
add standard catalog / operator playbooks

Grega Bremec 7 bulan lalu
melakukan
a1da65616f

TEMPAT SAMPAH
playbooks/.DS_Store


TEMPAT SAMPAH
playbooks/.ansible.cfg.swp


TEMPAT SAMPAH
playbooks/.inventory.yml.swp


TEMPAT SAMPAH
playbooks/.pre-flight.yml.swp


+ 12 - 0
playbooks/ansible.cfg

@@ -0,0 +1,12 @@
+[defaults]
+# required to evade implicit conversion to string in k8s resource_definition
+jinja2_native = True
+inventory = ./inventory.yml
+remote_user = student
+ask_pass = no
+
+[privilege_escalation]
+become = no
+become_method = sudo
+become_askpass = no
+

+ 26 - 0
playbooks/inventory.yml

@@ -0,0 +1,26 @@
+---
+# A simplistic inventory for the classroom VMs.
+all:
+  hosts:
+    workstation.lab.example.com:
+      ansible_connection: local
+    utility.lab.example.com:
+      ansible_user: lab
+    bastion.lab.example.com:
+      ansible_user: root
+  vars:
+    # OpenShift versions.
+    ocp_maj: "4.14"
+    ocp_z: "4.14.12"
+
+    # Operator that needs to be installed.
+    op_cat: redhat-operators
+    op_pkg: openshift-pipelines-operator-rh
+    op_chn: latest
+    op_nsp: openshift-operators
+    desired_csv: openshift-pipelines-operator-rh.v1.15.1
+
+    # The list of OpenShift clusters check-env will try to connect to.
+    clusters:
+      - ocp4
+...
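Review bot: `bastion.lab.example.com` is set to log in directly as root (`ansible_user: root`), so any task that targets that host runs fully privileged regardless of `become = no` in ansible.cfg. None of the plays or roles shown in this commit target bastion, though some files are not displayed. If nothing needs it, drop the entry until it does. Otherwise use an unprivileged account and request `become: true` only on the tasks that need it.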

+ 16 - 0
playbooks/pre-flight.yml

@@ -0,0 +1,16 @@
+---
+- name: Pre-flight checks only.
+  hosts: workstation.lab.example.com
+  gather_subset: min
+  become: no
+  tasks:
+    - include_role:
+        name: check-env
+      tags: check
+    - include_role:
+        name: fix-operators
+      tags: fix
+    - include_role:
+        name: deploy-operator
+      tags: prep
+...
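Review bot: The play is named "Pre-flight checks only.", yet an untagged run also includes `fix-operators` and `deploy-operator`, whose task files in this commit delete catalog sources, replace the cluster pull secret and create a Subscription. Tags on `include_role` apply only to the include itself, not to the tasks inside the role, so `--tags check` would run the include and then skip everything in it. Switching to `import_role` (or adding `apply: {tags: [...]}`) makes the tags reach the role tasks. Adding the special `never` tag to the two mutating roles, e.g. `tags: [fix, never]`, keeps them opt-in. The three include tasks also have no `name:`.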

TEMPAT SAMPAH
playbooks/roles/.DS_Store


+ 55 - 0
playbooks/roles/check-env/tasks/main.yml

@@ -0,0 +1,55 @@
+---
+# Variables affecting this role:
+#
+#  clusters:
+#   just a simple list of clusters to check
+#
+- name: Make sure kubeconfig is there on utility
+  delegate_to: utility.lab.example.com
+  file:
+    path: /home/lab/{{ item }}/auth/kubeconfig
+    state: file
+  loop: "{{ clusters }}"
+
+- name: Create a temp dir
+  file:
+    path: tmp
+    state: directory
+
+- name: Copy over the kubeconfig
+  delegate_to: utility.lab.example.com
+  fetch:
+    src: /home/lab/{{ item }}/auth/kubeconfig
+    dest: tmp/kubeconfig-{{ item }}
+    flat: yes
+  loop: "{{ clusters }}"
+
+- name: We need some packages to be there
+  become: yes
+  yum:
+    name:
+      - java-17-openjdk-headless
+      - java-17-openjdk-devel
+      - python3-jmespath
+      - python3.11-jmespath
+      - python3-kubernetes
+      - ansible-collection-ansible-posix
+      - ansible-collection-community-general
+    state: latest
+
+#- name: Make sure stuff is in PATH
+#  lineinfile:
+#    path: "{{ ansible_facts['user_dir'] }}/.bashrc"
+#    line: 'PATH="${PATH}:/opt/amq/bin"'
+#    regexp: '^PATH=.*/opt/amq/bin'
+#    insertafter: "^# User specific environment$"
+#    state: present
+#  loop:
+#    - KAFKA_HOME
+
+- name: Verify cluster connectivity
+  kubernetes.core.k8s_cluster_info:
+    kubeconfig: tmp/kubeconfig-{{ item }}
+    validate_certs: no
+  loop: "{{ clusters }}"
+...
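Review bot: The cluster kubeconfig is fetched from utility into a relative `tmp/` directory that is created without a `mode:` and never cleaned up, so the credential stays on the workstation with default-umask permissions; add `mode: "0700"` to the "Create a temp dir" task. `validate_certs: no` on "Verify cluster connectivity", and on every `k8s`/`k8s_info` task in the deploy-operator and fix-operators roles, turns off API server certificate verification while that credential is presented. If the kubeconfig carries the cluster CA, which is not visible here, the option can simply be removed. `state: latest` on the package task makes runs non-reproducible. `flat: yes`, `become: yes` and `validate_certs: no` read better as `true`/`false`.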

+ 123 - 0
playbooks/roles/deploy-operator/tasks/main.yml

@@ -0,0 +1,123 @@
+---
+# Ensures all the operator artifacts are created and waits for CSV to succeed.
+#
+# The following variables must exist:
+#
+#   desired_csv
+#   op_nsp
+#   op_cat
+#   op_pkg
+#   op_chn
+#
+# NOTE: Do NOT test by checking for presence of API resources - they do not always get cleaned up.
+#
+# TODO: Maybe someday fix the JSONPath expression below. And figure out why check for a CSV.
+#- name: Check if the CSV exists already
+#  k8s_info:
+#    kubeconfig: tmp/kubeconfig-ocp4
+#    validate_certs: no
+#    api_version: operators.coreos.com/v1alpha1
+#    kind: clusterserviceversion
+#  register: all_csv
+#
+#- name: Find the wanted CSV among all CSVs
+#  set_fact:
+#    found_csv: "{{ (all_csv | community.general.json_query(\"resources[?metadata.name == \" + desired_csv + \"]\")) }}"
+#  when:
+#    - all_csv.resources is defined
+#    - (all_csv.resources | length) > 0
+#
+#- name: Get details about the CSV if found
+#  set_fact:
+#    csv_ns: "{{ found_csv[0] | community.general.json_query('metadata.namespace') }}"
+#    csv_name: "{{ found_csv[0] | community.general.json_query('metadata.name') }}"
+#  when:
+#    - found_csv is defined
+#    - (found_csv | length) > 0
+
+- name: Make sure the namespace is there
+  k8s:
+    kubeconfig: tmp/kubeconfig-ocp4
+    validate_certs: no
+    api_version: v1
+    kind: namespace
+    name: "{{ op_nsp }}"
+
+# TODO: Finish this at some point.
+#- name: Make sure it has a properly configured OperatorGroup
+#  k8s_info:
+#    kubeconfig: tmp/kubeconfig-ocp4
+#    validate_certs: no
+#    api_version: operators.coreos.com/v1
+#    kind: operatorgroup
+#    namespace: "{{ op_nsp }}"
+#  register: found_opgrp
+
+- name: Also make sure there is a subscription
+  k8s:
+    kubeconfig: tmp/kubeconfig-ocp4
+    validate_certs: no
+    api_version: operators.coreos.com/v1alpha1
+    kind: subscription
+    namespace: "{{ op_nsp }}"
+    name: "{{ op_pkg }}"
+    definition:
+      spec:
+        source: "{{ op_cat }}"
+        sourceNamespace: openshift-marketplace
+        name: "{{ op_pkg }}"
+        channel: "{{ op_chn }}"
+        installPlanApproval: Automatic
+
+# TODO: Finish this at some point.
+#- name: Wait for installPlan to show up
+#  k8s_info:
+#    kubeconfig: tmp/kubeconfig-ocp4
+#    validate_certs: no
+#    api_version: operators.coreos.com/v1alpha1
+#    kind: installplan
+#    namespace: "{{ op_nsp }}"
+#  register: installplan
+#  until:
+#    - installplan.resources is defined
+#    - (installplan.resources | length) > 0
+#    - installplan.resources[0].spec.approved
+#  retries: 12
+#  delay: 10
+
+- name: Wait for CSV to show up and complete
+  k8s_info:
+    kubeconfig: tmp/kubeconfig-ocp4
+    validate_certs: no
+    api_version: operators.coreos.com/v1alpha1
+    kind: clusterserviceversion
+    namespace: "{{ op_nsp }}"
+    name: "{{ desired_csv }}"
+  register: new_csv
+  until:
+    - new_csv.resources is defined
+    - (new_csv.resources | length) > 0
+    - new_csv.resources[0].status is defined
+    - new_csv.resources[0].status.phase == "Succeeded"
+  retries: 30
+  delay: 10
+
+# TODO: Finish this at some point.
+#- name: Finally, wait for the pod
+#  k8s_info:
+#    kubeconfig: tmp/kubeconfig-ocp4
+#    validate_certs: no
+#    api_version: v1
+#    kind: pod
+#    namespace: rhsso
+#    label_selectors:
+#      - name = rhsso-operator
+#  register: sso_pod
+#  until:
+#    - sso_pod.resources is defined
+#    - (sso_pod.resources | length) > 0
+#    - sso_pod.resources[0].status is defined
+#    - sso_pod.resources[0].status.phase == "Running"
+#  retries: 30
+#  delay: 10
+...
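Review bot: The Subscription uses `channel: "{{ op_chn }}"` with `installPlanApproval: Automatic` and no `startingCSV`, while the last task waits for the exact `desired_csv`. The inventory in this commit sets `op_chn: latest` and pins `desired_csv` to v1.15.1, so once the channel head moves past that version OLM installs a different CSV and the wait runs through its 30 retries before failing. Automatic approval also means whatever is published to the channel lands on the cluster unreviewed. Adding `startingCSV: "{{ desired_csv }}"` under `spec` keeps the Subscription and the wait in agreement, and `installPlanApproval: Manual` is the setting to use if upgrades should be gated. Every task hard-codes `tmp/kubeconfig-ocp4` rather than using the `clusters` list, which deserves a comment in the header.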

File diff ditekan karena terlalu besar
+ 6 - 0
playbooks/roles/fix-operators/files/pull-secret.yml


+ 117 - 0
playbooks/roles/fix-operators/tasks/main.yml

@@ -0,0 +1,117 @@
+---
+# Fixes the openshift-marketplace catalogs by recreating them from original images.
+#
+# Needs the following vars from vars/main.yml:
+#
+#   removed_sources the catalog sources we remove
+#   catalog_sources the catalog sources we recreate
+#
+# These should come from inventory:
+#
+#   op_cat          catalog source
+#   op_pkg          operator package name
+#   op_chn          operator channel
+#   desired_csv     csv we look for
+#
+# This is necessary immediately after lab create.
+- name: Wait for the marketplace-operator to be up
+  k8s_info:
+    kubeconfig: tmp/kubeconfig-ocp4
+    validate_certs: no
+    api_version: v1
+    kind: pod
+    namespace: openshift-marketplace
+    label_selectors:
+      - name=marketplace-operator
+  register: mktplc_pod
+  until:
+    - (mktplc_pod.resources | length) == 1
+    - mktplc_pod.resources[0].status.containerStatuses[0].ready
+  retries: 30
+  delay: 10
+
+- name: Make sure the course catalog is not there
+  k8s:
+    kubeconfig: tmp/kubeconfig-ocp4
+    validate_certs: no
+    api_version: operators.coreos.com/v1alpha1
+    kind: catalogsource
+    namespace: openshift-marketplace
+    name: "{{ item }}"
+    state: absent
+  loop: "{{ removed_sources }}"
+
+- name: Make sure the pull secret will do for online sources
+  k8s:
+    kubeconfig: tmp/kubeconfig-ocp4
+    validate_certs: no
+    api_version: v1
+    kind: secret
+    namespace: openshift-config
+    name: pull-secret
+    state: present
+    definition: "{{ lookup('file', 'files/pull-secret.yml') | from_yaml }}"
+
+- name: Ensure the standard catalog sources are there
+  k8s:
+    kubeconfig: tmp/kubeconfig-ocp4
+    validate_certs: no
+    api_version: operators.coreos.com/v1alpha1
+    kind: catalogsource
+    namespace: openshift-marketplace
+    name: "{{ item.name }}"
+    state: present
+    definition:
+      spec:
+        displayName: "{{ item.displ }}"
+        image: "{{ item.image }}"
+        publisher: "Red Hat"
+        sourceType: "grpc"
+  loop: "{{ catalog_sources }}"
+  loop_control:
+    label: "{{ item.displ }}"
+
+- name: Wait for the catalogsources to be ready.
+  k8s_info:
+    kubeconfig: tmp/kubeconfig-ocp4
+    validate_certs: no
+    api_version: operators.coreos.com/v1alpha1
+    kind: catalogsource
+    namespace: openshift-marketplace
+    name: "{{ item.name }}"
+  register: cat_stat
+  until:
+    - (cat_stat.resources | length) == 1
+    - cat_stat.resources[0].status is defined
+    - cat_stat.resources[0].status.connectionState.lastObservedState == "READY"
+  retries: 30
+  delay: 10
+  loop: "{{ catalog_sources }}"
+  loop_control:
+    label: "{{ item.displ }}"
+
+- name: Wait for the operator packagemanifest to appear.
+  k8s_info:
+    kubeconfig: tmp/kubeconfig-ocp4
+    validate_certs: no
+    api_version: packages.operators.coreos.com/v1
+    kind: packagemanifest
+    namespace: openshift-marketplace
+    name: "{{ op_pkg }}"
+  register: op_mft
+  until:
+    - (op_mft.resources | length) == 1
+    - op_mft.resources[0].status.catalogSource == op_cat
+    - op_mft.resources[0].status.packageName == op_pkg
+  retries: 60
+  delay: 10
+
+- assert:
+    that:
+      - op_mft.resources is defined
+      - (op_mft.resources | length) > 0
+      - op_mft.resources[0].status.catalogSource == op_cat
+      - 'desired_csv in (op_mft.resources[0] | community.general.json_query("status.channels[*].currentCSV") | list)'
+    fail_msg: "ERROR: {{ op_pkg }} package manifest not deployed correctly."
+    success_msg: "OK: {{ op_pkg }} package manifest configured correctly."
+...
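Review bot: "Make sure the pull secret will do for online sources" loads its Secret from `files/pull-secret.yml`, which this commit adds to the repository. Its diff is suppressed as too large, so it appears to hold real registry credentials, readable by anyone with access to the repo or its history. Keep that file out of version control or encrypt it with ansible-vault, and add `no_log: true` to the task so the definition is not echoed in task output. The task also replaces the cluster-wide `pull-secret` in `openshift-config` rather than merging with what is there, which is worth a comment. The closing `assert` task has no `name:`.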

+ 17 - 0
playbooks/roles/fix-operators/vars/main.yml

@@ -0,0 +1,17 @@
+---
+removed_sources:
+  - do280-catalog
+  - do280-catalog-cs
+  - do288-catalog-cs
+  - do380-catalog-cs
+catalog_sources:
+  - name: redhat-operators
+    displ: Red Hat Operators
+    image: registry.redhat.io/redhat/redhat-operator-index:v{{ ocp_maj }}
+  - name: certified-operators
+    displ: Certified Operators
+    image: registry.redhat.io/redhat/certified-operator-index:v{{ ocp_maj }}
+  - name: community-operators
+    displ: Community Operators
+    image: registry.redhat.io/redhat/community-operator-index:v{{ ocp_maj }}
+...

Beberapa file tidak ditampilkan karena terlalu banyak file yang berubah dalam diff ini