promote-container-image: use generic tag removal role

This uses the generic tag removal role added with
I7f2d9d00024e34451e2d20b2c2f8171ecd151943 to clean up the promote tag
and any leaked tags.

Change-Id: I3f1b82d63874ee886048b9ccabe616a60dc09434
Ian Wienand 2023-03-28 17:10:50 +11:00
parent fec27296c8
commit 9df7c8eb70
No known key found for this signature in database
4 changed files with 36 additions and 34 deletions


@ -100,7 +100,10 @@ Once this role completes, the temporary upload tags are no longer
required. The role removes the change-id tags from the repository in required. The role removes the change-id tags from the repository in
the registry, and removes any similar change-ids tags. This keeps the the registry, and removes any similar change-ids tags. This keeps the
repository tidy in the case that gated changes fail to merge after repository tidy in the case that gated changes fail to merge after
uploading their staged images. uploading their staged images. Remvoing these tags is a registry
specific operation. You should double check the ``api_token``
requirements for your registry described below. For more details see
:zuul:role:`remove-registry-tag`.
In ``intermediate-registry`` mode, this role queries Zuul to find the In ``intermediate-registry`` mode, this role queries Zuul to find the
build performed by the build role in the ``gate``. It then copies build performed by the build role in the ``gate``. It then copies
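Review bot: Typo in the added sentence after "uploading their staged images.": "Remvoing" should be "Removing", and "registry specific" reads better hyphenated as "registry-specific". Since this paragraph is now the first place a reader learns that tag deletion needs extra credentials, it would also help to say plainly that without a working ``api_token`` (where the registry needs one) the temporary tags will not be removed, rather than only asking the reader to "double check".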
@ -179,6 +182,22 @@ using the roles described here.
repository: "^myorgname/{{ zuul.project.short_name }}.*" repository: "^myorgname/{{ zuul.project.short_name }}.*"
.. zuul:rolevar:: api_token
Optional; When using the promote roles, the registry API is
used to remove temporary tags. if your registry requires a
token to talk to the registry API, add it here. This is
registry dependent; some allow API access via the
username/password, but others require issuing a separate
token. For more details see
:zuul:role:`remove-registry-tag`. Some examples:
* **docker** : API is access via username/password, does not
require token.
* **quay.io** : A token must be generated from an
"application" that a user has allowed to operate on its
behalf. See `<https://docs.quay.io/api/>`__.
.. zuul:rolevar:: container_images .. zuul:rolevar:: container_images
:type: list :type: list
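Review bot: The new ``api_token`` entry says when a token is needed but not what it must be allowed to do. Since the value is a long-lived registry credential used only to delete tags, please document the minimum permission it needs on the repository so users do not issue a broader token than necessary, and note that it belongs in the same Zuul secret as the other credentials in this dict. Two wording fixes in the same block: "if your registry requires" should start with a capital, and "API is access via username/password" should be "API is accessed via".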


@ -23,10 +23,3 @@
loop_control: loop_control:
loop_var: zj_image loop_var: zj_image
include_tasks: promote-retag.yaml include_tasks: promote-retag.yaml
# The docker roles prune obsolete tags here, but that relies on a
# timestamp to make sure we're not deleting in-progress tags (that the
# gate pipeline may be uploading at the same time we're promoting).
# That timestamp is not available with skopeo list-tags, so some other
# mechanism will need to be devised to clean them up. In the
# meantime, we hope that the cleanup in promote-retag succeeds.
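Review bot: The comment removed at the end of this hunk recorded a real constraint: pruning must not delete in-progress tags that the gate pipeline may be uploading at the same time, and skopeo list-tags gives no timestamp to check against. Nothing visible in this change says how remove-registry-tag obtains tag age instead. Please keep a one-line comment here, or add a sentence to the commit message, stating that the new role gets the timestamp from the registry API, so the reason the concurrency concern no longer applies is not lost with the old comment.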


@ -10,29 +10,10 @@
retries: 3 retries: 3
delay: 30 delay: 30
# NOTE(ianw) 2023-03-27 : It is actually quite difficult to delete a - name: Delete the temporary change tag we just renamed
# tag in a generic way... include_role:
# name: remove-registry-tag
# The OCI distribution spec does has specified for a while that you vars:
# should be able to delete a tag with the registry API using DELETE remove_registry_tag_repository: '{{ zj_image.repository }}'
# /v2/<name>/manifests/tag [1] but this is basically not implemented remove_registry_tag_tag: '{{ promote_tag_prefix }}_{{ zj_image_tag }}'
# on any registry. So that's out. no_log: true
#
# "skopeo delete" dereferences the tag to a digest and deletes that.
# This is not what we want, as it deletes *all* tags pointing to it.
# This is probably not what people want (see many github issues!) but
# now it's like that, it's difficult to change. The man page now
# gives all sorts of caveats [2].
#
# So that leaves deleting tags via individual API's specified by each
# provider. This is what promote-docker-image currently does (via the
# hub API at hub.docker.com). quay.io also allows this via API, but
# implements getting an API token differently to hub.docker.com.
# artifactory also allows it via it's API.
#
# [1] https://github.com/opencontainers/distribution-spec/blob/v1.0/spec.md#deleting-tags
# [2] https://github.com/containers/skopeo/blob/main/docs/skopeo-delete.1.md
- name: Delete the current change tag
debug:
msg: 'We currently do not delete old tags'
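Review bot: Check what ``no_log: true`` on the new "Delete the temporary change tag we just renamed" task actually covers. If it is a keyword on the ``include_role`` task, Ansible applies it only to the include statement itself, not to the tasks inside remove-registry-tag, so any task in that role that handles ``api_token`` or the registry password needs its own ``no_log``, or the keyword needs to be passed through ``apply:``. Separately, the removed NOTE explained why ``skopeo delete`` and the OCI ``DELETE /v2/<name>/manifests/tag`` route are unsuitable; if that rationale is not reproduced in the remove-registry-tag documentation, a short pointer to it here would stop someone from "simplifying" this back to ``skopeo delete`` later.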


@ -17,3 +17,12 @@
always: always:
- name: Log out of registry - name: Log out of registry
command: "skopeo logout {{ zj_image.registry }}" command: "skopeo logout {{ zj_image.registry }}"
# If a gate job failed, we might have uploaded and leaked tags. This
# cleans up anything around for more than 24 hours
- name: Cleanup leaked images
include_role:
name: remove-registry-tag
vars:
remove_registry_tag_repository: '{{ zj_image.repository }}'
no_log: true
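Review bot: The comment above "Cleanup leaked images" promises removal of anything older than 24 hours, but the task passes only ``remove_registry_tag_repository``, so the 24 hour threshold is an unstated default of the included role. Either set the age variable explicitly in ``vars:`` or reword the comment to say the role's default age applies, so the two cannot drift apart. Also confirm the ordering is intended: this task follows "Log out of registry", which is fine only if remove-registry-tag authenticates on its own through the registry API rather than relying on the skopeo login session, and a one-line comment saying so would help.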