release: Copy oscontainer to quay.io #383
Conversation
This is a bit hacky but should work. My initial goal here is just automated uploads of our builds, so that we can start getting a better feel for managing "ostree-in-container" releases. We should sync to `quay.io/coreos` but that needs someone to set that up. Also, I'd like to make the destination configurable in the same way as the S3 bucket, proposal PR in coreos/fedora-coreos-config#1175 Closes: coreos#359
|
Enabling this requires: |
| - name: oscontainer-registry | ||
| mountPath: /run/kubernetes/secrets/oscontainer-registry | ||
| readOnly: true |
There was a problem hiding this comment.
So one recent-ish move is going away from the "all secrets mounted into the cosa pod" model towards Jenkins secrets. See e.g. 7449712.
So concretely, this would mean doing it like this:
- a JCASC drop-in to define the Jenkins credential: https://github.com/coreos/fedora-coreos-pipeline/blob/main/jenkins/config/github-coreosbot.yaml
- using
withCredentialsto mount it into scope just for the bit you need, e.g.fedora-coreos-pipeline/jobs/bump-lockfile.Jenkinsfile
Lines 192 to 197 in 90e9f3b
There was a problem hiding this comment.
OK. I understand the reasons for that, but this is not very DRY. Maybe we can figure out how to automatically scrape all relevant secrets from the namespace into Jenkins creds.
Alternatively, one approach is to run separate pods with separate creds, but that would entail a lot more state juggling.
There was a problem hiding this comment.
Having something which auto-generates creds from OpenShift secrets makes sense to me. It doesn't seem like JCASC natively supports this, though it wouldn't be hard to just write a script which generates the drop-ins based on an annotation or something.
| --arch=all s3://${s3_stream_dir}/builds | ||
| """) | ||
| } | ||
|
|
||
| def oscontainer_secret = "/run/kubernetes/secrets/oscontainer-registry/dockercfg"; | ||
| if (utils.pathExists(oscontainer_secret)) { |
There was a problem hiding this comment.
Maybe for now, let's conditionalize this on non-production builds to start with?
| stage('Sync oscontainer to quay.io') { | ||
| shwrap("""ociarchive=\$(cosa meta --image-path ostree) | ||
| case \${ociarchive} in | ||
| *ociarchive) skopeo copy --authfile=$oscontainer_secret oci-archive://\${ociarchive} docker://quay.io/cgwalters/fcos:${params.STREAM};; |
There was a problem hiding this comment.
I'll try to get an answer to #359 (comment) so we can update this.
|
Superceded by #457 |
This is a bit hacky but should work. My initial goal here
is just automated uploads of our builds, so that we can
start getting a better feel for managing "ostree-in-container"
releases.
We should sync to
quay.io/coreosbut that needs someone to set that up.Also, I'd like to make the destination configurable in the same
way as the S3 bucket, proposal PR in coreos/fedora-coreos-config#1175
Closes: #359