diff --git a/tools/iso_builder/Makefile b/tools/iso_builder/Makefile index cd39df55..72e0a847 100644 --- a/tools/iso_builder/Makefile +++ b/tools/iso_builder/Makefile @@ -4,6 +4,8 @@ ARCH ?= x86_64 PULL_SECRET_FILE ?= ./pull-secret.json RELEASE_IMAGE_URL ?= RELEASE_IMAGE_VERSION ?= +MIRROR_PATH ?= +REGISTRY_CERT ?= ifdef RELEASE_IMAGE_VERSION RELEASE_FLAG := --ocp-version @@ -25,7 +27,7 @@ clean-appliance-temp-dir: hack/cleanup.sh clean-appliance-temp-dir build-ove-iso: - hack/build-ove-image.sh $(RELEASE_FLAG) $(RELEASE_VALUE) --pull-secret-file $(PULL_SECRET_FILE) + hack/build-ove-image.sh $(RELEASE_FLAG) $(RELEASE_VALUE) --pull-secret-file $(PULL_SECRET_FILE) $(if $(MIRROR_PATH),--mirror-path $(MIRROR_PATH)) $(if $(REGISTRY_CERT),--registry-cert $(REGISTRY_CERT)) build-ove-iso-container: # Build the container with specific capabilities to support podman used by openshift-appliance diff --git a/tools/iso_builder/hack/build-ove-image.sh b/tools/iso_builder/hack/build-ove-image.sh index 51a38171..4b0cebb8 100755 --- a/tools/iso_builder/hack/build-ove-image.sh +++ b/tools/iso_builder/hack/build-ove-image.sh @@ -12,6 +12,8 @@ export RELEASE_IMAGE_VERSION="" export RELEASE_IMAGE_URL="" export ARCH="" export DIR_PATH="" +export MIRROR_PATH="" +export REGISTRY_CERT="" # Check user provided params [[ $# -lt 2 ]] && usage 
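Review bot: In the `build-ove-iso` recipe of tools/iso_builder/Makefile, `$(MIRROR_PATH)` and `$(REGISTRY_CERT)` are expanded into the shell command unquoted, so a value containing spaces is split into several arguments and one containing shell metacharacters is interpreted by the recipe shell. Quote the expansions: `$(if $(MIRROR_PATH),--mirror-path '$(MIRROR_PATH)')` and `$(if $(REGISTRY_CERT),--registry-cert '$(REGISTRY_CERT)')`. The existing `$(PULL_SECRET_FILE)` on the same line has the same gap and could be quoted in the same change.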
@@ -62,9 +64,34 @@ EOF function build_live_iso() { if [ ! -f "${appliance_work_dir}"/appliance.iso ]; then - local appliance_image=registry.ci.openshift.org/ocp/${major_minor_version}:agent-preinstall-image-builder + #local appliance_image=registry.ci.openshift.org/ocp/${major_minor_version}:agent-preinstall-image-builder + local appliance_image=quay.io/rwsu1/openshift-appliance:dev-scripts echo "Building appliance ISO (image: ${appliance_image})" - $SUDO podman run --authfile "${PULL_SECRET_FILE}" --rm -it --privileged --pull always --net=host -v "${appliance_work_dir}"/:/assets:Z "${appliance_image}" build live-iso --log-level debug + + # Build the podman run command with optional mirror path + local podman_cmd="$SUDO podman run --authfile \"${PULL_SECRET_FILE}\" --rm -it --privileged --pull always --net=host -v \"${appliance_work_dir}\"/:/assets:Z" + local appliance_cmd="build live-iso --log-level debug" + + # Add mirror path mount and flag if provided + if [[ -n "${MIRROR_PATH}" ]]; then + echo "Using pre-mirrored images from: ${MIRROR_PATH}" + podman_cmd="${podman_cmd} -v \"${MIRROR_PATH}\":/mirror:Z" + appliance_cmd="${appliance_cmd} --mirror-path /mirror" + fi + + # Add registry certificate mount if provided (for custom registries with self-signed certs) + if [[ -n "${REGISTRY_CERT}" ]]; then + echo "Mounting registry certificate for TLS verification: ${REGISTRY_CERT}" + podman_cmd="${podman_cmd} -v \"${REGISTRY_CERT}\":/etc/pki/ca-trust/source/anchors/registry.crt:Z,ro" + # Override entrypoint to run update-ca-trust before openshift-appliance + # Must include --dir assets as it's in the original entrypoint + podman_cmd="${podman_cmd} --entrypoint sh" + appliance_cmd="-c 'update-ca-trust && /openshift-appliance --dir assets ${appliance_cmd}'" + fi + + set -x + eval "${podman_cmd} \"${appliance_image}\" ${appliance_cmd}" + set +x else echo "Skip building appliance ISO. Reusing ${appliance_work_dir}/appliance.iso." fi 
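Review bot: The `eval "${podman_cmd} ..."` call in `build_live_iso` re-parses `PULL_SECRET_FILE`, `appliance_work_dir`, `MIRROR_PATH` and `REGISTRY_CERT` as shell source, so a path containing `"`, a backtick or `$(...)` is executed on the host with whatever privilege `$SUDO` confers; the `-d`/`-f` checks added to `validate_inputs` do not exclude such names. Building the arguments as bash arrays and calling podman directly removes the second parse and the nested quoting around `sh -c`, as sketched below. Separately, the hunk replaces the `registry.ci.openshift.org` builder image with `quay.io/rwsu1/openshift-appliance:dev-scripts`, a mutable tag in what looks like a personal namespace, which is run `--privileged --net=host` with `--pull always`. Before merge this should go back to the release-derived image or become an overridable variable pinned by digest. The function body continues outside the hunk.

```bash
local -a podman_args=(run --authfile "${PULL_SECRET_FILE}" --rm -it --privileged --pull always --net=host -v "${appliance_work_dir}/:/assets:Z")
local -a appliance_args=(build live-iso --log-level debug)

if [[ -n "${MIRROR_PATH}" ]]; then
  # … unchanged: echo "Using pre-mirrored images from: …" …
  podman_args+=(-v "${MIRROR_PATH}:/mirror:Z")
  appliance_args+=(--mirror-path /mirror)
fi

if [[ -n "${REGISTRY_CERT}" ]]; then
  # … unchanged: echo "Mounting registry certificate …" …
  podman_args+=(-v "${REGISTRY_CERT}:/etc/pki/ca-trust/source/anchors/registry.crt:Z,ro" --entrypoint sh)
  # The original arguments reach the wrapper as "$@", so nothing is spliced into the sh -c string
  appliance_args=(-c 'update-ca-trust && /openshift-appliance --dir assets "$@"' sh "${appliance_args[@]}")
fi

# … unchanged: set -x / set +x around the call …
$SUDO podman "${podman_args[@]}" "${appliance_image}" "${appliance_args[@]}"
```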
diff --git a/tools/iso_builder/hack/helper.sh b/tools/iso_builder/hack/helper.sh index 9f7fc543..aefb1a42 100644 --- a/tools/iso_builder/hack/helper.sh +++ b/tools/iso_builder/hack/helper.sh @@ -6,14 +6,14 @@ set -euo pipefail function parse_inputs() { while [[ "$#" -gt 0 ]]; do case $1 in - --release-image-url) + --release-image-url) if [[ -n "$RELEASE_IMAGE_VERSION" ]]; then echo "Error: Cannot specify both --release-image-url and --ocp-version." >&2 usage exit 1 fi RELEASE_IMAGE_URL="$2"; shift ;; - --ocp-version) + --ocp-version) if [[ -n "$RELEASE_IMAGE_URL" ]]; then echo "Error: Cannot specify both --release-image-url and --ocp-version." >&2 usage @@ -23,9 +23,11 @@ function parse_inputs() { --arch) ARCH="$2"; shift ;; --pull-secret-file) PULL_SECRET_FILE="$2"; shift ;; --ssh-key-file) SSH_KEY_FILE="$2"; shift ;; + --mirror-path) MIRROR_PATH="$2"; shift ;; + --registry-cert) REGISTRY_CERT="$2"; shift ;; --dir) DIR_PATH="$2"; shift ;; --step) STEP="$2"; shift ;; - *) + *) echo "Unknown parameter: $1" >&2 usage exit 1 ;; @@ -70,6 +72,16 @@ function validate_inputs() { exit 1 fi + if [[ -n "$REGISTRY_CERT" && ! -f "$REGISTRY_CERT" ]]; then + echo "Error: Registry certificate file $REGISTRY_CERT does not exist." >&2 + exit 1 + fi + + if [[ -n "$MIRROR_PATH" && ! -d "$MIRROR_PATH" ]]; then + echo "Error: Mirror path $MIRROR_PATH does not exist or is not a directory." >&2 + exit 1 + fi + if [[ -z "${DIR_PATH:-}" ]]; then DIR_PATH="/tmp/iso_builder" echo "Directory path not specified. Using default location: $DIR_PATH." 
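Review bot: The new `-f`/`-d` checks in `validate_inputs` accept relative paths, but both values are later passed to `podman run -v`, where a source that does not start with `/` or `.` is treated as a named volume rather than a host path, so `--mirror-path mirror` would pass validation and then mount an empty volume instead of the mirror directory. Resolving the values once the checks pass avoids that: `MIRROR_PATH="$(realpath "$MIRROR_PATH")"` and `REGISTRY_CERT="$(realpath "$REGISTRY_CERT")"`. Because the mounts use `:Z`, it is also worth refusing broad directories such as `/` or a home directory, since the SELinux relabel applies recursively to the host path. `validate_inputs` starts and ends outside this hunk.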
@@ -155,6 +167,8 @@ function usage() { echo " --arch Target CPU architecture (default: x86_64)" echo " --ssh-key-file Path to the SSH key file (e.g., ~/.ssh/id_rsa)" echo " --dir Path for ISOBuilder assets (default: /tmp/iso_builder)" + echo " --mirror-path Path to pre-mirrored images (skips oc-mirror if provided)" + echo " --registry-cert Path to registry certificate for custom registries with self-signed certs" echo " --step Control the steps that will be invoked, options are all, configure, and create-iso (default: all)" echo "" echo "Examples:"