Merge pull request #77561 from amolnar-rh/TELCODOCS-1707-performing-gitops

TELCODOCS-1707: Add Performing upgrade GitOps

Author: jeana-redhat

_topic_maps/_topic_map.yml

@@ -3111,8 +3111,8 @@ Topics:
       File: ztp-image-based-upgrade-prep-resources
   - Name: Performing an image-based upgrade for single-node OpenShift clusters
     File: cnf-image-based-upgrade-base
-#  - Name: Performing an image-based upgrade for single-node OpenShift clusters using GitOps ZTP
-#    File: ztp-image-based-upgrade
+  - Name: Performing an image-based upgrade for single-node OpenShift clusters using GitOps ZTP
+    File: ztp-image-based-upgrade
 ---
 Name: Reference design specifications
 Dir: telco_ref_design_specs

edge_computing/image_based_upgrade/ztp-image-based-upgrade.adoc

@@ -0,0 +1,39 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="ztp-image-based-upgrade-for-sno"]
+= Performing an image-based upgrade for {sno} clusters using {ztp}
+:context: ztp-image-based-upgrade
+include::_attributes/common-attributes.adoc[]
+
+toc::[]
+
+You can upgrade your managed {sno} cluster with the image-based upgrade through {ztp-first}.
+
+When you deploy the {lcao} on a cluster, an `ImageBasedUpgrade` CR is automatically created.
+You update this CR to specify the image repository of the seed image and to move through the different stages.
+
+// Lifecycle Agent (LCAO)
+
+include::modules/ztp-image-based-upgrade-talm-prep.adoc[leveloffset=+1]
+
+////
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../../edge_computing/ztp-preparing-the-hub-cluster.adoc#ztp-preparing-the-ztp-git-repository-ver-ind_ztp-preparing-the-hub-cluster[Preparing the GitOps ZTP site configuration repository for version independence]
+
+* xref:../../edge_computing/image_based_upgrade/preparing_for_image_based_upgrade/ztp-image-based-upgrade-prep-resources.adoc[Preparing for the image-based upgrade for single-node OpenShift clusters]
+
+* xref:../../edge_computing/image_based_upgrade/preparing_for_image_based_upgrade/cnf-image-based-upgrade-shared-container-image.adoc#ztp-image-based-upgrade-shared-container-directory_shared-container-directory[Configuring a shared container directory between ostree stateroots when using GitOps ZTP]
+
+* xref:../../backup_and_restore/application_backup_and_restore/installing/installing-oadp-ocs.adoc#oadp-about-backup-snapshot-locations_installing-oadp-ocs[About backup and snapshot locations and their secrets]
+
+* xref:../../backup_and_restore/application_backup_and_restore/backing_up_and_restoring/oadp-creating-backup-cr.adoc[Creating a Backup CR]
+
+* xref:../../backup_and_restore/application_backup_and_restore/backing_up_and_restoring/restoring-applications.adoc#oadp-creating-restore-cr_restoring-applications[Creating a Restore CR]
+////
+
+include::modules/ztp-image-based-upgrade-talm-upgrade.adoc[leveloffset=+1]
+
+include::modules/ztp-image-based-upgrade-talm-rollback.adoc[leveloffset=+1]
+
+include::modules/cnf-image-based-upgrade-troubleshooting.adoc[leveloffset=+1]

modules/cnf-image-based-upgrade-troubleshooting.adoc

@@ -56,24 +56,29 @@ message: failed to delete all the backup CRs. Perform cleanup manually then add
 --
 
 Resolution::
-
++
+--
 . Inspect the logs to determine why the failure occurred.
 
 . To prompt {lcao} to retry the cleanup, add the `lca.openshift.io/manual-cleanup-done` annotation to the `ImageBasedUpgrade` CR.
 
++
 After observing this annotation, {lcao} retries the cleanup and, if it is successful, the `ImageBasedUpgrade` stage transitions to `Idle`.
 
++
 If the cleanup fails again, you can manually clean up the resources.
+--
 
 [id="ztp-image-based-upgrade-troubleshooting-stateroot_{context}"]
 === Cleaning up stateroot manually
 
 Issue::
 
 Stopping at the `Prep` stage, {lcao} cleans up the new stateroot. When finalizing after a successful upgrade or a rollback, {lcao} cleans up the old stateroot.
-If this step fails, it is recommended that you inspect the logs to determine why the failure occurred. 
+If this step fails, it is recommended that you inspect the logs to determine why the failure occurred.
 
 Resolution::
++
 --
 . Check if there are any existing deployments in the stateroot by running the following command:
 +
@@ -86,21 +91,24 @@ $ ostree admin status
 +
 [source,terminal]
 ----
-$ ostree admin undeploy <index_of_deployment> 
+$ ostree admin undeploy <index_of_deployment>
 ----
 
 . After cleaning up all the deployments of the stateroot, wipe the stateroot directory by running the following commands:
 
++
 [WARNING]
 ====
 Ensure that the booted deployment is not in this stateroot.
 ====
 
++
 [source,terminal]
 ----
 $ stateroot="<stateroot_to_delete>"
 ----
 
++
 [source,terminal]
 ----
 $ unshare -m /bin/sh -c "mount -o remount,rw /sysroot && rm -rf /sysroot/ostree/deploy/${stateroot}"

modules/ztp-image-based-upgrade-talm-prep.adoc

@@ -0,0 +1,194 @@
+// Module included in the following assemblies:
+// * edge_computing/image-based-upgrade/ztp-image-based-upgrade.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="ztp-image-based-upgrade-prep-gitops_{context}"]
+= Moving to the Prep stage of the image-based upgrade with {lcao} and {ztp}
+
+When you deploy the {lcao} on a cluster, an `ImageBasedUpgrade` CR is automatically created. You update this CR to specify the image repository of the seed image and to move through the different stages.
+
+.Prerequisites
+
+* Create policies and `ConfigMap` objects for resources used in the image-based upgrade. For more information, see "Creating ConfigMap objects for the image-based upgrade with {ztp}
+
+.Procedure
+
+. Add policies for the `Prep`, `Upgrade`, and `Idle` stages to your existing group `PolicyGenTemplate` called `ibu-upgrade-ranGen.yaml`:
++
+[source,yaml]
+----
+apiVersion: ran.openshift.io/v1
+kind: PolicyGenTemplate
+metadata:
+  name: example-group-ibu
+  namespace: "ztp-group"
+spec:
+  bindingRules:
+    group-du-sno: ""
+  mcp: "master"
+  evaluationInterval: <1>
+    compliant: 10s
+    noncompliant: 10s
+  sourceFiles:
+    - fileName: ConfigMapGeneric.yaml
+      complianceType: mustonlyhave
+      policyName: "oadp-cm-policy"
+      metadata:
+        name: oadp-cm
+        namespace: openshift-adp
+    - fileName: ibu/ImageBasedUpgrade.yaml
+      policyName: "prep-stage-policy"
+      spec:
+        stage: Prep
+        seedImageRef: <2>
+          version: "4.15.0"
+          image: "quay.io/user/lca-seed:4.15.0"
+          pullSecretRef:
+            name: "<seed_pull_secret>"
+        oadpContent: <3>
+        - name: "oadp-cm"
+          namespace: "openshift-adp"
+      status:
+        conditions:
+          - reason: Completed
+            status: "True"
+            type: PrepCompleted
+            message: "Prep stage completed successfully"
+    - fileName: ibu/ImageBasedUpgrade.yaml
+      policyName: "upgrade-stage-policy"
+      spec:
+        stage: Upgrade
+      status:
+        conditions:
+          - reason: Completed
+            status: "True"
+            type: UpgradeCompleted
+    - fileName: ibu/ImageBasedUpgrade.yaml
+      policyName: "finalize-stage-policy"
+      complianceType: mustonlyhave
+      spec:
+        stage: Idle
+    - fileName: ibu/ImageBasedUpgrade.yaml
+      policyName: "finalize-stage-policy"
+      status:
+        conditions:
+          - reason: Idle
+            status: "True"
+            type: Idle
+----
+<1> The policy evaluation interval for compliant and non-compliant policies. Set them to `10s` to ensure that the policies status accurately reflects the current upgrade status.
+<2> Define the seed image, {product-title} version, and pull secret for the upgrade in the Prep stage.
+<3> Define the OADP `ConfigMap` resources required for backup and restore.
+
+. Verify that the policies required for an image-based upgrade are created by running the following command:
++
+--
+[source,terminal]
+----
+$ oc get policies -n spoke1 | grep -E "example-group-ibu"
+----
+
+.Example output
+[source,terminal]
+----
+ztp-group.example-group-ibu-oadp-cm-policy       inform               NonCompliant          31h
+ztp-group.example-group-ibu-prep-stage-policy          inform               NonCompliant          31h
+ztp-group.example-group-ibu-upgrade-stage-policy       inform               NonCompliant          31h
+ztp-group.example-group-ibu-finalize-stage-policy      inform               NonCompliant          31h
+ztp-group.example-group-ibu-rollback-stage-policy      inform               NonCompliant          31h
+----
+--
+
+. Update the `du-profile` cluster label to the target platform version or the corresponding policy-binding label in the `SiteConfig` CR.
++
+--
+[source,yaml]
+----
+apiVersion: ran.openshift.io/v1
+kind: SiteConfig
+[...]
+spec:
+  [...]
+    clusterLabels:
+      du-profile: "4.15.0"
+----
+
+[IMPORTANT]
+====
+Updating the labels to the target platform version unbinds the existing set of policies.
+====
+--
+
+. Commit and push the updated `SiteConfig` CR to the Git repository.
+
+. When you are ready to move to the `Prep` stage, create the `ClusterGroupUpgrade` CR on the target hub cluster with the `Prep` and OADP `ConfigMap` policies:
++
+[source,yaml]
+----
+apiVersion: ran.openshift.io/v1alpha1
+kind: ClusterGroupUpgrade
+metadata:
+  name: cgu-ibu-prep
+  namespace: default
+spec:
+  clusters:
+  - spoke1
+  enable: true
+  managedPolicies:
+  - example-group-ibu-oadp-cm-policy
+  - example-group-ibu-prep-stage-policy
+  remediationStrategy:
+    canaries:
+      - spoke1
+    maxConcurrency: 1
+    timeout: 240
+----
+
+. Apply the `Prep` policy by running the following command:
++
+--
+[source,terminal]
+----
+$ oc apply -f cgu-ibu-prep.yml
+----
+
+If you provide `ConfigMap` objects for OADP resources and extra manifests, {lcao} validates the specified `ConfigMap` objects during the `Prep` stage.
+You might encounter the following issues: 
+
+* Validation warnings or errors if the {lcao} detects any issues with `extraManifests` 
+* Validation errors if the {lcao} detects any issues with `oadpContent`
+
+Validation warnings do not block the `Upgrade` stage but you must decide if it is safe to proceed with the upgrade.
+These warnings, for example missing CRDs, namespaces or dry run failures, update the `status.conditions` in the `Prep` stage and `annotation` fields in the `ImageBasedUpgrade` CR with details about the warning.
+
+.Example validation warning
+[source,yaml]
+----
+[...]
+metadata:
+annotations:
+  extra-manifest.lca.openshift.io/validation-warning: '...'
+[...]
+----
+
+However, validation errors, such as adding `MachineConfig` or Operator manifests to extra manifests, cause the `Prep` stage to fail and block the `Upgrade` stage.
+
+When the validations pass, the cluster creates a new `ostree` stateroot, which involves pulling and unpacking the seed image, and running host level commands.
+Finally, all the required images are precached on the target cluster.
+--
+
+. Monitor the status and wait for the `cgu-ibu-prep` `ClusterGroupUpgrade` to report `Completed` by running the following command:
++
+--
+[source,terminal]
+----
+$ oc get cgu -n default
+----
+
+.Example output
+[source,terminal]
+----
+NAME                    AGE   STATE       DETAILS
+cgu-ibu-prep            31h   Completed   All clusters are compliant with all the managed policies
+----
+--