MGMT-23799: Use openshift versions for osImages ISOs (#213)

* Use openshift versions for osImages ISOs

Previously the ISO version set in the osImages list for
AgentServiceConfig was completely separate from the versions the user
provided for ClusterImageSets. These need to match otherwise cluster
creation could fail for a mismatch.

This commit adds logic to fetch the ISO for each listed openshift
version usin `oc` commands rather than keeping a separate list of http
endpoints. This ensures that every ClusterImageSet will always have a
matching ISO configured.

Resolves https://redhat.atlassian.net/browse/MGMT-23799

* use blkid instead of isoinfo to avoid requiring epel on the LZ host

* Move download content after control binaries so the oc cli is available

* Extract just the iso file rather than an entire directory

This wasn't working at all, the directory ended up empty, but it's
better to just get the file we need anyway

* Move blkid call to where the value is needed and always remove temp dirs

Author: carbonin

defaults/content_images.yaml

@@ -15,7 +15,6 @@ Configuration is split across multiple files for better organization and maintai
 | `defaults/platforms.yaml` | Available OpenShift versions |
 | `defaults/deployment.yaml` | Deployment defaults (storage plugin, disconnected mode, etc.) |
 | `defaults/control_binaries.yaml` | URLs and checksums for required binaries (oc, helm, etc.) |
-| `defaults/content_images.yaml` | RHCOS images and ISOs configuration |
 | `defaults/catalogs.yaml` | Operator catalog source name mappings |
 | `defaults/mirror_registry.yaml` | Quay hostname and CA path defaults |
 | `defaults/k8s.yaml` | Kubernetes retry settings for k8s module calls |
@@ -1133,7 +1132,6 @@ Core operators are defined in `defaults/operators.yaml`. Plugin operators are de
 
 Content configuration is stored in the `defaults/` directory:
 - `defaults/control_binaries.yaml` - Binary downloads (oc, helm, mirror-registry, oc-mirror)
-- `defaults/content_images.yaml` - RHCOS ISO images
 
 ### Control Binaries
 
@@ -1173,31 +1171,14 @@ control_binaries:
 - URLs should point to official Red Hat sources
 - Update version numbers as needed
 
-### Content Images
+### RHCOS ISOs
 
-#### `content_images`
+RHCOS ISOs are automatically extracted from OpenShift release images during the prepare phase. For each version defined in `defaults/platforms.yaml`, the system:
 
-**Description**: URLs and checksums for RHCOS images.
-
-**Location**: `defaults/content_images.yaml`
-
-**Type**: Dictionary
-
-**Example**:
-```yaml
-content_images:
-  isos:
-    - url: "https://mirror.openshift.com/pub/openshift-v4/dependencies/rhcos/4.19/4.19.10/rhcos-4.19.10-x86_64-live-iso.x86_64.iso"
-      checksum: "sha256:7a47d0c7a9bf5edb143d52809e793af2d74731567b95d91c6225171a1c49b5ab"
-```
-
-**Fields**:
-- `isos`: List of ISO images (used for cluster deployment)
-
-**Notes**:
-- Version should match OCP version
-- Checksums are verified after download
-- Multiple entries allowed (for different architectures)
+1. Queries the release image for the `machine-os-images` component
+2. Extracts the ISO from the machine-os-images container
+3. Determines the ISO volume ID using `blkid`
+4. Stores the ISO at `/var/www/html/rhcos-<version>-x86_64-live-iso.x86_64.iso`
 
 ## Complete Example
 

docs/CONFIGURATION_REFERENCE.md

@@ -149,7 +149,6 @@ Configuration is split across multiple files for better organization:
 - `defaults/deployment.yaml` - Deployment behavior defaults
 - `defaults/k8s.yaml` - Kubernetes resource defaults
 - `defaults/control_binaries.yaml` - Binary URLs and checksums (oc, helm, etc.)
-- `defaults/content_images.yaml` - RHCOS images and ISOs
 - `defaults/catalogs.yaml` - Operator catalog source name mappings
 - `defaults/mirror_registry.yaml` - Quay hostname and CA path defaults
 - `defaults/quay_operator.yaml` - Quay feature flags and backend storage defaults
@@ -447,14 +446,6 @@ control_binaries:
     checksum: "sha256:..."
 ```
 
-**`defaults/content_images.yaml`** - RHCOS ISO images:
-```yaml
-content_images:
-  isos:
-    - url: "https://mirror.openshift.com/pub/openshift-v4/dependencies/rhcos/4.19/4.19.10/rhcos-4.19.10-x86_64-live-iso.x86_64.iso"
-      checksum: "sha256:..."
-```
-
 ## Detailed Configuration Reference
 
 ### Network Configuration

docs/DEPLOYMENT_GUIDE.md

@@ -300,6 +300,14 @@
   until: r_configmap_assisted_service is success
 
 - name: Create AgentServiceConfig for disconnected environment
+  vars:
+    _osimages: |
+      {% for v in openshift_versions %}
+      - cpuArchitecture: x86_64
+        openshiftVersion: "{{ v.version }}"
+        url: "http://{{ quayHostname }}/rhcos-{{ v.version }}-x86_64-live-iso.x86_64.iso"
+        version: "{{ lookup('pipe', 'blkid -s LABEL -o value /var/www/html/rhcos-' + v.version + '-x86_64-live-iso.x86_64.iso') | trim }}"
+      {% endfor %}
   kubernetes.core.k8s:
     state: present
     definition:
@@ -325,11 +333,7 @@
           resources:
             requests:
               storage: 40Gi
-        osImages:
-        - cpuArchitecture: x86_64
-          openshiftVersion: "4.20"
-          url: "http://{{ quayHostname }}/rhcos-4.20.0-x86_64-live-iso.x86_64.iso"
-          version: 9.6.20251023-0
+        osImages: "{{ _osimages | from_yaml }}"
   register: r_agentserviceconfig
   retries: "{{ k8s_retries }}"
   delay: "{{ k8s_delay }}"

operators/multicluster-engine/tasks.yaml

@@ -31,16 +31,16 @@
           tags: always
       tags: always
 
-    - name: Download content
-      ansible.builtin.include_tasks:
-        file: tasks/download_content.yaml
-        apply:
-          tags: download-content
-      tags: download-content
-
     - name: Download control binaries
       ansible.builtin.include_tasks:
         file: tasks/download_control_binaries.yaml
         apply:
           tags: download-control-binaries
       tags: download-control-binaries
+
+    - name: Download content
+      ansible.builtin.include_tasks:
+        file: tasks/download_content.yaml
+        apply:
+          tags: download-content
+      tags: download-content

playbooks/01-prepare.yaml

@@ -15,7 +15,6 @@
 - name: Include common configuration
   ansible.builtin.include_vars: "../../defaults/{{ config_file }}"
   loop:
-    - content_images.yaml
     - control_binaries.yaml
     - operators.yaml
     - platforms.yaml

playbooks/common/load-vars.yaml

@@ -1,10 +1,7 @@
 ---
-- name: Download RHCOS live ISOs
-  become: true
-  ansible.builtin.get_url:
-    url: "{{ iso_item.url }}"
-    dest: "/var/www/html/{{ (iso_item.url | ansible.builtin.split('/'))[-1] }}"
-    checksum: "{{ iso_item.checksum }}"
-  loop: "{{ content_images.isos }}"
+- name: Extract RHCOS ISOs from OpenShift release images
+  ansible.builtin.include_tasks:
+    file: download_content_single_version.yaml
+  loop: "{{ openshift_versions }}"
   loop_control:
-    loop_var: iso_item
+    loop_var: version_item

playbooks/tasks/download_content.yaml

@@ -0,0 +1,47 @@
+---
+- name: Check if ISO already exists for {{ version_item.version }}
+  ansible.builtin.stat:
+    path: "/var/www/html/rhcos-{{ version_item.version }}-x86_64-live-iso.x86_64.iso"
+  register: iso_exists
+
+- name: Extract ISO for {{ version_item.version }}
+  when: not iso_exists.stat.exists
+  block:
+    - name: Get machine-os-images digest for {{ version_item.version }}
+      ansible.builtin.command:
+        cmd: >
+          oc adm release info
+          --image-for=machine-os-images
+          quay.io/openshift-release-dev/ocp-release:{{ version_item.version }}-x86_64
+      register: machine_os_image
+      changed_when: false
+
+    - name: Create temporary extraction directory
+      ansible.builtin.tempfile:
+        state: directory
+        prefix: "rhcos-extract-{{ version_item.version }}-"
+      register: temp_extract_dir
+
+    - name: Extract ISO from machine-os-images container
+      ansible.builtin.command:
+        cmd: >
+          oc image extract
+          --registry-config={{ pullSecretPath }}
+          {{ machine_os_image.stdout }}
+          --path /coreos/coreos-x86_64.iso:{{ temp_extract_dir.path }}/
+      changed_when: true
+
+    - name: Move ISO to final location with version-specific name
+      become: true
+      ansible.builtin.copy:
+        src: "{{ temp_extract_dir.path }}/coreos-x86_64.iso"
+        dest: "/var/www/html/rhcos-{{ version_item.version }}-x86_64-live-iso.x86_64.iso"
+        remote_src: true
+        mode: '0644'
+
+  always:
+    - name: Clean up temporary extraction directory
+      ansible.builtin.file:
+        path: "{{ temp_extract_dir.path }}"
+        state: absent
+      when: temp_extract_dir is defined

playbooks/tasks/download_content_single_version.yaml

@@ -8,7 +8,6 @@
 - name: Include common configuration
   ansible.builtin.include_vars: "../../defaults/{{ config_file }}"
   loop:
-    - content_images.yaml
     - control_binaries.yaml
     - operators.yaml
     - platforms.yaml

playbooks/tasks/template_validation/setup.yaml

@@ -14,12 +14,6 @@
     criteria: "{{ lookup('ansible.builtin.file', '../../schemas/catalogs.yaml') | from_yaml | combine(schema_definitions, recursive=True) | to_json }}"
     engine: ansible.utils.jsonschema
 
-- name: validate defaults/content_images.yaml schema
-  ansible.utils.validate:
-    data: "{{ lookup('ansible.builtin.file', '../../defaults/content_images.yaml') | from_yaml | to_json }}"
-    criteria: "{{ lookup('ansible.builtin.file', '../../schemas/content_images.yaml') | from_yaml | combine(schema_definitions, recursive=True) | to_json }}"
-    engine: ansible.utils.jsonschema
-
 - name: validate defaults/control_binaries.yaml schema
   ansible.utils.validate:
     data: "{{ lookup('ansible.builtin.file', '../../defaults/control_binaries.yaml') | from_yaml | to_json }}"