cmd/cip: Default to non-production runs with --confirm

[justaugustus]

What type of PR is this?

/kind bug regression
/priority critical-urgent

What this PR does / why we need it:

• test-e2e: Minor cleanup for cmp.Diff() output

• cmd/cip: Use --confirm instead of --dry-run

  Similar to our --nomock flags for other tools, we use a --confirm
  flag for cip, since the default nil value for booleans is false.

  Meaning: If --dry-run is not explicitly set to true, our tooling
  will initiate an image promotion.

• Flip confirm logic in cip/cip-auditor e2e MakeSyncContext() calls

/assign @hasheddan @xmudrii
cc: @kubernetes-sigs/release-engineering

Which issue(s) this PR fixes:

Special notes for your reviewer:

Does this PR introduce a user-facing change?

- cmd/cip: Use `--confirm` instead of `--dry-run`

  Similar to our `--nomock` flags for other tools, we use a `--confirm`
  flag for `cip`, since the default nil value for booleans is `false`.
  
  Meaning: If `--dry-run` is not explicitly set to `true`, our tooling
  will initiate an image promotion.

[justaugustus]

(Needed to flip the flag in the e2e test as well. Fixed in 6a5b04a.)

[justaugustus]

checking snapshots BEFORE promotion:
execing cmd bazel [run --workspace_status_command=/home/prow/go/src/sigs.k8s.io/k8s-container-image-promoter/workspace_status.sh //cmd/cip:cip -- run --snapshot=us.gcr.io/k8s-cip-test-prod/golden-bar]
time="2020-12-01T00:58:09Z" level=fatal msg="<<<<<<< got (type []inventory.Image)\n[{bar map[sha256:610b1ef6fec876146dee2b2846c890b566d26f235d7ea8982056a3e84bd35929:[1.0]]}]\n=======\n[]\n>>>>>>> expected (type []inventory.Image)" 

???

grumbles
/test pull-cip-e2e

[justaugustus]

Local run:

$ time bazel run --workspace_status_command=$(pwd)/workspace_status.sh //cmd/cip:cip -- run --snapshot=us.gcr.io/k8s-cip-test-prod/golden-bar
INFO: Analyzed target //cmd/cip:cip (0 packages loaded, 0 targets configured).
INFO: Found 1 target...
Target //cmd/cip:cip up-to-date:
  bazel-bin/cmd/cip/cip_/cip
INFO: Elapsed time: 2.650s, Critical Path: 2.49s
INFO: 13 processes: 13 linux-sandbox.
INFO: Build completed successfully, 14 total actions
INFO: Build completed successfully, 14 total actions
INFO Request {us.gcr.io/k8s-cip-test-prod/golden-bar   true}: OK 
INFO Request {us.gcr.io/k8s-cip-test-prod/golden-bar/bar   false}: OK 
- name: bar
  dmap:
    "sha256:610b1ef6fec876146dee2b2846c890b566d26f235d7ea8982056a3e84bd35929": ["1.0"]

real	0m4.111s
user	0m0.125s
sys	0m0.064s

[justaugustus]

Oh hello, auditor flake?
/test pull-cip-auditor-e2e

[hasheddan]

/lgtm

[saschagrunert]

/retest

[saschagrunert]

The CI issue seems reproducible to me. 🤔

[listx]

I feel like maybe it used default to true and then somewhere in the churn of #273 that got lost?

Yeah that seems likely. FTR every deployed instance of CIP in recent memory (including the current version v2.4.1 that's seeing presubmit/postsubmit usage) has always had --dry-run=true as the default.

[justaugustus]

Yeah that seems likely. FTR every deployed instance of CIP in recent memory (including the current version v2.4.1 that's seeing presubmit/postsubmit usage) has always had --dry-run=true as the default.

Right, we haven't changed the actual cip run invocations for CI jobs, but the default behavior/underlying implementation is what needs to be fixed.

[justaugustus]

Just to capture some things from Slack:

This line creates a new set of options:
https://github.com/kubernetes-sigs/k8s-container-image-promoter/blob/97e351eb08d2af791f1a62ead66e5291398c4f0b/cmd/cip/cmd/root.go#L38

The options themselves: https://github.com/kubernetes-sigs/k8s-container-image-promoter/blob/97e351eb08d2af791f1a62ead66e5291398c4f0b/legacy/cli/root.go#L25-L28

If --dry-run is never set, it will be its nil value, which is false AKA unconditional promotion, which is what we don't want.
We'll proceed w/ --confirm as the flag name (to improve readability and make it a little more consistent with other tools across the community).

[justaugustus]

(rebasing for handoff)
I've asked @puerco to take over this branch/work in https://kubernetes.slack.com/archives/CJH2GBF7Y/p1631539082071700.
/assign @puerco

[justaugustus]

@puerco -- Nice work! 🎉
/hold cancel

[puerco]

Reviewing @justaugustus commits :)
/lgtm

[justaugustus]

Symbolic LGTM for @puerco's fixes (even though the bot will yell at me):
/lgtm
/approve
/honk

[k8s-ci-robot]

@justaugustus: you cannot LGTM your own PR.

In response to this:

Symbolic LGTM for @puerco's fixes (even though the bot will yell at me):
/lgtm
/approve
/honk

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[k8s-ci-robot]

@justaugustus:

In response to this:

Symbolic LGTM for @puerco's fixes (even though the bot will yell at me):
/lgtm
/approve
/honk

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: hasheddan, justaugustus, saschagrunert

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [justaugustus,saschagrunert]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment