[WIP] Image Builder Updates

ansible/playbooks/oci-build-installer-image.yaml

@@ -3,6 +3,8 @@
   hosts: localhost
   roles:
     - role: openshift-image-builder-imi
+      vars:
+        pipeline_mode: true
 
 - name: Find Appropriate Image Builder Host
   become: yes

ansible/playbooks/oci-create-image.yaml

@@ -1,18 +1,20 @@
 - name: Generate In-Memory Inventory of OpenShift VMs
-  gather_facts: no
+  gather_facts: false
   hosts: localhost
   roles:
     - role: openshift-image-builder-imi
+      vars:
+        pipeline_mode: true
 
 - name: Find Appropriate Image Builder Host
-  become: yes
+  become: true
   hosts: builders
   roles:
     - role: pipeline-scheduler
 
 - name: Create OCI Image
-  become: yes
-  gather_facts: no
+  become: true
+  gather_facts: false
   hosts: pipeline_target_host
   tasks:
     - name: Configure Content Sources

ansible/playbooks/redhat-image-downloader.yaml

@@ -1,10 +1,18 @@
 - name: Download Red Hat Images
+  gather_facts: false
   hosts: localhost
   vars:
     nexus_credentials_secret_name: nexus-rfe-credentials
-  roles:
-    - role: redhat-image-downloader
   tasks:
+    - name: Assert image_checksums is Defined
+      ansible.builtin.assert:
+        that:
+          - image_checksums is defined
+
+    - name: Download Images
+      ansible.builtin.import_role:
+        name: redhat-image-downloader
+
     - name: Get Nexus Credentials
       community.kubernetes.k8s_info:
         api_key: "{{ lookup('file', '/var/run/secrets/kubernetes.io/serviceaccount/token') }}"
@@ -27,8 +35,8 @@
       ansible.builtin.include_role:
         name: content-download-upload
         tasks_from: upload-rfe-artifact.yaml
+      loop: "{{ image_urls.results }}"
       vars:
         file_to_upload: "/tmp/{{ item.json.body.filename }}"
         nexus_repository: rfe-rhel-media
         skip_httpd_upload: true
-      loop: "{{ image_urls.results }}"

ansible/roles/image-builder-content-sources/tasks/reconfigure-repositories.yaml

@@ -2,10 +2,25 @@
   ansible.builtin.set_fact:
     rhsm_repositories_list: "{{ ((rhsm_repositories | b64decode | from_json) | from_json).repositories | list }}"
 
-- name: Reconfigure RHSM Repositories
+- name: Reconfigure RHSM Repositories from Pipeline (Custom Sources)
   community.general.rhsm_repository:
     name: "{{ rhsm_repositories_list | join(',') }}"
-    purge: yes
+    purge: true
     state: enabled
   when:
-    - rhsm_repositories_list | count > 0
+    - rhsm_repositories_list | count > 0
+
+- name: Reconfigure RHSM Repositories from Pool Config (Default Sources)
+  when:
+    - rhsm_repositories_list | count == 0
+  block:
+    - name: Query Pool Default Repositories
+      ansible.builtin.slurp:
+        src: /var/configmaps/pool-default-config/channels
+      register: pool_default_repositories
+
+    - name: Setup Repositories
+      community.general.rhsm_repository:
+        name: "{{ pool_default_repositories.content | b64decode | from_json }}"
+        purge: true
+        state: enabled

ansible/roles/image-builder-content-sources/tasks/remove-existing-sources.yaml

@@ -1,24 +1,28 @@
 - name: Get List of Existing Content Sources
   ansible.builtin.command: >
     composer-cli -j sources list
+  changed_when: false
   register: existing_sources
 
 - name: Create CSV of Existing Content Sources
   ansible.builtin.set_fact:
     existing_sources_csv: "{{ (existing_sources.stdout | from_json | first).body.sources | join(',') }}"
 
 - name: Remove Applicable Existing Content Sources
+  when:
+    - (existing_sources.stdout | from_json | first).body.sources | count > 0
   block:
     - name: Get Details of Existing Content Sources
       ansible.builtin.command: >
         composer-cli -j sources info {{ existing_sources_csv }}
+      changed_when: false
       register: existing_sources_detail
 
     - name: Remove Existing Content Sources
       ansible.builtin.command: >
         composer-cli sources delete {{ item.id }}
+      changed_when: existing_sources_delete.rc == 0
       loop: "{{ (existing_sources_detail.stdout | from_json | first | json_query('body.sources.[*]'))[0] }}"
+      register: existing_sources_delete
       when:
-        - item.system == false
-  when:
-    - (existing_sources.stdout | from_json | first).body.sources | count > 0
+        - not item.system

ansible/roles/image-builder/tasks/ingress-default-certificate.yaml

@@ -1,32 +1,39 @@
 - name: Append Certificates
-  block:
-  - name: Query Ingress TLS Secret
-    community.kubernetes.k8s_info:
-      api_key: "{{ lookup('file', '/var/run/secrets/kubernetes.io/serviceaccount/token') }}"
-      api_version: v1
-      ca_cert: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
-      host: https://kubernetes.default.svc
-      kind: Secret
-      name: "{{ item.spec.defaultCertificate.name }}"
-      namespace: "{{ ingress_controller_namespace }}"
-      validate_certs: yes
-    become: no
-    delegate_to: localhost
-    register: ingress_controller_tls_secret
-
-  - name: Append Additional Certificates to Payload
-    ansible.builtin.set_fact:
-      ca_certificate_text: |
-        {{
-          ca_certificate_text +
-          (ingress_controller_tls_secret.resources[0].data['tls.crt'] | b64decode)
-        }}
-
-  - name: Ensure Updated Certificate Payload has Trailing Empty Line
-    ansible.builtin.set_fact:
-      ca_certificate_text: "{{ ca_certificate_text + \"\n\" }}"
-    when:
-      - ca_certificate_text[-1:] != "\n"
   when:
     - item.spec.defaultCertificate.name is defined
     - item.spec.defaultCertificate.name != ""
+  block:
+    - name: Query Ingress TLS Secret
+      community.kubernetes.k8s_info:
+        api_key: "{{ lookup('file', '/var/run/secrets/kubernetes.io/serviceaccount/token') }}"
+        api_version: v1
+        ca_cert: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+        host: https://kubernetes.default.svc
+        kind: Secret
+        name: "{{ item.spec.defaultCertificate.name }}"
+        namespace: "{{ ingress_controller_namespace }}"
+        validate_certs: true
+      become: false
+      delegate_to: localhost
+      register: ingress_controller_tls_secret
+      run_once: true
+
+    - name: Append Additional Certificates to Payload
+      ansible.builtin.set_fact:
+        ca_certificate_text: |
+          {{
+            ca_certificate_text +
+            (ingress_controller_tls_secret.resources[0].data['tls.crt'] | b64decode)
+          }}
+      become: false
+      delegate_to: localhost
+      run_once: true
+
+    - name: Ensure Updated Certificate Payload has Trailing Empty Line
+      ansible.builtin.set_fact:
+        ca_certificate_text: "{{ ca_certificate_text + \"\n\" }}"
+      become: false
+      delegate_to: localhost
+      run_once: true
+      when:
+        - ca_certificate_text[-1:] != "\n"