diff --git a/playbooks/06-deploy-architecture.yml b/playbooks/06-deploy-architecture.yml index 38e2907b8b..711acaff7c 100644 --- a/playbooks/06-deploy-architecture.yml +++ b/playbooks/06-deploy-architecture.yml @@ -163,6 +163,43 @@ msg: >- Error detected. Check debugging output above. + - name: Extract registry credentials from OpenShift pull-secret + tags: + - always + when: + - cifmw_sync_pullsecret_credentials | default(true) | bool + block: + - name: Extract credentials for each configured registry + loop: "{{ cifmw_reproducer_registry_list | default(['registry.stage.redhat.io']) }}" + loop_control: + loop_var: registry + ansible.builtin.include_role: + name: edpm_pullsecret_sync + vars: + cifmw_edpm_pullsecret_sync_registry: "{{ registry }}" + cifmw_edpm_pullsecret_sync_fact_name: "cifmw_reproducer_registry_{{ registry | replace('.', '_') | replace('-', '_') }}_creds" + + - name: Build registry credentials dictionary for templates + ansible.builtin.set_fact: + cifmw_ci_gen_kustomize_values_registry_logins: >- + {%- set result = {} -%} + {%- for registry in (cifmw_reproducer_registry_list | default(['registry.stage.redhat.io'])) -%} + {%- set fact_name = 'cifmw_reproducer_registry_' + (registry | replace('.', '_') | replace('-', '_')) + '_creds_dict' -%} + {%- if vars[fact_name] is defined -%} + {%- set _ = result.update({registry: vars[fact_name]}) -%} + {%- endif -%} + {%- endfor -%} + {{ result }} + + - name: Log extracted registry credentials + ansible.builtin.debug: + msg: "Registry credentials extracted for: {{ cifmw_ci_gen_kustomize_values_registry_logins.keys() | list }}" + + rescue: + - name: Log pull-secret extraction failure + ansible.builtin.debug: + msg: "Failed to extract credentials from pull-secret, templates will not include registry credentials" + - name: Set cifmw_architecture_automation_file if not set before when: cifmw_architecture_automation_file is not defined ansible.builtin.set_fact: 
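Review bot: The `Build registry credentials dictionary for templates` task stores registry usernames and passwords with `set_fact` but carries no `no_log`, so the full credentials dictionary is printed in the task result whenever the playbook runs with `-v` or with a callback that dumps results. Add `no_log: true` to that task. The `include_role` loop over `edpm_pullsecret_sync` needs the same check inside the role, which is not visible here. The closing debug task prints only the registry names, which is fine. Separately, the `rescue` reduces any failure in the block to a debug message, so a broken pull-secret sync would probably surface only later as failed image pulls on the nodes.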
diff --git a/roles/ci_gen_kustomize_values/templates/common/edpm-nodeset-values/values.yaml.j2 b/roles/ci_gen_kustomize_values/templates/common/edpm-nodeset-values/values.yaml.j2 index b0110b530b..ee84958f1c 100644 --- a/roles/ci_gen_kustomize_values/templates/common/edpm-nodeset-values/values.yaml.j2 +++ b/roles/ci_gen_kustomize_values/templates/common/edpm-nodeset-values/values.yaml.j2 @@ -43,6 +43,28 @@ data: - "{{ range }}" {% endfor %} {% endif %} +{% set _original_ansible_vars = (_original_nodeset.ansible | default({})).ansibleVars | default({}) %} +{% set _original_bootstrap = _original_ansible_vars.edpm_bootstrap_command | default('') %} +{% set _needs_policy_json = cifmw_ci_gen_kustomize_values_add_policy_json | default(true) | bool and 'policy.json' not in _original_bootstrap %} +{% if _needs_policy_json or _original_bootstrap %} + edpm_bootstrap_command: | +{% if _original_bootstrap %} + {{ _original_bootstrap }} + +{% endif %} +{% if _needs_policy_json %} + mkdir -p /root/.config/containers/ && echo '{"default":[{"type":"insecureAcceptAnything"}]}' > /root/.config/containers/policy.json +{% endif %} +{% endif %} +{% if cifmw_ci_gen_kustomize_values_registry_logins is defined and cifmw_ci_gen_kustomize_values_registry_logins | length > 0 %} + edpm_container_registry_logins: +{% for registry, creds in cifmw_ci_gen_kustomize_values_registry_logins.items() %} + {{ registry }}: +{% for username, password in creds.items() %} + {{ username }}: {{ password }} +{% endfor %} +{% endfor %} +{% endif %} nodes: {% for instance in instances_names %} edpm-{{ instance }}: diff --git a/roles/ci_gen_kustomize_values/templates/multi-namespace/edpm-nodeset-values/values.yaml.j2 b/roles/ci_gen_kustomize_values/templates/multi-namespace/edpm-nodeset-values/values.yaml.j2 index d9f1b61b65..14d17d2059 100644 --- a/roles/ci_gen_kustomize_values/templates/multi-namespace/edpm-nodeset-values/values.yaml.j2 
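Review bot: `{{ username }}: {{ password }}` writes the registry credential into the rendered YAML unquoted, so a password or token that contains `: ` or ` #`, starts with a YAML indicator such as `*`, `&` or `{`, or looks like a number or boolean will either break the values file or be silently retyped before it reaches `edpm_container_registry_logins`. Serialising both sides avoids that: `{{ username | to_json }}: {{ password | to_json }}`, and likewise `{{ registry | to_json }}:` for the key. The same loop is added in every `values.yaml.j2` hunk of this commit, including the nova04delta one. The rendered file now holds plaintext pull-secret credentials, so it is worth confirming its file mode and whether CI artifact collection picks it up; neither is visible here. The `data:` mapping this block sits in starts outside the hunk.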
+++ b/roles/ci_gen_kustomize_values/templates/multi-namespace/edpm-nodeset-values/values.yaml.j2 @@ -37,6 +37,28 @@ data: - "{{ range }}" {% endfor %} {% endif %} +{% set _original_ansible_vars = (_original_nodeset.ansible | default({})).ansibleVars | default({}) %} +{% set _original_bootstrap = _original_ansible_vars.edpm_bootstrap_command | default('') %} +{% set _needs_policy_json = cifmw_ci_gen_kustomize_values_add_policy_json | default(true) | bool and 'policy.json' not in _original_bootstrap %} +{% if _needs_policy_json or _original_bootstrap %} + edpm_bootstrap_command: | +{% if _original_bootstrap %} + {{ _original_bootstrap }} + +{% endif %} +{% if _needs_policy_json %} + mkdir -p /root/.config/containers/ && echo '{"default":[{"type":"insecureAcceptAnything"}]}' > /root/.config/containers/policy.json +{% endif %} +{% endif %} +{% if cifmw_ci_gen_kustomize_values_registry_logins is defined and cifmw_ci_gen_kustomize_values_registry_logins | length > 0 %} + edpm_container_registry_logins: +{% for registry, creds in cifmw_ci_gen_kustomize_values_registry_logins.items() %} + {{ registry }}: +{% for username, password in creds.items() %} + {{ username }}: {{ password }} +{% endfor %} +{% endfor %} +{% endif %} nodes: {% for instance in instances_names %} edpm-{{ instance }}: diff --git a/roles/ci_gen_kustomize_values/templates/multi-namespace/edpm-nodeset2-values/values.yaml.j2 b/roles/ci_gen_kustomize_values/templates/multi-namespace/edpm-nodeset2-values/values.yaml.j2 index f3316b92ff..71d498339c 100644 --- a/roles/ci_gen_kustomize_values/templates/multi-namespace/edpm-nodeset2-values/values.yaml.j2 +++ b/roles/ci_gen_kustomize_values/templates/multi-namespace/edpm-nodeset2-values/values.yaml.j2 
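Review bot: The added bootstrap line writes `{"default":[{"type":"insecureAcceptAnything"}]}` to `/root/.config/containers/policy.json` and is active unless `cifmw_ci_gen_kustomize_values_add_policy_json` is set to false, so image signature verification is switched off by default for root's container pulls on every node this template configures; the per-user file takes precedence over `/etc/containers/policy.json`. If this is intended for CI only, say so where it is emitted, e.g. `{# CI default: accepts unsigned images for root; set cifmw_ci_gen_kustomize_values_add_policy_json=false to keep the node's own policy #}`, and consider making the variable default to false. The skip condition `'policy.json' not in _original_bootstrap` is a substring match, so any mention of policy.json in the upstream command, even in a comment, suppresses the line. The same block is added to the other edpm-nodeset templates in this commit.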
@@ -39,6 +39,28 @@ data: - "{{ range }}" {% endfor %} {% endif %} +{% set _original_ansible_vars = (_original_nodeset.ansible | default({})).ansibleVars | default({}) %} +{% set _original_bootstrap = _original_ansible_vars.edpm_bootstrap_command | default('') %} +{% set _needs_policy_json = cifmw_ci_gen_kustomize_values_add_policy_json | default(true) | bool and 'policy.json' not in _original_bootstrap %} +{% if _needs_policy_json or _original_bootstrap %} + edpm_bootstrap_command: | +{% if _original_bootstrap %} + {{ _original_bootstrap }} + +{% endif %} +{% if _needs_policy_json %} + mkdir -p /root/.config/containers/ && echo '{"default":[{"type":"insecureAcceptAnything"}]}' > /root/.config/containers/policy.json +{% endif %} +{% endif %} +{% if cifmw_ci_gen_kustomize_values_registry_logins is defined and cifmw_ci_gen_kustomize_values_registry_logins | length > 0 %} + edpm_container_registry_logins: +{% for registry, creds in cifmw_ci_gen_kustomize_values_registry_logins.items() %} + {{ registry }}: +{% for username, password in creds.items() %} + {{ username }}: {{ password }} +{% endfor %} +{% endfor %} +{% endif %} nodes: {% for instance in instances_names %} edpm-{{ instance }}: diff --git a/roles/ci_gen_kustomize_values/templates/nfv-ovs-dpdk-sriov-hci/edpm-nodeset-values/values.yaml.j2 b/roles/ci_gen_kustomize_values/templates/nfv-ovs-dpdk-sriov-hci/edpm-nodeset-values/values.yaml.j2 index 369dae6a2b..b83136aa25 100644 --- a/roles/ci_gen_kustomize_values/templates/nfv-ovs-dpdk-sriov-hci/edpm-nodeset-values/values.yaml.j2 +++ b/roles/ci_gen_kustomize_values/templates/nfv-ovs-dpdk-sriov-hci/edpm-nodeset-values/values.yaml.j2 
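Review bot: `{{ _original_bootstrap }}` is emitted inside the `edpm_bootstrap_command: |` block scalar without an `indent` filter, so when the upstream command spans several lines only the first one receives the block's indentation and the rest land at column 0, which ends the scalar and breaks or reshapes the rendered YAML. The nova04delta template touched by this commit already carries a multi-line bootstrap command, so multi-line input looks likely. Use `{{ _original_bootstrap | indent(N) }}` with N equal to the block's indentation; the collapsed whitespace on this page does not show that value. The same lines are added to the other edpm-nodeset templates in this commit.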
@@ -4,6 +4,7 @@ {% set _original_nodeset = (original_content.data | default({})).nodeset | default({}) %} {% set _original_nodes = _original_nodeset.nodes | default({}) %} {% set _original_services = _original_nodeset['services'] | default([]) %} +{% set _original_baremetal_template = (original_content.data | default({})).baremetalSetTemplate | default({}) %} {% for _inst in cifmw_baremetal_hosts.keys() %} {% set _ = instances_names.append(_inst) %} {% endfor %} @@ -29,6 +30,28 @@ data: - "{{ range }}" {% endfor %} {% endif %} +{% set _original_ansible_vars = (_original_nodeset.ansible | default({})).ansibleVars | default({}) %} +{% set _original_bootstrap = _original_ansible_vars.edpm_bootstrap_command | default('') %} +{% set _needs_policy_json = cifmw_ci_gen_kustomize_values_add_policy_json | default(true) | bool and 'policy.json' not in _original_bootstrap %} +{% if _needs_policy_json or _original_bootstrap %} + edpm_bootstrap_command: | +{% if _original_bootstrap %} + {{ _original_bootstrap }} + +{% endif %} +{% if _needs_policy_json %} + mkdir -p /root/.config/containers/ && echo '{"default":[{"type":"insecureAcceptAnything"}]}' > /root/.config/containers/policy.json +{% endif %} +{% endif %} +{% if cifmw_ci_gen_kustomize_values_registry_logins is defined and cifmw_ci_gen_kustomize_values_registry_logins | length > 0 %} + edpm_container_registry_logins: +{% for registry, creds in cifmw_ci_gen_kustomize_values_registry_logins.items() %} + {{ registry }}: +{% for username, password in creds.items() %} + {{ username }}: {{ password }} +{% endfor %} +{% endfor %} +{% endif %} nodes: {% for instance in instances_names %} edpm-{{ instance }}: 
@@ -43,3 +66,11 @@ data: - "{{ svc }}" {% endfor %} {% endif %} +{% if cifmw_kustomize_deploy_metal3_node is defined %} + baremetalSetTemplate: +{% for key, value in _original_baremetal_template.items() %} + {{ key }}: {{ value }} +{% endfor %} + provisionServerNodeSelector: + kubernetes.io/hostname: "{{ cifmw_kustomize_deploy_metal3_node }}" +{% endif %} diff --git a/roles/ci_gen_kustomize_values/templates/nova-three-cells/edpm-nodeset-values/values.yaml.j2 b/roles/ci_gen_kustomize_values/templates/nova-three-cells/edpm-nodeset-values/values.yaml.j2 index cc79a738ad..289b109282 100644 --- a/roles/ci_gen_kustomize_values/templates/nova-three-cells/edpm-nodeset-values/values.yaml.j2 +++ b/roles/ci_gen_kustomize_values/templates/nova-three-cells/edpm-nodeset-values/values.yaml.j2 @@ -43,6 +43,28 @@ data: - "{{ range }}" {% endfor %} {% endif %} +{% set _original_ansible_vars = (_original_nodeset.ansible | default({})).ansibleVars | default({}) %} +{% set _original_bootstrap = _original_ansible_vars.edpm_bootstrap_command | default('') %} +{% set _needs_policy_json = cifmw_ci_gen_kustomize_values_add_policy_json | default(true) | bool and 'policy.json' not in _original_bootstrap %} +{% if _needs_policy_json or _original_bootstrap %} + edpm_bootstrap_command: | +{% if _original_bootstrap %} + {{ _original_bootstrap }} + +{% endif %} +{% if _needs_policy_json %} + mkdir -p /root/.config/containers/ && echo '{"default":[{"type":"insecureAcceptAnything"}]}' > /root/.config/containers/policy.json +{% endif %} +{% endif %} +{% if cifmw_ci_gen_kustomize_values_registry_logins is defined and cifmw_ci_gen_kustomize_values_registry_logins | length > 0 %} + edpm_container_registry_logins: +{% for registry, creds in cifmw_ci_gen_kustomize_values_registry_logins.items() %} + {{ registry }}: +{% for username, password in creds.items() %} + {{ username }}: {{ password }} +{% endfor %} +{% endfor %} +{% endif %} nodes: {% for instance in nodeset_one_instances %} edpm-{{ instance }}: 
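Review bot: `{{ key }}: {{ value }}` copies each `baremetalSetTemplate` entry by printing its Python representation, so nested mappings, lists and values such as `None` are not guaranteed to round-trip as the original YAML. If the upstream template already defines `provisionServerNodeSelector`, the rendered mapping also contains that key twice, which some parsers reject and others resolve silently. Suggested: `{% for key, value in _original_baremetal_template.items() if key != 'provisionServerNodeSelector' %}` with `{{ key }}: {{ value | to_json }}` as the loop body. The same hunk is added to the ovs-dpdk-sriov-2nodesets, ovs-dpdk-sriov-ipv6-2nodesets, ovs-dpdk-sriov-ipv6, ovs-dpdk-sriov and ovs-dpdk templates.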
diff --git a/roles/ci_gen_kustomize_values/templates/nova-three-cells/edpm-nodeset2-values/values.yaml.j2 b/roles/ci_gen_kustomize_values/templates/nova-three-cells/edpm-nodeset2-values/values.yaml.j2 index 3c62a0657c..50d00f237c 100644 --- a/roles/ci_gen_kustomize_values/templates/nova-three-cells/edpm-nodeset2-values/values.yaml.j2 +++ b/roles/ci_gen_kustomize_values/templates/nova-three-cells/edpm-nodeset2-values/values.yaml.j2 @@ -43,6 +43,28 @@ data: - "{{ range }}" {% endfor %} {% endif %} +{% set _original_ansible_vars = (_original_nodeset.ansible | default({})).ansibleVars | default({}) %} +{% set _original_bootstrap = _original_ansible_vars.edpm_bootstrap_command | default('') %} +{% set _needs_policy_json = cifmw_ci_gen_kustomize_values_add_policy_json | default(true) | bool and 'policy.json' not in _original_bootstrap %} +{% if _needs_policy_json or _original_bootstrap %} + edpm_bootstrap_command: | +{% if _original_bootstrap %} + {{ _original_bootstrap }} + +{% endif %} +{% if _needs_policy_json %} + mkdir -p /root/.config/containers/ && echo '{"default":[{"type":"insecureAcceptAnything"}]}' > /root/.config/containers/policy.json +{% endif %} +{% endif %} +{% if cifmw_ci_gen_kustomize_values_registry_logins is defined and cifmw_ci_gen_kustomize_values_registry_logins | length > 0 %} + edpm_container_registry_logins: +{% for registry, creds in cifmw_ci_gen_kustomize_values_registry_logins.items() %} + {{ registry }}: +{% for username, password in creds.items() %} + {{ username }}: {{ password }} +{% endfor %} +{% endfor %} +{% endif %} nodes: {% for instance in nodeset_two_instances %} edpm-{{ instance }}: diff --git a/roles/ci_gen_kustomize_values/templates/nova02beta/edpm-nodeset-values/values.yaml.j2 b/roles/ci_gen_kustomize_values/templates/nova02beta/edpm-nodeset-values/values.yaml.j2 index 8667d91d0b..8390b9b9a3 100644 --- a/roles/ci_gen_kustomize_values/templates/nova02beta/edpm-nodeset-values/values.yaml.j2 
+++ b/roles/ci_gen_kustomize_values/templates/nova02beta/edpm-nodeset-values/values.yaml.j2 @@ -43,6 +43,28 @@ data: - "{{ range }}" {% endfor %} {% endif %} +{% set _original_ansible_vars = (_original_nodeset.ansible | default({})).ansibleVars | default({}) %} +{% set _original_bootstrap = _original_ansible_vars.edpm_bootstrap_command | default('') %} +{% set _needs_policy_json = cifmw_ci_gen_kustomize_values_add_policy_json | default(true) | bool and 'policy.json' not in _original_bootstrap %} +{% if _needs_policy_json or _original_bootstrap %} + edpm_bootstrap_command: | +{% if _original_bootstrap %} + {{ _original_bootstrap }} + +{% endif %} +{% if _needs_policy_json %} + mkdir -p /root/.config/containers/ && echo '{"default":[{"type":"insecureAcceptAnything"}]}' > /root/.config/containers/policy.json +{% endif %} +{% endif %} +{% if cifmw_ci_gen_kustomize_values_registry_logins is defined and cifmw_ci_gen_kustomize_values_registry_logins | length > 0 %} + edpm_container_registry_logins: +{% for registry, creds in cifmw_ci_gen_kustomize_values_registry_logins.items() %} + {{ registry }}: +{% for username, password in creds.items() %} + {{ username }}: {{ password }} +{% endfor %} +{% endfor %} +{% endif %} nodes: {% for instance in nodeset_one_instances %} edpm-{{ instance }}: diff --git a/roles/ci_gen_kustomize_values/templates/nova02beta/edpm-nodeset2-values/values.yaml.j2 b/roles/ci_gen_kustomize_values/templates/nova02beta/edpm-nodeset2-values/values.yaml.j2 index 3f9a75153b..45a9b52d1f 100644 --- a/roles/ci_gen_kustomize_values/templates/nova02beta/edpm-nodeset2-values/values.yaml.j2 +++ b/roles/ci_gen_kustomize_values/templates/nova02beta/edpm-nodeset2-values/values.yaml.j2 
@@ -43,6 +43,28 @@ data: - "{{ range }}" {% endfor %} {% endif %} +{% set _original_ansible_vars = (_original_nodeset.ansible | default({})).ansibleVars | default({}) %} +{% set _original_bootstrap = _original_ansible_vars.edpm_bootstrap_command | default('') %} +{% set _needs_policy_json = cifmw_ci_gen_kustomize_values_add_policy_json | default(true) | bool and 'policy.json' not in _original_bootstrap %} +{% if _needs_policy_json or _original_bootstrap %} + edpm_bootstrap_command: | +{% if _original_bootstrap %} + {{ _original_bootstrap }} + +{% endif %} +{% if _needs_policy_json %} + mkdir -p /root/.config/containers/ && echo '{"default":[{"type":"insecureAcceptAnything"}]}' > /root/.config/containers/policy.json +{% endif %} +{% endif %} +{% if cifmw_ci_gen_kustomize_values_registry_logins is defined and cifmw_ci_gen_kustomize_values_registry_logins | length > 0 %} + edpm_container_registry_logins: +{% for registry, creds in cifmw_ci_gen_kustomize_values_registry_logins.items() %} + {{ registry }}: +{% for username, password in creds.items() %} + {{ username }}: {{ password }} +{% endfor %} +{% endfor %} +{% endif %} nodes: {% for instance in nodeset_two_instances %} edpm-{{ instance }}: diff --git a/roles/ci_gen_kustomize_values/templates/nova04delta/edpm-nodeset-values/values.yaml.j2 b/roles/ci_gen_kustomize_values/templates/nova04delta/edpm-nodeset-values/values.yaml.j2 index 4987ed49d7..0119df58d6 100644 --- a/roles/ci_gen_kustomize_values/templates/nova04delta/edpm-nodeset-values/values.yaml.j2 +++ b/roles/ci_gen_kustomize_values/templates/nova04delta/edpm-nodeset-values/values.yaml.j2 
@@ -38,12 +38,26 @@ data: # see https://access.redhat.com/solutions/253273 dnf -y install conntrack-tools +{% if cifmw_ci_gen_kustomize_values_add_policy_json | default(true) | bool %} + + # Container policy.json + mkdir -p /root/.config/containers/ && echo '{"default":[{"type":"insecureAcceptAnything"}]}' > /root/.config/containers/policy.json +{% endif %} {% if cifmw_ci_gen_kustomize_values_sshd_ranges | default([]) | length > 0 %} edpm_sshd_allowed_ranges: {% for range in cifmw_ci_gen_kustomize_values_sshd_ranges %} - "{{ range }}" {% endfor %} {% endif %} +{% if cifmw_ci_gen_kustomize_values_registry_logins is defined and cifmw_ci_gen_kustomize_values_registry_logins | length > 0 %} + edpm_container_registry_logins: +{% for registry, creds in cifmw_ci_gen_kustomize_values_registry_logins.items() %} + {{ registry }}: +{% for username, password in creds.items() %} + {{ username }}: {{ password }} +{% endfor %} +{% endfor %} +{% endif %} {% if cifmw_baremetal_hosts | default({}) | length > 0 %} # source roles/deploy_bmh/template/bmh.yml.j2, but it patches kustomize built outputs diff --git a/roles/ci_gen_kustomize_values/templates/ovs-dpdk-sriov-2nodesets/edpm-nodeset-values/values.yaml.j2 b/roles/ci_gen_kustomize_values/templates/ovs-dpdk-sriov-2nodesets/edpm-nodeset-values/values.yaml.j2 index 6ae842b92b..312b54ce86 100644 --- a/roles/ci_gen_kustomize_values/templates/ovs-dpdk-sriov-2nodesets/edpm-nodeset-values/values.yaml.j2 +++ b/roles/ci_gen_kustomize_values/templates/ovs-dpdk-sriov-2nodesets/edpm-nodeset-values/values.yaml.j2 
@@ -4,6 +4,7 @@ {% set _original_nodeset = (original_content.data | default({})).nodeset | default({}) %} {% set _original_nodes = _original_nodeset.nodes | default({}) %} {% set _original_services = _original_nodeset['services'] | default([]) %} +{% set _original_baremetal_template = (original_content.data | default({})).baremetalSetTemplate | default({}) %} {% if cifmw_baremetal_hosts | default([]) | length > 0 %} {% for _inst in cifmw_baremetal_hosts.keys() %} {% if (('label' in cifmw_baremetal_hosts[_inst]) and @@ -42,6 +43,28 @@ data: - "{{ range }}" {% endfor %} {% endif %} +{% set _original_ansible_vars = (_original_nodeset.ansible | default({})).ansibleVars | default({}) %} +{% set _original_bootstrap = _original_ansible_vars.edpm_bootstrap_command | default('') %} +{% set _needs_policy_json = cifmw_ci_gen_kustomize_values_add_policy_json | default(true) | bool and 'policy.json' not in _original_bootstrap %} +{% if _needs_policy_json or _original_bootstrap %} + edpm_bootstrap_command: | +{% if _original_bootstrap %} + {{ _original_bootstrap }} + +{% endif %} +{% if _needs_policy_json %} + mkdir -p /root/.config/containers/ && echo '{"default":[{"type":"insecureAcceptAnything"}]}' > /root/.config/containers/policy.json +{% endif %} +{% endif %} +{% if cifmw_ci_gen_kustomize_values_registry_logins is defined and cifmw_ci_gen_kustomize_values_registry_logins | length > 0 %} + edpm_container_registry_logins: +{% for registry, creds in cifmw_ci_gen_kustomize_values_registry_logins.items() %} + {{ registry }}: +{% for username, password in creds.items() %} + {{ username }}: {{ password }} +{% endfor %} +{% endfor %} +{% endif %} nodes: {% for instance in instances_names %} edpm-{{ instance }}: 
@@ -56,3 +79,11 @@ data: - "{{ svc }}" {% endfor %} {% endif %} +{% if cifmw_kustomize_deploy_metal3_node is defined %} + baremetalSetTemplate: +{% for key, value in _original_baremetal_template.items() %} + {{ key }}: {{ value }} +{% endfor %} + provisionServerNodeSelector: + kubernetes.io/hostname: "{{ cifmw_kustomize_deploy_metal3_node }}" +{% endif %} diff --git a/roles/ci_gen_kustomize_values/templates/ovs-dpdk-sriov-2nodesets/edpm-nodeset2-values/values.yaml.j2 b/roles/ci_gen_kustomize_values/templates/ovs-dpdk-sriov-2nodesets/edpm-nodeset2-values/values.yaml.j2 index 6e2109bc50..3c50efe7b0 100644 --- a/roles/ci_gen_kustomize_values/templates/ovs-dpdk-sriov-2nodesets/edpm-nodeset2-values/values.yaml.j2 +++ b/roles/ci_gen_kustomize_values/templates/ovs-dpdk-sriov-2nodesets/edpm-nodeset2-values/values.yaml.j2 
@@ -42,6 +42,28 @@ data: - "{{ range }}" {% endfor %} {% endif %} +{% set _original_ansible_vars = (_original_nodeset.ansible | default({})).ansibleVars | default({}) %} +{% set _original_bootstrap = _original_ansible_vars.edpm_bootstrap_command | default('') %} +{% set _needs_policy_json = cifmw_ci_gen_kustomize_values_add_policy_json | default(true) | bool and 'policy.json' not in _original_bootstrap %} +{% if _needs_policy_json or _original_bootstrap %} + edpm_bootstrap_command: | +{% if _original_bootstrap %} + {{ _original_bootstrap }} + +{% endif %} +{% if _needs_policy_json %} + mkdir -p /root/.config/containers/ && echo '{"default":[{"type":"insecureAcceptAnything"}]}' > /root/.config/containers/policy.json +{% endif %} +{% endif %} +{% if cifmw_ci_gen_kustomize_values_registry_logins is defined and cifmw_ci_gen_kustomize_values_registry_logins | length > 0 %} + edpm_container_registry_logins: +{% for registry, creds in cifmw_ci_gen_kustomize_values_registry_logins.items() %} + {{ registry }}: +{% for username, password in creds.items() %} + {{ username }}: {{ password }} +{% endfor %} +{% endfor %} +{% endif %} nodes: {% for instance in instances_names %} edpm-{{ instance }}: diff --git a/roles/ci_gen_kustomize_values/templates/ovs-dpdk-sriov-ipv6-2nodesets/edpm-nodeset-values/values.yaml.j2 b/roles/ci_gen_kustomize_values/templates/ovs-dpdk-sriov-ipv6-2nodesets/edpm-nodeset-values/values.yaml.j2 index 62ec8dad00..de3eed84d6 100644 --- a/roles/ci_gen_kustomize_values/templates/ovs-dpdk-sriov-ipv6-2nodesets/edpm-nodeset-values/values.yaml.j2 +++ b/roles/ci_gen_kustomize_values/templates/ovs-dpdk-sriov-ipv6-2nodesets/edpm-nodeset-values/values.yaml.j2 
@@ -4,6 +4,7 @@ {% set _original_nodeset = (original_content.data | default({})).nodeset | default({}) %} {% set _original_nodes = _original_nodeset.nodes | default({}) %} {% set _original_services = _original_nodeset['services'] | default([]) %} +{% set _original_baremetal_template = (original_content.data | default({})).baremetalSetTemplate | default({}) %} {% if cifmw_baremetal_hosts | default([]) | length > 0 %} {% for _inst in cifmw_baremetal_hosts.keys() %} {% if (('label' in cifmw_baremetal_hosts[_inst]) and @@ -42,6 +43,28 @@ data: - "{{ range }}" {% endfor %} {% endif %} +{% set _original_ansible_vars = (_original_nodeset.ansible | default({})).ansibleVars | default({}) %} +{% set _original_bootstrap = _original_ansible_vars.edpm_bootstrap_command | default('') %} +{% set _needs_policy_json = cifmw_ci_gen_kustomize_values_add_policy_json | default(true) | bool and 'policy.json' not in _original_bootstrap %} +{% if _needs_policy_json or _original_bootstrap %} + edpm_bootstrap_command: | +{% if _original_bootstrap %} + {{ _original_bootstrap }} + +{% endif %} +{% if _needs_policy_json %} + mkdir -p /root/.config/containers/ && echo '{"default":[{"type":"insecureAcceptAnything"}]}' > /root/.config/containers/policy.json +{% endif %} +{% endif %} +{% if cifmw_ci_gen_kustomize_values_registry_logins is defined and cifmw_ci_gen_kustomize_values_registry_logins | length > 0 %} + edpm_container_registry_logins: +{% for registry, creds in cifmw_ci_gen_kustomize_values_registry_logins.items() %} + {{ registry }}: +{% for username, password in creds.items() %} + {{ username }}: {{ password }} +{% endfor %} +{% endfor %} +{% endif %} nodes: {% for instance in instances_names %} edpm-{{ instance }}: 
@@ -56,3 +79,11 @@ data: - "{{ svc }}" {% endfor %} {% endif %} +{% if cifmw_kustomize_deploy_metal3_node is defined %} + baremetalSetTemplate: +{% for key, value in _original_baremetal_template.items() %} + {{ key }}: {{ value }} +{% endfor %} + provisionServerNodeSelector: + kubernetes.io/hostname: "{{ cifmw_kustomize_deploy_metal3_node }}" +{% endif %} diff --git a/roles/ci_gen_kustomize_values/templates/ovs-dpdk-sriov-ipv6-2nodesets/edpm-nodeset2-values/values.yaml.j2 b/roles/ci_gen_kustomize_values/templates/ovs-dpdk-sriov-ipv6-2nodesets/edpm-nodeset2-values/values.yaml.j2 index 80103686c3..031a00d8fc 100644 --- a/roles/ci_gen_kustomize_values/templates/ovs-dpdk-sriov-ipv6-2nodesets/edpm-nodeset2-values/values.yaml.j2 +++ b/roles/ci_gen_kustomize_values/templates/ovs-dpdk-sriov-ipv6-2nodesets/edpm-nodeset2-values/values.yaml.j2 
@@ -42,6 +42,28 @@ data: - "{{ range }}" {% endfor %} {% endif %} +{% set _original_ansible_vars = (_original_nodeset.ansible | default({})).ansibleVars | default({}) %} +{% set _original_bootstrap = _original_ansible_vars.edpm_bootstrap_command | default('') %} +{% set _needs_policy_json = cifmw_ci_gen_kustomize_values_add_policy_json | default(true) | bool and 'policy.json' not in _original_bootstrap %} +{% if _needs_policy_json or _original_bootstrap %} + edpm_bootstrap_command: | +{% if _original_bootstrap %} + {{ _original_bootstrap }} + +{% endif %} +{% if _needs_policy_json %} + mkdir -p /root/.config/containers/ && echo '{"default":[{"type":"insecureAcceptAnything"}]}' > /root/.config/containers/policy.json +{% endif %} +{% endif %} +{% if cifmw_ci_gen_kustomize_values_registry_logins is defined and cifmw_ci_gen_kustomize_values_registry_logins | length > 0 %} + edpm_container_registry_logins: +{% for registry, creds in cifmw_ci_gen_kustomize_values_registry_logins.items() %} + {{ registry }}: +{% for username, password in creds.items() %} + {{ username }}: {{ password }} +{% endfor %} +{% endfor %} +{% endif %} nodes: {% for instance in instances_names %} edpm-{{ instance }}: diff --git a/roles/ci_gen_kustomize_values/templates/ovs-dpdk-sriov-ipv6/edpm-nodeset-values/values.yaml.j2 b/roles/ci_gen_kustomize_values/templates/ovs-dpdk-sriov-ipv6/edpm-nodeset-values/values.yaml.j2 index cf1e9ce624..4cb0ea8df5 100644 --- a/roles/ci_gen_kustomize_values/templates/ovs-dpdk-sriov-ipv6/edpm-nodeset-values/values.yaml.j2 +++ b/roles/ci_gen_kustomize_values/templates/ovs-dpdk-sriov-ipv6/edpm-nodeset-values/values.yaml.j2 
@@ -4,6 +4,7 @@ {% set _original_nodeset = (original_content.data | default({})).nodeset | default({}) %} {% set _original_nodes = _original_nodeset.nodes | default({}) %} {% set _original_services = _original_nodeset['services'] | default([]) %} +{% set _original_baremetal_template = (original_content.data | default({})).baremetalSetTemplate | default({}) %} {% for _inst in cifmw_baremetal_hosts.keys() %} {% set _ = instances_names.append(_inst) %} {% endfor %} @@ -29,6 +30,28 @@ data: - "{{ range }}" {% endfor %} {% endif %} +{% set _original_ansible_vars = (_original_nodeset.ansible | default({})).ansibleVars | default({}) %} +{% set _original_bootstrap = _original_ansible_vars.edpm_bootstrap_command | default('') %} +{% set _needs_policy_json = cifmw_ci_gen_kustomize_values_add_policy_json | default(true) | bool and 'policy.json' not in _original_bootstrap %} +{% if _needs_policy_json or _original_bootstrap %} + edpm_bootstrap_command: | +{% if _original_bootstrap %} + {{ _original_bootstrap }} + +{% endif %} +{% if _needs_policy_json %} + mkdir -p /root/.config/containers/ && echo '{"default":[{"type":"insecureAcceptAnything"}]}' > /root/.config/containers/policy.json +{% endif %} +{% endif %} +{% if cifmw_ci_gen_kustomize_values_registry_logins is defined and cifmw_ci_gen_kustomize_values_registry_logins | length > 0 %} + edpm_container_registry_logins: +{% for registry, creds in cifmw_ci_gen_kustomize_values_registry_logins.items() %} + {{ registry }}: +{% for username, password in creds.items() %} + {{ username }}: {{ password }} +{% endfor %} +{% endfor %} +{% endif %} nodes: {% for instance in instances_names %} edpm-{{ instance }}: 
@@ -43,3 +66,11 @@ data: - "{{ svc }}" {% endfor %} {% endif %} +{% if cifmw_kustomize_deploy_metal3_node is defined %} + baremetalSetTemplate: +{% for key, value in _original_baremetal_template.items() %} + {{ key }}: {{ value }} +{% endfor %} + provisionServerNodeSelector: + kubernetes.io/hostname: "{{ cifmw_kustomize_deploy_metal3_node }}" +{% endif %} diff --git a/roles/ci_gen_kustomize_values/templates/ovs-dpdk-sriov/edpm-nodeset-values/values.yaml.j2 b/roles/ci_gen_kustomize_values/templates/ovs-dpdk-sriov/edpm-nodeset-values/values.yaml.j2 index 7d92c69d87..b3fdb1756b 100644 --- a/roles/ci_gen_kustomize_values/templates/ovs-dpdk-sriov/edpm-nodeset-values/values.yaml.j2 +++ b/roles/ci_gen_kustomize_values/templates/ovs-dpdk-sriov/edpm-nodeset-values/values.yaml.j2 @@ -4,6 +4,7 @@ {% set _original_nodeset = (original_content.data | default({})).nodeset | default({}) %} {% set _original_nodes = _original_nodeset.nodes | default({}) %} {% set _original_services = _original_nodeset['services'] | default([]) %} +{% set _original_baremetal_template = (original_content.data | default({})).baremetalSetTemplate | default({}) %} {% for _inst in cifmw_baremetal_hosts.keys() %} {% set _ = instances_names.append(_inst) %} {% endfor %} 
@@ -29,6 +30,28 @@ data: - "{{ range }}" {% endfor %} {% endif %} +{% set _original_ansible_vars = (_original_nodeset.ansible | default({})).ansibleVars | default({}) %} +{% set _original_bootstrap = _original_ansible_vars.edpm_bootstrap_command | default('') %} +{% set _needs_policy_json = cifmw_ci_gen_kustomize_values_add_policy_json | default(true) | bool and 'policy.json' not in _original_bootstrap %} +{% if _needs_policy_json or _original_bootstrap %} + edpm_bootstrap_command: | +{% if _original_bootstrap %} + {{ _original_bootstrap }} + +{% endif %} +{% if _needs_policy_json %} + mkdir -p /root/.config/containers/ && echo '{"default":[{"type":"insecureAcceptAnything"}]}' > /root/.config/containers/policy.json +{% endif %} +{% endif %} +{% if cifmw_ci_gen_kustomize_values_registry_logins is defined and cifmw_ci_gen_kustomize_values_registry_logins | length > 0 %} + edpm_container_registry_logins: +{% for registry, creds in cifmw_ci_gen_kustomize_values_registry_logins.items() %} + {{ registry }}: +{% for username, password in creds.items() %} + {{ username }}: {{ password }} +{% endfor %} +{% endfor %} +{% endif %} nodes: {% for instance in instances_names %} edpm-{{ instance }}: @@ -43,3 +66,11 @@ data: - "{{ svc }}" {% endfor %} {% endif %} +{% if cifmw_kustomize_deploy_metal3_node is defined %} + baremetalSetTemplate: +{% for key, value in _original_baremetal_template.items() %} + {{ key }}: {{ value }} +{% endfor %} + provisionServerNodeSelector: + kubernetes.io/hostname: "{{ cifmw_kustomize_deploy_metal3_node }}" +{% endif %} diff --git a/roles/ci_gen_kustomize_values/templates/ovs-dpdk/edpm-nodeset-values/values.yaml.j2 b/roles/ci_gen_kustomize_values/templates/ovs-dpdk/edpm-nodeset-values/values.yaml.j2 index 3d4fb5cc4d..27aeb0f9ba 100644 --- a/roles/ci_gen_kustomize_values/templates/ovs-dpdk/edpm-nodeset-values/values.yaml.j2 +++ b/roles/ci_gen_kustomize_values/templates/ovs-dpdk/edpm-nodeset-values/values.yaml.j2 
@@ -4,6 +4,7 @@ {% set _original_nodeset = (original_content.data | default({})).nodeset | default({}) %} {% set _original_nodes = _original_nodeset.nodes | default({}) %} {% set _original_services = _original_nodeset['services'] | default([]) %} +{% set _original_baremetal_template = (original_content.data | default({})).baremetalSetTemplate | default({}) %} {% for _inst in cifmw_baremetal_hosts.keys() %} {% set _ = instances_names.append(_inst) %} {% endfor %} @@ -29,6 +30,28 @@ data: - "{{ range }}" {% endfor %} {% endif %} +{% set _original_ansible_vars = (_original_nodeset.ansible | default({})).ansibleVars | default({}) %} +{% set _original_bootstrap = _original_ansible_vars.edpm_bootstrap_command | default('') %} +{% set _needs_policy_json = cifmw_ci_gen_kustomize_values_add_policy_json | default(true) | bool and 'policy.json' not in _original_bootstrap %} +{% if _needs_policy_json or _original_bootstrap %} + edpm_bootstrap_command: | +{% if _original_bootstrap %} + {{ _original_bootstrap }} + +{% endif %} +{% if _needs_policy_json %} + mkdir -p /root/.config/containers/ && echo '{"default":[{"type":"insecureAcceptAnything"}]}' > /root/.config/containers/policy.json +{% endif %} +{% endif %} +{% if cifmw_ci_gen_kustomize_values_registry_logins is defined and cifmw_ci_gen_kustomize_values_registry_logins | length > 0 %} + edpm_container_registry_logins: +{% for registry, creds in cifmw_ci_gen_kustomize_values_registry_logins.items() %} + {{ registry }}: +{% for username, password in creds.items() %} + {{ username }}: {{ password }} +{% endfor %} +{% endfor %} +{% endif %} nodes: {% for instance in instances_names %} edpm-{{ instance }}: 
@@ -42,3 +65,11 @@ data: - "{{ svc }}" {% endfor %} {% endif %} +{% if cifmw_kustomize_deploy_metal3_node is defined %} + baremetalSetTemplate: +{% for key, value in _original_baremetal_template.items() %} + {{ key }}: {{ value }} +{% endfor %} + provisionServerNodeSelector: + kubernetes.io/hostname: "{{ cifmw_kustomize_deploy_metal3_node }}" +{% endif %} diff --git a/roles/ci_gen_kustomize_values/templates/shiftstack/edpm-nodeset-values/values.yaml.j2 b/roles/ci_gen_kustomize_values/templates/shiftstack/edpm-nodeset-values/values.yaml.j2 index 69a2739190..afabb93fc4 100644 --- a/roles/ci_gen_kustomize_values/templates/shiftstack/edpm-nodeset-values/values.yaml.j2 +++ b/roles/ci_gen_kustomize_values/templates/shiftstack/edpm-nodeset-values/values.yaml.j2 @@ -69,6 +69,28 @@ data: {% endfor %} {% endif %} +{% set _original_ansible_vars = (_original_nodeset.ansible | default({})).ansibleVars | default({}) %} +{% set _original_bootstrap = _original_ansible_vars.edpm_bootstrap_command | default('') %} +{% set _needs_policy_json = cifmw_ci_gen_kustomize_values_add_policy_json | default(true) | bool and 'policy.json' not in _original_bootstrap %} +{% if _needs_policy_json or _original_bootstrap %} + edpm_bootstrap_command: | +{% if _original_bootstrap %} + {{ _original_bootstrap }} + +{% endif %} +{% if _needs_policy_json %} + mkdir -p /root/.config/containers/ && echo '{"default":[{"type":"insecureAcceptAnything"}]}' > /root/.config/containers/policy.json +{% endif %} +{% endif %} +{% if cifmw_ci_gen_kustomize_values_registry_logins is defined and cifmw_ci_gen_kustomize_values_registry_logins | length > 0 %} + edpm_container_registry_logins: +{% for registry, creds in cifmw_ci_gen_kustomize_values_registry_logins.items() %} + {{ registry }}: +{% for username, password in creds.items() %} + {{ username }}: {{ password }} +{% endfor %} +{% endfor %} +{% endif %} nodes: {% for instance in instances_names %} edpm-{{ instance }}: 
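Review bot: `{{ _original_bootstrap }}` is substituted into the `edpm_bootstrap_command: |` block scalar unchanged, so when the original command spans several lines only its first line gets the template's indentation and the rest fall out of the block, which gives a parse error or a truncated command. Pass the value through Jinja's `indent` filter using the block's indentation width, for example `{{ _original_bootstrap | trim | indent(<block indent width>) }}`; the width itself is not recoverable from this view because whitespace was collapsed. The same substitution is added in every nodeset template this commit touches. The mapping that holds `edpm_bootstrap_command` starts outside the hunk.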
diff --git a/roles/ci_gen_kustomize_values/templates/sriov/edpm-nodeset-values/values.yaml.j2 b/roles/ci_gen_kustomize_values/templates/sriov/edpm-nodeset-values/values.yaml.j2 index 8139a2dc1d..23bb0b9a29 100644 --- a/roles/ci_gen_kustomize_values/templates/sriov/edpm-nodeset-values/values.yaml.j2 +++ b/roles/ci_gen_kustomize_values/templates/sriov/edpm-nodeset-values/values.yaml.j2 @@ -4,6 +4,7 @@ {% set _original_nodeset = (original_content.data | default({})).nodeset | default({}) %} {% set _original_nodes = _original_nodeset.nodes | default({}) %} {% set _original_services = _original_nodeset['services'] | default([]) %} +{% set _original_baremetal_template = (original_content.data | default({})).baremetalSetTemplate | default({}) %} {% for _inst in cifmw_baremetal_hosts.keys() %} {% set _ = instances_names.append(_inst) %} {% endfor %} 
@@ -29,6 +30,28 @@ data: - "{{ range }}" {% endfor %} {% endif %} +{% set _original_ansible_vars = (_original_nodeset.ansible | default({})).ansibleVars | default({}) %} +{% set _original_bootstrap = _original_ansible_vars.edpm_bootstrap_command | default('') %} +{% set _needs_policy_json = cifmw_ci_gen_kustomize_values_add_policy_json | default(true) | bool and 'policy.json' not in _original_bootstrap %} +{% if _needs_policy_json or _original_bootstrap %} + edpm_bootstrap_command: | +{% if _original_bootstrap %} + {{ _original_bootstrap }} + +{% endif %} +{% if _needs_policy_json %} + mkdir -p /root/.config/containers/ && echo '{"default":[{"type":"insecureAcceptAnything"}]}' > /root/.config/containers/policy.json +{% endif %} +{% endif %} +{% if cifmw_ci_gen_kustomize_values_registry_logins is defined and cifmw_ci_gen_kustomize_values_registry_logins | length > 0 %} + edpm_container_registry_logins: +{% for registry, creds in cifmw_ci_gen_kustomize_values_registry_logins.items() %} + {{ registry }}: +{% for username, password in creds.items() %} + {{ username }}: {{ password }} +{% endfor %} +{% endfor %} +{% endif %} nodes: {% for instance in instances_names %} edpm-{{ instance }}: @@ -42,3 +65,11 @@ data: - "{{ svc }}" {% endfor %} {% endif %} +{% if cifmw_kustomize_deploy_metal3_node is defined %} + baremetalSetTemplate: +{% for key, value in _original_baremetal_template.items() %} + {{ key }}: {{ value }} +{% endfor %} + provisionServerNodeSelector: + kubernetes.io/hostname: "{{ cifmw_kustomize_deploy_metal3_node }}" +{% endif %} diff --git a/roles/ci_gen_kustomize_values/templates/uni02beta/edpm-nodeset-values/values.yaml.j2 b/roles/ci_gen_kustomize_values/templates/uni02beta/edpm-nodeset-values/values.yaml.j2 index 6022ff2323..5f87f9641e 100644 --- a/roles/ci_gen_kustomize_values/templates/uni02beta/edpm-nodeset-values/values.yaml.j2 +++ b/roles/ci_gen_kustomize_values/templates/uni02beta/edpm-nodeset-values/values.yaml.j2 
@@ -43,6 +43,28 @@ data: - "{{ range }}" {% endfor %} {% endif %} +{% set _original_ansible_vars = (_original_nodeset.ansible | default({})).ansibleVars | default({}) %} +{% set _original_bootstrap = _original_ansible_vars.edpm_bootstrap_command | default('') %} +{% set _needs_policy_json = cifmw_ci_gen_kustomize_values_add_policy_json | default(true) | bool and 'policy.json' not in _original_bootstrap %} +{% if _needs_policy_json or _original_bootstrap %} + edpm_bootstrap_command: | +{% if _original_bootstrap %} + {{ _original_bootstrap }} + +{% endif %} +{% if _needs_policy_json %} + mkdir -p /root/.config/containers/ && echo '{"default":[{"type":"insecureAcceptAnything"}]}' > /root/.config/containers/policy.json +{% endif %} +{% endif %} +{% if cifmw_ci_gen_kustomize_values_registry_logins is defined and cifmw_ci_gen_kustomize_values_registry_logins | length > 0 %} + edpm_container_registry_logins: +{% for registry, creds in cifmw_ci_gen_kustomize_values_registry_logins.items() %} + {{ registry }}: +{% for username, password in creds.items() %} + {{ username }}: {{ password }} +{% endfor %} +{% endfor %} +{% endif %} nodes: {% for instance in instances_names %} edpm-{{ instance }}: diff --git a/roles/ci_gen_kustomize_values/templates/uni05epsilon/edpm-nodeset-values/values.yaml.j2 b/roles/ci_gen_kustomize_values/templates/uni05epsilon/edpm-nodeset-values/values.yaml.j2 index 69105034d4..92089e3113 100644 --- a/roles/ci_gen_kustomize_values/templates/uni05epsilon/edpm-nodeset-values/values.yaml.j2 +++ b/roles/ci_gen_kustomize_values/templates/uni05epsilon/edpm-nodeset-values/values.yaml.j2 
@@ -39,6 +39,28 @@ data: - "{{ range }}" {% endfor %} {% endif %} +{% set _original_ansible_vars = (_original_nodeset.ansible | default({})).ansibleVars | default({}) %} +{% set _original_bootstrap = _original_ansible_vars.edpm_bootstrap_command | default('') %} +{% set _needs_policy_json = cifmw_ci_gen_kustomize_values_add_policy_json | default(true) | bool and 'policy.json' not in _original_bootstrap %} +{% if _needs_policy_json or _original_bootstrap %} + edpm_bootstrap_command: | +{% if _original_bootstrap %} + {{ _original_bootstrap }} + +{% endif %} +{% if _needs_policy_json %} + mkdir -p /root/.config/containers/ && echo '{"default":[{"type":"insecureAcceptAnything"}]}' > /root/.config/containers/policy.json +{% endif %} +{% endif %} +{% if cifmw_ci_gen_kustomize_values_registry_logins is defined and cifmw_ci_gen_kustomize_values_registry_logins | length > 0 %} + edpm_container_registry_logins: +{% for registry, creds in cifmw_ci_gen_kustomize_values_registry_logins.items() %} + {{ registry }}: +{% for username, password in creds.items() %} + {{ username }}: {{ password }} +{% endfor %} +{% endfor %} +{% endif %} nodes: {% for instance in nodeset_one_instances %} edpm-{{ instance }}: diff --git a/roles/ci_gen_kustomize_values/templates/uni05epsilon/edpm-nodeset2-values/values.yaml.j2 b/roles/ci_gen_kustomize_values/templates/uni05epsilon/edpm-nodeset2-values/values.yaml.j2 index 9f3360974c..061146d045 100644 --- a/roles/ci_gen_kustomize_values/templates/uni05epsilon/edpm-nodeset2-values/values.yaml.j2 +++ b/roles/ci_gen_kustomize_values/templates/uni05epsilon/edpm-nodeset2-values/values.yaml.j2 
@@ -39,6 +39,28 @@ data: - "{{ range }}" {% endfor %} {% endif %} +{% set _original_ansible_vars = (_original_nodeset.ansible | default({})).ansibleVars | default({}) %} +{% set _original_bootstrap = _original_ansible_vars.edpm_bootstrap_command | default('') %} +{% set _needs_policy_json = cifmw_ci_gen_kustomize_values_add_policy_json | default(true) | bool and 'policy.json' not in _original_bootstrap %} +{% if _needs_policy_json or _original_bootstrap %} + edpm_bootstrap_command: | +{% if _original_bootstrap %} + {{ _original_bootstrap }} + +{% endif %} +{% if _needs_policy_json %} + mkdir -p /root/.config/containers/ && echo '{"default":[{"type":"insecureAcceptAnything"}]}' > /root/.config/containers/policy.json +{% endif %} +{% endif %} +{% if cifmw_ci_gen_kustomize_values_registry_logins is defined and cifmw_ci_gen_kustomize_values_registry_logins | length > 0 %} + edpm_container_registry_logins: +{% for registry, creds in cifmw_ci_gen_kustomize_values_registry_logins.items() %} + {{ registry }}: +{% for username, password in creds.items() %} + {{ username }}: {{ password }} +{% endfor %} +{% endfor %} +{% endif %} nodes: {% for instance in nodeset_two_instances %} edpm-{{ instance }}: diff --git a/roles/cifmw_registry_pullsecret/README.md b/roles/cifmw_registry_pullsecret/README.md new file mode 100644 index 0000000000..d4819ff695 --- /dev/null +++ b/roles/cifmw_registry_pullsecret/README.md 
@@ -0,0 +1,43 @@
+# cifmw_registry_pullsecret
+
+Extract registry credentials from OpenShift pull-secret and update the registry token used for EDPM deployment.
+
+## Privilege escalation
+
+None required.
+
+## Parameters
+
+* `cifmw_registry_pullsecret_enabled`: (Boolean) Enable/disable pull-secret credential extraction. Default: `false`
+* `cifmw_registry_pullsecret_registry_url`: (String) Registry URL to extract credentials for. Example: ``
+* `cifmw_registry_pullsecret_update_file`: (Boolean) Whether to update the registry token file. Default: `true`
+* `cifmw_registry_pullsecret_dest_file`: (String) Destination file for registry token credentials. Default: `{{ ansible_user_dir }}/secrets/registry_token_creds.yaml`
+
+## Usage
+
+This role is designed to be called during EDPM deployment, after OpenShift is deployed but before EDPM nodesets are created.
+
+It extracts credentials from the OpenShift pull-secret in the `openshift-config` namespace and updates the `cifmw_registry_token` variable and optionally the registry token file.
+
+### Example configuration which can be used in the zuul jobs
+
+```yaml
+vars:
+ cifmw_registry_pullsecret_enabled: true
+ cifmw_registry_pullsecret_registry_url:
+```
+
+### Integration point
+
+This role is automatically called by `cifmw_setup/tasks/deploy_architecture.yml` when `cifmw_registry_pullsecret_enabled` is `true`.
+
+## Requirements
+
+* OpenShift cluster must be deployed and accessible
+* `kubernetes.core.k8s_info` module must be available
+* Pull-secret must exist in `openshift-config/pull-secret`
+* The specified registry URL must be present in the pull-secret
+
+## Error handling
+
+If extraction fails for any reason (OpenShift not accessible, registry not in pull-secret, etc.), the role will log a warning and continue, keeping the existing credentials from pre-run.
diff --git a/roles/cifmw_registry_pullsecret/defaults/main.yml b/roles/cifmw_registry_pullsecret/defaults/main.yml
new file mode 100644
index 0000000000..744ee660cb
--- /dev/null
+++ b/roles/cifmw_registry_pullsecret/defaults/main.yml
@@ -0,0 +1,27 @@
+---
+# Copyright Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+# Enable/disable pull-secret credential extraction
+cifmw_registry_pullsecret_enabled: false
+
+# Registry URL to extract credentials for
+# cifmw_registry_pullsecret_registry_url: registry.stage.redhat.io
+
+# Whether to update the registry token file with extracted credentials
+cifmw_registry_pullsecret_update_file: true
+
+# Destination file for registry token credentials
+cifmw_registry_pullsecret_dest_file: "{{ ansible_user_dir }}/secrets/registry_token_creds.yaml"
diff --git a/roles/cifmw_registry_pullsecret/meta/main.yml b/roles/cifmw_registry_pullsecret/meta/main.yml
new file mode 100644
index 0000000000..c0536be5f4
--- /dev/null
+++ b/roles/cifmw_registry_pullsecret/meta/main.yml
@@ -0,0 +1,35 @@
+---
+# Copyright Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+galaxy_info:
+ author: CI Framework
+ description: Extract registry credentials from OpenShift pull-secret
+ company: Red Hat
+ license: Apache-2.0
+ min_ansible_version: "2.15"
+ platforms:
+ - name: CentOS
+ versions:
+ - stream9
+ - name: Fedora
+ versions:
+ - 39
+ - 40
+ - name: RedHat
+ versions:
+ - "9"
+
+dependencies: []
diff --git a/roles/cifmw_registry_pullsecret/tasks/main.yml b/roles/cifmw_registry_pullsecret/tasks/main.yml
new file mode 100644
index 0000000000..a450444048
--- /dev/null
+++ b/roles/cifmw_registry_pullsecret/tasks/main.yml
@@ -0,0 +1,130 @@ +--- +# Copyright Red Hat, Inc. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +- name: Extract registry credentials from OpenShift pull-secret + when: + - cifmw_registry_pullsecret_enabled | default(false) | bool + - cifmw_registry_pullsecret_registry_url is defined + block: + - name: Get OpenShift pull-secret + no_log: true + kubernetes.core.k8s_info: + kubeconfig: "{{ cifmw_openshift_kubeconfig | default(omit) }}" + api_key: "{{ cifmw_openshift_token | default(omit) }}" + context: "{{ cifmw_openshift_context | default(omit) }}" + api_version: v1 + kind: Secret + name: pull-secret + namespace: openshift-config + register: _pullsecret_info + + - name: Validate pull-secret was retrieved + ansible.builtin.assert: + that: + - _pullsecret_info.resources is defined + - _pullsecret_info.resources | length > 0 + fail_msg: "Could not retrieve pull-secret from OpenShift" + + - name: Parse pull-secret content + no_log: true + ansible.builtin.set_fact: + _dockerconfig: "{{ _pullsecret_info.resources[0].data['.dockerconfigjson'] | b64decode | from_json }}" + + - name: Validate registry exists in pull-secret + ansible.builtin.assert: + that: + - _dockerconfig.auths is defined + - cifmw_registry_pullsecret_registry_url in _dockerconfig.auths + fail_msg: "Registry {{ cifmw_registry_pullsecret_registry_url }} not found in pull-secret" + + - name: Extract and decode registry auth + no_log: true + ansible.builtin.set_fact: + 
_registry_auth_decoded: "{{ _dockerconfig.auths[cifmw_registry_pullsecret_registry_url].auth | b64decode }}" + + - name: Parse username and password + no_log: true + ansible.builtin.set_fact: + _pullsecret_username: "{{ _registry_auth_decoded.split(':')[0] }}" + _pullsecret_password: "{{ _registry_auth_decoded.split(':')[1] }}" + + - name: Update cifmw_registry_token with pull-secret credentials + no_log: true + ansible.builtin.set_fact: + cifmw_registry_token: + name: "pullsecret_extracted" + description: "Extracted from OpenShift pull-secret" + created: "{{ ansible_date_time.iso8601 }}" + credentials: + username: "{{ _pullsecret_username }}" + password: "{{ _pullsecret_password }}" + + - name: Update cifmw_registry_token_credentials for EDPM deployment + no_log: true + ansible.builtin.set_fact: + cifmw_registry_token_credentials: + - key: "{{ _pullsecret_username }}" + value: "{{ _pullsecret_password }}" + + - name: Update architecture kustomize registry credentials for all stages + when: cifmw_architecture_user_kustomize_90_registry_mirror_login is defined + no_log: true + vars: + _new_logins: + registry.redhat.io: + "{{ cifmw_registry_token.credentials.username }}": "{{ cifmw_registry_token.credentials.password }}" + registry.stage.redhat.io: + "{{ cifmw_registry_token.credentials.username }}": "{{ cifmw_registry_token.credentials.password }}" + _stage_update: + data: + nodeset: + ansible: + ansibleVars: + edpm_container_registry_logins: "{{ _new_logins }}" + ansible.builtin.set_fact: + cifmw_architecture_user_kustomize_90_registry_mirror_login: >- + {{ + cifmw_architecture_user_kustomize_90_registry_mirror_login | + dict2items | + map('combine', {'value': _stage_update}, recursive=true) | + items2dict + }} + + - name: Ensure destination directory exists + when: cifmw_registry_pullsecret_update_file | bool + ansible.builtin.file: + path: "{{ cifmw_registry_pullsecret_dest_file | dirname }}" + state: directory + mode: "0755" + + - name: Update registry token 
file with pull-secret credentials + when: cifmw_registry_pullsecret_update_file | bool + vars: + _file_content: + cifmw_registry_token: "{{ cifmw_registry_token }}" + ansible.builtin.copy: + content: "{{ _file_content | to_nice_yaml }}" + dest: "{{ cifmw_registry_pullsecret_dest_file }}" + mode: "0644" + + - name: Display success + ansible.builtin.debug: + msg: "Updated registry credentials for {{ cifmw_registry_pullsecret_registry_url }} from OpenShift pull-secret (user: {{ _pullsecret_username }})" + + rescue: + - name: Pull-secret extraction failed + ansible.builtin.debug: + msg: "Could not extract credentials from pull-secret. Keeping existing credentials." diff --git a/roles/cifmw_setup/tasks/deploy_architecture.yml b/roles/cifmw_setup/tasks/deploy_architecture.yml index 3a11b4dbd6..74a0ff27bc 100644 --- a/roles/cifmw_setup/tasks/deploy_architecture.yml +++ b/roles/cifmw_setup/tasks/deploy_architecture.yml @@ -228,6 +228,13 @@ - storage - edpm_bootstrap +- name: Update registry credentials from OpenShift pull-secret + when: cifmw_registry_pullsecret_enabled | default(false) | bool + ansible.builtin.include_role: + name: cifmw_registry_pullsecret + tags: + - edpm_bootstrap + - name: Execute deployment steps tags: - edpm_deploy diff --git a/roles/kustomize_deploy/tasks/execute_step.yml b/roles/kustomize_deploy/tasks/execute_step.yml index 76bd5b82bf..96ebb36707 100644 --- a/roles/kustomize_deploy/tasks/execute_step.yml +++ b/roles/kustomize_deploy/tasks/execute_step.yml 
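Review bot: The `Update registry token file with pull-secret credentials` task writes the extracted username and password to `cifmw_registry_pullsecret_dest_file` with `mode: "0644"` in a directory created with `mode: "0755"`, so the registry credentials are readable by other local accounts wherever the parent path is traversable; `mode: "0600"` for the file and `mode: "0700"` for the directory keep them private to the deploying user. That copy task is also the only credential-handling task in the block without `no_log: true`, so its rendered `content` can show up in diff or verbose output. In `Parse username and password`, `_registry_auth_decoded.split(':')[1]` drops everything after a second colon, which corrupts any password containing `:`; `split(':', 1)[1]` keeps the remainder. `_new_logins` hard-codes `registry.redhat.io` and `registry.stage.redhat.io`, so credentials extracted for whatever `cifmw_registry_pullsecret_registry_url` names are presented to both registries; keying the mapping on that variable limits them to the registry they belong to.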
@@ -126,6 +126,51 @@ ansible.builtin.include_role: name: run_hook + - name: Debug stage information for metal3 detection + ansible.builtin.debug: + msg: + - "Stage path: {{ stage.path }}" + - "Stage path defined: {{ stage.path is defined }}" + - "Matches pattern: {{ stage.path is match('.*/edpm/nodeset.*') if stage.path is defined else false }}" + + - name: Detect metal3 pod node for baremetal nodeset provisioning + when: + - stage.path is defined + - stage.path is match('.*/edpm/nodeset.*') + block: + - name: Debug - Entering metal3 detection block + ansible.builtin.debug: + msg: "INSIDE metal3 detection block for stage: {{ stage.path }}" + + - name: Get metal3 pod information + kubernetes.core.k8s_info: + kubeconfig: "{{ cifmw_openshift_kubeconfig }}" + kind: Pod + namespace: openshift-machine-api + label_selectors: + - k8s-app=metal3 + register: _cifmw_kustomize_deploy_metal3_pod_info + + - name: Set metal3 node for provisionserver nodeSelector + ansible.builtin.set_fact: + cifmw_kustomize_deploy_metal3_node: "{{ _cifmw_kustomize_deploy_metal3_pod_info.resources[0].spec.nodeName }}" + cacheable: true + when: + - _cifmw_kustomize_deploy_metal3_pod_info.resources is defined + - _cifmw_kustomize_deploy_metal3_pod_info.resources | length > 0 + + - name: Log metal3 node location + ansible.builtin.debug: + msg: "Metal3 pod is running on {{ cifmw_kustomize_deploy_metal3_node }}, provisionserver will be co-located there" + when: cifmw_kustomize_deploy_metal3_node is defined + + - name: Debug - metal3 pod info result + ansible.builtin.debug: + msg: + - "Resources found: {{ _cifmw_kustomize_deploy_metal3_pod_info.resources | default([]) | length }}" + - "Variable set: {{ cifmw_kustomize_deploy_metal3_node is defined }}" + - "Variable value: {{ cifmw_kustomize_deploy_metal3_node | default('NOT_SET') }}" + - name: "Generate values.yaml for {{ stage.path }}" when: - _val.src_file is defined
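Review bot: `Set metal3 node for provisionserver nodeSelector` takes `resources[0].spec.nodeName` from an unfiltered `k8s_info` query and stores it with `cacheable: true`, so a metal3 pod that is pending, terminating or later rescheduled still pins `provisionServerNodeSelector` to its node, and with a fact cache enabled the stale name carries over into later runs. Restricting the lookup with `field_selectors: ['status.phase=Running']` and dropping `cacheable: true` makes the node get re-detected each time. The `Debug stage information for metal3 detection`, `Debug - Entering metal3 detection block` and `Debug - metal3 pod info result` tasks read as leftover troubleshooting output and could be removed or gated on a verbosity level before merge. The enclosing task list starts outside the hunk.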