zuul-jobs/roles/build-container-image/tasks/setup-buildx.yaml
Mohammed Naser bdae8c9433 Add other nodes to buildx builder
If you need to run native arm64 builds, you can take advantage
of this change which will rely on the remote builders in order
to build things natively giving a significant speed up in
container build time.

Change-Id: I962bb2357a2c458d5e72b334b4fe36b55b034864
2024-09-30 18:58:21 -04:00


# Runs the qemu-user-static helper image on x86_64 nodes only, so that
# foreign-architecture binaries can be emulated during image builds.
# NOTE(review): the image is referenced without a tag or digest and is
# started with --privileged, so whatever the registry currently serves
# under this name runs with full access to the node. Pin it to a reviewed
# digest (or a mirrored copy) where the deployment allows.
- name: Update qemu-static container settings
  when: ansible_architecture == 'x86_64'
  command: >-
    docker run --rm --privileged
    multiarch/qemu-user-static --reset -p yes
# The first host in the play owns the buildx builder ("mybuilder"); every
# other host is attached to it as an extra node reached over SSH.
# Node names are the inventory hostname with '-' replaced by '_'.
# --driver-opt network=host puts the buildkit container on the node's own
# network namespace rather than an isolated bridge.
- name: Create builder
  when: inventory_hostname == ansible_play_hosts[0]
  command: >-
    docker buildx create --name mybuilder
    --node {{ inventory_hostname | replace('-', '_') }}
    --driver-opt network=host{% if buildset_registry is defined %}
    --config /etc/buildkit/buildkitd.toml {% endif %}

# Runs on the first host (delegate_to) once per additional node.
# NOTE(review): ssh-keyscan records whatever host key the address presents
# at scan time; nothing compares it with a known fingerprint, so this does
# not authenticate the remote builder. If the node provider publishes host
# keys, write those to known_hosts instead. The redirect also appends a new
# entry on every run.
- name: Add host key to known_hosts
  when: inventory_hostname != ansible_play_hosts[0]
  delegate_to: "{{ ansible_play_hosts[0] }}"
  shell: "ssh-keyscan -H {{ ansible_host }} >> ~/.ssh/known_hosts"

# Attaches each remaining node to the builder through an ssh:// endpoint,
# again executed on the first host.
- name: Append builders from other nodes
  when: inventory_hostname != ansible_play_hosts[0]
  delegate_to: "{{ ansible_play_hosts[0] }}"
  command: >-
    docker buildx create --append --name mybuilder
    --node {{ inventory_hostname | replace('-', '_') }}
    --driver-opt network=host{% if buildset_registry is defined %}
    --config /etc/buildkit/buildkitd.toml {% endif %}
    ssh://{{ ansible_user }}@{{ ansible_host }}

- name: Use builder
  when: inventory_hostname == ansible_play_hosts[0]
  command: docker buildx use mybuilder

# --bootstrap starts the builder before the container-level tasks that
# follow, which address the buildx_buildkit_<node> containers by name.
- name: Bootstrap builder
  when: inventory_hostname == ansible_play_hosts[0]
  command: docker buildx inspect --bootstrap
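# Installs the buildset registry's TLS certificate into the buildkit worker
# container for this node. The certificate is staged in a tempfile on the
# node, copied into the container, and the container's CA bundle is rebuilt.
- name: Make tempfile for registry TLS certificate
  tempfile:
    state: file
  register: buildkit_cert_tmp

- name: Write buildset registry TLS certificate
  become: true
  copy:
    content: "{{ buildset_registry.cert }}"
    dest: "{{ buildkit_cert_tmp.path }}"
    mode: preserve
  when: buildset_registry is defined and buildset_registry.cert

# NOTE(review): once update-ca-certificates has run, the worker container
# accepts this certificate as a trust root for its TLS connections in
# general, not only for the buildset registry. Confirm that
# buildset_registry.cert can only be set by a trusted part of the job.
- name: Copy buildset registry TLS cert into worker container
  command: "docker cp {{ buildkit_cert_tmp.path }} buildx_buildkit_{{ inventory_hostname | replace('-', '_') }}:/usr/local/share/ca-certificates"
  when: buildset_registry is defined and buildset_registry.cert

- name: Update CA certs in worker container
  command: "docker exec buildx_buildkit_{{ inventory_hostname | replace('-', '_') }} update-ca-certificates"
  when: buildset_registry is defined and buildset_registry.cert

# The tempfile above is created unconditionally, so it is removed
# unconditionally as well. Guarding the cleanup with the registry condition
# left the file behind whenever no certificate was configured.
- name: Remove TLS cert tempfile
  file:
    state: absent
    path: '{{ buildkit_cert_tmp.path }}'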
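# Rewrites /etc/hosts inside the buildkit worker container so that the name
# zuul-jobs.buildset-registry resolves to the buildset registry address.
# The file is copied out, edited on the node, and copied back in.
- name: Make tempfile for /etc/hosts
  tempfile:
    state: file
  register: etc_hosts_tmp

- name: Copy /etc/hosts for editing
  command: "docker cp buildx_buildkit_{{ inventory_hostname | replace('-', '_') }}:/etc/hosts {{ etc_hosts_tmp.path }}"

# Docker buildx has its own /etc/hosts in the builder image.
# The host value is passed through regex_escape so that the dots of an IPv4
# address match literally instead of matching any character.
# NOTE(review): on newer Ansible the bare `ipaddr` filter comes from a
# collection rather than core; confirm it resolves on the supported versions.
- name: Configure /etc/hosts for buildset_registry to workaround docker not understanding ipv6 addresses
  become: true
  lineinfile:
    path: '{{ etc_hosts_tmp.path }}'
    state: present
    regex: "^{{ buildset_registry.host | regex_escape }}\tzuul-jobs.buildset-registry$"
    line: "{{ buildset_registry.host }}\tzuul-jobs.buildset-registry"
    insertafter: EOF
  when: buildset_registry is defined and buildset_registry.host | ipaddr

- name: Unmount the /etc/hosts mount
  command: "docker exec buildx_buildkit_{{ inventory_hostname | replace('-', '_') }} umount /etc/hosts"

# NOTE(mordred) This is done in two steps. Even though we've unmounted /etc/hosts
# in the previous step, when we try to copy the file back directly, we get:
#   unlinkat /etc/hosts: device or resource busy
- name: Copy modified hosts file back in
  command: "docker cp {{ etc_hosts_tmp.path }} buildx_buildkit_{{ inventory_hostname | replace('-', '_') }}:/etc/new-hosts"

- name: Copy modified hosts file into place
  command: "docker exec buildx_buildkit_{{ inventory_hostname | replace('-', '_') }} cp /etc/new-hosts /etc/hosts"

# Created unconditionally above, so removed unconditionally here.
- name: Remove tempfile for /etc/hosts
  file:
    state: absent
    path: '{{ etc_hosts_tmp.path }}'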