
Use skopeo to perform server side only copy of container images

Description

Currently, the .docker-tag job pulls an image before tagging it, which creates unnecessary network overhead. We should refactor this job to use skopeo copy for server-side copying, eliminating the need to download and upload the same image layers.

Requirements

  • Replace current pull-and-tag workflow with skopeo copy
  • Implement secure authentication using skopeo login --password-stdin
  • Enable --dest-precompute-digests flag to avoid round trips
  • Enforce TLS verification with --dest-tls-verify flag
  • Support multi-architecture images using --multi-arch=all flag

Expected Benefits

  • Reduced network bandwidth usage
  • Faster tagging operations
  • Improved security with proper authentication and TLS verification
  • Maintained support for multi-architecture images

Implementation plan

The new flow will look something like the following. Further iteration will be needed.

.docker_tag:
  image: ${BUILD_IMAGES}/skopeo
  script:
    - skopeo -v
    - |
      if [ -n "$CS_DEPLOY_USERNAME" ] && [ -n "$CS_DEPLOY_PASSWORD" ] && [ -n "$IMAGE_TAG" ]; then
        echo "$CS_DEPLOY_PASSWORD" | skopeo login "$DEPLOY_REGISTRY" -u "$CS_DEPLOY_USERNAME" --password-stdin
      else
        echo "$CI_JOB_TOKEN" | skopeo login "$CI_REGISTRY" -u gitlab-ci-token --password-stdin
      fi
    - |
      # Quote every expansion so an unexpected value cannot split into extra arguments
      TARGET_IMAGE="$CI_REGISTRY_IMAGE:${IMAGE_TAG:-$CI_JOB_NAME}$IMAGE_TAG_POSTFIX"
      skopeo copy --multi-arch=all [REQUIRED_FLAGS] "docker://$SOURCE_IMAGE" "docker://$TARGET_IMAGE"

Note

It might be good to extract this into a separate script that can be tested with default variables. For example, there could be a skopeo_login, skopeo_tmp_deploy and a skopeo_prod_deploy script.


Description was generated using AI

Edited by Oscar Tovar
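
One way the script extraction suggested in the Note could look, as an added example that is not the project's own code. The function names, `COPY_FLAGS`, and the `SKOPEO` and `DOCKER_TAG_RUN` variables are hypothetical; the CI variables come from the job snippet and the flags from the Requirements list.

```shell
#!/bin/sh
# Added example: helper functions for the .docker_tag job (function names are hypothetical).

# Registry tags must match [A-Za-z0-9_][A-Za-z0-9._-]{0,127}. Reject anything else so a
# job name containing spaces, slashes or colons never ends up in the image reference.
valid_tag() {
  case "$1" in
    ''|[!A-Za-z0-9_]*|*[!A-Za-z0-9._-]*) return 1 ;;
  esac
  [ "${#1}" -le 128 ]
}

# Same rule as the job above: IMAGE_TAG, else CI_JOB_NAME, plus the optional postfix.
target_image() {
  tag="${IMAGE_TAG:-${CI_JOB_NAME:-}}${IMAGE_TAG_POSTFIX:-}"
  valid_tag "$tag" || { echo "invalid image tag: $tag" >&2; return 1; }
  printf '%s:%s\n' "$CI_REGISTRY_IMAGE" "$tag"
}

# Prints "<registry> <user> <name of the variable holding the secret>", never the secret.
login_target() {
  if [ -n "${CS_DEPLOY_USERNAME:-}" ] && [ -n "${CS_DEPLOY_PASSWORD:-}" ] && [ -n "${IMAGE_TAG:-}" ]; then
    printf '%s %s %s\n' "$DEPLOY_REGISTRY" "$CS_DEPLOY_USERNAME" CS_DEPLOY_PASSWORD
  else
    printf '%s %s %s\n' "$CI_REGISTRY" gitlab-ci-token CI_JOB_TOKEN
  fi
}

# Flags from the Requirements list, with TLS verification spelled out explicitly.
COPY_FLAGS="--multi-arch=all --dest-precompute-digests --dest-tls-verify=true"

# SKOPEO can be overridden (for example SKOPEO=echo) to dry-run without a registry.
docker_tag() {
  target=$(target_image) || return 1
  set -- $(login_target)
  case "$3" in
    CS_DEPLOY_PASSWORD) secret=$CS_DEPLOY_PASSWORD ;;
    *) secret=$CI_JOB_TOKEN ;;
  esac
  # The secret travels over stdin only, so it never shows up in argv or the job log.
  printf '%s' "$secret" | "${SKOPEO:-skopeo}" login "$1" -u "$2" --password-stdin || return 1
  # COPY_FLAGS is a constant, so word splitting it here is intentional.
  "${SKOPEO:-skopeo}" copy $COPY_FLAGS "docker://$SOURCE_IMAGE" "docker://$target"
}

# Run only when asked, so the functions can be sourced and tested on their own.
if [ "${DOCKER_TAG_RUN:-0}" = 1 ]; then docker_tag; fi
```

Sourcing the file with `SKOPEO=echo` set prints the commands that would run, which is enough to test tag selection and credential choice with default variables.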