diff --git a/README.md b/README.md index 95da6155..f4212198 100644 --- a/README.md +++ b/README.md @@ -106,7 +106,7 @@ Note that you can use the baseplan `kcli_plan_infra.yml` to deploy the infrastru |disconnected_community_operators_version |None | |disconnected_extra_catalogs |[] | |disconnected_extra_images |[] | -|disconnected_extra_releases |[] | +|disconnected_extra_release |None | |disconnected_marketplace_operators |[] | |disconnected_marketplace_operators_version |None | |disconnected_operators |[] | @@ -128,7 +128,6 @@ Note that you can use the baseplan `kcli_plan_infra.yml` to deploy the infrastru |go_version |1.13.8 | |http_proxy |None | |image |centos9stream | -|imagecontentsources |[] | |imageregistry |False | |installer_disk_size |None | |installer_ip |None | diff --git a/install-config.yaml b/install-config.yaml index 5344669b..ee15729e 100644 --- a/install-config.yaml +++ b/install-config.yaml @@ -85,11 +85,16 @@ additionalTrustBundle: | {{ ca | certificate | replace('\n', '\n ') }} {% endfor %} {% endif %} -{% if imagecontentsources %} +{% if disconnected or disconnected_url != None %} imageContentSources: -{% for source in imagecontentsources %} - mirrors: - - {{ source }} - source: image-registry.openshift-image-registry.svc:5000/openshift/{{ source | basename | replace("openshift-", "")}} -{% endfor %} + - REGISTRY:PORT/openshift-release-dev/ocp-v4.0-art-dev + - REGISTRY:PORT/openshift/release + source: quay.io/openshift-release-dev/ocp-v4.0-art-dev +- mirrors: + - REGISTRY:PORT/openshift-release-dev + source: {{ 'registry.ci.openshift.org/ocp/release' if version == 'ci' else 'quay.io/openshift-release-dev' }} +- mirrors: + - REGISTRY:PORT/openshift/release-images + source: quay.io/openshift-release-dev/ocp-release {% endif %} diff --git a/scripts/mirror-config.yaml.sample b/mirror-config.yaml similarity index 69% rename from scripts/mirror-config.yaml.sample rename to mirror-config.yaml index 9bdd0e4b..6270ffc5 100644 
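Review bot: The new imageContentSources block in install-config.yaml is rendered under `{% if disconnected or disconnected_url != None %}` but carries the literal `REGISTRY:PORT` placeholder, which is only rewritten by the `sed -i "s/REGISTRY:PORT/$REGISTRY:$REGISTRY_PORT/"` in scripts/05_mirror.sh, and launch_steps.sh runs that script only `{% if disconnected %}`. If a plan can set disconnected_url without disconnected, the rendered install-config keeps the placeholder and the installer is pointed at a registry literally named REGISTRY:PORT; tightening the guard to `{% if disconnected %}`, or rendering the host from the template when disconnected_url is known, avoids that. Nothing in this file says the value is a placeholder, so a comment above the block such as `{# REGISTRY:PORT is substituted by scripts/05_mirror.sh; keep both in sync #}` would help the next reader.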
--- a/scripts/mirror-config.yaml.sample +++ b/mirror-config.yaml 
@@ -1,24 +1,38 @@ -apiVersion: mirror.openshift.io/v1alpha2 +{% set release = '4.' + (tag|string).split('.')[1] if tag|count('.') > 1 else tag %} + +apiVersion: mirror.openshift.io/v2alpha1 kind: ImageSetConfiguration -storageConfig: - registry: - imageURL: $LOCAL_REGISTRY/openshift/release/metadata:latest mirror: - #platform: - # channels: - # - name: stable-4.10 - # minVersion: 4.10.24 - # maxVersion: 4.10.24 - # graph: true + platform: + graph: false +{% if version in ['ci', 'nightly'] %} + release: registry.ci.openshift.org/ocp/release:{{ tag }} +{% else %} + channels: + - name: {{ 'candidate' if 'rc' in tag else version }}-{{ release }} +{% if tag|count('.') > 1 %} + minVersion: {{ (disconnected_extra_release or tag)|min_ocp_version(tag) }} + maxVersion: {{ (disconnected_extra_release or tag)|max_ocp_version(tag) }} +{% endif %} +{% endif %} + architectures: +# - multi + - amd64 + additionalImages: +{% for image in extra_images|default([]) %} + - name: {{ image }} +{% endfor %} +{% set operators = disconnected_operators|default([]) + disconnected_certified_operators|default([]) + disconnected_community_operators|default([]) + disconnected_marketplace_operators|default([]) %} +{% if operators %} operators: -{% if disconnected_operators %} -{% set catalog = 'quay.io/prega/prega-operator-index' if prega else 'registry.redhat.io/redhat/redhat-operator-index' %} - - catalog: {{ catalog }}:{{ disconnected_operators_version or 'v${OCP_RELEASE}' }} +{% if disconnected_operators|default([]) %} +{% set catalog = 'quay.io/prega/prega-operator-index' if prega|default(False) else 'registry.redhat.io/redhat/redhat-operator-index' %} + - catalog: {{ catalog }}:{{ disconnected_operators_version or "v%s" % OPENSHIFT_TAG }} packages: {% for package in disconnected_operators %} {% if package.name is defined %} - name: {{ package.name }} -{% else %} +{% else %}{# Comment: Support old syntax #} - name: {{ package }} {% endif %} {% if package.minVersion is defined %} 
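Review bot: The additionalImages loop iterates `extra_images|default([])`, but the plan parameter documented in README.md and kcli_plan_default.yml is `disconnected_extra_images`, which the deleted 04_disconnected_mirror.sh used for the same purpose; unless `extra_images` is defined elsewhere, the list is always empty and extra images silently stop being mirrored, so the loop should read `{% for image in disconnected_extra_images|default([]) %}`. Emitting `additionalImages:` with no entries also leaves an empty key in the ImageSetConfiguration, so the key is better wrapped in the same `{% if %}` as its items. Separately, `tag|count('.')` appears twice in this hunk; Jinja's builtin `count` is an alias of `length` and takes no argument, so unless kcli registers its own `count` filter this fails at render time, and `(tag|string).count('.') > 1` (the `split('.')|length > 2` form used in 05_mirror.sh is equivalent) is the safe spelling.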
@@ -41,12 +55,8 @@ mirror: {% endif %} {% endfor %} {% endif %} -{% if disconnected_certified_operators %} -{% if disconnected_certified_operators_version %} - - catalog: registry.redhat.io/redhat/certified-operator-index:{{ disconnected_certified_operators_version }} -{% else %} - - catalog: registry.redhat.io/redhat/certified-operator-index:v${OCP_RELEASE} -{% endif %} +{% if disconnected_certified_operators|default([]) %} + - catalog: registry.redhat.io/redhat/certified-operator-index:{{ disconnected_certified_operators_version or "v%s" % OPENSHIFT_TAG }} packages: {% for package in disconnected_certified_operators %} {% if package.name is defined %} @@ -74,12 +84,8 @@ mirror: {% endif %} {% endfor %} {% endif %} -{% if disconnected_community_operators %} -{% if disconnected_community_operators_version %} - - catalog: registry.redhat.io/redhat/community-operator-index:{{ disconnected_community_operators_version }} -{% else %} - - catalog: registry.redhat.io/redhat/community-operator-index:v${OCP_RELEASE} -{% endif %} +{% if disconnected_community_operators|default([]) %} + - catalog: registry.redhat.io/redhat/community-operator-index:{{ disconnected_community_operators_version or "v%s" % OPENSHIFT_TAG }} packages: {% for package in disconnected_community_operators %} {% if package.name is defined %} @@ -107,12 +113,8 @@ mirror: {% endif %} {% endfor %} {% endif %} -{% if disconnected_marketplace_operators %} -{% if disconnected_marketplace_operators_version %} - - catalog: registry.redhat.io/redhat/redhat-marketplace-index:{{ disconnected_marketplace_operators_version }} -{% else %} - - catalog: registry.redhat.io/redhat/redhat-marketplace-index:v${OCP_RELEASE} -{% endif %} +{% if disconnected_marketplace_operators|default([]) %} + - catalog: registry.redhat.io/redhat/redhat-marketplace-index:{{ disconnected_marketplace_operators_version or "v%s" % OPENSHIFT_TAG }} packages: {% for package in disconnected_marketplace_operators %} {% if package.name is defined %} 
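Review bot: The catalog lines in these three hunks (certified, community and marketplace, plus the redhat-operator-index line in the first hunk of this file) now fall back to `"v%s" % OPENSHIFT_TAG`, a plan constant defaulting to 4.17 in kcli_plan_default.yml, where the old template used `v${OCP_RELEASE}` derived from the installed release; a cluster deployed with another `tag` therefore mirrors an operator index built for a different OpenShift minor unless the user also remembers to override OPENSHIFT_TAG. If the `release` value computed at the top of the file is suitable for this purpose, `{{ disconnected_certified_operators_version or "v%s" % release }}` keeps catalog and cluster in step without a second knob. If OPENSHIFT_TAG is intended to be that knob, a comment next to its definition stating that it must match the cluster minor would at least make the coupling visible.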
@@ -140,7 +142,8 @@ mirror: {% endif %} {% endfor %} {% endif %} -{% if disconnected_extra_catalogs %} +{% endif %} +{% if disconnected_extra_catalogs|default([]) %} {% for catalog_image in disconnected_extra_catalogs %} - catalog: {{ catalog_image }} {% endfor %} diff --git a/mirror-registry/quay_haproxy.cfg b/mirror-registry/quay_haproxy.cfg deleted file mode 100644 index aef20aa6..00000000 --- a/mirror-registry/quay_haproxy.cfg +++ /dev/null @@ -1,28 +0,0 @@ -global - log 127.0.0.1 local2 - maxconn 4000 - daemon - -defaults - mode http - log global - option httplog - option dontlognull - option http-server-close - option forwardfor except 127.0.0.0/8 - option redispatch - retries 3 - timeout http-request 10s - timeout queue 1m - timeout connect 10s - timeout client 1m - timeout server 1m - timeout http-keep-alive 10s - timeout check 10s - maxconn 3000 - -listen quay-8443 - bind :::8443 v6only - mode tcp - balance source - server localhost 127.0.0.1:8443 check inter 1s diff --git a/mirror-registry/quay_haproxy.service b/mirror-registry/quay_haproxy.service deleted file mode 100644 index 43aee937..00000000 --- a/mirror-registry/quay_haproxy.service +++ /dev/null @@ -1,29 +0,0 @@ -[Unit] -Description=Haproxy Podman Container for Quay -Wants=network.target -After=network-online.target - -[Service] -Type=simple -TimeoutStartSec=5m -ExecStartPre=-/bin/rm -f %t/%n-pid %t/%n-cid -ExecStart=/usr/bin/podman run \ - --name quay-haproxy \ - -v /etc/quay-install/haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg \ - --net host --privileged \ - --pod=quay-pod \ - --conmon-pidfile %t/%n-pid \ - --cidfile %t/%n-cid \ - --cgroups=no-conmon \ - --replace \ - quay.io/karmab/haproxy:latest - -ExecStop=-/usr/bin/podman stop --ignore --cidfile %t/%n-cid -t 10 -ExecStopPost=-/usr/bin/podman rm --ignore -f --cidfile %t/%n-cid -PIDFile=%t/%n-pid -KillMode=none -Restart=always -RestartSec=30 - -[Install] -WantedBy=multi-user.target default.target 
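Review bot: After the added `{% endif %}` closes `{% if operators %}`, the `- catalog: {{ catalog_image }}` items from disconnected_extra_catalogs are rendered outside that block, but the `operators:` key is only emitted inside it; with extra catalogs set and all four operator lists empty, as far as the hunk shows, the items appear with no parent key, which is invalid YAML at best and attaches them to the previous key at worst. Including the extra catalogs in the guard, `{% set operators = ... + disconnected_marketplace_operators|default([]) + disconnected_extra_catalogs|default([]) %}`, and moving the added `{% endif %}` to after the extra-catalog loop keeps them under `operators:`. The `{% set operators %}` line itself belongs to the first hunk of this file.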
diff --git a/plans/kcli_plan.yml b/plans/kcli_plan.yml index 248babdb..b47e4b9a 100644 --- a/plans/kcli_plan.yml +++ b/plans/kcli_plan.yml @@ -86,7 +86,10 @@ path: /root/ocp/auth/kubeconfig {% endif %} - agent-config.yaml - - install-config.yaml + - install-config.yaml +{% if disconnected %} + - mirror-config.yaml +{% endif %} {% if motd != None %} - path: /etc/motd origin: {{ motd }} diff --git a/plans/kcli_plan_default.yml b/plans/kcli_plan_default.yml index e6d7f7ea..f7ef923c 100644 --- a/plans/kcli_plan_default.yml +++ b/plans/kcli_plan_default.yml @@ -7,7 +7,7 @@ info: | api_ip and ingress_ip need to be set along with ctlplanes and workers array to specify your nodes. Nfs can be set to true to deploy nfs provisioner using a share on the installer vm default network type is OVNKubernetes but you can also specify OpenShiftSDN - You can also use ca and imagecontentsources to customize your environments or drop specific manifests in the manifests directory + You can also use ca or drop specific manifests in the manifests directory If using virtual ctlplanes, the ctlplanes array can be omitted. For virtual hub, You can force the mac of your ctlplanes and workers version can be set to stable, nightly, candidate or ci, along with tag, to gather the binary from public sources. @@ -60,14 +60,13 @@ disconnected_community_operators_version: disconnected_marketplace_operators_version: disconnected_extra_images: [] disconnected_extra_catalogs: [] -disconnected_extra_releases: [] +disconnected_extra_release: disconnected_clean_pull_secret: false prega: false nfs: false imageregistry: false go_version: 1.13.8 prs: [] -imagecontentsources: [] fips: false cas: [] dns: false @@ -90,6 +89,7 @@ wait_for_workers_number: wait_for_workers_timeout: 3600 manifests_dir: manifests workflow_installer: false +OPENSHIFT_TAG: 4.17 acm: true gitops_user: dummy diff --git a/scripts/02_packages.sh b/scripts/02_packages.sh index a05b881e..8839d366 100755 --- a/scripts/02_packages.sh 
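Review bot: `OPENSHIFT_TAG: 4.17` in kcli_plan_default.yml is an unquoted YAML scalar, so it loads as the float 4.17 and only round-trips by luck; a user overriding it with `4.10` or `4.20` gets `4.1`/`4.2` in the `"v%s" % OPENSHIFT_TAG` catalog tags of mirror-config.yaml, and the `tag|string` casts in that template suggest the same hazard already exists for `tag`. Quote it, `OPENSHIFT_TAG: '4.17'`, and consider a lowercase name matching the rest of the parameter table, since it is the only upper-case key visible in the file and it does not appear in the README hunk. The new `disconnected_extra_release:` default also has no entry in the info text; a one-liner saying what it expects (mirror-config.yaml feeds it to min_ocp_version/max_ocp_version, so presumably a version string, to be confirmed) would help.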
+++ b/scripts/02_packages.sh @@ -3,8 +3,7 @@ set -euo pipefail dnf -y copr enable karmab/kcli -dnf -y copr enable karmab/aicli -dnf -y install libvirt-libs libvirt-client mkisofs tmux make git bash-completion vim-enhanced nmstate python3 podman skopeo httpd bind-utils kcli aicli net-tools +dnf -y install libvirt-libs libvirt-client mkisofs tmux make git bash-completion vim-enhanced nmstate python3 podman skopeo httpd bind-utils kcli net-tools systemctl enable --now httpd diff --git a/scripts/04_disconnected_mirror.sh b/scripts/04_disconnected_mirror.sh deleted file mode 100755 index e7ced25a..00000000 --- a/scripts/04_disconnected_mirror.sh +++ /dev/null 
@@ -1,91 +0,0 @@ -#!/usr/bin/env bash - -set -euo pipefail - -PRIMARY_NIC=$(ls -1 /sys/class/net | grep 'eth\|en' | head -1) -export IP=$(ip -o addr show $PRIMARY_NIC | head -1 | awk '{print $4}' | cut -d'/' -f1) -export PATH=/root/bin:$PATH -export PULL_SECRET="/root/openshift_pull.json" -{% if disconnected_url != None %} -{% set registry_port = disconnected_url.split(':')[-1] %} -{% set registry_name = disconnected_url|replace(":" + registry_port, '') %} -REGISTRY_NAME={{ registry_name }} -REGISTRY_PORT={{ registry_port }} -REGISTRY_USER={{ disconnected_user }} -REGISTRY_PASSWORD={{ disconnected_password }} -KEY=$(echo -n $REGISTRY_USER:$REGISTRY_PASSWORD | base64) -echo "{\"auths\": {\"$REGISTRY_NAME:$REGISTRY_PORT\": {\"auth\": \"$KEY\", \"email\": \"jhendrix@karmalabs.corp\"}}}" > /root/disconnected_pull.json -mv /root/openshift_pull.json /root/openshift_pull.json.old -jq ".auths += {\"$REGISTRY_NAME:$REGISTRY_PORT\": {\"auth\": \"$KEY\",\"email\": \"jhendrix@karmalabs.corp\"}}" < /root/openshift_pull.json.old > $PULL_SECRET -mkdir -p /opt/registry/certs -openssl s_client -showcerts -connect $REGISTRY_NAME:$REGISTRY_PORT /dev/null|openssl x509 -outform PEM > /opt/registry/certs/domain.crt -cp /opt/registry/certs/domain.crt /etc/pki/ca-trust/source/anchors -update-ca-trust extract -{% else %} -REGISTRY_NAME={{ "registry.%s.%s" % (cluster, domain) if dns else "$(echo $IP | sed 's/\./-/g' | sed 's/:/-/g').sslip.io" }} -REGISTRY_PORT=5000 -{% endif %} - -export OPENSHIFT_RELEASE_IMAGE=$(openshift-install version | grep 'release image' | awk -F ' ' '{print $3}') -export LOCAL_REG="$REGISTRY_NAME:$REGISTRY_PORT" -export OCP_RELEASE=$(openshift-install version | head -1 | cut -d' ' -f2)-x86_64 -export MINOR=$(echo $OCP_RELEASE | cut -d. 
-f1,2) -oc adm release mirror -a $PULL_SECRET --from=$OPENSHIFT_RELEASE_IMAGE --to-release-image=${LOCAL_REG}/openshift/release-images:${OCP_RELEASE} --to=${LOCAL_REG}/openshift/release - -{% for release in disconnected_extra_releases %} -EXTRA_OCP_RELEASE={{ release.split(':')[1] }} -oc adm release mirror -a $PULL_SECRET --from={{ release }} --to-release-image=${LOCAL_REG}/openshift/release-images:${EXTRA_OCP_RELEASE} --to=${LOCAL_REG}/openshift/release -{% endfor %} - -if [ "$(grep imageContentSources /root/install-config.yaml)" == "" ] ; then -cat << EOF >> /root/install-config.yaml -imageContentSources: -- mirrors: - - $REGISTRY_NAME:$REGISTRY_PORT/openshift/release - source: quay.io/openshift-release-dev/ocp-v4.0-art-dev -- mirrors: - - $REGISTRY_NAME:$REGISTRY_PORT/openshift/release-images -{% if version == 'ci' %} - source: registry.ci.openshift.org/ocp/release -{% elif version == 'nightly' %} - source: quay.io/openshift-release-dev/ocp-release-nightly -{% else %} - source: quay.io/openshift-release-dev/ocp-release -{% endif %} -EOF -else - IMAGECONTENTSOURCES="- mirrors:\n - $REGISTRY_NAME:$REGISTRY_PORT/openshift/release\n source: quay.io/openshift-release-dev/ocp-v4.0-art-dev\n- mirrors:\n - $REGISTRY_NAME:$REGISTRY_PORT/openshift/release-images\n source: registry.ci.openshift.org/ocp/release" - sed -i "/imageContentSources/a${IMAGECONTENTSOURCES}" /root/install-config.yaml -fi - -if [ "$(grep additionalTrustBundle /root/install-config.yaml)" == "" ] ; then - echo "additionalTrustBundle: |" >> /root/install-config.yaml - sed -e 's/^/ /' /opt/registry/certs/domain.crt >> /root/install-config.yaml -else - LOCALCERT="-----BEGIN CERTIFICATE-----\n $(grep -v CERTIFICATE /opt/registry/certs/domain.crt | tr -d '[:space:]')\n -----END CERTIFICATE-----" - sed -i "/additionalTrustBundle/a${LOCALCERT}" /root/install-config.yaml - sed -i 's/^-----BEGIN/ -----BEGIN/' /root/install-config.yaml -fi -echo 
$REGISTRY_NAME:$REGISTRY_PORT/openshift/release-images:$OCP_RELEASE > /root/version.txt - -if [ "$(grep pullSecret /root/install-config.yaml)" == "" ] ; then -DISCONNECTED_PULLSECRET=$(cat /root/disconnected_pull.json | tr -d [:space:]) -echo -e "pullSecret: |\n $DISCONNECTED_PULLSECRET" >> /root/install-config.yaml -fi - -cp /root/machineconfigs/99-operatorhub.yaml /root/manifests - -SITE_GENERATE_TAG={{ '4.17' if version in ['candidate', 'ci'] else '$MINOR' }} -{% for image in disconnected_extra_images + ['quay.io/edge-infrastructure/assisted-installer-agent:latest', 'quay.io/edge-infrastructure/assisted-installer:latest', 'quay.io/edge-infrastructure/assisted-installer-controller:latest', 'registry.redhat.io/rhel9/support-tools', 'quay.io/mavazque/gitea:1.17.3', 'registry.redhat.io/openshift4/ztp-site-generate-rhel8:v$SITE_GENERATE_TAG' ] %} -echo "Syncing image {{ image }}" -/root/bin/sync_image.sh {{ image }} -{% endfor %} - -oc adm release extract --registry-config /root/openshift_pull.json --command=openshift-install --to . $REGISTRY_NAME:$REGISTRY_PORT/openshift/release-images:$OCP_RELEASE --insecure -mv -f openshift-install /bin - -## TEMP HACK -export RHCOS_ISO=$(openshift-install coreos print-stream-json | jq -r '.["architectures"]["x86_64"]["artifacts"]["metal"]["formats"]["iso"]["disk"]["location"]') -export RHCOS_ROOTFS=$(openshift-install coreos print-stream-json | jq -r '.["architectures"]["x86_64"]["artifacts"]["metal"]["formats"]["pxe"]["rootfs"]["location"]') -curl -Lk $RHCOS_ISO > /var/www/html/rhcos-live.x86_64.iso -curl -Lk $RHCOS_ROOTFS > /var/www/html/rhcos-live-rootfs.x86_64.img diff --git a/scripts/04_disconnected_olm.sh b/scripts/04_disconnected_olm.sh deleted file mode 100755 index 6e169065..00000000 --- a/scripts/04_disconnected_olm.sh +++ /dev/null 
@@ -1,83 +0,0 @@ -#!/usr/bin/env bash - -cd /root -export PATH=/root/bin:$PATH -export OCP_RELEASE="$(openshift-install version | head -1 | cut -d' ' -f2 | cut -d'.' -f 1,2)" -{% if disconnected_operators_version != None %} -export OCP_RELEASE="{{ disconnected_operators_version }}" -{% endif %} -export OCP_PULLSECRET_AUTHFILE='/root/openshift_pull.json' -{% if disconnected_url != None %} -{% set registry_port = disconnected_url.split(':')[-1] %} -{% set registry_name = disconnected_url|replace(":" + registry_port, '') %} -REGISTRY_NAME={{ registry_name }} -REGISTRY_PORT={{ registry_port }} -{% elif dns %} -REGISTRY_NAME=registry.{{ cluster }}.{{ domain }} -REGISTRY_PORT=5000 -{% else %} -PRIMARY_NIC=$(ls -1 /sys/class/net | grep 'eth\|en' | head -1) -IP=$(ip -o addr show $PRIMARY_NIC | head -1 | awk '{print $4}' | cut -d'/' -f1) -REGISTRY_NAME=$(echo $IP | sed 's/\./-/g' | sed 's/:/-/g').sslip.io -REGISTRY_PORT=5000 -{% endif %} -export LOCAL_REGISTRY=$REGISTRY_NAME:$REGISTRY_PORT -export IMAGE_TAG=olm - -# Add extra registry keys -curl -o /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-isv https://www.redhat.com/security/data/55A34A82.txt -jq ".transports.docker += {\"registry.redhat.io/redhat/certified-operator-index\": [{\"type\": \"signedBy\",\"keyType\": \"GPGKeys\",\"keyPath\": \"/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-isv\"}], \"registry.redhat.io/redhat/community-operator-index\": [{\"type\": \"signedBy\",\"keyType\": \"GPGKeys\",\"keyPath\": \"/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-isv\"}], \"registry.redhat.io/redhat/redhat-marketplace-operator-index\": [{\"type\": \"signedBy\",\"keyType\": \"GPGKeys\",\"keyPath\": \"/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-isv\"}]}" < /etc/containers/policy.json > /etc/containers/policy.json.new -mv /etc/containers/policy.json.new /etc/containers/policy.json - -# Login registries -REGISTRY_USER={{ disconnected_user }} -REGISTRY_PASSWORD={{ disconnected_password }} -podman login -u $REGISTRY_USER -p $REGISTRY_PASSWORD $LOCAL_REGISTRY 
-REDHAT_CREDS=$(cat /root/openshift_pull.json | jq .auths.\"registry.redhat.io\".auth -r | base64 -d) -RHN_USER=$(echo $REDHAT_CREDS | cut -d: -f1) -RHN_PASSWORD=$(echo $REDHAT_CREDS | cut -d: -f2) -podman login -u "$RHN_USER" -p "$RHN_PASSWORD" registry.redhat.io - -which oc-mirror >/dev/null 2>&1 -if [ "$?" != "0" ] ; then - TARGET={{ 'ocp-dev-preview' if version == 'candidate' else 'ocp' }} - LONG_RELEASE={{ 'stable-4.17' if version == 'ci' else "$(cat /root/version.txt | awk -F: '{print $NF}' | rev | cut -d'-' -f2- | rev)" }} - curl -sL https://mirror.openshift.com/pub/openshift-v4/x86_64/clients/$TARGET/$LONG_RELEASE/oc-mirror.tar.gz | tar xvz -C /usr/bin - chmod +x /usr/bin/oc-mirror -fi - -mkdir -p /root/.docker -cp -f /root/openshift_pull.json /root/.docker/config.json - -envsubst < /root/scripts/mirror-config.yaml.sample > /root/mirror-config.yaml - -rm -rf /root/oc-mirror-workspace || true -oc-mirror --config /root/mirror-config.yaml --max-per-registry 20 --ignore-history --max-nested-paths 5 docker://$LOCAL_REGISTRY > /tmp/mirror-registry-output || oc-mirror --config /root/mirror-config.yaml --max-per-registry 20 --ignore-history --max-nested-paths 5 docker://$LOCAL_REGISTRY > /tmp/mirror-registry-output || oc-mirror --config /root/mirror-config.yaml --max-per-registry 20 --ignore-history --max-nested-paths 5 docker://$LOCAL_REGISTRY > /tmp/mirror-registry-output - -# When there are no new images to be mirrored, oc-mirror will not generate the icsp and catalogsource files, so we need to get them generated by ourselves -if [ $(grep -c "No new images detected" /tmp/mirror-registry-output) -eq 1 ] ; then - # If no new images, we will generate the icsp and catalogsource from the mapping file generated by the command below - oc-mirror --config /root/mirror-config.yaml --max-per-registry 20 --ignore-history --dry-run docker://$LOCAL_REGISTRY - # Above command generates this file /root/oc-mirror-workspace/mapping.txt, we create a folder for our results - mkdir 
-p /root/oc-mirror-workspace/results-mapping/ - # We run the python script that reads the mapping.txt and the mirror-config file to output the icsp and the catalogsource - python3 /root/bin/mapping_to_icsp.py -m /root/oc-mirror-workspace/mapping.txt -o /root/oc-mirror-workspace/results-mapping/ -c /root/mirror-config.yaml -fi - -{% if prega %} -[ ! -d /root/idms ] || rm -rf /root/idms -mkdir /root/idms -sed -i -e '/source:/!b;/bundle/b;/cincinnati/b;s,quay.io/prega/test/,registry.redhat.io/,' /root/oc-mirror-workspace/results-*/*imageContentSourcePolicy.yaml -oc adm migrate icsp /root/oc-mirror-workspace/results-*/*imageContentSourcePolicy.yaml --dest-dir /root/idms -{% endif %} - -oc apply -f /root/oc-mirror-workspace/results-*/*imageContentSourcePolicy.yaml 2>/dev/null || cp /root/oc-mirror-workspace/results-*/*imageContentSourcePolicy.yaml /root/manifests -if [ -d /root/idms ] ; then - oc apply -f /root/idms/* 2>/dev/null || cp /root/idms/* /root/manifests -fi -oc apply -f /root/oc-mirror-workspace/results-*/*catalogSource* 2>/dev/null || cp /root/oc-mirror-workspace/results-*/*catalogSource* /root/manifests - -{% if disconnected_clean_pull_secret %} -rm -rf /root/openshift_pull.json.old -cp -f /root/disconnected_pull.json /root/openshift_pull.json -{% endif %} diff --git a/scripts/04_disconnected_registry.sh b/scripts/04_registry.sh similarity index 73% rename from scripts/04_disconnected_registry.sh rename to scripts/04_registry.sh index 5186b27d..101b936a 100755 --- a/scripts/04_disconnected_registry.sh +++ b/scripts/04_registry.sh 
@@ -4,20 +4,18 @@ set -euo pipefail PRIMARY_NIC=$(ls -1 /sys/class/net | grep -v podman | head -1) export PATH=/root/bin:$PATH -export PULL_SECRET="/root/openshift_pull.json" dnf -y install httpd-tools jq skopeo libseccomp-devel -{% if dns %} -REGISTRY_NAME=registry.{{ cluster }}.{{ domain }} +{% if disconnected_url != None %} +REGISTRY={{ disconnected_url }} +{% elif dns %} +REGISTRY=registry.{{ cluster }}.{{ domain }} {% else %} export IP=$(ip -o addr show $PRIMARY_NIC | head -1 | awk '{print $4}' | cut -d'/' -f1) -REGISTRY_NAME=$(echo $IP | sed 's/\./-/g' | sed 's/:/-/g').sslip.io +REGISTRY=$(echo $IP | sed 's/\./-/g' | sed 's/:/-/g').sslip.io {% endif %} REGISTRY_USER={{ disconnected_user }} REGISTRY_PASSWORD={{ disconnected_password }} -KEY=$(echo -n $REGISTRY_USER:$REGISTRY_PASSWORD | base64) -echo "{\"auths\": {\"$REGISTRY_NAME:5000\": {\"auth\": \"$KEY\", \"email\": \"jhendrix@karmalabs.corp\"}}}" > /root/disconnected_pull.json -mv /root/openshift_pull.json /root/openshift_pull.json.old -jq ".auths += {\"$REGISTRY_NAME:5000\": {\"auth\": \"$KEY\",\"email\": \"jhendrix@karmalabs.corp\"}}" < /root/openshift_pull.json.old > $PULL_SECRET + mkdir -p /opt/registry/{auth,certs,data,conf} cat < /opt/registry/conf/config.yml version: 0.1 @@ -44,7 +42,7 @@ compatibility: schema1: enabled: true EOF -openssl req -newkey rsa:4096 -nodes -sha256 -keyout /opt/registry/certs/domain.key -x509 -days 3650 -out /opt/registry/certs/domain.crt -subj "/C=US/ST=Madrid/L=San Bernardo/O=Karmalabs/OU=Guitar/CN=$REGISTRY_NAME" -addext "subjectAltName=DNS:$REGISTRY_NAME" +openssl req -newkey rsa:4096 -nodes -sha256 -keyout /opt/registry/certs/domain.key -x509 -days 3650 -out /opt/registry/certs/domain.crt -subj "/C=US/ST=Madrid/L=San Bernardo/O=Karmalabs/OU=Guitar/CN=$REGISTRY" -addext "subjectAltName=DNS:$REGISTRY" cp /opt/registry/certs/domain.crt /etc/pki/ca-trust/source/anchors/ update-ca-trust extract htpasswd -bBc /opt/registry/auth/htpasswd $REGISTRY_USER $REGISTRY_PASSWORD 
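Review bot: In the new `{% if disconnected_url != None %}` branch `REGISTRY={{ disconnected_url }}` takes the raw value, while 05_mirror.sh splits the same variable on `:` to separate host and port; if disconnected_url carries a port, the self-signed certificate generated in the second hunk gets `CN=$REGISTRY` and `subjectAltName=DNS:host:port`, which no client will match against the hostname. Strip the port here as well, `REGISTRY={{ disconnected_url.split(':')[0] }}`, or document on the parameter that it must be a bare hostname. The `htpasswd -bBc ... $REGISTRY_USER $REGISTRY_PASSWORD` context line still passes the password unquoted on the command line, where it is visible in the process list; that predates this change, but quoting the two variables is cheap while the block is being touched.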
diff --git a/scripts/05_mirror.sh b/scripts/05_mirror.sh new file mode 100755 index 00000000..f47ee2db --- /dev/null +++ b/scripts/05_mirror.sh 
@@ -0,0 +1,105 @@ +#!/usr/bin/env bash + +export HOME=/root +cd $HOME +export PATH=/root/bin:$PATH + +REGISTRY_PORT=5000 +REGISTRY_USER={{ disconnected_user }} +REGISTRY_PASSWORD={{ disconnected_password }} + +{% if disconnected_url != None %} +{% set registry_port = disconnected_url.split(':')[-1] %} +{% set registry = disconnected_url.split(':')[0] %} +REGISTRY={{ registry }} +REGISTRY_PORT={{ registry_port }} +mkdir -p /opt/registry/certs +openssl s_client -showcerts -connect $REGISTRY:$REGISTRY_PORT /dev/null|openssl x509 -outform PEM > /opt/registry/certs/domain.crt +cp /opt/registry/certs/domain.crt /etc/pki/ca-trust/source/anchors +update-ca-trust extract +{% elif dns %} +REGISTRY=registry.{{ cluster }}.{{ domain }} +{% else %} +IP=$(ip -o addr show eth0 | grep -v '169.254\|fe80::' | tail -1 | awk '{print $4}' | cut -d'/' -f1) +REGISTRY=$(echo $IP | sed 's/\./-/g' | sed 's/:/-/g').sslip.io +{% endif %} + +KEY=$(echo -n $REGISTRY_USER:$REGISTRY_PASSWORD | base64) +mv /root/openshift_pull.json /root/openshift_pull.json.old +jq ".auths += {\"$REGISTRY:$REGISTRY_PORT\": {\"auth\": \"$KEY\",\"email\": \"jhendrix@karmalabs.corp\"}}" < /root/openshift_pull.json.old > /root/openshift_pull.json + +# Add extra registry keys +curl -Lo /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-isv https://www.redhat.com/security/data/55A34A82.txt +jq ".transports.docker += {\"registry.redhat.io/redhat/certified-operator-index\": [{\"type\": \"signedBy\",\"keyType\": \"GPGKeys\",\"keyPath\": \"/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-isv\"}], \"registry.redhat.io/redhat/community-operator-index\": [{\"type\": \"signedBy\",\"keyType\": \"GPGKeys\",\"keyPath\": \"/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-isv\"}], \"registry.redhat.io/redhat/redhat-marketplace-operator-index\": [{\"type\": \"signedBy\",\"keyType\": \"GPGKeys\",\"keyPath\": \"/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-isv\"}]}" < /etc/containers/policy.json > /etc/containers/policy.json.new +mv /etc/containers/policy.json.new 
/etc/containers/policy.json + +{% if version == 'ci' %} +export OCP_RELEASE={{ tag }} + +{% elif version in ['nightly', 'stable'] %} + +{% set tag = tag|string %} +{% if tag.split('.')|length > 2 %} +TAG={{ tag }} +{% else %} +{% set prefix = 'latest' if version == 'nightly' else 'stable' %} +TAG={{ prefix + '-' + tag }} +{% endif %} +curl -Ls https://mirror.openshift.com/pub/openshift-v4/clients/ocp/$TAG/release.txt > /tmp/release.txt +OCP_RELEASE=$(grep 'Name:' /tmp/release.txt | awk -F ' ' '{print $2}')-x86_64 + +{% elif version == 'candidate' %} +curl -Ls https://mirror.openshift.com/pub/openshift-v4/clients/ocp-dev-preview/{{ tag }}/release.txt > /tmp/release.txt +OCP_RELEASE=$(grep 'Name:' /tmp/release.txt | awk -F ' ' '{print $2}')-x86_64 +{% endif %} + +{% if version == 'ci' %} +{% set namespace = 'ocp/release' %} +{% elif version == 'candidate' %} +{% set namespace = 'openshift/release-images' %} +{% else %} +{% set namespace = 'openshift-release-dev/ocp-release' %} +{% endif %} +NAMESPACE={{ namespace }} +echo $REGISTRY:$REGISTRY_PORT/$NAMESPACE:$OCP_RELEASE > /root/version.txt + +REGISTRY_USER={{ disconnected_user }} +REGISTRY_PASSWORD={{ disconnected_password }} +podman login -u $REGISTRY_USER -p $REGISTRY_PASSWORD $REGISTRY:$REGISTRY_PORT +REDHAT_CREDS=$(cat /root/openshift_pull.json | jq .auths.\"registry.redhat.io\".auth -r | base64 -d) +RHN_USER=$(echo $REDHAT_CREDS | cut -d: -f1) +RHN_PASSWORD=$(echo $REDHAT_CREDS | cut -d: -f2) +podman login -u "$RHN_USER" -p "$RHN_PASSWORD" registry.redhat.io + +which oc-mirror >/dev/null 2>&1 +if [ "$?" 
!= "0" ] ; then + OPENSHIFT_TAG=4.17 + curl -Ls https://mirror.openshift.com/pub/openshift-v4/x86_64/clients/ocp/stable-$OPENSHIFT_TAG/oc-mirror.tar.gz | tar xvz -C /usr/bin + chmod +x /usr/bin/oc-mirror +fi + +mkdir -p /root/.docker +cp -f /root/openshift_pull.json /root/.docker/config.json + +oc-mirror --v2 --workspace file:// --config=mirror-config.yaml docker://$REGISTRY:$REGISTRY_PORT + +sed -i 's@quay.io/prega/test@registry.redhat.io@' /root/working-dir/cluster-resources/idms-oc-mirror.yaml + +cp /root/working-dir/cluster-resources/{cs*,*oc-mirror*} /root + +sed -i "s/REGISTRY:PORT/$REGISTRY:$REGISTRY_PORT/" /root/install-config.yaml + +if [ "$(grep additionalTrustBundle /root/install-config.yaml)" == "" ] ; then + echo "additionalTrustBundle: |" >> /root/install-config.yaml + sed -e 's/^/ /' /opt/registry/certs/domain.crt >> /root/install-config.yaml +else + LOCAL_CERT="-----BEGIN CERTIFICATE-----\n $(grep -v CERTIFICATE /opt/registry/certs/domain.crt | tr -d '[:space:]')\n -----END CERTIFICATE-----" + sed -i "/additionalTrustBundle/a${LOCAL_CERT}" /root/install-config.yaml + sed -i 's/^-----BEGIN/ -----BEGIN/' /root/install-config.yaml +fi + +if [ "$(grep pullSecret /root/install-config.yaml)" == "" ] ; then + echo "{\"auths\": {\"$REGISTRY:5000\": {\"auth\": \"$KEY\", \"email\": \"jhendrix@karmalabs.corp\"}}}" > /root/disconnected_pull.json + DISCONNECTED_PULLSECRET=$(cat /root/disconnected_pull.json | tr -d [:space:]) + echo -e "pullSecret: |\n $DISCONNECTED_PULLSECRET" >> /root/install-config.yaml +fi diff --git a/scripts/07_deploy_hub.sh b/scripts/07_deploy_hub.sh index 6b48164d..3e50023b 100755 --- a/scripts/07_deploy_hub.sh +++ b/scripts/07_deploy_hub.sh 
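Review bot: The fallback pullSecret block at the end of 05_mirror.sh writes the auth entry for `$REGISTRY:5000` while every other reference in the script uses `$REGISTRY:$REGISTRY_PORT`, so when disconnected_url carries a non-default port the pull secret embedded in install-config.yaml names a registry the mirror was never pushed to; change it to `echo "{\"auths\": {\"$REGISTRY:$REGISTRY_PORT\": {\"auth\": \"$KEY\", \"email\": \"jhendrix@karmalabs.corp\"}}}" > /root/disconnected_pull.json`. The script also drops the `set -euo pipefail` that the deleted 04_disconnected_mirror.sh had, so a failed `oc-mirror` or `podman login` no longer stops the run and the `|| exit 1` added in launch_steps.sh only sees the status of the last `fi`; add `set -euo pipefail` after the shebang. `OPENSHIFT_TAG=4.17` is hard-coded in the oc-mirror download while the same value is now a plan parameter in kcli_plan_default.yml, so `OPENSHIFT_TAG={{ OPENSHIFT_TAG }}` would keep the two in step, and REGISTRY_USER/REGISTRY_PASSWORD are assigned twice. Finally, the disconnected_url branch fetches the remote registry's certificate with `openssl s_client` and installs it straight into the CA trust anchors with no verification (trust on first use), and the `podman login -p` calls expose both passwords in the process list; the former deserves a comment stating that assumption and the latter `--password-stdin`.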
@@ -69,12 +69,6 @@ mv -f ocp/agent.x86_64.iso /var/www/html/$HUB.iso restorecon -Frv /var/www/html chown apache.apache /var/www/html/$HUB.iso -ASSISTED_DATA=$(jq '.["*image.Ignition"].Config.storage.files[] | select(.path == "/usr/local/share/assisted-service/assisted-service.env") | .contents.source' ocp/.openshift_install_state.json | cut -d, -f2 | sed 's/"//' | base64 -d) -if [ "$(echo $ASSISTED_DATA | grep AGENT_AUTH_TOKEN)" != "" ] ; then - AI_TOKEN=$(echo $ASSISTED_DATA | grep AGENT_AUTH_TOKEN | cut -d= -f2) - echo export AI_TOKEN=$AI_TOKEN >> /root/.bashrc -fi - PRIMARY_NIC=$(ls -1 /sys/class/net | grep -v podman | head -1) IP=$(ip -o addr show $PRIMARY_NIC | head -1 | awk '{print $4}' | cut -d "/" -f 1 | head -1) echo $IP | grep -q ':' && IP=[$IP] diff --git a/scripts/08_nfs.sh b/scripts/08_nfs.sh index 29a338fc..e3535be2 100755 --- a/scripts/08_nfs.sh +++ b/scripts/08_nfs.sh @@ -4,7 +4,7 @@ set -euo pipefail PRIMARY_NIC=$(ls -1 /sys/class/net | grep 'eth\|en' | head -1) export KUBECONFIG=/root/ocp/auth/kubeconfig -export PRIMARY_IP=$(ip -o addr show $PRIMARY_NIC | head -1 | awk '{print $4}' | cut -d'/' -f1) +export IP=$(ip -o addr show $PRIMARY_NIC | head -1 | awk '{print $4}' | cut -d'/' -f1) # Latest nfs-utils 2.3.3-51 is broken rpm -qi nfs-utils >/dev/null 2>&1 || dnf -y install nfs-utils test ! -f /usr/lib/systemd/system/firewalld.service || systemctl disable --now firewalld 
@@ -27,11 +27,11 @@ oc adm policy add-scc-to-user hostmount-anyuid system:serviceaccount:$NAMESPACE: if [ "$(podman ps | grep registry)" != "" ] ; then /root/bin/sync_image.sh registry.k8s.io/sig-storage/nfs-subdir-external-provisioner:v4.0.2 {% if dns %} - REGISTRY_NAME=registry.{{ cluster }}.{{ domain }} +REGISTRY=registry.{{ cluster }}.{{ domain }} {% else %} - REGISTRY_NAME=$(echo $PRIMARY_IP | sed 's/\./-/g' | sed 's/:/-/g').sslip.io +REGISTRY=$(echo $IP | sed 's/\./-/g' | sed 's/:/-/g').sslip.io {% endif %} - sed -i "s@registry.k8s.io@$REGISTRY_NAME:5000@" $BASEDIR/deploy/deployment.yaml + sed -i "s@registry.k8s.io@$REGISTRY:5000@" $BASEDIR/deploy/deployment.yaml fi sed -i -e "s@registry.k8s.io/nfs-subdir-external-provisioner@storage.io/nfs@" -e "s@10.3.243.101@$PRIMARY_IP@" -e "s@/ifs/kubernetes@/var/nfsshare@" $BASEDIR/deploy/deployment.yaml echo 'apiVersion: storage.k8s.io/v1 diff --git a/scripts/launch_steps.sh b/scripts/launch_steps.sh index 5f5bb714..082d0a90 100755 --- a/scripts/launch_steps.sh +++ b/scripts/launch_steps.sh 
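Review bot: The unchanged `sed -i -e ... -e "s@10.3.243.101@$PRIMARY_IP@" ...` line at the end of this hunk still expands `$PRIMARY_IP`, but the first hunk of this file renamed the export to `IP`; with `set -euo pipefail` (visible in the hunk header) the script now aborts on an unbound variable as soon as it reaches that line, and without `-u` it would write an empty NFS server address into deployment.yaml. Change it to `-e "s@10.3.243.101@$IP@"` so both hunks of this file agree on the rename. The dedent of the two `REGISTRY=` assignments inside the `if` is cosmetic but makes the block harder to scan; keeping the two-space indent of the surrounding `sed -i` line would read better.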
@@ -34,28 +34,14 @@ echo -e "${blue}************ RUNNING 03_dns.sh ************${clear}" /root/scripts/03_dns.sh {% endif %} -{% if registry %} -echo -e "${blue}************ RUNNING 04_disconnected_registry.sh ************${clear}" -/root/scripts/04_disconnected_registry.sh || exit 1 -KEY=$(echo -n {{ disconnected_user }}:{{ disconnected_password }} | base64) -REGISTRY_NAME={{ "registry.%s.%s" % (cluster, domain) if dns else "$(echo $IP | sed 's/\./-/g' | sed 's/:/-/g').sslip.io" }} -jq ".auths += {\"$REGISTRY_NAME:5000\": {\"auth\": \"$KEY\",\"email\": \"jhendrix@karmalabs.corp\"}}" /root/openshift_pull.json /root/openshift_pull.json.old && mv /root/openshift_pull.json.old /root/openshift_pull.json -{% elif disconnected %} -{% if disconnected_url == None %} -echo -e "${blue}************ RUNNING 04_disconnected_registry.sh ************${clear}" -/root/scripts/04_disconnected_registry.sh || exit 1 -{% endif %} -echo -e "${blue}************ RUNNING 04_disconnected_mirror.sh ************${clear}" -/root/scripts/04_disconnected_mirror.sh || exit 1 -{% if disconnected_operators or disconnected_certified_operators or disconnected_community_operators or disconnected_marketplace_operators or disconnected_extra_catalogs %} -echo -e "${blue}************ RUNNING 04_disconnected_olm.sh ************${clear}" -/root/scripts/04_disconnected_olm.sh -{% endif %} +{% if registry or (disconnected and disconnected_url == None) %} +echo -e "${blue}************ RUNNING 04_registry.sh ************${clear}" +/root/scripts/04_registry.sh || exit 1 {% endif %} -{% if nbde %} -echo -e "${blue}************ RUNNING 05_nbde.sh ************${clear}" -/root/scripts/05_nbde.sh +{% if disconnected %} +echo -e "${blue}************ RUNNING 05_mirror.sh ************${clear}" +/root/scripts/05_mirror.sh || exit 1 {% endif %} {% if ntp %}
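Review bot: This hunk drops the `{% if nbde %}` step that ran 05_nbde.sh and replaces it with 05_mirror.sh without re-adding it anywhere in the hunk; if NBDE is still a supported plan option this is a silent regression, and if it is being retired the parameter should leave kcli_plan_default.yml and the README in the same change. With `registry` set but `disconnected` unset, the jq merge of the local registry credentials into /root/openshift_pull.json is gone from both this file and scripts/04_registry.sh, and 05_mirror.sh, which now performs it, only runs `{% if disconnected %}`; unless that is covered elsewhere, a registry-only plan ends with a pull secret that cannot authenticate to the registry it just created. If that is the intended contract for the registry-only path, a comment on the new condition such as `{# registry without disconnected: the registry is created but its credentials are not merged into the pull secret #}` would document it.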