Gracefully handle use of intermediate registry in container upload role

For symmetry and ease of transition between the docker specific
jobs/roles and generic container jobs/roles it is advantageous to have
the container upload role skip pushing artifacts to the final registry
location if we are relying on the intermediate registry instead.

Update the container upload role to skip pushing to the actual registry
if the promote var is set to intermediate registry. This allows us to
avoid reshuffling all of our jobs as we migrate between the two
implementations.

Change-Id: I3cae9e03517cb0a5ce8e9369bf43fd052cac97ff
Clark Boylan 2023-05-09 08:45:55 -07:00
parent 839de7f899
commit 5994ce4049
3 changed files with 47 additions and 30 deletions

@ -58,13 +58,13 @@ Summary:
*Promotion via intermediate registry* *Promotion via intermediate registry*
Note that as of 2023-03, this path is not fully implemented. It is The :zuul:job:`build-container-image` runs in the `check` pipeline.
documented here for compeleteness. It will build images then upload them to an intermediate registry.
The :zuul:job:`build-container-image` runs in the `check` pipeline, The :zuul:job:`upload-container-image` job runs in the `gate`. With
but also in the `gate` pipeline. Usually in both cases the job builds this promotion method it will build and upload images to an intermediate
and uploads the images to an intermediate registry; but at least the registry. No images will be pushed to the upstream registry until
`gate` pipeline job must.. promotion occurs.
The :zuul:job:`promote-container-image` job is designed to be used in The :zuul:job:`promote-container-image` job is designed to be used in
a post-merge `promote` pipeline. It requires no nodes and run on the a post-merge `promote` pipeline. It requires no nodes and run on the
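
Review bot: the rewritten "Promotion via intermediate registry" paragraph says `upload-container-image` in `gate` pushes nothing to the upstream registry until promotion, but it never says that this depends on running the job with `promote_container_image_method: intermediate-registry`. With the documented default of `tag`, the same job uploads upstream before merge, so the paragraph should name the variable and the value the gate job needs. Minor wording: "runs in the `gate`." is missing the word "pipeline".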
@ -94,7 +94,7 @@ between upload and promote steps in this model.
Summary: Summary:
* :zuul:job:`build-container-image` in `check` * :zuul:job:`build-container-image` in `check`
* :zuul:job:`build-container-image` in `gate`. This must push to an * :zuul:job:`upload-container-image` in `gate`. This must push to an
intermediate registry. intermediate registry.
* :zuul:job:`promote-container-image` in `promote` with * :zuul:job:`promote-container-image` in `promote` with
``promote_container_method: intermediate-registry`` ``promote_container_method: intermediate-registry``
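
Review bot: the summary bullet for `upload-container-image` in `gate` does not list the setting the job needs, and the `promote` bullet under it spells the setting ``promote_container_method`` while the variable this change documents and tests is `promote_container_image_method`. Suggest adding ``promote_container_image_method: intermediate-registry`` under the `gate` bullet and checking which spelling the promote job actually reads, so that a copy of this summary does not leave the upload job on the default `tag` method.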

@ -45,6 +45,10 @@ registry. It can be used in one of two modes:
to by ``<tag>`` will now reflect the underlying code closing the to by ``<tag>`` will now reflect the underlying code closing the
out-of-sync window. out-of-sync window.
When running in this mode uploads are only made if
``promote_container_image_method`` is unset or set to ``tag``.
Otherwise we skip upload to the registry.
2. The second mode allows for use of this job in `release` and `tag` 2. The second mode allows for use of this job in `release` and `tag`
pipelines to directly upload a release build with the final set of pipelines to directly upload a release build with the final set of
tags. tags.
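
Review bot: "Otherwise we skip upload to the registry" in the paragraph added under mode 1 does not tell the reader that every value other than ``tag`` causes the skip, or where the image is expected to be when the upload is skipped. Suggest stating that with ``intermediate-registry`` the image stays in the intermediate registry and only reaches the upstream registry on promotion, and that the skip is silent, meaning the job still succeeds without pushing.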
@ -266,4 +270,12 @@ promote job assumes `skopeo` is available on the executor.
A dictionary of key value pairs to add to the container build environment. A dictionary of key value pairs to add to the container build environment.
This may be useful to enable buildkit with docker builds for example. This may be useful to enable buildkit with docker builds for example.
.. zuul:rolevar:: promote_container_image_method
:default: tag
A string value indicating whether or not we upload images to the upstream
registry pre merge then promote that upload via a retag (``tag``) or we
upload to a downstream registry and later fetch and promote that to the
upstream registry post merge (``intermediate-registry``).
.. _anchors: https://yaml.org/spec/1.2/spec.html#&%20anchor// .. _anchors: https://yaml.org/spec/1.2/spec.html#&%20anchor//
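
Review bot: the `promote_container_image_method` entry describes the second value as uploading to a "downstream registry", while the other docs touched by this change call it the intermediate registry; use one term so readers do not take them for two different registries. The entry should also say that the variable is only consulted when `upload_container_image_promote` is true (the task condition starts with `not upload_container_image_promote|default(true) or`), so uploads from `release` and `tag` pipelines are unaffected by it.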

@ -1,25 +1,30 @@
- name: Verify repository names - name: Control when we push to the upstream registry
when: | # We only want to push upstream if we are in a release / tag pipeline or
container_registry_credentials is defined # if we are using the tag promotion method.
and zj_image.registry not in container_registry_credentials block:
loop: "{{ container_images }}" - name: Verify repository names
loop_control: when: |
loop_var: zj_image container_registry_credentials is defined
fail: and zj_image.registry not in container_registry_credentials
msg: "{{ zj_image.registry }} credentials not found" loop: "{{ container_images }}"
loop_control:
loop_var: zj_image
fail:
msg: "{{ zj_image.registry }} credentials not found"
- name: Verify repository permission - name: Verify repository permission
when: | when: |
container_registry_credentials[zj_image.registry].repository is defined and container_registry_credentials[zj_image.registry].repository is defined and
not zj_image.repository | regex_search(container_registry_credentials[zj_image.registry].repository) not zj_image.repository | regex_search(container_registry_credentials[zj_image.registry].repository)
loop: "{{ container_images }}" loop: "{{ container_images }}"
loop_control: loop_control:
loop_var: zj_image loop_var: zj_image
fail: fail:
msg: "{{ zj_image.repository }} not permitted by {{ container_registry_credentials[zj_image.registry].repository }}" msg: "{{ zj_image.repository }} not permitted by {{ container_registry_credentials[zj_image.registry].repository }}"
- name: Upload image to container registry - name: Upload image to container registry
loop: "{{ container_images }}" loop: "{{ container_images }}"
loop_control: loop_control:
loop_var: zj_image loop_var: zj_image
include_tasks: push.yaml include_tasks: push.yaml
when: not upload_container_image_promote|default(true) or promote_container_image_method|default('tag') == 'tag'
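
Review bot: the `when` at the end of the new block gates the two "Verify repository ..." tasks as well as the push, so in `intermediate-registry` mode a missing entry in `container_registry_credentials` or a repository that does not match the `repository` regex is no longer caught by this role in `gate`. If that restriction is meant to be enforced before merge, keep the two verify tasks outside the block and gate only "Upload image to container registry"; otherwise confirm the promote path applies the same check. Separately, the condition compares against `'tag'` only, so a misspelled `promote_container_image_method` silently skips the upload; an assert that the value is `tag` or `intermediate-registry` would turn that into a failure. Style: placing `when` directly under the block's `name` makes the condition easier to spot than at the end of the block.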