-
Notifications
You must be signed in to change notification settings - Fork 55
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
release: Copy oscontainer to quay.io #383
Conversation
This is a bit hacky but should work. My initial goal here is just automated uploads of our builds, so that we can start getting a better feel for managing "ostree-in-container" releases. We should sync to `quay.io/coreos` but that needs someone to set that up. Also, I'd like to make the destination configurable in the same way as the S3 bucket, proposal PR in coreos/fedora-coreos-config#1175 Closes: coreos#359
Enabling this requires:
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could you add an [OPTIONAL]
section to the HACKING.md about how to provision the secret?
- name: oscontainer-registry | ||
mountPath: /run/kubernetes/secrets/oscontainer-registry | ||
readOnly: true |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So one recent-ish move is going away from the "all secrets mounted into the cosa pod" model towards Jenkins secrets. See e.g. 7449712.
So concretely, this would mean doing it like this:
- a JCASC drop-in to define the Jenkins credential: https://github.com/coreos/fedora-coreos-pipeline/blob/main/jenkins/config/github-coreosbot.yaml
- using
withCredentials
to mount it into scope just for the bit you need, e.g.fedora-coreos-pipeline/jobs/bump-lockfile.Jenkinsfile
Lines 192 to 197 in 90e9f3b
withCredentials([usernamePassword(credentialsId: botCreds, usernameVariable: 'GHUSER', passwordVariable: 'GHTOKEN')]) { // should gracefully handle race conditions here sh("git -C src/config push https://\${GHUSER}:\${GHTOKEN}@github.com/${repo} ${branch}") }
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
OK. I understand the reasons for that, but this is not very DRY. Maybe we can figure out how to automatically scrape all relevant secrets from the namespace into Jenkins creds.
Alternatively, one approach is to run separate pods with separate creds, but that would entail a lot more state juggling.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Having something which auto-generates creds from OpenShift secrets makes sense to me. It doesn't seem like JCASC natively supports this, though it wouldn't be hard to just write a script which generates the drop-ins based on an annotation or something.
--arch=all s3://${s3_stream_dir}/builds | ||
""") | ||
} | ||
|
||
def oscontainer_secret = "/run/kubernetes/secrets/oscontainer-registry/dockercfg"; | ||
if (utils.pathExists(oscontainer_secret)) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe for now, let's conditionalize this on non-production builds to start with?
stage('Sync oscontainer to quay.io') { | ||
shwrap("""ociarchive=\$(cosa meta --image-path ostree) | ||
case \${ociarchive} in | ||
*ociarchive) skopeo copy --authfile=$oscontainer_secret oci-archive://\${ociarchive} docker://quay.io/cgwalters/fcos:${params.STREAM};; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'll try to get an answer to #359 (comment) so we can update this.
Superceded by #457 |
This is a bit hacky but should work. My initial goal here
is just automated uploads of our builds, so that we can
start getting a better feel for managing "ostree-in-container"
releases.
We should sync to
quay.io/coreos
but that needs someone to set that up.Also, I'd like to make the destination configurable in the same
way as the S3 bucket, proposal PR in coreos/fedora-coreos-config#1175
Closes: #359