wrap skopeo push in withCredentials block

Jenkinsfile.release

@@ -60,6 +60,10 @@ echo "Final podspec: ${pod}"
 // use a unique label to force Kubernetes to provision a separate pod per run
 def pod_label = "cosa-${UUID.randomUUID().toString()}"
 
+// Destination for OCI image push
+// TODO: Change this to quay.io/fedora/coreos per https://fedoraproject.org/wiki/Changes/OstreeNativeContainer
+def quay_registry = "quay.io/coreos-assembler/fcos"
+
 // We just lock here out of an abundance of caution in case somehow two release
 // jobs run for the same stream, but that really shouldn't happen. Anyway, if it
 // *does*, this makes sure they're run serially.
@@ -83,22 +87,17 @@ podTemplate(cloud: 'openshift', label: pod_label, yaml: pod) {
             shwrap("""
             export AWS_CONFIG_FILE=\${AWS_FCOS_BUILDS_BOT_CONFIG}
             cosa init --branch ${params.STREAM} https://github.com/coreos/fedora-coreos-config
-            cosa buildfetch --build=${params.VERSION} \
+            cosa buildfetch --artifact=ostree --build=${params.VERSION} \
                 --arch=all --url=s3://${s3_stream_dir}/builds
-            cosa buildprep --ostree --build=${params.VERSION} \
-                --arch=all s3://${s3_stream_dir}/builds
             """)
         }
 
-        def oscontainer_secret = "/run/kubernetes/secrets/oscontainer-registry/dockercfg";
-        if (utils.pathExists(oscontainer_secret)) {
         stage('Sync oscontainer to quay.io') {
-            shwrap("""ociarchive=\$(cosa meta --image-path ostree)
-                    case \${ociarchive} in
-                      *ociarchive) skopeo copy --authfile=$oscontainer_secret oci-archive://\${ociarchive} docker://quay.io/cgwalters/fcos:${params.STREAM};;
-                      *) echo Build not configured as oci ;;
-                    esac""")
-        }
+            withCredentials([file(credentialsId: 'oscontainer-secret', variable: 'OSCONTAINER_SECRET')]) {
+                shwrap("""
+                skopeo copy --authfile="${OSCONTAINER_SECRET}" "oci-archive://\$(cosa meta --image-path ostree)" "docker://${quay_registry}:${params.STREAM}"
+                """)
+            }
         }
 
         for (basearch in params.ARCHES.split()) {

jenkins/config/oscontainer-secret.yaml

@@ -2,8 +2,12 @@ credentials:
   system:
     domainCredentials:
       - credentials:
-        - string:
+        - file:
             scope: GLOBAL
+            fileName: oscontainer-secret
             id: oscontainer-secret
-            secret: ${oscontainer-secret/dockerconfig}
+            # Secret must be base64-encoded
+            # See: https://github.com/jenkinsci/configuration-as-code-plugin/issues/884
+            secretBytes: "${base64:${oscontainer-secret/dockerconfig}}"
             description: Push secret for quay.io/coreos-assembler/fcos
+

manifests/pod.yaml

@@ -54,9 +54,6 @@ spec:
      - name: fedora-messaging-coreos-key
        mountPath: /run/kubernetes/secrets/fedora-messaging-coreos-key
        readOnly: true
-     - name: oscontainer-registry
-       mountPath: /run/kubernetes/secrets/oscontainer-registry
-       readOnly: true
      securityContext:
        privileged: false
      resources:
@@ -106,8 +103,3 @@ spec:
     secret:
       secretName: fedora-messaging-coreos-key
       optional: true
-  # Used to push the built OCI OS container to quay
-  - name: oscontainer-registry
-    secret:
-      secretName: oscontainer-registry
-      optional: true