common automatic update #110
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Contributor
mbaldessari
commented
Dec 18, 2023
mbaldessari
commented
- Adding key to exclude target namespace in operatorgroup
- Added target namespace logic to namespace map case
- Changed description in schema
- Added example to operatorgroupExcludeTargetNS
- Fixing CI tests
- Preview a chart based on the current k8s cluster
- Handle explcit value files
- Add ability to read overrides
- Clean up tests after 7cda9c4
- Add preview-all and remove some spurious stdout output
- All prototype preview-all and silence some output
-
- Removed new key operatorgroupExludeTargetNS - Added key to namespace map entry excludeOperatorGroupTargetNS.
- Updates to CI
- Adding option to include/exclude targetNamespaces in OperatorGroup
- Updated CI tests
-
- Fix: bug in task TASK [iib_ci : Mirror all the needed images]
-
- Updated the mirrordest_tag to use the sha256 of the image instead of the IIB number.
- Restored mirror template to original implementation
-
- Updated structure for supporting OperatorGroup's per suggestion of decoupling operatorGroup and targetNamespaces. Example: - exclude-targetns: operatorGroup: true targetNamespaces: - Continues to support operatorgroupExcludes - Updated CI tests
- Update logic to fix multiple targetNamespaces
- Fix ci issues
- Upgraded ESO to v0.9.8
- Upgrade vault-helm to v0.26.1
- Parametrize ESO caProvider fields
- Simplify target namespace logic
- Avoid nonhubCluster + hubCluster naming for ESO
- Update for new configmanagement plugin feature
- Remove obsolete comment and update tests
- Update schema
- Require plugin.yaml
- Add tmpdir to sidecar mounts
- True up to test code
- Use nindent as appropriate
- Remove stray files
- Plugin config is plugin.yaml
- Remove now-obsolete kustomize-renderer example
- Allow pluginArgs to be set and add schema
- Remove redundancy
- Revert "Remove now-obsolete kustomize-renderer example"
- Remove legacy configManagementPlugins support
- Add configManagementPlugins to tests for industrial edge
- Clustergroup 0.0.5
- Small whitespace test
- Stop referencing remote actions via @main. Use a specific commit
- Updated ESO to v0.9.9
- Updated vault-helm to v0.27.0
- Prevent ArgoCD from writing ESO CRs to clusters that need full support
- Fix whitespaces
- Release clustergroup v0.8.0
- Document preview limitations
- Add support for private repos
- Amend tests
- Check for rc attribute to exist
- Upgrade default imperative image
- Release clustergroup v0.8.1
- Update pattern operator CRD
- Update CRD from the operator
- Bump actions/setup-python from 4 to 5
- Release clustergroup v0.8.2
- Update CRD from the operator
- Small clarification in IIB
- Switch imageDigestMirrors to AllowContactingSource
- Upgrade ESO to v0.9.10
- Add initial support for deploying private repos via CLI directly
- Update tests after common rebase
- Added key to namespace map entry excludeOperatorGroupTargetNS.
Updated the Jinja2 template *ansible/roles/iib_ci/templates/mirror.map.j2* to add a '<iibnumber>-<count>' to the image tag if there's a source image that has the same name in the mirror.map file.
Example mirror.map entry:
registry.redhat.io/openshift4/ose-kube-rbac-proxy@sha256:da5d5061dbc2ec5082cf14b6c600fb5400b83cf91d7ccebfa80680a238d275db=default-route-openshift-image-registry.apps.lc-claudiol-devsec-hub-535d-2.blueprints.rhecoeng.com/openshift-marketplace/ose-kube-rbac-proxy:610968
registry.redhat.io/openshift4/ose-kube-rbac-proxy@sha256:d4de33150cb8c8faf0133b39553e6c972be5ace7ae787c98f3b77fca37748036=default-route-openshift-image-registry.apps.lc-claudiol-devsec-hub-535d-2.blueprints.rhecoeng.com/openshift-marketplace/ose-kube-rbac-proxy:610968
The above will generate an error in TASK [iib_ci : Mirror all the needed images]
2023-10-29 20:56:08,534 INFO fatal: [localhost]: FAILED! => {"attempts": 5, "changed": true, "cmd": "set -o pipefail\noc image mirror -a \"/tmp/ansible.eunmaew5/.dockerconfigjson\" -f mirror.map --insecure --keep-manifest-list 2>&1 | tee -a image-mirror.log\n", "delta": "0:00:00.068476", "end": "2023-10-29 20:56:07.485885", "msg": "non-zero return code", "rc": 1, "start": "2023-10-29 20:56:07.417409", "stderr": "", "stderr_lines": [], "stdout": "error: file mirror.map, line 11: each destination tag may only be specified once: default-route-openshift-image-registry.apps.qe-mg-hub-aws-14022.aws.validatedpatterns.io/openshift-marketplace/ose-kube-rbac-proxy:610968", "stdout_lines": ["error: file mirror.map, line 11: each destination tag may only be specified once: default-route-openshift-image-registry.apps.qe-mg-hub-aws-14022.aws.validatedpatterns.io/openshift-marketplace/ose-kube-rbac-proxy:610968"]}
…f the IIB number.
…decoupling operatorGroup and targetNamespaces.
Example:
- exclude-targetns:
operatorGroup: true
targetNamespaces:
- Continues to support operatorgroupExcludes
- Updated CI tests
Upgraded ESO to v0.9.8
Upgrade vault-helm to v0.26.1
This will allow users to disable using the default kube-root-ca.crt
configmap and/or customize things fully.
So, for example, an environment which uses letsencrypt for the ingress
certs, but does not have that CA included in kube-root-ca.crt, can
simply override things with a /values-IBMCloud.yaml file with:
golangExternalSecrets:
caProvider:
enabled: false
Which will just use the CA System bundle to authenticate connections
from ESO to vault.
Tested this and with the steps above, was able to overcome the x509 CA
unknown errors.
Co-authored-by: Andrew Beekhof <[email protected]>
Adding key to exclude target namespace in operatorgroup
This needs the corresponding PR from the operator (https://www.github.com/validatedpatterns/patterns-operator/pull/139). The way it works is that if "global.privateRepo" is set to true, we add an acm policy on the hub only that reads the secret from the openshift-gitops namespaces and copies it to the open-cluster-manager. And then we use another policy that pushes the secret just copied to open-cluster-managemnt to the openshift-gitops + pattern-name-group-one namespaces so that the two argo instances can consume the private repositories. Tested end to end with both https and ssh private repository.
Sometimes CI would error out with:
[localhost]: FAILED! => {"msg": "The conditional check
'vault_role_cmd.rc == 0' failed. The error was: error while evaluating
conditional (vault_role_cmd.rc == 0): 'dict object' has no attribute
'rc'. 'dict object' has no attribute 'rc'"}
This can ahepn when a call returns error 500 for whatever reason.
Let's make sure we catch this situation and keep trying and don't give
up due to this spurious error.
Tested in MCG and everything deployed correctly (imperative ansible jobs ran without issues)
Check for rc attribute to exist
Upgrade default imperative image
Release clustergroup v0.8.1
Update pattern operator CRD
Update CRD from the operator
Bumps [actions/setup-python](https://github.com/actions/setup-python) from 4 to 5. - [Release notes](https://github.com/actions/setup-python/releases) - [Commits](actions/setup-python@v4...v5) --- updated-dependencies: - dependency-name: actions/setup-python dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]>
…ons/actions/setup-python-5 Bump actions/setup-python from 4 to 5
Private repo support
Release clustergroup v0.8.2
Update CRD from the operator
Small clarification in IIB
Currently when we load a preview operator via the IIB mechanism we redirect all images making up the operator bundle to the cluster-internal registry. This is all fine and well, except these redirects (done via an ImageDigestMirrorSet) are based on image names without any specific hashes. (This is because OCP won't allow you to specify hashes). The problem arises when there is a prerelease operator which includes an image that is used by the other non-prerelease operators. So if AAP prerelease uses the image "registry.redhat.io/public/redis-6" we redirect all these redis 6 images towards the internal registry. But if another operator needs the redis-6 image with a hash that is not the exact same that is used by AAP prerelease, it will be unable to find it on the internal registry because we never uploaded it. This is an example error: 2023-12-13 07:18:06,216 INFO Warning Failed 64m (x6 over 66m) kubelet Error: ImagePullBackOff 2023-12-13 07:18:06,216 INFO Normal BackOff 83s (x286 over 66m) kubelet Back-off pulling image "registry.redhat.io/rhel8/redis-6@sha256:edbd40185ed8c20ee61ebdf9f2e1e1d7594598fceff963b4dee3201472d6deda" And this is a relevant /etc/containers/registries.conf : [[registry]] prefix = "" location = "registry.redhat.io/rhel8/redis-6" blocked = true [[registry.mirror]] location = "default-route-openshift-image-registry.apps.mcg-hub.blueprints.rhecoeng.com/openshift-marketplace/redis-6" insecure = true pull-from-mirror = "digest-only" If we change the `mirrorSourcePolicy` from `NeverContactSource` to `AllowContactingSource` we actually avoid this problem entirely. OCP will try to pull the images from both the internal registry and the original source and use the one it was able to find. Tested both on AAP and Gitops prerelease and both deployed correctly which was not the case before.
Switch imageDigestMirrors to AllowContactingSource
Upgrade ESO to v0.9.10
Tested with:
export EXTRA_HELM_OPTS="--set main.tokenSecret=private-repo --set main.tokenSecretNamespace=openshift-operators"
./pattern.sh make install
Note that this is currently only working with https URLs because we have
logic in the Makefile to rewrite ssh-based git URLs into https ones.
Add initial support for deploying private repos via CLI directly
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.