stackabletech
diff --git a/‎olm/README.md
Lines changed: 65 additions & 98 deletions b/‎olm/README.md
Lines changed: 65 additions & 98 deletions
diff --git a/‎olm/build-bundles.sh
Lines changed: 149 additions & 0 deletions b/‎olm/build-bundles.sh
Lines changed: 149 additions & 0 deletions
@@ -1,123 +1,90 @@
-# OLM installation files
+# Overview
 
-The following steps describe how to install a Stackable operator - in this, the operator for Apache Zookeeper - using the [Operator Lifecycle Manager](https://olm.operatorframework.io/) (OLM).
+These notes are a summary of the more in-depth, internal documentation [here](https://app.nuclino.com/Stackable/Engineering/Certification-Process-a8cf57d0-bd41-4d56-b505-f59af4159a56).
 
-It specifically installs the version 23.1.0 of the operator. Installing additional versions in the future requires generating new bundle images and updating the catalog as described below.
+# Prerequisites
 
-## Usage
-
-Prerequisite is of course a running OpenShift cluster.
-
-First, install the operator using OLM:
-
-    kubectl apply -f catalog-source.yaml \
-    -f operator-group.yaml \
-    -f subscription.yaml
-
-Then, install the operator dependencies with Helm:
-
-    helm install secret-operator stackable/secret-operator
-    helm install commons-operator stackable/commons-operator
-
-And finally, create an Apache Zookeeper cluster:
-
-    kubectl create -f examples/simple-zookeeper-cluster.yaml
-
-NOTE: The `kuttl` tests don't work because they themselves require SCCs which are not available.
-
-## OLM packaging requirements
-
-- An [OpenShift](https://developers.redhat.com/products/openshift-local/overview) cluster.
+- an [OpenShift](https://developers.redhat.com/products/openshift-local/overview) cluster with the `stackable-operators` namespace
 - [opm](https://github.com/operator-framework/operator-registry/)
 - docker and kubectl
-- `kubeadmin` access
-
-It was tested with:
-
-    $ crc version
-    WARN A new version (2.5.1) has been published on https://developers.redhat.com/content-gateway/file/pub/openshift-v4/clients/crc/2.5.1/crc-linux-amd64.tar.xz
-    CRC version: 2.4.1+b877358
-    OpenShift version: 4.10.14
-    Podman version: 4.0.2
-
-    $ oc version
-    Client Version: 4.10.14
-    Server Version: 4.10.14
-    Kubernetes Version: v1.23.5+b463d71
-
-    $ opm version
-    Version: version.Version{OpmVersion:"v1.23.2", GitCommit:"82505333", BuildDate:"2022-07-04T13:45:39Z", GoOs:"linux", GoArch:"amd64"}
-
-## Open questions
-
-- OLM [doesn't support DaemonSet(s)](https://github.com/operator-framework/operator-lifecycle-manager/issues/1022) and we need them for the secret-operator. Currently we can deploy the secret-operator using Helm but this means we cannot configure the [required](https://olm.operatorframework.io/docs/tasks/creating-operator-manifests/#required-apis) apis of the Zookeeper bundle. What are the consequences for publishing and certification ?
-- Here we create a catalog for a single operator. We probably want a catalog for all Stackable operators in the future but this will get large very quickly. Figure out how to handle this. Especially figure out what happens with new versions of the same operator.
-- OLM cannot create SecurityContextConstraints objects. The Zookeeper cluster (not the operator) cannot run with the default `restricted` SCC. The current solution is to use the `hostmount-anyuid` SCC for the `zookeeper-clusterrole`. Will this pass the certification process ?
-- Everything (catalog, subscription, etc) is installed in the `stackable-operators` namespace. Is this a good idea ?
-- The Subscription object uses `installPlanApproval: Automatic` which means the operator is updated automatically for every new version. Is this a good idea?
-
-See the [OLM documentation](https://olm.operatorframework.io/docs/tasks/) for details.
-
-## Build and publish operator bundle image
-
-Each catalog can contain several operator packages, and each operator package can contain multiple channels, each with its own bundles of different versions of the operator.
-
-### Generate operator bundle (this is operator-specific)
-
-    opm alpha bundle generate --directory manifests --package zookeeper-operator-package --output-dir bundle --channels stable --default stable
+- `kubeadmin` access: once logged in to an openshift cluster a secret is needed
+```
+export KUBECONFIG=~/.kube/config
+oc create secret generic kubeconfig --from-file=kubeconfig=$KUBECONFIG --namespace stackable-operators
+```
+- [tkn](https://github.com/tektoncd/cli)
+- a secret for `pyxis_api_key`: a token giving access to Redhat Connect 
+- a secret for `github-api-token`: a token giving access to the RH repo
 
-### Build bundle image
+# Deployment
 
-    docker build -t docker.stackable.tech/stackable/zookeeper-operator-bundle:23.1.0 -f bundle.Dockerfile .
-  	docker push docker.stackable.tech/stackable/zookeeper-operator-bundle:23.1.0
+Stackable operators can be deployed to Openshift in one of three ways:
 
-### Validate bundle image
+- Helm: either natively, or by using stackablectl
+- Operator Catalog
+- Certified Operators
 
-  	opm alpha bundle validate --tag docker.stackable.tech/stackable/zookeeper-operator-bundle:23.1.0 --image-builder docker
+The latter two require an operator to be deployed to an Openshift cluster, from where the operator (and its dependencies, if these have been defined) can be installed from the console UI. Both pathways use version-specific manifest files which are created in the [Stackable repository](https://github.com/stackabletech/openshift-certified-operators) that is forked from [here](https://github.com/redhat-openshift-ecosystem/certified-operators). These manifests are largely based on the templates used by helm, with the addition of Openshift-specific items (such as a ClusterServiceVersion manifest).
 
-## Create catalog
+## Build the bundle
 
-    mkdir catalog
-    opm generate dockerfile catalog
+An operator bundle and catalog can be built and deployed using the `build-bundle.sh` script e.g.
 
-## Create a package for each operator
+```
+./olm/build-bundles.sh -r 23.4.1 -b secret-23.4.1 -o secret-operator -d
+```
 
-    opm init zookeeper-operator-package \
-      --default-channel=stable \
-      --description=./README.md \
-      --output yaml > catalog/zookeeper-operator-package.yaml
+Where:
+- `-r <release>`: the release number (mandatory). This must be a semver-compatible value to patch-level e.g. 23.1.0.
+- `-b <branch>`: the branch name (mandatory) in the (stackable forked) openshift-certified-operators repository.
+- `-o <operator-name>`: the operator name (mandatory) e.g. airflow-operator.
+- `-d <deploy>`: optional flag for catalog deployment.
 
-    {
-        echo "---"
-        echo "schema: olm.channel"
-        echo "package: zookeeper-operator-package"
-        echo "name: stable"
-        echo "entries:"
-        echo "- name: zookeeper-operator.v23.1.0"
-    } >> catalog/zookeeper-operator-package.yaml
+The script creates a catalog specific to an operator. A catalog can contain bundles for multiple operators, but a 1:1 deployment makes it easier to deploy and test operators independently. Testing with a deployed catalog is essential as the certification pipeline should only be used for stable operators, and a certified operator can only be changed if a new version is specified.
 
-NOTE: with the command below we can add the Stackable logo as icon.
+## Use the CI pipeline
 
-    # add for each operator...
-    opm render docker.stackable.tech/stackable/zookeeper-operator-bundle:23.1.0 --output=yaml >> catalog/zookeeper-operator-package.yaml
+### Testing
 
-    # ...and then validate the entire catalog
-    opm validate catalog
+This should either be called from the stackable-utils root folder, or the `volumeClaimTemplateFile` path should be changed accordingly.
 
-The catalog is correct if the command above returns successfully without any message. If the catalog doesn't validate, the operator will not install. Now build a catalog image and push it to the repository:
+```
+export GIT_REPO_URL=https://github.com/stackabletech/openshift-certified-operators
+export BUNDLE_PATH=operators/stackable-commons-operator/23.4.1
+export LOCAL_BRANCH=commons-23.4.1
 
-    docker build .  -f catalog.Dockerfile -t docker.stackable.tech/stackable/zookeeper-operator-catalog:latest
-    docker push docker.stackable.tech/stackable/zookeeper-operator-catalog:latest
+tkn pipeline start operator-ci-pipeline \
+  --namespace stackable-operators \
+  --param git_repo_url=$GIT_REPO_URL \
+  --param git_branch=$LOCAL_BRANCH \
+  --param bundle_path=$BUNDLE_PATH \
+  --param env=prod \
+  --param kubeconfig_secret_name=kubeconfig \
+  --workspace name=pipeline,volumeClaimTemplateFile=olm/templates/workspace-template.yml \
+  --showlog
+```
 
-## Install catalog and the operator group
+### Certifying
 
-    kubectl apply -f catalog-source.yaml
-    kubectl apply -f operator-group.yaml
+This callout is identical to the previous one, with the addition of the last two parameters `upstream_repo_name` and `submit=true`:
 
-## List available operators
+```
+export GIT_REPO_URL=https://github.com/stackabletech/openshift-certified-operators
+export BUNDLE_PATH=operators/stackable-commons-operator/23.4.1
+export LOCAL_BRANCH=commons-23.4.1
 
-    kubectl get packagemanifest -n stackable-operators
+tkn pipeline start operator-ci-pipeline \
+  --namespace stackable-operators \
+  --param git_repo_url=$GIT_REPO_URL \
+  --param git_branch=$LOCAL_BRANCH \
+  --param bundle_path=$BUNDLE_PATH \
+  --param env=prod \
+  --param kubeconfig_secret_name=kubeconfig \
+  --workspace name=pipeline,volumeClaimTemplateFile=olm/templates/workspace-template.yml \
+  --showlog \
+  --param upstream_repo_name=redhat-openshift-ecosystem/certified-operators \
+  --param submit=true
+```
 
-## Install operator
+A successful callout will result in a PR being opened in the Redhat repository, from where progress can be tracked.
 
-    kubectl apply -f subscription.yaml
@@ -0,0 +1,149 @@
+#!/usr/bin/env bash
+# Usage:
+#   ./olm/build-bundles.sh -r <release as x.y.z> -b <branch-name>
+#   -r <release>: the release number (mandatory). This must be a semver-compatible value to patch-level e.g. 23.1.0.
+#   -b <branch>: the branch name (mandatory) in the (stackable forked) openshift-certified-operators repository.
+#   -o <operator-name>: the operator name (mandatory) e.g. airflow-operator.
+#   -d <deploy>: optional flag for catalog deployment.
+#
+# e.g. ./olm/build-bundles.sh -r 23.4.1 -b secret-23.4.1 -o secret-operator -d
+
+set -euo pipefail
+set -x
+
+
+SCRIPT_NAME=$(basename $0)
+
+parse_inputs() {
+  INITIAL_DIR="$PWD"
+
+  VERSION=""
+  BRANCH=""
+  OPERATOR_NAME=""
+  DEPLOY=false
+
+  while [[ "$#" -gt 0 ]]; do
+      case $1 in
+          -r|--release) VERSION="$2"; shift ;;
+          -b|--branch) BRANCH="$2"; shift ;;
+          -o|--operator) OPERATOR_NAME="$2"; shift ;;
+          -d|--deploy) DEPLOY=true ;;
+          *) echo "Unknown parameter passed: $1"; exit 1 ;;
+      esac
+      shift
+  done
+
+  # e.g. "airflow" instead of "airflow-operator"
+  OPERATOR=$(echo "${OPERATOR_NAME}" | cut -d- -f1)
+}
+
+bundle-clean() {
+	rm -rf "bundle"
+	rm -rf "bundle.Dockerfile"
+}
+
+build-bundle() {
+	opm alpha bundle generate --directory manifests --package "${OPERATOR_NAME}-package" --output-dir bundle --channels stable --default stable
+  cp metadata/*.yaml bundle/metadata/
+  docker build -t "docker.stackable.tech/stackable/${OPERATOR_NAME}-bundle:${VERSION}" -f bundle.Dockerfile .
+  docker push "docker.stackable.tech/stackable/${OPERATOR_NAME}-bundle:${VERSION}"
+  opm alpha bundle validate --tag "docker.stackable.tech/stackable/${OPERATOR_NAME}-bundle:${VERSION}" --image-builder docker
+}
+
+setup() {
+  if [ -d "catalog" ]; then
+    rm -rf catalog
+  fi
+
+  mkdir -p catalog
+  rm -f catalog.Dockerfile
+  rm -f catalog-source.yaml
+}
+
+catalog() {
+  opm generate dockerfile catalog
+
+  echo "Initiating package: ${OPERATOR}"
+  opm init "stackable-${OPERATOR}-operator" \
+      --default-channel=stable \
+      --description=./README.md \
+      --output yaml > "catalog/stackable-${OPERATOR}-operator.yaml"
+  echo "Add operator to package: ${OPERATOR}"
+  {
+    echo "---"
+    echo "schema: olm.channel"
+    echo "package: stackable-${OPERATOR}-operator"
+    echo "name: stable"
+    echo "entries:"
+    echo "- name: ${OPERATOR}-operator.v${VERSION}"
+  } >> "catalog/stackable-${OPERATOR}-operator.yaml"
+  echo "Render operator: ${OPERATOR}"
+  opm render "docker.stackable.tech/stackable/${OPERATOR}-operator-bundle:${VERSION}" --output=yaml >> "catalog/stackable-${OPERATOR}-operator.yaml"
+
+  echo "Validating catalog..."
+  opm validate catalog
+
+  echo "Build and push catalog for all ${OPERATOR} operator..."
+  docker build . -f catalog.Dockerfile -t "docker.stackable.tech/stackable/stackable-${OPERATOR}-catalog:${VERSION}"
+  docker push "docker.stackable.tech/stackable/stackable-${OPERATOR}-catalog:${VERSION}"
+}
+
+deploy() {
+  if $DEPLOY; then
+    echo "Deploying catalog..."
+
+    {
+    echo "---"
+    echo "apiVersion: operators.coreos.com/v1alpha1"
+    echo "kind: CatalogSource"
+    echo "metadata:"
+    echo "  name: stackable-${OPERATOR}-catalog"
+    echo "  namespace: stackable-operators"
+    echo "spec:"
+    echo "  sourceType: grpc"
+    echo "  image: docker.stackable.tech/stackable/stackable-${OPERATOR}-catalog:${VERSION}"
+    echo "  displayName: Stackable Catalog"
+    echo "  publisher: Stackable GmbH"
+    echo "  updateStrategy:"
+    echo "    registryPoll:"
+    echo "      interval: 10m"
+    } >> catalog-source.yaml
+
+    kubectl apply -f catalog-source.yaml
+    echo "Catalog deployment successful!"
+  fi
+}
+
+main() {
+  parse_inputs "$@"
+  if [ -z "${VERSION}" ] || [ -z "${BRANCH}" ] || [ -z "${OPERATOR_NAME}" ]; then
+    echo "Usage: $SCRIPT_NAME -r <release> -b <branch> -o <operator>"
+    exit 1
+  fi
+
+  TMPFOLDER=$(mktemp -d -t 'openshift-bundles-XXXXXXXX')
+  cd "${TMPFOLDER}"
+
+  git clone "git@github.com:stackabletech/openshift-certified-operators.git" --depth 1 --branch "${BRANCH}" --single-branch "${TMPFOLDER}/openshift-certified-operators/"
+
+  cd "${TMPFOLDER}/openshift-certified-operators/operators/stackable-${OPERATOR}-operator/${VERSION}"
+
+  # clean up any residual files from previous actions
+  bundle-clean
+  build-bundle
+
+  # should not be pushed to repo (unintentionally) once bundle is built, so clean up straight away
+  bundle-clean
+
+  echo "Bundle-build successful!"
+
+  pushd "$INITIAL_DIR/olm"
+  setup
+  catalog
+  deploy
+
+  popd
+  echo "Catalog built successfully!"
+}
+
+main "$@"