
ci: use buildset registry
With this change, we start up a temporary registry which we build
all images inside of and publish things into.  Once we have the
images built, we hand over this registry to the other jobs so that
they can use the built images.

Signed-off-by: Mohammed Naser <[email protected]>
mnaser committed Apr 3, 2024
1 parent cb5d9c3 commit f017c79
Showing 5 changed files with 151 additions and 88 deletions.
12 changes: 7 additions & 5 deletions zuul.d/jobs.yaml
Expand Up @@ -13,15 +13,15 @@
# under the License.

- job:
name: atmosphere-build-images
pre-run: zuul.d/playbooks/build-images/pre.yml
run: zuul.d/playbooks/build-images/run.yml
name: atmosphere-buildset-registry
pre-run: zuul.d/playbooks/buildset-registry/pre.yml
run: zuul.d/playbooks/buildset-registry/run.yml
ansible-split-streams: true

- job:
name: atmosphere-upload-images
parent: atmosphere-build-images
run: zuul.d/playbooks/build-images/run.yml
parent: atmosphere-buildset-registry
run: zuul.d/playbooks/buildset-registry/run.yml
secrets:
- registry_credentials
- cosign_key
Expand All @@ -33,6 +33,8 @@
pre-run: zuul.d/playbooks/molecule/pre.yml
run: zuul.d/playbooks/molecule/run.yml
post-run: zuul.d/playbooks/molecule/post.yml
dependencies:
- atmosphere-buildset-registry

- job:
name: atmosphere-molecule-keycloak
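Review bot: The new `dependencies:` entry on the molecule job only sequences it after `atmosphere-buildset-registry`; a Zuul job dependency provides ordering and access to returned data, not registry wiring. For the freshly built images to resolve on the molecule nodes, their pre playbook still has to consume the paused buildset registry (the `use-buildset-registry` role or equivalent), and that is not visible in this diff, so it is worth confirming rather than assuming. The job carrying the `dependencies:` key begins above this hunk, so its `name:` line is outside the visible lines. As a minor style point, `atmosphere-upload-images` re-declares `run:` with the same playbook it already inherits from its new parent.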
82 changes: 0 additions & 82 deletions zuul.d/playbooks/build-images/run.yml

This file was deleted.

Expand Up @@ -16,3 +16,5 @@
hosts: all
roles:
- ensure-docker
- run-buildset-registry
- use-buildset-registry
141 changes: 141 additions & 0 deletions zuul.d/playbooks/buildset-registry/run.yml
@@ -0,0 +1,141 @@
# Copyright (c) 2024 VEXXHOST, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.

- name: Build images
hosts: all
tasks:
# NOTE(mnaser): This can be removed once the following merges
# https://review.opendev.org/c/zuul/zuul-jobs/+/915025
- name: Load "buildset_registry" fact
block:
- name: Check for results.json
stat:
path: "{{ zuul.executor.result_data_file }}"
register: result_json_stat
delegate_to: localhost
- name: Load information from zuul_return
no_log: true
set_fact:
buildset_registry: "{{ (lookup('file', zuul.executor.result_data_file) | from_json)['secret_data']['buildset_registry'] }}"
when:
- buildset_registry is not defined
- result_json_stat.stat.exists
- result_json_stat.stat.size > 0
- "'buildset_registry' in (lookup('file', zuul.executor.result_data_file) | from_json).get('secret_data')"

- name: Configure Buildkit certificates
when: buildset_registry is defined and buildset_registry.cert
become: true
block:
- name: Create a folder for the certificates
ansible.builtin.file:
path: "/etc/docker/certs.d/{{ buildset_registry.host }}:{{ buildset_registry.port }}"
state: directory
- name: Copy the certificate
ansible.builtin.copy:
content: "{{ buildset_registry.cert }}"
dest: "/etc/docker/certs.d/{{ buildset_registry.host }}:{{ buildset_registry.port }}/ca.crt"
- name: Create a buildkitd.toml file
ansible.builtin.copy:
dest: /etc/buildkitd.toml
content: |
[registry."{{ buildset_registry.host }}:{{ buildset_registry.port }}"]
ca=["/etc/docker/certs.d/{{ buildset_registry.host }}:{{ buildset_registry.port }}/ca.crt"]
- name: Create builder
ansible.builtin.shell: docker buildx create --name=atmosphere --driver=docker-container {% if buildset_registry.cert %}--config /etc/buildkitd.toml{% endif %}

- name: Point registry to Atmosphere if in post pipeline
when: zuul.pipeline == 'post'
no_log: true
ansible.builtin.set_fact:
buildset_registry:
host: registry.atmosphere.dev
port: 5000
username: "{{ registry_credentials.username }}"
password: "{{ registry_credentials.password }}"

- name: Log into registry
docker_login:
registry: "{{ buildset_registry.host }}:{{ buildset_registry.port }}"
username: "{{ buildset_registry.username }}"
password: "{{ buildset_registry.password }}"

- name: Build images
ansible.builtin.shell: |
docker buildx bake --builder=atmosphere --provenance --sbom=true --push
args:
chdir: "{{ zuul.project.src_dir }}"
environment:
REGISTRY: "{{ buildset_registry.host }}:{{ buildset_registry.port }}/library"
PUSH_TO_CACHE: "{{ zuul.pipeline == 'post' }}"

- name: Get list of images built
ansible.builtin.shell: docker buildx bake --print
args:
chdir: "{{ zuul.project.src_dir }}"
environment:
REGISTRY: "{{ buildset_registry.host }}:{{ buildset_registry.port }}/library"
register: images_built_json

- name: Set fact with list of images
set_fact:
images_built: "{{ images_built_json.stdout | from_json | json_query('target.*.tags[?@] | []') }}"

- name: Sign images
when: zuul.pipeline == 'post'
block:
- name: Download cosign binary
become: true
ansible.builtin.get_url:
url: https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64
dest: /usr/local/bin/cosign
mode: 0755

- name: Copy the cosign private key
copy:
content: "{{ cosign_key.private }}"
dest: cosign.key

- name: Sign images
ansible.builtin.shell: |
cosign sign -y --recursive --key cosign.key {{ item }}
loop: "{{ images_built }}"

- name: Delete the cosign private key
file:
path: cosign.key
state: absent

- name: Return Zuul artifacts for images
zuul_return:
data:
zuul:
artifacts:
- name: "{{ item }}"
url: "docker://{{ item }}"
metadata:
type: container_image
repository: "{{ item.split(':')[0] }}"
tag: "{{ item.split(':')[1] }}"
loop: "{{ images_built }}"

- name: Yield to other jobs
hosts: localhost
tasks:
- name: Pause the job
zuul_return:
data:
zuul:
pause: true
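Review bot: The artifact metadata in `Return Zuul artifacts for images` splits the image reference on the first `:`, but `REGISTRY` is built as `host:port/library`, so `repository` ends up as just the host and `tag` as `port/library/name`; use `repository: "{{ item.rsplit(':', 1)[0] }}"` and `tag: "{{ item.rsplit(':', 1)[1] }}"`. The cosign binary that signs the images is fetched from the unpinned `releases/latest` URL with no `checksum:`, so the signing step trusts whatever that redirect serves on the day; pin a release, verify its digest, and quote the octal `mode: "0755"`. The private key is written with `copy` without `no_log: true` or a restrictive `mode`, and `Delete the cosign private key` sits inside `block:` so it is skipped when `cosign sign` fails, leaving the key on the node; moving the delete into `always:` closes that gap. Separately, `Create builder` lives inside the block gated on `buildset_registry.cert`, which makes the inline `{% if buildset_registry.cert %}` unreachable on its false branch and leaves `bake --builder=atmosphere` with no builder whenever the fact carries no cert.
```yaml
    - name: Sign images
      when: zuul.pipeline == 'post'
      block:
        - name: Download cosign binary
          become: true
          ansible.builtin.get_url:
            # pin a release and verify it instead of following releases/latest
            url: "https://github.com/sigstore/cosign/releases/download/<PINNED_VERSION>/cosign-linux-amd64"
            checksum: "sha256:<EXPECTED_SHA256_PLACEHOLDER>"
            dest: /usr/local/bin/cosign
            mode: "0755"

        - name: Copy the cosign private key
          no_log: true
          copy:
            content: "{{ cosign_key.private }}"
            dest: cosign.key
            mode: "0600"

        # … unchanged: Sign images loop …
      always:
        - name: Delete the cosign private key
          file:
            path: cosign.key
            state: absent
```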
2 changes: 1 addition & 1 deletion zuul.d/project.yaml
Expand Up @@ -15,7 +15,7 @@
- project:
check:
jobs:
- atmosphere-build-images
- atmosphere-buildset-registry
- atmosphere-molecule-aio-openvswitch
- atmosphere-molecule-aio-ovn
- atmosphere-molecule-csi-local-path-provisioner
