operators-installer - private registry support

add support for pulling the operator approver job image from a private registry

.github/workflows/install-integration-tests-operators-installer.yaml

@@ -19,6 +19,10 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+env:
+  registry_user: registryuser1
+  registry_password: registrypassword1
+
 jobs:
   install-integration-test:
     runs-on: ubuntu-latest
@@ -51,6 +55,7 @@ jobs:
       uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0
       with:
         version: ${{ env.KIND_VERSION }}
+        config: charts/operators-installer/_integration-tests/kind-config.yaml
 
     # for helm charts we are testing that require installing operators 
     - name: Setup kind cluster - Install OLM 🧰
@@ -77,6 +82,25 @@ jobs:
           controller: haproxy-ingress.github.io/controller
         EOF
 
+    # for testing operators-installer image from private repository
+    - name: Setup private registry in kind cluster 🧰
+      run: |
+        helm upgrade --install private-registry charts/operators-installer/_integration-tests/private-registry \
+          --namespace registry \
+          --create-namespace \
+          --wait \
+          --set registryUser=${registry_user} \
+          --set registryPassword=${registry_password}
+
+    # copies image used to install argo into local private registry
+    - name: Copy image into private repository 💿
+      run: |
+        skopeo copy \
+          --dest-creds ${registry_user}:${registry_password} \
+          --dest-tls-verify=false \
+          docker://$(awk '$1 ~/Image:/ {print $2}' charts/operators-installer/_integration-tests/test-install-operator-0-automatic-intermediate-manual-upgrades-values.yaml) \
+          docker://registry.localhost/origin-cli:5000
+
     # NOTE: can't use chart-testing because `ct` does not allow for a fixed release so you can't run two different tests that affect the same resources
     - name: Run integration tests 🧪
       timeout-minutes: 30
@@ -91,11 +115,20 @@ jobs:
           --values charts/operators-installer/_integration-tests/test-install-operator-0-automatic-intermediate-manual-upgrades-values.yaml \
           --debug --timeout 10m0s
 
+        echo "##########################################################################################################"
+        echo "# Create pull secret used in next step                                                                   #"
+        echo "##########################################################################################################"
+        oc create secret docker-registry local-registry-pullsecret \
+          --namespace operators-installer-integration-test \
+          --docker-password="${registry_user}" \
+          --docker-username="${registry_password}" \
+          --docker-server=registry.localhost
+
         echo "##########################################################################################################"
         echo "# Upgrade argo to newer version requiring many intermediate updates along the way                        #"
         echo "##########################################################################################################"
         helm upgrade --install operators-installer-integration-test charts/operators-installer \
           --namespace operators-installer-integration-test \
           --wait \
           --values charts/operators-installer/_integration-tests/test-install-operator-1-automatic-intermediate-manual-upgrades-values.yaml \
-          --debug --timeout 30m0s
+          --debug --timeout 35m0s

charts/operators-installer/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 3.0.2
+version: 3.1.0
 
 home: https://github.com/redhat-cop/helm-charts
 

charts/operators-installer/README.md

@@ -42,6 +42,7 @@ For all of the Subscription parameters see
 | operatorGroups[].targetOwnNamespace          | `false`       | No        | If `true` add the OperatorGroup's Namespace as a `targetNamespaces`. If `true` then OperatorGroup will only work for Operators using `OwnNamespace` or `MultiNamespace` `installModes`. If blank and no `otherTargetNamespaces` specified then OperatorGroup will be configured to allow for operators using `installModes` `AllNamespaces`.
 | operatorGroups[].otherTargetNamespaces       | `[]`          | No        | List of additional Namespaces to target. If specified OperatorGroup will only work for operators using `SingleNamespace` or `MultiNamespace` `installModes` depending on value of `targetOwnNamespace`.
 | installPlanApproverAndVerifyJobsImage        | `registry.redhat.io/openshift4/ose-cli:v4.10` | Yes | Image to use for the InstallPlan Approver and Verify Jobs 
+| installPlanApproverAndVerifyJobsImagePullSecret   | `''` | No | Name of existing secret for pulling `installPlanApproverAndVerifyJobsImage` from a private registry
 | approveManualInstallPlanViaHook              | `true`        | No        | `true` to create (and clean up) manual InstallPlan approval resources as part of post-install,post-upgrade helm hook<br>`false` to create  manual InstallPlan approval resources as part of normal install<br><br>The hook method is nice to not have lingering resources needed for the manual InstallPlan approval but has the downside that no CustomResources using CustomResourceDefinitions installed by the operator can be used in the same chart because the operator InstallPlan wont be approved, and therefor the operator wont be installed, until the post-install,post-upgrade phase which means you will never get to that phase because your CustomResources wont be able to apply because the Operator isn't installed.<br><br>This is is ultimately a trade off between cleaning up these resources or being able to install and configure the operator in the same helm chart that has a dependency on this helm chart.
 | installRequiredPythonLibraries               | `true`        | No        | If `true`, install the required Python libraries (openshift-client, semver==2.13.0) dynamically from the given `pythonIndexURL` and `pythonExtraIndexURL` into the `installPlanApproverAndVerifyJobsImage` at run time
 | pythonIndexURL                               | https://pypi.org/simple/ | No | If `installRequiredPythonLibraries` is `true` then use this python index to pull required libraries

charts/operators-installer/_integration-tests/kind-config.yaml

@@ -0,0 +1,12 @@
+kind: Cluster
+apiVersion: kind.x-k8s.io/v1alpha4
+nodes:
+- role: control-plane
+  extraPortMappings:
+  - containerPort: 5000
+    hostPort: 5000
+    protocol: TCP
+  - containerPort: 80
+    hostPort: 80
+    protocol: TCP
+

charts/operators-installer/_integration-tests/private-registry/Chart.yaml

@@ -0,0 +1,3 @@
+apiVersion: v2
+name: private-registry
+version: 0.0.2

charts/operators-installer/_integration-tests/private-registry/templates/Deployment_registry.yaml

@@ -0,0 +1,62 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: registry
+  namespace: registry
+spec:
+  progressDeadlineSeconds: 600
+  replicas: 1
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      app: registry
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        app: registry
+    spec:
+      containers:
+        - env:
+            - name: REGISTRY_HTTP_ADDR
+              value: :5000
+            - name: REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY
+              value: /var/lib/registry
+            - name: REGISTRY_AUTH
+              value: htpasswd
+            - name: REGISTRY_AUTH_HTPASSWD_REALM
+              value: Registry Realm
+            - name: REGISTRY_AUTH_HTPASSWD_PATH
+              value: /auth/htpasswd
+          image: registry:2
+          imagePullPolicy: IfNotPresent
+          name: registry
+          ports:
+            - containerPort: 5000
+              name: http
+              protocol: TCP
+          resources:
+            limits:
+              cpu: 500m
+              memory: 128Mi
+          terminationMessagePath: /dev/termination-log
+          terminationMessagePolicy: File
+          volumeMounts:
+            - mountPath: /var/lib/registry
+              name: registry
+            - mountPath: /auth
+              name: htpasswd
+      dnsPolicy: ClusterFirst
+      restartPolicy: Always
+      schedulerName: default-scheduler
+      securityContext: {}
+      terminationGracePeriodSeconds: 30
+      volumes:
+        - name: registry
+          persistentVolumeClaim:
+            claimName: registry
+        - name: htpasswd
+          secret:
+            defaultMode: 420
+            secretName: htpasswd

charts/operators-installer/_integration-tests/private-registry/templates/Ingress.yaml

@@ -0,0 +1,18 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: registry
+  namespace: registry
+spec:
+  rules:
+  - host: registry.localhost
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: registry
+            port:
+              number: 5000
+

charts/operators-installer/_integration-tests/private-registry/templates/PersistentVolumeClaim.yaml

@@ -0,0 +1,11 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: registry
+  namespace: registry
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 30Gi

charts/operators-installer/_integration-tests/private-registry/templates/Secret_htpasswd.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+  htpasswd: {{ htpasswd .Values.registryUser .Values.registryPassword | b64enc }}
+kind: Secret
+metadata:
+  name: htpasswd
+  namespace: registry
+

charts/operators-installer/_integration-tests/private-registry/templates/Service.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: registry
+  name: registry
+  namespace: registry
+spec:
+  ports:
+    - name: http
+      port: 5000
+      protocol: TCP
+      targetPort: 5000
+  selector:
+    app: registry
+  sessionAffinity: None
+  type: ClusterIP

charts/operators-installer/_integration-tests/private-registry/values.yaml

@@ -0,0 +1,3 @@
+registryUser:
+registryPassword:
+

charts/operators-installer/_integration-tests/test-install-operator-1-automatic-intermediate-manual-upgrades-values.yaml

@@ -1,6 +1,8 @@
 approveManualInstallPlanViaHook: true
 
-installPlanApproverAndVerifyJobsImage: quay.io/openshift/origin-cli:4.15
+# use pull secret to pull image from local private registry
+installPlanApproverAndVerifyJobsImage: registry.localhost/origin-cli
+installPlanApproverAndVerifyJobsImagePullSecret: local-registry-pullsecret
 
 operatorGroups:
 - name: argocd-operator

charts/operators-installer/templates/Job_installplan-approver.yaml

@@ -25,6 +25,10 @@ spec:
   activeDeadlineSeconds: {{ .installPlanApproverActiveDeadlineSeconds }}
   template:
     spec:
+      {{- if $.Values.installPlanApproverAndVerifyJobsImagePullSecret }}
+      imagePullSecrets:
+        - name: {{ $.Values.installPlanApproverAndVerifyJobsImagePullSecret }}
+      {{- end }}
       containers:
       - name: installplan-approver
         image: {{ $.Values.installPlanApproverAndVerifyJobsImage }}

charts/operators-installer/templates/Job_installplan-complete-verifier.yaml

@@ -24,6 +24,10 @@ spec:
   activeDeadlineSeconds: {{ .installPlanVerifierActiveDeadlineSeconds }}
   template:
     spec:
+      {{- if $.Values.installPlanApproverAndVerifyJobsImagePullSecret }}
+      imagePullSecrets:
+        - name: {{ $.Values.installPlanApproverAndVerifyJobsImagePullSecret }}
+      {{- end }}
       containers:
       - name: installplan-complete-verifier
         image: {{ $.Values.installPlanApproverAndVerifyJobsImage }}

charts/operators-installer/values.yaml

@@ -12,6 +12,11 @@ approveManualInstallPlanViaHook: true
 # Image to use for the InstallPlan Approver and Verify Jobs
 installPlanApproverAndVerifyJobsImage: registry.redhat.io/openshift4/ose-cli:v4.15@sha256:7ea824531b593b2ec0da05557d5cd2565c3525c51c9007f85e9510b27f38b13f
 
+# If specified, this imagePullSecret will be used for pulling the `installPlanApproverAndVerifyJobsImage`.
+# Only needed when using a custom image and pulling from a private registry.
+# Accepts a single string which is the name of an existing secret. (This chart does not create or manage the secret.)
+installPlanApproverAndVerifyJobsImagePullSecret:
+
 # If `true`, install the required Python libraries (openshift-client, semver==2.13.0) dynamically
 # from the given `pythonIndexURL` and `pythonExtraIndexURL` into the `installPlanApproverAndVerifyJobsImage` at run time
 #