ocp-power-automation · Yashansh-Sharma15 · Oct 28, 2025
diff --git a/README.md b/README.md
@@ -54,6 +54,7 @@ This repository consists of additional ansible playbooks for the following:
 1. Deploy Openshift Data Foundation operator
 1. Enabling Kdump
 1. Enable Topology Manager on Power
+1. Deploy Container Security Operator 
 
 ## Assumptions:
 

diff --git a/examples/all.yaml b/examples/all.yaml
@@ -570,3 +570,10 @@ restricted_cpuv2: ""
 none_cpuv1: ""
 none_cpuv2: ""
 
+#ocp-cso vars
+cso_enabled: false
+cso_namespace: ""        
+cso_catalogsource_name:  ""     
+cso_catalogsource_image: "" 
+cso_operator_channel :   
+
diff --git a/examples/ocp_cso_vars.yaml b/examples/ocp_cso_vars.yaml
@@ -0,0 +1,7 @@
+#ocp-cso vars
+
+cso_enabled: false
+cso_namespace: ""        #Nmaespace for cso-registry
+cso_catalogsource_name:  ""     # CatalogSource Name
+cso_catalogsource_image: "" # CatalogSource Image
+cso_operator_channel :    # Version of CSO to be installed 
diff --git a/playbooks/main.yml b/playbooks/main.yml
@@ -166,3 +166,6 @@
 - import_playbook: ocp-odf-operator.yml
   when: odf_enabled is defined and odf_enabled
 
+- import_playbook: ocp-cso.yml
+  when: cso_enabled is defined and cso_enabled
+
diff --git a/playbooks/ocp-cso.yml b/playbooks/ocp-cso.yml
@@ -0,0 +1,5 @@
+---
+- name: Automate Container Security Operator in OpenShift
+  hosts: bastion 
+  roles:
+  - ocp-cso
diff --git a/playbooks/roles/ocp-cso/README.md b/playbooks/roles/ocp-cso/README.md
@@ -0,0 +1,44 @@
+Container Security Operator Automation
+=========
+
+This playbook will:
+- Install CSO operator
+
+Requirements
+------------
+
+- Access to the cluster as a user with the cluster-admin role
+- The cluster is in a known good state, without any errors
+- OCP secret with name ***podman-secret*** in the default namespace which is used for global secret update and has following keys:
+   ***username***, ***password*** and ***registry***
+
+
+Role Variables
+--------------
+| Variable                       | Required | Default     | Comments                                       |
+|--------------------------------|----------|-------------|------------------------------------------------|
+| cso_enabled      | no       |    false    | Set it to true to run this playbook            |
+| cso_namespace       | no     | "CSO-registry" |  CSO namespace   |
+| cso_catalogsource_name       | no       |  | CSO Catalogsource Name   |
+| cso_catalogsource_image      | no       |        | CSO Catalogsource Image |
+| cso_operator_channel     | no       |        | CSO operator Image |
+
+
+Example Playbook
+----------------
+
+```
+  - name: Deploy CSO operator in OpenShift
+    include_role:
+      name: ocp-cso
+```
+
+License
+-------
+
+See LICENCE.txt
+
+Author Information
+------------------
+
+[email protected]
diff --git a/playbooks/roles/ocp-cso/defaults/main.yaml b/playbooks/roles/ocp-cso/defaults/main.yaml
@@ -0,0 +1,7 @@
+#ocp-cso vars
+
+cso_enabled: false
+cso_namespace: "quay-registry"        #Nmaespace for container security operator
+cso_catalogsource_name:  "CSO Custom CatalogSource"     # CatalogSource Name
+cso_catalogsource_image: "" # CatalogSource Image
+cso_operator_channel :    # Version of cso to be installed 
diff --git a/playbooks/roles/ocp-cso/tasks/main.yaml b/playbooks/roles/ocp-cso/tasks/main.yaml
@@ -0,0 +1,101 @@
+ # check if Cluster Health is good
+- name: Check if cluster operators and nodes are healthy
+  include_role:
+    name: check-cluster-health
+
+- name: Check if cso_namespace is defined, and set default if not
+  set_fact:
+     cso_namespace: "{{ cso_namespace | default('quay-registry') }}"  # Set default namespace if not defined
+
+- name: Create a target namespace
+  kubernetes.core.k8s:
+    state: present
+    definition:
+      apiVersion: v1
+      kind: Namespace
+      metadata:
+        name: "{{ cso_namespace }}"
+  when: cso_namespace is defined
+
+# Custom ImageContentSourcePolicy and CatalogSource
+- name: Create ImageContentSourcePolicy and CatalogSource
+  block:
+  - name: Include the global-secret-update role
+    include_role:
+      name: global-secret-update
+
+  - name: Include role to create ImageContentSourcePolicy and CatalogSource
+    include_role:
+      name: set-custom-catalogsource
+    vars:
+      custom_catalogsource_name: "{{ cso_catalogsource_name }}"
+      custom_catalogsource_display_name: "Custom CSO CatalogSource"
+      custom_catalogsource_image: "{{ cso_catalogsource_image }}"
+  when: cso_catalogsource_image is defined or cso_catalogsource_image != '' and cso_catalogsource_image != None
+
+- name: Use default CatalogSource if no custom image is provided
+  set_fact:
+    cso_catalogsource_name: "redhat-operators"
+  when: cso_catalogsource_image is undefined or cso_catalogsource_image == '' or cso_catalogsource_image == None
+
+- name: Verify creation of Catsrc
+  shell: oc get catsrc -A | grep "{{ cso_catalogsource_name }}"
+  register: catsrc
+  until: catsrc.stdout|int == 0 and catsrc.stderr == ""
+  retries: 10
+  delay: 30
+
+- name: Check if CSO CatalogSource exists and is READY
+  shell: >
+    oc get catalogsource {{ cso_catalogsource_name }} -n openshift-marketplace -o jsonpath='{.status.connectionState.lastObservedState}'
+  register: cso_catsrc_check
+  retries: 10
+  delay: 15
+  until: cso_catsrc_check.rc == 0
+  changed_when: false
+  failed_when: cso_catsrc_check.rc != 0
+
+- name: Debug output for CSO CatalogSource check
+  debug:
+    msg: "CSO CatalogSource '{{ cso_catalogsource_name }}' is present and in Ready state."
+
+- name: Create OperatorGroup for CSO
+  k8s:
+    state: present
+    definition:
+      apiVersion: operators.coreos.com/v1
+      kind: OperatorGroup
+      metadata:
+        name: container-security-operator-group
+        namespace: "{{ cso_namespace }}"
+      spec: {}
+
+- name: Create CSO Operator Subscription
+  k8s:
+    state: present
+    definition:
+      apiVersion: operators.coreos.com/v1alpha1
+      kind: Subscription
+      metadata:
+        name: container-security-operator
+        namespace: "{{ cso_namespace }}"
+      spec:
+        channel: "{{ cso_operator_channel }}"
+        name: container-security-operator
+        source: "{{ cso_catalogsource_name }}"
+        sourceNamespace: openshift-marketplace
+        installPlanApproval: Automatic
+
+- name: Check if cso Operator CSV is in 'Succeeded' phase
+  shell: |
+    oc get csv -n {{ cso_namespace }} --no-headers | grep container-security-operator | grep Succeeded
+  register: csv_status
+  retries: 10
+  delay: 30
+  until: csv_status.stdout != "" and csv_status.stderr == ""
+  failed_when: csv_status.rc != 0
+
+- name: Debug container-security-operator CSV status
+  debug:
+    msg: "Container Security Operator CSV has successfully reached 'Succeeded' state."
+