Build "master" images in "main" (#1090)
Signed-off-by: Mohammed Naser <mnaser@vexxhost.com>
diff --git a/zuul.d/playbooks/buildset-registry/pre.yml b/zuul.d/playbooks/buildset-registry/pre.yml
deleted file mode 100644
index 81304bb..0000000
--- a/zuul.d/playbooks/buildset-registry/pre.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-# Copyright (c) 2024 VEXXHOST, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-- name: Prepare host for building images
- hosts: all
- roles:
- - ensure-docker
- - run-buildset-registry
- - use-buildset-registry
diff --git a/zuul.d/playbooks/buildset-registry/run.yml b/zuul.d/playbooks/buildset-registry/run.yml
deleted file mode 100644
index 7f8118c..0000000
--- a/zuul.d/playbooks/buildset-registry/run.yml
+++ /dev/null
@@ -1,159 +0,0 @@
-# Copyright (c) 2024 VEXXHOST, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-- name: Build images
- hosts: all
- tasks:
- # NOTE(mnaser): This can be removed once the following merges
- # https://review.opendev.org/c/zuul/zuul-jobs/+/915025
- - name: Load "buildset_registry" fact
- block:
- - name: Check for results.json
- stat:
- path: "{{ zuul.executor.result_data_file }}"
- register: result_json_stat
- delegate_to: localhost
- - name: Load information from zuul_return
- no_log: true
- set_fact:
- buildset_registry: "{{ (lookup('file', zuul.executor.result_data_file) | from_json)['secret_data']['buildset_registry'] }}"
- when:
- - buildset_registry is not defined
- - result_json_stat.stat.exists
- - result_json_stat.stat.size > 0
- - "'buildset_registry' in (lookup('file', zuul.executor.result_data_file) | from_json).get('secret_data')"
-
- - name: Configure Buildkit certificates
- when: buildset_registry is defined and buildset_registry.cert
- become: true
- block:
- - name: Create a folder for the certificates
- ansible.builtin.file:
- path: "/etc/docker/certs.d/{{ buildset_registry.host }}:{{ buildset_registry.port }}"
- state: directory
- - name: Copy the certificate
- ansible.builtin.copy:
- content: "{{ buildset_registry.cert }}"
- dest: "/etc/docker/certs.d/{{ buildset_registry.host }}:{{ buildset_registry.port }}/ca.crt"
- - name: Create a buildkitd.toml file
- ansible.builtin.copy:
- dest: /etc/buildkitd.toml
- content: |
- [registry."{{ buildset_registry.host }}:{{ buildset_registry.port }}"]
- ca=["/etc/docker/certs.d/{{ buildset_registry.host }}:{{ buildset_registry.port }}/ca.crt"]
-
- - name: Create builder
- ansible.builtin.shell: docker buildx create --name=atmosphere --driver=docker-container {% if buildset_registry.cert %}--config /etc/buildkitd.toml{% endif %}
-
- - name: Point registry to Atmosphere if in post pipeline
- when: zuul.pipeline == 'post'
- no_log: true
- ansible.builtin.set_fact:
- buildset_registry:
- host: registry.atmosphere.dev
- port: 443
- username: "{{ registry_credentials.username }}"
- password: "{{ registry_credentials.password }}"
-
- - name: Log into registry
- docker_login:
- registry: "{{ buildset_registry.host }}{% if buildset_registry.port != 443 %}:{{ buildset_registry.port }}{% endif %}"
- username: "{{ buildset_registry.username }}"
- password: "{{ buildset_registry.password }}"
-
- - name: Build images
- ansible.builtin.shell: |
- docker buildx bake --builder=atmosphere --provenance --sbom=true --push
- args:
- chdir: "{{ zuul.project.src_dir }}"
- environment:
- REGISTRY: "{{ buildset_registry.host }}{% if buildset_registry.port != 443 %}:{{ buildset_registry.port }}{% endif %}/library"
- PUSH_TO_CACHE: "{{ zuul.pipeline == 'post' }}"
-
- - name: Get list of images built
- ansible.builtin.shell: docker buildx bake --print
- args:
- chdir: "{{ zuul.project.src_dir }}"
- environment:
- REGISTRY: "{{ buildset_registry.host }}{% if buildset_registry.port != 443 %}:{{ buildset_registry.port }}{% endif %}/library"
- register: images_built_json
-
- - name: Set fact with list of images
- set_fact:
- images_built: "{{ images_built_json.stdout | from_json | json_query('target.*.tags[?@] | []') }}"
-
- - name: Sign images
- when: zuul.pipeline == 'post'
- block:
- - name: Download cosign binary
- become: true
- ansible.builtin.get_url:
- url: https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64
- dest: /usr/local/bin/cosign
- mode: 0755
-
- - name: Determine the digest for the images
- ansible.builtin.shell: |
- cosign triangulate --type=digest {{ item }}
- loop: "{{ images_built }}"
- register: cosign_digest
-
- - name: Copy the cosign public key
- copy:
- content: "{{ cosign_key.public }}"
- dest: cosign.pub
-
- - name: Verify which images are signed
- ignore_errors: true
- ansible.builtin.shell: |
- cosign verify --key cosign.pub --output json {{ item }}
- loop: "{{ cosign_digest.results | map(attribute='stdout') | list | unique }}"
- register: cosign_verify
-
- - name: Copy the cosign private key
- copy:
- content: "{{ cosign_key.private }}"
- dest: cosign.key
-
- - name: Sign images
- ansible.builtin.shell: |
- cosign sign -y --recursive --key cosign.key {{ item }}
- loop: "{{ cosign_verify.results | selectattr('failed', 'equalto', true) | map(attribute='item') | list }}"
-
- - name: Delete the cosign private key
- file:
- path: cosign.key
- state: absent
-
- - name: Return Zuul artifacts for images
- zuul_return:
- data:
- zuul:
- artifacts:
- - name: "{{ item }}"
- url: "docker://{{ item }}"
- metadata:
- type: container_image
- repository: "{{ item.split(':')[0] }}"
- tag: "{{ item.split(':')[1] }}"
- loop: "{{ images_built }}"
-
-- name: Yield to other jobs
- hosts: localhost
- tasks:
- - name: Pause the job
- zuul_return:
- data:
- zuul:
- pause: true
diff --git a/zuul.d/playbooks/molecule/pre.yml b/zuul.d/playbooks/molecule/pre.yml
index f9f2213..a4bc692 100644
--- a/zuul.d/playbooks/molecule/pre.yml
+++ b/zuul.d/playbooks/molecule/pre.yml
@@ -59,8 +59,15 @@
- name: Replace the registry in image manifest
ansible.builtin.replace:
path: "{{ zuul.project.src_dir }}/roles/defaults/vars/main.yml"
- regexp: "registry.atmosphere.dev/library/([^@]*)@sha256:[a-fA-F0-9]{64}"
- replace: '{{ buildset_registry.host }}:{{ buildset_registry.port }}/library/\1'
+ regexp: "{{ repo }}:{{ tag }}"
+ replace: '{{ buildset_registry.host }}:{{ buildset_registry.port }}/{{ repo }}:{{ tag }}'
+ loop: "{{ zuul.artifacts | default([]) }}"
+ loop_control:
+ loop_var: zj_zuul_artifact
+ when: "'metadata' in zj_zuul_artifact and zj_zuul_artifact.metadata.type | default('') == 'container_image'"
+ vars:
+ repo: "{{ zj_zuul_artifact.metadata.repository }}"
+ tag: "{{ zj_zuul_artifact.metadata.tag }}"
# TODO(mnaser): Drop this when we move to PBR
- name: Add current folder to Git's safe directories