Gracefully handle use of intermediate registry in container upload role
For symmetry and ease of transition between the docker specific jobs/roles and generic container jobs/roles it is advantageous to have the container upload role skip pushing artifacts to the final registry location if we are relying on the intermediate registry instead. Update the container upload role to skip pushing to the actual registry if the promote var is set to intermediate registry. This allows us to avoid reshuffling all of our jobs as we migrate between the two implementations. Change-Id: I3cae9e03517cb0a5ce8e9369bf43fd052cac97ff
This commit is contained in:
parent
839de7f899
commit
5994ce4049
@ -58,13 +58,13 @@ Summary:
|
|||||||
|
|
||||||
*Promotion via intermediate registry*
|
*Promotion via intermediate registry*
|
||||||
|
|
||||||
Note that as of 2023-03, this path is not fully implemented. It is
|
The :zuul:job:`build-container-image` runs in the `check` pipeline.
|
||||||
documented here for compeleteness.
|
It will build images then upload them to an intermediate registry.
|
||||||
|
|
||||||
The :zuul:job:`build-container-image` runs in the `check` pipeline,
|
The :zuul:job:`upload-container-image` job runs in the `gate`. With
|
||||||
but also in the `gate` pipeline. Usually in both cases the job builds
|
this promotion method it will build and upload images to an intermediate
|
||||||
and uploads the images to an intermediate registry; but at least the
|
registry. No images will be pushed to the upstream registry until
|
||||||
`gate` pipeline job must..
|
promotion occurs.
|
||||||
|
|
||||||
The :zuul:job:`promote-container-image` job is designed to be used in
|
The :zuul:job:`promote-container-image` job is designed to be used in
|
||||||
a post-merge `promote` pipeline. It requires no nodes and run on the
|
a post-merge `promote` pipeline. It requires no nodes and run on the
|
||||||
@ -94,7 +94,7 @@ between upload and promote steps in this model.
|
|||||||
Summary:
|
Summary:
|
||||||
|
|
||||||
* :zuul:job:`build-container-image` in `check`
|
* :zuul:job:`build-container-image` in `check`
|
||||||
* :zuul:job:`build-container-image` in `gate`. This must push to an
|
* :zuul:job:`upload-container-image` in `gate`. This must push to an
|
||||||
intermediate registry.
|
intermediate registry.
|
||||||
* :zuul:job:`promote-container-image` in `promote` with
|
* :zuul:job:`promote-container-image` in `promote` with
|
||||||
``promote_container_method: intermediate-registry``
|
``promote_container_method: intermediate-registry``
|
||||||
|
@ -45,6 +45,10 @@ registry. It can be used in one of two modes:
|
|||||||
to by ``<tag>`` will now reflect the underlying code closing the
|
to by ``<tag>`` will now reflect the underlying code closing the
|
||||||
out-of-sync window.
|
out-of-sync window.
|
||||||
|
|
||||||
|
When running in this mode uploads are only made if
|
||||||
|
``promote_container_image_method`` is unset or set to ``tag``.
|
||||||
|
Otherwise we skip upload to the registry.
|
||||||
|
|
||||||
2. The second mode allows for use of this job in `release` and `tag`
|
2. The second mode allows for use of this job in `release` and `tag`
|
||||||
pipelines to directly upload a release build with the final set of
|
pipelines to directly upload a release build with the final set of
|
||||||
tags.
|
tags.
|
||||||
@ -266,4 +270,12 @@ promote job assumes `skopeo` is available on the executor.
|
|||||||
A dictionary of key value pairs to add to the container build environment.
|
A dictionary of key value pairs to add to the container build environment.
|
||||||
This may be useful to enable buildkit with docker builds for example.
|
This may be useful to enable buildkit with docker builds for example.
|
||||||
|
|
||||||
|
.. zuul:rolevar:: promote_container_image_method
|
||||||
|
:default: tag
|
||||||
|
|
||||||
|
A string value indicating whether or not we upload images to the upstream
|
||||||
|
registry pre merge then promote that upload via a retag (``tag``) or we
|
||||||
|
upload to a downstream registry and later fetch and promote that to the
|
||||||
|
upstream registry post merge (``intermediate-registry``).
|
||||||
|
|
||||||
.. _anchors: https://yaml.org/spec/1.2/spec.html#&%20anchor//
|
.. _anchors: https://yaml.org/spec/1.2/spec.html#&%20anchor//
|
||||||
|
@ -1,25 +1,30 @@
|
|||||||
- name: Verify repository names
|
- name: Control when we push to the upstream registry
|
||||||
when: |
|
# We only want to push upstream if we are in a release / tag pipeline or
|
||||||
container_registry_credentials is defined
|
# if we are using the tag promotion method.
|
||||||
and zj_image.registry not in container_registry_credentials
|
block:
|
||||||
loop: "{{ container_images }}"
|
- name: Verify repository names
|
||||||
loop_control:
|
when: |
|
||||||
loop_var: zj_image
|
container_registry_credentials is defined
|
||||||
fail:
|
and zj_image.registry not in container_registry_credentials
|
||||||
msg: "{{ zj_image.registry }} credentials not found"
|
loop: "{{ container_images }}"
|
||||||
|
loop_control:
|
||||||
|
loop_var: zj_image
|
||||||
|
fail:
|
||||||
|
msg: "{{ zj_image.registry }} credentials not found"
|
||||||
|
|
||||||
- name: Verify repository permission
|
- name: Verify repository permission
|
||||||
when: |
|
when: |
|
||||||
container_registry_credentials[zj_image.registry].repository is defined and
|
container_registry_credentials[zj_image.registry].repository is defined and
|
||||||
not zj_image.repository | regex_search(container_registry_credentials[zj_image.registry].repository)
|
not zj_image.repository | regex_search(container_registry_credentials[zj_image.registry].repository)
|
||||||
loop: "{{ container_images }}"
|
loop: "{{ container_images }}"
|
||||||
loop_control:
|
loop_control:
|
||||||
loop_var: zj_image
|
loop_var: zj_image
|
||||||
fail:
|
fail:
|
||||||
msg: "{{ zj_image.repository }} not permitted by {{ container_registry_credentials[zj_image.registry].repository }}"
|
msg: "{{ zj_image.repository }} not permitted by {{ container_registry_credentials[zj_image.registry].repository }}"
|
||||||
|
|
||||||
- name: Upload image to container registry
|
- name: Upload image to container registry
|
||||||
loop: "{{ container_images }}"
|
loop: "{{ container_images }}"
|
||||||
loop_control:
|
loop_control:
|
||||||
loop_var: zj_image
|
loop_var: zj_image
|
||||||
include_tasks: push.yaml
|
include_tasks: push.yaml
|
||||||
|
when: not upload_container_image_promote|default(true) or promote_container_image_method|default('tag') == 'tag'
|
||||||
|
Loading…
Reference in New Issue
Block a user