Merge pull request #601 from cloudfoundry/merge-jammy

aramprice · web-flow · commit 7283d4b4ddb5 · 2026-05-29T15:30:53.000-07:00
Merge jammy
diff --git a/ci/pipelines/builder.yml b/ci/pipelines/builder.yml
@@ -44,6 +44,9 @@ groups:
 - name: docker
   jobs:
   - build-os-image-stemcell-builder
+- name: infrastructure
+  jobs:
+  - ensure-integration-network
 
 #@yaml/text-templated-strings
 jobs:
@@ -89,6 +92,25 @@ jobs:
       get_params:
         skip_download: true
 
+#! Manually triggered job that idempotently ensures the GCP subnetwork and
+#! firewall rule consumed by deploy-director / cleanup-bats-vms / prepare-bats
+#! in the test-stemcells-ipv4 and bats jobs below exist. GCP is the source of
+#! truth — no state file is required.
+- name: ensure-integration-network
+  serial: true
+  plan:
+  - get: bosh-stemcells-ci
+  - get: bosh-integration-image
+  - task: ensure-integration-network
+    file: bosh-stemcells-ci/ci/tasks/gcp/ensure-integration-network.yml
+    image: bosh-integration-image
+    params:
+      GCP_JSON_KEY: ((gcp_json_key))
+      GCP_PROJECT_ID: ((gcp_project_id))
+      GCP_REGION: europe-north2
+      GCP_NETWORK_NAME: bosh-concourse
+      SUBNET_INT: (@= data.values.stemcell_details.subnet_int @)
+
 - name: process-high-critical-cves
   serial_groups: [log-cves]
   plan:
@@ -885,7 +907,6 @@ resource_types:
   type: registry-image
   source:
     repository: frodenas/gcs-resource
-
 #@yaml/text-templated-strings
 resources:
 - name: daily
diff --git a/ci/pipelines/publisher.yml b/ci/pipelines/publisher.yml
@@ -480,68 +480,86 @@ jobs:
         path: /bin/bash
         args:
           - -ce
-          - tar xvf ../candidate-(@= data.values.stemcell_details.os_name @)-stemcell-(@= str(data.values.stemcell_details.major_version) @)/bosh-stemcell-*-warden-boshlite-(@= data.values.stemcell_details.os_name @)*.tgz image
+          - |
+            tar xvf ../candidate-(@= data.values.stemcell_details.os_name @)-stemcell-(@= str(data.values.stemcell_details.major_version) @)/bosh-stemcell-*-warden-boshlite-(@= data.values.stemcell_details.os_name @)*.tgz image
+            printf 'FROM scratch\nADD image /\n' > Dockerfile
+  - task: build-stemcell-oci-image
+    privileged: true
+    config:
+      platform: linux
+      image_resource:
+        type: registry-image
+        source:
+          repository: concourse/oci-build-task
+      inputs:
+        - name: stemcell-image
+      outputs:
+        - name: image
+      params:
+        CONTEXT: stemcell-image
+      run:
+        path: build
   - put: github-container-registry-(@= data.values.stemcell_details.os_name @)-stemcell
     params:
-      import_file: stemcell-image/image
-      tag_file: candidate-(@= data.values.stemcell_details.os_name @)-stemcell-(@= str(data.values.stemcell_details.major_version) @)/.resource/version
-      tag_as_latest: true
-  - put: published-(@= data.values.stemcell_details.os_name @)-stemcell-(@= str(data.values.stemcell_details.major_version) @)
-    params:
-      files:
-      - candidate-(@= data.values.stemcell_details.os_name @)-stemcell-(@= str(data.values.stemcell_details.major_version) @)/*.tgz
-      options:
-        author_email: *ci_bot_email
-        author_name: *ci_bot_name
-        message: 'publish (heavy): (@= data.values.stemcell_details.os_name @)/(@= str(data.values.stemcell_details.major_version) @).x'
-      rename: '{{.Version}}/stemcells.meta4'
-      version: candidate-(@= data.values.stemcell_details.os_name @)-stemcell-(@= str(data.values.stemcell_details.major_version) @)/.resource/version
-  #@ if len(data.values.stemcell_details.include_fips_iaas) > 0 :
-  - put: published-(@= data.values.stemcell_details.os_name @)-fips-stemcell-(@= str(data.values.stemcell_details.major_version) @)
-    params:
-      files:
-      - candidate-(@= data.values.stemcell_details.os_name @)-fips-stemcell-(@= str(data.values.stemcell_details.major_version) @)/*.tgz
-      options:
-        author_email: *ci_bot_email
-        author_name: *ci_bot_name
-        message: 'publish (heavy): (@= data.values.stemcell_details.os_name @)-fips/(@= str(data.values.stemcell_details.major_version) @).x'
-      rename: '{{.Version}}/stemcells.meta4'
-      version: candidate-(@= data.values.stemcell_details.os_name @)-fips-stemcell-(@= str(data.values.stemcell_details.major_version) @)/.resource/version
-  #@ end
-  - params:
-      files:
-      - candidate-aws-light-stemcell/*.tgz
-      options:
-        author_email: *ci_bot_email
-        author_name: *ci_bot_name
-        message: 'publish (light aws): (@= data.values.stemcell_details.os_name @)/(@= str(data.values.stemcell_details.major_version) @).x'
-      rename: '{{.Version}}/stemcells.aws.meta4'
-      version: candidate-aws-light-stemcell/.resource/version
-    put: published-aws-light-(@= data.values.stemcell_details.os_name @)-stemcell-(@= str(data.values.stemcell_details.major_version) @)
-
-  #! once we release all regions with the same account, we can unify these again
-  - file: bosh-stemcells-ci/ci/tasks/light-aws/tag-aws-ami-light.yml
-    image: bosh-ecosystem-concourse-registry-image
-    task: tag-published-aws-ami-light-stemcells
-    params:
-      AWS_PAGER:
-      AWS_ACCESS_KEY_ID: ((aws_publish_us_access_key))
-      AWS_SECRET_ACCESS_KEY: ((aws_publish_us_secret_key))
-      GREP_PATTERN: grep -v 'gov-\|cn-'
-  - file: bosh-stemcells-ci/ci/tasks/light-aws/tag-aws-ami-light.yml
-    image: bosh-ecosystem-concourse-registry-image
-    task: tag-gov-published-aws-ami-light-stemcells
-    params:
-      AWS_PAGER:
-      AWS_ACCESS_KEY_ID: ((aws_publish_us-gov_access_key))
-      AWS_SECRET_ACCESS_KEY: ((aws_publish_us-gov_secret_key))
-      GREP_PATTERN: grep 'gov-'
-#!  - file: bosh-stemcells-ci/ci/tasks/light-aws/tag-aws-ami-light.yml
-#!    task: tag-china-published-aws-ami-light-stemcells
-#!    params:
-#!      AWS_ACCESS_KEY_ID: ((aws_publish_cn_access_key))
-#!      AWS_SECRET_ACCESS_KEY: ((aws_publish_cn_secret_key))
-#!      GREP_PATTERN: grep 'cn-'
+      image: image/image.tar
+      additional_tags: candidate-(@= data.values.stemcell_details.os_name @)-stemcell-(@= str(data.values.stemcell_details.major_version) @)/.resource/version
+  - in_parallel:
+    - put: published-(@= data.values.stemcell_details.os_name @)-stemcell-(@= str(data.values.stemcell_details.major_version) @)
+      params:
+        files:
+        - candidate-(@= data.values.stemcell_details.os_name @)-stemcell-(@= str(data.values.stemcell_details.major_version) @)/*.tgz
+        options:
+          author_email: *ci_bot_email
+          author_name: *ci_bot_name
+          message: 'publish (heavy): (@= data.values.stemcell_details.os_name @)/(@= str(data.values.stemcell_details.major_version) @).x'
+        rename: '{{.Version}}/stemcells.meta4'
+        version: candidate-(@= data.values.stemcell_details.os_name @)-stemcell-(@= str(data.values.stemcell_details.major_version) @)/.resource/version
+    #@ if len(data.values.stemcell_details.include_fips_iaas) > 0 :
+    - put: published-(@= data.values.stemcell_details.os_name @)-fips-stemcell-(@= str(data.values.stemcell_details.major_version) @)
+      params:
+        files:
+        - candidate-(@= data.values.stemcell_details.os_name @)-fips-stemcell-(@= str(data.values.stemcell_details.major_version) @)/*.tgz
+        options:
+          author_email: *ci_bot_email
+          author_name: *ci_bot_name
+          message: 'publish (heavy): (@= data.values.stemcell_details.os_name @)-fips/(@= str(data.values.stemcell_details.major_version) @).x'
+        rename: '{{.Version}}/stemcells.meta4'
+        version: candidate-(@= data.values.stemcell_details.os_name @)-fips-stemcell-(@= str(data.values.stemcell_details.major_version) @)/.resource/version
+    #@ end
+    - params:
+        files:
+        - candidate-aws-light-stemcell/*.tgz
+        options:
+          author_email: *ci_bot_email
+          author_name: *ci_bot_name
+          message: 'publish (light aws): (@= data.values.stemcell_details.os_name @)/(@= str(data.values.stemcell_details.major_version) @).x'
+        rename: '{{.Version}}/stemcells.aws.meta4'
+        version: candidate-aws-light-stemcell/.resource/version
+      put: published-aws-light-(@= data.values.stemcell_details.os_name @)-stemcell-(@= str(data.values.stemcell_details.major_version) @)
+
+    #! once we release all regions with the same account, we can unify these again
+    - file: bosh-stemcells-ci/ci/tasks/light-aws/tag-aws-ami-light.yml
+      image: bosh-ecosystem-concourse-registry-image
+      task: tag-published-aws-ami-light-stemcells
+      params:
+        AWS_PAGER:
+        AWS_ACCESS_KEY_ID: ((aws_publish_us_access_key))
+        AWS_SECRET_ACCESS_KEY: ((aws_publish_us_secret_key))
+        GREP_PATTERN: grep -v 'gov-\|cn-'
+    - file: bosh-stemcells-ci/ci/tasks/light-aws/tag-aws-ami-light.yml
+      image: bosh-ecosystem-concourse-registry-image
+      task: tag-gov-published-aws-ami-light-stemcells
+      params:
+        AWS_PAGER:
+        AWS_ACCESS_KEY_ID: ((aws_publish_us-gov_access_key))
+        AWS_SECRET_ACCESS_KEY: ((aws_publish_us-gov_secret_key))
+        GREP_PATTERN: grep 'gov-'
+#!    - file: bosh-stemcells-ci/ci/tasks/light-aws/tag-aws-ami-light.yml
+#!      task: tag-china-published-aws-ami-light-stemcells
+#!      params:
+#!        AWS_ACCESS_KEY_ID: ((aws_publish_cn_access_key))
+#!        AWS_SECRET_ACCESS_KEY: ((aws_publish_cn_secret_key))
+#!        GREP_PATTERN: grep 'cn-'
   - params:
       files:
       - candidate-google-light-(@= data.values.stemcell_details.os_name @)-stemcell-(@= str(data.values.stemcell_details.major_version) @)/*.tgz
@@ -838,11 +856,12 @@ resources:
   #@ end
 
 - name: github-container-registry-(@= data.values.stemcell_details.os_name @)-stemcell
-  type: docker-image
+  type: registry-image
   source:
     repository: ghcr.io/cloudfoundry/(@= data.values.stemcell_details.os_name @)-stemcell
     username: ((github_read_write_packages.username))
     password: ((github_read_write_packages.password))
+    tag: latest
 
 - name: bosh-integration-registry-image
   type: registry-image
diff --git a/ci/tasks/gcp/ensure-integration-network.sh b/ci/tasks/gcp/ensure-integration-network.sh
@@ -0,0 +1,139 @@
+#!/usr/bin/env bash
+set -eu -o pipefail
+
+: "${GCP_JSON_KEY:?}"
+: "${GCP_PROJECT_ID:?}"
+: "${GCP_REGION:?}"
+: "${GCP_NETWORK_NAME:?}"
+: "${SUBNET_INT:?}"
+
+echo "${GCP_JSON_KEY}" | gcloud auth activate-service-account --key-file - --project "${GCP_PROJECT_ID}"
+
+SUBNET_NAME="stemcell-builder-integration-${SUBNET_INT}"
+SUBNET_CIDR="10.100.${SUBNET_INT}.0/24"
+
+# 'bat'                 => BATS created VM tag
+# 'test-stemcells-bats' => director, and compilation VM tag
+FIREWALL_TAGS="bat,test-stemcells-bats"
+
+gcloud_stderr="$(mktemp)"
+trap 'rm -f "${gcloud_stderr}"' EXIT
+
+echo "Checking for subnet '${SUBNET_NAME}' in region '${GCP_REGION}'..."
+existing_subnet_name="$(gcloud compute networks subnets list \
+    --regions="${GCP_REGION}" \
+    --project="${GCP_PROJECT_ID}" \
+    --filter="name=('${SUBNET_NAME}')" \
+    --format='value(name)' \
+    2>"${gcloud_stderr}")" && subnet_lookup_ok=true || subnet_lookup_ok=false
+
+if ${subnet_lookup_ok}; then
+  if [[ -n "${existing_subnet_name}" ]]; then
+    current_subnet="$(gcloud compute networks subnets describe "${SUBNET_NAME}" \
+        --region="${GCP_REGION}" \
+        --project="${GCP_PROJECT_ID}" \
+        --format='csv[no-heading](network.basename(),ipCidrRange,privateIpGoogleAccess,stackType)' \
+        2>"${gcloud_stderr}")"
+    expected_subnet="${GCP_NETWORK_NAME},${SUBNET_CIDR},True,IPV4_ONLY"
+    if [[ "${current_subnet}" != "${expected_subnet}" ]]; then
+      echo "ERROR: Subnet '${SUBNET_NAME}' exists but is misconfigured."
+      echo "  Expected: ${expected_subnet}"
+      echo "  Actual:   ${current_subnet}"
+      exit 1
+    fi
+    echo "Subnet '${SUBNET_NAME}' already exists and matches expected configuration."
+  else
+    echo "Creating subnet '${SUBNET_NAME}'..."
+    gcloud compute networks subnets create "${SUBNET_NAME}" \
+      --network="${GCP_NETWORK_NAME}" \
+      --region="${GCP_REGION}" \
+      --range="${SUBNET_CIDR}" \
+      --enable-private-ip-google-access \
+      --stack-type=IPV4_ONLY \
+      --project="${GCP_PROJECT_ID}"
+    echo "Subnet '${SUBNET_NAME}' created."
+  fi
+else
+  echo "ERROR: gcloud subnet lookup failed for subnet '${SUBNET_NAME}':"
+  cat "${gcloud_stderr}" >&2
+  exit 1
+fi
+
+echo "Checking for firewall rule '${SUBNET_NAME}'..."
+existing_fw_name="$(gcloud compute firewall-rules list \
+    --project="${GCP_PROJECT_ID}" \
+    --filter="name=('${SUBNET_NAME}')" \
+    --format='value(name)' \
+    2>"${gcloud_stderr}")" && fw_lookup_ok=true || fw_lookup_ok=false
+
+if ${fw_lookup_ok}; then
+  if [[ -n "${existing_fw_name}" ]]; then
+    current_fw_json="$(gcloud compute firewall-rules describe "${SUBNET_NAME}" \
+        --project="${GCP_PROJECT_ID}" \
+        --format=json \
+        2>"${gcloud_stderr}")"
+
+    # Validate network, direction, disabled
+    actual_network="$(echo "${current_fw_json}" | jq -r '.network | split("/") | last')"
+    actual_direction="$(echo "${current_fw_json}" | jq -r '.direction')"
+    actual_disabled="$(echo "${current_fw_json}" | jq -r '.disabled')"
+
+    if [[ "${actual_network}" != "${GCP_NETWORK_NAME}" ]] || \
+       [[ "${actual_direction}" != "INGRESS" ]] || \
+       [[ "${actual_disabled}" != "false" ]]; then
+      echo "ERROR: Firewall rule '${SUBNET_NAME}' exists but is misconfigured."
+      echo "  Expected network=${GCP_NETWORK_NAME}, direction=INGRESS, disabled=false"
+      echo "  Actual   network=${actual_network}, direction=${actual_direction}, disabled=${actual_disabled}"
+      exit 1
+    fi
+
+    # Validate allowed (should be exactly [{IPProtocol: "all"}])
+    actual_allowed="$(echo "${current_fw_json}" | jq -c '[.allowed[] | {protocol: .IPProtocol, ports: (.ports // [])}] | sort_by(.protocol)')"
+    expected_allowed='[{"protocol":"all","ports":[]}]'
+    if [[ "${actual_allowed}" != "${expected_allowed}" ]]; then
+      echo "ERROR: Firewall rule '${SUBNET_NAME}' has wrong allowed configuration."
+      echo "  Expected: ${expected_allowed}"
+      echo "  Actual:   ${actual_allowed}"
+      exit 1
+    fi
+
+    # Validate sourceRanges (should be exactly the subnet CIDR)
+    actual_ranges="$(echo "${current_fw_json}" | jq -c '(.sourceRanges // []) | sort')"
+    expected_ranges="$(printf '["%s"]' "${SUBNET_CIDR}")"
+    if [[ "${actual_ranges}" != "${expected_ranges}" ]]; then
+      echo "ERROR: Firewall rule '${SUBNET_NAME}' has wrong source ranges."
+      echo "  Expected: ${expected_ranges}"
+      echo "  Actual:   ${actual_ranges}"
+      exit 1
+    fi
+
+    # Validate targetTags (order-insensitive)
+    actual_tags="$(echo "${current_fw_json}" | jq -c '(.targetTags // []) | sort')"
+    expected_tags="$(printf '%s\n' ${FIREWALL_TAGS//,/ } | jq -R . | jq -sc 'sort')"
+    if [[ "${actual_tags}" != "${expected_tags}" ]]; then
+      echo "ERROR: Firewall rule '${SUBNET_NAME}' has wrong target tags."
+      echo "  Expected: ${expected_tags}"
+      echo "  Actual:   ${actual_tags}"
+      exit 1
+    fi
+
+    echo "Firewall rule '${SUBNET_NAME}' already exists and matches expected configuration."
+  else
+    echo "Creating firewall rule '${SUBNET_NAME}'..."
+    gcloud compute firewall-rules create "${SUBNET_NAME}" \
+      --network="${GCP_NETWORK_NAME}" \
+      --project="${GCP_PROJECT_ID}" \
+      --direction=INGRESS \
+      --priority=1000 \
+      --allow=all \
+      --source-ranges="${SUBNET_CIDR}" \
+      --target-tags="${FIREWALL_TAGS}"
+    echo "Firewall rule '${SUBNET_NAME}' created."
+  fi
+else
+  echo "ERROR: gcloud firewall-rules lookup failed for '${SUBNET_NAME}':"
+  cat "${gcloud_stderr}" >&2
+  exit 1
+fi
+
+echo "Integration network '${SUBNET_NAME}' is ready."
diff --git a/ci/tasks/gcp/ensure-integration-network.yml b/ci/tasks/gcp/ensure-integration-network.yml
@@ -0,0 +1,15 @@
+---
+platform: linux
+
+inputs:
+  - name: bosh-stemcells-ci
+
+params:
+  GCP_JSON_KEY:
+  GCP_PROJECT_ID:
+  GCP_REGION:
+  GCP_NETWORK_NAME:
+  SUBNET_INT:
+
+run:
+  path: bosh-stemcells-ci/ci/tasks/gcp/ensure-integration-network.sh
diff --git a/image-metalinks/ubuntu-jammy/ubuntu-jammy.meta4 b/image-metalinks/ubuntu-jammy/ubuntu-jammy.meta4
@@ -1,22 +1,22 @@
 <metalink xmlns="urn:ietf:params:xml:ns:metalink">
   <file name="ubuntu-jammy.tgz">
-    <hash type="sha-512">697fa6d41f390657587788d83bd61bf152d2a2db047b12ce1ef0bdd185bc21ed529a169048d43d6a89d87f007c1fe7b78732fe158f75916ab2704fd7b5bc6344</hash>
-    <hash type="sha-256">14c59687ceca0e7e06ee1f134ce84dae2f201c7483bc36abe53a680ee46c23b7</hash>
-    <hash type="sha-1">a2428dfb78cd307e64112f4003512e3fce12db5d</hash>
-    <hash type="md5">36f4ce5ace7260cc2d98ca5c00b25251</hash>
-    <size>434910636</size>
+    <hash type="sha-512">262476bd0328ed6f9932491230f129109ab66b6cea92c659eee3056a79f3fef0364760dcc886676fb321eea50439b531ed2c9f3cb0b0571488240573d5ac37ce</hash>
+    <hash type="sha-256">d700a8d194f00f1d1628aad3072a4c0a0075fe38fba0cc7b7cf8f57514d4c0ec</hash>
+    <hash type="sha-1">0da23b76f051ecda06ea42e9f2f477c8e6ae625e</hash>
+    <hash type="md5">18fd61818309c296c1810045b214df1a</hash>
+    <size>435051911</size>
     <url>https://storage.googleapis.com/bosh-os-images/ubuntu-jammy/ubuntu-jammy.tgz</url>
-    <version>1052.0.0</version>
+    <version>1064.0.0</version>
   </file>
   <file name="usn-log.json">
-    <hash type="sha-512">d9378b3a430af3ce967861b570ad77af08528260c4812231ff56329936c66a52c64b1c2876caae3ce5775713312dd9e26632d0252468553c1c25d0146c5d8645</hash>
-    <hash type="sha-256">da3273890d484f72fb935f72976b752943acd99f562128ccc4759d2559f6a0ec</hash>
-    <hash type="sha-1">8218d84e4ae3bc7831f015388ec02f43323895e1</hash>
-    <hash type="md5">f2d841b3ccbd4dc7386e7e7b59fb72ce</hash>
-    <size>7477</size>
+    <hash type="sha-512">1be299e68905259454e88adc4a919b0721a5ada64606a6012d3cd46abe992604c1709224b5580f41105eedfe15353e2bcac3c56b4ae6369682f62b6b6304e7f6</hash>
+    <hash type="sha-256">3949a7b939998804e55805449a9e2507cf40dfb7084067124c9aaa95c08b8857</hash>
+    <hash type="sha-1">4e87bb595d36f602b27c33dd9f7ce7e3e5b80af4</hash>
+    <hash type="md5">d70271e3719efa31f7f8f0dcb1d81ed5</hash>
+    <size>75875</size>
     <url>https://storage.googleapis.com/bosh-os-images/ubuntu-jammy/usn-log.json</url>
-    <version>1052.0.0</version>
+    <version>1064.0.0</version>
   </file>
   <generator>metalink-repository-resource/0.0.0</generator>
-  <published>2026-05-08T18:01:53.5253407Z</published>
+  <published>2026-05-27T02:55:40.91564987Z</published>
 </metalink>
