[fdp_update_container_images] FDP control plane update role

Implement container image rebuild automation for FDP updates:
- Role fdp_update_container_images: Rebuilds container images with updated packages
  * Jinja2 templates for Dockerfile and repo configuration
- Integration in post-deployment.yml with variable validation
- Zuul CI configuration for automated testing

This role enables updating Fast Data Path components in OpenStack
control plane containers by rebuilding images with updated RPM packages
from a specified repository. Part of the broader FDP update workflow,
focusing specifically on container image management.

Assisted-By: Claude <[email protected]>
Signed-off-by: Miguel Angel Nieto Jimenez <[email protected]>

Author: mnietoji

docs/dictionary/en-custom.txt

@@ -186,6 +186,7 @@ ezzmy
 favorit
 fbqufbqkfbzxrja
 fci
+fdp
 fedoraproject
 fil
 filesystem

post-deployment.yml

@@ -26,6 +26,34 @@
       tags:
         - compliance
 
+    # FDP Update - OpenStack package updates across all layers
+    - name: FDP Update - Validate required variables
+      when: cifmw_fdp_update_enabled | default(false) | bool
+      tags:
+        - fdp-update
+      block:
+        - name: Validate required variables are set
+          ansible.builtin.assert:
+            that:
+              - cifmw_fdp_update_target_package is defined
+              - cifmw_fdp_update_target_package | length > 0
+              - cifmw_fdp_update_repo_baseurl is defined
+              - cifmw_fdp_update_repo_baseurl | length > 0
+            fail_msg: |
+              Required variables are missing!
+
+              You must set:
+                - cifmw_fdp_update_target_package: Name of the RPM package to update
+                - cifmw_fdp_update_repo_baseurl: Repository base URL containing the updated package
+            success_msg: "Required variables validated successfully"
+
+        - name: Update control plane container images
+          ansible.builtin.import_role:
+            name: fdp_update_container_images
+          vars:
+            cifmw_fdp_update_container_images_target_package: "{{ cifmw_fdp_update_target_package }}"
+            cifmw_fdp_update_container_images_repo_baseurl: "{{ cifmw_fdp_update_repo_baseurl }}"
+
 - name: Run compliance scan for computes
   hosts: "{{ groups['computes'] | default ([]) }}"
   gather_facts: true

roles/fdp_update_container_images/README.md

@@ -0,0 +1,120 @@
+# fdp_update_container_images
+
+Ansible role to update specific RPM packages in OpenStack container images by rebuilding them with custom repositories.
+
+This role automates the process of:
+1. Fetching container images from OpenStackVersion CR
+2. Checking if target package exists in each image
+3. Building new images with updated packages from custom repository
+4. Pushing updated images to OpenShift internal registry
+5. Patching OpenStackVersion CR to use the new images
+
+## Privilege escalation
+None - Runs as the user executing Ansible
+
+## Parameters
+
+* `cifmw_fdp_update_container_images_basedir`: (String) Base directory. Defaults to `cifmw_basedir` which defaults to `~/ci-framework-data`.
+* `cifmw_fdp_update_container_images_namespace`: (String) OpenShift namespace where OpenStack is deployed. Defaults to `openstack`.
+* `cifmw_fdp_update_container_images_openstack_cr_name`: (String) Name of the OpenStackVersion CR. Defaults to `controlplane`.
+* `cifmw_fdp_update_container_images_target_package`: (String) Name of the RPM package to update (e.g., `ovn24.03`). **Required**.
+* `cifmw_fdp_update_container_images_images_to_scan`: (List) List of container image keys to update. Only these images will be processed. Defaults to `['ovnControllerImage', 'ovnControllerOvsImage', 'ovnNbDbclusterImage', 'ovnNorthdImage', 'ovnSbDbclusterImage', 'ceilometerSgcoreImage']`.
+* `cifmw_fdp_update_container_images_repo_name`: (String) Repository name. Defaults to `custom-repo`.
+* `cifmw_fdp_update_container_images_repo_baseurl`: (String) Repository base URL. **Required**.
+* `cifmw_fdp_update_container_images_repo_enabled`: (Integer) Enable repository (0 or 1). Defaults to `1`.
+* `cifmw_fdp_update_container_images_repo_gpgcheck`: (Integer) Enable GPG check (0 or 1). Defaults to `0`.
+* `cifmw_fdp_update_container_images_repo_priority`: (Integer) Repository priority. Defaults to `0`.
+* `cifmw_fdp_update_container_images_repo_sslverify`: (Integer) Enable SSL verification (0 or 1). Defaults to `0`.
+* `cifmw_fdp_update_container_images_image_registry`: (String) External OpenShift image registry URL. Auto-detected from cluster if not specified. Leave empty for auto-detection.
+* `cifmw_fdp_update_container_images_image_registry_internal`: (String) Internal OpenShift image registry URL. Defaults to `image-registry.openshift-image-registry.svc:5000`.
+* `cifmw_fdp_update_container_images_image_name_prefix`: (String) Prefix for new image names. Defaults to `fdp-update`.
+* `cifmw_fdp_update_container_images_temp_dir`: (String) Temporary directory for build context. Auto-generated if not specified.
+* `cifmw_fdp_update_container_images_update_dnf_args`: (String) Additional arguments for dnf update command. Defaults to `--disablerepo='*' --enablerepo={{ cifmw_fdp_update_container_images_repo_name }}`.
+
+## Examples
+
+### Update OVN package in default images
+```yaml
+---
+- hosts: localhost
+  vars:
+    cifmw_fdp_update_container_images_target_package: "ovn24.03"
+    cifmw_fdp_update_container_images_repo_name: "custom-repo"
+    cifmw_fdp_update_container_images_repo_baseurl: "http://example.com/custom-repo/"
+    cifmw_fdp_update_container_images_namespace: "openstack"
+  roles:
+    - role: "fdp_update_container_images"
+```
+
+### Update with custom registry and image prefix
+```yaml
+---
+- hosts: localhost
+  vars:
+    cifmw_fdp_update_container_images_target_package: "ovn24.03"
+    cifmw_fdp_update_container_images_repo_baseurl: "http://custom-repo.example.com/repo/"
+    cifmw_fdp_update_container_images_image_registry: "registry.example.com"
+    cifmw_fdp_update_container_images_image_name_prefix: "ovn-hotfix"
+  roles:
+    - role: "fdp_update_container_images"
+```
+
+### Update with specific DNF arguments
+```yaml
+---
+- hosts: localhost
+  vars:
+    cifmw_fdp_update_container_images_target_package: "neutron-ovn-metadata-agent"
+    cifmw_fdp_update_container_images_repo_baseurl: "http://custom-repo.example.com/repo/"
+    cifmw_fdp_update_container_images_update_dnf_args: "--disablerepo='*' --enablerepo={{ cifmw_fdp_update_container_images_repo_name }} --nobest"
+  roles:
+    - role: "fdp_update_container_images"
+```
+
+### Update specific images only
+```yaml
+---
+- hosts: localhost
+  vars:
+    cifmw_fdp_update_container_images_target_package: "ovn24.03"
+    cifmw_fdp_update_container_images_repo_baseurl: "http://custom-repo.example.com/repo/"
+    cifmw_fdp_update_container_images_images_to_scan:
+      - ovnControllerImage
+      - ovnNorthdImage
+  roles:
+    - role: "fdp_update_container_images"
+```
+
+## How it works
+
+1. **Registry Setup**:
+   - Enables the default route for OpenShift image registry
+   - Auto-detects the registry hostname or uses the configured value
+2. **Authentication**: Obtains a token from OpenShift and authenticates with the internal registry using TLS
+3. **Image Discovery**: Queries the OpenStackVersion CR for all container images
+4. **Package Check**: For each image, creates a temporary container to check if the target package is installed
+5. **Image Build**: If the package exists, builds a new image with the updated package from the custom repository
+6. **Registry Push**: Pushes the new image to the OpenShift internal registry
+7. **CR Update**: Patches the OpenStackVersion CR's `spec.customContainerImages` field with the new image reference
+8. **Summary**: Provides a summary of all updated images
+
+## Requirements
+
+* OpenShift CLI (`oc`) must be available
+* Podman must be installed and accessible
+* User must have permissions to:
+  - Create tokens in the target namespace
+  - Get and patch OpenStackVersion CRs
+  - Push images to the internal registry
+  - Patch image registry configuration (`configs.imageregistry.operator.openshift.io/cluster`)
+
+## Notes
+
+* The role uses podman to build and push images with TLS verification
+* Each updated image gets a unique tag with timestamp: `<prefix>-<image-key>-<timestamp>`
+* Only images containing the target package will be updated
+* The role cleans up temporary containers automatically
+* All build contexts are created in a temporary directory that is cleaned up after execution
+* The role automatically configures the OpenShift image registry for external access:
+  - Enables the default route if not already enabled
+  - Auto-detects the registry hostname from the route

roles/fdp_update_container_images/defaults/main.yml

@@ -0,0 +1,67 @@
+---
+# Copyright Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+# ============================================================================
+# Base Configuration
+# ============================================================================
+
+# Base directory for artifacts and temporary files
+cifmw_fdp_update_container_images_basedir: "{{ cifmw_basedir | default(ansible_user_dir ~ '/ci-framework-data') }}"
+
+# OpenShift namespace where OpenStack is deployed
+cifmw_fdp_update_container_images_namespace: "openstack"
+
+# Name of the OpenStackVersion custom resource
+cifmw_fdp_update_container_images_openstack_cr_name: "controlplane"
+
+# Target package to update (REQUIRED - must be set by user)
+cifmw_fdp_update_container_images_target_package: ""
+
+# List of images to update with the target package
+# Only these images will be updated (no package scanning is performed)
+cifmw_fdp_update_container_images_images_to_scan:
+  - ovnControllerImage
+  - ovnControllerOvsImage
+  - ovnNbDbclusterImage
+  - ovnNorthdImage
+  - ovnSbDbclusterImage
+  - ceilometerSgcoreImage
+
+# Repository configuration
+cifmw_fdp_update_container_images_repo_name: "custom-repo"
+cifmw_fdp_update_container_images_repo_baseurl: ""  # REQUIRED - must be set by user
+cifmw_fdp_update_container_images_repo_enabled: 1
+cifmw_fdp_update_container_images_repo_gpgcheck: 0
+cifmw_fdp_update_container_images_repo_priority: 0
+cifmw_fdp_update_container_images_repo_sslverify: 0
+
+# Image registry configuration
+# External registry URL (for compute nodes/EDPM and pushing images)
+# Leave empty to auto-detect external route from OpenShift cluster
+cifmw_fdp_update_container_images_image_registry: ""
+
+# Internal registry URL (for OpenShift pods to pull images)
+# This is auto-detected and should not normally need to be changed
+cifmw_fdp_update_container_images_image_registry_internal: "image-registry.openshift-image-registry.svc:5000"
+
+# Image naming
+cifmw_fdp_update_container_images_image_name_prefix: "fdp-update"
+
+# Temporary directory for build context
+cifmw_fdp_update_container_images_temp_dir: ""
+
+# DNF update arguments
+cifmw_fdp_update_container_images_update_dnf_args: "--disablerepo='*' --enablerepo={{ cifmw_fdp_update_container_images_repo_name }}"

roles/fdp_update_container_images/meta/main.yml

@@ -0,0 +1,38 @@
+---
+# Copyright Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+galaxy_info:
+  author: Red Hat
+  description: Update RPM packages in OpenStack container images
+  company: Red Hat
+  license: Apache-2.0
+  min_ansible_version: "2.15"
+  platforms:
+    - name: Fedora
+      versions:
+        - all
+    - name: EL
+      versions:
+        - "9"
+  galaxy_tags:
+    - openstack
+    - containers
+    - kubernetes
+    - openshift
+    - podman
+    - rpm
+
+dependencies: []

roles/fdp_update_container_images/tasks/authenticate_registry.yml

@@ -0,0 +1,28 @@
+---
+# Copyright Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- name: Create registry token
+  ansible.builtin.command: oc create token builder -n {{ cifmw_fdp_update_container_images_namespace }}
+  register: _cifmw_fdp_update_container_images_token
+  changed_when: false
+  no_log: true
+
+- name: Authenticate podman with TLS verification
+  containers.podman.podman_login:
+    username: unused
+    password: "{{ _cifmw_fdp_update_container_images_token.stdout }}"
+    registry: "{{ cifmw_fdp_update_container_images_image_registry }}"
+  no_log: true

roles/fdp_update_container_images/tasks/configure_ca_cert.yml

@@ -0,0 +1,40 @@
+---
+# Copyright Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- name: Get OpenShift ingress CA certificate
+  kubernetes.core.k8s_info:
+    api_version: v1
+    kind: Secret
+    name: router-ca
+    namespace: openshift-ingress-operator
+  register: _cifmw_fdp_update_container_images_ca_secret
+
+- name: Extract CA certificate from secret
+  ansible.builtin.set_fact:
+    _cifmw_fdp_update_container_images_ca_cert_b64:
+      stdout: "{{ _cifmw_fdp_update_container_images_ca_secret.resources[0].data['tls.crt'] }}"
+
+- name: Decode CA certificate
+  ansible.builtin.copy:
+    content: "{{ _cifmw_fdp_update_container_images_ca_cert_b64.stdout | b64decode }}"
+    dest: /etc/pki/ca-trust/source/anchors/openshift-registry-ca.crt
+    mode: '0644'
+  become: true
+
+- name: Update CA trust
+  ansible.builtin.command: update-ca-trust extract
+  become: true
+  changed_when: true

roles/fdp_update_container_images/tasks/detect_registry.yml

@@ -0,0 +1,50 @@
+---
+# Copyright Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- name: Enable OpenShift registry route
+  kubernetes.core.k8s:
+    api_version: imageregistry.operator.openshift.io/v1
+    kind: Config
+    name: cluster
+    state: patched
+    definition:
+      spec:
+        defaultRoute: true
+  register: _cifmw_fdp_update_container_images_enable_route
+  failed_when: false
+
+- name: Wait for route
+  ansible.builtin.pause:
+    seconds: 10
+  when: _cifmw_fdp_update_container_images_enable_route is not failed
+
+- name: Get registry route
+  kubernetes.core.k8s_info:
+    api_version: route.openshift.io/v1
+    kind: Route
+    name: default-route
+    namespace: openshift-image-registry
+  register: _cifmw_fdp_update_container_images_route_info
+  failed_when: false
+
+- name: Verify registry URL
+  ansible.builtin.fail:
+    msg: "Failed to determine registry URL. Set cifmw_fdp_update_container_images_image_registry manually."
+  when: (_cifmw_fdp_update_container_images_route_info.resources | length == 0)
+
+- name: Set registry URL
+  ansible.builtin.set_fact:
+    cifmw_fdp_update_container_images_image_registry: "{{ _cifmw_fdp_update_container_images_route_info.resources[0].spec.host }}"