Commit Graph

19 Commits

Author SHA1 Message Date
Paul Belanger c3309e045a Always log out of docker registry after upload
Make sure we always log out of the docker registry, as not to allow
other playbooks to use the session.

Change-Id: I65fb71884b08802b5537ecef7304129cdeb952c3
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2020-11-12 14:01:57 -05:00
Andrii Ostapenko ef47a743b6
Add ability to use *-docker-image roles in periodic jobs
Use '{{ zuul.pipeline }}' tag prefix in *-docker-image instead of
'change_{{ zuul.change }}' one when zuul.change is not provided, that is
the case with periodic jobs. This allows to build, upload and promote images
using periodic jobs e.g:

- project:
    periodic:
      - project-buildset-registry

      - project-build-image1:
          dependencies:
            - name: project-buildset-registry
      - project-build-image2:
          dependencies:
            - name: project-buildset-registry

      # pulls from buildset registry and tests both images
      - project-test:
          dependencies:
            - name: project-build-image1
            - name: project-build-image2

      # pre-pulls images from buildset registry for fast build
      - project-upload-image1:
          dependencies:
            - name: project-test
      - project-upload-image2:
          dependencies:
            - name: project-test

      - project-promote:
          dependencies:
            - name: project-upload-image1
            - name: project-upload-image2

This fuctionality will allow to keep latest images up to date for the
case when image incorporates continuously updating code from multiple
repositories.

Using true ternary for tag evaluation because ternary filter requires
all passed to it variables be defined or defaulted [0].

[0] https://github.com/ansible/ansible/issues/51276

Change-Id: I8eb7d2baa24905e7aac51fce0b2f9b1f24f037f9
Signed-off-by: Andrii Ostapenko <andrii.ostapenko@att.com>
2020-09-25 14:22:17 -05:00
Albin Vass 06e35b2125 Test multiarch release builds and use temp registry with buildx
When using docker buildx to build a container image, use a temporary
registry to receive the built image instead of requiring a buildset
registry.

A multi-arch test is also added with a publication registry
using the same task list to reduce duplication.

Change-Id: Ib20d1c97f6cb63e0ff9d8888ea792d1941cd8690
Co-Authored-By: James E. Blair <jeblair@redhat.com>
2020-07-01 10:29:31 -07:00
Albin Vass 0f55195335 Add tests for upload-docker-image
This also adds support for using a self hosted registry
with the docker roles.

Change-Id: I43caf46cfcc5d335ce14d72ad2abbef732b24645
2020-06-22 06:55:11 -07:00
James E. Blair d46b41857c Fix upload-docker-image when in release pipeline
The zuul.change variable isn't defined when run in a tag-based
release pipeline.  Even though it's wrapped in a ternary operator,
it is still dereferenced even if it's not used.  Make sure we
dereference it safely.

Change-Id: I215a003493603de99296035d77eee64cc66e83f1
2020-06-12 13:57:09 -07:00
James E. Blair bf43f5bb8c Allow upload-docker-image role to be used outside of promote
This adds an option to the upload-docker-image role so that a job
can be written to run build-docker-image and upload-docker-image
in a release pipeline.  This lets users build tagged docker images
from release tags rather than using the promote pipeline (which
may have built the image before a release git tag was applied).

Change-Id: Id28d0a85e02e56640911c44ddbfff7b38547b0b4
2020-06-10 09:56:40 -07:00
Monty Taylor 64741aa73d Don't upload to the tag with buildx - only to the change tag
This is a copy/pasta error from pulling this logic over from build.
We need to upload to dockerhub but only to the change_ version
of the tag.

Change-Id: I19d1b326ad2c5b1cef846f47e667f3c3480582e7
2020-05-07 18:17:59 -05:00
Monty Taylor bd1ee92542 Process siblings in upload-image push
Otherwise the context might be different and we might have to
rebuild, which would be silly. I mean, not like this isn't
silly already.

Change-Id: I3651390581ad1b4ae66ed336825f60284bd7c4ad
2020-05-07 17:01:35 -05:00
Monty Taylor 53118e79ea Actually include platform in the upload build
It's awesome, we used buildx to push to docker hub. What we forgot
to do is pass the arch argument.

Change-Id: I99025544f7a8aea651e9562041af859a38cddbfc
2020-05-07 16:57:50 -05:00
Monty Taylor 48afa2248f Add docker_dockerfile to upload-docker-image defaults
We document it in the docs as a common thing, but we never needed
it. After the previous patch to use buildx routines for upload,
we need to define the default.

Change-Id: Idf0ed40d125c8cfc2eb4a381035b154c9bc2c1c5
2020-05-07 12:07:36 -05:00
Monty Taylor dfb3884440 Upload images to dockerhub with buildx when using buildx
If we build multi-arch images with buildx we also need to push to
dockerhub using buildx, because otherwise we're just pushing
the single-arch image we fetched back from the buildset registry
for the local cache.

Change-Id: If8b95a708e4f0d24e959317b803f5c9379a8b62b
2020-05-07 09:23:56 -05:00
Albin Vass bee0c6ae2f ansible-lint: use matchplay instead of matchtask
For some reason matchtask doesn't match includes, matchplay does so use
that instead.

Change-Id: I040f7f3394503e92d06c05e8ff671a43b14baebc
2020-05-05 20:42:38 +02:00
Clark Boylan 4ed66807a0 Use unique loop vars to avoid conflicts
We have to be careful about avoiding outer loop loop_var conflicts in
ansible. Because the zuul-jobs roles are meant to be reconsumed
elsewhere we should not use 'item' loopvars and instead set them to
something a bit more unique.

We use a zj_ prefix to try and be unique to this repo and document this
convention.

Change-Id: I20b9327a914890e9eafcb2b36dc8c23fb472bc8f
2020-02-04 12:23:36 -08:00
James E. Blair e35c529bac Retry pushes to dockerhub
To deal with things like 502 bad gateway errors.

Change-Id: Iaa745394baafcdfedc188f8503b7c7fc9ee92f5b
2019-09-20 09:50:44 -07:00
James E. Blair 2da8976da0 Fix typo in docker push role
Change-Id: I0fa24d646cdb990d7a5e1d79a8da7095fd5a90af
2019-03-01 13:06:39 -08:00
James E. Blair 885f02e217 Handle multiple docker images with the same repository
So that users can specify two docker image builds for the same
repository, but with different tags, ensure that the temporary
change_ tag attached to the image also includes the final tag
name.

This allows this configuration to work:

docker_images:
  - repository: foo/image
    context: opensuse
    tags:
      - opensuse-latest
  - repository: foo/image
    context: ubuntu
    tags:
      - ubuntu-latest

Change-Id: I917dcf8a74fc864ea06dc70bdb3e212dc170eb48
2019-02-27 11:08:44 -08:00
James E. Blair 3e3f836435 docker: add ability to restrict repository names
This allows us to construct a job which allows users to pass in a
secret (via pass-to-parent) which includes not only the user/pass,
but also a restriction for what docker image repositories may be
accessed using that user/pass.  This allows an operator to create
one credential, and then use that credential in multiple secrets
for multiple projects, each with a distinct restriction on where
images may be uploaded.

Change-Id: I7a3cf97a16d34c76df8601990954e1f2b0e498f5
2019-01-18 09:43:11 -08:00
James E. Blair 1c827e4761 docker: prefix role vars
These probably should have been prefixed to start with.  The roles
are brand new, not publicised, and likely not widely used.  I think
we can merge this without announcement or deprecation.

Change-Id: I7825ef6fee1325b6d4fcc179032652eb5530d016
2019-01-17 11:28:37 -08:00
James E. Blair 8640466183 Add docker image promotion roles
This adds three roles which can be used to build a docker image
promotion system.

Change-Id: Iefd9278cdb90bbbaab93a4d23c055e9289fde5ba
2019-01-15 14:03:00 -08:00