Use alternative registry #566

Merged
merged 20 commits into from
Oct 22, 2023
10 changes: 6 additions & 4 deletions Dockerfile
@@ -1,13 +1,15 @@
# Container image including olm-utils
# ARG CPD_OLM_UTILS_IMAGE
ARG CPD_OLM_UTILS_V1_IMAGE
ARG CPD_OLM_UTILS_V2_IMAGE

FROM registry.access.redhat.com/ubi8/ubi
# FROM ${CPD_OLM_UTILS_IMAGE}

FROM icr.io/cpopen/cpd/olm-utils:latest as olm-utils-v1
FROM ${CPD_OLM_UTILS_V1_IMAGE} as olm-utils-v1

RUN cd /opt/ansible && \
tar czf /tmp/opt-ansible-v1.tar.gz *

FROM icr.io/cpopen/cpd/olm-utils-v2:latest
FROM ${CPD_OLM_UTILS_V2_IMAGE}

LABEL authors="Arthur Laimbock, \
Markus Wiegleb, \
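Review bot: The `FROM ${CPD_OLM_UTILS_V1_IMAGE}` and `FROM ${CPD_OLM_UTILS_V2_IMAGE}` lines take their image reference entirely from build arguments that have no default, so a build that omits either `--build-arg` fails on an empty `FROM`, and whatever reference the caller passes becomes the content of the deployer image. Give each `ARG` a default, e.g. `ARG CPD_OLM_UTILS_V1_IMAGE=icr.io/cpopen/cpd/olm-utils:latest`, so existing builds keep working. A comment above the `ARG` lines should say that an alternative registry image is best referenced by digest rather than a mutable tag, so the base of the image stays reproducible and auditable. The commented-out `# ARG CPD_OLM_UTILS_IMAGE` and `# FROM ${CPD_OLM_UTILS_IMAGE}` lines look like leftovers and can be dropped; the section is cut off inside the `LABEL` instruction.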
1 change: 1 addition & 0 deletions automation-generators/generic/cp_alt_repo/main.yaml
@@ -0,0 +1 @@
---
31 changes: 31 additions & 0 deletions automation-generators/generic/cp_alt_repo/preprocessor.py
@@ -0,0 +1,31 @@
from generatorPreProcessor import GeneratorPreProcessor
import sys, os
import re


def str_to_bool(s):
if s == None:
return False
else:
return s.lower() in ['true','yes','1']

def preprocessor(attributes=None, fullConfig=None, moduleVariables=None):
global g
g = GeneratorPreProcessor(attributes,fullConfig,moduleVariables)

g('repo').isRequired()
g('registry_pull_secrets').isRequired()
g('registry_mirrors').isRequired()

# Now that we have reached this point, we can check the attribute details if the previous checks passed
if len(g.getErrors()) == 0:
g('repo.token_secret').isRequired()
g('repo.cp_path').isRequired()
g('repo.fs_path').isRequired()
g('repo.opencontent_path').isRequired()

result = {
'attributes_updated': g.getExpandedAttributes(),
'errors': g.getErrors()
}
return result
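Review bot: `preprocessor()` checks only that `repo.cp_path`, `repo.fs_path` and `repo.opencontent_path` are present, not that each is a well-formed `https://` URL with a hostname. The generate-case-resolvers tasks in this same change rebuild every URL from `urlsplit('hostname')` plus `urlsplit('path')`, and the templates place the repository token in front of the result, so as far as these lines show a value without a scheme or with a mistyped host yields a malformed or unintended credential-bearing URL with no error at this stage. Parsing each path here and recording an error when the scheme or hostname is missing would fail early, before any token is rendered. Separately, `str_to_bool` and the `sys`, `os` and `re` imports are unused in the lines shown, and `if s == None:` is conventionally written `if s is None:`.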
@@ -0,0 +1,12 @@
---
- name: Delete case resolvers
file:
path: "{{ item }}"
state: absent
loop:
- "{{ status_dir }}/cloud-paks/play_env.sh"
- "{{ status_dir }}/cloud-paks/resolvers.yaml"
- "{{ status_dir }}/cloud-paks/resolvers_auth.yaml"
- /tmp/work//play_env.sh
- /tmp/work//resolvers.yaml
- /tmp/work//resolvers_auth.yaml
@@ -0,0 +1,51 @@
---
- set_fact:
_cp_alt_repo: "{{ all_config.cp_alt_repo }}"

- name: Get CASE repository token from vault secret {{ _cp_alt_repo.case_repo_token_secret }}
include_role:
name: vault-get-secret
vars:
secret_name: "{{ _cp_alt_repo.repo.token_secret }}"
secret_group: "{{ environment_name }}"
_p_secret_variable: _case_repo_token

- fail:
msg: "Secret {{ _cp_alt_repo.repo.token_secret }} not found in vault; it must contain the alternative Git repository's login token"
when: _case_repo_token==""

- name: Strip off https from the repository URLs
set_fact:
_case_repo_path_cp: "{{ (_cp_alt_repo.repo.cp_path | urlsplit('hostname')) + (_cp_alt_repo.repo.cp_path | urlsplit('path')) }}"
_case_repo_path_fs: "{{ (_cp_alt_repo.repo.fs_path | urlsplit('hostname')) + (_cp_alt_repo.repo.fs_path | urlsplit('path')) }}"
_case_repo_path_opencontent: "{{ (_cp_alt_repo.repo.opencontent_path | urlsplit('hostname')) + (_cp_alt_repo.repo.opencontent_path | urlsplit('path')) }}"

- name: Ensure {{ status_dir }}/cloud-paks exists
file:
path: "{{ status_dir }}/cloud-paks"
state: directory

- name: Generate play_env.sh
template:
src: play_env.j2
dest: "{{ status_dir }}/cloud-paks/play_env.sh"

- name: Generate resolvers.yaml
template:
src: resolvers.j2
dest: "{{ status_dir }}/cloud-paks/resolvers.yaml"

- name: Generate resolvers_auth.yaml
template:
src: resolvers_auth.j2
dest: "{{ status_dir }}/cloud-paks/resolvers_auth.yaml"

- name: Copy casectl files to /tmp/work
copy:
src: "{{ item }}"
dest: /tmp/work/
remote_src: true
loop:
- "{{ status_dir }}/cloud-paks/play_env.sh"
- "{{ status_dir }}/cloud-paks/resolvers.yaml"
- "{{ status_dir }}/cloud-paks/resolvers_auth.yaml"
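Review bot: The `template` tasks for `play_env.sh` and `resolvers_auth.yaml` and the `copy` into `/tmp/work/` write the repository token to disk without a `mode`, so the files get whatever the process umask allows; add `mode: "0600"` to those tasks (and a restrictive mode on the `cloud-paks` directory task). Setting `no_log: true` on them keeps a `--diff` or verbose run from printing the rendered token. The first task's name refers to `_cp_alt_repo.case_repo_token_secret`, while the lookup beneath it uses `_cp_alt_repo.repo.token_secret`; the name should use the same key so the log shows the secret that was actually read. The bare `set_fact` and `fail` tasks would also read better with a `name:`.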
@@ -0,0 +1,5 @@
---
- include_tasks: delete-case-resolvers.yml

- include_tasks: generate-case-resolvers.yml
when: (all_config.cp_alt_repo | default({})) != {}
@@ -0,0 +1,13 @@
export CASECTL_RESOLVERS_LOCATION=/tmp/work/resolvers.yaml
export CASECTL_RESOLVERS_AUTH_LOCATION=/tmp/work/resolvers_auth.yaml
export CASE_TOLERATION='--skip-verify'
export GITHUB_TOKEN={{ _case_repo_token }}

# Repository path for Cloud Pak
export CASE_REPO_PATH=https://{{ _case_repo_token }}@{{ _case_repo_path_cp }}

# Repository path for Foundational Services
export CPFS_CASE_REPO_PATH=https://{{ _case_repo_token }}@{{ _case_repo_path_fs }}

# Repository path for open content
export OPENCONTENT_CASE_REPO_PATH=https://{{ _case_repo_token }}@{{ _case_repo_path_opencontent }}
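Review bot: `export CASE_TOLERATION='--skip-verify'` is set unconditionally for every alternative-repository install; it appears to switch off verification of the downloaded CASE packages, which is the check that matters most when content comes from a non-default source. Make it a configuration option that defaults to verification enabled, with a comment saying when skipping is acceptable. The token is also written unquoted into `export GITHUB_TOKEN=...`; `export GITHUB_TOKEN={{ _case_repo_token | quote }}` keeps shell metacharacters in the token from altering the script. The three `https://<token>@<host>` URLs tend to surface in process listings and tool logs, so relying on `GITHUB_TOKEN` or the resolvers auth file alone would be preferable if the tooling accepts that.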
@@ -0,0 +1,18 @@
resolvers:
metadata:
description: resolver file to map cases and registries. Used to get dependency cases
resources:
cases:
repositories:
DevGitHub:
repositoryInfo:
url: "https://{{ _case_repo_path_cp }}"
cloudPakCertRepo:
repositoryInfo:
url: "https://{{ _case_repo_path_fs }}"
caseRepositoryMap:
- cases:
- case: "*"
version: "*"
repositories:
- cloudPakCertRepo
@@ -0,0 +1,23 @@
resolversAuth:
metadata:
description: This is the INTERNAL authorization file for downloading CASE packages from an internal repo
resources:
cases:
repositories:
DevGitHub:
credentials:
basic:
username: [email protected]
password: {{ _case_repo_token }}
cloudPakCertRepo:
credentials:
basic:
username: [email protected]
password: {{ _case_repo_token }}
containerImages:
registries:
entitledStage:
credentials:
basic:
username: not-used
password: not-used
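Review bot: `password: {{ _case_repo_token }}` is rendered as a plain YAML scalar in both credential entries, so a token that is empty, all digits, or begins with a YAML indicator character is parsed as something other than the intended string. Quote it, `password: "{{ _case_repo_token }}"`, the way the `url:` values in resolvers.j2 are already quoted. A short comment at the top stating that the rendered file holds a live credential and must stay owner-readable would help whoever maintains the tasks that write and copy it.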
@@ -0,0 +1,8 @@
---
- name: Create ImageContentSourcePolicy for alternative registries into {{ status_dir }}/openshift/cloud-pak-icsp.yaml
template:
src: cloud-pak-icsp-alt.j2
dest: "{{ status_dir }}/openshift/cloud-pak-icsp.yaml"

- name: Create ImageContentSourcePolicy {{ icsp_name }}
shell: "oc apply -f {{ status_dir }}/openshift/cloud-pak-icsp.yaml"
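Review bot: The second task runs `oc apply` through `shell` with `{{ status_dir }}` interpolated unquoted, so a status directory containing spaces or shell metacharacters changes the command that is executed. No shell features are used here, so `command: oc apply -f "{{ status_dir }}/openshift/cloud-pak-icsp.yaml"` is the safer form. The task name uses `{{ icsp_name }}`, which is not set anywhere in the lines shown; a one-line comment naming where it is defined would help.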
@@ -1,5 +1,5 @@
---
- name: Create ImageContentSourcePolicy yaml
- name: Create ImageContentSourcePolicy for private registry
template:
src: cloud-pak-icsp.j2
dest: "{{ status_dir }}/openshift/cloud-pak-icsp.yaml"
16 changes: 12 additions & 4 deletions automation-roles/50-install-cloud-pak/cp-ocp-icsp/tasks/main.yml
@@ -1,8 +1,16 @@
---
- name: Create ImageContentSourcePolicy
include_tasks: create-icsp.yml
when: _mco_exists
- include_tasks: create-icsp.yml
when:
- _mco_exists
- (all_config.cp_alt_repo | default({})) == {}

- include_tasks: create-icsp-alt.yml
when:
- _mco_exists
- (all_config.cp_alt_repo | default({})) != {}

- name: Apply ImageContentSourcePolicy settings if the Machine Config Operator does not exist
include_tasks: non-mco-apply-icsp.yml
when: not _mco_exists
when:
- not _mco_exists
- (all_config.cp_alt_repo | default({})) == {}
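Review bot: With `cp_alt_repo` configured and `_mco_exists` false, none of the three includes runs, because the non-MCO branch now also requires `(all_config.cp_alt_repo | default({})) == {}` and there is no alternative-registry counterpart for it. The play would carry on with no mirror configuration applied and the problem would only surface later as image pull failures. Either add a non-MCO path for the alternative registry or add a `fail` task, guarded by `not _mco_exists` together with the `!= {}` condition, that states the combination is unsupported. The first two `include_tasks` entries also lost their `name:`, which makes the run log harder to follow.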
@@ -0,0 +1,13 @@
apiVersion: operator.openshift.io/v1alpha1
kind: ImageContentSourcePolicy
metadata:
name: {{ icsp_name }}
spec:
repositoryDigestMirrors:
{% for registry_mirror in all_config.cp_alt_repo.registry_mirrors %}
- source: {{ registry_mirror.source}}
mirrors:
{% for mirror in registry_mirror.mirrors %}
- {{ mirror }}
{% endfor %}
{% endfor %}
Expand Up @@ -10,6 +10,15 @@
state: present
create: True

- name: Insert cpd_platform options into {{ status_dir }}/cp4d/{{ _p_current_cp4d_cluster.project }}-install-options.yml
blockinfile:
path: "{{ status_dir }}/cp4d/{{ _p_current_cp4d_cluster.project }}-install-options.yml"
marker: "# {mark} CPD Platform options #"
block: |2
cpd_platform:
cloudpakfordata: true
iamIntegration: {{ _p_current_cp4d_cluster.use_fs_iam | default(False) | bool }}

- name: Run pre-processing scripts
include_tasks: cp4d-install-cr-pre-processing.yml
loop: "{{ _cartridges_to_install | default([]) }}"
@@ -0,0 +1,12 @@
---
# Store password from vault into OpenShift secret (also in case of reinstallation with existing vault secret)
- name: Update {{ cp4d_login_username }} password in OpenShift secret when using Foundational Services IAM
shell: |
oc set data --namespace {{ current_cp4d_cluster.project }} secret/platform-auth-idp-credentials \
--from-literal=admin_password="{{ _cp4d_admin_password_vault }}"

- name: Restart the platform identity pods
shell: |
oc delete po --namespace {{ current_cp4d_cluster.project }} -l app=platform-auth-service --ignore-not-found
oc delete po --namespace {{ current_cp4d_cluster.project }} -l app=platform-identity-management --ignore-not-found
oc delete po --namespace {{ current_cp4d_cluster.project }} -l app=platform-identity-provider --ignore-not-found
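Review bot: The `oc set data` task places `{{ _cp4d_admin_password_vault }}` on the command line inside double quotes in a `shell` block with no `no_log`, so the password is echoed in verbose Ansible output, and a password containing `$`, a backtick or `"` is expanded by the shell or breaks the command. Add `no_log: true` to the task and pass the value shell-quoted: `--from-literal=admin_password={{ _cp4d_admin_password_vault | quote }}`. The same applies to the `oc set data ... initial_admin_password` task and to the `curl` task in the file section that follows.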
@@ -0,0 +1,21 @@
---
- name: Set new password for user {{ cp4d_login_username }}
shell: |
curl -s -k -X POST https://{{ cp4d_url.stdout }}/icp4d-api/v1/changepassword \
-H 'Authorization: Bearer {{ _cp4d_bearer_token }}' \
-H 'Content-Type: multipart/form-data' \
-H 'cache-control: no-cache' \
-F current_password={{ _current_cp4d_admin_password }} \
-F new_password={{ _cp4d_admin_password_vault }}
register: _cp4d_change_password_result
retries: 3
delay: 5
until: _cp4d_change_password_result.rc==0
args:
warn: false

# Store password from vault into OpenShift secret (also in case of reinstallation with existing vault secret)
- name: Update {{ cp4d_login_username }} password in OpenShift secret when not using Foundational Services IAM
shell: |
oc set data --namespace {{ current_cp4d_cluster.project }} secret/admin-user-details \
--from-literal=initial_admin_password="{{ _cp4d_admin_password_vault }}"
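Review bot: The `curl` call uses `-k`, so the bearer token and both passwords are sent without verifying the server certificate; passing the cluster CA with `--cacert`, or making `-k` an explicit opt-in, would close that gap. `-s` without `--fail` means an HTTP error response still exits 0, so `until: _cp4d_change_password_result.rc==0` does not detect a rejected password change; add `--fail` or inspect the response body. The two `-F current_password=...` / `-F new_password=...` fields should use `--form-string` so a password beginning with `@` or `<` is sent literally rather than being read as a file reference. `args: warn: false` is no longer accepted by recent ansible-core releases and can be removed.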