Support install operator using iib (index image) (#222) (#225)

Support install operator using iib (index image) (#222)

* Support install operator using iib (index image)

* use generic catalog name

* fix icsp to mirror registry.redhat.io

Author: myakove

ocp_utilities/operators.py

@@ -1,16 +1,20 @@
 from pprint import pformat
 
 from kubernetes.dynamic.exceptions import ResourceNotFoundError
+from ocp_resources.catalog_source import CatalogSource
 from ocp_resources.cluster_service_version import ClusterServiceVersion
+from ocp_resources.image_content_source_policy import ImageContentSourcePolicy
 from ocp_resources.installplan import InstallPlan
 from ocp_resources.namespace import Namespace
 from ocp_resources.operator import Operator
 from ocp_resources.operator_group import OperatorGroup
+from ocp_resources.resource import ResourceEditor
 from ocp_resources.subscription import Subscription
 from ocp_resources.utils import TimeoutExpiredError, TimeoutSampler
+from ocp_resources.validating_webhook_config import ValidatingWebhookConfiguration
 from simple_logger.logger import get_logger
 
-from ocp_utilities.infra import cluster_resource
+from ocp_utilities.infra import cluster_resource, create_icsp, create_update_secret
 
 
 LOGGER = get_logger(name=__name__)
@@ -125,10 +129,12 @@ def install_operator(
     admin_client,
     name,
     channel,
-    source,
+    source=None,
     target_namespaces=None,
     timeout=TIMEOUT_30MIN,
     operator_namespace=None,
+    iib_index_image=None,
+    brew_token=None,
 ):
     """
     Install operator on cluster.
@@ -137,12 +143,30 @@ def install_operator(
         admin_client (DynamicClient): Cluster client.
         name (str): Name of the operator to install.
         channel (str): Channel to install operator from.
-        source (str): CatalogSource name.
+        source (str, optional): CatalogSource name.
         target_namespaces (list, optional): Target namespaces for the operator install process.
             If not provided, a namespace with te operator name will be created and used.
         timeout (int): Timeout in seconds to wait for operator to be ready.
-        operator_namespace (str, optional): Operator namespace, if not provided, operator name will be used
+        operator_namespace (str, optional): Operator namespace, if not provided, operator name will be used.
+        iib_index_image (str, optional): iib index image url, If provided install operator from iib index image.
+        brew_token (str, optional): Token to access iib index image registry.
     """
+    catalog_source = None
+    operator_market_namespace = "openshift-marketplace"
+
+    if iib_index_image:
+        if not brew_token:
+            raise ValueError("brew_token must be provided for iib_index_image")
+
+        catalog_source = create_catalog_source_for_iib_install(
+            name="iib-catalog",
+            iib_index_image=iib_index_image,
+            brew_token=brew_token,
+            operator_market_namespace=operator_market_namespace,
+        )
+    else:
+        if not source:
+            raise ValueError("source must be provided if not using iib_index_image")
 
     operator_namespace = operator_namespace or name
     if target_namespaces:
@@ -170,8 +194,8 @@ def install_operator(
         name=name,
         namespace=operator_namespace,
         channel=channel,
-        source=source,
-        source_namespace="openshift-marketplace",
+        source=catalog_source.name if catalog_source else source,
+        source_namespace=operator_market_namespace,
         install_plan_approval="Automatic",
     )
     subscription.deploy(wait=True)
@@ -231,3 +255,109 @@ def uninstall_operator(
         )
 
         csv.wait_deleted(timeout=timeout)
+
+
+def create_catalog_source_for_iib_install(
+    name, iib_index_image, brew_token, operator_market_namespace
+):
+    """
+    Create ICSP and catalog source for given iib index image
+
+    Args:
+        name (str): Name for the catalog source (used in 'name, display_name and publisher').
+        iib_index_image (str): iib index image url.
+        brew_token (str): Token to access iib index image registry.
+        operator_market_namespace (str): Namespace of the marketplace.
+
+    Returns:
+        CatalogSource: catalog source object.
+    """
+
+    def _manipulate_validating_webhook_configuration(_validating_webhook_configuration):
+        _resource_name = "imagecontentsourcepolicies"
+        _validating_webhook_configuration_dict = (
+            _validating_webhook_configuration.instance.to_dict()
+        )
+        for webhook in _validating_webhook_configuration_dict["webhooks"]:
+            for rule in webhook["rules"]:
+                all_resources = rule["resources"]
+                for _resources in all_resources:
+                    if _resource_name in _resources:
+                        all_resources[all_resources.index(_resource_name)] = "nonexists"
+                        break
+
+        return _validating_webhook_configuration_dict
+
+    def _icsp(_repository_digest_mirrors):
+        if icsp.exists:
+            ResourceEditor(
+                patches={
+                    icsp: {
+                        "spec:": {
+                            "repository_digest_mirrors": _repository_digest_mirrors
+                        }
+                    }
+                }
+            ).update()
+        else:
+            create_icsp(
+                icsp_name="brew-registry",
+                repository_digest_mirrors=_repository_digest_mirrors,
+            )
+
+    brew_registry = "brew.registry.redhat.io"
+    source_iib_registry = iib_index_image.split("/")[0]
+    _iib_index_image = iib_index_image.replace(source_iib_registry, brew_registry)
+    icsp = ImageContentSourcePolicy(name="brew-registry")
+    validating_webhook_configuration = ValidatingWebhookConfiguration(
+        name="sre-imagecontentpolicies-validation"
+    )
+    repository_digest_mirrors = [
+        {
+            "source": source_iib_registry,
+            "mirrors": [brew_registry],
+        },
+        {
+            "source": "registry.redhat.io",
+            "mirrors": [brew_registry],
+        },
+    ]
+
+    if validating_webhook_configuration.exists:
+        # This is managed cluster, we need to disable ValidatingWebhookConfiguration rule
+        # for 'imagecontentsourcepolicies'
+        validating_webhook_configuration_dict = (
+            _manipulate_validating_webhook_configuration(
+                _validating_webhook_configuration=validating_webhook_configuration
+            )
+        )
+
+        with ResourceEditor(
+            patches={
+                validating_webhook_configuration: {
+                    "webhooks": validating_webhook_configuration_dict["webhooks"]
+                }
+            }
+        ):
+            _icsp(_repository_digest_mirrors=repository_digest_mirrors)
+    else:
+        _icsp(_repository_digest_mirrors=repository_digest_mirrors)
+
+    secret_data_dict = {"auths": {brew_registry: {"auth": brew_token}}}
+    create_update_secret(
+        secret_data_dict=secret_data_dict,
+        name="pull-secret",  # pragma: allowlist secret
+        namespace="openshift-config",
+    )
+
+    catalog_source = CatalogSource(
+        name=name,
+        namespace=operator_market_namespace,
+        display_name=name,
+        image=_iib_index_image,
+        publisher=name,
+        source_type="grpc",
+        update_strategy_registry_poll_interval="30m",
+    )
+    catalog_source.deploy(wait=True)
+    return catalog_source