promote-container-image: use generic tag removal role
This uses the generic tag removal role added with I7f2d9d00024e34451e2d20b2c2f8171ecd151943 to cleanup the promote tag and any leaked tags. Change-Id: I3f1b82d63874ee886048b9ccabe616a60dc09434
This commit is contained in:
parent
fec27296c8
commit
9df7c8eb70
@ -100,7 +100,10 @@ Once this role completes, the temporary upload tags are no longer
|
||||
required. The role removes the change-id tags from the repository in
|
||||
the registry, and removes any similar change-ids tags. This keeps the
|
||||
repository tidy in the case that gated changes fail to merge after
|
||||
uploading their staged images.
|
||||
uploading their staged images. Remvoing these tags is a registry
|
||||
specific operation. You should double check the ``api_token``
|
||||
requirements for your registry described below. For more details see
|
||||
:zuul:role:`remove-registry-tag`.
|
||||
|
||||
In ``intermediate-registry`` mode, this role queries Zuul to find the
|
||||
build performed by the build role in the ``gate``. It then copies
|
||||
@ -179,6 +182,22 @@ using the roles described here.
|
||||
|
||||
repository: "^myorgname/{{ zuul.project.short_name }}.*"
|
||||
|
||||
.. zuul:rolevar:: api_token
|
||||
|
||||
Optional; When using the promote roles, the registry API is
|
||||
used to remove temporary tags. if your registry requires a
|
||||
token to talk to the registry API, add it here. This is
|
||||
registry dependent; some allow API access via the
|
||||
username/password, but others require issuing a separate
|
||||
token. For more details see
|
||||
:zuul:role:`remove-registry-tag`. Some examples:
|
||||
|
||||
* **docker** : API is access via username/password, does not
|
||||
require token.
|
||||
* **quay.io** : A token must be generated from an
|
||||
"application" that a user has allowed to operate on its
|
||||
behalf. See `<https://docs.quay.io/api/>`__.
|
||||
|
||||
.. zuul:rolevar:: container_images
|
||||
:type: list
|
||||
|
||||
|
@ -23,10 +23,3 @@
|
||||
loop_control:
|
||||
loop_var: zj_image
|
||||
include_tasks: promote-retag.yaml
|
||||
|
||||
# The docker roles prune obsolete tags here, but that relies on a
|
||||
# timestamp to make sure we're not deleting in-progress tags (that the
|
||||
# gate pipeline may be uploading at the same time we're promoting).
|
||||
# That timestamp is not available with skopeo list-tags, so some other
|
||||
# mechanism will need to be devised to clean them up. In the
|
||||
# meantime, we hope that the cleanup in promote-retag succeeds.
|
||||
|
@ -10,29 +10,10 @@
|
||||
retries: 3
|
||||
delay: 30
|
||||
|
||||
# NOTE(ianw) 2023-03-27 : It is actually quite difficult to delete a
|
||||
# tag in a generic way...
|
||||
#
|
||||
# The OCI distribution spec does has specified for a while that you
|
||||
# should be able to delete a tag with the registry API using DELETE
|
||||
# /v2/<name>/manifests/tag [1] but this is basically not implemented
|
||||
# on any registry. So that's out.
|
||||
#
|
||||
# "skopeo delete" dereferences the tag to a digest and deletes that.
|
||||
# This is not what we want, as it deletes *all* tags pointing to it.
|
||||
# This is probably not what people want (see many github issues!) but
|
||||
# now it's like that, it's difficult to change. The man page now
|
||||
# gives all sorts of caveats [2].
|
||||
#
|
||||
# So that leaves deleting tags via individual API's specified by each
|
||||
# provider. This is what promote-docker-image currently does (via the
|
||||
# hub API at hub.docker.com). quay.io also allows this via API, but
|
||||
# implements getting an API token differently to hub.docker.com.
|
||||
# artifactory also allows it via it's API.
|
||||
#
|
||||
# [1] https://github.com/opencontainers/distribution-spec/blob/v1.0/spec.md#deleting-tags
|
||||
# [2] https://github.com/containers/skopeo/blob/main/docs/skopeo-delete.1.md
|
||||
|
||||
- name: Delete the current change tag
|
||||
debug:
|
||||
msg: 'We currently do not delete old tags'
|
||||
- name: Delete the temporary change tag we just renamed
|
||||
include_role:
|
||||
name: remove-registry-tag
|
||||
vars:
|
||||
remove_registry_tag_repository: '{{ zj_image.repository }}'
|
||||
remove_registry_tag_tag: '{{ promote_tag_prefix }}_{{ zj_image_tag }}'
|
||||
no_log: true
|
||||
|
@ -17,3 +17,12 @@
|
||||
always:
|
||||
- name: Log out of registry
|
||||
command: "skopeo logout {{ zj_image.registry }}"
|
||||
|
||||
# If a gate job failed, we might have uploaded and leaked tags. This
|
||||
# cleans up anything around for more than 24 hours
|
||||
- name: Cleanup leaked images
|
||||
include_role:
|
||||
name: remove-registry-tag
|
||||
vars:
|
||||
remove_registry_tag_repository: '{{ zj_image.repository }}'
|
||||
no_log: true
|
||||
|
Loading…
Reference in New Issue
Block a user