/
mirror_utils.sh
151 lines (122 loc) · 4.88 KB
/
mirror_utils.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
function mirror_package() {
# Here we will do the next actions:
# 1. Create an index of specific packages from specific remote indexes
# 2. Push the index image to the local index
# 3. Upload all packages to the local index and create ICSP and
# CatalogSource for the new created index
# e.g. "local-storage-operator"
package="${1}"
# e.g. "registry.redhat.io/redhat/redhat-operator-index:v4.8"
remote_index="${2}"
# e.g. "virthost.ostest.test.metalkube.org:5000"
local_registry="${3}"
# e.g. "/run/user/0/containers/auth.json", "~/.docker/config.json"
# should have authentication information for both official registry
# (pull-secret) and for the local registry
authfile="${4}"
catalog_source_name="${5}"
# If the remote index is referenced using name and tag, use "name:tag" for the local image.
# If the remote index is referenced using a digest, use "name:digest" for the local image.
local_index_name=${remote_index##*/}
local_index_name="${local_index_name/@*:/:}"
local_registry_index_tag="${local_registry}/olm-index/${local_index_name}"
local_registry_image_tag="${local_registry}/olm"
opm index prune \
--from-index "${remote_index}" \
--packages "${package}" \
--tag "${local_registry_index_tag}"
GODEBUG=x509ignoreCN=0 podman push \
--tls-verify=false \
"${local_registry_index_tag}" \
--authfile "${authfile}"
manifests_dir=$(mktemp -d -t manifests-XXXXXXXXXX)
GODEBUG=x509ignoreCN=0 oc adm catalog mirror \
"${local_registry_index_tag}" \
"${local_registry_image_tag}" \
--registry-config="${authfile}" \
--to-manifests="${manifests_dir}"
echo "Applyed image-content-source-policy:"
cat "${manifests_dir}/imageContentSourcePolicy.yaml"
oc apply -f "${manifests_dir}/imageContentSourcePolicy.yaml"
# Modify openshift-marketplace namespace in order to allow workaround the new pod security
# admissions. Details are described in https://access.redhat.com/articles/6977554 and they
# are used to allow `securityContextConfig: legacy` stanza in the CatalogSource definition.
cat >"${manifests_dir}/namespaceHotfix.yaml" <<EOF
apiVersion: v1
kind: Namespace
metadata:
labels:
security.openshift.io/scc.podSecurityLabelSync: "false"
openshift.io/cluster-monitoring: "true"
pod-security.kubernetes.io/enforce: baseline
name: openshift-marketplace
EOF
echo "Applied hotfix for marketplace namespace:"
cat "${manifests_dir}/namespaceHotfix.yaml"
oc apply -f "${manifests_dir}/namespaceHotfix.yaml"
cat >"${manifests_dir}/catalogSource.yaml" <<EOF
apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
name: ${catalog_source_name}
namespace: openshift-marketplace
spec:
sourceType: grpc
image: ${local_registry_index_tag}
displayName: Mirror index for package ${package} from ${remote_index}
publisher: Local
grpcPodConfig:
securityContextConfig: legacy
updateStrategy:
registryPoll:
interval: 30m
EOF
echo "Applyed catalog source:"
cat "${manifests_dir}/catalogSource.yaml"
oc apply -f "${manifests_dir}/catalogSource.yaml"
if [ "${OPENSHIFT_CI:-false}" = "false" ]; then
# Until allowing mirroring by tags https://issues.redhat.com/browse/OCPNODE-521
# https://github.com/openshift/api/pull/874 will be part of OCP 4.9
# The sixth element on net-dhcp-leases is the hostname.
# We would like to get all the available hostnames, SSH to them, and fix their registries.conf to allow mirror-by-digest.
hostnames=$(virsh net-dhcp-leases ${BAREMETAL_NETWORK_NAME} | awk 'NR > 2 && $6 != "-" {print $6}')
for hostname in ${hostnames}; do
ssh -o StrictHostKeyChecking=no core@${hostname} bash - <<EOF
if grep "mirror-by-digest-only = true" /etc/containers/registries.conf -c; then
sudo sed -i 's/mirror-by-digest-only = true/mirror-by-digest-only = false/' /etc/containers/registries.conf
sudo systemctl restart crio kubelet
fi
EOF
done
fi
}
function mirror_file() {
remote_url="${1}"
httpd_path="${2}"
base_mirror_url="${3}"
local url_path="$(echo ${remote_url} | cut -d / -f 4-)"
mkdir -p "$(dirname ${httpd_path}/${url_path})"
curl --retry 5 --connect-timeout 30 "${remote_url}" -o "${httpd_path}/${url_path}"
echo "${base_mirror_url}/${url_path}"
}
function disable_default_indexes() {
oc patch OperatorHub cluster --type json \
-p '[{"op": "add", "path": "/spec/disableAllDefaultSources", "value": true}]'
}
function merge_authfiles() {
first_authfile="${1}"
second_authfile="${2}"
merged_authfile="${3}"
jq -s '.[0] * .[1]' "${first_authfile}" "${second_authfile}" >"${merged_authfile}"
}
function install_opm() {
curl --retry 5 --connect-timeout 30 -s https://mirror.openshift.com/pub/openshift-v4/x86_64/clients/ocp/stable-4.14/opm-linux.tar.gz | tar xvz -C /usr/local/bin/
}
function ocp_mirror_release() {
pull_secret_file="${1}"
source_image="${2}"
dest_mirror_repo="${3}"
oc adm -a "${pull_secret_file}" release mirror \
--from="${source_image}" \
--to="${dest_mirror_repo}"
}