release: Copy oscontainer to quay.io

This is a bit hacky but should work.  My initial goal here
is just automated uploads of our builds, so that we can
start getting a better feel for managing "ostree-in-container"
releases.

We should sync to `quay.io/coreos` but that needs someone to set that up.

Also, I'd like to make the destination configurable in the same
way as the S3 bucket, proposal PR in coreos/fedora-coreos-config#1175

Closes: coreos#359

HACKING.md

@@ -218,6 +218,13 @@ uuidgen -r > secret
 oc create secret generic github-webhook-shared-secret --from-file=secret
 ```
 
+### [PROD] Create quay.io image push secret
+
+This secret is used to push the resulting OCI image to Quay.io
+
+1. Obtain the file `oscontainer-secret` from BitWarden.
+2. Run: `$ oc create secret generic oscontainer-secret --from-file=dockercfg=oscontainer-secret`.
+
 ### Create a Jenkins instance with a persistent volume backing store
 
 ```

Jenkinsfile.release

@@ -60,6 +60,10 @@ echo "Final podspec: ${pod}"
 // use a unique label to force Kubernetes to provision a separate pod per run
 def pod_label = "cosa-${UUID.randomUUID().toString()}"
 
+// Destination for OCI image push
+// TODO: Change this to quay.io/fedora/coreos per https://fedoraproject.org/wiki/Changes/OstreeNativeContainer
+def quay_registry = "quay.io/coreos-assembler/fcos"
+
 // We just lock here out of an abundance of caution in case somehow two release
 // jobs run for the same stream, but that really shouldn't happen. Anyway, if it
 // *does*, this makes sure they're run serially.
@@ -83,11 +87,19 @@ podTemplate(cloud: 'openshift', label: pod_label, yaml: pod) {
             shwrap("""
             export AWS_CONFIG_FILE=\${AWS_FCOS_BUILDS_BOT_CONFIG}
             cosa init --branch ${params.STREAM} https://github.com/coreos/fedora-coreos-config
-            cosa buildfetch --build=${params.VERSION} \
+            cosa buildfetch --artifact=ostree --build=${params.VERSION} \
                 --arch=all --url=s3://${s3_stream_dir}/builds
             """)
         }
 
+        stage('Sync oscontainer to quay.io') {
+            withCredentials([file(credentialsId: 'oscontainer-secret', variable: 'OSCONTAINER_SECRET')]) {
+                shwrap("""
+                skopeo copy --authfile="${OSCONTAINER_SECRET}" "oci-archive://\$(cosa meta --image-path ostree)" "docker://${quay_registry}:${params.STREAM}"
+                """)
+            }
+        }
+
         for (basearch in params.ARCHES.split()) {
             def meta_json = "builds/${params.VERSION}/${basearch}/meta.json"
             def meta = readJSON file: meta_json

jenkins/config/oscontainer-secret.yaml

@@ -0,0 +1,13 @@
+credentials:
+  system:
+    domainCredentials:
+      - credentials:
+        - file:
+            scope: GLOBAL
+            fileName: oscontainer-secret
+            id: oscontainer-secret
+            # Secret must be base64-encoded
+            # See: https://github.com/jenkinsci/configuration-as-code-plugin/issues/884
+            secretBytes: "${base64:${oscontainer-secret/dockerconfig}}"
+            description: Push secret for quay.io/coreos-assembler/fcos
+

manifests/jenkins.yaml

@@ -138,6 +138,9 @@ objects:
           - name: fcos-aarch64-builder
             mountPath: /var/run/secrets/fcos-aarch64-builder
             readOnly: true
+          - name: oscontainer-secret
+            mountPath: /var/run/secrets/oscontainer-secret
+            readOnly: true
         dnsPolicy: ClusterFirst
         restartPolicy: Always
         serviceAccountName: ${JENKINS_SERVICE_NAME}
@@ -173,6 +176,10 @@ objects:
           secret:
             secretName: fcos-aarch64-builder
             optional: true
+        - name: oscontainer-secret
+          secret:
+            secretName: oscontainer-secret
+            optional: true
     triggers:
     - imageChangeParams:
         automatic: true