Fix demo bundle deployment

.github/workflows/offline.yml

@@ -32,6 +32,25 @@ jobs:
           echo ::set-output name=UPLOAD_NAME::$GITHUB_SHA
           # echo ::set-output name=UPLOAD_NAME::${SOURCE_TAG:-$GITHUB_SHA}
 
+      # demo profile build
+      - name: Process the demo profile build
+        run: ./offline/demo-build/build.sh
+        env:
+          GPG_PRIVATE_KEY: '${{ secrets.GPG_PRIVATE_KEY }}'
+          DOCKER_LOGIN: '${{ secrets.DOCKER_LOGIN }}'
+
+      - name: Copy demo build assets tarball to S3 and clean up
+        run: |
+          # Upload tarball for each profile by specifying their OUTPUT_TAR path
+          aws s3 cp offline/demo-build/output/assets.tgz s3://public.wire.com/artifacts/wire-server-deploy-static-demo-${{ steps.upload_name.outputs.UPLOAD_NAME }}.tgz
+          echo "Uploaded to: https://s3-$AWS_REGION.amazonaws.com/public.wire.com/artifacts/wire-server-deploy-static-demo-${{ steps.upload_name.outputs.UPLOAD_NAME }}.tgz"
+          # remove the assets from the build to optimize the space on the server
+          rm -rf offline/demo-build/output/*
+        env:
+          AWS_ACCESS_KEY_ID: '${{ secrets.AWS_ACCESS_KEY_ID }}'
+          AWS_SECRET_ACCESS_KEY: '${{ secrets.AWS_SECRET_ACCESS_KEY }}'
+          AWS_REGION: "eu-west-1"
+
       # min profile build
       - name: Process the min profile build
         run: ./offline/min-build/build.sh
@@ -63,27 +82,6 @@ jobs:
           # Upload tarball for each profile by specifying their OUTPUT_TAR path
           aws s3 cp offline/default-build/output/assets.tgz s3://public.wire.com/artifacts/wire-server-deploy-static-${{ steps.upload_name.outputs.UPLOAD_NAME }}.tgz
           echo "Uploaded to: https://s3-$AWS_REGION.amazonaws.com/public.wire.com/artifacts/wire-server-deploy-static-${{ steps.upload_name.outputs.UPLOAD_NAME }}.tgz"
-          # remove the archives from the build to optimize the space on the server
-          rm offline/default-build/output/containers-helm.tar
-        env:
-          AWS_ACCESS_KEY_ID: '${{ secrets.AWS_ACCESS_KEY_ID }}'
-          AWS_SECRET_ACCESS_KEY: '${{ secrets.AWS_SECRET_ACCESS_KEY }}'
-          AWS_REGION: "eu-west-1"
-
-      # demo profile build
-      - name: Process the demo profile build
-        run: ./offline/demo-build/build.sh
-        env:
-          GPG_PRIVATE_KEY: '${{ secrets.GPG_PRIVATE_KEY }}'
-          DOCKER_LOGIN: '${{ secrets.DOCKER_LOGIN }}'
-
-      - name: Copy demo build assets tarball to S3 and clean up
-        run: |
-          # Upload tarball for each profile by specifying their OUTPUT_TAR path
-          aws s3 cp offline/demo-build/output/assets.tgz s3://public.wire.com/artifacts/wire-server-deploy-static-demo-${{ steps.upload_name.outputs.UPLOAD_NAME }}.tgz
-          echo "Uploaded to: https://s3-$AWS_REGION.amazonaws.com/public.wire.com/artifacts/wire-server-deploy-static-demo-${{ steps.upload_name.outputs.UPLOAD_NAME }}.tgz"
-          # remove the assets from the build to optimize the space on the server
-          rm -rf offline/demo-build/output/*
           # removing everything except assets.tgz as it is not required anymore in the further builds
           find offline/default-build/output/ -mindepth 1 -maxdepth 1 ! -name 'assets.tgz' -exec rm -r {} +
         env:
@@ -117,4 +115,3 @@ jobs:
         run: (cd terraform/examples/wire-server-deploy-offline-hetzner ; terraform init && terraform destroy -auto-approve)
         env:
           HCLOUD_TOKEN: '${{ secrets.HCLOUD_TOKEN }}'
-

ansible/inventory/demo/host.yml

@@ -0,0 +1,65 @@
+wiab:
+  hosts:
+    deploy_node:
+      ansible_host: example.com
+      ansible_ssh_common_args: '-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null'
+      ansible_user: 'ubuntu'
+      ansible_ssh_private_key_file: "~/.ssh/wiab-demo.pem"
+
+  vars:
+    # requirements
+    # ubuntu 24.04
+    # amd64 architecture
+    # Following ports to be available on it from stack-it guide
+
+    # it should have all dns records configured as per DNS requirements
+    # https://docs.wire.com/latest/how-to/install/includes/helm_dns-ingress-troubleshooting.inc.html 
+    target_domain: "example.com"
+
+    # define this variable in case, deploying it in a private network
+    # specify the external (Gateway) IP of the network where the deploy_node is present
+    # by default, public ip address attached to the node will be used, if accessible over test_port in verify_wire_ip playbook
+    wire_ip: ""
+
+    # artifact_hash
+    artifact_hash: "83c373394ff86ec4c96e110e327fc46b617c22ff"
+
+    # docker vars
+    docker_ce_version: "5:28.1.1-1~ubuntu.24.04~noble"
+    containerd_version: "1.7.27-1"
+
+    # minikube vars
+    minikube_profile: "k8s-wire" 
+    minikube_version: "v1.35.0"
+    kubernetes_version: "v1.28.2"
+    container_runtime: "containerd"
+    minikube_nodes: 1
+    minikube_cpus: 15
+    minikube_memory: "16384"
+    minikube_disk_size: "200g"
+    minikube_network_name: "minikube-wire-network"
+    pod_network_cidr: "10.233.0.0/16"
+    minikube_node_subnet: "192.168.99.0/24"
+
+    # networking iptables dnat rules
+    http_dnat_rules:
+      - { protocol: "tcp", port: 443, to_port: 31773 }
+      - { protocol: "tcp", port: 80,  to_port: 31772 }
+    turn_dnat_rules:
+      - { protocol: "tcp", port: 3478,  to_port: 3478 }
+      - { protocol: "udp", port: 3478,  to_port: 3478 }
+
+    # list of helm charts to deploy
+    charts_to_deploy:
+      - fake-aws
+      - demo-smtp
+      - rabbitmq
+      - databases-ephemeral
+      - reaper
+      - wire-server
+      - webapp
+      - account-pages
+      - team-settings
+      - smallstep-accomp
+      - ingress-nginx-controller
+      - nginx-ingress-services

ansible/inventory/offline/group_vars/demo/offline.yml

@@ -0,0 +1,28 @@
+# The assethost will host assets other machines will download
+# this will be passed post adding the assethost node in the playbook
+# assethost_host: "{{ hostvars['assethost'].ansible_host }}:8080"
+# When set to true; will set up all the repos below before continuing
+# to bootstrap; such that no network access is needed
+offline: true
+
+# This is used nowhere inside kubespray, only inside this file
+# and our own playbooks
+ubuntu_repos: "http://{{ assethost_host }}/debs-{{ ansible_distribution_release }}/public"
+ubuntu_repo_base_url: "{{ ubuntu_repos }}"
+ubuntu_repo_gpgkey: "{{ ubuntu_repos }}/gpg"
+
+docker_ubuntu_repo_base_url: "{{ ubuntu_repos }}"
+docker_ubuntu_repo_gpgkey: "{{ ubuntu_repos }}/gpg"
+# docker_ubuntu_repo_repokey: "9DC858229FC7DD38854AE2D88D81803C0EBFCD88"
+
+binaries_url: "http://{{ assethost_host }}/binaries"
+
+kubeconfig_localhost: true
+#resolvconf_mode: none
+
+# This defaults to true if http://169.254.169.254/latest/meta-data exists; which
+# is also available in non-AWS. e.g. in Hetzner. Lets not let this autodetect in offline
+is_aws_environment: False
+
+# IP address for the logging (for example QRadar) server
+syslog_target_ip: 12.34.56.78

ansible/seed-offline-containerd.yml

@@ -1,3 +1,16 @@
+- name: Fix containerd socker permission
+  hosts: k8s-cluster
+  tasks:
+    # useful for minikube setup as docker user doesn't have permissions to access to the socket
+    - name: Ensure containerd socket has correct permissions for docker user
+      file:
+        path: /run/containerd/containerd.sock
+        owner: root
+        group: docker
+        mode: '0660'
+      become: yes
+      when: docker_permission_fix | default(false) == true
+
 - name: Seed system containers
   # Add etcd group here if you are deploying separate worker and master clusters
   hosts: k8s-cluster
@@ -8,6 +21,19 @@
         for container in $(curl -q {{ assethost_host }}/containers-system/index.txt);do
           curl -q "{{ assethost_host }}/containers-system/$container" | ctr -n=k8s.io images import -
         done
+      register: load_containers
+      async: 3600
+      poll: 0
+      when: skip_seed_system_containers | default(false) == false
+
+    - name: Waiting on async task load_containers
+      async_status:
+        jid: "{{ load_containers.ansible_job_id }}"
+      register: res
+      until: res.finished
+      retries: 60
+      delay: 60
+      when: skip_seed_system_containers | default(false) == false
 
 - name: Download helm containers
   hosts: k8s-cluster
@@ -19,7 +45,17 @@
           curl -q "{{ assethost_host }}/containers-helm/$container" | ctr -n=k8s.io images import -
         done
 
+      register: load_helm_containers
+      async: 3600
+      poll: 0
 
+    - name: Waiting on async task load_helm_containers
+      async_status:
+        jid: "{{ load_helm_containers.ansible_job_id }}"
+      register: res
+      until: res.finished
+      retries: 60
+      delay: 60
 ################################### Hack to tag the ingress-nginx container images ###############
 #- name: Load ingress-controller containers
 #  hosts: k8s-cluster

ansible/setup-offline-sources.yml

@@ -1,59 +1,83 @@
 - name: Copy over binaries, debs and container images to the asset host and host them
   hosts: assethost
+  become: yes
+  vars:
+    src_path: ".."  # Default value for src_path
+    remote_src: no
   tasks:
     - file:
         path: /opt/assets
         state: directory
+
     - name: Copy debs jammy
       unarchive:
-        src: ../debs-jammy.tar
+        src: "{{ src_path }}/debs-jammy.tar"
         dest: /opt/assets
+        remote_src: "{{ remote_src }}"
       tags:
         - debs
+      when: demo_deploy | default(false) == false
+
     - name: Copy binaries
       unarchive:
-        src: ../binaries.tar
+        src: "{{ src_path }}/binaries.tar"
         dest: /opt/assets
+        remote_src: "{{ remote_src }}"
       tags:
         - binaries
+      when: demo_deploy | default(false) == false
+
     - name: Copy system containers
       unarchive:
-        src: ../containers-system.tar
+        src: "{{ src_path }}/containers-system.tar"
         dest: /opt/assets
+        remote_src: "{{ remote_src }}"
       tags:
         - containers-system
         - containers
+      when: demo_deploy | default(false) == false
+
+    # this task needs to run everytime, we assume it a basic requirement in all types of deployment
     - name: Copy helm containers
       unarchive:
-        src: ../containers-helm.tar
+        src: "{{ src_path }}/containers-helm.tar"
         dest: /opt/assets
+        remote_src: "{{ remote_src }}"
       tags:
         - containers-helm
         - containers
-    - copy:
-        src: files/serve-assets.service
-        dest: /etc/systemd/system/serve-assets.service
-    - systemd:
-        name: serve-assets
-        state: restarted
-        enabled: yes
-        daemon-reload: yes
+
+    - name: setup serve-assets
+      block:
+      - name: Copy serve-assets.service file
+        copy:
+          src: files/serve-assets.service
+          dest: /etc/systemd/system/serve-assets.service
+      - name: Running serve-assets systemd service
+        systemd:
+          name: serve-assets
+          state: restarted
+          enabled: yes
+          daemon-reload: yes
 
 - name: Set up offline repositories and remove online ones
+  become: yes
   hosts: k8s-cluster:etcd:cassandra:elasticsearch:minio:rmq-cluster
   tasks:
-    - name: Bail if GPG is not installed or installable.
-      apt:
-        name: gpg
-        state: present
-    - name: Remove /etc/apt/sources.list to remove all online debian package repos
-      file:
-        path: /etc/apt/sources.list
-        state: absent
-    - name: Remove /etc/apt/sources.list.d/ to remove all online debian package repos
-      file:
-        path: /etc/apt/sources.list.d/
-        state: absent
+  - when: demo_deploy | default(false) == false
+    block:
+      - name: Bail if GPG is not installed or installable.
+        apt:
+          name: gpg
+          state: present
+      - name: Remove /etc/apt/sources.list to remove all online debian package repos
+        file:
+          path: /etc/apt/sources.list
+          state: absent
+      - name: Remove /etc/apt/sources.list.d/ to remove all online debian package repos
+        file:
+          path: /etc/apt/sources.list.d/
+          state: absent
 
 #######################################################################
 # If your offline repo's debian key has expired, uncomment this block.
@@ -75,16 +99,15 @@
 #############################
 # Otherwise, trust the repo.
 #############################
-    - name: Register offline repo key
-      apt_key:
-        url: "{{ ubuntu_repo_gpgkey }}"
-        state: present
-
-    - name: Register offline repo
-      apt_repository:
-        repo: "deb {{ ubuntu_repo_base_url }} {{ ansible_distribution_release }} main"
-        state: present
-    - name: Apt update
-      apt:
-        update_cache: yes
+      - name: Register offline repo key
+        apt_key:
+          url: "{{ ubuntu_repo_gpgkey }}"
+          state: present
 
+      - name: Register offline repo
+        apt_repository:
+          repo: "deb {{ ubuntu_repo_base_url }} {{ ansible_distribution_release }} main"
+          state: present
+      - name: Apt update
+        apt:
+          update_cache: yes