packer: build Fedora images

The decision logic which jobs to run is quite confusing but that's how we roll for now: Jenkins builds RHEL images only on main Schutzbot builds RHEL images only in PRs Schutzbot builds Fedora images on both PRs and on main To achieve this, the commit re-enables running Packer on main on Schutzbot. Signed-off-by: Ondřej Budai <ondrej@budai.cz>
2022-03-10 11:36:49 +01:00 · 2022-03-10 11:36:49 +01:00 · ad15179faf
commit ad15179faf
parent ec070612ff
5 changed files with 98 additions and 3 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -121,7 +121,7 @@ Packer:
  stage: test
  extends: .terraform
  rules:
-    - if: '$CI_PIPELINE_SOURCE != "schedule" && $CI_COMMIT_BRANCH =~ /PR-[0-9]+/'
+    - if: '$CI_PIPELINE_SOURCE != "schedule"'
  script:
    - tools/appsre-build-worker-packer.sh
  variables:
--- a/templates/packer/ansible/inventory/fedora-35-aarch64/group_vars/all.yml
+++ b/templates/packer/ansible/inventory/fedora-35-aarch64/group_vars/all.yml
@ -0,0 +1,5 @@
+---
+# this is just a template!
+# the actual content is generated by build/appsre-build-worker-packer.sh
+rpmrepo_distribution: distro
+osbuild_commit: abcdef
--- a/templates/packer/ansible/inventory/fedora-35-x86_64/group_vars/all.yml
+++ b/templates/packer/ansible/inventory/fedora-35-x86_64/group_vars/all.yml
@ -0,0 +1,5 @@
+---
+# this is just a template!
+# the actual content is generated by build/appsre-build-worker-packer.sh
+rpmrepo_distribution: distro
+osbuild_commit: abcdef
--- a/templates/packer/worker.pkr.hcl
+++ b/templates/packer/worker.pkr.hcl
@ -53,6 +53,80 @@ build {
    }
  }

+  source "amazon-ebs.image_builder"  {
+    name = "fedora-35-x86_64"
+
+    # Use a static Fedora 35 Cloud Base Image.
+    source_ami = "ami-08b4ee602f76bff79"
+    ssh_username = "fedora"
+    instance_type = "c6a.large"
+
+    # Set a name for the resulting AMI.
+    ami_name = "${var.image_name}-fedora-35-x86_64"
+
+    # Apply tags to the resulting AMI/EBS snapshot.
+    tags = {
+      AppCode = "IMGB-001"
+      Name = "${var.image_name}"
+      composer_commit = "${var.composer_commit}"
+      os = "fedora"
+      os_version = "35"
+      arch = "x86_64"
+    }
+
+    # Ensure that the EBS snapshot used for the AMI meets our requirements.
+    launch_block_device_mappings {
+      delete_on_termination = "true"
+      device_name           = "/dev/sda1"
+      volume_size           = 5
+      volume_type           = "gp2"
+    }
+
+    # go doesn't like modern Fedora crypto policies
+    # see https://github.com/hashicorp/packer/issues/10074
+    user_data = <<EOF
+#!/bin/bash
+update-crypto-policies --set LEGACY
+EOF
+  }
+
+  source "amazon-ebs.image_builder"  {
+    name = "fedora-35-aarch64"
+
+    # Use a static Fedora 35 Cloud Base Image.
+    source_ami = "ami-068c123e1c1ca0d49"
+    ssh_username = "fedora"
+    instance_type = "c6g.large"
+
+    # Set a name for the resulting AMI.
+    ami_name = "${var.image_name}-fedora-35-aarch64"
+
+    # Apply tags to the resulting AMI/EBS snapshot.
+    tags = {
+      AppCode = "IMGB-001"
+      Name = "${var.image_name}"
+      composer_commit = "${var.composer_commit}"
+      os = "fedora"
+      os_version = "35"
+      arch = "aarch64"
+    }
+
+    # Ensure that the EBS snapshot used for the AMI meets our requirements.
+    launch_block_device_mappings {
+      delete_on_termination = "true"
+      device_name           = "/dev/sda1"
+      volume_size           = 5
+      volume_type           = "gp2"
+    }
+
+    # go doesn't like modern Fedora crypto policies
+    # see https://github.com/hashicorp/packer/issues/10074
+    user_data = <<EOF
+#!/bin/bash
+update-crypto-policies --set LEGACY
+EOF
+  }
+
  provisioner "ansible" {
    playbook_file = "${path.root}/ansible/playbook.yml"
    user = build.User
--- a/tools/appsre-build-worker-packer.sh
+++ b/tools/appsre-build-worker-packer.sh
@ -122,8 +122,19 @@ EOF2
 EOF
 fi

-cat >> worker-packer.sh <<'EOF'
-/usr/bin/packer build /osbuild-composer/templates/packer
+if [ "$ON_JENKINS" = true ]; then
+    # jenkins on main: build rhel only
+    PACKER_ONLY_EXCEPT=--only=amazon-ebs.rhel-8-x86_64
+elif [ -n "$CI_COMMIT_BRANCH" ] && [ "$CI_COMMIT_BRANCH" == "main" ]; then
+    # Schutzbot on main: build all except rhel
+    PACKER_ONLY_EXCEPT=--except=amazon-ebs.rhel-8-x86_64
+elif [ -n "$CI_COMMIT_BRANCH" ]; then
+    # Schutzbot but not main, build everything (use dummy except)
+    PACKER_ONLY_EXCEPT=--except=amazon-ebs.dummy
+fi
+
+cat >> worker-packer.sh <<EOF
+/usr/bin/packer build $PACKER_ONLY_EXCEPT /osbuild-composer/templates/packer
 EOF

 # prepare ansible inventories