Build extensions container

ci-operator/config/openshift/os/openshift-os-master__periodic.yaml

@@ -0,0 +1,128 @@
+base_images:
+  coreos_coreos-assembler_latest:
+    name: coreos-assembler
+    namespace: coreos
+    tag: latest
+build_root:
+  image_stream_tag:
+    name: fcos-buildroot
+    namespace: coreos
+    tag: testing-devel
+images:
+- dockerfile_literal: |
+    # COSA + source code
+    FROM registry.svc.ci.openshift.org/coreos/coreos-assembler:latest
+    WORKDIR /src
+    # Tell the build scripts that we have setup a directory for unprivileged build
+    ENV COSA_DIR=/tmp/cosa
+    RUN mkdir -p "${COSA_DIR}"
+    # Prow doesn't support emptydir for jobs today
+    ENV COSA_SKIP_OVERLAY=1
+    # Copy the source code
+    COPY . .
+    # We need to make sure that root can read / write to the COSA_DIR so that
+    # when this container is actually run, we have permissions to read and
+    # write to the COSA_DIR and the /src dir.
+    USER root
+    RUN chgrp -Rf root "${COSA_DIR}" && \
+      chmod -Rf g+w "${COSA_DIR}" && \
+      chown -R builder:builder /src
+    # Go back to unprivileged user for COSA
+    USER builder
+    WORKDIR /tmp/cosa
+  inputs:
+    coreos_coreos-assembler_latest:
+      as:
+      - registry.svc.ci.openshift.org/coreos/coreos-assembler:latest
+  to: build-image
+- build_args:
+  - name: RHELVER
+    value: rhel-8.6
+  dockerfile_literal: |
+    # This performs the RHCOS build itself.
+    # TODO: Move this Dockerfile into the openshift/os repository so we can
+    # easily reuse it for all RHCOS / SCOS versions via setting the build arg.
+    FROM build-image:latest AS base
+    ARG RHELVER="rhel-8.6"
+    ENV RHELVER=$RHELVER
+    ENV COSA_NO_KVM=1
+    # We need to reduce the size of this image because we can run out of space
+    # on the underlying volume when the layer is committed. All we care about
+    # is the rhcos.x86_64.ociarchive file.
+    RUN /src/ci/prow-entrypoint.sh build && \
+      /src/ci/simplify-ociarchive-path.sh && \
+      mv /tmp/cosa/builds/latest/x86_64/rhcos.x86_64.ociarchive /tmp/cosa/rhcos.x86_64.ociarchive && \
+      rm -rf /tmp/cosa/builds /tmp/cosa/cache
+
+    # We don't need the rest of the build-image container, so we copy the OCI
+    # archive into its own scratch image in preparation for extraction.
+    FROM scratch
+    COPY --from=base /tmp/cosa/rhcos.x86_64.ociarchive /tmp/cosa/rhcos.x86_64.ociarchive
+  inputs:
+    build-image:
+      as:
+      - build-image:latest
+  to: rhcos-8.6-build
+- dockerfile_literal: |
+    # This extracts the OCI archive from the rhcos-8.6-build image build, injects it
+    # into the build context, and then uses that OCI archive as this image.
+    # This makes use of the following:
+    # - OpenShift Image Builds allows one to pass in a path from another container
+    # image. It places this under /tmp/build/inputs/<path>. See:
+    # https://github.com/openshift/builder/blob/37525a77fa07e26c420962dee47193d672ef0b35/pkg/build/builder/common.go#L72
+    # - Buildah allows one to use oci-archive as a transport. See:
+    # https://www.redhat.com/sysadmin/7-transports-features
+    # - Utilizing the above features in concert with one another and using an
+    # absolute path to refer to the OCI archive in the build context allows us
+    # to "import" the OCI archive into the CI ImageStream.
+    FROM oci-archive:/tmp/build/inputs/magic/cosa/rhcos.x86_64.ociarchive
+  inputs:
+    rhcos-8.6-build:
+      paths:
+      - destination_dir: magic
+        source_path: /tmp/cosa
+  to: machine-os-oci-content-rhel-8.6
+- dockerfile_path: extensions/Dockerfile
+  inputs:
+    machine-os-oci-content-rhel-8.6:
+      as:
+      - registry.ci.openshift.org/rhcos-devel/rhel-coreos:latest
+  to: rhcos-extensions-8.6
+promotion:
+  additional_images:
+    rhel-coreos: machine-os-oci-content-rhel-8.6
+    rhel-coreos-extensions: rhcos-extensions-8.6
+  excluded_images:
+  - '*'
+  namespace: rhcos-devel
+  tag: latest
+releases:
+  initial:
+    integration:
+      name: "4.12"
+      namespace: ocp
+  latest:
+    integration:
+      include_built_images: true
+      name: "4.12"
+      namespace: ocp
+resources:
+  '*':
+    requests:
+      cpu: 2000m
+      memory: 4Gi
+tests:
+- as: validate-built-image-rhel-8.6
+  commands: cat /etc/os-release
+  container:
+    from: machine-os-oci-content-rhel-8.6
+  cron: '@daily'
+- as: validate-built-extensions-8.6
+  commands: cat /etc/os-release
+  container:
+    from: rhcos-extensions-8.6
+zz_generated_metadata:
+  branch: master
+  org: openshift
+  repo: os
+  variant: periodic

ci-operator/jobs/openshift/os/openshift-os-master-periodics.yaml

@@ -0,0 +1,57 @@
+periodics:
+- agent: kubernetes
+  cluster: build01
+  cron: 51 1 * * *
+  decorate: true
+  decoration_config:
+    skip_cloning: true
+  extra_refs:
+  - base_ref: master
+    org: openshift
+    repo: os
+  labels:
+    ci-operator.openshift.io/variant: periodic
+    ci.openshift.io/generator: prowgen
+    pj-rehearse.openshift.io/can-be-rehearsed: "true"
+  name: periodic-ci-openshift-os-master-periodic-validate-built-image-rhel-8.6
+  reporter_config:
+    slack:
+      channel: '#jenkins-coreos'
+      job_states_to_report:
+      - failure
+      report_template: ':warning: Job *{{.Spec.Job}}* ended with *{{.Status.State}}*.
+        <{{.Status.URL}}|View logs> :warning:'
+  spec:
+    containers:
+    - args:
+      - --gcs-upload-secret=/secrets/gcs/service-account.json
+      - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
+      - --report-credentials-file=/etc/report/credentials
+      - --target=validate-built-image-rhel-8.6
+      - --variant=periodic
+      command:
+      - ci-operator
+      image: ci-operator:latest
+      imagePullPolicy: Always
+      name: ""
+      resources:
+        requests:
+          cpu: 10m
+      volumeMounts:
+      - mountPath: /secrets/gcs
+        name: gcs-credentials
+        readOnly: true
+      - mountPath: /etc/pull-secret
+        name: pull-secret
+        readOnly: true
+      - mountPath: /etc/report
+        name: result-aggregator
+        readOnly: true
+    serviceAccountName: ci-operator
+    volumes:
+    - name: pull-secret
+      secret:
+        secretName: registry-pull-credentials
+    - name: result-aggregator
+      secret:
+        secretName: result-aggregator

ci-operator/jobs/openshift/os/openshift-os-master-postsubmits.yaml

@@ -54,3 +54,61 @@ postsubmits:
       - name: result-aggregator
         secret:
           secretName: result-aggregator
+  - agent: kubernetes
+    always_run: true
+    branches:
+    - ^master$
+    cluster: build03
+    decorate: true
+    decoration_config:
+      skip_cloning: true
+    labels:
+      ci-operator.openshift.io/is-promotion: "true"
+      ci-operator.openshift.io/variant: periodic
+      ci.openshift.io/generator: prowgen
+    max_concurrency: 1
+    name: branch-ci-openshift-os-master-periodic-images
+    spec:
+      containers:
+      - args:
+        - --gcs-upload-secret=/secrets/gcs/service-account.json
+        - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
+        - --image-mirror-push-secret=/etc/push-secret/.dockerconfigjson
+        - --promote
+        - --report-credentials-file=/etc/report/credentials
+        - --target=[images]
+        - --target=machine-os-oci-content-rhel-8.6
+        - --target=rhcos-extensions-8.6
+        - --variant=periodic
+        command:
+        - ci-operator
+        image: ci-operator:latest
+        imagePullPolicy: Always
+        name: ""
+        resources:
+          requests:
+            cpu: 10m
+        volumeMounts:
+        - mountPath: /secrets/gcs
+          name: gcs-credentials
+          readOnly: true
+        - mountPath: /etc/pull-secret
+          name: pull-secret
+          readOnly: true
+        - mountPath: /etc/push-secret
+          name: push-secret
+          readOnly: true
+        - mountPath: /etc/report
+          name: result-aggregator
+          readOnly: true
+      serviceAccountName: ci-operator
+      volumes:
+      - name: pull-secret
+        secret:
+          secretName: registry-pull-credentials
+      - name: push-secret
+        secret:
+          secretName: registry-push-credentials-ci-central
+      - name: result-aggregator
+        secret:
+          secretName: result-aggregator

ci-operator/jobs/openshift/os/openshift-os-master-presubmits.yaml

@@ -50,6 +50,110 @@ presubmits:
         secret:
           secretName: result-aggregator
     trigger: (?m)^/test( | .* )images,?($|\s.*)
+  - agent: kubernetes
+    always_run: true
+    branches:
+    - ^master$
+    - ^master-
+    cluster: build03
+    context: ci/prow/periodic-images
+    decorate: true
+    decoration_config:
+      skip_cloning: true
+    labels:
+      ci-operator.openshift.io/variant: periodic
+      ci.openshift.io/generator: prowgen
+      pj-rehearse.openshift.io/can-be-rehearsed: "true"
+    name: pull-ci-openshift-os-master-periodic-images
+    rerun_command: /test periodic-images
+    spec:
+      containers:
+      - args:
+        - --gcs-upload-secret=/secrets/gcs/service-account.json
+        - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
+        - --report-credentials-file=/etc/report/credentials
+        - --target=[images]
+        - --target=machine-os-oci-content-rhel-8.6
+        - --target=rhcos-extensions-8.6
+        - --variant=periodic
+        command:
+        - ci-operator
+        image: ci-operator:latest
+        imagePullPolicy: Always
+        name: ""
+        resources:
+          requests:
+            cpu: 10m
+        volumeMounts:
+        - mountPath: /secrets/gcs
+          name: gcs-credentials
+          readOnly: true
+        - mountPath: /etc/pull-secret
+          name: pull-secret
+          readOnly: true
+        - mountPath: /etc/report
+          name: result-aggregator
+          readOnly: true
+      serviceAccountName: ci-operator
+      volumes:
+      - name: pull-secret
+        secret:
+          secretName: registry-pull-credentials
+      - name: result-aggregator
+        secret:
+          secretName: result-aggregator
+    trigger: (?m)^/test( | .* )periodic-images,?($|\s.*)
+  - agent: kubernetes
+    always_run: true
+    branches:
+    - ^master$
+    - ^master-
+    cluster: build03
+    context: ci/prow/periodic-validate-built-extensions-8.6
+    decorate: true
+    decoration_config:
+      skip_cloning: true
+    labels:
+      ci-operator.openshift.io/variant: periodic
+      ci.openshift.io/generator: prowgen
+      pj-rehearse.openshift.io/can-be-rehearsed: "true"
+    name: pull-ci-openshift-os-master-periodic-validate-built-extensions-8.6
+    rerun_command: /test periodic-validate-built-extensions-8.6
+    spec:
+      containers:
+      - args:
+        - --gcs-upload-secret=/secrets/gcs/service-account.json
+        - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
+        - --report-credentials-file=/etc/report/credentials
+        - --target=validate-built-extensions-8.6
+        - --variant=periodic
+        command:
+        - ci-operator
+        image: ci-operator:latest
+        imagePullPolicy: Always
+        name: ""
+        resources:
+          requests:
+            cpu: 10m
+        volumeMounts:
+        - mountPath: /secrets/gcs
+          name: gcs-credentials
+          readOnly: true
+        - mountPath: /etc/pull-secret
+          name: pull-secret
+          readOnly: true
+        - mountPath: /etc/report
+          name: result-aggregator
+          readOnly: true
+      serviceAccountName: ci-operator
+      volumes:
+      - name: pull-secret
+        secret:
+          secretName: registry-pull-credentials
+      - name: result-aggregator
+        secret:
+          secretName: result-aggregator
+    trigger: (?m)^/test( | .* )periodic-validate-built-extensions-8.6,?($|\s.*)
   - agent: kubernetes
     always_run: false
     branches: