introduce operator update functionality

Author: maorfr

defaults/operators.yaml

@@ -2,62 +2,73 @@
 operators:
 
   - name: quay-operator
+    version: 3.15.2
     defaultChannel: stable-3.15
     channels:
     - name: stable-3.15
     namespace: quay-enterprise
     source: cs-redhat-operator-index-v4-20
 
   - name: multicluster-engine
+    version: 2.10.1
     defaultChannel: stable-2.10
     channels:
     - name: stable-2.10
     namespace: multicluster-engine
     source: cs-redhat-operator-index-v4-20
 
   - name: advanced-cluster-management
+    version: 2.15.1
     defaultChannel: release-2.15
     channels:
     - name: release-2.15
     namespace: open-cluster-management
     source: cs-redhat-operator-index-v4-20
 
   - name: cincinnati-operator
+    version: 5.0.3
     defaultChannel: v1
     channels:
     - name: v1
     namespace: openshift-update-service
     source: cs-redhat-operator-index-v4-20
+    csvName: update-service-operator
 
   - name: openshift-gitops-operator
+    version: 1.19.1
     defaultChannel: gitops-1.19
     channels:
     - name: gitops-1.19
     namespace: openshift-operators
     source: cs-redhat-operator-index-v4-20
 
   - name: openshift-pipelines-operator-rh
+    version: 1.20.2
     defaultChannel: pipelines-1.20
     channels:
     - name: pipelines-1.20
     namespace: openshift-operators
     source: cs-redhat-operator-index-v4-20
 
   - name: netobserv-operator
+    version: 1.10.1
     defaultChannel: stable
     channels:
     - name: stable
     namespace: openshift-operators
     source: cs-redhat-operator-index-v4-20
+    csvName: network-observability-operator
 
   - name: cluster-logging
+    version: 6.4.1
     defaultChannel: stable-6.4
     channels:
     - name: stable-6.4
     namespace: openshift-logging
     source: cs-redhat-operator-index-v4-20
 
   - name: loki-operator
+    version: 6.4.1
     defaultChannel: stable-6.4
     channels:
     - name: stable-6.4
@@ -66,43 +77,52 @@ operators:
     disableTargetNamespace: true
 
   - name: redhat-oadp-operator
+    version: 1.5.3
     defaultChannel: stable
     channels:
     - name: stable
     namespace: openshift-oadp
     source: cs-redhat-operator-index-v4-20
+    csvName: oadp-operator
 
   - name: openshift-cert-manager-operator
+    version: 1.18.1
     defaultChannel: stable-v1
     channels:
     - name: stable-v1
     - name: stable-v1.18
     namespace: cert-manager-operator
     source: cs-redhat-operator-index-v4-20
+    csvName: cert-manager-operator
 
   - name: cluster-observability-operator
+    version: 1.3.1
     defaultChannel: stable
     channels:
     - name: stable
     namespace: openshift-operators
     source: cs-redhat-operator-index-v4-20
 
   - name: openshift-external-secrets-operator
+    version: 1.0.0
     defaultChannel: stable-v1.0
     channels:
     - name: stable-v1.0
     namespace: external-secrets-operator
     source: cs-redhat-operator-index-v4-20
     disableTargetNamespace: true
+    csvName: external-secrets-operator
 
   - name: compliance-operator
+    version: 1.8.2
     defaultChannel: stable
     channels:
     - name: stable
     namespace: openshift-compliance
     source: cs-redhat-operator-index-v4-20
 
   - name: metallb-operator
+    version: 4.20.0-202601271911
     defaultChannel: stable
     channels:
     - name: stable
@@ -112,9 +132,11 @@ operators:
 
   # AAP is a dependency for osac-operator
   - name: ansible-automation-platform-operator
+    version: 2.5.0-0.1768928092
     defaultChannel: stable-2.5-cluster-scoped
     channels:
     - name: stable-2.5-cluster-scoped
     namespace: ansible-aap
     source: cs-redhat-operator-index-v4-20
     disableTargetNamespace: true
+    csvName: aap-operator

defaults/storage_operators.yaml

@@ -8,6 +8,7 @@ storage_operators:  # Install operator depending blockStorageBackend variable
     source: cs-redhat-operator-index-v4-20
   lvms:
     name: lvms-operator
+    version: 4.20.0
     defaultChannel: stable-4.20
     channels:
     - name: stable-4.20

operators/openshift-pipelines-operator-rh/operator_update_pipeline.yaml

@@ -0,0 +1,128 @@
+---
+- name: Get OpenShift CLI image from OpenShift release
+  ansible.builtin.command: >
+    {{ rootDir }}/bin/oc adm release info --registry-config={{ rootDir }}/config/pull-secret.json --image-for cli
+    quay.io/openshift-release-dev/ocp-release:{{ mgmt_openshift_version }}-x86_64
+  register: r_oc_cli_image
+  changed_when: false
+
+- name: Set image facts
+  ansible.builtin.set_fact:
+    oc_cli_image: "{{ r_oc_cli_image.stdout }}"
+
+- name: Create Operator Update ServiceAccount
+  kubernetes.core.k8s:
+    state: present
+    definition:
+      apiVersion: v1
+      kind: ServiceAccount
+      metadata:
+        name: operator-update
+        namespace: openshift-pipelines
+
+- name: Create Operator Update ClusterRole
+  kubernetes.core.k8s:
+    state: present
+    definition:
+      apiVersion: rbac.authorization.k8s.io/v1
+      kind: ClusterRole
+      metadata:
+        name: operator-update
+      rules:
+        - apiGroups: ["operators.coreos.com"]
+          resources: ["clusterserviceversions", "installplans"]
+          verbs: ["get", "list", "patch", "update", "watch"]
+
+- name: Create Operator Update ClusterRoleBinding
+  kubernetes.core.k8s:
+    state: present
+    definition:
+      apiVersion: rbac.authorization.k8s.io/v1
+      kind: ClusterRoleBinding
+      metadata:
+        name: operator-update
+      subjects:
+        - kind: ServiceAccount
+          name: operator-update
+          namespace: openshift-pipelines
+      roleRef:
+        kind: ClusterRole
+        name: operator-update
+        apiGroup: rbac.authorization.k8s.io
+
+- name: Create Operator Update Task
+  kubernetes.core.k8s:
+    state: present
+    definition:
+      apiVersion: tekton.dev/v1
+      kind: Task
+      metadata:
+        name: operator-update
+        namespace: openshift-pipelines
+      spec:
+        params:
+          - name: dry-run
+            description: "If true, only identifies pending updates"
+            type: string
+            default: "false"
+        results:
+          - name: exit-code
+            description: "Success of operator version update (exit code)"
+          - name: status-report
+            description: "Report of operator version updates"
+        workspaces:
+          - name: shared-data
+        steps:
+          - name: generate-script
+            image: "{{ oc_cli_image }}"
+            workingDir: $(workspaces.shared-data.path)
+            script: |
+                #!/bin/bash
+
+                cat <<EOF > operator_update.py
+                {{ lookup('ansible.builtin.file', '../scripts/operator_update.py') }}
+                EOF
+          - name: operator-update
+            image: "{{ oc_cli_image }}"
+            workingDir: $(workspaces.shared-data.path)
+            script: |
+                #!/bin/bash
+
+                python ./operator_update.py "{{ [storage_operators[blockStorageBackend]] + operators }}" "$(params.dry-run)" > $(results.status-report.path)
+                echo -n $? > $(results.exit-code.path)
+
+- name: Create Operator Update Pipeline
+  kubernetes.core.k8s:
+    state: present
+    definition:
+      apiVersion: tekton.dev/v1
+      kind: Pipeline
+      metadata:
+        name: operator-update
+        namespace: openshift-pipelines
+      spec:
+        params:
+          - name: dry-run
+            type: string
+            description: "If true, only identifies pending updates"
+            default: "false"
+        results:
+          - name: exit-code
+            description: "Success of operator version update (exit code)"
+            value: $(tasks.operator-update.results.exit-code)
+          - name: status-report
+            description: "Report of operator version updates"
+            value: $(tasks.operator-update.results.status-report)
+        workspaces:
+          - name: shared-data
+        tasks:
+          - name: operator-update
+            workspaces:
+              - name: shared-data
+                workspace: shared-data
+            taskRef:
+              name: operator-update
+            params:
+              - name: dry-run
+                value: $(params.dry-run)
+            timeout: "2h"

operators/openshift-pipelines-operator-rh/tasks.yaml

@@ -14,3 +14,7 @@
   until: r_tekton_config_info is success
   retries: 120
   delay: 30
+
+- name: Create Operator Update Pipeline
+  ansible.builtin.include_tasks:
+    file: operator_update_pipeline.yaml

playbooks/tasks/configure_operator.yaml

@@ -67,18 +67,21 @@
         name: "{{ operator.name }}"
         namespace: "{{ operator.namespace }}"
       spec:
-        installPlanApproval: Automatic
+        installPlanApproval: "{{ 'Automatic' if operator.namespace == 'openshift-operators' else 'Manual' }}"
         channel: "{{ operator.defaultChannel }}"
         name: "{{ operator.name }}"
         source: "{{ operator.source if (disconnected | default(true)) else 'redhat-operators' }}"
         sourceNamespace: openshift-marketplace
+        startingCSV: "{{ operator.csvName | default(operator.name) }}.v{{ operator.version }}"
   register: r_sub_exists
   retries: 6
   delay: 5
   until: r_sub_exists is success
 
 - name: "Get Installed CSV ({{ operator.name }})"
-  when: r_sub_check.resources | length == 0
+  when:
+    - r_sub_check.resources | length == 0
+    - operator.namespace == "openshift-operators"
   kubernetes.core.k8s_info:
     api_version: operators.coreos.com/v1alpha1
     kind: Subscription
@@ -92,7 +95,9 @@
   - r_subscription.resources[0].status.currentCSV | length > 0
 
 - name: "Wait until CSV is installed"
-  when: r_sub_check.resources | length == 0
+  when:
+    - r_sub_check.resources | length == 0
+    - operator.namespace == "openshift-operators"
   kubernetes.core.k8s_info:
     api_version: operators.coreos.com/v1alpha1
     kind: ClusterServiceVersion

playbooks/tasks/configure_operators.yaml

@@ -13,6 +13,18 @@
       loop_control:
         loop_var: operator
 
+    - name: Pause for 3 minutes for InstallPlans to be created
+      ansible.builtin.pause:
+        minutes: 3
+
+    - name: "Update operator versions"
+      ansible.builtin.shell: |
+        python ../scripts/operator_update.py "{{ [storage_operators[blockStorageBackend]] + operators }}" "False"
+
+    - name: Print the output
+      ansible.builtin.debug:
+        var: operator_update_result.stdout_lines
+
     - name: Include specific tasks for the operators
       ansible.builtin.include_tasks: "../../operators/{{ operator.name }}/tasks.yaml"
       loop: "{{ [storage_operators[blockStorageBackend]] + operators }}"

schemas/operators.yaml

@@ -10,6 +10,9 @@ definitions:
       name:
         type: string
         description: Operator package name as it appears in the catalog.
+      version:
+        type: string
+        description: Operator version.
       defaultChannel:
         type: string
         description: Default update channel for the operator.
@@ -31,6 +34,9 @@ definitions:
       source:
         type: string
         description: Catalog source name (from oc-mirror configuration).
+      csvName:
+        type: string
+        description: ClusterServiceVersion name for the operator.
       disableTargetNamespace:
         type: boolean
         description: configure operator to watch a specific namespace or to watch the entire cluster