Fix Docker container publishing: fix README link, add docs, re-enable Docker Hub channel tagging

- Fix README: wrong Habitat Builder link pointed to 'chef-server' origin instead
  of the actual 'chef' origin (all plan.sh files use pkg_origin=chef)
- Add 'Published Docker Containers' section to README documenting all 6 containers
  published to Docker Hub (oc_erchef, bookshelf, oc_bifrost, oc_id, chef-server-nginx,
  chef-server-ctl), how Habitat Builder builds them, and how channel tags are applied
- Re-enable Docker Hub container channel tagging in promote_harts_and_containers.sh:
  the docker pull/tag/push block was entirely commented out, meaning channel-tagged
  images like chef/oc_erchef:stable were never being published despite the docker-compose.yml
  relying on them
- Add Docker Hub login (via Vault) before docker push commands
- Fix openresty-noroot skip logic (it has no export_targets=[docker] in .bldr.toml)
- Replace stale TODO/broken-pipeline comments with clear explanatory comments

Co-authored-by: brianLoomis <90281862+brianLoomis@users.noreply.github.com>
Agent-Logs-Url: https://github.com/chef/chef-server/sessions/484aed12-f0be-4fa2-b8b0-d5c0b1f491e7

Author: Copilot

.expeditor/promote_harts_and_containers.sh

@@ -12,6 +12,12 @@ fi
 HAB_AUTH_TOKEN=$(vault kv get -field auth_token account/static/habitat/chef-ci)
 export HAB_AUTH_TOKEN
 
+# Authenticate with Docker Hub so we can re-tag and push container images
+DOCKER_HUB_TOKEN=$(vault kv get -field token account/static/docker-hub/chef-ci)
+export DOCKER_HUB_USERNAME
+DOCKER_HUB_USERNAME=$(vault kv get -field username account/static/docker-hub/chef-ci)
+echo "${DOCKER_HUB_TOKEN}" | docker login -u "${DOCKER_HUB_USERNAME}" --password-stdin
+
 # EXPEDITOR_VERSION and EXPEDITOR_CHANNEL are passed in via Expeditor when an omnibus package of
 # version EXPEDITOR_VERSION is promoted to EXPEDITOR_CHANNEL
 
@@ -21,7 +27,14 @@ aws s3 cp "s3://chef-automate-artifacts/manifests/chef-server/${EXPEDITOR_VERSIO
 # Download or create the versions file
 aws s3 cp "s3://chef-automate-artifacts/${EXPEDITOR_CHANNEL}/latest/chef-server/versions.json" existing-versions.json --profile chef-cd || echo "[]" > existing-versions.json
 
-# Promote the artifacts in Habitat Depot
+# Promote the artifacts in Habitat Depot and re-tag Docker Hub container images
+# with the release channel name (e.g. current, stable) and optionally 'latest'.
+#
+# Each chef/* package with export_targets = ["docker"] in .bldr.toml is automatically
+# exported to Docker Hub by Habitat Builder with a versioned tag
+# (e.g. chef/oc_erchef:14.0.1-20231015). The block below pulls that image and
+# re-tags it with the channel name so consumers can reference
+# chef/oc_erchef:stable or chef/oc_erchef:current rather than a specific build id.
 jq -r -c ".packages[]" manifest.json | while read service_ident; do
   # service_ident will look like: chef/oc_erchef/12.18.2/20180806132701
   pkg_origin=$(echo $service_ident | cut -d / -f 1) # chef
@@ -35,29 +48,28 @@ jq -r -c ".packages[]" manifest.json | while read service_ident; do
   else
     echo "Promoting ${service_ident} hart to the ${EXPEDITOR_CHANNEL} channel"
     hab pkg promote "${service_ident}" "${EXPEDITOR_CHANNEL}"
-    # The pipeline has been improved, breaking this. I'm told to fix
-    # it requires doing something different.
-    #
-    # TODO: remove this if we begin creating a container for `chef/openresty-noroot`
-    # if [ "$pkg_name" = "openresty-noroot" ];
-    # then
-    #   echo "Skipping promotion of container for ${service_ident}"
-    #   continue
-    # fi
-    #
-    # echo "Promoting ${pkg_origin}/${pkg_name}:${pkg_version}-${pkg_release} container to ${EXPEDITOR_CHANNEL} tag"
-    # docker pull "${pkg_origin}/${pkg_name}:${pkg_version}-${pkg_release}"
-    # docker tag "${pkg_origin}/${pkg_name}:${pkg_version}-${pkg_release}" "${pkg_origin}/${pkg_name}:${EXPEDITOR_CHANNEL}"
-    # docker push "${pkg_origin}/${pkg_name}:${EXPEDITOR_CHANNEL}"
-    #
-    # if [ "${EXPEDITOR_CHANNEL}" = "stable" ];
-    # then
-    #   docker tag "${pkg_origin}/${pkg_name}:${pkg_version}-${pkg_release}" "${pkg_origin}/${pkg_name}:latest"
-    #   docker push "${pkg_origin}/${pkg_name}:latest"
-    #   docker rmi "${pkg_origin}/${pkg_name}:latest"
-    # fi
-    #
-    # docker rmi "${pkg_origin}/${pkg_name}:${pkg_version}-${pkg_release}" "${pkg_origin}/${pkg_name}:${EXPEDITOR_CHANNEL}"
+
+    # openresty-noroot does not have export_targets = ["docker"] in .bldr.toml
+    # so no Docker image is published for it; skip container promotion.
+    if [ "$pkg_name" = "openresty-noroot" ];
+    then
+      echo "Skipping container promotion for ${service_ident} (no Docker export configured)"
+      continue
+    fi
+
+    echo "Promoting ${pkg_origin}/${pkg_name}:${pkg_version}-${pkg_release} container to ${EXPEDITOR_CHANNEL} tag"
+    docker pull "${pkg_origin}/${pkg_name}:${pkg_version}-${pkg_release}"
+    docker tag "${pkg_origin}/${pkg_name}:${pkg_version}-${pkg_release}" "${pkg_origin}/${pkg_name}:${EXPEDITOR_CHANNEL}"
+    docker push "${pkg_origin}/${pkg_name}:${EXPEDITOR_CHANNEL}"
+
+    if [ "${EXPEDITOR_CHANNEL}" = "stable" ];
+    then
+      docker tag "${pkg_origin}/${pkg_name}:${pkg_version}-${pkg_release}" "${pkg_origin}/${pkg_name}:latest"
+      docker push "${pkg_origin}/${pkg_name}:latest"
+      docker rmi "${pkg_origin}/${pkg_name}:latest"
+    fi
+
+    docker rmi "${pkg_origin}/${pkg_name}:${pkg_version}-${pkg_release}" "${pkg_origin}/${pkg_name}:${EXPEDITOR_CHANNEL}"
   fi
 done
 

README.md

@@ -61,7 +61,7 @@ Once the build is complete, the package should be in omnibus/pkg. By default the
 
 ## Habitized Chef Infra Server
 
-The following components now exist as Habitat packages and are available [here](https://bldr.habitat.sh/#/origins/chef-server/packages):
+The following components now exist as Habitat packages and are available [here](https://bldr.habitat.sh/#/origins/chef/packages):
 
 * nginx
 * bookshelf
@@ -76,6 +76,25 @@ To build the packages locally:
 ./habitat_pkgs_build.sh
 ```
 
+### Published Docker Containers
+
+The following containers are published to [Docker Hub](https://hub.docker.com/u/chef) under the `chef` organization:
+
+| Container | Docker Hub |
+|-----------|-----------|
+| `chef-server-nginx` | [hub.docker.com/r/chef/chef-server-nginx](https://hub.docker.com/r/chef/chef-server-nginx) |
+| `bookshelf` | [hub.docker.com/r/chef/bookshelf](https://hub.docker.com/r/chef/bookshelf) |
+| `oc_id` | [hub.docker.com/r/chef/oc_id](https://hub.docker.com/r/chef/oc_id) |
+| `oc_erchef` | [hub.docker.com/r/chef/oc_erchef](https://hub.docker.com/r/chef/oc_erchef) |
+| `oc_bifrost` | [hub.docker.com/r/chef/oc_bifrost](https://hub.docker.com/r/chef/oc_bifrost) |
+| `chef-server-ctl` | [hub.docker.com/r/chef/chef-server-ctl](https://hub.docker.com/r/chef/chef-server-ctl) |
+
+Container images are built by [Habitat Builder](https://bldr.habitat.sh) using the `export_targets = ["docker"]` configuration in `.bldr.toml`. Each component plan (`src/<component>/habitat/plan.sh`) uses `pkg_origin=chef`, which determines the Docker Hub organization name.
+
+When an omnibus package is promoted to the `current`, `stable`, or `LTS-2024` channel, the Expeditor CI pipeline runs `.expeditor/promote_harts_and_containers.sh`, which promotes the corresponding Habitat packages and re-tags the Docker images with the channel name (e.g., `chef/oc_erchef:stable`, `chef/oc_erchef:current`) and updates `latest` when promoted to `stable`.
+
+### Running Chef Infra Server with Docker Compose
+
 A top-level `docker-compose.yml` file exists for running Chef Infra Server from Habitized Docker images:
 
 ```shell