feat: add gitlab-runner image for ubuntu

packer/gitlab-runner-fleeting/README.md

@@ -0,0 +1,32 @@
+# AWS AMI Builds
+
+This folder contains the Packer code necessary to build STIG'd gitlab-runner fleeting AMIs, with support for Ubuntu 20.04 base images.
+
+## Prerequisites
+
+You must have your local AWS context configured (`aws sts get-caller-identity` should show your user).
+
+You must choose a base image to build off of (`ubuntu.pkrvars.hcl` has examples that may be available in your environment).
+
+## Setting up Variables
+
+To build an AMI you typically only need a few variables. All available variable is described in the `variables.pkr.hcl` file and the most common are included for reference here as well:
+- `ami_name`: Name to use for the final AMI build
+- `base_ami_name`: Name of the base AMI to build off of
+- `ssh_username`: Default user in the base AMI to use for building
+
+## Building the Image
+
+Assuming you have modified the variables as needed in the `ubuntu.pkrvars.hcl` or `rhel.pkrvars.hcl` file, you should be able to use the below [`uds` tasks](https://github.com/defenseunicorns/uds-cli/blob/main/docs/runner.md) for building the AMI and publishing to your active AWS environment:
+
+```console
+# Build the image using the ubuntu variables file
+uds run publish-ami-ubuntu
+
+# Build the image using the RHEL variables file
+uds run publish-ami-rhel
+```
+
+## Using the Image
+
+Once your image is built and "published" you can spin up an EC2 instance using it. One option for usage is to leverage the included RKE2 startup script to simplify cluster creation during cloud-init. Additional details on how to use the script can be seen in this [document](./docs/rke2-startup.md).

packer/gitlab-runner-fleeting/aws.pkr.hcl

@@ -0,0 +1,82 @@
+packer {
+  required_version = ">= 1.9.2"
+
+  required_plugins {
+    amazon = {
+      version = ">= 1.2.6"
+      source  = "github.com/hashicorp/amazon"
+    }
+  }
+}
+
+locals {
+  ami_name = var.timestamp ? lower("${var.ami_name}-${formatdate("YYYYMMDDhhmm", timestamp())}") : lower("${var.ami_name}")
+}
+
+data "amazon-ami" "base-ami" {
+  filters = {
+    name = var.base_ami_name
+  }
+  owners      = var.base_ami_owners
+  most_recent = true
+  region      = var.region
+}
+
+source "amazon-ebs" "base" {
+  ami_name        = local.ami_name
+  ami_regions     = var.ami_regions
+  ami_description = "For UDS deployments on RKE2"
+  instance_type   = "t2.small"
+  region          = var.region
+  ssh_username    = var.ssh_username
+  source_ami      = data.amazon-ami.base-ami.id
+  ami_groups      = var.ami_groups
+  skip_create_ami = var.skip_create_ami
+}
+
+build {
+  name    = local.ami_name
+  sources = ["source.amazon-ebs.base"]
+
+  // Ubuntu Pro subscription attachment happens during cloud-init when using a Pro AMI
+  provisioner "shell" {
+    execute_command = "chmod +x {{ .Path }}; sudo {{ .Vars }} {{ .Path }}"
+    inline          = ["cloud-init status --wait"]
+    timeout         = "20m"
+  }
+
+  provisioner "shell" {
+    execute_command = "chmod +x {{ .Path }}; sudo {{ .Vars }} {{ .Path }}"
+    script          = "../scripts/install-deps.sh"
+    timeout         = "30m"
+  }
+
+  provisioner "shell" {
+    execute_command = "chmod +x {{ .Path }}; sudo {{ .Vars }} {{ .Path }}"
+    script          = "../scripts/install-gitlab-runner.sh"
+    timeout         = "30m"
+  }
+
+  provisioner "shell" {
+    environment_vars = [
+      "UBUNTU_PRO_TOKEN=${var.ubuntu_pro_token}"
+    ]
+    // STIG-ing must be run as root
+    execute_command   = "chmod +x {{ .Path }}; sudo {{ .Vars }} {{ .Path }}"
+    script            = "../scripts/os-stig.sh"
+    expect_disconnect = true // Expect a restart due to FIPS reboot
+    timeout           = "20m"
+    pause_after       = "30s" // Give a grace period for the OS to restart
+  }
+
+  provisioner "shell" {
+    execute_command = "chmod +x {{ .Path }}; sudo {{ .Vars }} {{ .Path }}"
+    script          = "../scripts/cleanup-deps.sh"
+    timeout         = "15m"
+  }
+
+  post-processor "manifest" {
+    output = "manifest.json"
+  }
+
+}

packer/gitlab-runner-fleeting/ubuntu.pkrvars.hcl

@@ -0,0 +1,5 @@
+// Input variable values for an Ubuntu based RKE2 AMI
+ami_name      = "uds-ubuntu-gitlab-runner"
+base_ami_name = "ubuntu-pro-server/images/hvm-ssd/ubuntu-focal-20.04-amd64-pro-server-202*"
+ssh_username  = "ubuntu"
+base_ami_owners = ["amazon", "513442679011"] # 513442679011 is Ubuntu if GovCloud

packer/gitlab-runner-fleeting/variables.pkr.hcl

@@ -0,0 +1,57 @@
+variable "ami_name" {
+  type        = string
+  description = "Name to use for the published AMI"
+}
+
+variable "ami_regions" {
+  type = list(string)
+  description = "List of regions to publish the AMI to"
+  default = []
+}
+
+variable "ami_groups" {
+  type = list(string)
+  description = "List of groups to allow access to the AMI, set to `all` for public access"
+  default = []
+}
+
+variable "timestamp" {
+  type        = bool
+  description = "Append a timestamp to the end of the published AMI name"
+  default     = true
+}
+
+variable "base_ami_name" {
+  type        = string
+  description = "AMI to build on top of, builds validated against Ubuntu 20.04 and RHEL8"
+}
+
+variable "ubuntu_pro_token" {
+  type        = string
+  description = "Token for a valid Ubuntu Pro subscription to use for FIPS packages"
+  default     = ""
+  sensitive   = true
+}
+
+variable "skip_create_ami" {
+  type        = bool
+  description = "Build, but skip creation of an AMI"
+  default     = false
+}
+
+variable "ssh_username" {
+  type        = string
+  description = "Username used to connect to instance over SSH"
+}
+
+variable "base_ami_owners" {
+  type        = list(string)
+  description = "List of owners to filter looking up the base ami"
+  default     = ["amazon"]
+}
+
+variable "region" {
+  type        = string
+  description = "Region that AMI should be built in"
+  default     = "us-gov-west-1"
+}

packer/scripts/install-gitlab-runner.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+set -e
+
+echo 'debconf debconf/frontend select Noninteractive' | debconf-set-selections
+
+curl -L "https://packages.gitlab.com/install/repositories/runner/gitlab-runner/script.deb.sh" | sudo bash
+
+apt-get update -y && apt-get upgrade -y
+
+apt-get install git gitlab-runner -y
+

tasks.yaml

@@ -10,20 +10,29 @@ tasks:
   - name: validate-ami-rhel
     actions:
       - task: aws:validate-ami-rhel
+  - name: validate-ami-ubuntu-gitlab
+    actions:
+      - task: aws:validate-ami-ubuntu-gitlab
 
   - name: build-ami-ubuntu
     actions:
       - task: aws:build-ami-ubuntu
   - name: build-ami-rhel
     actions:
       - task: aws:build-ami-rhel
+  - name: build-ami-ubuntu-gitlab
+    actions:
+      - task: aws:build-ami-ubuntu-gitlab
 
   - name: publish-ami-ubuntu
     actions:
       - task: aws:publish-ami-ubuntu
   - name: publish-ami-rhel
     actions:
       - task: aws:publish-ami-rhel
+  - name: publish-ami-ubuntu-gitlab
+    actions:
+      - task: aws:publish-ami-ubuntu-gitlab
 
   - name: test-cluster
     actions:

tasks/aws.yaml

@@ -2,6 +2,9 @@ variables:
   - name: AWS_DIR
     default: "packer/aws"
     description: "Directory containing AWS packer config"
+  - name: GITLAB_DIR
+    default: "packer/gitlab-runner-fleeting"
+    description: "Directory containing gitlab-runner fleeting packer config"
   - name: UBUNTU_PRO_TOKEN
     default: ""
     description: "Optional: provide Ubuntu pro token if using Ubuntu + FIPS"
@@ -27,6 +30,14 @@ tasks:
           packer init .
           packer build -var "ubuntu_pro_token=${UBUNTU_PRO_TOKEN}" --var-file=ubuntu.pkrvars.hcl -var "region=${AWS_REGION}" -var "ami_regions=${PUBLISH_REGIONS}" -var "ami_groups=${PUBLISH_GROUPS}" -var "rke2_version=${RKE2_VERSION}" .
 
+  - name: publish-ami-ubuntu-gitlab
+    description: "Build and Publish the Ubuntu AMI for AWS for gitlab-runner fleeting"
+    actions:
+      - cmd: |
+          cd ${GITLAB_DIR}
+          packer init .
+          packer build -var "ubuntu_pro_token=${UBUNTU_PRO_TOKEN}" --var-file=ubuntu.pkrvars.hcl -var "region=${AWS_REGION}" -var "ami_regions=${PUBLISH_REGIONS}" -var "ami_groups=${PUBLISH_GROUPS}" .
+
   - name: publish-ami-rhel
     description: "Build and Publish the RHEL AMI for AWS"
     actions:
@@ -43,6 +54,14 @@ tasks:
           packer init .
           packer build -var "skip_create_ami=true" -var "ubuntu_pro_token=${UBUNTU_PRO_TOKEN}" --var-file=ubuntu.pkrvars.hcl -var "region=${AWS_REGION}" -var "rke2_version=${RKE2_VERSION}" .
 
+  - name: build-ami-ubuntu-gitlab
+    description: "Build  the Ubuntu AMI for AWS for gitlab-runner fleeting"
+    actions:
+      - cmd: |
+          cd ${GITLAB_DIR}
+          packer init .
+          packer build -var "skip_create_ami=true" -var "ubuntu_pro_token=${UBUNTU_PRO_TOKEN}" --var-file=ubuntu.pkrvars.hcl -var "region=${AWS_REGION}" -var "ami_regions=${PUBLISH_REGIONS}" -var "ami_groups=${PUBLISH_GROUPS}" .
+
   - name: build-ami-rhel
     description: "Build the RHEL AMI for AWS"
     actions:
@@ -56,6 +75,11 @@ tasks:
     actions:
       - cmd: cd ${AWS_DIR} && packer fmt .
 
+  - name: fmt-ami-gitlab
+    description: "Run packer fmt for the AWS AMIs"
+    actions:
+      - cmd: cd ${GITLAB_DIR} && packer fmt .
+
   - name: validate-ami-ubuntu
     description: "Run packer validation for the AWS Ubuntu AMI"
     actions:
@@ -64,6 +88,14 @@ tasks:
           packer init .
           packer validate --var-file=ubuntu.pkrvars.hcl -var "region=${AWS_REGION}" -var "rke2_version=${RKE2_VERSION}" .
 
+  - name: validate-ami-ubuntu-gitlab
+    description: "Run packer validation for the AWS Ubuntu AMI"
+    actions:
+      - cmd: |
+          cd ${GITLAB_DIR}
+          packer init .
+          packer validate --var-file=ubuntu.pkrvars.hcl -var "region=${AWS_REGION}" .
+
   - name: validate-ami-rhel
     description: "Run packer validation for the AWS RHEL AMI"
     actions: