From 5dcc397840ac80f57c966a55af1f10c43b4747f3 Mon Sep 17 00:00:00 2001
From: Clark Boylan <clark.boylan@gmail.com>
Date: Thu, 28 Aug 2025 13:15:45 -0700
Subject: [PATCH] Update registry tests to better cover speculative image
 builds

The docker toolchain is a bit of a walled garden and speculative image
builds work great by default as long as docker.io is your image
registry. As soon as you start trying to host images elsewhere it
becomes a lot more complicated to use speculatively built images during
docker image builds.

Update our existing registry role test jobs to use images hosted
somewhere other than docker.io to force us onto the less happy code
path, then verify that we are able to build images from speculative
states using docker. This should give us decent coverage that everything
works as expected.

Change-Id: I4801f98a0ef1aab01b4bc3b6e6576800efacbac4
---
 .../registry/docker-siblings/Dockerfile       |  2 +-
 test-playbooks/registry/test-registry.yaml    | 34 +++++---
 .../registry/vars/previous-build.yaml         |  2 +-
 zuul-tests.d/container-roles-jobs.yaml        | 81 ++++++++++++++++++-
 4 files changed, 102 insertions(+), 17 deletions(-)

diff --git a/test-playbooks/registry/docker-siblings/Dockerfile b/test-playbooks/registry/docker-siblings/Dockerfile
index dcf797db5..f9e28ca6f 100644
--- a/test-playbooks/registry/docker-siblings/Dockerfile
+++ b/test-playbooks/registry/docker-siblings/Dockerfile
@@ -1,4 +1,4 @@
-FROM docker.io/upstream/image as first
+FROM quay.io/opendevorg/imagedoesnotexist as first
 ARG ZUUL_SIBLINGS=""
 RUN echo "Zuul siblings: ${ZUUL_SIBLINGS}"
 RUN cp /test-nonce /test-nonce-is-there
diff --git a/test-playbooks/registry/test-registry.yaml b/test-playbooks/registry/test-registry.yaml
index f85a4badc..a823f2e7b 100644
--- a/test-playbooks/registry/test-registry.yaml
+++ b/test-playbooks/registry/test-registry.yaml
@@ -24,7 +24,7 @@
       include_role:
         name: intermediate-registry-user-config
     - name: "Build a container image for the previous build with docker roles"
-      when: container_command == 'docker'
+      when: container_role == 'docker'
       include_role:
         name: "build-docker-image"
       vars:
@@ -32,7 +32,7 @@
           - context: test-playbooks/registry/docker
             repository: "{{ previous_build_repository }}"
     - name: "Build a container image for the previous build with container-image roles"
-      when: container_command != 'docker'
+      when: container_role != 'docker'
       include_role:
         name: "build-container-image"
       vars:
@@ -107,20 +107,28 @@
         zuul_artifacts: "{{ previous_build_zuul.artifacts }}"
 
 # This simulates a build actually using the previous build.
+# This only works for podman because docker cannot use speculative images
+# hosted outside of docker.io during normal operations. That only works
+# with buildkit and image building when using docker.
 
 - hosts: builder
   name: Test that the previous build is available
   tasks:
-    - name: Include intermediate registry vars
-      include_vars: vars/intermediate-registry-auth.yaml
-    - name: Include previous build vars
-      include_vars: vars/previous-build.yaml
-    - name: Pull the previous build from buildset registry to the builder host
-      command: "{{ container_command }} pull {{ previous_build_repository }}:latest"
-    - name: "Show local container images for debugging"
-      command: "{{ container_command }} image ls"
-    - name: Verify previously built image is in buildset registry
-      command: "{{ container_command }} image inspect {{ previous_build_repository }}:latest"
+    - name: Simple checks when using podman
+      when: container_command != 'docker'
+      block:
+        - name: Include intermediate registry vars
+          include_vars: vars/intermediate-registry-auth.yaml
+        - name: Include previous build vars
+          include_vars: vars/previous-build.yaml
+        - name: Pull the previous build from buildset registry to the builder host
+          command: "{{ container_command }} pull {{ previous_build_repository }}:latest"
+        - name: "Show local container images for debugging"
+          command: "{{ container_command }} image ls"
+        - name: Verify previously built image is in buildset registry
+          command: "{{ container_command }} image inspect {{ previous_build_repository }}:latest"
+        - name: Remove the image from local storage to force fetching from the buildset registry
+          command: "{{ container_command }} image prune --all --force"
 
 # Back to straightforward use of the roles under test.
 
@@ -137,7 +145,7 @@
 
     - name: Build docker image
       include_role:
-        name: "build-{{ (container_command == 'docker') | ternary('docker', 'container') }}-image"
+        name: "build-{{ (container_role == 'docker') | ternary('docker', 'container') }}-image"
       vars:
         _normal_docker_images:
           - context: test-playbooks/registry/docker-siblings
diff --git a/test-playbooks/registry/vars/previous-build.yaml b/test-playbooks/registry/vars/previous-build.yaml
index ad1b74e60..032cce062 100644
--- a/test-playbooks/registry/vars/previous-build.yaml
+++ b/test-playbooks/registry/vars/previous-build.yaml
@@ -2,7 +2,7 @@
 # buildset via provides/requires.  This build should be copied from
 # the intermediate registry to the buildset registry.
 
-previous_build_repository: docker.io/upstream/image
+previous_build_repository: quay.io/opendevorg/imagedoesnotexist
 previous_build_uuid: 48a84fe22a744cb5b0310f396358d912
 previous_build_zuul:
   artifacts:
diff --git a/zuul-tests.d/container-roles-jobs.yaml b/zuul-tests.d/container-roles-jobs.yaml
index 32036eed9..355843b60 100644
--- a/zuul-tests.d/container-roles-jobs.yaml
+++ b/zuul-tests.d/container-roles-jobs.yaml
@@ -241,6 +241,7 @@
     post-run: test-playbooks/registry/test-registry-post.yaml
     vars:
       container_command: docker
+      container_role: docker
       multiarch: false
     nodeset: &registry_nodeset
       nodes:
@@ -250,6 +251,26 @@
           label: debian-bookworm
         - name: builder
           label: ubuntu-jammy
+    # Docker can't currently build with speculative states hosted anywhere
+    # but docker.io. This is nonvoting as we're using quay.io as the
+    # registry. A followup will fix this issue and make the test voting.
+    voting: false
+
+- job:
+    name: zuul-jobs-test-registry-docker-container-role
+    parent: zuul-jobs-test-registry-docker
+    description: |
+      Test the intermediate registry roles.
+
+      Like its parent this tests the intermediate registry roles. The
+      difference here is we test with build-container-image to check
+      compatibility with that role using docker as the command.
+    vars:
+      container_role: container
+    # Docker can't currently build with speculative states hosted anywhere
+    # but docker.io. This is nonvoting as we're using quay.io as the
+    # registry. A followup will fix this issue and make the test voting.
+    voting: false
 
 - job:
     name: zuul-jobs-test-registry-docker-multiarch
@@ -272,9 +293,22 @@
     post-run: test-playbooks/registry/test-registry-post.yaml
     vars:
       container_command: docker
+      container_role: docker
       multiarch: true
     nodeset: *registry_nodeset
 
+- job:
+    name: zuul-jobs-test-registry-docker-container-role-multiarch
+    parent: zuul-jobs-test-registry-docker-multiarch
+    description: |
+      Test the intermediate registry roles with multiarch.
+
+      Like its parent this tests the intermediate registry roles. The
+      difference here is we test with build-container-image to check
+      compatibility with that role using docker as the command.
+    vars:
+      container_role: container
+
 - job:
     name: zuul-jobs-test-registry-podman
     description: |
@@ -297,6 +331,7 @@
     post-run: test-playbooks/registry/test-registry-post.yaml
     vars:
       container_command: podman
+      container_role: container
       multiarch: false
     nodeset: *registry_nodeset
 
@@ -713,7 +748,7 @@
 
 - project:
     check:
-      jobs: &id001
+      jobs:
         - zuul-jobs-test-ensure-docker-centos-9-stream
         - zuul-jobs-test-ensure-docker-debian-bookworm
         - zuul-jobs-test-ensure-docker-debian-bullseye
@@ -730,7 +765,9 @@
         - zuul-jobs-test-build-docker-image-release
         - zuul-jobs-test-build-docker-image-release-multiarch
         - zuul-jobs-test-registry-docker
+        - zuul-jobs-test-registry-docker-container-role
         - zuul-jobs-test-registry-docker-multiarch
+        - zuul-jobs-test-registry-docker-container-role-multiarch
         - zuul-jobs-test-registry-podman
         - zuul-jobs-test-registry-buildset-registry
         - zuul-jobs-test-registry-buildset-registry-k8s-microk8s
@@ -755,6 +792,46 @@
         - zuul-jobs-test-ensure-podman-debian-bullseye
         - zuul-jobs-test-mirror-container-images
     gate:
-      jobs: *id001
+      jobs: &id001
+        - zuul-jobs-test-ensure-docker-centos-9-stream
+        - zuul-jobs-test-ensure-docker-debian-bookworm
+        - zuul-jobs-test-ensure-docker-debian-bullseye
+        - zuul-jobs-test-ensure-docker-ubuntu-focal
+        - zuul-jobs-test-ensure-docker-ubuntu-jammy
+        - zuul-jobs-test-ensure-docker-ubuntu-noble
+        - zuul-jobs-test-build-container-image-docker-release
+        - zuul-jobs-test-build-container-image-docker-release-multiarch
+        - zuul-jobs-test-build-container-image-docker-release-multiarch-multinode
+        - zuul-jobs-test-build-container-image-podman-release
+        - zuul-jobs-test-build-container-image-docker-promote
+        - zuul-jobs-test-build-container-image-docker-promote-multiarch
+        - zuul-jobs-test-build-container-image-podman-promote
+        - zuul-jobs-test-build-docker-image-release
+        - zuul-jobs-test-build-docker-image-release-multiarch
+        - zuul-jobs-test-registry-docker-multiarch
+        - zuul-jobs-test-registry-docker-container-role-multiarch
+        - zuul-jobs-test-registry-podman
+        - zuul-jobs-test-registry-buildset-registry
+        - zuul-jobs-test-registry-buildset-registry-k8s-microk8s
+        - zuul-jobs-test-registry-buildset-registry-k8s-crio
+        - zuul-jobs-test-ensure-kubernetes-crio-ubuntu-focal
+        - zuul-jobs-test-ensure-kubernetes-podman-ubuntu-noble
+        - zuul-jobs-test-ensure-kubernetes-microk8s-ubuntu-jammy
+        - zuul-jobs-test-ensure-kubernetes-microk8s-debian-bookworm
+        - zuul-jobs-test-ensure-podman-debian-bookworm
+        - zuul-jobs-test-ensure-podman-debian-bullseye
+        - zuul-jobs-test-ensure-podman-ubuntu-jammy
+        - zuul-jobs-test-ensure-podman-ubuntu-noble
+        - zuul-jobs-test-ensure-podman-socket-debian-bookworm
+        - zuul-jobs-test-ensure-podman-socket-debian-bullseye
+        - zuul-jobs-test-ensure-podman-socket-ubuntu-jammy
+        - zuul-jobs-test-ensure-podman-socket-ubuntu-noble
+        - zuul-jobs-test-ensure-skopeo-debian-bookworm
+        - zuul-jobs-test-ensure-skopeo-debian-bullseye
+        - zuul-jobs-test-ensure-skopeo-ubuntu-focal
+        - zuul-jobs-test-ensure-skopeo-ubuntu-jammy
+        - zuul-jobs-test-ensure-skopeo-ubuntu-noble
+        - zuul-jobs-test-ensure-podman-debian-bullseye
+        - zuul-jobs-test-mirror-container-images
     periodic-weekly:
       jobs: *id001