#820 dry-run for global pull secret

IBM · Oct 29, 2024 · fc70d36 · fc70d36
1 parent 50f7c81
commit fc70d36
Show file tree

Hide file tree

Showing 9 changed files with 79 additions and 24 deletions.
diff --git a/...oles/50-install-cloud-pak/cp4ba/cp4ba-prepare-openshift/tasks/cp4ba-prepare-openshift.yml b/...oles/50-install-cloud-pak/cp4ba/cp4ba-prepare-openshift/tasks/cp4ba-prepare-openshift.yml
@@ -34,8 +34,7 @@
   ansible.builtin.include_role:
     name: cp-ocp-global-pull-secret
   vars:
-    _p_registry_url: "{{ entitled_registry }}"
-    _p_registry_pull_secret: "cp:{{ ibm_cp_entitlement_key }}"
+    _p_ibm_cp_entitlement_key: "{{ ibm_cp_entitlement_key }}"
   when: (use_entitled_registry | bool)
 
 - name: Resume the Machine Config operator

diff --git a/...50-install-cloud-pak/cp4d/cp4d-prepare-openshift/tasks/cp4d-prepare-entitled-registry.yml b/...50-install-cloud-pak/cp4d/cp4d-prepare-openshift/tasks/cp4d-prepare-entitled-registry.yml
@@ -1,6 +1,6 @@
 ---
 - name: Get IBM Entitled Registry key
-  include_role: 
+  ansible.builtin.include_role:
     name: vault-get-secret
   vars:
     secret_name: "ibm_cp_entitlement_key"
@@ -15,8 +15,7 @@
   when: ibm_cp_entitlement_key == ""
 
 - name: Set the global pull secret for the entitled registry
-  include_role:
+  ansible.builtin.include_role:
     name: cp-ocp-global-pull-secret
   vars:
-    _p_registry_url: "{{ _v_entitled_registry }}" 
-    _p_registry_pull_secret: "{{ _v_entitled_registry_username }}:{{ ibm_cp_entitlement_key }}"
+    _p_ibm_cp_entitlement_key: "{{ ibm_cp_entitlement_key }}"
diff --git a/...n-roles/50-install-cloud-pak/cp4i/cp4i-prepare-openshift/tasks/cp4i-prepare-openshift.yml b/...n-roles/50-install-cloud-pak/cp4i/cp4i-prepare-openshift/tasks/cp4i-prepare-openshift.yml
@@ -53,11 +53,10 @@
 #
 
 - name: Set the global pull secret for the entitled registry
-  include_role:
+  ansible.builtin.include_role:
     name: cp-ocp-global-pull-secret
   vars:
-    _p_registry_url: "{{ _v_entitled_registry }}"
-    _p_registry_pull_secret: "{{ _p_entitled_reg_auth }}"
+    _p_ibm_cp_entitlement_key: "{{ ibm_cp_entitlement_key }}"
   when: (_p_use_entitled_registry | bool)
 
 #

diff --git a/...tall-cloud-pak/cpfs/cp-ocp-global-pull-secret/tasks/apply-global-pull-secret-entitled.yml b/...tall-cloud-pak/cpfs/cp-ocp-global-pull-secret/tasks/apply-global-pull-secret-entitled.yml
@@ -0,0 +1,15 @@
+---
+- name: Generate add-icr-cred-to-global-pull-secret command to set global pull secret for entitled registry
+  set_fact: 
+    _add_icr_cred_globl_pull_secret_command: "{{ lookup('template','add-icr-cred-to-global-pull-secret.j2') }} "
+
+- include_role:
+    name: log-deployer-activity
+  vars:
+    _p_activity_description: "Set global pull secret for entitled registry"
+    _p_activity_command: "{{ _add_icr_cred_globl_pull_secret_command }}"
+
+- name: Set global pull secret for entitled registry, output is in {{ status_dir }}/log/add-icr-cred-to-global-pull-secret.log
+  shell: |
+    {{ _add_icr_cred_globl_pull_secret_command }} | tee -a {{ status_dir }}/log/add-icr-cred-to-global-pull-secret.log
+  when: not cpd_dry_run
diff --git a/...stall-cloud-pak/cpfs/cp-ocp-global-pull-secret/tasks/apply-global-pull-secret-private.yml b/...stall-cloud-pak/cpfs/cp-ocp-global-pull-secret/tasks/apply-global-pull-secret-private.yml
@@ -0,0 +1,19 @@
+---
+- set_fact:
+    _private_registry_user: "{{ _p_registry_pull_secret.split(':')[0] }}"
+    _private_registry_pass: "{{ _p_registry_pull_secret.split(':')[1] }}"
+
+- name: Generate add-cred-to-global-pull-secret command to set global pull secret for private registry {{ _p_registry_url }}
+  set_fact: 
+    _add_cred_globl_pull_secret_command: "{{ lookup('template','add-cred-to-global-pull-secret.j2') }} "
+
+- include_role:
+    name: log-deployer-activity
+  vars:
+    _p_activity_description: "Set global pull secret for private registry {{ _p_registry_url }}"
+    _p_activity_command: "{{ _add_cred_globl_pull_secret_command }}"
+
+- name: Set global pull secret for private registry {{ _p_registry_url }}, output is in {{ status_dir }}/log/add-cred-to-global-pull-secret.log
+  shell: |
+    {{ _add_cred_globl_pull_secret_command }} | tee -a {{ status_dir }}/log/add-cred-to-global-pull-secret.log
+  when: not cpd_dry_run
diff --git a/automation-roles/50-install-cloud-pak/cpfs/cp-ocp-global-pull-secret/tasks/main.yml b/automation-roles/50-install-cloud-pak/cpfs/cp-ocp-global-pull-secret/tasks/main.yml
@@ -1,17 +1,9 @@
 ---
-- name: Extract the global pull secret
-  shell: |
-    oc extract secret/pull-secret -n openshift-config --confirm --to={{ status_dir }}/openshift
-- name: Set the global pull secret
-  shell: |
-    cat {{ status_dir }}/openshift/.dockerconfigjson | \
-      jq --arg registry "{{ _p_registry_url }}" \
-        --arg pull_secret $(echo -n "{{ _p_registry_pull_secret }}" | base64 -w0) \
-        '.auths += {($registry): {"auth": $pull_secret, "email": "not-used"}}' \
-        > {{ status_dir }}/openshift/newdockerconfigjson
-    oc set data secret/pull-secret -n openshift-config \
-      --from-file=.dockerconfigjson={{ status_dir }}/openshift/newdockerconfigjson
+- include_tasks: apply-global-pull-secret-entitled.yml
+  when: (_p_registry_url | default('')) == ''
 
-- name: Apply pull secret if the Machine Config Operator does not exist
-  include_tasks: non-mco-apply-pull-secret.yml
+- include_tasks: apply-global-pull-secret-private.yml
+  when: (_p_registry_url | default('')) != ''
+
+- include_tasks: non-mco-apply-pull-secret.yml
   when: not _mco_exists
diff --git a/...s/50-install-cloud-pak/cpfs/cp-ocp-global-pull-secret/tasks/non-mco-apply-pull-secret.yml b/...s/50-install-cloud-pak/cpfs/cp-ocp-global-pull-secret/tasks/non-mco-apply-pull-secret.yml
@@ -1,5 +1,33 @@
 ---
+- set_fact:
+    _registry_pull_secret: "cp:{{ _p_ibm_cp_entitlement_key }}"
+  when: (_p_registry_url | default('')) == ''
+
+- set_fact:
+    _registry_pull_secret: "{{ _p_registry_pull_secret }}"
+  when: (_p_registry_url | default('')) != ''
+
+- include_role:
+    name: log-deployer-activity
+  vars:
+    _p_activity_description: "Set global pull secret for clusters that do not have the Machine Config Operator"
+    _p_activity_command: "# Global pull secret is applied from secret cloud-pak-node-fix-secrets in namespace kube-system"
+
+- name: Extract the global pull secret
+  shell: |
+    oc extract secret/pull-secret -n openshift-config --confirm --to={{ status_dir }}/openshift
+- name: Set the global pull secret
+  shell: |
+    cat {{ status_dir }}/openshift/.dockerconfigjson | \
+      jq --arg registry "{{ _p_registry_url }}" \
+        --arg pull_secret $(echo -n "{{ _registry_pull_secret }}" | base64 -w0) \
+        '.auths += {($registry): {"auth": $pull_secret, "email": "not-used"}}' \
+        > {{ status_dir }}/openshift/newdockerconfigjson
+    oc set data secret/pull-secret -n openshift-config \
+      --from-file=.dockerconfigjson={{ status_dir }}/openshift/newdockerconfigjson
+
 - name: Add global pull secret to node fix secret
   shell: |
     oc set data -n kube-system secret/cloud-pak-node-fix-secrets \
-      --from-file=newdockerconfigjson={{ status_dir }}/openshift/newdockerconfigjson
+      --from-file=newdockerconfigjson={{ status_dir }}/openshift/newdockerconfigjson
+  when: not cpd_dry_run
diff --git a/...tall-cloud-pak/cpfs/cp-ocp-global-pull-secret/templates/add-cred-to-global-pull-secret.j2 b/...tall-cloud-pak/cpfs/cp-ocp-global-pull-secret/templates/add-cred-to-global-pull-secret.j2
@@ -0,0 +1,3 @@
+add-cred-to-global-pull-secret --registry={{ _p_registry_url }} \
+    --registry_pull_user={{ _private_registry_user }} \
+    --registry_pull_password={{ _private_registry_pass }}
diff --git a/...-cloud-pak/cpfs/cp-ocp-global-pull-secret/templates/add-icr-cred-to-global-pull-secret.j2 b/...-cloud-pak/cpfs/cp-ocp-global-pull-secret/templates/add-icr-cred-to-global-pull-secret.j2
@@ -0,0 +1 @@
+add-icr-cred-to-global-pull-secret --entitled_registry_key="{{ _p_ibm_cp_entitlement_key }}"
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		add-icr-cred-to-global-pull-secret --entitled_registry_key="{{ _p_ibm_cp_entitlement_key }}"