From e8564dc44f54b15dc34c9cce17d5e302c618d58e Mon Sep 17 00:00:00 2001 From: Chris Evich Date: Fri, 14 Jun 2019 13:28:47 -0400 Subject: Cirrus: Print images that should be pruned Over time unless they're removed, the project could grow quite a large collection of VM images. While generally cheap (less than a penny each, per month), these will become a significant cost item if not kept in-check. Add a specialized container for handling image-pruning, but limit it to only finding and printing (not actually deleting) images. Also update the image-building workflow so that base-images used to compose cache-images are also labeled with metadata. N/B: As an additional safeguard, the service account which executes the new container in production *DOES NOT* have access to delete images. This can be enabled by adding the GCE IAM role: CustomComputeImagePrune Signed-off-by: Chris Evich --- .cirrus.yml | 27 ++++++++++++++++++++++++++- 1 file changed, 26 insertions(+), 1 deletion(-) (limited to '.cirrus.yml') diff --git a/.cirrus.yml b/.cirrus.yml index e9e843be6..33162e49f 100644 --- a/.cirrus.yml +++ b/.cirrus.yml @@ -261,7 +261,7 @@ meta_task: cpu: 1 memory: 1 - env: + env: &meta_env_vars # Space-separated list of images used by this repository state IMGNAMES: >- ${FEDORA_CACHE_IMAGE_NAME} 
@@ -277,6 +277,31 @@ meta_task: timeout_in: 10m + # Cirrus-CI ignores entrypoint defined in image + script: '/usr/local/bin/entrypoint.sh |& ${TIMESTAMP}' + + +# Remove old and disused images based on labels set by meta_task +image_prune_task: + + # Do not run this frequently + only_if: $CIRRUS_BRANCH == 'master' + + depends_on: + - "meta" + + container: + image: "quay.io/libpod/imgprune:latest" # see contrib/imgprune + cpu: 1 + memory: 1 + + env: + <<: *meta_env_vars + GCPJSON: ENCRYPTED[4c11d8e09c904c30fc70eecb95c73dec0ddf19976f9b981a0f80f3f6599e8f990bcef93c253ac0277f200850d98528e7] + GCPNAME: ENCRYPTED[7f54557ba6e5a437f11283a53e71baec9ca546f48a9835538cc54d297f79968eb1337d4596a1025b14f9d1c5723fbd29] + + timeout_in: 10m + script: '/usr/local/bin/entrypoint.sh |& ${TIMESTAMP}' -- cgit v1.2.3-54-g00ecf
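Review bot: The new image_prune_task pulls `image: "quay.io/libpod/imgprune:latest"`, a mutable tag, into the same task that receives the decrypted `GCPJSON` and `GCPNAME` values, so anyone able to push that tag controls code that sees the service-account credentials. Pinning by digest, e.g. `image: "quay.io/libpod/imgprune@sha256:<DIGEST_PLACEHOLDER>"`, would tie each run to a reviewed image. The missing delete role described in the commit message limits what a bad image could do to the images, but not exposure of the key itself. Both added `script:` lines pipe through `${TIMESTAMP}`, so unless pipefail is set somewhere outside this hunk, a failing entrypoint.sh is presumably reported with the filter's exit status instead of its own. A comment above `<<: *meta_env_vars` naming the variables imgprune actually reads would also help, since the merge copies every meta_task variable into a credentialed task (meta_task's env block starts outside this hunk).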