From 28d0cab76fe0fcfff0a3441030950caaffe07ed4 Mon Sep 17 00:00:00 2001
From: Mohammed Naser
Date: Wed, 3 Apr 2024 16:40:47 -0400
Subject: [PATCH] ci: use buildset registry

With this change, we start up a temporary registry which we build all images inside of and publish things into. Once we have the images built, we hand over this registry to the other jobs so that they can use the built jobs.

Signed-off-by: Mohammed Naser
---
 zuul.d/jobs.yaml | 12 ++--
 .../pre.yml | 2 +
 .../run.yml | 60 +++++++++++++++++--
 zuul.d/project.yaml | 2 +-
 4 files changed, 64 insertions(+), 12 deletions(-)
 rename zuul.d/playbooks/{build-images => buildset-registry}/pre.yml (92%)
 rename zuul.d/playbooks/{build-images => buildset-registry}/run.yml (50%)

diff --git a/zuul.d/jobs.yaml b/zuul.d/jobs.yaml
index e1762f462..03917a89b 100644
--- a/zuul.d/jobs.yaml
+++ b/zuul.d/jobs.yaml
@@ -13,15 +13,15 @@
 # under the License.

 - job:
- name: atmosphere-build-images
- pre-run: zuul.d/playbooks/build-images/pre.yml
- run: zuul.d/playbooks/build-images/run.yml
+ name: atmosphere-buildset-registry
+ pre-run: zuul.d/playbooks/buildset-registry/pre.yml
+ run: zuul.d/playbooks/buildset-registry/run.yml
 ansible-split-streams: true

 - job:
 name: atmosphere-upload-images
- parent: atmosphere-build-images
- run: zuul.d/playbooks/build-images/run.yml
+ parent: atmosphere-buildset-registry
+ run: zuul.d/playbooks/buildset-registry/run.yml
 secrets:
 - registry_credentials
 - cosign_key
@@ -33,6 +33,8 @@
 pre-run: zuul.d/playbooks/molecule/pre.yml
 run: zuul.d/playbooks/molecule/run.yml
 post-run: zuul.d/playbooks/molecule/post.yml
+ dependencies:
+ - atmosphere-buildset-registry

 - job:
 name: atmosphere-molecule-keycloak
diff --git a/zuul.d/playbooks/build-images/pre.yml b/zuul.d/playbooks/buildset-registry/pre.yml
similarity index 92%
rename from zuul.d/playbooks/build-images/pre.yml
rename to zuul.d/playbooks/buildset-registry/pre.yml
index 6b51ca1f8..81304bb42 100644
--- a/zuul.d/playbooks/build-images/pre.yml
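Review bot: Nothing visible in this patch makes the molecule jobs consume the buildset registry. The second hunk of `zuul.d/jobs.yaml` adds `dependencies: - atmosphere-buildset-registry`, but the diffstat lists four files and `zuul.d/playbooks/molecule/pre.yml` is not among them, so the tests may still pull published images rather than the ones just built. If that wiring already exists elsewhere, a comment above the new key would record it, for example `# images under test are served by the buildset registry started by this job`. The job definition starts above the hunk, so its name and any existing vars are not visible here.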
+++ b/zuul.d/playbooks/buildset-registry/pre.yml
@@ -16,3 +16,5 @@
 hosts: all
 roles:
 - ensure-docker
+ - run-buildset-registry
+ - use-buildset-registry
diff --git a/zuul.d/playbooks/build-images/run.yml b/zuul.d/playbooks/buildset-registry/run.yml
similarity index 50%
rename from zuul.d/playbooks/build-images/run.yml
rename to zuul.d/playbooks/buildset-registry/run.yml
index 851154b76..84524fd55 100644
--- a/zuul.d/playbooks/build-images/run.yml
+++ b/zuul.d/playbooks/buildset-registry/run.yml
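Review bot: The two roles added to `buildset-registry/pre.yml` are also inherited by `atmosphere-upload-images`, which per `zuul.d/jobs.yaml` now has `atmosphere-buildset-registry` as its parent and holds `registry_credentials` and `cosign_key`. The post-pipeline job would therefore presumably start a temporary registry on the same node that later handles the release credentials, even though `run.yml` redirects the push to `registry.atmosphere.dev`. Consider keeping the setup of the credential-holding job minimal, or at least documenting the inheritance above the roles, for example `# also runs for atmosphere-upload-images (post); run.yml overrides the push target there`. The play header is above the hunk, so other pre-run settings are not visible.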
@@ -15,22 +15,70 @@
 - name: Build images
 hosts: all
 tasks:
+ # NOTE(mnaser): This can be removed once the following merges
+ # https://review.opendev.org/c/zuul/zuul-jobs/+/915025
+ - name: Load "buildset_registry" fact
+ block:
+ - name: Check for results.json
+ stat:
+ path: "{{ zuul.executor.result_data_file }}"
+ register: result_json_stat
+ delegate_to: localhost
+ - name: Load information from zuul_return
+ no_log: true
+ set_fact:
+ buildset_registry: "{{ (lookup('file', zuul.executor.result_data_file) | from_json)['secret_data']['buildset_registry'] }}"
+ when:
+ - buildset_registry is not defined
+ - result_json_stat.stat.exists
+ - result_json_stat.stat.size > 0
+ - "'buildset_registry' in (lookup('file', zuul.executor.result_data_file) | from_json).get('secret_data')"
+
+ - name: Configure Buildkit certificates
+ when: buildset_registry is defined and buildset_registry.cert
+ become: true
+ block:
+ - name: Create a folder for the certificates
+ ansible.builtin.file:
+ path: "/etc/docker/certs.d/{{ buildset_registry.host }}:{{ buildset_registry.port }}"
+ state: directory
+ - name: Copy the certificate
+ ansible.builtin.copy:
+ content: "{{ buildset_registry.cert }}"
+ dest: "/etc/docker/certs.d/{{ buildset_registry.host }}:{{ buildset_registry.port }}/ca.crt"
+ - name: Create a buildkitd.toml file
+ ansible.builtin.copy:
+ dest: /etc/buildkitd.toml
+ content: |
+ [registry."{{ buildset_registry.host }}:{{ buildset_registry.port }}"]
+ ca=["/etc/docker/certs.d/{{ buildset_registry.host }}:{{ buildset_registry.port }}/ca.crt"]
+
 - name: Create builder
- ansible.builtin.shell: docker buildx create --name=atmosphere --driver=docker-container
+ ansible.builtin.shell: docker buildx create --name=atmosphere --driver=docker-container {% if buildset_registry.cert %}--config /etc/buildkitd.toml{% endif %}

- - name: Log into registry
+ - name: Point registry to Atmosphere if in post pipeline
 when: zuul.pipeline == 'post'
+ no_log: true
+ ansible.builtin.set_fact:
+ buildset_registry:
+ host: registry.atmosphere.dev
+ port: 5000
+ username: "{{ registry_credentials.username }}"
+ password: "{{ registry_credentials.password }}"
+
+ - name: Log into registry
 docker_login:
- registry: registry.atmosphere.dev
- username: "{{ registry_credentials.username }}"
- password: "{{ registry_credentials.password }}"
+ registry: "{{ buildset_registry.host }}:{{ buildset_registry.port }}"
+ username: "{{ buildset_registry.username }}"
+ password: "{{ buildset_registry.password }}"

 - name: Build images
 ansible.builtin.shell: |
- docker buildx bake --builder=atmosphere --provenance --sbom=true {% if zuul.pipeline == 'post' %}--push{% endif %}
+ docker buildx bake --builder=atmosphere --provenance --sbom=true --push
 args:
 chdir: "{{ zuul.project.src_dir }}"
 environment:
+ REGISTRY: "{{ buildset_registry.host }}:{{ buildset_registry.port }}/library"
 PUSH_TO_CACHE: "{{ zuul.pipeline == 'post' }}"

 - name: Get list of images built
diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml
index 6f3f0a9dd..55e21fa8d 100644
--- a/zuul.d/project.yaml
+++ b/zuul.d/project.yaml
@@ -15,7 +15,7 @@
 - project:
 check:
 jobs:
- - atmosphere-build-images
+ - atmosphere-buildset-registry
 - atmosphere-molecule-aio-openvswitch
 - atmosphere-molecule-aio-ovn
 - atmosphere-molecule-csi-local-path-provisioner
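Review bot: In `buildset-registry/run.yml`, `buildset_registry` is treated as optional by the load and certificate blocks but dereferenced unguarded afterwards: `{% if buildset_registry.cert %}` in `Create builder` would fail on an undefined variable, and the now-unconditional `Log into registry` task and the `REGISTRY` value do the same. The guard should match the certificate block, `{% if buildset_registry is defined and buildset_registry.cert %}`, or an early assert should make the fact mandatory. In the load task, `.get('secret_data')` returns None when the key is absent and the `in` test then errors; `.get('secret_data', {})` avoids that. The post-pipeline override also moves the login target from `registry.atmosphere.dev` to `registry.atmosphere.dev:5000`, which is worth confirming because release images are pushed there. The task list continues below the hunk.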