From ba6d0472ce07acfd3eb873058bca1c7cb631b2d4 Mon Sep 17 00:00:00 2001 
From: vomba Date: Tue, 21 Oct 2025 14:59:20 +0200 Subject: [PATCH 1/8] add workflow update workflow add default value to workflow inputs update workflow testing default values test run update workflow update pin ansible version ansible ver ansible ver ansible-core ver update workflow update remove custom role (temporary) add azure build step add SP login update azure envs fix typo add cache add key testing azure add gh token fix cache update workflow seperate jobs update update logs remove cahce from azure test update update fix typo add artifact upload update store step update path add store workflow add input add install openstckclient fix fix command add image-builder workflow fix branch name testing sed typo create tag quotes echo fix add docker login update openstack to use container remove checkout change workflow update .dockerignore update workflow add option testing binbash hostname test test try deps testing testing typo test enable kvm add logs env TEST test mount mount change mount change kvm testing upload artifact update mount rw add user mdkir privileged test testing enable azure add elastx store update storing inherit secrets fix naming add safespring store add safespring store change auth safespring verbose change openstack final add sshca role testing enable image builder update builder add sshca role build new image run build add volume testing add docker image add envs final1 --- .github/workflows/build-azure-capi-image.yml | 81 +++++++++++++++++++ .github/workflows/build-capi-vm-images.yml | 47 +++++++++++ .github/workflows/build-image-builder.yml | 46 +++++++++++ .../workflows/build-openstack-capi-image.yml | 77 ++++++++++++++++++ .../store-openstack-capi-image-elastx.yml | 49 +++++++++++ .../store-openstack-capi-image-safespring.yml | 50 ++++++++++++ images/capi/.dockerignore | 1 + images/capi/Dockerfile | 1 + .../capi/ansible/roles/sshca/files/ssh_ca.pub | 0 .../capi/ansible/roles/sshca/tasks/main.yml | 18 +++++ images/capi/template.json | 
38 +++++++++ 11 files changed, 408 insertions(+) create mode 100644 .github/workflows/build-azure-capi-image.yml create mode 100644 .github/workflows/build-capi-vm-images.yml create mode 100644 .github/workflows/build-image-builder.yml create mode 100644 .github/workflows/build-openstack-capi-image.yml create mode 100644 .github/workflows/store-openstack-capi-image-elastx.yml create mode 100644 .github/workflows/store-openstack-capi-image-safespring.yml create mode 100644 images/capi/ansible/roles/sshca/files/ssh_ca.pub create mode 100644 images/capi/ansible/roles/sshca/tasks/main.yml create mode 100644 images/capi/template.json diff --git a/.github/workflows/build-azure-capi-image.yml b/.github/workflows/build-azure-capi-image.yml new file mode 100644 index 0000000000..c81d227768 --- /dev/null +++ b/.github/workflows/build-azure-capi-image.yml 
@@ -0,0 +1,81 @@ +name: Build Azure CAPI VM image + +on: + workflow_dispatch: + inputs: + version: + description: Kuberentes version + required: true + type: string + tag: + description: ck8s-capi tag + required: true + type: string + workflow_call: + inputs: + version: + description: Kubernetes version + required: true + type: string + + tag: + description: ck8s-capi tag + required: true + type: string + +env: + version: ${{ inputs.version }} + tag: ${{ inputs.tag }} + docker_image: "ghcr.io/elastisys/image-builder-amd64:Automate-production-of-CAPI-VM-images-09c9dac9dc61dc069b72ac55e654cbe1a9190911" + +defaults: + run: + working-directory: ./images/capi + shell: bash + +jobs: + build-image: + runs-on: ubuntu-24.04 + steps: + - name: Checkout repo + uses: actions/checkout@v5 + + - name: replace variables + run: | + package="${version}-1.1" + series="${version%.*}" + + sed -r \ + -e "s/\\\$KUBERNETES_SERIES/${series}/" \ + -e "s/\\\$KUBERNETES_VERSION/${version}/" \ + -e "s/\\\$KUBERNETES_DEB_VERSION/${package}/" \ + -e "s/\\\$IMAGE_TAG/${tag}/" \ + <"template.json" >"kubernetes.json" + + - name: build azure image + run: | + image_name="ubuntu-2404-kube-${version%%-*}-ck8s-capi-${tag}" + + export SIG_IMAGE_DEFINITION="${image_name}" + export SIG_PUBLISHER="elastisys" + export SIG_OFFER="ck8s-capi" + export SIG_SKU="${image_name}" + + docker run -i --rm \ + -e PACKER_VAR_FILES -e PACKER_GITHUB_API_TOKEN=${{ secrets.GITHUB_TOKEN }} \ + -e SIG_IMAGE_DEFINITION -e SIG_PUBLISHER -e SIG_OFFER -e SIG_SKU \ + -e AZURE_SUBSCRIPTION_ID -e AZURE_CLIENT_ID -e AZURE_CLIENT_SECRET -e AZURE_TENANT_ID -e AZURE_LOCATION \ + -e RESOURCE_GROUP_NAME -e GALLERY_NAME -e BUILD_RESOURCE_GROUP_NAME \ + -v ${{ github.workspace }}/images/capi:/tmp/host \ + ${{ env.docker_image }} build-azure-sig-ubuntu-2404-gen2 + + env: + PACKER_VAR_FILES: /tmp/host/kubernetes.json + AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID}} + AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} + 
AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} + AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} + AZURE_LOCATION: ${{ secrets.AZURE_LOCATION }} + RESOURCE_GROUP_NAME: ${{ secrets.RESOURCE_GROUP_NAME }} + GALLERY_NAME: ${{ secrets.GALLERY_NAME }} + BUILD_RESOURCE_GROUP_NAME: ${{ secrets.RESOURCE_GROUP_NAME }} diff --git a/.github/workflows/build-capi-vm-images.yml b/.github/workflows/build-capi-vm-images.yml new file mode 100644 index 0000000000..21539ed70f --- /dev/null +++ b/.github/workflows/build-capi-vm-images.yml @@ -0,0 +1,47 @@ +name: Build CAPI VM image with manual input + +on: + # push: + + workflow_dispatch: + inputs: + version: + description: k8s version + required: true + type: string + default: "1.33.1" + tag: + description: ck8s capi version + required: true + type: string + default: "0.8" + +env: + PACKER_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }} + +jobs: + build-azure-image: + uses: ./.github/workflows/build-azure-capi-image.yml + with: + version: ${{ inputs.version || '1.33.1' }} + tag: ${{ inputs.tag || '0.8' }} + secrets: inherit + build-openstack-image: + uses: ./.github/workflows/build-openstack-capi-image.yml + with: + version: ${{ inputs.version || '1.33.1' }} + tag: ${{ inputs.tag || '0.8' }} + store-openstack-image-elastx: + uses: ./.github/workflows/store-openstack-capi-image-elastx.yml + needs: build-openstack-image + with: + version: ${{ inputs.version || '1.33.1' }} + tag: ${{ inputs.tag || '0.8' }} + secrets: inherit + # store-openstack-image-safespring: + # uses: ./.github/workflows/store-openstack-capi-image-safespring.yml + # needs: build-openstack-image + # with: + # version: ${{ inputs.version || '1.33.1' }} + # tag: ${{ inputs.tag || '0.8' }} + # secrets: inherit diff --git a/.github/workflows/build-image-builder.yml b/.github/workflows/build-image-builder.yml new file mode 100644 index 0000000000..f2b8618e8d --- /dev/null +++ b/.github/workflows/build-image-builder.yml 
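Review bot: `PACKER_GITHUB_API_TOKEN=${{ secrets.GITHUB_TOKEN }}` is expanded directly into the `docker run` command line in the `build azure image` step, while every other secret in that step goes through the `env:` map and is forwarded with a bare `-e NAME`; do the same here (`PACKER_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}` under `env:` and `-e PACKER_GITHUB_API_TOKEN` on the command) so the token never becomes part of a shell string. The workflow declares no `permissions:` block, so the token carries the repository default; `permissions: contents: read` at the top of the file covers everything the visible steps do. The builder under `docker_image` and `actions/checkout@v5` are referenced by mutable tags even though that container receives the Azure service-principal secret; pinning by `@sha256:` digest and commit SHA makes the trust root explicit. `BUILD_RESOURCE_GROUP_NAME` and `RESOURCE_GROUP_NAME` are both fed from `secrets.RESOURCE_GROUP_NAME`, which may be intended but reads like a copy-paste slip.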
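Review bot: The workflow-level `env: PACKER_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}` in the caller has no consumer here — every job is a `uses:` call to a reusable workflow, and a caller's `env` context is not propagated into called workflows, so the callee's own `-e PACKER_GITHUB_API_TOKEN=${{ secrets.GITHUB_TOKEN }}` is what actually takes effect; drop the block so it does not suggest the token is being shared from this file. `build-openstack-image` is called without `secrets: inherit` while `build-azure-image` gets it; that looks deliberate (the OpenStack callee only uses `GITHUB_TOKEN`, which is always available to a called workflow), but a one-line comment saying so would save the next reader the check.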
@@ -0,0 +1,46 @@ +name: Build CAPI image builder + +on: + push: + branches: + - main + # pull_request: + +env: + IMAGE_NAME: image-builder + REGISTRY: ghcr.io/elastisys + +jobs: + build-image-builder: + runs-on: ubuntu-24.04 + steps: + - uses: actions/checkout@v5 + + - name: get tag + id: get-tag + run: | + if [ "${{ github.event_name }}" == "pull_request" ]; then + PR_TITLE="${{ github.event.pull_request.title }}" + PR_TAG=$(echo "${PR_TITLE}" | sed -e 's/ /-/g') + echo "TAG=${PR_TAG}-${{ github.sha }}" >> $GITHUB_OUTPUT + else + echo "TAG=${GITHUB_REF##*/}-${{ github.sha }}" >> $GITHUB_OUTPUT + fi + shell: bash + + - name: 'Login to GitHub Container Registry' + uses: docker/login-action@v1 + with: + registry: ghcr.io + username: ${{github.actor}} + password: ${{secrets.GITHUB_TOKEN}} + + - name: run make docker-build + run: make docker-build + env: + TAG: ${{ steps.get-tag.outputs.TAG }} + + - name: run make docker-push + run: make docker-push + env: + TAG: ${{ steps.get-tag.outputs.TAG }} diff --git a/.github/workflows/build-openstack-capi-image.yml b/.github/workflows/build-openstack-capi-image.yml new file mode 100644 index 0000000000..55e283dd6a --- /dev/null +++ b/.github/workflows/build-openstack-capi-image.yml 
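Review bot: The `get tag` step interpolates `${{ github.event.pull_request.title }}` straight into a bash script; with only `push: main` enabled that branch is dead, but the commented-out `pull_request:` trigger suggests it may be re-enabled, and a PR title is attacker-chosen text that would then run as shell in a job holding a registry-push `GITHUB_TOKEN`. If it comes back, read it through `env:` (`PR_TITLE: ${{ github.event.pull_request.title }}`) and use `"$PR_TITLE"` in the script. `docker/login-action@v1` is an old major of that action referenced by mutable tag; pin the current release by commit SHA. The job also relies on the repository default token permissions for `make docker-push`; declaring `permissions:` with `contents: read` and `packages: write` is the least-privilege form.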
@@ -0,0 +1,77 @@ +name: Build OpenStack VM CAPI image + +on: + workflow_dispatch: + inputs: + version: + description: Kubernetes version + required: true + type: string + tag: + description: ck8s-capi tag + required: true + type: string + workflow_call: + inputs: + version: + description: Kubernetes version + required: true + type: string + tag: + description: ck8s-capi tag + required: true + type: string + +env: + version: ${{ inputs.version }} + tag: ${{ inputs.tag }} + docker_image: "ghcr.io/elastisys/image-builder-amd64:Automate-production-of-CAPI-VM-images-7461dbd4e9c3a972cf73d93904f1472270e5af99" + +defaults: + run: + working-directory: ./images/capi + shell: bash + +jobs: + build-image: + runs-on: ubuntu-24.04 + + steps: + - uses: actions/checkout@v5 + + - name: Enable KVM + run: | + echo 'KERNEL=="kvm", GROUP="kvm", MODE="0666", OPTIONS+="static_node=kvm"' | sudo tee /etc/udev/rules.d/99-kvm4all.rules + sudo udevadm control --reload-rules + sudo udevadm trigger --name-match=kvm + + - name: replace variables + run: | + package="${version}-1.1" + series="${version%.*}" + + sed -r \ + -e "s/\\\$KUBERNETES_SERIES/${series}/" \ + -e "s/\\\$KUBERNETES_VERSION/${version}/" \ + -e "s/\\\$KUBERNETES_DEB_VERSION/${package}/" \ + -e "s/\\\$IMAGE_TAG/${tag}/" \ + <"template.json" >"kubernetes.json" + + - name: add user + run: | + mkdir -p ${{ github.workspace }}/output + sudo useradd -ms /bin/bash imagebuilder + sudo chmod -R 777 ${{ github.workspace }}/output + + - name: build openstack image + run: | + docker run --device=/dev/kvm -i --rm \ + -e PACKER_VAR_FILES=/tmp/host/kubernetes.json -e PACKER_LOG -e PACKER_GITHUB_API_TOKEN=${{ secrets.GITHUB_TOKEN }} \ + -v ${{ github.workspace }}/images/capi:/tmp/host -v ${{ github.workspace }}/output:/home/imagebuilder/output:rw \ + ${{ env.docker_image }} build-qemu-ubuntu-2404-efi + + - name: store openstack image + uses: actions/upload-artifact@v4 + with: + name: ubuntu-2404-efi-kube-${{ env.version }}-ck8s-capi-${{ env.tag 
}} + path: ${{ github.workspace }}/output/ubuntu-2404-efi-kube-${{ env.version }}-ck8s-capi-${{ env.tag }} diff --git a/.github/workflows/store-openstack-capi-image-elastx.yml b/.github/workflows/store-openstack-capi-image-elastx.yml new file mode 100644 index 0000000000..364e3bb9b1 --- /dev/null +++ b/.github/workflows/store-openstack-capi-image-elastx.yml 
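Review bot: The `add user` step runs `sudo chmod -R 777` on the output directory and the `Enable KVM` step makes `/dev/kvm` mode `0666`; on an ephemeral hosted runner this is tolerable, but both look like stand-ins for a uid match with the container's `imagebuilder` user, and `docker run --user "$(id -u imagebuilder)"` (or `chown`ing the directory to that uid) would avoid a world-writable path that the build later uploads from. As in the Azure workflow, `PACKER_GITHUB_API_TOKEN=${{ secrets.GITHUB_TOKEN }}` is spliced into the `docker run` command line rather than passed through `env:` plus `-e PACKER_GITHUB_API_TOKEN`. The uploaded artifact is a bootable qcow2 that downstream jobs push into cloud projects; adding `retention-days:` and emitting a sha256 next to it would limit how long and how unverified that image sits in the run.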
@@ -0,0 +1,49 @@ +name: Store OpenStack CAPI image on elastx + +on: + workflow_call: + inputs: + version: + description: Kubernetes version + required: true + type: string + tag: + description: ck8s-capi tag + required: true + type: string + +env: + version: ${{ inputs.version }} + tag: ${{ inputs.tag }} + docker_image: ghcr.io/elastisys/openstack-client:v0.1.0 + + +jobs: + on-success: + runs-on: ubuntu-24.04 + + steps: + - name: retrieve image + uses: actions/download-artifact@v5 + with: + name: ubuntu-2404-efi-kube-${{ env.version }}-ck8s-capi-${{ env.tag }} + + - name: store image + env: + OS_APPLICATION_CREDENTIAL_ID: ${{ secrets.ELASTX_APPLICATION_CREDENTIAL_ID }} + OS_APPLICATION_CREDENTIAL_SECRET: ${{ secrets.ELASTX_APPLICATION_CREDENTIAL_SECRET }} + OS_AUTH_URL: "https://ops.elastx.cloud:5000/v3" + OS_AUTH_TYPE: "v3applicationcredential" + OS_IDENTITY_API_VERSION: "3" + OS_INTERFACE: "public" + OS_REGION_NAME: "se-sto" + run: | + + image_create_extra_vars+=('--property' 'hw_firmware_type=uefi' '--property' 'hw_disk_bus=scsi' '--property' 'hw_scsi_model=virtio-scsi') + image_name=ubuntu-2404-efi-kube-${{ env.version }}-ck8s-capi-${{ env.tag }} + image_path=/tmp/home/ubuntu-2404-efi-kube-${{ env.version }}-ck8s-capi-${{ env.tag }} + + docker run -i --rm \ + -e OS_APPLICATION_CREDENTIAL_ID -e OS_APPLICATION_CREDENTIAL_SECRET -e OS_AUTH_URL -e OS_AUTH_TYPE -e OS_IDENTITY_API_VERSION -e OS_INTERFACE -e OS_REGION_NAME \ + -v ${{ github.workspace }}:/tmp/home ${{ env.docker_image }} \ + openstack image create --disk-format qcow2 "${image_create_extra_vars[@]}" --file "${image_path}" --shared --progress "${image_name}" diff --git a/.github/workflows/store-openstack-capi-image-safespring.yml b/.github/workflows/store-openstack-capi-image-safespring.yml new file mode 100644 index 0000000000..18846a9d94 --- /dev/null +++ b/.github/workflows/store-openstack-capi-image-safespring.yml 
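Review bot: `openstack image create` is invoked with `--shared`, which sets the Glance visibility to shared rather than private; unless member-project sharing is intended for these node images, `--private` is the safer default, and `--protected` would stop an image that running clusters boot from being deleted by accident. The qcow2 is uploaded straight from the downloaded artifact with no checksum compared against what the build job produced; a sha256 written by the build job and verified here would catch a corrupt or substituted artifact. The `openstack-client` container is referenced by the mutable tag `v0.1.0` while it receives the application-credential secret; pin it by digest.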
@@ -0,0 +1,50 @@ +name: Store OpenStack CAPI image on safespring + +on: + workflow_call: + inputs: + version: + description: Kubernetes version + required: true + type: string + tag: + description: ck8s-capi tag + required: true + type: string + +env: + version: ${{ inputs.version }} + tag: ${{ inputs.tag }} + + +jobs: + on-success: + runs-on: ubuntu-24.04 + + steps: + - name: retrieve image + uses: actions/download-artifact@v5 + with: + name: ubuntu-2404-efi-kube-${{ env.version }}-ck8s-capi-${{ env.tag }} + + - name: install deps + run: | + pip3 install python-openstackclient + + - name: store image + env: + OS_APPLICATION_CREDENTIAL_ID: ${{ secrets.SAFESPRING_APPLICATION_CREDENTIAL_ID }} + OS_APPLICATION_CREDENTIAL_SECRET: ${{ secrets.SAFESPRING_APPLICATION_CREDENTIAL_SECRET }} + OS_AUTH_URL: "https://v2.dashboard.sto1.safedc.net:5000/v3/" + OS_AUTH_TYPE: "v3applicationcredential" + OS_IDENTITY_API_VERSION: "3" + OS_INTERFACE: "public" + OS_REGION_NAME: "sto1" + run: | + + image_create_extra_vars+=('--property' 'hw_firmware_type=uefi' '--property' 'hw_disk_bus=scsi' '--property' 'hw_scsi_model=virtio-scsi') + image_name=ubuntu-2404-efi-kube-${{ env.version }}-ck8s-capi-${{ env.tag }} + image_path=./ubuntu-2404-efi-kube-${{ env.version }}-ck8s-capi-${{ env.tag }} + + openstack image create --verbose --disk-format qcow2 "${image_create_extra_vars[@]}" --file "${image_path}" --shared --progress "${image_name}" + diff --git a/images/capi/.dockerignore b/images/capi/.dockerignore index e474674ca1..565293fe80 100644 --- a/images/capi/.dockerignore +++ b/images/capi/.dockerignore @@ -9,3 +9,4 @@ !packer !Makefile !azure_targets.sh +!template.json diff --git a/images/capi/Dockerfile b/images/capi/Dockerfile index e9ace3ed6c..c0bb403563 100644 --- a/images/capi/Dockerfile +++ b/images/capi/Dockerfile 
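Review bot: The `install deps` step runs `pip3 install python-openstackclient` with no version pin and no hashes, so the tool that receives `OS_APPLICATION_CREDENTIAL_SECRET` is whatever PyPI serves on the day of the run; the elastx sibling workflow uses a prebuilt `openstack-client` container, and using the same pinned image here removes both the drift between the two and the unpinned install. If a pip install is kept, pin it (`pip3 install --require-hashes -r constraints.txt` with `python-openstackclient==<version>` and its hashes). The same `--shared` visibility and missing `--protected` point raised for the elastx upload applies to this `openstack image create`.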
@@ -55,6 +55,7 @@ COPY --chown=imagebuilder:imagebuilder hack hack/
 COPY --chown=imagebuilder:imagebuilder packer packer/
 COPY --chown=imagebuilder:imagebuilder Makefile Makefile
 COPY --chown=imagebuilder:imagebuilder azure_targets.sh azure_targets.sh
+COPY --chown=imagebuilder:imagebuilder template.json template.json
 
 ENV PATH="/home/imagebuilder/.local/bin:${PATH}"
 ENV PACKER_ARGS=''
diff --git a/images/capi/ansible/roles/sshca/files/ssh_ca.pub b/images/capi/ansible/roles/sshca/files/ssh_ca.pub
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/images/capi/ansible/roles/sshca/tasks/main.yml b/images/capi/ansible/roles/sshca/tasks/main.yml
new file mode 100644
index 0000000000..a9141979e4
--- /dev/null
+++ b/images/capi/ansible/roles/sshca/tasks/main.yml
@@ -0,0 +1,18 @@
+- name: add the ssh ca public key
+ ansible.builtin.copy:
+ dest: /etc/ssh/ssh_ca.pub
+ mode: "644"
+ src: ssh_ca.pub
+- name: set authorized principals
+ ansible.builtin.copy:
+ dest: /etc/ssh/authorized_principals
+ # Couldn't get this to use the `ssh_username` variable
+ content: |
+ ubuntu
+- name: add ssh ca settings
+ ansible.builtin.copy:
+ dest: /etc/ssh/sshd_config.d/ca.conf
+ content: |
+ TrustedUserCAKeys /etc/ssh/ssh_ca.pub
+ AuthorizedPrincipalsFile /etc/ssh/authorized_principals
+
diff --git a/images/capi/template.json b/images/capi/template.json
new file mode 100644
index 0000000000..da74772f2b
--- /dev/null
+++ b/images/capi/template.json
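Review bot: `AuthorizedPrincipalsFile /etc/ssh/authorized_principals` is a single untokenised file, so sshd applies the same principal list (`ubuntu`) to every account: a certificate from this CA carrying the principal `ubuntu` would be accepted for any user whose login is otherwise permitted, not only `ubuntu`. Either drop the directive so the default rule applies (the certificate principal must equal the login name), or make it per-user, e.g. `AuthorizedPrincipalsFile /etc/ssh/auth_principals/%u` with the list installed at `/etc/ssh/auth_principals/ubuntu`. The committed `ssh_ca.pub` is the empty blob (`index 0000000000..e69de29bb2`), so as added the role installs an empty `TrustedUserCAKeys` and certificate auth cannot work until a real CA key is put there — worth a comment on the task, or a check such as `failed_when: lookup('file', 'ssh_ca.pub') | length == 0`, so the image is not shipped half-configured. The `set authorized principals` task sets no `mode:`, so the principals file gets the remote default umask rather than the explicit `"644"` used for the key.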
@@ -0,0 +1,38 @@
+{
+ "crictl_arch": "amd64",
+ "crictl_sha256": "https://github.com/kubernetes-sigs/cri-tools/releases/download/v{{user `crictl_version`}}/crictl-v{{user `crictl_version`}}-linux-{{user `crictl_arch`}}.tar.gz.sha256",
+ "crictl_source_type": "pkg",
+ "crictl_url": "https://github.com/kubernetes-sigs/cri-tools/releases/download/v{{user `crictl_version`}}/crictl-v{{user `crictl_version`}}-linux-{{user `crictl_arch`}}.tar.gz",
+ "crictl_version": "$KUBERNETES_SERIES.0",
+ "kubeadm_template": "etc/kubeadm.yml",
+ "kubernetes_apiserver_port": "6443",
+ "kubernetes_container_registry": "registry.k8s.io",
+ "kubernetes_deb_gpg_key": "https://pkgs.k8s.io/core:/stable:/{{ user `kubernetes_series` }}/deb/Release.key",
+ "kubernetes_deb_repo": "https://pkgs.k8s.io/core:/stable:/{{ user `kubernetes_series` }}/deb/",
+ "kubernetes_deb_version": "$KUBERNETES_DEB_VERSION",
+ "kubernetes_goarch": "amd64",
+ "kubernetes_http_source": "https://dl.k8s.io/release",
+ "kubernetes_load_additional_imgs": "false",
+ "kubernetes_rpm_gpg_check": "True",
+ "kubernetes_rpm_gpg_key": "https://pkgs.k8s.io/core:/stable:/{{ user `kubernetes_series` }}/rpm/repodata/repomd.xml.key",
+ "kubernetes_rpm_repo": "https://pkgs.k8s.io/core:/stable:/{{ user `kubernetes_series` }}/rpm/",
+ "kubernetes_rpm_repo_arch": "x86_64",
+ "kubernetes_rpm_version": "$KUBERNETES_VERSION",
+ "kubernetes_semver": "v$KUBERNETES_VERSION",
+ "kubernetes_series": "v$KUBERNETES_SERIES",
+ "kubernetes_source_type": "pkg",
+ "node_custom_roles_post": "sshca",
+ "systemd_prefix": "/usr/lib/systemd",
+ "sysusr_prefix": "/usr",
+ "sysusrlocal_prefix": "/usr/local",
+ "vm_name": "{{user `build_name`}}-kube-$KUBERNETES_VERSION-ck8s-capi-$IMAGE_TAG",
+ "artifact_name": "{{user `build_name`}}-kube-$KUBERNETES_VERSION-ck8s-capi-$IMAGE_TAG",
+ "output_directory": "./output/{{user `build_name`}}-kube-$KUBERNETES_VERSION-ck8s-capi-$IMAGE_TAG",
+ "image_name": "{{user `distribution`}}-{{user 
`distribution_version`}}-kube-$KUBERNETES_VERSION-ck8s-capi-$IMAGE_TAG", + "aws_region": "eu-north-1", + "ami_regions": "eu-north-1", + "ami_groups": "", + "snapshot_groups": "", + "containerd_version": "1.7.27", + "containerd_url": "https://github.com/containerd/containerd/releases/download/v1.7.27/containerd-1.7.27-linux-amd64.tar.gz" +} \ No newline at end of file From 97705f7200387ccdd8f1ca3c8cc9e1f024553c93 Mon Sep 17 00:00:00 2001 From: vomba Date: Mon, 1 Dec 2025 08:55:37 +0100 Subject: [PATCH 2/8] cleanup --- .github/workflows/build-azure-capi-image.yml | 14 +++++- .github/workflows/build-capi-vm-images.yml | 23 +++------ .github/workflows/build-image-builder.yml | 9 ++-- .../workflows/build-openstack-capi-image.yml | 14 +++++- .../store-openstack-capi-image-elastx.yml | 49 ------------------ .../store-openstack-capi-image-safespring.yml | 50 ------------------- 6 files changed, 36 insertions(+), 123 deletions(-) delete mode 100644 .github/workflows/store-openstack-capi-image-elastx.yml delete mode 100644 .github/workflows/store-openstack-capi-image-safespring.yml diff --git a/.github/workflows/build-azure-capi-image.yml b/.github/workflows/build-azure-capi-image.yml index c81d227768..8181274c69 100644 --- a/.github/workflows/build-azure-capi-image.yml +++ b/.github/workflows/build-azure-capi-image.yml 
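Review bot: `containerd_version` and `containerd_url` are overridden to 1.7.27 but no matching `containerd_sha256` is set in this template, so whatever checksum the image-builder applies to the downloaded tarball is either the default for a different version (a build failure) or absent (an unverified download); add the 1.7.27 sha256 next to the URL. `crictl_sha256` points at a `.sha256` file served from the same GitHub release as the tarball, which only proves the download was not truncated, not that the release is the intended one — acceptable for a pinned version, but worth a comment. The `$KUBERNETES_SERIES`/`$KUBERNETES_VERSION`/`$IMAGE_TAG` placeholders are filled in by an unanchored `sed` in the build workflows, so a `tag` input containing `/` or `&` corrupts this JSON silently; validating the inputs before the sed (`[[ "$tag" =~ ^[A-Za-z0-9._-]+$ ]] || exit 1`) closes that.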
@@ -11,22 +11,32 @@ on: description: ck8s-capi tag required: true type: string + builder_image: + description: image builder image + required: true + type: string + default: "ghcr.io/elastisys/image-builder-amd64:main" + workflow_call: inputs: version: description: Kubernetes version required: true type: string - tag: description: ck8s-capi tag required: true type: string + builder_image: + description: image builder image + required: true + type: string + default: "ghcr.io/elastisys/image-builder-amd64:main" env: version: ${{ inputs.version }} tag: ${{ inputs.tag }} - docker_image: "ghcr.io/elastisys/image-builder-amd64:Automate-production-of-CAPI-VM-images-09c9dac9dc61dc069b72ac55e654cbe1a9190911" + docker_image: ${{ inputs.builder_image }} defaults: run: diff --git a/.github/workflows/build-capi-vm-images.yml b/.github/workflows/build-capi-vm-images.yml index 21539ed70f..a2e9586840 100644 --- a/.github/workflows/build-capi-vm-images.yml +++ b/.github/workflows/build-capi-vm-images.yml @@ -1,8 +1,6 @@ name: Build CAPI VM image with manual input on: - # push: - workflow_dispatch: inputs: version: @@ -15,6 +13,11 @@ on: required: true type: string default: "0.8" + builder_image: + description: image builder image + required: true + type: string + default: "ghcr.io/elastisys/image-builder-amd64:main" env: PACKER_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }} 
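Review bot: `builder_image` turns the container that receives the Azure service-principal secret into a free-form input with a mutable `:main` default, so anyone who can dispatch the workflow can point it at an arbitrary registry image and have that image read `AZURE_CLIENT_SECRET`. Dispatch already requires write access, so this is containment rather than exposure, but a guard before `docker run` such as `[[ "$docker_image" == ghcr.io/elastisys/image-builder-amd64@sha256:* ]] || { echo "refusing unpinned builder image"; exit 1; }` enforces both the registry prefix and a digest pin. Declaring the input `required: true` together with a `default:` is also contradictory under `workflow_call`, where a caller omitting a required input is an error regardless of the default; make it `required: false` if the default is meant to be usable.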
@@ -25,23 +28,11 @@ jobs: with: version: ${{ inputs.version || '1.33.1' }} tag: ${{ inputs.tag || '0.8' }} + docker_image: ${{ inputs.docker_image }} secrets: inherit build-openstack-image: uses: ./.github/workflows/build-openstack-capi-image.yml with: version: ${{ inputs.version || '1.33.1' }} tag: ${{ inputs.tag || '0.8' }} - store-openstack-image-elastx: - uses: ./.github/workflows/store-openstack-capi-image-elastx.yml - needs: build-openstack-image - with: - version: ${{ inputs.version || '1.33.1' }} - tag: ${{ inputs.tag || '0.8' }} - secrets: inherit - # store-openstack-image-safespring: - # uses: ./.github/workflows/store-openstack-capi-image-safespring.yml - # needs: build-openstack-image - # with: - # version: ${{ inputs.version || '1.33.1' }} - # tag: ${{ inputs.tag || '0.8' }} - # secrets: inherit + docker_image: ${{ inputs.docker_image }} diff --git a/.github/workflows/build-image-builder.yml b/.github/workflows/build-image-builder.yml index f2b8618e8d..ae29267ccc 100644 --- a/.github/workflows/build-image-builder.yml +++ b/.github/workflows/build-image-builder.yml @@ -4,8 +4,7 @@ on: push: branches: - main - # pull_request: - + env: IMAGE_NAME: image-builder REGISTRY: ghcr.io/elastisys @@ -28,12 +27,12 @@ jobs: fi shell: bash - - name: 'Login to GitHub Container Registry' + - name: "Login to GitHub Container Registry" uses: docker/login-action@v1 with: registry: ghcr.io - username: ${{github.actor}} - password: ${{secrets.GITHUB_TOKEN}} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} - name: run make docker-build run: make docker-build diff --git a/.github/workflows/build-openstack-capi-image.yml b/.github/workflows/build-openstack-capi-image.yml index 55e283dd6a..ad12b0bffd 100644 --- a/.github/workflows/build-openstack-capi-image.yml +++ b/.github/workflows/build-openstack-capi-image.yml 
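Review bot: The caller passes `docker_image: ${{ inputs.docker_image }}` to both reusable workflows, but the input those workflows declare — and the one this caller itself declares — is named `builder_image`; `docker_image` is not a declared input on either side, so the `with:` key should be rejected as unknown, and `inputs.docker_image` would evaluate to empty even if it were accepted. Change both lines to `builder_image: ${{ inputs.builder_image }}`. The mismatch is still present, as context, in the final patch of the series.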
@@ -11,6 +11,12 @@ on: description: ck8s-capi tag required: true type: string + builder_image: + description: image builder image + required: true + type: string + default: "ghcr.io/elastisys/image-builder-amd64:main" + workflow_call: inputs: version: @@ -21,11 +27,17 @@ on: description: ck8s-capi tag required: true type: string + builder_image: + description: image builder image + required: true + type: string + default: "ghcr.io/elastisys/image-builder-amd64:main" + env: version: ${{ inputs.version }} tag: ${{ inputs.tag }} - docker_image: "ghcr.io/elastisys/image-builder-amd64:Automate-production-of-CAPI-VM-images-7461dbd4e9c3a972cf73d93904f1472270e5af99" + docker_image: ${{ inputs.builder_image }} defaults: run: diff --git a/.github/workflows/store-openstack-capi-image-elastx.yml b/.github/workflows/store-openstack-capi-image-elastx.yml deleted file mode 100644 index 364e3bb9b1..0000000000 --- a/.github/workflows/store-openstack-capi-image-elastx.yml +++ /dev/null 
@@ -1,49 +0,0 @@ -name: Store OpenStack CAPI image on elastx - -on: - workflow_call: - inputs: - version: - description: Kubernetes version - required: true - type: string - tag: - description: ck8s-capi tag - required: true - type: string - -env: - version: ${{ inputs.version }} - tag: ${{ inputs.tag }} - docker_image: ghcr.io/elastisys/openstack-client:v0.1.0 - - -jobs: - on-success: - runs-on: ubuntu-24.04 - - steps: - - name: retrieve image - uses: actions/download-artifact@v5 - with: - name: ubuntu-2404-efi-kube-${{ env.version }}-ck8s-capi-${{ env.tag }} - - - name: store image - env: - OS_APPLICATION_CREDENTIAL_ID: ${{ secrets.ELASTX_APPLICATION_CREDENTIAL_ID }} - OS_APPLICATION_CREDENTIAL_SECRET: ${{ secrets.ELASTX_APPLICATION_CREDENTIAL_SECRET }} - OS_AUTH_URL: "https://ops.elastx.cloud:5000/v3" - OS_AUTH_TYPE: "v3applicationcredential" - OS_IDENTITY_API_VERSION: "3" - OS_INTERFACE: "public" - OS_REGION_NAME: "se-sto" - run: | - - image_create_extra_vars+=('--property' 'hw_firmware_type=uefi' '--property' 'hw_disk_bus=scsi' '--property' 'hw_scsi_model=virtio-scsi') - image_name=ubuntu-2404-efi-kube-${{ env.version }}-ck8s-capi-${{ env.tag }} - image_path=/tmp/home/ubuntu-2404-efi-kube-${{ env.version }}-ck8s-capi-${{ env.tag }} - - docker run -i --rm \ - -e OS_APPLICATION_CREDENTIAL_ID -e OS_APPLICATION_CREDENTIAL_SECRET -e OS_AUTH_URL -e OS_AUTH_TYPE -e OS_IDENTITY_API_VERSION -e OS_INTERFACE -e OS_REGION_NAME \ - -v ${{ github.workspace }}:/tmp/home ${{ env.docker_image }} \ - openstack image create --disk-format qcow2 "${image_create_extra_vars[@]}" --file "${image_path}" --shared --progress "${image_name}" diff --git a/.github/workflows/store-openstack-capi-image-safespring.yml b/.github/workflows/store-openstack-capi-image-safespring.yml deleted file mode 100644 index 18846a9d94..0000000000 --- a/.github/workflows/store-openstack-capi-image-safespring.yml +++ /dev/null 
@@ -1,50 +0,0 @@ -name: Store OpenStack CAPI image on safespring - -on: - workflow_call: - inputs: - version: - description: Kubernetes version - required: true - type: string - tag: - description: ck8s-capi tag - required: true - type: string - -env: - version: ${{ inputs.version }} - tag: ${{ inputs.tag }} - - -jobs: - on-success: - runs-on: ubuntu-24.04 - - steps: - - name: retrieve image - uses: actions/download-artifact@v5 - with: - name: ubuntu-2404-efi-kube-${{ env.version }}-ck8s-capi-${{ env.tag }} - - - name: install deps - run: | - pip3 install python-openstackclient - - - name: store image - env: - OS_APPLICATION_CREDENTIAL_ID: ${{ secrets.SAFESPRING_APPLICATION_CREDENTIAL_ID }} - OS_APPLICATION_CREDENTIAL_SECRET: ${{ secrets.SAFESPRING_APPLICATION_CREDENTIAL_SECRET }} - OS_AUTH_URL: "https://v2.dashboard.sto1.safedc.net:5000/v3/" - OS_AUTH_TYPE: "v3applicationcredential" - OS_IDENTITY_API_VERSION: "3" - OS_INTERFACE: "public" - OS_REGION_NAME: "sto1" - run: | - - image_create_extra_vars+=('--property' 'hw_firmware_type=uefi' '--property' 'hw_disk_bus=scsi' '--property' 'hw_scsi_model=virtio-scsi') - image_name=ubuntu-2404-efi-kube-${{ env.version }}-ck8s-capi-${{ env.tag }} - image_path=./ubuntu-2404-efi-kube-${{ env.version }}-ck8s-capi-${{ env.tag }} - - openstack image create --verbose --disk-format qcow2 "${image_create_extra_vars[@]}" --file "${image_path}" --shared --progress "${image_name}" - From 46b6ae0578e04fe36c68617192edfb0aafc29231 Mon Sep 17 00:00:00 2001 From: vomba Date: Tue, 9 Dec 2025 10:59:00 +0100 Subject: [PATCH 3/8] revert dockerfiles to main --- images/capi/.dockerignore | 1 - images/capi/Dockerfile | 1 - 2 files changed, 2 deletions(-) diff --git a/images/capi/.dockerignore b/images/capi/.dockerignore index 565293fe80..e474674ca1 100644 --- a/images/capi/.dockerignore +++ b/images/capi/.dockerignore @@ -9,4 +9,3 @@ !packer !Makefile !azure_targets.sh -!template.json 
diff --git a/images/capi/Dockerfile b/images/capi/Dockerfile index c0bb403563..e9ace3ed6c 100644 --- a/images/capi/Dockerfile +++ b/images/capi/Dockerfile @@ -55,7 +55,6 @@ COPY --chown=imagebuilder:imagebuilder hack hack/ COPY --chown=imagebuilder:imagebuilder packer packer/ COPY --chown=imagebuilder:imagebuilder Makefile Makefile COPY --chown=imagebuilder:imagebuilder azure_targets.sh azure_targets.sh -COPY --chown=imagebuilder:imagebuilder template.json template.json ENV PATH="/home/imagebuilder/.local/bin:${PATH}" ENV PACKER_ARGS='' From 1344c6e4058b14e423a5e75a1a21136c7345b65d Mon Sep 17 00:00:00 2001 From: vomba Date: Tue, 9 Dec 2025 11:02:34 +0100 Subject: [PATCH 4/8] add patch step --- .../workflows/build-openstack-capi-image.yml | 4 ++++ images/capi/.dockerignore | 1 + images/capi/Dockerfile | 1 + images/capi/patches/dockerfile.patch | 21 +++++++++++++++++++ 4 files changed, 27 insertions(+) create mode 100644 images/capi/patches/dockerfile.patch diff --git a/.github/workflows/build-openstack-capi-image.yml b/.github/workflows/build-openstack-capi-image.yml index ad12b0bffd..c639a6dc3a 100644 --- a/.github/workflows/build-openstack-capi-image.yml +++ b/.github/workflows/build-openstack-capi-image.yml @@ -51,6 +51,10 @@ jobs: steps: - uses: actions/checkout@v5 + - name: run patchs + run: | + git apply patches/dockerfile.patch + - name: Enable KVM run: | echo 'KERNEL=="kvm", GROUP="kvm", MODE="0666", OPTIONS+="static_node=kvm"' | sudo tee /etc/udev/rules.d/99-kvm4all.rules diff --git a/images/capi/.dockerignore b/images/capi/.dockerignore index e474674ca1..565293fe80 100644 --- a/images/capi/.dockerignore +++ b/images/capi/.dockerignore @@ -9,3 +9,4 @@ !packer !Makefile !azure_targets.sh +!template.json diff --git a/images/capi/Dockerfile b/images/capi/Dockerfile index e9ace3ed6c..c0bb403563 100644 --- a/images/capi/Dockerfile +++ b/images/capi/Dockerfile 
@@ -55,6 +55,7 @@ COPY --chown=imagebuilder:imagebuilder hack hack/ COPY --chown=imagebuilder:imagebuilder packer packer/ COPY --chown=imagebuilder:imagebuilder Makefile Makefile COPY --chown=imagebuilder:imagebuilder azure_targets.sh azure_targets.sh +COPY --chown=imagebuilder:imagebuilder template.json template.json ENV PATH="/home/imagebuilder/.local/bin:${PATH}" ENV PACKER_ARGS='' diff --git a/images/capi/patches/dockerfile.patch b/images/capi/patches/dockerfile.patch new file mode 100644 index 0000000000..31aacd099b --- /dev/null +++ b/images/capi/patches/dockerfile.patch @@ -0,0 +1,21 @@ +diff --git a/images/capi/.dockerignore b/images/capi/.dockerignore +index e474674ca..565293fe8 100644 +--- a/images/capi/.dockerignore ++++ b/images/capi/.dockerignore +@@ -9,3 +9,4 @@ + !packer + !Makefile + !azure_targets.sh ++!template.json +diff --git a/images/capi/Dockerfile b/images/capi/Dockerfile +index e9ace3ed6..c0bb40356 100644 +--- a/images/capi/Dockerfile ++++ b/images/capi/Dockerfile +@@ -55,6 +55,7 @@ COPY --chown=imagebuilder:imagebuilder hack hack/ + COPY --chown=imagebuilder:imagebuilder packer packer/ + COPY --chown=imagebuilder:imagebuilder Makefile Makefile + COPY --chown=imagebuilder:imagebuilder azure_targets.sh azure_targets.sh ++COPY --chown=imagebuilder:imagebuilder template.json template.json + + ENV PATH="/home/imagebuilder/.local/bin:${PATH}" + ENV PACKER_ARGS='' From 7f6acda74b1864cd837b135378a95932e12dc70b Mon Sep 17 00:00:00 2001 From: vomba Date: Fri, 16 Jan 2026 10:34:20 +0100 Subject: [PATCH 5/8] remove get tag --- .github/workflows/build-image-builder.yml | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/.github/workflows/build-image-builder.yml b/.github/workflows/build-image-builder.yml index ae29267ccc..c4805b4c18 100644 --- a/.github/workflows/build-image-builder.yml +++ b/.github/workflows/build-image-builder.yml 
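Review bot: The new `run patchs` step applies `patches/dockerfile.patch`, but this same commit also commits the identical `!template.json` and `COPY … template.json` edits directly to `.dockerignore` and `Dockerfile`, so on the checked-out tree the patch's preimage no longer matches and `git apply` will fail (the `.dockerignore` hunk has no trailing context, so git anchors it at end of file, and the `Dockerfile` hunk's six-line preimage now has an extra line in it); keep one mechanism, not both. It is also unclear what consumes the patched Dockerfile: this job pulls a prebuilt `docker_image` and bind-mounts `images/capi`, and no visible step rebuilds the builder image, so the step may be a no-op even when it applies. If it stays, `git apply --check patches/dockerfile.patch && git apply patches/dockerfile.patch` makes a mismatch fail loudly, and the step name should read `run patches`.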
@@ -15,18 +15,6 @@ jobs: steps: - uses: actions/checkout@v5 - - name: get tag - id: get-tag - run: | - if [ "${{ github.event_name }}" == "pull_request" ]; then - PR_TITLE="${{ github.event.pull_request.title }}" - PR_TAG=$(echo "${PR_TITLE}" | sed -e 's/ /-/g') - echo "TAG=${PR_TAG}-${{ github.sha }}" >> $GITHUB_OUTPUT - else - echo "TAG=${GITHUB_REF##*/}-${{ github.sha }}" >> $GITHUB_OUTPUT - fi - shell: bash - - name: "Login to GitHub Container Registry" uses: docker/login-action@v1 with: From 8bbd540c82598a793f8b8a3cf2712c233192021b Mon Sep 17 00:00:00 2001 From: vomba Date: Fri, 16 Jan 2026 10:37:48 +0100 Subject: [PATCH 6/8] remove sshca role --- .../capi/ansible/roles/sshca/files/ssh_ca.pub | 0 images/capi/ansible/roles/sshca/tasks/main.yml | 18 ------------------ 2 files changed, 18 deletions(-) delete mode 100644 images/capi/ansible/roles/sshca/files/ssh_ca.pub delete mode 100644 images/capi/ansible/roles/sshca/tasks/main.yml diff --git a/images/capi/ansible/roles/sshca/files/ssh_ca.pub b/images/capi/ansible/roles/sshca/files/ssh_ca.pub deleted file mode 100644 index e69de29bb2..0000000000 diff --git a/images/capi/ansible/roles/sshca/tasks/main.yml b/images/capi/ansible/roles/sshca/tasks/main.yml deleted file mode 100644 index a9141979e4..0000000000 --- a/images/capi/ansible/roles/sshca/tasks/main.yml +++ /dev/null @@ -1,18 +0,0 @@ -- name: add the ssh ca public key - ansible.builtin.copy: - dest: /etc/ssh/ssh_ca.pub - mode: "644" - src: ssh_ca.pub -- name: set authorized principals - ansible.builtin.copy: - dest: /etc/ssh/authorized_principals - # Couldn't get this to use the `ssh_username` variable - content: | - ubuntu -- name: add ssh ca settings - ansible.builtin.copy: - dest: /etc/ssh/sshd_config.d/ca.conf - content: | - TrustedUserCAKeys /etc/ssh/ssh_ca.pub - AuthorizedPrincipalsFile /etc/ssh/authorized_principals - From 608c4648c0967ac1def9c21bf71fc13ed26203e9 Mon Sep 17 00:00:00 2001 
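Review bot: Removing the `get tag` step leaves the `TAG: ${{ steps.get-tag.outputs.TAG }}` env lines on the `docker-build` and `docker-push` steps (visible in the first patch of the series, outside this hunk) pointing at a step that no longer exists; a missing step output evaluates to an empty string, so `make docker-push` would run with `TAG=""` and whatever fallback the Makefile applies, while the other workflows' `:main` default suggests the branch name is the intended tag. Either set it explicitly (`TAG: ${{ github.ref_name }}`) or delete those env lines together with the step.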
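Review bot: This deletes the `sshca` role directory, but `images/capi/template.json` from the first patch still sets `"node_custom_roles_post": "sshca"` and is not touched here, so every build that reads the template will presumably ask Ansible for a role that no longer exists; remove that key in the same change. Dropping the role is the right call while `ssh_ca.pub` is empty, but the template line is the remaining reference that has to go with it.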
From: vomba Date: Fri, 16 Jan 2026 10:38:54 +0100 Subject: [PATCH 7/8] remove patched step from Dockerfile --- images/capi/Dockerfile | 1 - 1 file changed, 1 deletion(-) diff --git a/images/capi/Dockerfile b/images/capi/Dockerfile index c0bb403563..e9ace3ed6c 100644 --- a/images/capi/Dockerfile +++ b/images/capi/Dockerfile @@ -55,7 +55,6 @@ COPY --chown=imagebuilder:imagebuilder hack hack/ COPY --chown=imagebuilder:imagebuilder packer packer/ COPY --chown=imagebuilder:imagebuilder Makefile Makefile COPY --chown=imagebuilder:imagebuilder azure_targets.sh azure_targets.sh -COPY --chown=imagebuilder:imagebuilder template.json template.json ENV PATH="/home/imagebuilder/.local/bin:${PATH}" ENV PACKER_ARGS='' From 658f7efc4517b211dd9e60af3c13900b9a21888e Mon Sep 17 00:00:00 2001 From: vomba Date: Fri, 16 Jan 2026 10:41:17 +0100 Subject: [PATCH 8/8] remove default values --- .github/workflows/build-capi-vm-images.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build-capi-vm-images.yml b/.github/workflows/build-capi-vm-images.yml index a2e9586840..b1887d1d90 100644 --- a/.github/workflows/build-capi-vm-images.yml +++ b/.github/workflows/build-capi-vm-images.yml @@ -26,13 +26,13 @@ jobs: build-azure-image: uses: ./.github/workflows/build-azure-capi-image.yml with: - version: ${{ inputs.version || '1.33.1' }} - tag: ${{ inputs.tag || '0.8' }} + version: ${{ inputs.version }} + tag: ${{ inputs.tag }} docker_image: ${{ inputs.docker_image }} secrets: inherit build-openstack-image: uses: ./.github/workflows/build-openstack-capi-image.yml with: - version: ${{ inputs.version || '1.33.1' }} - tag: ${{ inputs.tag || '0.8' }} + version: ${{ inputs.version }} + tag: ${{ inputs.tag }} docker_image: ${{ inputs.docker_image }}