Merge "promote-container-image: use generic tag removal role"
This commit is contained in:
commit
e3804cb3c4
@ -100,7 +100,10 @@ Once this role completes, the temporary upload tags are no longer
|
|||||||
required. The role removes the change-id tags from the repository in
|
required. The role removes the change-id tags from the repository in
|
||||||
the registry, and removes any similar change-ids tags. This keeps the
|
the registry, and removes any similar change-ids tags. This keeps the
|
||||||
repository tidy in the case that gated changes fail to merge after
|
repository tidy in the case that gated changes fail to merge after
|
||||||
uploading their staged images.
|
uploading their staged images. Remvoing these tags is a registry
|
||||||
|
specific operation. You should double check the ``api_token``
|
||||||
|
requirements for your registry described below. For more details see
|
||||||
|
:zuul:role:`remove-registry-tag`.
|
||||||
|
|
||||||
In ``intermediate-registry`` mode, this role queries Zuul to find the
|
In ``intermediate-registry`` mode, this role queries Zuul to find the
|
||||||
build performed by the build role in the ``gate``. It then copies
|
build performed by the build role in the ``gate``. It then copies
|
||||||
@ -179,6 +182,22 @@ using the roles described here.
|
|||||||
|
|
||||||
repository: "^myorgname/{{ zuul.project.short_name }}.*"
|
repository: "^myorgname/{{ zuul.project.short_name }}.*"
|
||||||
|
|
||||||
|
.. zuul:rolevar:: api_token
|
||||||
|
|
||||||
|
Optional; When using the promote roles, the registry API is
|
||||||
|
used to remove temporary tags. if your registry requires a
|
||||||
|
token to talk to the registry API, add it here. This is
|
||||||
|
registry dependent; some allow API access via the
|
||||||
|
username/password, but others require issuing a separate
|
||||||
|
token. For more details see
|
||||||
|
:zuul:role:`remove-registry-tag`. Some examples:
|
||||||
|
|
||||||
|
* **docker** : API is access via username/password, does not
|
||||||
|
require token.
|
||||||
|
* **quay.io** : A token must be generated from an
|
||||||
|
"application" that a user has allowed to operate on its
|
||||||
|
behalf. See `<https://docs.quay.io/api/>`__.
|
||||||
|
|
||||||
.. zuul:rolevar:: container_images
|
.. zuul:rolevar:: container_images
|
||||||
:type: list
|
:type: list
|
||||||
|
|
||||||
|
@ -23,10 +23,3 @@
|
|||||||
loop_control:
|
loop_control:
|
||||||
loop_var: zj_image
|
loop_var: zj_image
|
||||||
include_tasks: promote-retag.yaml
|
include_tasks: promote-retag.yaml
|
||||||
|
|
||||||
# The docker roles prune obsolete tags here, but that relies on a
|
|
||||||
# timestamp to make sure we're not deleting in-progress tags (that the
|
|
||||||
# gate pipeline may be uploading at the same time we're promoting).
|
|
||||||
# That timestamp is not available with skopeo list-tags, so some other
|
|
||||||
# mechanism will need to be devised to clean them up. In the
|
|
||||||
# meantime, we hope that the cleanup in promote-retag succeeds.
|
|
||||||
|
@ -10,29 +10,10 @@
|
|||||||
retries: 3
|
retries: 3
|
||||||
delay: 30
|
delay: 30
|
||||||
|
|
||||||
# NOTE(ianw) 2023-03-27 : It is actually quite difficult to delete a
|
- name: Delete the temporary change tag we just renamed
|
||||||
# tag in a generic way...
|
include_role:
|
||||||
#
|
name: remove-registry-tag
|
||||||
# The OCI distribution spec does has specified for a while that you
|
vars:
|
||||||
# should be able to delete a tag with the registry API using DELETE
|
remove_registry_tag_repository: '{{ zj_image.repository }}'
|
||||||
# /v2/<name>/manifests/tag [1] but this is basically not implemented
|
remove_registry_tag_tag: '{{ promote_tag_prefix }}_{{ zj_image_tag }}'
|
||||||
# on any registry. So that's out.
|
no_log: true
|
||||||
#
|
|
||||||
# "skopeo delete" dereferences the tag to a digest and deletes that.
|
|
||||||
# This is not what we want, as it deletes *all* tags pointing to it.
|
|
||||||
# This is probably not what people want (see many github issues!) but
|
|
||||||
# now it's like that, it's difficult to change. The man page now
|
|
||||||
# gives all sorts of caveats [2].
|
|
||||||
#
|
|
||||||
# So that leaves deleting tags via individual API's specified by each
|
|
||||||
# provider. This is what promote-docker-image currently does (via the
|
|
||||||
# hub API at hub.docker.com). quay.io also allows this via API, but
|
|
||||||
# implements getting an API token differently to hub.docker.com.
|
|
||||||
# artifactory also allows it via it's API.
|
|
||||||
#
|
|
||||||
# [1] https://github.com/opencontainers/distribution-spec/blob/v1.0/spec.md#deleting-tags
|
|
||||||
# [2] https://github.com/containers/skopeo/blob/main/docs/skopeo-delete.1.md
|
|
||||||
|
|
||||||
- name: Delete the current change tag
|
|
||||||
debug:
|
|
||||||
msg: 'We currently do not delete old tags'
|
|
||||||
|
@ -17,3 +17,12 @@
|
|||||||
always:
|
always:
|
||||||
- name: Log out of registry
|
- name: Log out of registry
|
||||||
command: "skopeo logout {{ zj_image.registry }}"
|
command: "skopeo logout {{ zj_image.registry }}"
|
||||||
|
|
||||||
|
# If a gate job failed, we might have uploaded and leaked tags. This
|
||||||
|
# cleans up anything around for more than 24 hours
|
||||||
|
- name: Cleanup leaked images
|
||||||
|
include_role:
|
||||||
|
name: remove-registry-tag
|
||||||
|
vars:
|
||||||
|
remove_registry_tag_repository: '{{ zj_image.repository }}'
|
||||||
|
no_log: true
|
||||||
|
Loading…
Reference in New Issue
Block a user