Create mkosi image build pipeline
This commit is contained in:
parent
e5aaf0a42f
commit
34367ea3cc
107 changed files with 2733 additions and 105 deletions
|
@ -193,6 +193,7 @@ module "scale_set_control_plane" {
|
|||
location = var.location
|
||||
instance_type = var.instance_type
|
||||
confidential_vm = var.confidential_vm
|
||||
secure_boot = var.secure_boot
|
||||
tags = merge(local.tags, { role = "control-plane" })
|
||||
image_id = var.image_id
|
||||
user_assigned_identity = var.user_assigned_identity
|
||||
|
@ -215,6 +216,7 @@ module "scale_set_worker" {
|
|||
location = var.location
|
||||
instance_type = var.instance_type
|
||||
confidential_vm = var.confidential_vm
|
||||
secure_boot = var.secure_boot
|
||||
tags = merge(local.tags, { role = "worker" })
|
||||
image_id = var.image_id
|
||||
user_assigned_identity = var.user_assigned_identity
|
||||
|
|
|
@ -27,7 +27,7 @@ resource "azurerm_linux_virtual_machine_scale_set" "scale_set" {
|
|||
vtpm_enabled = true
|
||||
disable_password_authentication = false
|
||||
upgrade_mode = "Manual"
|
||||
secure_boot_enabled = true
|
||||
secure_boot_enabled = var.secure_boot
|
||||
source_image_id = var.image_id
|
||||
tags = var.tags
|
||||
|
||||
|
|
|
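Review bot: The default for the new `secure_boot` variable is `false` in both variables hunks (the module one at `-71,3 +71,9` and the root one at `-57,6 +57,12`), so replacing the hard-coded `secure_boot_enabled = true` here silently turns Secure Boot off for every deployment that does not set the variable. If the intent was only to make it configurable, use `default = true` in both `variable "secure_boot"` blocks, or call the behavior change out in the commit description. `vtpm_enabled = true` stays unconditional, so the vTPM measurements will presumably now reflect either Secure Boot state; worth confirming that whatever consumes them tolerates both settings. The `azurerm_linux_virtual_machine_scale_set` block starts outside the hunk.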
@ -71,3 +71,9 @@ variable "confidential_vm" {
|
|||
default = true
|
||||
description = "Whether to deploy the cluster nodes as confidential VMs."
|
||||
}
|
||||
|
||||
variable "secure_boot" {
|
||||
type = bool
|
||||
default = false
|
||||
description = "Whether to deploy the cluster nodes with secure boot."
|
||||
}
|
||||
|
|
|
@ -57,6 +57,12 @@ variable "confidential_vm" {
|
|||
description = "Whether to deploy the cluster nodes as confidential VMs."
|
||||
}
|
||||
|
||||
variable "secure_boot" {
|
||||
type = bool
|
||||
default = false
|
||||
description = "Whether to deploy the cluster nodes with secure boot."
|
||||
}
|
||||
|
||||
variable "debug" {
|
||||
type = bool
|
||||
default = false
|
||||
|
|
|
@ -59,6 +59,8 @@ module "control_plane" {
|
|||
pool = libvirt_pool.cluster.name
|
||||
boot_volume_id = libvirt_volume.constellation_coreos_image.id
|
||||
machine = var.machine
|
||||
firmware = var.firmware
|
||||
nvram = var.nvram
|
||||
name = var.name
|
||||
}
|
||||
|
||||
|
@ -74,6 +76,8 @@ module "worker" {
|
|||
pool = libvirt_pool.cluster.name
|
||||
boot_volume_id = libvirt_volume.constellation_coreos_image.id
|
||||
machine = var.machine
|
||||
firmware = var.firmware
|
||||
nvram = var.nvram
|
||||
name = var.name
|
||||
}
|
||||
|
||||
|
|
|
@ -6,10 +6,31 @@
|
|||
</xsl:copy>
|
||||
</xsl:template>
|
||||
<xsl:template match="os">
|
||||
<os firmware="efi">
|
||||
<os>
|
||||
<xsl:apply-templates select="@*|node()"/>
|
||||
</os>
|
||||
</xsl:template>
|
||||
<xsl:template match="/domain/os/loader">
|
||||
<xsl:copy>
|
||||
<!--<xsl:apply-templates select="node()|@*"/>-->
|
||||
<xsl:attribute name="secure">
|
||||
<xsl:value-of select="'yes'"/>
|
||||
</xsl:attribute>
|
||||
<xsl:attribute name="readonly">
|
||||
<xsl:value-of select="'yes'"/>
|
||||
</xsl:attribute>
|
||||
<xsl:attribute name="type">
|
||||
<xsl:value-of select="'pflash'"/>
|
||||
</xsl:attribute>
|
||||
<xsl:value-of select="."/>
|
||||
</xsl:copy>
|
||||
</xsl:template>
|
||||
<xsl:template match="/domain/features">
|
||||
<xsl:copy>
|
||||
<xsl:apply-templates select="node()|@*"/>
|
||||
<xsl:element name ="smm" />
|
||||
</xsl:copy>
|
||||
</xsl:template>
|
||||
<xsl:template match="/domain/devices/tpm/backend">
|
||||
<xsl:copy>
|
||||
<xsl:apply-templates select="node()|@*"/>
|
||||
|
|
|
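Review bot: The loader template keeps a commented-out `<!--<xsl:apply-templates select="node()|@*"/>-->` and rebuilds the element from three fixed attributes plus `<xsl:value-of select="."/>`, so any other attribute the provider set on `<loader>` is dropped. Either delete the dead comment or copy the attributes explicitly before overriding them, e.g. `<xsl:apply-templates select="@*"/>` in its place (an `xsl:attribute` after it replaces a same-named attribute, while copying `node()` too would duplicate the loader path text). The line `<xsl:element name ="smm" />` has a stray space before `=`; `<xsl:element name="smm"/>` matches the rest of the sheet. The template for `/domain/devices/tpm/backend` continues outside the hunk.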
@ -13,11 +13,16 @@ locals {
|
|||
}
|
||||
|
||||
resource "libvirt_domain" "instance_group" {
|
||||
name = "${var.name}-${var.role}-${count.index}"
|
||||
count = var.amount
|
||||
memory = var.memory
|
||||
vcpu = var.vcpus
|
||||
machine = var.machine
|
||||
name = "${var.name}-${var.role}-${count.index}"
|
||||
count = var.amount
|
||||
memory = var.memory
|
||||
vcpu = var.vcpus
|
||||
machine = var.machine
|
||||
firmware = var.firmware
|
||||
nvram {
|
||||
file = "/var/lib/libvirt/qemu/nvram/${var.role}-${count.index}_VARS.fd"
|
||||
template = var.nvram
|
||||
}
|
||||
tpm {
|
||||
backend_type = "emulator"
|
||||
backend_version = "2.0"
|
||||
|
|
|
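Review bot: The NVRAM store path `file = "/var/lib/libvirt/qemu/nvram/${var.role}-${count.index}_VARS.fd"` omits `${var.name}`, while the domain `name` a few lines above includes it, so two clusters on the same libvirt host would share and overwrite each other's UEFI variable store, including the Secure Boot state the template is meant to seed. Use the same prefix as the domain name: `file = "/var/lib/libvirt/qemu/nvram/${var.name}-${var.role}-${count.index}_VARS.fd"`. The fixed `/var/lib/libvirt/qemu/nvram/` directory is not derived from `libvirt_pool` or any variable; a one-line comment saying why that location is assumed (presumably the host's default nvram directory, to be confirmed) would help the next reader. The `libvirt_domain` resource continues outside the hunk.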
@ -48,7 +48,18 @@ variable "machine" {
|
|||
description = "machine type. use 'q35' for secure boot and 'pc' for non secure boot. See 'qemu-system-x86_64 -machine help'"
|
||||
}
|
||||
|
||||
variable "firmware" {
|
||||
type = string
|
||||
description = "path to UEFI firmware file."
|
||||
}
|
||||
|
||||
variable "nvram" {
|
||||
type = string
|
||||
description = "path to UEFI NVRAM template file. Used for secure boot."
|
||||
}
|
||||
|
||||
variable "name" {
|
||||
type = string
|
||||
description = "name prefix of the cluster VMs"
|
||||
}
|
||||
|
||||
|
|
|
@ -45,6 +45,17 @@ variable "machine" {
|
|||
description = "machine type. use 'q35' for secure boot and 'pc' for non secure boot. See 'qemu-system-x86_64 -machine help'"
|
||||
}
|
||||
|
||||
variable "firmware" {
|
||||
type = string
|
||||
default = "/usr/share/OVMF/OVMF_CODE.secboot.fd"
|
||||
description = "path to UEFI firmware file. Use \"OVMF_CODE_4M.ms.fd\" on Ubuntu and \"OVMF_CODE.secboot.fd\" on Fedora."
|
||||
}
|
||||
|
||||
variable "nvram" {
|
||||
type = string
|
||||
description = "path to UEFI NVRAM template file. Used for secure boot."
|
||||
}
|
||||
|
||||
variable "metadata_api_image" {
|
||||
type = string
|
||||
description = "container image of the QEMU metadata api server"
|
||||
|
|
|
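Review bot: The new `firmware` default `/usr/share/OVMF/OVMF_CODE.secboot.fd` is Fedora-specific and `nvram` has no default, but neither description says the two files must come from the same OVMF build, which is a common source of boot failures (for example mixing 2M and 4M images). Suggest extending the `nvram` description: `description = "path to UEFI NVRAM template file. Used for secure boot. Must come from the same OVMF build as var.firmware."`. The `firmware` description names `OVMF_CODE_4M.ms.fd` for Ubuntu without its directory; spelling out the full path there avoids a bare filename being passed through to libvirt. The `variable "metadata_api_image"` block continues outside the hunk.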
@ -97,6 +97,8 @@ type AzureVariables struct {
|
|||
ImageID string
|
||||
// ConfidentialVM sets the VM to be confidential.
|
||||
ConfidentialVM bool
|
||||
// SecureBoot sets the VM to use secure boot.
|
||||
SecureBoot bool
|
||||
// Debug is true if debug mode is enabled.
|
||||
Debug bool
|
||||
}
|
||||
|
@ -112,6 +114,7 @@ func (v *AzureVariables) String() string {
|
|||
writeLinef(b, "state_disk_type = %q", v.StateDiskType)
|
||||
writeLinef(b, "image_id = %q", v.ImageID)
|
||||
writeLinef(b, "confidential_vm = %t", v.ConfidentialVM)
|
||||
writeLinef(b, "secure_boot = %t", v.SecureBoot)
|
||||
writeLinef(b, "debug = %t", v.Debug)
|
||||
|
||||
return b.String()
|
||||
|
@ -140,6 +143,10 @@ type QEMUVariables struct {
|
|||
// In case of unix socket, this should be "qemu:///system".
|
||||
// Other wise it should be the same as LibvirtURI.
|
||||
MetadataLibvirtURI string
|
||||
// NVRAM is the path to the NVRAM template.
|
||||
NVRAM string
|
||||
// Firmware is the path to the firmware.
|
||||
Firmware string
|
||||
}
|
||||
|
||||
// String returns a string representation of the variables, formatted as Terraform variables.
|
||||
|
@ -154,6 +161,17 @@ func (v *QEMUVariables) String() string {
|
|||
writeLinef(b, "memory = %d", v.MemorySizeMiB)
|
||||
writeLinef(b, "metadata_api_image = %q", v.MetadataAPIImage)
|
||||
writeLinef(b, "metadata_libvirt_uri = %q", v.MetadataLibvirtURI)
|
||||
switch v.NVRAM {
|
||||
case "production":
|
||||
b.WriteString("nvram = \"/usr/share/OVMF/constellation_vars.production.fd\"\n")
|
||||
case "testing":
|
||||
b.WriteString("nvram = \"/usr/share/OVMF/constellation_vars.testing.fd\"\n")
|
||||
default:
|
||||
writeLinef(b, "nvram = %q", v.NVRAM)
|
||||
}
|
||||
if v.Firmware != "" {
|
||||
writeLinef(b, "firmware = %q", v.Firmware)
|
||||
}
|
||||
|
||||
return b.String()
|
||||
}
|
||||
|
|
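Review bot: In `QEMUVariables.String`, the `"production"` and `"testing"` cases emit the whole `nvram = "..."` line through `b.WriteString`, while every other field goes through `writeLinef(b, ... %q ...)`; `writeLinef(b, "nvram = %q", "/usr/share/OVMF/constellation_vars.production.fd")` (and likewise for testing) keeps a single quoting path and reads consistently with the `default:` branch. The `NVRAM` field comment in the struct hunk, `// NVRAM is the path to the NVRAM template.`, does not mention these two aliases; suggest `// NVRAM is the path to the NVRAM template, or one of the aliases "production" / "testing" that select the bundled templates.`. Both `String` methods start outside their hunks.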