Introduce IMAGE_TAG_SUFFIX and TMP_IMAGE_PATH
What does this MR do?
Introduce `IMAGE_TAG_SUFFIX`, and add it to the tag of the temporary image, and to the tag of the official image.

- Leverage `IMAGE_TAG_SUFFIX` to simplify the `fips` jobs: they simply inherit from other jobs, and set `IMAGE_TAG_SUFFIX` to `-fips`. (`build tmp image` also has a new `DOCKERFILE` variable to build the `-fips` image using `Dockerfile.fips`.)
- `IMAGE_TAG_SUFFIX` can also be leveraged in `gemnasium-python` to build `-python-3.9` images. See https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium-python/-/pipelines/515890497.
- Also, it becomes possible to use `IMAGE_TAG_SUFFIX` in `matrix:parallel`, and have a single job definition build FIPS and non-FIPS images. See PoC: !294 (closed)

`release major fips` and `release minor fips` have been added because they're needed to release the FIPS image of Gemnasium, and because it becomes safer to introduce these new jobs w/o introducing discrepancies.

Introduce `IMAGE_PATH` and `TMP_IMAGE_PATH` to control the path of the images. Today the temporary image is `CI_REGISTRY_IMAGE/tmp`, and the published image is `CI_REGISTRY_IMAGE`. With this change, it becomes possible to push the temporary and the published image to other locations. See gitlab-org/gitlab#198361 (closed) for a use case, and https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium/-/pipelines/515894474 for a PoC.
NOTE: The two changes are not directly related, but I believe it makes sense to do both at once because we had to test the pipelines manually, and to ensure consistency.
What are the relevant issue numbers?
Testing
- Override `TMP_IMAGE_PATH` and `IMAGE_PATH` in child pipeline
- Build `-fips` images, and leverage `IMAGE_TAG_SUFFIX` to build `-python-3.9` as well

`release major fips` and `release minor fips` have NOT been tested because they require a git tag or the master branch, and would result in publishing official images.