add workflow

update workflow

add default value to workflow inputs

update workflow

testing default values

test run

update workflow

update

pin ansible version

ansible ver

ansible ver

ansible-core ver

update workflow

update

remove custom role (temporary)

add azure build step

add SP login

update azure envs

fix typo

add cache

add key

testing azure

add gh token

fix cache

update workflow

seperate jobs

update

update

logs

remove cahce from azure

test

update

update

fix typo

add artifact upload

update store step

update path

add store workflow

add input

add install openstckclient

fix

fix command

add image-builder workflow

fix branch name

testing sed

typo

create tag

quotes

echo

fix

add docker login

update openstack to use container

remove checkout

change workflow

update .dockerignore

update workflow

add option

testing

binbash

hostname

test

test

try

deps

testing

testing

typo

test

enable kvm

add logs

env

TEST

test

mount

mount change

mount change

kvm

testing upload artifact

update mount

rw

add user

mdkir

privileged

test

testing

enable azure

add elastx store

update storing

inherit secrets

fix naming

add safespring store

add safespring store

change auth safespring

verbose

change openstack

final

add sshca role

testing

enable image builder

update builder

add sshca role

build new image

run build

add volume

testing

add docker image

add envs

final1

Author: vomba

.github/workflows/build-azure-capi-image.yml

@@ -0,0 +1,81 @@
+name: Build Azure CAPI VM image
+
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: Kuberentes version
+        required: true
+        type: string
+      tag:
+        description: ck8s-capi tag
+        required: true
+        type: string
+  workflow_call:
+    inputs:
+      version:
+        description: Kubernetes version
+        required: true
+        type: string
+
+      tag:
+        description: ck8s-capi tag
+        required: true
+        type: string
+
+env:
+  version: ${{ inputs.version }}
+  tag: ${{ inputs.tag }}
+  docker_image: "ghcr.io/elastisys/image-builder-amd64:Automate-production-of-CAPI-VM-images-09c9dac9dc61dc069b72ac55e654cbe1a9190911"
+
+defaults:
+  run:
+    working-directory: ./images/capi
+    shell: bash
+
+jobs:
+  build-image:
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v5
+
+      - name: replace variables
+        run: |
+          package="${version}-1.1"
+          series="${version%.*}"
+
+          sed -r \
+            -e "s/\\\$KUBERNETES_SERIES/${series}/" \
+            -e "s/\\\$KUBERNETES_VERSION/${version}/" \
+            -e "s/\\\$KUBERNETES_DEB_VERSION/${package}/" \
+            -e "s/\\\$IMAGE_TAG/${tag}/" \
+            <"template.json" >"kubernetes.json"
+
+      - name: build azure image
+        run: |
+          image_name="ubuntu-2404-kube-${version%%-*}-ck8s-capi-${tag}"
+
+          export SIG_IMAGE_DEFINITION="${image_name}"
+          export SIG_PUBLISHER="elastisys"
+          export SIG_OFFER="ck8s-capi"
+          export SIG_SKU="${image_name}"
+
+          docker run -i --rm \
+          -e PACKER_VAR_FILES -e PACKER_GITHUB_API_TOKEN=${{ secrets.GITHUB_TOKEN }} \
+          -e SIG_IMAGE_DEFINITION -e SIG_PUBLISHER -e SIG_OFFER -e SIG_SKU \
+          -e AZURE_SUBSCRIPTION_ID -e AZURE_CLIENT_ID -e AZURE_CLIENT_SECRET -e AZURE_TENANT_ID -e AZURE_LOCATION \
+          -e RESOURCE_GROUP_NAME -e GALLERY_NAME -e BUILD_RESOURCE_GROUP_NAME \
+          -v ${{ github.workspace }}/images/capi:/tmp/host \
+          ${{ env.docker_image }} build-azure-sig-ubuntu-2404-gen2
+
+        env:
+          PACKER_VAR_FILES: /tmp/host/kubernetes.json
+          AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID}}
+          AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
+          AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
+          AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+          AZURE_LOCATION: ${{ secrets.AZURE_LOCATION }}
+          RESOURCE_GROUP_NAME: ${{ secrets.RESOURCE_GROUP_NAME }}
+          GALLERY_NAME: ${{ secrets.GALLERY_NAME }}
+          BUILD_RESOURCE_GROUP_NAME: ${{ secrets.RESOURCE_GROUP_NAME }}

.github/workflows/build-capi-vm-images.yml

@@ -0,0 +1,47 @@
+name: Build CAPI VM image with manual input
+
+on:
+  # push:
+    
+  workflow_dispatch:
+    inputs:
+      version:
+        description: k8s version
+        required: true
+        type: string
+        default: "1.33.1"
+      tag:
+        description: ck8s capi version
+        required: true
+        type: string
+        default: "0.8"
+
+env:
+  PACKER_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+jobs:
+  build-azure-image:
+    uses: ./.github/workflows/build-azure-capi-image.yml
+    with:
+      version: ${{ inputs.version || '1.33.1' }}
+      tag: ${{ inputs.tag || '0.8' }}
+    secrets: inherit
+  build-openstack-image:
+    uses: ./.github/workflows/build-openstack-capi-image.yml
+    with:
+      version: ${{ inputs.version || '1.33.1' }}
+      tag: ${{ inputs.tag || '0.8' }}
+  store-openstack-image-elastx:
+    uses: ./.github/workflows/store-openstack-capi-image-elastx.yml
+    needs: build-openstack-image
+    with:
+      version: ${{ inputs.version || '1.33.1' }}
+      tag: ${{ inputs.tag || '0.8' }}
+    secrets: inherit
+  # store-openstack-image-safespring:
+  #   uses: ./.github/workflows/store-openstack-capi-image-safespring.yml
+  #   needs: build-openstack-image
+  #   with:
+  #     version: ${{ inputs.version || '1.33.1' }}
+  #     tag: ${{ inputs.tag || '0.8' }}
+  #   secrets: inherit

.github/workflows/build-image-builder.yml

@@ -0,0 +1,46 @@
+name: Build CAPI image builder
+
+on:
+  push:
+    branches:
+      - main
+  # pull_request:
+    
+env:
+  IMAGE_NAME: image-builder
+  REGISTRY: ghcr.io/elastisys
+
+jobs:
+  build-image-builder:
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@v5
+
+      - name: get tag
+        id: get-tag
+        run: |
+          if [ "${{ github.event_name }}" == "pull_request" ]; then
+            PR_TITLE="${{ github.event.pull_request.title }}"
+            PR_TAG=$(echo "${PR_TITLE}" | sed -e 's/ /-/g')
+            echo "TAG=${PR_TAG}-${{ github.sha }}" >> $GITHUB_OUTPUT
+          else
+            echo "TAG=${GITHUB_REF##*/}-${{ github.sha }}" >> $GITHUB_OUTPUT
+          fi
+        shell: bash
+
+      - name: 'Login to GitHub Container Registry'
+        uses: docker/login-action@v1
+        with:
+          registry: ghcr.io
+          username: ${{github.actor}}
+          password: ${{secrets.GITHUB_TOKEN}}
+
+      - name: run make docker-build
+        run: make docker-build
+        env:
+          TAG: ${{ steps.get-tag.outputs.TAG }}
+
+      - name: run make docker-push
+        run: make docker-push
+        env:
+          TAG: ${{ steps.get-tag.outputs.TAG }}

.github/workflows/build-openstack-capi-image.yml

@@ -0,0 +1,77 @@
+name: Build OpenStack VM CAPI image
+
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: Kubernetes version
+        required: true
+        type: string
+      tag:
+        description: ck8s-capi tag
+        required: true
+        type: string
+  workflow_call:
+    inputs:
+      version:
+        description: Kubernetes version
+        required: true
+        type: string
+      tag:
+        description: ck8s-capi tag
+        required: true
+        type: string
+
+env:
+  version: ${{ inputs.version }}
+  tag: ${{ inputs.tag }}
+  docker_image: "ghcr.io/elastisys/image-builder-amd64:Automate-production-of-CAPI-VM-images-7461dbd4e9c3a972cf73d93904f1472270e5af99"
+
+defaults:
+  run:
+    working-directory: ./images/capi
+    shell: bash
+
+jobs:
+  build-image:
+    runs-on: ubuntu-24.04
+
+    steps:
+      - uses: actions/checkout@v5
+
+      - name: Enable KVM
+        run: |
+          echo 'KERNEL=="kvm", GROUP="kvm", MODE="0666", OPTIONS+="static_node=kvm"' | sudo tee /etc/udev/rules.d/99-kvm4all.rules
+          sudo udevadm control --reload-rules
+          sudo udevadm trigger --name-match=kvm
+
+      - name: replace variables
+        run: |
+          package="${version}-1.1"
+          series="${version%.*}"
+
+          sed -r \
+            -e "s/\\\$KUBERNETES_SERIES/${series}/" \
+            -e "s/\\\$KUBERNETES_VERSION/${version}/" \
+            -e "s/\\\$KUBERNETES_DEB_VERSION/${package}/" \
+            -e "s/\\\$IMAGE_TAG/${tag}/" \
+            <"template.json" >"kubernetes.json"
+
+      - name: add user
+        run: |
+          mkdir -p ${{ github.workspace }}/output
+          sudo useradd -ms /bin/bash imagebuilder
+          sudo chmod -R 777 ${{ github.workspace }}/output
+
+      - name: build openstack image
+        run: |
+          docker run --device=/dev/kvm -i --rm \
+           -e PACKER_VAR_FILES=/tmp/host/kubernetes.json -e PACKER_LOG -e PACKER_GITHUB_API_TOKEN=${{ secrets.GITHUB_TOKEN }} \
+           -v ${{ github.workspace }}/images/capi:/tmp/host -v ${{ github.workspace }}/output:/home/imagebuilder/output:rw \
+           ${{ env.docker_image }} build-qemu-ubuntu-2404-efi
+
+      - name: store openstack image
+        uses: actions/upload-artifact@v4
+        with:
+          name: ubuntu-2404-efi-kube-${{ env.version }}-ck8s-capi-${{ env.tag }}
+          path: ${{ github.workspace }}/output/ubuntu-2404-efi-kube-${{ env.version }}-ck8s-capi-${{ env.tag }}

.github/workflows/store-openstack-capi-image-elastx.yml

@@ -0,0 +1,49 @@
+name: Store OpenStack CAPI image on elastx
+
+on:
+  workflow_call:
+    inputs:
+      version:
+        description: Kubernetes version
+        required: true
+        type: string
+      tag:
+        description: ck8s-capi tag
+        required: true
+        type: string
+
+env:
+  version: ${{ inputs.version }}
+  tag: ${{ inputs.tag }}
+  docker_image: ghcr.io/elastisys/openstack-client:v0.1.0
+  
+
+jobs:
+  on-success:
+    runs-on: ubuntu-24.04
+      
+    steps:
+      - name: retrieve image
+        uses: actions/download-artifact@v5
+        with:
+          name: ubuntu-2404-efi-kube-${{ env.version }}-ck8s-capi-${{ env.tag }}
+
+      - name: store image
+        env:
+          OS_APPLICATION_CREDENTIAL_ID: ${{ secrets.ELASTX_APPLICATION_CREDENTIAL_ID }}
+          OS_APPLICATION_CREDENTIAL_SECRET: ${{ secrets.ELASTX_APPLICATION_CREDENTIAL_SECRET }}
+          OS_AUTH_URL: "https://ops.elastx.cloud:5000/v3"
+          OS_AUTH_TYPE: "v3applicationcredential"
+          OS_IDENTITY_API_VERSION: "3"
+          OS_INTERFACE: "public"
+          OS_REGION_NAME: "se-sto"
+        run: |
+
+          image_create_extra_vars+=('--property' 'hw_firmware_type=uefi' '--property' 'hw_disk_bus=scsi' '--property' 'hw_scsi_model=virtio-scsi')
+          image_name=ubuntu-2404-efi-kube-${{ env.version }}-ck8s-capi-${{ env.tag }}
+          image_path=/tmp/home/ubuntu-2404-efi-kube-${{ env.version }}-ck8s-capi-${{ env.tag }}
+
+          docker run -i --rm \
+          -e OS_APPLICATION_CREDENTIAL_ID -e OS_APPLICATION_CREDENTIAL_SECRET -e OS_AUTH_URL -e OS_AUTH_TYPE -e OS_IDENTITY_API_VERSION -e OS_INTERFACE -e OS_REGION_NAME  \
+          -v ${{ github.workspace }}:/tmp/home ${{ env.docker_image }} \
+          openstack image create --disk-format qcow2 "${image_create_extra_vars[@]}" --file "${image_path}" --shared --progress "${image_name}"

.github/workflows/store-openstack-capi-image-safespring.yml

@@ -0,0 +1,50 @@
+name: Store OpenStack CAPI image on safespring
+
+on:
+  workflow_call:
+    inputs:
+      version:
+        description: Kubernetes version
+        required: true
+        type: string
+      tag:
+        description: ck8s-capi tag
+        required: true
+        type: string
+
+env:
+  version: ${{ inputs.version }}
+  tag: ${{ inputs.tag }}
+  
+
+jobs:
+  on-success:
+    runs-on: ubuntu-24.04
+
+    steps:
+      - name: retrieve image
+        uses: actions/download-artifact@v5
+        with:
+          name: ubuntu-2404-efi-kube-${{ env.version }}-ck8s-capi-${{ env.tag }}
+
+      - name: install deps
+        run: |
+          pip3 install python-openstackclient
+
+      - name: store image
+        env:
+          OS_APPLICATION_CREDENTIAL_ID: ${{ secrets.SAFESPRING_APPLICATION_CREDENTIAL_ID }}
+          OS_APPLICATION_CREDENTIAL_SECRET: ${{ secrets.SAFESPRING_APPLICATION_CREDENTIAL_SECRET }}
+          OS_AUTH_URL: "https://v2.dashboard.sto1.safedc.net:5000/v3/"
+          OS_AUTH_TYPE: "v3applicationcredential"
+          OS_IDENTITY_API_VERSION: "3"
+          OS_INTERFACE: "public"
+          OS_REGION_NAME: "sto1"
+        run: |
+
+          image_create_extra_vars+=('--property' 'hw_firmware_type=uefi' '--property' 'hw_disk_bus=scsi' '--property' 'hw_scsi_model=virtio-scsi')
+          image_name=ubuntu-2404-efi-kube-${{ env.version }}-ck8s-capi-${{ env.tag }}
+          image_path=./ubuntu-2404-efi-kube-${{ env.version }}-ck8s-capi-${{ env.tag }}
+
+          openstack image create --verbose --disk-format qcow2 "${image_create_extra_vars[@]}" --file "${image_path}" --shared --progress "${image_name}"
+

images/capi/.dockerignore

@@ -9,3 +9,4 @@
 !packer
 !Makefile
 !azure_targets.sh
+!template.json

images/capi/Dockerfile

@@ -55,6 +55,7 @@ COPY --chown=imagebuilder:imagebuilder hack hack/
 COPY --chown=imagebuilder:imagebuilder packer packer/
 COPY --chown=imagebuilder:imagebuilder Makefile Makefile
 COPY --chown=imagebuilder:imagebuilder azure_targets.sh azure_targets.sh
+COPY --chown=imagebuilder:imagebuilder template.json template.json
 
 ENV PATH="/home/imagebuilder/.local/bin:${PATH}"
 ENV PACKER_ARGS=''

images/capi/ansible/roles/sshca/files/ssh_ca.pub

@@ -0,0 +1,18 @@
+- name: add the ssh ca public key
+  ansible.builtin.copy:
+    dest: /etc/ssh/ssh_ca.pub
+    mode: "644"
+    src: ssh_ca.pub
+- name: set authorized principals
+  ansible.builtin.copy:
+    dest: /etc/ssh/authorized_principals
+    # Couldn't get this to use the `ssh_username` variable
+    content: |
+      ubuntu
+- name: add ssh ca settings
+  ansible.builtin.copy:
+    dest: /etc/ssh/sshd_config.d/ca.conf
+    content: |
+      TrustedUserCAKeys /etc/ssh/ssh_ca.pub
+      AuthorizedPrincipalsFile /etc/ssh/authorized_principals
+