Fetch kni-installer binary from a release payload

.gitignore

@@ -4,6 +4,12 @@ openshift-install.log
 logs/
 config_*.sh
 !config_example.sh
+
+release/release_config_*.sh
+!release/release_config_example.sh
+release/release-kubeconfig
+release/release-pullsecret
+
 assets/generated
 
 # Conditionally created for appropriate environments

03_ocp_repo_sync.sh

@@ -10,8 +10,6 @@ echo "$GOPATH" | lolcat # should print $HOME/go or something like that
 # REPO_PATH is used in sync_repo_and_patch from utils.sh
 export REPO_PATH="$GOPATH/src"
 
-sync_repo_and_patch github.com/openshift-metalkube/kni-installer https://github.com/openshift-metalkube/kni-installer.git
-
 # Build facet
 # FIXME(russellb) - disabled due to build failure related to metal3 rename
 #sync_repo_and_patch github.com/openshift-metalkube/facet https://github.com/openshift-metalkube/facet.git

06_create_cluster.sh

@@ -8,7 +8,7 @@ source common.sh
 source ocp_install_env.sh
 
 # Do some PULL_SECRET sanity checking
-if [[ "${OPENSHIFT_INSTALL_RELEASE_IMAGE_OVERRIDE}" == *"registry.svc.ci.openshift.org"* ]]; then
+if [[ "${OPENSHIFT_RELEASE_IMAGE}" == *"registry.svc.ci.openshift.org"* ]]; then
     if [[ "${PULL_SECRET}" != *"registry.svc.ci.openshift.org"* ]]; then
         echo "Please get a valid pull secret for registry.svc.ci.openshift.org."
         exit 1
@@ -23,6 +23,9 @@ fi
 if [ ! -d ocp ]; then
     mkdir -p ocp
 
+    # Extract openshift-install from the release image
+    extract_installer "${OPENSHIFT_RELEASE_IMAGE}" ocp/
+
     # Create a master_nodes.json file
     jq '.nodes[0:3] | {nodes: .}' "${NODES_FILE}" | tee "${MASTER_NODES_FILE}"
 

Makefile

@@ -1,5 +1,5 @@
-.PHONY: default all requirements configure repo_sync ironic build ocp_run deploy_bmo register_hosts clean ocp_cleanup ironic_cleanup host_cleanup bell
-default: requirements configure repo_sync ironic build ocp_run deploy_bmo register_hosts bell
+.PHONY: default all requirements configure repo_sync ironic ocp_run deploy_bmo register_hosts clean ocp_cleanup ironic_cleanup host_cleanup bell
+default: requirements configure repo_sync ironic ocp_run deploy_bmo register_hosts bell
 
 all: default
 
@@ -15,9 +15,6 @@ repo_sync:
 ironic:
 	./04_setup_ironic.sh
 
-build:
-	./05_build_ocp_installer.sh
-
 ocp_run:
 	./06_create_cluster.sh
 

README.md

@@ -71,14 +71,10 @@ server and download the resources it requires.
 The Ironic container is stored at https://quay.io/repository/metalkube/metalkube-ironic, built from
 https://github.com/metalkube/metalkube-ironic.
 
-- `./05_build_ocp_installer.sh`
-
-These will pull and build the openshift-install and some other things from
-source.
-
 - `./06_create_cluster.sh`
 
-This will run the kni-installer to generate ignition configs for the
+This will extract openshift-install from the OCP release payload and
+run `openshift-install` to generate ignition configs for the
 bootstrap node and the masters.  The installer then launches both the
 bootstrap VM and master nodes using the Terraform providers for libvirt
 and Ironic.  Once bootstrap is complete, the installer removes the
@@ -133,7 +129,7 @@ e.g. to clean and re-install ocp run:
 ```
 ./ocp_cleanup.sh
 rm -fr ocp
-./05_run_ocp.sh
+./06_create_cluster.sh
 ```
 
 Or, you can run `make clean` which will run all of the cleanup steps.

common.sh

@@ -47,7 +47,7 @@ export NUM_MASTERS=${NUM_MASTERS:-"3"}
 export NUM_WORKERS=${NUM_WORKERS:-"1"}
 export VM_EXTRADISKS=${VM_EXTRADISKS:-"false"}
 
-export RHCOS_INSTALLER_IMAGE_URL=$(jq -r '.baseURI' $GOPATH/src/github.com/openshift-metalkube/kni-installer/data/data/rhcos.json)
+export RHCOS_INSTALLER_IMAGE_URL="https://releases-art-rhcos.svc.ci.openshift.org/art/storage/releases/ootpa/410.8.20190508.1/"
 export RHCOS_IMAGE_URL=${RHCOS_IMAGE_URL:-${RHCOS_INSTALLER_IMAGE_URL}}
 
 export RHCOS_IMAGE_FILENAME_OPENSTACK_GZ="$(curl ${RHCOS_IMAGE_URL}/meta.json | jq -r '.images.openstack.path')"

docs/release-payload.md

@@ -0,0 +1,112 @@
+# Publishing a KNI Release Payload
+
+OpenShift publishes a release payload image which includes information
+about cluster operator images and their resource manifests, along with
+references to installer and CLI images. The recommended method for
+obtaining an installer binary is to first choose a release version and
+then use the `oc adm release extract --tools` command to extract the
+installer binary from the release payload.
+
+Since KNI has temporarily forked the installer, we build custom and
+publish custom release payloads that include a reference to the forked
+installer.
+
+## Preparation and Configuration
+
+We build and publish within a namespace on an OpenShift
+cluster. First, prepare a `kubeconfig` with credentials to this
+cluster, and with the desired namespace set as the default:
+
+```
+$ oc --config=release-kubeconfig login https://api.ci.openshift.org --token=...
+$ oc --config=release-kubeconfig new-project kni
+$ oc --config=release-kubeconfig project kni
+$ oc --config=release-kubeconfig adm policy add-role-to-user admin <other admin>
+````
+
+We need a docker registry credentials file which contains credentials
+for the registry on this OpenShift cluster:
+
+```
+$ oc --config=release-kubeconfig registry login --to=release-pullsecret
+```
+
+But also, we need credentials for any registry hosting images
+referenced from release payloads (e.g. ```quay.io```)
+
+```
+$ TOKEN=$((. ../config_$USER.sh && echo $PULL_SECRET) 2>/dev/null | jq -r '.auths["quay.io"].auth' | base64 -d)
+$ podman login --authfile=release-pullsecret -u ${TOKEN%:*} -p ${TOKEN#*:} quay.io
+```
+
+Images are published to imagestream tags, and we need an image stream
+for our installer builds and our custom release payloads:
+
+```
+$ oc --config=release-kubeconfig create imagestream release
+$ oc --config=release-kubeconfig create imagestream installer
+```
+
+We need to create a ```docker-registry``` secret so the image stream
+can import referenced images:
+
+```
+$ oc --config=release-kubeconfig \
+    create secret docker-registry quay-pullsecret \
+    --docker-server=quay.io \
+    --docker-username=${TOKEN%:*} \
+    --docker-password=${TOKEN#*:}
+```
+
+Finally, create a ```release_config_$USER.sh``` file with information
+about all of the above:
+
+```
+$ cat > release_config_$USER.sh <<EOF
+RELEASE_NAMESPACE=kni
+RELEASE_STREAM=release
+INSTALLER_STREAM=installer
+RELEASE_KUBECONFIG=release-kubeconfig
+RELEASE_PULLSECRET=release-pullsecret
+INSTALLER_GIT_URI=https://github.com/openshift-metal3/kni-installer.git
+INSTALLER_GIT_REF=master
+EOF
+```
+
+## Building an Installer and Payload
+
+When we want to move to a newer OpenShift release, we pick a release
+payload:
+
+```
+$ oc adm release info quay.io/openshift-release-dev/ocp-release:4.1.0-rc.3 -a release-pullsecret -o json | jq -r .metadata.version
+4.1.0-rc.3
+```
+
+Next, rebase ```openshift-metal3/kni-installer``` to the
+```openshift/installer``` commit referenced by that payload:
+
+```
+$ oc adm release info -a release-pullsecret -o json \
+    quay.io/openshift-release-dev/ocp-release:4.1.0-rc.3 | \
+    jq -r '.references.spec.tags[] | select(.name == "installer") | .annotations["io.openshift.build.commit.id"]'
+403a93d1f683384800597ac38e9c2fc0180b3a5d
+```
+
+And then kick off a build, with the resulting image tagged into the
+installer image stream using the supplied version as the tag:
+
+```
+$ ./build_installer.sh 4.1.0-rc.3-kni.0
+```
+
+Now, finally, we can build a new payload referencing our installer,
+and tag it into the release imagestream:
+
+```
+$ ./prep_release.sh \
+    4.1.0-rc.3-kni.1 \
+    quay.io/openshift-release-dev/ocp-release:4.1.0-rc.3 \
+    installer=registry.svc.ci.openshift.org/kni/installer:4.1.0-rc.3-kni.0 \
+    baremetal-machine-controllers=quay.io/openshift-metal3/baremetal-machine-controllers@sha256:1faf4a863b261c948f5f38c148421603f51c74cbf44142882826ee6cb37d8bd3
+```

ocp_cleanup.sh

@@ -9,8 +9,8 @@ sudo systemctl stop fix_certs.timer
 systemctl is-failed fix_certs.service >/dev/null && sudo systemctl reset-failed fix_certs.service
 
 if [ -d ocp ]; then
-    $GOPATH/src/github.com/openshift-metalkube/kni-installer/bin/kni-install --dir ocp --log-level=debug destroy bootstrap
-    $GOPATH/src/github.com/openshift-metalkube/kni-installer/bin/kni-install --dir ocp --log-level=debug destroy cluster
+    ocp/openshift-install --dir ocp --log-level=debug destroy bootstrap
+    ocp/openshift-install --dir ocp --log-level=debug destroy cluster
     rm -rf ocp
 fi
 

ocp_install_env.sh

@@ -13,7 +13,7 @@ export EXTERNAL_SUBNET="192.168.111.0/24"
 # The release we default to here is pinned and known to work with our current
 # version of kni-installer.
 #
-export OPENSHIFT_INSTALL_RELEASE_IMAGE_OVERRIDE="registry.svc.ci.openshift.org/kni/release:4.1.0-rc.3-kni.0"
+export OPENSHIFT_RELEASE_IMAGE="registry.svc.ci.openshift.org/kni/release:4.1.0-rc.3-kni.1"
 
 function generate_ocp_install_config() {
     local outdir

release/build_installer.sh

@@ -0,0 +1,79 @@
+#!/usr/bin/env bash
+set -xe
+
+#
+# Build a new installer image
+#
+# See release_config_example.sh for required configuration steps
+#
+
+SCRIPTDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+USER=`whoami`
+
+# Get variables from the config file
+if [ -z "${RELEASE_CONFIG:-}" ]; then
+    # See if there's a release_config_$USER.sh in the SCRIPTDIR
+    if [ -f "${SCRIPTDIR}/release_config_${USER}.sh" ]; then
+        echo "Using RELEASE_CONFIG ${SCRIPTDIR}/release_config_${USER}.sh"
+        RELEASE_CONFIG="${SCRIPTDIR}/release_config_${USER}.sh"
+    else
+        echo "Please run with a configuration environment set." >&2
+        echo "eg RELEASE_CONFIG=release_config_example.sh $0" >&2
+        exit 1
+    fi
+fi
+source $RELEASE_CONFIG
+
+INSTALLER_VERSION="$1"
+if [ -z "${INSTALLER_VERSION}" ]; then
+    echo "usage: $0 <installer version>" >&2
+    echo "example: $0 4.0.0-0.9" >&2
+    exit 1
+fi
+
+echo "Building kni-installer from ${INSTALLER_GIT_URI}:${INSTALLER_GIT_REF} to ${INSTALLER_STREAM}:${INSTALLER_VERSION}"
+
+# Check prerequisites
+if [ $(oc --config "${RELEASE_KUBECONFIG}" project -q) != "${RELEASE_NAMESPACE}" ]; then
+    echo "Wrong namespace configured, run 'oc --config ${RELEASE_KUBECONFIG} project ${RELEASE_NAMESPACE}'" >&2
+    exit 1
+fi
+
+if ! oc --config "${RELEASE_KUBECONFIG}" get imagestream "${INSTALLER_STREAM}" 2>/dev/null; then
+    echo "No '${INSTALLER_STREAM}' imagestream in '${RELEASE_NAMESPACE}' namespace" >&2
+    exit 1
+fi
+
+oc --config "${RELEASE_KUBECONFIG}" apply -f - <<EOF
+apiVersion: build.openshift.io/v1
+kind: Build
+metadata:
+  name: kni-installer-${INSTALLER_VERSION}
+spec:
+  source:
+    type: Git
+    git:
+      uri: ${INSTALLER_GIT_URI}
+      ref: ${INSTALLER_GIT_REF}
+  strategy:
+    type: Docker
+    dockerStrategy:
+      imageOptimizationPolicy: SkipLayers
+      dockerfilePath: images/baremetal/Dockerfile.ci
+  output:
+    to:
+      kind: ImageStreamTag
+      name: ${INSTALLER_STREAM}:${INSTALLER_VERSION}
+EOF
+
+BUILD_POD=$(oc --config "${RELEASE_KUBECONFIG}" get build "kni-installer-${INSTALLER_VERSION}" -o json | jq -r '.metadata.annotations["openshift.io/build.pod-name"]')
+oc --config "${RELEASE_KUBECONFIG}" wait --for condition=Ready pod "${BUILD_POD}"
+oc --config "${RELEASE_KUBECONFIG}" logs -f "${BUILD_POD}"
+
+BUILD_PHASE=$(oc --config release-kubeconfig get build "kni-installer-${INSTALLER_VERSION}" -o json | jq -r .status.phase)
+if [ "${BUILD_PHASE}" = "Complete" ]; then
+    BUILD_OUTPUT=$(oc --config release-kubeconfig get build "kni-installer-${INSTALLER_VERSION}" -o json | jq -r .status.output.to.imageDigest)
+    echo "Installer built to ${BUILD_OUTPUT}"
+else
+    echo "Installer build failed? Build phase is ${BUILD_PHASE}"
+fi