Add intermediate registry push/pull roles

Change-Id: Ie2554005f924d2736d1f1fd1c51cfd5ca9e09199
Depends-On: https://review.openstack.org/634825

roles/pull-from-intermediate-registry/README.rst

@@ -0,0 +1,62 @@
+Pull artifacts from the intermediate registry
+
+This role will pull any artifacts built for changes ahead of this
+change which have been placed in an intermediate registry into the
+buildset registry for this buildset.
+
+Run this in a trusted pre-playbook at the start of a job (which, in
+the case of multiple dependent jobs in a buildset, should be at the
+root of the job dependency graph).
+
+This requires the :zuul:role:`run-buildset-registry` role already
+applied.  It also requires an externally managed "intermediate"
+registry operating for the use of Zuul, and it requires "skopeo" to be
+installed on the Zuul executors.
+
+**Role Variables**
+
+.. zuul:rolevar:: buildset_registry
+
+   Information about the registry, as returned by
+   :zuul:role:`run-buildset-registry`.
+
+   .. zuul:rolevar:: host
+
+      The host (IP address) of the registry.
+
+   .. zuul:rolevar:: port
+
+      The port on which the registry is listening.
+
+   .. zuul:rolevar:: username
+
+      The username used to access the registry via HTTP basic auth.
+
+   .. zuul:rolevar:: password
+
+      The password used to access the registry via HTTP basic auth.
+
+   .. zuul:rolevar:: cert
+
+      The (self-signed) certificate used by the registry.
+
+.. zuul:rolevar:: intermediate_registry
+
+   Information about the registry.  This is expected to be provided as
+   a secret.
+
+   .. zuul:rolevar:: host
+
+      The host (IP address) of the registry.
+
+   .. zuul:rolevar:: port
+
+      The port on which the registry is listening.
+
+   .. zuul:rolevar:: username
+
+      The username used to access the registry via HTTP basic auth.
+
+   .. zuul:rolevar:: password
+
+      The password used to access the registry via HTTP basic auth.

roles/pull-from-intermediate-registry/tasks/main.yaml

@@ -0,0 +1,10 @@
+- name: Pull artifact from intermediate registry
+  command: >-
+    skopeo copy
+    --src-creds={{ intermediate_registry.username }}:{{ intermediate_registry.password }}
+    --dest-creds={{ buildset_registry.username }}:{{ buildset_registry.password }}
+    {{ item.url }}
+    docker://{{ buildset_registry.host }}:{{ buildset_registry.port }}/{{ item.metadata.repository }}:{{ item.metadata.tag }}
+  when: "item.metadata.type | default('') == 'container_image'"
+  loop: "{{ zuul.artifacts }}"
+  no_log: true

roles/push-to-intermediate-registry/README.rst

@@ -0,0 +1,75 @@
+Push artifacts to the intermediate registry
+
+This role will push any images built by
+:zuul:role:`build-docker-image` into an intermediate registry.
+
+Run this in a trusted post-playbook at the end of a job after the
+image build.
+
+This requires the :zuul:role:`run-buildset-registry` role already
+applied.  It also requires an externally managed "intermediate"
+registry operating for the use of Zuul, and it requires "skopeo" to be
+installed on the Zuul executors.
+
+**Role Variables**
+
+.. zuul:rolevar:: buildset_registry
+
+   Information about the registry, as returned by
+   :zuul:role:`run-buildset-registry`.
+
+   .. zuul:rolevar:: host
+
+      The host (IP address) of the registry.
+
+   .. zuul:rolevar:: port
+
+      The port on which the registry is listening.
+
+   .. zuul:rolevar:: username
+
+      The username used to access the registry via HTTP basic auth.
+
+   .. zuul:rolevar:: password
+
+      The password used to access the registry via HTTP basic auth.
+
+   .. zuul:rolevar:: cert
+
+      The (self-signed) certificate used by the registry.
+
+.. zuul:rolevar:: intermediate_registry
+
+   Information about the registry.  This is expected to be provided as
+   a secret.
+
+   .. zuul:rolevar:: host
+
+      The host (IP address) of the registry.
+
+   .. zuul:rolevar:: port
+
+      The port on which the registry is listening.
+
+   .. zuul:rolevar:: username
+
+      The username used to access the registry via HTTP basic auth.
+
+   .. zuul:rolevar:: password
+
+      The password used to access the registry via HTTP basic auth.
+
+.. zuul:rolevar:: docker_images
+   :type: list
+
+   A list of images built.  Each item in the list should have:
+
+   .. zuul:rolevar:: repository
+
+      The name of the target repository for the image.
+
+   .. zuul:rolevar:: tags
+      :type: list
+      :default: ['latest']
+
+      A list of tags to be added to the image.

roles/push-to-intermediate-registry/tasks/main.yaml

@@ -0,0 +1,5 @@
+- name: Push image to intermediate registry
+  include_tasks: push.yaml
+  loop: docker_images
+  loop_control:
+    loop_var: image

roles/push-to-intermediate-registry/tasks/push.yaml

@@ -0,0 +1,26 @@
+- name: Push tag to intermediate registry
+  command: >-
+    skopeo copy
+    --src-creds={{ buildset_registry.username }}:{{ buildset_registry.password }}
+    --dest-creds={{ intermediate_registry.username }}:{{ intermediate_registry.password }}
+    docker://{{ buildset_registry.host }}:{{ buildset_registry.port }}/{{ image.repository }}:{{ image_tag }}
+    docker://{{ intermediate_registry.hostname }}:{{ intermediate_registry.port}}/{{ image.repository }}:{{ zuul.build }}_{{ image_tag}}
+  loop: "{{ image.tags }}"
+  loop_control:
+    loop_var: image_tag
+  no_log: true
+
+- name: Return artifact to Zuul
+  zuul_return:
+    data:
+      zuul:
+        artifacts:
+          "image_{{ image.repository }}:{{ image_tag }}":
+            url: "docker://{{ intermediate_registry.hostname }}:{{ intermediate_registry.port}}/{{ image.repository }}:{{ zuul.build }}_{{ image_tag}}"
+            metadata:
+              type: container_image
+              repository: "{{ image.repository }}"
+              tag: "{{ image_tag }}"
+  loop: "{{ image.tags }}"
+  loop_control:
+    loop_var: image_tag