Add cifmw_ocp_agent_installer role

This is a port of the OCP Agent Installer role used in hotstack.

I used Claude 4 Sonnet to rename all the variables, and removed some
hotstack specific snapshot features.

Follow up changes to integrate this with other ci-framework would
follow, and that will most likely also mean edits to this role.

Assisted-By: Claude Code/claude-sonnet-4
Signed-off-by: Harald Jensås <[email protected]>

Author: hjensas

roles/ocp_agent_installer/README.md

@@ -0,0 +1,12 @@
+# cifmw_ocp_agent_installer
+
+> **NOTE**: This Work-in-Progress ...
+
+
+* Create PXE bootstrap-artifects using the OCP Agent Installer
+* Customizations:
+  * Cnable iscsi
+  * Enable multipath
+  * Stand up cinder-volumes LVM
+  * Extra config for OVN-Kubernetes
+  * Etcd hardware speed (Slower)

roles/ocp_agent_installer/defaults/main.yml

@@ -0,0 +1,74 @@
+---
+# Copyright Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+# Can be one of ['pxe', 'iso']
+cifmw_ocp_agent_installer_bootstrap_assets: pxe
+cifmw_ocp_agent_installer_add_ingress_cert_to_ca_trust: true
+
+cifmw_ocp_agent_installer_openshift_version: stable-4.18
+cifmw_ocp_agent_installer_mirror_url: https://mirror.openshift.com/pub/openshift-v4/x86_64/clients/ocp
+cifmw_ocp_agent_installer_client_url: "{{ cifmw_ocp_agent_installer_mirror_url }}/{{ cifmw_ocp_agent_installer_openshift_version }}/openshift-client-linux.tar.gz"
+cifmw_ocp_agent_installer_installer_url: "{{ cifmw_ocp_agent_installer_mirror_url }}/{{ cifmw_ocp_agent_installer_openshift_version }}/openshift-install-linux.tar.gz"
+
+cifmw_ocp_agent_installer_base_dir: "{{ cifmw_basedir | default(ansible_user_dir ~ '/ci-framework-data') }}/ocp-agent-installer"
+cifmw_ocp_agent_installer_bin_dir: "{{ ansible_user_dir }}/bin"
+cifmw_ocp_agent_installer_kube_config_dir: "{{ ansible_user_dir }}/.kube"
+cifmw_ocp_agent_installer_cluster_dir: "{{ cifmw_ocp_agent_installer_base_dir }}/ocp-cluster"
+cifmw_ocp_agent_installer_manifests_dir: "{{ cifmw_ocp_agent_installer_cluster_dir }}/openshift"
+cifmw_ocp_agent_installer_agent_installer_dir: "{{ cifmw_ocp_agent_installer_base_dir }}/agent-installer"
+cifmw_ocp_agent_installer_cluster_custom_config_dir: "{{ cifmw_ocp_agent_installer_base_dir }}/cluster-custom-config/"
+cifmw_ocp_agent_installer_butane_dir: "{{ cifmw_ocp_agent_installer_cluster_custom_config_dir }}/butane"
+cifmw_ocp_agent_installer_machine_configs_dir: "{{ cifmw_ocp_agent_installer_cluster_custom_config_dir }}/machine-configs"
+cifmw_ocp_agent_installer_config_assets_dir: "{{ cifmw_ocp_agent_installer_cluster_custom_config_dir }}/config-assets"
+
+cifmw_ocp_agent_installer_boot_artifacts_dir: /var/www/html/boot-artifacts
+
+cifmw_ocp_agent_installer_install_config:
+cifmw_ocp_agent_installer_agent_config:
+cifmw_ocp_agent_installer_pull_secret:
+
+cifmw_ocp_agent_installer_cinder_volume_pvs: []
+cifmw_ocp_agent_installer_cinder_volume_roles:
+  - master
+cifmw_ocp_agent_installer_enable_multipath: false
+cifmw_ocp_agent_installer_multipath_roles:
+  - master
+cifmw_ocp_agent_installer_enable_iscsi: false
+cifmw_ocp_agent_installer_iscsi_roles:
+  - master
+cifmw_ocp_agent_installer_disable_net_ifnames: true
+cifmw_ocp_agent_installer_net_ifnames_roles:
+  - master
+
+# OVN Configuration
+cifmw_ocp_agent_installer_enable_ovn_k8s_overrides: true
+cifmw_ocp_agent_installer_ovn_k8s_gateway_config_ip_forwarding: true
+cifmw_ocp_agent_installer_ovn_k8s_gateway_config_host_routing: false
+
+# Etcd - set to true for controlPlaneHardwareSpeed = Slower
+# https://www.redhat.com/en/blog/introducing-selectable-profiles-for-etcd
+cifmw_ocp_agent_installer_enable_etcd_hardware_speed_slow: true
+
+cifmw_ocp_agent_installer_enable_image_content_source_policy: false
+# To enable ImageContentSourcePolicy (ICSP), set this variable to contain the value
+# for the ICSP spec's repositoryDigestMirrors field.
+cifmw_ocp_agent_installer_image_content_source_policy_mirrors: []
+
+cifmw_ocp_agent_installer_enable_additional_trusted_ca: false
+cifmw_ocp_agent_installer_ocp_additional_trusted_ca:
+  - name: registry-proxy.engineering.redhat.com
+    url: https://url.corp.redhat.com/hotstack-ca

roles/ocp_agent_installer/files/additional-trusted-ca-config-image.yaml

@@ -0,0 +1,8 @@
+---
+apiVersion: config.openshift.io/v1
+kind: Image
+metadata:
+  name: cluster
+spec:
+  additionalTrustedCA:
+    name: hotstack-additional-trusted-ca

roles/ocp_agent_installer/files/etcd-config.yaml

@@ -0,0 +1,8 @@
+---
+apiVersion: operator.openshift.io/v1
+kind: Etcd
+metadata:
+  name: cluster
+spec:
+  controlPlaneHardwareSpeed: Slower
+  managementState: Managed

roles/ocp_agent_installer/meta/main.yml

@@ -0,0 +1,15 @@
+---
+# Copyright Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.

roles/ocp_agent_installer/tasks/additional_ca.yml

@@ -0,0 +1,53 @@
+---
+# Copyright Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- name: Assert
+  ansible.builtin.assert:
+    that:
+      - ca.name is defined
+      - ca.name | length > 0
+      - ca.url is defined or ca.data is defined
+      - (
+          ca.url | length > 0 or
+          ca.data | length > 0
+        )
+
+- name: Download the CA bundle if url
+  when: ca.url is defined
+  ansible.builtin.uri:
+    url: "{{ ca.url }}"
+    method: get
+    return_content: true
+    validate_certs: false
+  register: __get_ca_from_url_result
+  ignore_errors: true
+
+- name: Append to _ocp_additional_trusted_ca_map
+  when: (
+          ca.data is defined or
+          (
+            ca.url is defined and
+            not __get_ca_from_url_result.failed
+          )
+        )
+  ansible.builtin.set_fact:
+    _ocp_additional_trusted_ca_map: >-
+      {{
+        _ocp_additional_trusted_ca_map |
+        combine(
+          {ca.name: ca.data | default(__get_ca_from_url_result.content)}
+        )
+      }}

roles/ocp_agent_installer/tasks/config_assets.yml

@@ -0,0 +1,94 @@
+---
+# Copyright Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- name: Template ovn-k8s customization
+  when: cifmw_ocp_agent_installer_enable_ovn_k8s_overrides | bool
+  ansible.builtin.template:
+    src: ovn-k8s-config.j2
+    dest: >-
+      {{
+        [
+          cifmw_ocp_agent_installer_config_assets_dir,
+          'ovn_k8s_config.yaml'
+        ] | ansible.builtin.path_join
+      }}
+    mode: '0644'
+
+- name: Copy Etcd customization
+  when: cifmw_ocp_agent_installer_enable_etcd_hardware_speed_slow | bool
+  ansible.builtin.copy:
+    src: etcd-config.yaml
+    dest: >-
+      {{
+        [
+          cifmw_ocp_agent_installer_config_assets_dir,
+          '95-etcd_config.yaml'
+        ] | ansible.builtin.path_join
+      }}
+    mode: '0644'
+
+- name: Template ImageContentSourcePolicy customization
+  when: cifmw_ocp_agent_installer_enable_image_content_source_policy | bool
+  ansible.builtin.template:
+    src: image-content-source-policy.yaml.j2
+    dest: >-
+      {{
+        [
+          cifmw_ocp_agent_installer_config_assets_dir,
+          '95-image-content-source-policy.yaml'
+        ] | ansible.builtin.path_join
+      }}
+    mode: '0644'
+
+- name: Additional trusted CA
+  when:
+    - cifmw_ocp_agent_installer_enable_additional_trusted_ca | bool
+    - cifmw_ocp_agent_installer_ocp_additional_trusted_ca is defined
+    - cifmw_ocp_agent_installer_ocp_additional_trusted_ca | length > 0
+  block:
+    - name: Initialize _ocp_additional_trusted_ca_map fact
+      ansible.builtin.set_fact:
+        _ocp_additional_trusted_ca_map: {}
+
+    - name: Append to _ocp_additional_trusted_ca_map fact
+      ansible.builtin.include_tasks: additional_ca.yml
+      loop: "{{ cifmw_ocp_agent_installer_ocp_additional_trusted_ca }}"
+      loop_control:
+        loop_var: ca
+
+    - name: Template additional CA config map
+      ansible.builtin.template:
+        src: additional-trusted-ca-config-map.yaml.j2
+        dest: >-
+          {{
+            [
+              cifmw_ocp_agent_installer_config_assets_dir,
+              '93-additional-ca-config-map.yaml'
+            ] | ansible.builtin.path_join
+          }}
+        mode: '0644'
+
+    - name: Copy additional CA config image
+      ansible.builtin.copy:
+        src: additional-trusted-ca-config-image.yaml
+        dest: >-
+          {{
+            [
+              cifmw_ocp_agent_installer_config_assets_dir,
+              '94-additional-ca-config-image.yaml'
+            ] | ansible.builtin.path_join
+          }}
+        mode: '0644'

roles/ocp_agent_installer/tasks/ingress_cert.yml

@@ -0,0 +1,39 @@
+---
+# Copyright Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- name: Extract ingress CA cert
+  register: _ingress_cert
+  ansible.builtin.shell: |
+    POD_NAME=$({{ cifmw_ocp_agent_installer_bin_dir }}/oc get pods -n openshift-authentication -o jsonpath='{.items[0].metadata.name}')
+    {{ cifmw_ocp_agent_installer_bin_dir }}/oc rsh -n openshift-authentication $POD_NAME \
+      cat /run/secrets/kubernetes.io/serviceaccount/ca.crt
+  retries: 10
+  delay: 10
+  until: _ingress_cert.rc == 0
+
+- name: Write ingress cert to ca-trust
+  become: true
+  ansible.builtin.copy:
+    content: "{{ _ingress_cert.stdout }}"
+    dest: /etc/pki/ca-trust/source/anchors/ingress-ca.crt
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: Update CA trust
+  become: true
+  ansible.builtin.command:
+    cmd: update-ca-trust

roles/ocp_agent_installer/tasks/install_client.yml

@@ -0,0 +1,47 @@
+---
+# Copyright Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- name: Download the client
+  ansible.builtin.get_url:
+    url: "{{ cifmw_ocp_agent_installer_client_url }}"
+    dest: >-
+      {{
+        [
+          cifmw_ocp_agent_installer_agent_installer_dir,
+          'openshift-client-linux.tar.gz'
+        ] | ansible.builtin.path_join
+      }}
+    mode: '0644'
+
+- name: Extract client to /home/zuul/bin
+  ansible.builtin.unarchive:
+    src: >-
+      {{
+        [
+          cifmw_ocp_agent_installer_agent_installer_dir,
+          'openshift-client-linux.tar.gz'
+        ] | ansible.builtin.path_join
+      }}
+    dest: "{{ cifmw_ocp_agent_installer_bin_dir }}"
+    remote_src: true
+    creates: "{{ cifmw_ocp_agent_installer_bin_dir }}/oc"
+
+- name: Configure bash completion
+  become: true
+  ansible.builtin.shell: |
+    {{ cifmw_ocp_agent_installer_bin_dir }}/oc completion bash > /etc/bash_completion.d/oc_bash_completion
+  args:
+    creates: /etc/bash_completion.d/oc_bash_completion

roles/ocp_agent_installer/tasks/install_installer.yml

@@ -0,0 +1,40 @@
+---
+# Copyright Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- name: Download the installer
+  ansible.builtin.get_url:
+    url: "{{ cifmw_ocp_agent_installer_installer_url }}"
+    dest: >-
+      {{
+        [
+          cifmw_ocp_agent_installer_agent_installer_dir,
+          'openshift-install-linux.tar.gz'
+        ] | ansible.builtin.path_join
+      }}
+    mode: '0644'
+
+- name: Extract installer to /home/zuul/bin
+  ansible.builtin.unarchive:
+    src: >-
+      {{
+        [
+          cifmw_ocp_agent_installer_agent_installer_dir,
+          'openshift-install-linux.tar.gz'
+        ] | ansible.builtin.path_join
+      }}
+    dest: "{{ cifmw_ocp_agent_installer_bin_dir }}"
+    remote_src: true
+    creates: "{{ cifmw_ocp_agent_installer_bin_dir }}/openshift-install"