From 1819185e8ccd26014aed3d2e9030adf0e904e597 Mon Sep 17 00:00:00 2001
From: Paul Bastide
Date: Thu, 12 Oct 2023 20:13:26 -0400
Subject: [PATCH] fix: update the ignition download so it only downloads with MTU 9100 in the ignition
Signed-off-by: Paul Bastide
---
ansible/support/tasks/ignition.yml | 77 ++++++++++++++++++++++++++++
modules/4_pvs_support/pvs_support.tf | 37 ++++++++++++-
outputs.tf | 5 --
3 files changed, 113 insertions(+), 6 deletions(-)
create mode 100644 ansible/support/tasks/ignition.yml
diff --git a/ansible/support/tasks/ignition.yml b/ansible/support/tasks/ignition.yml
new file mode 100644
index 0000000..9dbceaf
--- /dev/null
+++ b/ansible/support/tasks/ignition.yml
@@ -0,0 +1,77 @@
+---
+- hosts: all
+ vars_files:
+ - ../vars/main.yml
+
+ ####################################################################################
+ # Verify and Validate prior to starting execution
+ pre_tasks:
+ - name: Verify Ansible version.
+ assert:
+ that: "ansible_version.full is version_compare('2.12', '>=')"
+ msg: >
+ "You must update Ansible to at least 2.12"
+
+ ####################################################################################
+ tasks:
+
+ - name: Create Apache directories for installing
+ file:
+ path: "{{ item }}"
+ state: directory
+ mode: 0755
+ with_items:
+ - /var/www/html/ignition
+
+ - name: Disable fcontext
+ shell: "semanage fcontext -a -t httpd_sys_rw_content_t /var/www/html/ignition/worker.ign || true"
+ - name: Download the Ignition file
+ block:
+ - name: Loop until TARGET_MTU is correct
+ ansible.builtin.uri:
+ url: "{{ openshift_machine_config_url }}"
+ method: GET
+ return_content: true
+ headers:
+ "Accept": "application/vnd.coreos.ignition+json;version=3.2.0"
+ ignore_errors: true
+ register: result
+ retries: 120
+ delay: 10
+ until: 'result.status in [200] and "TARGET_MTU=9100" in result.content'
+ - name: Downloading the ignition file
+ get_url:
+ url: "{{ openshift_machine_config_url }}"
+ dest: /var/www/html/ignition/worker.ign
+ validate_certs: false
+ headers:
+ "Accept": "application/vnd.coreos.ignition+json;version=3.2.0"
+ ignore_errors: true
+ register: result
+ retries: 120
+ delay: 10
+ until: '"Request failed: " not in result.msg'
+ - name: Downloading the ignition file using a https_proxy
+ get_url:
+ url: "{{ openshift_machine_config_url }}"
+ dest: /var/www/html/ignition/worker.ign
+ validate_certs: false
+ headers:
+ "Accept": "application/vnd.coreos.ignition+json;version=3.2.0"
+ ignore_errors: true
+ environment:
+ https_proxy: http://{{ vpc_support_server_ip }}:3128
+
+ - name: Verify the ignition file exists
+ ansible.builtin.shell: stat /var/www/html/ignition/worker.ign
+
+ - name: Make ignition file readable through the www dir
+ ansible.builtin.file:
+ path: /var/www
+ owner: apache
+ group: apache
+ recurse: true
+ mode: u+rwx,g-rx,o-rx
+
+ - name: Best effort SELinux repair - Apache
+ shell: "restorecon -vR /var/www/html/ignition || true"
\ No newline at end of file
diff --git a/modules/4_pvs_support/pvs_support.tf b/modules/4_pvs_support/pvs_support.tf
index 0bd7d24..72b45cd 100644
--- a/modules/4_pvs_support/pvs_support.tf
+++ b/modules/4_pvs_support/pvs_support.tf
@@ -137,7 +137,7 @@ EOF } resource "null_resource" "wait_on_mcp" { - depends_on = [null_resource.set_routing_via_host] + depends_on = [null_resource.set_routing_via_host, null_resource.adjust_mtu] connection { type = "ssh" user = var.rhel_username
@@ -150,6 +150,8 @@ resource "null_resource" "wait_on_mcp" { # Dev Note: added hardening to the MTU wait, we wait for the condition and then fail provisioner "remote-exec" { inline = [<&1 | grep TARGET_MTU=9100) +while [ -z "$${CHECK_CONFIG}" ] +do + echo "waiting on worker" + sleep 30 + RENDERED_CONFIG=$(oc get mcp/worker -o json | jq -r '.spec.configuration.name') + CHECK_CONFIG=$(oc get mc $${RENDERED_CONFIG} -ojson 2>&1 | grep TARGET_MTU=9100) +done + # Waiting on output oc wait mcp/worker \ --for condition=updated \
@@ -175,6 +187,29 @@ echo '-checking mtu-' oc get network cluster -o yaml | grep 'to: 9100' | awk '{print $NF}' [[ "$(oc get network cluster -o yaml | grep 'to: 9100' | awk '{print $NF}')" == "9100" ]] || false echo "success on wait on mtu change" +EOF + ] + } +} + +# Dev Note: do this as the last step so we get a good worker ignition file downloaded. +resource "null_resource" "latest_ignition" { + depends_on = [null_resource.wait_on_mcp] + connection { + type = "ssh" + user = var.rhel_username + host = var.bastion_public_ip + private_key = file(var.private_key_file) + agent = var.ssh_agent + timeout = "${var.connection_timeout}m" + } + + provisioner "remote-exec" { + inline = [<
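Review bot: In ansible/support/tasks/ignition.yml the TARGET_MTU gate does not bind to the file that gets published: the "Loop until TARGET_MTU is correct" task sets `ignore_errors: true`, so the play continues after 120 failed retries, and the two `get_url` tasks then fetch the config again in separate requests with `validate_certs: false`. The copy written to /var/www/html/ignition/worker.ign is therefore never checked for the marker and comes from an endpoint whose certificate was not verified, which matters if, as the Apache path suggests, workers are later provisioned from it. I would drop `ignore_errors: true` from the gate task, replace the `stat` check with a content check on the saved file such as `ansible.builtin.command: grep -q 'TARGET_MTU=9100' /var/www/html/ignition/worker.ign`, and validate the machine-config endpoint against the cluster CA instead of disabling verification. The https_proxy download has no `when:` and so also runs after a successful direct download; a condition on the previous task's result would make it a real fallback.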