From 580e15acc7496a6065198419d159bc1aaf15683b Mon Sep 17 00:00:00 2001
From: Mary Karroqe
Date: Fri, 8 Sep 2023 10:37:48 -0400
Subject: [PATCH 1/7] fix: bump alpine from 3.15.4 to 3.15.6 to patch zlib CVE
---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index 8caf527fd..99ad15113 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -6,7 +6,7 @@ FROM ${BASE} as devkit
 ARG TARGETPLATFORM
 # hadolint ignore=DL3029
-FROM --platform=${TARGETPLATFORM} alpine:3.15.4
+FROM --platform=${TARGETPLATFORM} alpine:3.15.6
 ENV ANSIBLE_PATH=/usr
 ENV PYTHON_PATH=/usr
From 795cd49a7da117718f76cc42557ff7d360a2b031 Mon Sep 17 00:00:00 2001
From: faiq
Date: Thu, 7 Sep 2023 12:22:26 -0700
Subject: [PATCH 2/7] fix: use d2iq base templates
---
 test/infra/vsphere/variables.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/test/infra/vsphere/variables.tf b/test/infra/vsphere/variables.tf
index 28f084cea..b82b4eb5e 100644
--- a/test/infra/vsphere/variables.tf
+++ b/test/infra/vsphere/variables.tf
@@ -5,7 +5,7 @@ variable "datastore_name" {
 variable "bastion_base_template" {
 description = "base template name"
- default = "os-qualification-templates/d2iq-base-RockyLinux-9.1"
+ default = "d2iq-base-templates/d2iq-base-RockyLinux-9.1"
 }
 variable "resource_pool_name" {
From eb91a39cacb95e3937aa575672638d6035ba6b95 Mon Sep 17 00:00:00 2001
From: Shalin Patel
Date: Fri, 18 Aug 2023 06:50:13 -0700
Subject: [PATCH 3/7] ci: use vsphere base templates from d2iq-base-templates vsphere folder (#870)
* ci: use base d2iq templates
* ci: set vsphere base templates from d2iq-base-templates directory
---
 images/ova/rhel-79.yaml | 2 +-
 images/ova/rhel-84.yaml | 2 +-
 images/ova/rhel-86.yaml | 2 +-
 images/ova/rocky-91.yaml | 2 +-
 images/ova/ubuntu-2004.yaml | 2 +-
 test/infra/vsphere/packer-vsphere-airgap.yaml.tmpl | 4 +---
 6 files changed, 6 insertions(+), 8 deletions(-)
diff --git a/images/ova/rhel-79.yaml b/images/ova/rhel-79.yaml
index ae82c34b1..f9609042d 100644
--- a/images/ova/rhel-79.yaml
+++ b/images/ova/rhel-79.yaml
@@ -13,7 +13,7 @@ packer:
 insecure_connection: "false"
 network: ""
 resource_pool: ""
- template: "os-qualification-templates/d2iq-base-RHEL-79"
+ template: "d2iq-base-templates/d2iq-base-RHEL-79"
 vsphere_guest_os_type: "rhel7_64Guest"
 guest_os_type: "rhel7-64"
 # goss params
diff --git a/images/ova/rhel-84.yaml b/images/ova/rhel-84.yaml
index b75d177f0..99ddae15f 100644
--- a/images/ova/rhel-84.yaml
+++ b/images/ova/rhel-84.yaml
@@ -13,7 +13,7 @@ packer:
 insecure_connection: "false"
 network: ""
 resource_pool: ""
- template: "os-qualification-templates/d2iq-base-RHEL-84" # change default value with your base template name
+ template: "d2iq-base-templates/d2iq-base-RHEL-84" # change default value with your base template name
 vsphere_guest_os_type: "rhel8_64Guest"
 guest_os_type: "rhel8-64"
 # goss params
diff --git a/images/ova/rhel-86.yaml b/images/ova/rhel-86.yaml
index 6d8da5c0e..986014ea4 100644
--- a/images/ova/rhel-86.yaml
+++ b/images/ova/rhel-86.yaml
@@ -13,7 +13,7 @@ packer:
 insecure_connection: "false"
 network: ""
 resource_pool: ""
- template: "os-qualification-templates/d2iq-base-RHEL-86" # change default value with your base template name
+ template: "d2iq-base-templates/d2iq-base-RHEL-86" # change default value with your base template name
 vsphere_guest_os_type: "rhel8_64Guest"
 guest_os_type: "rhel8-64"
 # goss params
diff --git a/images/ova/rocky-91.yaml b/images/ova/rocky-91.yaml
index 526c1d07a..3becc235b 100644
--- a/images/ova/rocky-91.yaml
+++ b/images/ova/rocky-91.yaml
@@ -13,7 +13,7 @@ packer:
 insecure_connection: "false"
 network: ""
 resource_pool: ""
- template: "os-qualification-templates/d2iq-base-RockyLinux-9.1" # change default value with your base template name
+ template: "d2iq-base-templates/d2iq-base-RockyLinux-9.1" # change default value with your base template name
 vsphere_guest_os_type: "other4xLinux64Guest"
 guest_os_type: "rocky9-64"
 # goss params
diff --git a/images/ova/ubuntu-2004.yaml b/images/ova/ubuntu-2004.yaml
index c8f1c3aa8..53aec4e75 100644
--- a/images/ova/ubuntu-2004.yaml
+++ b/images/ova/ubuntu-2004.yaml
@@ -13,7 +13,7 @@ packer:
 insecure_connection: "false"
 network: ""
 resource_pool: ""
- template: "os-qualification-templates/d2iq-base-Ubuntu-20.04" # change default value with your base template name
+ template: "d2iq-base-templates/d2iq-base-Ubuntu-20.04" # change default value with your base template name
 vsphere_guest_os_type: "other4xLinux64Guest"
 guest_os_type: "ubuntu2004-64"
 # goss params
diff --git a/test/infra/vsphere/packer-vsphere-airgap.yaml.tmpl b/test/infra/vsphere/packer-vsphere-airgap.yaml.tmpl
index a68e4ae48..8ce5aba44 100644
--- a/test/infra/vsphere/packer-vsphere-airgap.yaml.tmpl
+++ b/test/infra/vsphere/packer-vsphere-airgap.yaml.tmpl
@@ -15,6 +15,4 @@ packer:
 folder: "cluster-api"
 network: "Airgapped"
 resource_pool: "Users"
- # ssh authentication with base template VM.
- ssh_username: "builder"
- ssh_agent_auth: true
+ ssh_username: "kib"
From eb2098741d3544ce07ddd8ca93882b25ae1c2337 Mon Sep 17 00:00:00 2001
From: Mary Karroqe
Date: Fri, 8 Sep 2023 12:47:07 -0400
Subject: [PATCH 4/7] fix: adds missing ssh_public_key variable
---
 pkg/packer/manifests/vsphere/packer.pkr.hcl | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/pkg/packer/manifests/vsphere/packer.pkr.hcl b/pkg/packer/manifests/vsphere/packer.pkr.hcl
index 2240e62cb..146630bf6 100644
--- a/pkg/packer/manifests/vsphere/packer.pkr.hcl
+++ b/pkg/packer/manifests/vsphere/packer.pkr.hcl
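Review bot: Removing `ssh_agent_auth: true` together with the comment that explained it leaves the airgap test template with no statement of how the build authenticates to the base-template VM as user `kib`; nothing in this hunk supplies a key or a password, so the behaviour now depends entirely on defaults decided elsewhere (the key-selection locals added to packer.pkr.hcl later in this series, as far as this view shows). A one-line replacement for the dropped comment would keep that dependency visible to whoever edits the test setup, e.g. `# no credentials configured here: key selection (ssh-agent, SSH_PRIVATE_KEY_FILE or a generated temporary key) is decided in packer.pkr.hcl`. The `packer:` mapping this hunk belongs to starts outside the hunk.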
@@ -147,6 +147,12 @@ variable "ssh_private_key_file" {
 sensitive = true
 }
+variable "ssh_public_key" {
+ type = string
+ default = env("SSH_PUBLIC_KEY")
+ sensitive = true
+}
+
 variable "ssh_timeout" {
 type = string
 default = "60m"
From 428362a8ac72de25f63f4b75e8a118d9cc0c5b18 Mon Sep 17 00:00:00 2001
From: Mary Karroqe
Date: Fri, 8 Sep 2023 13:19:52 -0400
Subject: [PATCH 5/7] fix: pulled in ssh_public_key changes
---
 .github/workflows/vsphere-e2e.yaml | 1 +
 cmd/konvoy-image-wrapper/cmd/wrapper.go | 9 ++-
 pkg/packer/manifests/vsphere/packer.pkr.hcl | 75 +++++++++++++++++++++
 3 files changed, 82 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/vsphere-e2e.yaml b/.github/workflows/vsphere-e2e.yaml
index d2a21a835..76526e4cd 100644
--- a/.github/workflows/vsphere-e2e.yaml
+++ b/.github/workflows/vsphere-e2e.yaml
@@ -86,6 +86,7 @@ jobs:
 env:
 SSH_BASTION_KEY_CONTENTS: ${{ secrets.SSH_BASTION_KEY_CONTENTS }}
 SSH_BASTION_PUBLIC_KEY_CONTENTS: ${{ secrets.SSH_BASTION_PUBLIC_KEY_CONTENTS }}
+ SSH_PUBLIC_KEY: ${{ secrets.SSH_BASTION_PUBLIC_KEY_CONTENTS}}
 VSPHERE_USERNAME: ${{ secrets.VSPHERE_USERNAME }}
 VSPHERE_USER: ${{ secrets.VSPHERE_USERNAME }} # required for terraform
 VSPHERE_PASSWORD: ${{ secrets.VSPHERE_PASSWORD }}
diff --git a/cmd/konvoy-image-wrapper/cmd/wrapper.go b/cmd/konvoy-image-wrapper/cmd/wrapper.go
index 57ce088ae..dafa45ae0 100644
--- a/cmd/konvoy-image-wrapper/cmd/wrapper.go
+++ b/cmd/konvoy-image-wrapper/cmd/wrapper.go
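Review bot: The new `variable "ssh_public_key"` has no `description` and is marked `sensitive = true` even though its value is a public key; Packer redacts sensitive values from build output, so an operator can no longer read from the log which key was authorized in the image, which is exactly what one wants to verify after a build. Unless this project treats the public key as confidential, dropping `sensitive = true` for this variable is reasonable, and either way a description that names the source of the default helps, e.g. `description = "Public key to authorize for the build user; defaults to SSH_PUBLIC_KEY, empty when unset"`. The empty-string fallback of `env("SSH_PUBLIC_KEY")` is what the consumers presumably test against, so stating it here avoids a second reading of the locals.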
@@ -50,9 +50,10 @@ const (
 envRedHatSubscriptionManagerActivationKey = "RHSM_ACTIVATION_KEY"
 envRedHatSubscriptionManagerOrgID = "RHSM_ORG_ID"
- envVSphereSSHUserName = "SSH_USERNAME"
- envVSphereSSHPassword = "SSH_PASSWORD"
- envVsphereSSHPrivatekeyFile = "SSH_PRIVATE_KEY_FILE"
+ envVSphereSSHUserName = "SSH_USERNAME"
+ envVSphereSSHPassword = "SSH_PASSWORD"
+ envVsphereSSHPrivatekeyFile = "SSH_PRIVATE_KEY_FILE"
+ envVsphereSSHPublicKeyContents = "SSH_PUBLIC_KEY" //nolint:gosec // environment var set by user
 envGCPApplicationCredentials = "GOOGLE_APPLICATION_CREDENTIALS"
@@ -216,6 +217,8 @@ func (r *Runner) setVSphereEnv() error {
 envRedHatSubscriptionManagerOrgID,
 envVSphereSSHUserName,
 envVSphereSSHPassword,
+ envVsphereSSHPrivatekeyFile,
+ envVsphereSSHPublicKeyContents,
 } {
 value, found := os.LookupEnv(env)
 if found {
diff --git a/pkg/packer/manifests/vsphere/packer.pkr.hcl b/pkg/packer/manifests/vsphere/packer.pkr.hcl
index 146630bf6..24c465df1 100644
--- a/pkg/packer/manifests/vsphere/packer.pkr.hcl
+++ b/pkg/packer/manifests/vsphere/packer.pkr.hcl
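Review bot: Adding `envVsphereSSHPrivatekeyFile` to the pass-through list in setVSphereEnv only forwards the path string; if the wrapper runs packer inside a container, as the command name suggests, the file at `SSH_PRIVATE_KEY_FILE` must also be mounted at the same path inside it, otherwise packer sees a dangling path and the manifest silently falls back to whichever key its locals select. setVSphereEnv starts before this hunk and continues after it, so the mount may already be handled there; if so, a comment on the new entry would tie the two together, e.g. `// SSH_PRIVATE_KEY_FILE is a host path; the file itself must be mounted into the build container at that path`. The other new entry, `envVsphereSSHPublicKeyContents`, carries key contents rather than a path and needs no such mount.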
@@ -366,6 +366,81 @@ locals { ssh_bastion_private_key_file = var.ssh_bastion_private_key_file ssh_bastion_username = var.ssh_bastion_username vm_name = "konvoy-${var.build_name}-${var.kubernetes_full_version}-${local.build_timestamp}" + + # if only a public key is given we expect the private key to be loaded into ssh-agent + ssh_agent_auth = var.ssh_agent_auth != "false" ? true : var.ssh_private_key_file == "" && var.ssh_public_key != "" + # inject generated key if no agent auth or private key is given + ssh_private_key_file = var.ssh_private_key_file != "" ? var.ssh_private_key_file : local.ssh_agent_auth ? "" : data.sshkey.kibkey.private_key_path + # when ssh_private_key_file uses the generated key inject its public key + ssh_public_key = local.ssh_private_key_file == data.sshkey.kibkey.private_key_path ? data.sshkey.kibkey.public_key : chomp(var.ssh_public_key) + ssh_password_hash = bcrypt(var.ssh_password) + # prepare cloud-init + cloud_init = < Date: Fri, 8 Sep 2023 11:08:26 -0700 Subject: [PATCH 6/7] fix: sync more vSphere packer changes from main --- Dockerfile | 1 + Dockerfile.devkit | 3 ++- pkg/packer/manifests/vsphere/packer.pkr.hcl | 30 +++++++++++++++++---- 3 files changed, 28 insertions(+), 6 deletions(-) diff --git a/Dockerfile b/Dockerfile index 99ad15113..92e88b78d 100644 --- a/Dockerfile +++ b/Dockerfile @@ -23,6 +23,7 @@ RUN apk add --no-cache \ py3-cryptography \ py3-pip \ py3-wheel \ + xorriso \ && pip3 install --no-cache-dir --requirement /tmp/requirements.txt \ && rm -rf /root/.cache diff --git a/Dockerfile.devkit b/Dockerfile.devkit index d4fa7d079..837bc9a64 100644 --- a/Dockerfile.devkit +++ b/Dockerfile.devkit 
@@ -139,7 +139,8 @@ RUN --mount=type=secret,id=githubtoken PACKER_GITHUB_API_TOKEN="$(cat /run/secre
 packer-${BUILDARCH} plugins install github.com/hashicorp/azure ">=1.3.1" && \
 packer-${BUILDARCH} plugins install github.com/hashicorp/amazon ">=1.1.3" && \
 packer-${BUILDARCH} plugins install github.com/hashicorp/ansible ">=1.0.3" && \
- packer-${BUILDARCH} plugins install github.com/hashicorp/vsphere ">=1.0.8"
+ packer-${BUILDARCH} plugins install github.com/hashicorp/vsphere ">=1.0.8" && \
+ packer-${BUILDARCH} plugins install github.com/ivoronin/sshkey ">=1.0.1"
 # Non-trivial bash scripting like e.g. the Makefile require bash instead of
 # plain sh, in order to function.
diff --git a/pkg/packer/manifests/vsphere/packer.pkr.hcl b/pkg/packer/manifests/vsphere/packer.pkr.hcl
index 24c465df1..cdf68fbd8 100644
--- a/pkg/packer/manifests/vsphere/packer.pkr.hcl
+++ b/pkg/packer/manifests/vsphere/packer.pkr.hcl
@@ -8,6 +8,10 @@ packer {
 version = ">= 1.0.2"
 source = "github.com/hashicorp/ansible"
 }
+ sshkey = {
+ version = ">= 1.0.1"
+ source = "github.com/ivoronin/sshkey"
+ }
 }
 }
@@ -351,6 +355,10 @@ variable "remote_folder" {
 default = "/tmp"
 }
+data "sshkey" "kibkey" {
+ name = "konvoy-image-builder-tmpkey"
+}
+
 # "timestamp" template function replacement
 locals { timestamp = regex_replace(timestamp(), "[- TZ:]", "") }
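Review bot: The new `packer-${BUILDARCH} plugins install github.com/ivoronin/sshkey ">=1.0.1"` uses an open-ended lower bound, like the lines around it, so the devkit image picks up whichever newest release of this third-party (non-HashiCorp) plugin exists when the image is built; the image content is not reproducible and an upstream release changes what generates build keys without any commit here. The same floating `version = ">= 1.0.1"` is repeated in the `required_plugins` hunk of packer.pkr.hcl in this commit. Pinning both to the version that was actually tested — `"1.0.1"` in place of `">=1.0.1"` here (in whatever constraint form this Packer release accepts for `plugins install`) and `version = "1.0.1"` in the HCL — keeps the plugin under version control and makes upgrades deliberate. The RUN instruction this hunk patches starts outside the hunk.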
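Review bot: `data "sshkey" "kibkey"` introduces a generated key pair whose private half is written to disk by the plugin, but the block says nothing about where that file lives, how long it is kept, or what happens when two builds run on the same host with the fixed `name = "konvoy-image-builder-tmpkey"`; until the build finishes that file is a credential for the image being produced. A short comment above the block would record the intent, e.g. `# Temporary key pair, used only when neither ssh-agent nor SSH_PRIVATE_KEY_FILE supplies a key; the private key is written by the sshkey plugin and must not be committed or reused across builds`, and it is worth confirming that the file is removed once the build completes. The locals that consume `data.sshkey.kibkey` are in a later hunk of this file that is truncated in this view, so the fallback logic itself cannot be checked here.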
@@ -369,11 +377,12 @@ locals { # if only a public key is given we expect the private key to be loaded into ssh-agent ssh_agent_auth = var.ssh_agent_auth != "false" ? true : var.ssh_private_key_file == "" && var.ssh_public_key != "" + # inject generated key if no agent auth or private key is given ssh_private_key_file = var.ssh_private_key_file != "" ? var.ssh_private_key_file : local.ssh_agent_auth ? "" : data.sshkey.kibkey.private_key_path # when ssh_private_key_file uses the generated key inject its public key ssh_public_key = local.ssh_private_key_file == data.sshkey.kibkey.private_key_path ? data.sshkey.kibkey.public_key : chomp(var.ssh_public_key) - ssh_password_hash = bcrypt(var.ssh_password) + ssh_password_hash = var.ssh_password != "" ? bcrypt(var.ssh_password): "" # prepare cloud-init cloud_init = < Date: Fri, 8 Sep 2023 11:53:27 -0700 Subject: [PATCH 7/7] ci: remove ssh public key to vsphere e2e tests --- .github/workflows/vsphere-e2e.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/vsphere-e2e.yaml b/.github/workflows/vsphere-e2e.yaml index 76526e4cd..d2a21a835 100644 --- a/.github/workflows/vsphere-e2e.yaml +++ b/.github/workflows/vsphere-e2e.yaml @@ -86,7 +86,6 @@ jobs: env: SSH_BASTION_KEY_CONTENTS: ${{ secrets.SSH_BASTION_KEY_CONTENTS }} SSH_BASTION_PUBLIC_KEY_CONTENTS: ${{ secrets.SSH_BASTION_PUBLIC_KEY_CONTENTS }} - SSH_PUBLIC_KEY: ${{ secrets.SSH_BASTION_PUBLIC_KEY_CONTENTS}} VSPHERE_USERNAME: ${{ secrets.VSPHERE_USERNAME }} VSPHERE_USER: ${{ secrets.VSPHERE_USERNAME }} # required for terraform VSPHERE_PASSWORD: ${{ secrets.VSPHERE_PASSWORD }}