diff --git a/.gitea/workflows/deploy-verso.yml b/.gitea/workflows/deploy-verso.yml index 03406f1c35..037deb8148 100644 --- a/.gitea/workflows/deploy-verso.yml +++ b/.gitea/workflows/deploy-verso.yml @@ -19,21 +19,6 @@ jobs: run: | kubectl -n ci delete job verso-buildkit --ignore-not-found=true --wait=true - # buildkitd config: mark the in-cluster registry as http (insecure) - # so the second build can resolve/pull the base image we just pushed. - cat <<'EOF' | kubectl apply -f - - apiVersion: v1 - kind: ConfigMap - metadata: - name: verso-buildkitd-config - namespace: ci - data: - buildkitd.toml: | - [registry."registry.git.svc.cluster.local:5000"] - http = true - insecure = true - EOF - cat <<'EOF' | kubectl apply -f - apiVersion: batch/v1 kind: Job @@ -71,10 +56,15 @@ jobs: # the Traefik ingress, whose read timeout was killing the # multi-GB TeX Live layer upload mid-stream. The base # image is pulled back in for the second build, so the - # registry must be marked insecure for both push and pull - # (buildkitd.toml handles the pull/resolve side). + # registry must be marked insecure for both push and pull. + # Write buildkitd.toml inside the container (no extra + # k8s resources needed) so the second build's pull/resolve + # treats the registry as http. REG=registry.git.svc.cluster.local:5000 + mkdir -p /etc/buildkit + printf '[registry."%s"]\n http = true\n insecure = true\n' "$REG" > /etc/buildkit/buildkitd.toml + buildctl-daemonless.sh build \ --frontend=dockerfile.v0 \ --local context=/workspace/repo \ @@ -92,15 +82,10 @@ jobs: volumeMounts: - name: workspace mountPath: /workspace - - name: buildkitd-config - mountPath: /etc/buildkit volumes: - name: workspace emptyDir: {} - - name: buildkitd-config - configMap: - name: verso-buildkitd-config EOF - name: Wait for build
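Review bot: In the second hunk (`@@ -71,10 +56,15 @@`), the added `printf` writes both `http = true` and `insecure = true` for `$REG`, which is broader than the comment's stated need of treating the registry as http. With plain HTTP already selected, `insecure = true` appears to matter only if the registry later moves to HTTPS, where it would disable certificate verification unnoticed; I would drop it: `printf '[registry."%s"]\n http = true\n' "$REG" > /etc/buildkit/buildkitd.toml`. Over plain HTTP the base image pulled back for the second build has no transport integrity, so the comment should record that assumption, e.g. `# NOTE: plain-HTTP registry; the pulled base image is only as trustworthy as the in-cluster network path`. The file is also only honoured if buildkitd reads its config from /etc/buildkit, which as far as I know is not the default location for rootless images; the container image and the rest of the script lie outside the hunk, so please confirm this, and that a failed `mkdir` or `printf` aborts the step instead of building with the default config.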