[release-2.9][backport] feat: embed k8s rpms in container

mesosphere · Aug 21, 2024 · c37a61f · c37a61f
1 parent 5765f64
commit c37a61f
Show file tree

Hide file tree

Showing 15 changed files with 155 additions and 25 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -31,8 +31,8 @@ ARG BUILDARCH
 # we copy this to remote hosts to execute GOSS
 # Packer copies /usr/local/bin/goss-amd64 from this container to the remote host
 COPY --from=devkit /usr/local/bin/goss-amd64 /usr/local/bin/goss-amd64
-
-COPY --from=devkit /opt/amazon-ssm-agent.rpm /opt/amazon-ssm-agent.rpm
+COPY --from=devkit /opt/*.rpm /opt
+COPY --from=devkit /opt/d2iq-sign-authority-gpg-public-key /opt/d2iq-sign-authority-gpg-public-key
 
 # we copy this to remote hosts to execute mindthegap so its always amd64
 COPY --from=devkit /usr/local/bin/mindthegap /usr/local/bin/

diff --git a/Dockerfile.devkit b/Dockerfile.devkit
@@ -79,6 +79,33 @@ RUN chmod +rx /usr/local/bin/goss-amd64
 ARG BUILDARCH
 RUN ln -s /usr/local/bin/goss-${BUILDARCH} /usr/local/bin/goss
 RUN curl -o /opt/amazon-ssm-agent.rpm https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm
+COPY ansible ansible
+# Fetch nokmem rpms
+RUN \
+  export KUBERNETES_VERSION=$(awk -F': ' '/kubernetes_version/ {print $2}' ansible/group_vars/all/defaults.yaml | sed -n '2p' | xargs) && \
+  echo ${KUBERNETES_VERSION} && \
+  curl -o /opt/kubectl-${KUBERNETES_VERSION}-0.rpm https://packages.d2iq.com/konvoy/stable/linux/repos/el/kubernetes-v${KUBERNETES_VERSION}-nokmem/x86_64/kubectl-${KUBERNETES_VERSION}-0.x86_64.rpm && \
+  curl -o /opt/kubeadm-${KUBERNETES_VERSION}-0.rpm https://packages.d2iq.com/konvoy/stable/linux/repos/el/kubernetes-v${KUBERNETES_VERSION}-nokmem/x86_64/kubeadm-${KUBERNETES_VERSION}-0.x86_64.rpm && \
+  curl -o /opt/kubelet-${KUBERNETES_VERSION}-0.rpm https://packages.d2iq.com/konvoy/stable/linux/repos/el/kubernetes-v${KUBERNETES_VERSION}-nokmem/x86_64/kubelet-${KUBERNETES_VERSION}-0.x86_64.rpm && \
+  export CRICTL_TOOLS_VERSION="$(echo ${KUBERNETES_VERSION} | cut -d. -f1-2).0" && \
+  curl -o  /opt/cri-tools-${CRICTL_TOOLS_VERSION}-0.rpm https://packages.d2iq.com/konvoy/stable/linux/repos/el/kubernetes-v${KUBERNETES_VERSION}-nokmem/x86_64/cri-tools-${CRICTL_TOOLS_VERSION}-0.x86_64.rpm && \
+  export CNI_VERSION=$(awk -F': ' '/kubernetes_cni_version/ {print $2}' ansible/group_vars/all/defaults.yaml | sed -n '1p' | xargs) && \
+  curl -o /opt/kubernetes-cni-${CNI_VERSION}-0.rpm https://packages.d2iq.com/konvoy/stable/linux/repos/el/kubernetes-v${KUBERNETES_VERSION}-nokmem/x86_64/kubernetes-cni-${CNI_VERSION}-0.x86_64.rpm
+
+
+# Fetch fips rpms
+RUN \
+  export KUBERNETES_VERSION=$(awk -F': ' '/kubernetes_version/ {print $2}' ansible/group_vars/all/defaults.yaml | sed -n '2p' | xargs) && \
+  echo ${KUBERNETES_VERSION} && \
+  curl -o /opt/kubectl-${KUBERNETES_VERSION}-0-fips.rpm https://packages.d2iq.com/konvoy/stable/linux/repos/el/kubernetes-v${KUBERNETES_VERSION}-fips/x86_64/kubectl-${KUBERNETES_VERSION}-0.x86_64.rpm && \
+  curl -o /opt/kubeadm-${KUBERNETES_VERSION}-0-fips.rpm https://packages.d2iq.com/konvoy/stable/linux/repos/el/kubernetes-v${KUBERNETES_VERSION}-fips/x86_64/kubeadm-${KUBERNETES_VERSION}-0.x86_64.rpm && \
+  curl -o /opt/kubelet-${KUBERNETES_VERSION}-0-fips.rpm https://packages.d2iq.com/konvoy/stable/linux/repos/el/kubernetes-v${KUBERNETES_VERSION}-fips/x86_64/kubelet-${KUBERNETES_VERSION}-0.x86_64.rpm && \
+  export CRICTL_TOOLS_VERSION="$(echo ${KUBERNETES_VERSION} | cut -d. -f1-2).0" && \
+  curl -o  /opt/cri-tools-${CRICTL_TOOLS_VERSION}-0-fips.rpm https://packages.d2iq.com/konvoy/stable/linux/repos/el/kubernetes-v${KUBERNETES_VERSION}-nokmem/x86_64/cri-tools-${CRICTL_TOOLS_VERSION}-0.x86_64.rpm && \
+  export CNI_VERSION=$(awk -F': ' '/kubernetes_cni_version/ {print $2}' ansible/group_vars/all/defaults.yaml | sed -n '1p' | xargs) && \
+  curl -o /opt/kubernetes-cni-${CNI_VERSION}-0-fips.rpm https://packages.d2iq.com/konvoy/stable/linux/repos/el/kubernetes-v${KUBERNETES_VERSION}-fips/x86_64/kubernetes-cni-${CNI_VERSION}-0.x86_64.rpm
+
+RUN curl -o /opt/d2iq-sign-authority-gpg-public-key https://packages.d2iq.com/konvoy/stable/linux/repos/d2iq-sign-authority-gpg-public-key
 
 COPY --from=packer-amd64 /bin/packer /usr/local/bin/packer-amd64
 COPY --from=packer-arm64 /bin/packer /usr/local/bin/packer-arm64

diff --git a/ansible/roles/kubeadm/tasks/redhat.yaml b/ansible/roles/kubeadm/tasks/redhat.yaml
@@ -14,9 +14,43 @@
       not 'kubeadm-' + package_versions.kubernetes_rpm in exportedversionlocklist.stdout
       )"
 
+- block:
+  - name: copy cri-tools rpm
+    copy:
+      src: "/opt/{{ 'cri-tools-' + critools_rpm }}{{ '-fips' if fips.enabled else '' }}.rpm"
+      dest: "/opt/{{ 'cri-tools-' + critools_rpm }}.rpm"
+
+  - name: install cri-tools rpm package
+    yum:
+      name: "/opt/{{ 'cri-tools-' + critools_rpm }}.rpm"
+      state: present
+      update_cache: true
+      enablerepo: "{{ 'offline' if offline_mode_enabled else '' }}"
+      disablerepo: "{{ '*' if offline_mode_enabled else '' }}"
+    register: result
+    until: result is success
+    retries: 3
+    delay: 3
+
+# If the rpms for the kubernetes version provided by the customer
+# exists on the current container, we should copy it to the remote
+# and install it with the file.
+- name: check kubeadm rpm exists for provided version
+  stat:
+    path: "/opt/{{ 'kubeadm-' + package_versions.kubernetes_rpm }}{{ '-fips' if fips.enabled else '' }}.rpm"
+  delegate_to: localhost
+  register: haslocalkubeadm
+  become: false
+
+- name: copy kubeadm rpm
+  copy:
+    src: "/opt/{{ 'kubeadm-' + package_versions.kubernetes_rpm }}{{ '-fips' if fips.enabled else '' }}.rpm"
+    dest: "/opt/{{ 'kubeadm-' + package_versions.kubernetes_rpm }}.rpm"
+  when: haslocalkubeadm.stat.exists
+
 - name: install kubeadm rpm package
   yum:
-    name: "{{ 'kubeadm-' + package_versions.kubernetes_rpm }}"
+    name: "{{ '/opt/' if haslocalkubeadm.stat.exists }}{{ 'kubeadm-' + package_versions.kubernetes_rpm }}{{ '.rpm' if haslocalkubeadm.stat.exists }}"
     state: present
     update_cache: true
     enablerepo: "{{ 'offline' if offline_mode_enabled else '' }}"
@@ -34,4 +68,4 @@
   changed_when: |
     'command_result.stdout is regex(".*versionlock added: [1-9]+.*")'
   when:
-    - versionlock_plugin_enabled
+    - versionlock_plugin_enabled
diff --git a/ansible/roles/packages/tasks/redhat.yaml b/ansible/roles/packages/tasks/redhat.yaml
@@ -65,9 +65,47 @@
     - versionlock_plugin_enabled
     - item in exportedversionlocklist.stdout
 
+# If the rpms for the kubernetes version provided by the customer
+# exists on the current container, we should copy it to the remote
+# and install it with the file.
+- name: check kubernetes rpms exist for provided version
+  stat:
+    path: "/opt/{{ 'kubectl-' + package_versions.kubernetes_rpm }}{{ '-fips' if fips.enabled else '' }}.rpm"
+  delegate_to: localhost
+  register: haslocalk8srpms
+  become: false
+
+- block:
+    - name: copy gpg key
+      copy:
+        src: /opt/d2iq-sign-authority-gpg-public-key
+        dest: /opt/d2iq-sign-authority-gpg-public-key
+
+    - name: import key
+      ansible.builtin.rpm_key:
+        state: present
+        key: /opt/d2iq-sign-authority-gpg-public-key
+
+    - name: copy kubectl rpm
+      copy:
+        src: "/opt/{{ 'kubectl-' + package_versions.kubernetes_rpm }}{{ '-fips' if fips.enabled else '' }}.rpm"
+        dest: "/opt/{{ 'kubectl-' + package_versions.kubernetes_rpm }}.rpm"
+
+    - name: copy kubernetes_cni rpm
+      copy:
+        src: "/opt/{{ 'kubernetes-cni-' + kubernetes_cni_version }}-0{{ '-fips' if fips.enabled else '' }}.rpm"
+        dest: "/opt/{{ 'kubernetes-cni-' + kubernetes_cni_version }}-0.rpm"
+
+    - name: copy kubelet rpm
+      copy:
+        src: "/opt/{{ 'kubelet-' + package_versions.kubernetes_rpm }}{{ '-fips' if fips.enabled else '' }}.rpm"
+        dest: "/opt/{{ 'kubelet-' + package_versions.kubernetes_rpm }}.rpm"
+  when:
+    - haslocalk8srpms.stat.exists
+
 - name: install kubectl rpm package
   yum:
-    name: "{{ 'kubectl-' + package_versions.kubernetes_rpm }}"
+    name: "{{ '/opt/' if haslocalk8srpms.stat.exists }}{{ 'kubectl-' + package_versions.kubernetes_rpm }}{{ '.rpm' if haslocalk8srpms.stat.exists }}"
     state: present
     update_cache: true
     enablerepo: "{{ 'offline' if offline_mode_enabled else '' }}"
@@ -77,15 +115,17 @@
   retries: 3
   delay: 3
 
-- name: install kubelet rpm package
+- name: install kubernetes_cni and kubelet rpm packages
   yum:
-    name: "{{ 'kubelet-' + package_versions.kubernetes_rpm }}"
+    name:
+      - "{{ '/opt/' if haslocalk8srpms.stat.exists }}{{ 'kubernetes-cni-' + kubernetes_cni_version }}-0{{ '.rpm' if haslocalk8srpms.stat.exists }}"
+      - "{{ '/opt/' if haslocalk8srpms.stat.exists }}{{ 'kubelet-' + package_versions.kubernetes_rpm }}{{ '.rpm' if haslocalk8srpms.stat.exists }}"
     state: present
     update_cache: true
     enablerepo: "{{ 'offline' if offline_mode_enabled else '' }}"
     disablerepo: "{{ '*' if offline_mode_enabled else '' }}"
-  register: kubelet_installation_rpm
-  until: kubelet_installation_rpm is success
+  register: installation_rpm
+  until: installation_rpm is success
   retries: 3
   delay: 3
 
@@ -100,4 +140,4 @@
   changed_when: >
     'command_result.stdout is regex(".*versionlock added: [1-9]+.*")'
   when:
-    - versionlock_plugin_enabled
+    - versionlock_plugin_enabled
diff --git a/bundles/centos7.9/bundle.sh.gotmpl b/bundles/centos7.9/bundle.sh.gotmpl
@@ -12,6 +12,7 @@ echo skip_missing_names_on_install=False >> /etc/yum.conf
 yum -y install epel-release gettext yum-utils createrepo
 yum clean all
 TMP_DIR="$(mktemp -d repodata-XXXX)"
+chmod 777 -R "${TMP_DIR}"
 cp packages.txt "${TMP_DIR}"
 pushd "${TMP_DIR}"
 #shellcheck disable=SC2046

diff --git a/bundles/redhat7.9/bundle.sh.gotmpl b/bundles/redhat7.9/bundle.sh.gotmpl
@@ -58,6 +58,7 @@ subscription-manager repos --enable=rhel-7-server-extras-rpms
 yum -y install createrepo gettext yum-utils https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
 yum clean all
 TMP_DIR="$(mktemp -d repodata-XXXX)"
+chmod 777 -R "${TMP_DIR}"
 cp packages.txt "${TMP_DIR}"
 pushd "${TMP_DIR}"
 #shellcheck disable=SC2046

diff --git a/bundles/redhat8.4/bundle.sh.gotmpl b/bundles/redhat8.4/bundle.sh.gotmpl
@@ -51,6 +51,7 @@ subscription-manager repos --enable rhel-8-for-x86_64-appstream-rpms
 yum --disablerepo=appstream-centos -y install gettext yum-utils createrepo dnf-utils
 yum clean all
 TMP_DIR="$(mktemp -d repodata-XXXX)"
+chmod 777 -R "${TMP_DIR}"
 cp packages.txt "${TMP_DIR}"
 pushd "${TMP_DIR}"
 #shellcheck disable=SC2046,SC2062,SC2063,SC2035

diff --git a/bundles/redhat8.6/bundle.sh.gotmpl b/bundles/redhat8.6/bundle.sh.gotmpl
@@ -55,15 +55,15 @@ if [[ -z "${SKIP_SUBSCRIPTION_MANAGER}" ]]; then
   subscription-manager refresh
   subscription::defer_unregister
 
-  ENABLED_REPOS="kubernetes,codeready-builder-for-rhel-8-x86_64-rpms,rhel-8-for-x86_64-appstream-rpms,rhel-8-for-x86_64-baseos-rpms"
+  ENABLED_REPOS="codeready-builder-for-rhel-8-x86_64-rpms,rhel-8-for-x86_64-appstream-rpms,rhel-8-for-x86_64-baseos-rpms"
   EUS_REPOS=${EUS_REPOS:-""}
   if [[ -n "${EUS_REPOS}" ]]; then
     #disables the standard repositories which should not be enabled when using EUS
     subscription-manager repos --disable=rhel-8-for-x86_64-baseos-rpms --disable=rhel-8-for-x86_64-appstream-rpms
     subscription-manager repos --enable rhel-8-for-x86_64-baseos-eus-rpms
     subscription-manager repos --enable rhel-8-for-x86_64-appstream-eus-rpms
     subscription-manager repos --enable codeready-builder-for-rhel-8-x86_64-eus-rpms
-    ENABLED_REPOS="kubernetes,codeready-builder-for-rhel-8-x86_64-eus-rpms,rhel-8-for-x86_64-appstream-eus-rpms,rhel-8-for-x86_64-baseos-eus-rpms"
+    ENABLED_REPOS="codeready-builder-for-rhel-8-x86_64-eus-rpms,rhel-8-for-x86_64-appstream-eus-rpms,rhel-8-for-x86_64-baseos-eus-rpms"
   else
     subscription-manager repos --enable codeready-builder-for-rhel-8-x86_64-rpms
     subscription-manager repos --enable rhel-8-for-x86_64-appstream-rpms
@@ -73,6 +73,11 @@ else
   echo "Bypassing subscription-manager and upstream RHEL repositories due to --skip-subscription-manager being set to true."
 fi
 
+KUBERNETES_REPOS=${KUBERNETES_REPOS:-""}
+if [[ -n "${KUBERNETES_REPOS}" ]]; then
+  ENABLED_REPOS="${ENABLED_REPOS},kubernetes"
+fi
+
 if [[ -f /etc/yum.repos.d/user-repos.repo ]]; then
   USER_REPOS="$(awk -F '[][]' '/^\[.*\]/ {print $2}' /etc/yum.repos.d/user-repos.repo | paste -sd, -)"
   if [[ -n "${ENABLED_REPOS}" ]] && [[ -n "${USER_REPOS}" ]]; then

diff --git a/bundles/redhat8.6/packages.txt.gotmpl b/bundles/redhat8.6/packages.txt.gotmpl
@@ -15,16 +15,18 @@ yum-utils
 cloud-init
 cloud-utils-growpart
 container-selinux
+{{ if .FetchKubernetesRPMs -}}
 kubectl-{{ .KubernetesVersion }}-0
 kubelet-{{ .KubernetesVersion }}-0
 kubeadm-{{ .KubernetesVersion }}-0
+cri-tools
+{{- end }}
 conntrack
 ebtables
 ethtool
 iproute
 iptables
 socat
-cri-tools
 gcc
 make
 elfutils-libelf-devel

diff --git a/bundles/redhat8.8/bundle.sh.gotmpl b/bundles/redhat8.8/bundle.sh.gotmpl
@@ -55,15 +55,15 @@ if [[ -z "${SKIP_SUBSCRIPTION_MANAGER}" ]]; then
   subscription-manager refresh
   subscription::defer_unregister
 
-  ENABLED_REPOS="kubernetes,codeready-builder-for-rhel-8-x86_64-rpms,rhel-8-for-x86_64-appstream-rpms,rhel-8-for-x86_64-baseos-rpms"
+  ENABLED_REPOS="codeready-builder-for-rhel-8-x86_64-rpms,rhel-8-for-x86_64-appstream-rpms,rhel-8-for-x86_64-baseos-rpms"
   EUS_REPOS=${EUS_REPOS:-""}
   if [[ -n "${EUS_REPOS}" ]]; then
     #disables the standard repositories which should not be enabled when using EUS
     subscription-manager repos --disable=rhel-8-for-x86_64-baseos-rpms --disable=rhel-8-for-x86_64-appstream-rpms
     subscription-manager repos --enable rhel-8-for-x86_64-baseos-eus-rpms
     subscription-manager repos --enable rhel-8-for-x86_64-appstream-eus-rpms
     subscription-manager repos --enable codeready-builder-for-rhel-8-x86_64-eus-rpms
-    ENABLED_REPOS="kubernetes,codeready-builder-for-rhel-8-x86_64-eus-rpms,rhel-8-for-x86_64-appstream-eus-rpms,rhel-8-for-x86_64-baseos-eus-rpms"
+    ENABLED_REPOS="codeready-builder-for-rhel-8-x86_64-eus-rpms,rhel-8-for-x86_64-appstream-eus-rpms,rhel-8-for-x86_64-baseos-eus-rpms"
   else
     subscription-manager repos --enable codeready-builder-for-rhel-8-x86_64-rpms
     subscription-manager repos --enable rhel-8-for-x86_64-appstream-rpms
@@ -73,6 +73,11 @@ else
   echo "Bypassing subscription-manager and upstream RHEL repositories due to --skip-subscription-manager being set to true."
 fi
 
+KUBERNETES_REPOS=${KUBERNETES_REPOS:-""}
+if [[ -n "${KUBERNETES_REPOS}" ]]; then
+  ENABLED_REPOS="${ENABLED_REPOS},kubernetes"
+fi
+
 if [[ -f /etc/yum.repos.d/user-repos.repo ]]; then
   USER_REPOS="$(awk -F '[][]' '/^\[.*\]/ {print $2}' /etc/yum.repos.d/user-repos.repo | paste -sd, -)"
   if [[ -n "${ENABLED_REPOS}" ]] && [[ -n "${USER_REPOS}" ]]; then

diff --git a/bundles/redhat8.8/packages.txt.gotmpl b/bundles/redhat8.8/packages.txt.gotmpl
@@ -15,16 +15,18 @@ yum-utils
 cloud-init
 cloud-utils-growpart
 container-selinux
+{{ if .FetchKubernetesRPMs -}}
 kubectl-{{ .KubernetesVersion }}-0
 kubelet-{{ .KubernetesVersion }}-0
 kubeadm-{{ .KubernetesVersion }}-0
+cri-tools
+{{- end }}
 conntrack
 ebtables
 ethtool
 iproute
 iptables
 socat
-cri-tools
 gcc
 make
 libseccomp

diff --git a/bundles/rocky9.1/bundle.sh.gotmpl b/bundles/rocky9.1/bundle.sh.gotmpl
@@ -8,14 +8,14 @@ echo skip_missing_names_on_install=False >> /etc/yum.conf
 yum -y install epel-release gettext yum-utils createrepo dnf-utils
 yum clean all
 TMP_DIR="$(mktemp -d repodata-XXXX)"
+chmod 777 -R "${TMP_DIR}"
 cp packages.txt "${TMP_DIR}"
 pushd "${TMP_DIR}"
 #shellcheck disable=SC2046
 repoquery --archlist=x86_64,noarch  --resolve --requires --recursive  $(< packages.txt) | xargs -r yumdownloader --archlist=x86_64,noarch -x \*i686
 #shellcheck disable=SC2046
 yumdownloader  --archlist=x86_64,noarch -x \*i686 $(< packages.txt)
 rm packages.txt
-curl https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm -o amazon-ssm-agent.rpm
 createrepo -v . && chown -R 1000:1000 repodata/
 #shellcheck disable=SC1083,SC2035
 tar -czf {{ .OutputDirectory }}/{{ .KubernetesVersion }}_rocky_9.1_x86_64.tar.gz *

diff --git a/bundles/rocky9.1/packages.txt.gotmpl b/bundles/rocky9.1/packages.txt.gotmpl
@@ -15,16 +15,18 @@ yum-utils
 cloud-init
 cloud-utils-growpart
 container-selinux
+{{ if .FetchKubernetesRPMs -}}
 kubectl-{{ .KubernetesVersion }}-0
 kubelet-{{ .KubernetesVersion }}-0
 kubeadm-{{ .KubernetesVersion }}-0
+cri-tools
+{{- end }}
 conntrack
 ebtables
 ethtool
 iproute
 iptables
 socat
-cri-tools
 gcc
 libseccomp
 nfs-utils

diff --git a/bundles/ubuntu20.04/bundle.sh.gotmpl b/bundles/ubuntu20.04/bundle.sh.gotmpl
@@ -24,6 +24,7 @@ sed -i 's/cri-tools/cri-tools='"{{ .CRIToolsVersion }}-${DEB_PATCH_VERSION}"'/'
 sed -i 's/cloud-init/cloud-init='"23.1.2-0ubuntu0~20.04.2"'/' /tmp/packages
 
 TMP_DIR="$(mktemp -d repodata-XXXX)"
+chmod 777 -R "${TMP_DIR}"
 pushd "${TMP_DIR}"
 #shellcheck disable=SC2046
 apt-get download $(< /tmp/packages)