Allow publishing of Ansible 2.9 and 2.11 images (#5311)

* Allow publishing of Ansible 2.9 and 2.11 images

Related to #5115

This PR introduces the Dockerfile and infrastructure to build Ansible
2.9 and Ansible 2.11 images side by side. This commit does not integrate
these changes into CI, and therefore will need to be mered alongside a
follow-up PR to intetgrate with GitHub actions.

Co-authored-by: Austin Macdonald <[email protected]>
Co-authored-by: Fabian von Feilitzsch <[email protected]>

Signed-off-by: austin <[email protected]>

* use new preview dependency image to create preview base
* build and push ansible tags
* e2e ansible molecule should build 2.9 images
* simplify make
* fixup: fix makefile imagebuild dep
* fixup: more tweaks
* fixup: action to use 2.11 dir
* first draft deploy-manual
* finish full separation of 2.9 and 2.11 dirs
* fixup: s/secret/github/
* fixup: cleanup

Signed-off-by: austin <[email protected]>

Co-authored-by: Fabian von Feilitzsch <[email protected]>

Author: asmacdo

.github/workflows/deploy-manual.yml

@@ -6,6 +6,9 @@ on:
       ansible_operator_base_tag:
         description: ansible-operator-base image tag, ex. "6e1b47e6ca7c507b8ecf197a8edcd412dd64d85d"
         required: false
+      ansible_operator_211_base_tag:
+        description: ansible-operator-2.11-preview-base image tag, ex. "6e1b47e6ca7c507b8ecf197a8edcd412dd64d85d"
+        required: false
 
 jobs:
   # Build the ansible-operator-base image.
@@ -32,8 +35,9 @@ jobs:
       with:
         fetch-depth: 1
 
-    - name: create tag
-      id: tag
+    # Copied this for 2.11 rather than use a matrix because eventually 2.11 will be default and this will be removed.
+    - name: create 2.9-base tag
+      id: 29_base_tag
       run: |
         set -e
         IMG=quay.io/${{ github.repository_owner }}/ansible-operator-base
@@ -45,36 +49,82 @@ jobs:
         echo ::set-output name=tag::${IMG}:${TAG}
         echo ::set-output name=git_commit::${GIT_COMMIT}
 
-    - name: build and push
+    - name: create 2.11-base tag
+      id: 211_base_tag
+      run: |
+        set -e
+        IMG=quay.io/${{ github.repository_owner }}/ansible-operator-2.11-preview-base
+        TAG="${{ github.event.inputs.ansible_operator_211_base_tag }}"
+        if [[ "$TAG" == "" ]]; then
+          TAG="$(git branch --show-current)-${GIT_COMMIT}"
+        fi
+        echo ::set-output name=tag::${IMG}:${TAG}
+        echo ::set-output name=git_commit::${GIT_COMMIT}
+
+    - name: build and push ansible 2.9 dep image
       uses: docker/build-push-action@v2
       with:
         file: ./images/ansible-operator/base.Dockerfile
         context: ./images/ansible-operator
         platforms: linux/amd64,linux/arm64,linux/ppc64le,linux/s390x
         push: true
-        tags: ${{ steps.tag.outputs.tag }}
+        tags: ${{ steps.tag.outputs.29_base_tag }}
+        build-args: |
+          GIT_COMMIT=${{ steps.tag.outputs.git_commit }}
+
+    - name: build and push ansible 2.11 dep image
+      uses: docker/build-push-action@v2
+      with:
+        file: ./images/ansible-operator-2.11-preview/base.Dockerfile
+        context: ./images/ansible-operator
+        platforms: linux/amd64,linux/arm64,linux/ppc64le,linux/s390x
+        push: true
+        tags: ${{ steps.tag.outputs.211_base_tag }}
         build-args: |
           GIT_COMMIT=${{ steps.tag.outputs.git_commit }}
 
     # This change will be staged and committed in the PR pushed below.
     # The script below will fail if no change was made.
-    - name: update ansible-operator base
+    - name: update base of ansible-operator 2.9
       id: update
       run: |
         set -ex
-        sed -i -E 's|FROM quay\.io/operator-framework/ansible-operator-base:.+|FROM ${{ steps.tag.outputs.tag }}|g' images/ansible-operator/Dockerfile
+        sed -i -E 's|FROM quay\.io/operator-framework/ansible-operator-base:.+|FROM ${{ steps.tag.outputs.29_base_tag }}|g' images/ansible-operator/Dockerfile
         git diff --exit-code --quiet && echo "Failed to update images/ansible-operator/Dockerfile" && exit 1
         REF="${{ github.event.ref }}"
         echo ::set-output name=branch_name::"${REF##*/}"
 
-    - name: create PR
+    - name: create PR for ansible-operator 2.9 Dockerfile
       uses: peter-evans/create-pull-request@v3
       with:
-        title: "[${{ steps.update.outputs.branch_name }}] image(ansible-operator): bump base to ${{ steps.tag.outputs.tag }}"
+        title: "[${{ steps.update.outputs.branch_name }}] image(ansible-operator): bump base to ${{ steps.tag.outputs.29_base_tag }}"
         commit-message: |
-          [${{ steps.update.outputs.branch_name }}] image(ansible-operator): bump base to ${{ steps.tag.outputs.tag }}
+          [${{ steps.update.outputs.branch_name }}] image(ansible-operator): bump base to ${{ steps.tag.outputs.29_base_tag }}
 
           Signed-off-by: ${{ github.actor }} <${{ github.actor }}@users.noreply.github.com>
         body: "New ansible-operator-base image built by https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
         delete-branch: true
         branch-suffix: short-commit-hash
+
+    # This change will be staged and committed in the PR pushed below.
+    # The script below will fail if no change was made.
+    - name: update base of ansible-operator-2.11-preview
+      id: update
+      run: |
+        set -ex
+        sed -i -E 's|FROM quay\.io/operator-framework/ansible-operator-2.11-preview-base:.+|FROM ${{ steps.tag.outputs.211_base_tag }}|g' images/ansible-operator/Dockerfile
+        git diff --exit-code --quiet && echo "Failed to update images/ansible-operator-11-preview-base/Dockerfile" && exit 1
+        REF="${{ github.event.ref }}"
+        echo ::set-output name=branch_name::"${REF##*/}"
+
+    - name: create PR for ansible-operator-2.11-preview Dockerfile
+      uses: peter-evans/create-pull-request@v3
+      with:
+        title: "[${{ steps.update.outputs.branch_name }}] image(ansible-operator-2.11-preview): bump base to ${{ steps.tag.outputs.211_base_tag }}"
+        commit-message: |
+          [${{ steps.update.outputs.branch_name }}] image(ansible-operator-2.11-preview): bump base to ${{ steps.tag.outputs.211_base_tag }}
+
+          Signed-off-by: ${{ github.actor }} <${{ github.actor }}@users.noreply.github.com>
+        body: "New ansible-operator-2.11-preview-base image built by https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
+        delete-branch: true
+        branch-suffix: short-commit-hash

.github/workflows/deploy.yml

@@ -72,7 +72,7 @@ jobs:
     environment: deploy
     strategy:
       matrix:
-        id: ["operator-sdk", "ansible-operator", "helm-operator", "scorecard-test"]
+        id: ["operator-sdk", "helm-operator", "scorecard-test", "ansible-operator", "ansible-operator-2.11-preview"]
     steps:
 
     - name: set up qemu

Makefile

@@ -82,9 +82,14 @@ build/scorecard-test build/scorecard-test-kuttl build/custom-scorecard-tests:
 
 # Convenience wrapper for building all remotely hosted images.
 .PHONY: image-build
-IMAGE_TARGET_LIST = operator-sdk helm-operator ansible-operator scorecard-test scorecard-test-kuttl
+IMAGE_TARGET_LIST = operator-sdk helm-operator ansible-operator ansible-operator-2.11-preview scorecard-test scorecard-test-kuttl
 image-build: $(foreach i,$(IMAGE_TARGET_LIST),image/$(i)) ## Build all images.
 
+# Convenience wrapper for building dependency base images.
+.PHONY: image-build-base
+IMAGE_BASE_TARGET_LIST = ansible-operator ansible-operator-2.11-preview
+image-build-base: $(foreach i,$(IMAGE_BASE_TARGET_LIST),image-base/$(i)) ## Build all images.
+
 # Build an image.
 BUILD_IMAGE_REPO = quay.io/operator-framework
 # When running in a terminal, this will be false. If true (ex. CI), print plain progress.
@@ -95,6 +100,9 @@ image/%: export DOCKER_CLI_EXPERIMENTAL = enabled
 image/%:
 	docker buildx build $(DOCKER_PROGRESS) -t $(BUILD_IMAGE_REPO)/$*:dev -f ./images/$*/Dockerfile --load .
 
+image-base/%: export DOCKER_CLI_EXPERIMENTAL = enabled
+image-base/%:
+	docker buildx build $(DOCKER_PROGRESS) -t $(BUILD_IMAGE_REPO)/$*:dev -f ./images/$*/base.Dockerfile --load .
 ##@ Release
 
 .PHONY: release

images/ansible-operator-2.11-preview/Dockerfile

@@ -0,0 +1,38 @@
+# Build the manager binary
+FROM --platform=$BUILDPLATFORM golang:1.16 as builder
+ARG TARGETARCH
+
+WORKDIR /workspace
+# Copy the Go Modules manifests
+COPY go.mod go.mod
+COPY go.sum go.sum
+# cache deps before building and copying source so that we don't need to re-download as much
+# and so that source changes don't invalidate our downloaded layer
+RUN go mod download
+
+# Copy the go source
+COPY . .
+
+# Build
+RUN GOOS=linux GOARCH=$TARGETARCH make build/ansible-operator
+
+# Final image.
+# TODO(asmacdo) update GH action to set this
+FROM quay.io/operator-framework/ansible-operator-2.11-preview-base:dev
+
+ENV HOME=/opt/ansible \
+    USER_NAME=ansible \
+    USER_UID=1001
+
+# Ensure directory permissions are properly set
+RUN echo "${USER_NAME}:x:${USER_UID}:0:${USER_NAME} user:${HOME}:/sbin/nologin" >> /etc/passwd \
+  && mkdir -p ${HOME}/.ansible/tmp \
+  && chown -R ${USER_UID}:0 ${HOME} \
+  && chmod -R ug+rwx ${HOME}
+
+WORKDIR ${HOME}
+USER ${USER_UID}
+
+COPY --from=builder /workspace/build/ansible-operator /usr/local/bin/ansible-operator
+
+ENTRYPOINT ["/tini", "--", "/usr/local/bin/ansible-operator", "run", "--watches-file=./watches.yaml"]

images/ansible-operator-2.11-preview/Pipfile

@@ -0,0 +1,21 @@
+[[source]]
+url = "https://pypi.org/simple"
+verify_ssl = true
+name = "pypi"
+
+[packages]
+ansible-runner = "~=1.4.7"
+ansible-runner-http = "==1.0.0"
+ipaddress = "==1.0.23"
+openshift = "~=0.12.0"
+jmespath = "==0.10.0"
+# cryptography needs to be pinned to 3.3.2 as this is the last version
+# before its setup requires rust, which is not available via RPM in the
+# base image. This pin should be re-evaluated once the base image is updated.
+cryptography = "==3.3.2"
+ansible-core = "~=2.11.0"
+
+[dev-packages]
+
+[requires]
+python_version = "3.8"