promote-container-image: use generic tag removal role

This uses the generic tag removal role added with
I7f2d9d00024e34451e2d20b2c2f8171ecd151943 to clean up the promote tag
and any leaked tags.

Change-Id: I3f1b82d63874ee886048b9ccabe616a60dc09434
Ian Wienand 2023-03-28 17:10:50 +11:00
parent fec27296c8
commit 9df7c8eb70
4 changed files with 36 additions and 34 deletions

@ -100,7 +100,10 @@ Once this role completes, the temporary upload tags are no longer
required. The role removes the change-id tags from the repository in
the registry, and removes any similar change-ids tags. This keeps the
repository tidy in the case that gated changes fail to merge after
uploading their staged images.
uploading their staged images. Remvoing these tags is a registry
specific operation. You should double check the ``api_token``
requirements for your registry described below. For more details see
:zuul:role:`remove-registry-tag`.
In ``intermediate-registry`` mode, this role queries Zuul to find the
build performed by the build role in the ``gate``. It then copies
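Review bot: typo in the added documentation sentence, "Remvoing these tags" should read "Removing these tags", and "registry specific" reads better hyphenated as "registry-specific". Since this paragraph is the first place a user learns that promotion now calls the registry API, it would also help to say here what happens when the registry needs an ``api_token`` and none is configured (cleanup skipped, or the promote job fails), rather than only pointing at the variable below.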
@ -179,6 +182,22 @@ using the roles described here.
repository: "^myorgname/{{ zuul.project.short_name }}.*"
.. zuul:rolevar:: api_token
Optional; When using the promote roles, the registry API is
used to remove temporary tags. if your registry requires a
token to talk to the registry API, add it here. This is
registry dependent; some allow API access via the
username/password, but others require issuing a separate
token. For more details see
:zuul:role:`remove-registry-tag`. Some examples:
* **docker** : API is access via username/password, does not
require token.
* **quay.io** : A token must be generated from an
"application" that a user has allowed to operate on its
behalf. See `<https://docs.quay.io/api/>`__.
.. zuul:rolevar:: container_images
:type: list
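Review bot: the ``api_token`` entry is marked "Optional" but does not say how the role behaves when it is missing on a registry that needs one (the quay.io case listed here), while the task changes in this commit include remove-registry-tag unconditionally. Please state the failure mode, and note that the token is a credential that can delete tags, so it belongs in the same Zuul secret as the registry username/password and should be scoped to the repositories being promoted where the registry allows it. Wording nits in the same block: "if your registry" should start with a capital, and "API is access via" should be "API is accessed via".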

@ -23,10 +23,3 @@
loop_control:
loop_var: zj_image
include_tasks: promote-retag.yaml
# The docker roles prune obsolete tags here, but that relies on a
# timestamp to make sure we're not deleting in-progress tags (that the
# gate pipeline may be uploading at the same time we're promoting).
# That timestamp is not available with skopeo list-tags, so some other
# mechanism will need to be devised to clean them up. In the
# meantime, we hope that the cleanup in promote-retag succeeds.
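Review bot: the comment removed here was the only record in this file of the constraint that pruning must not delete tags the gate pipeline is still uploading. That constraint still applies to the new age-based cleanup, so consider leaving a one-line comment that says where pruning now happens and that it relies on an age cutoff, instead of dropping the explanation entirely.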

@ -10,29 +10,10 @@
retries: 3
delay: 30
# NOTE(ianw) 2023-03-27 : It is actually quite difficult to delete a
# tag in a generic way...
#
# The OCI distribution spec does has specified for a while that you
# should be able to delete a tag with the registry API using DELETE
# /v2/<name>/manifests/tag [1] but this is basically not implemented
# on any registry. So that's out.
#
# "skopeo delete" dereferences the tag to a digest and deletes that.
# This is not what we want, as it deletes *all* tags pointing to it.
# This is probably not what people want (see many github issues!) but
# now it's like that, it's difficult to change. The man page now
# gives all sorts of caveats [2].
#
# So that leaves deleting tags via individual API's specified by each
# provider. This is what promote-docker-image currently does (via the
# hub API at hub.docker.com). quay.io also allows this via API, but
# implements getting an API token differently to hub.docker.com.
# artifactory also allows it via it's API.
#
# [1] https://github.com/opencontainers/distribution-spec/blob/v1.0/spec.md#deleting-tags
# [2] https://github.com/containers/skopeo/blob/main/docs/skopeo-delete.1.md
- name: Delete the current change tag
debug:
msg: 'We currently do not delete old tags'
- name: Delete the temporary change tag we just renamed
include_role:
name: remove-registry-tag
vars:
remove_registry_tag_repository: '{{ zj_image.repository }}'
remove_registry_tag_tag: '{{ promote_tag_prefix }}_{{ zj_image_tag }}'
no_log: true
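Review bot: "no_log: true" on the include_role task covers only the include statement itself; Ansible does not pass task keywords set on include_role down to the tasks inside the role unless they are given through "apply". If the intent is to keep the registry credentials and ``api_token`` out of the job log, confirm that remove-registry-tag sets no_log on its own API tasks, or pass it with apply here. Separately, the deleted NOTE(ianw) block explained why "skopeo delete" is unsafe for this (it removes every tag pointing at the digest); that rationale is worth keeping somewhere, for example in the remove-registry-tag documentation, so nobody later swaps the API call back to skopeo.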

@ -17,3 +17,12 @@
always:
- name: Log out of registry
command: "skopeo logout {{ zj_image.registry }}"
# If a gate job failed, we might have uploaded and leaked tags. This
# cleans up anything around for more than 24 hours
- name: Cleanup leaked images
include_role:
name: remove-registry-tag
vars:
remove_registry_tag_repository: '{{ zj_image.repository }}'
no_log: true
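Review bot: the 24 hour cutoff in the "Cleanup leaked images" comment is not set anywhere in the vars passed here, so it depends on a default inside remove-registry-tag that a reader of this file cannot see or check. Please pass the age explicitly or name the role variable in the comment, and make sure it is longer than the slowest gate run so in-progress uploads are never pruned. Two smaller points: this task appears to sit in the "always:" section after "Log out of registry", so it also runs when promotion failed and must not depend on the skopeo login session; and the no_log keyword on this include_role has the same scope limitation as in promote-retag.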