Synchronise component images (#209)

* Add default mirror configuration for StackHPC GH packages

* Add an image sync step to CI

.github/workflows/ensure-capi-images.yaml

@@ -2,7 +2,7 @@ name: Ensure CAPI images
 on:
   workflow_call:
     inputs:
-      ref-under-test:
+      ref:
         type: string
         description: The Git ref under test.
         required: true
@@ -29,7 +29,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v3
         with:
-          ref: ${{ inputs.ref-under-test }}
+          ref: ${{ inputs.ref }}
 
       - name: Fetch image details
         id: images
@@ -58,7 +58,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v3
         with:
-          ref: ${{ inputs.ref-under-test }}
+          ref: ${{ inputs.ref }}
         if: ${{ !matrix.skip }}
 
       - name: Write cloud credential

.github/workflows/lint.yaml

@@ -2,7 +2,7 @@ name: Helm Lint
 on:
   workflow_call:
     inputs:
-      ref-under-test:
+      ref:
         type: string
         description: The Git ref under test.
         required: true
@@ -14,7 +14,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v3
         with:
-          ref: ${{ inputs.ref-under-test }}
+          ref: ${{ inputs.ref }}
           fetch-depth: 0
 
       - name: Set up Helm

.github/workflows/main.yaml

@@ -12,23 +12,30 @@ jobs:
   lint:
     uses: ./.github/workflows/lint.yaml
     with:
-      ref-under-test: ${{ github.sha }}
+      ref: ${{ github.sha }}
+
+  mirror_container_images:
+    needs: [lint]
+    uses: ./.github/workflows/sync-images.yaml
+    secrets: inherit
+    with:
+      ref: ${{ github.sha }}
 
   ensure_capi_images:
     needs: [lint]
     uses: ./.github/workflows/ensure-capi-images.yaml
     secrets: inherit
     with:
-      ref-under-test: ${{ github.sha }}
+      ref: ${{ github.sha }}
 
   test:
-    needs: [ensure_capi_images]
+    needs: [mirror_container_images, ensure_capi_images]
     uses: ./.github/workflows/test.yaml
     secrets: inherit
     with:
       # Pass the images as JSON
       images: ${{ toJSON(needs.ensure_capi_images.outputs) }}
       # We want to test the current sha
-      ref-under-test: ${{ github.sha }}
+      ref: ${{ github.sha }}
       # Only run the sanity check on main
       tests-full: false

.github/workflows/pr.yaml

@@ -28,24 +28,31 @@ jobs:
     needs: [wait_for_approval]
     uses: ./.github/workflows/lint.yaml
     with:
-      ref-under-test: ${{ github.event.pull_request.head.sha }}
+      ref: ${{ github.event.pull_request.head.sha }}
+
+  mirror_container_images:
+    needs: [lint]
+    uses: ./.github/workflows/sync-images.yaml
+    secrets: inherit
+    with:
+      ref: ${{ github.event.pull_request.head.sha }}
 
   ensure_capi_images:
     needs: [lint]
     uses: ./.github/workflows/ensure-capi-images.yaml
     secrets: inherit
     with:
-      ref-under-test: ${{ github.event.pull_request.head.sha }}
+      ref: ${{ github.event.pull_request.head.sha }}
 
   test:
-    needs: [ensure_capi_images]
+    needs: [mirror_container_images, ensure_capi_images]
     uses: ./.github/workflows/test.yaml
     secrets: inherit
     with:
       # Pass the images as JSON
       images: ${{ toJSON(needs.ensure_capi_images.outputs) }}
       # We want to test the code in the PR
-      ref-under-test: ${{ github.event.pull_request.head.sha }}
+      ref: ${{ github.event.pull_request.head.sha }}
       # If the PR is in draft, just run a sanity check
       # If the PR is in review, run the full test suite
       tests-full: ${{ !github.event.pull_request.draft }}

.github/workflows/sync-images.yaml

@@ -0,0 +1,34 @@
+name: sync images
+on:
+  workflow_call:
+    inputs:
+      ref:
+        type: string
+        description: The Git ref to use in the checkout.
+
+jobs:
+  sync_images:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out the repository
+        uses: actions/checkout@v3
+        with:
+          ref: ${{ inputs.ref }}
+
+      - name: Install skopeo
+        run: sudo apt-get -y update && sudo apt-get install -y skopeo
+
+      # Just sync all the images in all the manifests to GitHub packages
+      - name: Sync component images
+        run: |-
+          set -ex
+          for manifest in $(ls ./skopeo-manifests/*.yaml); do
+            skopeo sync \
+              --src yaml \
+              --dest docker \
+              --dest-creds ${{ github.actor }}:${{ secrets.GITHUB_TOKEN }} \
+              --scoped \
+              --all \
+              "$manifest" \
+              ghcr.io/stackhpc
+          done

.github/workflows/test.yaml

@@ -5,7 +5,7 @@ on:
       images:
         type: string
         description: JSON-encoded dictionary of images and versions
-      ref-under-test:
+      ref:
         type: string
         description: The Git ref under test.
         required: true
@@ -26,7 +26,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v3
         with:
-          ref: ${{ inputs.ref-under-test }}
+          ref: ${{ inputs.ref }}
 
       - name: Create kind cluster
         uses: helm/kind-action@v1.8.0
@@ -48,9 +48,6 @@ jobs:
                 auth:
                   project_id: ${{ secrets.PROJECT_ID }}
                 verify: false
-            registryMirrors:
-              docker.io:
-                - ${{ secrets.DOCKER_HUB_MIRROR_URL }}
             controlPlane:
               machineFlavor: ${{ secrets.CONTROL_PLANE_FLAVOR }}
               machineCount: 1
@@ -107,7 +104,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v3
         with:
-          ref: ${{ inputs.ref-under-test }}
+          ref: ${{ inputs.ref }}
 
       - name: Create kind cluster
         uses: helm/kind-action@v1.8.0
@@ -129,9 +126,6 @@ jobs:
                 auth:
                   project_id: ${{ secrets.PROJECT_ID }}
                 verify: false
-            registryMirrors:
-              docker.io:
-                - ${{ secrets.DOCKER_HUB_MIRROR_URL }}
             clusterNetworking:
               externalNetworkId: ${{ secrets.EXTERNAL_NETWORK_ID }}
               internalNetwork:
@@ -187,7 +181,7 @@ jobs:
       - name: Checkout current
         uses: actions/checkout@v3
         with:
-          ref: ${{ inputs.ref-under-test }}
+          ref: ${{ inputs.ref }}
           path: current
 
       - name: Get latest tag
@@ -217,9 +211,6 @@ jobs:
                 auth:
                   project_id: ${{ secrets.PROJECT_ID }}
                 verify: false
-            registryMirrors:
-              docker.io:
-                - ${{ secrets.DOCKER_HUB_MIRROR_URL }}
             clusterNetworking:
               externalNetworkId: ${{ secrets.EXTERNAL_NETWORK_ID }}
               internalNetwork:

charts/openstack-cluster/values.yaml

@@ -71,18 +71,25 @@ clusterNetworking:
     nodeCidr: 192.168.3.0/24
 
 # Settings for registry mirrors
-registryMirrors: {}
+# When a mirror is set, it will be tried for images but will fall back to the
+# upstream registry if the image pull fails
+# By default, use images mirrored to the StackHPC GitHub packages when possible
+registryMirrors:
   # docker.io:
   #   upstream: https://registry-1.docker.io
   #   mirrors:
   #     - url: https://registry.my.domain/v2/dockerhub-public
   #       capabilities: ["pull", "resolve"]
-
-# Settings for node-level registry auth
-registryAuth: {}
-  # registry-1.docker.io:
-  #   username: "<username>"
-  #   password: "<password>"
+  docker.io:
+    - https://ghcr.io/v2/stackhpc/docker.io
+  ghcr.io:
+    - https://ghcr.io/v2/stackhpc/ghcr.io
+  nvcr.io:
+    - https://ghcr.io/v2/stackhpc/nvcr.io
+  quay.io:
+    - https://ghcr.io/v2/stackhpc/quay.io
+  registry.k8s.io:
+    - https://ghcr.io/v2/stackhpc/registry.k8s.io
 
 # A map of trusted CAs to add to the system trust on cluster nodes
 trustedCAs: {}
@@ -119,7 +126,6 @@ apiServer:
   # The port to use for the API server
   port: 6443
 
-
 # Set osDistro used. ubuntu, flatcar, etc.
 osDistro: ubuntu
 #