Merge remote-tracking branch 'origin/feat/gitlab-runner'

11221daa · Sheogorath · ea68932d · 9f22d6db · 11221daa · 11221daa
Verified Commit 11221daa authored 2 years ago by Sheogorath
--- a/apps/base/gitlab-runner/kustomization.yaml
+++ b/apps/base/gitlab-runner/kustomization.yaml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: gitlab-runner
+resources:
+  - namespace.yaml
+  - repository.yaml
+  - release.yaml
+  - ../../../shared/networkpolicies/allow-from-same-namespace.yaml
+  - ../../../shared/networkpolicies/allow-from-monitoring.yaml
+patchesStrategicMerge:
+  - networkpolicy.yaml
--- a/apps/base/gitlab-runner/namespace.yaml
+++ b/apps/base/gitlab-runner/namespace.yaml
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: gitlab-runner
+  labels:
+    name: gitlab-runner
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: gitlab-runner-reconciler
+  namespace: gitlab-runner
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: gitlab-runner-reconciler
+  namespace: gitlab-runner
+rules:
+  - apiGroups: ["*"]
+    resources: ["*"]
+    verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: gitlab-runner-reconciler
+  namespace: gitlab-runner
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: gitlab-runner-reconciler
+subjects:
+  - kind: ServiceAccount
+    name: gitlab-runner-reconciler
+    namespace: gitlab-runner
--- a/apps/base/gitlab-runner/networkpolicy.yaml
+++ b/apps/base/gitlab-runner/networkpolicy.yaml
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-from-monitoring
+spec:
+  podSelector:
+    matchLabels:
+      chart: gitlab-runner
--- a/apps/base/gitlab-runner/release.yaml
+++ b/apps/base/gitlab-runner/release.yaml
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: gitlab-runner
+  namespace: gitlab-runner
+spec:
+  serviceAccountName: gitlab-runner-reconciler
+  timeout: 15m
+  releaseName: gitlab-runner
+  chart:
+    spec:
+      chart: gitlab-runner
+      sourceRef:
+        kind: HelmRepository
+        name: gitlab-runner
+        namespace: gitlab-runner
+      version: 0.45.0
+  interval: 5m
+  install:
+    remediation:
+      retries: -1
+  upgrade:
+    remediation:
+      retries: -1
+  valuesFrom:
+    - kind: ConfigMap
+      name: gitlab-runner-base-values
+      valuesKey: values.yaml
+    - kind: Secret
+      name: gitlab-runner-override-values
+      valuesKey: values-overrides.yaml
+      optional: true
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: gitlab-runner-base-values
+  namespace: gitlab-runner
+data:
+  values.yaml: |
+    rbac:
+      create: true
+      rules:
+        - resources:
+            - configmaps
+            - pods
+            - pods/attach
+            - secrets
+            - services
+          verbs:
+            - get
+            - list
+            - watch
+            - create
+            - patch
+            - update
+            - delete
+        - apiGroups:
+            - ""
+          resources:
+            - pods/exec
+          verbs:
+            - create
+            - patch
+            - delete
+    metrics:
+      enabled: true
+      serviceMonitor:
+        enabled: true
+    service:
+      enabled: true
+    unregisterRunners: true
+    resources:
+      requests:
+        memory: 128Mi
+        cpu: 100m
+      limits:
+        memory: 256Mi
+        cpu: 200m
--- a/apps/base/gitlab-runner/repository.yaml
+++ b/apps/base/gitlab-runner/repository.yaml
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: HelmRepository
+metadata:
+  name: gitlab-runner
+  namespace: gitlab-runner
+spec:
+  interval: 30m
+  url: https://charts.gitlab.io/
--- a/apps/k8s01/gitlab-runner/gitlab-runner-values.yaml
+++ b/apps/k8s01/gitlab-runner/gitlab-runner-values.yaml
+apiVersion: v1
+kind: Secret
+metadata:
+    name: gitlab-runner-override-values
+    namespace: gitlab-runner
+type: Opaque
+stringData:
+    values-overrides.yaml: ENC[AES256_GCM,data:bWZxurNQJ1Vd67CNjiQD6ucukgq2Xd1w/tPkIXX24t5YvWLhO+I6/8SjMQkd59LbUdX8PAtoBpz/GGcNPXPCcRdKTmrLydtUOJEq3tbgaHax+wFPzaLjPQeNEPyP3+qxdYYYkHV9sU8hEU8MgwG7lMqphQ8WRZHvU1UZ2l0bE87a81aagBIdKj9Z3VxCUG3m/Vd74oV8aFHzMvWpgipyx6EjMWhY4d27jTgdyTZFXf5TMFtR/vS/HU4DNw1OAJ9jJ6hxd0fv0q+4PuIgLp6Gpu0E6l/idqE3o9Q0plzWmfE9OJz//dB5e2PklGAiFE88jsx4gqXKgkH+P9aNk2bydi6dJosSLANsFmC5mKEiVOOVL64WmS1iWGpuFFM+mWCUcsX3QHpzPhtBR2bXmYTK+eCjKF1lXbtA88ffqJCZW81Eo/VlHQEaOagiXgRulkIilAAWegO8Aq8IBLyrOQ+8XEaTYgxBZdH7Yd9zrMaBLIzCVOZi5eBu040bG+TuTjzj1UhwWUoWAfwi96ghYWnIQPzXLEWlWB0XIc9PD5Gei0vmO4KZeWEGoQ0LItQb/Qc1xD+BA4cBAZsVdMQs3kezlj7NlfrCMG7i5MpHsgjNq8/u49PreSBg4E/1qMvjiuQgDBOnzxnXBJvawG12LlrLNKRfBgwj0Jg6E4cyZmZ/TPPwCvNjPNbr7Mid9F5e8rDCQIXHzOahCOpgeiBz3ig6EQ2w0SMrOnESJic9xOHfdPJfiS/LDOdtgu5qKRhAU8cs6gZw1+fGbBGI1geDzelz7uXrJmCPu6BUyFc+PmtPlErs0OCQxPhZfPO8lr3EslBAS4sU6G6bFoQszfv26FqdrgoQeyTiFpm2yFlNejRaAtUbCXC2HplJaS7azv6WiwPudSpZ+iNQVGqUJUCe6lJzjo8hZ33FVHZGRLQwOqNMNHZgQAMNZNLfIOD4cms53YhtHSGrAE1zfiyyBIgwDL16fIcwdwPkIlw596kcEmpkqd5/cDwcu/LfcqwLLul0XuKfxe/2BPlTq5ys0mERr3ltKNPSSk/WTT0cj6WjvpqLTWKVKzan4B+pGVYML4uz0Eadp31ntWqn+HJSRmS2MsXq9bPl2IJDdqmywZlJD6VwykWFyFA70T4xNwfcRsADWoFXS/7S1zR6QZbDSkXZb5pk+yPnULWwVNDU0IcW/K/55IdR2QzlE8W5cXRJfGnGWqSF9yLTCl/GhJ0Dg0/HZwayxRr4PhN8Gd1Z2xKYyJIy/LjpMnOoxKsWRvxNjvvFBWqH0CZmNGcoSvIOsgjWp4K1odth2Ek/zOWlUxX1PCK2+eEjW+pv31mLLlWjG1sduZgylS6G0qj8jhJgb8T8YAm5+nrxbF/EJkSxxa2jfWH5peE05irK2hErhqx4h29+oPdgpi1QWPoV4WrBfve3Btw6oY9XIi3IAHloG+f2mg9QfxrCnw8dtaEgCCjGx/nMIY+GP5s7gC629c/ZrYEj8mwmzFkUy6AHdxANSaFxUgu+z34Dgvi1yasCeitnzKdCxepm+kiNwiLr0ZKMTFlZhAqYpFRjAupC28yjL88cBlRdOsWCuDXnY6leMqTveelJvw==,iv:YOK/Z5HS9+hzLjtqGFx0ZbHpjMmaxkFXpYKmuUr8vNo=,tag:Vt9Pj+t/8CkFot6oWq5GJQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2022-09-23T23:52:46Z"
+    mac: ENC[AES256_GCM,data:2XUR6CKywoq0f3m+APd4pNvaUaFiVq5X8XAwyWDl+rGWio4C6EQXxyY7W+Sr5lZP1q3wK4/jXv5FiHVlvRjTUD9et8iXeDU+qzF84rJt1b2go7+ocUhRZCkeJEqGkTX7snCBz/oDvb9ddFB6qKV23niGb2ovA+N/xXA1DBbWHxE=,iv:s93B2Dd0ANzHsWGV9lXdlORzMJeCo1gAIWyd+ZaU37I=,tag:GmLjFKKhfWfF25ukV+Mspg==,type:str]
+    pgp:
+        - created_at: "2022-03-22T22:26:35Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+            wcFMA7kpg2bgzVHcARAApcdDAfEgx93xGtkm4f7xTuRhvUyl8lw85rIHbWcAveYU
+            ayU88OLaoQyeZDZkOXbtxMHpry8GbId6vPAJ7KflT2eMP0A4uQGSSCQO6+5QcaYg
+            sbO/zT4vdprN7icLbvmmoK2Dh+hOo5Z7/7YGmdJfaaATzT2BGL/cVS1bonI83vXR
+            lzlW/DglIe7oNEKGVT5vWR5uGvq/dJwSRe/34eutEnJuV30imxHOcpxy3uXJFFXJ
+            3eKTk8dNLz3UE3IeUjbFdPFZYU+grOAOOCZRK0IOYFn+SF7E3dewgiwEdaXzz3gK
+            /6aEMEmf5vyVqn9jOaqZhKRqE7tW5HnhwIIlxcMPhkLVZvYf4F2EDA5f12C2hdp0
+            s7fFhU7v5GgFaHMJuaWVPxDnWTrNIst9bgeJv/N4RVfrLifrZJcqa9lE8ou0iCr5
+            dLi9d6UjsgWAREIViz+Uz7dJQ9QeJ6PGYgg/xgf0ihJFG7sx+TBG58DKb3G3tyUV
+            8hfK8Ou9m+zYnd13mJ2mV3rY0rmXusT+NcqTG2G4bBG5NimGpJS3rO7tAjjp/8sN
+            hMM46ay0vVTUXx1FwmjUFDG1e4sc7fKxTaCBizMjeUfZpAOiy/10YQmrFHBsftpo
+            K5j0nFMoG9NeO+2ffEmLhRtxvMe3WpINk7du3F624rYIGCB0aNUP69FCeJKuUQHS
+            5gH5AwnxOAtQakDksfLxJhUG1NlaS0iAFkZkTTibvOJwsY9L/scDDQlseb5zBKaZ
+            sOPwmn6hL4KavxF9BPG33ILkZKbkcvlaTlAMMY3iBs+MZeIB4+i/AA==
+            =SQqg
+            -----END PGP MESSAGE-----
+          fp: 286791FB6648539775DB31B8FCB98C2A3EC6F601
+        - created_at: "2022-03-22T22:26:35Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+            hQIMA4oYbIHZIrAPAQ//fGGoDT5KfsG/o6r5xhDHSc0IFH6zT2TFIB6TuA5SwHfV
+            8t3IeKD0bE//4f8AxGAVocw+AetolwrQL/Tl+n0UV9P44Jeh5VlCAGltHcowR53o
+            zdjS3+i9K3OOvQFhF+aYrPcnc+aTn9KbptHCam0w+Lr2UkYSAPAZHsBcoMp24mHX
+            6A+5kP1kaRzFzEn4TCNeTt13W1AsJIoSagkBWfYRBkRPk1OzGOuYqX6yeqj7a0kM
+            8uiloTQgWOiBSOyRtxUJi87CTrMXyb0F2E9HMyhgRnzF0YX0ZU0UVG8MNdRL8eFD
+            WYY68OK7DQw3zlJubscYQ2jltxKcq5g9qUCw/sXaNurtohIx9UeaHtfp036EMb22
+            5StgGEnBirUzfSrQGT3kuj20lcMtQAr/d1UsmQNjB36eOZSrx0m80pO8JVYL62/O
+            HLYnAHU52aAPtE7brNEVg4yRLCbWyVY3Z3H9OaTVXwNIMFoMEgkHHnNlsb+1ZnhV
+            cStKMO3H6W8eXQi3VGIVNhuC1ltsxHQL1I22Kr41JEnuaB9Jy5bsEbrO4XGyDdte
+            hMI8Gx+0KZAMlKuZKLS6sMa4oVnQTy8w20PtVrrS0zDrQRPpxBrOgzjrNeMj9FpS
+            q/efiCAOBc8eVd8N/7j66UItwrysfmIfsHWfoPotS7F6WmUHeAyoWjfcvTZyd4bU
+            ZgEJAhAtdCnHNvUSl5O9XZuSu51pRwj+O72kZXRSJWv7GTT9dsRfuM5Dy9A/tuVI
+            BuZraI4JyAWb2KbkM6onp3Rh9IcLuzqEYm/ETktxTtO1HlcVPJ2NMcFgTCzaIGX9
+            +rtkG7tPbA==
+            =tvBa
+            -----END PGP MESSAGE-----
+          fp: B137EE1549DFAF960DD1E2B15147025FB9F09E07
+    encrypted_regex: ^(data|stringData|email|dnsZones?|dnsNames?|hosts?|tang|externalURL|.*-secret|.*-url|.*Secrets?|.*-domain|password|subjects|node|apiURL|.*(S|s)erverNames?|.*SecretKey)$
+    version: 3.7.1
+---
+apiVersion: v1
+kind: Secret
+metadata:
+    name: gitlab-runner-cache-access
+    namespace: gitlab-runner
+type: Opaque
+stringData:
+    accesskey: ENC[AES256_GCM,data:fYhPmeKYvn1dV8ct0IgDJhdG3A==,iv:enM9VEsc7DtcA/7u3zDjCafhvML2kNTKCL300/TLAP0=,tag:qa1yFwdmp9m9AhWAYQ3UNw==,type:str]
+    secretkey: ENC[AES256_GCM,data:1S3Lxznx5U7NjZg4Ptb6gNgHTPJBplnF3osCSx5DqQ3xSToFxgpTTA==,iv:NsYKWJt5zwIQqYLGKW7u4peubw0XxB61ozqkm7LyFbg=,tag:w1Tby5venIviBBGoW4LbQw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2022-09-23T23:52:46Z"
+    mac: ENC[AES256_GCM,data:2XUR6CKywoq0f3m+APd4pNvaUaFiVq5X8XAwyWDl+rGWio4C6EQXxyY7W+Sr5lZP1q3wK4/jXv5FiHVlvRjTUD9et8iXeDU+qzF84rJt1b2go7+ocUhRZCkeJEqGkTX7snCBz/oDvb9ddFB6qKV23niGb2ovA+N/xXA1DBbWHxE=,iv:s93B2Dd0ANzHsWGV9lXdlORzMJeCo1gAIWyd+ZaU37I=,tag:GmLjFKKhfWfF25ukV+Mspg==,type:str]
+    pgp:
+        - created_at: "2022-03-22T22:26:35Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+            wcFMA7kpg2bgzVHcARAApcdDAfEgx93xGtkm4f7xTuRhvUyl8lw85rIHbWcAveYU
+            ayU88OLaoQyeZDZkOXbtxMHpry8GbId6vPAJ7KflT2eMP0A4uQGSSCQO6+5QcaYg
+            sbO/zT4vdprN7icLbvmmoK2Dh+hOo5Z7/7YGmdJfaaATzT2BGL/cVS1bonI83vXR
+            lzlW/DglIe7oNEKGVT5vWR5uGvq/dJwSRe/34eutEnJuV30imxHOcpxy3uXJFFXJ
+            3eKTk8dNLz3UE3IeUjbFdPFZYU+grOAOOCZRK0IOYFn+SF7E3dewgiwEdaXzz3gK
+            /6aEMEmf5vyVqn9jOaqZhKRqE7tW5HnhwIIlxcMPhkLVZvYf4F2EDA5f12C2hdp0
+            s7fFhU7v5GgFaHMJuaWVPxDnWTrNIst9bgeJv/N4RVfrLifrZJcqa9lE8ou0iCr5
+            dLi9d6UjsgWAREIViz+Uz7dJQ9QeJ6PGYgg/xgf0ihJFG7sx+TBG58DKb3G3tyUV
+            8hfK8Ou9m+zYnd13mJ2mV3rY0rmXusT+NcqTG2G4bBG5NimGpJS3rO7tAjjp/8sN
+            hMM46ay0vVTUXx1FwmjUFDG1e4sc7fKxTaCBizMjeUfZpAOiy/10YQmrFHBsftpo
+            K5j0nFMoG9NeO+2ffEmLhRtxvMe3WpINk7du3F624rYIGCB0aNUP69FCeJKuUQHS
+            5gH5AwnxOAtQakDksfLxJhUG1NlaS0iAFkZkTTibvOJwsY9L/scDDQlseb5zBKaZ
+            sOPwmn6hL4KavxF9BPG33ILkZKbkcvlaTlAMMY3iBs+MZeIB4+i/AA==
+            =SQqg
+            -----END PGP MESSAGE-----
+          fp: 286791FB6648539775DB31B8FCB98C2A3EC6F601
+        - created_at: "2022-03-22T22:26:35Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+            hQIMA4oYbIHZIrAPAQ//fGGoDT5KfsG/o6r5xhDHSc0IFH6zT2TFIB6TuA5SwHfV
+            8t3IeKD0bE//4f8AxGAVocw+AetolwrQL/Tl+n0UV9P44Jeh5VlCAGltHcowR53o
+            zdjS3+i9K3OOvQFhF+aYrPcnc+aTn9KbptHCam0w+Lr2UkYSAPAZHsBcoMp24mHX
+            6A+5kP1kaRzFzEn4TCNeTt13W1AsJIoSagkBWfYRBkRPk1OzGOuYqX6yeqj7a0kM
+            8uiloTQgWOiBSOyRtxUJi87CTrMXyb0F2E9HMyhgRnzF0YX0ZU0UVG8MNdRL8eFD
+            WYY68OK7DQw3zlJubscYQ2jltxKcq5g9qUCw/sXaNurtohIx9UeaHtfp036EMb22
+            5StgGEnBirUzfSrQGT3kuj20lcMtQAr/d1UsmQNjB36eOZSrx0m80pO8JVYL62/O
+            HLYnAHU52aAPtE7brNEVg4yRLCbWyVY3Z3H9OaTVXwNIMFoMEgkHHnNlsb+1ZnhV
+            cStKMO3H6W8eXQi3VGIVNhuC1ltsxHQL1I22Kr41JEnuaB9Jy5bsEbrO4XGyDdte
+            hMI8Gx+0KZAMlKuZKLS6sMa4oVnQTy8w20PtVrrS0zDrQRPpxBrOgzjrNeMj9FpS
+            q/efiCAOBc8eVd8N/7j66UItwrysfmIfsHWfoPotS7F6WmUHeAyoWjfcvTZyd4bU
+            ZgEJAhAtdCnHNvUSl5O9XZuSu51pRwj+O72kZXRSJWv7GTT9dsRfuM5Dy9A/tuVI
+            BuZraI4JyAWb2KbkM6onp3Rh9IcLuzqEYm/ETktxTtO1HlcVPJ2NMcFgTCzaIGX9
+            +rtkG7tPbA==
+            =tvBa
+            -----END PGP MESSAGE-----
+          fp: B137EE1549DFAF960DD1E2B15147025FB9F09E07
+    encrypted_regex: ^(data|stringData|email|dnsZones?|dnsNames?|hosts?|tang|externalURL|.*-secret|.*-url|.*Secrets?|.*-domain|password|subjects|node|apiURL|.*(S|s)erverNames?|.*SecretKey)$
+    version: 3.7.1
--- a/apps/k8s01/gitlab-runner/kustomization.yaml
+++ b/apps/k8s01/gitlab-runner/kustomization.yaml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: gitlab-runner
+resources:
+  - ../../base/gitlab-runner
+  - gitlab-runner-values.yaml
+  - resourcequota.yaml
--- a/apps/k8s01/gitlab-runner/resourcequota.yaml
+++ b/apps/k8s01/gitlab-runner/resourcequota.yaml
+apiVersion: v1
+kind: ResourceQuota
+metadata:
+  name: build-namespace
+spec:
+  hard:
+    requests.cpu: "3"
+    requests.memory: 16Gi
+    limits.cpu: "12"
+    limits.memory: 24Gi
--- a/images/.utils/gitlab-ci.yaml
+++ b/images/.utils/gitlab-ci.yaml
@@ -7,53 +7,48 @@
          - koolbox
          - synadm
+container-build-release:
-container-build:
  stage: build
-  image: quay.io/sheogorath/build-ah-engine:2.1.2
  extends: .container-matrix
-  before_script:
+  image:
-    - podman login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
+    name: gcr.io/kaniko-project/executor:v1.9.0-debug
+    entrypoint: [""]
  script:
-    - |
+    -  export $(cat "${CI_PROJECT_DIR}/images/.release")
-      cd images/${IMAGE}
+    - /kaniko/executor
-      source .release
+      --context "${CI_PROJECT_DIR}/images/${IMAGE}"
-      podman build --pull \
+      --dockerfile "${CI_PROJECT_DIR}/images/${IMAGE}/Dockerfile"
-      --label "org.opencontainers.image.source=$CI_PROJECT_URL/-/tree/$CI_COMMIT_SHA/images/${IMAGE}" \
+      --label "org.opencontainers.image.source=$CI_PROJECT_URL/-/tree/$CI_COMMIT_SHA/images/${IMAGE}"
-      --label "org.opencontainers.image.revision=$CI_COMMIT_SHA" \
+      --label "org.opencontainers.image.revision=$CI_COMMIT_SHA"
-      --label "org.opencontainers.image.created=$(date --rfc-3339 ns)" \
+      --label "org.opencontainers.image.title=${IMAGE}"
-      --label "org.opencontainers.image.title=${IMAGE}" \
+      --reproducible
-      -t "quay.io/shivering-isles/${IMAGE}:${release}" \
+      --destination "quay.io/shivering-isles/${IMAGE}:${release}"
-      --format docker \
-      .
-    - podman push "quay.io/shivering-isles/${IMAGE}:${release}"
  rules:
    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_PIPELINE_SOURCE == "push"'
      changes:
        - images/${IMAGE}/.release
 container-build-dev:
  stage: build
-  image: quay.io/sheogorath/build-ah-engine:2.1.2
  extends: .container-matrix
-  before_script:
+  image:
-    - podman login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
+    name: gcr.io/kaniko-project/executor:v1.9.0-debug
+    entrypoint: [""]
  script:
-    - |
+    - /kaniko/executor
-      cd images/${IMAGE}
+      --context "${CI_PROJECT_DIR}/images/${IMAGE}"
-      podman build --pull \
+      --dockerfile "${CI_PROJECT_DIR}/images/${IMAGE}/Dockerfile"
-      --label "org.opencontainers.image.source=$CI_PROJECT_URL/-/tree/$CI_COMMIT_SHA/images/${IMAGE}" \
+      --label "org.opencontainers.image.source=$CI_PROJECT_URL/-/tree/$CI_COMMIT_SHA/images/${IMAGE}"
-      --label "org.opencontainers.image.revision=$CI_COMMIT_SHA" \
+      --label "org.opencontainers.image.revision=$CI_COMMIT_SHA"
-      --label "org.opencontainers.image.created=$(date --rfc-3339 ns)" \
+      --label "org.opencontainers.image.title=${IMAGE}"
-      --label "org.opencontainers.image.title=${IMAGE}" \
+      --label "quay.expires-after=12w"
-      --label "quay.expires-after=12w" \
+      --reproducible
-      -t "quay.io/shivering-isles/${IMAGE}:${CI_COMMIT_REF_SLUG}-${CI_COMMIT_SHORT_SHA}" \
+      --destination "quay.io/shivering-isles/${IMAGE}:${CI_COMMIT_REF_SLUG}-${CI_COMMIT_SHORT_SHA}"
-      --format docker \
+      --destination "quay.io/shivering-isles/${IMAGE}:${CI_COMMIT_REF_SLUG}"
-      .
-    - podman push "quay.io/shivering-isles/${IMAGE}:${CI_COMMIT_REF_SLUG}-${CI_COMMIT_SHORT_SHA}"
-    - podman push "quay.io/shivering-isles/${IMAGE}:${CI_COMMIT_REF_SLUG}-${CI_COMMIT_SHORT_SHA}" "quay.io/shivering-isles/${IMAGE}:${CI_COMMIT_REF_SLUG}"
  rules:
    - if: '$CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH && $CI_PIPELINE_SOURCE == "push"'
      changes:
        - images/${IMAGE}/*
        - images/.utils/*