[HIVE-2675]-Create hive cluster on AWS by MCE. (#59318)

Co-authored-by: Cloud User <[email protected]>

ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.17__amd64-stable.yaml

@@ -115,6 +115,20 @@ tests:
     test:
     - chain: cucushift-installer-check-cluster-health
     workflow: cucushift-installer-rehearse-aws-ipi-disconnected-private-cco-manual-security-token-service-private-s3-with-ep-sts-ec2-elb
+- as: aws-ipi-longduration-hive-mce-f14
+  cron: 10 21 12,26 * *
+  steps:
+    cluster_profile: aws-qe
+    env:
+      BASE_DOMAIN: qe.devcluster.openshift.com
+      FILTERS_ADDITIONAL: ~CPaasrunOnly&;HiveSDRosa&
+      MCE_QE_CATALOG: "true"
+      MCE_VERSION: "2.7"
+      TEST_SCENARIOS: Cluster_Operator
+      TEST_TIMEOUT: "90"
+    test:
+    - chain: openshift-e2e-test-qe-longrun
+    workflow: cucushift-installer-rehearse-aws-ipi-ovn-hive-mce
 - as: aws-ipi-ovn-ipsec-to-multiarch-f28
   cron: 58 0 12 * *
   steps:

ci-operator/jobs/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.17-periodics.yaml

@@ -42315,6 +42315,87 @@ periodics:
     - name: result-aggregator
       secret:
         secretName: result-aggregator
+- agent: kubernetes
+  cluster: build03
+  cron: 10 21 12,26 * *
+  decorate: true
+  decoration_config:
+    skip_cloning: true
+  extra_refs:
+  - base_ref: release-4.17
+    org: openshift
+    repo: openshift-tests-private
+  labels:
+    ci-operator.openshift.io/cloud: aws
+    ci-operator.openshift.io/cloud-cluster-profile: aws-qe
+    ci-operator.openshift.io/variant: amd64-stable
+    ci.openshift.io/generator: prowgen
+    pj-rehearse.openshift.io/can-be-rehearsed: "true"
+  name: periodic-ci-openshift-openshift-tests-private-release-4.17-amd64-stable-aws-ipi-longduration-hive-mce-f14
+  spec:
+    containers:
+    - args:
+      - --gcs-upload-secret=/secrets/gcs/service-account.json
+      - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
+      - --lease-server-credentials-file=/etc/boskos/credentials
+      - --oauth-token-path=/usr/local/github-credentials/oauth
+      - --report-credentials-file=/etc/report/credentials
+      - --secret-dir=/secrets/ci-pull-credentials
+      - --target=aws-ipi-longduration-hive-mce-f14
+      - --variant=amd64-stable
+      command:
+      - ci-operator
+      image: ci-operator:latest
+      imagePullPolicy: Always
+      name: ""
+      resources:
+        requests:
+          cpu: 10m
+      volumeMounts:
+      - mountPath: /etc/boskos
+        name: boskos
+        readOnly: true
+      - mountPath: /secrets/ci-pull-credentials
+        name: ci-pull-credentials
+        readOnly: true
+      - mountPath: /secrets/gcs
+        name: gcs-credentials
+        readOnly: true
+      - mountPath: /usr/local/github-credentials
+        name: github-credentials-openshift-ci-robot-private-git-cloner
+        readOnly: true
+      - mountPath: /secrets/manifest-tool
+        name: manifest-tool-local-pusher
+        readOnly: true
+      - mountPath: /etc/pull-secret
+        name: pull-secret
+        readOnly: true
+      - mountPath: /etc/report
+        name: result-aggregator
+        readOnly: true
+    serviceAccountName: ci-operator
+    volumes:
+    - name: boskos
+      secret:
+        items:
+        - key: credentials
+          path: credentials
+        secretName: boskos-credentials
+    - name: ci-pull-credentials
+      secret:
+        secretName: ci-pull-credentials
+    - name: github-credentials-openshift-ci-robot-private-git-cloner
+      secret:
+        secretName: github-credentials-openshift-ci-robot-private-git-cloner
+    - name: manifest-tool-local-pusher
+      secret:
+        secretName: manifest-tool-local-pusher
+    - name: pull-secret
+      secret:
+        secretName: registry-pull-credentials
+    - name: result-aggregator
+      secret:
+        secretName: result-aggregator
 - agent: kubernetes
   cluster: build03
   cron: 58 0 12 * *

ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/ovn/hive/OWNERS

@@ -0,0 +1,12 @@
+approvers:
+- jianlinliu
+- yunjiang29
+- gpei
+- jianping-shu
+- huangmingxia
+reviewers:
+- jianlinliu
+- yunjiang29
+- gpei
+- jianping-shu
+- huangmingxia

ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/ovn/hive/mce/OWNERS

@@ -0,0 +1,12 @@
+approvers:
+- jianlinliu
+- yunjiang29
+- gpei
+- jianping-shu
+- huangmingxia
+reviewers:
+- jianlinliu
+- yunjiang29
+- gpei
+- jianping-shu
+- huangmingxia

ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/ovn/hive/mce/cucushift-installer-rehearse-aws-ipi-ovn-hive-mce-workflow.metadata.json

@@ -0,0 +1,19 @@
+{
+	"path": "cucushift/installer/rehearse/aws/ipi/ovn/hive/mce/cucushift-installer-rehearse-aws-ipi-ovn-hive-mce-workflow.yaml",
+	"owners": {
+		"approvers": [
+			"jianlinliu",
+			"yunjiang29",
+			"gpei",
+			"jianping-shu",
+			"huangmingxia"
+		],
+		"reviewers": [
+			"jianlinliu",
+			"yunjiang29",
+			"gpei",
+			"jianping-shu",
+			"huangmingxia"
+		]
+	}
+}

ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/ovn/hive/mce/cucushift-installer-rehearse-aws-ipi-ovn-hive-mce-workflow.yaml

@@ -0,0 +1,10 @@
+workflow:
+  as: cucushift-installer-rehearse-aws-ipi-ovn-hive-mce
+  steps:
+    pre:
+    - chain: cucushift-installer-rehearse-aws-ipi-ovn-provision
+    - ref: hive-mce-install
+    post:
+    - chain: cucushift-installer-rehearse-aws-ipi-deprovision
+  documentation: |-
+    This is the workflow to trigger Prow's rehearsal test when submitting installer steps/chain/workflow

ci-operator/step-registry/hive/OWNERS

@@ -0,0 +1,6 @@
+approvers:
+- jianping-shu
+- huangmingxia
+reviewers:
+- jianping-shu
+- huangmingxia

ci-operator/step-registry/hive/mce/OWNERS

@@ -0,0 +1,6 @@
+approvers:
+- jianping-shu
+- huangmingxia
+reviewers:
+- jianping-shu
+- huangmingxia

ci-operator/step-registry/hive/mce/install/OWNERS

@@ -0,0 +1,6 @@
+approvers:
+- jianping-shu
+- huangmingxia
+reviewers:
+- jianping-shu
+- huangmingxia

ci-operator/step-registry/hive/mce/install/hive-mce-install-commands.sh

@@ -0,0 +1,151 @@
+#!/bin/bash
+
+set -ex
+
+if [ -f "${SHARED_DIR}/proxy-conf.sh" ] ; then
+  source "${SHARED_DIR}/proxy-conf.sh"
+fi
+
+MCE_VERSION=${MCE_VERSION:-"2.2"}
+if [[ $MCE_QE_CATALOG != "true" ]]; then
+  _REPO="quay.io/acm-d/mce-custom-registry"
+
+  # Setup quay mirror container repo
+  cat << EOF | oc apply -f -
+apiVersion: operator.openshift.io/v1alpha1
+kind: ImageContentSourcePolicy
+metadata:
+  name: rhacm-repo
+spec:
+  repositoryDigestMirrors:
+  - mirrors:
+    - quay.io:443/acm-d
+    source: registry.redhat.io/rhacm2
+  - mirrors:
+    - quay.io:443/acm-d
+    source: registry.redhat.io/multicluster-engine
+  - mirrors:
+    - registry.redhat.io/openshift4/ose-oauth-proxy
+    source: registry.access.redhat.com/openshift4/ose-oauth-proxy
+EOF
+
+  QUAY_USERNAME=$(cat /etc/acm-d-mce-quay-pull-credentials/acm_d_mce_quay_username)
+  QUAY_PASSWORD=$(cat /etc/acm-d-mce-quay-pull-credentials/acm_d_mce_quay_pullsecret)
+  oc get secret pull-secret -n openshift-config -o json | jq -r '.data.".dockerconfigjson"' | base64 -d > /tmp/global-pull-secret.json
+  QUAY_AUTH=$(echo -n "${QUAY_USERNAME}:${QUAY_PASSWORD}" | base64 -w 0)
+  jq --arg QUAY_AUTH "$QUAY_AUTH" '.auths += {"quay.io:443": {"auth":$QUAY_AUTH,"email":""}}' /tmp/global-pull-secret.json > /tmp/global-pull-secret.json.tmp
+  mv /tmp/global-pull-secret.json.tmp /tmp/global-pull-secret.json
+  oc set data secret/pull-secret -n openshift-config --from-file=.dockerconfigjson=/tmp/global-pull-secret.json
+  rm /tmp/global-pull-secret.json
+  sleep 60
+  oc wait mcp master worker --for condition=updated --timeout=20m
+
+  VER=`oc version | grep "Client Version:"`
+  echo "* oc CLI ${VER}"
+
+  echo "Install MCE custom catalog source"
+  IMG="${_REPO}:${MCE_VERSION}-latest"
+  oc apply -f - <<EOF
+apiVersion: operators.coreos.com/v1alpha1
+kind: CatalogSource
+metadata:
+  name: multiclusterengine-catalog
+  namespace: openshift-marketplace
+spec:
+  displayName: MultiCluster Engine
+  publisher: Red Hat
+  sourceType: grpc
+  image: ${IMG}
+  updateStrategy:
+    registryPoll:
+      interval: 10m
+EOF
+fi
+
+oc apply -f - <<EOF
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: multicluster-engine
+EOF
+
+oc apply -f - <<EOF
+apiVersion: operators.coreos.com/v1
+kind: OperatorGroup
+metadata:
+  name: multicluster-engine-group
+  namespace: multicluster-engine
+spec:
+  targetNamespaces:
+    - "multicluster-engine"
+EOF
+
+CATALOG=$([[ $MCE_QE_CATALOG == "true" ]] && echo -n "qe-app-registry" || echo -n "multiclusterengine-catalog")
+echo "* Applying SUBSCRIPTION_CHANNEL $MCE_VERSION, SUBSCRIPTION_SOURCE $CATALOG to multiclusterengine-operator subscription"
+oc apply -f - <<EOF
+apiVersion: operators.coreos.com/v1alpha1
+kind: Subscription
+metadata:
+  name: multicluster-engine
+  namespace: multicluster-engine
+spec:
+  channel: stable-${MCE_VERSION}
+  installPlanApproval: Automatic
+  name: multicluster-engine
+  source: ${CATALOG}
+  sourceNamespace: openshift-marketplace
+EOF
+
+CSVName=""
+for ((i=1; i<=60; i++)); do
+  output=$(oc get sub multicluster-engine -n multicluster-engine -o jsonpath='{.status.currentCSV}' >> /dev/null && echo "exists" || echo "not found")
+  if [ "$output" != "exists" ]; then
+    sleep 2
+    continue
+  fi
+  CSVName=$(oc get sub -n multicluster-engine multicluster-engine -o jsonpath='{.status.currentCSV}')
+  if [ "$CSVName" != "" ]; then
+    break
+  fi
+  sleep 10
+done
+
+_apiReady=0
+echo "* Using CSV: ${CSVName}"
+for ((i=1; i<=20; i++)); do
+  sleep 30
+  output=$(oc get csv -n multicluster-engine $CSVName -o jsonpath='{.status.phase}' >> /dev/null && echo "exists" || echo "not found")
+  if [ "$output" != "exists" ]; then
+    continue
+  fi
+  phase=$(oc get csv -n multicluster-engine $CSVName -o jsonpath='{.status.phase}')
+  if [ "$phase" == "Succeeded" ]; then
+    _apiReady=1
+    break
+  fi
+  echo "Waiting for CSV to be ready"
+done
+
+if [ $_apiReady -eq 0 ]; then
+  echo "multiclusterengine subscription could not install in the allotted time."
+  exit 1
+fi
+echo "multiclusterengine installed successfully"
+
+oc apply -f - <<EOF
+apiVersion: multicluster.openshift.io/v1
+kind: MultiClusterEngine
+metadata:
+  name: multiclusterengine-sample
+spec: {}
+EOF
+sleep 5
+
+# Check if the hive operator is ready
+oc wait --timeout=20m --for=condition=Available MultiClusterEngine/multiclusterengine-sample
+oc wait --timeout=10m --for=condition=Ready pod -n multicluster-engine -l control-plane=hive-operator
+oc wait --timeout=10m --for=condition=Ready pod -n hive -l control-plane=clustersync
+oc wait --timeout=10m --for=condition=Ready pod -n hive -l control-plane=controller-manager
+oc wait --timeout=10m --for=condition=Ready pod -n hive -l control-plane=machinepool
+oc wait --timeout=10m --for=condition=Ready pod -n hive -l app=hiveadmission
+oc wait --timeout=10m --for=condition=Ready hiveconfig hive

ci-operator/step-registry/hive/mce/install/hive-mce-install-ref.metadata.json

@@ -0,0 +1,13 @@
+{
+	"path": "hive/mce/install/hive-mce-install-ref.yaml",
+	"owners": {
+		"approvers": [
+			"jianping-shu",
+			"huangmingxia"
+		],
+		"reviewers": [
+			"jianping-shu",
+			"huangmingxia"
+		]
+	}
+}

ci-operator/step-registry/hive/mce/install/hive-mce-install-ref.yaml

@@ -0,0 +1,24 @@
+ref:
+  as: hive-mce-install
+  from: upi-installer
+  grace_period: 5m0s
+  timeout: 45m0s
+  cli: latest
+  env:
+  - name: MCE_VERSION
+    default: "2.2"
+    documentation: "version of the mce.(2.2, 2.3)"
+  - name: MCE_QE_CATALOG
+    default: "false"
+    documentation: If true, the QE catalog will be used to create MCE
+  commands: hive-mce-install-commands.sh
+  resources:
+    requests:
+      cpu: 100m
+      memory: 100Mi
+  credentials:
+  - mount_path: /etc/acm-d-mce-quay-pull-credentials
+    name: acm-d-mce-quay-credentials
+    namespace: test-credentials
+  documentation: |-
+    install mce operator. doc: https://github.com/stolostron/deploy/blob/master/multiclusterengine/README.md