x86-TF-03 and 04: add fvp ECR sync script to cron

Previously the fvp images for LAVA were synced to
the jenkins main node to run FVP jobs, and this was
handled by a cron job on the server.

Since we moved the workers to x86-TF-03 and 04, we
need to implement the sync script to login into the
private ECR and 'docker pull' the latest images.

Change-Id: I0fe5304e62608188223eb966f5272e7f67fe78a9
Signed-off-by: Kelley Spoon <kelley.spoon@linaro.org>
Reviewed-on: https://review.linaro.org/c/infrastructure/ansible-playbooks/+/43571

5 files changed, 55 insertions, 0 deletions

diff --git a/jenkins.yml b/jenkins.yml
index 2d9a8fdf..c766a032 100644
--- a/jenkins.yml
+++ b/jenkins.yml
@@ -79,6 +79,7 @@
   become: yes
   vars_files:
     - ["{{secrets_dir}}/group_vars/all", "vars/empty.yml" ]
+    - ["{{secrets_dir}}/host_vars/{{inventory_hostname}}", "vars/empty.yml"]
   roles:
   - {role: jenkins-slave-deps, tags: [jenkins]}
   - {role: nfs-client, tags: [nfs],
diff --git a/roles/jenkins-slave-deps/tasks/main.yml b/roles/jenkins-slave-deps/tasks/main.yml
index 33b4d70f..678d4afa 100644
--- a/roles/jenkins-slave-deps/tasks/main.yml
+++ b/roles/jenkins-slave-deps/tasks/main.yml
@@ -137,3 +137,39 @@
     owner: 1000
     group: 1000
     state: directory
+
+- name: Ensure ECR update directory exists
+  file:
+    path: /root/aws
+    owner: root
+    group: root
+    mode: 0700
+    state: directory
+  when: ansible_hostname == 'x86-TF-03' or ansible_hostname == 'x86-TF-04'
+
+- name: Install FVP sync cron job
+  template:
+    src: update_ecr_images.sh
+    dest: /root/aws/update_ecr_images.sh
+    owner: root
+    group: root
+    mode: 0700
+  when: ansible_hostname == 'x86-TF-03' or ansible_hostname == 'x86-TF-04'
+
+- name: Install AWS credentials for ECR
+  template:
+    src: credentials.sh
+    dest: /root/aws/credentials.sh
+    owner: root
+    group: root
+    mode: 0600
+  when: ansible_hostname == 'x86-TF-03' or ansible_hostname == 'x86-TF-04'
+
+- name: Install AWS credentials for ECR
+  template:
+    src: ecr-sync.crontab
+    dest: /etc/cron.d/ecr-sync
+    owner: root
+    group: root
+    mode: 0755
+  when: ansible_hostname == 'x86-TF-03' or ansible_hostname == 'x86-TF-04'
diff --git a/roles/jenkins-slave-deps/templates/credentials.sh b/roles/jenkins-slave-deps/templates/credentials.sh
new file mode 100644
index 00000000..f8e1729d
--- /dev/null
+++ b/roles/jenkins-slave-deps/templates/credentials.sh
@@ -0,0 +1,3 @@
+export AWS_ACCESS_KEY_ID={{ aws_access_key_id }}
+export AWS_SECRET_ACCESS_KEY={{ aws_secret_access_key }}
+export AWS_REGION=us-east-1
diff --git a/roles/jenkins-slave-deps/templates/ecr-sync.crontab b/roles/jenkins-slave-deps/templates/ecr-sync.crontab
new file mode 100644
index 00000000..a877b099
--- /dev/null
+++ b/roles/jenkins-slave-deps/templates/ecr-sync.crontab
@@ -0,0 +1,4 @@
+# Update the FVP images from the ECR every 30 minutes by doing
+# a docker pull.
+
+*/30 * * * * root /root/aws/update_ecr_images.sh fvp >> /var/log/ecr-sync.log
diff --git a/roles/jenkins-slave-deps/templates/update_ecr_images.sh b/roles/jenkins-slave-deps/templates/update_ecr_images.sh
new file mode 100755
index 00000000..4ce15f0e
--- /dev/null
+++ b/roles/jenkins-slave-deps/templates/update_ecr_images.sh
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+. /root/aws/credentials.sh
+
+ECR=987685672616.dkr.ecr.us-east-1.amazonaws.com
+REPO=${1:-fvp}
+
+aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin $ECR
+
+
+for i in $(aws ecr list-images --repository-name $REPO --filter tagStatus=TAGGED --query 'imageIds[*].imageTag' --output text);do docker pull $ECR/$REPO:$i; done