ci-operator/openshift/os: Re-enable nightly RHCOS builds

ci-operator/config/openshift/os/openshift-os-master__periodic.yaml

@@ -0,0 +1,136 @@
+base_images:
+  coreos_coreos-assembler_latest:
+    name: coreos-assembler
+    namespace: coreos
+    tag: latest
+build_root:
+  image_stream_tag:
+    name: fcos-buildroot
+    namespace: coreos
+    tag: testing-devel
+images:
+- dockerfile_literal: |
+    # Container image that has COSA + source code
+    FROM registry.svc.ci.openshift.org/coreos/coreos-assembler:latest
+    WORKDIR /src
+    # Tell the build scripts that we have setup a directory for unprivileged build
+    ENV COSA_DIR=/tmp/cosa
+    RUN mkdir -p "${COSA_DIR}"
+    # Prow doesn't support emptydir for jobs today
+    ENV COSA_SKIP_OVERLAY=1
+    # Copy the source code
+    COPY . .
+    # Setup ownership for /src & $COSA_DIR. This is required for:
+    # - Builds that run during the build phase under the builder user
+    # - Builds that run during test jobs under a random non root user but with
+    #   the root group.
+    USER root
+    RUN chgrp -Rf root "${COSA_DIR}" && \
+        chmod -Rf g+w "${COSA_DIR}" && \
+        chown -R builder:builder /src && \
+        chmod -R a+rX /src
+    # Go back to unprivileged user for COSA
+    USER builder
+    WORKDIR /tmp/cosa
+  inputs:
+    coreos_coreos-assembler_latest:
+      as:
+      - registry.svc.ci.openshift.org/coreos/coreos-assembler:latest
+  to: build-image
+- dockerfile_literal: |
+    # Container image used to build RHCOS in Prow build step to be able to push
+    # it and use it as a native container image for other jobs in Prow CI.
+    #
+    # This stage thus builds the RHCOS OCI image just like the test jobs do
+    # before the tests. However, due to limitations within OpenShift CI, we
+    # need to do the following:
+    # 1. Disable KVM by using the COSA_NO_KVM env var. This is due to OpenShift
+    # CI using the default OpenShift Docker Build strategy, which precludes us
+    # from mounting /dev/kvm into the build context.
+    # 2. Due to a limitation in the version of Buildah that OpenShift Builds
+    # uses (at the time of this writing, it uses a v1.23.z version of Buildah),
+    # we cannot mount the build context into the container build (e.g., `RUN
+    # --mount=type=bind,rw=true,src=.,dst=/buildcontext,bind-propagation=shared
+    # <cmd>`), which would allow it to mutate the build context. This is due to
+    # https://github.com/containers/buildah/pull/3548 not being present.
+    # For now, this necessitates passing this image into the cosa-build image
+    # build below to extract the OCI archive and inject it into the
+    # ImageStream. However, once the OpenShift CI system is upgraded to use
+    # OpenShift 4.11, we can create the RHCOS image in a single shot via this
+    # stage.
+    FROM build-image:latest as base
+    ENV COSA_NO_KVM=1
+    # TODO: Remove me once https://github.com/openshift/os/pull/882 is merged
+    ENV RHELVER="rhel-8.6"
+    # We need to reduce the size of this image because we can run out of space
+    # on the underlying volume when the layer is committed. All we care about
+    # is the rhcos.x86_64.ociarchive file.
+    # 1. Run only the ostree build step
+    # 2. Keep only the OCI archive
+    # 3. Clean-up the cache
+    RUN /src/ci/prow-entrypoint.sh build && \
+        /src/ci/simplify-ociarchive-path.sh && \
+        mv /tmp/cosa/builds/latest/x86_64/rhcos.x86_64.ociarchive /tmp/cosa/rhcos.x86_64.ociarchive && \
+        rm -rf /tmp/cosa/builds /tmp/cosa/cache
+
+    # We don't need the rest of the build-image container, so we copy the OCI
+    # archive into its own scratch image in preparation for extraction.
+    FROM scratch
+    COPY --from=base /tmp/cosa/rhcos.x86_64.ociarchive /tmp/cosa/rhcos.x86_64.ociarchive
+  inputs:
+    build-image:
+      as:
+      - build-image:latest
+  to: oci-archive
+- dockerfile_literal: |
+    # This extracts the OCI archive from the oci-archive image, injects it into
+    # the build context, and then uses that OCI archive as this image.
+    # This makes use of the following:
+    # - OpenShift Image Builds allows one to pass in a path from another
+    # container image. It places this under /tmp/build/inputs/<path>. See:
+    # https://github.com/openshift/builder/blob/37525a77fa07e26c420962dee47193d672ef0b35/pkg/build/builder/common.go#L72
+    # - Buildah allows one to use oci-archive as a transport. See:
+    # https://www.redhat.com/sysadmin/7-transports-features
+    # - Utilizing the above features in concert with one another and using an
+    # absolute path to refer to the OCI archive in the build context allows us
+    # to "import" the OCI archive into the CI ImageStream.
+    FROM oci-archive:/tmp/build/inputs/magic/cosa/rhcos.x86_64.ociarchive
+  inputs:
+    oci-archive:
+      paths:
+      - destination_dir: magic
+        source_path: /tmp/cosa
+  to: machine-os-oci-content
+promotion:
+  additional_images:
+    rhel-coreos: machine-os-oci-content
+  excluded_images:
+  - '*'
+  namespace: rhcos-devel
+  tag: latest
+releases:
+  initial:
+    integration:
+      name: "4.12"
+      namespace: ocp
+  latest:
+    integration:
+      include_built_images: true
+      name: "4.12"
+      namespace: ocp
+resources:
+  '*':
+    requests:
+      cpu: 2000m
+      memory: 4Gi
+tests:
+- as: validate-machine-os-oci-image
+  commands: cat /etc/os-release
+  container:
+    from: machine-os-oci-content
+  cron: '@daily'
+zz_generated_metadata:
+  branch: master
+  org: openshift
+  repo: os
+  variant: periodic

ci-operator/jobs/openshift/os/openshift-os-master-periodics.yaml

@@ -0,0 +1,50 @@
+periodics:
+- agent: kubernetes
+  cluster: build01
+  cron: 38 0 * * *
+  decorate: true
+  decoration_config:
+    skip_cloning: true
+  extra_refs:
+  - base_ref: master
+    org: openshift
+    repo: os
+  labels:
+    ci-operator.openshift.io/variant: periodic
+    ci.openshift.io/generator: prowgen
+    pj-rehearse.openshift.io/can-be-rehearsed: "true"
+  name: periodic-ci-openshift-os-master-periodic-validate-machine-os-oci-image
+  spec:
+    containers:
+    - args:
+      - --gcs-upload-secret=/secrets/gcs/service-account.json
+      - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
+      - --report-credentials-file=/etc/report/credentials
+      - --target=validate-machine-os-oci-image
+      - --variant=periodic
+      command:
+      - ci-operator
+      image: ci-operator:latest
+      imagePullPolicy: Always
+      name: ""
+      resources:
+        requests:
+          cpu: 10m
+      volumeMounts:
+      - mountPath: /secrets/gcs
+        name: gcs-credentials
+        readOnly: true
+      - mountPath: /etc/pull-secret
+        name: pull-secret
+        readOnly: true
+      - mountPath: /etc/report
+        name: result-aggregator
+        readOnly: true
+    serviceAccountName: ci-operator
+    volumes:
+    - name: pull-secret
+      secret:
+        secretName: registry-pull-credentials
+    - name: result-aggregator
+      secret:
+        secretName: result-aggregator

ci-operator/jobs/openshift/os/openshift-os-master-postsubmits.yaml

@@ -54,3 +54,60 @@ postsubmits:
       - name: result-aggregator
         secret:
           secretName: result-aggregator
+  - agent: kubernetes
+    always_run: true
+    branches:
+    - ^master$
+    cluster: build03
+    decorate: true
+    decoration_config:
+      skip_cloning: true
+    labels:
+      ci-operator.openshift.io/is-promotion: "true"
+      ci-operator.openshift.io/variant: periodic
+      ci.openshift.io/generator: prowgen
+    max_concurrency: 1
+    name: branch-ci-openshift-os-master-periodic-images
+    spec:
+      containers:
+      - args:
+        - --gcs-upload-secret=/secrets/gcs/service-account.json
+        - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
+        - --image-mirror-push-secret=/etc/push-secret/.dockerconfigjson
+        - --promote
+        - --report-credentials-file=/etc/report/credentials
+        - --target=[images]
+        - --target=machine-os-oci-content
+        - --variant=periodic
+        command:
+        - ci-operator
+        image: ci-operator:latest
+        imagePullPolicy: Always
+        name: ""
+        resources:
+          requests:
+            cpu: 10m
+        volumeMounts:
+        - mountPath: /secrets/gcs
+          name: gcs-credentials
+          readOnly: true
+        - mountPath: /etc/pull-secret
+          name: pull-secret
+          readOnly: true
+        - mountPath: /etc/push-secret
+          name: push-secret
+          readOnly: true
+        - mountPath: /etc/report
+          name: result-aggregator
+          readOnly: true
+      serviceAccountName: ci-operator
+      volumes:
+      - name: pull-secret
+        secret:
+          secretName: registry-pull-credentials
+      - name: push-secret
+        secret:
+          secretName: registry-push-credentials-ci-central
+      - name: result-aggregator
+        secret:
+          secretName: result-aggregator

ci-operator/jobs/openshift/os/openshift-os-master-presubmits.yaml

@@ -50,6 +50,58 @@ presubmits:
         secret:
           secretName: result-aggregator
     trigger: (?m)^/test( | .* )images,?($|\s.*)
+  - agent: kubernetes
+    always_run: true
+    branches:
+    - ^master$
+    - ^master-
+    cluster: build03
+    context: ci/prow/periodic-images
+    decorate: true
+    decoration_config:
+      skip_cloning: true
+    labels:
+      ci-operator.openshift.io/variant: periodic
+      ci.openshift.io/generator: prowgen
+      pj-rehearse.openshift.io/can-be-rehearsed: "true"
+    name: pull-ci-openshift-os-master-periodic-images
+    rerun_command: /test periodic-images
+    spec:
+      containers:
+      - args:
+        - --gcs-upload-secret=/secrets/gcs/service-account.json
+        - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
+        - --report-credentials-file=/etc/report/credentials
+        - --target=[images]
+        - --target=machine-os-oci-content
+        - --variant=periodic
+        command:
+        - ci-operator
+        image: ci-operator:latest
+        imagePullPolicy: Always
+        name: ""
+        resources:
+          requests:
+            cpu: 10m
+        volumeMounts:
+        - mountPath: /secrets/gcs
+          name: gcs-credentials
+          readOnly: true
+        - mountPath: /etc/pull-secret
+          name: pull-secret
+          readOnly: true
+        - mountPath: /etc/report
+          name: result-aggregator
+          readOnly: true
+      serviceAccountName: ci-operator
+      volumes:
+      - name: pull-secret
+        secret:
+          secretName: registry-pull-credentials
+      - name: result-aggregator
+        secret:
+          secretName: result-aggregator
+    trigger: (?m)^/test( | .* )periodic-images,?($|\s.*)
   - agent: kubernetes
     always_run: false
     branches: