Commit Graph

24 Commits

Author SHA1 Message Date
Ian Wienand 4340c8d473
promote-docker-image: improve failure debuggability
Currently this no_logs the entire selection and delete loop, which is
probably maximal efficiency but makes it very hard to debug on failure
(which we are seeing).  This extracts the list creation and uri call
so we can see the tags it is trying to delete.

Change-Id: I93fd19aedaa9fc328a1a347986a5f0c20439d476
2023-02-08 08:26:07 +11:00
Ian Wienand 1c85809ab1
promote-docker-image: double-quote regexes
Change Ibc84e4f3fb18331ff6e2eb01037254be65dc53f5 removed the {{ from
this, which Ansible does warn about.  However it then started failing.

Upon local testing, I could see

 The conditional check 'ansible_date_time.iso8601 |
 regex_replace('^(....-..-..)T(..:..:..).*Z', '\\1 \\2') |
 to_datetime' failed. The error was: time data '\\x01 \\x02' does not
 match format '%Y-%m-%d %H:%M:%S

So for whatever reason, without the surrounding {{ }} the
regex_replace is getting turned into the string "\\1 \\2" -- not the
first and second results of the match.  Double quoting seems to fix
this.

Change-Id: I689385a3eb8b9ce373ff579c72cd29e46ebcaf8b
2023-02-08 07:27:47 +11:00
Clark Boylan 613e318a98 Fix ansible-lint no-jinja-when occurrence
Ansible lint 6.12.1 released a few hours ago and started enforcing this
rule.

Change-Id: Ibc84e4f3fb18331ff6e2eb01037254be65dc53f5
2023-02-03 13:04:10 -08:00
Ian Wienand f815383dca
promote-docker-image: also accept OCI manifest formats
It seems likely that new versions of buildx are uploading manifests in
the OCI manifest format, which needs to be explicitly accepted in the
headers.

Change-Id: Ie2b908b7019389087ea37058bed15760619e48c6
2023-01-31 09:38:50 +11:00
James E. Blair e8cc0b54ed Ignore errors when deleting tags from dockerhub
We've seen a case where we can still push and pull tags from dockerhub,
but the web UI and API seem out of sync with the actual registry.  In
this case, we would like to continue, even though it will leave some
unused tags in the repo (they can be cleaned up later if they ever
show up).

Change-Id: If000163a321c869c46cfed4233c2ea42c3e8471b
2021-07-02 16:58:48 -07:00
Andrii Ostapenko a8084e54ef
Fix promote cleanup
Change-Id: I1b639e5ed221301219f808a53dcb938cccefa019
Signed-off-by: Andrii Ostapenko <andrii.ostapenko@att.com>
2020-09-28 16:58:19 -05:00
Andrii Ostapenko ef47a743b6
Add ability to use *-docker-image roles in periodic jobs
Use the '{{ zuul.pipeline }}' tag prefix in *-docker-image instead of the
'change_{{ zuul.change }}' one when zuul.change is not provided, which is
the case with periodic jobs. This allows building, uploading and promoting
images using periodic jobs, e.g.:

- project:
    periodic:
      - project-buildset-registry

      - project-build-image1:
          dependencies:
            - name: project-buildset-registry
      - project-build-image2:
          dependencies:
            - name: project-buildset-registry

      # pulls from buildset registry and tests both images
      - project-test:
          dependencies:
            - name: project-build-image1
            - name: project-build-image2

      # pre-pulls images from buildset registry for fast build
      - project-upload-image1:
          dependencies:
            - name: project-test
      - project-upload-image2:
          dependencies:
            - name: project-test

      - project-promote:
          dependencies:
            - name: project-upload-image1
            - name: project-upload-image2

This functionality will allow keeping the latest images up to date for the
case when an image incorporates continuously updating code from multiple
repositories.

Using a true ternary for tag evaluation because the ternary filter requires
all variables passed to it to be defined or defaulted [0].

[0] https://github.com/ansible/ansible/issues/51276

Change-Id: I8eb7d2baa24905e7aac51fce0b2f9b1f24f037f9
Signed-off-by: Andrii Ostapenko <andrii.ostapenko@att.com>
2020-09-25 14:22:17 -05:00
James E. Blair 2dc89d8347 Reinstate docker tag cleanup
This uses a new method of calculating the cutoff time which does not
require executing code on the executor.

Change-Id: I92e71727e24281a31cb7caf0b78dd17a5aaae129
Co-Authored-By: Clark Boylan <clark.boylan@gmail.com>
2020-07-22 08:39:54 -07:00
James E. Blair abd4ab18a3 Temporarily disable tag cleanup in docker promote
This was relying on a bug in the executor.  It's not critical
functionality, so just avoid it for now.

Change-Id: I6069150324d0b921cdb8cbc6902e74ec2a6036cc
2020-07-22 07:26:05 -07:00
James E. Blair b2b5ba1f27 Handle multi-arch docker manifests in promote
A multi-arch manifest is a manifest list which has a different content-type
than a regular manifest.  In order to re-tag the image correctly, tell
docker hub that we can accept both kinds of manifests, and re-upload
the one that it gives us.  This will be a manifest list if it exists, or
a regular manifest if it doesn't.

Change-Id: I7863b0c824c0b3cb20f94ba67399e823a216092b
2020-07-01 15:37:58 -07:00
Albin Vass bee0c6ae2f ansible-lint: use matchplay instead of matchtask
For some reason matchtask doesn't match includes; matchplay does, so use
that instead.

Change-Id: I040f7f3394503e92d06c05e8ff671a43b14baebc
2020-05-05 20:42:38 +02:00
Sorin Sbarnea 33461bbecc Enable yamllint
Adds yamllint to the linters with a minimal configuration, some
rules are disabled to allow us to fix them in follow-ups, if
we agree on them.

Fixes invalid YAML file containing characters inside block.

Fixes a few minor linting issues.

Change-Id: I936fe2c997597972d884c5fc62655d28e8aaf8c5
2020-05-04 17:47:11 +01:00
James E. Blair 0f08d893b6 Fix another incorrect variable name for promote-docker-image
We missed this in an earlier rename.

Change-Id: Ia1c068136fbd51e5ed9f4d9960ee4ff73ecbf303
2020-04-30 08:02:37 -07:00
Mohammed Naser 5b37cabf41 Fix incorrect variable name for promote-docker-image
The variable was changed inside the role from image to zj_image but the
included task file did not use the new variable name.  This patch fixes
this.

Change-Id: Ibe3acbd0881da24ec9c2f636d777885a309bdf98
2020-04-29 20:04:09 -04:00
Albin Vass d0e2016592 Add loop var policy to ansible-lint
This adds a custom ansible-lint rule at .rules/ZuulJobsNamespaceLoopVar.py
that enforces the loop var policy described at:
https://zuul-ci.org/docs/zuul-jobs/policy.html#ansible-loops-in-roles

It also updates existing roles to follow the policy.

Change-Id: I92b2ff56a1c2702542fc07b316f1809087a4c92f
2020-04-29 17:20:59 +02:00
Monty Taylor a86510bd02 Trim whitespace from uri password for docker promote
The uri module faithfully passes the entire string, even if it has
trailing whitespace such as a newline. The zuul encrypt_secret
command currently does not trim, so if echo was used instead of
echo -n this can fail in a hard to debug manner.

Change-Id: Ic9525ac2925b6639f58604ca40dc878d20511ff8
2020-03-23 13:01:46 -05:00
Clark Boylan 4ed66807a0 Use unique loop vars to avoid conflicts
We have to be careful about avoiding outer loop loop_var conflicts in
ansible. Because the zuul-jobs roles are meant to be reconsumed
elsewhere we should not use 'item' loopvars and instead set them to
something a bit more unique.

We use a zj_ prefix to try and be unique to this repo and document this
convention.

Change-Id: I20b9327a914890e9eafcb2b36dc8c23fb472bc8f
2020-02-04 12:23:36 -08:00
Jean-Philippe Evrard 9bc813daa7 Dockerhub now returns 200 for DELETEs
We need to adapt to this, else the promote pipeline fails.

Change-Id: Ie617efc8b9a7fefb565c67c796d42c87a1ee998f
2019-06-20 10:20:40 +00:00
James E. Blair 61a76f95f0 Add retries to promote-docker-image
This should make this step more robust to remote failures.

Change-Id: I3f3d643ac5285027bda909ac6d55d8959a4b4f79
2019-03-20 09:02:18 -07:00
James E. Blair 9cbb8c0ac6 Fix docker image retag
The missing "." from the content-type headers was causing us
to downgrade image manifests from v1 to v2 when promoting them.
That can cause problems since many tools no longer support v1
manifests.

Notably, the docker registry is one of them.

Change-Id: I35a5d29933669b80b49578587ebe6db8e13e62ad
2019-03-01 15:55:24 -08:00
James E. Blair 885f02e217 Handle multiple docker images with the same repository
So that users can specify two docker image builds for the same
repository, but with different tags, ensure that the temporary
change_ tag attached to the image also includes the final tag
name.

This allows this configuration to work:

docker_images:
  - repository: foo/image
    context: opensuse
    tags:
      - opensuse-latest
  - repository: foo/image
    context: ubuntu
    tags:
      - ubuntu-latest

Change-Id: I917dcf8a74fc864ea06dc70bdb3e212dc170eb48
2019-02-27 11:08:44 -08:00
James E. Blair 3e3f836435 docker: add ability to restrict repository names
This allows us to construct a job which allows users to pass in a
secret (via pass-to-parent) which includes not only the user/pass,
but also a restriction for what docker image repositories may be
accessed using that user/pass.  This allows an operator to create
one credential, and then use that credential in multiple secrets
for multiple projects, each with a distinct restriction on where
images may be uploaded.

Change-Id: I7a3cf97a16d34c76df8601990954e1f2b0e498f5
2019-01-18 09:43:11 -08:00
James E. Blair 1c827e4761 docker: prefix role vars
These probably should have been prefixed to start with.  The roles
are brand new, not publicised, and likely not widely used.  I think
we can merge this without announcement or deprecation.

Change-Id: I7825ef6fee1325b6d4fcc179032652eb5530d016
2019-01-17 11:28:37 -08:00
James E. Blair 8640466183 Add docker image promotion roles
This adds three roles which can be used to build a docker image
promotion system.

Change-Id: Iefd9278cdb90bbbaab93a4d23c055e9289fde5ba
2019-01-15 14:03:00 -08:00