diff --git a/.rhdh/scripts/prepare-restricted-environment.sh b/.rhdh/scripts/prepare-restricted-environment.sh deleted file mode 100755 index bfaa8b60..00000000 --- a/.rhdh/scripts/prepare-restricted-environment.sh +++ /dev/null @@ -1,329 +0,0 @@ -#!/bin/bash -# -# Copyright (c) 2024 Red Hat, Inc. -# This program and the accompanying materials are made -# available under the terms of the Eclipse Public License 2.0 -# which is available at https://www.eclipse.org/legal/epl-2.0/ -# -# SPDX-License-Identifier: EPL-2.0 -# - -# Fail on error -set -e - -# example usage: -# ./prepare-restricted-environment.sh \ -# --prod_operator_index "registry.redhat.io/redhat/redhat-operator-index:v4.14" \ -# --prod_operator_package_name "rhdh" \ -# --prod_operator_bundle_name "rhdh-operator" \ -# --prod_operator_version "v1.1.0" \ -# --helper_mirror_registry_storage "30Gi" \ -# --use_existing_mirror_registry "$MY_MIRROR_REGISTRY" -while [ $# -gt 0 ]; do - if [[ $1 == *"--"* ]]; then - param="${1/--/}" - declare "$param"="$2" - fi - shift -done - -# Display commands -# set -x - -# Operators -declare prod_operator_index="${prod_operator_index:?Must set --prod_operator_index: for OCP 4.12, use registry.redhat.io/redhat/redhat-operator-index:v4.12 or quay.io/rhdh/iib:latest-v4.14-x86_64}" -declare prod_operator_package_name="rhdh" -declare prod_operator_bundle_name="rhdh-operator" -declare prod_operator_version="${prod_operator_version:?Must set --prod_operator_version: for stable channel, use v1.1.0; for stable-1.1 channel, use v1.1.1}" # eg., v1.1.0 or v1.1.1 - -# Destination registry -declare my_operator_index_image_name_and_tag=${prod_operator_package_name}-index:${prod_operator_version} -declare helper_mirror_registry_storage=${helper_mirror_registry_storage:-"30Gi"} - -declare my_catalog=${prod_operator_package_name}-disconnected-install -declare k8s_resource_name=${my_catalog} - -# Check we're logged into a cluster -if ! oc whoami > /dev/null 2>&1; then - errorf "Not logged into an OpenShift cluster" - exit 1 -fi -# log into your OCP cluster before running this or you'll get null values for OCP vars! -OCP_VER="$(oc version -o json | jq -r '.openshiftVersion' | sed -r -e "s#([0-9]+\.[0-9]+\.[0-9]+)-.+#\1#")" -OCP_VER_MAJOR="$(oc version -o json | jq -r '.openshiftVersion' | sed -r -e "s#([0-9]+)\..+#\1#")" -OCP_ARCH="$(oc version -o json | jq -r '.serverVersion.platform' | sed -r -e "s#linux/##")" -if [[ $OCP_ARCH == "amd64" ]]; then OCP_ARCH="x86_64"; fi - -function deploy_mirror_registry() { - echo "[INFO] Deploying mirror registry..." >&2 - local namespace="airgap-helper-ns" - local image="registry:2" - local username="registryuser" - local password=$(echo "$RANDOM" | base64 | head -c 20) - - if ! oc get namespace "${namespace}" &> /dev/null; then - echo " namespace ${namespace} does not exist - creating it..." >&2 - oc create namespace "${namespace}" >&2 - fi - - registry_htpasswd=$(htpasswd -Bbn "${username}" "${password}") - echo " generating auth secret for mirror registry. FYI, those creds will be stored in a secret named 'airgap-registry-auth-creds' in ${namespace} ..." >&2 - cat <&2 -apiVersion: v1 -kind: Secret -type: Opaque -metadata: - name: airgap-registry-auth - namespace: "${namespace}" - labels: - app: airgap-registry -stringData: - htpasswd: "${registry_htpasswd}" -EOF - cat <&2 -apiVersion: v1 -kind: Secret -type: Opaque -metadata: - name: airgap-registry-auth-creds - namespace: "${namespace}" - labels: - app: airgap-registry -stringData: - username: "${username}" - password: "${password}" -EOF - - if [ -z "$storage_class" ]; then - # use default storage class - storage_class=$(oc get storageclasses -o=jsonpath='{.items[?(@.metadata.annotations.storageclass\.kubernetes\.io/is-default-class=="true")].metadata.name}') - fi - echo " creating PVC for mirror registry, using ${storage_class} as storage class: persistentvolumeclaim/airgap-registry-storage ..." >&2 - cat <&2 -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: airgap-registry-storage - namespace: "${namespace}" -spec: - resources: - requests: - storage: "${helper_mirror_registry_storage}" - storageClassName: "${storage_class}" - accessModes: - - ReadWriteOnce -EOF - - echo " creating mirror registry Deployment: deployment/airgap-registry ..." >&2 - # Replacing because password might have changed if we run the script a second time - cat <&2 -apiVersion: apps/v1 -kind: Deployment -metadata: - name: airgap-registry - namespace: "${namespace}" - labels: - app: airgap-registry -spec: - replicas: 1 - selector: - matchLabels: - app: airgap-registry - template: - metadata: - labels: - app: airgap-registry - spec: - # ----------------------------------------------------------------------- - containers: - - image: "${image}" - name: airgap-registry - imagePullPolicy: IfNotPresent - env: - - name: REGISTRY_AUTH - value: "htpasswd" - - name: REGISTRY_AUTH_HTPASSWD_REALM - value: "RHDH Private Registry" - - name: REGISTRY_AUTH_HTPASSWD_PATH - value: "/auth/htpasswd" - - name: REGISTRY_STORAGE_DELETE_ENABLED - value: "true" - ports: - - containerPort: 5000 - volumeMounts: - - name: registry-vol - mountPath: /var/lib/registry - - name: auth-vol - mountPath: "/auth" - readOnly: true - # ----------------------------------------------------------------------- - volumes: - - name: registry-vol - persistentVolumeClaim: - claimName: airgap-registry-storage - - name: auth-vol - secret: - secretName: airgap-registry-auth -EOF - - echo " creating mirror registry Service: service/airgap-registry ..." >&2 - cat <&2 -apiVersion: v1 -kind: Service -metadata: - name: airgap-registry - namespace: "${namespace}" - labels: - app: airgap-registry -spec: - type: ClusterIP - ports: - - port: 5000 - protocol: TCP - targetPort: 5000 - selector: - app: airgap-registry -EOF - - echo " creating Route to access mirror registry: route/airgap-registry ..." >&2 - oc -n "${namespace}" create route edge --service=airgap-registry --insecure-policy=Redirect --dry-run=client -o yaml \ - | oc -n "${namespace}" apply -f - >&2 - - local registry_url=$(oc get route airgap-registry -n "${namespace}" --template='{{ .spec.host }}') - echo "... done. Mirror registry should now be reachable at: ${registry_url} ..." >&2 - - # Wait until url is ready - echo "[INFO] Waiting for mirror registry to be ready and reachable ..." >&2 - curl --insecure -IL "${registry_url}" --retry 100 --retry-all-errors --retry-max-time 900 --fail &> /tmp/"${registry_url}.log" >&2 - - echo "[INFO] Log into mirror registry to be able to push images to it..." >&2 - podman login -u="${username}" -p="${password}" "${registry_url}" --tls-verify=false >&2 - - echo "[INFO] Marking mirror registry as insecure in the cluster ..." >&2 - oc patch image.config.openshift.io/cluster --patch '{"spec":{"registrySources":{"insecureRegistries":["'${registry_url}'"]}}}' --type=merge >&2 - - echo "[INFO] Adding mirror registry creds to cluster global pull secret ..." >&2 - echo " downloading global pull secret from the cluster ..." >&2 - oc get secret/pull-secret -n openshift-config --template='{{index .data ".dockerconfigjson" | base64decode}}' > /tmp/my-global-pull-secret-for-mirror-reg.yaml - echo " log into mirror registry and store creds into the pull secret downloaded..." >&2 - oc registry login \ - --insecure=true \ - --registry="${registry_url}" \ - --auth-basic="${username}:${password}" \ - --to=/tmp/my-global-pull-secret-for-mirror-reg.yaml \ - >&2 - echo " writing updated pull secret into the cluster ..." >&2 - oc set data secret/pull-secret -n openshift-config --from-file=.dockerconfigjson=/tmp/my-global-pull-secret-for-mirror-reg.yaml >&2 - - # Need to mirror OCP release images, otherwise ImagePullBackOff when installing the operator after disconnecting the cluster: - # unable to pull quay.io/openshift-release-dev/ocp-v4.0-art-dev@... - echo "[INFO] Mirroring OCP release images ..." >&2 - local ocp_product_repo='openshift-release-dev' - local ocp_release_name="ocp-release" - local ocp_local_repo="ocp/openshift" - oc adm release mirror -a /tmp/my-global-pull-secret-for-mirror-reg.yaml \ - --from="quay.io/${ocp_product_repo}/${ocp_release_name}:${OCP_VER}-${OCP_ARCH}" \ - --to="${registry_url}/${ocp_local_repo}" \ - --to-release-image="${registry_url}/${ocp_local_repo}:${OCP_VER}-${OCP_ARCH}" \ - --insecure=true > /tmp/oc-adm-release-mirror__mirror-registry.out - echo " creating ImageContentSourcePolicy for OCP release images: imagecontentsourcepolicy/ocp-release ..." >&2 - cat <&2 -apiVersion: operator.openshift.io/v1alpha1 -kind: ImageContentSourcePolicy -metadata: - name: ocp-release - labels: - app: airgap-registry -spec: - repositoryDigestMirrors: - - mirrors: - - "${registry_url}/${ocp_local_repo}" - source: quay.io/openshift-release-dev/ocp-release - - mirrors: - - "${registry_url}/${ocp_local_repo}" - source: "quay.io/openshift-release-dev/ocp-v${OCP_VER_MAJOR}.0-art-dev" -EOF - - echo "[INFO] Cleaning up temporary files ..." >&2 - rm -f /tmp/my-global-pull-secret-for-mirror-reg.yaml /tmp/oc-adm-release-mirror__mirror-registry.out >&2 - - echo "[INFO] Mirror registry should be ready: ${registry_url}" >&2 - echo "${registry_url}" -} - -declare my_registry="${use_existing_mirror_registry}" -if [ -z "${my_registry}" ]; then - my_registry=$(deploy_mirror_registry) -fi - -declare my_operator_index="${my_registry}/${prod_operator_package_name}/${my_operator_index_image_name_and_tag}" - -# Create local directory -mkdir -p "${my_catalog}/${prod_operator_package_name}" - -echo "[INFO] Fetching metadata for the ${prod_operator_package_name} operator catalog channel, packages, and bundles." -opm render "${prod_operator_index}" \ - | jq "select \ - (\ - (.schema == \"olm.bundle\" and .name == \"${prod_operator_bundle_name}.${prod_operator_version}\") or \ - (.schema == \"olm.package\" and .name == \"${prod_operator_package_name}\") or \ - (.schema == \"olm.channel\" and .package == \"${prod_operator_package_name}\") \ - )" \ - | jq "select \ - (.schema == \"olm.channel\" and .package == \"${prod_operator_package_name}\").entries \ - |= [{name: \"${prod_operator_bundle_name}.${prod_operator_version}\"}]" \ - > "${my_catalog}/${prod_operator_package_name}/render.json" - -echo "[DEBUG] Got $(cat "${my_catalog}/${prod_operator_package_name}/render.json" | wc -l) lines of JSON from the index!" -# echo "[DEBUG] Got this from the index: -# ======" -# cat "${my_catalog}/${prod_operator_package_name}/render.json" -# echo "======" - -echo "[INFO] Creating the catalog dockerfile." -if [ -f "${my_catalog}.Dockerfile" ]; then - rm -f "${my_catalog}.Dockerfile" -fi -opm generate dockerfile "./${my_catalog}" - -echo "[INFO] Building the catalog image locally." -podman build -t "${my_operator_index}" -f "./${my_catalog}.Dockerfile" --no-cache . - -echo "[INFO] Disabling the default Red Hat Ecosystem Catalog." -oc patch OperatorHub cluster --type json \ - --patch '[{"op": "add", "path": "/spec/disableAllDefaultSources", "value": true}]' - -echo "[INFO] Deploying your catalog image to the $my_operator_index registry." -skopeo copy --src-tls-verify=false --dest-tls-verify=false --all "containers-storage:$my_operator_index" "docker://$my_operator_index" - -echo "[INFO] Removing index image from mappings.txt to prepare mirroring." -oc adm catalog mirror "$my_operator_index" "$my_registry" --insecure --manifests-only | tee catalog_mirror.log -MANIFESTS_FOLDER=$(sed -n -e 's/^wrote mirroring manifests to \(.*\)$/\1/p' catalog_mirror.log |xargs) # The xargs here is to trim whitespaces -sed -i -e "/${my_operator_index_image_name_and_tag}/d" "${MANIFESTS_FOLDER}/mapping.txt" -cat "${MANIFESTS_FOLDER}/mapping.txt" - -echo "[INFO] Mirroring related images to the $my_registry registry." -# oc image mirror --insecure=true -f "${MANIFESTS_FOLDER}/mapping.txt" -while IFS= read -r line -do - public_image=$(echo "${line}" | cut -d '=' -f1) - if [[ "$prod_operator_index" != registry.redhat.io/redhat/redhat-operator-index* ]] && [[ "$public_image" == registry.redhat.io/rhdh/* ]]; then - if ! skopeo inspect "docker://$public_image" &> /dev/null; then - # likely CI build, which is not public yet - echo " Replacing non-public CI image $public_image ..." - public_image=${public_image/registry.redhat.io\/rhdh/quay.io\/rhdh} - echo " => $public_image" - fi - fi - private_image=$(echo "${line}" | cut -d '=' -f2) - echo "[INFO] Mirroring ${public_image}" - skopeo copy --dest-tls-verify=false --preserve-digests --all "docker://$public_image" "docker://$private_image" -done < "${MANIFESTS_FOLDER}/mapping.txt" - -echo "[INFO] Creating CatalogSource and ImageContentSourcePolicy" -# shellcheck disable=SC2002 -cat "${MANIFESTS_FOLDER}/catalogSource.yaml" | sed 's|name: .*|name: '${k8s_resource_name}'|' | oc apply -f - -# shellcheck disable=SC2002 -cat "${MANIFESTS_FOLDER}/imageContentSourcePolicy.yaml" | sed 's|name: .*|name: '${k8s_resource_name}'|' | oc apply -f - - -echo "[INFO] Catalog $my_operator_index deployed to the $my_registry registry."