Merge pull request #2426 from minrk/ovh-no-chart

ovh2 doesn't actually need chart in registry

Author: minrk

.github/workflows/cd.yml

@@ -237,8 +237,6 @@ jobs:
           - federation_member: ovh2
             binder_url: https://ovh2.mybinder.org
             hub_url: https://hub.ovh2.mybinder.org
-            # image-prefix should match ovh registry config in secrets/config/ovh.yaml
-            chartpress_args: "--push --image-prefix=2lmrrh8f.gra7.container-registry.ovh.net/mybinder-chart/mybinder-"
             helm_version: ""
             experimental: false
 
@@ -304,15 +302,6 @@ jobs:
           username: ${{ secrets.DOCKER_USERNAME_OVH }}
           password: ${{ secrets.DOCKER_PASSWORD_OVH }}
 
-      - name: "Stage 3: Login to Docker registry (OVH2)"
-        if: matrix.federation_member == 'ovh2'
-        uses: azure/docker-login@v1
-        with:
-          login-server: 2lmrrh8f.gra7.container-registry.ovh.net
-          username: ${{ secrets.DOCKER_USERNAME_OVH2 }}
-          # terraform output registry_chartpress_token
-          password: ${{ secrets.DOCKER_PASSWORD_OVH2 }}
-
       - name: "Stage 3: Run chartpress to update values.yaml"
         run: |
           chartpress ${{ matrix.chartpress_args || '--skip-build' }}

terraform/ovh/main.tf

@@ -168,39 +168,12 @@ provider "harbor" {
   password = ovh_cloud_project_containerregistry_user.admin.password
 }
 
-# chart images go in mybinder-chart
-resource "harbor_project" "mybinder-chart" {
-  name = "mybinder-chart"
-  # chart images need to be public
-  # because we can't have two pull secrets for one registry,
-  # and harbor < 2.2 can't grant read-only access to more than one project
-  # on the same registry
-  public = true
-}
-
 # user builds go in mybinder-builds
 # these are separate for easier separation of retention policies
 resource "harbor_project" "mybinder-builds" {
   name = "mybinder-builds"
 }
 
-
-# TODO: robot accounts change with harbor 2.2 / harbor-provider 3.0
-# in particular, we can drop the two separate pullers
-resource "harbor_robot_account" "chartpress" {
-  name        = "chartpress"
-  description = "mybinder chartpress: access to push new chart images"
-  project_id  = harbor_project.mybinder-chart.id
-  actions     = ["push", "pull"]
-}
-
-resource "harbor_robot_account" "chart-puller" {
-  name        = "chart-puller"
-  description = "pull mybinder chart images"
-  project_id  = harbor_project.mybinder-chart.id
-  actions     = ["pull"]
-}
-
 resource "harbor_robot_account" "builder" {
   name        = "builder"
   description = "BinderHub builder: push new user images"
@@ -230,22 +203,6 @@ resource "harbor_robot_account" "user-puller" {
 #     n_days_since_last_push = 7
 #   }
 # }
-#
-# resource "harbor_retention_policy" "chart" {
-#   scope    = harbor_project.mybinder-chart.id
-#   schedule = "weekly"
-#   # keep the most recent 5 versions
-#   # (by both push and pull, which should usually be the same)
-#   rule {
-#     most_recently_pulled = 5
-#   }
-#   rule {
-#     most_recently_pushed = 5
-#   }
-#   rule {
-#     n_days_since_last_push = 7
-#   }
-# }
 
 resource "harbor_garbage_collection" "gc" {
   schedule        = "weekly"
@@ -269,16 +226,6 @@ output "registry_admin_password" {
   sensitive = true
 }
 
-output "registry_chartpress_token" {
-  value     = harbor_robot_account.chartpress.token
-  sensitive = true
-}
-
-output "registry_chart_puller_token" {
-  value     = harbor_robot_account.chart-puller.token
-  sensitive = true
-}
-
 output "registry_builder_token" {
   value     = harbor_robot_account.builder.token
   sensitive = true