Delete change tags from docker image repos

Whenever we promote an image, delete the change tag for that image
in Docker Hub, and also delete any change tags older than 24 hours
in order to keep the Docker Hub image registry tidy.

Change-Id: Id4654c893963bdb0a364b1132793fe4fb152bf27

docker/gitea/Dockerfile

@@ -112,4 +112,4 @@ EXPOSE 22
 VOLUME ["/data"]
 ENTRYPOINT ["/usr/bin/entrypoint"]
 CMD ["/usr/sbin/sshd", "-D"]
-# this comment is here to perform a test run of the job...
+# this comment is here to perform a test run of the job....

playbooks/zuul/build-image/promote-delete-tag.yaml

@@ -0,0 +1,20 @@
+- name: List tags
+  uri:
+    url: "https://hub.docker.com/v2/repositories/{{ image.repository }}/tags?page_size=1000"
+    status_code: 200
+  register: tags
+- name: Set cutoff timestamp to 24 hours ago
+  command: "python3 -c \"import datetime; print((datetime.datetime.utcnow()-datetime.timedelta(days=1)).strftime('%Y-%m-%dT%H:%M:%fZ'))\""
+  register: cutoff
+- name: Delete all change tags older than the cutoff
+  no_log: true
+  loop: "{{ tags.json.results }}"
+  loop_control:
+    loop_var: docker_tag
+  when: docker_tag.last_updated < cutoff.stdout and docker_tag.name.startswith('change_')
+  uri:
+    url: "https://hub.docker.com/v2/repositories/{{ image.repository }}/tags/{{ docker_tag.name }}/"
+    method: DELETE
+    status_code: 204
+    headers:
+      Authorization: "JWT {{ jwt_token.json.token }}"

playbooks/zuul/build-image/promote-retag.yaml

@@ -1,7 +1,7 @@
 - name: Get dockerhub token
   no_log: true
   uri:
-    url: "https://auth.docker.io/token?service=registry.docker.io&scope=repository:{{image.repository}}:pull,push"
+    url: "https://auth.docker.io/token?service=registry.docker.io&scope=repository:{{ image.repository }}:pull,push"
     user: "{{ credentials.username }}"
     password: "{{ credentials.password }}"
     force_basic_auth: true
@@ -9,7 +9,7 @@
 - name: Get manifest
   no_log: true
   uri:
-    url: "https://registry.hub.docker.com/v2/{{image.repository}}/manifests/change_{{zuul.change}}"
+    url: "https://registry.hub.docker.com/v2/{{ image.repository }}/manifests/change_{{ zuul.change }}"
     status_code: 200
     headers:
       Accept: "application/vnd.docker.distribution.manifestv2+json"
@@ -22,10 +22,18 @@
   loop_control:
     loop_var: new_tag
   uri:
-    url: "https://registry.hub.docker.com/v2/{{image.repository}}/manifests/{{ new_tag }}"
+    url: "https://registry.hub.docker.com/v2/{{ image.repository }}/manifests/{{ new_tag }}"
     method: PUT
     status_code: 201
     body: "{{ manifest.content | string }}"
     headers:
       Content-Type: "application/vnd.docker.distribution.manifestv2+json"
       Authorization: "Bearer {{ token.json.token }}"
+- name: Delete the current change tag
+  no_log: true
+  uri:
+    url: "https://hub.docker.com/v2/repositories/{{ image.repository }}/tags/change_{{ zuul.change }}/"
+    method: DELETE
+    status_code: 204
+    headers:
+      Authorization: "JWT {{ jwt_token.json.token }}"

playbooks/zuul/build-image/promote.yaml

@@ -1,10 +1,22 @@
 - hosts: localhost
   tasks:
-    - name: Promote dockerhub image
-      when: credentials is defined
-      block:
-        - name: Promote image
-          loop: "{{ images }}"
-          loop_control:
-            loop_var: image
-          include_tasks: promote-retag.yaml
+    # This is used by the delete tasks
+    - name: Get dockerhub JWT token
+      no_log: true
+      uri:
+        url: "https://hub.docker.com/v2/users/login/"
+        body_format: json
+        body:
+          username: "{{ credentials.username }}"
+          password: "{{ credentials.password }}"
+      register: jwt_token
+    - name: Promote image
+      loop: "{{ images }}"
+      loop_control:
+        loop_var: image
+      include_tasks: promote-retag.yaml
+    - name: Delete obsolete tags
+      loop: "{{ images }}"
+      loop_control:
+        loop_var: image
+      include_tasks: promote-delete-tag.yaml