Question
I have configured my Gitlab CI pipelines so that they build an OCI image with Docker-in-Docker and upload it to Gitlab's own registry.
Now, I want to deploy images built in my CI pipelines to OpenShift Origin. All images in the registry are tagged with $CI_COMMIT_SHORT_SHA (i.e.: I do not use "latest").
How can I do that?
This is what I have tried so far:
    before_script:
      - oc login --server="$OPENSHIFT_SERVER" --token="$OPENSHIFT_TOKEN"
      - oc project myproject
    script:
      - oc tag registry.gitlab.com/myproject/backend:$CI_COMMIT_SHORT_SHA backend:$CI_COMMIT_SHORT_SHA
      - oc import-image backend:$CI_COMMIT_SHORT_SHA
      - oc set image dc/backend backend=myproject/backend:$CI_COMMIT_SHORT_SHA
      - oc rollout latest backend
Everything seems to work fine until oc set image. I would expect it to change the deployment configuration to use the specified image tag ($CI_COMMIT_SHORT_SHA), but it seems the configuration is not really modified and so, the rollout still deploys the old (previous) image.
What am I missing? Is there a better way to deploy a specific tag from a private registry?
Update
Here is my deployment configuration:
    kind: DeploymentConfig
    apiVersion: apps.openshift.io/v1
    metadata:
      annotations:
        openshift.io/generated-by: OpenShiftNewApp
      selfLink: /apis/apps.openshift.io/v1/namespaces/myproject/deploymentconfigs/backend
      resourceVersion: '38635053'
      name: backend
      uid: 02809a3d-...
      creationTimestamp: '2019-10-14T23:04:43Z'
      generation: 7
      namespace: myproject
      labels:
        app: backend
    spec:
      strategy:
        type: Rolling
        rollingParams:
          updatePeriodSeconds: 1
          intervalSeconds: 1
          timeoutSeconds: 600
          maxUnavailable: 25%
          maxSurge: 25%
        resources: {}
        activeDeadlineSeconds: 21600
      triggers:
        - type: ConfigChange
        - type: ImageChange
          imageChangeParams:
            automatic: true
            containerNames:
              - backend
            from:
              kind: ImageStreamTag
              namespace: myproject
              name: 'backend:094971ea'
            lastTriggeredImage: >-
              registry.gitlab.com/myproject/backend@sha256:ebce...
      replicas: 1
      revisionHistoryLimit: 10
      test: false
      selector:
        app: backend
        deploymentconfig: backend
      template:
        metadata:
          creationTimestamp: null
          labels:
            app: backend
            deploymentconfig: backend
          annotations:
            openshift.io/generated-by: OpenShiftNewApp
        spec:
          containers:
            - name: backend
              image: >-
                registry.gitlab.com/myproject/backend@sha256:ebce...
              ports:
                - containerPort: 8080
                  protocol: TCP
              resources: {}
              terminationMessagePath: /dev/termination-log
              terminationMessagePolicy: File
              imagePullPolicy: IfNotPresent
          restartPolicy: Always
          terminationGracePeriodSeconds: 30
          dnsPolicy: ClusterFirst
          securityContext: {}
          schedulerName: default-scheduler
    status:
      observedGeneration: 7
      details:
        message: image change
        causes:
          - type: ImageChange
            imageTrigger:
              from:
                kind: DockerImage
                name: >-
                  registry.gitlab.com/myproject/backend@sha256:ebce...
      availableReplicas: 1
      unavailableReplicas: 0
      latestVersion: 4
      updatedReplicas: 1
      conditions:
        - type: Available
          status: 'True'
          lastUpdateTime: '2019-10-14T23:57:51Z'
          lastTransitionTime: '2019-10-14T23:57:51Z'
          message: Deployment config has minimum availability.
        - type: Progressing
          status: 'True'
          lastUpdateTime: '2019-10-16T20:09:20Z'
          lastTransitionTime: '2019-10-16T20:09:17Z'
          reason: NewReplicationControllerAvailable
          message: replication controller "backend-4" successfully rolled out
      replicas: 1
      readyReplicas: 1
Answer 1:
One way to "solve" this is to have the ImageChange trigger listen to something other than a specific commit id. Some logical name that does not exist as a tag in docker. Say "default".
If you do that then in your script the only thing you need to do is

    - oc tag registry.gitlab.com/myproject/backend:$CI_COMMIT_SHORT_SHA backend:default

OpenShift will then take care of updating the image in the DeploymentConfig and rolling out a new deploy for you.
OP asked for a reason why not using latest. Latest is kind of "magical" in that if you push to an image in a registry without a tag it will name that tag latest. This makes it very easy to overwrite it by accident.
So let's say you use "latest" as the tag that you listen to in the ImageStream. What happens if somebody imports the imageStream? It will fetch the latest tag and overwrite what you have manually tagged.
If you want this kind of control in your pipeline use an ImageStreamTag name that does not exist in your docker registry like I said above.
Source: https://stackoverflow.com/questions/58421160/deploying-a-specific-image-tag-in-openshift-origin-from-image-stream
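
The approach from the answer written out as a .gitlab-ci.yml fragment (an added example, not code from the original question or answer). It assumes the job image provides the oc client and that OPENSHIFT_SERVER and OPENSHIFT_TOKEN are masked CI/CD variables; the job names retarget-trigger and deploy are hypothetical.

```yaml
# Added example: deploy a commit-tagged image through a floating ImageStreamTag.
# Names taken from the page: project "myproject", dc/backend, container "backend",
# image stream "backend", registry.gitlab.com/myproject/backend.
stages:
  - deploy

# Shared login steps. Assumption: OPENSHIFT_TOKEN belongs to a service account
# limited to this project and is stored as a masked, protected CI/CD variable.
.oc_login: &oc_login
  - oc login --server="$OPENSHIFT_SERVER" --token="$OPENSHIFT_TOKEN"
  - oc project myproject

# Run once by hand: replace the trigger that follows the commit-specific tag
# (backend:094971ea in the question) with one that follows backend:default.
retarget-trigger:
  stage: deploy
  when: manual
  before_script: *oc_login
  script:
    - oc set triggers dc/backend --remove-all
    - oc set triggers dc/backend --from-config
    - oc set triggers dc/backend --from-image=backend:default -c backend

# Runs on every pipeline: move backend:default to the image built for this commit.
# The ImageChange trigger (automatic: true) then updates the pod template and
# starts the rollout; no "oc set image" or "oc rollout latest" is needed.
deploy:
  stage: deploy
  before_script: *oc_login
  script:
    - oc tag "registry.gitlab.com/myproject/backend:$CI_COMMIT_SHORT_SHA" backend:default
    - oc rollout status dc/backend
    # Record the digest-pinned reference that is now in the pod template,
    # so the job log shows exactly which image content was deployed.
    - |
      oc get dc/backend \
        -o jsonpath='{.spec.template.spec.containers[0].image}{"\n"}'
```

If `oc rollout status` runs before the trigger has started the new rollout, it can report on the previous one, so the printed digest is the value to compare against the image pushed by the build job.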