Merge pull request ocp-power-automation#176 from sajauddin/disconnect…

…-upgrade Upgrading restricted network OCP cluster
varad-ahirwadkar · Feb 1, 2023 · 909ef46 · 909ef46
2 parents 5376053 + 89ab0ed
commit 909ef46
Show file tree

Hide file tree

Showing 4 changed files with 113 additions and 12 deletions.
diff --git a/playbooks/roles/ocp-upgrade/README.md b/playbooks/roles/ocp-upgrade/README.md
@@ -5,6 +5,8 @@ This module will upgrade an existing OCP cluster based on upgrade_version or upg
 
 For intermediate EUS upgrade please use eus variables and use other variables for final upgrade. 
 
+Restricted network OCP cluster can be upgraded by providing parameters restricted_network_upgrade, upgrade_version, architecture, local_secret, local_registry and local repository.
+
 Requirements
 ------------
 
@@ -13,17 +15,22 @@ Requirements
 Role Variables
 --------------
 
-| Variable        | Required | Default    | Comments                                                      |
-|-----------------|----------|------------|---------------------------------------------------------------|
-| eus_upgrade_version | no   | ""         | Set to a specific version eg. 4.11.3                          |
-| eus_upgrade_channel | no   | ""         | Set to channel having required upgrade version available for cluster upgrade (stable-4.x, fast-4.x, candidate-4.x, eus-4.x) eg. stable-4.11     |
-| eus_upgrade_image   | no   | ""         | Set to OCP upgrade image eg. quay.io/openshift-release-dev/ocp-release@sha256:12345..   |
-| eus_upstream        | no   | ""         | Set the URL for OCP update server eg. https://ppc64le.ocp.releases.ci.openshift.org/graph   |
-| upgrade_version | no       | ""         | Set to a specific version eg. 4.5.4                        |
-| upgrade_channel | no       | ""         | Set to channel having required upgrade version available for cluster upgrade (stable-4.x, fast-4.x, candidate-4.x) eg. stable-4.5 |
-| upgrade_image   | no       | ""         | Set to OCP upgrade image eg. quay.io/openshift-release-dev/ocp-release@sha256:12345.. |
-| pause_time      | no       | 90         | Pauses playbook execution for a set amount of time in minutes |
-| delay_time      | no       | 600        | Number of seconds to wait before starting to poll             |
+| Variable                   | Required | Default           | Comments                                              |
+|----------------------------|----------|-------------------|-------------------------------------------------------|
+| eus_upgrade_version        | no       | ""                | Set to a specific version eg. 4.11.3                  |
+| eus_upgrade_channel        | no       | ""                | Set to channel having required upgrade version available for cluster upgrade (stable-4.x, fast-4.x, candidate-4.x, eus-4.x) eg. stable-4.11     |
+| eus_upgrade_image          | no       | ""                | Set to OCP upgrade image eg. quay.io/openshift-release-dev/ocp-release@sha256:12345..   |
+| eus_upstream               | no       | ""                | Set the URL for OCP update server eg. https://ppc64le.ocp.releases.ci.openshift.org/graph   |
+| upgrade_version            | no       | ""                | Set to a specific version eg. 4.5.4                   |
+| upgrade_channel            | no       | ""                | Set to channel having required upgrade version available for cluster upgrade (stable-4.x, fast-4.x, candidate-4.x) eg. stable-4.5 |
+| upgrade_image              | no       | ""                | Set to OCP upgrade image eg. quay.io/openshift-release-dev/ocp-release@sha256:12345.. |
+| pause_time                 | no       | 90                | Pauses playbook execution for a set amount of time in minutes |
+| delay_time                 | no       | 600               | Number of seconds to wait before starting to poll     |
+| restricted_network_upgrade | no       | false             | Set to true to upgrade the restricted network cluster |
+| architecture               | no       | "ppc64le"         | Architecture of the cluster.                          |
+| local_secret               | no       | ""                | Path to pull secret of the registry                   |
+| local_registry             | no       | ""                | Specify the local registry name along with port for your mirror repository eg. registry.test-ocp-600b.ibm.com:5000 |
+| local_repository           | no       | "ocp4/openshift4" | Name of the repository to create in your registry eg. ocp4/openshift4 |
 
 Note: If eus_upgrade_channel is set to the eus channel then no need to set upgrade_channel.
 

diff --git a/playbooks/roles/ocp-upgrade/defaults/main.yaml b/playbooks/roles/ocp-upgrade/defaults/main.yaml
@@ -10,4 +10,8 @@ upgrade_channel: ""
 upgrade_image: ""
 pause_time: 90
 delay_time: 600
-
+restricted_network_upgrade: false
+architecture: "ppc64le"
+local_secret: ""
+local_registry: ""
+local_repository: "ocp4/openshift4"
diff --git a/playbooks/roles/ocp-upgrade/tasks/main.yaml b/playbooks/roles/ocp-upgrade/tasks/main.yaml
@@ -29,6 +29,7 @@
   when:
   - upgrade_version != "" and upgrade_image == ""
   - eus_upgrade_channel == "" and eus_upgrade_image == ""
+  - not restricted_network_upgrade
 
 - name: Upgrade ocp using a release image
   block:
@@ -50,9 +51,17 @@
   when: 
   - upgrade_image != ""
   - eus_upgrade_channel == "" and eus_upgrade_image == ""
+  - not restricted_network_upgrade
 
 - name: EUS to EUS upgrades 
   include_tasks: "{{ role_path }}/tasks/eus_upgrades.yaml"
   when: >
       (eus_upgrade_channel != "" or eus_upgrade_image != "") and
       ("eus" in eus_upgrade_channel or (upgrade_version != "" or upgrade_image != "" or upgrade_channel != ""))
+
+- name: Update restricted network ocp cluster
+  include_tasks: "{{ role_path }}/tasks/restricted_network_upgrade.yaml"
+  when:
+    - restricted_network_upgrade
+    - upgrade_version != ""
+    - local_registry != "" and local_repository != "" and local_secret != "" 
diff --git a/playbooks/roles/ocp-upgrade/tasks/restricted_network_upgrade.yaml b/playbooks/roles/ocp-upgrade/tasks/restricted_network_upgrade.yaml
@@ -0,0 +1,81 @@
+---
+
+# tasks for updating a restricted network ocp cluster
+
+- name: Get count of paused machine config pools
+  shell: |
+    oc get mcp -ojson | jq ".items[].spec.paused" | grep -i true | wc -l
+  register: paused_mcps_count
+
+- name: Warn if machine config pools are paused
+  debug:
+    msg: "One or more Machine config pools appears paused. Nodes associated with a paused MCP are skipped during the update process."
+  when: 0 < paused_mcps_count.stdout|int
+
+- name: Set ocp image url
+  set_fact:
+    upgrade_image_url: "quay.io/openshift-release-dev/ocp-release:{{ upgrade_version }}-{{ architecture }}"
+
+- name: set image directory
+  set_fact:
+    repo_image_dir: "{{ lookup('env','HOME') }}/ocp_repo_image"
+
+- name: Create repo image directory
+  file:
+    path: "{{ repo_image_dir }}"
+    state: directory
+    mode: '0755'
+
+- name: Mirror images and configuration manifests to a directory
+  shell: |
+    oc adm release mirror -a {{ local_secret }} --to-dir={{ repo_image_dir }}/mirror --from={{ upgrade_image_url }}
+
+- name: Get sha key of the image
+  shell: |
+    oc image info {{ upgrade_image_url }} | grep "Digest:"|cut -d ':' -f 3
+  register: upgrade_image_sha_key
+
+- name: Upload images to local container registry
+  shell: |
+    oc image mirror -a {{ local_secret }} --from-dir={{ repo_image_dir }}/mirror "file://openshift/release:{{ upgrade_version }}*" {{ local_registry }}/{{ local_repository }}
+
+- name: Apply mirrored release image signature config
+  shell: |
+    oc apply -f {{ repo_image_dir }}/mirror/config/signature-sha256-{{ upgrade_image_sha_key.stdout[:16] }}.yaml
+
+- name: Get the OCP version 
+  kubernetes.core.k8s_info:
+    kind: ClusterVersion
+    name: version
+  register: ocp_version
+
+- name: Providing the administrator acknowledgement for 4.8 to 4.9 upgrades
+  kubernetes.core.k8s:
+    state: present
+    definition:
+      kind: ConfigMap
+      metadata:
+        name: admin-acks
+        namespace: openshift-config
+      data:
+        ack-4.8-kube-1.22-api-removals-in-4.9: "true"
+  when: ocp_version.resources[0].status.history[0].version | regex_search('4.8') == "4.8"
+
+- name: Upgrade ocp and check for its completion
+  block:
+  - name: Upgrade ocp using a release image from local repository
+    shell: |
+      oc adm upgrade --allow-explicit-upgrade --to-image {{ local_registry }}/{{ local_repository }}@sha256:{{ upgrade_image_sha_key.stdout }}
+
+  - name: Waiting until upgrade completes
+    pause:
+      minutes: "{{ pause_time }}"
+
+  - name: Check for upgrade completion
+    shell: |
+      oc get clusterversion -o json|jq ".items[0].status.history[0].state"
+    register: state
+    until: state.stdout | replace('\"', '') == "Completed"
+    retries: 5
+    delay: "{{ delay_time }}"
+