Merge pull request #37 from mbaldessari/common-automatic-update

common automatic update

common/Makefile

@@ -113,9 +113,7 @@ secrets-backend-none: ## Edits values files to remove secrets manager + ESO
 .PHONY: load-iib
 load-iib: ## CI target to install Index Image Bundles
 	@set -e; if [ x$(INDEX_IMAGES) != x ]; then \
-		for IIB in $(shell echo $(INDEX_IMAGES) | tr ',' '\n'); do \
-			INDEX_IMAGE="$${IIB}" ansible-playbook common/ansible/playbooks/iib-ci/iib-ci.yaml; \
-		done; \
+		ansible-playbook common/ansible/playbooks/iib-ci/iib-ci.yaml; \
 	else \
 		echo "No INDEX_IMAGES defined. Bailing out"; \
 		exit 1; \

common/acm/templates/multiclusterhub.yaml

@@ -1,11 +1,13 @@
+{{- $channel := "" }}
+{{- if .Values.acm.mce_operator.channel }}
+{{- $channel = printf ",\"channel\": \"%s\"" .Values.acm.mce_operator.channel }}
+{{- end }}
 apiVersion: operator.open-cluster-management.io/v1
 kind: MultiClusterHub
 metadata:
   name: multiclusterhub
   namespace: open-cluster-management
   annotations:
     argocd.argoproj.io/sync-wave: "-1"
-    {{- if kindIs "map" .Values.clusterGroup.subscriptions }}
-    installer.open-cluster-management.io/mce-subscription-spec: '{"source": "{{ default "redhat-operators" .Values.clusterGroup.subscriptions.acm.source }}" }'
-    {{- end }}
+    installer.open-cluster-management.io/mce-subscription-spec: '{"source": "{{ default "redhat-operators" .Values.acm.mce_operator.source }}" {{- $channel }} }'
 spec: {}

common/acm/templates/policies/ocp-gitops-policy.yaml

@@ -45,7 +45,7 @@ spec:
                   labels:
                     operators.coreos.com/openshift-gitops-operator.openshift-operators: ''
                 spec:
-                  channel: {{ default "gitops-1.11" .Values.main.gitops.channel }}
+                  channel: {{ default "gitops-1.12" .Values.main.gitops.channel }}
                   installPlanApproval: Automatic
                   name: openshift-gitops-operator
                   source: redhat-operators

common/acm/values.yaml

@@ -1,6 +1,6 @@
 main:
   gitops:
-    channel: "gitops-1.11"
+    channel: "gitops-1.12"
 
 global:
   extraValueFiles: []
@@ -30,6 +30,15 @@ clusterGroup:
 #      - name: clusterGroup
 #        value: region-one
 
+acm:
+  # Just used for IIB testing, drives the source and channel for the MCE
+  # subscription triggered by ACM
+  mce_operator:
+    source: redhat-operators
+    channel: null
+
+
+
 secretStore:
   name: vault-backend
   kind: ClusterSecretStore

common/ansible/roles/iib_ci/README.md

@@ -38,31 +38,51 @@ oc patch configs.imageregistry.operator.openshift.io cluster --type merge --patc
 oc patch configs.imageregistry.operator.openshift.io cluster --type merge --patch '{"spec":{"storage":{"emptyDir":{}}}}'
 ```
 
+### Gitops operator
+
 Then in case of the `openshift-gitops-operator` we would install with:
 
 ```sh
 export CHANNEL=$(oc get -n openshift-marketplace packagemanifests -l "catalog=iib-${IIB}" --field-selector "metadata.name=${OPERATOR}" -o jsonpath='{.items[0].status.defaultChannel}')
 make EXTRA_HELM_OPTS="--set main.gitops.operatorSource=iib-${IIB} --set main.gitops.channel=${CHANNEL}" install
 ```
 
-To install ACM (`export OPERATOR=advanced-cluster-management`) or any other
-operator (except the gitops one) from an IIB we would call the following as a
-final step:
+### ACM operator
+
+The advanced-cluster-management operator is a little bit more complex than the others because it
+also installes another operator called MCE multicluster-engine. So to install ACM you typically
+need two IIBs (one for acm and one for mce). With those two at hand, do the following (the ordering must be
+consistent: the first IIB corresponds to the first OPERATOR, etc).
 
 ```sh
-export CHANNEL=$(oc get -n openshift-marketplace packagemanifests -l "catalog=iib-${IIB}" --field-selector "metadata.name=${OPERATOR}" -o jsonpath='{.items[0].status.defaultChannel}')
-make EXTRA_HELM_OPTS="--set main.extraParameters[0].name=clusterGroup.subscriptions.acm.source --set main.extraParameters[0].value=iib-${IIB} --set main.extraParameters[1].name=clusterGroup.subscriptions.acm.channel --set main.extraParameters[1].value=${CHANNEL}" install
+export OPERATOR=advanced-cluster-management,multicluster-engine
+export INDEX_IMAGES=registry-proxy.engineering.redhat.com/rh-osbs/iib:713808,registry-proxy.engineering.redhat.com/rh-osbs/iib:718034
+make load-iib
+```
+
+Once the IIBs are loaded into the cluster we need to run the following steps:
+
+```sh
+export ACM_CHANNEL=$(oc get -n openshift-marketplace packagemanifests -l "catalog=iib-713808" --field-selector "metadata.name=advanced-cluster-management" -o jsonpath='{.items[0].status.defaultChannel}')
+export MCE_CHANNEL=$(oc get -n openshift-margetplace packagemanifests -l "catalog=iib-718034" --field-selector "metadata.name=multicluster-engine" -o jsonpath='{.items[0].status.defaultChannel}')
+make EXTRA_HELM_OPTS="--set main.extraParameters[0].name=clusterGroup.subscriptions.acm.source --set main.extraParameters[0].value=iib-713808 \
+                      --set main.extraParameters[1].name=clusterGroup.subscriptions.acm.channel --set main.extraParameters[1].value=${ACM_CHANNEL} \
+                      --set main.extraParameters[2].name=acm.mce_operator.source --set main.extraParameters[2].value="iib-718034" \
+                      --set main.extraParameters[3].name=acm.mce_operator.channel --set main.extraParameters[3].value=${MCE_CHANNEL}" install
 ```
 
-*Note*: In this case `acm` is the name of the subscription in `values-hub.yaml`
+*Note*: In this case the `acm` in `clusterGroup.subscriptions.acm.*` is the name of the key in the subscriptions in `values-hub.yaml`
+
+### Other operators
 
-### OCP 4.13 and onwards
+To install operators other than gitops and acm do the following:
 
-Since 4.13 supports an internal registry that can cope with v2 docker manifests, we
-use that. Run `make iib` with the following environment variables set:
+```sh
+export CHANNEL=$(oc get -n openshift-marketplace packagemanifests -l "catalog=iib-${IIB}" --field-selector "metadata.name=${OPERATOR}" -o jsonpath='{.items[0].status.defaultChannel}')
+make EXTRA_HELM_OPTS="--set main.extraParameters[0].name=clusterGroup.subscriptions.<subname>.source --set main.extraParameters[0].value=iib-${IIB} --set main.extraParameters[1].name=clusterGroup.subscriptions.<subname>.channel --set main.extraParameters[1].value=${CHANNEL}" install
+```
 
-* `INDEX_IMAGES=registry-proxy.engineering.redhat.com/rh-osbs/iib:492329`
-* `KUBEADMINPASS="11111-22222-33333-44444"`
+*Note*: Replace `<subname>` with the actual name of the subscription dictionary in `values-hub.yaml`
 
 ## Useful commands
 

common/ansible/roles/iib_ci/defaults/main.yml

@@ -1,5 +1,5 @@
 rh_internal_registry: registry-proxy.engineering.redhat.com
-iib_image: "{{ lookup('env', 'INDEX_IMAGE') }}"
+iib_images: "{{ lookup('env', 'INDEX_IMAGES') }}"
 
 kubeadminpass: "{{ lookup('env', 'KUBEADMINPASS') }}"
 

common/ansible/roles/iib_ci/tasks/fetch-operator-images.yml

@@ -2,9 +2,9 @@
 # the operator name is defined in the variable "item". This
 # set of tasks is to be included in a loop that goes over the
 # needed operators
-- name: Get default channel in the IIB for "{{ item }}"
+- name: Get default channel in the IIB for "{{ item.key }}"
   ansible.builtin.shell: |
-    oc get -n "{{ internal_registry_ns }}" packagemanifests -l "catalog=iib-{{ iib }}" --field-selector "metadata.name={{ item }}" \
+    oc get -n "{{ internal_registry_ns }}" packagemanifests -l "catalog=iib-{{ item.value['iib'] }}" --field-selector "metadata.name={{ item.key }}" \
       -o jsonpath='{.items[0].status.defaultChannel}'
   register: default_channel_raw
   retries: 10
@@ -15,9 +15,13 @@
   ansible.builtin.set_fact:
     default_channel: "{{ default_channel_raw.stdout }}"
 
-- name: Get all related images in the IIB for "{{ item }}"
+- name: Print default channel
+  ansible.builtin.debug:
+    msg: "Default channel for {{ item.key }}: {{ default_channel }}"
+
+- name: Get all related images in the IIB for "{{ item.key }}"
   ansible.builtin.shell: |
-    oc get packagemanifests -l "catalog=iib-{{ iib }}" --field-selector "metadata.name={{ item }}" \
+    oc get packagemanifests -l "catalog=iib-{{ item.value['iib'] }}" --field-selector "metadata.name={{ item.key }}" \
       -o jsonpath="{.items[0].status.channels[?(@.name==\"{{ default_channel }}\")].currentCSVDesc.relatedImages}"
   register: related_images_raw
   retries: 5
@@ -29,15 +33,15 @@
     related_images: "{{ related_images_raw.stdout }}"
 
 # NOTE(bandini)
-# The following code is here to fund out what the operator bundle image is and to make
+# The following code is here to find out what the operator bundle image is and to make
 # sure it is on the internal registry.
 # This is all potentially hacky, but so far I could not find a single place in the cluster
 # where the olm.bundle image is available. The info is in there in the IIB, but it certainly
 # is not in any package manifest nor catalogsource. This is why we resort to invoking opm
 # alpha commands inside the IIB image locally
 - name: Pull the IIB locally
   ansible.builtin.command:
-    podman pull "{{ iib_image }}"
+    podman pull "{{ item.value['iib_image'] }}"
 
 # $ opm alpha list channels /configs advanced-cluster-management
 # PACKAGE                      CHANNEL      HEAD
@@ -46,7 +50,7 @@
 - name: Read the operator bundle from the default channel
   ansible.builtin.shell: |
     set -o pipefail
-    podman run -it --rm "{{ iib_image }}" alpha list channels /configs "{{ item }}" | grep -E "(\s){{ default_channel }}(\s)" | awk '{ print $3 }'
+    podman run -it --rm "{{ item.value['iib_image'] }}" alpha list channels /configs "{{ item.key }}" | grep -E "(\s){{ default_channel }}(\s)" | awk '{ print $3 }'
   register: bundle_channel_raw
 
 - name: Set bundle fact
@@ -70,7 +74,7 @@
 - name: Get bundle image
   ansible.builtin.shell: |
     set -o pipefail
-    podman run -it --rm "{{ iib_image }}" alpha list bundles /configs "{{ item }}" | grep -e "{{ default_channel }}\s\+{{ bundle_channel }}" | awk '{ print $NF }'
+    podman run -it --rm "{{ item.value['iib_image'] }}" alpha list bundles /configs "{{ item.key }}" | grep -e "{{ default_channel }}\s\+{{ bundle_channel }}" | awk '{ print $NF }'
   register: bundle_image_raw
 
 - name: Set bundle image fact

common/ansible/roles/iib_ci/tasks/install-iib-in-cluster.yml

@@ -1,3 +1,7 @@
+- name: Set IIB local folder fact
+  ansible.builtin.set_fact:
+    iib_local_folder: "/tmp/manifest-{{ item.value['iib'] }}"
+
 - name: Remove manifest folder "{{ iib_local_folder }}"
   ansible.builtin.file:
     path: "{{ iib_local_folder }}"
@@ -16,14 +20,14 @@
 - name: Mirror catalog manifests only to "{{ iib_local_folder }}"
   ansible.builtin.shell: |
     oc adm catalog mirror --insecure --manifests-only --to-manifests=. \
-      "{{ iib_image }}" "{{ rh_internal_registry }}/rh-osbs" > catalog.log 2>&1
+      "{{ item.value['iib_image'] }}" "{{ rh_internal_registry }}/rh-osbs" > catalog.log 2>&1
   args:
     chdir: "{{ iib_local_folder }}"
 
 - name: Mirror IIB to "{{ mirror_iib }}"
   ansible.builtin.shell: |
     oc image mirror -a "{{ pull_secrets_tempfolder.path }}/.dockerconfigjson" \
-      "{{ iib_image }}={{ mirror_iib }}" --insecure --keep-manifest-list 2>&1
+      "{{ item.value['iib_image'] }}={{ mirror_iib }}" --insecure --keep-manifest-list 2>&1
   args:
     chdir: "{{ iib_local_folder }}"
   register: oc_mirror_result
@@ -43,7 +47,7 @@
 
 - name: Wait for catalogsource to show up
   ansible.builtin.shell: |
-    oc get -n "{{ internal_registry_ns }}" packagemanifests -l "catalog=iib-{{ iib }}" --field-selector "metadata.name={{ operator }}" \
+    oc get -n "{{ internal_registry_ns }}" packagemanifests -l "catalog=iib-{{ item.value['iib'] }}" --field-selector "metadata.name={{ item.key }}" \
       -o jsonpath='{.items[0].status.defaultChannel}'
   register: oc_catalogsource_result
   retries: 30

common/ansible/roles/iib_ci/tasks/main.yml

@@ -1,9 +1,3 @@
-- name: Check that INDEX_IMAGE env variable is set
-  ansible.builtin.fail:
-    msg: "INDEX_IMAGE: '{{ iib_image }}' is not set"
-  failed_when:
-    (iib_image is not defined or iib_image | length == 0)
-
 - name: Check for pre-requisite binaries presence
   ansible.builtin.shell: |
     which "{{ item }}"
@@ -12,13 +6,11 @@
     - oc
     - podman
 
-- name: Set IIB fact
-  ansible.builtin.set_fact:
-    iib: "{{ iib_image.split(':')[1] }}"
-
-- name: Set IIB local folder fact
-  ansible.builtin.set_fact:
-    iib_local_folder: "/tmp/manifest-{{ iib }}"
+- name: Check that INDEX_IMAGES env variable is set
+  ansible.builtin.fail:
+    msg: "INDEX_IMAGES: '{{ iib_images }}' is not set"
+  failed_when:
+    (iib_images is not defined or iib_images | length == 0)
 
 - name: Get cluster version
   # E.g. 4.13.0-rc.6 or 4.12.16
@@ -36,14 +28,44 @@
     msg: "OCP versions < 4.13 are not support for IIB loading"
   when: not ocp_413
 
+- name: Set images array
+  ansible.builtin.set_fact:
+    iib_image_list: "{{ iib_images.split(',') }}"
+
+- name: Set operator array
+  ansible.builtin.set_fact:
+    operator_list: "{{ operator.split(',') }}"
+
+# Creates a dict like:
+# "advanced-cluster-management": {
+#   "iib": "713808",
+#   "iib_image": "registry-proxy.engineering.redhat.com/rh-osbs/iib:713808"
+# },
+# "multicluster-engine": {
+#   "iib": "713809",
+#   "iib_image": "registry-proxy.engineering.redhat.com/rh-osbs/iib:713809"
+# }
+- name: Set IIB dict
+  ansible.builtin.set_fact:
+    iib_dict: "{{ iib_dict | default({}) | combine({item.0: {'iib_image': item.1, 'iib': item.1.split(':')[-1]}}) }}"
+  with_together:
+    - "{{ operator_list }}"
+    - "{{ iib_image_list }}"
+
+- name: Working with the following IIB data
+  ansible.builtin.debug:
+    msg: "{{ iib_dict }}"
+
 - name: Set up internal registry (OCP >= 4.13)
   ansible.builtin.include_tasks: setup-internal-registry.yml
 
 - name: Install new IIB in cluster
   ansible.builtin.include_tasks: install-iib-in-cluster.yml
+  with_items: "{{ iib_dict | dict2items }}"
 
 - name: Mirror all related images
   ansible.builtin.include_tasks: mirror-related-images.yml
+  with_items: "{{ iib_dict | dict2items }}"
 
 - name: Remove pullsecrets tempfolder
   ansible.builtin.file:

common/ansible/roles/iib_ci/tasks/mirror-related-images.yml

@@ -1,16 +1,14 @@
-# This is needed because some operators like "advanced-cluster-management"
-# install a second operator "multicluster-engine"
-- name: Set operators list
+# We redefine this var so it is easier to run this task independently
+- name: Set IIB local folder fact
   ansible.builtin.set_fact:
-    operator_list: "{{ [operator] + (operator == 'advanced-cluster-management') | ternary(['multicluster-engine'], []) }}"
+    iib_local_folder: "/tmp/manifest-{{ item.value['iib'] }}"
 
 - name: Set all images to empty list
   ansible.builtin.set_fact:
     all_images: []
 
 - name: Fetch operator images tasks
   ansible.builtin.include_tasks: fetch-operator-images.yml
-  loop: "{{ operator_list }}"
 
 - name: Print all_images
   ansible.builtin.debug:
@@ -119,7 +117,7 @@
   ansible.builtin.debug:
     msg: "{{ image_urls }}"
 
-# OCP 4.13 uses the new fangled "ImageDigestMirrorSet", older OCPs use "ImageContentSourcePolicy"
+# OCP 4.13 uses the new fangled "ImageDigestMirrorSet"
 - name: Template out imageMirror.yaml (OCP >= 4.13)
   ansible.builtin.template:
     src: ./templates/imageDigestMirror.yaml.j2

common/ansible/roles/iib_ci/templates/catalogSource.yaml.j2

@@ -1,9 +1,9 @@
 apiVersion: operators.coreos.com/v1alpha1
 kind: CatalogSource
 metadata:
-  name: iib-{{ iib }}
+  name: iib-{{ item.value['iib'] }}
   namespace: {{ internal_registry_ns }}
 spec:
-  image: {{ mirror_iib }}:{{ iib }}
+  image: {{ mirror_iib }}:{{ item.value['iib'] }}
   sourceType: grpc
-  displayName: IIB {{ iib }}
+  displayName: IIB {{ item.value['iib'] }}

common/ansible/roles/iib_ci/templates/imageDigestMirror.yaml.j2

@@ -3,16 +3,16 @@ kind: ImageDigestMirrorSet
 metadata:
   labels:
     operators.openshift.org/catalog: "true"
-  name: iib-{{ iib }}
+  name: iib-{{ item.value['iib'] }}
 spec:
   imageDigestMirrors:
-{% for item in image_urls.values() %}
+{% for data in image_urls.values() %}
     - mirrors:
-        - {{ item.mirrordest_nosha }}
-      source: {{ item.source_nosha }}
+        - {{ data.mirrordest_nosha }}
+      source: {{ data.source_nosha }}
       mirrorSourcePolicy: AllowContactingSource
     - mirrors:
-        - {{ item.mirrordest_nosha }}
-      source: {{ item.image_nosha }}
+        - {{ data.mirrordest_nosha }}
+      source: {{ data.image_nosha }}
       mirrorSourcePolicy: AllowContactingSource
 {% endfor %}

common/clustergroup/Chart.yaml

@@ -3,4 +3,4 @@ description: A Helm chart to create per-clustergroup ArgoCD applications and any
 keywords:
 - pattern
 name: clustergroup
-version: 0.8.4
+version: 0.8.5

common/operator-install/templates/pattern.yaml

@@ -13,7 +13,7 @@ spec:
     tokenSecretNamespace: {{ .Values.main.tokenSecretNamespace }}
 {{- end }} {{/* if and .Values.main.tokenSecret .Values.main.tokenSecretNamespace */}}
   gitOpsSpec:
-    operatorChannel: {{ default "gitops-1.11" .Values.main.gitops.channel }}
+    operatorChannel: {{ default "gitops-1.12" .Values.main.gitops.channel }}
     operatorSource: {{ default "redhat-operators" .Values.main.gitops.operatorSource }}
   multiSourceConfig:
     enabled: {{ .Values.main.multiSourceConfig.enabled }}

common/operator-install/values.yaml

@@ -7,7 +7,7 @@ main:
     revision: main
 
   gitops:
-    channel: "gitops-1.11"
+    channel: "gitops-1.12"
     operatorSource: redhat-operators
 
   multiSourceConfig: