Upgrade OCP and Tkn CLI tools to match cluster version + cluster config

.github/workflows/build-and-test.yml

@@ -134,7 +134,7 @@ jobs:
             ansible/vaults/integration-tests/ci-pipeline-github-ssh-key
 
       - name: Run the integration tests ansible playbook
-        uses: dawidd6/action-ansible-playbook@3363d6aa333ecb41ef01579bc5eb4412b3d6802f # v5
+        uses: dawidd6/action-ansible-playbook@e8303e5fa5b52015d59fd5bc8c968943bd5f349c # v6
         with:
           playbook: playbooks/operator-pipeline-integration-tests.yml
           directory: ./ansible

.github/workflows/deploy.yml

@@ -21,11 +21,36 @@ jobs:
         run: |
           echo "short_sha=${GITHUB_SHA::7}" >> $GITHUB_OUTPUT
 
-  deploy-dev:
+  configure-stage-cluster:
     runs-on: ubuntu-latest
     if: ${{ github.event.workflow_run.conclusion == 'success' || github.event_name == 'workflow_dispatch' }}
     needs:
       - prepare-env
+    steps:
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - name: Install dependencies
+        run: |
+          # Install python packages needed from ansible
+          pipx inject ansible-core jmespath openshift pygithub
+      - name: Configure stage cluster
+        uses: dawidd6/action-ansible-playbook@e8303e5fa5b52015d59fd5bc8c968943bd5f349c # v6
+        with:
+          playbook: playbooks/config-ocp-cluster.yml
+          directory: ./ansible
+          requirements: playbooks/requirements.yml
+          vault_password: ${{secrets.VAULT_PASSWORD}}
+          options: |
+            --inventory ./inventory/clusters
+            --extra-vars "clusters=stage-cluster"
+            --extra-vars "env=stage"
+            --extra-vars "ansible_python_interpreter=/opt/pipx/venvs/ansible-core/bin/python3"
+            --verbose
+
+  deploy-dev:
+    runs-on: ubuntu-latest
+    needs:
+      - prepare-env
+      - configure-stage-cluster
     environment:
       name: dev
     env:
@@ -37,7 +62,7 @@ jobs:
           # Install python packages needed from ansible
           pipx inject ansible-core jmespath openshift pygithub
       - name: Deploy dev environment
-        uses: dawidd6/action-ansible-playbook@3363d6aa333ecb41ef01579bc5eb4412b3d6802f # v5
+        uses: dawidd6/action-ansible-playbook@e8303e5fa5b52015d59fd5bc8c968943bd5f349c # v6
         with:
           playbook: playbooks/deploy.yml
           directory: ./ansible
@@ -53,9 +78,9 @@ jobs:
 
   deploy-qa:
     runs-on: ubuntu-latest
-    if: ${{ github.event.workflow_run.conclusion == 'success' || github.event_name == 'workflow_dispatch' }}
     needs:
       - prepare-env
+      - configure-stage-cluster
     environment:
       name: qa
     env:
@@ -67,7 +92,7 @@ jobs:
           # Install python packages needed from ansible
           pipx inject ansible-core jmespath openshift pygithub
       - name: Deploy qa environment
-        uses: dawidd6/action-ansible-playbook@3363d6aa333ecb41ef01579bc5eb4412b3d6802f # v5
+        uses: dawidd6/action-ansible-playbook@e8303e5fa5b52015d59fd5bc8c968943bd5f349c # v6
         with:
           playbook: playbooks/deploy.yml
           directory: ./ansible
@@ -89,6 +114,7 @@ jobs:
       SHORT_SHA: ${{needs.prepare-env.outputs.short_sha}}
     needs:
       - prepare-env
+      - configure-stage-cluster
       - deploy-qa
       - deploy-dev
     steps:
@@ -97,8 +123,9 @@ jobs:
         run: |
           # Install python packages needed from ansible
           pipx inject ansible-core jmespath openshift pygithub
+
       - name: Deploy stage environment
-        uses: dawidd6/action-ansible-playbook@3363d6aa333ecb41ef01579bc5eb4412b3d6802f # v5
+        uses: dawidd6/action-ansible-playbook@e8303e5fa5b52015d59fd5bc8c968943bd5f349c # v6
         with:
           playbook: playbooks/deploy.yml
           directory: ./ansible
@@ -112,6 +139,33 @@ jobs:
             --skip-tags ci,import-index-images
             --verbose
 
+  configure-prod-cluster:
+    runs-on: ubuntu-latest
+    needs:
+      - prepare-env
+      - deploy-stage
+    environment:
+      name: prod
+    steps:
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - name: Install dependencies
+        run: |
+          # Install python packages needed from ansible
+          pipx inject ansible-core jmespath openshift pygithub
+      - name: Configure prod cluster
+        uses: dawidd6/action-ansible-playbook@e8303e5fa5b52015d59fd5bc8c968943bd5f349c # v6
+        with:
+          playbook: playbooks/config-ocp-cluster.yml
+          directory: ./ansible
+          requirements: playbooks/requirements.yml
+          vault_password: ${{secrets.VAULT_PASSWORD_PROD}}
+          options: |
+            --inventory ./inventory/clusters
+            --extra-vars "clusters=prod-cluster"
+            --extra-vars "env=prod"
+            --extra-vars "ansible_python_interpreter=/opt/pipx/venvs/ansible-core/bin/python3"
+            --verbose
+
   deploy-prod:
     runs-on: ubuntu-latest
     environment:
@@ -120,15 +174,15 @@ jobs:
       SHORT_SHA: ${{needs.prepare-env.outputs.short_sha}}
     needs:
       - prepare-env
-      - deploy-stage
+      - configure-prod-cluster
     steps:
       - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
       - name: Install dependencies
         run: |
           # Install python packages needed from ansible
           pipx inject ansible-core jmespath openshift pygithub
       - name: Deploy prod environment
-        uses: dawidd6/action-ansible-playbook@3363d6aa333ecb41ef01579bc5eb4412b3d6802f # v5
+        uses: dawidd6/action-ansible-playbook@e8303e5fa5b52015d59fd5bc8c968943bd5f349c # v6
         with:
           playbook: playbooks/deploy.yml
           directory: ./ansible

Makefile

@@ -11,6 +11,25 @@ PIPELINE_IMAGE ?= $(PIPELINE_IMAGE_REPO):$(TAG)
 OPERATOR_VERSION_RELEASE ?= 1-1
 OPERATOR_VERSION ?= 0.1.$(OPERATOR_VERSION_RELEASE)
 
+
+.PHONY: configure-stage-cluster
+configure-stage-cluster:
+	@echo "Configuring stage cluster..."
+	ansible-playbook \
+		ansible/playbooks/config-ocp-cluster.yml \
+		-e clusters=stage-cluster \
+		-i ansible/inventory/clusters \
+		--vault-password-file ansible/vault-password
+
+.PHONY: configure-prod-cluster
+configure-prod-cluster:
+	@echo "Configuring prod cluster..."
+	ansible-playbook \
+		ansible/playbooks/config-ocp-cluster.yml \
+		-e clusters=prod-cluster \
+		-i ansible/inventory/clusters \
+		--vault-password-file ansible/vault-password-prod
+
 .PHONY: build-and-deploy-playground
 build-and-deploy-playground:
 	@echo "Building and deploying playground..."

ansible/inventory/group_vars/operator-pipeline-integration-tests-isv-fbc-catalog.yml

@@ -11,5 +11,5 @@ integration_tests_pr_title: "Catalog update {{ integration_tests_operator_packag
 
 # To avoid conflicts with the non-fbc tests, we use a different range
 # and keep the version N-1
-integration_tests_ocp_versions_range: "=v4.17"
-integration_tests_catalog_versions: "v4.17"
+integration_tests_ocp_versions_range: "=v4.19"
+integration_tests_catalog_versions: "v4.19"

ansible/inventory/group_vars/operator-pipeline-integration-tests.yml

@@ -26,7 +26,7 @@ integration_tests_src_operator_bundle_version: 0.0.8
 
 # This version needs to be alligned with the cluster version in order
 # to pass integration tests
-integration_tests_ocp_versions_range: "=v4.18"
+integration_tests_ocp_versions_range: "=v4.20"
 
 integration_tests_fbc_catalog: false
 integration_tests_verify_bundle_in_catalog: true

ansible/inventory/host_vars/crc-cluster.yml

@@ -1,4 +1,5 @@
 ---
+env: stage
 ocp_host: https://api.crc.testing:6443
 pipelines_metrics_endpoint: http://pipeline-metrics.pipeline-metrics-nonprod
 

ansible/inventory/host_vars/prod-cluster.yml

@@ -1,4 +1,5 @@
 ---
+env: prod
 ocp_host: https://api.pipelines-prod.ijdb.p1.openshiftapps.com:6443
 pipelines_metrics_endpoint: http://pipeline-metrics.pipeline-metrics-prod
 

ansible/inventory/host_vars/stage-cluster.yml

@@ -1,6 +1,8 @@
 ---
+env: stage
 ocp_host: https://api.pipelines-stage.0ce8.p1.openshiftapps.com:6443
 pipelines_metrics_endpoint: http://pipeline-metrics.pipeline-metrics-nonprod
 
 config_ocp_cluster_chat_enabled: false
 config_ocp_cluster_metrics_enabled: true
+config_ocp_cluster_summary_bot_enabled: false

ansible/playbooks/config-ocp-cluster.yml

@@ -4,7 +4,8 @@
   roles:
     - name: config_ocp_cluster
   vars_files:
-    - ../vaults/config-ocp-cluster/secret-vars.yml
+    - "../vaults/config-ocp-cluster/{{ env }}/secret-vars.yml"
+    - "../vaults/{{ env }}/ocp-token.yml"
   environment:
     K8S_AUTH_API_KEY: "{{ ocp_token }}"
     K8S_AUTH_HOST: "{{ ocp_host }}"

ansible/roles/config_ocp_cluster/tasks/chat-trigger.yml

@@ -9,7 +9,7 @@
         apply: true
         validate_certs: "{{ k8s_validate_certs }}"
         namespace: "{{ pipelinerun_listener_namespace }}"
-        definition: "{{ lookup('file', '{{ item }}') }}"
+        definition: "{{ lookup('file', item) }}"
       with_fileglob:
         - ../files/tasks/*
 

ansible/roles/config_ocp_cluster/tasks/main.yml

@@ -5,7 +5,7 @@
   kubernetes.core.k8s:
     state: present
     validate_certs: "{{ k8s_validate_certs }}"
-    definition: "{{ lookup('file', '{{ item }}') }}"
+    definition: "{{ lookup('file', item) }}"
   with_items:
     - ../files/tektonconfig.yml
 

ansible/roles/config_ocp_cluster/tasks/metrics-trigger.yml

@@ -8,7 +8,7 @@
         namespace: "{{ pipelinerun_listener_namespace }}"
         state: present
         validate_certs: "{{ k8s_validate_certs }}"
-        definition: "{{ lookup('file', '{{ item }}') }}"
+        definition: "{{ lookup('file', item) }}"
       with_items:
         - ../templates/openshift/update-metrics.yml
         - ../templates/openshift/metrics-pipeline.yml

ansible/roles/config_ocp_cluster/tasks/pipelinerun-listener.yml

@@ -80,6 +80,7 @@
           apiVersion: v1
           kind: ConfigMap
           metadata:
-            name: config-defaults
+            name: config-events
           data:
-            default-cloud-events-sink: "http://el-pipelinerun-listener.{{ pipelinerun_listener_namespace }}.svc.cluster.local:8080"
+            formats: tektonv1
+            sink: "http://el-pipelinerun-listener.{{ pipelinerun_listener_namespace }}.svc.cluster.local:8080"

ansible/roles/config_ocp_cluster/templates/openshift/metrics-pipeline.yml

@@ -10,7 +10,7 @@ spec:
       default: "registry.access.redhat.com/ubi8-minimal@sha256:54ef2173bba7384dc7609e8affbae1c36f8a3ec137cacc0866116d65dd4b9afe"
     - name: tkn_image
       description: Tekton CLI image
-      default: registry.redhat.io/openshift-pipelines/pipelines-cli-tkn-rhel8@sha256:d966a46ceac30b702791be4c1278ae316896119521d3007da8a6f2303671d577
+      default: registry.redhat.io/openshift-pipelines/pipelines-cli-tkn-rhel9@sha256:dccbf3d518cb06e4ad170e6a46ccf4f4c0a1ccca523f1520c97897a04edf4254
     - name: metrics_endpoint
       description: |
         A metrics collector route.

ansible/roles/config_ocp_cluster/templates/openshift/update-metrics.yml

@@ -17,7 +17,7 @@ spec:
       default: "registry.access.redhat.com/ubi8-minimal@sha256:54ef2173bba7384dc7609e8affbae1c36f8a3ec137cacc0866116d65dd4b9afe"
     - name: tkn_image
       description: Tekton CLI image
-      default: registry.redhat.io/openshift-pipelines/pipelines-cli-tkn-rhel8@sha256:d966a46ceac30b702791be4c1278ae316896119521d3007da8a6f2303671d577
+      default: registry.redhat.io/openshift-pipelines/pipelines-cli-tkn-rhel9@sha256:dccbf3d518cb06e4ad170e6a46ccf4f4c0a1ccca523f1520c97897a04edf4254
     - name: metrics_url
       description: |
         A metrics collector route.

ansible/roles/index_signature_verification/tasks/main.yml

@@ -16,7 +16,7 @@
     apply: true
     validate_certs: "{{ k8s_validate_certs }}"
     namespace: "{{ k8s_namespace }}"
-    definition: "{{ lookup('file', '{{ item }}') }}"
+    definition: "{{ lookup('file', item) }}"
   with_fileglob:
     - ../files/configmaps/*
 
@@ -26,7 +26,7 @@
     apply: true
     validate_certs: "{{ k8s_validate_certs }}"
     namespace: "{{ k8s_namespace }}"
-    definition: "{{ lookup('file', '{{ item }}') }}"
+    definition: "{{ lookup('file', item) }}"
   with_fileglob:
     - ../files/tasks/*
 
@@ -36,7 +36,7 @@
     apply: true
     validate_certs: "{{ k8s_validate_certs }}"
     namespace: "{{ k8s_namespace }}"
-    definition: "{{ lookup('file', '{{ item }}') }}"
+    definition: "{{ lookup('file', item) }}"
   with_fileglob:
     - ../files/pipelines/*
 

ansible/roles/integration_tests/tasks/tools.yml

@@ -10,7 +10,7 @@
 
     - name: Download and extract the tkn binary
       ansible.builtin.unarchive:
-        src: https://mirror.openshift.com/pub/openshift-v4/clients/pipelines/1.18.0/tkn-linux-amd64.tar.gz
+        src: https://mirror.openshift.com/pub/openshift-v4/clients/pipelines/1.20.0/tkn-linux-amd64.tar.gz
         dest: "{{ integration_tests_temp_tools_dir.path }}"
         remote_src: true
         include:

ansible/roles/operator-pipeline/tasks/index-img-bootstrap-signing.yml

@@ -115,7 +115,7 @@
     state: present
     apply: true
     namespace: "{{ oc_index_bootstrap_namespace }}"
-    definition: "{{ lookup('template', '{{ item }}') }}"
+    definition: "{{ lookup('template', item) }}"
   with_items:
     - ../templates/openshift/tasks/set-env.yml
     - ../templates/openshift/tasks/index-signing-image-check.yml
@@ -129,6 +129,6 @@
     state: present
     apply: true
     namespace: "{{ oc_index_bootstrap_namespace }}"
-    definition: "{{ lookup('template', '{{ item }}') }}"
+    definition: "{{ lookup('template', item) }}"
   with_items:
     - ../templates/openshift/pipelines/index-img-bootstrap-signing-pipeline.yml

ansible/roles/operator-pipeline/tasks/index-img-signing.yml

@@ -23,7 +23,7 @@
     state: present
     apply: true
     namespace: "{{ oc_signing_namespace }}"
-    definition: "{{ lookup('template', '{{ item }}') }}"
+    definition: "{{ lookup('template', item) }}"
   with_items:
     - ../templates/openshift/tasks/set-env.yml
 
@@ -35,6 +35,6 @@
     state: present
     apply: true
     namespace: "{{ oc_signing_namespace }}"
-    definition: "{{ lookup('template', '{{ item }}') }}"
+    definition: "{{ lookup('template', item) }}"
   with_items:
     - ../templates/openshift/pipelines/index-img-signing-pipeline.yml

ansible/roles/operator-pipeline/tasks/main.yml

@@ -16,7 +16,7 @@
   kubernetes.core.k8s:
     state: present
     apply: true
-    definition: "{{ lookup('template', '{{ item }}') }}"
+    definition: "{{ lookup('template', item) }}"
   with_items:
     - ../templates/openshift/openshift-pipelines-custom-scc.yml
     - ../templates/openshift/openshift-pipeline-sa-scc-role.yml
@@ -29,7 +29,7 @@
     state: present
     apply: true
     namespace: "{{ oc_namespace }}"
-    definition: "{{ lookup('template', '{{ item }}') }}"
+    definition: "{{ lookup('template', item) }}"
   with_fileglob:
     - ../templates/openshift/tasks/*
 
@@ -40,7 +40,7 @@
     state: present
     apply: true
     namespace: "{{ oc_namespace }}"
-    definition: "{{ lookup('template', '{{ item }}') }}"
+    definition: "{{ lookup('template', item) }}"
   with_items:
     - ../templates/openshift/pipelines/operator-hosted-pipeline.yml
     - ../templates/openshift/pipelines/operator-release-pipeline.yml
@@ -52,7 +52,7 @@
     state: present
     apply: true
     namespace: "{{ oc_namespace }}"
-    definition: "{{ lookup('template', '{{ item }}') }}"
+    definition: "{{ lookup('template', item) }}"
   with_items:
     - ../templates/openshift/pipelines/operator-ci-pipeline.yml