ci: build magnum images (#1066)

Signed-off-by: Mohammed Naser <mnaser@vexxhost.com>
diff --git a/Dockerfile b/Dockerfile
index 1cf987f..9c8e06b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,14 @@
 FROM ubuntu:jammy-20240227 AS ubuntu
 LABEL org.opencontainers.image.source=https://github.com/vexxhost/atmosphere
 
+FROM ubuntu AS helm
+ARG TARGETOS
+ARG TARGETARCH
+ARG HELM_VERSION=3.14.0
+ADD https://get.helm.sh/helm-v${HELM_VERSION}-${TARGETOS}-${TARGETARCH}.tar.gz /helm.tar.gz
+RUN tar -xzf /helm.tar.gz
+RUN mv /${TARGETOS}-${TARGETARCH}/helm /usr/bin/helm
+
 FROM ubuntu AS ubuntu-cloud-archive
 ADD --chmod=644 https://git.launchpad.net/ubuntu/+source/ubuntu-keyring/plain/keyrings/ubuntu-cloud-keyring.gpg /etc/apt/trusted.gpg.d/ubuntu-cloud-keyring.gpg
 ARG RELEASE
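Review bot: The `ADD https://get.helm.sh/helm-v${HELM_VERSION}-${TARGETOS}-${TARGETARCH}.tar.gz` line in the new `helm` stage downloads a binary with no integrity check, and that binary is later copied into the magnum image, so pinning `HELM_VERSION` alone does not fix what gets shipped. BuildKit can enforce a digest with `ADD --checksum=sha256:<digest> …`. Since the archive differs per `TARGETARCH`, the digest has to be supplied per architecture, for example through an `ARG HELM_SHA256` set by the bake file; if the frontend in use does not expand build args in that flag, verify with `sha256sum -c` in the following `RUN` instead. The two `RUN` lines could also be one step that extracts only the `helm` member, which avoids unpacking the whole archive into `/`.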
@@ -123,3 +131,31 @@
 
 FROM openstack-runtime AS barbican
 COPY --from=barbican-build --link /var/lib/openstack /var/lib/openstack
+
+FROM alpine/git AS magnum-src
+ARG MAGNUM_GIT_REF
+ADD --keep-git-dir=true https://opendev.org/openstack/magnum.git#${MAGNUM_GIT_REF} /src
+RUN git -C /src fetch --unshallow
+ARG RELEASE
+COPY patches/${RELEASE}/magnum /patches
+RUN if [ -n "$(ls -A /patches/*.patch)" ]; then git -C /src apply --verbose /patches/*; fi
+
+FROM openstack-venv-builder AS magnum-build
+COPY --from=magnum-src --link /src /src/magnum
+RUN <<EOF bash -xe
+pip3 install \
+    --constraint /upper-constraints.txt \
+        /src/magnum \
+        magnum-cluster-api==0.16.0
+EOF
+
+FROM openstack-runtime AS magnum
+RUN <<EOF bash -xe
+apt-get update -qq
+apt-get install -qq -y --no-install-recommends \
+    haproxy
+apt-get clean
+rm -rf /var/lib/apt/lists/*
+EOF
+COPY --from=helm --link /usr/bin/helm /usr/local/bin/helm
+COPY --from=magnum-build --link /var/lib/openstack /var/lib/openstack
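Review bot: `FROM alpine/git AS magnum-src` has no tag or digest, so this third-party image resolves to whatever `latest` points at on build day, unlike the date-tagged `ubuntu:jammy-20240227` base at the top of the file. Pin it, e.g. `FROM alpine/git:<tag>@sha256:<digest> AS magnum-src`. `ARG MAGNUM_GIT_REF` also has no default, and an empty value would presumably make the `ADD` fetch the repository's default branch, so a `RUN test -n "${MAGNUM_GIT_REF}"` before the `ADD` would fail the build early instead. On the patch step the test globs `/patches/*.patch` while the apply uses `/patches/*`; using `git -C /src apply --verbose /patches/*.patch` keeps any other file dropped into that directory from being fed to `git apply`.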
diff --git a/docker-bake.hcl b/docker-bake.hcl
index ea8a9be..7237361 100644
--- a/docker-bake.hcl
+++ b/docker-bake.hcl
@@ -52,8 +52,47 @@
     }
 }
 
+target "magnum" {
+    name = "magnum-${release.tgt}"
+
+    context = "."
+    target = "magnum"
+
+    cache-from = cache_from("magnum:${release.name}")
+    cache-to = cache_to("magnum:${release.name}")
+
+    tags = [
+        "${REGISTRY}/magnum:${release.name}",
+        "${REGISTRY}/magnum:${release.ref}"
+    ]
+
+    matrix = {
+        release = [
+            {
+                tgt = "zed",
+                name = "zed",
+                ref = "0ee979099a01ae2c8b1b5d6757897a8993e4e34c"
+            },
+            {
+                tgt = "bobcat",
+                name = "2023.2",
+                ref = "5f921a72d22d7e96fb3584c4906a39de9a085a41"
+            }
+        ]
+    }
+
+    args = {
+        RELEASE = release.name
+        BRANCH = format("stable/%s", release.name)
+        PROJECT = "magnum"
+        MAGNUM_GIT_REF = release.ref
+    }
+}
+
+
 group "default" {
     targets = [
-        "barbican"
+        "barbican",
+        "magnum"
     ]
 }
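Review bot: The two `ref` values in the `release` matrix are bare commit hashes with nothing recording which upstream branch they came from, which makes a later bump hard to audit. A comment on each entry such as `# openstack/magnum stable/<branch> head, bump together with patches/<release>/magnum` would cover it. `BRANCH` and `PROJECT` are passed in `args`, but the magnum stages visible in the Dockerfile hunk only declare `MAGNUM_GIT_REF` and `RELEASE`, so it is worth confirming that a parent stage outside the hunk consumes them. The `${REGISTRY}/magnum:${release.name}` tag is mutable by design, so deployments should keep referencing the image by digest.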
diff --git a/patches/2023.2/magnum/.gitkeep b/patches/2023.2/magnum/.gitkeep
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/patches/2023.2/magnum/.gitkeep
diff --git a/patches/zed/magnum/0000-Fix-Trust-token-scope-for-drivers.patch b/patches/zed/magnum/0000-Fix-Trust-token-scope-for-drivers.patch
new file mode 100644
index 0000000..1a61a5c
--- /dev/null
+++ b/patches/zed/magnum/0000-Fix-Trust-token-scope-for-drivers.patch
@@ -0,0 +1,100 @@
+From 258fbb75be8a004d2ab092502f58508c95de6e84 Mon Sep 17 00:00:00 2001
+From: ricolin <rlin@vexxhost.com>
+Date: Fri, 21 Jul 2023 10:54:23 +0800
+Subject: [PATCH] Fix Trust token scope for drivers
+
+This fix driver token scope to make sure we use correct token
+scope from Trust.
+
+Change-Id: If5b31951959c7a141dc1cae5fefcabe4ebf438b3
+(cherry picked from commit eca79453c0097b0f63019821d3c2e9ecacebf784)
+---
+
+diff --git a/magnum/drivers/common/templates/kubernetes/fragments/make-cert-client.sh b/magnum/drivers/common/templates/kubernetes/fragments/make-cert-client.sh
+index 1e4cf14..e7debbc 100644
+--- a/magnum/drivers/common/templates/kubernetes/fragments/make-cert-client.sh
++++ b/magnum/drivers/common/templates/kubernetes/fragments/make-cert-client.sh
+@@ -62,6 +62,11 @@
+                     "password": "$TRUSTEE_PASSWORD"
+                 }
+             }
++        },
++        "scope": {
++            "OS-TRUST:trust": {
++                "id": "$TRUST_ID"
++            }
+         }
+     }
+ }
+diff --git a/magnum/drivers/common/templates/kubernetes/fragments/make-cert.sh b/magnum/drivers/common/templates/kubernetes/fragments/make-cert.sh
+index 84bf839..d28149b 100644
+--- a/magnum/drivers/common/templates/kubernetes/fragments/make-cert.sh
++++ b/magnum/drivers/common/templates/kubernetes/fragments/make-cert.sh
+@@ -98,6 +98,11 @@
+                     "password": "$TRUSTEE_PASSWORD"
+                 }
+             }
++        },
++        "scope": {
++            "OS-TRUST:trust": {
++                "id": "$TRUST_ID"
++            }
+         }
+     }
+ }
+diff --git a/magnum/drivers/common/templates/swarm/fragments/make-cert.py b/magnum/drivers/common/templates/swarm/fragments/make-cert.py
+index bd8cbd7..258ae6a 100644
+--- a/magnum/drivers/common/templates/swarm/fragments/make-cert.py
++++ b/magnum/drivers/common/templates/swarm/fragments/make-cert.py
+@@ -161,6 +161,11 @@
+                     "password": "%(trustee_password)s"
+                 }
+             }
++        },
++        "scope": {
++            "OS-TRUST:trust": {
++                "id": "$(trust_id)s"
++            }
+         }
+     }
+ }
+@@ -168,6 +173,7 @@
+     params = {
+         'trustee_user_id': config['TRUSTEE_USER_ID'],
+         'trustee_password': config['TRUSTEE_PASSWORD'],
++        'trust_id': config['TRUST_ID'],
+     }
+     creds = creds_str % params
+     headers = {'Content-Type': 'application/json'}
+diff --git a/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert-client.yaml b/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert-client.yaml
+index dc910bf..846f49b 100644
+--- a/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert-client.yaml
++++ b/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert-client.yaml
+@@ -73,6 +73,11 @@
+                           "password": "$TRUSTEE_PASSWORD"
+                       }
+                   }
++              },
++              "scope": {
++                  "OS-TRUST:trust": {
++                      "id": "$TRUST_ID"
++                  }
+               }
+           }
+       }
+diff --git a/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert.yaml b/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert.yaml
+index 8ef1128..d9191bd 100644
+--- a/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert.yaml
++++ b/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert.yaml
+@@ -104,6 +104,11 @@
+                           "password": "$TRUSTEE_PASSWORD"
+                       }
+                   }
++              },
++              "scope": {
++                  "OS-TRUST:trust": {
++                      "id": "$TRUST_ID"
++                  }
+               }
+           }
+       }
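Review bot: In the `swarm/fragments/make-cert.py` section of this vendored patch the added scope line is `"id": "$(trust_id)s"`, which uses `$` where the neighbouring `"%(trustee_password)s"` uses `%`. Because the template is filled with `creds_str % params`, the new `'trust_id'` entry is never substituted and the literal text `$(trust_id)s` is sent as the trust id. The token request from that fragment would then presumably fail or not be scoped to the intended trust, which defeats the purpose of the fix for the swarm driver. The line should read `"id": "%(trust_id)s"`. As this is a cherry-pick, the correction is best made upstream as well, so the carried patch does not diverge silently.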
diff --git a/roles/defaults/vars/main.yml b/roles/defaults/vars/main.yml
index da43a0d..dfb9d58 100644
--- a/roles/defaults/vars/main.yml
+++ b/roles/defaults/vars/main.yml
@@ -101,10 +101,10 @@
   local_path_provisioner: docker.io/rancher/local-path-provisioner:v0.0.24@sha256:b7dea5221f06f6feed7788db0ad6b024a433c8f55533bd6cc792dc2079ff9ad2
   loki_gateway: docker.io/nginxinc/nginx-unprivileged:1.19-alpine@sha256:bbd46452aae30a7cc7bc438f267af812c7a2b0f3b5bcd4cc55eb99669cea3f28
   loki: docker.io/grafana/loki:2.7.3@sha256:8e3abbd89173066721fa07bddfee1c1a7a8fe59bed5b00a2fa09d2b3cef8758c
-  magnum_api: ghcr.io/vexxhost/atmosphere/magnum:2023.2@sha256:14fd0e901f2ebae19d03638f91ac0a11267a1c9a1b5ad1b8f80147d3f6066a29
-  magnum_cluster_api_proxy: ghcr.io/vexxhost/atmosphere/magnum:2023.2@sha256:14fd0e901f2ebae19d03638f91ac0a11267a1c9a1b5ad1b8f80147d3f6066a29
-  magnum_conductor: ghcr.io/vexxhost/atmosphere/magnum:2023.2@sha256:14fd0e901f2ebae19d03638f91ac0a11267a1c9a1b5ad1b8f80147d3f6066a29
-  magnum_db_sync: ghcr.io/vexxhost/atmosphere/magnum:2023.2@sha256:14fd0e901f2ebae19d03638f91ac0a11267a1c9a1b5ad1b8f80147d3f6066a29
+  magnum_api: registry.atmosphere.dev/library/magnum:2023.2@sha256:5cc8854c18d5590238f9bfa28b8a4c9a07e0b1c9e69e9a9874fe78fef58454ff
+  magnum_cluster_api_proxy: registry.atmosphere.dev/library/magnum:2023.2@sha256:5cc8854c18d5590238f9bfa28b8a4c9a07e0b1c9e69e9a9874fe78fef58454ff
+  magnum_conductor: registry.atmosphere.dev/library/magnum:2023.2@sha256:5cc8854c18d5590238f9bfa28b8a4c9a07e0b1c9e69e9a9874fe78fef58454ff
+  magnum_db_sync: registry.atmosphere.dev/library/magnum:2023.2@sha256:5cc8854c18d5590238f9bfa28b8a4c9a07e0b1c9e69e9a9874fe78fef58454ff
   magnum_registry: quay.io/vexxhost/magnum-cluster-api-registry:latest@sha256:caba380e193264f047651728cbc7905e87d7eee846d8576778b5e7d824ec609d
   manila_api: ghcr.io/vexxhost/atmosphere/manila:2023.2@sha256:c14e65aca5d474fede5be312ce8bdb2d8bedb9841ac138f53bad5882f3f0f31c
   manila_data: ghcr.io/vexxhost/atmosphere/manila:2023.2@sha256:c14e65aca5d474fede5be312ce8bdb2d8bedb9841ac138f53bad5882f3f0f31c