
Introduce IMAGE_TAG_SUFFIX and TMP_IMAGE_PATH

Fabien Catteau requested to merge IMAGE_TAG_SUFFIX into master

What does this MR do?

Introduce IMAGE_TAG_SUFFIX, and add it to the tag of the temporary image, and to the tag of the official image.

  • Leverage IMAGE_TAG_SUFFIX to simplify the fips jobs: they simply inherit from other jobs, and set IMAGE_TAG_SUFFIX to -fips. (build tmp image also has a new DOCKERFILE variable to build the -fips image using Dockerfile.fips.)
  • IMAGE_TAG_SUFFIX can also be leveraged in gemnasium-python to build -python-3.9 images. See https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium-python/-/pipelines/515890497.
  • Also, it becomes possible to use IMAGE_TAG_SUFFIX in matrix:parallel, and have a single job definition build FIPS and non-FIPS images. See PoC: !294 (closed)

release major fips and release minor fips have been added because they're needed to release the FIPS image of Gemnasium, and because it becomes safer to introduce these new jobs w/o introducing discrepancies.

Introduce IMAGE_PATH and TMP_IMAGE_PATH to control the path of the images. Today the temporary image is CI_REGISTRY_IMAGE/tmp, and the published image is CI_REGISTRY_IMAGE. With this change, it becomes possible to push the temporary and the published image to other locations. See gitlab-org/gitlab#198361 (closed) for a use case, and https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium/-/pipelines/515894474 for a PoC.

NOTE: The two changes are not directly related, but I believe it makes sense to do both at once because we had to test the pipelines manually, and to ensure consistency.

What are the relevant issue numbers?

Testing

release major fips and release minor fips have NOT been tested because they require a git tag or the master branch, and would result in publishing official images.

Edited by Fabien Catteau
