Make use of harbor.freedesktop.org for CI
This issue is a checklist for infra admins mostly.
We are switching mesa to use a new managed registry we host to reduce the Google platform costs.
Users of mesa shouldn't see a difference.
- create a mesa project on the new registry and give the maintainer access to the group (harbor admins only)
- manually import the currently deployed tags that are meant to stay around (repeat that step for any images we want to keep):

  ```bash
  # example for registry.freedesktop.org/freedesktop/ci-templates/aarch64/container-build-base:*
  PROJECT=freedesktop/ci-templates; REPO=aarch64/container-build-base; KNOWN_TAG=2022-09-02.0; \
  for tag in $(skopeo inspect docker://registry.freedesktop.org/$PROJECT/$REPO:$KNOWN_TAG | jq -r '.RepoTags[]'); \
  do \
    IMAGE="$REPO:$tag" ; \
    skopeo copy docker://registry.freedesktop.org/$PROJECT/$IMAGE \
                docker://harbor.freedesktop.org/$PROJECT/$IMAGE; \
  done
  ```
- in harbor, set up retention tag policy for mesa (this will allow admins to know which tags need replication):
  - keep defined tags (example from ci-templates):
    - repositories matching: `ci-templates/{x86_64,aarch64}/*-base`
    - retain always
    - tags matching `**`
  - purge everything else:
    - repositories matching: `ci-templates/**`
    - retain the most recently pushed # artifacts: 2
    - tags matching `**`
  - Do some dry runs to see if this is OK
  - Eventually set up a schedule to run this daily
- create a mesa gitlab group token with read/write registry
- add a new endpoint registry in harbor.fd.o (admins only)
  - Provider: gitlab
  - Name: mesa-w-gitlab
  - Endpoint URL: https://registry.freedesktop.org
  - Access ID: mesa
  - Access Secret: the token from above
- set up replication in harbor so we also push the images to registry.freedesktop.org (admins only):
  - Name: mesa_mesa_tag
  - Push Based
  - Source resource filter (see above retention rules):
    - mesa/mesa/tags*
    - leave blank for the rest in that category
  - Destination registry: mesa-w-gitlab
  - Destination:
    - Namespace: mesa
    - Flattening: Flatten 1 Level
  - Trigger Mode: Event Based
  - Bandwidth: -1
  - Options: uncheck Override
- ensure pipelines are running as merge request pipelines:

  ```yaml
  workflow:
    rules:
      - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
      - if: '$CI_COMMIT_BRANCH && $CI_OPEN_MERGE_REQUESTS'
        when: never
      - if: $CI_COMMIT_BRANCH
  ```
- replace at the gitlab project level the following variables:
  - `CI_REGISTRY`: harbor.freedesktop.org
  - `CI_REGISTRY_IMAGE`: harbor.freedesktop.org/mesa/mesa
  - `CI_REGISTRY_USER`: robot@mesa+gitlab-mesa
  - `CI_REGISTRY_PASSWORD`: <some very long password from a robot account on harbor>
Edited by Benjamin Tissoires
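
A check for the manual import step above, as an added example that is not part of the original issue: it compares the manifest digest of every tag on both registries so a partial or altered copy is noticed before CI is switched over. The function names `list_digests` and `compare_digests` are chosen for this example, and it enumerates tags with `skopeo list-tags` rather than the `RepoTags` lookup used in the issue.

```shell
#!/bin/sh
# Added example: verify that imported tags carry the same digest on both registries.
# Registry hosts come from the issue; function names are illustrative.

# Print "tag<TAB>digest" for every tag of a repository (needs network, skopeo, jq).
# $1 = registry host, $2 = project/repo
list_digests() {
  for tag in $(skopeo list-tags "docker://$1/$2" | jq -r '.Tags[]'); do
    printf '%s\t%s\n' "$tag" \
      "$(skopeo inspect --format '{{.Digest}}' "docker://$1/$2:$tag")"
  done
}

# Compare two listings produced by list_digests.
# $1 = source listing file, $2 = destination listing file
# Prints "MISSING <tag>" or "MISMATCH <tag>" and returns non-zero on any difference.
compare_digests() {
  awk -F'\t' '
    FILENAME == ARGV[1] { dst[$1] = $2; next }   # first file read: destination
    !($1 in dst)        { print "MISSING " $1; bad = 1; next }
    dst[$1] != $2       { print "MISMATCH " $1; bad = 1 }
    END                 { exit bad + 0 }
  ' "$2" "$1"
}

# Usage: sh verify-import.sh freedesktop/ci-templates/aarch64/container-build-base
if [ "$#" -ge 1 ]; then
  src=$(mktemp) dst=$(mktemp)
  list_digests registry.freedesktop.org "$1" > "$src"
  list_digests harbor.freedesktop.org "$1" > "$dst"
  compare_digests "$src" "$dst"
fi
```

A `MISMATCH` on a multi-arch tag can mean the copy was made without `skopeo copy --all`, which copies only the image for the local platform instead of the whole manifest list.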