Page MenuHomePhabricator

[tbs] fix/improve the updating of the buildpack/tekton images in the local repo
Closed, ResolvedPublic5 Estimated Story Points

Description

Currently we have a cookbook wmcs.toolforge.buildservice.upload_images_to_repo that updates the images of lifecycle,
builder and tekton related to the given tags, but there's the distroless/base one that does not use a tag, but sha,
for which we need back the sha of the uploaded image before we can create the commit in the buildservice repo to pull
that sha, but that only happens after pushing the image.

So this task is to somehow give back a summary of what is it that you have to patch in the bulidservice repo to get the
newly updated images working.

Event Timeline

Hello @dcaro , playing around a bit with the cookbook cookbooks/wmcs/toolforge/buildservice/upload_images_to_repo.py with @fnegri , we found out that the hash of the updated distroless image is already being printed to the command line, and the file buildservice/deploy/base-tekton/tekton-pipelines-controller-patch.json is already embedding the docker-registry.tools.wmflabs.org/toolforge-distroless-base@sha256:eebb155bd1116e3b67e2ce43244f9c9958df0cbb75a84c231565fae2ed87c9f4 image. To update, we only need to change the hash of the image above to the current value. This task is about improving this process, but it's unclear what improvement means in this case.

  1. Are we to research and find a way to make it possible that we no longer need to manually change the hash in the buildservice repo?
  2. Or are we to make make changes to the cookbook to somehow make it clearer that the hash being printed to the commandline for the docker push command should be copied and manually added to the buildservice repo?

Hello @dcaro , playing around a bit with the cookbook cookbooks/wmcs/toolforge/buildservice/upload_images_to_repo.py with @fnegri , we found out that the hash of the updated distroless image is already being printed to the command line, and the file buildservice/deploy/base-tekton/tekton-pipelines-controller-patch.json is already embedding the docker-registry.tools.wmflabs.org/toolforge-distroless-base@sha256:eebb155bd1116e3b67e2ce43244f9c9958df0cbb75a84c231565fae2ed87c9f4 image. To update, we only need to change the hash of the image above to the current value. This task is about improving this process, but it's unclear what improvement means in this case.

  1. Are we to research and find a way to make it possible that we no longer need to manually change the hash in the buildservice repo?

This is out of the original scope of the task, but if you want to try to tackle it you are welcome to :), it might get tricky as we don't really have yet anything like that.

  1. Or are we to make make changes to the cookbook to somehow make it clearer that the hash being printed to the commandline for the docker push command should be copied and manually added to the buildservice repo?

This was the original scope yep, maybe just printing a message like:

Don't forget to update the file `buildservice/deploy/base-tekton/tekton-pipelines-controller-patch.json` in the bulidservice repo with the contents:
----
<...>
docker-registry.tools.wmflabs.org/toolforge-distroless-base@sha256:<new_hash>
<...>
----

or similar

Ok I think it's clear now, thank you!

Change 859582 had a related patch set uploaded (by Raymond Ndibe; author: Raymond Ndibe):

[operations/cookbooks@wmcs] cookbooks: print out instructions on next step after updating the buildpack/tekton images in the local repo

https://gerrit.wikimedia.org/r/859582

Change 859582 merged by jenkins-bot:

[operations/cookbooks@wmcs] cookbooks: print out instructions on next step after updating the buildpack/tekton images in the local repository

https://gerrit.wikimedia.org/r/859582