From 25acfdfffc244d4e250b6963ba338ea053bb86c9 Mon Sep 17 00:00:00 2001
From: Dusty Mabe <dusty@dustymabe.com>
Date: Mon, 1 May 2023 13:57:48 -0400
Subject: [PATCH] config: add container image tags to push to and drop
 add_build_tags

This commit updates the config to be able to specify which tags to
push to inside the registry_repos definition. For example, we went
from:

  oscontainer: quay.io/fedora/fedora-coreos

to:

  oscontainer:
    repo: quay.io/fedora/fedora-coreos
    tags: ["${STREAM}"]

This allows us to do things like embed any needed "tag_suffix" in
the config rather than in the code. i.e. downstream now our extensions
container entry will look like:

  extensions:
    repo: quay.io/openshift-release-dev/ocp-v4.0-art-dev
    tags: ["${STREAM}-extensions", "${VERSION}-extensions"]

It also means we can now get rid of the `add_build_tag` hack that
we had in the past.
---
 config.yaml              |  8 ++++++--
 docs/config.yaml         | 43 ++++++++++++++++++++++++++--------------
 jobs/release.Jenkinsfile | 28 ++++++++++----------------
 utils.groovy             | 22 +++++++++++++++++++-
 4 files changed, 65 insertions(+), 36 deletions(-)

diff --git a/config.yaml b/config.yaml
index 7c33dd086..cb0d7f8db 100644
--- a/config.yaml
+++ b/config.yaml
@@ -42,8 +42,12 @@ s3:
   acl: public-read
 
 registry_repos:
-  oscontainer: quay.io/fedora/fedora-coreos
-  kubevirt: quay.io/fedora/fedora-coreos-kubevirt
+  oscontainer:
+    repo: quay.io/fedora/fedora-coreos
+    tags: ["${STREAM}"]
+  kubevirt:
+    repo: quay.io/fedora/fedora-coreos-kubevirt
+    tags: ["${STREAM}"]
 
 versionary_hack: true
 
diff --git a/docs/config.yaml b/docs/config.yaml
index db656f71b..0473ffa54 100644
--- a/docs/config.yaml
+++ b/docs/config.yaml
@@ -72,8 +72,10 @@ streams:
           - vmware
       # OPTIONAL: stream-specific container repos to push to
       additional_registry_repos:
-        oscontainer_old: registry.ci.openshift.org/rhcos-devel/machine-os-oci-content
-        legacy_oscontainer_old: registry.ci.openshift.org/rhcos-devel/machine-os-content
+        oscontainer_old:
+          repo: registry.ci.openshift.org/rhcos-devel/machine-os-oci-content
+        legacy_oscontainer_old:
+          repo: registry.ci.openshift.org/rhcos-devel/machine-os-content
       # OPTIONAL: override default coreos-assembler image to build with
       cosa_img: quay.io/coreos-assembler/coreos-assembler:stable
       # OPTIONAL/TEMPORARY: Override default coreos-assembler image to use for
@@ -112,20 +114,31 @@ s3:
 
 # OPTIONAL: container registry-related keys
 registry_repos:
-  # OPTIONAL: repo to which to push oscontainer
-  oscontainer: quay.io/fedora/fedora-coreos
+  # OPTIONAL: repo and tags to which to push oscontainer
+  oscontainer:
+    # REQUIRED: repo name
+    repo: quay.io/fedora/fedora-coreos
+    # REQUIRED: list of tags to create/overwrite when pushing
+    #           STREAM and VERSION are supported for templating
+    tags: ["${STREAM}"]
   # OPTIONAL/TEMPORARY: additional repo to which to push oscontainer
-  oscontainer_old: quay.io/coreos-assembler/fcos
-  # OPTIONAL: repo to which to push legacy oscontainer
-  legacy_oscontainer: quay.io/openshift-release-dev/rhel-coreos-dev
-  # OPTIONAL/TEMPORARY: additional repo to which to push oscontainer
-  legacy_oscontainer_old: registry.ci.openshift.org/rhcos/rhel-coreos
-  # OPTIONAL: repo to which to push the extensions container
-  extensions: quay.io/openshift-release-dev/rhel-coreos-extensions-dev
-  # OPTIONAL: repo to which to push kubevirt containerdisk container
-  kubevirt: quay.io/fedora/fedora-coreos-kubevirt
-  # OPTIONAL: whether to also tag images with build ID
-  add_build_tag: true
+  oscontainer_old:
+    repo: quay.io/coreos-assembler/fcos
+  # OPTIONAL: repo and tags to which to push legacy oscontainer
+  legacy_oscontainer:
+    repo: quay.io/openshift-release-dev/rhel-coreos-dev
+    tags: ["${STREAM}-legacy", "${VERSION}-legacy"]
+  # OPTIONAL/TEMPORARY: additional repo to which to push legacy oscontainer
+  legacy_oscontainer_old:
+    repo: registry.ci.openshift.org/rhcos/rhel-coreos
+  # OPTIONAL: repo and tags to which to push the extensions container
+  extensions:
+    repo: quay.io/openshift-release-dev/rhel-coreos-extensions-dev
+    tags: ["${STREAM}-extensions", "${VERSION}-extensions"]
+  # OPTIONAL: repo and tags to which to push kubevirt containerdisk container
+  kubevirt:
+    repo: quay.io/fedora/fedora-coreos-kubevirt
+    tags: ["${STREAM}"]
   # OPTIONAL: whether to push in v2s2 format rather than OCI
   v2s2: true
 
diff --git a/jobs/release.Jenkinsfile b/jobs/release.Jenkinsfile
index 0e486aa1e..dd98f5cb0 100644
--- a/jobs/release.Jenkinsfile
+++ b/jobs/release.Jenkinsfile
@@ -196,7 +196,8 @@ lock(resource: "release-${params.STREAM}", extra: locks) {
             }
         }
 
-        def registry_repos = pipeutils.get_registry_repos(pipecfg, params.STREAM)
+        def registry_repos = pipeutils.get_registry_repos(
+                                pipecfg, params.STREAM, params.VERSION)
 
         // [config.yaml name -> [meta.json artifact name, meta.json toplevel name, tag suffix]]
         // The config.yaml name is the name used in the `registry_repos` object. The
@@ -206,10 +207,10 @@ lock(resource: "release-${params.STREAM}", extra: locks) {
         // could be made configurable in the future. For now since FCOS doesn't need it and
         // OCP ART doesn't actually care what the tag name is (it's just to stop GC), we
         // hardcode it.
-        def push_containers = ['oscontainer': ['ostree', 'base-oscontainer', ''],
-                               'kubevirt': ['kubevirt', 'kubevirt', ''],
-                               'extensions': ['extensions-container', 'extensions-container', '-extensions'],
-                               'legacy_oscontainer': ['legacy-oscontainer', 'oscontainer', '-legacy']]
+        def push_containers = ['oscontainer': ['ostree', 'base-oscontainer'],
+                               'kubevirt': ['kubevirt', 'kubevirt'],
+                               'extensions': ['extensions-container', 'extensions-container'],
+                               'legacy_oscontainer': ['legacy-oscontainer', 'oscontainer']]
 
         // XXX: hack: on releases that don't support pushing the
         // base-oscontainer, remove it from the list.
@@ -239,19 +240,10 @@ lock(resource: "release-${params.STREAM}", extra: locks) {
                 parallel push_containers.collectEntries{configname, val -> [configname, {
                     withCredentials([file(variable: 'REGISTRY_SECRET',
                                           credentialsId: 'oscontainer-push-registry-secret')]) {
-                        def repo = registry_repos[configname]
-                        def (artifact, metajsonname, tag_suffix) = val
-                        if (pipecfg.hotfix) {
-                            // this is a hotfix build; include the hotfix name
-                            // in the tag suffix so we don't clobber official
-                            // tags
-                            tag_suffix += "-hotfix-${pipecfg.hotfix.name}"
-                        }
+                        def repo = registry_repos[configname]['registry']
+                        def (artifact, metajsonname) = val
+                        def tag_args = registry_repos[configname].tags.collect{"--tag=$it"}
                         def v2s2_arg = registry_repos.v2s2 ? "--v2s2" : ""
-                        def tag_args = ["--tag=${params.STREAM}${tag_suffix}"]
-                        if (registry_repos.add_build_tag) {
-                            tag_args += "--tag=${params.VERSION}${tag_suffix}"
-                        }
                         shwrap("""
                         export STORAGE_DRIVER=vfs # https://github.com/coreos/fedora-coreos-pipeline/issues/723#issuecomment-1297668507
                         cosa push-container-manifest --auth=\${REGISTRY_SECRET} \
@@ -260,7 +252,7 @@ lock(resource: "release-${params.STREAM}", extra: locks) {
                             --build=${params.VERSION} ${v2s2_arg}
                         """)
 
-                        def old_repo = registry_repos["${configname}_old"]
+                        def old_repo = registry_repos."${configname}_old"?.repo
                         if (old_repo) {
                             // a separate credential for the old location is optional; we support it
                             // being merged as part of oscontainer-push-registry-secret
diff --git a/utils.groovy b/utils.groovy
index 6bcb8e262..3a38a8163 100644
--- a/utils.groovy
+++ b/utils.groovy
@@ -417,10 +417,30 @@ def build_artifacts(pipecfg, stream, basearch) {
     utils.runParallel(parallelruns, maxRuns)
 }
 
-def get_registry_repos(pipecfg, stream) {
+def get_registry_repos(pipecfg, stream, version) {
     def registry_repos = pipecfg.registry_repos ?: [:]
     // merge top-level registry_repos with stream-specific bits
     registry_repos += pipecfg.streams[stream].additional_registry_repos ?: [:]
+    for (repo in (registry_repos.keySet() as List)) {
+        if (repo == 'v2s2') {
+            // this is a boolean option, not a registry repo
+            continue
+        }
+        if (registry_repos[repo].tags) {
+            def processed_tags = []
+            for (tag in registry_repos."${repo}".tags) {
+                tag = utils.substituteStr(tag, [STREAM: stream, VERSION: version])
+                if (pipecfg.hotfix) {
+                    // this is a hotfix build; include the hotfix name
+                    // in the tag suffix so we don't clobber official
+                    // tags
+                    tag += "-hotfix-${pipecfg.hotfix.name}"
+                }
+                processed_tags += tag
+            }
+            registry_repos[repo]['tags'] = processed_tags
+        }
+    }
     return registry_repos
 }