diff --git a/.tekton/hive-pull-request.yaml b/.tekton/hive-pull-request.yaml
index aa4ed7f7491..582a044ca8d 100644
--- a/.tekton/hive-pull-request.yaml
+++ b/.tekton/hive-pull-request.yaml
@@ -223,9 +223,9 @@ spec:
 taskRef:
 params:
 - name: name
- value: buildah-10gb
+ value: buildah-20gb
 - name: bundle
- value: quay.io/redhat-appstudio-tekton-catalog/task-buildah-10gb:0.1
+ value: quay.io/redhat-appstudio-tekton-catalog/task-buildah-20gb:0.1
 - name: kind
 value: task
 resolver: bundles
diff --git a/.tekton/hive-push.yaml b/.tekton/hive-push.yaml
index 80b30530089..e6bd083b149 100644
--- a/.tekton/hive-push.yaml
+++ b/.tekton/hive-push.yaml
@@ -220,9 +220,9 @@ spec:
 taskRef:
 params:
 - name: name
- value: buildah-10gb
+ value: buildah-20gb
 - name: bundle
- value: quay.io/redhat-appstudio-tekton-catalog/task-buildah-10gb:0.1
+ value: quay.io/redhat-appstudio-tekton-catalog/task-buildah-20gb:0.1
 - name: kind
 value: task
 resolver: bundles
diff --git a/Dockerfile b/Dockerfile
index 3c86a09a605..aa269fec514 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,25 +1,36 @@
-FROM registry.ci.openshift.org/openshift/release:rhel-8-release-golang-1.21-openshift-4.16 as builder
+FROM registry.ci.openshift.org/openshift/release:rhel-8-release-golang-1.21-openshift-4.16 as builder_rhel8
 RUN mkdir -p /go/src/github.com/openshift/hive
 WORKDIR /go/src/github.com/openshift/hive
 COPY . .
+RUN dnf -y install git python3-pip
 RUN make build
-FROM quay.io/centos/centos:stream9
+FROM registry.ci.openshift.org/openshift/release:rhel-9-release-golang-1.21-openshift-4.16 as builder_rhel9
+RUN mkdir -p /go/src/github.com/openshift/hive
+WORKDIR /go/src/github.com/openshift/hive
+COPY . .
+RUN dnf -y install git python3-pip
+RUN make build
-ARG DNF=dnf
+FROM registry.redhat.io/rhel9-4-els/rhel:9.4
-RUN $DNF -y update && $DNF clean all
+RUN dnf -y update && dnf clean all
 # ssh-agent required for gathering logs in some situations:
-RUN if ! rpm -q openssh-clients; then $DNF install -y openssh-clients && $DNF clean all && rm -rf /var/cache/dnf/*; fi
+RUN if ! rpm -q openssh-clients; then dnf install -y openssh-clients && dnf clean all && rm -rf /var/cache/dnf/*; fi
 # libvirt libraries required for running bare metal installer.
-RUN if ! rpm -q libvirt-libs; then $DNF install -y libvirt-libs && $DNF clean all && rm -rf /var/cache/dnf/*; fi
+RUN if ! rpm -q libvirt-libs; then dnf install -y libvirt-libs && dnf clean all && rm -rf /var/cache/dnf/*; fi
+
+# tar is needed to package must-gathers on install failure
+RUN if ! which tar; then dnf install -y tar && dnf clean all && rm -rf /var/cache/dnf/*; fi
+
+COPY --from=builder_rhel9 /go/src/github.com/openshift/hive/bin/manager /opt/services/
+COPY --from=builder_rhel9 /go/src/github.com/openshift/hive/bin/hiveadmission /opt/services/
+COPY --from=builder_rhel9 /go/src/github.com/openshift/hive/bin/operator /opt/services/hive-operator
-COPY --from=builder /go/src/github.com/openshift/hive/bin/manager /opt/services/
-COPY --from=builder /go/src/github.com/openshift/hive/bin/hiveadmission /opt/services/
-COPY --from=builder /go/src/github.com/openshift/hive/bin/hiveutil /usr/bin
-COPY --from=builder /go/src/github.com/openshift/hive/bin/operator /opt/services/hive-operator
+COPY --from=builder_rhel8 /go/src/github.com/openshift/hive/bin/hiveutil /usr/bin/hiveutil.rhel8
+COPY --from=builder_rhel9 /go/src/github.com/openshift/hive/bin/hiveutil /usr/bin/hiveutil
 # Hacks to allow writing known_hosts, homedir is / by default in OpenShift.
 # Bare metal installs need to write to $HOME/.cache, and $HOME/.ssh for as long as
@@ -30,17 +41,9 @@ RUN mkdir -p /home/hive && \
 chgrp -R 0 /home/hive && \
 chmod -R g=u /home/hive
-# This is so that we can write source certificate anchors during container start up.
-RUN mkdir -p /etc/pki/ca-trust/source/anchors && \
- chgrp -R 0 /etc/pki/ca-trust/source/anchors && \
- chmod -R g=u /etc/pki/ca-trust/source/anchors
-
-# This is so that we can run update-ca-trust during container start up.
-RUN mkdir -p /etc/pki/ca-trust/extracted/openssl && \
- mkdir -p /etc/pki/ca-trust/extracted/pem && \
- mkdir -p /etc/pki/ca-trust/extracted/java && \
- chgrp -R 0 /etc/pki/ca-trust/extracted && \
- chmod -R g=u /etc/pki/ca-trust/extracted
+RUN mkdir -p /output/hive-trusted-cabundle && \
+ chgrp -R 0 /output/hive-trusted-cabundle && \
+ chmod -R g=u /output/hive-trusted-cabundle
 # TODO: should this be the operator?
 ENTRYPOINT ["/opt/services/manager"]
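Review bot: `RUN mkdir -p /output/hive-trusted-cabundle` in the second hunk creates the directory in the image layer, but InstallCerts (contrib/pkg/utils/generic.go in this commit) writes there at runtime and /output is also the path the provision pod uses as its shared work directory; if /output is a volume mount in that pod, the image-layer directory is shadowed and the runtime copy has to create it itself, so the runtime side should not rely on this RUN. That is inferred from the paths rather than visible here, so it is worth confirming against the pod's volume mounts. Since update-ca-trust is no longer run, only consumers that honour SSL_CERT_DIR will see anchors placed in this directory, and a comment above the RUN should say so, e.g. `# Extra CA anchors are copied here at runtime and consumed via SSL_CERT_DIR (set in pkg/install/generate.go); they are NOT merged into the system trust store.` In the first hunk the builder_rhel8 and builder_rhel9 stages are identical apart from the base image; a one-line comment above them explaining why a RHEL 8 hiveutil is still built (it is copied to /usr/bin/hiveutil.rhel8 and selected at runtime by the installer image's RHEL major) would save the next reader from deleting the "duplicate" stage.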
diff --git a/Dockerfile.ubi b/Dockerfile.ubi
deleted file mode 100644
index 1d0d3af242b..00000000000
--- a/Dockerfile.ubi
+++ /dev/null
@@ -1,49 +0,0 @@
-FROM registry.ci.openshift.org/openshift/release:rhel-8-release-golang-1.21-openshift-4.16 as builder
-RUN mkdir -p /go/src/github.com/openshift/hive
-WORKDIR /go/src/github.com/openshift/hive
-COPY . .
-RUN make build
-
-FROM registry.access.redhat.com/ubi8/ubi-minimal
-
-ARG DNF=microdnf
-
-RUN $DNF -y update && $DNF clean all
-
-# ssh-agent required for gathering logs in some situations:
-RUN if ! rpm -q openssh-clients; then $DNF install -y openssh-clients && $DNF clean all && rm -rf /var/cache/dnf/*; fi
-
-# libvirt libraries required for running bare metal installer.
-RUN if ! rpm -q libvirt-libs; then $DNF install -y libvirt-libs && $DNF clean all && rm -rf /var/cache/dnf/*; fi
-
-# tar is needed to package must-gathers on install failure
-RUN if ! which tar; then $DNF install -y tar && $DNF clean all && rm -rf /var/cache/dnf/*; fi
-
-COPY --from=builder /go/src/github.com/openshift/hive/bin/manager /opt/services/
-COPY --from=builder /go/src/github.com/openshift/hive/bin/hiveadmission /opt/services/
-COPY --from=builder /go/src/github.com/openshift/hive/bin/hiveutil /usr/bin
-COPY --from=builder /go/src/github.com/openshift/hive/bin/operator /opt/services/hive-operator
-
-# Hacks to allow writing known_hosts, homedir is / by default in OpenShift.
-# Bare metal installs need to write to $HOME/.cache, and $HOME/.ssh for as long as
-# we're hitting libvirt over ssh. OpenShift will not let you write these directories
-# by default so we must setup some permissions here.
-ENV HOME /home/hive
-RUN mkdir -p /home/hive && \
- chgrp -R 0 /home/hive && \
- chmod -R g=u /home/hive
-
-# This is so that we can write source certificate anchors during container start up.
-RUN mkdir -p /etc/pki/ca-trust/source/anchors && \
- chgrp -R 0 /etc/pki/ca-trust/source/anchors && \
- chmod -R g=u /etc/pki/ca-trust/source/anchors
-
-# This is so that we can run update-ca-trust during container start up.
-RUN mkdir -p /etc/pki/ca-trust/extracted/openssl && \
- mkdir -p /etc/pki/ca-trust/extracted/pem && \
- mkdir -p /etc/pki/ca-trust/extracted/java && \
- chgrp -R 0 /etc/pki/ca-trust/extracted && \
- chmod -R g=u /etc/pki/ca-trust/extracted
-
-# TODO: should this be the operator?
-ENTRYPOINT ["/opt/services/manager"]
diff --git a/build/build-image/Dockerfile b/build/build-image/Dockerfile
deleted file mode 100644
index 9de191fe056..00000000000
--- a/build/build-image/Dockerfile
+++ /dev/null
@@ -1,12 +0,0 @@
-FROM registry.ci.openshift.org/openshift/release:rhel-8-release-golang-1.21-openshift-4.16
-
-# setting Git username and email for workaround of
-# https://github.com/jenkinsci/docker/issues/519
-ENV GIT_COMMITTER_NAME hive-team
-ENV GIT_COMMITTER_EMAIL hive-team@redhat.com
-
-# Basic Debug Tools
-RUN yum -y install strace tcping && yum clean all
-
-# Get rid of "go: disabling cache ..." errors.
-RUN mkdir -p /go && chgrp -R root /go && chmod -R g+rwX /go
diff --git a/contrib/pkg/utils/generic.go b/contrib/pkg/utils/generic.go
index 31240ad2241..0a78efc6961 100644
--- a/contrib/pkg/utils/generic.go
+++ b/contrib/pkg/utils/generic.go
@@ -25,7 +25,7 @@ import (
 )
 const (
- caTrustDir = "/etc/pki/ca-trust/source/anchors/"
+ caTrustDir = "/output/hive-trusted-cabundle/"
 )
 type releasePayload struct {
@@ -205,10 +205,4 @@ func InstallCerts(sourceDir string) {
 logger.WithError(err).WithField("output", string(b)).Fatal("failed to copy certs")
 }
 logger.WithField("output", string(b)).Info("copied certs")
-
- b, err = exec.Command("update-ca-trust").CombinedOutput()
- if err != nil {
- logger.WithError(err).WithField("output", string(b)).Fatal("failed to update CA trust")
- }
- logger.WithField("output", string(b)).Info("updated CA trust")
 }
diff --git a/hack/app_sre_build_deploy.sh b/hack/app_sre_build_deploy.sh
index 8bf5595ac44..f1fb22945d6 100755
--- a/hack/app_sre_build_deploy.sh
+++ b/hack/app_sre_build_deploy.sh
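Review bot: With the update-ca-trust call removed from InstallCerts, `caTrustDir` is now a plain directory that nothing in this function registers with the OS trust store, so the constant needs a comment stating that the certs only take effect because pkg/install/generate.go sets `SSL_CERT_DIR` to include this path; the same path is spelled out as a literal in two places in generate.go and as this constant, and a single shared constant would stop the three from drifting. Suggested comment on the const: `// caTrustDir receives extra CA certificates copied at runtime; they are consumed via SSL_CERT_DIR (see pkg/install/generate.go), not via update-ca-trust, so this value must match the env var set there.` If the doc comment on InstallCerts (outside this hunk) still says it updates CA trust, it should be corrected to say it only copies the certs. InstallCerts begins outside the hunk.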
@@ -99,7 +99,7 @@ else
 fi
 # build the image
-CONTAINER_BUILD_FLAGS="--file ./Dockerfile.ubi" make IMG="$IMG" GO_REQUIRED_MIN_VERSION:= docker-build
+CONTAINER_BUILD_FLAGS="--file ./Dockerfile" make IMG="$IMG" GO_REQUIRED_MIN_VERSION:= docker-build
 # push the image
 make IMG="$IMG" docker-push
diff --git a/hack/e2e-common.sh b/hack/e2e-common.sh
index e018b4428b9..8f1461266c6 100755
--- a/hack/e2e-common.sh
+++ b/hack/e2e-common.sh
@@ -139,7 +139,9 @@ function save_hive_logs() {
 done
 # Let's try to save any prov/deprov pod logs
 oc get po -A -l hive.openshift.io/install=true -o custom-columns=:.metadata.namespace,:.metadata.name --no-headers | while read ns po; do
- oc logs -n $ns $po -c hive > ${ARTIFACT_DIR}/${ns}-${po}.log
+ oc logs -n $ns $po -c hive > ${ARTIFACT_DIR}/${ns}-${po}-hive.log
+ oc logs -n $ns $po -c installer > ${ARTIFACT_DIR}/${ns}-${po}-installer.log
+
 done
 oc get po -A -l hive.openshift.io/uninstall=true -o custom-columns=:.metadata.namespace,:.metadata.name --no-headers | while read ns po; do
 oc logs -n $ns $po > ${ARTIFACT_DIR}/${ns}-${po}.log
@@ -269,12 +271,12 @@ function capture_cluster_logs() {
 # Capture install logs
 if IMAGESET_JOB_NAME=$(oc get job -l "hive.openshift.io/cluster-deployment-name=${CLUSTER_NAME},hive.openshift.io/imageset=true" -o name -n ${CLUSTER_NAMESPACE}) && [ "${IMAGESET_JOB_NAME}" ]
 then
- oc logs -c hive -n ${CLUSTER_NAMESPACE} ${IMAGESET_JOB_NAME} &> "${ARTIFACT_DIR}/hive_imageset_job.log" || true
+ oc logs -c installer -n ${CLUSTER_NAMESPACE} ${IMAGESET_JOB_NAME} &> "${ARTIFACT_DIR}/hive_imageset_job.log" || true
 oc get ${IMAGESET_JOB_NAME} -n ${CLUSTER_NAMESPACE} -o yaml &> "${ARTIFACT_DIR}/hive_imageset_job.yaml" || true
 fi
 if INSTALL_JOB_NAME=$(oc get job -l "hive.openshift.io/cluster-deployment-name=${CLUSTER_NAME},hive.openshift.io/install=true" -o name -n ${CLUSTER_NAMESPACE}) && [ "${INSTALL_JOB_NAME}" ]
 then
- oc logs -c hive -n ${CLUSTER_NAMESPACE} ${INSTALL_JOB_NAME} &> "${ARTIFACT_DIR}/hive_install_job.log" || true
+ oc logs -c installer -n ${CLUSTER_NAMESPACE} ${INSTALL_JOB_NAME} &> "${ARTIFACT_DIR}/hive_install_job.log" || true
 oc get ${INSTALL_JOB_NAME} -n ${CLUSTER_NAMESPACE} -o yaml &> "${ARTIFACT_DIR}/hive_install_job.yaml" || true
 fi
 echo "************* INSTALL JOB LOG *************"
diff --git a/pkg/controller/clusterdeployment/clusterdeployment_controller_test.go b/pkg/controller/clusterdeployment/clusterdeployment_controller_test.go
index 01e07e06ec0..ff3aaf17622 100644
--- a/pkg/controller/clusterdeployment/clusterdeployment_controller_test.go
+++ b/pkg/controller/clusterdeployment/clusterdeployment_controller_test.go
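Review bot: The first `oc logs` in this hunk now asks the imageset job's pod for a container named `installer`, but the only container rename this commit shows is in the provision pod (pkg/install/generate.go); if the imageset pod spec was not renamed the same way, `oc logs -c installer` fails and the trailing `|| true` hides that, leaving hive_imageset_job.log holding only the error text. Worth checking the imageset job's pod spec and either keeping `-c hive` for that job or dropping `-c` entirely if it has a single container (I cannot tell from here). The same switch for the install job matches the rename in generate.go and looks right. capture_cluster_logs continues outside the hunk.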
@@ -688,7 +688,7 @@ func TestClusterDeploymentReconcile(t *testing.T) {
 if assert.Len(t, provisions, 1, "expected exactly one ClusterProvision") {
 podSpec := provisions[0].Spec.PodSpec
 if assert.Len(t, podSpec.InitContainers, 1, "expected exactly one initContainer") {
- assert.Equal(t, "installer", podSpec.InitContainers[0].Name, "expected the initContainer to be 'installer'")
+ assert.Equal(t, "hive", podSpec.InitContainers[0].Name, "expected the initContainer to be 'hive'")
 }
 }
 },
diff --git a/pkg/imageset/updateinstaller.go b/pkg/imageset/updateinstaller.go
index dc411d88ac9..17499681b37 100644
--- a/pkg/imageset/updateinstaller.go
+++ b/pkg/imageset/updateinstaller.go
@@ -167,13 +167,9 @@ func (o *UpdateInstallerImageOptions) Run() (returnErr error) {
 o.log.WithField("installerImage", installerImage).Info("installer image overridden")
 } else {
 // Glean the installer image from the release metadata
- installerTagName := "installer"
- // If this is a bare metal install, we need to get the openshift-install binary from a different image with
- // bare metal functionality compiled in. The binary is named the same and in the same location, so after swapping
- // out what image to get it from, we can proceed with the code as we normally would.
- if cd.Spec.Platform.BareMetal != nil {
- installerTagName = "baremetal-installer"
- }
+ // "baremetal-installer" is the legacy name for the fips compliant installer image
+ installerTagName := "baremetal-installer"
+ // Override annotation is allowed to override baremetal-installer too
 if cd.Annotations != nil {
 if override := cd.Annotations[constants.OverrideInstallerImageNameAnnotation]; override != "" {
diff --git a/pkg/imageset/updateinstaller_test.go b/pkg/imageset/updateinstaller_test.go
index b7dd1b0dfa5..fbec531160f 100755
--- a/pkg/imageset/updateinstaller_test.go
+++ b/pkg/imageset/updateinstaller_test.go
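Review bot: `installerTagName := "baremetal-installer"` now applies to every platform, so a release payload that does not publish a `baremetal-installer` tag will fail image resolution where it previously resolved `installer`; if that trade-off is intended, the comment should say why the plain tag is no longer acceptable instead of only calling the name "legacy", because the next reader will otherwise be tempted to restore the per-platform switch. Suggested wording: `// Always take openshift-install from the "baremetal-installer" payload tag: it carries the FIPS-compliant build for every platform (the name is historical, it is not limited to bare metal). The override annotation below remains the escape hatch for payloads that lack it.` The removed block was the only reader of cd.Spec.Platform.BareMetal in this hunk; whether any other code still distinguishes the bare metal installer is not visible here. Run continues outside the hunk.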
@@ -47,8 +47,8 @@ func TestUpdateInstallerImageCommand(t *testing.T) {
 name: "successful execution",
 existingClusterDeployment: testClusterDeployment(),
 images: map[string]string{
- "installer": testInstallerImage,
- "cli": testCLIImage,
+ "baremetal-installer": testInstallerImage,
+ "cli": testCLIImage,
 },
 validateClusterDeployment: validateSuccessfulExecution(testInstallerImage, testCLIImage, ""),
 },
@@ -56,7 +56,7 @@ func TestUpdateInstallerImageCommand(t *testing.T) {
 name: "failure execution missing cli",
 existingClusterDeployment: testClusterDeployment(),
 images: map[string]string{
- "installer": testInstallerImage,
+ "baremetal-installer": testInstallerImage,
 },
 validateClusterDeployment: validateFailureExecution("could not get cli image"),
 expectError: true,
@@ -64,24 +64,11 @@ func TestUpdateInstallerImageCommand(t *testing.T) {
 {
 name: "successful execution after failure",
 existingClusterDeployment: testClusterDeploymentWithErrorCondition(),
- images: map[string]string{
- "installer": testInstallerImage,
- "cli": testCLIImage,
- },
- validateClusterDeployment: validateSuccessfulExecution(testInstallerImage, testCLIImage, installerImageResolvedReason),
- },
- {
- name: "successful execution baremetal platform",
- existingClusterDeployment: func() *hivev1.ClusterDeployment {
- cd := testClusterDeployment()
- cd.Spec.Platform.BareMetal = &baremetal.Platform{}
- return cd
- }(),
 images: map[string]string{
 "baremetal-installer": testInstallerImage,
 "cli": testCLIImage,
 },
- validateClusterDeployment: validateSuccessfulExecution(testInstallerImage, testCLIImage, ""),
+ validateClusterDeployment: validateSuccessfulExecution(testInstallerImage, testCLIImage, installerImageResolvedReason),
 },
 {
 name: "installer image name override",
@@ -118,8 +105,8 @@ func TestUpdateInstallerImageCommand(t *testing.T) {
 name: "successful execution with version in release metadata",
 existingClusterDeployment: testClusterDeployment(),
 images: map[string]string{
- "installer": testInstallerImage,
- "cli": testCLIImage,
+ "baremetal-installer": testInstallerImage,
+ "cli": testCLIImage,
 },
 version: testReleaseVersion,
 validateClusterDeployment: validateSuccessfulExecution(testInstallerImage, testCLIImage, ""),
@@ -137,8 +124,8 @@ func TestUpdateInstallerImageCommand(t *testing.T) {
 name: "CLI image domain copied from installer image",
 existingClusterDeployment: testClusterDeploymentWithCLIDomainCopy(),
 images: map[string]string{
- "installer": testInstallerImage,
- "cli": cliImageWithDifferentDomain,
+ "baremetal-installer": testInstallerImage,
+ "cli": cliImageWithDifferentDomain,
 },
 validateClusterDeployment: validateSuccessfulExecution(testInstallerImage, "registry.io/foo/cli:blah", ""),
 },
@@ -146,8 +133,8 @@ func TestUpdateInstallerImageCommand(t *testing.T) {
 name: "copy requested, invalid installer image",
 existingClusterDeployment: testClusterDeploymentWithCLIDomainCopy(),
 images: map[string]string{
- "installer": "invalid image",
- "cli": cliImageWithDifferentDomain,
+ "baremetal-installer": "invalid image",
+ "cli": cliImageWithDifferentDomain,
 },
 validateClusterDeployment: validateFailureExecution("invalid installer image"),
 expectError: true,
@@ -156,8 +143,8 @@ func TestUpdateInstallerImageCommand(t *testing.T) {
 name: "copy requested, invalid cli image",
 existingClusterDeployment: testClusterDeploymentWithCLIDomainCopy(),
 images: map[string]string{
- "installer": testInstallerImage,
- "cli": "invalid image",
+ "baremetal-installer": testInstallerImage,
+ "cli": "invalid image",
 },
 validateClusterDeployment: validateFailureExecution("invalid cli image"),
 expectError: true,
diff --git a/pkg/install/generate.go b/pkg/install/generate.go
index d2a73798f17..59365d3c983 100644
--- a/pkg/install/generate.go
+++ b/pkg/install/generate.go
@@ -154,6 +154,14 @@ func InstallerPodSpec(
 Name: "PULLSECRET_SECRET_NAME",
 Value: constants.GetMergedPullSecretName(cd),
 },
+ {
+ Name: "SSL_CERT_DIR",
+ Value: "/etc/ssl/certs/:/output/hive-trusted-cabundle/",
+ },
+ {
+ Name: "HOME",
+ Value: "/home/hive",
+ },
 }
 env = append(env, extraEnvVars...)
@@ -164,6 +172,7 @@ func InstallerPodSpec(
 "logs": "/logs",
 "installconfig": "/installconfig",
 "pullsecret": "/pullsecret",
+ "hive": "/home/hive",
 }
 var credentialRef, certificateRef string
@@ -308,14 +317,14 @@ func InstallerPodSpec(
 // where our container will run them. This is effectively downloading the all-in-one installer.
 initContainers := []corev1.Container{
 {
- Name: "installer",
- Image: installerImage,
- ImagePullPolicy: corev1.PullIfNotPresent,
+ Name: "hive",
+ Image: images.GetHiveImage(),
+ ImagePullPolicy: corev1.PullAlways,
 Env: env,
 Command: []string{"/bin/sh", "-c"},
 // Large file copy here has shown to cause problems in clusters under load, safer to copy then rename to the file the install manager is waiting for
 // so it doesn't try to run a partially copied binary.
- Args: []string{"cp -v /bin/openshift-install /output/openshift-install.tmp && mv -v /output/openshift-install.tmp /output/openshift-install && ls -la /output"},
+ Args: []string{"cp -v /usr/bin/hiveutil.rhel8 /output/hiveutil8.tmp && mv -v /output/hiveutil8.tmp /output/hiveutil.rhel8 && cp -v /usr/bin/hiveutil /output/hiveutil9.tmp && mv -v /output/hiveutil9.tmp /output/hiveutil.rhel9"},
 VolumeMounts: volumeMounts,
 },
 }
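Review bot: `ImagePullPolicy: corev1.PullAlways` hardcodes the policy for the hive init container, whereas the hive container it replaces (removed in the next hunk) used `images.GetHiveClusterProvisionImagePullPolicy()`; dropping the helper silently removes the operator-configurable pull policy and forces a registry round-trip on every provision, so the line should read `ImagePullPolicy: images.GetHiveClusterProvisionImagePullPolicy(),`. The `SSL_CERT_DIR` value `/etc/ssl/certs/:/output/hive-trusted-cabundle/` is a string literal here and again in envAndVolumes, and the directory half is a separate constant in contrib/pkg/utils/generic.go; a single package-level constant would keep the three from drifting. The comment above Args still describes copying openshift-install, but this container now stages two hiveutil builds; update it to say what is copied and why, e.g. `// Stage both hiveutil builds; the installer container picks hiveutil.rhel<major> to match its own base OS.` InstallerPodSpec starts before the hunk and continues after it.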
@@ -333,19 +342,17 @@ func InstallerPodSpec(
 VolumeMounts: volumeMounts,
 })
 }
+
 containers := []corev1.Container{
 {
- Name: "hive",
- Image: images.GetHiveImage(),
- ImagePullPolicy: images.GetHiveClusterProvisionImagePullPolicy(),
+ Name: "installer",
+ Image: installerImage,
+ ImagePullPolicy: corev1.PullIfNotPresent,
 Env: append(env, cd.Spec.Provisioning.InstallerEnv...),
- Command: []string{"/usr/bin/hiveutil"},
- Args: []string{
- "install-manager",
- "--work-dir", "/output",
- "--log-level", "debug",
- cd.Namespace, provisionName,
- },
+ Command: []string{"/bin/sh", "-c"},
+ // Large file copy here has shown to cause problems in clusters under load, safer to copy then rename to the file the install manager is waiting for
+ // so it doesn't try to run a partially copied binary.
+ Args: []string{fmt.Sprintf("cp -v /bin/openshift-install /output/openshift-install && major_version=$(sed -n 's/.*release \\([0-9]*\\).*/\\1/p' /etc/redhat-release) && /output/hiveutil.rhel${major_version} install-manager --work-dir /output --log-level debug %s %s", cd.Namespace, provisionName)},
 VolumeMounts: volumeMounts,
 Resources: corev1.ResourceRequirements{
 Requests: corev1.ResourceList{
@@ -543,6 +550,10 @@ func envAndVolumes(ns, credsVolName, credsDir, credsName, certsVolName, certsDir
 Name: "CLUSTERDEPLOYMENT_NAMESPACE",
 Value: ns,
 },
+ {
+ Name: "SSL_CERT_DIR",
+ Value: "/etc/ssl/certs/:/output/hive-trusted-cabundle/",
+ },
 }
 if credsName != "" {
 env = append(env, corev1.EnvVar{
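Review bot: Running install-manager through `/bin/sh -c` with an `&&` chain makes hiveutil a child of sh rather than the container's PID 1, so the SIGTERM sent on pod deletion is delivered to sh (which, as PID 1 with no handler, drops it) and install-manager loses the graceful-termination path it had when Command was `/usr/bin/hiveutil` directly; prefix the last command with `exec` (`... && exec /output/hiveutil.rhel${major_version} install-manager ...`). In the same Args string the namespace and provision name are spliced into the shell command via `%s`; Kubernetes names are DNS-1123 restricted so this is not exploitable as written, but quoting them (`'%s' '%s'`) is free and keeps the command safe if those inputs are ever sourced differently. The comment copied above Args no longer matches the code: `cp -v /bin/openshift-install /output/openshift-install` writes the final name directly, and since install-manager now starts only after the copy in the same shell, the partial-copy race it describes cannot occur, so either restore the tmp-then-mv or rewrite the comment to say the ordering is what makes the direct copy safe. If /etc/redhat-release is absent from the installer image or has an unexpected format, `major_version` is empty and the failure surfaces only as a missing `/output/hiveutil.rhel`; a `test -n "$major_version"` guard with an explicit message would make that diagnosable from the pod log. InstallerPodSpec continues outside the hunk.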