Use metal_stack_release_vector module (#247)

Gerrit91 · web-flow · commit d4a2b3ee3a2f · 2025-11-21T15:46:55.000+01:00
diff --git a/compose.yaml b/compose.yaml
@@ -14,6 +14,7 @@ services:
       # - ${HOME}/git/github.com/metal-stack/helm-charts:/helm-charts:ro
     environment:
       - ANSIBLE_CONFIG=/mini-lab/ansible.cfg
+      - ANSIBLE_INVENTORY=inventories/control-plane.yaml
       - KUBECONFIG=/mini-lab/.kubeconfig
       - K8S_AUTH_KUBECONFIG=/mini-lab/.kubeconfig
       - CI=${CI}
@@ -26,13 +27,9 @@ services:
       - /bin/bash
       - -ce
       - |
-        ansible-playbook \
-          -i inventories/control-plane.yaml \
-          obtain_role_requirements.yaml
-        ansible-galaxy install --ignore-errors -r requirements.yaml
-        ansible-playbook \
-          -i inventories/control-plane.yaml \
-          deploy_control_plane.yaml --extra-vars "@.extra_vars.yaml"
+        cosign verify --key files/cosign.pub ghcr.io/metal-stack/metal-deployment-base:${DEPLOYMENT_BASE_IMAGE_TAG}
+        ansible -m metalstack.base.metal_stack_release_vector localhost --extra-vars "@.extra_vars.yaml"
+        ansible-playbook deploy_control_plane.yaml --extra-vars "@.extra_vars.yaml"
 
   partition:
     image: ghcr.io/metal-stack/metal-deployment-base:${DEPLOYMENT_BASE_IMAGE_TAG}
@@ -47,6 +44,7 @@ services:
       # - ${HOME}/.ansible/roles/metal-ansible-modules:/root/.ansible/roles/metal-ansible-modules:ro
     environment:
       - ANSIBLE_CONFIG=/mini-lab/ansible.cfg
+      - ANSIBLE_INVENTORY=inventories/partition.yaml,clab-mini-lab/ansible-inventory.yml
       - CI=${CI}
       - DOCKER_HUB_USER=${DOCKER_HUB_USER}
       - DOCKER_HUB_TOKEN=${DOCKER_HUB_TOKEN}
@@ -56,14 +54,9 @@ services:
       - /bin/bash
       - -ce
       - |
-        ansible-playbook \
-          -i inventories/control-plane.yaml \
-          obtain_role_requirements.yaml
-        ansible-galaxy install --ignore-errors -r requirements.yaml
-        ansible-playbook \
-          -i inventories/partition.yaml \
-          -i clab-mini-lab/ansible-inventory.yml \
-          deploy_partition.yaml --extra-vars "@.extra_vars.yaml"
+        cosign verify --key files/cosign.pub ghcr.io/metal-stack/metal-deployment-base:${DEPLOYMENT_BASE_IMAGE_TAG}
+        ansible -m metalstack.base.metal_stack_release_vector localhost --extra-vars "@.extra_vars.yaml"
+        ansible-playbook deploy_partition.yaml --extra-vars "@.extra_vars.yaml"
 
   metalctl:
     image: ghcr.io/metal-stack/metalctl:${METALCTL_IMAGE_TAG}
diff --git a/env.sh b/env.sh
@@ -8,7 +8,7 @@ yq_shell() {
   docker run --rm -i -v ${PWD}:/workdir mikefarah/yq:3 /bin/sh -c "$@"
 }
 
-METAL_STACK_RELEASE_VERSION=$(yq_shell "yq r inventories/group_vars/all/images.yaml 'metal_stack_release_version'")
+METAL_STACK_RELEASE_VERSION=$(yq_shell "yq r inventories/group_vars/all/release_vector.yaml 'metal_stack_release_version'")
 RELEASE_YAML=$(curl -s https://raw.githubusercontent.com/metal-stack/releases/${METAL_STACK_RELEASE_VERSION}/release.yaml)
 METALCTL_IMAGE_TAG=$(yq_shell "echo \"${RELEASE_YAML}\" | yq r - docker-images.metal-stack.control-plane.metalctl.tag")
 DEPLOYMENT_BASE_IMAGE_TAG=$(yq_shell "echo \"${RELEASE_YAML}\" | yq r - docker-images.metal-stack.generic.deployment-base.tag")
diff --git a/files/cosign.pub b/files/cosign.pub
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEdeAXd2namgVNDT0APmogKGwaV+Q4
+rfe4uVgmsyBbb6TrhX5Py6x1PsonDahTvdVpbSGC7QGEjxIHdi8HnJ4Okg==
+-----END PUBLIC KEY-----
diff --git a/inventories/group_vars/all/release_vector.yaml b/inventories/group_vars/all/release_vector.yaml
@@ -1,9 +1,11 @@
 ---
 metal_stack_release_version: develop
 
-setup_yaml:
-  - url: https://raw.githubusercontent.com/metal-stack/releases/{{ metal_stack_release_version }}/release.yaml
-    meta_var: metal_stack_release
+metal_stack_release_vectors:
+  - url: oci://ghcr.io/metal-stack/releases:{{ metal_stack_release_version }}
+    variable_mapping_path: metal_stack_release.mapping
+    include_role_defaults: metal-roles/common/roles/defaults
+    oci_cosign_verify_key: "{{ lookup('file', 'cosign.pub') }}"
 
 ##
 ## for development purposes, you can override releases from our image vector here
diff --git a/obtain_role_requirements.yaml b/obtain_role_requirements.yaml

Original file line number	Diff line number	Diff line change
`@@ -8,7 +8,7 @@ yq_shell() {`
`8`	`8`	`docker run --rm -i -v ${PWD}:/workdir mikefarah/yq:3 /bin/sh -c "$@"`
`9`	`9`	`}`
`10`	`10`
`11`		`-METAL_STACK_RELEASE_VERSION=$(yq_shell "yq r inventories/group_vars/all/images.yaml 'metal_stack_release_version'")`
	`11`	`+METAL_STACK_RELEASE_VERSION=$(yq_shell "yq r inventories/group_vars/all/release_vector.yaml 'metal_stack_release_version'")`
`12`	`12`	`RELEASE_YAML=$(curl -s https://raw.githubusercontent.com/metal-stack/releases/${METAL_STACK_RELEASE_VERSION}/release.yaml)`
`13`	`13`	`METALCTL_IMAGE_TAG=$(yq_shell "echo \"${RELEASE_YAML}\" \| yq r - docker-images.metal-stack.control-plane.metalctl.tag")`
`14`	`14`	`DEPLOYMENT_BASE_IMAGE_TAG=$(yq_shell "echo \"${RELEASE_YAML}\" \| yq r - docker-images.metal-stack.generic.deployment-base.tag")`