5dcc397840
The docker toolchain is a bit of a walled garden and speculative image builds work great by default as long as docker.io is your image registry. As soon as you start trying to host images elsewhere it becomes a lot more complicated to use speculatively built images during docker image builds. Update our existing registry role test jobs to use images hosted somewhere other than docker.io to force us onto the less happy code path, then verify that we are able to build images from speculative states using docker. This should give us decent coverage that everything works as expected. Change-Id: I4801f98a0ef1aab01b4bc3b6e6576800efacbac4
216 lines
8.6 KiB
YAML
216 lines
8.6 KiB
YAML
# Run the intermediate registry on this host, and also build an image
|
|
# and place it in the registry to simulate an artifact from a previous
|
|
# build which has been passed to this one (so that we can test pulling
|
|
# from the intermediate registry in the correct order).
|
|
|
|
- hosts: intermediate-registry
|
|
name: Set up the intermediate registry and add a build
|
|
tasks:
|
|
- name: Include intermediate registry vars
|
|
include_vars: vars/intermediate-registry-auth.yaml
|
|
- name: Include previous build vars
|
|
include_vars: vars/previous-build.yaml
|
|
- name: Run the intermediate registry
|
|
include_role:
|
|
name: run-test-intermediate-registry
|
|
- name: Install the intermediate registry cert
|
|
include_role:
|
|
name: ensure-registry-cert
|
|
vars:
|
|
registry_host: localhost
|
|
registry_port: 5000
|
|
registry_cert: "{{ intermediate_registry_tls_cert }}"
|
|
- name: Set up user credentials for the intermediate registry
|
|
include_role:
|
|
name: intermediate-registry-user-config
|
|
- name: "Build a container image for the previous build with docker roles"
|
|
when: container_role == 'docker'
|
|
include_role:
|
|
name: "build-docker-image"
|
|
vars:
|
|
docker_images:
|
|
- context: test-playbooks/registry/docker
|
|
repository: "{{ previous_build_repository }}"
|
|
- name: "Build a container image for the previous build with container-image roles"
|
|
when: container_role != 'docker'
|
|
include_role:
|
|
name: "build-container-image"
|
|
vars:
|
|
container_images:
|
|
- context: test-playbooks/registry/docker
|
|
repository: "{{ previous_build_repository }}"
|
|
- name: Tag the previous build
|
|
command: "{{ container_command }} tag {{ previous_build_repository }}:latest localhost:5000/{{ previous_build_repository }}:{{ previous_build_uuid }}_latest"
|
|
- name: Push the previous build to the intermediate registry
|
|
command: "{{ container_command }} push localhost:5000/{{ previous_build_repository }}:{{ previous_build_uuid }}_latest"
|
|
|
|
# This is also essentially pre-configuration for the real test of the
|
|
# roles. This sets up a fake executor (since we can't run the
|
|
# necessary commands untrusted on the real one).
|
|
|
|
- hosts: executor
|
|
name: Set up a simulated executor
|
|
tasks:
|
|
- name: Include intermediate registry vars
|
|
include_vars: vars/intermediate-registry-auth.yaml
|
|
- name: Create simulated zuul work directory
|
|
become: true
|
|
file:
|
|
state: directory
|
|
path: "{{ zuul.executor.work_root }}"
|
|
owner: "{{ ansible_user }}"
|
|
group: "{{ ansible_user }}"
|
|
- name: Install the intermediate registry cert
|
|
include_role:
|
|
name: ensure-registry-cert
|
|
vars:
|
|
registry_host: "{{ intermediate_registry.host }}"
|
|
registry_port: "{{ intermediate_registry.port }}"
|
|
registry_cert: "{{ intermediate_registry_tls_cert }}"
|
|
- name: Make /etc/docker directory zuul-owned
|
|
become: true
|
|
file:
|
|
state: directory
|
|
path: "/etc/docker"
|
|
owner: "{{ ansible_user }}"
|
|
group: "{{ ansible_user }}"
|
|
recurse: true
|
|
- name: Configure /etc/hosts for intermediate registry
|
|
become: true
|
|
lineinfile:
|
|
path: /etc/hosts
|
|
state: present
|
|
regex: "^{{ hostvars['intermediate-registry'].nodepool.private_ipv4 }}\t{{ intermediate_registry.host }}$"
|
|
line: "{{ hostvars['intermediate-registry'].nodepool.private_ipv4 }}\t{{ intermediate_registry.host }}"
|
|
insertafter: EOF
|
|
|
|
# This begins the simulation of what we would expect to happen in a
|
|
# normal job.
|
|
|
|
- hosts: builder
|
|
name: Test the buildset registry roles
|
|
roles:
|
|
- run-buildset-registry
|
|
- use-buildset-registry
|
|
|
|
- hosts: executor
|
|
name: Test pulling from the intermediate registry
|
|
tasks:
|
|
- name: Include intermediate registry vars
|
|
include_vars: vars/intermediate-registry-auth.yaml
|
|
- name: Include previous build vars
|
|
include_vars: vars/previous-build.yaml
|
|
- name: Run pull-from-intermediate-registry role
|
|
include_role:
|
|
name: pull-from-intermediate-registry
|
|
vars:
|
|
zuul_artifacts: "{{ previous_build_zuul.artifacts }}"
|
|
|
|
# This simulates a build actually using the previous build.
|
|
# This only works for podman because docker cannot use speculative images
|
|
# hosted outside of docker.io during normal operations. That only works
|
|
# with buildkit and image building when using docker.
|
|
|
|
- hosts: builder
|
|
name: Test that the previous build is available
|
|
tasks:
|
|
- name: Simple checks when using podman
|
|
when: container_command != 'docker'
|
|
block:
|
|
- name: Include intermediate registry vars
|
|
include_vars: vars/intermediate-registry-auth.yaml
|
|
- name: Include previous build vars
|
|
include_vars: vars/previous-build.yaml
|
|
- name: Pull the previous build from buildset registry to the builder host
|
|
command: "{{ container_command }} pull {{ previous_build_repository }}:latest"
|
|
- name: "Show local container images for debugging"
|
|
command: "{{ container_command }} image ls"
|
|
- name: Verify previously built image is in buildset registry
|
|
command: "{{ container_command }} image inspect {{ previous_build_repository }}:latest"
|
|
- name: Remove the image from local storage to force fetching from the buildset registry
|
|
command: "{{ container_command }} image prune --all --force"
|
|
|
|
# Back to straightforward use of the roles under test.
|
|
|
|
- hosts: builder
|
|
name: Test building a container image
|
|
tasks:
|
|
|
|
- name: Create fake sibling projects
|
|
command: >-
|
|
mkdir -p src/opendev.org/project/fake-sibling &&
|
|
mkdir -p src/openstack.org/project/fake-sibling &&
|
|
touch src/opendev.org/project/fake-sibling/file &&
|
|
touch src/openstack.org/project/fake-sibling/file
|
|
|
|
- name: Build docker image
|
|
include_role:
|
|
name: "build-{{ (container_role == 'docker') | ternary('docker', 'container') }}-image"
|
|
vars:
|
|
_normal_docker_images:
|
|
- context: test-playbooks/registry/docker-siblings
|
|
repository: downstream/image
|
|
siblings:
|
|
- opendev.org/project/fake-sibling
|
|
- openstack.org/project/fake-sibling
|
|
target: first
|
|
- context: test-playbooks/registry/docker-siblings
|
|
repository: downstream/image2
|
|
target: second
|
|
siblings:
|
|
- opendev.org/project/fake-sibling
|
|
- openstack.org/project/fake-sibling
|
|
_arch_docker_images:
|
|
- context: test-playbooks/registry/docker-siblings
|
|
repository: downstream/image
|
|
target: first
|
|
siblings:
|
|
- opendev.org/project/fake-sibling
|
|
- openstack.org/project/fake-sibling
|
|
arch: ['linux/amd64', 'linux/arm64']
|
|
- context: test-playbooks/registry/docker-siblings
|
|
repository: downstream/image2
|
|
target: second
|
|
siblings:
|
|
- opendev.org/project/fake-sibling
|
|
- openstack.org/project/fake-sibling
|
|
arch: ['linux/amd64', 'linux/arm64']
|
|
docker_images: "{{ multiarch | ternary(_arch_docker_images, _normal_docker_images) }}"
|
|
container_images: "{{ docker_images }}"
|
|
- hosts: executor
|
|
name: Test pushing to the intermediate registry
|
|
tasks:
|
|
- name: Include intermediate registry vars
|
|
include_vars: vars/intermediate-registry-auth.yaml
|
|
- name: Run push-to-intermediate-registry role
|
|
include_role:
|
|
name: push-to-intermediate-registry
|
|
vars:
|
|
_normal_docker_images:
|
|
- context: playbooks/registry/docker
|
|
repository: downstream/image
|
|
_arch_docker_images:
|
|
- context: playbooks/registry/docker
|
|
repository: downstream/image
|
|
arch: ['linux/amd64', 'linux/arm64']
|
|
docker_images: "{{ multiarch | ternary(_arch_docker_images, _normal_docker_images) }}"
|
|
container_images: "{{ docker_images }}"
|
|
|
|
# And finally an external verification step.
|
|
|
|
- hosts: executor
|
|
name: Test that the newly built image was pushed to the intermediate registry
|
|
tasks:
|
|
- name: Include intermediate registry vars
|
|
include_vars: vars/intermediate-registry-auth.yaml
|
|
- name: Fetch intermediate registry catalog
|
|
uri:
|
|
url: "https://{{ intermediate_registry.host }}:{{ intermediate_registry.port }}/v2/_catalog"
|
|
validate_certs: false
|
|
user: "{{ intermediate_registry.username }}"
|
|
password: "{{ intermediate_registry.password }}"
|
|
register: catalog
|
|
- name: Verify newly built image is in intermediate registry catalog
|
|
assert:
|
|
that: "'downstream/image' in catalog.json.repositories"
|