rht
/
sso-playbooks


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245
							---
# Fixes the openshift-marketplace catalog by recreating it from a new image minus rhsso-operator.
# After that, adds a new catalogsource containing the correct rhsso-operator package.
#
# References:
#   https://docs.openshift.com/container-platform/4.11/operators/admin/olm-restricted-networks.html
#   https://docs.openshift.com/container-platform/4.11/operators/admin/olm-managing-custom-catalogs.html
#   https://access.redhat.com/documentation/en-us/openshift_container_platform/4.9/html/cli_tools/opm-cli
#
# Prep Cheat-sheet:
#
# 1. Get rid of rhsso-operator in the do280-catalog:
#
#   - get a list of existing packages in the do280-catalog
#
#       oc port-forward do280-catalog-foobar 50051:50051
#       grpcurl -plaintext localhost:50051 api.Registry/ListPackages > do280-packages.json
#
#   - remove rhsso-operator from do280-operator-catalog and push create a new image
#
#       opm index prune --from-index quay.io/redhattraining/do280-operator-catalog:v4.10 --tag quay.io/rhtuser/do280-catalog-nosso:v4.10 -p $(grep name do280-packages.json | sed 's/^.*name": "//; s/"$//' | grep -v rhsso-operator | tr '\n' ',' | sed 's/,$//')
#
#   - push the new image up (AUTHENTICATION!)
#
#       podman push quay.io/rhtuser/do280-catalog-nosso:v4.10
#
# 2. Get the latest version of rhsso-operator:
#
#   - take the original operator index (latest version) and prune it of everything but rhsso-operator
#
#       opm index prune --from-index registry.redhat.io/redhat/redhat-operator-index:v4.10 --tag quay.io/rhtuser/do280-sso-operator:v4.10 -p rhsso-operator
#
#   - push the image (AUTHENTICATION!)
#
#       podman push quay.io/rhtuser/do280-sso-operator:v4.10
#
# NOTE: quay.io robot account rhtuser+rhsso must have read access to the above two images.
#         (creds in vars/main.yml)
#
# NOTE: Everything up until here has already been done and only needs to be done once.
#
# This is necessary immediately after lab create.
- name: Wait for the marketplace-operator to be up
  k8s_info:
    kubeconfig: tmp/kubeconfig-ocp4
    validate_certs: no
    api_version: v1
    kind: pod
    namespace: openshift-marketplace
    label_selectors:
      - name=marketplace-operator
  register: mktplc_pod
  until:
    - (mktplc_pod.resources | length) == 1
    - mktplc_pod.resources[0].status.containerStatuses[0].ready
  retries: 30
  delay: 10

- name: Get info about the SSO catalog secret
  k8s_info:
    kubeconfig: tmp/kubeconfig-ocp4
    validate_certs: no
    api_version: v1
    kind: secret
    namespace: openshift-marketplace
    name: catalogsecret
  register: sso_sec

- name: Get rid of the secret if anything is wrong with it
  k8s:
    kubeconfig: tmp/kubeconfig-ocp4
    validate_certs: no
    state: absent
    api_version: v1
    kind: secret
    namespace: openshift-marketplace
    name: catalogsecret
  register: sso_sec_removed
  when:
    - sso_sec.resources is defined
    - (sso_sec.resources | length) == 1
    - |-
      (sso_sec.resources[0].data[".dockerconfigjson"] is not defined) or
      (sso_sec.resources[0].type != "kubernetes.io/dockerconfigjson")

# NOTE: dot-keys aren't welcome for some dumb reason. Must use imperative command here.
- name: Create a secret to access the catalog image if not yet there
  #k8s:
  #  kubeconfig: tmp/kubeconfig-ocp4
  #  validate_certs: no
  #  state: present
  #  api_version: v1
  #  kind: secret
  #  namespace: openshift-marketplace
  #  name: catalogsecret
  #  definition:
  #    type: "kubernetes.io/dockerconfigjson"
  #    data:
  #      .dockerconfigjson: "{{ sso_secret | string | b64encode }}"
  command: oc --kubeconfig=tmp/kubeconfig-ocp4 -n openshift-marketplace create secret docker-registry catalogsecret --docker-server=quay.io --docker-username={{ robot_username }} --docker-password={{ robot_token }}
  when: |-
    sso_sec_removed.changed or
    (sso_sec.resources is not defined) or
    ((sso_sec.resources | length) == 0) or
    (sso_sec.resources[0].data[".dockerconfigjson"] is not defined)

- name: Get info about the rhsso-operator
  k8s_info:
    kubeconfig: tmp/kubeconfig-ocp4
    validate_certs: no
    api_version: packages.operators.coreos.com/v1
    kind: packagemanifest
    namespace: openshift-marketplace
    name: rhsso-operator
  register: sso_mft

- name: Get info from the do280-catalog source
  k8s_info:
    kubeconfig: tmp/kubeconfig-ocp4
    validate_certs: no
    api_version: operators.coreos.com/v1alpha1
    kind: catalogsource
    namespace: openshift-marketplace
    name: do280-catalog
  register: op_catalog

# TODO: remove the catalogsource also if the pod is older than the secret
- name: Remove existing catalogsource from openshift-marketplace if rhsso-operator belongs to it
  k8s:
    kubeconfig: tmp/kubeconfig-ocp4
    validate_certs: no
    api_version: operators.coreos.com/v1alpha1
    kind: catalogsource
    namespace: openshift-marketplace
    name: do280-catalog
    state: absent
  when: |-
    (sso_mft.resources is defined and
      (sso_mft.resources | length) > 0 and
      sso_mft.resources[0].status.catalogSource == "do280-catalog")
    or
      (op_catalog.resources is defined and
      (op_catalog.resources | length) > 0 and
      ((op_catalog.resources[0].spec.image != "{{ catalog_main_image }}") or
        (op_catalog.resources[0].spec.secrets is not defined) or
        (op_catalog.resources[0].spec.secrets != ["catalogsecret"])))

- name: Make certain the "standard" catalog source is updated
  k8s:
    kubeconfig: tmp/kubeconfig-ocp4
    validate_certs: no
    api_version: operators.coreos.com/v1alpha1
    kind: catalogsource
    namespace: openshift-marketplace
    name: do280-catalog
    state: present
    definition:
      spec:
        displayName: "do280 Operator Catalog"
        image: "{{ catalog_main_image }}"
        publisher: "Red Hat"
        secrets:
          - "catalogsecret"
        sourceType: "grpc"
  register: op_catalog_modified

- debug: var=op_catalog_modified

- name: Ensure the RHSSO catalog source is there as well
  k8s:
    kubeconfig: tmp/kubeconfig-ocp4
    validate_certs: no
    api_version: operators.coreos.com/v1alpha1
    kind: catalogsource
    namespace: openshift-marketplace
    name: do280-sso
    state: present
    definition:
      spec:
        displayName: "do280 SSO Catalog"
        image: "{{ catalog_sso_image }}"
        publisher: "Red Hat"
        secrets:
          - "catalogsecret"
        sourceType: "grpc"

- name: Wait for things to settle down a bit for do280-catalog
  pause:
    seconds: 10
    prompt: "Waiting for marketplace operator to settle down."
  when: op_catalog_modified.changed

- name: Delete the do280-catalog pod if CS was modified
  k8s:
    kubeconfig: tmp/kubeconfig-ocp4
    validate_certs: no
    api_version: v1
    kind: pod
    namespace: openshift-marketplace
    label_selectors:
      - olm.catalogSource=do280-catalog
    state: absent
  when: op_catalog_modified.changed

- name: Wait for the catalogsource to be ready.
  k8s_info:
    kubeconfig: tmp/kubeconfig-ocp4
    validate_certs: no
    api_version: operators.coreos.com/v1alpha1
    kind: catalogsource
    namespace: openshift-marketplace
    name: do280-sso
  register: sso_cat
  until:
    - (sso_cat.resources | length) == 1
    - sso_cat.resources[0].status is defined
    - sso_cat.resources[0].status.connectionState.lastObservedState == "READY"
  retries: 30
  delay: 10

- name: Wait for the rhsso-operator packagemanifest to appear.
  k8s_info:
    kubeconfig: tmp/kubeconfig-ocp4
    validate_certs: no
    api_version: packages.operators.coreos.com/v1
    kind: packagemanifest
    namespace: openshift-marketplace
    name: rhsso-operator
  register: sso_mft
  until:
    - (sso_mft.resources | length) == 1
    - sso_mft.resources[0].status.catalogSource == "do280-sso"
    - sso_mft.resources[0].status.packageName == "rhsso-operator"
  retries: 30
  delay: 10

- assert:
    that:
      - sso_mft.resources is defined
      - (sso_mft.resources | length) > 0
      - sso_mft.resources[0].status.catalogSource == "do280-sso"
      - '"rhsso-operator.7.6.0-opr-003" in (sso_mft.resources[0] | community.general.json_query("status.channels[*].currentCSV") | list)'
    fail_msg: "ERROR: rhsso-operator package manifest not deployed correctly."
    success_msg: "OK: rhsso-operator package manifest configured correctly."
...