[wip]feat: changes to support network restricted environments when creating RHEL OS bundles

Dockerfile

@@ -31,6 +31,8 @@ ARG BUILDARCH
 # we copy this to remote hosts to execute GOSS
 # Packer copies /usr/local/bin/goss-amd64 from this container to the remote host
 COPY --from=devkit /usr/local/bin/goss-amd64 /usr/local/bin/goss-amd64
+COPY --from=devkit /opt/*.rpm /opt
+COPY --from=devkit /opt/d2iq-sign-authority-gpg-public-key /opt/d2iq-sign-authority-gpg-public-key
 
 # we copy this to remote hosts to execute mindthegap so its always amd64
 COPY --from=devkit /usr/local/bin/mindthegap /usr/local/bin/

Dockerfile.devkit

@@ -78,6 +78,34 @@ RUN curl -L "https://github.com/goss-org/goss/releases/download/${GOSS_VERSION}/
 RUN chmod +rx /usr/local/bin/goss-amd64
 ARG BUILDARCH
 RUN ln -s /usr/local/bin/goss-${BUILDARCH} /usr/local/bin/goss
+RUN curl -o /opt/amazon-ssm-agent.rpm https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm
+COPY ansible ansible
+# Fetch nokmem rpms
+RUN \
+  export KUBERNETES_VERSION=$(awk -F': ' '/kubernetes_version/ {print $2}' ansible/group_vars/all/defaults.yaml | sed -n '2p' | xargs) && \
+  echo ${KUBERNETES_VERSION} && \
+  curl -o /opt/kubectl-${KUBERNETES_VERSION}-0.rpm https://packages.d2iq.com/konvoy/stable/linux/repos/el/kubernetes-v${KUBERNETES_VERSION}-nokmem/x86_64/kubectl-${KUBERNETES_VERSION}-0.x86_64.rpm && \
+  curl -o /opt/kubeadm-${KUBERNETES_VERSION}-0.rpm https://packages.d2iq.com/konvoy/stable/linux/repos/el/kubernetes-v${KUBERNETES_VERSION}-nokmem/x86_64/kubeadm-${KUBERNETES_VERSION}-0.x86_64.rpm && \
+  curl -o /opt/kubelet-${KUBERNETES_VERSION}-0.rpm https://packages.d2iq.com/konvoy/stable/linux/repos/el/kubernetes-v${KUBERNETES_VERSION}-nokmem/x86_64/kubelet-${KUBERNETES_VERSION}-0.x86_64.rpm && \
+  export CRICTL_TOOLS_VERSION="$(echo ${KUBERNETES_VERSION} | cut -d. -f1-2).0" && \
+  curl -o  /opt/cri-tools-${CRICTL_TOOLS_VERSION}-0.rpm https://packages.d2iq.com/konvoy/stable/linux/repos/el/kubernetes-v${KUBERNETES_VERSION}-nokmem/x86_64/cri-tools-${CRICTL_TOOLS_VERSION}-0.x86_64.rpm && \
+  export CNI_VERSION=$(awk -F': ' '/kubernetes_cni_version/ {print $2}' ansible/group_vars/all/defaults.yaml | sed -n '1p' | xargs) && \
+  curl -o /opt/kubernetes-cni-${CNI_VERSION}-0.rpm https://packages.d2iq.com/konvoy/stable/linux/repos/el/kubernetes-v${KUBERNETES_VERSION}-nokmem/x86_64/kubernetes-cni-${CNI_VERSION}-0.x86_64.rpm
+
+
+# Fetch fips rpms
+RUN \
+  export KUBERNETES_VERSION=$(awk -F': ' '/kubernetes_version/ {print $2}' ansible/group_vars/all/defaults.yaml | sed -n '2p' | xargs) && \
+  echo ${KUBERNETES_VERSION} && \
+  curl -o /opt/kubectl-${KUBERNETES_VERSION}-0-fips.rpm https://packages.d2iq.com/konvoy/stable/linux/repos/el/kubernetes-v${KUBERNETES_VERSION}-fips/x86_64/kubectl-${KUBERNETES_VERSION}-0.x86_64.rpm && \
+  curl -o /opt/kubeadm-${KUBERNETES_VERSION}-0-fips.rpm https://packages.d2iq.com/konvoy/stable/linux/repos/el/kubernetes-v${KUBERNETES_VERSION}-fips/x86_64/kubeadm-${KUBERNETES_VERSION}-0.x86_64.rpm && \
+  curl -o /opt/kubelet-${KUBERNETES_VERSION}-0-fips.rpm https://packages.d2iq.com/konvoy/stable/linux/repos/el/kubernetes-v${KUBERNETES_VERSION}-fips/x86_64/kubelet-${KUBERNETES_VERSION}-0.x86_64.rpm && \
+  export CRICTL_TOOLS_VERSION="$(echo ${KUBERNETES_VERSION} | cut -d. -f1-2).0" && \
+  curl -o  /opt/cri-tools-${CRICTL_TOOLS_VERSION}-0-fips.rpm https://packages.d2iq.com/konvoy/stable/linux/repos/el/kubernetes-v${KUBERNETES_VERSION}-nokmem/x86_64/cri-tools-${CRICTL_TOOLS_VERSION}-0.x86_64.rpm && \
+  export CNI_VERSION=$(awk -F': ' '/kubernetes_cni_version/ {print $2}' ansible/group_vars/all/defaults.yaml | sed -n '1p' | xargs) && \
+  curl -o /opt/kubernetes-cni-${CNI_VERSION}-0-fips.rpm https://packages.d2iq.com/konvoy/stable/linux/repos/el/kubernetes-v${KUBERNETES_VERSION}-fips/x86_64/kubernetes-cni-${CNI_VERSION}-0.x86_64.rpm
+
+RUN curl -o /opt/d2iq-sign-authority-gpg-public-key https://packages.d2iq.com/konvoy/stable/linux/repos/d2iq-sign-authority-gpg-public-key
 
 COPY --from=packer-amd64 /bin/packer /usr/local/bin/packer-amd64
 COPY --from=packer-arm64 /bin/packer /usr/local/bin/packer-arm64

ansible/roles/kubeadm/tasks/redhat.yaml

@@ -14,9 +14,43 @@
       not 'kubeadm-' + package_versions.kubernetes_rpm in exportedversionlocklist.stdout
       )"
 
+- block:
+  - name: copy cri-tools rpm
+    copy:
+      src: "/opt/{{ 'cri-tools-' + critools_rpm }}{{ '-fips' if fips.enabled else '' }}.rpm"
+      dest: "/opt/{{ 'cri-tools-' + critools_rpm }}.rpm"
+
+  - name: install cri-tools rpm package
+    yum:
+      name: "/opt/{{ 'cri-tools-' + critools_rpm }}.rpm"
+      state: present
+      update_cache: true
+      enablerepo: "{{ 'offline' if offline_mode_enabled else '' }}"
+      disablerepo: "{{ '*' if offline_mode_enabled else '' }}"
+    register: result
+    until: result is success
+    retries: 3
+    delay: 3
+
+# If the rpms for the kubernetes version provided by the customer
+# exists on the current container, we should copy it to the remote
+# and install it with the file.
+- name: check kubeadm rpm exists for provided version
+  stat:
+    path: "/opt/{{ 'kubeadm-' + package_versions.kubernetes_rpm }}{{ '-fips' if fips.enabled else '' }}.rpm"
+  delegate_to: localhost
+  register: haslocalkubeadm
+  become: false
+
+- name: copy kubeadm rpm
+  copy:
+    src: "/opt/{{ 'kubeadm-' + package_versions.kubernetes_rpm }}{{ '-fips' if fips.enabled else '' }}.rpm"
+    dest: "/opt/{{ 'kubeadm-' + package_versions.kubernetes_rpm }}.rpm"
+  when: haslocalkubeadm.stat.exists
+
 - name: install kubeadm rpm package
   yum:
-    name: "{{ 'kubeadm-' + package_versions.kubernetes_rpm }}"
+    name: "{{ '/opt/' if haslocalkubeadm.stat.exists }}{{ 'kubeadm-' + package_versions.kubernetes_rpm }}{{ '.rpm' if haslocalkubeadm.stat.exists }}"
     state: present
     update_cache: true
     enablerepo: "{{ 'offline' if offline_mode_enabled else '' }}"
@@ -34,4 +68,4 @@
   changed_when: |
     'command_result.stdout is regex(".*versionlock added: [1-9]+.*")'
   when:
-    - versionlock_plugin_enabled
+    - versionlock_plugin_enabled

ansible/roles/packages/tasks/redhat.yaml

@@ -65,9 +65,47 @@
     - versionlock_plugin_enabled
     - item in exportedversionlocklist.stdout
 
+# If the rpms for the kubernetes version provided by the customer
+# exists on the current container, we should copy it to the remote
+# and install it with the file.
+- name: check kubernetes rpms exist for provided version
+  stat:
+    path: "/opt/{{ 'kubectl-' + package_versions.kubernetes_rpm }}{{ '-fips' if fips.enabled else '' }}.rpm"
+  delegate_to: localhost
+  register: haslocalk8srpms
+  become: false
+
+- block:
+    - name: copy gpg key
+      copy:
+        src: /opt/d2iq-sign-authority-gpg-public-key
+        dest: /opt/d2iq-sign-authority-gpg-public-key
+
+    - name: import key
+      ansible.builtin.rpm_key:
+        state: present
+        key: /opt/d2iq-sign-authority-gpg-public-key
+
+    - name: copy kubectl rpm
+      copy:
+        src: "/opt/{{ 'kubectl-' + package_versions.kubernetes_rpm }}{{ '-fips' if fips.enabled else '' }}.rpm"
+        dest: "/opt/{{ 'kubectl-' + package_versions.kubernetes_rpm }}.rpm"
+
+    - name: copy kubernetes_cni rpm
+      copy:
+        src: "/opt/{{ 'kubernetes-cni-' + kubernetes_cni_version }}-0{{ '-fips' if fips.enabled else '' }}.rpm"
+        dest: "/opt/{{ 'kubernetes-cni-' + kubernetes_cni_version }}-0.rpm"
+
+    - name: copy kubelet rpm
+      copy:
+        src: "/opt/{{ 'kubelet-' + package_versions.kubernetes_rpm }}{{ '-fips' if fips.enabled else '' }}.rpm"
+        dest: "/opt/{{ 'kubelet-' + package_versions.kubernetes_rpm }}.rpm"
+  when:
+    - haslocalk8srpms.stat.exists
+
 - name: install kubectl rpm package
   yum:
-    name: "{{ 'kubectl-' + package_versions.kubernetes_rpm }}"
+    name: "{{ '/opt/' if haslocalk8srpms.stat.exists }}{{ 'kubectl-' + package_versions.kubernetes_rpm }}{{ '.rpm' if haslocalk8srpms.stat.exists }}"
     state: present
     update_cache: true
     enablerepo: "{{ 'offline' if offline_mode_enabled else '' }}"
@@ -77,15 +115,17 @@
   retries: 3
   delay: 3
 
-- name: install kubelet rpm package
+- name: install kubernetes_cni and kubelet rpm packages
   yum:
-    name: "{{ 'kubelet-' + package_versions.kubernetes_rpm }}"
+    name:
+      - "{{ '/opt/' if haslocalk8srpms.stat.exists }}{{ 'kubernetes-cni-' + kubernetes_cni_version }}-0{{ '.rpm' if haslocalk8srpms.stat.exists }}"
+      - "{{ '/opt/' if haslocalk8srpms.stat.exists }}{{ 'kubelet-' + package_versions.kubernetes_rpm }}{{ '.rpm' if haslocalk8srpms.stat.exists }}"
     state: present
     update_cache: true
     enablerepo: "{{ 'offline' if offline_mode_enabled else '' }}"
     disablerepo: "{{ '*' if offline_mode_enabled else '' }}"
-  register: kubelet_installation_rpm
-  until: kubelet_installation_rpm is success
+  register: installation_rpm
+  until: installation_rpm is success
   retries: 3
   delay: 3
 
@@ -100,4 +140,4 @@
   changed_when: >
     'command_result.stdout is regex(".*versionlock added: [1-9]+.*")'
   when:
-    - versionlock_plugin_enabled
+    - versionlock_plugin_enabled

ansible/roles/providers/tasks/aws.yml

@@ -42,38 +42,34 @@
     - ansible_distribution != "Amazon"
     - ansible_os_family != "Suse"
 
-- name: install aws agents RPM
-  package:
-    name: "{{ item }}"
-    state: present
-    # must be fixed by amazon https://github.com/aws/amazon-ssm-agent/issues/235
-    disable_gpg_check: yes
-    enablerepo: "{{ 'offline' if offline_mode_enabled else '' }}"
-    disablerepo: "{{ '*' if offline_mode_enabled else '' }}"
-  with_items:
-    - "{{ 'amazon-ssm-agent' if offline_mode_enabled else 'https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm' }}"
-  when:
-    - ansible_os_family == "RedHat"
-    - ansible_distribution != "Amazon"
 
-- name: install aws agents RPM
-  package:
-    name: "{{ item }}"
-    state: present
-    # must be fixed by amazon https://github.com/aws/amazon-ssm-agent/issues/235
-    disable_gpg_check: yes
-  with_items:
-    - https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm
-  when:
-    - ansible_os_family == "Suse"
-    - ansible_distribution != "Amazon"
+- block:
+  - name: copy ssm rpm
+    copy:
+      src: /opt/amazon-ssm-agent.rpm
+      dest: /opt/amazon-ssm-agent.rpm
 
-- name: install aws agents RPM
+  - name: install aws agents RPM
+    ansible.builtin.yum:
+      name: /opt/amazon-ssm-agent.rpm
+      state: present
+      disable_gpg_check: yes
+      enablerepo: "{{ 'offline' if offline_mode_enabled else '' }}"
+      disablerepo: "{{ '*' if offline_mode_enabled else '' }}"
+    when: ansible_os_family == "RedHat" and ansible_distribution != "Amazon"
+
+  - name: install aws agents RPM
+    ansible.builtin.zypper:
+      name: /opt/amazon-ssm-agent.rpm
+      state: present
+      disable_gpg_check: yes
+    when: ansible_os_family == "Suse" and ansible_distribution != "Amazon"
+
+- name: install aws cli for amazon linux
   package:
     name: "{{ item }}"
     state: present
   with_items:
-    - amazon-ssm-agent
     - awscli
   when: ansible_distribution == "Amazon"
 
@@ -93,5 +89,4 @@
     name: snap.amazon-ssm-agent.amazon-ssm-agent.service
     state: started
     enabled: yes
-  when: ansible_distribution == "Ubuntu"
-
+  when: ansible_distribution == "Ubuntu"

bundles/centos7.9/bundle.sh.gotmpl

@@ -12,6 +12,7 @@ echo skip_missing_names_on_install=False >> /etc/yum.conf
 yum -y install epel-release gettext yum-utils createrepo
 yum clean all
 TMP_DIR="$(mktemp -d repodata-XXXX)"
+chmod 777 -R "${TMP_DIR}"
 cp packages.txt "${TMP_DIR}"
 pushd "${TMP_DIR}"
 #shellcheck disable=SC2046

bundles/redhat7.9/bundle.sh.gotmpl

@@ -58,6 +58,7 @@ subscription-manager repos --enable=rhel-7-server-extras-rpms
 yum -y install createrepo gettext yum-utils https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
 yum clean all
 TMP_DIR="$(mktemp -d repodata-XXXX)"
+chmod 777 -R "${TMP_DIR}"
 cp packages.txt "${TMP_DIR}"
 pushd "${TMP_DIR}"
 #shellcheck disable=SC2046

bundles/redhat8.4/bundle.sh.gotmpl

@@ -51,6 +51,7 @@ subscription-manager repos --enable rhel-8-for-x86_64-appstream-rpms
 yum --disablerepo=appstream-centos -y install gettext yum-utils createrepo dnf-utils
 yum clean all
 TMP_DIR="$(mktemp -d repodata-XXXX)"
+chmod 777 -R "${TMP_DIR}"
 cp packages.txt "${TMP_DIR}"
 pushd "${TMP_DIR}"
 #shellcheck disable=SC2046,SC2062,SC2063,SC2035
@@ -61,7 +62,6 @@ yumdownloader --archlist=x86_64,noarch --setopt=skip_missing_names_on_install=Fa
 #shellcheck disable=SC2046
 yumdownloader --setopt=skip_missing_names_on_install=False -x \*i686 --archlist=x86_64,noarch --resolve --disablerepo=*  --enablerepo=kubernetes,rhel-8-for-x86_64-baseos-eus-rpms,codeready-builder-for-rhel-8-x86_64-rpms,rhel-8-for-x86_64-appstream-rpms --disablerepo=appstream-centos $(< packages.txt)
 rm packages.txt reqs.txt
-curl https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm -o amazon-ssm-agent.rpm
 createrepo -v .
 chown -R 1000:1000 repodata/
 yum install -y modulemd-tools