diff --git a/Jenkinsfile b/Jenkinsfile
index 4b3d390..7c9c589 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -2,80 +2,127 @@ pipeline { agent { kubernetes { label 'harbor-arm-build' - defaultContainer 'git' + defaultContainer 'builder' yaml """ apiVersion: v1 kind: Pod spec: + securityContext: + runAsUser: 0 containers: - - name: git - image: alpine/git:2.45.2 - command: ['cat'] - tty: true + - name: dind + image: docker:27-dind + securityContext: + privileged: true + env: + - name: DOCKER_TLS_CERTDIR + value: "" + args: + - --mtu=1400 + - --insecure-registry=registry.bstein.dev volumeMounts: - - mountPath: /home/jenkins/agent - name: workspace-volume - - name: kaniko - image: gcr.io/kaniko-project/executor:v1.23.2-debug - command: ['cat'] + - name: dind-storage + mountPath: /var/lib/docker + - name: builder + image: docker:27 + command: ["cat"] tty: true + env: + - name: DOCKER_HOST + value: tcp://localhost:2375 + - name: DOCKER_TLS_CERTDIR + value: "" volumeMounts: - - mountPath: /home/jenkins/agent - name: workspace-volume - - mountPath: /kaniko/.docker - name: docker-config + - name: workspace-volume + mountPath: /home/jenkins/agent + - name: dind-storage + mountPath: /var/lib/docker volumes: - name: workspace-volume emptyDir: {} - - name: docker-config - secret: - secretName: harbor-robot-pipeline - items: - - key: .dockerconfigjson - path: config.json + - name: dind-storage + emptyDir: {} """ } } environment { - REGISTRY = 'registry.bstein.dev' - IMAGE = 'infra/harbor-arm-build' + VERSION = 'v2.14.1' + TAG_SUFFIX = '-arm64' + REGISTRY = 'registry.bstein.dev/infra' + HARBOR_TARBALL = "https://github.com/goharbor/harbor/archive/refs/tags/${VERSION}.tar.gz" + } + options { + disableConcurrentBuilds() } stages { - stage('Checkout') { + stage('Checkout Jenkinsfile') { steps { - container('git') { - git credentialsId: 'gitea-pat', url: 'https://scm.bstein.dev/bstein/harbor-arm-build.git' - } + git credentialsId: 'gitea-pat', url: 'https://scm.bstein.dev/bstein/harbor-arm-build.git' } } - stage('Build & Push (kaniko)') { + + stage('Prep toolchain') { steps { - 
container('kaniko') { + container('builder') { sh ''' - set -euo pipefail - cat > app.sh <<'APP' - #!/usr/bin/env bash - echo "hello harbor arm build $(date)" - APP - chmod +x app.sh - - cat > Dockerfile <<'DOCKER' - FROM alpine:3.20 - COPY app.sh /usr/local/bin/app.sh - RUN chmod +x /usr/local/bin/app.sh - ENTRYPOINT ["/usr/local/bin/app.sh"] - DOCKER - - /kaniko/executor \ - --context "${PWD}" \ - --dockerfile "${PWD}/Dockerfile" \ - --destination "${REGISTRY}/${IMAGE}:latest" \ - --snapshotMode=redo \ - --single-snapshot \ - --verbosity=info + set -euo pipefail + apk add --no-cache bash curl make tar gzip git coreutils ''' } } } + + stage('Fetch harbor source') { + steps { + container('builder') { + sh ''' + set -euo pipefail + rm -rf harbor-src + mkdir -p harbor-src + curl -sSL "${HARBOR_TARBALL}" | tar xz -C harbor-src + ''' + } + } + } + + stage('Build & push arm64 images') { + environment { + VERSIONTAG = "${VERSION}${TAG_SUFFIX}" + } + steps { + container('builder') { + withCredentials([usernamePassword(credentialsId: 'harbor-robot', passwordVariable: 'HPASS', usernameVariable: 'HUSER')]) { + sh ''' + set -euo pipefail + SRC_DIR=$(find harbor-src -maxdepth 1 -type d -name "harbor-*" | head -n1) + cd "${SRC_DIR}" + + docker login -u "${HUSER}" -p "${HPASS}" "$(echo "${REGISTRY}" | cut -d/ -f1)" + + export VERSIONTAG="${VERSIONTAG}" + export BASEIMAGETAG="${VERSIONTAG}" + export IMAGENAMESPACE="${REGISTRY}" + export BASEIMAGENAMESPACE="${REGISTRY}" + export PULL_BASE_FROM_DOCKERHUB=false + export BUILD_BASE=true + export PUSHBASEIMAGE=true + export BUILDTRIVYADP=false + export BUILD_INSTALLER=false + export REGISTRYUSER="${HUSER}" + export REGISTRYPASSWORD="${HPASS}" + + make compile + make build + make pushimage + ''' + } + } + } + } + } + post { + always { + cleanWs() + } } }
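Review bot: The 'Fetch harbor source' stage pipes the GitHub tarball straight into `tar` with no integrity check, and whatever it unpacks is then run by `make` next to a privileged dind daemon with the `harbor-robot` credentials exported in the environment. Pinning a SHA-256 beside `VERSION` and verifying the download before extraction closes that gap, and `-f` on curl makes an HTTP error fail the stage rather than reach tar. In the push stage, `docker login -p "${HPASS}"` puts the password in the process argument list; reading it with `--password-stdin` avoids that. The dind arg `--insecure-registry=registry.bstein.dev` also lets that login fall back to unverified TLS or plain HTTP, so it is worth dropping if the registry serves a valid certificate (not visible from this hunk). The `pipeline {` block opens above the hunk.

```groovy
// … unchanged: VERSION, TAG_SUFFIX, REGISTRY, HARBOR_TARBALL …
HARBOR_SHA256 = '<placeholder: sha256 of the pinned source tarball>'

// … in stage 'Fetch harbor source', after mkdir -p harbor-src …
curl -fsSL -o harbor.tar.gz "${HARBOR_TARBALL}"
echo "${HARBOR_SHA256}  harbor.tar.gz" | sha256sum -c -
tar xzf harbor.tar.gz -C harbor-src

// … in stage 'Build & push arm64 images', replacing the docker login line …
printf '%s' "${HPASS}" | docker login -u "${HUSER}" --password-stdin "$(echo "${REGISTRY}" | cut -d/ -f1)"
```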