9 Commits

Author SHA1 Message Date
James E. Blair
f381cc328b Update promote-container-image to copy from intermediate registry
Change-Id: Ia24bbd101e01ab371ceacfed006b5ff806418a97
2023-04-12 11:36:26 -07:00
Ian Wienand
9df7c8eb70 promote-container-image: use generic tag removal role
This uses the generic tag removal role added with
I7f2d9d00024e34451e2d20b2c2f8171ecd151943 to clean up the promote tag
and any leaked tags.

Change-Id: I3f1b82d63874ee886048b9ccabe616a60dc09434
2023-04-04 09:56:18 +10:00
Ian Wienand
0a64d51c3d promote-container-image: add promote_container_image_method
After recent conversations, we've come to the conclusion it will be
good to have two models of promotion:

 - using tags, where gate directly uploads to the final repository and
   promote retags the image.

 - from an intermediate-registry, where upload stores the built image
   in an i-r and the promote step uploads to the final registry.

To facilitate this, we add a "promote_container_image_method" flag to
the promote roles.

The documentation is expanded to explain how all this is intended to
work together.

These roles haven't been publicised yet, but this should be a no-op as
it defaults to tags, which is the current operation.

c.f. Ia24bbd101e01ab371ceacfed006b5ff806418a97

Change-Id: I1c25f60f835b1cab983bcdd169eeffc0e250a56c
2023-04-04 09:50:17 +10:00
Ian Wienand
51e437c2f1 promote-image-container: do not delete tags
As noted inline, currently promote-image-container uses skopeo to
delete tags which is not the semantics we want.  This results in the
whole image being removed.

For safety we remove this call; we have two solutions in follow-ons
(deleting tags directly from the registry with a generic tag, and
promoting images from the intermediate registry).

Change-Id: I4b257f593275413da9a50a0cc64e13638e7f94cb
2023-03-30 08:30:33 +11:00
James E. Blair
6fd25dc10d Add --insecure-policy to skopeo promote command
We don't seem to have a policy file available in zuul-bwrap, but
we also don't really need it for this operation, so just tell skopeo
to skip it.

Also, fix the registry logout command.

Change-Id: I18ad59ffa8e8e80a720e798ab2bb81ea5d19619a
2023-03-23 18:56:02 -07:00
James E. Blair
e07ed8b5d9 Move container-image-promote login block
This should be inside the zk_image loop.  Also, try to log out
as well.

Change-Id: Id569b8a46c373e1c0b7b48d97ad45c893298fedf
2023-03-23 18:19:23 -07:00
James E. Blair
a3a38ee2a2 Handle credential repository not being defined in container roles
This attribute is optional.

Change-Id: I0875b25d07f5fde0f6c3a3b62c0dac93770ffc49
2023-03-23 15:33:36 -07:00
James E. Blair
8d5c65153f Add container repository cred permission checks
The docker roles perform permission checks to verify that the
owner of the credential is okay with a job uploading to a given
repo.  The container roles document that they perform the same
check, but that wasn't implemented.  This change implements it.

Change-Id: I1fa7ad985664688de76f0fcc280fbfea4f02fb7c
2023-03-21 10:18:37 -07:00
okozachenko
0c3b87f20e Add promote-container-image role
This role uses skopeo to perform image operations.

Also update the container roles docs to add missing documentation
for the already existing upload-container-image role.  Clarify
some ambiguity about the registry and repository attributes of
the container images data structure.

Change-Id: Ib66c85daf0edacf0dd797ab34b0d629f99c7111b
Co-Authored-By: James E. Blair <jim@acmegating.com>
2023-03-21 10:17:49 -07:00