--- # Copyright Red Hat, Inc. # All Rights Reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. - name: Ensure output directory exists tags: - always ansible.builtin.file: path: "{{ cifmw_openshift_setup_basedir }}/artifacts" state: directory mode: "0755" - name: Fetch namespaces to create ansible.builtin.set_fact: cifmw_openshift_setup_namespaces: >- {{ (( ([cifmw_install_yamls_defaults['NAMESPACE']] + ([cifmw_install_yamls_defaults['OPERATOR_NAMESPACE']] if 'OPERATOR_NAMESPACE' is in cifmw_install_yamls_defaults else []) ) if cifmw_install_yamls_defaults is defined else [] ) + cifmw_openshift_setup_create_namespaces) | unique }} - name: Create required namespaces kubernetes.core.k8s: kubeconfig: "{{ cifmw_openshift_kubeconfig }}" api_key: "{{ cifmw_openshift_token | default(omit)}}" context: "{{ cifmw_openshift_context | default(omit) }}" name: "{{ item }}" kind: Namespace state: present with_items: "{{ cifmw_openshift_setup_namespaces }}" when: not cifmw_openshift_setup_dry_run - name: Get internal OpenShift registry route when: not cifmw_openshift_setup_skip_internal_registry | bool kubernetes.core.k8s_info: kubeconfig: "{{ cifmw_openshift_kubeconfig }}" api_key: "{{ cifmw_openshift_token | default(omit)}}" context: "{{ cifmw_openshift_context | default(omit)}}" kind: Route name: default-route namespace: openshift-image-registry register: cifmw_openshift_setup_registry_default_route - name: Allow anonymous image-pulls in CRC registry for targeted namespaces with_items: "{{ cifmw_openshift_setup_namespaces }}" when: - not cifmw_openshift_setup_skip_internal_registry | bool - not cifmw_openshift_setup_dry_run - (cifmw_openshift_setup_registry_default_route.resources | default([]) | length > 0) kubernetes.core.k8s: state: present kubeconfig: "{{ cifmw_openshift_kubeconfig }}" api_key: "{{ cifmw_openshift_token | default(omit)}}" context: "{{ cifmw_openshift_context | default(omit)}}" definition: kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: system:image-puller namespace: "{{ item }}" subjects: - kind: User name: system:anonymous - kind: User name: system:unauthenticated roleRef: kind: ClusterRole name: system:image-puller - name: Podman login into OpenShift registry when: - cifmw_openshift_token is defined - not cifmw_openshift_setup_skip_internal_registry | bool - cifmw_openshift_setup_registry_default_route.resources | length > 0 block: - name: Wait for the image registry to be ready kubernetes.core.k8s_info: kind: Deployment name: image-registry namespace: openshift-image-registry kubeconfig: "{{ cifmw_openshift_kubeconfig }}" api_key: "{{ cifmw_openshift_token | default(omit)}}" context: "{{ cifmw_openshift_context | default(omit)}}" wait: true wait_sleep: 10 wait_timeout: 600 wait_condition: type: Available status: "True" - name: Login into OpenShift internal registry cifmw.general.ci_script: output_dir: "{{ cifmw_openshift_setup_basedir }}/artifacts" script: >- podman login -u {{ cifmw_openshift_user }} -p {{ cifmw_openshift_token }} {%- if cifmw_openshift_setup_skip_internal_registry_tls_verify|bool %} --tls-verify=false {%- endif %} {{ cifmw_openshift_setup_registry_default_route.resources[0].spec.host }} retries: 10 delay: 30 register: cifmw_openshift_setup_podman_login_stdout until: cifmw_openshift_setup_podman_login_stdout.rc == 0 - name: Add custom CA bundle to OCP registry when: cifmw_openshift_setup_ca_registry_to_add is defined block: - name: Ensure we have custom CA installed on host ansible.builtin.include_role: role: install_ca - name: Update ca bundle become: true ansible.builtin.command: cmd: update-ca-trust extract - name: Slurp CAs file ansible.builtin.slurp: src: "{{ cifmw_openshift_setup_ca_bundle_path }}" register: _ca_content - name: Create config map with registry CAs vars: _config_map_data: - key: "{{ cifmw_openshift_setup_ca_registry_to_add }}" value: "{{ _ca_content.content | b64decode }}" kubernetes.core.k8s: kubeconfig: "{{ cifmw_openshift_kubeconfig }}" api_key: "{{ cifmw_openshift_token | default(omit)}}" context: "{{ cifmw_openshift_context | default(omit)}}" definition: apiVersion: v1 kind: ConfigMap metadata: namespace: openshift-config name: registry-cas data: "{{ _config_map_data | items2dict }}" - name: Install Red Hat CA for pulling images from internal registry kubernetes.core.k8s: kubeconfig: "{{ cifmw_openshift_kubeconfig }}" api_key: "{{ cifmw_openshift_token | default(omit)}}" context: "{{ cifmw_openshift_context | default(omit)}}" merge_type: "merge" definition: apiVersion: config.openshift.io/v1 kind: Image metadata: name: cluster spec: additionalTrustedCA: name: "registry-cas" - name: Configure insecure registries and ICSP ansible.builtin.import_tasks: configure_registries.yml - name: Patch network operator when using OVNKubernetes backend ansible.builtin.import_tasks: patch_network_operator.yml - name: Patch samples registry ansible.builtin.import_tasks: patch_samples_registry.yml - name: Fix openshift-marketplace pods ansible.builtin.import_tasks: fix_openshift_marketplace.yml