openstack-k8s-operators
diff --git a/‎docs/dictionary/en-custom.txt‎
Lines changed: 2 additions & 0 deletions b/‎docs/dictionary/en-custom.txt‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎playbooks/fdp_update.yml‎
Lines changed: 168 additions & 0 deletions b/‎playbooks/fdp_update.yml‎
Lines changed: 168 additions & 0 deletions
diff --git a/‎post-deployment.yml‎
Lines changed: 4 additions & 1 deletion b/‎post-deployment.yml‎
Lines changed: 4 additions & 1 deletion
diff --git a/‎roles/fdp_update_container_images/README.md‎
Lines changed: 106 additions & 0 deletions b/‎roles/fdp_update_container_images/README.md‎
Lines changed: 106 additions & 0 deletions
diff --git a/‎roles/fdp_update_container_images/defaults/main.yml‎
Lines changed: 79 additions & 0 deletions b/‎roles/fdp_update_container_images/defaults/main.yml‎
Lines changed: 79 additions & 0 deletions
@@ -186,6 +186,7 @@ ezzmy
 favorit
 fbqufbqkfbzxrja
 fci
+fdp
 fedoraproject
 fil
 filesystem
@@ -413,6 +414,7 @@ openstack
 openstackclient
 openstackcontrolplane
 openstackdataplane
+openstackdataplanedeployment
 openstackdataplanenodeset
 openstackdataplanenodesets
 openstackprovisioner
 
@@ -0,0 +1,168 @@
+---
+# Copyright Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+# Master playbook to update OpenStack packages across all layers:
+# - Control plane containers
+# - EDPM compute containers
+# - EDPM compute node hosts
+#
+# Granular control via flags:
+#   cifmw_fdp_update_container_images_update_control_plane_images: true/false
+#   cifmw_fdp_update_container_images_update_edpm_images: true/false
+#   cifmw_fdp_update_container_images_update_edpm_host_packages: true/false
+#
+# Usage Examples:
+#
+# 1. Update everything (default):
+#   ansible-playbook playbooks/fdp_update.yml \
+#     -e cifmw_fdp_update_container_images_target_package=ovn24.03 \
+#     -e cifmw_fdp_update_container_images_repo_baseurl=http://example.com/repo/
+#
+# 2. Update only control plane:
+#   ansible-playbook playbooks/fdp_update.yml \
+#     -e cifmw_fdp_update_container_images_target_package=ovn24.03 \
+#     -e cifmw_fdp_update_container_images_repo_baseurl=http://example.com/repo/ \
+#     -e cifmw_fdp_update_container_images_update_edpm_images=false \
+#     -e cifmw_fdp_update_container_images_update_edpm_host_packages=false
+#
+# 3. Update only EDPM host packages:
+#   ansible-playbook playbooks/fdp_update.yml \
+#     -e cifmw_fdp_update_container_images_target_package=openvswitch3.3 \
+#     -e cifmw_fdp_update_container_images_repo_baseurl=http://example.com/ovs-repo/ \
+#     -e cifmw_fdp_update_container_images_update_control_plane_images=false \
+#     -e cifmw_fdp_update_container_images_update_edpm_images=false
+
+- name: Update OpenStack packages across all layers
+  hosts: "{{ cifmw_target_host | default('localhost') }}"
+  gather_facts: true
+  vars:
+    # Control flags for what to update (can be overridden via -e)
+    cifmw_fdp_update_container_images_update_edpm_images: true
+    cifmw_fdp_update_container_images_update_edpm_host_packages: true
+
+  pre_tasks:
+    - name: Early playbook stop if disabled
+      when:
+        - not cifmw_fdp_update_enabled | default(false) | bool
+      ansible.builtin.meta: end_play
+
+    - name: Validate required variables are set
+      ansible.builtin.assert:
+        that:
+          - cifmw_fdp_update_container_images_target_package is defined
+          - cifmw_fdp_update_container_images_target_package | length > 0
+          - cifmw_fdp_update_container_images_repo_baseurl is defined
+          - cifmw_fdp_update_container_images_repo_baseurl | length > 0
+        fail_msg: |
+          Required variables are missing!
+
+          You must set:
+            - cifmw_fdp_update_container_images_target_package: Name of the RPM package to update
+            - cifmw_fdp_update_container_images_repo_baseurl: Repository base URL containing the updated package
+
+          Example:
+            ansible-playbook playbooks/fdp_update.yml \
+              -e cifmw_fdp_update_container_images_target_package=ovn24.03 \
+              -e cifmw_fdp_update_container_images_repo_baseurl=http://example.com/repo/
+        success_msg: "Required variables validated successfully"
+
+    - name: Display update configuration
+      ansible.builtin.debug:
+        msg:
+          - "=============================================="
+          - "OpenStack Package Update Configuration"
+          - "=============================================="
+          - "Target Package: {{ cifmw_fdp_update_container_images_target_package }}"
+          - "Repository: {{ cifmw_fdp_update_container_images_repo_baseurl }}"
+          - ""
+          - "Update Control Flags:"
+          - "  Control Plane Images: {{ cifmw_fdp_update_container_images_update_control_plane_images | default(true) }}"
+          - "  EDPM Container Images: {{ cifmw_fdp_update_container_images_update_edpm_images | default(true) }}"
+          - "  EDPM Host Packages: {{ cifmw_fdp_update_container_images_update_edpm_host_packages | default(true) }}"
+          - ""
+          - "Namespace: {{ cifmw_fdp_update_container_images_namespace | default('openstack') }}"
+          - "=============================================="
+
+    - name: Setup hypervisor firewall for registry access
+      become: true
+      when: cifmw_fdp_update_setup_hypervisor_firewall | default(true) | bool
+      block:
+        - name: Allow traffic from osp_trunk to ocpbm (compute -> registry)
+          ansible.builtin.command: # noqa: command-instead-of-module
+            cmd: iptables -I FORWARD -i osp_trunk -o ocpbm -j ACCEPT
+          register: _fdp_update_fw_rule1
+          failed_when: false
+          changed_when: _fdp_update_fw_rule1.rc == 0
+
+        - name: Allow return traffic from ocpbm to osp_trunk (registry -> compute)
+          ansible.builtin.command: # noqa: command-instead-of-module
+            cmd: iptables -I FORWARD -i ocpbm -o osp_trunk -m state --state RELATED,ESTABLISHED -j ACCEPT
+          register: _fdp_update_fw_rule2
+          failed_when: false
+          changed_when: _fdp_update_fw_rule2.rc == 0
+
+        - name: Enable NAT for compute nodes to access registry
+          ansible.builtin.command: # noqa: command-instead-of-module
+            cmd: iptables -t nat -A POSTROUTING -s 192.168.122.0/24 -d 192.168.201.0/24 -o ocpbm -j MASQUERADE
+          register: _fdp_update_nat_rule
+          failed_when: false
+          changed_when: _fdp_update_nat_rule.rc == 0
+
+        - name: Persist firewall rules
+          ansible.builtin.shell: # noqa: command-instead-of-shell
+            cmd: iptables-save > /etc/sysconfig/iptables
+          when: _fdp_update_fw_rule1.changed or _fdp_update_fw_rule2.changed or _fdp_update_nat_rule.changed
+
+  roles:
+    # Update control plane container images
+    - role: fdp_update_container_images
+      when: cifmw_fdp_update_container_images_update_control_plane_images | default(true) | bool
+
+    # Update EDPM (containers and host packages unified)
+    - role: fdp_update_edpm
+      vars:
+        # Map old variables to new unified role
+        cifmw_fdp_update_edpm_namespace: "{{ cifmw_fdp_update_container_images_namespace | default('openstack') }}"
+        cifmw_fdp_update_edpm_repo_baseurl: "{{ cifmw_fdp_update_container_images_repo_baseurl }}"
+        cifmw_fdp_update_edpm_containers_enabled: "{{ cifmw_fdp_update_container_images_update_edpm_images | default(true) | bool }}"
+        cifmw_fdp_update_edpm_packages_enabled: "{{ cifmw_fdp_update_container_images_update_edpm_host_packages | default(true) | bool }}"
+      when: >-
+        (cifmw_fdp_update_container_images_update_edpm_images | default(true) | bool) or
+        (cifmw_fdp_update_container_images_update_edpm_host_packages | default(true) | bool)
+
+  post_tasks:
+    - name: Build status messages
+      ansible.builtin.set_fact:
+        _cifmw_fdp_update_cp_status: "{{ 'Updated' if (cifmw_fdp_update_container_images_update_control_plane_images | default(true) | bool) else 'Skipped' }}"
+        _cifmw_fdp_update_edpm_images_status: "{{ 'Updated' if (cifmw_fdp_update_container_images_update_edpm_images | default(true) | bool) else 'Skipped' }}"
+        _cifmw_fdp_update_edpm_packages_status: "{{ 'Service created' if (cifmw_fdp_update_container_images_update_edpm_host_packages | default(true) | bool) else 'Skipped' }}"
+        _cifmw_fdp_update_edpm_enabled: "{{ (cifmw_fdp_update_container_images_update_edpm_images | default(true) | bool) or (cifmw_fdp_update_container_images_update_edpm_host_packages | default(true) | bool) }}"
+
+    - name: Display completion summary
+      ansible.builtin.debug:
+        msg:
+          - "=============================================="
+          - "OpenStack Package Update Completed"
+          - "=============================================="
+          - ""
+          - "Control plane containers: {{ _cifmw_fdp_update_cp_status }}"
+          - "EDPM container images: {{ _cifmw_fdp_update_edpm_images_status }}"
+          - "EDPM host packages: {{ _cifmw_fdp_update_edpm_packages_status }}"
+          - ""
+          - "Package: {{ cifmw_fdp_update_container_images_target_package }}"
+          - "Repository: {{ cifmw_fdp_update_container_images_repo_baseurl }}"
+          - "Namespace: {{ cifmw_fdp_update_edpm_containers_namespace | default('openstack') }}"
+          - "=============================================="
@@ -1,3 +1,7 @@
+- name: Run FDP update after deployment
+  ansible.builtin.import_playbook: playbooks/fdp_update.yml
+  when: cifmw_fdp_update_enabled | default(false) | bool
+
 - name: Run Post-deployment admin setup steps, test, and compliance scan
   hosts: "{{ cifmw_target_host | default('localhost') }}"
   gather_facts: true
@@ -8,7 +12,6 @@
         tasks_from: admin_setup.yml
       tags:
         - admin-setup
-
     - name: Run Test
       ansible.builtin.import_role:
         name: cifmw_setup
 
@@ -0,0 +1,106 @@
+# fdp_update_container_images
+
+Ansible role to update specific RPM packages in OpenStack container images by rebuilding them with custom repositories.
+
+This role automates the process of:
+1. Fetching container images from OpenStackVersion CR
+2. Checking if target package exists in each image
+3. Building new images with updated packages from custom repository
+4. Pushing updated images to OpenShift internal registry
+5. Patching OpenStackVersion CR to use the new images
+
+## Privilege escalation
+None - Runs as the user executing Ansible
+
+## Parameters
+
+* `cifmw_fdp_update_container_images_basedir`: (String) Base directory. Defaults to `cifmw_basedir` which defaults to `~/ci-framework-data`.
+* `cifmw_fdp_update_container_images_namespace`: (String) OpenShift namespace where OpenStack is deployed. Defaults to `openstack`.
+* `cifmw_fdp_update_container_images_openstack_cr_name`: (String) Name of the OpenStackVersion CR. Defaults to `controlplane`.
+* `cifmw_fdp_update_container_images_target_package`: (String) Name of the RPM package to update (e.g., `ovn24.03`). **Required**.
+* `cifmw_fdp_update_container_images_repo_name`: (String) Repository name. Defaults to `custom-repo`.
+* `cifmw_fdp_update_container_images_repo_baseurl`: (String) Repository base URL. **Required**.
+* `cifmw_fdp_update_container_images_repo_enabled`: (Integer) Enable repository (0 or 1). Defaults to `1`.
+* `cifmw_fdp_update_container_images_repo_gpgcheck`: (Integer) Enable GPG check (0 or 1). Defaults to `0`.
+* `cifmw_fdp_update_container_images_repo_priority`: (Integer) Repository priority. Defaults to `0`.
+* `cifmw_fdp_update_container_images_repo_sslverify`: (Integer) Enable SSL verification (0 or 1). Defaults to `0`.
+* `cifmw_fdp_update_container_images_image_registry`: (String) External OpenShift image registry URL. Auto-detected from cluster if not specified. Leave empty for auto-detection.
+* `cifmw_fdp_update_container_images_image_registry_internal`: (String) Internal OpenShift image registry URL. Defaults to `image-registry.openshift-image-registry.svc:5000`.
+* `cifmw_fdp_update_container_images_image_name_prefix`: (String) Prefix for new image names. Defaults to `fdp-update`.
+* `cifmw_fdp_update_container_images_update_control_plane_images`: (Boolean) Update control plane container images. Defaults to `true`.
+* `cifmw_fdp_update_container_images_temp_dir`: (String) Temporary directory for build context. Auto-generated if not specified.
+* `cifmw_fdp_update_container_images_update_dnf_args`: (String) Additional arguments for dnf update command. Defaults to `--disablerepo='*' --enablerepo={{ cifmw_fdp_update_container_images_repo_name }}`.
+
+## Examples
+
+### Update OVN package in all containers
+```yaml
+---
+- hosts: localhost
+  vars:
+    cifmw_fdp_update_container_images_target_package: "ovn24.03"
+    cifmw_fdp_update_container_images_repo_name: "custom-repo"
+    cifmw_fdp_update_container_images_repo_baseurl: "http://example.com/custom-repo/"
+    cifmw_fdp_update_container_images_namespace: "openstack"
+  roles:
+    - role: "fdp_update_container_images"
+```
+
+### Update with custom registry and image prefix
+```yaml
+---
+- hosts: localhost
+  vars:
+    cifmw_fdp_update_container_images_target_package: "ovn24.03"
+    cifmw_fdp_update_container_images_repo_baseurl: "http://custom-repo.example.com/repo/"
+    cifmw_fdp_update_container_images_image_registry: "registry.example.com"
+    cifmw_fdp_update_container_images_image_name_prefix: "ovn-hotfix"
+  roles:
+    - role: "fdp_update_container_images"
+```
+
+### Update with specific DNF arguments
+```yaml
+---
+- hosts: localhost
+  vars:
+    cifmw_fdp_update_container_images_target_package: "neutron-ovn-metadata-agent"
+    cifmw_fdp_update_container_images_repo_baseurl: "http://custom-repo.example.com/repo/"
+    cifmw_fdp_update_container_images_update_dnf_args: "--disablerepo='*' --enablerepo={{ cifmw_fdp_update_container_images_repo_name }} --nobest"
+  roles:
+    - role: "fdp_update_container_images"
+```
+
+## How it works
+
+1. **Registry Setup**:
+   - Enables the default route for OpenShift image registry
+   - Auto-detects the registry hostname or uses the configured value
+2. **Authentication**: Obtains a token from OpenShift and authenticates with the internal registry using TLS
+3. **Image Discovery**: Queries the OpenStackVersion CR for all container images
+4. **Package Check**: For each image, creates a temporary container to check if the target package is installed
+5. **Image Build**: If the package exists, builds a new image with the updated package from the custom repository
+6. **Registry Push**: Pushes the new image to the OpenShift internal registry
+7. **CR Update**: Patches the OpenStackVersion CR's `spec.customContainerImages` field with the new image reference
+8. **Summary**: Provides a summary of all updated images
+
+## Requirements
+
+* OpenShift CLI (`oc`) must be available
+* Podman must be installed and accessible
+* User must have permissions to:
+  - Create tokens in the target namespace
+  - Get and patch OpenStackVersion CRs
+  - Push images to the internal registry
+  - Patch image registry configuration (`configs.imageregistry.operator.openshift.io/cluster`)
+
+## Notes
+
+* The role uses podman to build and push images with TLS verification
+* Each updated image gets a unique tag with timestamp: `<prefix>-<image-key>-<timestamp>`
+* Only images containing the target package will be updated
+* The role cleans up temporary containers automatically
+* All build contexts are created in a temporary directory that is cleaned up after execution
+* The role automatically configures the OpenShift image registry for external access:
+  - Enables the default route if not already enabled
+  - Auto-detects the registry hostname from the route
@@ -0,0 +1,79 @@
+---
+# Copyright Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+# ============================================================================
+# Update Control Flags
+# ============================================================================
+# Enable/disable control plane container image updates
+cifmw_fdp_update_container_images_update_control_plane_images: true
+
+# ============================================================================
+# Base Configuration
+# ============================================================================
+
+# Base directory for artifacts and temporary files
+cifmw_fdp_update_container_images_basedir: "{{ cifmw_basedir | default(ansible_user_dir ~ '/ci-framework-data') }}"
+
+# OpenShift namespace where OpenStack is deployed
+cifmw_fdp_update_container_images_namespace: "openstack"
+
+# Name of the OpenStackVersion custom resource
+cifmw_fdp_update_container_images_openstack_cr_name: "controlplane"
+
+# Target package to update (REQUIRED - must be set by user)
+cifmw_fdp_update_container_images_target_package: ""
+
+# List of images to update with the target package
+# Only these images will be updated (no package scanning is performed)
+cifmw_fdp_update_container_images_images_to_scan:
+  - ovnControllerImage
+  - ovnControllerOvsImage
+  - ovnNbDbclusterImage
+  - ovnNorthdImage
+  - ovnSbDbclusterImage
+  - ceilometerSgcoreImage
+
+# Repository configuration
+cifmw_fdp_update_container_images_repo_name: "custom-repo"
+cifmw_fdp_update_container_images_repo_baseurl: ""  # REQUIRED - must be set by user
+cifmw_fdp_update_container_images_repo_enabled: 1
+cifmw_fdp_update_container_images_repo_gpgcheck: 0
+cifmw_fdp_update_container_images_repo_priority: 0
+cifmw_fdp_update_container_images_repo_sslverify: 0
+
+# Image registry configuration
+# External registry URL (for compute nodes/EDPM and pushing images)
+# Leave empty to auto-detect external route from OpenShift cluster
+cifmw_fdp_update_container_images_image_registry: ""
+
+# Internal registry URL (for OpenShift pods to pull images)
+# This is auto-detected and should not normally need to be changed
+cifmw_fdp_update_container_images_image_registry_internal: "image-registry.openshift-image-registry.svc:5000"
+
+# Image naming
+cifmw_fdp_update_container_images_image_name_prefix: "fdp-update"
+
+# Temporary directory for build context
+cifmw_fdp_update_container_images_temp_dir: ""
+
+# DNF update arguments
+cifmw_fdp_update_container_images_update_dnf_args: "--disablerepo='*' --enablerepo={{ cifmw_fdp_update_container_images_repo_name }}"
+
+# Internal variables (do not override)
+_cifmw_fdp_update_container_images_modified_images: []
+_cifmw_fdp_update_container_images_updated_cr_keys: []
+_cifmw_fdp_update_container_images_total_images: 0
+_cifmw_fdp_update_container_images_processed_images: 0