Add podman CI test.yml scenario (requires registry)

Author: manics

.github/workflows/test.yml

@@ -55,6 +55,8 @@ jobs:
           - main
           - auth
           - helm
+        test-variation:
+          - ""
         include:
           # Chart.yaml contains the chart's oldest supported k8s version, we
           # test against that and the oldest known supported helm cli version
@@ -70,19 +72,49 @@ jobs:
             # upgrade-from represents a release channel, see: https://jupyterhub.github.io/helm-chart/info.json
             upgrade-from: dev
             upgrade-from-extra-args: ""
+          - k3s-channel: v1.25
+            test: helm
+            test-variation: podman
+            local-chart-extra-args: >-
+              --values testing/k8s-binder-k8s-hub/binderhub-chart+podman.yaml
+              --set config.BinderHub.image_prefix=$REGISTRY_HOST/test/
+              --set registry.url=http://$REGISTRY_HOST
+
+    services:
+      registry:
+        image: docker.io/library/registry:latest
+        ports:
+          - 5000:5000
+
     steps:
       - uses: actions/checkout@v3
         with:
           # chartpress requires the full history
           fetch-depth: 0
 
+      - name: Set registry host
+        if: matrix.test-variation == 'podman'
+        run: |
+          REGISTRY_HOST=$(hostname -I | awk '{print $1}'):5000
+          echo REGISTRY_HOST="$REGISTRY_HOST" >> $GITHUB_ENV
+
+          # Allow k3s to pull from private registry
+          # https://docs.k3s.io/installation/private-registry
+          sudo mkdir -p /etc/rancher/k3s/
+          cat << EOF | sudo tee /etc/rancher/k3s/registries.yaml
+          mirrors:
+            "$REGISTRY_HOST":
+              endpoint:
+                - "http://$REGISTRY_HOST"
+          EOF
+
       - uses: jupyterhub/action-k3s-helm@v3
         with:
           k3s-channel: ${{ matrix.k3s-channel }}
           helm-version: ${{ matrix.helm-version }}
           metrics-enabled: false
           traefik-enabled: false
-          docker-enabled: true
+          docker-enabled: ${{ matrix.test-variation != 'podman' }}
 
       - name: Setup OS level dependencies
         run: |
@@ -145,9 +177,17 @@ jobs:
         run: |
           export DOCKER_BUILDKIT=1
 
+          CHARTPRESS_ARGS=
+          if [ "${{ matrix.test-variation }}" = "podman" ]; then
+            CHARTPRESS_ARGS="--image-prefix localhost:5000/binderhub- --push"
+
+            # Allow the pink pod to push to the non-https GitHub workflow registry
+            envsubst < testing/k8s-binder-k8s-hub/cm-insecure-registries.yaml | kubectl apply -f -
+          fi
+
           # Use chartpress to create the helm chart and build its images
           helm dependency update ./helm-chart/binderhub
-          (cd helm-chart && chartpress)
+          (cd helm-chart && chartpress $CHARTPRESS_ARGS)
           git --no-pager diff --color=always
 
       - name: Generate values.schema.json from schema.yaml

testing/k8s-binder-k8s-hub/binderhub-chart+podman.yaml

@@ -0,0 +1,20 @@
+# Additional configuration for testing podman
+# You must create configmap/insecure-registries first to allow testing with an
+# insecure http registry
+
+config:
+  BinderHub:
+    use_registry: true
+
+imageBuilderType: pink
+
+pink:
+  daemonset:
+    extraVolumeMounts:
+      - name: insecure-registries
+        mountPath: /etc/containers/registries.conf.d/100-insecure-registries.conf
+        subPath: 100-insecure-registries.conf
+    extraVolumes:
+      - name: insecure-registries
+        configMap:
+          name: insecure-registries

testing/k8s-binder-k8s-hub/cm-insecure-registries.yaml

@@ -0,0 +1,12 @@
+# REGISTRY_HOST='HOST:PORT' envsubst < cm-insecure-registries.yaml | kubectl apply -f -
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: insecure-registries
+data:
+  100-insecure-registries.conf: |
+    # https://www.redhat.com/sysadmin/manage-container-registries
+    unqualified-search-registries = ["docker.io"]
+    [[registry]]
+    location="$REGISTRY_HOST"
+    insecure=true