OKD-152: Add layered build for OKD-SCOS

base/security.openshift.io/securitycontextcontraints/scc-admin.yaml

@@ -0,0 +1,59 @@
+apiVersion: security.openshift.io/v1
+kind: SecurityContextConstraints
+metadata:
+  name: scc-admin
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegeEscalation: true
+allowPrivilegedContainer: true
+allowedCapabilities: null
+defaultAddCapabilities: null
+fsGroup:
+  type: RunAsAny
+groups: []
+priority: null
+readOnlyRootFilesystem: false
+requiredDropCapabilities:
+- KILL
+- MKNOD
+- SYS_CHROOT
+runAsUser:
+  type: RunAsAny
+seLinuxContext:
+  type: RunAsAny
+supplementalGroups:
+  type: RunAsAny
+users:
+- system:serviceaccount:okd-coreos:pipeline
+volumes:
+- awsElasticBlockStore
+- azureDisk
+- azureFile
+- cephFS
+- cinder
+- configMap
+- csi
+- downwardAPI
+- emptyDir
+- ephemeral
+- fc
+- flexVolume
+- flocker
+- gcePersistentDisk
+- gitRepo
+- glusterfs
+- iscsi
+- nfs
+- persistentVolumeClaim
+- photonPersistentDisk
+- portworxVolume
+- projected
+- quobyte
+- rbd
+- scaleIO
+- secret
+- storageOS
+- vsphere

base/tekton.dev/pipelines/okd-coreos.yaml

@@ -26,10 +26,13 @@ spec:
       default: "quay.io/okd"
       type: string
     - name: baseos-container-image-name
-      default: "centos-stream-coreos-9"
+      default: "stream-coreos"
+      type: string
+    - name: layered-os-container-image-name
+      default: "stream-coreos-okd"
       type: string
     - name: extensions-container-image-name
-      default: "centos-stream-coreos-9-extensions"
+      default: "stream-coreos-extensions"
       type: string
     - name: upload-container-images
       default: "false"
@@ -111,14 +114,23 @@ spec:
         - name: ws
           workspace: shared-workspace
     - name: cosa-test
+      taskRef:
+        kind: Task
+        name: cosa-test
       params:
         - name: variant
           value: $(params.variant)
       runAfter:
         - cosa-build-baseos
+      workspaces:
+        - name: ws
+          workspace: shared-workspace
+    - name: build-layer
+      runAfter:
+        - cosa-test
       taskRef:
         kind: Task
-        name: cosa-test
+        name: build-layer
       workspaces:
         - name: ws
           workspace: shared-workspace
@@ -136,7 +148,7 @@ spec:
           workspace: shared-workspace
     - name: cosa-buildextend
       runAfter:
-        - cosa-test
+        - cosa-build-extensions
       taskRef:
         kind: Task
         name: cosa-buildextend
@@ -255,6 +267,23 @@ spec:
           workspace: s3-credentials
         - name: ws
           workspace: shared-workspace        
+    - name: cosa-upload-scosokd
+      taskRef:
+        kind: Task
+        name: cosa-push-layered-container
+      runAfter:
+        - build-layer 
+        - cosa-generate-release-meta
+      workspaces:
+        - name: ws
+          workspace: shared-workspace  
+      when:
+      - input: $(params.upload-container-images)
+        operator: in
+        values: ["true"]
+      - input: $(tasks.build-layer.results.output)
+        operator: in
+        values: ["OK"]
   finally:
     - name: notify-matrix
       when: 

base/tekton.dev/tasks/build-layer.yaml

@@ -0,0 +1,63 @@
+apiVersion: tekton.dev/v1beta1
+kind: Task
+metadata:
+  name: build-layer
+spec:
+  steps:
+    - image: quay.io/podman/stable:latest
+      name: build-layer
+      resources: {}
+      securityContext:
+        privileged: true
+      script: |
+        #!/usr/bin/env bash
+        set -euxo pipefail
+
+        dnf install -y jq
+
+        cd /srv/coreos
+
+        OSTREE_VERSION=$(jq -r '."ostree-version"' < builds/latest/$(uname -m)/meta.json)
+        OSTREE_TARFILE=$(jq -r '.images.ostree.path' < builds/latest/$(uname -m)/meta.json)
+
+        # the c9s.repo file is meant to be consumed by a COSA container
+        # where the RPM GPG keys are shipped in /usr/share/distribution-gpg-keys/centos
+        # SCOS however ships the keys in the /etc/pki/rpm-gpg
+        sed -i 's;/usr/share/distribution-gpg-keys/centos;/etc/pki/rpm-gpg;g' src/config/c9s.repo
+        sed -i 's/RPM-GPG-KEY-CentOS-Official/RPM-GPG-KEY-centosofficial/g' src/config/c9s.repo
+
+        cat <<EOF >> src/config/Dockerfile
+        FROM quay.io/okd/centos-stream-coreos-9:4.14-x86_64
+        COPY rpms/ /srv/coreos/rpms/
+        COPY src/config/c9s.repo /etc/yum.repos.d/c9s.repo
+        COPY src/config/packages-openshift.yaml /etc/rpm-ostree/origin.d/packages-openshift.yaml
+        RUN cat /etc/os-release \
+            && rpm-ostree --version \
+            && ostree --version \
+            && rpm-ostree ex rebuild \
+            && rpm-ostree cleanup -m \
+            && rm -rf /var/lib/unbound /srv/coreos/rpms /etc/rpm-ostree/origin.d /etc/yum.repos.d/c9s.repo \
+            && ostree container commit
+
+        LABEL io.openshift.release.operator=true \
+              io.openshift.build.version-display-names="machine-os=CentOS Stream CoreOS" \
+              io.openshift.build.versions="machine-os=${OSTREE_VERSION}"
+
+        EOF
+
+        ls /srv/coreos/builds/latest/$(uname -m)/${OSTREE_TARFILE} 
+        podman build \
+          -f src/config/Dockerfile \
+          -t ostree-okd \
+          .
+        # mkdir /srv/ostree-okd
+        podman save --format oci-dir ostree-okd:latest -o /srv/ostree-okd
+        # podman tag localhost/ostree-okd quay.io/okd/stream-coreos-okd
+        # podman push  quay.io/okd/stream-coreos-okd
+        # TODO Allow for pulling previously built base image, and for pushing the layered image
+        printf "%s" "OK" > $(results.output.path)
+  results:
+    - name: output
+  workspaces:
+    - mountPath: /srv
+      name: ws

base/tekton.dev/tasks/cosa-init.yaml

@@ -56,9 +56,16 @@ spec:
         fi
 
         # TODO: Upstream to openshift/os
-        # Get oc and hypershift from the yum repo in the artifacts image,
-        # instead of the rhel ose repo.
+        # Remove OpenShift package layer from SCOS base manifest
+        sed -i '/- packages-openshift.yaml/d' $(readlink -f src/config/manifest-$(params.variant).yaml)
+
+        # Don't inject CVO layers in SCOS base compose
+        sed -i 's/ostree-container-inject-openshift-cvo-labels: true/ostree-container-inject-openshift-cvo-labels: false/' $(readlink -f src/config/image-$(params.variant).yaml)
+
+        # Get oc and hyperkube rpms frpm the artifacts image instead of rhel ose repo
         sed -i 's/rhel-9.*-server-ose.*/artifacts/' $(readlink -f src/config/manifest-$(params.variant).yaml)
+
+        # Add repo for RPMs from artifacts container image
         cat <<EOF >> src/config/c9s.repo
 
         [artifacts]

base/tekton.dev/tasks/cosa-push-layered-container.yaml

@@ -0,0 +1,46 @@
+apiVersion: tekton.dev/v1beta1
+kind: Task
+metadata:
+  name: cosa-push-layered-container
+spec:
+  params:
+    - name: target-registry
+      default: quay.io/okd
+      type: string
+    - name: container-image-name
+      default: stream-coreos-okd
+      type: string
+    - name: image
+      default: localhost/ostree-okd
+      type: string
+    - name: tag
+      default: "4.14"
+      type: string
+    - name: tag-latest
+      default: "false"
+      type: string
+  steps:
+    - image: 'quay.io/podman/stable:latest'
+      name: upload-image
+      resources: {}
+      securityContext:
+        privileged: true
+      script: |
+        #!/usr/bin/env bash
+        set -euxo pipefail
+
+        cd /srv/coreos
+        podman images
+        podman load -i /srv/ostree-okd
+        podman tag ostree-okd:latest $(params.target-registry)/$(params.container-image-name):$(params.tag)-$(uname -m)
+        podman push $(params.target-registry)/$(params.container-image-name):$(params.tag)-$(uname -m) --authfile=$(workspaces.regcred.path)/.dockerconfigjson
+        # cosa push-container --authfile=$(workspaces.regcred.path)/.dockerconfigjson --image=$(params.image) $(params.target-registry)/$(params.container-image-name)
+        # if [[ "$(params.tag-latest)" == "true" ]]; then
+        #   # Add stable tag for import into Prow
+        #   cosa push-container --authfile=$(workspaces.regcred.path)/.dockerconfigjson --image=$(params.image) $(params.target-registry)/$(params.container-image-name):$(params.tag)-$(uname -m)
+        # fi
+
+  workspaces:
+    - name: regcred
+    - mountPath: /srv
+      name: ws

base/tekton.dev/tasks/kustomization.yaml

@@ -6,8 +6,10 @@ resources:
   - cosa-buildextend.yaml
   - cosa-init.yaml
   - cosa-push-container.yaml
+  - cosa-push-layered-container.yaml
   - cosa-test.yaml
   - cosa-upload-s3.yaml
   - cosa-generate-release-meta.yaml
   - rpm-artifacts-copy.yaml
   - notify-matrix.yaml
+  - build-layer.yaml

base/triggers.tekton.dev/triggertemplates/okd-coreos-prod.yaml

@@ -19,9 +19,11 @@ spec:
   - name: target-registry
     default: "quay.io/okd"
   - name: baseos-container-image-name
-    default: "centos-stream-coreos-9"
+    default: "stream-coreos"
+  - name: layered-os-container-image-name
+    default: "stream-coreos-okd"
   - name: extensions-container-image-name
-    default: "centos-stream-coreos-9-extensions"
+    default: "stream-coreos-extensions"
   - name: upload-container-images
     default: "true"
   - name: tag-latest
@@ -71,6 +73,8 @@ spec:
           value: $(tt.params.target-registry)
         - name: baseos-container-image-name
           value: $(tt.params.baseos-container-image-name)
+        - name: layered-os-container-image-name
+          value: $(tt.params.layered-os-container-image-name)
         - name: extensions-container-image-name
           value: $(tt.params.extensions-container-image-name)
         - name: upload-container-images

environments/kind/pipelineruns/okd-coreos-4.13-dev-pipelinerun.yaml

@@ -19,14 +19,20 @@ spec:
       value: "4.13"
     - name: release-stream
       value: "stable"
+    - name: s3-bucket-name
+      value: "okd-scos"
+    - name: s3-endpoint-url
+      value: "https://okd-scos.s3.amazonaws.com/"
     - name: rpm-artifacts-image
       value: "registry.ci.openshift.org/origin/4.13:artifacts"
     - name: target-registry
       value: "quay.io/okd"
     - name: baseos-container-image-name
-      value: "centos-stream-coreos-9"
+      value: "stream-coreos"
+    - name: layered-os-container-image-name
+      value: "stream-coreos-okd"
     - name: extensions-container-image-name
-      value: "centos-stream-coreos-9-extensions"
+      value: "stream-coreos-extensions"
     - name: s3-bucket-name
       value: "okd-scos"
     - name: s3-endpoint-url

environments/kind/pipelineruns/okd-coreos-4.14-dev-pipelinerun.yaml

@@ -8,6 +8,7 @@ metadata:
     operator.tekton.dev/prune.keep: "1"
     operator.tekton.dev/prune.strategy: "keep"
 spec:
+  serviceAccountName: pipeline
   params:
     - name: repo
       value: "https://github.com/openshift/os.git"

environments/moc/pipelineruns/okd-coreos-4.13-prod-pipelinerun.yaml

@@ -8,6 +8,7 @@ metadata:
     operator.tekton.dev/prune.keep: "1"
     operator.tekton.dev/prune.strategy: "keep"
 spec:
+  serviceAccountName: pipeline
   params:
     - name: repo
       value: "https://github.com/openshift/os.git"
@@ -22,9 +23,11 @@ spec:
     - name: target-registry
       value: "quay.io/okd"
     - name: baseos-container-image-name
-      value: "centos-stream-coreos-9"
+      value: "stream-coreos"
+    - name: layered-os-container-image-name
+      value: "stream-coreos-okd"
     - name: extensions-container-image-name
-      value: "centos-stream-coreos-9-extensions"
+      value: "stream-coreos-extensions"
     - name: s3-bucket-name
       value: "okd-scos"
     - name: s3-endpoint-url
@@ -45,7 +48,7 @@ spec:
       value: pipeline-scos-4.13-pvc
   podTemplate:
     nodeSelector:
-       kubernetes.io/hostname: host-192-168-111-83
+      kubernetes.io/hostname: host-192-168-111-83
   pipelineRef:
     name: okd-coreos
   timeouts:

environments/moc/pipelineruns/okd-coreos-4.14-prod-pipelinerun.yaml

@@ -8,6 +8,7 @@ metadata:
     operator.tekton.dev/prune.keep: "1"
     operator.tekton.dev/prune.strategy: "keep"
 spec:
+  serviceAccountName: pipeline
   params:
     - name: repo
       value: "https://github.com/openshift/os.git"
@@ -22,9 +23,11 @@ spec:
     - name: target-registry
       value: "quay.io/okd"
     - name: baseos-container-image-name
-      value: "centos-stream-coreos-9"
+      value: "stream-coreos"
+    - name: layered-os-container-image-name
+      value: "stream-coreos-okd"
     - name: extensions-container-image-name
-      value: "centos-stream-coreos-9-extensions"
+      value: "stream-coreos-extensions"
     - name: s3-bucket-name
       value: "okd-scos"
     - name: s3-endpoint-url