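// Jenkins declarative pipeline: builds Harbor ${VERSION} images for arm64 from the
// upstream source tarball and pushes them to ${REGISTRY}.
//
// Security notes for reviewers:
//  * The `dind` sidecar runs privileged with DOCKER_TLS_CERTDIR="" (TLS off), so the
//    Docker API is served without TLS or authentication on port 2375.
//    NOTE(review): the builder only needs it on localhost, but the daemon may be
//    reachable on the pod IP as well; confirm a NetworkPolicy restricts ingress to
//    this agent pod, or switch to the TLS-enabled socket.
//  * The `harbor-robot-pipeline` registry credential is mounted into the builder at
//    /root/.docker, so every build step can read it, including `make` targets taken
//    from the downloaded source. Pinning the tarball digest (see
//    HARBOR_TARBALL_SHA256 below) is the control that keeps unreviewed code away
//    from that credential.
//  * `docker:27-dind` and `docker:27` are mutable tags; consider pinning by digest.
pipeline {
  agent {
    kubernetes {
      label 'harbor-arm-build'
      defaultContainer 'builder'
      yaml """
        apiVersion: v1
        kind: Pod
        spec:
          containers:
            # Docker-in-Docker daemon; privileged is required for nested dockerd.
            - name: dind
              image: docker:27-dind
              securityContext:
                privileged: true
              env:
                # An empty value disables TLS for the daemon socket.
                - name: DOCKER_TLS_CERTDIR
                  value: ""
              args:
                - --mtu=1400
              volumeMounts:
                - name: dind-storage
                  mountPath: /var/lib/docker
            # Build container; talks to the dind daemon over the pod-local network.
            - name: builder
              image: docker:27
              command: ["cat"]
              tty: true
              env:
                - name: DOCKER_HOST
                  value: tcp://localhost:2375
                - name: DOCKER_TLS_CERTDIR
                  value: ""
              volumeMounts:
                - name: workspace-volume
                  mountPath: /home/jenkins/agent
                - name: dind-storage
                  mountPath: /var/lib/docker
                # Registry push credentials (robot account).
                - name: docker-config
                  mountPath: /root/.docker
          volumes:
            - name: docker-config
              secret:
                secretName: harbor-robot-pipeline
                items:
                  - key: .dockerconfigjson
                    path: config.json
            - name: workspace-volume
              emptyDir: {}
            - name: dind-storage
              emptyDir: {}
      """
    }
  }

  environment {
    VERSION = 'v2.14.1'
    TAG_SUFFIX = '-arm64'
    REGISTRY = 'registry.bstein.dev/infra'
    HARBOR_TARBALL = "https://github.com/goharbor/harbor/archive/refs/tags/${VERSION}.tar.gz"
    // Optional integrity pin for HARBOR_TARBALL. When set, the fetch stage refuses
    // to unpack a tarball whose SHA-256 differs. Placeholder only: record the
    // digest of a tarball you have reviewed and update it with every VERSION bump.
    // HARBOR_TARBALL_SHA256 = '<sha256-of-reviewed-source-tarball>'
  }

  options {
    disableConcurrentBuilds()
  }

  stages {
    stage('Checkout Jenkinsfile') {
      steps {
        git credentialsId: 'gitea-pat', url: 'https://scm.bstein.dev/bstein/harbor-arm-build.git'
      }
    }

    stage('Prep toolchain') {
      steps {
        container('builder') {
          sh '''
            set -euo pipefail
            apk add --no-cache bash curl make tar gzip git coreutils
          '''
        }
      }
    }

    stage('Fetch harbor source') {
      steps {
        container('builder') {
          sh '''
            set -euo pipefail
            rm -rf harbor-src harbor-src.tar.gz
            mkdir -p harbor-src

            # -f turns an HTTP error into a failed step instead of feeding an error
            # page to tar; --proto/--proto-redir keep the download and any redirect
            # on HTTPS.
            curl -fsSL --proto "=https" --proto-redir "=https" \
              -o harbor-src.tar.gz "${HARBOR_TARBALL}"

            # Always record the digest in the build log so a changed upstream
            # artifact is visible after the fact.
            sha256sum harbor-src.tar.gz

            # Enforce the pin when one is configured; otherwise say clearly that
            # the source was not verified.
            if [ -n "${HARBOR_TARBALL_SHA256:-}" ]; then
              echo "${HARBOR_TARBALL_SHA256}  harbor-src.tar.gz" | sha256sum -c -
            else
              echo "WARNING: HARBOR_TARBALL_SHA256 is not set; source tarball integrity is not verified" >&2
            fi

            tar xzf harbor-src.tar.gz -C harbor-src
            rm -f harbor-src.tar.gz
          '''
        }
      }
    }

    stage('Build & push arm64 images') {
      environment {
        VERSIONTAG = "${VERSION}${TAG_SUFFIX}"
      }
      steps {
        container('builder') {
          sh '''
            set -euo pipefail

            # -mindepth 1 excludes the search root: "harbor-src" itself matches
            # the "harbor-*" pattern and would otherwise be returned first.
            SRC_DIR=$(find harbor-src -mindepth 1 -maxdepth 1 -type d -name "harbor-*" | head -n1)
            if [ -z "${SRC_DIR}" ]; then
              echo "ERROR: no harbor-* source directory found under harbor-src" >&2
              exit 1
            fi
            cd "${SRC_DIR}"

            export VERSIONTAG="${VERSIONTAG}"
            export BASEIMAGETAG="${VERSIONTAG}"
            export IMAGENAMESPACE="${REGISTRY}"
            export BASEIMAGENAMESPACE="${REGISTRY}"
            export PULL_BASE_FROM_DOCKERHUB=false
            export BUILD_BASE=true
            export BUILDTRIVYADP=false
            export BUILD_INSTALLER=true

            make compile
            make build

            # Retag a few upstream image names to our internal naming convention
            # (so Helm values can keep using `harbor-*` consistently).
            # Retagging stays best-effort, but a failure is reported in the log
            # instead of being swallowed, so a missing image is noticed.
            retag() {
              docker tag "${REGISTRY}/$1:${VERSIONTAG}" "${REGISTRY}/$2:${VERSIONTAG}" ||
                echo "WARNING: could not retag $1 as $2; it will not be pushed under the new name" >&2
            }
            retag prepare harbor-prepare
            retag redis-photon harbor-redis
            retag nginx-photon harbor-nginx
            retag registry-photon harbor-registry

            # Push every image we just built for this tag under our namespace.
            # With `set -e` and pipefail, a failed push fails the stage.
            docker images --format '{{.Repository}}:{{.Tag}}' |
              awk -v ns="${REGISTRY}/" -v tag="${VERSIONTAG}" 'index($0, ns)==1 && $0 ~ ":"tag"$"' |
              sort -u |
              while read -r img; do
                echo "Pushing ${img}"
                docker push "${img}"
              done
          '''
        }
      }
    }
  }

  post {
    always {
      cleanWs()
    }
  }
}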