ci: use buildset registry

With this change, we start up a temporary registry which we build all images inside of and publish things into. Once we have the images built, we hand over this registry to the other jobs so that they can use the built jobs. Signed-off-by: Mohammed Naser <[email protected]>
vexxhost · Apr 3, 2024 · 28d0cab · 28d0cab
1 parent cb5d9c3
commit 28d0cab
Show file tree

Hide file tree

Showing 4 changed files with 64 additions and 12 deletions.
diff --git a/zuul.d/jobs.yaml b/zuul.d/jobs.yaml
@@ -13,15 +13,15 @@
 # under the License.
 
 - job:
-    name: atmosphere-build-images
-    pre-run: zuul.d/playbooks/build-images/pre.yml
-    run: zuul.d/playbooks/build-images/run.yml
+    name: atmosphere-buildset-registry
+    pre-run: zuul.d/playbooks/buildset-registry/pre.yml
+    run: zuul.d/playbooks/buildset-registry/run.yml
     ansible-split-streams: true
 
 - job:
     name: atmosphere-upload-images
-    parent: atmosphere-build-images
-    run: zuul.d/playbooks/build-images/run.yml
+    parent: atmosphere-buildset-registry
+    run: zuul.d/playbooks/buildset-registry/run.yml
     secrets:
       - registry_credentials
       - cosign_key
@@ -33,6 +33,8 @@
     pre-run: zuul.d/playbooks/molecule/pre.yml
     run: zuul.d/playbooks/molecule/run.yml
     post-run: zuul.d/playbooks/molecule/post.yml
+    dependencies:
+      - atmosphere-buildset-registry
 
 - job:
     name: atmosphere-molecule-keycloak

diff --git a/zuul.d/playbooks/build-images/pre.yml → zuul.d/playbooks/buildset-registry/pre.yml b/zuul.d/playbooks/build-images/pre.yml → zuul.d/playbooks/buildset-registry/pre.yml
@@ -16,3 +16,5 @@
   hosts: all
   roles:
     - ensure-docker
+    - run-buildset-registry
+    - use-buildset-registry
diff --git a/zuul.d/playbooks/build-images/run.yml → zuul.d/playbooks/buildset-registry/run.yml b/zuul.d/playbooks/build-images/run.yml → zuul.d/playbooks/buildset-registry/run.yml
@@ -15,22 +15,70 @@
 - name: Build images
   hosts: all
   tasks:
+    # NOTE(mnaser): This can be removed once the following merges
+    #               https://review.opendev.org/c/zuul/zuul-jobs/+/915025
+    - name: Load "buildset_registry" fact
+      block:
+        - name: Check for results.json
+          stat:
+            path: "{{ zuul.executor.result_data_file }}"
+          register: result_json_stat
+          delegate_to: localhost
+        - name: Load information from zuul_return
+          no_log: true
+          set_fact:
+            buildset_registry: "{{ (lookup('file', zuul.executor.result_data_file) | from_json)['secret_data']['buildset_registry'] }}"
+          when:
+            - buildset_registry is not defined
+            - result_json_stat.stat.exists
+            - result_json_stat.stat.size > 0
+            - "'buildset_registry' in (lookup('file', zuul.executor.result_data_file) | from_json).get('secret_data')"
+
+    - name: Configure Buildkit certificates
+      when: buildset_registry is defined and buildset_registry.cert
+      become: true
+      block:
+        - name: Create a folder for the certificates
+          ansible.builtin.file:
+            path: "/etc/docker/certs.d/{{ buildset_registry.host }}:{{ buildset_registry.port }}"
+            state: directory
+        - name: Copy the certificate
+          ansible.builtin.copy:
+            content: "{{ buildset_registry.cert }}"
+            dest: "/etc/docker/certs.d/{{ buildset_registry.host }}:{{ buildset_registry.port }}/ca.crt"
+        - name: Create a buildkitd.toml file
+          ansible.builtin.copy:
+            dest: /etc/buildkitd.toml
+            content: |
+              [registry."{{ buildset_registry.host }}:{{ buildset_registry.port }}"]
+                ca=["/etc/docker/certs.d/{{ buildset_registry.host }}:{{ buildset_registry.port }}/ca.crt"]
+
     - name: Create builder
-      ansible.builtin.shell: docker buildx create --name=atmosphere --driver=docker-container
+      ansible.builtin.shell: docker buildx create --name=atmosphere --driver=docker-container {% if buildset_registry.cert %}--config /etc/buildkitd.toml{% endif %}
 
-    - name: Log into registry
+    - name: Point registry to Atmosphere if in post pipeline
       when: zuul.pipeline == 'post'
+      no_log: true
+      ansible.builtin.set_fact:
+        buildset_registry:
+          host: registry.atmosphere.dev
+          port: 5000
+          username: "{{ registry_credentials.username }}"
+          password: "{{ registry_credentials.password }}"
+
+    - name: Log into registry
       docker_login:
-        registry: registry.atmosphere.dev
-        username: "{{ registry_credentials.username }}"
-        password: "{{ registry_credentials.password }}"
+        registry: "{{ buildset_registry.host }}:{{ buildset_registry.port }}"
+        username: "{{ buildset_registry.username }}"
+        password: "{{ buildset_registry.password }}"
 
     - name: Build images
       ansible.builtin.shell: |
-        docker buildx bake --builder=atmosphere --provenance --sbom=true {% if zuul.pipeline == 'post' %}--push{% endif %}
+        docker buildx bake --builder=atmosphere --provenance --sbom=true --push
       args:
         chdir: "{{ zuul.project.src_dir }}"
       environment:
+        REGISTRY: "{{ buildset_registry.host }}:{{ buildset_registry.port }}/library"
         PUSH_TO_CACHE: "{{ zuul.pipeline == 'post' }}"
 
     - name: Get list of images built

diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml
@@ -15,7 +15,7 @@
 - project:
     check:
       jobs:
-        - atmosphere-build-images
+        - atmosphere-buildset-registry
         - atmosphere-molecule-aio-openvswitch
         - atmosphere-molecule-aio-ovn
         - atmosphere-molecule-csi-local-path-provisioner