zuul
/
zuul-jobs
Code Issues Proposed changes

Update ensure-quay-repo to run opportunistically 

This updates the new ensure-quay-repo to run opportunistically if the
registry_type image flag is set to quay and the registry credentials
matching the container image has an api token defined. This will allow
us to include this role in base jobs and it will do what we need it to
do without impacting docker based images or quay managed images that
don't need automatic creation.

Change-Id: Ia419578bf0a27293757c5f723873e9930ee2c489
This commit is contained in:
Clark Boylan 2023-04-25 15:21:57 -07:00
parent 0e6df8d38f
commit 58f408cfac
2 changed files with 65 additions and 47 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
roles/ensure-quay-repo/README.rst
View File

@ -19,6 +19,19 @@ When invoking this role you should set no_log: true on the
``container_registry_credentials`` variable used by the other container
roles. Specify an ``api_token`` which is issued from an application
assigned to an organisation. See `<https://docs.quay.io/api/>`__
This application API token needs create permissions. If the registry
name is quay.io we know that the registry type is ``quay``. If you are
running a private Quay installation you can manually set
``type`` to ``quay`` to force this behavior.
This role will only take action on image repos that map to
container registries for which both an ``api_token`` is set and
``type`` can be determined to be ``quay``.
You may also set ``api_url`` on the registry credentials if the
API is not hosted at the root of the registry name. Most installations
should be able to ignore this and use the default of
``https://{{ $name }}``.
Example:
@ -26,7 +39,9 @@ When invoking this role you should set no_log: true on the
container_registry_credentials:
quay.io:
type: 'quay'
api_token: 'abcd1234'
api_url: 'https://quay.io'
.. zuul:rolevar:: container_images
:type: list
@ -36,10 +51,8 @@ When invoking this role you should set no_log: true on the
is in the same format as the ``container_images`` variable used by other
container roles. Specify a ``registry`` (this should match up with your
credentials to locate the api token), ``namespace``, ``repo_shortname``,
``repo_description``, ``visibility``, and ``api_url`` attributes.
By default visibility will be ``public`` and ``api_url`` will be
``https://{{ registry }}``.
``repo_description``, and ``visibility`` attributes. By default
visibility will be ``public``.
Example:

91
roles/ensure-quay-repo/tasks/create.yaml
View File

@ -1,49 +1,54 @@
- name: Set quay_root_url
set_fact:
quay_root_url: "https://{{ zj_image.registry }}"
when: zj_image.api_url is not defined
- name: Only run when necessary items are present
block:
- name: Set quay_root_url
set_fact:
quay_root_url: "https://{{ zj_image.registry }}"
when: container_registry_credentials[zj_image.registry].api_url is not defined
- name: Alias api_url
set_fact:
quay_root_url: "{{ zj_image.api_url }}"
when: zj_image.api_url is defined
- name: Alias api_url
set_fact:
quay_root_url: "{{ container_registry_credentials[zj_image.registry].api_url }}"
when: container_registry_credentials[zj_image.registry].api_url is defined
- name: Set quay_repo_visibility
set_fact:
quay_repo_visibility: "public"
when: zj_image.visibility is not defined
- name: Set quay_repo_visibility
set_fact:
quay_repo_visibility: "public"
when: zj_image.visibility is not defined
- name: Alias visibility
set_fact:
quay_repo_visibility: "{{ zj_image.visibility }}"
when: zj_image.visibility is defined
- name: Alias visibility
set_fact:
quay_repo_visibility: "{{ zj_image.visibility }}"
when: zj_image.visibility is defined
- name: Create the repo in quay
no_log: true
uri:
url: "{{ quay_root_url }}/api/v1/repository"
method: POST
body_format: json
body:
namespace: "{{ zj_image.namespace }}"
repository: "{{ zj_image.repo_shortname}}"
description: "{{ zj_image.repo_description }}"
visibility: "{{ quay_repo_visibility }}"
headers:
Content-Type: application/json
Authorization: "Bearer {{ container_registry_credentials[zj_image.registry].api_token }}"
status_code:
- 201
# 400 is returned when the repo already exists.
# We double check this below.
- 400
register: quay_repo_create
delay: 5
retries: 3
- name: Create the repo in quay
no_log: true
uri:
url: "{{ quay_root_url }}/api/v1/repository"
method: POST
body_format: json
body:
namespace: "{{ zj_image.namespace }}"
repository: "{{ zj_image.repo_shortname}}"
description: "{{ zj_image.repo_description }}"
visibility: "{{ quay_repo_visibility }}"
headers:
Content-Type: application/json
Authorization: "Bearer {{ container_registry_credentials[zj_image.registry].api_token }}"
status_code:
- 201
# 400 is returned when the repo already exists.
# We double check this below.
- 400
register: quay_repo_create
delay: 5
retries: 3
- name: Fail if repo doesn't exist and we got a 400 status code
- name: Fail if repo doesn't exist and we got a 400 status code
when:
- quay_repo_create.status == 400
- "'error_message' not in quay_repo_create.json or ('error_message' in quay_repo_create.json and quay_repo_create.json.error_message != 'Repository already exists')"
fail:
msg: "Could not create {{ quay_root_url }}/{{ zj_image.namespace }}/{{ zj_image.repo_shortname }}"
when:
- quay_repo_create.status == 400
- "'error_message' not in quay_repo_create.json or ('error_message' in quay_repo_create.json and quay_repo_create.json.error_message != 'Repository already exists')"
fail:
msg: "Could not create {{ quay_root_url }}/{{ zj_image.namespace }}/{{ zj_image.repo_shortname }}"
- zj_image.registry == 'quay.io' or (container_registry_credentials[zj_image.registry].type is defined and container_registry_credentials[zj_image.registry].type == 'quay')
- container_registry_credentials[zj_image.registry].api_token is defined