Add FDP update automation for EDPM deployments

Implement comprehensive FDP update workflow including:
- New playbook fdp_update.yml orchestrating the update process
- Role fdp_edpm_update_host_packages: Updates packages on EDPM hosts
- Role fdp_update_container_images: Rebuilds container images with updated packages
  * Includes Molecule tests for validation
  * Jinja2 templates for Dockerfile and repo configuration
- Role fdp_update_edpm_containers: Updates running EDPM containers

This automation streamlines the process of updating Fast Data Path
components across OpenStack EDPM (External Data Plane Management)
deployments by coordinating host package updates, container image
rebuilds, and container deployment updates.

Assisted-By: Claude <[email protected]>
Signed-off-by: Miguel Angel Nieto Jimenez <[email protected]>

Author: mnietoji

docs/dictionary/en-custom.txt

@@ -186,6 +186,7 @@ ezzmy
 favorit
 fbqufbqkfbzxrja
 fci
+fdp
 fedoraproject
 fil
 filesystem
@@ -414,6 +415,7 @@ openstack
 openstackclient
 openstackcontrolplane
 openstackdataplane
+openstackdataplanedeployment
 openstackdataplanenodeset
 openstackdataplanenodesets
 openstackprovisioner

post-deployment.yml

@@ -8,7 +8,6 @@
         tasks_from: admin_setup.yml
       tags:
         - admin-setup
-
     - name: Run Test
       ansible.builtin.import_role:
         name: cifmw_setup
@@ -26,6 +25,43 @@
       tags:
         - compliance
 
+    # FDP Update - OpenStack package updates across all layers
+    - name: FDP Update - Validate required variables
+      when: cifmw_fdp_update_enabled | default(false) | bool
+      block:
+        - name: Validate required variables are set
+          ansible.builtin.assert:
+            that:
+              - cifmw_fdp_update_target_package is defined
+              - cifmw_fdp_update_target_package | length > 0
+              - cifmw_fdp_update_repo_baseurl is defined
+              - cifmw_fdp_update_repo_baseurl | length > 0
+            fail_msg: |
+              Required variables are missing!
+
+              You must set:
+                - cifmw_fdp_update_target_package: Name of the RPM package to update
+                - cifmw_fdp_update_repo_baseurl: Repository base URL containing the updated package
+            success_msg: "Required variables validated successfully"
+
+        - name: Update control plane container images
+          ansible.builtin.import_role:
+            name: fdp_update_container_images
+          vars:
+            cifmw_fdp_update_container_images_target_package: "{{ cifmw_fdp_update_target_package }}"
+            cifmw_fdp_update_container_images_repo_baseurl: "{{ cifmw_fdp_update_repo_baseurl }}"
+            cifmw_fdp_update_container_images_namespace: "{{ cifmw_fdp_update_namespace | default('openstack') }}"
+          when: cifmw_fdp_update_container_images_enabled | default(true) | bool
+
+        - name: Update EDPM (containers and host packages)
+          ansible.builtin.import_role:
+            name: fdp_update_edpm
+          vars:
+            cifmw_fdp_update_edpm_repo_baseurl: "{{ cifmw_fdp_update_repo_baseurl }}"
+          when: cifmw_fdp_update_edpm_enabled | default(true) | bool
+      tags:
+        - fdp-update
+
 - name: Run compliance scan for computes
   hosts: "{{ groups['computes'] | default ([]) }}"
   gather_facts: true

roles/fdp_update_container_images/README.md

@@ -0,0 +1,105 @@
+# fdp_update_container_images
+
+Ansible role to update specific RPM packages in OpenStack container images by rebuilding them with custom repositories.
+
+This role automates the process of:
+1. Fetching container images from OpenStackVersion CR
+2. Checking if target package exists in each image
+3. Building new images with updated packages from custom repository
+4. Pushing updated images to OpenShift internal registry
+5. Patching OpenStackVersion CR to use the new images
+
+## Privilege escalation
+None - Runs as the user executing Ansible
+
+## Parameters
+
+* `cifmw_fdp_update_container_images_basedir`: (String) Base directory. Defaults to `cifmw_basedir` which defaults to `~/ci-framework-data`.
+* `cifmw_fdp_update_container_images_namespace`: (String) OpenShift namespace where OpenStack is deployed. Defaults to `openstack`.
+* `cifmw_fdp_update_container_images_openstack_cr_name`: (String) Name of the OpenStackVersion CR. Defaults to `controlplane`.
+* `cifmw_fdp_update_container_images_target_package`: (String) Name of the RPM package to update (e.g., `ovn24.03`). **Required**.
+* `cifmw_fdp_update_container_images_repo_name`: (String) Repository name. Defaults to `custom-repo`.
+* `cifmw_fdp_update_container_images_repo_baseurl`: (String) Repository base URL. **Required**.
+* `cifmw_fdp_update_container_images_repo_enabled`: (Integer) Enable repository (0 or 1). Defaults to `1`.
+* `cifmw_fdp_update_container_images_repo_gpgcheck`: (Integer) Enable GPG check (0 or 1). Defaults to `0`.
+* `cifmw_fdp_update_container_images_repo_priority`: (Integer) Repository priority. Defaults to `0`.
+* `cifmw_fdp_update_container_images_repo_sslverify`: (Integer) Enable SSL verification (0 or 1). Defaults to `0`.
+* `cifmw_fdp_update_container_images_image_registry`: (String) External OpenShift image registry URL. Auto-detected from cluster if not specified. Leave empty for auto-detection.
+* `cifmw_fdp_update_container_images_image_registry_internal`: (String) Internal OpenShift image registry URL. Defaults to `image-registry.openshift-image-registry.svc:5000`.
+* `cifmw_fdp_update_container_images_image_name_prefix`: (String) Prefix for new image names. Defaults to `fdp-update`.
+* `cifmw_fdp_update_container_images_temp_dir`: (String) Temporary directory for build context. Auto-generated if not specified.
+* `cifmw_fdp_update_container_images_update_dnf_args`: (String) Additional arguments for dnf update command. Defaults to `--disablerepo='*' --enablerepo={{ cifmw_fdp_update_container_images_repo_name }}`.
+
+## Examples
+
+### Update OVN package in all containers
+```yaml
+---
+- hosts: localhost
+  vars:
+    cifmw_fdp_update_container_images_target_package: "ovn24.03"
+    cifmw_fdp_update_container_images_repo_name: "custom-repo"
+    cifmw_fdp_update_container_images_repo_baseurl: "http://example.com/custom-repo/"
+    cifmw_fdp_update_container_images_namespace: "openstack"
+  roles:
+    - role: "fdp_update_container_images"
+```
+
+### Update with custom registry and image prefix
+```yaml
+---
+- hosts: localhost
+  vars:
+    cifmw_fdp_update_container_images_target_package: "ovn24.03"
+    cifmw_fdp_update_container_images_repo_baseurl: "http://custom-repo.example.com/repo/"
+    cifmw_fdp_update_container_images_image_registry: "registry.example.com"
+    cifmw_fdp_update_container_images_image_name_prefix: "ovn-hotfix"
+  roles:
+    - role: "fdp_update_container_images"
+```
+
+### Update with specific DNF arguments
+```yaml
+---
+- hosts: localhost
+  vars:
+    cifmw_fdp_update_container_images_target_package: "neutron-ovn-metadata-agent"
+    cifmw_fdp_update_container_images_repo_baseurl: "http://custom-repo.example.com/repo/"
+    cifmw_fdp_update_container_images_update_dnf_args: "--disablerepo='*' --enablerepo={{ cifmw_fdp_update_container_images_repo_name }} --nobest"
+  roles:
+    - role: "fdp_update_container_images"
+```
+
+## How it works
+
+1. **Registry Setup**:
+   - Enables the default route for OpenShift image registry
+   - Auto-detects the registry hostname or uses the configured value
+2. **Authentication**: Obtains a token from OpenShift and authenticates with the internal registry using TLS
+3. **Image Discovery**: Queries the OpenStackVersion CR for all container images
+4. **Package Check**: For each image, creates a temporary container to check if the target package is installed
+5. **Image Build**: If the package exists, builds a new image with the updated package from the custom repository
+6. **Registry Push**: Pushes the new image to the OpenShift internal registry
+7. **CR Update**: Patches the OpenStackVersion CR's `spec.customContainerImages` field with the new image reference
+8. **Summary**: Provides a summary of all updated images
+
+## Requirements
+
+* OpenShift CLI (`oc`) must be available
+* Podman must be installed and accessible
+* User must have permissions to:
+  - Create tokens in the target namespace
+  - Get and patch OpenStackVersion CRs
+  - Push images to the internal registry
+  - Patch image registry configuration (`configs.imageregistry.operator.openshift.io/cluster`)
+
+## Notes
+
+* The role uses podman to build and push images with TLS verification
+* Each updated image gets a unique tag with timestamp: `<prefix>-<image-key>-<timestamp>`
+* Only images containing the target package will be updated
+* The role cleans up temporary containers automatically
+* All build contexts are created in a temporary directory that is cleaned up after execution
+* The role automatically configures the OpenShift image registry for external access:
+  - Enables the default route if not already enabled
+  - Auto-detects the registry hostname from the route

roles/fdp_update_container_images/defaults/main.yml

@@ -0,0 +1,73 @@
+---
+# Copyright Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+# ============================================================================
+# Base Configuration
+# ============================================================================
+
+# Base directory for artifacts and temporary files
+cifmw_fdp_update_container_images_basedir: "{{ cifmw_basedir | default(ansible_user_dir ~ '/ci-framework-data') }}"
+
+# OpenShift namespace where OpenStack is deployed
+cifmw_fdp_update_container_images_namespace: "openstack"
+
+# Name of the OpenStackVersion custom resource
+cifmw_fdp_update_container_images_openstack_cr_name: "controlplane"
+
+# Target package to update (REQUIRED - must be set by user)
+cifmw_fdp_update_container_images_target_package: ""
+
+# List of images to update with the target package
+# Only these images will be updated (no package scanning is performed)
+cifmw_fdp_update_container_images_images_to_scan:
+  - ovnControllerImage
+  - ovnControllerOvsImage
+  - ovnNbDbclusterImage
+  - ovnNorthdImage
+  - ovnSbDbclusterImage
+  - ceilometerSgcoreImage
+
+# Repository configuration
+cifmw_fdp_update_container_images_repo_name: "custom-repo"
+cifmw_fdp_update_container_images_repo_baseurl: ""  # REQUIRED - must be set by user
+cifmw_fdp_update_container_images_repo_enabled: 1
+cifmw_fdp_update_container_images_repo_gpgcheck: 0
+cifmw_fdp_update_container_images_repo_priority: 0
+cifmw_fdp_update_container_images_repo_sslverify: 0
+
+# Image registry configuration
+# External registry URL (for compute nodes/EDPM and pushing images)
+# Leave empty to auto-detect external route from OpenShift cluster
+cifmw_fdp_update_container_images_image_registry: ""
+
+# Internal registry URL (for OpenShift pods to pull images)
+# This is auto-detected and should not normally need to be changed
+cifmw_fdp_update_container_images_image_registry_internal: "image-registry.openshift-image-registry.svc:5000"
+
+# Image naming
+cifmw_fdp_update_container_images_image_name_prefix: "fdp-update"
+
+# Temporary directory for build context
+cifmw_fdp_update_container_images_temp_dir: ""
+
+# DNF update arguments
+cifmw_fdp_update_container_images_update_dnf_args: "--disablerepo='*' --enablerepo={{ cifmw_fdp_update_container_images_repo_name }}"
+
+# Internal variables (do not override)
+_cifmw_fdp_update_container_images_modified_images: []
+_cifmw_fdp_update_container_images_updated_cr_keys: []
+_cifmw_fdp_update_container_images_total_images: 0
+_cifmw_fdp_update_container_images_processed_images: 0

roles/fdp_update_container_images/meta/main.yml

@@ -0,0 +1,38 @@
+---
+# Copyright Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+galaxy_info:
+  author: Red Hat
+  description: Update RPM packages in OpenStack container images
+  company: Red Hat
+  license: Apache-2.0
+  min_ansible_version: "2.15"
+  platforms:
+    - name: Fedora
+      versions:
+        - all
+    - name: EL
+      versions:
+        - "9"
+  galaxy_tags:
+    - openstack
+    - containers
+    - kubernetes
+    - openshift
+    - podman
+    - rpm
+
+dependencies: []

roles/fdp_update_container_images/tasks/authenticate_registry.yml

@@ -0,0 +1,27 @@
+---
+# Copyright Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- name: Create registry token
+  ansible.builtin.command: oc create token builder -n {{ cifmw_fdp_update_container_images_namespace }}
+  register: _cifmw_fdp_update_container_images_token
+  changed_when: false
+
+- name: Authenticate podman with TLS verification
+  containers.podman.podman_login:
+    username: unused
+    password: "{{ _cifmw_fdp_update_container_images_token.stdout }}"
+    registry: "{{ cifmw_fdp_update_container_images_image_registry }}"
+  no_log: true

roles/fdp_update_container_images/tasks/configure_ca_cert.yml

@@ -0,0 +1,40 @@
+---
+# Copyright Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- name: Get OpenShift ingress CA certificate
+  kubernetes.core.k8s_info:
+    api_version: v1
+    kind: Secret
+    name: router-ca
+    namespace: openshift-ingress-operator
+  register: _cifmw_fdp_update_container_images_ca_secret
+
+- name: Extract CA certificate from secret
+  ansible.builtin.set_fact:
+    _cifmw_fdp_update_container_images_ca_cert_b64:
+      stdout: "{{ _cifmw_fdp_update_container_images_ca_secret.resources[0].data['tls.crt'] }}"
+
+- name: Decode CA certificate
+  ansible.builtin.copy:
+    content: "{{ _cifmw_fdp_update_container_images_ca_cert_b64.stdout | b64decode }}"
+    dest: /etc/pki/ca-trust/source/anchors/openshift-registry-ca.crt
+    mode: '0644'
+  become: true
+
+- name: Update CA trust
+  ansible.builtin.command: update-ca-trust extract
+  become: true
+  changed_when: true