update cert-manager images from opm

Signed-off-by: Evgeny Slutsky <[email protected]>

Author: eslutsky

assets/optional/cert-manager/manager/images.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: cert-manager-images
+  namespace: system
+spec:
+  containers:
+  - name: cert-manager-webhook
+    image: cert-manager-webhook:latest
+  - name: cert-manager-ca-injector
+    image: cert-manager-ca-injector:latest
+  - name: cert-manager-controller
+    image: cert-manager-controller:latest
+  - name: cert-manager-acmesolver
+    image: cert-manager-acmesolver:latest
+  - name: cert-manager-istiocsr
+    image: cert-manager-istiocsr:latest
+  restartPolicy: Never 

assets/optional/cert-manager/manager/kustomization.yaml

@@ -1,8 +1,75 @@
-resources:
-- manager.yaml
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
+resources:
+  - manager.yaml
+  - images.yaml
+replacements:
+  - source:
+      kind: Pod
+      name: cert-manager-images
+      fieldPath: spec.containers.[name=cert-manager-webhook].image
+    targets:
+      - select:
+          kind: Deployment
+          name: controller-manager
+        fieldPaths:
+          - spec.template.spec.containers.[name=cert-manager-operator].env.[name=RELATED_IMAGE_CERT_MANAGER_WEBHOOK].value
+  - source:
+      kind: Pod
+      name: cert-manager-images
+      fieldPath: spec.containers.[name=cert-manager-ca-injector].image
+    targets:
+      - select:
+          kind: Deployment
+          name: controller-manager
+        fieldPaths:
+          - spec.template.spec.containers.[name=cert-manager-operator].env.[name=RELATED_IMAGE_CERT_MANAGER_CA_INJECTOR].value
+  - source:
+      kind: Pod
+      name: cert-manager-images
+      fieldPath: spec.containers.[name=cert-manager-controller].image
+    targets:
+      - select:
+          kind: Deployment
+          name: controller-manager
+        fieldPaths:
+          - spec.template.spec.containers.[name=cert-manager-operator].env.[name=RELATED_IMAGE_CERT_MANAGER_CONTROLLER].value
+  - source:
+      kind: Pod
+      name: cert-manager-images
+      fieldPath: spec.containers.[name=cert-manager-acmesolver].image
+    targets:
+      - select:
+          kind: Deployment
+          name: controller-manager
+        fieldPaths:
+          - spec.template.spec.containers.[name=cert-manager-operator].env.[name=RELATED_IMAGE_CERT_MANAGER_ACMESOLVER].value
+  - source:
+      kind: Pod
+      name: cert-manager-images
+      fieldPath: spec.containers.[name=cert-manager-istiocsr].image
+    targets:
+      - select:
+          kind: Deployment
+          name: controller-manager
+        fieldPaths:
+          - spec.template.spec.containers.[name=cert-manager-operator].env.[name=RELATED_IMAGE_CERT_MANAGER_ISTIOCSR].value
 images:
-- name: controller
-  newName: registry.redhat.io/cert-manager/cert-manager-operator-rhel9@sha256
-  newTag: 4d5e238300ce6f427a1045d51d6b37a4e5c5633985208ebb44f91e7dd53897d9
+  - name: controller
+    newName: registry.redhat.io/cert-manager/cert-manager-operator-rhel9
+    digest: sha256:4d5e238300ce6f427a1045d51d6b37a4e5c5633985208ebb44f91e7dd53897d9
+  - name: cert-manager-istiocsr
+    newName: registry.redhat.io/cert-manager/cert-manager-istio-csr-rhel9
+    digest: sha256:9ea2c29a384b964cef14f853278821df3cd30320f25afab8823897192f67fc7e
+  - name: cert-manager-acmesolver
+    newName: registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9
+    digest: sha256:4f7c045819c39e176a6090efdaba6ec736edf772d88fc87dd1c6fb33d3b5b26b
+  - name: cert-manager-webhook
+    newName: registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9
+    digest: sha256:96d51e3a64bf30cbd92836c7cbd82f06edca16eef78ab1432757d34c16628659
+  - name: cert-manager-ca-injector
+    newName: registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9
+    digest: sha256:96d51e3a64bf30cbd92836c7cbd82f06edca16eef78ab1432757d34c16628659
+  - name: cert-manager-controller
+    newName: registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9
+    digest: sha256:96d51e3a64bf30cbd92836c7cbd82f06edca16eef78ab1432757d34c16628659

scripts/auto-rebase/assets_cert_manager.yaml

@@ -31,9 +31,13 @@ assets:
       - file: cainjection_in_certmanagers.yaml
       - file: webhook_in_certmanagers.yaml
   - dir: optional/cert-manager/manager/
+    no_clean: True
     src: cert-manager-operator/config/manager/
     files:
       - file: kustomization.yaml
+        ignore: "Provided by MicroShift"      
+      - file: images.yaml
+        ignore: "Provided by MicroShift"      
       - file: manager.yaml
   - dir: optional/cert-manager/rbac/
     src: cert-manager-operator/config/rbac/

scripts/auto-rebase/rebase.py

@@ -27,6 +27,7 @@
 AMD64_RELEASE_ENV = "AMD64_RELEASE"
 ARM64_RELEASE_ENV = "ARM64_RELEASE"
 RHOAI_RELEASE_ENV = "RHOAI_RELEASE"
+OPM_VERSION_ENV = "OPM_RELEASE"
 JOB_NAME_ENV = "JOB_NAME"
 BUILD_ID_ENV = "BUILD_ID"
 DRY_RUN_ENV = "DRY_RUN"
@@ -101,6 +102,24 @@ def run_rebase_ai_model_serving_sh(release):
     logging.info(f"Script returned code: {result.returncode}. It ran for {end/60:.0f}m{end%60:.0f}s.")
     return RebaseScriptResult(success=result.returncode == 0, output=result.stdout)
 
+def run_rebase_cert_manager_sh(release):
+    """Run the 'rebase_cert_manager.sh' script with the given release version and return the script's output."""
+    script_dir = os.path.abspath(os.path.dirname(__file__))
+    args = [f"{script_dir}/rebase_cert_manager.sh", "to", release]
+    env = os.environ.copy()
+    env["NO_BRANCH"] = "true"
+    logging.info(f"Running: '{' '.join(args)}'")
+    start = timer()
+    result = subprocess.run(
+        args, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, universal_newlines=True, check=False,
+        env=env)
+    logging.info(f"Return code: {result.returncode}. Output:\n" +
+                 "==================================================\n" +
+                 f"{result.stdout}" +
+                 "==================================================\n")
+    end = timer() - start
+    logging.info(f"Script returned code: {result.returncode}. It ran for {end/60:.0f}m{end%60:.0f}s.")
+    return RebaseScriptResult(success=result.returncode == 0, output=result.stdout)
 
 def commit_str(commit):
     """Returns the first 8 characters of the commit's SHA hash and the commit summary."""
@@ -477,6 +496,7 @@ def main():
     release_amd = try_get_env(AMD64_RELEASE_ENV)
     release_arm = try_get_env(ARM64_RELEASE_ENV)
     rhoai_release = try_get_env(RHOAI_RELEASE_ENV)
+    opm_version = try_get_env(OPM_VERSION_ENV)
     base_branch_override = try_get_env(BASE_BRANCH_ENV, die=False)
 
     global REMOTE_DRY_RUN
@@ -495,8 +515,9 @@ def main():
 
     rebase_result = run_rebase_sh(release_amd, release_arm)
     ai_rebase_result = run_rebase_ai_model_serving_sh(rhoai_release)
+    cert_manager_rebase_result = run_rebase_cert_manager_sh(opm_version)
 
-    rebases_succeeded = rebase_result.success and ai_rebase_result.success
+    rebases_succeeded = rebase_result.success and ai_rebase_result.success and cert_manager_rebase_result.success
 
     if rebases_succeeded:
         # TODO How can we inform team that rebase job ran successfully just there was nothing new?

scripts/auto-rebase/rebase_cert_manager.sh

@@ -108,46 +108,56 @@ download_cert_manager(){
     # convert from cert-manager-operator.v1.16.0 to cert-manager-x.y
     branch_name=$(echo ${operator} | awk -F'[^0-9]*' '{print "cert-manager-"$2"."$3}')
     clone_repo "https://github.com/openshift/cert-manager-operator" "$branch_name" "."
+    popd
 
 }
 
-# Updates the image digests in pkg/release/release*.go
-# update_images() {
-#     if [ ! -f "${STAGING_DIR}/release_amd64.json" ] || [ ! -f "${STAGING_DIR}/release_arm64.json" ]; then
-#         >&2 echo "No release found in ${STAGING_DIR}, you need to download one first."
-#         exit 1
-#     fi
-#     pushd "${STAGING_DIR}" >/dev/null
-
-   
-# }
-
-
+# helper to append an image mapping to kustomization.yaml, supporting digest or tag
+add_image_to_kustomize() {
+    local alias_name="$1"
+    local full_image_ref="$2"
+    if [[ "${full_image_ref}" == *@sha256:* ]]; then
+        local image_name_no_digest="${full_image_ref%@*}"
+        local image_digest="${full_image_ref#*@}"
+        yq -i ".images += [{\"name\": \"${alias_name}\", \"newName\": \"${image_name_no_digest}\", \"digest\": \"${image_digest}\"}]" "${cert_manager_kustomization_yaml}"
+    else
+        local image_name_no_tag="${full_image_ref%:*}"
+        local image_tag="${full_image_ref##*:}"
+        yq -i ".images += [{\"name\": \"${alias_name}\", \"newName\": \"${image_name_no_tag}\", \"newTag\": \"${image_tag}\"}]" "${cert_manager_kustomization_yaml}"
+    fi
+}
 
 write_cert_manager_images_for_arch() {
     local arch="$1"
     title "Updating images for ${arch}"
-    #local csv_manifest="${arch_dir}/servicemeshoperator3.clusterserviceversion.yaml"
-    #local kustomization_arch_file="${REPOROOT}/assets/optional/gateway-api/kustomization.${GOARCH_TO_UNAME_MAP[${arch}]}.yaml"
     local cert_manager_release_json="${REPOROOT}/assets/optional/cert-manager/release-cert-manager-${GOARCH_TO_UNAME_MAP[${arch}]}.json"
     local cert_manager_operator_yaml="${REPOROOT}/assets/optional/cert-manager/manager/manager.yaml"
     local cert_manager_kustomization_yaml="${REPOROOT}/assets/optional/cert-manager/manager/kustomization.yaml"
 
-    local base_release=4.20
-    jq -n "{\"release\": {\"base\": \"${base_release}\"}, \"images\": {}}" > "${cert_manager_release_json}"
+    local operatorVersion=$(yq '.properties[] | select(.type == "olm.package").value.version' "${OPERATOR_CERT_MANAGER_INDEX}")
+
+    jq -n "{\"release\": {\"base\": \"${operatorVersion}\"}, \"images\": {}}" > "${cert_manager_release_json}"
 
     #containerImage
-    local operatorImage=$(yq '.properties[] | select(.type == "olm.csv.metadata").value.annotations.containerImage' "${OPERATOR_CERT_MANAGER_INDEX}")
-    
-    yq -i -o json ".images += {\"cert-manager-operator\": \"${operatorImage}\"}" "${cert_manager_release_json}"
-    sed -i "s#newName:.*openshift.io\/cert-manager-operator.*#newName: ${operatorImage}#g" "${cert_manager_kustomization_yaml}"
+    local operatorImageFull=$(yq '.properties[] | select(.type == "olm.csv.metadata").value.annotations.containerImage' "${OPERATOR_CERT_MANAGER_INDEX}")
+    local operatorImage="${operatorImageFull%:*}"
+    local operatorTag="${operatorImageFull#*:}"
+  
+    yq -i -o json ".images += {\"cert-manager-operator\": \"${operatorImageFull}\"}" "${cert_manager_release_json}"
+
+    # reset and rebuild the images list in kustomization.yaml from opm output
+    yq -i 'del(.images) | .images = []' "${cert_manager_kustomization_yaml}"
+
+    # add operator image to kustomization images (named 'controller')
+    add_image_to_kustomize "controller" "${operatorImageFull}"
 
     #relatedImages
     for index in $(yq '.relatedImages.[] | path | .[-1] ' "${OPERATOR_CERT_MANAGER_INDEX}"); do
      local image=$(yq ".relatedImages.${index}.image" "${OPERATOR_CERT_MANAGER_INDEX}" )
      local component=$(yq ".relatedImages.${index}.name" "${OPERATOR_CERT_MANAGER_INDEX}")
     if [[  -n "${component}" && "${OPERATOR_COMPONENTS}" == *"${component}"* ]]; then
         yq -i -o json ".images += {\"${component}\": \"${image}\"}" "${cert_manager_release_json}"
+        add_image_to_kustomize "${component}" "${image}"
         sed -i "s#value:.*${component}.*#value: ${image}#g" "${cert_manager_operator_yaml}"
 
         # handle special case istiocsr v istio-csr mismatch 
@@ -183,34 +193,17 @@ copy_manifests() {
     "$REPOROOT/scripts/auto-rebase/handle_assets.py" "./scripts/auto-rebase/assets_cert_manager.yaml"
 }
 
-
-# Updates embedded component manifests by gathering these from various places
-# in the staged repos and copying them into the asset directorcay.
-update_cert_manager_manifests() {
-    pushd "${STAGING_DIR}" >/dev/null
-
-    title "Modifying OpenShift manifests"
-    
-    for index in $(yq '.[] | path | .[-1] ' "${OPERATOR_CERT_MANAGER_INDEX}")
-    do
-     image=$(yq ".${index}.image" "${OPERATOR_CERT_MANAGER_INDEX}")
-     component=$(yq ".${index}.name" "${OPERATOR_CERT_MANAGER_INDEX}")
-
-    if [[  -n "${component}" && "${OPERATOR_COMPONENTS}" == *"${component}"* ]]; then
-        #clone_repo "${repo}" "${commit}" "."
-        #echo "${repo} embedded-component ${commit}" >> "${new_commits_file}"
-        echo "${image} ${component}"
-    fi
-    done
-
-
-    popd >/dev/null
+rebase_cert_manager_to(){
+    local -r operator_bundle="${1}"
+    download_cert_manager "${operator_bundle}"
+    copy_manifests
+    update_cert_manager_images
 }
 
 usage() {
     echo "Usage:"
-    echo "$(basename "$0") to RELEASE_IMAGE_INTEL RELEASE_IMAGE_ARM         Performs all the steps to rebase to a release image. Specify both amd64 and arm64 OCP releases."
-    echo "$(basename "$0") download RELEASE_IMAGE_INTEL RELEASE_IMAGE_ARM   Downloads the content of a release image to disk in preparation for rebasing. Specify both amd64 and arm64 OCP releases."
+    echo "$(basename "$0") to OPM_RELEASE_IMAGE                             Performs all the steps to rebase to a release image."
+    echo "$(basename "$0") download OPM_RELEASE_IMAGE                       Downloads the content of a release image to disk in preparation for rebasing."
     echo "$(basename "$0") images                                           Rebases the component images to the downloaded release"
     echo "$(basename "$0") manifests                                        Rebases the component manifests to the downloaded release"
     exit 1
@@ -221,8 +214,8 @@ check_preconditions
 command=${1:-help}
 case "$command" in
     to)
-        [[ $# -lt 3 ]] && usage
-        rebase_to "$2" "$3"
+        [[ $# -lt 2 ]] && usage
+        rebase_cert_manager_to "$2"
         ;;
     download)
         #[[ $# -lt 3 ]] && usage
@@ -235,7 +228,6 @@ case "$command" in
 
     manifests)
         copy_manifests
-        update_cert_manager_manifests
         ;;
     *) usage;;
 esac

scripts/auto-rebase/rebase_job_entrypoint.sh

@@ -93,14 +93,15 @@ fi
 # New references can be obtained from:
 # https://catalog.redhat.com/software/containers/rhoai/odh-operator-bundle/659803ca929f3c931af06f28
 rhoai_release="registry.redhat.io/rhoai/odh-operator-bundle:v2.22"
-
+opm_release="registry.redhat.io/redhat/redhat-operator-index:v4.20"
 APP_ID=$(cat /secrets/pr-creds/app_id) \
 KEY=/secrets/pr-creds/key.pem \
 ORG=${ORG:-openshift} \
 REPO=${REPO:-microshift} \
 AMD64_RELEASE=${PULLSPEC_RELEASE_AMD64} \
 ARM64_RELEASE=${PULLSPEC_RELEASE_ARM64} \
 RHOAI_RELEASE=${rhoai_release} \
+OPM_RELEASE=${opm_release} \
 ./scripts/auto-rebase/rebase.py
 
 # LVMS is not tracked in the OCP release image.  Instead, rely on the