Fail earlier when registry creds are not set (#592)
* Fail earlier when registry creds are not set Move the credential setup for the internal registry up in the execution and perform a simple check with the "oc image info" command to fail earlier in case the credentials haven't been set properly * Add assert to the internal registry creds check Enhance debugging experience by adding more information when trying to access the required bundles in the internal registry * Change "internal registry" for "bundles registry" Use a more accurate term when referring to the registry in which the bundles are located when doing the early registry access check * Keep logic for checking bundle registry creds Maintain the conditionals when checking the config for the bundle registry credentials and cert
Showing
3 changed files
with
108 additions
and
86 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,104 @@ | ||
- name: Update Pull Secret with bundle registry credentials | ||
when: setup_bundle_registry_auth | bool | ||
block: | ||
- name: Get existing Pull Secret from openshift config | ||
kubernetes.core.k8s_info: | ||
api_version: v1 | ||
kind: Secret | ||
namespace: openshift-config | ||
name: pull-secret | ||
register: pull_secret | ||
|
||
- name: Decode docker config json | ||
ansible.builtin.set_fact: | ||
dockerconfigjson: "{{ pull_secret.resources[0].data['.dockerconfigjson'] | b64decode }}" | ||
|
||
- name: Merge registry creds into auth section of docker config | ||
ansible.builtin.set_fact: | ||
new_dockerauths: "{{ dockerconfigjson['auths'] | combine( { | ||
pull_secret_registry:{ | ||
'auth': (pull_secret_user ~ ':' ~ pull_secret_pass) | b64encode | ||
} | ||
}) }}" | ||
|
||
- name: Create new docker config | ||
ansible.builtin.set_fact: | ||
new_dockerconfigjson: "{{ dockerconfigjson | combine({'auths': new_dockerauths}) }}" | ||
|
||
- name: Create Pull Secret for bundle registry access (in the local namespace) | ||
kubernetes.core.k8s: | ||
state: present | ||
definition: | ||
apiVersion: v1 | ||
kind: Secret | ||
type: kubernetes.io/dockerconfigjson | ||
metadata: | ||
name: pull-secret | ||
namespace: "{{ namespace }}" | ||
data: | ||
.dockerconfigjson: "{{ new_dockerconfigjson | tojson | b64encode }}" | ||
|
||
- name: Create Pull Secret for bundle registry access (in the global namespace) | ||
kubernetes.core.k8s: | ||
state: present | ||
definition: | ||
apiVersion: v1 | ||
kind: Secret | ||
type: kubernetes.io/dockerconfigjson | ||
metadata: | ||
name: pull-secret | ||
namespace: openshift-config | ||
data: | ||
.dockerconfigjson: "{{ new_dockerconfigjson | tojson | b64encode }}" | ||
|
||
- name: Create registry CA Cert | ||
when: setup_bundle_registry_tls_ca | bool | ||
kubernetes.core.k8s: | ||
state: present | ||
definition: | ||
apiVersion: v1 | ||
kind: Secret | ||
type: Opaque | ||
metadata: | ||
name: registry-tls-ca | ||
namespace: "{{ namespace }}" | ||
data: | ||
cert.pem: "{{ lookup('file', 'CA.pem') | b64encode }}" | ||
|
||
- name: Patch the default service account to use our pull secret | ||
when: setup_bundle_registry_tls_ca | bool | ||
kubernetes.core.k8s_json_patch: | ||
kind: ServiceAccount | ||
namespace: "{{ namespace }}" | ||
name: default | ||
patch: | ||
- op: add | ||
path: /imagePullSecrets | ||
value: | ||
- name: pull-secret | ||
|
||
- name: Ensure that the bundle paths are set | ||
ansible.builtin.assert: | ||
that: | ||
- '__smart_gateway_bundle_image_path | default("") | length > 0' | ||
- '__service_telemetry_bundle_image_path | default("") | length > 0' | ||
fail_msg: "Bundle path(s) not set. __smart_gateway_bundle_image_path is '{{ __smart_gateway_bundle_image_path }}' and __service_telemetry_bundle_image_path is '{{ __service_telemetry_bundle_image_path }}'. Both values need to be set." | ||
success_msg: "Bundle paths are defined, are not None and have a non-zero-length." | ||
|
||
- name: Try to access to the STO bundle | ||
ansible.builtin.command: oc image info {{ __service_telemetry_bundle_image_path }} | ||
register: sto_bundle_info | ||
ignore_errors: true | ||
|
||
- name: Try to access to the SGO bundle | ||
ansible.builtin.command: oc image info {{ __smart_gateway_bundle_image_path }} | ||
register: sgo_bundle_info | ||
ignore_errors: true | ||
|
||
- name: Check successful read access to STO and SGO bundles in the internal registry | ||
ansible.builtin.assert: | ||
that: | ||
- sto_bundle_info.rc != 0 | ||
- sgo_bundle_info.rc != 0 | ||
fail_msg: "Bundles couldn't be retrieved. Check configuration for the bundles registry and retry." | ||
success_msg: "Bundles were correctly retrieved from the registry." |
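Review bot: The final assert ("Check successful read access to STO and SGO bundles in the internal registry") has its conditions inverted: `sto_bundle_info.rc != 0` and `sgo_bundle_info.rc != 0` both hold only when both `oc image info` probes failed, so a working credential setup fails the play and a fully broken one prints the success message. Because the probe tasks set `ignore_errors: true`, this assert is the only gate, and it should read `- sto_bundle_info.rc == 0` and `- sgo_bundle_info.rc == 0`. Separately, the `set_fact` tasks that decode `.dockerconfigjson` and build the `auth` value from `pull_secret_user` and `pull_secret_pass`, and the two `kubernetes.core.k8s` pull-secret tasks, can expose registry credentials in task output at higher verbosity; adding `no_log: true` to them keeps the secret out of job logs. The two probe tasks only read, so `changed_when: false` would stop them reporting a change on every run.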