From 49db1c47eebb7e20b2a80c0f90cc711aba386a83 Mon Sep 17 00:00:00 2001 From: Anton Chaporgin Date: Wed, 24 Jul 2024 17:44:49 +0300 Subject: [PATCH] [neon/azure] impr: push directly into ACR As we observed [^1], messing up with compute image, trying to use an unexistent one, results in cplane schedules too many pods for the pool that cannot pull the image because it does not exist, reaching out to the docker hub too often, which results in our token being rate-limited. So, we need to push the images directly into ACR, instead of using pull-through cache. [^1]: https://neondb.slack.com/archives/C06SJG60FRB/p1721749525396229 --- .github/workflows/build_and_test.yml | 56 ++++++++++++++++++++++++++++ 1 file changed, 56 insertions(+) diff --git a/.github/workflows/build_and_test.yml b/.github/workflows/build_and_test.yml index cb7655e039..61dd92b31b 100644 --- a/.github/workflows/build_and_test.yml +++ b/.github/workflows/build_and_test.yml @@ -783,6 +783,10 @@ jobs: neon-image: needs: [ neon-image-arch, tag ] + permissions: # This is for Azure login to work. + id-token: write + contents: read + environment: dev runs-on: ubuntu-22.04 steps: @@ -808,6 +812,18 @@ jobs: docker buildx imagetools create -t 369495373322.dkr.ecr.eu-central-1.amazonaws.com/neon:${{ needs.tag.outputs.build-tag }} \ neondatabase/neon:${{ needs.tag.outputs.build-tag }} + - name: Azure login + uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a # @v2.1.1 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + + - name: Copy docker images to ACR-dev + run: | + docker buildx imagetools create -t neoneastus2.azurecr.io/neondatabase/neon:${{ needs.tag.outputs.build-tag }} \ + neondatabase/neon:${{ needs.tag.outputs.build-tag }} + compute-node-image-arch: needs: [ check-permissions, build-build-tools-image, tag ] strategy: 
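Review bot: The comment on the new `permissions:` block in `neon-image` (`# This is for Azure login to work.`) does not say that a job-level block sets every unlisted scope to `none`, nor that `id-token: write` lets any step in this job request a GitHub OIDC token. I would reword it to `# id-token: write is needed by azure/login (OIDC); all scopes not listed here become none for this job`. `environment: dev` selects the secrets and, presumably, the subject the Azure federated credential trusts, so it is worth confirming that the `dev` environment restricts which branches may deploy to it. The workflow's triggers are outside this hunk, so I cannot tell which refs reach this job. The same block is added to `compute-node-image` and `promote-images` in later hunks, and the job's steps continue outside the hunk.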
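Review bot: Nothing in the new `Azure login` / `Copy docker images to ACR-dev` pair in `neon-image` gives Docker credentials for `neoneastus2.azurecr.io`. `azure/login` signs the Azure CLI in, while `docker buildx imagetools create` authenticates from Docker's own config. Unless a registry login happens elsewhere in the job (its earlier steps are outside the hunk), the push would be rejected as unauthenticated; a step such as `- name: Login to ACR` with `run: az acr login --name neoneastus2` between the two would cover it. The same gap appears in the ACR steps added to `compute-node-image` and `promote-images`.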
@@ -913,6 +929,10 @@ jobs: rm -rf .docker-custom compute-node-image: + permissions: # This is for Azure login to work. + id-token: write + contents: read + environment: dev needs: [ compute-node-image-arch, tag ] runs-on: ubuntu-22.04 @@ -963,6 +983,24 @@ jobs: docker buildx imagetools create -t 369495373322.dkr.ecr.eu-central-1.amazonaws.com/compute-tools:${{ needs.tag.outputs.build-tag }} \ neondatabase/compute-tools:${{ needs.tag.outputs.build-tag }} + - name: Azure login + uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a # @v2.1.1 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + + - name: Push multi-arch compute-node-${{ matrix.version }} image to ACR + run: | + docker buildx imagetools create -t neoneastus2.azurecr.io/neondatabase/compute-node-${{ matrix.version }}:${{ needs.tag.outputs.build-tag }} \ + neondatabase/compute-node-${{ matrix.version }}:${{ needs.tag.outputs.build-tag }} + + - name: Push multi-arch compute-tools image to ACR + if: matrix.version == 'v16' + run: | + docker buildx imagetools create -t neoneastus2.azurecr.io/neondatabase/compute-tools:${{ needs.tag.outputs.build-tag }} \ + neondatabase/compute-tools:${{ needs.tag.outputs.build-tag }} + vm-compute-node-image: needs: [ check-permissions, tag, compute-node-image ] runs-on: [ self-hosted, gen3, large ] @@ -1085,6 +1123,10 @@ jobs: rm -rf .docker-custom promote-images: + permissions: # This is for Azure login to work. + id-token: write + contents: read + environment: dev needs: [ check-permissions, tag, test-images, vm-compute-node-image ] runs-on: ubuntu-22.04 
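Review bot: The registry host `neoneastus2.azurecr.io` is written out in both new `run:` steps of `compute-node-image` and again in `neon-image` and `promote-images`, while step names in those two jobs call the target "ACR-dev". Keeping the host in one workflow- or job-level `env` entry, for example `ACR_DEV_REGISTRY: neoneastus2.azurecr.io` (the variable name is only a suggestion), and using `${ACR_DEV_REGISTRY}` in the scripts would tie the registry to the `dev` environment in a single reviewable place. The job's `strategy` and earlier steps lie outside this hunk.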
@@ -1111,6 +1153,20 @@ jobs: neondatabase/vm-compute-node-${version}:${{ needs.tag.outputs.build-tag }} done + - name: Azure login + uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a # @v2.1.1 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + + - name: Copy docker images to ACR-dev + run: | + for version in ${VERSIONS}; do + docker buildx imagetools create -t neoneastus2.azurecr.io/neondatabase/vm-compute-node-${version}:${{ needs.tag.outputs.build-tag }} \ + neondatabase/vm-compute-node-${version}:${{ needs.tag.outputs.build-tag }} + done + - name: Add latest tag to images if: github.ref_name == 'main' run: |
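Review bot: In the new `Copy docker images to ACR-dev` step of `promote-images`, `${{ needs.tag.outputs.build-tag }}` is substituted into the script text before bash runs, so the shell parses whatever the `tag` job emitted. How that output is computed is not visible here; if it can ever contain characters a contributor controls, passing it through the environment is safer. Add `env:` with `BUILD_TAG: ${{ needs.tag.outputs.build-tag }}` to the step and use `"${BUILD_TAG}"` in the loop, the way `${VERSIONS}` is already read from a shell variable. The other ACR steps added by this commit use the same inline form.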