-
Notifications
You must be signed in to change notification settings - Fork 55
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
release: Copy oscontainer to quay.io #457
release: Copy oscontainer to quay.io #457
Conversation
318bbc9
to
0d430c9
Compare
manifests/pod.yaml
Outdated
@@ -54,6 +54,9 @@ spec: | |||
- name: fedora-messaging-coreos-key | |||
mountPath: /run/kubernetes/secrets/fedora-messaging-coreos-key | |||
readOnly: true | |||
- name: oscontainer-registry |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The pod shouldn't need the secret mounted in since we're using withCredentials
.
Jenkinsfile.release
Outdated
@@ -85,9 +85,21 @@ podTemplate(cloud: 'openshift', label: pod_label, yaml: pod) { | |||
cosa init --branch ${params.STREAM} https://github.com/coreos/fedora-coreos-config | |||
cosa buildfetch --build=${params.VERSION} \ | |||
--arch=all --url=s3://${s3_stream_dir}/builds | |||
cosa buildprep --ostree --build=${params.VERSION} \ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You can add --artifact ostree
to the previous buildfetch
call instead.
Jenkinsfile.release
Outdated
withCredentials([string(credentialsId: "oscontainer-secret", variable: "OSCONTAINER_SECRET")]) { | ||
shwrap("""ociarchive=\$(cosa meta --image-path ostree) | ||
case \${ociarchive} in | ||
*ociarchive) skopeo copy --authfile=<($OSCONTAINER_SECRET) oci-archive://\${ociarchive} docker://quay.io/coreos-assembler/fcos:${params.STREAM};; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Might be good to const-ify the quay.io URL here at the beginning of the file for clarity. And also a comment there that says long-term we want quay.io/fedora/coreos
as per https://fedoraproject.org/wiki/Changes/OstreeNativeContainer.
Jenkinsfile.release
Outdated
stage('Sync oscontainer to quay.io') { | ||
withCredentials([string(credentialsId: "oscontainer-secret", variable: "OSCONTAINER_SECRET")]) { | ||
shwrap("""ociarchive=\$(cosa meta --image-path ostree) | ||
case \${ociarchive} in |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
All streams use ociarchive now and at some point we'll probably rip out the old support for .tar in cosa. So I think we can just simplify this logic here.
system: | ||
domainCredentials: | ||
- credentials: | ||
- string: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Cool with this, though feels like a secret file would be more appropriate for this instead.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I was originally intending to do that, I just couldn't find the syntax for some reason. Thanks for the pointer!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It took a bit of trial-and-error. The short version is that you have to base64-encode the file contents to make it work.
bcde517
to
11c641c
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks, looks great!
Final bits:
- Can you squash your two commits into one?
- Can you add a section in HACKING.md about the new secret similar to the other ones?
This is a bit hacky but should work. My initial goal here is just automated uploads of our builds, so that we can start getting a better feel for managing "ostree-in-container" releases. We should sync to `quay.io/coreos` but that needs someone to set that up. Also, I'd like to make the destination configurable in the same way as the S3 bucket, proposal PR in coreos/fedora-coreos-config#1175 Closes: coreos#359
11c641c
to
ffa2b9b
Compare
Done! |
This is ready for merge. Waiting until our current test runs in the new infra are over before I get it in and redeploy Jenkins. |
I totally missed this until now but: when I said to squash your commits I meant have a single commit on top of Colin's commit. Authorship recognition is important and you did some nice cleanups and testing for this. Sorry for not noticing earlier! |
In this case the Co-authored-by tag seems best but for the record I don't think this is a big deal from my PoV - just something to keep in mind elsewhere! I particularly try to preserve credit in the case of a new contributor to a project submitting a PR, and then I need to changes on top. But that's not this case really. Anyways - cool to see this landed! |
No worries! I thought about it almost immediately after I squashed it. |
This PR is intended to supercede and incorporates elements of: #383