pipeline: upload builds to S3

[jlebon]

This is a first step towards switching to S3. We still rsync to the
artifact server, but we also upload new builds to S3. Once we confirm
this works nicely, we can switch over to using buildprep and
completely wean off the artifact server.

---

Requires: coreos/coreos-assembler#527

I tested this from my local cluster and it works, though I'm also working on #57 to make it easier to test changes like these.

[dustymabe]

any preference on just using ENV vars here instead of a config file there?

[jlebon]

Heh, I explicitly chose to move away from env vars actually to raise the barrier a bit more on how easily credentials could leak e.g. into logs.

[cgwalters]

Side note, for AWS it's best to use https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html if you can.

[dustymabe]

Heh, I explicitly chose to move away from env vars actually to raise the barrier a bit more on how easily credentials could leak e.g. into logs.

yeah. i've just always done it the other way so I have a slight preference. We can stick with this.

[jlebon]

Side note, for AWS it's best to use https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html if you can.

Hmm neat, hadn't seen this before. I don't want to address this right now in this patch, but I don't want to lose track of it either, so filed #63.

[jlebon]

OK, this is updated and tested now!

You can use #62 to test this:

$ ./devel-up --pipeline https://github.com/jlebon/fedora-coreos-pipeline@pr/devel-pipeline
Parameters:
  DEVEL_PREFIX=jlebon-
  PIPELINE_REPO_URL=https://github.com/jlebon/fedora-coreos-pipeline
  PIPELINE_REPO_REF=pr/devel-pipeline
imagestream "jlebon-coreos-assembler" configured
buildconfig "jlebon-fedora-coreos-pipeline" configured

You may start your dev pipeline with:
  oc start-build jlebon-fedora-coreos-pipeline
$ oc start-build jlebon-fedora-coreos-pipeline
...

Wait for build to finish. Then e.g.:

$ aws s3 ls fcos-builds/devel/streams/jlebon/30.237/
2019-05-31 15:03:44      31874 commitmeta.json
2019-05-31 15:03:43        486 coreos-assembler-config-git.json
2019-05-31 15:03:42      11601 coreos-assembler-config.tar.gz
2019-05-31 15:03:09   57889466 fedora-coreos-30.237-installer-initramfs.img
2019-05-31 15:03:08    8863944 fedora-coreos-30.237-installer-kernel
2019-05-31 15:03:02   76756992 fedora-coreos-30.237-installer.iso
2019-05-31 15:01:49  613107738 fedora-coreos-30.237-metal-bios.raw.gz
2019-05-31 15:01:58  612779524 fedora-coreos-30.237-metal-uefi.raw.gz
2019-05-31 15:03:13  612640074 fedora-coreos-30.237-openstack.qcow2.gz
2019-05-31 15:01:38  612645539 fedora-coreos-30.237-qemu.qcow2.gz
2019-05-31 15:03:22  626155520 fedora-coreos-30.237-vmware.ova
2019-05-31 15:03:43      68387 install.log
2019-05-31 15:03:54      10255 meta.json
2019-05-31 15:03:44      14604 ostree-commit-object
2019-05-31 15:03:45  557957120 ostree-commit.tar

One obvious thing here is that we're re-using the same workdir as prod, though that's not an urgent issue right now since (1) Jenkins won't run them concurrently and (2) we always rsync in the prod data from the artifact server.

Still, once we move away from the artifact server (which we should be able to do as soon as this code runs once), I'll clean that up.

[jlebon]

Still, once we move away from the artifact server (which we should be able to do as soon as this code runs once), I'll clean that up.

This is fixed in #62 now.

[dustymabe]

gave this a quick review - had one comment. will try out with devel pipelines next.

[dustymabe]

Assuming this PR is updated with all the content from #62 this LGTM