image mirroring for MCE + policy

Signed-off-by: Gerd Oberlechner <[email protected]>
Azure · Nov 18, 2024 · bbae39e · bbae39e
1 parent 7b26255
commit bbae39e
Show file tree

Hide file tree

Showing 11 changed files with 266 additions and 136 deletions.
diff --git a/acm/README.md b/acm/README.md
@@ -2,16 +2,26 @@
 
 This folder contains helm charts and automation to managed helm charts for the ACM components `MCE` and `policy`.
 
+## Structure
+
 Installation and configuration are split into two individual helm charts
 
-## multicluster-engine
+### multicluster-engine
 
 This helm chart installs the MCE operator. The chart is autogenerated from an OLM release-bundle of MCE by running `make helm-chart`. The resulting chart is then commited into the repository.
 
 To update MCE, change the `MCE_OPERATOR_BUNDLE_IMAGE` variable in the Makefile. If you are testing pre-releases from the `quay.io/acm-d` organization, make sure the `REGISTRY` env var in the Makefile is set to `${ARO_HCP_IMAGE_ACR}.azurecr.io/acm-d-mce`. For production releases set it to `${ARO_HCP_IMAGE_ACR}.azurecr.io` instead.
 
-## multicluster-engine-config
+### multicluster-engine-config
 
 This helm chart configures MCE and installs the `policy` component on top of it. The subchart for `policy` is imported into this repo by running `make helm-chart`. It can be found [in the ACM upstream Github org](https://github.com/stolostron/mce-install-kube) and is maintained by the ACM team.
 
 Updating `policy` needs to be done with care for now, since the content of the helm chart repo is not tagged. We are working on it.
+
+## Updating charts
+
+Lookup the desired install MCE OLM bundle on [https://catalog.redhat.com](https://catalog.redhat.com/software/containers/multicluster-engine/mce-operator-bundle/6160406290fb938ecf6009c6) and update the `MCE_OPERATOR_BUNDLE_IMAGE` variable in `Makefile`.
+
+Then run `make helm-chart`.
+
+Test the changes and commit
diff --git a/dev-infrastructure/Makefile b/dev-infrastructure/Makefile
@@ -102,6 +102,7 @@ imagesync.rg:
 		az group create \
 			--name $(IMAGE_SYNC_RESOURCEGROUP)  \
 			--location $(REGION) \
+			--tags persist=$(PERSIST) \
 			--output none; \
 	fi
 .PHONY: imagesyncRg

diff --git a/dev-infrastructure/templates/image-sync.bicep b/dev-infrastructure/templates/image-sync.bicep
@@ -223,11 +223,9 @@ resource componentSyncJob 'Microsoft.App/jobs@2024-03-01' = {
   }
 }
 
-// oc-mirror job
+// oc-mirror jobs
 
-var ocMirrorJobName = 'oc-mirror'
-
-var ocMirrorConfig = {
+var ocpMirrorConfig = {
   kind: 'ImageSetConfiguration'
   apiVersion: 'mirror.openshift.io/v1alpha2'
   storageConfig: {
@@ -251,10 +249,6 @@ var ocMirrorConfig = {
       graph: true
     }
     additionalImages: [
-      { name: 'registry.redhat.io/redhat/redhat-operator-index:v4.16' }
-      { name: 'registry.redhat.io/redhat/certified-operator-index:v4.16' }
-      { name: 'registry.redhat.io/redhat/community-operator-index:v4.16' }
-      { name: 'registry.redhat.io/redhat/redhat-marketplace-index:v4.16' }
       { name: 'registry.redhat.io/redhat/redhat-operator-index:v4.17' }
       { name: 'registry.redhat.io/redhat/certified-operator-index:v4.17' }
       { name: 'registry.redhat.io/redhat/community-operator-index:v4.17' }
@@ -263,98 +257,149 @@ var ocMirrorConfig = {
   }
 }
 
-resource ocMirrorJob 'Microsoft.App/jobs@2024-03-01' = {
-  name: ocMirrorJobName
-  location: location
-  identity: {
-    type: 'UserAssigned'
-    userAssignedIdentities: {
-      '${uami.id}': {}
-    }
+var acmMirrorConfig = {
+  kind: 'ImageSetConfiguration'
+  apiVersion: 'mirror.openshift.io/v2alpha1'
+  mirror: {
+    operators: [
+      {
+        catalog: 'registry.redhat.io/redhat/redhat-operator-index:v4.17'
+        packages: [
+          {
+            name: 'multicluster-engine'
+            bundles: [
+              {
+                name: 'multicluster-engine.v2.7.0'
+              }
+            ]
+          }
+          {
+            name: 'advanced-cluster-management'
+            bundles: [
+              {
+                name: 'advanced-cluster-management.v2.12.0'
+              }
+            ]
+          }
+        ]
+      }
+    ]
   }
+}
 
-  properties: {
-    environmentId: containerAppEnvironment.id
-    configuration: {
-      eventTriggerConfig: {}
-      triggerType: 'Schedule'
-      manualTriggerConfig: {
-        parallelism: 1
-      }
-      scheduleTriggerConfig: {
-        cronExpression: '0 * * * *'
-        parallelism: 1
+var ocMirrorJobConfiguration = [
+  {
+    name: 'oc-mirror'
+    cron: '0 * * * *'
+    timeout: 4 * 60 * 60
+    targetRegistry: ocpAcrName
+    imageSetConfig: ocpMirrorConfig
+  }
+  {
+    name: 'acm-mirror'
+    cron: '0 10 * * *'
+    timeout: 4 * 60 * 60
+    targetRegistry: svcAcrName
+    imageSetConfig: acmMirrorConfig
+  }
+]
+
+resource ocMirrorJobs 'Microsoft.App/jobs@2024-03-01' = [
+  for i in range(0, length(ocMirrorJobConfiguration)): {
+    name: ocMirrorJobConfiguration[i].name
+    location: location
+    identity: {
+      type: 'UserAssigned'
+      userAssignedIdentities: {
+        '${uami.id}': {}
       }
-      replicaTimeout: 4 * 60 * 60
-      registries: [
-        {
-          identity: uami.id
-          server: '${svcAcrName}${environment().suffixes.acrLoginServer}'
+    }
+    properties: {
+      environmentId: containerAppEnvironment.id
+      configuration: {
+        eventTriggerConfig: {}
+        triggerType: 'Schedule'
+        manualTriggerConfig: {
+          parallelism: 1
         }
-      ]
-      secrets: [
-        {
-          name: 'pull-secrets'
-          keyVaultUrl: 'https://${keyVaultName}${environment().suffixes.keyvaultDns}/secrets/${ocpPullSecretName}'
-          identity: uami.id
+        scheduleTriggerConfig: {
+          cronExpression: ocMirrorJobConfiguration[i].cron
+          parallelism: 1
         }
-      ]
-    }
-    template: {
-      containers: [
-        {
-          name: ocMirrorJobName
-          image: ocMirrorImage
-          volumeMounts: [
-            { volumeName: 'pull-secrets-updated', mountPath: '/etc/containers' }
-          ]
-          env: [
-            { name: 'IMAGE_SET_CONFIG', value: base64(string(ocMirrorConfig)) }
-            { name: 'REGISTRY', value: ocpAcrName }
-            { name: 'REGISTRY_URL', value: '${ocpAcrName}${environment().suffixes.acrLoginServer}' }
-            { name: 'XDG_RUNTIME_DIR', value: '/etc' }
-            { name: 'AZURE_CLIENT_ID', value: uami.properties.clientId }
-            {
-              name: 'APPSETTING_WEBSITE_SITE_NAME'
-              value: 'workaround - https://github.com/microsoft/azure-container-apps/issues/502'
+        replicaTimeout: ocMirrorJobConfiguration[i].timeout
+        registries: [
+          {
+            identity: uami.id
+            server: '${svcAcrName}${environment().suffixes.acrLoginServer}'
+          }
+        ]
+        secrets: [
+          {
+            name: 'pull-secrets'
+            keyVaultUrl: 'https://${keyVaultName}${environment().suffixes.keyvaultDns}/secrets/${ocpPullSecretName}'
+            identity: uami.id
+          }
+        ]
+      }
+      template: {
+        containers: [
+          {
+            name: 'oc-mirror'
+            image: ocMirrorImage
+            volumeMounts: [
+              { volumeName: 'pull-secrets-updated', mountPath: '/etc/containers' }
+            ]
+            env: [
+              { name: 'IMAGE_SET_CONFIG', value: base64(string(ocMirrorJobConfiguration[i].imageSetConfig)) }
+              { name: 'REGISTRY', value: ocMirrorJobConfiguration[i].targetRegistry }
+              {
+                name: 'REGISTRY_URL'
+                value: '${ocMirrorJobConfiguration[i].targetRegistry}${environment().suffixes.acrLoginServer}'
+              }
+              { name: 'XDG_RUNTIME_DIR', value: '/etc' }
+              { name: 'AZURE_CLIENT_ID', value: uami.properties.clientId }
+              {
+                name: 'APPSETTING_WEBSITE_SITE_NAME'
+                value: 'workaround - https://github.com/microsoft/azure-container-apps/issues/502'
+              }
+            ]
+            resources: {
+              cpu: 2
+              memory: '4Gi'
             }
-          ]
-          resources: {
-            cpu: 2
-            memory: '4Gi'
           }
-        }
-      ]
-      initContainers: [
-        {
-          name: 'decodesecrets'
-          image: 'mcr.microsoft.com/azure-cli:cbl-mariner2.0'
-          command: [
-            '/bin/sh'
-          ]
-          args: [
-            '-c'
-            'cat /tmp/secret-orig/pull-secrets | base64 -d > /etc/containers/auth.json'
-          ]
-          volumeMounts: [
-            { volumeName: 'pull-secrets-updated', mountPath: '/etc/containers' }
-            { volumeName: 'pull-secrets', mountPath: '/tmp/secret-orig' }
-          ]
-        }
-      ]
-      volumes: [
-        {
-          name: 'pull-secrets-updated'
-          storageType: 'EmptyDir'
-        }
-        {
-          name: 'pull-secrets'
-          storageType: 'Secret'
-          secrets: [
-            { secretRef: 'pull-secrets' }
-          ]
-        }
-      ]
+        ]
+        initContainers: [
+          {
+            name: 'decodesecrets'
+            image: 'mcr.microsoft.com/azure-cli:cbl-mariner2.0'
+            command: [
+              '/bin/sh'
+            ]
+            args: [
+              '-c'
+              'cat /tmp/secret-orig/pull-secrets | base64 -d > /etc/containers/auth.json'
+            ]
+            volumeMounts: [
+              { volumeName: 'pull-secrets-updated', mountPath: '/etc/containers' }
+              { volumeName: 'pull-secrets', mountPath: '/tmp/secret-orig' }
+            ]
+          }
+        ]
+        volumes: [
+          {
+            name: 'pull-secrets-updated'
+            storageType: 'EmptyDir'
+          }
+          {
+            name: 'pull-secrets'
+            storageType: 'Secret'
+            secrets: [
+              { secretRef: 'pull-secrets' }
+            ]
+          }
+        ]
+      }
     }
   }
-}
+]
diff --git a/image-sync/oc-mirror/Dockerfile b/image-sync/oc-mirror/Dockerfile
@@ -43,4 +43,4 @@ COPY --chown=0:0 --chmod=755 --from=downloader \
     /usr/local/bin/yq \
     /usr/local/bin/
 
-    ENTRYPOINT ["/usr/local/bin/mirror.sh"]
+ENTRYPOINT ["/usr/local/bin/mirror.sh"]
diff --git a/image-sync/oc-mirror/Makefile b/image-sync/oc-mirror/Makefile
@@ -4,15 +4,44 @@ $(shell ../../templatize.sh $(DEPLOY_ENV) config.tmpl.mk config.mk)
 include config.mk
 COMMIT = $(shell git rev-parse --short=7 HEAD)$(shell [[ $$(git status --porcelain) = "" ]])
 
+ifeq ($(shell uname), Darwin)
+	AUTH_FILE = ${HOME}/.config/containers/auth.json
+else
+	AUTH_FILE = ${HOME}/.docker/config.json
+endif
+
 build-push: image push
+.PHONY: build-push
 
 image:
 	docker build --platform="linux/amd64" -f "./Dockerfile" -t ${OC_MIRROR_IMAGE_TAGGED} .
+.PHONY: image
 
 push: image
 	az acr login --name ${ARO_HCP_IMAGE_ACR}
 	docker tag ${OC_MIRROR_IMAGE_TAGGED} ${OC_MIRROR_IMAGE}:latest
 	docker push ${OC_MIRROR_IMAGE_TAGGED}
 	docker push ${OC_MIRROR_IMAGE}:latest
+.PHONY: push
+
+acm-dry-run: image
+	@docker run -it --rm --tmpfs /oc-mirror-workspace \
+		-e XDG_RUNTIME_DIR=/ \
+		-v ${AUTH_FILE}:/containers/auth.json:z \
+		-v ${HOME}/.azure:/root/.azure:z \
+		-e IMAGE_SET_CONFIG=$(shell cat ${PWD}/test/acm-image-set-config.yml | base64) \
+		-e REGISTRY=${ARO_HCP_IMAGE_ACR} \
+		-e REGISTRY_URL=${ARO_HCP_IMAGE_ACR_URL} \
+		${OC_MIRROR_IMAGE_TAGGED} --dry-run
+.PHONY: acm-dry-run
 
-.PHONY: image push build-push
+ocp-dry-run: image
+	@docker run -it --rm --tmpfs /oc-mirror-workspace \
+		-e XDG_RUNTIME_DIR=/ \
+		-v ${AUTH_FILE}:/containers/auth.json:z \
+		-v ${HOME}/.azure:/root/.azure:z \
+		-e IMAGE_SET_CONFIG=$(shell cat ${PWD}/test/acm-image-set-config.yml | base64) \
+		-e REGISTRY=${ARO_HCP_OCP_IMAGE_ACR} \
+		-e REGISTRY_URL=${ARO_HCP_OCP_IMAGE_ACR_URL} \
+		${OC_MIRROR_IMAGE_TAGGED} --dry-run
+.PHONY: ocp-dry-run