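# The infra section defines the infrastructure to use.
# NOTE(review): the nesting below (openstack/kubevirt under infra, k8s under kubevirt) was restored from a
# flattened listing - confirm it against the schema Baski actually reads before relying on it.
infra:
  # type dictates which settings to use in the infra section below - must match the yaml key,
  # e.g. openstack, kubevirt etc.
  type: kubevirt
  # OpenStack support is a tricky one due to the varying nature of configurations that can exist across different setups.
  # The approach taken with this is a basic kolla-ansible install with no bells and whistles. Any additional configuration must be seriously considered before adding additional code/options to support it.
  openstack:
    # The location of the clouds.yaml file to use for interaction with OpenStack.
    # This file holds the cloud credentials - keep it readable only by the user running Baski and out of version control.
    clouds-file: "~/.config/openstack/clouds.yaml"
    # The cloud entry in the clouds.yaml file for the OpenStack.
    cloud-name: "image-builder"
    # This is the network-id which the instance will be attached to for building.
    network-id: "network-id"
    # The image that will be the source for the image being built.
    source-image-id: "source-image"
    # The flavor that should be launched to build the image. If you're building the NVIDIA driver into the image then the instance should have a GPU.
    flavor-name: "spicy-meatball"
    # Whether to attach a config drive. This generally isn't required except for in custom circumstances where the OpenStack setup requires it.
    attach-config-drive: false
    # Whether to use a floating IP on the instance.
    # With this enabled the build instance is reachable from the floating-IP network for the duration of the build,
    # so pair it with a restrictive security-group (below) rather than the project default.
    use-floating-ip: true
    # The name of the network from which to get a floating IP from.
    floating-ip-network-name: "public1"
    # Specify a specific security group to use instead of "default".
    # Leaving this empty falls back to the project's "default" group; prefer a purpose-built group that only
    # admits SSH from the host running Baski.
    security-group: ""
    # Sets the image visibility once it has been created. The cloud account being used must have permission to do this.
    # NOTE(review): "public" exposes the image to every project as soon as it is created - before the scan and sign
    # stages have run. Unless that is intended, build as a non-public image and promote it only after it has passed
    # scanning and been signed.
    image-visibility: "public"
    # The disk format
    image-disk-format: "raw"
    # Sets the block_storage_volume OpenStack Packer config parameter.
    use-blockstorage-volume: false
    # Specify an existing SSH keypair to use.
    # Prefer a keypair dedicated to image builds over a personal one.
    ssh-keypair-name: "drew-rsa"
    # The private Key file to use with the ssh-keypair-name - one will be autogenerated if not set.
    # Leaving this unset (so Baski generates a throwaway key) is preferable to pointing it at a personal
    # ~/.ssh/id_rsa as this example does.
    ssh-privatekey-file: "/home/<USER>/.ssh/id_rsa"
    # The volume type.
    volume-type: ""
    # The size of the storage volume.
    volume-size: 0
    # The metadata-prefix will be used to prefix any metadata. This can be left blank if not required but if your metadata requires a prefix like `baski:k8s-version`, then it can be added here.
    # Whatever is entered here will be joined to the metadata key with a colon - <metadata-prefix>:<metadata>.
    metadata-prefix: "baski"
  # KubeVirt support is a wrapper around QEMU builds however at the end of the build it will generate a PVC in the target Kubernetes cluster.
  kubevirt:
    # qemu_binary enables the overriding of the qemu-system-x86_64 binary name.
    # If this name is resolved via PATH, the build host's PATH decides which binary runs - use an absolute path on shared hosts.
    qemu_binary: "qemu-system-x86_64"
    # disk_size describes the size of the VM disk.
    disk_size: "10G"
    # The directory in which the resulting QCOW2 image will be stored.
    # This will have the image-name stored within it resulting in:
    # /tmp/image-output/{{build.image-prefix}}-{{date}}-{{unique-code}}/{{build.build-os}}-kube-v{{build.kubernetes-version}}.
    # /tmp is shared between users on most hosts; on a shared builder use a directory only the build user can write so the
    # image cannot be swapped between build and upload.
    output-directory: "/tmp/image-output"
    # This enables the image to be uploaded to an S3 endpoint as defined in the S3 object and is recommended if using the datavolume-from-S3 approach in KubeVirt.
    store-in-s3: false
    # The bucket in which to store the resulting image - required if store-in-s3 is true.
    image-bucket: "images"
    # image-namespace is the namespace in which the DV will be created.
    image-namespace: "baski-vm-images"
    # k8s contains kubernetes cluster options
    k8s:
      # kubeconfig_path is the path to the kubeconfig that will be used to generate the PVC for Kubevirt.
      # A kubeconfig is a cluster credential - keep it somewhere only the build user can read rather than in /tmp,
      # and scope it to what creating a DV/PVC in image-namespace needs.
      kubeconfig_path: "/tmp/kubeconfig"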
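# Baski presumes there is an S3 endpoint available for the pulling of any items such as the .trivyignore and nvidia files (where required) as well as uploading any other items such as scan results and QEMU images (where required).
# This is because the image builder defaults to this for the NVIDIA support, and it is presumed that most if not all people can have/can set up an S3 endpoint for authenticated storage.
# NOTE(review): the access-key/secret-key values below are placeholders. Never commit real credentials in this file;
# keep the real config readable only by the build user, and scope the key to the buckets named elsewhere in this
# config (image-bucket, nvidia-bucket, scan-bucket) rather than granting account-wide access.
s3:
  # The S3 endpoint URL. Use an https endpoint - the credentials below and everything pulled from the buckets
  # (NVIDIA installer, .trivyignore) otherwise travel in the clear.
  endpoint: "S3_ENDPOINT_URL"
  # Access key for the endpoint (placeholder).
  access-key: "ACCESS_KEY"
  # Secret key for the endpoint (placeholder).
  secret-key: "SECRET_KEY"
  # Region passed to the S3 client.
  region: "us-east-1"
  # If the S3 endpoint is Ceph, set this to true so the aws ansible role is configured accordingly.
  is-ceph: true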
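# Build stage options.
build:
  # If enabled this will output all the output generated by the make command in the background.
  verbose: true
  # The OS to build for. This should match the source image.
  build-os: "ubuntu-2204"
  # The prefix to prepend to the name of the image that is built. The name will result in <prefix>-yymmdd-unique_id.
  image-prefix: "kmi"
  # The repo to use for image building. This will default to the main image builder repo but can be updated if additional functionality is required in a fork.
  image-repo: "https://github.com/kubernetes-sigs/image-builder.git"
  # The branch to use in the image repo.
  # NOTE(review): "main" is a moving target - the provisioning code baked into your image can differ between two builds
  # of the same config. Pin to a release tag or commit for reproducible, auditable builds (confirm Baski accepts a
  # non-branch ref here before relying on it).
  image-repo-branch: "main"
  # The path to an existing checkout of image-builder
  image-repo-dir: ""
  # The crictl version.
  crictl-version: "1.26.0"
  # The CNI version.
  cni-version: "1.5.1"
  # The specific version of the CNI Debian package ('kubernetes-cni') to install.
  cni-deb-version: "1.5.1-1.1"
  # The Kubernetes version.
  kubernetes-version: "1.31.0"
  # The specific version of the Kubernetes Debian packages ('kubeadm', 'kubelet') to install.
  kubernetes-deb-version: "1.31.0-1.1"
  # Any additional debs to install. Currently, Baski only supports ubuntu and flatcar and this will only work with Ubuntu.
  extra-debs: "nfs-common"
  # Whether to add Trivy into the image.
  add-trivy: true
  # Whether to add Falco into the image.
  add-falco: true
  # GPU support is available in the image-builder project.
  # NVIDIA support has a prerequisite that means the operator should provide the NVIDIA license (.tok) and installer (.run) files via an S3 endpoint
  # due to license restrictions by NVIDIA. The vGPU drivers are not publicly available which is why this requirement is in place.
  # The image builder will not provide these files and if they are not supplied, the build will fail.
  gpu:
    # Enable GPU driver installs into the image.
    enable-gpu-support: true
    # The GPU architecture being used ("nvidia" or "amd" are currently supported).
    gpu-vendor: "amd"
    # The GPU Model this image supports
    gpu-model-support: "MI250X"
    # What type of instance this GPU support. "vm" (virtual machine), "bm", (bare metal) or "any".
    gpu-instance-support: "any"
    # The AMD driver version to be installed.
    amd-driver-version: "6.1.2"
    # The specific version of the AMD driver Debian package to install.
    amd-deb-version: "6.1.60102-1"
    # The AMDGPU Installer usecase
    amd-usecase-version: "dkms"
    # The NVIDIA driver version to be installed - Currently used for tagging metadata.
    nvidia-driver-version: "535.129.03"
    # The S3 bucket to get the NVIDIA installer and license files from.
    # Whatever is in this bucket is what gets installed into the image, and no checksum is configured here -
    # restrict write access to the bucket and verify the .run against NVIDIA's published checksum before uploading it.
    nvidia-bucket: "nvidia"
    # The NVIDIA installer file name in the bucket.
    nvidia-installer-location: "NVIDIA-Linux-x86_64-535.129.03-grid.run"
    # The NVIDIA license file name in the bucket.
    # The .tok is a licensing credential - restrict read access to the bucket accordingly.
    nvidia-tok-location: "client_configuration_token.tok"
    # The feature type to configure the NVIDIA GRIDD service with - see NVIDIA docs for more information on this.
    nvidia-gridd-feature-type: "4"
  # The additional-images section should be a list of container images to bake into the image.
  # Prefer digest-pinned references (name@sha256:...) over mutable tags so the images baked in are the ones you reviewed.
  additional-images: []
  # Any additional metadata/tags to add to the image as a map[string]string.
  # The following are available via the `generateBuilderMetadata` func in the provisioner and any additional data added here will be appended in that func.
  # "os": o.BuildOS,
  # "k8s": o.KubeVersion,
  # "gpu": gpu,
  # "date": time.Now().Format(time.RFC3339),
  additional-metadata: {}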
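# Scan stage options.
scan:
  # Used to scan a single image - takes an image ID and scans it.
  single:
    # The ID of the image to be scanned.
    image-id: ""
  # Used in the `existing` command - takes a wildcard and scans all images that match it.
  multiple:
    # The image-search is used to filter images. If this string is within the name of the image, it'll be selected for scanning.
    image-search: "kmi-"
    # How many concurrent scans to perform.
    concurrency: 2
  # Override the cloud.[provider].flavor for the scan. This can help avoid using a large or gpu enabled node just for scanning.
  # This is only really needed if you're using a single config for all steps of Baski.
  # If Baski is run in a pipeline, the scan step may generate its own config on demand and therefore the cloud.[provider].flavor would be sufficient.
  flavor-name: "some-flavor"
  # Whether to auto-delete the image should a scan fail.
  # Should the scan fail on a new image and the image shouldn't be available publicly as a result, it can be automatically deleted from the infrastructure to ensure a vulnerable image is not deployed.
  # With this false and infra.openstack.image-visibility set to "public", a failed image stays reachable by other projects
  # until someone removes it by hand - enable this (or build non-public) for production.
  auto-delete-image: false
  # This option allows the scan to skip checking the CVE check which would result in a failure should the thresholds below be hit.
  # It can be useful for building an image that needs to stick around, even if a scan would fail. Maybe for troubleshooting or review.
  # Don't use this in production otherwise you could end up with vulnerable images.
  skip-cve-check: false
  # Minimum severity to check for during the scan.
  # NOTE(review): the key is named max-severity-type but the description is a lower bound - confirm which Baski implements before tuning it.
  max-severity-type: MEDIUM
  # The bucket name in which the trivyignore file can be located.
  # Anyone who can write to this bucket can suppress findings for every image scanned with it - restrict write access.
  scan-bucket: "baski"
  # The file path in the bucket to the trivyignore file.
  trivyignore-path: ""
  # The name of the trivyignore file in the bucket.
  trivyignore-filename: ".trivyignore"
  # A list of CVEs to add to the ignore list. If a file is also provided, this list will be appended to the list within the file.
  # If no file exists, then the file will be created with the list contents.
  # Every entry here is an accepted risk - record the justification and an expiry alongside it, since the list is merged
  # into the shared file and will otherwise silence the CVE indefinitely.
  trivyignore-list: []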
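# Sign stage options
sign:
  # The generate step will create a public/private key pair that can be used for image signing.
  generate:
    # Output path of the generated keys.
    # The private key is written to local disk here - keep it out of the repository, move it into Vault (below)
    # and remove the local copy once it has been stored.
    path: "."
  # Vault can be used to store the certificates. Vault is currently the only supported storage as it's FOSS making it available to anyone.
  # Other options could be supported but will not be added by Drewbernetes.
  vault:
    # The Vault endpoint. Keep this https - the token below is sent with every request.
    url: "https://vault.ENDPOINT/"
    # The Vault token.
    # Placeholder only - never commit a real token. Prefer a short-lived token whose policy only allows reading the secret below.
    token: "VAULT_TOKEN"
    # The mount path within vault.
    mount-path: "baski"
    # The name of the secret in the mount path - there should be a `password`, `private-key` and `public-key` for cosign stored in here.
    secret-name: "signing-keys"
  # The ID of the image to sign.
  image-id: "" # Used for existing images
  # The private key to use in the signing process - this takes precedence over vault.
  # NOTE(review): it is not stated here whether this is a file path or the key material itself; if it is the latter,
  # setting it in a committed config leaks the signing key. Leave it empty and use Vault where possible.
  private-key: ""
  # The public key to use in the validation process - this takes precedence over vault.
  public-key: ""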