enhance singleton script to handle all cases (#1301)

* added cert-manager delegation check Signed-off-by: Henry Li <[email protected]> * fixed CS version pre_req check Signed-off-by: Henry Li <[email protected]> * removed old migration check Signed-off-by: Henry Li <[email protected]> * changed singleton script to handle migrate, install, and upgrade Signed-off-by: Henry Li <[email protected]> * changed ibmlicensing backup to licensing ns Signed-off-by: Henry Li <[email protected]> * fixed fresh install by handling non-existent cert-manager CR Signed-off-by: Henry Li <[email protected]> * fixed incorrect function call 'warn' to 'warning' Signed-off-by: Henry Li <[email protected]> * fixed is_supports_delegation not handling cluster with no CS installed Signed-off-by: Henry Li <[email protected]> * fixed migration not handling empty parameters properly, e.g. --operator-namespace '' --control-namespace '' would fail because the value of --operator-namespace was incorrectly set to '--control-namespace' Signed-off-by: Henry Li <[email protected]> * fixed licensing not being upgraded if it exists already Signed-off-by: Henry Li <[email protected]> * added 4.x upgrade support for cert-manager Signed-off-by: Henry Li <[email protected]> * updated default channel to v4.1 fixed licensing operator migration by checking for existing subscription before updating because default subscription name created by scripts does not match what ODLM creates, leading to 2 different subscriptions for the same operator changed cert-manager 4.x upgrades to actually update subscription instead of just overwriting existing yaml Signed-off-by: Henry Li <[email protected]> --------- Signed-off-by: Henry Li <[email protected]>
IBM · Jul 7, 2023 · 04e6d67 · 04e6d67
1 parent 979c7de
commit 04e6d67
Show file tree

Hide file tree

Showing 3 changed files with 178 additions and 66 deletions.
diff --git a/cp3pt0-deployment/common/migrate_singleton.sh b/cp3pt0-deployment/common/migrate_singleton.sh
@@ -16,6 +16,7 @@ OPERATOR_NS=""
 CONTROL_NS=""
 SOURCE_NS="openshift-marketplace"
 ENABLE_LICENSING=0
+LICENSING_NS=""
 NEW_MAPPING=""
 NEW_TENANT=0
 DEBUG=0
@@ -37,26 +38,32 @@ function main() {
     parse_arguments "$@"
     pre_req
 
-    if [ "$CONTROL_NS" == "$OPERATOR_NS" ]; then
-        # Delete CP2.0 Cert-Manager CR
-        ${OC} delete certmanager.operator.ibm.com default --ignore-not-found --timeout=10s
-        if [ $? -ne 0 ]; then
-            warning "Failed to delete Cert Manager CR, patching its finalizer to null..."
-            ${OC} patch certmanagers.operator.ibm.com default --type="json" -p '[{"op": "remove", "path":"/metadata/finalizers"}]'
-        fi
-        msg ""
-
-        wait_for_no_pod ${CONTROL_NS} "cert-manager-cainjector"
-        wait_for_no_pod ${CONTROL_NS} "cert-manager-controller"
-        wait_for_no_pod ${CONTROL_NS} "cert-manager-webhook"
-        # Delete cert-Manager
-        delete_operator "ibm-cert-manager-operator" "$CONTROL_NS"
-    else
+    # Delete CP2.0 Cert-Manager CR
+    ${OC} delete certmanager.operator.ibm.com default --ignore-not-found --timeout=10s
+    if [ $? -ne 0 ]; then
+        warning "Failed to delete Cert Manager CR, patching its finalizer to null..."
+        ${OC} patch certmanagers.operator.ibm.com default --type="json" -p '[{"op": "remove", "path":"/metadata/finalizers"}]'
+    fi
+
+    if [ ! -z "$CONTROL_NS" ]; then
         # Delegation of CP2 Cert Manager
         ${BASE_DIR}/delegate_cp2_cert_manager.sh --control-namespace $CONTROL_NS "--skip-user-vertify"
     fi
+
+    delete_operator "ibm-cert-manager-operator" "$OPERATOR_NS"
 
     if [[ $ENABLE_LICENSING -eq 1 ]]; then
+
+        is_exists=$("$OC" get deployments ibm-licensing-operator -n "$OPERATOR_NS")
+        if [ ! -z "$is_exists" ]; then
+            # Migrate Licensing Services Data
+            ${BASE_DIR}/migrate_cp2_licensing.sh --control-namespace "$OPERATOR_NS" --target-namespace "$LICENSING_NS" "--skip-user-vertify"
+            local is_deleted=$(("${OC}" delete -n "${CONTROL_NS}" --ignore-not-found OperandBindInfo ibm-licensing-bindinfo --timeout=10s > /dev/null && echo "success" ) || echo "fail")
+            if [[ $is_deleted == "fail" ]]; then
+                warning "Failed to delete OperandBindInfo, patching its finalizer to null..."
+                ${OC} patch -n "${CONTROL_NS}" OperandBindInfo ibm-licensing-bindinfo --type="json" -p '[{"op": "remove", "path":"/metadata/finalizers"}]'
+            fi
+        fi
         
         backup_ibmlicensing
         isExists=$("${OC}" get deployments -n "${CONTROL_NS}" --ignore-not-found ibm-licensing-operator)
@@ -65,21 +72,10 @@ function main() {
         fi
 
         # Delete licensing csv/subscriptions
-        delete_operator "ibm-licensing-operator" "$CONTROL_NS"
+        delete_operator "ibm-licensing-operator" "$OPERATOR_NS"
 
         # restore licensing configuration so that subsequent License Service install will pick them up
         restore_ibmlicensing
-
-
-        if [[ "$CONTROL_NS" == "$OPERATOR_NS" ]]; then
-            # Migrate Licensing Services Data
-            ${BASE_DIR}/migrate_cp2_licensing.sh --control-namespace $CONTROL_NS "--skip-user-vertify"
-            local is_deleted=$(("${OC}" delete -n "${CONTROL_NS}" --ignore-not-found OperandBindInfo ibm-licensing-bindinfo --timeout=10s > /dev/null && echo "success" ) || echo "fail")
-            if [[ $is_deleted == "fail" ]]; then
-                warning "Failed to delete OperandBindInfo, patching its finalizer to null..."
-                ${OC} patch -n "${CONTROL_NS}" OperandBindInfo ibm-licensing-bindinfo --type="json" -p '[{"op": "remove", "path":"/metadata/finalizers"}]'
-            fi
-        fi
     fi
 
     success "Migration is completed for Cloud Pak 3.0 Foundational singleton services."
@@ -89,7 +85,7 @@ function main() {
 function restore_ibmlicensing() {
 
     # extracts the previously saved IBMLicensing CR from ConfigMap and creates the IBMLicensing CR
-    "${OC}" get cm ibmlicensing-instance-bak -n ${CONTROL_NS} -o yaml --ignore-not-found | "${YQ}" .data | sed -e 's/.*ibmlicensing.yaml.*//' | 
+    "${OC}" get cm ibmlicensing-instance-bak -n ${LICENSING_NS} -o yaml --ignore-not-found | "${YQ}" .data | sed -e 's/.*ibmlicensing.yaml.*//' | 
     sed -e 's/^  //g' | oc apply -f -
 
 }
@@ -109,7 +105,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: ibmlicensing-instance-bak
-  namespace: ${CONTROL_NS}
+  namespace: ${LICENSING_NS}
 data:
   ibmlicensing.yaml: |
 ${instance}
@@ -133,6 +129,14 @@ function parse_arguments() {
             shift
             OPERATOR_NS=$1
             ;;
+        --control-namespace)
+            shift
+            CONTROL_NS=$1
+            ;;
+        --licensing-namespace)
+            shift
+            LICENSING_NS=$1
+            ;;
         --enable-licensing)
             ENABLE_LICENSING=1
             ;;
@@ -170,20 +174,9 @@ function print_usage() {
 }
 
 function pre_req() {
-    if [ "$OPERATOR_NS" == "" ]; then
-        error "Must provide operator namespace"
-    fi
-
     if [ "$CONTROL_NS" == "" ]; then
         CONTROL_NS=$OPERATOR_NS
-    fi
-    
-    get_and_validate_arguments
-}
-
-# TODO validate argument
-function get_and_validate_arguments() {
-    get_control_namespace
+    fi    
 }
 
-main $*
+main "$@"
diff --git a/cp3pt0-deployment/common/utils.sh b/cp3pt0-deployment/common/utils.sh
@@ -1078,3 +1078,41 @@ function debug1() {
        debug "${1}"
     fi
 }
+
+# check if version of CS supports delegation for ibm-cert-manager-operator
+# >= v3.19.9 if in v3 channel
+# or >= v3.21.0 in any other channel
+function is_supports_delegation() {
+    local version=$1
+    major=$(echo "$version" | cut -d '.' -f1 | cut -d 'v' -f2)
+    minor=$(echo "$version" | cut -d '.' -f2)
+    patch=$(echo "$version" | cut -d '.' -f3)
+
+    if [ -z "$version" ]; then
+        info "No ibm-common-service-operator found on the cluster, skipping delegation check"
+        return 0
+    fi
+
+    if [ "$major" -gt 3 ]; then
+        info "Major version is greater than 3, skipping delegation check"
+        return 0
+    fi
+
+    if [ "$major" -lt 3 ]; then
+        return 1
+    fi
+
+    if [ "$minor" -lt 19 ]; then
+        return 1
+    fi
+
+    # only LTSR starting from 3.19.9 supported delegation
+    if [ "$minor" -eq 19 ]; then
+        if [ "$patch" -lt 9 ]; then
+            return 1
+        fi
+    fi
+
+    echo "Version: $version supports cert-manager delegation"
+}
+
diff --git a/cp3pt0-deployment/setup_singleton.sh b/cp3pt0-deployment/setup_singleton.sh
@@ -16,7 +16,7 @@ ENABLE_PRIVATE_CATALOG=0
 MIGRATE_SINGLETON=0
 OPERATOR_NS=""
 CONTROL_NS=""
-CHANNEL="v4.0"
+CHANNEL="v4.1"
 SOURCE_NS="openshift-marketplace"
 INSTALL_MODE="Automatic"
 CERT_MANAGER_SOURCE="ibm-cert-manager-catalog"
@@ -29,6 +29,8 @@ DEBUG=0
 CUSTOMIZED_LICENSING_NAMESPACE=0
 SKIP_INSTALL=0
 CHECK_LICENSING_ONLY=0
+CERT_MANAGER_V1_OWNER="operator.ibm.com/v1"
+CERT_MANAGER_V1ALPHA1_OWNER="operator.ibm.com/v1alpha1"
 
 # ---------- Command variables ----------
 
@@ -50,12 +52,15 @@ function main() {
     save_log "logs" "setup_singleton_log" "$DEBUG"
     trap cleanup_log EXIT
     pre_req
+
+    is_migrate_licensing
+    is_migrate_cert_manager
+
     if [ $MIGRATE_SINGLETON -eq 1 ]; then
-        info "Found parameter '--operator-namespace', migrating singleton services"
         if [ $ENABLE_LICENSING -eq 1 ]; then
-            ${BASE_DIR}/common/migrate_singleton.sh "--operator-namespace" "$OPERATOR_NS" "--enable-licensing"
+            ${BASE_DIR}/common/migrate_singleton.sh "--operator-namespace" "$OPERATOR_NS" --control-namespace "$CONTROL_NS" "--enable-licensing" --licensing-namespace "$LICENSING_NAMESPACE"
         else
-            ${BASE_DIR}/common/migrate_singleton.sh "--operator-namespace" "$OPERATOR_NS" 
+            ${BASE_DIR}/common/migrate_singleton.sh "--operator-namespace" "$OPERATOR_NS" --control-namespace "$CONTROL_NS"
         fi
     fi
 
@@ -158,6 +163,57 @@ function print_usage() {
     echo ""
 }
 
+function is_migrate_cert_manager() {
+    title "Check migrating and deactivating LTSR ibm-cert-manager-operator"
+    local webhook_ns=$("$OC" get deployments -A | grep cert-manager-webhook | cut -d ' ' -f1)
+    if [ -z "$webhook_ns" ]; then
+        info "No cert-manager-webhook found, skipping migration"
+        return 0
+    fi
+    local api_version=$("$OC" get deployments -n "$webhook_ns" cert-manager-webhook -o jsonpath='{.metadata.ownerReferences[*].apiVersion}')
+    if [ "$api_version" != "$CERT_MANAGER_V1ALPHA1_OWNER" ]; then
+        info "LTSR ibm-cert-manager-operator already deactivated, skipping"
+        return 0
+    fi
+    MIGRATE_SINGLETON=1
+    get_and_validate_arguments
+}
+
+function is_migrate_licensing() {
+    if [ $ENABLE_LICENSING -ne 1 ] && [ $CHECK_LICENSING_ONLY -ne 1 ]; then
+        return
+    fi
+
+    title "Check migrating LTSR ibm-licensing-operator"
+
+    local version=$("$OC" get ibmlicensing instance -o jsonpath='{.spec.version}')
+    if [ -z "$version" ]; then
+        warning "No version field in ibmlicensing CR, skipping"
+        return 0
+    fi
+    local major=$(echo "$version" | cut -d '.' -f1)
+    if [ "$major" -ge 4 ]; then
+        info "There is no LTSR ibm-licensing-operator to migrate, skipping"
+        return 0
+    fi
+
+    local ns=$("$OC" get deployments -A | grep ibm-licensing-operator | cut -d ' ' -f1)
+    if [ -z "$ns" ]; then
+        info "No LTSR ibm-licensing-operator to migrate, skipping"
+        return 0
+    fi
+
+    get_and_validate_arguments
+    if [ ! -z "$CONTROL_NS" ]; then
+        if [[ "$CUSTOMIZED_LICENSING_NAMESPACE" -eq 1 ]] && [[ "$CONTROL_NS" != "$LICENSING_NAMESPACE" ]]; then
+            error "Licensing Migration could only be done in $CONTROL_NS, please do not set parameter '-licensingNs $LICENSING_NAMESPACE'"
+        fi
+        LICENSING_NAMESPACE="$CONTROL_NS"
+    fi
+
+    MIGRATE_SINGLETON=1
+}
+
 function install_cert_manager() {
     if [ $CHECK_LICENSING_ONLY -eq 1 ]; then
         return
@@ -169,10 +225,10 @@ function install_cert_manager() {
         warning "There is a cert-manager Subscription already\n"
     fi
 
-    pods_exist=$(${OC} get pods -A | grep -w cert-manager-webhook)
-    if [ $? -eq 0 ]; then
+    local webhook_ns=$("$OC" get deployments -A | grep cert-manager-webhook | cut -d ' ' -f1)
+    if [ ! -z "$webhook_ns" ]; then
         warning "There is a cert-manager-webhook pod Running, so most likely another cert-manager is already installed\n"
-        return 0
+        info "Continue to upgrade check\n"
     elif [ $SKIP_INSTALL -eq 1 ]; then
         error "There is no cert-manager-webhook pod running\n"
     fi
@@ -181,9 +237,28 @@ function install_cert_manager() {
         SOURCE_NS="${CERT_MANAGER_NAMESPACE}"
     fi
 
+    local api_version=$("$OC" get deployments -n "$webhook_ns" cert-manager-webhook -o jsonpath='{.metadata.ownerReferences[*].apiVersion}')
+    if [ ! -z "$api_version" ]; then
+        if [ "$api_version" == "$CERT_MANAGER_V1ALPHA1_OWNER" ]; then
+            error "Cluster has not deactivated LTSR ibm-cert-manager-operator yet, please re-run this script"
+        fi
+
+        if [ "$api_version" != "$CERT_MANAGER_V1_OWNER" ]; then
+            warning "Cluster has a non ibm-cert-manager-operator already installed, skipping"
+            return 0
+        fi
+
+        info "Upgrading ibm-cert-manager-operator to channel: $CHANNEL\n"
+    fi
+
     create_namespace "${CERT_MANAGER_NAMESPACE}"
     create_operator_group "ibm-cert-manager-operator" "${CERT_MANAGER_NAMESPACE}" "{}"
-    create_subscription "ibm-cert-manager-operator" "${CERT_MANAGER_NAMESPACE}" "$CHANNEL" "ibm-cert-manager-operator" "${CERT_MANAGER_SOURCE}" "${SOURCE_NS}" "${INSTALL_MODE}"
+    is_sub_exist "ibm-cert-manager-operator" "${CERT_MANAGER_NAMESPACE}" # this will catch the packagenames of all cert-manager-operators
+    if [ $? -eq 0 ]; then
+        update_operator "ibm-cert-manager-operator" "${CERT_MANAGER_NAMESPACE}" "$CHANNEL" "${CERT_MANAGER_SOURCE}" "${SOURCE_NS}" "${INSTALL_MODE}"
+    else
+        create_subscription "ibm-cert-manager-operator" "${CERT_MANAGER_NAMESPACE}" "$CHANNEL" "ibm-cert-manager-operator" "${CERT_MANAGER_SOURCE}" "${SOURCE_NS}" "${INSTALL_MODE}"
+    fi
     wait_for_operator "${CERT_MANAGER_NAMESPACE}" "ibm-cert-manager-operator"
     accept_license "certmanagerconfig.operator.ibm.com" "" "default"
 }
@@ -196,8 +271,7 @@ function install_licensing() {
     title "Installing licensing\n"
     is_sub_exist "ibm-licensing-operator-app" # this will catch the packagenames of all ibm-licensing-operator-app
     if [ $? -eq 0 ]; then
-        warning "There is an ibm-licensing-operator-app Subscription already\n"
-        return 0
+        warning "There is an ibm-licensing-operator-app Subscription already, so will upgrade it\n"
     elif [ $SKIP_INSTALL -eq 1 ]; then
         error "There is no ibm-licensing-operator-app Subscription installed\n"
     fi
@@ -206,6 +280,13 @@ function install_licensing() {
         SOURCE_NS="${LICENSING_NAMESPACE}"
     fi
 
+    local ns=$("$OC" get deployments -A | grep ibm-licensing-operator | cut -d ' ' -f1)
+    if [ ! -z "$ns" ]; then
+        if [ "$ns" != "$LICENSING_NAMESPACE" ]; then
+            error "An ibm-licensing-operator already installed in namespace: $ns, expected namespace is: $LICENSING_NAMESPACE"
+        fi
+    fi
+
     create_namespace "${LICENSING_NAMESPACE}"
 
     target=$(cat <<EOF
@@ -215,7 +296,12 @@ function install_licensing() {
 EOF
 )
     create_operator_group "ibm-licensing-operator-app" "${LICENSING_NAMESPACE}" "$target"
-    create_subscription "ibm-licensing-operator-app" "${LICENSING_NAMESPACE}" "$CHANNEL" "ibm-licensing-operator-app" "${LICENSING_SOURCE}" "${SOURCE_NS}" "${INSTALL_MODE}"
+    is_sub_exist "ibm-licensing-operator-app" # this will catch the packagenames of all ibm-licensing-operator-app
+    if [ $? -eq 0 ]; then
+        update_operator "ibm-licensing-operator-app" "${LICENSING_NAMESPACE}" "$CHANNEL" "${LICENSING_SOURCE}" "${SOURCE_NS}" "${INSTALL_MODE}"
+    else
+        create_subscription "ibm-licensing-operator-app" "${LICENSING_NAMESPACE}" "$CHANNEL" "ibm-licensing-operator-app" "${LICENSING_SOURCE}" "${SOURCE_NS}" "${INSTALL_MODE}"
+    fi
     wait_for_operator "${LICENSING_NAMESPACE}" "ibm-licensing-operator"
     wait_for_license_instance
     accept_license "ibmlicensing" "" "instance"
@@ -269,18 +355,13 @@ function pre_req() {
         error "Channel is not semantic vx.y"
     fi
 
-    if [ "$OPERATOR_NS" == "" ]; then
-        MIGRATE_SINGLETON=0
-    else
-        MIGRATE_SINGLETON=1
-        get_and_validate_arguments
-        if [[ "$ENABLE_LICENSING" == 1 ]];then
-            if [[ "$CUSTOMIZED_LICENSING_NAMESPACE" -eq 1 ]] && [[ "$CONTROL_NS" != "$LICENSING_NAMESPACE" ]] && [[ "$CONTROL_NS" != "" ]]; then
-                error "Licensing Migration could only be done in $CONTROL_NS, please do not set parameter '-licensingNs $LICENSING_NAMESPACE'"
-            elif [[ "$CONTROL_NS" != "" ]]; then
-                LICENSING_NAMESPACE="${CONTROL_NS}"
-            fi
-        fi
+    # Check if all CS installations are above 3.19.9
+    local csvs=$("$OC" get csv -A | grep ibm-common-service-operator | awk '{print $2}' | sort -V)
+    local version=$(echo "$csvs" | head -n 1 | cut -d '.' -f2-)
+    is_supports_delegation "$version"
+
+    if [ -z "$OPERATOR_NS" ]; then
+        OPERATOR_NS=$("$OC" project --short)
     fi
 }
 
@@ -289,4 +370,4 @@ function get_and_validate_arguments() {
     get_control_namespace
 }
 
-main $*
+main "$@"