Step: ocm-ci-image-mirror

This workflow mirrors an image from the CI Registry to a given image ref.

Container image used for this step: open-cluster-management/builder:go1.16-linux

open-cluster-management/builder:go1.16-linux resolves to an image imported from the specified imagestream tag on the build farm (documentation).

Environment

In addition to the default environment, the step exposes the following:

Variable Name Type Variable Content
SOURCE_IMAGE_REF Dependency[?] Pull specification for src image
SECRETS_PATH Parameter[?] The directory where credentials will be mounted. (default: /secrets)
GITHUB_SECRET Parameter[?] The name of the kube secret that contains the GitHub token file. (default: acm-cicd-github)
GITHUB_SECRET_FILE Parameter[?] THe name of the file in GITHUB_SECRET containing the GitHub token. (default: token)
GITHUB_USER Parameter[?] The GitHub user name. (default: acm-cicd-prow-bot)
RELEASE_REPO Parameter[?] The GitHub repo where ACM release data is stored. Do not include the "https://" prefix or the ".git" suffix. (default: github.com/open-cluster-management/release)
RELEASE_REF Parameter[?] The branch name for the release in the RELEASE_REPO. Default is blank this should only be used when the IMAGE_REPO release branch doesn't match the release branch name in the RELEASE_REPO.
REGISTRY_SECRET Parameter[?] The name of the kube secret that contains the registry token file. (default: acm-cicd-quay-push)
REGISTRY_SECRET_FILE Parameter[?] The name of the file in REGSITRY_SECRET with the contents of the .docker/config.json file encoded in base64. (default: token)
REGISTRY_HOST Parameter[?] The hostname (and port) of the destination registry. (default: quay.io)
REGISTRY_ORG Parameter[?] The organization of the destination image reference. (default: open-cluster-management)
IMAGE_REPO Parameter[?] The repository name of the destination image reference. If blank, the COMPONENT_NAME file will be used.
IMAGE_TAG Parameter[?] The tag for the destination image reference. If blank, the tag for a presubmit will be <version>-PR<pull_num>-<commit_sha> and for a postsubmit will be <version>-<commit_sha>.

Source Code

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
#!/bin/bash

# This is to satisfy shellcheck SC2153
export RELEASE_REPO=${RELEASE_REPO}

export HOME=/tmp/home
mkdir -p "$HOME/.docker"
cd "$HOME" || exit 1

# log function
log_file="${ARTIFACT_DIR}/mirror.log"
log() {
    local ts
    ts=$(date --iso-8601=seconds)
    echo "$ts" "$@" | tee -a "$log_file"
}

# Setup GitHub credentials
GITHUB_TOKEN_FILE="$SECRETS_PATH/$GITHUB_SECRET/$GITHUB_SECRET_FILE"
log "Setting up git credentials."
if [[ ! -r "${GITHUB_TOKEN_FILE}" ]]; then
    log "ERROR GitHub token file missing or not readable: $GITHUB_TOKEN_FILE"
    exit 1
fi
GITHUB_TOKEN=$(cat "$GITHUB_TOKEN_FILE")
COMPONENT_REPO="github.com/${REPO_OWNER}/${REPO_NAME}"
{
    echo "https://${GITHUB_USER}:${GITHUB_TOKEN}@${COMPONENT_REPO}.git"
    echo "https://${GITHUB_USER}:${GITHUB_TOKEN}@${RELEASE_REPO}.git"
} >> ghcreds
git config --global credential.helper 'store --file=ghcreds'

# Set up repo URLs
component_url="https://${COMPONENT_REPO}.git"
release_url="https://${RELEASE_REPO}.git"

# Clone repos
component_dir="$HOME/component"
release_dir="$HOME/release"

git clone "$component_url" "$component_dir" || {
    log "ERROR Could not clone component repo $component_url"
    exit 1
}

git clone "$release_url" "$release_dir" || {
    log "ERROR Could not clone release repo $release_url"
    exit 1
}

# Determine current release branch
branch="${PULL_BASE_REF}"
log "INFO The base branch is $branch"

if [[ -n "$RELEASE_REF" ]]; then
    log "INFO RELEASE_REF variable is set. Using $RELEASE_REF as branch."
    branch="${RELEASE_REF}"
fi

if [[ "$branch" == "main" || "$branch" == "master" ]]; then
    log "INFO Base branch is either main or master."
    log "     Need to get current release branch from release repo at $RELEASE_REPO"
    branch=$(cat "${release_dir}/CURRENT_RELEASE")
    log "     Branch from CURRENT_RELEASE is $branch"
fi

# Validate release branch. We can only run on release-x.y branches.
if [[ ! ("$branch" =~ ^release-[0-9]+\.[0-9]+$ || "$branch" =~ ^backplane-[0-9]+\.[0-9]+$) ]]; then
    log "ERROR Branch $branch is not a release or backplane branch."
    log "      Base branch of PR must match release-x.y or backplane-x.y"
    exit 1
fi

# Get current Z-stream version
cd "$release_dir" || exit 1
git checkout "$branch" || {
    log "ERROR Could not checkout branch $branch in release repo"
    exit 1
}
release=$(cat "$release_dir/Z_RELEASE_VERSION")
log "INFO Z-stream version is $release"

# Get IMAGE_REPO if not provided
if [[ -z "$IMAGE_REPO" ]]; then
    log "INFO Getting destination image repo name from COMPONENT_NAME"
    IMAGE_REPO=$(cat "${component_dir}/COMPONENT_NAME")
    log "     Image repo from COMPONENT_NAME is $IMAGE_REPO"
fi
log "INFO Image repo is $IMAGE_REPO"

# Get IMAGE_TAG if not provided
if [[ -z "$IMAGE_TAG" ]]; then
    case "$JOB_TYPE" in
        presubmit)
            log "INFO Building default image tag for a $JOB_TYPE job"
            IMAGE_TAG="${release}-PR${PULL_NUMBER}-${PULL_PULL_SHA}"
            ;;
        postsubmit)
            log "INFO Building default image tag for a $JOB_TYPE job"
            IMAGE_TAG="${release}-${PULL_BASE_SHA}"
            ;;
        *)
            log "ERROR Cannot publish an image from a $JOB_TYPE job"
            exit 1
            ;;
    esac
fi
log "INFO Image tag is $IMAGE_TAG"

# Setup registry credentials
REGISTRY_TOKEN_FILE="$SECRETS_PATH/$REGISTRY_SECRET/$REGISTRY_SECRET_FILE"

if [[ ! -r "$REGISTRY_TOKEN_FILE" ]]; then
    log "ERROR Registry secret file not found: $REGISTRY_TOKEN_FILE"
    exit 1
fi

config_file="$HOME/.docker/config.json"
base64 -d < "$REGISTRY_TOKEN_FILE" > "$config_file" || {
    log "ERROR Could not base64 decode registry secret file"
    log "      From: $REGISTRY_TOKEN_FILE"
    log "      To  : $config_file"
}

# Build destination image reference
DESTINATION_IMAGE_REF="$REGISTRY_HOST/$REGISTRY_ORG/$IMAGE_REPO:$IMAGE_TAG"

log "INFO Mirroring Image"
log "     From: $SOURCE_IMAGE_REF"
log "     To  : $DESTINATION_IMAGE_REF"
oc image mirror "$SOURCE_IMAGE_REF" "$DESTINATION_IMAGE_REF" || {
    log "ERROR Unable to mirror image"
    exit 1
}

log "INFO Mirroring complete."

Properties

Property Value Description
Resource requests (cpu) 100m Used in .resources.requests of the pod running this step.
Resource requests (memory) 100Mi Used in .resources.requests of the pod running this step.

GitHub Link:

https://github.com/openshift/release/blob/master/ci-operator/step-registry/ocm/ci/image-mirror/ocm-ci-image-mirror-ref.yaml

Owners:

Approvers:

Source code for this page located on GitHub