From 9df7c8eb70c7b76be46545f2eb1b9e9eb49e10cd Mon Sep 17 00:00:00 2001
From: Ian Wienand
Date: Tue, 28 Mar 2023 17:10:50 +1100
Subject: [PATCH] promote-container-image: use generic tag removal role
This uses the generic tag removal role added with I7f2d9d00024e34451e2d20b2c2f8171ecd151943 to cleanup the promote tag and any leaked tags.
Change-Id: I3f1b82d63874ee886048b9ccabe616a60dc09434
---
 roles/build-container-image/common.rst | 21 +++++++++++-
 .../tasks/promote-from-tag.yaml | 7 ----
 .../tasks/promote-retag-inner.yaml | 33 ++++---------------
 .../tasks/promote-retag.yaml | 9 +++++
 4 files changed, 36 insertions(+), 34 deletions(-)
diff --git a/roles/build-container-image/common.rst b/roles/build-container-image/common.rst
index 737887001..4ae76cd3e 100644
--- a/roles/build-container-image/common.rst
+++ b/roles/build-container-image/common.rst
@@ -100,7 +100,10 @@ Once this role completes, the temporary upload tags are no longer required. The role removes the change-id tags from the repository in the registry, and removes any similar change-ids tags. This keeps the repository tidy in the case that gated changes fail to merge after
-uploading their staged images.
+uploading their staged images. Remvoing these tags is a registry
+specific operation. You should double check the ``api_token``
+requirements for your registry described below. For more details see
+:zuul:role:`remove-registry-tag`.
 In ``intermediate-registry`` mode, this role queries Zuul to find the build performed by the build role in the ``gate``. It then copies
@@ -179,6 +182,22 @@ using the roles described here.
 repository: "^myorgname/{{ zuul.project.short_name }}.*"
+ .. zuul:rolevar:: api_token
+
+ Optional; When using the promote roles, the registry API is
+ used to remove temporary tags. if your registry requires a
+ token to talk to the registry API, add it here. This is
+ registry dependent; some allow API access via the
+ username/password, but others require issuing a separate
+ token. For more details see
+ :zuul:role:`remove-registry-tag`. Some examples:
+
+ * **docker** : API is access via username/password, does not
+ require token.
+ * **quay.io** : A token must be generated from an
+ "application" that a user has allowed to operate on its
+ behalf. See ``__.
+
 .. zuul:rolevar:: container_images
 :type: list
diff --git a/roles/promote-container-image/tasks/promote-from-tag.yaml b/roles/promote-container-image/tasks/promote-from-tag.yaml
index 2a14f2e15..fb4a96d6c 100644
--- a/roles/promote-container-image/tasks/promote-from-tag.yaml
+++ b/roles/promote-container-image/tasks/promote-from-tag.yaml
@@ -23,10 +23,3 @@
 loop_control:
 loop_var: zj_image
 include_tasks: promote-retag.yaml
-
-# The docker roles prune obsolete tags here, but that relies on a
-# timestamp to make sure we're not deleting in-progress tags (that the
-# gate pipeline may be uploading at the same time we're promoting).
-# That timestamp is not available with skopeo list-tags, so some other
-# mechanism will need to be devised to clean them up. In the
-# meantime, we hope that the cleanup in promote-retag succeeds.
diff --git a/roles/promote-container-image/tasks/promote-retag-inner.yaml b/roles/promote-container-image/tasks/promote-retag-inner.yaml
index 96b5f9b19..5a4dfee8c 100644
--- a/roles/promote-container-image/tasks/promote-retag-inner.yaml
+++ b/roles/promote-container-image/tasks/promote-retag-inner.yaml
@@ -10,29 +10,10 @@
 retries: 3
 delay: 30
-# NOTE(ianw) 2023-03-27 : It is actually quite difficult to delete a
-# tag in a generic way...
-#
-# The OCI distribution spec does has specified for a while that you
-# should be able to delete a tag with the registry API using DELETE
-# /v2//manifests/tag [1] but this is basically not implemented
-# on any registry. So that's out.
-#
-# "skopeo delete" dereferences the tag to a digest and deletes that.
-# This is not what we want, as it deletes *all* tags pointing to it.
-# This is probably not what people want (see many github issues!) but
-# now it's like that, it's difficult to change. The man page now
-# gives all sorts of caveats [2].
-#
-# So that leaves deleting tags via individual API's specified by each
-# provider. This is what promote-docker-image currently does (via the
-# hub API at hub.docker.com). quay.io also allows this via API, but
-# implements getting an API token differently to hub.docker.com.
-# artifactory also allows it via it's API.
-#
-# [1] https://github.com/opencontainers/distribution-spec/blob/v1.0/spec.md#deleting-tags
-# [2] https://github.com/containers/skopeo/blob/main/docs/skopeo-delete.1.md
-
-- name: Delete the current change tag
- debug:
- msg: 'We currently do not delete old tags'
+- name: Delete the temporary change tag we just renamed
+ include_role:
+ name: remove-registry-tag
+ vars:
+ remove_registry_tag_repository: '{{ zj_image.repository }}'
+ remove_registry_tag_tag: '{{ promote_tag_prefix }}_{{ zj_image_tag }}'
+ no_log: true
diff --git a/roles/promote-container-image/tasks/promote-retag.yaml b/roles/promote-container-image/tasks/promote-retag.yaml
index 270a71658..dbe453872 100644
--- a/roles/promote-container-image/tasks/promote-retag.yaml
+++ b/roles/promote-container-image/tasks/promote-retag.yaml
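Review bot: `no_log: true` on the new `Delete the temporary change tag we just renamed` task probably does not reach the tasks inside `remove-registry-tag`, because Ansible applies task keywords on `include_role` to the include statement only. If the role sends the registry `api_token` or password in an API call, that output stays out of the job log only when the role's own tasks set `no_log`, which this patch does not show. Either confirm that in the role, or push the keyword down by adding `apply:` with `no_log: true` beneath it under `include_role:`. The `Cleanup leaked images` task added in promote-retag.yaml has the same shape. Indentation is lost in this view, so this reads `no_log` as a task keyword and not as an entry under `vars:`.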
@@ -17,3 +17,12 @@
 always:
 - name: Log out of registry
 command: "skopeo logout {{ zj_image.registry }}"
+
+# If a gate job failed, we might have uploaded and leaked tags. This
+# cleans up anything around for more than 24 hours
+- name: Cleanup leaked images
+ include_role:
+ name: remove-registry-tag
+ vars:
+ remove_registry_tag_repository: '{{ zj_image.repository }}'
+ no_log: true
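Review bot: The `Cleanup leaked images` include passes only `remove_registry_tag_repository`, so which tags are matched and the 24 hour cut-off named in the comment both come from defaults inside `remove-registry-tag` that a reader of this file cannot see. For a delete operation against a shared repository I would pin the scope at the call site by passing the role's tag-pattern and age settings explicitly (names as the role defines them), or at least extend the comment, e.g. `# Tag pattern and the 24h age limit are remove-registry-tag defaults`. The task also sits after the `always:` logout, so it presumably authenticates with the separately configured `api_token` rather than the skopeo session; that is worth stating in the comment too. The enclosing block starts outside this hunk.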