openstack-k8s-operators
diff --git a/‎docs/dictionary/en-custom.txt‎
Lines changed: 2 additions & 0 deletions b/‎docs/dictionary/en-custom.txt‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎post-deployment.yml‎
Lines changed: 113 additions & 1 deletion b/‎post-deployment.yml‎
Lines changed: 113 additions & 1 deletion
diff --git a/‎roles/fdp_update_container_images/README.md‎
Lines changed: 106 additions & 0 deletions b/‎roles/fdp_update_container_images/README.md‎
Lines changed: 106 additions & 0 deletions
diff --git a/‎roles/fdp_update_container_images/defaults/main.yml‎
Lines changed: 73 additions & 0 deletions b/‎roles/fdp_update_container_images/defaults/main.yml‎
Lines changed: 73 additions & 0 deletions
diff --git a/‎roles/fdp_update_container_images/meta/main.yml‎
Lines changed: 38 additions & 0 deletions b/‎roles/fdp_update_container_images/meta/main.yml‎
Lines changed: 38 additions & 0 deletions
diff --git a/‎roles/fdp_update_container_images/tasks/authenticate_registry.yml‎
Lines changed: 27 additions & 0 deletions b/‎roles/fdp_update_container_images/tasks/authenticate_registry.yml‎
Lines changed: 27 additions & 0 deletions
@@ -186,6 +186,7 @@ ezzmy
 favorit
 fbqufbqkfbzxrja
 fci
+fdp
 fedoraproject
 fil
 filesystem
@@ -414,6 +415,7 @@ openstack
 openstackclient
 openstackcontrolplane
 openstackdataplane
+openstackdataplanedeployment
 openstackdataplanenodeset
 openstackdataplanenodesets
 openstackprovisioner
 
@@ -8,7 +8,6 @@
         tasks_from: admin_setup.yml
       tags:
         - admin-setup
-
     - name: Run Test
       ansible.builtin.import_role:
         name: cifmw_setup
@@ -26,6 +25,119 @@
       tags:
         - compliance
 
+    # FDP Update - OpenStack package updates across all layers
+    - name: FDP Update - Validate required variables
+      when: cifmw_fdp_update_enabled | default(false) | bool
+      block:
+        - name: Validate required variables are set
+          ansible.builtin.assert:
+            that:
+              - cifmw_fdp_update_target_package is defined
+              - cifmw_fdp_update_target_package | length > 0
+              - cifmw_fdp_update_repo_baseurl is defined
+              - cifmw_fdp_update_repo_baseurl | length > 0
+            fail_msg: |
+              Required variables are missing!
+
+              You must set:
+                - cifmw_fdp_update_target_package: Name of the RPM package to update
+                - cifmw_fdp_update_repo_baseurl: Repository base URL containing the updated package
+            success_msg: "Required variables validated successfully"
+
+        - name: Display update configuration
+          ansible.builtin.debug:
+            msg:
+              - "=============================================="
+              - "OpenStack Package Update Configuration"
+              - "=============================================="
+              - "Target Package: {{ cifmw_fdp_update_target_package }}"
+              - "Repository: {{ cifmw_fdp_update_repo_baseurl }}"
+              - ""
+              - "Update Control Flags:"
+              - "  Control Plane Images: {{ cifmw_fdp_update_container_images_enabled | default(true) }}"
+              - "  EDPM Update: {{ cifmw_fdp_update_edpm_enabled | default(true) }}"
+              - "    - Container Images: {{ cifmw_fdp_update_edpm_containers_enabled | default(true) }}"
+              - "    - Host Packages: {{ cifmw_fdp_update_edpm_packages_enabled | default(true) }}"
+              - "=============================================="
+
+        - name: Setup hypervisor firewall for registry access
+          become: true
+          when: cifmw_fdp_update_setup_hypervisor_firewall | default(true) | bool
+          block:
+            - name: Allow traffic from osp_trunk to ocpbm (compute -> registry)
+              ansible.builtin.iptables:
+                chain: FORWARD
+                in_interface: osp_trunk
+                out_interface: ocpbm
+                jump: ACCEPT
+                action: insert
+                rule_num: '1'
+
+            - name: Allow return traffic from ocpbm to osp_trunk (registry -> compute)
+              ansible.builtin.iptables:
+                chain: FORWARD
+                in_interface: ocpbm
+                out_interface: osp_trunk
+                ctstate: RELATED,ESTABLISHED
+                jump: ACCEPT
+                action: insert
+                rule_num: '1'
+
+            - name: Enable NAT for compute nodes to access registry
+              ansible.builtin.iptables:
+                table: nat
+                chain: POSTROUTING
+                source: 192.168.122.0/24
+                destination: 192.168.201.0/24
+                out_interface: ocpbm
+                jump: MASQUERADE
+
+            - name: Persist firewall rules
+              community.general.iptables_state:
+                state: saved
+                path: /etc/sysconfig/iptables
+
+        - name: Update control plane container images
+          ansible.builtin.import_role:
+            name: fdp_update_container_images
+          vars:
+            cifmw_fdp_update_container_images_target_package: "{{ cifmw_fdp_update_target_package }}"
+            cifmw_fdp_update_container_images_repo_baseurl: "{{ cifmw_fdp_update_repo_baseurl }}"
+            cifmw_fdp_update_container_images_namespace: "{{ cifmw_fdp_update_namespace | default('openstack') }}"
+          when: cifmw_fdp_update_container_images_enabled | default(true) | bool
+
+        - name: Update EDPM (containers and host packages)
+          ansible.builtin.import_role:
+            name: fdp_update_edpm
+          vars:
+            cifmw_fdp_update_edpm_repo_baseurl: "{{ cifmw_fdp_update_repo_baseurl }}"
+          when: cifmw_fdp_update_edpm_enabled | default(true) | bool
+
+        - name: Build FDP status messages
+          ansible.builtin.set_fact:
+            _cifmw_fdp_update_cp_status: "{{ 'Updated' if (cifmw_fdp_update_container_images_enabled | default(true) | bool) else 'Skipped' }}"
+            _cifmw_fdp_update_edpm_status: "{{ 'Updated' if (cifmw_fdp_update_edpm_enabled | default(true) | bool) else 'Skipped' }}"
+            _cifmw_fdp_update_edpm_images_status: "{{ 'Updated' if (cifmw_fdp_update_edpm_containers_enabled | default(true) | bool) else 'Skipped' }}"
+            _cifmw_fdp_update_edpm_packages_status: "{{ 'Service created' if (cifmw_fdp_update_edpm_packages_enabled | default(true) | bool) else 'Skipped' }}"
+
+        - name: Display FDP completion summary
+          ansible.builtin.debug:
+            msg:
+              - "=============================================="
+              - "OpenStack Package Update Completed"
+              - "=============================================="
+              - ""
+              - "Control plane containers: {{ _cifmw_fdp_update_cp_status }}"
+              - "EDPM update: {{ _cifmw_fdp_update_edpm_status }}"
+              - "  - Container images: {{ _cifmw_fdp_update_edpm_images_status }}"
+              - "  - Host packages: {{ _cifmw_fdp_update_edpm_packages_status }}"
+              - ""
+              - "Package: {{ cifmw_fdp_update_target_package }}"
+              - "Repository: {{ cifmw_fdp_update_repo_baseurl }}"
+              - "=============================================="
+      tags:
+        - fdp-update
+
 - name: Run compliance scan for computes
   hosts: "{{ groups['computes'] | default ([]) }}"
   gather_facts: true
 
@@ -0,0 +1,106 @@
+# fdp_update_container_images
+
+Ansible role to update specific RPM packages in OpenStack container images by rebuilding them with custom repositories.
+
+This role automates the process of:
+1. Fetching container images from OpenStackVersion CR
+2. Checking if target package exists in each image
+3. Building new images with updated packages from custom repository
+4. Pushing updated images to OpenShift internal registry
+5. Patching OpenStackVersion CR to use the new images
+
+## Privilege escalation
+None - Runs as the user executing Ansible
+
+## Parameters
+
+* `cifmw_fdp_update_container_images_basedir`: (String) Base directory. Defaults to `cifmw_basedir` which defaults to `~/ci-framework-data`.
+* `cifmw_fdp_update_container_images_namespace`: (String) OpenShift namespace where OpenStack is deployed. Defaults to `openstack`.
+* `cifmw_fdp_update_container_images_openstack_cr_name`: (String) Name of the OpenStackVersion CR. Defaults to `controlplane`.
+* `cifmw_fdp_update_container_images_target_package`: (String) Name of the RPM package to update (e.g., `ovn24.03`). **Required**.
+* `cifmw_fdp_update_container_images_repo_name`: (String) Repository name. Defaults to `custom-repo`.
+* `cifmw_fdp_update_container_images_repo_baseurl`: (String) Repository base URL. **Required**.
+* `cifmw_fdp_update_container_images_repo_enabled`: (Integer) Enable repository (0 or 1). Defaults to `1`.
+* `cifmw_fdp_update_container_images_repo_gpgcheck`: (Integer) Enable GPG check (0 or 1). Defaults to `0`.
+* `cifmw_fdp_update_container_images_repo_priority`: (Integer) Repository priority. Defaults to `0`.
+* `cifmw_fdp_update_container_images_repo_sslverify`: (Integer) Enable SSL verification (0 or 1). Defaults to `0`.
+* `cifmw_fdp_update_container_images_image_registry`: (String) External OpenShift image registry URL. Auto-detected from cluster if not specified. Leave empty for auto-detection.
+* `cifmw_fdp_update_container_images_image_registry_internal`: (String) Internal OpenShift image registry URL. Defaults to `image-registry.openshift-image-registry.svc:5000`.
+* `cifmw_fdp_update_container_images_image_name_prefix`: (String) Prefix for new image names. Defaults to `fdp-update`.
+* `cifmw_fdp_update_container_images_update_control_plane_images`: (Boolean) Update control plane container images. Defaults to `true`.
+* `cifmw_fdp_update_container_images_temp_dir`: (String) Temporary directory for build context. Auto-generated if not specified.
+* `cifmw_fdp_update_container_images_update_dnf_args`: (String) Additional arguments for dnf update command. Defaults to `--disablerepo='*' --enablerepo={{ cifmw_fdp_update_container_images_repo_name }}`.
+
+## Examples
+
+### Update OVN package in all containers
+```yaml
+---
+- hosts: localhost
+  vars:
+    cifmw_fdp_update_container_images_target_package: "ovn24.03"
+    cifmw_fdp_update_container_images_repo_name: "custom-repo"
+    cifmw_fdp_update_container_images_repo_baseurl: "http://example.com/custom-repo/"
+    cifmw_fdp_update_container_images_namespace: "openstack"
+  roles:
+    - role: "fdp_update_container_images"
+```
+
+### Update with custom registry and image prefix
+```yaml
+---
+- hosts: localhost
+  vars:
+    cifmw_fdp_update_container_images_target_package: "ovn24.03"
+    cifmw_fdp_update_container_images_repo_baseurl: "http://custom-repo.example.com/repo/"
+    cifmw_fdp_update_container_images_image_registry: "registry.example.com"
+    cifmw_fdp_update_container_images_image_name_prefix: "ovn-hotfix"
+  roles:
+    - role: "fdp_update_container_images"
+```
+
+### Update with specific DNF arguments
+```yaml
+---
+- hosts: localhost
+  vars:
+    cifmw_fdp_update_container_images_target_package: "neutron-ovn-metadata-agent"
+    cifmw_fdp_update_container_images_repo_baseurl: "http://custom-repo.example.com/repo/"
+    cifmw_fdp_update_container_images_update_dnf_args: "--disablerepo='*' --enablerepo={{ cifmw_fdp_update_container_images_repo_name }} --nobest"
+  roles:
+    - role: "fdp_update_container_images"
+```
+
+## How it works
+
+1. **Registry Setup**:
+   - Enables the default route for OpenShift image registry
+   - Auto-detects the registry hostname or uses the configured value
+2. **Authentication**: Obtains a token from OpenShift and authenticates with the internal registry using TLS
+3. **Image Discovery**: Queries the OpenStackVersion CR for all container images
+4. **Package Check**: For each image, creates a temporary container to check if the target package is installed
+5. **Image Build**: If the package exists, builds a new image with the updated package from the custom repository
+6. **Registry Push**: Pushes the new image to the OpenShift internal registry
+7. **CR Update**: Patches the OpenStackVersion CR's `spec.customContainerImages` field with the new image reference
+8. **Summary**: Provides a summary of all updated images
+
+## Requirements
+
+* OpenShift CLI (`oc`) must be available
+* Podman must be installed and accessible
+* User must have permissions to:
+  - Create tokens in the target namespace
+  - Get and patch OpenStackVersion CRs
+  - Push images to the internal registry
+  - Patch image registry configuration (`configs.imageregistry.operator.openshift.io/cluster`)
+
+## Notes
+
+* The role uses podman to build and push images with TLS verification
+* Each updated image gets a unique tag with timestamp: `<prefix>-<image-key>-<timestamp>`
+* Only images containing the target package will be updated
+* The role cleans up temporary containers automatically
+* All build contexts are created in a temporary directory that is cleaned up after execution
+* The role automatically configures the OpenShift image registry for external access:
+  - Enables the default route if not already enabled
+  - Auto-detects the registry hostname from the route
@@ -0,0 +1,73 @@
+---
+# Copyright Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+# ============================================================================
+# Base Configuration
+# ============================================================================
+
+# Base directory for artifacts and temporary files
+cifmw_fdp_update_container_images_basedir: "{{ cifmw_basedir | default(ansible_user_dir ~ '/ci-framework-data') }}"
+
+# OpenShift namespace where OpenStack is deployed
+cifmw_fdp_update_container_images_namespace: "openstack"
+
+# Name of the OpenStackVersion custom resource
+cifmw_fdp_update_container_images_openstack_cr_name: "controlplane"
+
+# Target package to update (REQUIRED - must be set by user)
+cifmw_fdp_update_container_images_target_package: ""
+
+# List of images to update with the target package
+# Only these images will be updated (no package scanning is performed)
+cifmw_fdp_update_container_images_images_to_scan:
+  - ovnControllerImage
+  - ovnControllerOvsImage
+  - ovnNbDbclusterImage
+  - ovnNorthdImage
+  - ovnSbDbclusterImage
+  - ceilometerSgcoreImage
+
+# Repository configuration
+cifmw_fdp_update_container_images_repo_name: "custom-repo"
+cifmw_fdp_update_container_images_repo_baseurl: ""  # REQUIRED - must be set by user
+cifmw_fdp_update_container_images_repo_enabled: 1
+cifmw_fdp_update_container_images_repo_gpgcheck: 0
+cifmw_fdp_update_container_images_repo_priority: 0
+cifmw_fdp_update_container_images_repo_sslverify: 0
+
+# Image registry configuration
+# External registry URL (for compute nodes/EDPM and pushing images)
+# Leave empty to auto-detect external route from OpenShift cluster
+cifmw_fdp_update_container_images_image_registry: ""
+
+# Internal registry URL (for OpenShift pods to pull images)
+# This is auto-detected and should not normally need to be changed
+cifmw_fdp_update_container_images_image_registry_internal: "image-registry.openshift-image-registry.svc:5000"
+
+# Image naming
+cifmw_fdp_update_container_images_image_name_prefix: "fdp-update"
+
+# Temporary directory for build context
+cifmw_fdp_update_container_images_temp_dir: ""
+
+# DNF update arguments
+cifmw_fdp_update_container_images_update_dnf_args: "--disablerepo='*' --enablerepo={{ cifmw_fdp_update_container_images_repo_name }}"
+
+# Internal variables (do not override)
+_cifmw_fdp_update_container_images_modified_images: []
+_cifmw_fdp_update_container_images_updated_cr_keys: []
+_cifmw_fdp_update_container_images_total_images: 0
+_cifmw_fdp_update_container_images_processed_images: 0
@@ -0,0 +1,38 @@
+---
+# Copyright Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+galaxy_info:
+  author: Red Hat
+  description: Update RPM packages in OpenStack container images
+  company: Red Hat
+  license: Apache-2.0
+  min_ansible_version: "2.15"
+  platforms:
+    - name: Fedora
+      versions:
+        - all
+    - name: EL
+      versions:
+        - "9"
+  galaxy_tags:
+    - openstack
+    - containers
+    - kubernetes
+    - openshift
+    - podman
+    - rpm
+
+dependencies: []
@@ -0,0 +1,27 @@
+---
+# Copyright Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- name: Create registry token
+  ansible.builtin.command: oc create token builder -n {{ cifmw_fdp_update_container_images_namespace }}
+  register: _cifmw_fdp_update_container_images_token
+  changed_when: false
+
+- name: Authenticate podman with TLS verification
+  containers.podman.podman_login:
+    username: unused
+    password: "{{ _cifmw_fdp_update_container_images_token.stdout }}"
+    registry: "{{ cifmw_fdp_update_container_images_image_registry }}"
+  no_log: true