Packer: make osbuild-executor worker config more configurable

We need to use custom IAM policy name used by the worker for osbuild-executor on Fedora workers (in prod vs. stage). And we have the same requirement for the CloudWatch log group used by the osbuild-executor. Modify the Ansible playbook used by Packer to use the values from /tmp/cloud_init_vars if set and defaulting to the current values if not set. Signed-off-by: Tomáš Hozza <thozza@redhat.com>
2024-03-05 14:09:59 +01:00 · 2024-03-05 14:09:59 +01:00 · f02fe86366
commit f02fe86366
parent e8a3aac989
4 changed files with 19 additions and 6 deletions
--- a/templates/packer/ansible/roles/common/files/osbuild-worker.toml
+++ b/templates/packer/ansible/roles/common/files/osbuild-worker.toml
@ -1,5 +1 @@
 base_path = "/api/image-builder-worker/v1"
-
-[osbuild_executor]
-type = "aws.ec2"
-iam_profile = "osbuild-executor"
--- a/templates/packer/ansible/roles/common/files/worker-initialization-scripts/worker_config.sh
+++ b/templates/packer/ansible/roles/common/files/worker-initialization-scripts/worker_config.sh
@ -0,0 +1,12 @@
+#!/bin/bash
+set -euo pipefail
+
+source /tmp/cloud_init_vars
+
+echo "Writing osbuild_executor config to worker configuration."
+OSBUILD_EXECUTOR_IAM_PROFILE=${OSBUILD_EXECUTOR_IAM_PROFILE:-osbuild-executor}
+sudo tee -a /etc/osbuild-worker/osbuild-worker.toml > /dev/null << EOF
+[osbuild_executor]
+type = "aws.ec2"
+iam_profile = "${OSBUILD_EXECUTOR_IAM_PROFILE}"
+EOF
--- a/templates/packer/ansible/roles/common/files/worker-initialization-scripts/worker_executor.sh
+++ b/templates/packer/ansible/roles/common/files/worker-initialization-scripts/worker_executor.sh
@ -1,8 +1,10 @@
 #!/bin/bash
 set -euo pipefail

-# Don't subscribe on fedora
 source /etc/os-release
+source /tmp/cloud_init_vars
+
+# Don't subscribe on fedora
 if [ "$ID" != fedora ]; then
  /usr/local/bin/aws secretsmanager get-secret-value \
    --secret-id executor-subscription-manager-command | jq -r ".SecretString" > /tmp/subscription_manager_command.json
@ -14,6 +16,8 @@ echo "Writing vector config."
 REGION=$(curl -Ls http://169.254.169.254/latest/dynamic/instance-identity/document | jq -r .region)
 HOSTNAME=$(hostname)
 CLOUDWATCH_ENDPOINT="https://logs.$REGION.amazonaws.com"
+OSBUILD_EXECUTOR_CLOUDWATCH_GROUP=${OSBUILD_EXECUTOR_CLOUDWATCH_GROUP:-osbuild-executor-log-group}
+
 sudo mkdir -p /etc/vector
 sudo tee /etc/vector/vector.toml > /dev/null << EOF
 [sources.journald]
@ -25,7 +29,7 @@ type = "aws_cloudwatch_logs"
 inputs = [ "journald" ]
 region = "${REGION}"
 endpoint = "${CLOUDWATCH_ENDPOINT}"
-group_name = "osbuild-executor-log-group"
+group_name = "${OSBUILD_EXECUTOR_CLOUDWATCH_GROUP}"
 stream_name = "osbuild_executor_syslog_${HOSTNAME}"
 encoding.codec = "json"
 EOF
--- a/templates/packer/ansible/roles/common/files/worker-initialization.service
+++ b/templates/packer/ansible/roles/common/files/worker-initialization.service
@ -9,6 +9,7 @@ Type=oneshot
 ExecStart=touch /etc/worker-first-boot
 ExecStart=/usr/local/libexec/worker-initialization-scripts/set_hostname.sh
 ExecStart=/usr/local/libexec/worker-initialization-scripts/vector.sh
+ExecStart=/usr/local/libexec/worker-initialization-scripts/worker_config.sh
 ExecStart=/usr/local/libexec/worker-initialization-scripts/offline_token.sh
 ExecStart=/usr/local/libexec/worker-initialization-scripts/client_credentials.sh
 ExecStart=/usr/local/libexec/worker-initialization-scripts/subscription_manager.sh