From ecb3ed3525da4fd7252ca41b1ccd39f147652695 Mon Sep 17 00:00:00 2001 From: Dan Prince Date: Mon, 25 Sep 2023 15:19:25 -0400 Subject: [PATCH] Support disconnected network environments This PR adds support for installing the operator in disconnected network environments. To build with image-digests set USE_IMAGE_DIGESTS=true before running make bundle. For Prow jobs we are enabling this via .prow_ci.env This drops the old logic from create_bundle.sh which has been broken with operator-sdk's make bundle for some time. (NOTE: this currently requires a secure registry) Jira: OSP-26486 --- .github/create_bundle.sh | 58 +------------------ .prow_ci.env | 1 + api/v1beta1/octavia_types.go | 8 +-- config/default/manager_default_images.yaml | 8 ++- ...ctavia-operator.clusterserviceversion.yaml | 1 + .../common/assert_sample_deployment.yaml | 42 +++++++++++--- 6 files changed, 49 insertions(+), 69 deletions(-) create mode 100644 .prow_ci.env diff --git a/.github/create_bundle.sh b/.github/create_bundle.sh index 9b024a35..fdbd8bb8 100755 --- a/.github/create_bundle.sh +++ b/.github/create_bundle.sh 
@@ -1,69 +1,13 @@ #!/bin/bash set -e -CLUSTER_BUNDLE_FILE="bundle/manifests/octavia-operator.clusterserviceversion.yaml" - echo "Creating octavia operator bundle" cd .. echo "${GITHUB_SHA}" echo "${BASE_IMAGE}" -skopeo --version - -echo "Calculating image digest for docker://${REGISTRY}/${BASE_IMAGE}:${GITHUB_SHA}" -DIGEST=$(skopeo inspect docker://${REGISTRY}/${BASE_IMAGE}:${GITHUB_SHA} | jq '.Digest' -r) -# Output: -# Calculating image digest for docker://quay.io/openstack-k8s-operators/octavia-operator:d03f2c1c362c04fc5ef819f92a218f9ea59bbd0c -# Digest: sha256:1d5b578fd212f8dbd03c0235f1913ef738721766f8c94236af5efecc6d8d8cb1 -echo "Digest: ${DIGEST}" RELEASE_VERSION=$(grep "^VERSION" Makefile | awk -F'?= ' '{ print $2 }') -OPERATOR_IMG_WITH_DIGEST="${REGISTRY}/${BASE_IMAGE}@${DIGEST}" - -echo "New Operator Image with Digest: $OPERATOR_IMG_WITH_DIGEST" echo "Release Version: $RELEASE_VERSION" echo "Creating bundle image..." -VERSION=$RELEASE_VERSION IMG=$OPERATOR_IMG_WITH_DIGEST make bundle - -echo "Bundle file images:" -cat "${CLUSTER_BUNDLE_FILE}" | grep "image:" -# FIXME: display any ENV variables once we have offline support implemented -#grep -A1 IMAGE_URL_DEFAULT "${CLUSTER_BUNDLE_FILE}" - -# We do not want to exit here. Some images are in different registries, so -# error will be reported to the console. 
-set +e -for csv_image in $(cat "${CLUSTER_BUNDLE_FILE}" | grep "image:" | sed -e "s|.*image:||" | sort -u); do - digest_image="" - echo "CSV line: ${csv_image}" - - # case where @ is in the csv_image image - if [[ "$csv_image" =~ .*"@".* ]]; then - delimeter='@' - else - delimeter=':' - fi - - base_image=$(echo $csv_image | cut -f 1 -d${delimeter}) - tag_image=$(echo $csv_image | cut -f 2 -d${delimeter}) - - if [[ "$base_image:$tag_image" == "controller:latest" ]]; then - echo "$base_image:$tag_image becomes $OPERATOR_IMG_WITH_DIGEST" - sed -e "s|$base_image:$tag_image|$OPERATOR_IMG_WITH_DIGEST|g" -i "${CLUSTER_BUNDLE_FILE}" - else - digest_image=$(skopeo inspect docker://${base_image}${delimeter}${tag_image} | jq '.Digest' -r) - echo "Base image: $base_image" - if [ -n "$digest_image" ]; then - echo "$base_image${delimeter}$tag_image becomes $base_image@$digest_image" - sed -i "s|$base_image$delimeter$tag_image|$base_image@$digest_image|g" "${CLUSTER_BUNDLE_FILE}" - else - echo "$base_image${delimeter}$tag_image not changed" - fi - fi -done - -echo "Resulting bundle file images:" -cat "${CLUSTER_BUNDLE_FILE}" | grep "image:" - -# FIXME: display any ENV variables once we have offline support implemented -#grep -A1 IMAGE_URL_DEFAULT "${CLUSTER_BUNDLE_FILE}" +USE_IMAGE_DIGESTS=true VERSION=$RELEASE_VERSION IMG=${REGISTRY}/${BASE_IMAGE}:${GITHUB_SHA} make bundle diff --git a/.prow_ci.env b/.prow_ci.env new file mode 100644 index 00000000..2606e6b6 --- /dev/null +++ b/.prow_ci.env @@ -0,0 +1 @@ +export USE_IMAGE_DIGESTS=true diff --git a/api/v1beta1/octavia_types.go b/api/v1beta1/octavia_types.go index 3ba45920..7d29489e 100644 --- a/api/v1beta1/octavia_types.go +++ b/api/v1beta1/octavia_types.go 
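Review bot: Nothing after the new `make bundle` line confirms that the generated CSV ended up digest-pinned: the removed code resolved each digest with skopeo and printed the resulting `image:` lines, while the new script passes a tag-based `IMG=${REGISTRY}/${BASE_IMAGE}:${GITHUB_SHA}` to make and stops. If the Makefile (not visible in this patch) does not honour USE_IMAGE_DIGESTS, or resolution fails for one image, a bundle carrying mutable tags could be published without any signal. A closing check such as `if grep 'image:' bundle/manifests/octavia-operator.clusterserviceversion.yaml | grep -qv '@sha256:'; then echo "unpinned image in bundle"; exit 1; fi` would fail the job instead. The expansions in the IMG assignment are also unquoted.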
@@ -199,10 +199,10 @@ func (instance Octavia) IsReady() bool { func SetupDefaults() { // Acquire environmental defaults and initialize Octavia defaults with them octaviaDefaults := OctaviaDefaults{ - APIContainerImageURL: util.GetEnvVar("OCTAVIA_API_IMAGE_URL_DEFAULT", OctaviaAPIContainerImage), - HousekeepingContainerImageURL: util.GetEnvVar("OCTAVIA_HOUSEKEEPING_IMAGE_URL_DEFAULT", OctaviaHousekeepingContainerImage), - HealthManagerContainerImageURL: util.GetEnvVar("OCTAVIA_HEALTHMANAGER_IMAGE_URL_DEFAULT", OctaviaHealthManagerContainerImage), - WorkerContainerImageURL: util.GetEnvVar("OCTAVIA_WORKER_IMAGE_URL_DEFAULT", OctaviaWorkerContainerImage), + APIContainerImageURL: util.GetEnvVar("RELATED_IMAGE_OCTAVIA_API_IMAGE_URL_DEFAULT", OctaviaAPIContainerImage), + HousekeepingContainerImageURL: util.GetEnvVar("RELATED_IMAGE_OCTAVIA_HOUSEKEEPING_IMAGE_URL_DEFAULT", OctaviaHousekeepingContainerImage), + HealthManagerContainerImageURL: util.GetEnvVar("RELATED_IMAGE_OCTAVIA_HEALTHMANAGER_IMAGE_URL_DEFAULT", OctaviaHealthManagerContainerImage), + WorkerContainerImageURL: util.GetEnvVar("RELATED_IMAGE_OCTAVIA_WORKER_IMAGE_URL_DEFAULT", OctaviaWorkerContainerImage), } SetupOctaviaDefaults(octaviaDefaults) diff --git a/config/default/manager_default_images.yaml b/config/default/manager_default_images.yaml index a7ec0b6b..ed82601a 100644 --- a/config/default/manager_default_images.yaml +++ b/config/default/manager_default_images.yaml 
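Review bot: After this rename the four old variable names are no longer read in SetupDefaults, so a deployment that still sets `OCTAVIA_API_IMAGE_URL_DEFAULT` (or the housekeeping, health-manager and worker equivalents) falls back to the compiled-in constants without any message, assuming util.GetEnvVar returns its second argument when the variable is unset. In a disconnected cluster that presumably means a pull from a registry the cluster cannot reach, and elsewhere it means an image reference the bundle never pinned. Consider keeping the old name as a fallback for one release, e.g. `util.GetEnvVar("RELATED_IMAGE_OCTAVIA_API_IMAGE_URL_DEFAULT", util.GetEnvVar("OCTAVIA_API_IMAGE_URL_DEFAULT", OctaviaAPIContainerImage))`, and extending the existing comment to say that the RELATED_IMAGE_ prefix is what lets the bundle tooling rewrite these values to digests. The closing brace of SetupDefaults is outside this hunk.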
@@ -11,5 +11,11 @@ spec: containers: - name: manager env: - - name: OCTAVIA_API_IMAGE_URL_DEFAULT + - name: RELATED_IMAGE_OCTAVIA_API_IMAGE_URL_DEFAULT value: quay.io/podified-antelope-centos9/openstack-octavia-api:current-podified + - name: RELATED_IMAGE_OCTAVIA_HOUSEKEEPING_IMAGE_URL_DEFAULT + value: quay.io/podified-antelope-centos9/openstack-octavia-housekeeping:current-podified + - name: RELATED_IMAGE_OCTAVIA_HEALTHMANAGER_IMAGE_URL_DEFAULT + value: quay.io/podified-antelope-centos9/openstack-octavia-health-manager:current-podified + - name: RELATED_IMAGE_OCTAVIA_WORKER_IMAGE_URL_DEFAULT + value: quay.io/podified-antelope-centos9/openstack-octavia-worker:current-podified diff --git a/config/manifests/bases/octavia-operator.clusterserviceversion.yaml b/config/manifests/bases/octavia-operator.clusterserviceversion.yaml index 03715be4..73c9c531 100644 --- a/config/manifests/bases/octavia-operator.clusterserviceversion.yaml +++ b/config/manifests/bases/octavia-operator.clusterserviceversion.yaml @@ -5,6 +5,7 @@ metadata: alm-examples: '[]' capabilities: Basic Install operatorframework.io/suggested-namespace: openstack + operators.openshift.io/infrastructure-features: '["disconnected"]' operators.operatorframework.io/operator-type: non-standalone name: octavia-operator.v0.0.0 namespace: placeholder diff --git a/tests/kuttl/common/assert_sample_deployment.yaml b/tests/kuttl/common/assert_sample_deployment.yaml index 5b522481..24f42bf6 100644 --- a/tests/kuttl/common/assert_sample_deployment.yaml +++ b/tests/kuttl/common/assert_sample_deployment.yaml @@ -29,7 +29,6 @@ spec: secret: osp-secret serviceUser: octavia octaviaAPI: - containerImage: quay.io/podified-antelope-centos9/openstack-octavia-api:current-podified customServiceConfig: | [DEFAULT] debug = true 
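Review bot: The four defaults in this hunk are still mutable tags (`:current-podified`), so pinning depends entirely on the bundle being generated with USE_IMAGE_DIGESTS=true; any install that applies this overlay directly runs whatever the tag points to at pull time. A comment above the `env:` list would make that explicit, for example `# RELATED_IMAGE_* values are rewritten to digests by 'make bundle' when USE_IMAGE_DIGESTS=true; outside a bundle they stay tag-based.` The manager container spec this list belongs to begins outside the hunk.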
@@ -46,7 +45,6 @@ spec: secret: osp-secret serviceUser: octavia octaviaHousekeeping: - containerImage: quay.io/podified-antelope-centos9/openstack-octavia-housekeeping:current-podified customServiceConfig: | [DEFAULT] debug = true @@ -59,7 +57,6 @@ spec: secret: osp-secret serviceUser: octavia octaviaHealthManager: - containerImage: quay.io/podified-antelope-centos9/openstack-octavia-health-manager:current-podified customServiceConfig: | [DEFAULT] debug = true @@ -72,7 +69,6 @@ spec: secret: osp-secret serviceUser: octavia octaviaWorker: - containerImage: quay.io/podified-antelope-centos9/openstack-octavia-worker:current-podified customServiceConfig: | [DEFAULT] debug = true @@ -117,7 +113,6 @@ spec: - /usr/local/bin/kolla_set_configs && /usr/local/bin/kolla_start command: - /bin/bash - image: quay.io/podified-antelope-centos9/openstack-octavia-api:current-podified imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 3 @@ -143,7 +138,6 @@ spec: - env: - name: CONFIG_HASH - name: KOLLA_CONFIG_STRATEGY - image: quay.io/podified-antelope-centos9/openstack-octavia-api:current-podified imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 3 @@ -189,7 +183,6 @@ spec: value: octavia - name: DatabaseUser value: octavia - image: quay.io/podified-antelope-centos9/openstack-octavia-api:current-podified imagePullPolicy: IfNotPresent name: init resources: {} 
@@ -236,3 +229,38 @@ spec: selector: service: octavia type: ClusterIP +--- +# when using image digests the containerImage URLs are SHA's so we verify them with a script +apiVersion: kuttl.dev/v1beta1 +kind: TestAssert +commands: + - script: | + tupleTemplate='{{ range (index .spec.template.spec.containers 1).env }}{{ .name }}{{ "#" }}{{ .value}}{{"\n"}}{{ end }}' + imageTuples=$(oc get -n openstack-operators deployment octavia-operator-controller-manager -o go-template="$tupleTemplate") + for ITEM in $(echo $imageTuples); do + # it is an image + if echo $ITEM | grep 'RELATED_IMAGE' &> /dev/null; then + NAME=$(echo $ITEM | sed -e 's|^RELATED_IMAGE_OCTAVIA_\([^_]*\)_.*|\1|') + IMG_FROM_ENV=$(echo $ITEM | sed -e 's|^.*#\(.*\)|\1|') + case $NAME in + API) + template='{{.spec.octaviaAPI.containerImage}}' + ;; + HOUSEKEEPING) + template='{{.spec.octaviaHousekeeping.containerImage}}' + ;; + HEALTHMANAGER) + template='{{.spec.octaviaHealthManager.containerImage}}' + ;; + WORKER) + template='{{.spec.octaviaWorker.containerImage}}' + ;; + esac + SERVICE_IMAGE=$(oc get -n $NAMESPACE octavia octavia -o go-template="$template") + if [ "$SERVICE_IMAGE" != "$IMG_FROM_ENV" ]; then + echo "$NAME image does not equal $IMG_FROM_ENV" + exit 1 + fi + fi + done + exit 0
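Review bot: The `case $NAME` in the added script has no default branch, so a RELATED_IMAGE entry whose name is not one of the four listed leaves `template` at the previous iteration's value (or empty on the first pass) and the comparison then runs against the wrong field. Adding `*) echo "unexpected image variable: $ITEM"; exit 1 ;;` turns that into a test failure. The check also only asserts that the CR value equals the operator's env value, not that either one is a digest, so it passes equally with tag-based references; if the digest guarantee matters for this test, also match `$IMG_FROM_ENV` against `*@sha256:*`. `grep 'RELATED_IMAGE' &> /dev/null` relies on a bash-only redirect, and `grep -q 'RELATED_IMAGE'` behaves the same under whichever `sh` runs the script.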