Add containerfile (#3)

Signed-off-by: Christian Berendt <[email protected]>
osism · Jun 19, 2024 · 4982e2d · 4982e2d
1 parent d15b223
commit 4982e2d
Show file tree

Hide file tree

Showing 6 changed files with 150 additions and 0 deletions.
diff --git a/.yamllint.yml b/.yamllint.yml
@@ -0,0 +1,6 @@
+---
+extends: default
+
+rules:
+  comments: enable
+  line-length: disable
diff --git a/.zuul.yaml b/.zuul.yaml
@@ -1,14 +1,24 @@
 ---
+- job:
+    name: osism-kubernetes-build
+    pre-run: playbooks/pre.yml
+    run: playbooks/build.yml
+    vars:
+      docker_namespace: osism
+      docker_registry: osism.harbor.regio.digital
+
 - project:
     merge-mode: squash-merge
     default-branch: main
     check:
       jobs:
         - hadolint
+        - osism-kubernetes-build
         - yamllint
     gate:
       jobs:
         - hadolint
+        - osism-kubernetes-build
         - yamllint
     periodic-daily:
       jobs:

diff --git a/Containerfile b/Containerfile
@@ -0,0 +1,33 @@
+ARG PYTHON_VERSION=3.12
+FROM python:${PYTHON_VERSION}-slim-bookworm as builder
+
+ARG USER_ID=45000
+ARG GROUP_ID=45000
+ARG GROUP_ID_DOCKER=999
+
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+
+# hadolint ignore=DL3003
+RUN <<EOF
+# add user
+groupadd -g "$GROUP_ID" dragon
+groupadd -g "$GROUP_ID_DOCKER" docker
+useradd -l -g dragon -G docker -u "$USER_ID" -m -d /ansible dragon
+
+# create required directories
+mkdir -p \
+  /ansible \
+  /interface \
+  /share
+
+# set correct permssions
+chown -R dragon: /ansible /share /interface
+EOF
+
+USER dragon
+
+ARG PYTHON_VERSION=3.12
+FROM python:${PYTHON_VERSION}-slim-bookworm
+
+COPY --link --from=builder / /
+USER dragon
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1 @@
+Containerfile
diff --git a/playbooks/build.yml b/playbooks/build.yml
@@ -0,0 +1,86 @@
+---
+- name: Build osism-kubernetes image
+  hosts: all
+
+  environment:
+    registry: "{{ docker_registry | default('osism.harbor.regio.digital') }}"
+    repository: "{{ docker_namespace | default('osism') }}/osism-kubernetes"
+    version: "{{ zuul['tag'] | default('latest') }}"
+
+  tasks:
+    - name: Log into registry
+      community.docker.docker_login:
+        registry_url: "{{ docker_registry }}"
+        username: "{{ secret.DOCKER_USERNAME }}"
+        password: "{{ secret.DOCKER_PASSWORD }}"
+      when: push_image | default(false) | bool
+      no_log: true
+
+    - name: Run build script
+      ansible.builtin.shell:
+        executable: /bin/bash
+        chdir: "{{ zuul.project.src_dir | default('.') }}"
+        cmd: |
+          set -e
+          set -o pipefail
+          set -x
+
+          # This is a way to use this job also in other repositories
+          # (osism/cfg-generics, osism/defaults, ..). The assumption
+          # is that if no Containerfile is available, the job was executed
+          # from one of the other repositories. There are probably more
+          # elegant ways to solve this, but it is good enough for now.
+          if [[ ! -e Containerfile ]]; then
+              git clone https://github.com/osism/container-image-osism-kubernetes.git container-image
+              pushd container-image
+          fi
+
+          created=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+          revision=$(git rev-parse --short HEAD)
+
+          if [[ -n $registry ]]; then
+              repository="$registry/$repository"
+          fi
+
+          docker buildx build \
+              --build-arg "VERSION=$version" \
+              --label "org.opencontainers.image.created=$created" \
+              --label "org.opencontainers.image.documentation=https://osism.tech/docs/" \
+              --label "org.opencontainers.image.licenses=ASL 2.0" \
+              --label "org.opencontainers.image.revision=$revision" \
+              --label "org.opencontainers.image.source=https://github.com/osism/container-image-osism-kubernetes" \
+              --label "org.opencontainers.image.title=osism-kubernetes" \
+              --label "org.opencontainers.image.url=https://quay.io/organization/osism" \
+              --label "org.opencontainers.image.vendor=OSISM GmbH" \
+              --label "org.opencontainers.image.version=$version" \
+              --load \
+              --tag "$revision" \
+              .  # <-- there is a dot
+      changed_when: true
+
+    - name: Run push script
+      ansible.builtin.shell:
+        executable: /bin/bash
+        chdir: "{{ zuul.project.src_dir | default('.') }}"
+        cmd: |
+          set -e
+          set -o pipefail
+          set -x
+
+          # If the way described above is used, we must first change to
+          # the container-image directory to obtain the correct revision.
+          if [[ ! -e Containerfile ]]; then
+              pushd container-image
+          fi
+
+          revision=$(git rev-parse --short HEAD)
+
+          if [[ -n $registry ]]; then
+              repository="$registry/$repository"
+          fi
+
+          docker tag "$revision" "$repository:$version"
+          docker push "$repository:$version"
+
+      when: push_image | default(false) | bool
+      changed_when: true
diff --git a/playbooks/pre.yml b/playbooks/pre.yml
@@ -0,0 +1,14 @@
+---
+- name: Run preparations
+  hosts: all
+
+  tasks:
+    - name: Install required packages
+      become: true
+      ansible.builtin.apt:
+        name:
+          - python3-docker
+          - python3-requests
+
+  roles:
+    - ensure-docker