pipeline {
  agent {
    kubernetes {
      label 'harbor-arm-build'
      defaultContainer 'builder'
      yaml """
apiVersion: v1
kind: Pod
spec:
  securityContext:
    runAsUser: 0
  containers:
  - name: dind
    image: docker:27-dind
    securityContext:
      privileged: true
    env:
    - name: DOCKER_TLS_CERTDIR
      value: ""
    args:
    - --mtu=1400
    - --insecure-registry=registry.bstein.dev
    volumeMounts:
    - name: dind-storage
      mountPath: /var/lib/docker
  - name: builder
    image: docker:27
    command: ["cat"]
    tty: true
    env:
    - name: DOCKER_HOST
      value: tcp://localhost:2375
    - name: DOCKER_TLS_CERTDIR
      value: ""
    volumeMounts:
    - name: workspace-volume
      mountPath: /home/jenkins/agent
    - name: dind-storage
      mountPath: /var/lib/docker
  volumes:
  - name: workspace-volume
    emptyDir: {}
  - name: dind-storage
    emptyDir: {}
"""
    }
  }
  environment {
    VERSION     = 'v2.14.1'
    TAG_SUFFIX  = '-arm64'
    REGISTRY    = 'registry.bstein.dev/infra'
    HARBOR_TARBALL = "https://github.com/goharbor/harbor/archive/refs/tags/${VERSION}.tar.gz"
  }
  options {
    disableConcurrentBuilds()
  }
  stages {
    stage('Checkout Jenkinsfile') {
      steps {
        git credentialsId: 'gitea-pat', url: 'https://scm.bstein.dev/bstein/harbor-arm-build.git'
      }
    }

    stage('Prep toolchain') {
      steps {
        container('builder') {
          sh '''
            set -euo pipefail
            apk add --no-cache bash curl make tar gzip git coreutils
          '''
        }
      }
    }

    stage('Fetch harbor source') {
      steps {
        container('builder') {
          sh '''
            set -euo pipefail
            rm -rf harbor-src
            mkdir -p harbor-src
            curl -sSL "${HARBOR_TARBALL}" | tar xz -C harbor-src
          '''
        }
      }
    }

    stage('Build & push arm64 images') {
      environment {
        VERSIONTAG = "${VERSION}${TAG_SUFFIX}"
      }
      steps {
        container('builder') {
          withCredentials([usernamePassword(credentialsId: 'harbor-robot', passwordVariable: 'HPASS', usernameVariable: 'HUSER')]) {
            sh '''
              set -euo pipefail
              SRC_DIR=$(find harbor-src -maxdepth 1 -type d -name "harbor-*" | head -n1)
              cd "${SRC_DIR}"

              docker login -u "${HUSER}" -p "${HPASS}" "$(echo "${REGISTRY}" | cut -d/ -f1)"

              export VERSIONTAG="${VERSIONTAG}"
              export BASEIMAGETAG="${VERSIONTAG}"
              export IMAGENAMESPACE="${REGISTRY}"
              export BASEIMAGENAMESPACE="${REGISTRY}"
              export PULL_BASE_FROM_DOCKERHUB=false
              export BUILD_BASE=true
              export PUSHBASEIMAGE=true
              export BUILDTRIVYADP=false
              export BUILD_INSTALLER=false
              export REGISTRYUSER="${HUSER}"
              export REGISTRYPASSWORD="${HPASS}"

              make compile
              make build
              make pushimage
            '''
          }
        }
      }
    }
  }
  post {
    always {
      cleanWs()
    }
  }
}