Feature: fail oc:build if image tag already exist

[lbruun]

Some Docker Registries have a feature which disallows re-deploy of the same tag. This is good for several reasons.
(btw: there are differences in how "clever" such feature is in the registries which supports it, for example compare Azure, AWS, Harbor Registry, etc)

The benefits of having immutable build artifacts are well known. It is also well-known why it doesn't make sense for image consumers to use SHA tags (it is obscure and undecipherable for humans). This is why the various makers of Docker Registries have scrambled to provide immutable tag feature.

But what if the target registry supports no such feature? (looking at you OpenShift)

In such case we have no other option than to have the "deny" feature in the build pipeline, i.e. reject the build if tag already exist in the target registry.

Such feature is hereby proposed on the oc:build goal.

I propose two new configuration properties on this goal:

• failBuildOnImageTagExist: (boolean). fails the build if the requested image tag already exists in the target Docker Registry. Defaults to false.

• failBuildOnImageTagExistPattern (string) : Only performs the check if the tag name matches the regexp pattern given here. Only has relevance when failBuildOnImageTagExist is true. Defaults to ".*". (Justification: with this feature we can limit the feature to only certain tag name patterns. For example we may never want to replace existing tags with the word "FINAL" in the tag name, but replacing for other tag values is perfectly acceptable.

I'm fully aware that this will require an additional round-trip to the target Docker Registry: before initiating the build the plugin first needs to query for existing tags and evaluate those. In other words: the Maven build will take longer to execute with this feature enabled. Which is why it must be an opt-in feature.

I void this feature request if OpenShift will some day follow its competitors and implement tag name protection at the registry itself. :-)