OTA-905: ipi install: use integration cincinnati in CI clusters, where possible

ci-operator/step-registry/ipi/install/install/ipi-install-install-commands.sh

@@ -4,6 +4,71 @@ set -o nounset
 set -o errexit
 set -o pipefail
 
+function set-cluster-version-spec-update-service() {
+    local payload_version
+    payload_version="$(oc adm release info "${OPENSHIFT_INSTALL_RELEASE_IMAGE_OVERRIDE}" -o "jsonpath={.metadata.version}")"
+    echo "Release payload version: ${payload_version}"
+
+    # Using OSUS in upgrade jobs would be tricky (we would need to know the channel with both versions)
+    # and the use case has little benefits (not many jobs that update between two released versions)
+    # so we do not need to support it. We still need to channel clear to avoid tripping the
+    # CannotRetrieveUpdates alert on one of the versions.
+    # Not all steps that use this script expose OPENSHIFT_UPGRADE_RELEASE_IMAGE_OVERRIDE so we need to default it
+    # If we are in a step that exposes it and it differs from OPENSHIFT_INSTALL_RELEASE_IMAGE_OVERRIDE, we are likely
+    # running an upgrade job.
+    if [[ -n "${OPENSHIFT_UPGRADE_RELEASE_IMAGE_OVERRIDE:-}" ]] &&
+       [[ "$OPENSHIFT_INSTALL_RELEASE_IMAGE_OVERRIDE" != "${OPENSHIFT_UPGRADE_RELEASE_IMAGE_OVERRIDE:-}" ]]; then
+        echo "This is likely an upgrade job (OPENSHIFT_INSTALL_RELEASE_IMAGE_OVERRIDE differs from nonempty OPENSHIFT_UPGRADE_RELEASE_IMAGE_OVERRIDE)"
+        echo "Cluster cannot query OpenShift Update Service (OSUS/Cincinnati), cleaning the channel"
+        sed -i '/^  channel:/d' "${dir}/manifests/cvo-overrides.yaml"
+        return
+    fi
+
+    # Determine architecture that Cincinnati would use: check metadata for release.openshift.io/architecture key
+    # and fall back to manifest-declared architecture
+    local payload_arch
+    payload_arch="$(oc adm release info "${OPENSHIFT_INSTALL_RELEASE_IMAGE_OVERRIDE}" -o "jsonpath={.metadata.metadata.release\.openshift\.io/architecture}")"
+    if [[ -z "${payload_arch}" ]]; then
+        echo 'Payload architecture not found in .metadata.metadata["release.openshift.io/architecture"], using .config.architecture'
+        payload_arch="$(oc adm release info "${OPENSHIFT_INSTALL_RELEASE_IMAGE_OVERRIDE}" -o "jsonpath={.config.architecture}")"
+    fi
+    local payload_arch_param
+    if [[ -n "${payload_arch}" ]]; then
+        echo "Release payload architecture: ${payload_arch}"
+        payload_arch_param="&arch=${payload_arch}"
+    else
+        echo "Unable to determine payload architecture"
+        payload_arch_param=""
+    fi
+
+    # The candidate channel is most likely to contain the versions we are interested in, so transfer the current channel
+    # into a candidate one.
+    local channel
+    channel="$(grep -E --only-matching '(stable|eus|fast|candidate)-4.[0-9]+' "${dir}/manifests/cvo-overrides.yaml")"
+    echo "Original channel from CVO manifest: ${channel}"
+    local candidate_channel
+    candidate_channel="$(echo "${channel}" | sed -E 's/(stable|eus|fast)/candidate/')"
+    echo "Matching candidate channel: ${candidate_channel}"
+
+    # If the version is known to OSUS, it is safe for the CI cluster to query it, so we will query the integration OSUS
+    # instance maintained by OTA team. Otherwise, the cluster would trip the CannotRetrieveUpdates alert, so we need
+    # to clear the channel to make the cluster *not* query any OSUS instance.
+    local query
+    query="https://api.integration.openshift.com/api/upgrades_info/graph?channel=${candidate_channel}${payload_arch_param}"
+    echo "Querying $query for version ${payload_version}"
+    if curl --silent "$query" | grep --quiet '"version":"'"$payload_version"'"'; then
+        echo "Version ${payload_version} is available in ${candidate_channel}, cluster can query OpenShift Update Service (OSUS/Cincinnati)"
+        echo "Setting channel to $candidate_channel and upstream to https://api.integration.openshift.com/api/upgrades_info/graph "
+        sed -i "s|^  channel: .*|  channel: $candidate_channel|" "${dir}/manifests/cvo-overrides.yaml"
+        echo '  upstream: https://api.integration.openshift.com/api/upgrades_info/graph' >> "${dir}/manifests/cvo-overrides.yaml"
+    else
+        echo "Version ${payload_version} is not available in ${candidate_channel}"
+        echo "Cluster cannot query OpenShift Update Service (OSUS/Cincinnati)"
+        echo "Clearing the channel"
+        sed -i '/^  channel:/d' "${dir}/manifests/cvo-overrides.yaml"
+    fi
+}
+
 function populate_artifact_dir() {
   set +e
   echo "Copying log bundle..."
@@ -434,7 +499,7 @@ aws|aws-arm64|aws-usgov)
     ;;
 esac
 
-sed -i '/^  channel:/d' "${dir}/manifests/cvo-overrides.yaml"
+set-cluster-version-spec-update-service
 
 echo "Will include manifests:"
 find "${SHARED_DIR}" \( -name "manifest_*.yml" -o -name "manifest_*.yaml" \)

ci-operator/step-registry/ipi/install/install/stableinitial/ipi-install-install-stableinitial-ref.yaml

@@ -11,7 +11,7 @@ ref:
   credentials:
   - namespace: test-credentials
     name: ci-ibmcloud8
-    mount_path: /var/run/vsphere8-secrets      
+    mount_path: /var/run/vsphere8-secrets
   env:
   - name: ARM64_RELEASE_OVERRIDE
     default: ""
@@ -23,6 +23,8 @@ ref:
   dependencies:
   - name: "release:latest"
     env: OPENSHIFT_INSTALL_RELEASE_IMAGE_OVERRIDE
+  - name: "release:latest"
+    env: OPENSHIFT_UPGRADE_RELEASE_IMAGE_OVERRIDE
   - name: "release:latest"
     env: RELEASE_IMAGE_LATEST
   documentation: |-