Update ensure-quay-repo to run opportunistically

This updates the new ensure-quay-repo to run opportunistically if the registry_type image flag is set to quay and the registry credentials matching the container image has an api token defined. This will allow us to include this role in base jobs and it will do what we need it to do without impacting docker based images or quay managed images that don't need automatic creation. Change-Id: Ia419578bf0a27293757c5f723873e9930ee2c489
2023-04-25 15:21:57 -07:00 · 2023-04-25 15:21:57 -07:00 · 58f408cfac
commit 58f408cfac
parent 0e6df8d38f
2 changed files with 65 additions and 47 deletions
--- a/roles/ensure-quay-repo/README.rst
+++ b/roles/ensure-quay-repo/README.rst
@ -19,6 +19,19 @@ When invoking this role you should set no_log: true on the
   ``container_registry_credentials`` variable used by the other container
   roles. Specify an ``api_token`` which is issued from an application
   assigned to an organisation.  See `<https://docs.quay.io/api/>`__
+   This application API token needs create permissions. If the registry
+   name is quay.io we know that the registry type is ``quay``. If you are
+   running a private Quay installation you can manually set
+   ``type`` to ``quay`` to force this behavior.
+
+   This role will only take action on image repos that map to
+   container registries for which both an ``api_token`` is set and
+   ``type`` can be determined to be ``quay``.
+
+   You may also set ``api_url`` on the registry credentials if the
+   API is not hosted at the root of the registry name. Most installations
+   should be able to ignore this and use the default of
+   ``https://{{ $name }}``.

   Example:

@ -26,7 +39,9 @@ When invoking this role you should set no_log: true on the

      container_registry_credentials:
        quay.io:
+          type: 'quay'
          api_token: 'abcd1234'
+          api_url: 'https://quay.io'

 .. zuul:rolevar:: container_images
   :type: list
@ -36,10 +51,8 @@ When invoking this role you should set no_log: true on the
   is in the same format as the ``container_images`` variable used by other
   container roles. Specify a ``registry`` (this should match up with your
   credentials to locate the api token), ``namespace``, ``repo_shortname``,
-   ``repo_description``, ``visibility``, and ``api_url`` attributes.
-
-   By default visibility will be ``public`` and ``api_url`` will be
-   ``https://{{ registry }}``.
+   ``repo_description``, and ``visibility`` attributes. By default
+   visibility will be ``public``.

   Example:

--- a/roles/ensure-quay-repo/tasks/create.yaml
+++ b/roles/ensure-quay-repo/tasks/create.yaml
@ -1,12 +1,14 @@
+- name: Only run when necessary items are present
+  block:
    - name: Set quay_root_url
      set_fact:
        quay_root_url: "https://{{ zj_image.registry }}"
-  when: zj_image.api_url is not defined
+      when: container_registry_credentials[zj_image.registry].api_url is not defined

    - name: Alias api_url
      set_fact:
-    quay_root_url: "{{ zj_image.api_url }}"
-  when: zj_image.api_url is defined
+        quay_root_url: "{{ container_registry_credentials[zj_image.registry].api_url }}"
+      when: container_registry_credentials[zj_image.registry].api_url is defined

    - name: Set quay_repo_visibility
      set_fact:
@ -47,3 +49,6 @@
        - "'error_message' not in quay_repo_create.json or ('error_message' in quay_repo_create.json and quay_repo_create.json.error_message != 'Repository already exists')"
      fail:
        msg: "Could not create {{ quay_root_url }}/{{ zj_image.namespace }}/{{ zj_image.repo_shortname }}"
+  when:
+    - zj_image.registry == 'quay.io' or (container_registry_credentials[zj_image.registry].type is defined and container_registry_credentials[zj_image.registry].type == 'quay')
+    - container_registry_credentials[zj_image.registry].api_token is defined