Allow publishing of Ansible 2.9 and 2.11 images

Related to #5115

This PR introduces the Dockerfile and infrastructure to build Ansible
2.9 and Ansible 2.11 images side by side. This commit does not integrate
these changes into CI, and therefore will need to be mered alongside a
follow-up PR to intetgrate with GitHub actions.

Co-authored-by: Austin Macdonald <[email protected]>
Co-authored-by: Fabian von Feilitzsch <[email protected]>

Signed-off-by: austin <[email protected]>

Author: fabianvf

.github/workflows/deploy-manual.yml

@@ -32,10 +32,12 @@ jobs:
       with:
         fetch-depth: 1
 
-    - name: create tag
+    # TODO(asmacdo) add 2.11-preview-base
+    - name: create 2.9-base tag
       id: tag
       run: |
         set -e
+        # TODO(asmacdo)
         IMG=quay.io/${{ github.repository_owner }}/ansible-operator-base
         TAG="${{ github.event.inputs.ansible_operator_base_tag }}"
         GIT_COMMIT=$(git rev-parse HEAD)
@@ -58,7 +60,8 @@ jobs:
 
     # This change will be staged and committed in the PR pushed below.
     # The script below will fail if no change was made.
-    - name: update ansible-operator base
+    # TODO(asmacdo) add base of 2.11-preview
+    - name: update base of ansible-operator
       id: update
       run: |
         set -ex
@@ -67,6 +70,7 @@ jobs:
         REF="${{ github.event.ref }}"
         echo ::set-output name=branch_name::"${REF##*/}"
 
+    # TODO(asmacdo) add base of 2.11-preview
     - name: create PR
       uses: peter-evans/create-pull-request@v3
       with:

.github/workflows/deploy.yml

@@ -98,6 +98,8 @@ jobs:
     - name: create tags
       id: tags
       run: |
+        # TODO(asmacdo) github.repository_owner is wrong. This should be a quay account, `operator-framework` happens to be the same in
+        # gh and quay.
         IMG=quay.io/${{ github.repository_owner }}/${{ matrix.id }}
         echo ::set-output name=tags::$(.github/workflows/get_image_tags.sh "$IMG" "v")
 

Makefile

@@ -82,7 +82,8 @@ build/scorecard-test build/scorecard-test-kuttl build/custom-scorecard-tests:
 
 # Convenience wrapper for building all remotely hosted images.
 .PHONY: image-build
-IMAGE_TARGET_LIST = operator-sdk helm-operator ansible-operator scorecard-test scorecard-test-kuttl
+# TODO(asmacdo) add 2.11-preview
+IMAGE_TARGET_LIST = operator-sdk helm-operator ansible-operator/2.9 Oscorecard-test scorecard-test-kuttl
 image-build: $(foreach i,$(IMAGE_TARGET_LIST),image/$(i)) ## Build all images.
 
 # Build an image.

images/ansible-operator/2.11/Dockerfile

@@ -0,0 +1,38 @@
+# Build the manager binary
+FROM --platform=$BUILDPLATFORM golang:1.16 as builder
+ARG TARGETARCH
+
+WORKDIR /workspace
+# Copy the Go Modules manifests
+COPY go.mod go.mod
+COPY go.sum go.sum
+# cache deps before building and copying source so that we don't need to re-download as much
+# and so that source changes don't invalidate our downloaded layer
+RUN go mod download
+
+# Copy the go source
+COPY . .
+
+# Build
+RUN GOOS=linux GOARCH=$TARGETARCH make build/ansible-operator
+
+# Final image.
+# TODO(asmacdo) update GH action to set this
+FROM quay.io/operator-framework/ansible-operator-2.11-preview-base:master-bc8aedd752afff8aed00e62901d69e737d3e370e
+
+ENV HOME=/opt/ansible \
+    USER_NAME=ansible \
+    USER_UID=1001
+
+# Ensure directory permissions are properly set
+RUN echo "${USER_NAME}:x:${USER_UID}:0:${USER_NAME} user:${HOME}:/sbin/nologin" >> /etc/passwd \
+  && mkdir -p ${HOME}/.ansible/tmp \
+  && chown -R ${USER_UID}:0 ${HOME} \
+  && chmod -R ug+rwx ${HOME}
+
+WORKDIR ${HOME}
+USER ${USER_UID}
+
+COPY --from=builder /workspace/build/ansible-operator /usr/local/bin/ansible-operator
+
+ENTRYPOINT ["/tini", "--", "/usr/local/bin/ansible-operator", "run", "--watches-file=./watches.yaml"]

images/ansible-operator/2.11/Pipfile

@@ -0,0 +1,21 @@
+[[source]]
+url = "https://pypi.org/simple"
+verify_ssl = true
+name = "pypi"
+
+[packages]
+ansible-runner = "~=1.4.7"
+ansible-runner-http = "==1.0.0"
+ipaddress = "==1.0.23"
+openshift = "~=0.12.0"
+jmespath = "==0.10.0"
+# cryptography needs to be pinned to 3.3.2 as this is the last version
+# before its setup requires rust, which is not available via RPM in the
+# base image. This pin should be re-evaluated once the base image is updated.
+cryptography = "==3.3.2"
+ansible-core = "~=2.11.0"
+
+[dev-packages]
+
+[requires]
+python_version = "3.8"

images/ansible-operator/2.11/Pipfile.lock

@@ -4,6 +4,7 @@
 
 FROM registry.access.redhat.com/ubi8/ubi:8.4
 ARG TARGETARCH
+ARG ANSIBLE_VERSION=2.9
 
 # Label this image with the repo and commit that built it, for freshmaking purposes.
 ARG GIT_COMMIT=devel
@@ -15,8 +16,9 @@ RUN mkdir -p /etc/ansible \
   && echo 'roles_path = /opt/ansible/roles' >> /etc/ansible/ansible.cfg \
   && echo 'library = /usr/share/ansible/openshift' >> /etc/ansible/ansible.cfg
 
-# Copy python dependencies specs to be installed using Pipenv
-COPY Pipfile* ./
+
+# Copy python dependencies (including ansible) to be installed using Pipenv
+COPY images/ansible-operator/${ANSIBLE_VERSION}/Pipfile* ./
 # Instruct pip(env) not to keep a cache of installed packages,
 # to install into the global site-packages and
 # to clear the pipenv cache as well