Merge pull request #50 from embik/kcp-build-image-on-prow

🌱 Move builds for `ghcr.io/kcp-dev/infra/build` to prow
kcp-dev · Jun 13, 2023 · 27bd350 · 27bd350
2 parents d6f64e5 + f380cf0
commit 27bd350
Show file tree

Hide file tree

Showing 5 changed files with 126 additions and 67 deletions.
diff --git a/.github/workflows/build-image.yaml b/.github/workflows/build-image.yaml
diff --git a/images/build/env b/images/build/env
@@ -1,3 +1,3 @@
-BUILD_IMAGE_TAG=1.19.9-2
+BUILD_IMAGE_TAG=1.19.9-3
 GO_IMAGE_VERSION=1.19.9
 K8S_VERSION=1.26.3
diff --git a/images/build/hack/build-image.sh b/images/build/hack/build-image.sh
@@ -0,0 +1,78 @@
+#!/usr/bin/env bash
+
+# Copyright 2023 The KCP Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -euo pipefail
+
+# in CI, make use of the registry mirror to avoid getting rate limited
+if [ -n "${DOCKER_REGISTRY_MIRROR_ADDR:-}" ]; then
+  # remove "http://" or "https://" prefix
+  mirror="$(echo "$DOCKER_REGISTRY_MIRROR_ADDR" | awk -F// '{print $NF}')"
+
+  echo "Configuring registry mirror for docker.io ..."
+
+  cat <<EOF > /etc/containers/registries.conf.d/mirror.conf
+[[registry]]
+prefix = "docker.io"
+insecure = true
+location = "$mirror"
+EOF
+fi
+
+repository=ghcr.io/kcp-dev/infra/build
+architectures="amd64"
+
+cd ./images/build
+
+# read configuration file for build image
+source ./env
+
+image="$repository:${BUILD_IMAGE_TAG}"
+echo "Building container image $image ..."
+
+# build image for all architectures
+for arch in $architectures; do
+  fullTag="$image-$arch"
+
+  echo "Building $version-$arch ..."
+  buildah build-using-dockerfile \
+    --file Dockerfile \
+    --tag "$fullTag" \
+    --arch "$arch" \
+    --override-arch "$arch" \
+    --build-arg "GO_VERSION=${GO_IMAGE_VERSION}" \
+    --build-arg "K8S_VERSION=${K8S_VERSION}"
+    --format=docker \
+    .
+done
+
+echo "Creating manifest $image ..."
+buildah manifest create "$image"
+for arch in $architectures; do
+  buildah manifest add "$image" "$image-$arch"
+done
+
+# push manifest, except in presubmits
+if [ -z "${DRY_RUN:-}" ]; then
+  echo "Logging into GHCR ..."
+  buildah login --username "$KCP_GHCR_USERNAME" --password "$KCP_GHCR_PASSWORD" ghcr.io
+
+  echo "Pushing manifest and images ..."
+  buildah manifest push --all "$image" "docker://$image"
+else
+  echo "Not pushing images because \$DRY_RUN is set."
+fi
+
+echo "Done."
diff --git a/prow/jobs/infra/infra-postsubmits.yaml b/prow/jobs/infra/infra-postsubmits.yaml
@@ -41,3 +41,27 @@ postsubmits:
                 value: /etc/prow/kubeconfig/kubeconfig
               - name: KUBE_CONTEXT
                 value: default
+
+    - name: post-infra-publish-images-build
+      decorate: true
+      clone_uri: "ssh://git@github.com/kcp-dev/infra.git"
+      cluster: prow # GHCR credentials are only available here
+      labels:
+        preset-ghcr-credentials: "true"
+      branches:
+        - ^main$
+      # this forces to bump the image tag in this file to get a
+      # new image build
+      run_if_changed: '^images/build/env$'
+      spec:
+        containers:
+          - image: quay.io/containers/buildah:v1.30.0
+            command:
+              - images/build/hack/build-image.sh
+            # docker-in-docker needs privileged mode
+            securityContext:
+              privileged: true
+            resources:
+              requests:
+                cpu: 2
+                memory: 3Gi
diff --git a/prow/jobs/infra/infra-presubmits.yaml b/prow/jobs/infra/infra-presubmits.yaml
@@ -60,3 +60,26 @@ presubmits:
           secret:
             secretName: github-token
 
+    - name: pull-infra-images-build
+      decorate: true
+      clone_uri: "ssh://git@github.com/kcp-dev/infra.git"
+      # this forces to bump the image tag in this file to get a
+      # new image build
+      run_if_changed: '^images/build/env$'
+      labels:
+        preset-goproxy: "true"
+      spec:
+        containers:
+          - image: quay.io/containers/buildah:v1.30.0
+            command:
+              - images/build/hack/build-image.sh
+            # docker-in-docker needs privileged mode
+            securityContext:
+              privileged: true
+            env:
+              - name: DRY_RUN
+                value: '1'
+            resources:
+              requests:
+                memory: 1Gi
+                cpu: 1