
Update docker image roles

* In the build-image role, push to the buildset registry if it is defined.
* In the intermediate registry push and pull roles, ensure that the
  buildset registry TLS cert is in place.  This is a self-signed cert,
  and so needs to be written for each run.  This happens inside
  bubblewrap where we have permission to write to /etc, which is an
  ephemeral volume.

Change-Id: I47781d8a7adb93817dfe9266e2f4ad5fd829385c
changes/87/637387/1
James E. Blair 3 months ago
parent
commit
71b7cb0ae5

+ 12
- 0
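--- a/roles/build-docker-image/tasks/main.yaml
+++ b/roles/build-docker-image/tasks/main.yaml
@@ -1,3 +1,9 @@
+# This can be removed if we add this functionality to Zuul directly
+- name: Load information from zuul_return
+  when: buildset_registry is not defined
+  set_fact:
+    buildset_registry: "{{ (lookup('file', zuul.executor.work_root + '/results.json') | from_json)['buildset_registry'] }}"
+  ignore_errors: true
 - name: Build a docker image
   command: >-
     docker build {{ item.path | default('.') }} -f {{ item.dockerfile | default(docker_dockerfile) }}
@@ -14,3 +20,9 @@
   args:
     chdir: "{{ zuul_work_dir }}/{{ item.context }}"
   loop: "{{ docker_images }}"
+- name: Push image to buildset registry
+  when: buildset_registry is defined
+  include_tasks: push.yaml
+  loop: "{{ docker_images }}"
+  loop_control:
+    loop_var: image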
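Review bot: `ignore_errors: true` on the new "Load information from zuul_return" task hides every failure, not only a missing results.json. A malformed file or a result without a `buildset_registry` key also leaves the variable undefined, and the "Push image to buildset registry" task in the second hunk is then skipped with nothing in the job result to show it. If skipping is meant only for jobs that run without a buildset registry, say so above the task, for example `# results.json is absent when no buildset registry is in use; the push below is then skipped`, and consider narrowing the tolerance to the missing-file case so a corrupt result still fails the job.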

+ 7
- 0
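--- a/roles/build-docker-image/tasks/push.yaml
+++ b/roles/build-docker-image/tasks/push.yaml
@@ -0,0 +1,7 @@
+- name: Push tag to buildset registry
+  command: >-
+    docker tag {{ image.repository }}:{{ image_tag }} {{ buildset_registry.host }}:{{ buildset_registry.port }}/{{ image.repository }}:{{ image_tag }}
+    docker push {{ buildset_registry.host }}:{{ buildset_registry.port }}/{{ image.repository }}:{{ image_tag }}
+  loop: "{{ image.tags | default(['latest']) }}"
+  loop_control:
+    loop_var: image_tag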
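Review bot: The folded scalar `>-` joins the `docker tag` and `docker push` lines into one string, and the `command` module does not run it through a shell. The task therefore invokes a single `docker tag` with the push text as extra arguments, not a tag followed by a push. Splitting it into two tasks, each looping over the tags, keeps both steps explicit and lets a failed tag stop the run before the push. Separately, nothing visible in this role writes the buildset registry's self-signed certificate under /etc/docker/certs.d the way the intermediate registry roles do, so the push may also fail TLS verification unless that is set up elsewhere.

```yaml
- name: Tag image for buildset registry
  command: >-
    docker tag {{ image.repository }}:{{ image_tag }} {{ buildset_registry.host }}:{{ buildset_registry.port }}/{{ image.repository }}:{{ image_tag }}
  loop: "{{ image.tags | default(['latest']) }}"
  loop_control:
    loop_var: image_tag
- name: Push tag to buildset registry
  command: >-
    docker push {{ buildset_registry.host }}:{{ buildset_registry.port }}/{{ image.repository }}:{{ image_tag }}
  loop: "{{ image.tags | default(['latest']) }}"
  loop_control:
    loop_var: image_tag
```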

+ 8
- 0
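--- a/roles/pull-from-intermediate-registry/tasks/main.yaml
+++ b/roles/pull-from-intermediate-registry/tasks/main.yaml
@@ -1,3 +1,11 @@
+- name: Ensure registry cert directory exists
+  file:
+    path: "/etc/docker/certs.d/{{ buildset_registry.host }}:{{ buildset_registry.port }}/"
+    state: directory
+- name: Write registry TLS certificate
+  copy:
+    content: "{{ buildset_registry.cert }}"
+    dest: "/etc/docker/certs.d/{{ buildset_registry.host }}:{{ buildset_registry.port }}/ca.crt"
 - name: Pull artifact from intermediate registry
   command: >-
     skopeo --insecure-policy copy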
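Review bot: The new `file` and `copy` tasks set no `mode`, so the permissions on the certs.d directory and on `ca.crt` depend on the umask in effect when the playbook runs. This file is the trust anchor Docker will accept for that host and port, so it is worth pinning explicitly with `mode: "0755"` on the directory task and `mode: "0644"` on the copy task. The same two tasks are added verbatim in roles/push-to-intermediate-registry/tasks/main.yaml and need the same change. Moving them into one shared task file would keep the two copies from drifting. The "Pull artifact from intermediate registry" task continues past the end of the hunk.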

+ 8
- 0
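--- a/roles/push-to-intermediate-registry/tasks/main.yaml
+++ b/roles/push-to-intermediate-registry/tasks/main.yaml
@@ -3,6 +3,14 @@
   when: buildset_registry is not defined
   set_fact:
     buildset_registry: "{{ (lookup('file', zuul.executor.work_root + '/results.json') | from_json)['buildset_registry'] }}"
+- name: Ensure registry cert directory exists
+  file:
+    path: "/etc/docker/certs.d/{{ buildset_registry.host }}:{{ buildset_registry.port }}/"
+    state: directory
+- name: Write registry TLS certificate
+  copy:
+    content: "{{ buildset_registry.cert }}"
+    dest: "/etc/docker/certs.d/{{ buildset_registry.host }}:{{ buildset_registry.port }}/ca.crt"
 - name: Push image to intermediate registry
   include_tasks: push.yaml
   loop: "{{ docker_images }}"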

+ 1
- 1
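--- a/roles/push-to-intermediate-registry/tasks/push.yaml
+++ b/roles/push-to-intermediate-registry/tasks/push.yaml
@@ -4,7 +4,7 @@
     --src-creds={{ buildset_registry.username }}:{{ buildset_registry.password }}
     --dest-creds={{ intermediate_registry.username }}:{{ intermediate_registry.password }}
     docker://{{ buildset_registry.host }}:{{ buildset_registry.port }}/{{ image.repository }}:{{ image_tag }}
-    docker://{{ intermediate_registry.host }}:{{ intermediate_registry.port}}/{{ image.repository }}:{{ zuul.build }}_{{ image_tag}}
+    docker://{{ intermediate_registry.host }}:{{ intermediate_registry.port}}/{{ image.repository }}:{{ zuul.build }}_{{ image_tag }}
   loop: "{{ image.tags | default(['latest']) }}"
   loop_control:
     loop_var: image_tag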
