use-buildset-registry: Add podman support

Change-Id: I41718073962c8e7eb3d8810276e550fb84bd6e99
This commit is contained in:
James E. Blair 2019-11-19 09:55:58 -08:00
parent b583530f2b
commit d48667a3c5
20 changed files with 280 additions and 107 deletions

View File

@ -74,13 +74,18 @@
mode: 0600 mode: 0600
# Pull the images # Pull the images
# To support usage with both docker and podman, the buildset registry
# keeps "docker.io" entries un-namespaced, and any other namespaces
# are namespaced. Therefore, if we see docker.io in the repository
# name, we strip it here.
- name: Pull artifacts from intermediate registry - name: Pull artifacts from intermediate registry
block: block:
- name: Pull artifacts from intermediate registry - name: Pull artifacts from intermediate registry
command: >- command: >-
skopeo --insecure-policy copy skopeo --insecure-policy copy
{{ item.url }} {{ item.url }}
docker://127.0.0.1:{{ socat_port }}/{{ item.metadata.repository }}:{{ item.metadata.tag }} docker://127.0.0.1:{{ socat_port }}/{{ item.metadata.repository | regex_replace('^docker\.io/(.*)', '\1') }}:{{ item.metadata.tag }}
retries: 3 retries: 3
register: result register: result
until: result is success until: result is success

View File

@ -1,7 +1,11 @@
# To support usage with both docker and podman, the buildset registry
# keeps "docker.io" entries un-namespaced, and any other namespaces
# are namespaced. Therefore, if we see docker.io in the repository
# name, we strip it here.
- name: Push tag to intermediate registry - name: Push tag to intermediate registry
command: >- command: >-
skopeo --insecure-policy copy skopeo --insecure-policy copy
docker://127.0.0.1:{{ socat_port }}/{{ image.repository }}:{{ image_tag }} docker://127.0.0.1:{{ socat_port }}/{{ image.repository | regex_replace('^docker\.io/(.*)', '\1') }}:{{ image_tag }}
docker://{{ intermediate_registry.host | ipwrap }}:{{ intermediate_registry.port }}/{{ image.repository }}:{{ zuul.build }}_{{ image_tag }} docker://{{ intermediate_registry.host | ipwrap }}:{{ intermediate_registry.port }}/{{ image.repository }}:{{ zuul.build }}_{{ image_tag }}
retries: 3 retries: 3
register: result register: result

View File

@ -1,4 +1,4 @@
Runs a docker registry for the use of this buildset. Runs a container registry for the use of this buildset.
This may be used for a single job running on a single node, or it may This may be used for a single job running on a single node, or it may
be used at the root of a job graph so that multiple jobs running for a be used at the root of a job graph so that multiple jobs running for a
@ -16,6 +16,12 @@ single change can share the registry.
The port on which the registry should listen. The port on which the registry should listen.
.. zuul:rolevar:: container_command
:default: docker
The command to use to run the registry container (E.g., ``podman``).
**Return Values** **Return Values**
.. zuul:rolevar:: buildset_registry .. zuul:rolevar:: buildset_registry

View File

@ -1,2 +1,3 @@
buildset_registry_root: "{{ ansible_user_dir }}/buildset_registry" buildset_registry_root: "{{ ansible_user_dir }}/buildset_registry"
buildset_registry_port: 5000 buildset_registry_port: 5000
container_command: docker

View File

@ -2,18 +2,18 @@
become: yes become: yes
package: package:
name: name:
- python-docker
- openssl - openssl
- python-passlib - python-passlib
- socat
state: present state: present
when: ansible_python_version is version('3', '<') when: ansible_python_version is version('3', '<')
- name: Install packages - name: Install packages
become: yes become: yes
package: package:
name: name:
- python3-docker
- openssl - openssl
- python3-passlib - python3-passlib
- socat
state: present state: present
when: ansible_python_version is version('3', '>=') when: ansible_python_version is version('3', '>=')
- name: Ensure registry volume directories exists - name: Ensure registry volume directories exists
@ -41,16 +41,21 @@
set_fact: set_fact:
certificate: "{{ certificate.content | b64decode }}" certificate: "{{ certificate.content | b64decode }}"
- name: Start the buildset registry - name: Start the buildset registry
docker_container: command: >-
name: "{{ (buildset_registry_port == 5000) | ternary('buildset_registry', 'buildset_registry_' + buildset_registry_port|string) }}" {{ container_command }} run -d
image: zuul/zuul-registry:latest --name="{{ (buildset_registry_port == 5000) | ternary('buildset_registry', 'buildset_registry_' + buildset_registry_port|string) }}"
state: started --restart=always
restart_policy: always --publish="1{{ buildset_registry_port }}:5000"
ports: --volume="{{ buildset_registry_root }}/tls:/tls"
- "{{ buildset_registry_port }}:5000" --volume="{{ buildset_registry_root }}/conf:/conf"
volumes: docker.io/zuul/zuul-registry:latest
- "{{ buildset_registry_root }}/tls:/tls"
- "{{ buildset_registry_root }}/conf:/conf" # Start a socat tunnel to the buildset registry to work around
# https://github.com/containers/libpod/issues/4311
# in case we're using podman.
- name: Start socat to work around https://github.com/containers/libpod/issues/4311
shell: "socat -d -d TCP6-LISTEN:{{ buildset_registry_port }},fork TCP:127.0.0.1:1{{ buildset_registry_port }} 2> {{ buildset_registry_root }}/socat_port &"
- name: Set registry information fact - name: Set registry information fact
set_fact: set_fact:
buildset_registry: buildset_registry:

View File

@ -35,3 +35,15 @@ Use this role on any host which should use the buildset registry.
The system user to configure to use the docker registry. The The system user to configure to use the docker registry. The
docker configuration file for this user will be updated. By docker configuration file for this user will be updated. By
default, the user Ansible is running as. default, the user Ansible is running as.
.. zuul:rolevar:: buildset_registry_namespaces
:default: ['docker.io', 'quay.io', 'gcr.io']
The namespaces that the buildset registry supports. The buildset
registry will be consulted first for images in these namespaces.
Any others will be fetched only from their upstream sources.
Add any local or third-party registries necessary here.
The default may change in the future as more general-purpose public
registries become known.

View File

View File

@ -0,0 +1,4 @@
buildset_registry_namespaces:
- docker.io
- quay.io
- gcr.io

View File

@ -0,0 +1,77 @@
# Copyright 2019 Red Hat, Inc
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import os
from ansible.module_utils.basic import AnsibleModule
from ansible.module_utils import remarshal
def get_location(prefix, location):
# To support usage with both docker and podman, the buildset
# registry keeps "docker.io" entries un-namespaced.
if prefix == 'docker.io':
return location
else:
return location + '/' + prefix
def ansible_main():
module = AnsibleModule(
argument_spec=dict(
path=dict(required=True, type='path'),
buildset_registry=dict(type='raw'),
buildset_registry_alias=dict(type='str'),
namespaces=dict(type='raw'),
)
)
p = module.params
location = '%s:%s' % (p['buildset_registry_alias'],
p['buildset_registry']['port'])
if os.path.exists(p['path']):
with open(p['path'], 'rb') as f:
input_data = f.read()
data = remarshal.decode('toml', input_data, True)
else:
data = {}
unseen = set(p['namespaces'])
if 'registry' not in data:
data['registry'] = []
for reg in data['registry']:
if reg['prefix'] in unseen:
unseen.remove(reg['prefix'])
else:
continue
mirrors = reg.setdefault('mirror', [])
mirrors.insert(0, {
'location': get_location(reg['prefix'], location)})
for prefix in unseen:
mirrors = [{'location': get_location(prefix, location)},
{'location': prefix}]
reg = {'prefix': prefix,
'location': prefix,
'mirror': mirrors}
data['registry'].append(reg)
output_data = remarshal.encode_toml(data, True)
with open(p['path'], 'wb') as f:
f.write(output_data.encode('utf8'))
module.exit_json(changed=True, data=data)
if __name__ == '__main__':
ansible_main()

View File

@ -23,16 +23,14 @@
file: file:
state: directory state: directory
path: /etc/docker path: /etc/docker
- name: Ensure buildset registry cert directory exists
become: true
file:
path: "/etc/docker/certs.d/{{ buildset_registry_alias }}:{{ buildset_registry.port }}/"
state: directory
- name: Write buildset registry TLS certificate - name: Write buildset registry TLS certificate
become: true become: true
copy: copy:
content: "{{ buildset_registry.cert }}" content: "{{ buildset_registry.cert }}"
dest: "/etc/docker/certs.d/{{ buildset_registry_alias }}:{{ buildset_registry.port }}/ca.crt" dest: "/usr/local/share/ca-certificates/buildset-registry.crt"
- name: Update CA certs
command: update-ca-certificates
become: true
# Update daemon config # Update daemon config
- name: Check if docker daemon configuration exists - name: Check if docker daemon configuration exists
@ -73,6 +71,19 @@
register: docker_restart register: docker_restart
failed_when: docker_restart is failed and not 'Could not find the requested service' in docker_restart.msg failed_when: docker_restart is failed and not 'Could not find the requested service' in docker_restart.msg
- name: Ensure containers directory exists
become: yes
file:
state: directory
path: /etc/containers
- name: Modify registries.conf
become: yes
modify_registries_conf:
path: /etc/containers/registries.conf
buildset_registry: "{{ buildset_registry }}"
buildset_registry_alias: "{{ buildset_registry_alias }}"
namespaces: "{{ buildset_registry_namespaces }}"
# We use 'block' here to cause the become to apply to all the tasks # We use 'block' here to cause the become to apply to all the tasks
# (which does not automatically happen with include_tasks). # (which does not automatically happen with include_tasks).
- name: Update docker user config to use buildset registry - name: Update docker user config to use buildset registry

View File

@ -37,6 +37,10 @@
content: "{{ docker_config | to_nice_json }}" content: "{{ docker_config | to_nice_json }}"
dest: "~/.docker/config.json" dest: "~/.docker/config.json"
mode: 0600 mode: 0600
- name: Write containers auth configuration
copy:
content: "{{ docker_config | to_nice_json }}"
dest: "/run/user/{{ ansible_user_uid }}/auth.json"
- name: Check if /var/lib/kubelet exists - name: Check if /var/lib/kubelet exists
stat: stat:
path: /var/lib/kubelet path: /var/lib/kubelet

View File

@ -1,2 +1,2 @@
FROM debian:testing FROM docker.io/library/debian:testing
CMD echo "Zuul container test"; sleep infinity CMD echo "Zuul container test"; sleep infinity

View File

@ -1,4 +1,5 @@
- name: Ensure registry volume directories exists - name: Ensure registry volume directories exists
become: true
file: file:
state: directory state: directory
path: "/var/registry/{{ item }}" path: "/var/registry/{{ item }}"
@ -6,6 +7,7 @@
- certs - certs
- auth - auth
- name: Install python packages - name: Install python packages
become: true
package: package:
name: name:
- python3-docker - python3-docker
@ -13,6 +15,7 @@
- python3-bcrypt - python3-bcrypt
state: present state: present
- name: Write htpassword file - name: Write htpassword file
become: true
htpasswd: htpasswd:
create: true create: true
crypt_scheme: bcrypt crypt_scheme: bcrypt
@ -20,27 +23,26 @@
name: "{{ intermediate_registry.username }}" name: "{{ intermediate_registry.username }}"
password: "{{ intermediate_registry.password }}" password: "{{ intermediate_registry.password }}"
- name: Write TLS private key - name: Write TLS private key
become: true
copy: copy:
content: "{{ intermediate_registry_tls_key }}" content: "{{ intermediate_registry_tls_key }}"
dest: /var/registry/certs/domain.key dest: /var/registry/certs/domain.key
- name: Write TLS certificate - name: Write TLS certificate
become: true
copy: copy:
content: "{{ intermediate_registry_tls_cert }}{{ intermediate_registry_tls_chain | default('') }}" content: "{{ intermediate_registry_tls_cert }}{{ intermediate_registry_tls_chain | default('') }}"
dest: /var/registry/certs/domain.crt dest: /var/registry/certs/domain.crt
- name: Start intermediate docker registry - name: Start intermediate docker registry
docker_container: command: >-
name: intermediate_registry {{ container_command }} run -d
image: registry:2 --name="intermediate_registry"
state: started --restart=always
restart_policy: always --network=host
ports: --env REGISTRY_HTTP_TLS_CERTIFICATE="/certs/domain.crt"
- "5000:5000" --env REGISTRY_HTTP_TLS_KEY="/certs/domain.key"
env: --env REGISTRY_AUTH="htpasswd"
REGISTRY_HTTP_TLS_CERTIFICATE: /certs/domain.crt --env REGISTRY_AUTH_HTPASSWD_PATH="/auth/htpasswd"
REGISTRY_HTTP_TLS_KEY: /certs/domain.key --env REGISTRY_AUTH_HTPASSWD_REALM="Registry Realm"
REGISTRY_AUTH: htpasswd --volume="/var/registry/certs:/certs"
REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd --volume="/var/registry/auth:/auth"
REGISTRY_AUTH_HTPASSWD_REALM: Registry Realm docker.io/library/registry:2
volumes:
- "/var/registry/certs:/certs"
- "/var/registry/auth:/auth"

View File

@ -1,24 +1,24 @@
- hosts: all - hosts: all
tasks: tasks:
- name: List containers - name: List containers
command: "docker ps -a --format '{{ '{{ .Names }}' }}'" command: "{{ container_command }} ps -a --format '{{ '{{ .Names }}' }}'"
register: docker_containers register: docker_containers
ignore_errors: true ignore_errors: true
- name: Create container log dir - name: Create container log dir
file: file:
path: "{{ ansible_user_dir }}/zuul-output/logs/docker" path: "{{ ansible_user_dir }}/zuul-output/logs/{{ container_command }}"
state: directory state: directory
- name: Save container logs - name: Save container logs
loop: "{{ docker_containers.stdout_lines | default([]) }}" loop: "{{ docker_containers.stdout_lines | default([]) }}"
shell: "docker logs {{ item }} &> {{ ansible_user_dir }}/zuul-output/logs/docker/{{ item }}.txt" shell: "{{ container_command }} logs {{ item }} &> {{ ansible_user_dir }}/zuul-output/logs/{{ container_command }}/{{ item }}.txt"
args: args:
executable: /bin/bash executable: /bin/bash
ignore_errors: true ignore_errors: true
- name: Open container logs permissions - name: Open container logs permissions
file: file:
dest: "{{ ansible_user_dir }}/zuul-output/logs/docker" dest: "{{ ansible_user_dir }}/zuul-output/logs/{{ container_command }}"
mode: u=rwX,g=rX,o=rX mode: u=rwX,g=rX,o=rX
recurse: yes recurse: yes

View File

@ -4,10 +4,11 @@
# though that obviously happens in configuration management rather # though that obviously happens in configuration management rather
# than a job). # than a job).
- hosts: builder:intermediate-registry - hosts: builder:intermediate-registry
name: Set up docker and iptables configuration for registry hosts name: "Set up container system and iptables configuration for registry hosts"
roles:
- install-docker
tasks: tasks:
- name: Install container system
include_role:
name: "install-{{ container_command }}"
- name: Open the IPv4 port for the buildset registry - name: Open the IPv4 port for the buildset registry
become: true become: true
iptables: iptables:

View File

@ -13,8 +13,6 @@
- name: Run the intermediate registry - name: Run the intermediate registry
include_role: include_role:
name: run-test-intermediate-registry name: run-test-intermediate-registry
apply:
become: true
- name: Install the intermediate registry cert - name: Install the intermediate registry cert
include_role: include_role:
name: install-registry-cert name: install-registry-cert
@ -25,17 +23,18 @@
- name: Set up user credentials for the intermediate registry - name: Set up user credentials for the intermediate registry
include_role: include_role:
name: intermediate-registry-user-config name: intermediate-registry-user-config
- name: Build a docker image for the previous build - name: "Build a container image for the previous build"
include_role: include_role:
name: build-docker-image name: "build-{{ (container_command == 'docker') | ternary('docker', 'container') }}-image"
vars: vars:
docker_images: docker_images:
- context: test-playbooks/registry/docker - context: test-playbooks/registry/docker
repository: "{{ previous_build_repository }}" repository: "{{ previous_build_repository }}"
container_images: "{{ docker_images }}"
- name: Tag the previous build - name: Tag the previous build
command: "docker tag {{ previous_build_repository }}:latest localhost:5000/{{ previous_build_repository }}:{{ previous_build_uuid }}_latest" command: "{{ container_command }} tag {{ previous_build_repository }}:latest localhost:5000/{{ previous_build_repository }}:{{ previous_build_uuid }}_latest"
- name: Push the previous build to the intermediate registry - name: Push the previous build to the intermediate registry
command: "docker push localhost:5000/{{ previous_build_repository }}:{{ previous_build_uuid }}_latest" command: "{{ container_command }} push localhost:5000/{{ previous_build_repository }}:{{ previous_build_uuid }}_latest"
# This is also essentially pre-configuration for the real test of the # This is also essentially pre-configuration for the real test of the
# roles. This sets up a fake executor (since we can't run the # roles. This sets up a fake executor (since we can't run the
@ -112,16 +111,16 @@
- name: Include previous build vars - name: Include previous build vars
include_vars: vars/previous-build.yaml include_vars: vars/previous-build.yaml
- name: Pull the previous build from buildset registry to the builder host - name: Pull the previous build from buildset registry to the builder host
command: "docker pull {{ previous_build_repository }}:latest" command: "{{ container_command }} pull {{ previous_build_repository }}:latest"
- name: Show local docker images for debugging - name: "Show local container images for debugging"
command: "docker image ls" command: "{{ container_command }} image ls"
- name: Verify previously built image is in buildset registry - name: Verify previously built image is in buildset registry
command: "docker image inspect {{ previous_build_repository }}:latest" command: "{{ container_command }} image inspect {{ previous_build_repository }}:latest"
# Back to straightforward use of the roles under test. # Back to straightforward use of the roles under test.
- hosts: builder - hosts: builder
name: Test building a docker image name: Test building a container image
tasks: tasks:
- name: Create fake sibling projects - name: Create fake sibling projects
@ -133,7 +132,7 @@
- name: Build docker image - name: Build docker image
include_role: include_role:
name: build-docker-image name: "build-{{ (container_command == 'docker') | ternary('docker', 'container') }}-image"
vars: vars:
docker_images: docker_images:
- context: test-playbooks/registry/docker - context: test-playbooks/registry/docker
@ -141,6 +140,7 @@
siblings: siblings:
- opendev.org/fake-sibling-1 - opendev.org/fake-sibling-1
- opendev.org/fake-sibling-2 - opendev.org/fake-sibling-2
container_images: "{{ docker_images }}"
- hosts: executor - hosts: executor
name: Test pushing to the intermediate registry name: Test pushing to the intermediate registry
@ -154,6 +154,7 @@
docker_images: docker_images:
- context: playbooks/registry/docker - context: playbooks/registry/docker
repository: downstream/image repository: downstream/image
container_images: "{{ docker_images }}"
# And finally an external verification step. # And finally an external verification step.

View File

@ -3,56 +3,59 @@ intermediate_registry:
port: 5000 port: 5000
username: "zuul" username: "zuul"
password: dQI83awO8Akuw0WU password: dQI83awO8Akuw0WU
# openssl req -x509 -newkey rsa:2048 -keyout cert.key -out cert.pem -days 365 -nodes -subj '/C=US/ST=California/L=Oakland/O=Company Name/OU=Org/CN=zuul-jobs.intermediate-registry' -addext 'subjectAltName = DNS:zuul-jobs.intermediate-registry,DNS:localhost,IP:127.0.0.1'
intermediate_registry_tls_key: | intermediate_registry_tls_key: |
-----BEGIN PRIVATE KEY----- -----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDYkpjfIz7bziCa MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC46dQ/20Zsjel3
mFrWqQ84ldeAs2jvSKs2JG0RhYNNLokr2AU/5TUvqtAisyyd5AX5dBHQ7u/7Vgmj 7D2F+9+9WqslsIWfiP+zsqsz+/K5ngkdYyBEjYCBAUoLmGY/6/HkvZRBYE79R2FK
towt7loFfAG/2/rpdSGi2Njx11roBUoDsjwdE9w3aNnrDvOCyJcepx5TWYS86+vZ gjKIIo/bElKI4H6jq2nke5No+nroPXRlFh7wu0yP+U3P6pSaaDKJuJ5mMXxcboZE
IqodvdnuoWTk9VuolWfHsCgPRQV4uwMbIC5kbv2o4FORsOEzbuRfCEX9UTcAMEGg z8TyjRs1+RaFo+walNNfcA/ZOg8JRWV5Fe4JBw7GjgR6GH265h6zppakg801rFXV
K/m/kM/valkrYeBbLILsOcivg4Jh0m+PFC7NTcQFo+uwpZzZvlNtVbmQ3LqkHDAE zbf9sCRz7ic3vpNywGgz8klwqQVR3H1GlZ5zvlDr6/lPin+YwlXRd1wgRfFIima9
KDK94uBcQtdYjvvl6UZ+pNo+puD9iakYtcpQFuU8rpavMLE87+SuPVgi2Rk6QtTz K+IU+nymnBExInO5AyomolpN+bn4bnrx6q2l/FKWvEssVKZPPjT8v7lbzBiXxvb2
OAP2mDMJAgMBAAECggEBANM9MfS7WQ1mIXEI19l2roz/wmIbHGgAllbJ8sRbWLWI AKYmNjL5AgMBAAECggEARnqBNpGKBwgT62x0iqPUxGRRhT0BwSvDYieAT4EBI7RT
hW0JWB15gIYM8tRVtVgP2C/3IYWL+PFKez5+yH3odU/SI5ayhyr8/6DqJ7jD2Dxl fwrwGpDgYMswALlmh4iTmv6TClP951WUhISZY//gWrxiDt+aBSHpa3eaWNHXlLsP
JEs0puOpwmsdTyixvZy78IKKeM7NiuYGq1VwNUOrMQ1LyLB2DUAC8mXYkUpLhUm6 qRPEWTbaWKnJ+axMVYnPcWSXoxXLc6OAs6uJQnV74Jd++RLgg8Ujx2V79OzHHF3c
O4wVaGie7XwMOJazRs66ceU9k7Nuv3b57yc3PN2bzTqYUVjmJ1XeuAiBJaAeHts6 AwwH1NHHWXPaxrItB+nLiV0Q9eQh5nibW12IFmyknYaAeYmanzVwDplBubtsS1T3
NfG1+vO9xLXIRTRWvDGKByNsYJJLLPOXZkQZZFYYe8TTduxyCmZgShY6sZmmnWua X1kjUUaG58qCT/XyyM4YvagaDyy75T6J4XYnRsV7b/FKwc8FuF0vgbI+yY3B8nrz
cAdBL6b/5B3PZ2SkhdLHklaZmH8PTeAoqI2RDz/8eIECgYEA8gofU8LrK1Xjgrig h4z14QLNvNmUiGbkJRpDzKQb/BeWvT/GPXzvD2ObHQKBgQDfrxIiO4bWa+IjJNSn
ItQxYxqZCrggm9lMMcaADc7u3nff68NyImZ5bSXhvZCu74cAIMx12HbU1UvSCsQ4 FySIBBoKzh70LC8ElQ8AkrzjeucgtPQIY0zJcdT9nhAcS4mYqw4tp1snhm9mbyuB
/cncHrlBOzG529878+iWgiUrJ29GsQiHGj+qHA4qGBSP0Qan7ISunskj4GezTeHd huF83MwNFJ/O46IrWWpji0fXKQGgmPNex7yDGHYaVAE/nbzajGXXlGB1+w3tHCvM
/A3oTn5rLuld9V++647O35lXArkCgYEA5RBwV5nle49UT38hNqL/K+TUX5oZJXB8 1fxKxtLURHNtjfDBZUqDcz+PhwKBgQDToNXiMo5fKc3PninxaHrjnDQmDxk5t1y6
Xl9FT1L799toHUPEWEkSpf7Suf1hDwv6+tsIPO6tN7YirxK390JRxPaT948J8n1d hEOTJf12BJDw4syh3YzxFcAH0CA47OTy7o7dMZVt5RZ53XKR5fbYfKD7KGX/claw
TkurGDs1uwLQdUWgXIwvQ8ms+8rYvTU7vg2hI7/BZhH09LmGCiYSwnem0QYXjGnc sfutpskuVgFj4pnwShylFB6dQueFiHcWHf/DjMJmKyNM1dxzZcfqnH6P7FZaiYoW
kk56VeExytECgYBmBDw2Ctcied4eEAF3DKcQVXqiGP+tkMZbyIXazBjEbhRUhBmM eoLdy1vJfwKBgQCtTL845HOgNq9aWROkbQqxkrP2gSF8Pasj2rRn1kgf2j2tmmSj
RFLz3V6rjtsdHHLCYEtfhJ6qlH2gihpXZgjAbmb/MzNaaFoVsTgW/OGWioFqRuTi BwQb4mSJJegHdAKj1ItEla/K3J38d872KGEU0yAIVl1F9hjTixAhFWzQZwXKvhV3
/GiP0KyPX8NKYBrRRw9u3+qeQDdEIWp2Pcpno0M8D6LJtKR9FsE9X51cCQKBgQCs 7jnAO7hsx368IeKKVFInBt8BKUPt23CX34X7DTWUnX/sdhb8TxS+6RBqiwKBgQCF
8u5/ldjoo91acHhZUlQrhgi7bhQSao3ciz4/mD5ac7R2dBYpOnL0FiRw/VhtDfSf 3GAtuejQTPL/9n11U68XtcBOqpI8Lb2bxPmxZABU3EKJ/AuP/0GdZTKYPo+DMmUH
twTPTL5IVCJ34UA5Vj964VnzDnLKPdFXLlauYvY8jvFpufpMJiQBoKIVMqDWqvzC PNplE23/mz6CSw6jNqDTAtIYy87oq3wmPA6EItFyW7h5Y+YXVemUiYtr0dv8XPtm
kHPcFAon0OMMa49C1mBPqBuxslHRWJSLeulvMipwIQKBgDFzDTH49cmKP8YQmCuT pAcZvDliwrqLaWMOIz03K1Hq24Urs4ADA+8vN+iRJQKBgQCtNXP4sTXjRhO+leiM
vC5PJJ+hutbf/dOVJuOZ5KlKwnRkbMwoamYKrkjgmWMBgtzyz12/a46lZ58ul4xW 3YXc/qBof9TNlMcKS0g6C0s/+KFZ1CG3DbN0CizDCxqYWedOB7CKWklmfg7ENEhL
1fKw/nx8uQcbnKnigyjsAUzI9FgBR4d10cYdxPlfYVmj4TAUA3os5Gu6VKySy6SV NI6NTo10Q376UZE1+TmaWjGdIdvaxDnUeabSeqUXQxinWOS1pGzMgwXULw1BMLCq
xuHEIA6nFsXLXGBu25vI5tEv Zy9ZnBgOFe2NJl4U7EN8Xdmfrw==
-----END PRIVATE KEY----- -----END PRIVATE KEY-----
intermediate_registry_tls_cert: | intermediate_registry_tls_cert: |
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
MIIDtDCCApygAwIBAgIJANpxowfzYw4vMA0GCSqGSIb3DQEBCwUAMG8xCzAJBgNV MIIEKDCCAxCgAwIBAgIUWVQQugUNh53VhvVfb3S49zw3GvgwDQYJKoZIhvcNAQEL
BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX BQAwgYMxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRAwDgYDVQQH
aWRnaXRzIFB0eSBMdGQxKDAmBgNVBAMMH3p1dWwtam9icy5pbnRlcm1lZGlhdGUt DAdPYWtsYW5kMRUwEwYDVQQKDAxDb21wYW55IE5hbWUxDDAKBgNVBAsMA09yZzEo
cmVnaXN0cnkwHhcNMTkwNTMwMjAwOTQxWhcNMzkwNTI1MjAwOTQxWjBvMQswCQYD MCYGA1UEAwwfenV1bC1qb2JzLmludGVybWVkaWF0ZS1yZWdpc3RyeTAeFw0xOTEx
VQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQg MjExODQ5MjhaFw0yMDExMjAxODQ5MjhaMIGDMQswCQYDVQQGEwJVUzETMBEGA1UE
V2lkZ2l0cyBQdHkgTHRkMSgwJgYDVQQDDB96dXVsLWpvYnMuaW50ZXJtZWRpYXRl CAwKQ2FsaWZvcm5pYTEQMA4GA1UEBwwHT2FrbGFuZDEVMBMGA1UECgwMQ29tcGFu
LXJlZ2lzdHJ5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2JKY3yM+ eSBOYW1lMQwwCgYDVQQLDANPcmcxKDAmBgNVBAMMH3p1dWwtam9icy5pbnRlcm1l
284gmpha1qkPOJXXgLNo70irNiRtEYWDTS6JK9gFP+U1L6rQIrMsneQF+XQR0O7v ZGlhdGUtcmVnaXN0cnkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4
+1YJo7aMLe5aBXwBv9v66XUhotjY8dda6AVKA7I8HRPcN2jZ6w7zgsiXHqceU1mE 6dQ/20Zsjel37D2F+9+9WqslsIWfiP+zsqsz+/K5ngkdYyBEjYCBAUoLmGY/6/Hk
vOvr2SKqHb3Z7qFk5PVbqJVnx7AoD0UFeLsDGyAuZG79qOBTkbDhM27kXwhF/VE3 vZRBYE79R2FKgjKIIo/bElKI4H6jq2nke5No+nroPXRlFh7wu0yP+U3P6pSaaDKJ
ADBBoCv5v5DP72pZK2HgWyyC7DnIr4OCYdJvjxQuzU3EBaPrsKWc2b5TbVW5kNy6 uJ5mMXxcboZEz8TyjRs1+RaFo+walNNfcA/ZOg8JRWV5Fe4JBw7GjgR6GH265h6z
pBwwBCgyveLgXELXWI775elGfqTaPqbg/YmpGLXKUBblPK6WrzCxPO/krj1YItkZ ppakg801rFXVzbf9sCRz7ic3vpNywGgz8klwqQVR3H1GlZ5zvlDr6/lPin+YwlXR
OkLU8zgD9pgzCQIDAQABo1MwUTAdBgNVHQ4EFgQU00qH9bMUPRacZwgvBgczgR8Z d1wgRfFIima9K+IU+nymnBExInO5AyomolpN+bn4bnrx6q2l/FKWvEssVKZPPjT8
424wHwYDVR0jBBgwFoAU00qH9bMUPRacZwgvBgczgR8Z424wDwYDVR0TAQH/BAUw v7lbzBiXxvb2AKYmNjL5AgMBAAGjgZEwgY4wHQYDVR0OBBYEFCXcx6YJW0L1JMSA
AwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAHEX2Tw19w5okaJ+6gHMFjA338ffwU9n5 rQDbbc9LyQN3MB8GA1UdIwQYMBaAFCXcx6YJW0L1JMSArQDbbc9LyQN3MA8GA1Ud
2piBMypbYr50yyPyUaTmz4SIBsTLkIWu00a0pdo9pqZDnv1KwxtJtP4o4qQXhMd4 EwEB/wQFMAMBAf8wOwYDVR0RBDQwMoIfenV1bC1qb2JzLmludGVybWVkaWF0ZS1y
Ve3FFF+6AMaOy5y5+hRkE8iHOOik/rNPFqkVDatNGuOMSNYO/jUFXc+C6Ol7gM/J ZWdpc3RyeYIJbG9jYWxob3N0hwR/AAABMA0GCSqGSIb3DQEBCwUAA4IBAQBMQR4u
edyWaafjQbvdKapKPbdP4Y69R8OlRTNK1lJMIGJrsCdaeaK4EpLpbJPHnagIMdmQ bcdeS6ML/X/BLh3HBjWf0DYobU5GVBoMC9c+L9Fxh82ck/CAK3Oeozr9iHFu5YLj
HDsTf978weRrjJ4JEODTabsKVHKyx0GBwe8CmR0NzpfO2ORCyNUO1rLK2rzh5YTQ OsJWlAbRl0Getz7HOnVH9rMyL/ac9c99CKixjY1Vsf49x1itpOQULoZ+zJixFROk
qKGyfY0DAyiSHxKaUeGiskc4/WMxaYv2FzD63Xvzmot9atSwCMjN1A== 07KhnkaqsYs4SIfDSoa18UmBROEVT2y7yT0uYAwyxwMtZVJWUg7L9OuxPE/tMB0/
NyNwMzhdKBL0V54rXH0dxOQ0yE5mGkaOOgKS5x43r78xRRNZ3JM5iRj3S0P75Nbg
YDvkkOd0Pf+5UPBJyc4wh5TA+vOrU63lKa6RwIWIbA+xXJn5WJQFoQOjO2dCcEka
8p2tutWB2+G+3F12
-----END CERTIFICATE----- -----END CERTIFICATE-----
#intermediate_registry_tls_chain

View File

@ -2,7 +2,7 @@
# buildset via provides/requires. This build should be copied from # buildset via provides/requires. This build should be copied from
# the intermediate registry to the buildset registry. # the intermediate registry to the buildset registry.
previous_build_repository: upstream/image previous_build_repository: docker.io/upstream/image
previous_build_uuid: 48a84fe22a744cb5b0310f396358d912 previous_build_uuid: 48a84fe22a744cb5b0310f396358d912
previous_build_zuul: previous_build_zuul:
artifacts: artifacts:

View File

@ -1,5 +1,5 @@
- job: - job:
name: zuul-jobs-test-registry name: zuul-jobs-test-registry-docker
description: | description: |
Test the intermediate registry roles. Test the intermediate registry roles.
@ -17,6 +17,38 @@
pre-run: test-playbooks/registry/test-registry-pre.yaml pre-run: test-playbooks/registry/test-registry-pre.yaml
run: test-playbooks/registry/test-registry.yaml run: test-playbooks/registry/test-registry.yaml
post-run: test-playbooks/registry/test-registry-post.yaml post-run: test-playbooks/registry/test-registry-post.yaml
vars:
container_command: docker
nodeset:
nodes:
- name: intermediate-registry
label: ubuntu-bionic
- name: executor
label: ubuntu-bionic
- name: builder
label: ubuntu-bionic
- job:
name: zuul-jobs-test-registry-podman
description: |
Test the intermediate registry roles.
This job tests changes to the intermediate registry roles using
podman rather than docker. It is not meant to be used directly
but rather run on changes to roles in the zuul-jobs repo.
files:
- roles/pull-from-intermediate-registry/.*
- roles/push-to-intermediate-registry/.*
- roles/install-podman/.*
- roles/build-container-image/.*
- roles/run-buildset-registry/.*
- roles/use-buildset-registry/.*
- test-playbooks/registry/.*
pre-run: test-playbooks/registry/test-registry-pre.yaml
run: test-playbooks/registry/test-registry.yaml
post-run: test-playbooks/registry/test-registry-post.yaml
vars:
container_command: podman
nodeset: nodeset:
nodes: nodes:
- name: intermediate-registry - name: intermediate-registry
@ -52,6 +84,8 @@
pre-run: test-playbooks/registry/buildset-registry-pre.yaml pre-run: test-playbooks/registry/buildset-registry-pre.yaml
run: test-playbooks/registry/buildset-registry.yaml run: test-playbooks/registry/buildset-registry.yaml
post-run: test-playbooks/registry/test-registry-post.yaml post-run: test-playbooks/registry/test-registry-post.yaml
vars:
container_command: docker
- job: - job:
name: zuul-jobs-test-registry-buildset-registry-k8s-docker name: zuul-jobs-test-registry-buildset-registry-k8s-docker
@ -74,6 +108,8 @@
post-run: post-run:
- test-playbooks/registry/buildset-registry-k8s-docker-post.yaml - test-playbooks/registry/buildset-registry-k8s-docker-post.yaml
- test-playbooks/registry/test-registry-post.yaml - test-playbooks/registry/test-registry-post.yaml
vars:
container_command: docker
- job: - job:
name: zuul-jobs-test-install-kubernetes-docker name: zuul-jobs-test-install-kubernetes-docker
@ -126,7 +162,8 @@
- project: - project:
check: check:
jobs: &id001 jobs: &id001
- zuul-jobs-test-registry - zuul-jobs-test-registry-docker
- zuul-jobs-test-registry-podman
- zuul-jobs-test-registry-buildset-registry - zuul-jobs-test-registry-buildset-registry
- zuul-jobs-test-registry-buildset-registry-k8s-docker - zuul-jobs-test-registry-buildset-registry-k8s-docker
- zuul-jobs-test-install-kubernetes-docker - zuul-jobs-test-install-kubernetes-docker