Service for pushing operators manifests to quay.io from various sources
MartinBasti Release 8.0
Signed-off-by: Martin Bašti <mbasti@redhat.com>
Latest commit 1ad6d1b Jul 22, 2019
docker curl: drop --insecure options Apr 3, 2019
docs/usage
omps Release 8.0 Jul 22, 2019
tests Teach the integration tests how to check nested bundles Jul 22, 2019
.gitignore Move integration test configs to a YAML file Mar 12, 2019
.travis.yml Test against multiple versions of operator-courier. Apr 29, 2019
Dockerfile Install operator-courier from updates-testing. Apr 29, 2019
LICENSE Initial commit Jan 28, 2019
README.md Keep only courier_released in the default tox env list. Apr 29, 2019
example.test.env.yaml
setup.py Compatibility with operator-courier 2.1.1 Jun 24, 2019
tox.ini

README.md

Operators Manifests Push Service (OMPS)


Service for pushing operators manifests to quay.io from various sources.

Settings

Configuration file

Setting the location of the config file:

export OMPS_CONF_FILE=/path/to/config.py
export OMPS_CONF_SECTION=ProdConfig

Configuration file example:

class ProdConfig:
    SECRET_KEY = "123456789secretkeyvalue"  # placeholder; use a long random value and keep it secret
    LOG_LEVEL = "INFO"
    LOG_FORMAT = "%(asctime)s - %(name)s - %(levelname)s - %(message)s"
    DEFAULT_RELEASE_VERSION = "1.0.0"  # default operator manifest version

    # configuration of Koji URLs
    KOJIHUB_URL = 'https://koji.fedoraproject.org/kojihub'
    KOJIROOT_URL = 'https://kojipkgs.fedoraproject.org/'

    # Timeout in seconds for Koji and Quay requests
    REQUEST_TIMEOUT = 28

    # Organization access
    ORGANIZATIONS = {
        "public-org": {
            "public": True,
            "oauth_token": "application_access_token_goes_here",
            "replace_registry": [
                {
                    "old": "quay.io",
                    "new": "example.com",
                },
            ]
        }
    }

    # Greenwave integration
    GREENWAVE = {
        "url": "https://greenwave.example.com",
        "context": "omps_push",
        "product_version": "cvp"
    }

Configuration of quay's organizations

Auto publishing new repositories

By default, OMPS uses the auth token for quay's CNR endpoint that the user passes in the HTTP Authorization header (see the Authorization section).

However, the CNR endpoint doesn't provide full access to quay applications. OMPS needs an OAuth access token to be able to make repositories public in the chosen organizations.

Required permissions:

  • Administer Repositories

Organizations configuration options:

  • public: if True, OMPS publishes all new repositories in that organization (requires oauth_token). Default is False (repositories are private).
  • oauth_token: application oauth access token from quay.io

Replacing registries URLs in manifest files

If an organization has a replace_registry section configured:

"replace_registry": [
    {
        "old": "quay.io",
        "new": "example.com",
    },
]

all specified old registries will be replaced by new in all manifest YAML files for that organization. The replacement happens while the manifests are pushed to the application registry.
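The organization options above can be checked before the service starts. The following is an added example, not part of OMPS: `validate_organizations` and `ALLOWED_ORG_KEYS` are hypothetical names, and the rules are taken only from the options this README documents (the real service may accept others). It also catches a missing `:` or `,` in the dict, which Python accepts silently because adjacent string literals are concatenated.

```python
# Added example (not OMPS code): sanity-check an ORGANIZATIONS mapping against
# the rules stated in this README. Names here are hypothetical.

# Assumption: only the options documented in this README are valid.
ALLOWED_ORG_KEYS = {"public", "oauth_token", "replace_registry"}


def validate_organizations(orgs):
    """Return a list of problems found; an empty list means the config is OK."""
    problems = []
    for name, conf in orgs.items():
        for key in sorted(set(conf) - ALLOWED_ORG_KEYS):
            # A missing ':' or ',' between string literals produces one long
            # bogus key instead of a SyntaxError; it shows up here.
            problems.append(f"{name}: unknown option {key!r}")
        public = conf.get("public", False)  # README: default is False
        if not isinstance(public, bool):
            problems.append(f"{name}: 'public' must be True or False")
        token = conf.get("oauth_token")
        if public is True and not (isinstance(token, str) and token.strip()):
            problems.append(f"{name}: 'public' is True but 'oauth_token' is missing")
        rules = conf.get("replace_registry", [])
        if not isinstance(rules, list):
            problems.append(f"{name}: 'replace_registry' must be a list")
            continue
        for i, rule in enumerate(rules):
            if not isinstance(rule, dict) or set(rule) != {"old", "new"}:
                problems.append(f"{name}: replace_registry[{i}] needs exactly 'old' and 'new'")
            elif not all(isinstance(v, str) and v for v in rule.values()):
                problems.append(f"{name}: replace_registry[{i}] values must be non-empty strings")
    return problems


# Constructed sample: ':' and ',' are missing after "oauth_token", so Python
# builds a single key out of three adjacent string literals.
BROKEN = {
    "public-org": {
        "public": True,
        "oauth_token" "application_access_token_goes_here"
        "replace_registry": [{"old": "quay.io", "new": "example.com"}],
    }
}
# Constructed sample: the same organization written correctly.
GOOD = {
    "public-org": {
        "public": True,
        "oauth_token": "application_access_token_goes_here",
        "replace_registry": [{"old": "quay.io", "new": "example.com"}],
    }
}

if __name__ == "__main__":
    print("\n".join(validate_organizations(BROKEN)) or "OK")
```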

Greenwave integration

This is optional. When the GREENWAVE settings are missing from the config file, the checks are skipped.

Greenwave integration allows OMPS to check whether koji builds meet the policies defined in Greenwave before operators from those builds are pushed to quay. (Note: this check is skipped when pushing directly from zipfiles.)

Running service

The best way is to run the service from a container:

docker build -t omps:latest .
docker run --rm -p 8080:8080 omps:latest

Running container with custom CA certificate:

docker run --rm -p 8080:8080 -e CA_URL='http://example.com/ca-cert.crt' omps:latest

Running container with customized number of workers (default: 8):

docker run --rm -p 8080:8080 -e WORKERS_NUM=6 omps:latest

Running container with custom worker timeout (default: 30 seconds):

docker run --rm -p 8080:8080 -e WORKER_TIMEOUT=60 omps:latest

Usage

Authorization

Users are expected to use a quay.io token, which can be acquired with the following command:

TOKEN=$(curl -sH "Content-Type: application/json" -XPOST https://quay.io/cnr/api/v1/users/login -d '
{
    "user": {
        "username": "'"${QUAY_USERNAME}"'",
        "password": "'"${QUAY_PASSWORD}"'"
    }
}' | jq -r '.token')

The Quay token must be passed to the OMPS app via the HTTP Authorization header:

curl -H "Authorization: ${TOKEN}" ...

It is recommended to use robot accounts.

REST API

Development

Running Flask dev. server

To run app locally for testing, use:

OMPS_DEVELOPER_ENV=true FLASK_APP=omps/app.py flask run

Installing with test dependencies

To install test dependencies from the local directory, use the following:

pip install '.[test]'

Running tests

The project is integrated with tox:

  • please install the rpm-devel and krb5-devel (Fedora) or rpm and libkrb5-dev (Ubuntu) packages to be able to build the koji dependency rpm-py-installer in tox:
sudo dnf install -y rpm-devel krb5-devel
  • run:
tox

Additionally, you can run the following to execute tests against the latest unreleased version of Operator Courier:

tox -e 'py{36,37}-courier_master'

To run tests manually, you can use pytest directly:

py.test tests/