shift over to ubi7 image (#1426)

* shift over to ubi7 image
project-koku · Nov 22, 2019 · c00738c · c00738c
1 parent 3e267cd
commit c00738c
Show file tree

Hide file tree

Showing 5 changed files with 92 additions and 38 deletions.
diff --git a/docs/source/openshift.rst b/docs/source/openshift.rst
@@ -2,6 +2,8 @@
 .. _`minishift`: https://github.com/minishift/minishift
 .. _`Kubernetes`: https://kubernetes.io/docs/home/
 .. _`Docker`: https://docs.docker.com/
+.. _`crc`: https://github.com/code-ready/crc
+.. _`Red Hat Registry Authentication`: https://access.redhat.com/RegistryAuthentication
 
 ~~~~~~~~~~~~~~~~~~~~~~~~~~
 Developing using OpenShift
@@ -23,13 +25,49 @@ When ready, your workstation should be able to run containers and deploy `OpenSh
 Local Development
 =================
 
-Minishift
----------
+Minishift (OKD 3.11)
+--------------------
 
 The recommended way to deploy a local OpenShift 3.x installation on Linux for Koku development is to use `minishift`_. This runs an OpenShift cluster inside of a VM.
 
 Installing and configuring `minishift`_ is outside the scope of this document.  Please refer to the `minishift`_ documentation for details.
 
+In order to access RHEL images for building Koku, you must configure `Red Hat Registry Authentication`_:
+
+For username/password, you can use the minishift's ``redhat-registry-login``
+addon:
+
+::
+    minishift addons enable redhat-registry-login
+    minishift addons apply redhat-registry-login --addon-env REGISTRY_USERNAME=${USERNAME} --addon-env REGISTRY_PASSWORD=${PASSWORD}
+
+
+For token-based authentication, you will need to configure the secret manually
+in your project:
+
+::
+    # this extracts the nested object from the file distributed by https://access.redhat.com/terms-based-registry
+    cat /path/to/registry-pull-secret.yaml | \
+             python -c 'import yaml, sys; print(yaml.safe_load(sys.stdin).get("data").get(".dockerconfigjson"))' | \
+             base64 -d | \
+             oc create secret generic registry-redhat-io-secret \
+                                    --from-file=.dockerconfigjson=/dev/stdin \
+                                    -n myproject \
+                                    --type=kubernetes.io/dockerconfigjson
+    oc secrets link default registry-redhat-io-secret -n myproject --for=pull
+    oc secrets link builder registry-redhat-io-secret -n myproject
+
+CodeReady Containers (OKD 4.x)
+------------------------------
+The recommended way to deploy a local OpenShift 4.x installation on Linux for Koku development is to use `crc`_. This runs an OpenShift cluster inside of a VM.
+
+Installing and configuring `crc`_ is outside the scope of this document.  Please refer to the `crc`_ documentation for details.
+
+In order to access RHEL images for building Koku, you must configure `Red Hat Registry Authentication`_.
+
+The script ``scripts/e2e-deploy.sh`` handles setup and configuration of `crc`_, including `Red Hat Registry Authentication`_.
+
+
 Deploying Services
 ------------------
 

diff --git a/openshift/celery-flower.yaml b/openshift/celery-flower.yaml
@@ -100,7 +100,7 @@ objects:
                 key: app-module
         from:
           kind: ImageStreamTag
-          name: python-36-centos7:latest
+          name: ubi7-python36:latest
           namespace: ${NAMESPACE}
     triggers:
     - type: ConfigChange

diff --git a/openshift/imagestream.yaml b/openshift/imagestream.yaml
@@ -18,25 +18,6 @@ labels:
   template: koku-imagestream
 objects:
 
-# Koku and Masu are built on python-36-centos7
-- apiVersion: v1
-  kind: ImageStream
-  metadata:
-    name: python-36-centos7
-    namespace: ${NAMESPACE}
-  spec:
-    dockerImageRepository: registry.centos.org/centos/python-36-centos7
-    lookupPolicy:
-      local: false
-    tags:
-    - annotations: null
-      from:
-        kind: DockerImage
-        name: centos/python-36-centos7
-      name: latest
-      referencePolicy:
-        type: Source
-
 # Koku database runs on postgresql-96-centos7
 - apiVersion: v1
   kind: ImageStream
@@ -75,11 +56,10 @@ objects:
       referencePolicy:
         type: Source
 
-# RabbitMQ builds on RHEL 7, if available
 - apiVersion: v1
   kind: ImageStream
   metadata:
-    name: rhel
+    name: rhel7
     namespace: ${NAMESPACE}
   spec:
     dockerImageRepository: registry.redhat.io/rhel7/rhel
@@ -94,7 +74,7 @@ objects:
       referencePolicy:
         type: Source
 
-# RabbitMQ builds on centos 7 when RHEL 7 isn't available
+# RabbitMQ builds on centos 7, for now.
 - apiVersion: v1
   kind: ImageStream
   metadata:
@@ -113,6 +93,25 @@ objects:
       referencePolicy:
         type: Source
 
+# Most koku components use the python-36 image.
+- apiVersion: v1
+  kind: ImageStream
+  metadata:
+    name: ubi7-python36
+    namespace: ${NAMESPACE}
+  spec:
+    dockerImageRepository: registry.redhat.io/ubi7/python-36
+    lookupPolicy:
+      local: false
+    tags:
+    - annotations: null
+      from:
+        kind: DockerImage
+        name: registry.redhat.io/ubi7/python-36:latest
+      name: latest
+      referencePolicy:
+        type: Source
+
 parameters:
 - description: The OpenShift Namespace where the ImageStream resides.
   displayName: Namespace

diff --git a/openshift/koku.yaml b/openshift/koku.yaml
@@ -113,7 +113,7 @@ objects:
                 key: app-domain
         from:
           kind: ImageStreamTag
-          name: python-36-centos7:latest
+          name: ubi7-python36:latest
           namespace: ${NAMESPACE}
         forcePull: true
       type: Source

diff --git a/scripts/e2e-deploy.sh b/scripts/e2e-deploy.sh
@@ -26,6 +26,9 @@
 # - registry.redhat.io secrets YAML
 #     see: https://docs.openshift.com/container-platform/4.2/registry/registry-options.html#registry-authentication-enabled-registry-overview_registry-options
 #
+#     NOTE: This script assumes you're using a pull secrets YAML from https://access.redhat.com/terms-based-registry
+#     NOTE: You may need to alter this script if your pull secrets are in a different format
+#
 # - a clone of these repositories:
 #     https://github.com/project-koku/koku
 #     https://github.com/RedHatInsights/e2e-deploy
@@ -35,6 +38,8 @@
 #     - oc
 #     - ocdeployer
 #     - iqe
+#     - python
+#     - base64
 #
 #   Check the READMEs in the above git repos for installation instructions
 #
@@ -48,8 +53,6 @@ set -e
 OPENSHIFT_API_URL=https://api.crc.testing:6443
 
 ### login info
-ADMIN_USER=kubeadmin
-ADMIN_PASSWORD=e4FEb-9dxdF-9N2wH-Dj7B8
 OCP_USER=developer
 OCP_PASSWORD=developer
 
@@ -100,20 +103,12 @@ for cmd in "${OC}" "${OCDEPLOYER}" "${IQE}"; do
     fi
 done
 
-${OC} login -u ${ADMIN_USER} -p ${ADMIN_PASSWORD} ${OPENSHIFT_API_URL}
-VALIDATE="${OC} get -n openshift secret/registry-redhat-io-secret -o name"
-if [ "$($VALIDATE)" != 'secret/registry-redhat-io-secret' ]; then
-    echo "Adding registry.redhat.io secret."
-    ${OC} project openshift
-    ${OC} create secret generic registry-redhat-io-secret --from-file=${REGISTRY_REDHAT_IO_SECRETS}
-    ${OC} secrets link --for=pull builder registry-redhat-io-secret
-fi
-
+### ensure we're logged in
 ${OC} login -u ${OCP_USER} -p ${OCP_PASSWORD} ${OPENSHIFT_API_URL}
 
 ### create projects
 for project in "${SECRETS_PROJECT}" "${BUILDFACTORY_PROJECT}" "${DEPLOY_PROJECT}"; do
-    VALIDATE="${OC} get project/${project} -o name 2>/dev/null"
+    VALIDATE="${OC} get project/${project} -o name"
     echo "Checking if project ${project} exists."
     if [ "$($VALIDATE)x" != "x" ]; then
         echo "Project '${project}' already exists. Exiting."
@@ -122,6 +117,26 @@ for project in "${SECRETS_PROJECT}" "${BUILDFACTORY_PROJECT}" "${DEPLOY_PROJECT}
     ${OC} new-project ${project}
 done
 
+echo "Adding registry.redhat.io secret."
+# the json distributed by access.redhat.com/terms-based-registry is a nested object.
+# oc wants the contents of the .data object, so we need to unwrap the outer layer
+# in order to load the pull secrets dockerconfigjson object into the secret.
+if [ -f ${REGISTRY_REDHAT_IO_SECRETS} ]; then
+    SECRET=$(cat ${REGISTRY_REDHAT_IO_SECRETS} | \
+             python -c 'import yaml, sys; print(yaml.safe_load(sys.stdin).get("data").get(".dockerconfigjson"))' | \
+             base64 -d)
+    # we need to install the pull secret into multiple projects because setting
+    # up a shared secret across projects is not well-supported by OCP <=4.2.
+    for project in "${BUILDFACTORY_PROJECT}" "${DEPLOY_PROJECT}"; do
+        echo ${SECRET} | ${OC} create secret generic registry-redhat-io-secret \
+                                    --from-file=.dockerconfigjson=/dev/stdin \
+                                    -n ${project} \
+                                    --type=kubernetes.io/dockerconfigjson
+        ${OC} secrets link default registry-redhat-io-secret -n ${project} --for=pull
+        ${OC} secrets link builder registry-redhat-io-secret -n ${project}
+    done
+fi
+
 ### create secrets
 echo "Applying secrets."
 ${OC} process -f ${KOKU_SECRETS} | ${OC} apply -n ${SECRETS_PROJECT} -f -
@@ -133,6 +148,8 @@ ${OC} policy add-role-to-user system:image-puller system:serviceaccount:${DEPLOY
 ### create builds
 # doing the initial builds can take a while
 # So, we ignore any non-zero exit because it's not necessarily a problem.
+# Until we come up with a more intelligent design, the user will need to spot
+# build failures and elect to not continue the deploy when prompted.
 echo "Creating builds in project ${BUILDFACTORY_PROJECT}"
 ${OCDEPLOYER} deploy -s hccm -t buildfactory ${BUILDFACTORY_PROJECT} || true