Add support for Windows 2019/2022 to OCI capi provider image builder

[joekr]

What this PR does / why we need it:
Adds support to build windows images to using with CAPOCI provider using cluster-api.

Which issue(s) this PR fixes (optional, in fixes #(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged): No open issues

Additional context
the oci_iad_windows_bm.json file contents

{
  "availability_domain": "<myAD>",
  "build_name": "windows",
  "base_image_ocid": "ocid1.image.oc1.iad.aaaaaaaazt5nv5koc2sxjagzfvdv7gnza2te7gheiscw2ukdrwcdk4mwhyxq",
  "compartment_ocid": "<myCompartment",
  "kubernetes_deb_version": "1.24.9-00",
  "kubernetes_rpm_version": "1.24.9-0",
  "kubernetes_semver": "v1.24.9",
  "kubernetes_series": "v1.24",
  "ocpus": "128",
  "region": "us-ashburn-1",
  "shape": "BM.Standard.E4.128",
  "subnet_ocid": "<mySubnet>"
}

Build logs

$ OPC_USER_PASSWORD="<mypassword>"  no_proxy=* PACKER_VAR_FILES=oci_iad_windows_bm.json make build-oci-windows-2019

...
...
...

==> oracle-oci: Provisioning with powershell script: /var/folders/yp/cx82s01j4m1d34krx_q97xs80000gn/T/powershell-provisioner2441768962
    oracle-oci: Using cloudbase-init unattend file for sysprep: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\conf\Unattend.xml
    oracle-oci: IMAGE_STATE_COMPLETE
    oracle-oci: IMAGE_STATE_UNDEPLOYABLE
    oracle-oci: IMAGE_STATE_GENERALIZE_RESEAL_TO_OOBE
    oracle-oci: >>> Sysprep complete ...
==> oracle-oci: Creating image from instance...
==> oracle-oci: Updating image schema...
==> oracle-oci: Created image (ocid1.image.oc1.iad.XXXX).
==> oracle-oci: Terminating instance (ocid1.instance.oc1.iad.XXXX)...
==> oracle-oci: Terminated instance.
==> oracle-oci: Running post-processor: manifest
Build 'oracle-oci' finished after 33 minutes 47 seconds.

==> Wait completed after 33 minutes 47 seconds

==> Builds finished. The artifacts of successful builds are:
--> oracle-oci: An image was created: 'cluster-api-windows-v1.24.9-1673378936' (OCID: ocid1.image.oc1.iad.XXXX) in region 'us-ashburn-1'
--> oracle-oci: An image was created: 'cluster-api-windows-v1.24.9-1673378936' (OCID: ocid1.image.oc1.iad.XXXX) in region 'us-ashburn-1'

[k8s-ci-robot]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[jsturtevant]

/assign

[jsturtevant]

what is the difference between these? most configuration should be configurable through cloudbase_metadata_services and cloudbase_plugins I think?

[joekr]

I saw I could modify the cloudbase_plugins but it appeared to only be addition, I couldn't figure out how to remove plugins OCI doesn't support https://github.com/kubernetes-sigs/image-builder/blob/master/images/capi/ansible/windows/roles/cloudbase-init/templates/cloudbase-init.conf#L35.

The OCI template removes

cloudbaseinit.plugins.windows.createuser.CreateUserPlugin, 
cloudbaseinit.plugins.common.setuserpassword.SetUserPasswordPlugin, 
cloudbaseinit.plugins.windows.extendvolumes.ExtendVolumesPlugin,

[jsturtevant]

I think it might be better to move these out of the base template to avoid duplicating this file as much as we can. what do you think?

[joekr]

Makes sense to me.

[joekr]

I've moved all the plugins to their respective packer-windows.json files and reduced the amount of default cloudbase_plugins in the cloudbase-init.conf file.

[jsturtevant]

/retest

[jsturtevant]

centos failed when updating with yum. I don't know much about yum and centos, would a retry to this command help flakes?

 [Errno -1] Metadata file does not match checksum\nTrying other mirror.\n\n\n One of the configured repositories failed (CentOS-7 - Updates (OpenLogic)),\n and yum doesn't have enough cached data to continue. At this point the only\n safe thing yum can do is fail. There are a few ways to work \"fix\" this:\n\n     1. Contact the upstream for the repository and get them to fix the problem.\n\n     2. Reconfigure the baseurl/etc. for the repository, to point to a working\n        upstream. This is most often useful if you are using a newer\n        distribution release than is supported by the repository (and the\n        packages for the previous distribution release still work).\n\n     3. Run the command with the repository temporarily disabled\n            yum --disablerepo=updates-openlogic ...\n\n     4. Disable the repository permanently, so yum won't use it by default. Yum\n        will then just ignore the repository until you permanently enable it\n        again or use --enablerepo for temporary usage:\n\n            yum-config-manager --disable updates-openlogic\n        or\n            subscription-manager repos --disable=updates-openlogic\n\n     5. Configure the failing repository to be skipped, if it is unavailable.\n        Note that yum will try to contact the repo. when it runs most commands,\n        so will have to try and fail each time (and thus. yum will be be much\n        slower). If it is a very temporary problem though, this is often a nice\n        compromise:\n\n            yum-config-manager --save --setopt=updates-openlogic.skip_if_unavailable=true\n\nfailure: repodata/filelists.sqlite.bz2 from updates-openlogic: [Errno 256] No more mirrors to try.\nhttp://olcentgbl.trafficmanager.net/centos/7/updates/x86_64/repodata/filelists.sqlite.bz2: [Errno -1] Metadata file does not match checksum\n", "obsoletes": 

/retest

[joekr]

I had to push a change. After removing "wins_url" the image would build, but failed to join the cluster. Using "wins_url": "", fixes the joining issue.

[joekr]

/retest

[jsturtevant]

Is this going to leave the password in a file as plain text?

[joekr]

It will modify the password set in the winrm_bootstrap.txt to be set a launch. From my understanding I need to set a password at launch as our image process sets the password to automatically reset on launch and it won't be known.

Here is an old example related issue: hashicorp/packer#7033 (comment)

I'm not sure how to use the ENV to set the value in winrm_bootstrap.txt without saving it to the file for launch.

[jsturtevant]

so this password is only used during bootstrapping but the password when a new image is created will be generated? If that is the case can we make a comment so that we know we are not leaking passwords in plain text here?

[joekr]

I have updated how this works now. When the image is built we temporarily set the password to the user provided password, when the image create the file containing the provided password is deleted. I've also updated the book to call that out.

[joekr]

/retest

[jsturtevant]

/lgtm
/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: joekr, jsturtevant

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• docs/OWNERS [jsturtevant]
• images/capi/OWNERS [jsturtevant]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment