Skip to content

Commit 755b73a

Browse files
jlebonjlebon
committed
jobs/build-node-image: label images with manifest list tag
ART needs to be able to, from an x86_64 nightly, derive an s390x version of it. They used to be able to do this before the layering work by looking at the build ID, but now the source of truth is the manifest list, which is a moving target. Enable this by adding the manifest list tag to all the built images. This feels like a layering violation of course. I think the more appropriate fix for this is to better keep track of the manifest lists used from the start when building arch-specific nightlies, but for now at least let's not break current workflows. And anyway, all this will have to be reworked for Konflux.
1 parent 912e3ce commit 755b73a

1 file changed

Lines changed: 22 additions & 2 deletions

File tree

jobs/build-node-image.Jenkinsfile

Lines changed: 22 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -68,6 +68,17 @@ lock(resource: "build-node-image") {
6868
def timestamp = now.format(java.time.format.DateTimeFormatter.ofPattern("yyyyMMddHHmm"))
6969
def (registry_staging_repo, registry_staging_tags, registry_prod_repo, registry_prod_tags) = pipeutils.get_ocp_node_registry_repo(pipecfg, params.RELEASE, timestamp)
7070

71+
// Get the tag that's unique
72+
def unique_tag = ""
73+
for (tag in registry_prod_tags) {
74+
if (tag.contains(timestamp)) {
75+
if (unique_tag != "") {
76+
error("Multiple unique tags found: ${registry_prod_tags}")
77+
}
78+
unique_tag = tag
79+
}
80+
}
81+
7182
// `staging_tags` is a list to stay consistent with the `prod` objects,
7283
// but we only need a single tag here since it's used solely for storing
7384
// intermediary images before they are referenced in a multi-arch manifest.
@@ -93,6 +104,11 @@ lock(resource: "build-node-image") {
93104
stage('Build Node Image') {
94105
withCredentials([file(credentialsId: 'oscontainer-push-registry-secret', variable: 'REGISTRY_AUTH_FILE')]) {
95106
def build_from = params.FROM ?: stream_info.from
107+
def label_args = []
108+
if (unique_tag != "") {
109+
label_args = ["--label", "coreos.build.manifest-list-tag=${unique_tag}"]
110+
}
111+
96112
node_image_manifest_digest = pipeutils.build_and_push_image(arches: arches,
97113
src_commit: commit,
98114
src_url: src_config_url,
@@ -102,13 +118,17 @@ lock(resource: "build-node-image") {
102118
secret: "id=yumrepos,src=${yumrepos_file}", // notsecret (for secret scanners)
103119
from: build_from,
104120
v2s2: v2s2,
105-
extra_build_args: ["--security-opt label=disable", "--mount-host-ca-certs", "--force"])
121+
extra_build_args: ["--security-opt label=disable", "--mount-host-ca-certs", "--force"] + label_args)
106122
}
107123
}
108124
stage('Build Extensions Image') {
109125
withCredentials([file(credentialsId: 'oscontainer-push-registry-secret', variable: 'REGISTRY_AUTH_FILE')]) {
110126
// Use the node image as from
111127
def build_from = "${registry_staging_repo}@${node_image_manifest_digest}"
128+
def label_args = []
129+
if (unique_tag != "") {
130+
label_args = ["--label", "coreos.build.manifest-list-tag=${unique_tag}-extensions"]
131+
}
112132
extensions_image_manifest_digest = pipeutils.build_and_push_image(arches: arches,
113133
src_commit: commit,
114134
src_url: src_config_url,
@@ -119,7 +139,7 @@ lock(resource: "build-node-image") {
119139
from: build_from,
120140
v2s2: v2s2,
121141
extra_build_args: ["--security-opt label=disable", "--mount-host-ca-certs",
122-
"--git-containerfile", "extensions/Dockerfile", "--force"])
142+
"--git-containerfile", "extensions/Dockerfile", "--force"] + label_args)
123143
}
124144
}
125145
stage("Release Manifests") {

0 commit comments

Comments
 (0)