Make AWS AMI builder fetch package from artifact instead of S3 bucket

Signed-off-by: Balasankar "Balu" C <[email protected]>

Author: balasankarc

gitlab-ci-config/gitlab-com.yml

@@ -713,12 +713,12 @@ validate_packer_changes:
   image: "${PUBLIC_BUILDER_IMAGE_REGISTRY}/debian_packer:${BUILDER_IMAGE_REVISION}"
   stage: check
   script:
-    - cd "${CI_PROJECT_DIR}/support/packer" && packer validate -var aws_access_key=XXX -var aws_secret_key=XXX -var download_url=XXX ce-arm64.pkr.hcl
-    - cd "${CI_PROJECT_DIR}/support/packer" && packer validate -var aws_access_key=XXX -var aws_secret_key=XXX -var download_url=XXX ce.pkr.hcl
-    - cd "${CI_PROJECT_DIR}/support/packer" && packer validate -var aws_access_key=XXX -var aws_secret_key=XXX -var download_url=XXX ee-arm64.pkr.hcl
-    - cd "${CI_PROJECT_DIR}/support/packer" && packer validate -var aws_access_key=XXX -var aws_secret_key=XXX -var download_url=XXX ee-premium.pkr.hcl
-    - cd "${CI_PROJECT_DIR}/support/packer" && packer validate -var aws_access_key=XXX -var aws_secret_key=XXX -var download_url=XXX ee-ultimate.pkr.hcl
-    - cd "${CI_PROJECT_DIR}/support/packer" && packer validate -var aws_access_key=XXX -var aws_secret_key=XXX -var download_url=XXX ee.pkr.hcl
+    - cd "${CI_PROJECT_DIR}/support/packer" && packer validate -var ci_job_token=XXX -var aws_access_key=XXX -var aws_secret_key=XXX -var download_url=XXX ce-arm64.pkr.hcl
+    - cd "${CI_PROJECT_DIR}/support/packer" && packer validate -var ci_job_token=XXX -var aws_access_key=XXX -var aws_secret_key=XXX -var download_url=XXX ce.pkr.hcl
+    - cd "${CI_PROJECT_DIR}/support/packer" && packer validate -var ci_job_token=XXX -var aws_access_key=XXX -var aws_secret_key=XXX -var download_url=XXX ee-arm64.pkr.hcl
+    - cd "${CI_PROJECT_DIR}/support/packer" && packer validate -var ci_job_token=XXX -var aws_access_key=XXX -var aws_secret_key=XXX -var download_url=XXX ee-premium.pkr.hcl
+    - cd "${CI_PROJECT_DIR}/support/packer" && packer validate -var ci_job_token=XXX -var aws_access_key=XXX -var aws_secret_key=XXX -var download_url=XXX ee-ultimate.pkr.hcl
+    - cd "${CI_PROJECT_DIR}/support/packer" && packer validate -var ci_job_token=XXX -var aws_access_key=XXX -var aws_secret_key=XXX -var download_url=XXX ee.pkr.hcl
   rules:
     - if: '$PIPELINE_TYPE == "_TEST_PIPELINE"'
       changes:

lib/gitlab/aws_helper.rb

@@ -14,7 +14,7 @@ def initialize(version, type)
     @type = type || 'ce'
   end
 
-  def create_ami
+  def create_ami_old
     release_type = Gitlab::Util.get_env('AWS_RELEASE_TYPE')
     architecture = Gitlab::Util.get_env('AWS_ARCHITECTURE')
     args = {}
@@ -31,7 +31,27 @@ def create_ami
 
     @download_url = Build::Info.ami_deb_package_download_url(**args)
 
-    system(*%W[support/packer/packer_ami.sh #{@version} #{@type} #{@download_url} #{@license_file}])
+    system(*%W[support/packer_old/packer_ami.sh #{@version} #{@type} #{@download_url} #{@license_file}])
+  end
+
+  def create_ami
+    release_type = Gitlab::Util.get_env('AWS_RELEASE_TYPE')
+    architecture = Gitlab::Util.get_env('AWS_ARCHITECTURE')
+
+    if (@type == 'ee') && release_type
+      @type = "ee-#{release_type}"
+      @license_file = "AWS_#{release_type}_LICENSE_FILE".upcase
+    end
+
+    if architecture
+      @type = "#{@type}-#{architecture}"
+    else
+      architecture = 'amd64'
+    end
+
+    @download_url = Build::Info::CI.package_download_url(job_name: "Ubuntu-20.04", arch: architecture)
+
+    system(*%W[support/packer/packer_ami.sh #{@version} #{@type} #{@download_url} #{Build::Info::CI.job_token} #{@license_file}])
   end
 
   def set_marketplace_details

lib/gitlab/tasks/aws.rake

@@ -12,7 +12,11 @@ namespace :aws do
       next if Build::Check.is_auto_deploy? || Build::Check.is_rc_tag?
 
       Omnibus.load_configuration('omnibus.rb')
-      AWSHelper.new(Omnibus::BuildVersion.semver, Build::Info.edition).create_ami
+      if Gitlab::Util.get_env('AMI_USE_OLD_BUILD_PROCESS') == "true"
+        AWSHelper.new(Omnibus::BuildVersion.semver, Build::Info.edition).create_ami_old
+      else
+        AWSHelper.new(Omnibus::BuildVersion.semver, Build::Info.edition).create_ami
+      end
     end
   end
 

spec/lib/gitlab/tasks/aws_spec.rb

@@ -40,21 +40,42 @@ def deregister_image(parameters)
   before do
     Rake::Task['aws:ami:create'].reenable
     allow_any_instance_of(Kernel).to receive(:system).and_return(true)
+    allow(ENV).to receive(:[]).and_call_original
+    stub_env_var('CI_JOB_TOKEN', 'CI-NO-JOB-TOKEN')
   end
 
-  describe 'on a regular tag' do
+  context 'when using `AMI_USE_OLD_BUILD_PROCESS` environment variable' do
     before do
+      stub_env_var('AMI_USE_OLD_BUILD_PROCESS', 'true')
       allow(Build::Check).to receive(:on_tag?).and_return(true)
       allow(Build::Check).to receive(:is_auto_deploy?).and_return(false)
       allow(Build::Check).to receive(:is_rc_tag?).and_return(false)
       allow(Build::Info).to receive(:ami_deb_package_download_url).and_return('http://example.com')
     end
 
+    it 'should call the old script' do
+      allow(Build::Info).to receive(:edition).and_return('ce')
+      allow(Omnibus::BuildVersion).to receive(:semver).and_return('9.3.0')
+
+      expect_any_instance_of(Kernel).to receive(:system).with(*["support/packer_old/packer_ami.sh", "9.3.0", "ce", "http://example.com", ""])
+
+      Rake::Task['aws:ami:create'].invoke
+    end
+  end
+
+  describe 'on a regular tag' do
+    before do
+      allow(Build::Check).to receive(:on_tag?).and_return(true)
+      allow(Build::Check).to receive(:is_auto_deploy?).and_return(false)
+      allow(Build::Check).to receive(:is_rc_tag?).and_return(false)
+      allow(Build::Info::CI).to receive(:package_download_url).and_return('http://example.com')
+    end
+
     it 'should identify ce category correctly, if specified' do
       allow(Build::Info).to receive(:edition).and_return('ce')
       allow(Omnibus::BuildVersion).to receive(:semver).and_return('9.3.0')
 
-      expect_any_instance_of(Kernel).to receive(:system).with(*["support/packer/packer_ami.sh", "9.3.0", "ce", "http://example.com", ""])
+      expect_any_instance_of(Kernel).to receive(:system).with(*["support/packer/packer_ami.sh", "9.3.0", "ce", "http://example.com", "CI-NO-JOB-TOKEN", ""])
 
       Rake::Task['aws:ami:create'].invoke
     end
@@ -63,7 +84,7 @@ def deregister_image(parameters)
       allow(Build::Info).to receive(:edition).and_return(nil)
       allow(Omnibus::BuildVersion).to receive(:semver).and_return('9.3.0')
 
-      expect_any_instance_of(Kernel).to receive(:system).with(*["support/packer/packer_ami.sh", "9.3.0", "ce", "http://example.com", ""])
+      expect_any_instance_of(Kernel).to receive(:system).with(*["support/packer/packer_ami.sh", "9.3.0", "ce", "http://example.com", "CI-NO-JOB-TOKEN", ""])
 
       Rake::Task['aws:ami:create'].invoke
     end
@@ -72,7 +93,7 @@ def deregister_image(parameters)
       allow(Build::Info).to receive(:edition).and_return('ee')
       allow(Omnibus::BuildVersion).to receive(:semver).and_return('9.3.0')
 
-      expect_any_instance_of(Kernel).to receive(:system).with(*["support/packer/packer_ami.sh", "9.3.0", "ee", "http://example.com", ""])
+      expect_any_instance_of(Kernel).to receive(:system).with(*["support/packer/packer_ami.sh", "9.3.0", "ee", "http://example.com", "CI-NO-JOB-TOKEN", ""])
 
       Rake::Task['aws:ami:create'].invoke
     end
@@ -83,7 +104,7 @@ def deregister_image(parameters)
       allow(Build::Info).to receive(:edition).and_return(nil)
       allow(Omnibus::BuildVersion).to receive(:semver).and_return('9.3.0')
 
-      expect_any_instance_of(Kernel).to receive(:system).with(*["support/packer/packer_ami.sh", "9.3.0", "ce-arm64", "http://example.com", ""])
+      expect_any_instance_of(Kernel).to receive(:system).with(*["support/packer/packer_ami.sh", "9.3.0", "ce-arm64", "http://example.com", "CI-NO-JOB-TOKEN", ""])
 
       Rake::Task['aws:ami:create'].invoke
     end
@@ -94,7 +115,7 @@ def deregister_image(parameters)
       allow(Build::Info).to receive(:edition).and_return('ee')
       allow(Omnibus::BuildVersion).to receive(:semver).and_return('9.3.0')
 
-      expect_any_instance_of(Kernel).to receive(:system).with(*["support/packer/packer_ami.sh", "9.3.0", "ee-arm64", "http://example.com", ""])
+      expect_any_instance_of(Kernel).to receive(:system).with(*["support/packer/packer_ami.sh", "9.3.0", "ee-arm64", "http://example.com", "CI-NO-JOB-TOKEN", ""])
 
       Rake::Task['aws:ami:create'].invoke
     end
@@ -105,7 +126,7 @@ def deregister_image(parameters)
       allow(Gitlab::Util).to receive(:get_env).with("AWS_RELEASE_TYPE").and_return('ultimate')
       allow(Omnibus::BuildVersion).to receive(:semver).and_return('9.3.0')
 
-      expect_any_instance_of(Kernel).to receive(:system).with(*["support/packer/packer_ami.sh", "9.3.0", "ee-ultimate", "http://example.com", "AWS_ULTIMATE_LICENSE_FILE"])
+      expect_any_instance_of(Kernel).to receive(:system).with(*["support/packer/packer_ami.sh", "9.3.0", "ee-ultimate", "http://example.com", "CI-NO-JOB-TOKEN", "AWS_ULTIMATE_LICENSE_FILE"])
 
       Rake::Task['aws:ami:create'].invoke
     end
@@ -116,7 +137,7 @@ def deregister_image(parameters)
       allow(Gitlab::Util).to receive(:get_env).with("AWS_RELEASE_TYPE").and_return('premium')
       allow(Omnibus::BuildVersion).to receive(:semver).and_return('9.3.0')
 
-      expect_any_instance_of(Kernel).to receive(:system).with(*["support/packer/packer_ami.sh", "9.3.0", "ee-premium", "http://example.com", "AWS_PREMIUM_LICENSE_FILE"])
+      expect_any_instance_of(Kernel).to receive(:system).with(*["support/packer/packer_ami.sh", "9.3.0", "ee-premium", "http://example.com", "CI-NO-JOB-TOKEN", "AWS_PREMIUM_LICENSE_FILE"])
 
       Rake::Task['aws:ami:create'].invoke
     end
@@ -127,7 +148,7 @@ def deregister_image(parameters)
       allow(Build::Check).to receive(:on_tag?).and_return(true)
       allow(Build::Check).to receive(:is_auto_deploy?).and_return(false)
       allow(Build::Check).to receive(:is_rc_tag?).and_return(true)
-      allow(Build::Info).to receive(:ami_deb_package_download_url).and_return('http://example.com')
+      allow(Build::Info::CI).to receive(:package_download_url).and_return('http://example.com')
     end
 
     it 'does not do anything' do
@@ -142,7 +163,7 @@ def deregister_image(parameters)
       allow(Build::Check).to receive(:on_tag?).and_return(true)
       allow(Build::Check).to receive(:is_auto_deploy?).and_return(true)
       allow(Build::Check).to receive(:is_rc_tag?).and_return(false)
-      allow(Build::Info).to receive(:ami_deb_package_download_url).and_return('http://example.com')
+      allow(Build::Info::CI).to receive(:package_download_url).and_return('http://example.com')
     end
 
     it 'does not do anything' do

support/packer/ce-arm64.pkr.hcl

@@ -14,6 +14,11 @@ variable "download_url" {
   type = string
 }
 
+# ci_job_token is the token used to download the package from CI artifacts
+variable "ci_job_token" {
+  type = string
+}
+
 # license_file, somewhat of a misnomer, is the contents of the license to
 # install on the image. Due to the size of the license contents, it is usually
 # better to use a shell variable to hold the contents and then use the variable
@@ -121,7 +126,7 @@ build {
   }
 
   provisioner "shell" {
-    environment_vars = ["DOWNLOAD_URL=${var.download_url}"]
+    environment_vars = ["DOWNLOAD_URL=${var.download_url}", "CI_JOB_TOKEN=${var.ci_job_token}"]
     script           = "update-script-ce.sh"
   }
 

support/packer/ce.pkr.hcl

@@ -14,6 +14,11 @@ variable "download_url" {
   type = string
 }
 
+# ci_job_token is the token used to download the package from CI artifacts
+variable "ci_job_token" {
+  type = string
+}
+
 # license_file, somewhat of a misnomer, is the contents of the license to
 # install on the image. Due to the size of the license contents, it is usually
 # better to use a shell variable to hold the contents and then use the variable
@@ -121,7 +126,7 @@ build {
   }
 
   provisioner "shell" {
-    environment_vars = ["DOWNLOAD_URL=${var.download_url}"]
+    environment_vars = ["DOWNLOAD_URL=${var.download_url}", "CI_JOB_TOKEN=${var.ci_job_token}"]
     script           = "update-script-ce.sh"
   }
 

support/packer/ee-arm64.pkr.hcl

@@ -14,6 +14,11 @@ variable "download_url" {
   type = string
 }
 
+# ci_job_token is the token used to download the package from CI artifacts
+variable "ci_job_token" {
+  type = string
+}
+
 # license_file, somewhat of a misnomer, is the contents of the license to
 # install on the image. Due to the size of the license contents, it is usually
 # better to use a shell variable to hold the contents and then use the variable
@@ -118,7 +123,7 @@ build {
   }
 
   provisioner "shell" {
-    environment_vars = ["DOWNLOAD_URL=${var.download_url}"]
+    environment_vars = ["DOWNLOAD_URL=${var.download_url}", "CI_JOB_TOKEN=${var.ci_job_token}"]
     script           = "update-script-ee.sh"
   }
 

support/packer/ee-premium.pkr.hcl

@@ -14,6 +14,11 @@ variable "download_url" {
   type = string
 }
 
+# ci_job_token is the token used to download the package from CI artifacts
+variable "ci_job_token" {
+  type = string
+}
+
 # license_file, somewhat of a misnomer, is the contents of the license to
 # install on the image. Due to the size of the license contents, it is usually
 # better to use a shell variable to hold the contents and then use the variable
@@ -117,7 +122,7 @@ build {
   }
 
   provisioner "shell" {
-    environment_vars = ["DOWNLOAD_URL=${var.download_url}", "GITLAB_LICENSE_FILE=${var.license_file}"]
+    environment_vars = ["DOWNLOAD_URL=${var.download_url}", "GITLAB_LICENSE_FILE=${var.license_file}", "CI_JOB_TOKEN=${var.ci_job_token}"]
     script           = "update-script-ee-premium.sh"
   }
 

support/packer/ee-ultimate.pkr.hcl

@@ -14,6 +14,11 @@ variable "download_url" {
   type = string
 }
 
+# ci_job_token is the token used to download the package from CI artifacts
+variable "ci_job_token" {
+  type = string
+}
+
 # license_file, somewhat of a misnomer, is the contents of the license to
 # install on the image. Due to the size of the license contents, it is usually
 # better to use a shell variable to hold the contents and then use the variable
@@ -117,7 +122,7 @@ build {
   }
 
   provisioner "shell" {
-    environment_vars = ["DOWNLOAD_URL=${var.download_url}", "GITLAB_LICENSE_FILE=${var.license_file}"]
+    environment_vars = ["DOWNLOAD_URL=${var.download_url}", "GITLAB_LICENSE_FILE=${var.license_file}", "CI_JOB_TOKEN=${var.ci_job_token}"]
     script           = "update-script-ee-ultimate.sh"
   }
 

support/packer/ee.pkr.hcl

@@ -14,6 +14,11 @@ variable "download_url" {
   type = string
 }
 
+# ci_job_token is the token used to download the package from CI artifacts
+variable "ci_job_token" {
+  type = string
+}
+
 # license_file, somewhat of a misnomer, is the contents of the license to
 # install on the image. Due to the size of the license contents, it is usually
 # better to use a shell variable to hold the contents and then use the variable
@@ -118,7 +123,7 @@ build {
   }
 
   provisioner "shell" {
-    environment_vars = ["DOWNLOAD_URL=${var.download_url}"]
+    environment_vars = ["DOWNLOAD_URL=${var.download_url}", "CI_JOB_TOKEN=${var.ci_job_token}"]
     script           = "update-script-ee.sh"
   }