Add delivery stage

[avisiedo]

Add delivery stage that:

• Push master branch images as: quay.io/freeipa/freeipa-openshift-container/freeipa-openshift-container:\
• push other branches and pull requests as: quay.io/freeipa/freeipa-openshift-container/freeipa-openshift-container:\-\

https://quay.io/repository/freeipa/freeipa-openshift-container

[frasertweedale]

Travis is not happy; seems to be something about the workspaces key in .travis.yml: https://travis-ci.org/github/freeipa/freeipa-openshift-container/jobs/721212239/config.

[avisiedo]

It is very odd. The same pipeline works perfectly here: https://travis-ci.org/github/avisiedo/freeipa-openshift-container/builds/721412482

But it is not working for the PR. I have double checked the secrets several times, and everything looks good.

I have detected something odd in the log output, and looks like some lines are trimmed missing information (such as the arg --passwd-stdin when doing docker login command). This evoke to fail when the image is pushed as docker was not logged in at quay.io properly. Trying different approaches to see if something works. It seems a bug in travis-ci, unless I am missing something.

---

Here the odd output:

$docker load -i local-freeipa-server-$dockerfile.tar
echo "$DOCKER_PASSWORD" | $docker login -u "$DOCKER_USERNAME" --password-stdin "${IMAGE_TAG_BASE%%/*}"
# [ -e $HOME/.docker ] || mkdir -p $HOME/.docker
# cat > $HOME/.docker/config.json <<EOF
# {
#   "auths": {
#     "${IMAGE_TAG_BASE%%/*}": {
#       "auth": "$( echo -n "${DOCKER_USERNAME}:${DOCKER_PASSWORD}" | base64 --wrap=0 )",
#       "email": ""
#     }
#   }
# }
# EOF
set -x
if [ "${TRAVIS_BRANCH}" == "master" ] && [ "${TRAVIS_EVENT_TYPE}" != "pull_request" ]
then
  export FINAL_TAG="${IMAGE_TAG_BASE}:${dockerfile}"
else
  export GIT_HASH="$( git rev-parse HEAD 2>/dev/null )"
  export FINAL_TAG="${IMAGE_TAG_BASE}:${dockerfile}-${GIT_HASH}"
fi
$docker tag local/freeipa-server:${dockerfile} ${FINAL_TAG} || exit $?
$docker --log-level debug push ${FINAL_TAG} || exit $?
age: local/freeipa-server:fedora-32
Must provide --username with --password-stdin
++'[' master == master ']'
++'[' pull_request '!=' pull_request ']'
+++git rev-parse HEAD
++export GIT_HASH=9976e93f1f0e9c4cc40fb5aa86f51a482e6952fa
++GIT_HASH=9976e93f1f0e9c4cc40fb5aa86f51a482e6952fa
++export FINAL_TAG=quay.io/freeipa/freeipa-openshift-container:fedora-32-9976e93f1f0e9c4cc40fb5aa86f51a482e6952fa
++FINAL_TAG=quay.io/freeipa/freeipa-openshift-container:fedora-32-9976e93f1f0e9c4cc40fb5aa86f51a482e6952fa
++docker tag local/freeipa-server:fedora-32 quay.io/freeipa/freeipa-openshift-container:fedora-32-9976e93f1f0e9c4cc40fb5aa86f51a482e6952fa
++docker --log-level debug push quay.io/freeipa/freeipa-openshift-container:fedora-32-9976e93f1f0e9c4cc40fb5aa86f51a482e6952fa
The push refers to repository [quay.io/freeipa/freeipa-openshift-container]

The line below:

age: local/freeipa-server:fedora-32

it should be this:

Loaded image: local/freeipa-server:fedora-32

And the line:

Must provide --username with --password-stdin

makes me thing that something wrong is happening that evoke to miss some parts of the input/outputs (a bug). Or more probably I am missing something, that I didn't see yet. (this explain the missed characters: https://travis-ci.community/t/missing-text-from-job-output-when-using-ansi-escape-sequences/9516).

• Trying to run every line without a block (one entry to the script per line, instead a unique block for all the lines to be executed), to see if that change something in the execution.

---

And this is the settings in travis-ci:

[avisiedo]

References to the last current executions in the pipelines:

• ERROR: this PR: https://travis-ci.org/github/freeipa/freeipa-openshift-container/builds/721607991
• SUCCESS: the source branch: https://travis-ci.org/github/avisiedo/freeipa-openshift-container/builds/721607938

[avisiedo]

I have modified the lint stage for making a quick test, and see what happens.

• I have set up for freeipa/freeipa-openshift-container travis-ci settings the varibles below:
  • secret MY_SECRET_VAR with value "this_is_my+secret" (or something like that)

  • public var MY_PUBLIC_VAR with value "this_is_my+public_value"

    travis-ci.org is not setting the secrets when running the steps for the PR as it can be seen here: https://travis-ci.org/github/freeipa/freeipa-openshift-container/jobs/721666706

Setting environment variables from repository settings
$ export IMAGE_TAG_BASE=quay.io/freeipa/freeipa-openshift-container
$ export MY_PUBLIC_VAR=this_is_my+public_value

---

The same in my personal repo look like the below here: https://travis-ci.org/github/avisiedo/freeipa-openshift-container/jobs/721666731

Setting environment variables from repository settings
$ export IMAGE_TAG_BASE=quay.io/avisied0/freeipa-openshift-container
$ export DOCKER_USERNAME=[secure]
$ export DOCKER_PASSWORD=[secure]
$ export MY_SECRET_VAR=[secure]
$ export MY_PUBLIC_VAR=this_is_my+public_var

[avisiedo]

Requested some help to travis-ci community here: https://travis-ci.community/t/secrets-are-not-imported-in-the-pipeline/9742

[avisiedo]

The situation that is happening is explained here: https://docs.travis-ci.com/user/pull-requests/#pull-requests-and-security-restrictions

The delivery stage is modified so it does nothing when running in a pull request. Thanks to travis-ci community to point that out.

[frasertweedale]

@avisiedo good work. Glad you got to the bottom of the issue and I'm happy with the resolution. Merging.

[avisiedo]

Thank you mate! :)