openstack-operator/hack/pin-bundle-images.sh at ea0e18756e789e0703ad478c54d650c82464a170 · openstack-k8s-operators/openstack-operator · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
#!/bin/bash
set -eo pipefail

# This script can be executed in 2 modes. If DOCKERFILE is set then we replace the image locations there with pinned SHA version.
# If no DOCKERFILE is set the script just echo's a list of bundle dependencies to stout as a single common separated line. This
# is suitable for use with OPM catalog/index creation
DOCKERFILE=${DOCKERFILE:-""}
IMAGENAMESPACE=${IMAGENAMESPACE:-"openstack-k8s-operators"}
IMAGEREGISTRY=${IMAGEREGISTRY:-"quay.io"}
IMAGEBASE=${IMAGEBASE:-}
IMAGECUSTOMTAG=${IMAGECUSTOMTAG:-}
LOCAL_REGISTRY=${LOCAL_REGISTRY:-0}

if [ -n "$DOCKERFILE" ]; then
    cp "$DOCKERFILE" "${DOCKERFILE}.pinned"
    set -exo pipefail #in DOCKERFILE mode we like extra logging
fi

#loop over each openstack-k8s-operators go.mod entry
MOD_PATHS=$(go list -mod=readonly -m -json all | jq -r '. | select(.Path | contains("openstack")) | select(.Path | contains("openstack-operator") | not) | select(.Path | contains("lib-common") | not) | .Replace // . |.Path')
for MOD_PATH in ${MOD_PATHS}; do
    if [[ "$MOD_PATH" == "./apis" ]]; then
        continue
    fi
    MOD_VERSION=$(go list -mod=readonly -m -json all | jq -r ". | select(.Path | contains(\"openstack\")) | .Replace // . | select( .Path == \"$MOD_PATH\") | .Version")

    BASE=$(echo $MOD_PATH | sed -e 's|github.com/.*/\(.*\)-operator/.*|\1|')

    GIT_REPO=${MOD_PATH%"/apis"}
    GIT_REPO=${GIT_REPO%"/api"}

    # Check if there is a custom tag for IMAGEBASE operator
    if [[ -n "$IMAGECUSTOMTAG" && "$BASE" == "$IMAGEBASE" ]]; then
        REF=${IMAGECUSTOMTAG}
    else
        REF=$(echo $MOD_VERSION | sed -e 's|v[0-9]*.[0-9]*.[0-9]*-.*[0-9]*-\(.*\)$|\1|')
        if [[ "$REF" == v* ]]; then
            REF=$(git ls-remote https://${GIT_REPO} | grep ${REF} | awk 'NR==1{print $1}')
        fi
    fi

    GITHUB_USER=$(echo $MOD_PATH | sed -e 's|github.com/\(.*\)/.*-operator/.*$|\1|')
    CURL_REGISTRY="quay.io"
    REPO_CURL_URL="https://${CURL_REGISTRY}/api/v1/repository/openstack-k8s-operators"
    REPO_URL="${CURL_REGISTRY}/openstack-k8s-operators"

    # IMAGEBASE takes precedence - if this operator matches IMAGEBASE, use custom registry
    if [[ "$BASE" == "$IMAGEBASE" ]]; then
        REPO_URL="${IMAGEREGISTRY}/${IMAGENAMESPACE}"
        CURL_REGISTRY="${IMAGEREGISTRY}"
        if [[ ${LOCAL_REGISTRY} -eq 1 ]]; then
            REPO_CURL_URL="http://${CURL_REGISTRY}/v2/${IMAGENAMESPACE}"
        elif [[ "${CURL_REGISTRY}" == "docker.io" ]]; then
            REPO_CURL_URL="https://hub.docker.com/v2/repositories/${IMAGENAMESPACE}"
        else
            REPO_CURL_URL="https://${CURL_REGISTRY}/api/v1/repository/${IMAGENAMESPACE}"
        fi
    # For operators with replace directives (non-openstack-k8s-operators users),
    # bundle images are only on quay.io, not mirrored to local registry
    elif [[ "$GITHUB_USER" != "openstack-k8s-operators" ]]; then
        # Force quay.io for replaced operators, use the GitHub user's namespace
        CURL_REGISTRY="quay.io"
        REPO_CURL_URL="https://${CURL_REGISTRY}/api/v1/repository/${GITHUB_USER}"
        REPO_URL="${CURL_REGISTRY}/${GITHUB_USER}"
    # For standard operators with custom registry settings
    elif [[ "$IMAGENAMESPACE" != "openstack-k8s-operators" || "${IMAGEREGISTRY}" != "quay.io" ]]; then
        REPO_URL="${IMAGEREGISTRY}/${IMAGENAMESPACE}"
        CURL_REGISTRY="${IMAGEREGISTRY}"
        # Quay registry v2 api does not return all the tags that's why keeping v1 for quay and v2
        # for local registry
        if [[ ${LOCAL_REGISTRY} -eq 1 ]]; then
            REPO_CURL_URL="http://${CURL_REGISTRY}/v2/${IMAGENAMESPACE}"
        elif [[ "${CURL_REGISTRY}" == "docker.io" ]]; then
            # replace docker.io by hub.docker.com to read tags
            REPO_CURL_URL="https://hub.docker.com/v2/repositories/${IMAGENAMESPACE}"
        else
            REPO_CURL_URL="https://${CURL_REGISTRY}/api/v1/repository/${IMAGENAMESPACE}"
        fi
    fi

    # Query local registry only for standard operators (openstack-k8s-operators) or custom IMAGEBASE
    # Replaced operators (e.g., lmiccini/*) always query quay.io since bundles aren't mirrored locally
    if [[ ${LOCAL_REGISTRY} -eq 1 && ( "$GITHUB_USER" == "openstack-k8s-operators" || "$BASE" == "$IMAGEBASE" ) ]]; then
        SHA=$(curl -s ${REPO_CURL_URL}/$BASE-operator-bundle/tags/list | jq -r '.tags // [] | .[]' | sort -u | { grep $REF || true; })
        # If local registry doesn't have the bundle, fall back to quay.io
        if [ -z "$SHA" ]; then
            SHA=$(curl -s https://quay.io/api/v1/repository/openstack-k8s-operators/$BASE-operator-bundle/tag/?onlyActiveTags=true\&filter_tag_name=like:$REF | jq -r '.tags // [] | .[].name')
            # Update REPO_URL to use quay.io since we're falling back
            REPO_URL="quay.io/openstack-k8s-operators"
        fi
    elif [[ "${CURL_REGISTRY}" == "docker.io" ]]; then
        SHA=$(curl -s ${REPO_CURL_URL}/$BASE-operator-bundle/tags/?page_size=100 | jq -r '.results // [] | .[].name' | sort -u | { grep $REF || true; })
    elif [[ "${CURL_REGISTRY}" != "quay.io" ]]; then
        # quay.rdoproject.io doesn't support filter_tag_name, so increase limit to 100
        SHA=$(curl -s ${REPO_CURL_URL}/$BASE-operator-bundle/tag/?onlyActiveTags=true\&limit=100 | jq -r '.tags // [] | .[].name' | sort -u | { grep $REF || true; })
        # If non-quay.io registry doesn't have the bundle for openstack-k8s-operators, fall back to quay.io
        if [[ -z "$SHA" && "$GITHUB_USER" == "openstack-k8s-operators" ]]; then
            SHA=$(curl -s https://quay.io/api/v1/repository/openstack-k8s-operators/$BASE-operator-bundle/tag/?onlyActiveTags=true\&filter_tag_name=like:$REF | jq -r '.tags // [] | .[].name')
            # Update REPO_URL to use quay.io since we're falling back
            REPO_URL="quay.io/openstack-k8s-operators"
        fi
    else
        SHA=$(curl -s ${REPO_CURL_URL}/$BASE-operator-bundle/tag/?onlyActiveTags=true\&filter_tag_name=like:$REF | jq -r '.tags // [] | .[].name')
    fi

    if [ -z "$SHA" ]; then
        echo "ERROR: Failed to find bundle image SHA for:"
        echo "  MOD_PATH: $MOD_PATH"
        echo "  BASE: $BASE"
        echo "  REF: $REF"
        echo "  REPO_URL: $REPO_URL"
        echo "  REPO_CURL_URL: $REPO_CURL_URL"
        echo "  Bundle: ${REPO_URL}/${BASE}-operator-bundle:$REF"
        echo ",EMPTY_SHA:$REF:$REPO_CURL_URL"
        exit 1
    fi

    if [ -n "$DOCKERFILE" ]; then
        sed -i "${DOCKERFILE}.pinned" -e "s|quay.io/openstack-k8s-operators/${BASE}-operator-bundle.*|${REPO_URL}/${BASE}-operator-bundle:$SHA|"
    else
        echo -n ",${REPO_URL}/${BASE}-operator-bundle:$SHA"
    fi
done
# append the rabbitmq URL only if we aren't in Dockerfile mode
if [ -z "$DOCKERFILE" ]; then
    # pin rabbit to sha256 for our v2.16.0_patches fork
    echo -n ",quay.io/openstack-k8s-operators/rabbitmq-cluster-operator-bundle@sha256:1612b82e274827281af1d64740a7d52e21745bc74c91d5149f111135d8e7779f"
fi