cyberark / conjur

CyberArk Conjur automatically secures secrets used by privileged users and machine identities
https://conjur.org

Push edge image to Dockerhub on every successful master build #1617

Closed aloncarmel111 closed 3 years ago

aloncarmel111 commented 4 years ago

Currently, only release versions are pushed to Dockerhub. When users/components pull the latest tag, they pull the latest release, not the head of master. We can add a step to our pipeline to create an edge tag and push the image on every build. The benefit of using this tag: we have a lot of components consuming the Conjur old release or latest version from Dockerhub and we don't want to wait until release time to determine the impact of changes.

orenbm commented 4 years ago

Thanks for getting this @aloncarmel111 ! I actually thought of doing this about a week ago. Currently we push the latest image on every green build to our internal repo, and push to Dockerhub on official releases.

Before you go and change this behaviour I would like to get some thoughts from @cyberark/conjur-core-team on why they chose to do this. Do we want the latest image on Dockerhub to be the latest released or latest green master build?

izgeri commented 4 years ago

here are some thoughts that I have:

there are big benefits to our test suite of publishing the latest tag on every master build. doing this means we’d have our integration tests run against the conjur master build instead of waiting for tags, and we'd get earlier feedback if something on master was breaking an integration (though, ideally, we're using the feedback that we get now to improve the test suite in this repo to catch these issues as early as possible).

on the other hand, it might be a degraded experience for end users if there’s additional testing that we do (or should do) before tags, like validating the upgrade process. now, maybe users maintaining conjur and managing its upgrade process will specify the tags and not pull from latest as a rule, but since we provide no clear instructions on this yet I have low confidence that we can expect users to operate conjur this way.

in sum, I'm not totally opposed to adding this ability (push to latest on master build). but I think if we do it, it will require clearer documentation for consumers on what each image tag means and how we recommend they use them. which is a good idea for us to do regardless of the decision we make here.

aloncarmel111 commented 4 years ago

what about creating an edge tag containing the head of master and pushing it on every green build?

izgeri commented 4 years ago

actually, thinking about this more I like the idea of having master push an edge image to dockerhub with every master build. then we can update downstream integration tests to pull and run this image.

what does everyone else think? if this sounds good, can the acceptance criteria for this card be:

We can split these out into separate issues if we need to, but I think this is the set of things I'd like to see done as part of this.

sgnn7 commented 4 years ago

I like the edge approach too but we need a somewhat better setup for splitting the risk profiles in a more fine-grained way, so maybe we need:

izgeri commented 4 years ago

I 100% agree Srdjan - I'd love to see stable for the solid versions. maybe the suite release should update the stable conjur image?
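The tag policy the thread converges on (release builds own the version tag and latest, green master builds own edge, everything else publishes nothing), written out as an added CI-step example that is not the Conjur project's own pipeline code; the image name, the input conventions (branch name and git tag on HEAD) and the dry-run flag are assumptions for illustration:

```shell
#!/bin/sh
# Added example, not Conjur's own CI: decide which Docker Hub tags a green
# build is allowed to publish, so that consumers pulling "latest" always get
# a released build while integration tests can track master via "edge".
# Assumed inputs: $1 = branch name, $2 = git tag on HEAD ("" if none).

IMAGE="cyberark/conjur"   # assumed image name, for illustration only

tags_for_build() {
  branch="$1"
  git_tag="$2"
  case "$git_tag" in
    v[0-9]*.[0-9]*.[0-9]*)
      # Release build: publish the version tag (leading "v" stripped) and latest
      printf '%s %s\n' "${git_tag#v}" latest
      return 0
      ;;
  esac
  if [ "$branch" = "master" ]; then
    # Head of master: edge only, never latest or a version tag
    printf 'edge\n'
    return 0
  fi
  # Feature branches and PR builds: nothing is published to Docker Hub
  return 1
}

publish() {
  branch="$1"; git_tag="$2"; dry_run="${3:-1}"
  tags=$(tags_for_build "$branch" "$git_tag") || {
    echo "nothing to publish for branch '$branch'"
    return 0
  }
  for t in $tags; do
    if [ "$dry_run" = 1 ]; then
      echo "would push $IMAGE:$t"
    else
      # Assumes the build already produced $IMAGE:local
      docker tag "$IMAGE:local" "$IMAGE:$t" && docker push "$IMAGE:$t"
    fi
  done
}
```

Run as `publish "$GIT_BRANCH" "$(git describe --exact-match --tags 2>/dev/null)"` from a CI step that only executes after the test stage has passed; drop the dry-run default once the tag mapping is agreed.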