diff --git a/hooks/playbooks/config_cluster_for_disconnected_deployment.yml b/hooks/playbooks/config_cluster_for_disconnected_deployment.yml
new file mode 100644
index 0000000000..4ba09f6e88
--- /dev/null
+++ b/hooks/playbooks/config_cluster_for_disconnected_deployment.yml
@@ -0,0 +1,196 @@
+---
+- name: Update cluster for disconnected deployment
+ hosts: "{{ cifmw_target_host | default('localhost') }}"
+ vars:
+ oc_mirror_download_url: "{{ cifmw_disconnected_mirror_url | default('https://mirror.openshift.com/pub/openshift-v4/x86_64/clients/ocp/latest/oc-mirror.rhel9.tar.gz') }}"
+ mirror_registry_url: "{{ cifmw_disconnected_registry_url | default('https://mirror.openshift.com/pub/cgw/mirror-registry/latest/mirror-registry-amd64.tar.gz') }}"
+ openstack_namespace: "{{ cifmw_openstack_namespace | default('openstack') }}"
+ disconnect_working_dir: "{{ cifmw_disconnected_working_dir | default('/home/zuul/disconnect_working_dir') }}"
+ mirror_location: "{{ disconnect_working_dir }}/mirror_location"
+ local_registry: "{{ disconnect_working_dir }}/local_registry"
+ mirror_registry_password: "JbmsjFR0yf6SNxKhk185BOVX2Dv39T74"
+ tasks:
+ - name: Create disconnected working directories
+ ansible.builtin.file:
+ path: "{{ item }}"
+ state: directory
+ mode: '0777'
+ loop:
+ - "{{ disconnect_working_dir }}"
+ - "{{ mirror_location }}"
+ - "{{ local_registry }}"
+
+ - name: Download oc mirror image to controller
+ ansible.builtin.get_url:
+ url: "{{ oc_mirror_download_url }}"
+ dest: "{{disconnect_working_dir}}/oc-mirror.rhel9.tar.gz"
+ mode: '0644'
+
+ - name: Install oc mirror
+ ansible.builtin.shell: |
+ cmd: >-
+ tar xvf {{disconnect_working_dir}}/oc-mirror.rhel9.tar.gz -C {{disconnect_working_dir}} &&
+ chmod +x {{disconnect_working_dir}}/oc-mirror &&
+ sudo mv {{disconnect_working_dir}}/oc-mirror /usr/local/bin/.
+
+ - name: Create update service namespace
+ cifmw.general.ci_script:
+ output_dir: "{{ cifmw_basedir }}/artifacts"
+ script: |
+ oc apply -f - <-
+ oc get crd | grep -i updateservice.operator.openshift.io
+ register: crd_out
+ until: "'updateservice.operator.openshift.io' in crd_out.stdout"
+ retries: 10
+ delay: 30
+
+ - name: Create Image Set yaml
+ ansible.builtin.shell: |
+ cmd: >-
+ cat <{{ disconnect_working_dir }}/imageset-config-v2.yaml
+ kind: ImageSetConfiguration
+ apiVersion: mirror.openshift.io/v2alpha1
+ mirror:
+ operators:
+ - catalog: registry.redhat.io/redhat/redhat-operator-index:v4.18
+ packages:
+ - name: openstack-operator
+ - name: kubernetes-nmstate-operator
+ - name: openshift-cert-manager-operator
+ - name: metallb-operator
+ - name: local-storage-operator
+ - name: lvms-operator
+ - name: cluster-observability-operator
+ additionalImages:
+ - name: registry.redhat.io/ubi8/ubi:latest
+ - name: registry.redhat.io/ubi9/ubi@sha256:20f695d2a91352d4eaa25107535126727b5945bff38ed36a3e59590f495046f0
+ EOF
+
+ #To do need podman login here
+
+ - name: Mirror specified image set configuration to disk
+ ansible.builtin.shell: |
+ cmd: >-
+ oc mirror --v2 --config {{ disconnect_working_dir }}/imageset-config-v2.yaml file://{{ mirror_location }} >{{ disconnect_working_dir }}/mirror_images.log
+
+ - name: Download mirror registry to controller
+ ansible.builtin.get_url:
+ url: "{{ mirror_registry_url }}"
+ dest: "{{disconnect_working_dir}}/mirror-registry-amd64.tar.gz"
+ mode: '0644'
+
+ - name: Install mirror registry
+ ansible.builtin.shell: |
+ cmd: >-
+ tar xvf {{disconnect_working_dir}}/mirror-registry-amd64.tar.gz -C {{disconnect_working_dir}}
+ {{disconnect_working_dir}}/mirror-registry install --quayHostname controller-0.ocp.openstack.lab --quayRoot \
+ {{ local_registry }} --initPassword {{ mirror_registry_password }} >{{disconnect_working_dir}}/registry_install.log
+
+ - name: Configure system to trust mirror registry root ca
+ become: true
+ ansible.builtin.shell: |
+ cmd: >-
+ cp {{ local_registry }}/quay-rootCA/rootCA.pem /etc/pki/ca-trust/source/anchors/
+ update-ca-trust extract
+
+ - name: login to mirror registry
+ ansible.builtin.shell: |
+ cmd: >-
+ podman login -u init -p {{ mirror_registry_password }} controller-0.ocp.openstack.lab:8443
+
+ - name: Configure cluster to trust mirror registry root ca
+ ansible.builtin.shell: |
+ cmd: >-
+ oc create configmap registry-cas -n openshift-config --from-file=controller-0.ocp.openstack.lab..8443={{ local_registry }}/quay-rootCA/rootCA.pem
+ oc patch image.config.openshift.io/cluster --patch '{"spec":{"additionalTrustedCA":{"name":"registry-cas"}}}' --type=merge
+
+ - name: Get cluster's current pull secret
+ ansible.builtin.shell: |
+ cmd: >-
+ oc get secret {% raw %}pull-secret -n openshift-config -o template='{{index .data ".dockerconfigjson" | base64decode}}'{% endraw %} > {{ disconnect_working_dir }}/pull-secret.json
+
+ - name: Configure cluster to use pull secret from mirror registry
+ ansible.builtin.shell: |
+ cmd: >-
+ oc registry login --registry controller-0.ocp.openstack.lab:8443 --auth-basic=init:{{ mirror_registry_password }} --to={{ disconnect_working_dir }}/pull-secret.json
+ oc set data secret/pull-secret -n openshift-config --from-file=.dockerconfigjson={{ disconnect_working_dir }}/pull-secret.json
+
+ - name: Mirror contents of generated image set to target mirror registry
+ ansible.builtin.shell: |
+ cmd: >-
+ oc mirror --v2 --config {{ disconnect_working_dir }}/imageset-config-v2.yaml --from file://{{ mirror_location }} docker://controller-0.ocp.openstack.lab:8443 >{{ disconnect_working_dir }}/mirror_contents.log
+
+ - name: Disable catalog source
+ ansible.builtin.shell: |
+ cmd: >-
+ oc patch OperatorHub cluster --type json -p '[{"op": "add", "path": "/spec/disableAllDefaultSources", "value": true}]'
+
+ - name: Prepare catalog source for environment
+ ansible.builtin.shell: |
+ cmd: >-
+ sed -i
s/cs-redhat-operator-index-v4-18/redhat-operators/g {{ mirror_location }}/working-dir/cluster-resources/cs-redhat-operator-index-v4-18.yaml
+
+ - name: Apply yaml files from results directory to cluster
+ ansible.builtin.shell: |
+ cmd: >-
+ oc apply -f {{ mirror_location }}/working-dir/cluster-resources
+
+ - name: Wait for mirrored operators to be available
+ ansible.builtin.shell: |
+ cmd: >-
+ oc get packagemanifests.packages.operators.coreos.com
+ register: packagemanifest_out
+ until: "'openstack-operator' and 'kubernetes-nmstate-operator' in packagemanifest_out.stdout"
+ retries: 10
+ delay: 30
+
+ - name: Wait until the OpenShift cluster is stable
+ ansible.builtin.command:
+ cmd: >-
+ oc adm wait-for-stable-cluster --minimum-stable-period=5s --timeout=30m
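Review bot: `mirror_registry_password` is committed as a literal in `vars`, and the same value is then interpolated into the `mirror-registry install --initPassword`, `podman login -p` and `oc registry login --auth-basic=init:…` command lines, so it ends up in the repository, in process listings and in Ansible's task output. It would be safer to take it from a vaulted or job-supplied variable with no default, e.g. `mirror_registry_password: "{{ cifmw_disconnected_registry_password }}"` (variable name illustrative), to set `no_log: true` on those three tasks, and to hand podman the password via `--password-stdin` instead of `-p`. The working directories are created with `mode: '0777'` yet later hold `pull-secret.json` and the registry root, so `mode: '0700'` would keep the cluster pull secret readable only by the deploying user. Separately, the `until` on the packagemanifests task, `'openstack-operator' and 'kubernetes-nmstate-operator' in packagemanifest_out.stdout`, only tests the second name because the first operand is a non-empty string; each operator name needs its own `in` test.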