.ecr.aws/gravitational/teleport-operator:$(cat
     "/go/var/full-version")-amd64 && docker push public.ecr.aws/gravitational/teleport-operator:$(cat
     "/go/var/full-version")-amd64)
+  - printf "Prerelease "; ! [ -f /go/vars/release-is-prerelease ] && printf "not ";
+    printf "detected for version $DRONE_TAG, "; [ -f /go/vars/release-is-prerelease
+    ] && echo "skipping" || echo "continuing"
+  - '[ -f /go/vars/release-is-prerelease ] && exit 0'
   - docker tag drone-docker-registry:5000/teleport-operator:$(cat "/go/var/full-version")-amd64
     public.ecr.aws/gravitational/teleport-operator:$(cat "/go/var/major-version")-amd64
   - docker push public.ecr.aws/gravitational/teleport-operator:$(cat "/go/var/major-version")-amd64
+  - printf "Prerelease "; ! [ -f /go/vars/release-is-prerelease ] && printf "not ";
+    printf "detected for version $DRONE_TAG, "; [ -f /go/vars/release-is-prerelease
+    ] && echo "skipping" || echo "continuing"
+  - '[ -f /go/vars/release-is-prerelease ] && exit 0'
   - docker tag drone-docker-registry:5000/teleport-operator:$(cat "/go/var/full-version")-amd64
     public.ecr.aws/gravitational/teleport-operator:$(cat "/go/var/minor-version")-amd64
   - docker push public.ecr.aws/gravitational/teleport-operator:$(cat "/go/var/minor-version")-amd64
@@ -9560,9 +9624,17 @@ steps:
     "/go/var/full-version")-arm public.ecr.aws/gravitational/teleport-operator:$(cat
     "/go/var/full-version")-arm && docker push public.ecr.aws/gravitational/teleport-operator:$(cat
     "/go/var/full-version")-arm)
+  - printf "Prerelease "; ! [ -f /go/vars/release-is-prerelease ] && printf "not ";
+    printf "detected for version $DRONE_TAG, "; [ -f /go/vars/release-is-prerelease
+    ] && echo "skipping" || echo "continuing"
+  - '[ -f /go/vars/release-is-prerelease ] && exit 0'
   - docker tag drone-docker-registry:5000/teleport-operator:$(cat "/go/var/full-version")-arm
     public.ecr.aws/gravitational/teleport-operator:$(cat "/go/var/major-version")-arm
   - docker push public.ecr.aws/gravitational/teleport-operator:$(cat "/go/var/major-version")-arm
+  - printf "Prerelease "; ! [ -f /go/vars/release-is-prerelease ] && printf "not ";
+    printf "detected for version $DRONE_TAG, "; [ -f /go/vars/release-is-prerelease
+    ] && echo "skipping" || echo "continuing"
+  - '[ -f /go/vars/release-is-prerelease ] && exit 0'
   - docker tag drone-docker-registry:5000/teleport-operator:$(cat "/go/var/full-version")-arm
     public.ecr.aws/gravitational/teleport-operator:$(cat "/go/var/minor-version")-arm
   - docker push public.ecr.aws/gravitational/teleport-operator:$(cat "/go/var/minor-version")-arm
@@ -9594,9 +9666,17 @@ steps:
     "/go/var/full-version")-arm64 public.ecr.aws/gravitational/teleport-operator:$(cat
     "/go/var/full-version")-arm64 && docker push public.ecr.aws/gravitational/teleport-operator:$(cat
     "/go/var/full-version")-arm64)
+  - printf "Prerelease "; ! [ -f /go/vars/release-is-prerelease ] && printf "not ";
+    printf "detected for version $DRONE_TAG, "; [ -f /go/vars/release-is-prerelease
+    ] && echo "skipping" || echo "continuing"
+  - '[ -f /go/vars/release-is-prerelease ] && exit 0'
   - docker tag drone-docker-registry:5000/teleport-operator:$(cat "/go/var/full-version")-arm64
     public.ecr.aws/gravitational/teleport-operator:$(cat "/go/var/major-version")-arm64
   - docker push public.ecr.aws/gravitational/teleport-operator:$(cat "/go/var/major-version")-arm64
+  - printf "Prerelease "; ! [ -f /go/vars/release-is-prerelease ] && printf "not ";
+    printf "detected for version $DRONE_TAG, "; [ -f /go/vars/release-is-prerelease
+    ] && echo "skipping" || echo "continuing"
+  - '[ -f /go/vars/release-is-prerelease ] && exit 0'
   - docker tag drone-docker-registry:5000/teleport-operator:$(cat "/go/var/full-version")-arm64
     public.ecr.aws/gravitational/teleport-operator:$(cat "/go/var/minor-version")-arm64
   - docker push public.ecr.aws/gravitational/teleport-operator:$(cat "/go/var/minor-version")-arm64
@@ -17123,6 +17203,6 @@ image_pull_secrets:
 - DOCKERHUB_CREDENTIALS
 ---
 kind: signature
-hmac: 48b9cddbd35cde1ea0e0616c9918449dece4c3bb3cb336adb4c25ca1eb5a2bf7
+hmac: d4059c3f766f09ab4158f12060f85869f4ab978feb8e4f3c67e74acaba6bec05
 
 ...

dronegen/container_images_repos.go

@@ -262,10 +262,17 @@ func (cr *ContainerRepo) tagAndPushStep(buildStepDetails *buildStepOutput, image
 		archImage := archImageMap[archImageKey]
 
 		// Skip pushing images if the tag or container registry is immutable
-		tagAndPushCommands = append(tagAndPushCommands, buildImmutableSafeCommands(archImageKey.IsImmutable || cr.IsImmutable, archImage.GetShellName(), []string{
+		archImageCommands := buildImmutableSafeCommands(archImageKey.IsImmutable || cr.IsImmutable, archImage.GetShellName(), []string{
 			fmt.Sprintf("docker tag %s %s", buildStepDetails.BuiltImage.GetShellName(), archImage.GetShellName()),
 			fmt.Sprintf("docker push %s", archImage.GetShellName()),
-		})...)
+		})
+
+		// Only create and push images for major and minor versions if the release version is not a prerelease
+		if !archImageKey.IsForFullSemver {
+			archImageCommands = buildPrereleaseExclusionaryCommands(buildStepDetails.Version, archImageCommands)
+		}
+
+		tagAndPushCommands = append(tagAndPushCommands, archImageCommands...)
 	}
 	tagAndPushCommands = cr.buildCommandsWithLogin(tagAndPushCommands)