Merge pull request #91 from intel/release_23.10

Reference Architecture 23.10

Pipfile

@@ -4,22 +4,22 @@ verify_ssl = true
 name = "pypi"
 
 [packages]
-ansible = "~=5.7.1"
-"ansible-core" = "~=2.12"
+ansible = "~=7.7.0"
+"ansible-core" = "~=2.14"
 cryptography = "~=41.0"
 jinja2 = "~=3.1"
-netaddr = "~=0.7.19"
-pbr = "~=5.4"
-jmespath = "~=0.9.5"
-"ruamel.yaml" = "~=0.17.21"
-"ruamel.yaml.clib" = "~=0.2.6"
+netaddr = "~=0.8.0"
+pbr = "~=5.11"
+jmespath = "~=1.0.1"
+"ruamel.yaml" = "~=0.17.32"
+"ruamel.yaml.clib" = "~=0.2.7"
 MarkupSafe = "~=2.1"
 ipaddr = "*"
 
 [dev-packages]
-ansible-lint = "~=6.12.1"
-pylint = "~=2.15.4"
-bandit = "~=1.7.4"
+ansible-lint = "~=6.12.2"
+pylint = "~=2.17.5"
+bandit = "~=1.7.5"
 
 [requires]
 python_version = "3"

README.md

@@ -66,6 +66,8 @@ The software provided here is for reference only and not intended for production
 
 2. Install python dependencies using one of the following methods
 
+   > **_NOTE:_** Ensure that at least python3.9 is installed on ansible host
+
     a) Non-invasive virtual environment using pipenv
 
     ```bash
@@ -102,7 +104,7 @@ The software provided here is for reference only and not intended for production
    > **_NOTE:_** It is **highly recommended** to read [this](docs/generate_profiles.md) file before profiles generation.
 
     ```bash
-    make examples ARCH=<atom,core,**icx**,spr> NIC=<fvl,**cvl**>
+    make examples ARCH=<atom,core,**icx**,spr,emr> NIC=<fvl,**cvl**>
     ```
 
 5. Copy example inventory file to the project root dir.

action_plugins/cpupin.py

@@ -29,7 +29,7 @@
 from ansible.errors import AnsibleActionFail
 
 # Minimum required vCPUs for the VM
-MINIMUM_VCPUS = 4
+MINIMUM_VCPUS = 2
 # Number of vCPUs (CPUs + threads) allocated for host OS
 HOST_OS_VCPUS = 16
 # Minimum required vCPUs for host OS

ansible.cfg

@@ -16,7 +16,7 @@ fact_caching_timeout = 7200
 
 action_plugins = ./action_plugins:~/.ansible/plugins/action:/usr/share/ansible/plugins/action
 library = ./library
-roles_path = roles
+roles_path = roles:collections/share/roles
 collections_path = ./collections
 
 log_path = ./.ansible_last_run.log

cloud/README.md

@@ -14,11 +14,11 @@ Cloud RA allows for deploying Intel Container Experience Kits on managed Kuberne
 
 - Python 3.8+
 
-- Azure CLI 2.50.0+ ([Install Guide](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli-linux?pivots=apt))
+- Azure CLI 2.53.0+ ([Install Guide](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli-linux?pivots=apt))
 
-- AWS CLI 2.12.7+ ([Install Guide](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html))
+- AWS CLI 2.13.21+ ([Install Guide](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html))
 
-- Terraform 1.5.2+
+- Terraform 1.5.7+
 
 - Docker 20.10.17+
 
@@ -81,7 +81,7 @@ azureConfig:
   sg_whitelist_cidr_blocks: []
   enable_proximity_placement: true
   aks:
-    kubernetes_version: "1.26"
+    kubernetes_version: "1.27"
     cni: "kubenet" # Possible values are: kubenet, cilium
     enable_sgx: false # Requires DCsv series instances in one of node pools
     default_node_pool:
@@ -120,7 +120,7 @@ awsConfig:
   sg_whitelist_cidr_blocks: []
   ecr_repositories: []
   eks:
-    kubernetes_version: "1.26"
+    kubernetes_version: "1.27"
     subnets: ["subnet_a", "subnet_b"]
     custom_ami: "ubuntu" # Comment out this line to use Amazon Linux 2 OS
     node_groups:

cloud/cwdf_example_aws.yaml

@@ -15,7 +15,7 @@ awsConfig:
   sg_whitelist_cidr_blocks: []
   ecr_repositories: []
   eks:
-    kubernetes_version: "1.26"
+    kubernetes_version: "1.27"
     subnets: ["subnet_a", "subnet_b"]
     custom_ami: "ubuntu" # Comment out this line to use Amazon Linux 2 OS
     node_groups:

cloud/cwdf_example_azure.yaml

@@ -14,7 +14,7 @@ azureConfig:
   sg_whitelist_cidr_blocks: []
   enable_proximity_placement: true
   aks:
-    kubernetes_version: "1.26"
+    kubernetes_version: "1.27"
     cni: "kubenet" # Possible values are: kubenet, cilium, cilium-ebpf
     enable_sgx: false # Requires DCsv series instances in one of node pools
     default_node_pool:

cloud/cwdf_util/config.py

@@ -24,7 +24,7 @@
             Optional("root_volume_type", default='gp2'): str
         }],
         Optional("eks"): {
-            Optional("kubernetes_version", default='1.26'): Or("1.24", "1.25", "1.26"),
+            Optional("kubernetes_version", default='1.27'): Or("1.25", "1.26", "1.27"),
             "subnets": [str],
             Optional("install_ebs_csi_driver", default=True): bool,
             Optional("custom_ami", default=None): str,
@@ -48,7 +48,7 @@
         Optional("enable_proximity_placement", default=False): bool,
         Optional("ansible_instance_size", default="Standard_B2s"): str,
         Optional("aks"): {
-            Optional("kubernetes_version", default='1.26'): Or("1.25", "1.26"),
+            Optional("kubernetes_version", default='1.27'): Or("1.26", "1.27"),
             Optional("cni", default="cilium"): Or("cilium", "kubenet"),
             Optional("enable_sgx", default=False): bool,
             "default_node_pool": {

cloud/cwdf_util/main.py

@@ -78,7 +78,7 @@ def compose_cloudcli(
         # version = cloud_config["eks"]["kubernetes_version"]
         # region = cloud_config["region"]
         file_loader = FileSystemLoader(provider_template_path)
-        env = Environment(loader=file_loader)
+        env = Environment(loader=file_loader, autoescape=True)
         shutil.copy2(os.path.join(provider_template_path, 'aws_cloudcli_cleanup.sh'), deployment_dir)
         cleanup_file = os.path.join(deployment_dir, 'aws_cloudcli_cleanup.sh')
         print(f"Cleanup file path: {cleanup_file}")
@@ -87,7 +87,7 @@ def compose_cloudcli(
         script_template = env.get_template("aws_cloudcli_deploy.sh.j2")
     elif cloud_provider == "azure":
         file_loader = FileSystemLoader(provider_template_path)
-        env = Environment(loader=file_loader)
+        env = Environment(loader=file_loader, autoescape=True)
         shutil.copy2(os.path.join(provider_template_path, 'azure_cloudcli_cleanup.sh'), deployment_dir)
         cleanup_file = os.path.join(deployment_dir, 'azure_cloudcli_cleanup.sh')
         st = os.stat(cleanup_file)

cloud/cwdf_util/templates/cloudcli/aws/aws_cloudcli_deploy.sh.j2

@@ -47,9 +47,21 @@ ANSIBLE_INSTANCE_IMAGE=$(aws ec2 describe-images \
 ANSIBLE_INSTANCE_TYPE="t3.medium"
 ANSIBLE_INSTANCE_NAME="cwdf-infra-{{ cloud_config.job_id }}-ansible-instance"
 
+# Generate Ansible instance SSH Host Key
+if [ ! -f ./ansible_host ]
+then
+  ssh-keygen -q -N "" -t rsa -f ./ansible_host
+fi
+ANSIBLE_INSTANCE_HOST_PRIVKEY=$(cat ./ansible_host)
+ANSIBLE_INSTANCE_HOST_PUBKEY=$(cat ./ansible_host.pub)
+
 # Ansible instance entrypoint script
 ANSIBLE_INSTANCE_ENTRYPOINT="$(cat <<- "EOM"
 #!/usr/bin/env bash
+echo $ANSIBLE_INSTANCE_HOST_PRIVKEY > /etc/ssh/ssh_host_rsa_key
+rm /etc/ssh/ssh_host_dsa_key
+rm /etc/ssh/ssh_host_ed25519_key
+rm /etc/ssh/ssh_host_ecdsa_key
 apt-get -qq -y update
 apt-get -qq -y upgrade
 apt-get -qq -y install python3-pip python3-venv
@@ -359,10 +371,13 @@ JSON_OUTPUT=$(jq -n \
                  --arg cloud_provider "aws" \
                  --arg cr_url $ECR_URL \
                  --arg k8s_worker_username "ubuntu" \
+                 --arg host_key "$ANSIBLE_INSTANCE_HOST_PUBKEY" \
                  '{ansible_host_public_ip:
                     {value: $ansible_host_ip},
                    cloud_provider: 
                     {value: $cloud_provider},
+                   ansible_ssh_host_key:
+                    {value: $host_key},
                    cr_url: 
                     {value: $cr_url},
                    k8s_worker_username: 

cloud/cwdf_util/templates/cloudcli/azure/azure_cloudcli_deploy.sh.j2

@@ -30,9 +30,21 @@ NIC_NAME="cwdf-infra-{{ cloud_config.job_id }}-ansible-instance-nic"
 ANSIBLE_INSTANCE_NAME="cwdf-infra-{{ cloud_config.job_id }}-ansible-instance"
 ANSIBLE_INSTANCE_IMAGE="Canonical:0001-com-ubuntu-server-jammy:22_04-lts-gen2:latest"
 
+# Generate Ansible instance SSH Host Key
+if [ ! -f ${SCRIPT_DIR}/ansible_host ]
+then
+  ssh-keygen -q -N "" -t rsa -f ${SCRIPT_DIR}/ansible_host
+fi
+ANSIBLE_INSTANCE_HOST_PRIVKEY=$(cat ${SCRIPT_DIR}/ansible_host)
+ANSIBLE_INSTANCE_HOST_PUBKEY=$(cat ${SCRIPT_DIR}/ansible_host.pub)
+
 # Ansible instance entrypoint script
 ANSIBLE_INSTANCE_ENTRYPOINT="$(cat <<- "EOM"
 #!/usr/bin/env bash
+echo $ANSIBLE_INSTANCE_HOST_PRIVKEY > /etc/ssh/ssh_host_rsa_key
+rm /etc/ssh/ssh_host_dsa_key
+rm /etc/ssh/ssh_host_ed25519_key
+rm /etc/ssh/ssh_host_ecdsa_key
 mkdir -p /etc/apt/keyrings
 curl -sLS https://packages.microsoft.com/keys/microsoft.asc |
   gpg --dearmor |
@@ -479,6 +491,7 @@ JSON_OUTPUT=$(jq -n \
                  --arg k8s_worker_username "azureuser" \
                  --arg rg_name "$AZ_GROUP_NAME" \
                  --arg sub_id "$SUBSCRIPTION_ID" \
+                 --arg host_key "$ANSIBLE_INSTANCE_HOST_PUBKEY" \
                  '{aks_cluster_name: 
                     {value: $aks_name},
                    aks_scale_sets_rg: 
@@ -487,6 +500,8 @@ JSON_OUTPUT=$(jq -n \
                     {value: $ansible_host_ip},
                    cloud_provider: 
                     {value: $cloud_provider},
+                   ansible_ssh_host_key:
+                    {value: $host_key},
                    cr_url: 
                     {value: $cr_url},
                    k8s_worker_username: 

cloud/cwdf_util/templates/terraform/aws/ansible_host.tf.jinja

@@ -143,6 +143,11 @@ resource "aws_eip" "ansible" {
   domain   = "vpc"
 }
 
+resource "tls_private_key" "ansible_ssh_rsa_host_key" {
+  algorithm = "RSA"
+  rsa_bits = 4096
+}
+
 resource "aws_instance" "ansible" {
   ami                    = data.aws_ami.ubuntu2204.id
   instance_type          = "{{ ansible_instance_type }}"
@@ -165,6 +170,10 @@ resource "aws_instance" "ansible" {
 
   user_data = <<EOF
 #!/bin/bash
+echo '${tls_private_key.ansible_ssh_rsa_host_key.private_key_pem}' > /etc/ssh/ssh_host_rsa_key
+rm /etc/ssh/ssh_host_dsa_key
+rm /etc/ssh/ssh_host_ed25519_key
+rm /etc/ssh/ssh_host_ecdsa_key
 apt-get -qq -y update
 apt-get -qq -y upgrade
 apt-get -qq -y install python3-pip python3-venv
@@ -207,3 +216,7 @@ EOF
 output "ansible_host_public_ip" {
   value = aws_eip.ansible.public_ip
 }
+
+output "ansible_host_ssh_host_key" {
+  value = tls_private_key.ansible_ssh_rsa_host_key.public_key_openssh
+}

cloud/cwdf_util/templates/terraform/aws/provider.tf.jinja

@@ -2,15 +2,15 @@ terraform {
   required_providers {
     aws = {
       source = "hashicorp/aws"
-      version = "5.7.0"
+      version = "5.17.0"
     }
     kubernetes = {
       source = "hashicorp/kubernetes"
-      version = "2.21.1"
+      version = "2.23.0"
     }
     helm = {
       source = "hashicorp/helm"
-      version = "2.10.1"
+      version = "2.11.0"
     }
   }
 }

cloud/cwdf_util/templates/terraform/azure/aks.tf.jinja

@@ -42,7 +42,7 @@ resource "azurerm_kubernetes_cluster" "default" {
     {% endif %}
     {% if aks.cni == "cilium" %}
     ebpf_data_plane = "cilium"
-    network_plugin_mode = "Overlay"
+    network_plugin_mode = "overlay"
     {% endif %}
   }
 

cloud/cwdf_util/templates/terraform/azure/ansible_host.tf.jinja

@@ -39,6 +39,11 @@ resource "azurerm_network_interface_security_group_association" "ansible_instanc
   network_security_group_id = azurerm_network_security_group.default.id
 }
 
+resource "tls_private_key" "ansible_ssh_rsa_host_key" {
+  algorithm = "RSA"
+  rsa_bits = 4096
+}
+
 resource "azurerm_linux_virtual_machine" "ansible_instance" {
   name                = "cwdf-infra-{{ job_id }}-ansible-instance"
   resource_group_name = azurerm_resource_group.default.name
@@ -79,6 +84,10 @@ resource "azurerm_linux_virtual_machine" "ansible_instance" {
 
   custom_data = base64encode(<<EOF
 #!/bin/bash
+echo '${tls_private_key.ansible_ssh_rsa_host_key.private_key_pem}' > /etc/ssh/ssh_host_rsa_key
+rm /etc/ssh/ssh_host_dsa_key
+rm /etc/ssh/ssh_host_ed25519_key
+rm /etc/ssh/ssh_host_ecdsa_key
 mkdir -p /etc/apt/keyrings
 curl -sLS https://packages.microsoft.com/keys/microsoft.asc |
   gpg --dearmor |
@@ -254,3 +263,7 @@ resource "azurerm_monitor_data_collection_rule_association" "ansible_instance" {
 output "ansible_host_public_ip" {
   value = azurerm_public_ip.ansible_instance.ip_address
 }
+
+output "ansible_host_ssh_host_key" {
+  value = tls_private_key.ansible_ssh_rsa_host_key.public_key_openssh
+}

cloud/cwdf_util/templates/terraform/azure/provider.tf.jinja

@@ -2,11 +2,11 @@ terraform {
   required_providers {
     azurerm = {
       source = "hashicorp/azurerm"
-      version = "3.64.0"
+      version = "3.74.0"
     }
     helm = {
       source = "hashicorp/helm"
-      version = "2.10.1"
+      version = "2.11.0"
     }
   }
 }

cloud/deployer.py

@@ -16,7 +16,7 @@
 import cwdf_util
 import sw_deployment.sw_deployment_tool as sw_deployment
 
-from ssh_connector import SSHConnector
+from ssh_connector import SSHConnector, SSHHostKey
 
 
 def subprocess_run(*args, **kwargs):
@@ -107,8 +107,10 @@ def deploy(deployment_dir, provisioner_tool):
     provisioning_output = None
     if provisioner_tool == "terraform":
         provisioning_output = terrafrom_provisioning(deployment_dir, cwdf_user_config, job_id, ssh_public_key)
-    if provisioner_tool == "cloudcli":
+    elif provisioner_tool == "cloudcli":
         provisioning_output = cloudcli_provisioning(deployment_dir, cwdf_user_config, job_id, public_key_path)
+    else:
+        return
 
     ansible_host_ip = provisioning_output["ansible_host_public_ip"]["value"]
     click.echo("Ansible Host is accessible on: " + ansible_host_ip)
@@ -154,9 +156,12 @@ def deploy(deployment_dir, provisioner_tool):
         click.echo("Public ip: " + worker["public_ip"])
         click.echo("-------------------")
     ssh_username = provisioning_output["k8s_worker_username"]["value"]
+    ssh_host_key_raw = provisioning_output["ansible_host_ssh_host_key"]["value"][8:]
+    ssh_host_key = SSHHostKey("ssh-rsa", ssh_host_key_raw)
     click.echo("Opening SSH connection to Ansible host...")
     ssh = SSHConnector(ip_address=ansible_host_ip,
                        username='ubuntu',
+                       host_keys=[ssh_host_key],
                        priv_key=private_key_path,
                        try_loop=True)
     click.echo("Opened SSH connection.")
@@ -213,6 +218,7 @@ def deploy(deployment_dir, provisioner_tool):
     with open(file=sw_config_path, mode='r', encoding='utf-8') as file:
         sw_configuration = yaml.load(file, Loader=yaml.FullLoader)
     sw_configuration['ansible_host_ip'] = ansible_host_ip
+    sw_configuration['ansible_ssh_host_key'] = ssh_host_key_raw
     sw_configuration['worker_ips'] = workers_ip
     sw_configuration['ssh_user'] = ssh_username
     sw_configuration['ssh_key'] = os.path.join('..', private_key_path)