#648 Uae idmp instead of ImageContentSourcePolicy

IBM · Apr 27, 2024 · 03e9d1f · 03e9d1f
1 parent b2f77fa
commit 03e9d1f
Show file tree

Hide file tree

Showing 6 changed files with 161 additions and 1 deletion.
diff --git a/automation-roles/50-install-cloud-pak/cpfs/cp-ocp-icsp/tasks/create-idms-alt.yml b/automation-roles/50-install-cloud-pak/cpfs/cp-ocp-icsp/tasks/create-idms-alt.yml
@@ -0,0 +1,13 @@
+---
+- name: Create ImageDigestMirrorSet for alternative registries into {{ status_dir }}/openshift/cloud-pak-idms.yaml
+  template:
+    src: cloud-pak-idms-alt.j2
+    dest: "{{ status_dir }}/openshift/cloud-pak-idms.yaml"
+
+- name: Create ImageDigestMirrorSet {{ icsp_name }}
+  shell: |
+    oc apply -f {{ status_dir }}/openshift/cloud-pak-idms.yaml
+
+- name: Delete ImageContentSourcePolicy {{ icsp_name }} if still existing
+  shell: |
+    oc delete imagecontentsourcepolicies.operator.openshift.io {{ icsp_name }} --ignore-not-found
diff --git a/automation-roles/50-install-cloud-pak/cpfs/cp-ocp-icsp/tasks/create-idms.yml b/automation-roles/50-install-cloud-pak/cpfs/cp-ocp-icsp/tasks/create-idms.yml
@@ -0,0 +1,80 @@
+---
+- name: Create ImageDigestMirrorSet for private registry
+  template:
+    src: cloud-pak-idms.j2
+    dest: "{{ status_dir }}/openshift/cloud-pak-idms.yaml"
+
+- name: Create ImageDigestMirrorSet {{ idms_name }}
+  shell: |
+    oc apply -f {{ status_dir }}/openshift/cloud-pak-idms.yaml
+
+- name: Delete ImageContentSourcePolicy {{ icsp_name }} if still existing
+  shell: |
+    oc delete imagecontentsourcepolicies.operator.openshift.io {{ icsp_name }} --ignore-not-found
+
+# Handle insecure registry
+- name: Patch OpenShift image object if insecure registry was specified
+  block:
+  - name: Check if insecureRegistries already in image specification
+    shell: |
+      oc get image.config.openshift.io/cluster -o json | jq -r '.spec.registrySources // ""'
+    register: _insecure_registries
+  - name: Add insecureRegistries specification
+    shell: |
+      oc patch image.config.openshift.io/cluster --type=merge --patch '{"spec": {"registrySources": {"insecureRegistries": []}}}'
+    when: not "insecureRegistries" in _insecure_registries.stdout
+
+  - name: Check if {{ private_registry_url }} already in insecure registries
+    shell: |
+      oc get image.config.openshift.io/cluster -o json | jq -r '.spec.registrySources.insecureRegistries // ""'
+    register: _private_registry_entries
+
+  - name: Add insecure registry entry
+    shell: |
+      oc patch image.config.openshift.io/cluster --type=json \
+      --patch '[{"op": "add", "path": "/spec/registrySources/insecureRegistries/-", "value": "{{ private_registry_url }}" }]'
+    when: not private_registry_url in _private_registry_entries.stdout
+  when: (current_image_registry.registry_insecure | default(False) | bool)
+
+# Handle registry with CA bundle
+- name: Patch OpenShift image object if trusted CA secret was specified
+  block:
+  - name: Get trusted CA secret from vault
+    include_role: 
+      name: vault-get-secret
+    vars:
+      secret_name: "{{ current_image_registry.registry_trusted_ca_secret }}"
+      secret_group: "{{ environment_name }}"
+
+  - set_fact:
+      _registry_trusted_ca_secret: "{{ secret_value }}"
+
+  - name: Fail if secret {{ current_image_registry.registry_trusted_ca_secret }} was not found in the vault
+    fail:
+      msg: Secret "{{ current_image_registry.registry_trusted_ca_secret }}" was not found in the vault
+    when: _registry_trusted_ca_secret == ""
+
+  - name: Check if additionalTrustedCA already in image specification
+    shell: |
+      oc get image.config.openshift.io/cluster -o json | jq -r '.spec.additionalTrustedCA.name // ""'
+    register: _additional_trusted_ca_name_output
+  - set_fact:
+      _additional_trusted_ca_name: "{{ _additional_trusted_ca_name_output.stdout }}"
+  - set_fact:
+      _additional_trusted_ca_name: "{{ current_image_registry.registry_trusted_ca_secret }}"
+    when: _additional_trusted_ca_name == ""
+
+  - name: Create ConfigMap for additional trusted CA if non-existing
+    shell: |
+      oc create cm -n openshift-config {{ _additional_trusted_ca_name }}
+    failed_when: False
+  - name: Set data for registry hostname {{ current_image_registry.registry_host_name }}
+    shell: |
+      oc set data cm/{{ _additional_trusted_ca_name }} -n openshift-config \
+        "{{ private_registry_url | replace(':', '..') }}"="{{ _registry_trusted_ca_secret }}"
+
+  - name: Set additionalTrustedCA specification
+    shell: |
+      oc patch image.config.openshift.io/cluster --type=merge \
+        --patch '{"spec": {"additionalTrustedCA": {"name": "{{ _additional_trusted_ca_name }}"}}}'
+  when: current_image_registry.registry_trusted_ca_secret | default("") != ""
diff --git a/automation-roles/50-install-cloud-pak/cpfs/cp-ocp-icsp/tasks/main.yml b/automation-roles/50-install-cloud-pak/cpfs/cp-ocp-icsp/tasks/main.yml
@@ -1,13 +1,31 @@
 ---
+- name: Get OpenShift version
+  include_role:
+    name: openshift-get-version
+
 - include_tasks: create-icsp.yml
   when: 
   - _mco_exists
   - (all_config.cp_alt_repo | default({})) == {}
+  - _p_current_ocp_version < '4.12'
 
 - include_tasks: create-icsp-alt.yml
   when: 
   - _mco_exists
   - (all_config.cp_alt_repo | default({})) != {}
+  - _p_current_ocp_version < '4.12'
+
+- include_tasks: create-idms.yml
+  when: 
+  - _mco_exists
+  - (all_config.cp_alt_repo | default({})) == {}
+  - _p_current_ocp_version >= '4.12'
+
+- include_tasks: create-idms-alt.yml
+  when: 
+  - _mco_exists
+  - (all_config.cp_alt_repo | default({})) != {}
+  - _p_current_ocp_version >= '4.12'
 
 - name: Apply ImageContentSourcePolicy settings if the Machine Config Operator does not exist
   include_tasks: non-mco-apply-icsp.yml

diff --git a/automation-roles/50-install-cloud-pak/cpfs/cp-ocp-icsp/templates/cloud-pak-idms-alt.j2 b/automation-roles/50-install-cloud-pak/cpfs/cp-ocp-icsp/templates/cloud-pak-idms-alt.j2
@@ -0,0 +1,14 @@
+apiVersion: config.openshift.io/v1
+kind: ImageDigestMirrorSet
+metadata:
+  name: {{ idms_name }}
+spec:
+  imageDigestMirrors:
+{% for registry_mirror in all_config.cp_alt_repo.registry_mirrors %}
+  - source: {{ registry_mirror.source}}
+    mirrors:
+{% for mirror in registry_mirror.mirrors %}
+    - {{ mirror }}
+{% endfor %}
+    mirrorSourcePolicy: AllowContactingSource
+{% endfor %}
diff --git a/automation-roles/50-install-cloud-pak/cpfs/cp-ocp-icsp/templates/cloud-pak-idms.j2 b/automation-roles/50-install-cloud-pak/cpfs/cp-ocp-icsp/templates/cloud-pak-idms.j2
@@ -0,0 +1,34 @@
+apiVersion: config.openshift.io/v1
+kind: ImageDigestMirrorSet
+metadata:
+  name: {{ idms_name }}
+spec:
+  imageDigestMirrors:
+  - mirrors:
+    - {{ private_registry_url_namespace }}/cp
+    source: cp.icr.io/cp
+    mirrorSourcePolicy: AllowContactingSource
+  - mirrors:
+    - {{ private_registry_url_namespace }}/cp/cpd
+    source: cp.icr.io/cp/cpd
+    mirrorSourcePolicy: AllowContactingSource
+  - mirrors:
+    - {{ private_registry_url_namespace }}/cpopen
+    source: icr.io/cpopen
+    mirrorSourcePolicy: AllowContactingSource
+  - mirrors:
+    - {{ private_registry_url_namespace }}/db2u
+    source: icr.io/db2u
+    mirrorSourcePolicy: AllowContactingSource
+  - mirrors:
+    - {{ private_registry_url_namespace }}/cpopen/cpfs
+    source: icr.io/cpopen/cpfs
+    mirrorSourcePolicy: AllowContactingSource
+  - mirrors:
+    - {{ private_registry_url_namespace }}/opencloudio
+    source: quay.io/opencloudio
+    mirrorSourcePolicy: AllowContactingSource
+  - mirrors:
+    - {{ private_registry_url_namespace }}/ibmcom
+    source: docker.io/ibmcom
+    mirrorSourcePolicy: AllowContactingSource
diff --git a/automation-roles/50-install-cloud-pak/cpfs/cp-ocp-icsp/vars/main.yml b/automation-roles/50-install-cloud-pak/cpfs/cp-ocp-icsp/vars/main.yml
@@ -1,2 +1,3 @@
 ---
-icsp_name: cloud-pak-mirror
+icsp_name: cloud-pak-mirror
+idms_name: cloud-pak-mirror