ocp_quay

Signed-off-by: Yashansh-Sharma15 <[email protected]>

Author: Yashansh-Sharma15

README.md

@@ -53,6 +53,7 @@ This repository consists of additional ansible playbooks for the following:
 1. Verify IPI day2 operations
 1. Deploy Openshift Data Foundation operator
 1. Enabling Kdump
+1. Deploy Quay Operator
 
 ## Assumptions:
 

examples/all.yaml

@@ -556,3 +556,15 @@ update_channel: ""
 odf_catalogsource_image: "" #Example - quay.io/rhceph-dev/ocs-registry:4.16.3
 test_pod_image: "quay.io/powercloud/nginx-unprivileged:latest"
 
+# ocp-quay required vars
+quay_enabled: false            #set to true for quay operator installation
+lso_index: "" # provide LSO index image
+cluster_upi: true  #set to true if using UPI cluster
+quay_registry_namespace: ""        #Nmaespace for quay-registry
+quay_catalogsource_name:  ""     # CatalogSource Name
+quay_catalogsource_image: "" # CatalogSource Image
+quay_operator_channel :    # Version of Quay to be installed 
+quay_registry_hostname: "" # Hostname for Quayconfig
+volume_path: "/dev/disk/by-id/......" #Get the volume path using "ls /dev/disk/by-id/......"
+odf_index: "" #Example - quay.io/rhceph-dev/ocs-registry:4.16.3
+odf_channel:  #Define this to set subscription channel for ODF Operator

examples/ocp_quay_vars.yaml

@@ -0,0 +1,13 @@
+#ocp-quay vars
+
+quay_enabled: false            #set to true for quay operator installation
+lso_index: "" # provide LSO index image
+cluster_upi: true  #set to true if using UPI cluster
+quay_registry_namespace: ""        #Nmaespace for quay-registry
+quay_catalogsource_name:  ""     # CatalogSource Name
+quay_catalogsource_image: "" # CatalogSource Image
+quay_operator_channel :    # Version of Quay to be installed 
+quay_registry_hostname: "" # Hostname for Quayconfig
+volume_path: "/dev/disk/by-id/......" #Get the volume path using "ls /dev/disk/by-id/......"
+odf_index: "" #Example - quay.io/rhceph-dev/ocs-registry:4.16.3
+odf_channel:  #Define this to set subscription channel for ODF Operator

playbooks/main.yml

@@ -159,3 +159,6 @@
 - import_playbook: ocp-odf-operator.yml
   when: odf_enabled is defined and odf_enabled
 
+- import_playbook: ocp-quay.yml
+  when: quay_enabled is defined and quay_enabled
+

playbooks/ocp-quay.yml

@@ -0,0 +1,5 @@
+---
+- name: Automate Quay operator in OpenShift
+  hosts: bastion 
+  roles:
+  - ocp-quay

playbooks/roles/ocp-quay/README.md

@@ -0,0 +1,56 @@
+
+Quay Automation
+=========
+
+This playbook will:
+- Install Quay operator
+- Install LSO operator
+- Install ODF operator
+
+Requirements
+------------
+
+- Access to the cluster as a user with the cluster-admin role
+- The cluster is in a known good state, without any errors
+- OCP secret with name ***podman-secret*** in the default namespace which is used for global secret update and has following keys:
+   ***username***, ***password*** and ***registry***
+
+
+Role Variables
+--------------
+| Variable                       | Required | Default     | Comments                                       |
+|--------------------------------|----------|-------------|------------------------------------------------|
+| quay_enabled      | no       |    false    | Set it to true to run this playbook            |
+| quay_registry_namespace       | no     | "quay-registry" |  Quay registry namespace   |
+| quay_catalogsource_name       | no       |  | Quay Catalogsource Name   |
+| quay_catalogsource_image      | no       |        | Quay Catalogsource Image |
+| lso_index                      | no       |    " "    | Index image for LSO operator    |
+| odf_index                  | no       |    " "    | Index image for ODF operator    |
+| odf_channel                | no | It uses default channel | It is used to set subscription channel for ODF Operator |
+| cluster_upi                    | no       |    false    | #set to true if using UPI cluster             |
+| volume_path                  | no       |    false    | #Get the volume path using "ls /dev/disk/by-id/"           |
+
+Dependencies
+------------
+
+- Import LSO role
+- Import ODF role
+
+Example Playbook
+----------------
+
+```
+  - name: Deploy Quay operator in OpenShift
+    include_role:
+      name: ocp-quay
+```
+
+License
+-------
+
+See LICENCE.txt
+
+Author Information
+------------------
+
+[email protected]

playbooks/roles/ocp-quay/defaults/main.yaml

@@ -0,0 +1,13 @@
+#ocp-quay vars
+
+quay_enabled: false            #set to true for quay operator installation
+lso_index: "" # provide LSO index image
+cluster_upi: true  #set to true if using UPI cluster
+quay_registry_namespace: "quay-registry"        #Nmaespace for quay-registry
+quay_catalogsource_name:  "quay-catsrc-zyz"     # CatalogSource Name
+quay_catalogsource_image: "brew.registry.redhat.io/rh-osbs/iib:1009805" # CatalogSource Image
+quay_operator_channel :    # Version of Quay to be installed 
+quay_registry_hostname: "quay-registry.apps.xyz.ibm.com" # Hostname for Quayconfig
+volume_path: "/dev/disk/by-id/......" #Get the volume path using "ls /dev/disk/by-id/......"
+odf_index: "" #Example - quay.io/rhceph-dev/ocs-registry:4.16.3
+odf_channel:  #Define this to set subscription channel for ODF Operator

playbooks/roles/ocp-quay/files/quay-registry.yaml

@@ -0,0 +1,35 @@
+apiVersion: quay.redhat.com/v1
+kind: QuayRegistry
+metadata:
+  name: quayreg1
+  namespace: quay-registry
+spec:
+  configBundleSecret: config-bundle-secret
+  components:
+    - kind: clair
+      managed: true
+    - kind: quay
+      managed: true
+    - kind: postgres
+      managed: true
+      overrides:
+        env:
+        - name: DEBUGLOG
+          value: "true"
+    - kind: redis
+      managed: true
+    - kind: horizontalpodautoscaler
+      managed: true
+    - kind: objectstorage
+      managed: true
+    - kind: route
+      managed: true
+    - kind: mirror
+      managed: false
+    - kind: monitoring
+      managed: true
+    - kind: tls
+      managed: true
+    - kind: clairpostgres
+      managed: true
+      

playbooks/roles/ocp-quay/files/quayreg1.yaml

@@ -0,0 +1,7 @@
+apiVersion: quay.redhat.com/v1
+kind: QuayRegistry
+metadata:
+  name: quayreg1
+  namespace: quay-registry
+spec:
+  configBundleSecret: config-bundle-secret

playbooks/roles/ocp-quay/tasks/main.yaml

@@ -0,0 +1,214 @@
+ # check if Cluster Health is good
+- name: Check if cluster operators and nodes are healthy
+  include_role:
+    name: check-cluster-health
+
+- name: Get worker names
+  command: oc get nodes -l node-role.kubernetes.io/worker --no-headers -o custom-columns=NAME:.metadata.name
+  register: worker_list
+
+- name: Save to worker list
+  set_fact:
+    worker: "{{ worker_list.stdout_lines }}"
+
+- name: Check if LSO (Local Storage Operator) is already installed
+  shell: |
+    oc get csv -n openshift-local-storage -o json | jq -r '.items[] | select(.metadata.name | test("local-storage-operator")) | .status.phase'
+  register: lso_csv_status
+  changed_when: false
+  failed_when: false
+
+- name: Set flag if LSO is installed
+  set_fact:
+    lso_install_req: "{{ lso_csv_status.stdout != 'Succeeded' }}"
+
+# Install LSO
+- name: Install LSO - Local Storage operator
+  include_role:
+    name: ocp-lso
+  when: lso_install_req
+  vars:
+    lso_catalogsource_image: "{{ lso_index }}"
+    upi_cluster: "{{ cluster_upi }}"
+    device_path: "{{ volume_path }}" 
+    lso_namespace: "openshift-local-storage"
+    lso_channel: "stable"
+    lso_catalogsource_name: "redhat-operators"
+    busybox_image: "quay.io/powercloud/busybox:ubi"
+
+- name: Check if ODF (OpenShift Data Foundation) is already installed
+  shell: |
+    oc get csv -n openshift-storage -o json | jq -r '.items[] | select(.metadata.name | test("odf-operator")) | .status.phase'
+  register: odf_csv_status
+  changed_when: false
+  failed_when: false
+
+- name: Set flag if ODF is installed
+  set_fact:
+    odf_install_req: "{{ odf_csv_status.stdout != 'Succeeded' }}"
+
+# ODF installation
+- name: Install ODF - Openshift Data Foundation
+  include_role:
+    name: ocp-odf-operator
+  when: odf_install_req
+  vars:
+    odf_catalogsource_image: "{{ odf_index }}"
+    update_channel: "{{ odf_channel }}"
+    test_pod_image: "quay.io/powercloud/nginx-unprivileged:latest"
+
+# Creating Project for Quay
+- name: Create quay-registry project
+  k8s:
+    state: present
+    definition:
+      apiVersion: v1
+      kind: Namespace
+      metadata:
+        name: "{{ quay_registry_namespace }}"
+        annotations:
+          openshift.io/node-selector: 'node-role.kubernetes.io/infra='
+          openshift.io/description: "Red Hat Quay Enterprise Container Image Repository"
+          openshift.io/display-name: "Quay"
+          scheduler.alpha.kubernetes.io/defaultTolerations: >-
+            [{"operator": "Exists", "effect": "NoSchedule", "key": "node-role.kubernetes.io/infra"}]
+
+- name: Switch to quay-registry project
+  command: oc project {{ quay_registry_namespace }}
+
+# Custom ImageContentSourcePolicy and CatalogSource
+- name: Create ImageContentSourcePolicy and CatalogSource
+  block:
+  - name: Include the global-secret-update role
+    include_role:
+      name: global-secret-update
+
+  - name: Include role to create ImageContentSourcePolicy and CatalogSource
+    include_role:
+      name: set-custom-catalogsource
+    vars:
+      custom_catalogsource_name: "{{ quay_catalogsource_name }}"
+      custom_catalogsource_display_name: "Custom Quay CatalogSource"
+      custom_catalogsource_image: "{{ quay_catalogsource_image }}"
+  when: quay_catalogsource_image is defined or quay_catalogsource_image != '' and quay_catalogsource_image != None
+
+- name: Use default CatalogSource if no custom image is provided
+  set_fact:
+    quay_catalogsource_name: "redhat-operators"
+  when: quay_catalogsource_image is undefined or quay_catalogsource_image == '' or quay_catalogsource_image == None
+
+- name: Check if Quay CatalogSource exists and is READY
+  shell: >
+    oc get catalogsource {{ quay_catalogsource_name }} -n openshift-marketplace -o jsonpath='{.status.connectionState.lastObservedState}'
+  register: quay_catsrc_check
+  retries: 10
+  delay: 15
+  until: quay_catsrc_check.rc == 0
+  changed_when: false
+  failed_when: quay_catsrc_check.rc != 0
+
+- name: Debug output for Quay CatalogSource check
+  debug:
+    msg: "Quay CatalogSource '{{ quay_catalogsource_name }}' is present and in Ready state."
+
+# Label and taint infra nodes
+- name: Label and taint infra nodes
+  shell: |
+    oc label node {{ worker[0] }} node-role.kubernetes.io/infra=
+    oc adm taint nodes {{ worker[0] }} node-role.kubernetes.io/infra:NoSchedule --overwrite
+    oc label node {{ worker[1] }} node-role.kubernetes.io/infra=
+    oc adm taint nodes {{ worker[1] }} node-role.kubernetes.io/infra:NoSchedule --overwrite
+  args:
+    executable: /bin/bash
+
+- name: Create OperatorGroup for Quay
+  k8s:
+    state: present
+    definition:
+      apiVersion: operators.coreos.com/v1
+      kind: OperatorGroup
+      metadata:
+        name: quay-operator-group
+        namespace: "{{ quay_registry_namespace }}"
+      spec: {}
+
+- name: Create Quay Operator Subscription
+  k8s:
+    state: present
+    definition:
+      apiVersion: operators.coreos.com/v1alpha1
+      kind: Subscription
+      metadata:
+        name: quay-operator
+        namespace: "{{ quay_registry_namespace }}"
+      spec:
+        channel: "{{ quay_operator_channel }}"
+        name: quay-operator
+        source: "{{ quay_catalogsource_name }}"
+        sourceNamespace: openshift-marketplace
+        installPlanApproval: Automatic
+
+- name: Check if Quay Operator CSV is in 'Succeeded' phase
+  shell: |
+    oc get csv -n {{ quay_registry_namespace }} --no-headers | grep quay-operator | grep Succeeded
+  register: csv_status
+  retries: 10
+  delay: 30
+  until: csv_status.stdout != "" and csv_status.stderr == ""
+  failed_when: csv_status.rc != 0
+
+- name: Debug Quay operator CSV status
+  debug:
+    msg: "Quay operator CSV has successfully reached 'Succeeded' state."
+
+- name: Generate config.yaml from template
+  template:
+    src: config.yaml.j2
+    dest: /tmp/config.yaml
+
+# Create config-bundle-secret from existing config.yaml file
+- name: Create config-bundle-secret from rendered config.yaml
+  shell: |
+    oc create secret generic config-bundle-secret \
+      --from-file=config.yaml=/tmp/config.yaml \
+      -n {{ quay_registry_namespace }} \
+      --dry-run=client -o yaml | oc apply -f -
+  args:
+    executable: /bin/bash
+
+# Apply QuayRegistry CR from quay-registry.yaml
+- name: Apply QuayRegistry CR from quay-registry.yaml
+  shell: oc apply -f quay-registry.yaml -n {{ quay_registry_namespace }}
+  args:
+    chdir: "{{ role_path }}/files"
+  register: create_quayregistry
+
+- name: Debug QuayRegistry creation output
+  debug:
+    var: create_quayregistry.stdout
+
+- name: Wait a bit for pods to be created
+  pause:
+    seconds: 30
+
+- name: Wait until all pods are Running or Completed in {{ quay_registry_namespace }}
+  shell: |
+    set -eo pipefail
+    oc get pods -n {{ quay_registry_namespace }} -o json | \
+      jq -r '.items[] | [.metadata.name, .status.phase, (.status.containerStatuses[0].ready // false)] | @tsv' | \
+      awk '
+        {
+          if ($2 != "Running" && $2 != "Succeeded") {
+            print "WAITING: Pod", $1, "is in phase", $2;
+            exit 1;
+          }
+          if ($2 == "Running" && $3 != "true") {
+            print "WAITING: Pod", $1, "is Running but not Ready";
+            exit 1;
+          }
+        }
+      '
+  register: quay_pods_check
+  retries: 40         # 10 minutes max wait
+  delay: 15
+  until: quay_pods_check.rc == 0