Supports to encrypt the system disk by copyImage when creating stemcell

Author: xiaozhu36

ci/pipeline-develop.yml

@@ -25,7 +25,7 @@ shared:
   file: pipelines/shared/tasks/run-bats.yml
   params:
     INFRASTRUCTURE:     alicloud
-    STEMCELL_NAME:      bosh-alicloud-kvm-ubuntu-xenial-go_agent
+    STEMCELL_NAME:      bosh-alicloud-kvm-ubuntu-bionic-go_agent
     BAT_INFRASTRUCTURE: alicloud
     BAT_NETWORKING:     manual
     BAT_RSPEC_FLAGS:    "--tag ~multiple_manual_networks --tag ~raw_ephemeral_storage --tag ~persistent_disk"
@@ -84,7 +84,7 @@ jobs:
   - aggregate:
     - {get: bosh-cpi-release, trigger: true,  resource: bosh-cpi-dev-artifacts, passed: [build-candidate]}
     - {get: bosh-cpi-src,     trigger: false, resource: bosh-cpi-src-in, passed: [build-candidate]}
-    - {get: stemcell,         trigger: false, resource: ubuntu-xenial-stemcell}
+    - {get: stemcell,         trigger: false, resource: ubuntu-bionic-stemcell}
     - {get: aliyun-cli,       trigger: false, resource: aliyun-cli}
     - {get: jq-blob,          trigger: false}
     - {get: 24h,              trigger: false}
@@ -114,9 +114,9 @@ jobs:
   plan:
   - aggregate:
     - {get: cpi-release,     trigger: true,  resource: bosh-cpi-dev-artifacts, passed: [build-candidate]}
-    - {get: bosh-release,    trigger: false, resource: precompiled-bosh-releases}
+    - {get: bosh-release,    trigger: false, resource: bosh-release}
     - {get: bosh-cpi-src,    trigger: false, resource: bosh-cpi-src-in, passed: [build-candidate]}
-    - {get: stemcell,        trigger: false, resource: ubuntu-xenial-light-stemcell}
+    - {get: stemcell,        trigger: false, resource: ubuntu-bionic-light-stemcell}
     - {get: bosh-deployment, trigger: false}
     - {get: pipelines,       trigger: false}
     - {get: bosh-cli,        trigger: false}
@@ -159,10 +159,10 @@ jobs:
   plan:
   - aggregate:
     - {get: cpi-release,     trigger: true,  resource: bosh-cpi-dev-artifacts,   passed: [build-candidate]}
-    - {get: bosh-release,    trigger: false, resource: precompiled-bosh-releases}
+    - {get: bosh-release,    trigger: false, resource: bosh-release}
     - {get: bosh-cpi-src,    trigger: false, resource: bosh-cpi-src-in,          passed: [build-candidate]}
-    - {get: stemcell,        trigger: false, resource: ubuntu-xenial-light-stemcell}
-    - {get: heavy-stemcell,  trigger: false, resource: ubuntu-xenial-stemcell}
+    - {get: stemcell,        trigger: false, resource: ubuntu-bionic-light-stemcell}
+    - {get: heavy-stemcell,  trigger: false, resource: ubuntu-bionic-stemcell}
     - {get: bosh-deployment, trigger: false}
     - {get: pipelines,       trigger: false}
     - {get: bosh-cli,        trigger: false}
@@ -276,21 +276,20 @@ resources:
     source:
       uri: https://github.com/cloudfoundry-incubator/bosh-cpi-certification
       branch: master
-  - name: precompiled-bosh-releases
-    type: s3
+  - name: bosh-release
+    type: bosh-io-release
     source:
-      bucket: bosh-compiled-release-tarballs
-      regexp: bosh-(\d+.\d+.\d+)-ubuntu-xenial-(250.\d+).*.tgz
-  - name: ubuntu-xenial-stemcell
+      repository: cloudfoundry/bosh
+  - name: ubuntu-bionic-stemcell
     type: bosh-io-stemcell
     source:
-      name: bosh-alicloud-kvm-ubuntu-xenial-go_agent
+      name: bosh-alicloud-kvm-ubuntu-bionic-go_agent
       force_regular: true
       tarball: true
-  - name: ubuntu-xenial-light-stemcell
+  - name: ubuntu-bionic-light-stemcell
     type: bosh-io-stemcell
     source:
-      name: bosh-alicloud-kvm-ubuntu-xenial-go_agent
+      name: bosh-alicloud-kvm-ubuntu-bionic-go_agent
   - name: bats
     type: git
     source:

src/bosh-alicloud-cpi/action/create_stemcell.go

@@ -10,6 +10,8 @@ import (
 	"strconv"
 	"strings"
 
+	"github.com/aliyun/alibaba-cloud-sdk-go/sdk/requests"
+
 	"bytes"
 	"os/exec"
 	"path"
@@ -41,11 +43,11 @@ type StemcellProps struct {
 	//RootDeviceName string 	`json:"root_device_name"`
 	SourceUrl string `json:"source_url"`
 	//SourceSha1    string `json:"raw_disk_sha1,omitempty"`
-	OSSBucket   string `json:"oss_bucket"`
-	OSSObject   string `json:"oss_object"`
-	Description string `json:"description,omitempty"`
-	//	Version string 			`json:"version"`		TODO  sometimes string, and sometimes int
-	Images map[string]interface{} `json:"image_id"`
+	OSSBucket   string                 `json:"oss_bucket"`
+	OSSObject   string                 `json:"oss_object"`
+	Description string                 `json:"description,omitempty"`
+	Version     string                 `json:"version"`
+	Images      map[string]interface{} `json:"image_id"`
 }
 
 type CreateStemcellMethod struct {
@@ -141,6 +143,10 @@ func (a CreateStemcellMethod) CreateStemcell(imagePath string, cloudProps apiv1.
 		return apiv1.StemcellCID{}, bosherr.WrapErrorf(err, "Importing stemcell from '%s'", imagePath)
 	}
 
+	stemcellId, err = a.copyImage(stemcellId, props)
+	if err != nil {
+		return apiv1.StemcellCID{}, bosherr.WrapErrorf(err, "Copying stemcell from '%s'", imagePath)
+	}
 	return apiv1.NewStemcellCID(stemcellId), nil
 }
 
@@ -168,7 +174,7 @@ func (a CreateStemcellMethod) importImage(props StemcellProps) (string, error) {
 	// The bionic stemcell should using Other Linux to avoid opening ipv6 setting
 	if strings.Contains(props.Name, "-bionic-") {
 		args.Platform = "Others Linux"
-	}else {
+	} else {
 		args.Platform = formatImagePlatform(strings.ToLower(props.OsDistro))
 	}
 	args.Description = props.Description
@@ -193,6 +199,36 @@ func (a CreateStemcellMethod) importImage(props StemcellProps) (string, error) {
 	return imageId, nil
 }
 
+func (a CreateStemcellMethod) copyImage(stemcellId string, props StemcellProps) (string, error) {
+	encryptImage := a.Config.OpenApi.Encrypted
+	if encryptImage == nil || !*encryptImage || a.Config.OpenApi.KmsKeyId != "" {
+		return stemcellId, nil
+	}
+	a.Logger.Debug(alicloud.AlicloudImageServiceTag, "Copying Alicloud Image with kms key id %s to encrypt the image.", a.Config.OpenApi.KmsKeyId)
+
+	args := ecs.CreateCopyImageRequest()
+	args.ImageId = stemcellId
+	args.RegionId = a.Config.OpenApi.GetRegion("")
+	args.DestinationRegionId = a.Config.OpenApi.GetRegion("")
+	imageNames := strings.Split(props.Name, "-")
+	args.DestinationImageName = fmt.Sprintf("copied-bosh-stemcell-%s-%s.tgz", props.Version, strings.Join(imageNames[1:], "-"))
+	args.Encrypted = requests.NewBoolean(true)
+	args.KMSKeyId = a.Config.OpenApi.KmsKeyId
+
+	imageId, err := a.stemcells.CopyImage(args)
+	if err != nil {
+		return "", bosherr.WrapError(err, "Failed to create Alicloud Image")
+	}
+
+	if err = a.stemcells.WaitForImageReady(imageId); err != nil {
+		a.cleanUp(imageId)
+		return "", bosherr.WrapError(err, "Failed to copy Alicloud Image")
+	}
+
+	a.Logger.Debug(alicloud.AlicloudImageServiceTag, "Copy Alicloud Image %s success", imageId)
+	return imageId, nil
+}
+
 func (a CreateStemcellMethod) CreateFromTarball(imagePath string, props StemcellProps) (string, error) {
 	imageName := fmt.Sprintf("%s-%s.raw", AlicloudImageNamePrefix, a.getUUIDName(props))
 	bucketName := fmt.Sprintf("%s-%s", alicloud.AlicloudDefaultImageName, uuid.New().String())

src/bosh-alicloud-cpi/alicloud/config.go

@@ -64,6 +64,7 @@ type OpenApi struct {
 	AccessKeySecret  string `json:"access_key_secret"`
 	SecurityToken    string `json:"security_token"`
 	Encrypted        *bool  `json:"encrypted,omitempty"`
+	KmsKeyId         string `json:"kms_key_id"`
 	EcsEndpoint      string `json:"ecs_endpoint"`
 	SlbEndpoint      string `json:"slb_endpoint"`
 	OssEndpoint      string `json:"oss_endpoint"`

src/bosh-alicloud-cpi/alicloud/stemcell_manager.go

@@ -28,6 +28,7 @@ type StemcellManager interface {
 	FindStemcellById(id string) (*ecs.Image, error)
 	DeleteStemcell(id string) error
 	ImportImage(args *ecs.ImportImageRequest) (string, error)
+	CopyImage(args *ecs.CopyImageRequest) (string, error)
 	OpenLocalFile(path string) (*os.File, error)
 	WaitForImageReady(id string) error
 }
@@ -128,6 +129,28 @@ func (a StemcellManagerImpl) ImportImage(args *ecs.ImportImageRequest) (string,
 	return resp.ImageId, err
 }
 
+func (a StemcellManagerImpl) CopyImage(args *ecs.CopyImageRequest) (string, error) {
+	client, err := a.config.NewEcsClient("")
+	if err != nil {
+		return "", err
+	}
+
+	resp, err := client.CopyImage(args)
+	if err != nil {
+		//if e, ok := err.(*aliclouderr.ServerError); ok && e.ErrorCode() == ImageIsImporting {
+		//	if resp != nil {
+		//		return resp.ImageId, nil
+		//	}
+		//}
+		return "", bosherr.WrapErrorf(err, "Failed to copy Alicloud Image in '%s'.", args.RegionId)
+	}
+	if resp == nil {
+		return "", bosherr.WrapErrorf(err, "Failed to copy Alicloud Image in '%s' and CopyImage result is '%#v'.", args.RegionId, resp)
+	}
+	a.log("Copying Image", err, args, resp.ImageId)
+	return resp.ImageId, err
+}
+
 func (a StemcellManagerImpl) OpenLocalFile(path string) (*os.File, error) {
 	return os.Open(path)
 }