https://github.com/nimbolus/packer-images
OpenStack Glance images build with Packer
openstack openstack-glance packer
Last synced: 4 months ago
- Host: GitHub
- URL: https://github.com/nimbolus/packer-images
- Owner: nimbolus
- License: bsd-3-clause
- Created: 2023-07-07T22:22:44.000Z (almost 3 years ago)
- Default Branch: main
- Last Pushed: 2024-08-12T11:09:43.000Z (almost 2 years ago)
- Last Synced: 2025-05-22T02:11:22.562Z (about 1 year ago)
- Topics: openstack, openstack-glance, packer
- Language: HCL
- Homepage:
- Size: 32.2 KB
- Stars: 0
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# Packer Images
```sh
export PKR_VAR_flavor_id=""
export PKR_VAR_networks='[""]'
packer init images/ansible
packer build -only "ansible.openstack.ubuntu-22_04" images/ansible
```
## GitLab CI
Check out `example.gitlab-ci.yml` for an example pipeline definition.
## Images
### Ansible
Images with Ansible preinstalled and optional certificate-based user authentication for SSH (e.g. with certificates issued by the [HashiCorp Vault SSH secrets engine](https://developer.hashicorp.com/vault/docs/secrets/ssh/signed-ssh-certificates)).
To enable certificate-based user authentication, set the following metadata properties when creating the OpenStack instance:
| Property | Description | Example |
| --------------------------- | ---------------------------------------------------------------------------- | ------------------------------------------------------------------------------------ |
| `ssh_trusted_user_ca_url` | URL from which the user CA's public key is downloaded | `https://vault.example.com/v1/ssh/public_key` |
| `ssh_authorized_principals` | Mapping of local users to the certificate principals allowed to log in as them | `{"debian":["admin"]}`, where `debian` is the local user and `admin` the principal |
These properties can also be set via [OpenStack vendordata](https://docs.openstack.org/nova/latest/user/metadata.html#metadata-vendordata).
Note that an `ssh_trusted_user_ca_url` set in the instance metadata overrides the one from vendordata, while the `ssh_authorized_principals` mappings from both sources are merged.
For example to create an OpenStack instance with these properties run:
```sh
openstack server create debian-test \
--image debian-12-ansible --flavor m1.small --network \
--property "ssh_trusted_user_ca_url=https://vault.example.com/v1/ssh/public_key" \
--property 'ssh_authorized_principals={"debian":["admin"]}'
```
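How an image could consume these two properties on first boot, as an added example in Python (not the repository's own Packer or Ansible code): it applies the precedence described above (instance metadata overrides vendordata for the CA URL, principals are merged per local user) and writes the OpenSSH `TrustedUserCAKeys` / `AuthorizedPrincipalsFile` configuration. The metadata layout (properties as string values under the `meta` key of Nova's `meta_data.json`, vendordata as a flat JSON object with the same names), the file paths under `/etc/ssh`, and the sample CA key are assumptions or constructed inputs, not taken from the project.

```python
"""Render the sshd trust configuration described by the two metadata properties.

Added example, not code from nimbolus/packer-images. Assumptions: properties
appear as string values under the "meta" key of Nova's meta_data.json,
vendordata is a flat JSON object using the same property names, and the file
layout under /etc/ssh is this example's choice.
"""
import json
import os
import re
import tempfile
import urllib.request
from pathlib import Path
from typing import Callable, Dict, List, Optional, Tuple

# Constructed stand-ins for the metadata service responses.
VENDOR_DATA = {
    "ssh_trusted_user_ca_url": "https://vault.vendor.example/v1/ssh/public_key",
    "ssh_authorized_principals": {"debian": ["ops-oncall"]},
}
META_DATA = {
    "meta": {  # Nova serialises every instance property value as a string
        "ssh_trusted_user_ca_url": "https://vault.example.com/v1/ssh/public_key",
        "ssh_authorized_principals": '{"debian":["admin"],"deploy":["ci"]}',
    }
}
# Constructed placeholder in the one-line format Vault's /public_key endpoint
# returns; the key material below is not a real key.
FAKE_CA_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderPlaceholderPlaceholderPlaceho vault-ca\n"

PUBKEY_RE = re.compile(r"^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp\d+|sk-\S+) [A-Za-z0-9+/=]+")
USER_RE = re.compile(r"^[a-z_][a-z0-9_-]*$")


def _as_mapping(value) -> Dict[str, List[str]]:
    """Instance properties arrive as JSON strings; vendordata may already be parsed."""
    if value is None:
        return {}
    return json.loads(value) if isinstance(value, str) else value


def resolve_trust(meta: Dict, vendor: Dict) -> Tuple[str, Dict[str, List[str]]]:
    """Instance metadata wins for the CA URL; principals from both sources are merged."""
    props = meta.get("meta", {})
    ca_url = props.get("ssh_trusted_user_ca_url") or vendor.get("ssh_trusted_user_ca_url")
    if not ca_url:
        raise ValueError("no ssh_trusted_user_ca_url in metadata or vendordata")
    if not ca_url.startswith("https://"):
        # whoever controls this key controls SSH access; never fetch it in plaintext
        raise ValueError(f"refusing non-HTTPS CA URL: {ca_url}")
    merged: Dict[str, List[str]] = {}
    for source in (vendor.get("ssh_authorized_principals"), props.get("ssh_authorized_principals")):
        for user, principals in _as_mapping(source).items():
            if not USER_RE.match(user):
                raise ValueError(f"invalid local user name: {user!r}")
            bucket = merged.setdefault(user, [])
            for principal in principals:
                if principal not in bucket:
                    bucket.append(principal)
    return ca_url, merged


def render(ca_url: str, principals: Dict[str, List[str]],
           fetch: Callable[[str], str], root: Path) -> Dict[str, str]:
    """Write the CA key, per-user principals files and an sshd drop-in under root.
    Returns the written files keyed by path relative to root."""
    ca_key = fetch(ca_url).strip()
    if "\n" in ca_key or not PUBKEY_RE.match(ca_key):
        raise ValueError("CA endpoint did not return a single OpenSSH public key")
    files = {
        "etc/ssh/trusted-user-ca-keys.pem": ca_key + "\n",
        "etc/ssh/sshd_config.d/50-trusted-ca.conf":
            "TrustedUserCAKeys /etc/ssh/trusted-user-ca-keys.pem\n"
            "AuthorizedPrincipalsFile /etc/ssh/auth_principals/%u\n",
    }
    for user, plist in principals.items():
        files[f"etc/ssh/auth_principals/{user}"] = "".join(p + "\n" for p in plist)
    for rel, content in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)
        os.chmod(path, 0o644)  # sshd reads these as root; nothing here is secret
    return files


def fetch_https(url: str) -> str:
    """Real fetcher for production use; urlopen verifies the TLS certificate."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode()


def demo(root: Optional[Path] = None) -> Dict[str, str]:
    """Run the whole flow on the constructed inputs with the placeholder CA key."""
    ca_url, merged = resolve_trust(META_DATA, VENDOR_DATA)
    return render(ca_url, merged, lambda _url: FAKE_CA_KEY, root or Path(tempfile.mkdtemp()))


if __name__ == "__main__":
    for rel, content in demo().items():
        print(f"--- {rel}\n{content}", end="")
```

The key fetched from `ssh_trusted_user_ca_url` decides who may authenticate as every mapped local user, so the example refuses non-HTTPS URLs and rejects any response that is not a single OpenSSH public key line; in practice, whoever can set that property on an instance controls SSH access to it, which is why it is worth pinning the URL in vendordata where the documented precedence still lets a per-instance value override it.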
### Podman
All features of the Ansible image plus the Podman container runtime preinstalled. The image also ships an Ansible playbook that installs Podman Compose stacks: it fetches each stack's environment secrets from the [HashiCorp Vault Key/Value v2 engine](https://developer.hashicorp.com/vault/docs/secrets/kv/kv-v2), authenticating with the [OpenStack auth plugin](https://github.com/nimbolus/vault-plugin-auth-openstack), and creates a systemd service file for each stack. The playbook is configured by the instance metadata property `podman_compose_stacks`, which lists the stack names keyed by the desired start order.
It assumes that the Podman Compose files are located at `/opt//compose.yml` and creates an `.env` file in the same folder with the key/value pairs found in the Vault secret at `//`. The playbook has to be triggered by running `ansible-playbook /etc/ansible/podman-compose-up.yml` (e.g. from a [cloud-init runcmd](https://cloudinit.readthedocs.io/en/latest/reference/modules.html#runcmd)).
| Property | Description | Example |
| ----------------------- | --------------------------------------------- | ------------------------------------ |
| `vault_addr` | URL of the Vault server | `https://vault.example.com` |
| `vault_auth_path` | Mount path of the OpenStack auth plugin | `openstack` (default: `openstack`) |
| `vault_auth_role` | Role name for the OpenStack auth plugin | `example-container-host` |
| `vault_kv_engine_path` | Mount path of the Vault K/V secrets v2 engine | `kv` (default: `projects`) |
| `vault_kv_prefix` | Path prefix for secrets | `project-a/instances/container-host` |
| `podman_compose_stacks` | Compose stack names, keyed by start order | `{1="traefik",2="myapp"}` |
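What the playbook's job amounts to, as an added example in Python (not the repository's Ansible code): parse `podman_compose_stacks`, build the KV v2 read path for each stack from `vault_kv_engine_path` and `vault_kv_prefix`, write the `.env` file with restrictive permissions, and emit one systemd unit per stack chained with `After=` so they start in the documented order. Assumptions: the Vault token has already been obtained (the OpenStack auth plugin login is not shown; the secret reader is injected), KV v2 reads go to `<engine>/data/<prefix>/<stack>` and return the pairs under `data.data`, each stack lives in `/opt/<stack>/`, and the unit layout is this example's choice. The property values and Vault responses are constructed.

```python
"""Turn the vault_* and podman_compose_stacks properties into per-stack .env
files and systemd units.

Added example, not the repository's playbook. Assumptions: a Vault token has
already been obtained (the OpenStack auth plugin login is not shown, the
secret reader is injected), secrets are read at the KV v2 path
<engine>/data/<prefix>/<stack>, each stack lives in /opt/<stack>/, and the
unit layout is this example's choice.
"""
import re
import tempfile
from pathlib import Path
from typing import Callable, Dict, List, Optional

# Constructed instance properties mirroring the table above (Nova delivers strings).
META = {
    "vault_addr": "https://vault.example.com",
    "vault_auth_path": "openstack",
    "vault_auth_role": "example-container-host",
    "vault_kv_engine_path": "kv",
    "vault_kv_prefix": "project-a/instances/container-host",
    "podman_compose_stacks": '{1="traefik",2="myapp"}',
}
# Constructed KV v2 read responses keyed by request path; a v2 read nests the
# key/value pairs under data.data.
FAKE_VAULT = {
    "kv/data/project-a/instances/container-host/traefik":
        {"data": {"data": {"ACME_EMAIL": "ops@example.com"}}},
    "kv/data/project-a/instances/container-host/myapp":
        {"data": {"data": {"DB_PASSWORD": 's3cr3t "pass"', "DEBUG": "0"}}},
}

# Stack names become directory and unit names, so only a safe character set is accepted.
STACK_RE = re.compile(r'(\d+)\s*=\s*"([A-Za-z0-9][A-Za-z0-9_.-]*)"')
ENV_KEY_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def parse_stacks(value: str) -> List[str]:
    """'{1="traefik",2="myapp"}' -> ['traefik', 'myapp'], ordered by the numeric key."""
    pairs = STACK_RE.findall(value)
    if not pairs or len(pairs) != value.count("="):
        raise ValueError(f"unparseable podman_compose_stacks: {value!r}")
    if len({k for k, _ in pairs}) != len(pairs):
        raise ValueError("duplicate start-order key in podman_compose_stacks")
    return [name for _, name in sorted(pairs, key=lambda p: int(p[0]))]


def kv_path(meta: Dict[str, str], stack: str) -> str:
    """KV v2 read path for one stack, honouring the documented default engine mount."""
    engine = meta.get("vault_kv_engine_path", "projects").strip("/")
    prefix = meta["vault_kv_prefix"].strip("/")
    return f"{engine}/data/{prefix}/{stack}"


def render_env(secret: Dict[str, str]) -> str:
    """KEY="value" lines; keys must be valid variable names, values are quoted."""
    lines = []
    for key in sorted(secret):
        if not ENV_KEY_RE.match(key):
            raise ValueError(f"secret key {key!r} is not a valid environment variable name")
        value = str(secret[key]).replace("\\", "\\\\").replace('"', '\\"')
        lines.append(f'{key}="{value}"\n')
    return "".join(lines)


def render_unit(stack: str, previous: Optional[str]) -> str:
    """One oneshot unit per stack; After= on the previous stack enforces the start sequence."""
    after = "network-online.target" + (f" podman-compose-{previous}.service" if previous else "")
    return (
        "[Unit]\n"
        f"Description=Podman Compose stack {stack}\n"
        f"After={after}\nWants=network-online.target\n\n"
        "[Service]\nType=oneshot\nRemainAfterExit=yes\n"
        f"WorkingDirectory=/opt/{stack}\n"
        "ExecStart=/usr/bin/podman-compose up -d\n"
        "ExecStop=/usr/bin/podman-compose down\n\n"
        "[Install]\nWantedBy=multi-user.target\n"
    )


def deploy(meta: Dict[str, str], read_secret: Callable[[str], Dict],
           root: Optional[Path] = None) -> Dict[str, Dict[str, str]]:
    """Write /opt/<stack>/.env (mode 0600) and the unit for each stack under root."""
    root = root or Path(tempfile.mkdtemp())
    out: Dict[str, Dict[str, str]] = {}
    previous = None
    for stack in parse_stacks(meta["podman_compose_stacks"]):
        secret = read_secret(kv_path(meta, stack))["data"]["data"]
        env_path = root / "opt" / stack / ".env"
        env_path.parent.mkdir(parents=True, exist_ok=True)
        env_path.touch(mode=0o600)  # restrict the file before any secret lands in it
        env_path.chmod(0o600)
        env_path.write_text(render_env(secret))
        unit_path = root / "etc/systemd/system" / f"podman-compose-{stack}.service"
        unit_path.parent.mkdir(parents=True, exist_ok=True)
        unit_path.write_text(render_unit(stack, previous))
        out[stack] = {"env": env_path.read_text(), "unit": unit_path.read_text()}
        previous = stack
    return out


if __name__ == "__main__":
    for stack, files in deploy(META, FAKE_VAULT.__getitem__).items():
        print(f"--- {stack}\n{files['env']}{files['unit']}")
```

The `.env` file is the only place the secret is materialised on disk, so it is created with mode 0600 before being written; stack names are restricted to a safe character set because they are spliced into filesystem paths and unit names.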