Move public cloud scripts and implement Azure uploads

Signed-off-by: Dimitris Karakasilis <[email protected]>

Author: jimmykarily

.github/cleanup-old-images-aws.sh …b/public-cloud/cleanup-old-images-aws.sh.github/cleanup-old-images-aws.sh renamed to .github/public-cloud/cleanup-old-images-aws.sh .github/cleanup-old-images-aws.sh renamed to .github/public-cloud/cleanup-old-images-aws.sh

@@ -0,0 +1,49 @@
+#!/bin/bash
+
+set -euo pipefail
+
+AZURE_GALLERY_NAME="kairos.io"
+AZURE_IMAGE_DEFINITION="kairos"
+# Use same variables defined in the main upload script
+# AZURE_RESOURCE_GROUP and STORAGE_REGION should already be set in the environment
+
+getAllVersions() {
+  az sig image-version list \
+    --resource-group "$AZURE_RESOURCE_GROUP" \
+    --gallery-name "$AZURE_GALLERY_NAME" \
+    --gallery-image-definition "$AZURE_IMAGE_DEFINITION" \
+    --query "[].name" \
+    --output tsv
+}
+
+deleteVersion() {
+  local version=$1
+  echo "Deleting old image version: $version"
+  az sig image-version delete \
+    --resource-group "$AZURE_RESOURCE_GROUP" \
+    --gallery-name "$AZURE_GALLERY_NAME" \
+    --gallery-image-definition "$AZURE_IMAGE_DEFINITION" \
+    --gallery-image-version "$version"
+}
+
+cleanupOldVersions() {
+  echo "Fetching all image versions..."
+  mapfile -t allVersions < <(getAllVersions)
+
+  if (( ${#allVersions[@]} <= 4 )); then
+    echo "4 or fewer image versions found. No cleanup needed."
+    return
+  fi
+
+  echo "Sorting versions..."
+  mapfile -t sortedVersions < <(printf "%s\n" "${allVersions[@]}" | sort -V -r)
+
+  echo "Keeping latest 4 versions:" "${sortedVersions[@]:0:4}"
+  oldVersions=("${sortedVersions[@]:4}")
+
+  for version in "${oldVersions[@]}"; do
+    deleteVersion "$version"
+  done
+}
+
+cleanupOldVersions

.github/public-cloud/cleanup-old-images-azure.sh

@@ -0,0 +1,147 @@
+#!/bin/bash
+
+set -e
+set -o pipefail
+
+# https://github.com/Azure/login?tab=readme-ov-file#azure-login-action
+export AZURE_CORE_OUTPUT=none
+
+checkArguments() {
+  if [ $# -lt 2 ]; then
+    echo "Error: You need to specify the cloud image to upload and the Kairos version (to tag resources)."
+    echo "Usage: $0 <cloud-image> <kairos-version>"
+    exit 1
+  fi
+
+  local file="$1"
+
+  if [ ! -f "$file" ]; then
+    echo "Error: File '$file' does not exist."
+    exit 1
+  fi
+}
+
+checkEnvVars() {
+  if [ -z "$AZURE_RESOURCE_GROUP" ] || [ -z "$AZURE_STORAGE_ACCOUNT" ] || [ -z "$AZURE_CONTAINER_NAME" ]; then
+    echo "Error: AZURE_RESOURCE_GROUP, AZURE_STORAGE_ACCOUNT and AZURE_CONTAINER_NAME environment variables must be set."
+    exit 1
+  fi
+}
+
+LOCAL_VHD_PATH=$(readlink -f "$1")
+NAME=$(basename "$LOCAL_VHD_PATH" | sed 's/\.raw\.vhd$//') # just the file name without extension or path
+VERSION=$2
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+# shellcheck source=/dev/null
+source "$SCRIPT_DIR/cleanup-old-images-azure.sh"
+
+checkArguments "$@"
+checkEnvVars
+
+# === CHECK AZURE LOGIN ===
+az account show >/dev/null 2>&1 || { echo "Please run 'az login' first."; exit 1; }
+
+# === GET STORAGE ACCOUNT REGION ===
+echo "Fetching storage account region..."
+STORAGE_REGION=$(az storage account show --name "$AZURE_STORAGE_ACCOUNT" --query "primaryLocation" --output tsv)
+echo "Storage account is in region: $STORAGE_REGION"
+
+# === GET STORAGE ACCOUNT KEY ===
+echo "Fetching storage account key..."
+STORAGE_KEY=$(az storage account keys list --account-name "$AZURE_STORAGE_ACCOUNT" --query "[0].value" --output tsv)
+
+echo "Uploading VHD file ($LOCAL_VHD_PATH) to Azure Storage..."
+az storage blob upload --account-name "$AZURE_STORAGE_ACCOUNT" --container-name "$AZURE_CONTAINER_NAME" --type page \
+    --name "$NAME" --file "$LOCAL_VHD_PATH" --auth-mode key --account-key "$STORAGE_KEY" --overwrite true
+
+echo "Retrieving uploaded VHD URL..."
+VHD_URL=$(az storage blob url --account-name "$AZURE_STORAGE_ACCOUNT" --container-name "$AZURE_CONTAINER_NAME" --name "$NAME" --output tsv)
+echo "VHD uploaded successfully: $VHD_URL"
+
+# === Get file size in bytes ===
+VHD_SIZE_BYTES=$(stat -c %s "$LOCAL_VHD_PATH")
+
+# === Convert to GB and round up ===
+VHD_SIZE_GB=$(( (VHD_SIZE_BYTES + 1073741823) / 1073741824 ))
+echo "Calculated disk size: $VHD_SIZE_GB GB"
+
+echo "Creating a managed disk"
+az disk create \
+  --resource-group "$AZURE_RESOURCE_GROUP" \
+  --name "$NAME" \
+  --source "$VHD_URL" \
+  --os-type Linux \
+  --sku Premium_LRS \
+  --size-gb "$VHD_SIZE_GB" \
+  --hyper-v-generation V2
+
+echo "Getting the ID of the managed disk"
+DISK_ID=$(az disk show \
+  --resource-group "$AZURE_RESOURCE_GROUP" \
+  --name "$NAME" \
+  --query "id" \
+  --output tsv)
+
+# === CREATE AZURE IMAGE IN SAME REGION AS STORAGE ACCOUNT ===
+echo "Creating Azure image ($NAME) from VHD in region: $STORAGE_REGION..."
+az image create \
+	--resource-group "$AZURE_RESOURCE_GROUP" \
+	--name "$NAME" \
+	--os-type "Linux" \
+	--source "$DISK_ID" \
+	--hyper-v-generation "V2" \
+	--location "$STORAGE_REGION"
+echo "Image created successfully: $NAME"
+
+echo "Getting the image ID"
+IMAGE_ID=$(az image show \
+	--resource-group "$AZURE_RESOURCE_GROUP" \
+	--name "$NAME" \
+  --query "id" \
+  --output tsv)
+
+# echo "Creating a Shared Image Gallery (one-off)"
+# # https://learn.microsoft.com/en-us/azure/virtual-machines/create-gallery?tabs=portal%2Cportaldirect%2Ccli2
+# # TODO: Link to some EULA?
+# az sig create \
+#    --gallery-name kairos.io \
+#    --permissions community \
+#    --resource-group "$AZURE_RESOURCE_GROUP" \
+#    --location "$STORAGE_REGION" \
+#    --publisher-uri kairos.io \
+#    --publisher-email [email protected] \
+#    --eula https://github.com/kairos-io/kairos/?tab=Apache-2.0-1-ov-file#readme \
+#    --public-name-prefix kairos
+
+# echo "Creating an image definition (one-off)"
+# az sig image-definition create --resource-group "$AZURE_RESOURCE_GROUP" --gallery-name kairos.io \
+#   --gallery-image-definition kairos --publisher kairos.io --offer kairos --sku kairos \
+#   --hyper-v-generation "V2" --os-type Linux
+#
+# echo "Making the gallery public (one-off)"
+# az sig share enable-community --resource-group "$AZURE_RESOURCE_GROUP" --gallery-name kairos.io
+
+echo "Creating a Shared image version"
+az sig image-version create --resource-group "$AZURE_RESOURCE_GROUP" --gallery-name kairos.io \
+  --gallery-image-definition "kairos" --gallery-image-version "${VERSION#v}" \
+  --managed-image "$IMAGE_ID" --location "$STORAGE_REGION"
+
+echo "Deleting the managed disk"
+az disk delete \
+  --resource-group "$AZURE_RESOURCE_GROUP" \
+  --name "$NAME" \
+  --yes
+
+echo "Deleting managed image (no longer needed)"
+az image delete \
+  --resource-group "$AZURE_RESOURCE_GROUP" \
+  --name "$NAME"
+
+echo "Deleting uploaded VHD blob from Azure Storage..."
+az storage blob delete \
+  --account-name "$AZURE_STORAGE_ACCOUNT" \
+  --container-name "$AZURE_CONTAINER_NAME" \
+  --name "$NAME" \
+  --auth-mode key \
+  --account-key "$STORAGE_KEY"

.github/cleanup-old-images-gcp.sh …b/public-cloud/cleanup-old-images-gcp.sh.github/cleanup-old-images-gcp.sh renamed to .github/public-cloud/cleanup-old-images-gcp.sh .github/cleanup-old-images-gcp.sh renamed to .github/public-cloud/cleanup-old-images-gcp.sh

@@ -92,7 +92,7 @@ jobs:
           qemu-img resize -f raw disk.raw "$ROUNDED_SIZE"G
           tar --format=oldgnu -czvf "${file%.*}.tar.gz" disk.raw
 
-          .github/upload-image-to-gcp.sh $(ls *.tar.gz) "$latestTag"
+          .github/public-cloud/upload-image-to-gcp.sh $(ls *.tar.gz) "$latestTag"
 
   # https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services
   upload-aws:
@@ -153,4 +153,89 @@ jobs:
             --set "disk.raw=true" \
             --set "state_dir=/aurora"
 
-          .github/upload-image-to-aws.sh $(ls *.raw) "$latestTag"
+          .github/public-cloud/upload-image-to-aws.sh $(ls *.raw) "$latestTag"
+
+  upload-azure:
+    permissions:
+      id-token: write
+    name: Upload to Azure
+    runs-on: ubuntu-latest
+    # https://learn.microsoft.com/en-us/entra/workload-id/workload-identity-federation-create-trust?pivots=identity-wif-apps-methods-azp#github-actions
+    environment: azure-push
+    outputs:
+      shouldBuild: ${{ steps.checkPushed.outputs.shouldBuild }}
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - run: |
+          git fetch --prune --unshallow
+      # https://github.com/Azure/login?tab=readme-ov-file#azure-login-action
+      - name: Azure login
+        uses: azure/login@v2
+        with:
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+      - name: Find latest stable version
+        run: |
+          # Azure only allows "stable" version strings. E.g. "v1.2.3" (not "v1.2.3-beta1")
+          latestTag=$(git tag --list | grep -E '^v[0-9]+\.[0-9]+\.[0-9]+$' | sort -V | tail -n1)
+          echo $latestTag > LATEST_TAG
+
+      - name: Check if already pushed
+        id: checkPushed
+        run: |
+          latestTag=$(cat LATEST_TAG)
+
+          echo "Fetching all pushed versions"
+          mapfile -t kairosVersions < <(az sig image-version list --resource-group kairos-cloud-images --gallery-image-name kairos --gallery-name kairos.io --query '[].name' --output tsv)
+
+          echo "Checking if '$latestTag' is already pushed"
+          echo "Looking among versions: ${kairosVersions[@]}"
+          for version in "${kairosVersions[@]}"; do
+            if [[ $version == "${latestTag#v}" ]]; then
+              stableVersions+=("$version")
+              alreadyPushed=true
+              break
+            fi
+          done
+
+          if [[ "$alreadyPushed" = true && "${{ inputs.force }}" != "true" ]]; then
+            echo "shouldBuild=false" >> $GITHUB_OUTPUT
+            echo "Image for $latestTag is already pushed and 'force' wasn't true. Skipping build."
+          else
+            echo "shouldBuild=true" >> $GITHUB_OUTPUT
+            echo "Image for $latestTag is not pushed or 'force' was true. Will build."
+          fi
+
+      - name: Build the image
+        if: ${{ steps.checkPushed.outputs.shouldBuild == 'true' }}
+        run: |
+            latestTag=$(cat LATEST_TAG)
+            containerImage="quay.io/kairos/ubuntu:24.04-core-amd64-generic-${latestTag}"
+            docker run -v /var/run/docker.sock:/var/run/docker.sock --net host \
+              --privileged \
+              -v $PWD:/aurora --rm quay.io/kairos/auroraboot \
+              --debug \
+              --set "disable_http_server=true" \
+              --set "container_image=docker:${containerImage}" \
+              --set "disable_netboot=true" \
+              --set "disk.vhd=true" \
+              --set "state_dir=/aurora"
+
+      - name: Azure CLI script
+        uses: azure/cli@v2
+        if: ${{ steps.checkPushed.outputs.shouldBuild == 'true' }}
+        env:
+          GCP_PROJECT: palette-kairos
+          AZURE_RESOURCE_GROUP: "kairos-cloud-images"
+          AZURE_STORAGE_ACCOUNT: "kairoscloudimages"
+          AZURE_CONTAINER_NAME: "kairos-cloud-images"
+        with:
+          azcliversion: latest
+          inlineScript: |
+            latestTag=$(cat LATEST_TAG)
+            .github/public-cloud/upload-image-to-azure.sh $(ls *.vhd) "$latestTag"