zuul/zuul-jobs
Code Issues Proposed changes

Update docker image roles

Browse Source 
* In the build-image role, push to the buildset registry if it is defined.
* In the intermediate registry push and pull roles, ensure that the
  buildset registry TLS cert is in place.  This is a self-signed cert,
  and so needs to be written for each run.  This happens inside
  bubblewrap where we have permission to write to /etc, which is an
  ephemeral volume.

Change-Id: I47781d8a7adb93817dfe9266e2f4ad5fd829385c
This commit is contained in:
James E. Blair 2019-02-16 10:02:48 -08:00
parent ee1b1ea2e4
commit 71b7cb0ae5
5 changed files with 36 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
roles/build-docker-image/tasks/main.yaml
View File

@ -1,3 +1,9 @@
# This can be removed if we add this functionality to Zuul directly
- name: Load information from zuul_return
when: buildset_registry is not defined
set_fact:
buildset_registry: "{{ (lookup('file', zuul.executor.work_root + '/results.json') | from_json)['buildset_registry'] }}"
ignore_errors: true
- name: Build a docker image
command: >-
docker build {{ item.path | default('.') }} -f {{ item.dockerfile | default(docker_dockerfile) }}
@ -14,3 +20,9 @@
args:
chdir: "{{ zuul_work_dir }}/{{ item.context }}"
loop: "{{ docker_images }}"
- name: Push image to buildset registry
when: buildset_registry is defined
include_tasks: push.yaml
loop: "{{ docker_images }}"
loop_control:
loop_var: image

7
roles/build-docker-image/tasks/push.yaml Normal file
View File

@ -0,0 +1,7 @@
- name: Push tag to buildset registry
command: >-
docker tag {{ image.repository }}:{{ image_tag }} {{ buildset_registry.host }}:{{ buildset_registry.port }}/{{ image.repository }}:{{ image_tag }}
docker push {{ buildset_registry.host }}:{{ buildset_registry.port }}/{{ image.repository }}:{{ image_tag }}
loop: "{{ image.tags | default(['latest']) }}"
loop_control:
loop_var: image_tag

8
roles/pull-from-intermediate-registry/tasks/main.yaml
View File

@ -1,3 +1,11 @@
- name: Ensure registry cert directory exists
file:
path: "/etc/docker/certs.d/{{ buildset_registry.host }}:{{ buildset_registry.port }}/"
state: directory
- name: Write registry TLS certificate
copy:
content: "{{ buildset_registry.cert }}"
dest: "/etc/docker/certs.d/{{ buildset_registry.host }}:{{ buildset_registry.port }}/ca.crt"
- name: Pull artifact from intermediate registry
command: >-
skopeo --insecure-policy copy

8
roles/push-to-intermediate-registry/tasks/main.yaml
View File

@ -3,6 +3,14 @@
when: buildset_registry is not defined
set_fact:
buildset_registry: "{{ (lookup('file', zuul.executor.work_root + '/results.json') | from_json)['buildset_registry'] }}"
- name: Ensure registry cert directory exists
file:
path: "/etc/docker/certs.d/{{ buildset_registry.host }}:{{ buildset_registry.port }}/"
state: directory
- name: Write registry TLS certificate
copy:
content: "{{ buildset_registry.cert }}"
dest: "/etc/docker/certs.d/{{ buildset_registry.host }}:{{ buildset_registry.port }}/ca.crt"
- name: Push image to intermediate registry
include_tasks: push.yaml
loop: "{{ docker_images }}"

2
roles/push-to-intermediate-registry/tasks/push.yaml
View File

@ -4,7 +4,7 @@
--src-creds={{ buildset_registry.username }}:{{ buildset_registry.password }}
--dest-creds={{ intermediate_registry.username }}:{{ intermediate_registry.password }}
docker://{{ buildset_registry.host }}:{{ buildset_registry.port }}/{{ image.repository }}:{{ image_tag }}
docker://{{ intermediate_registry.host }}:{{ intermediate_registry.port}}/{{ image.repository }}:{{ zuul.build }}_{{ image_tag}}
docker://{{ intermediate_registry.host }}:{{ intermediate_registry.port}}/{{ image.repository }}:{{ zuul.build }}_{{ image_tag }}
loop: "{{ image.tags | default(['latest']) }}"
loop_control:
loop_var: image_tag