Skip to content

Commit

Permalink
Fix the podvm-payload image references
Browse files Browse the repository at this point in the history 
Ensure release tag is used

Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>
  • Loading branch information
@bpradipt
bpradipt committed Apr 5, 2024
1 parent b57ba2c commit bcca723
Show file tree
Hide file tree
Showing 3 changed files with 259 additions and 257 deletions.
122 changes: 62 additions & 60 deletions config/manager/manager.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -35,66 +35,68 @@ spec:
seccompProfile:
type: RuntimeDefault
tolerations:
- effect: NoSchedule
key: node-role.kubernetes.io/master
operator: Exists
- effect: NoExecute
key: node.kubernetes.io/unreachable
operator: Exists
tolerationSeconds: 120
- effect: NoExecute
key: node.kubernetes.io/not-ready
operator: Exists
tolerationSeconds: 120
- effect: NoSchedule
key: node.kubernetes.io/memory-pressure
operator: Exists
- effect: NoSchedule
key: node-role.kubernetes.io/master
operator: Exists
- effect: NoExecute
key: node.kubernetes.io/unreachable
operator: Exists
tolerationSeconds: 120
- effect: NoExecute
key: node.kubernetes.io/not-ready
operator: Exists
tolerationSeconds: 120
- effect: NoSchedule
key: node.kubernetes.io/memory-pressure
operator: Exists
volumes:
- name: ssh
secret:
defaultMode: 384
optional: true
secretName: ssh-key-secret
containers:
- command:
- /manager
args:
- --enable-leader-election
volumeMounts:
- mountPath: /root/.ssh/
name: ssh
readOnly: true
envFrom:
- secretRef:
name: peer-pods-secret
optional: true
- configMapRef:
name: peer-pods-cm
- name: ssh
secret:
defaultMode: 384
optional: true
image: controller:latest
name: manager
env:
- name: PEERPODS_NAMESPACE
value: "openshift-sandboxed-containers-operator"
- name: RELATED_IMAGE_KATA_MONITOR
value: quay.io/openshift_sandboxed_containers/openshift-sandboxed-containers-monitor:latest
- name: SANDBOXED_CONTAINERS_EXTENSION
value: kata-containers
- name: RELATED_IMAGE_CAA
value: registry.redhat.io/openshift-sandboxed-containers/osc-cloud-api-adaptor-rhel9:latest
- name: RELATED_IMAGE_PEERPODS_WEBHOOK
value: "quay.io/confidential-containers/peer-pods-webhook:latest"
imagePullPolicy: Always
resources:
limits:
cpu: 200m
memory: 100Mi
requests:
cpu: 100m
memory: 40Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
secretName: ssh-key-secret
containers:
- command:
- /manager
args:
- --enable-leader-election
volumeMounts:
- mountPath: /root/.ssh/
name: ssh
readOnly: true
envFrom:
- secretRef:
name: peer-pods-secret
optional: true
- configMapRef:
name: peer-pods-cm
optional: true
image: controller:latest
name: manager
env:
- name: PEERPODS_NAMESPACE
value: "openshift-sandboxed-containers-operator"
- name: RELATED_IMAGE_KATA_MONITOR
value: registry.redhat.io/openshift-sandboxed-containers/osc-monitor-rhel9:1.5.3
- name: SANDBOXED_CONTAINERS_EXTENSION
value: kata-containers
- name: RELATED_IMAGE_CAA
value: registry.redhat.io/openshift-sandboxed-containers/osc-cloud-api-adaptor-rhel9:1.5.3
- name: RELATED_IMAGE_PEERPODS_WEBHOOK
value: registry.redhat.io/openshift-sandboxed-containers/osc-cloud-api-adaptor-webhook-rhel9:1.5.3
- name: RELATED_IMAGE_PODVM_PAYLOAD
value: registry.redhat.io/openshift-sandboxed-containers/osc-podvm-payload-rhel9:1.5.3
imagePullPolicy: Always
resources:
limits:
cpu: 200m
memory: 100Mi
requests:
cpu: 100m
memory: 40Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
terminationGracePeriodSeconds: 10
180 changes: 90 additions & 90 deletions config/peerpods/podvm/aws-VM-image-create-job.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -12,99 +12,99 @@ spec:
name: aws-image-creation
spec:
volumes:
- name: shared-data
emptyDir: {}
volumes:
- name: image-id
emptyDir: {}
- name: shared-data
emptyDir: {}
volumes:
- name: image-id
emptyDir: {}

initContainers:
- name: payload
image: registry.redhat.io/openshift-sandboxed-containers/osc-podvm-payload-rhel9:latest
imagePullPolicy: Always
volumeMounts:
- name: shared-data
mountPath: /payload
command: ["/bin/sh"]
args: ["-c", "cp /podvm-binaries.tar.gz /payload/"]
- name: payload
image: registry.redhat.io/openshift-sandboxed-containers/osc-podvm-payload-rhel9:1.5.3
imagePullPolicy: Always
volumeMounts:
- name: shared-data
mountPath: /payload
command: ["/bin/sh"]
args: ["-c", "cp /podvm-binaries.tar.gz /payload/"]

restartPolicy: Never
containers:
- name: create
image: registry.access.redhat.com/ubi9/ubi:9.2
securityContext:
runAsUser: 0 # needed for container mode dnf access
volumeMounts:
- name: shared-data
mountPath: /payload
- name: image-id
mountPath: /output
env:
- name: CLOUD_PROVIDER
value: aws
- name: PODVM_DISTRO
value: rhel
# - name: INSTANCE_TYPE
# value: "t3.small" # default is t3.small, uncomment and modify if not available in your region
# - name: IMAGE_NAME
# value: "aws-podvm-image-name" # set custom image name for custom image if you wish to avoid its deletion
envFrom:
- secretRef:
name: peer-pods-secret
- configMapRef:
name: peer-pods-cm
optional: true
command:
- /bin/sh
- -c
- |
set -e
[[ ! "${IMAGE_NAME}" ]] && UUID=$(uuidgen) && export IMAGE_NAME="peer-pod-ami-${UUID::6}" && echo "IMAGE_NAME:${IMAGE_NAME}"
dnf install -y make git unzip
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
./aws/install
curl https://releases.hashicorp.com/packer/1.9.4/packer_1.9.4_linux_amd64.zip -o packer_1.9.4_linux_amd64.zip
echo "6cd5269c4245aa8c99e551d1b862460d63fe711c58bec618fade25f8492e80d9 packer_1.9.4_linux_amd64.zip" | sha256sum -c
unzip packer_1.9.4_linux_amd64.zip -d /usr/bin/
PATH="/usr/bin:${PATH}"
packer plugins install github.com/hashicorp/amazon
curl -L https://github.com/mikefarah/yq/releases/download/v4.35.2/yq_linux_amd64 -o /usr/bin/yq
echo "8afd786b3b8ba8053409c5e7d154403e2d4ed4cf3e93c237462dc9ef75f38c8d /usr/bin/yq" | sha256sum -c
chmod +x /usr/bin/yq
git clone https://github.com/confidential-containers/cloud-api-adaptor.git && (cd cloud-api-adaptor && git checkout 90ccfc3fa0ee56c2fc61b23ecf3731f819faf875)
[ "$BOOT_FIPS" == "true" ] && sed -i '/exit 0/ifips-mode-setup --enable' cloud-api-adaptor/aws/image/misc-settings.sh
tar xvf /payload/podvm-binaries.tar.gz -C cloud-api-adaptor/podvm/files
mkdir cloud-api-adaptor/podvm/files/pause_bundle # workaround to avoid pause image requirement
[[ ! "${VPC_ID}" ]] && [[ "${AWS_VPC_ID}" ]] && export VPC_ID=${AWS_VPC_ID}
[[ ! "${SUBNET_ID}" ]] && [[ "${AWS_SUBNET_ID}" ]] && export SUBNET_ID=${AWS_SUBNET_ID}
export MAC=$(curl -m 3 -s http://169.254.169.254/latest/meta-data/mac)
[[ ! "${AWS_REGION}" ]] && export AWS_REGION=$(curl -m 30 -s --show-error http://169.254.169.254/latest/meta-data/placement/region)
[[ ! "${AWS_REGION}" ]] && echo "AWS_REGION is missing" && exit 1
[[ ! "${VPC_ID}" ]] && export VPC_ID=$(curl -m 30 -s --show-error http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC}/vpc-id)
[[ ! "${VPC_ID}" ]] && echo "VPC_ID is missing" && exit 1
[[ ! "${SUBNET_ID}" ]] && export SUBNET_ID=$(curl -m 30 -s --show-error http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC}/subnet-id)
[[ ! "${SUBNET_ID}" ]] && echo "SUBNET_ID is missing" && exit 1
cd cloud-api-adaptor/aws/image
LIBC=gnu make BINARIES= PAUSE_BUNDLE= image && \
PODVM_AMI_ID=$(aws ec2 describe-images --query "Images[*].[ImageId]" --filters "Name=name,Values=${IMAGE_NAME}" --region ${AWS_REGION} --output text) && \
echo "PODVM_AMI_ID: \"$PODVM_AMI_ID\"" && \
echo ${PODVM_AMI_ID} > /output/image-id
- name: create
image: registry.access.redhat.com/ubi9/ubi:9.2
securityContext:
runAsUser: 0 # needed for container mode dnf access
volumeMounts:
- name: shared-data
mountPath: /payload
- name: image-id
mountPath: /output
env:
- name: CLOUD_PROVIDER
value: aws
- name: PODVM_DISTRO
value: rhel
# - name: INSTANCE_TYPE
# value: "t3.small" # default is t3.small, uncomment and modify if not available in your region
# - name: IMAGE_NAME
# value: "aws-podvm-image-name" # set custom image name for custom image if you wish to avoid its deletion
envFrom:
- secretRef:
name: peer-pods-secret
- configMapRef:
name: peer-pods-cm
optional: true
command:
- /bin/sh
- -c
- |
set -e
[[ ! "${IMAGE_NAME}" ]] && UUID=$(uuidgen) && export IMAGE_NAME="peer-pod-ami-${UUID::6}" && echo "IMAGE_NAME:${IMAGE_NAME}"
dnf install -y make git unzip
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
./aws/install
curl https://releases.hashicorp.com/packer/1.9.4/packer_1.9.4_linux_amd64.zip -o packer_1.9.4_linux_amd64.zip
echo "6cd5269c4245aa8c99e551d1b862460d63fe711c58bec618fade25f8492e80d9 packer_1.9.4_linux_amd64.zip" | sha256sum -c
unzip packer_1.9.4_linux_amd64.zip -d /usr/bin/
PATH="/usr/bin:${PATH}"
packer plugins install github.com/hashicorp/amazon
curl -L https://github.com/mikefarah/yq/releases/download/v4.35.2/yq_linux_amd64 -o /usr/bin/yq
echo "8afd786b3b8ba8053409c5e7d154403e2d4ed4cf3e93c237462dc9ef75f38c8d /usr/bin/yq" | sha256sum -c
chmod +x /usr/bin/yq
git clone https://github.com/confidential-containers/cloud-api-adaptor.git && (cd cloud-api-adaptor && git checkout 90ccfc3fa0ee56c2fc61b23ecf3731f819faf875)
[ "$BOOT_FIPS" == "true" ] && sed -i '/exit 0/ifips-mode-setup --enable' cloud-api-adaptor/aws/image/misc-settings.sh
tar xvf /payload/podvm-binaries.tar.gz -C cloud-api-adaptor/podvm/files
mkdir cloud-api-adaptor/podvm/files/pause_bundle # workaround to avoid pause image requirement
[[ ! "${VPC_ID}" ]] && [[ "${AWS_VPC_ID}" ]] && export VPC_ID=${AWS_VPC_ID}
[[ ! "${SUBNET_ID}" ]] && [[ "${AWS_SUBNET_ID}" ]] && export SUBNET_ID=${AWS_SUBNET_ID}
export MAC=$(curl -m 3 -s http://169.254.169.254/latest/meta-data/mac)
[[ ! "${AWS_REGION}" ]] && export AWS_REGION=$(curl -m 30 -s --show-error http://169.254.169.254/latest/meta-data/placement/region)
[[ ! "${AWS_REGION}" ]] && echo "AWS_REGION is missing" && exit 1
[[ ! "${VPC_ID}" ]] && export VPC_ID=$(curl -m 30 -s --show-error http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC}/vpc-id)
[[ ! "${VPC_ID}" ]] && echo "VPC_ID is missing" && exit 1
[[ ! "${SUBNET_ID}" ]] && export SUBNET_ID=$(curl -m 30 -s --show-error http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC}/subnet-id)
[[ ! "${SUBNET_ID}" ]] && echo "SUBNET_ID is missing" && exit 1
cd cloud-api-adaptor/aws/image
LIBC=gnu make BINARIES= PAUSE_BUNDLE= image && \
PODVM_AMI_ID=$(aws ec2 describe-images --query "Images[*].[ImageId]" --filters "Name=name,Values=${IMAGE_NAME}" --region ${AWS_REGION} --output text) && \
echo "PODVM_AMI_ID: \"$PODVM_AMI_ID\"" && \
echo ${PODVM_AMI_ID} > /output/image-id
- name: result
image: registry.access.redhat.com/ubi9/ubi:9.2
volumeMounts:
- name: image-id
mountPath: /output
envFrom:
- secretRef:
name: peer-pods-secret
- configMapRef:
name: peer-pods-cm
optional: true
command:
- /bin/sh
- -c
- |
while [ ! -f /output/image-id ]; do sleep 5; done
cat /output/image-id
- name: result
image: registry.access.redhat.com/ubi9/ubi:9.2
volumeMounts:
- name: image-id
mountPath: /output
envFrom:
- secretRef:
name: peer-pods-secret
- configMapRef:
name: peer-pods-cm
optional: true
command:
- /bin/sh
- -c
- |
while [ ! -f /output/image-id ]; do sleep 5; done
cat /output/image-id

0 comments on commit bcca723

Please sign in to comment.