diff --git a/docs/dictionary/en-custom.txt b/docs/dictionary/en-custom.txt index 1c4ee523ce..7c816e0703 100644 --- a/docs/dictionary/en-custom.txt +++ b/docs/dictionary/en-custom.txt @@ -186,6 +186,7 @@ ezzmy favorit fbqufbqkfbzxrja fci +fdp fedoraproject fil filesystem diff --git a/post-deployment.yml b/post-deployment.yml index b0e66a41ce..869ae9b853 100644 --- a/post-deployment.yml +++ b/post-deployment.yml @@ -26,6 +26,34 @@ tags: - compliance + # FDP Update - OpenStack package updates across all layers + - name: FDP Update - Validate required variables + when: cifmw_fdp_update_enabled | default(false) | bool + tags: + - fdp-update + block: + - name: Validate required variables are set + ansible.builtin.assert: + that: + - cifmw_fdp_update_target_package is defined + - cifmw_fdp_update_target_package | length > 0 + - cifmw_fdp_update_repo_baseurl is defined + - cifmw_fdp_update_repo_baseurl | length > 0 + fail_msg: | + Required variables are missing! + + You must set: + - cifmw_fdp_update_target_package: Name of the RPM package to update + - cifmw_fdp_update_repo_baseurl: Repository base URL containing the updated package + success_msg: "Required variables validated successfully" + + - name: Update control plane container images + ansible.builtin.import_role: + name: fdp_update_container_images + vars: + cifmw_fdp_update_container_images_target_package: "{{ cifmw_fdp_update_target_package }}" + cifmw_fdp_update_container_images_repo_baseurl: "{{ cifmw_fdp_update_repo_baseurl }}" + - name: Run compliance scan for computes hosts: "{{ groups['computes'] | default ([]) }}" gather_facts: true diff --git a/roles/fdp_update_container_images/README.md b/roles/fdp_update_container_images/README.md new file mode 100644 index 0000000000..50875c80f5 --- /dev/null +++ b/roles/fdp_update_container_images/README.md 
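Review bot: The block added to post-deployment.yml is named "FDP Update - Validate required variables", yet it also imports `fdp_update_container_images`, which rebuilds images and patches the OpenStackVersion CR. Log output and `--tags fdp-update` runs will therefore show a cluster-changing step under a validation label. A name such as `FDP Update - Update control plane container images` would match what the block does. The comment above it says "across all layers", but only the control-plane image role is wired in here. The play that contains this task list starts outside the hunk, so the host these tasks run on cannot be confirmed from here.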
@@ -0,0 +1,120 @@ +# fdp_update_container_images + +Ansible role to update specific RPM packages in OpenStack container images by rebuilding them with custom repositories. + +This role automates the process of: +1. Fetching container images from OpenStackVersion CR +2. Checking if target package exists in each image +3. Building new images with updated packages from custom repository +4. Pushing updated images to OpenShift internal registry +5. Patching OpenStackVersion CR to use the new images + +## Privilege escalation +None - Runs as the user executing Ansible + +## Parameters + +* `cifmw_fdp_update_container_images_basedir`: (String) Base directory. Defaults to `cifmw_basedir` which defaults to `~/ci-framework-data`. +* `cifmw_fdp_update_container_images_namespace`: (String) OpenShift namespace where OpenStack is deployed. Defaults to `openstack`. +* `cifmw_fdp_update_container_images_openstack_cr_name`: (String) Name of the OpenStackVersion CR. Defaults to `controlplane`. +* `cifmw_fdp_update_container_images_target_package`: (String) Name of the RPM package to update (e.g., `ovn24.03`). **Required**. +* `cifmw_fdp_update_container_images_images_to_scan`: (List) List of container image keys to update. Only these images will be processed. Defaults to `['ovnControllerImage', 'ovnControllerOvsImage', 'ovnNbDbclusterImage', 'ovnNorthdImage', 'ovnSbDbclusterImage', 'ceilometerSgcoreImage']`. +* `cifmw_fdp_update_container_images_repo_name`: (String) Repository name. Defaults to `custom-repo`. +* `cifmw_fdp_update_container_images_repo_baseurl`: (String) Repository base URL. **Required**. +* `cifmw_fdp_update_container_images_repo_enabled`: (Integer) Enable repository (0 or 1). Defaults to `1`. +* `cifmw_fdp_update_container_images_repo_gpgcheck`: (Integer) Enable GPG check (0 or 1). Defaults to `0`. +* `cifmw_fdp_update_container_images_repo_priority`: (Integer) Repository priority. Defaults to `0`. 
+* `cifmw_fdp_update_container_images_repo_sslverify`: (Integer) Enable SSL verification (0 or 1). Defaults to `0`. +* `cifmw_fdp_update_container_images_image_registry`: (String) External OpenShift image registry URL. Auto-detected from cluster if not specified. Leave empty for auto-detection. +* `cifmw_fdp_update_container_images_image_registry_internal`: (String) Internal OpenShift image registry URL. Defaults to `image-registry.openshift-image-registry.svc:5000`. +* `cifmw_fdp_update_container_images_image_name_prefix`: (String) Prefix for new image names. Defaults to `fdp-update`. +* `cifmw_fdp_update_container_images_temp_dir`: (String) Temporary directory for build context. Auto-generated if not specified. +* `cifmw_fdp_update_container_images_update_dnf_args`: (String) Additional arguments for dnf update command. Defaults to `--disablerepo='*' --enablerepo={{ cifmw_fdp_update_container_images_repo_name }}`. + +## Examples + +### Update OVN package in default images +```yaml +--- +- hosts: localhost + vars: + cifmw_fdp_update_container_images_target_package: "ovn24.03" + cifmw_fdp_update_container_images_repo_name: "custom-repo" + cifmw_fdp_update_container_images_repo_baseurl: "http://example.com/custom-repo/" + cifmw_fdp_update_container_images_namespace: "openstack" + roles: + - role: "fdp_update_container_images" +``` + +### Update with custom registry and image prefix +```yaml +--- +- hosts: localhost + vars: + cifmw_fdp_update_container_images_target_package: "ovn24.03" + cifmw_fdp_update_container_images_repo_baseurl: "http://custom-repo.example.com/repo/" + cifmw_fdp_update_container_images_image_registry: "registry.example.com" + cifmw_fdp_update_container_images_image_name_prefix: "ovn-hotfix" + roles: + - role: "fdp_update_container_images" +``` + +### Update with specific DNF arguments +```yaml +--- +- hosts: localhost + vars: + cifmw_fdp_update_container_images_target_package: "neutron-ovn-metadata-agent" + 
cifmw_fdp_update_container_images_repo_baseurl: "http://custom-repo.example.com/repo/" + cifmw_fdp_update_container_images_update_dnf_args: "--disablerepo='*' --enablerepo={{ cifmw_fdp_update_container_images_repo_name }} --nobest" + roles: + - role: "fdp_update_container_images" +``` + +### Update specific images only +```yaml +--- +- hosts: localhost + vars: + cifmw_fdp_update_container_images_target_package: "ovn24.03" + cifmw_fdp_update_container_images_repo_baseurl: "http://custom-repo.example.com/repo/" + cifmw_fdp_update_container_images_images_to_scan: + - ovnControllerImage + - ovnNorthdImage + roles: + - role: "fdp_update_container_images" +``` + +## How it works + +1. **Registry Setup**: + - Enables the default route for OpenShift image registry + - Auto-detects the registry hostname or uses the configured value +2. **Authentication**: Obtains a token from OpenShift and authenticates with the internal registry using TLS +3. **Image Discovery**: Queries the OpenStackVersion CR for all container images +4. **Package Check**: For each image, creates a temporary container to check if the target package is installed +5. **Image Build**: If the package exists, builds a new image with the updated package from the custom repository +6. **Registry Push**: Pushes the new image to the OpenShift internal registry +7. **CR Update**: Patches the OpenStackVersion CR's `spec.customContainerImages` field with the new image reference +8. 
**Summary**: Provides a summary of all updated images + +## Requirements + +* OpenShift CLI (`oc`) must be available +* Podman must be installed and accessible +* User must have permissions to: + - Create tokens in the target namespace + - Get and patch OpenStackVersion CRs + - Push images to the internal registry + - Patch image registry configuration (`configs.imageregistry.operator.openshift.io/cluster`) + +## Notes + +* The role uses podman to build and push images with TLS verification +* Each updated image gets a unique tag with timestamp: `--` +* Only images containing the target package will be updated +* The role cleans up temporary containers automatically +* All build contexts are created in a temporary directory that is cleaned up after execution +* The role automatically configures the OpenShift image registry for external access: + - Enables the default route if not already enabled + - Auto-detects the registry hostname from the route diff --git a/roles/fdp_update_container_images/defaults/main.yml b/roles/fdp_update_container_images/defaults/main.yml new file mode 100644 index 0000000000..81c4c9b5e9 --- /dev/null +++ b/roles/fdp_update_container_images/defaults/main.yml 
@@ -0,0 +1,67 @@
+---
+# Copyright Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+# ============================================================================
+# Base Configuration
+# ============================================================================
+
+# Base directory for artifacts and temporary files
+cifmw_fdp_update_container_images_basedir: "{{ cifmw_basedir | default(ansible_user_dir ~ '/ci-framework-data') }}"
+
+# OpenShift namespace where OpenStack is deployed
+cifmw_fdp_update_container_images_namespace: "openstack"
+
+# Name of the OpenStackVersion custom resource
+cifmw_fdp_update_container_images_openstack_cr_name: "controlplane"
+
+# Target package to update (REQUIRED - must be set by user)
+cifmw_fdp_update_container_images_target_package: ""
+
+# List of images to update with the target package
+# Only these images will be updated (no package scanning is performed)
+cifmw_fdp_update_container_images_images_to_scan:
+ - ovnControllerImage
+ - ovnControllerOvsImage
+ - ovnNbDbclusterImage
+ - ovnNorthdImage
+ - ovnSbDbclusterImage
+ - ceilometerSgcoreImage
+
+# Repository configuration
+cifmw_fdp_update_container_images_repo_name: "custom-repo"
+cifmw_fdp_update_container_images_repo_baseurl: "" # REQUIRED - must be set by user
+cifmw_fdp_update_container_images_repo_enabled: 1
+cifmw_fdp_update_container_images_repo_gpgcheck: 0
+cifmw_fdp_update_container_images_repo_priority: 0
+cifmw_fdp_update_container_images_repo_sslverify: 0
+
+# Image registry configuration
+# External registry URL (for compute nodes/EDPM and pushing images)
+# Leave empty to auto-detect external route from OpenShift cluster
+cifmw_fdp_update_container_images_image_registry: ""
+
+# Internal registry URL (for OpenShift pods to pull images)
+# This is auto-detected and should not normally need to be changed
+cifmw_fdp_update_container_images_image_registry_internal: "image-registry.openshift-image-registry.svc:5000"
+
+# Image naming
+cifmw_fdp_update_container_images_image_name_prefix: "fdp-update"
+
+# Temporary directory for build context
+cifmw_fdp_update_container_images_temp_dir: ""
+
+# DNF update arguments
+cifmw_fdp_update_container_images_update_dnf_args: "--disablerepo='*' --enablerepo={{ cifmw_fdp_update_container_images_repo_name }}"
diff --git a/roles/fdp_update_container_images/meta/main.yml b/roles/fdp_update_container_images/meta/main.yml
new file mode 100644
index 0000000000..d727c787bd
--- /dev/null
+++ b/roles/fdp_update_container_images/meta/main.yml
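Review bot: `cifmw_fdp_update_container_images_repo_gpgcheck: 0` and `cifmw_fdp_update_container_images_repo_sslverify: 0` mean the rebuilt control-plane images install RPMs with neither signature nor TLS certificate verification unless the caller overrides both. The post-deployment.yml hunk passes only the package name and base URL, so these defaults are what that path uses. templates/repo.j2 renders the two values unchanged and the README examples use `http://` base URLs, so on the default path nothing checks the integrity of the package source. Defaulting both to `1`, with an explicit opt-out for unsigned test repositories, would be the safer baseline. At minimum add a comment above them such as `# WARNING: 0 disables package signature / TLS verification; use only with trusted CI repositories`.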
@@ -0,0 +1,38 @@
+---
+# Copyright Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+galaxy_info:
+ author: Red Hat
+ description: Update RPM packages in OpenStack container images
+ company: Red Hat
+ license: Apache-2.0
+ min_ansible_version: "2.15"
+ platforms:
+ - name: Fedora
+ versions:
+ - all
+ - name: EL
+ versions:
+ - "9"
+ galaxy_tags:
+ - openstack
+ - containers
+ - kubernetes
+ - openshift
+ - podman
+ - rpm
+
+dependencies: []
diff --git a/roles/fdp_update_container_images/tasks/authenticate_registry.yml b/roles/fdp_update_container_images/tasks/authenticate_registry.yml
new file mode 100644
index 0000000000..4646337392
--- /dev/null
+++ b/roles/fdp_update_container_images/tasks/authenticate_registry.yml
@@ -0,0 +1,28 @@
+---
+# Copyright Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- name: Create registry token
+ ansible.builtin.command: oc create token builder -n {{ cifmw_fdp_update_container_images_namespace }}
+ register: _cifmw_fdp_update_container_images_token
+ changed_when: false
+ no_log: true
+
+- name: Authenticate podman with TLS verification
+ containers.podman.podman_login:
+ username: unused
+ password: "{{ _cifmw_fdp_update_container_images_token.stdout }}"
+ registry: "{{ cifmw_fdp_update_container_images_image_registry }}"
+ no_log: true
diff --git a/roles/fdp_update_container_images/tasks/configure_ca_cert.yml b/roles/fdp_update_container_images/tasks/configure_ca_cert.yml
new file mode 100644
index 0000000000..ea3fd29bda
--- /dev/null
+++ b/roles/fdp_update_container_images/tasks/configure_ca_cert.yml
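Review bot: The task is named "Authenticate podman with TLS verification", but `containers.podman.podman_login` is called without `tlsverify`, so whether certificates are checked depends on the host's podman and registries configuration rather than on this role. Adding `tlsverify: true` would make the name accurate. The "Create registry token" command interpolates the namespace into a free-form string; the `argv:` list form would keep an unexpected value from being split into extra arguments. The login is never undone, so the service-account token presumably stays in podman's auth file after the role finishes; a `podman_logout` step during cleanup would close that.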
@@ -0,0 +1,40 @@
+---
+# Copyright Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- name: Get OpenShift ingress CA certificate
+ kubernetes.core.k8s_info:
+ api_version: v1
+ kind: Secret
+ name: router-ca
+ namespace: openshift-ingress-operator
+ register: _cifmw_fdp_update_container_images_ca_secret
+
+- name: Extract CA certificate from secret
+ ansible.builtin.set_fact:
+ _cifmw_fdp_update_container_images_ca_cert_b64:
+ stdout: "{{ _cifmw_fdp_update_container_images_ca_secret.resources[0].data['tls.crt'] }}"
+
+- name: Decode CA certificate
+ ansible.builtin.copy:
+ content: "{{ _cifmw_fdp_update_container_images_ca_cert_b64.stdout | b64decode }}"
+ dest: /etc/pki/ca-trust/source/anchors/openshift-registry-ca.crt
+ mode: '0644'
+ become: true
+
+- name: Update CA trust
+ ansible.builtin.command: update-ca-trust extract
+ become: true
+ changed_when: true
diff --git a/roles/fdp_update_container_images/tasks/detect_registry.yml b/roles/fdp_update_container_images/tasks/detect_registry.yml
new file mode 100644
index 0000000000..70bfe3bcb5
--- /dev/null
+++ b/roles/fdp_update_container_images/tasks/detect_registry.yml
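Review bot: "Decode CA certificate" and "Update CA trust" use `become: true` to install the cluster's ingress router CA into the host-wide trust anchors, which contradicts the README's "Privilege escalation: None". The anchor is never removed, so every TLS client on the host running the play keeps trusting that CA after the job ends. A narrower option is to place the certificate in a per-registry podman certificate directory (for example under `/etc/containers/certs.d/<registry-host>/`). Otherwise, document the escalation and delete the anchor during cleanup. `resources[0]` is also read without first checking that the `router-ca` secret was found, so a missing secret fails with a template error rather than a clear message.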
@@ -0,0 +1,50 @@
+---
+# Copyright Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- name: Enable OpenShift registry route
+ kubernetes.core.k8s:
+ api_version: imageregistry.operator.openshift.io/v1
+ kind: Config
+ name: cluster
+ state: patched
+ definition:
+ spec:
+ defaultRoute: true
+ register: _cifmw_fdp_update_container_images_enable_route
+ failed_when: false
+
+- name: Wait for route
+ ansible.builtin.pause:
+ seconds: 10
+ when: _cifmw_fdp_update_container_images_enable_route is not failed
+
+- name: Get registry route
+ kubernetes.core.k8s_info:
+ api_version: route.openshift.io/v1
+ kind: Route
+ name: default-route
+ namespace: openshift-image-registry
+ register: _cifmw_fdp_update_container_images_route_info
+ failed_when: false
+
+- name: Verify registry URL
+ ansible.builtin.fail:
+ msg: "Failed to determine registry URL. Set cifmw_fdp_update_container_images_image_registry manually."
+ when: (_cifmw_fdp_update_container_images_route_info.resources | length == 0)
+
+- name: Set registry URL
+ ansible.builtin.set_fact:
+ cifmw_fdp_update_container_images_image_registry: "{{ _cifmw_fdp_update_container_images_route_info.resources[0].spec.host }}"
diff --git a/roles/fdp_update_container_images/tasks/fetch_images.yml b/roles/fdp_update_container_images/tasks/fetch_images.yml
new file mode 100644
index 0000000000..b3362efc83
--- /dev/null
+++ b/roles/fdp_update_container_images/tasks/fetch_images.yml
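Review bot: These tasks run unconditionally, so the cluster-wide image registry config is patched to `defaultRoute: true` and `cifmw_fdp_update_container_images_image_registry` is set again even when the caller already supplied a registry. That contradicts the "leave empty to auto-detect" default. Making the internal registry reachable through an external route is a lasting cluster change that the role never reverts, so it should be opt-in, or at least gated with `when: cifmw_fdp_update_container_images_image_registry | length == 0`. `failed_when: false` on both Kubernetes calls also hides permission errors: if the route lookup fails, `resources` may be undefined and the "Verify registry URL" condition would error instead of printing its message. The fixed 10-second pause could be replaced by `retries`/`until` on the route lookup.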
@@ -0,0 +1,38 @@
+---
+# Copyright Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- name: Get OpenStackVersion CR
+ kubernetes.core.k8s_info:
+ api_version: core.openstack.org/v1beta1
+ kind: OpenStackVersion
+ name: "{{ cifmw_fdp_update_container_images_openstack_cr_name }}"
+ namespace: "{{ cifmw_fdp_update_container_images_namespace }}"
+ register: _cifmw_fdp_update_container_images_cr_info
+
+- name: Extract container images
+ ansible.builtin.set_fact:
+ _cifmw_fdp_update_container_images_container_images: "{{ _cifmw_fdp_update_container_images_cr_info.resources[0].status.containerImageVersionDefaults.values() | first | default({}) }}"
+
+- name: Filter images to process
+ ansible.builtin.set_fact:
+ _cifmw_fdp_update_container_images_image_entries: "{{ _cifmw_fdp_update_container_images_container_images | dict2items | selectattr('key', 'in', cifmw_fdp_update_container_images_images_to_scan) | list }}"
+ _cifmw_fdp_update_container_images_modified_images: []
+ _cifmw_fdp_update_container_images_updated_cr_keys: []
+ _cifmw_fdp_update_container_images_processed_images: 0
+
+- name: Display images to process
+ ansible.builtin.debug:
+ msg: "Processing {{ _cifmw_fdp_update_container_images_image_entries | length }} images: {{ _cifmw_fdp_update_container_images_image_entries | map(attribute='key') | list | join(', ') }}"
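Review bot: In "Extract container images", `resources[0]` is indexed without checking that the CR was found, and `default({})` sits after `| first`, so it does not cover an empty `resources` list. A missing or misnamed OpenStackVersion therefore fails with a template error instead of a clear message. An `ansible.builtin.assert` with `_cifmw_fdp_update_container_images_cr_info.resources | length > 0` before the `set_fact` would fix that. `values() | first` also takes whichever entry comes first in `containerImageVersionDefaults`. If the status ever lists more than one version, the base images used for the rebuild may not be the deployed ones, so the intended version should presumably be selected explicitly.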
diff --git a/roles/fdp_update_container_images/tasks/main.yml b/roles/fdp_update_container_images/tasks/main.yml
new file mode 100644
index 0000000000..f3aaec14b1
--- /dev/null
+++ b/roles/fdp_update_container_images/tasks/main.yml
@@ -0,0 +1,78 @@ +--- +# Copyright Red Hat, Inc. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +# ============================================ +# Validate and Initialize +# ============================================ + +- name: Validate parameters and initialize + ansible.builtin.include_tasks: validate.yml + +# ============================================ +# Detect Registry +# ============================================ + +- name: Detect OpenShift registry URL + ansible.builtin.include_tasks: detect_registry.yml + +# ============================================ +# Configure Registry Authentication +# ============================================ + +- name: Configure registry CA certificate + ansible.builtin.include_tasks: configure_ca_cert.yml + +- name: Authenticate with registry + ansible.builtin.include_tasks: authenticate_registry.yml + +# ============================================ +# Fetch Images +# ============================================ + +- name: Fetch images to process + ansible.builtin.include_tasks: fetch_images.yml + +# ============================================ +# Process Each Image +# ============================================ + +- name: Build and push updated images + ansible.builtin.include_tasks: process_image.yml + loop: "{{ _cifmw_fdp_update_container_images_image_entries }}" + loop_control: + loop_var: image_entry + label: "{{ image_entry.key }}" + when: _cifmw_fdp_update_container_images_image_entries | 
length > 0 + +# ============================================ +# Summary +# ============================================ + +- name: Display summary + ansible.builtin.debug: + msg: + - "==========================================" + - "Container image update complete" + - "Target package: {{ cifmw_fdp_update_container_images_target_package }}" + - "Images processed: {{ _cifmw_fdp_update_container_images_processed_images }}" + - "Updated: {{ _cifmw_fdp_update_container_images_updated_cr_keys | join(', ') if _cifmw_fdp_update_container_images_updated_cr_keys | length > 0 else 'None' }}" + - "==========================================" + +- name: Cleanup temporary directory + ansible.builtin.file: + path: "{{ _cifmw_fdp_update_container_images_temp_dir }}" + state: absent + when: _cifmw_fdp_update_container_images_temp_dir is defined diff --git a/roles/fdp_update_container_images/tasks/process_image.yml b/roles/fdp_update_container_images/tasks/process_image.yml new file mode 100644 index 0000000000..54b0173ce3 --- /dev/null +++ b/roles/fdp_update_container_images/tasks/process_image.yml 
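Review bot: "Cleanup temporary directory" is the last task in a flat list, so it only runs when every earlier include succeeds. A failed build, push or CR patch leaves the rendered `.repo` file and Dockerfile on disk, and the registry login from authenticate_registry.yml stays in place. Wrapping the includes in a `block:` with the cleanup under `always:` would make teardown unconditional; a logout step belongs there too. The summary prints "Container image update complete" even when `_cifmw_fdp_update_container_images_image_entries` is empty and nothing was processed, which is easy to misread as success.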
@@ -0,0 +1,67 @@ +--- +# Copyright Red Hat, Inc. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +- name: Create repository file + ansible.builtin.template: + src: repo.j2 + dest: "{{ _cifmw_fdp_update_container_images_temp_dir }}/{{ cifmw_fdp_update_container_images_repo_name }}.repo" + mode: '0644' + +- name: Create Dockerfile + ansible.builtin.template: + src: Dockerfile.j2 + dest: "{{ _cifmw_fdp_update_container_images_temp_dir }}/Dockerfile" + mode: '0644' + vars: + base_image: "{{ image_entry.value }}" + +- name: Generate image paths + ansible.builtin.set_fact: + _cifmw_fdp_update_container_images_new_image_path_external: "{{ cifmw_fdp_update_container_images_image_registry }}/{{ cifmw_fdp_update_container_images_namespace }}/{{ cifmw_fdp_update_container_images_image_name_prefix }}-{{ image_entry.key | lower }}-{{ ansible_date_time.epoch }}" + _cifmw_fdp_update_container_images_new_image_path_internal: "{{ cifmw_fdp_update_container_images_image_registry_internal }}/{{ cifmw_fdp_update_container_images_namespace }}/{{ cifmw_fdp_update_container_images_image_name_prefix }}-{{ image_entry.key | lower }}-{{ ansible_date_time.epoch }}" + +- name: Build and push image + containers.podman.podman_image: + name: "{{ _cifmw_fdp_update_container_images_new_image_path_external }}" + path: "{{ _cifmw_fdp_update_container_images_temp_dir }}" + build: + file: "{{ _cifmw_fdp_update_container_images_temp_dir }}/Dockerfile" + push: true + push_args: + 
dest: "{{ _cifmw_fdp_update_container_images_new_image_path_external }}" + state: build + +- name: Patch OpenStackVersion CR + kubernetes.core.k8s: + state: patched + api_version: core.openstack.org/v1beta1 + kind: OpenStackVersion + name: "{{ cifmw_fdp_update_container_images_openstack_cr_name }}" + namespace: "{{ cifmw_fdp_update_container_images_namespace }}" + definition: + spec: + customContainerImages: + "{{ image_entry.key }}": "{{ _cifmw_fdp_update_container_images_new_image_path_internal }}" + +- name: Update tracking + ansible.builtin.set_fact: + _cifmw_fdp_update_container_images_modified_images: "{{ _cifmw_fdp_update_container_images_modified_images + [image_entry.key ~ ': ' ~ _cifmw_fdp_update_container_images_new_image_path_internal] }}" + _cifmw_fdp_update_container_images_updated_cr_keys: "{{ _cifmw_fdp_update_container_images_updated_cr_keys + [image_entry.key] }}" + _cifmw_fdp_update_container_images_processed_images: "{{ _cifmw_fdp_update_container_images_processed_images | int + 1 }}" + +- name: Display progress + ansible.builtin.debug: + msg: "✓ Updated {{ image_entry.key }} ({{ _cifmw_fdp_update_container_images_processed_images }}/{{ _cifmw_fdp_update_container_images_image_entries | length }})" diff --git a/roles/fdp_update_container_images/tasks/validate.yml b/roles/fdp_update_container_images/tasks/validate.yml new file mode 100644 index 0000000000..061632c224 --- /dev/null +++ b/roles/fdp_update_container_images/tasks/validate.yml 
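Review bot: The generated image paths put the epoch into the repository name and carry no tag, so the image is apparently pushed under the module's default tag and the CR is patched with an untagged, mutable reference. The README, by contrast, promises a "unique tag with timestamp". Setting `tag:` explicitly on `podman_image` and writing the same tag, or preferably the pushed digest, into `customContainerImages` would let the control plane pin exactly what was built. No task here checks that the target package is installed in the base image, although the README describes such a check. Every listed image is therefore rebuilt and patched even when the update is a no-op.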
@@ -0,0 +1,38 @@
+---
+# Copyright Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- name: Validate required parameters
+ ansible.builtin.assert:
+ that:
+ - cifmw_fdp_update_container_images_target_package is defined
+ - cifmw_fdp_update_container_images_target_package | length > 0
+ - cifmw_fdp_update_container_images_repo_baseurl is defined
+ - cifmw_fdp_update_container_images_repo_baseurl | length > 0
+ fail_msg: "Required: cifmw_fdp_update_container_images_target_package and cifmw_fdp_update_container_images_repo_baseurl"
+
+- name: Check oc command is available
+ ansible.builtin.command: oc version --client
+ changed_when: false
+
+- name: Create temporary directory
+ ansible.builtin.tempfile:
+ state: directory
+ prefix: "cifmw_fdp_update_build_"
+ register: _cifmw_fdp_update_container_images_temp_dir_result
+
+- name: Set temporary directory
+ ansible.builtin.set_fact:
+ _cifmw_fdp_update_container_images_temp_dir: "{{ cifmw_fdp_update_container_images_temp_dir if (cifmw_fdp_update_container_images_temp_dir is defined and cifmw_fdp_update_container_images_temp_dir | length > 0) else _cifmw_fdp_update_container_images_temp_dir_result.path }}"
diff --git a/roles/fdp_update_container_images/templates/Dockerfile.j2 b/roles/fdp_update_container_images/templates/Dockerfile.j2
new file mode 100644
index 0000000000..5a844f8eed
--- /dev/null
+++ b/roles/fdp_update_container_images/templates/Dockerfile.j2
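Review bot: "Create temporary directory" always runs, but "Set temporary directory" prefers `cifmw_fdp_update_container_images_temp_dir` when it is non-empty. In that case the freshly created `cifmw_fdp_update_build_*` directory is orphaned, and the cleanup task in tasks/main.yml removes the caller-supplied path with `state: absent`. Gate the tempfile task with `when: cifmw_fdp_update_container_images_temp_dir | default('') | length == 0`, and only delete directories the role created itself. The availability check covers `oc` but not `podman`, which the README also lists as a requirement.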
@@ -0,0 +1,3 @@ +FROM {{ base_image }} +COPY ./{{ cifmw_fdp_update_container_images_repo_name }}.repo /etc/yum.repos.d/ +RUN dnf update -y {{ cifmw_fdp_update_container_images_update_dnf_args }} {{ cifmw_fdp_update_container_images_target_package }}* && dnf clean all diff --git a/roles/fdp_update_container_images/templates/repo.j2 b/roles/fdp_update_container_images/templates/repo.j2 new file mode 100644 index 0000000000..cee92cf1b2 --- /dev/null +++ b/roles/fdp_update_container_images/templates/repo.j2 @@ -0,0 +1,7 @@ +[{{ cifmw_fdp_update_container_images_repo_name }}] +name={{ cifmw_fdp_update_container_images_repo_name }} +baseurl={{ cifmw_fdp_update_container_images_repo_baseurl }} +enabled={{ cifmw_fdp_update_container_images_repo_enabled }} +gpgcheck={{ cifmw_fdp_update_container_images_repo_gpgcheck }} +priority={{ cifmw_fdp_update_container_images_repo_priority }} +sslverify={{ cifmw_fdp_update_container_images_repo_sslverify }} diff --git a/zuul.d/molecule.yaml b/zuul.d/molecule.yaml index 10decae4bd..e1d4e77efc 100644 --- a/zuul.d/molecule.yaml +++ b/zuul.d/molecule.yaml @@ -927,6 +927,15 @@ - ^.config/molecule/.* name: cifmw-molecule-cleanup_openstack parent: cifmw-molecule-noop +- job: + files: + - ^common-requirements.txt + - ^test-requirements.txt + - ^roles/fdp_update_container_images/.* + - ^ci/playbooks/molecule.* + - ^.config/molecule/.* + name: cifmw-molecule-fdp_update_container_images + parent: cifmw-molecule-noop - job: files: - ^common-requirements.txt diff --git a/zuul.d/projects.yaml b/zuul.d/projects.yaml index f68e2c3351..8ca3c251c6 100644 --- a/zuul.d/projects.yaml +++ b/zuul.d/projects.yaml @@ -55,6 +55,7 @@ - cifmw-molecule-edpm_kustomize - cifmw-molecule-edpm_prepare - cifmw-molecule-env_op_images + - cifmw-molecule-fdp_update_container_images - cifmw-molecule-federation - cifmw-molecule-fix_python_encodings - cifmw-molecule-hci_prepare
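Review bot: In the Dockerfile.j2 `RUN` line, `{{ cifmw_fdp_update_container_images_target_package }}*` reaches the shell unquoted, so the shell may expand the glob against files in the working directory before dnf sees it. Any whitespace or shell metacharacter in the package name or in `cifmw_fdp_update_container_images_update_dnf_args` also becomes part of the command. Quoting the package spec as `'{{ cifmw_fdp_update_container_images_target_package }}*'` leaves the matching to dnf. The copied `.repo` file also stays in `/etc/yum.repos.d/` of the final image. With the role defaults rendered by repo.j2 (`gpgcheck=0`, `sslverify=0`), later dnf runs inside that image would keep trusting the unverified repository; removing the file in the same `RUN` step after the update avoids that.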