From ba9e7548687d64aefcebfe83909f3633ea1b177c Mon Sep 17 00:00:00 2001
From: bstein
Date: Wed, 17 Dec 2025 01:52:53 -0300
Subject: [PATCH] ci: push to harbor via dockerconfig secret
---
 Jenkinsfile | 57 ++++++++++++++++++++++++++++++-----------------------
 1 file changed, 32 insertions(+), 25 deletions(-)
diff --git a/Jenkinsfile b/Jenkinsfile
index 7c9c589..8df7654 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -7,8 +7,6 @@ pipeline {
 apiVersion: v1
 kind: Pod
 spec:
- securityContext:
- runAsUser: 0
 containers:
 - name: dind
 image: docker:27-dind
@@ -19,7 +17,6 @@ spec:
 value: ""
 args:
 - --mtu=1400
- - --insecure-registry=registry.bstein.dev
 volumeMounts:
 - name: dind-storage
 mountPath: /var/lib/docker
@@ -37,7 +34,15 @@ spec:
 mountPath: /home/jenkins/agent
 - name: dind-storage
 mountPath: /var/lib/docker
+ - name: docker-config
+ mountPath: /root/.docker
 volumes:
+ - name: docker-config
+ secret:
+ secretName: harbor-robot-pipeline
+ items:
+ - key: .dockerconfigjson
+ path: config.json
 - name: workspace-volume
 emptyDir: {}
 - name: dind-storage
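Review bot: The `docker-config` volumeMount at `/root/.docker` is only picked up if the process in that container resolves its home to `/root`, and the first hunk of this same patch drops the pod-level `runAsUser: 0`, so that now depends on the image's default user. Setting the lookup path explicitly on the container, `- name: DOCKER_CONFIG` with `value: /root/.docker`, removes that dependency; the container's name and `env` block lie outside this hunk, so confirm which container receives the mount. The secret volume also sets no `defaultMode`, so the robot credential is presumably readable by every process in that container for the whole life of the pod, including while the upstream `make` targets run; `defaultMode: 0400` under `secret:` would narrow that, provided the container user matches the file owner.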
@@ -91,31 +96,33 @@ spec: } steps { container('builder') { - withCredentials([usernamePassword(credentialsId: 'harbor-robot', passwordVariable: 'HPASS', usernameVariable: 'HUSER')]) { - sh ''' - set -euo pipefail - SRC_DIR=$(find harbor-src -maxdepth 1 -type d -name "harbor-*" | head -n1) - cd "${SRC_DIR}" + sh ''' + set -euo pipefail - docker login -u "${HUSER}" -p "${HPASS}" "$(echo "${REGISTRY}" | cut -d/ -f1)" + SRC_DIR=$(find harbor-src -maxdepth 1 -type d -name "harbor-*" | head -n1) + cd "${SRC_DIR}" - export VERSIONTAG="${VERSIONTAG}" - export BASEIMAGETAG="${VERSIONTAG}" - export IMAGENAMESPACE="${REGISTRY}" - export BASEIMAGENAMESPACE="${REGISTRY}" - export PULL_BASE_FROM_DOCKERHUB=false - export BUILD_BASE=true - export PUSHBASEIMAGE=true - export BUILDTRIVYADP=false - export BUILD_INSTALLER=false - export REGISTRYUSER="${HUSER}" - export REGISTRYPASSWORD="${HPASS}" + export VERSIONTAG="${VERSIONTAG}" + export BASEIMAGETAG="${VERSIONTAG}" + export IMAGENAMESPACE="${REGISTRY}" + export BASEIMAGENAMESPACE="${REGISTRY}" + export PULL_BASE_FROM_DOCKERHUB=false + export BUILD_BASE=true + export BUILDTRIVYADP=false + export BUILD_INSTALLER=false - make compile - make build - make pushimage - ''' - } + make compile + make build + + # Push every image we just built for this tag under our namespace. + docker images --format '{{.Repository}}:{{.Tag}}' \ + | awk -v ns="${REGISTRY}/" -v tag="${VERSIONTAG}" 'index($0, ns)==1 && $0 ~ ":"tag"$"' \ + | sort -u \ + | while read -r img; do + echo "Pushing ${img}" + docker push "${img}" + done + ''' } } }
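Review bot: The push loop exits 0 when the filter matches nothing, so a build that produced no images under `${REGISTRY}/` with `${VERSIONTAG}` (or a typo in either variable) reports success without publishing anything. The awk test `$0 ~ ":"tag"$"` also treats the tag as a regular expression, so the dots in a version tag match any character; a literal suffix comparison is safer. Collect the list first, fail when it is empty, then push. The loop also selects by name from the daemon's whole image store rather than from this build's output, so anything already present in `dind-storage` with that prefix and tag is pushed as well, which deserves a comment if it is intended.

```groovy
        # … unchanged: exports, make compile …
        make build

        # Push every image for this tag under our namespace; fail if there are none.
        images=$(docker images --format '{{.Repository}}:{{.Tag}}' \
          | awk -v ns="${REGISTRY}/" -v sfx=":${VERSIONTAG}" \
              'index($0, ns)==1 && substr($0, length($0)-length(sfx)+1)==sfx' \
          | sort -u)
        if [ -z "${images}" ]; then
          echo "No images match ${REGISTRY}/*:${VERSIONTAG}" >&2
          exit 1
        fi
        echo "${images}" | while read -r img; do
          echo "Pushing ${img}"
          docker push "${img}"
        done
```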