fix(deploy,olm): Allow installing previous (non-latest) versions of RHDH operator from catalog

Signed-off-by: Pavel Macík <pavel.macik@gmail.com>

Author: pmacik

ci-scripts/rhdh-setup/common.sh

@@ -0,0 +1,79 @@
+#!/bin/bash
+
+TMP_DIR=${TMP_DIR:-$(python3 -c 'import os, sys; print(os.path.realpath(sys.argv[1]))' .tmp)}
+mkdir -p "$TMP_DIR"
+
+cli="oc"
+
+log() {
+  echo "{\"level\":\"${2:-info}\",\"ts\":\"$(date -u -Ins)\",\"message\":\"$1\"}"
+}
+
+log_info() {
+  log "$1" "info"
+}
+
+log_warn() {
+  log "$1" "warn"
+}
+
+log_error() {
+  log "$1" "error"
+}
+
+log_token() {
+  log "$1" "$2" >>"$TMP_DIR/get_token.log"
+}
+
+log_token_info() {
+  log_token "$1" "info"
+}
+
+log_token_err() {
+  log_token "$1" "error"
+}
+
+wait_and_approve_install_plans() {
+  namespace=${1:-namespace}
+  initial_timeout=${2:-300}
+  component_prefix=${3:-}
+  description=${4:-"install plans in $namespace"}
+  timeout_timestamp=$(python3 -c "from datetime import datetime, timedelta; t_add=int('$initial_timeout'); print(int((datetime.now() + timedelta(seconds=t_add)).timestamp()))")
+  interval=10
+
+  log_info "Waiting for unapproved install plans in $namespace namespace..."
+
+  # Wait for install plans to appear with timeout
+  install_plans=""
+  for ((i = 0; i < initial_timeout; i += interval)); do
+    install_plans=$($cli get installplan -n "$namespace" --sort-by=.metadata.creationTimestamp -o json | jq -r --arg prefix "$component_prefix" '.items[] | select(any(.spec.clusterServiceVersionNames[]; startswith($prefix))) | select(.spec.approved == false) | .metadata.name' 2>/dev/null)
+
+    echo "install_plans: $install_plans"
+    if [ -n "$install_plans" ]; then
+      break
+    fi
+
+    if [ "$(date "+%s")" -gt "$timeout_timestamp" ]; then
+      log_error "Timeout waiting for $description"
+      exit 1
+    fi
+
+    log_info "Waiting ${interval}s for $description..."
+    sleep "$interval"
+  done
+
+  # Approve each install plan found
+  if [ -n "$install_plans" ]; then
+    log_info "Found unapproved install plans in $namespace namespace, approving all..."
+    for install_plan in $install_plans; do
+      log_info "Approving install plan '$install_plan'..."
+      $cli patch installplan "$install_plan" -n "$namespace" --type merge --patch '{"spec":{"approved":true}}'
+    done
+    return $?
+  else
+    log_error "No unapproved install plans found in $namespace namespace within timeout"
+    exit 1
+  fi
+}
+
+export -f log_info log_warn log_error log_token log_token_info log_token_err wait_and_approve_install_plans

ci-scripts/rhdh-setup/create_resource.sh

@@ -4,6 +4,9 @@ SCRIPT_DIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)
 # shellcheck disable=SC1090,SC1091
 source "$(python3 -c 'import os, sys; print(os.path.realpath(sys.argv[1]))' "$SCRIPT_DIR"/../../test.env)"
 
+# shellcheck disable=SC1091
+source "${SCRIPT_DIR}/common.sh"
+
 export TMP_DIR WORKDIR
 
 POPULATION_CONCURRENCY=${POPULATION_CONCURRENCY:-10}
@@ -19,7 +22,7 @@ COOKIE="$TMP_DIR/cookie.jar"
 
 keycloak_url() {
   f="$TMP_DIR/keycloak.url"
-  if command -v  flock >/dev/null 2>&1; then
+  if command -v flock >/dev/null 2>&1; then
     exec 4>"$kc_lockfile"
     flock 4 || {
       echo "Failed to acquire lock"
@@ -30,7 +33,7 @@ keycloak_url() {
       echo -n "https://$(oc get routes keycloak -n "${RHDH_NAMESPACE}" -o jsonpath='{.spec.host}')" >"$f"
     fi
     flock -u 4
-  elif command -v  shlock >/dev/null 2>&1; then
+  elif command -v shlock >/dev/null 2>&1; then
     LOCKFILE="$TMP_DIR/kc_lockfile"
     trap 'rm -f "$LOCKFILE"' EXIT
 
@@ -148,8 +151,8 @@ clone_and_upload() {
 
   files=()
   while IFS= read -r line; do
-      files+=("$line")
-  done <<< "$out"
+    files+=("$line")
+  done <<<"$out"
 
   for filename in "${files[@]}"; do
     cp -vf "$filename" "$(basename "$filename")"
@@ -224,7 +227,7 @@ get_group_id_by_name() {
   response=$(curl -s -k --location --request GET "$(keycloak_url)/auth/admin/realms/backstage/groups?search=${group_name}" \
     -H 'Content-Type: application/json' \
     -H "Authorization: Bearer $token" 2>&1)
-  
+
   if [[ "$response" == "["* ]] && [[ "$response" == *"]" ]] && [[ "$response" != "[]" ]]; then
     group_id=$(echo "$response" | jq -r --stream --arg name "$group_name" '
       [., inputs] |
@@ -255,19 +258,19 @@ assign_parent_group() {
   max_attempts=5
   attempt=1
   parent_id=""
-  while (( attempt <= max_attempts )); do
+  while ((attempt <= max_attempts)); do
     parent_id="$(get_group_id_by_name "$parent_group_name")"
     [ -n "$parent_id" ] && [ "$parent_id" != "null" ] && break
     log_warn "Parent $parent_group_name not found (attempt $attempt). Waiting..." >>"$TMP_DIR/create_group.log"
-    ((attempt++));
+    ((attempt++))
   done
   if [ -z "$parent_id" ] || [ "$parent_id" = "null" ]; then
     log_error "Parent $parent_group_name missing after $max_attempts attempts; cannot create $child_name" 2>&1 | tee -a "$TMP_DIR/create_group.log"
     return 1
   fi
 
   attempt=1
-  while (( attempt <= max_attempts )); do
+  while ((attempt <= max_attempts)); do
     token=$(get_token)
     response="$(curl -s -k --location --request POST "$(keycloak_url)/auth/admin/realms/backstage/groups/${parent_id}/children" \
       -H 'Content-Type: application/json' -H "Authorization: Bearer $token" \
@@ -277,7 +280,7 @@ assign_parent_group() {
       return 0
     fi
     log_warn "Unable to create child $child_name under $parent_group_name at attempt $attempt. [$response]" >>"$TMP_DIR/create_group.log"
-    ((attempt++));
+    ((attempt++))
   done
   log_error "Unable to create child $child_name under $parent_group_name in $max_attempts attempts" 2>&1 | tee -a "$TMP_DIR/create_group.log"
   return 1
@@ -304,7 +307,7 @@ create_group() {
           return
         fi
         log_warn "Unable to create $groupname at attempt $attempt. [$response]" >>"$TMP_DIR/create_group.log"
-        ((attempt++));
+        ((attempt++))
       done
       log_error "Unable to create the $groupname group in $max_attempts attempts, giving up!" 2>&1 | tee -a "$TMP_DIR/create_group.log"
       return 1
@@ -327,7 +330,7 @@ create_group() {
         return
       fi
       log_warn "Unable to create $groupname at attempt $attempt. [$response]" >>"$TMP_DIR/create_group.log"
-      ((attempt++));
+      ((attempt++))
     done
     log_error "Unable to create the $groupname group in $max_attempts attempts, giving up!" 2>&1 | tee -a "$TMP_DIR/create_group.log"
     return 1
@@ -405,7 +408,7 @@ create_groups() {
     [ "$N" -gt "$GROUP_COUNT" ] && N="$GROUP_COUNT"
     seq 1 "$N" | xargs -P1 -I{} bash -lc "create_group \"\$1\"" _ {}
     if [ "$GROUP_COUNT" -gt "$N" ]; then
-      seq $((N+1)) "$GROUP_COUNT" | xargs -P"${POPULATION_CONCURRENCY}" -I{} bash -lc "create_group \"\$1\"" _ {}
+      seq $((N + 1)) "$GROUP_COUNT" | xargs -P"${POPULATION_CONCURRENCY}" -I{} bash -lc "create_group \"\$1\"" _ {}
     fi
   else
     seq 1 "$GROUP_COUNT" | xargs -P"${POPULATION_CONCURRENCY}" -I{} bash -lc "create_group \"\$1\"" _ {}
@@ -466,7 +469,7 @@ create_user() {
   done
 
   if [[ $attempt -gt $max_attempts ]]; then
-    log_error "Unable to create the $username user in $max_attempts attempts, giving up!" 2>&1| tee -a "$TMP_DIR/create_user.log"
+    log_error "Unable to create the $username user in $max_attempts attempts, giving up!" 2>&1 | tee -a "$TMP_DIR/create_user.log"
   fi
 }
 
@@ -478,33 +481,6 @@ create_users() {
 }
 
 token_lockfile="$TMP_DIR/token.lockfile"
-log() {
-  echo "{\"level\":\"${2:-info}\",\"ts\":\"$(date -u -Ins)\",\"message\":\"$1\"}"
-}
-
-log_info() {
-  log "$1" "info"
-}
-
-log_warn() {
-  log "$1" "warn"
-}
-
-log_error() {
-  log "$1" "error"
-}
-
-log_token() {
-  log "$1" "$2" >>"$TMP_DIR/get_token.log"
-}
-
-log_token_info() {
-  log_token "$1" "info"
-}
-
-log_token_err() {
-  log_token "$1" "error"
-}
 
 keycloak_token() {
   curl -s -k "$(keycloak_url)/auth/realms/master/protocol/openid-connect/token" -d username=admin -d "password=$1" -d 'grant_type=password' -d 'client_id=admin-cli' | jq -r ".expires_in_timestamp = $(python3 -c 'from datetime import datetime, timedelta; t_add=int(30); print(int((datetime.now() + timedelta(seconds=t_add)).timestamp()))')"
@@ -534,7 +510,7 @@ rhdh_token() {
     --data-urlencode "redirect_uri=${REDIRECT_URL}" \
     --data-urlencode "scope=openid email profile" \
     --data-urlencode "response_type=code" \
-    "$(keycloak_url)/auth/realms/$REALM/protocol/openid-connect/auth" 2>&1| tee "$TMP_DIR/auth_url.log" | grep -oE 'action="[^"]+"' | grep -oE '"[^"]+"' | tr -d '"')
+    "$(keycloak_url)/auth/realms/$REALM/protocol/openid-connect/auth" 2>&1 | tee "$TMP_DIR/auth_url.log" | grep -oE 'action="[^"]+"' | grep -oE '"[^"]+"' | tr -d '"')
 
   execution=$(echo "$AUTH_URL" | grep -oE 'execution=[^&]+' | grep -oE '[^=]+$')
   tab_id=$(echo "$AUTH_URL" | grep -oE 'tab_id=[^&]+' | grep -oE '[^=]+$')
@@ -547,7 +523,7 @@ rhdh_token() {
     --data-urlencode "tab_id=${tab_id}" \
     --data-urlencode "execution=${execution}" \
     --write-out "%{redirect_url}" \
-    "$AUTHENTICATE_URL" 2>&1| tee "$TMP_DIR/code_url.log")
+    "$AUTHENTICATE_URL" 2>&1 | tee "$TMP_DIR/code_url.log")
 
   code=$(echo "$CODE_URL" | grep -oE 'code=[^&]+' | grep -oE '[^=]+$')
   session_state=$(echo "$CODE_URL" | grep -oE 'session_state=[^&]+' | grep -oE '[^=]+$')

ci-scripts/rhdh-setup/deploy.sh

@@ -5,6 +5,9 @@ SCRIPT_DIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)
 # shellcheck disable=SC1090,SC1091
 source "$(python3 -c 'import os, sys; print(os.path.realpath(sys.argv[1]))' "$SCRIPT_DIR"/../../test.env)"
 
+# shellcheck disable=SC1091
+source "${SCRIPT_DIR}/common.sh"
+
 # shellcheck disable=SC1091
 source "${SCRIPT_DIR}/create_resource.sh"
 
@@ -123,47 +126,6 @@ wait_for_crd() {
     done
 }
 
-wait_and_approve_install_plans() {
-    namespace=${1:-namespace}
-    initial_timeout=${2:-300}
-    description=${3:-"install plans in $namespace"}
-    timeout_timestamp=$(python3 -c "from datetime import datetime, timedelta; t_add=int('$initial_timeout'); print(int((datetime.now() + timedelta(seconds=t_add)).timestamp()))")
-    interval=10
-
-    log_info "Waiting for unapproved install plans in $namespace namespace..."
-
-    # Wait for install plans to appear with timeout
-    install_plans=""
-    for ((i = 0; i < initial_timeout; i += interval)); do
-        install_plans=$($cli get installplan -n "$namespace" --sort-by=.metadata.creationTimestamp -o jsonpath='{.items[?(@.spec.approved==false)].metadata.name}' 2>/dev/null)
-
-        if [ -n "$install_plans" ]; then
-            break
-        fi
-
-        if [ "$(date "+%s")" -gt "$timeout_timestamp" ]; then
-            log_error "Timeout waiting for $description"
-            exit 1
-        fi
-
-        log_info "Waiting ${interval}s for $description..."
-        sleep "$interval"
-    done
-
-    # Approve each install plan found
-    if [ -n "$install_plans" ]; then
-        log_info "Found unapproved install plans in $namespace namespace, approving all..."
-        for install_plan in $install_plans; do
-            log_info "Approving install plan '$install_plan'..."
-            $cli patch installplan "$install_plan" -n "$namespace" --type merge --patch '{"spec":{"approved":true}}'
-        done
-        return $?
-    else
-        log_error "No unapproved install plans found in $namespace namespace within timeout"
-        exit 1
-    fi
-}
-
 is_orchestrator_infra_installed() {
     helm list -n "${RHDH_NAMESPACE}" -q | grep -q "^${RHDH_HELM_RELEASE_NAME}-orchestrator-infra$"
     return $?
@@ -343,14 +305,14 @@ backstage_install() {
     if ${ENABLE_RBAC}; then
         cp template/backstage/rbac-config.yaml "${TMP_DIR}/rbac-config.yaml"
         if [[ $RBAC_POLICY == "$RBAC_POLICY_REALISTIC" ]]; then
-            cat template/backstage/realistic-rbac-config.yaml >> "${TMP_DIR}/rbac-config.yaml"
+            cat template/backstage/realistic-rbac-config.yaml >>"${TMP_DIR}/rbac-config.yaml"
         fi
         create_rbac_policy "$RBAC_POLICY"
         cat "$TMP_DIR/group-rbac.yaml" >>"$TMP_DIR/rbac-config.yaml"
         if [[ "$INSTALL_METHOD" == "helm" ]] && ${ENABLE_ORCHESTRATOR}; then
             cat template/backstage/helm/orchestrator-rbac-patch.yaml >>"$TMP_DIR/rbac-config.yaml"
             if [[ $RBAC_POLICY == "$RBAC_POLICY_REALISTIC" ]]; then
-                cat template/backstage/helm/realistic-orchestrator-rbac-patch.yaml>>"${TMP_DIR}/rbac-config.yaml"
+                cat template/backstage/helm/realistic-orchestrator-rbac-patch.yaml >>"${TMP_DIR}/rbac-config.yaml"
             fi
         fi
         until $clin create -f "$TMP_DIR/rbac-config.yaml"; do $clin delete configmap rbac-policy --ignore-not-found=true; done

ci-scripts/rhdh-setup/install-rhdh-catalog-source.sh

@@ -21,6 +21,9 @@ SCRIPT_DIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)
 # shellcheck disable=SC1090,SC1091
 source "$(python3 -c 'import os, sys; print(os.path.realpath(sys.argv[1]))' "$SCRIPT_DIR"/../../test.env)"
 
+# shellcheck disable=SC1091
+source "${SCRIPT_DIR}/common.sh"
+
 set -e
 
 RED='\033[0;31m'
@@ -279,5 +282,13 @@ if [ -n "${RHDH_OLM_OPERATOR_RESOURCES_CPU_LIMITS}" ]; then yq -i '.spec.config.
 if [ -n "${RHDH_OLM_OPERATOR_RESOURCES_MEMORY_REQUESTS}" ]; then yq -i '.spec.config.resources.requests.memory = "'"${RHDH_OLM_OPERATOR_RESOURCES_MEMORY_REQUESTS}"'"' "$subscription"; fi
 if [ -n "${RHDH_OLM_OPERATOR_RESOURCES_MEMORY_LIMITS}" ]; then yq -i '.spec.config.resources.limits.memory = "'"${RHDH_OLM_OPERATOR_RESOURCES_MEMORY_LIMITS}"'"' "$subscription"; fi
 if [ -n "${RHDH_OLM_OPERATOR_RESOURCES_EPHEMERAL_STORAGE_REQUESTS}" ]; then yq -i '.spec.config.resources.requests.ephemeral-storage = "'"${RHDH_OLM_OPERATOR_RESOURCES_EPHEMERAL_STORAGE_REQUESTS}"'"' "$subscription"; fi
+if [ -n "${RHDH_OLM_OPERATOR_VERSION:-}" ]; then
+  yq -i '.spec.startingCSV = "rhdh-operator.v'"${RHDH_OLM_OPERATOR_VERSION}"'"' "$subscription"
+  yq -i '.spec.installPlanApproval = "Manual"' "$subscription"
+fi
 
 oc apply -f "$subscription"
+
+if [ -n "${RHDH_OLM_OPERATOR_VERSION:-}" ]; then
+  wait_and_approve_install_plans "$NAMESPACE_SUBSCRIPTION" 300 "rhdh-operator.v${RHDH_OLM_OPERATOR_VERSION}" "install plan for $TO_INSTALL"
+fi