-
Notifications
You must be signed in to change notification settings - Fork 29
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
With this change, we start up a temporary registry which we build all images inside of and publish things into. Once we have the images built, we hand over this registry to the other jobs so that they can use the built jobs. Signed-off-by: Mohammed Naser <[email protected]>
- Loading branch information
Showing
5 changed files
with
151 additions
and
88 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -16,3 +16,5 @@ | |
hosts: all | ||
roles: | ||
- ensure-docker | ||
- run-buildset-registry | ||
- use-buildset-registry |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,141 @@ | ||
# Copyright (c) 2024 VEXXHOST, Inc. | ||
# | ||
# Licensed under the Apache License, Version 2.0 (the "License"); you may | ||
# not use this file except in compliance with the License. You may obtain | ||
# a copy of the License at | ||
# | ||
# http://www.apache.org/licenses/LICENSE-2.0 | ||
# | ||
# Unless required by applicable law or agreed to in writing, software | ||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT | ||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the | ||
# License for the specific language governing permissions and limitations | ||
# under the License. | ||
|
||
- name: Build images | ||
hosts: all | ||
tasks: | ||
# NOTE(mnaser): This can be removed once the following merges | ||
# https://review.opendev.org/c/zuul/zuul-jobs/+/915025 | ||
- name: Load "buildset_registry" fact | ||
block: | ||
- name: Check for results.json | ||
stat: | ||
path: "{{ zuul.executor.result_data_file }}" | ||
register: result_json_stat | ||
delegate_to: localhost | ||
- name: Load information from zuul_return | ||
no_log: true | ||
set_fact: | ||
buildset_registry: "{{ (lookup('file', zuul.executor.result_data_file) | from_json)['secret_data']['buildset_registry'] }}" | ||
when: | ||
- buildset_registry is not defined | ||
- result_json_stat.stat.exists | ||
- result_json_stat.stat.size > 0 | ||
- "'buildset_registry' in (lookup('file', zuul.executor.result_data_file) | from_json).get('secret_data')" | ||
|
||
- name: Configure Buildkit certificates | ||
when: buildset_registry is defined and buildset_registry.cert | ||
become: true | ||
block: | ||
- name: Create a folder for the certificates | ||
ansible.builtin.file: | ||
path: "/etc/docker/certs.d/{{ buildset_registry.host }}:{{ buildset_registry.port }}" | ||
state: directory | ||
- name: Copy the certificate | ||
ansible.builtin.copy: | ||
content: "{{ buildset_registry.cert }}" | ||
dest: "/etc/docker/certs.d/{{ buildset_registry.host }}:{{ buildset_registry.port }}/ca.crt" | ||
- name: Create a buildkitd.toml file | ||
ansible.builtin.copy: | ||
dest: /etc/buildkitd.toml | ||
content: | | ||
[registry."{{ buildset_registry.host }}:{{ buildset_registry.port }}"] | ||
ca=["/etc/docker/certs.d/{{ buildset_registry.host }}:{{ buildset_registry.port }}/ca.crt"] | ||
- name: Create builder | ||
ansible.builtin.shell: docker buildx create --name=atmosphere --driver=docker-container {% if buildset_registry.cert %}--config /etc/buildkitd.toml{% endif %} | ||
|
||
- name: Point registry to Atmosphere if in post pipeline | ||
when: zuul.pipeline == 'post' | ||
no_log: true | ||
ansible.builtin.set_fact: | ||
buildset_registry: | ||
host: registry.atmosphere.dev | ||
port: 5000 | ||
username: "{{ registry_credentials.username }}" | ||
password: "{{ registry_credentials.password }}" | ||
|
||
- name: Log into registry | ||
docker_login: | ||
registry: "{{ buildset_registry.host }}:{{ buildset_registry.port }}" | ||
username: "{{ buildset_registry.username }}" | ||
password: "{{ buildset_registry.password }}" | ||
|
||
- name: Build images | ||
ansible.builtin.shell: | | ||
docker buildx bake --builder=atmosphere --provenance --sbom=true --push | ||
args: | ||
chdir: "{{ zuul.project.src_dir }}" | ||
environment: | ||
REGISTRY: "{{ buildset_registry.host }}:{{ buildset_registry.port }}/library" | ||
PUSH_TO_CACHE: "{{ zuul.pipeline == 'post' }}" | ||
|
||
- name: Get list of images built | ||
ansible.builtin.shell: docker buildx bake --print | ||
args: | ||
chdir: "{{ zuul.project.src_dir }}" | ||
environment: | ||
REGISTRY: "{{ buildset_registry.host }}:{{ buildset_registry.port }}/library" | ||
register: images_built_json | ||
|
||
- name: Set fact with list of images | ||
set_fact: | ||
images_built: "{{ images_built_json.stdout | from_json | json_query('target.*.tags[?@] | []') }}" | ||
|
||
- name: Sign images | ||
when: zuul.pipeline == 'post' | ||
block: | ||
- name: Download cosign binary | ||
become: true | ||
ansible.builtin.get_url: | ||
url: https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64 | ||
dest: /usr/local/bin/cosign | ||
mode: 0755 | ||
|
||
- name: Copy the cosign private key | ||
copy: | ||
content: "{{ cosign_key.private }}" | ||
dest: cosign.key | ||
|
||
- name: Sign images | ||
ansible.builtin.shell: | | ||
cosign sign -y --recursive --key cosign.key {{ item }} | ||
loop: "{{ images_built }}" | ||
|
||
- name: Delete the cosign private key | ||
file: | ||
path: cosign.key | ||
state: absent | ||
|
||
- name: Return Zuul artifacts for images | ||
zuul_return: | ||
data: | ||
zuul: | ||
artifacts: | ||
- name: "{{ item }}" | ||
url: "docker://{{ item }}" | ||
metadata: | ||
type: container_image | ||
repository: "{{ item.split(':')[0] }}" | ||
tag: "{{ item.split(':')[1] }}" | ||
loop: "{{ images_built }}" | ||
|
||
- name: Yield to other jobs | ||
hosts: localhost | ||
tasks: | ||
- name: Pause the job | ||
zuul_return: | ||
data: | ||
zuul: | ||
pause: true |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters