multi-architecture builds and publish

[jon-nfc]

SUMMARY

Add changes related to multi-architecture builds and publishing.

The desired endstate is that there is officially built and supported multi-architecture container images that can be built from a single command make docker-buildx and that on quay.io/ansible/awx-operator those same muli-architecture images are available for consumption.

ISSUE TYPE

• New or Enhanced Feature

ADDITIONAL INFORMATION

• Current release runbook can be found in docs/contributors-guide/release-process.md

This PR does not have the intention of changing the release workflow. The intent is that as part of the established workflow, that multi-architecture containers are built and published for use by the community.

Adjustment was made to ensure that there is ever only one image built for a given git commit and is used for the entire workflow. This prevents the scenario where it's as if a witch has casted a spell upon you, when at the end of the day there were two or more images that exist for the same commit and you were the poor sole who can't figure out what is wrong because the image you have is "Good to go!!" Bottom line no one wants to debug black magic (be in a scenario where two images exist for the same code but are different enough to make you pull your hair out). As each commit is stored on GHCR, it becomes the single source of truth for any containers built, especially for debugging purposes.

Changes to Github Actions

• devel push to devel branch builds multi-arch containers and tags it with the git commit and stores it on GHCR in addition to the existing step of pushing said manifest to quay.io with the devel tag

• stage when triggered no longer builds it's own image. pulls the image from GHCR built in devel action and follows the existing flow of tagging with the specified version and pushing back to GHCR

• promote Github Release No change, however now uses the multi-arch manifest.

Other Changes

reference: ansible/eda-server-operator#158

• makefile now has a target docker-buildx this target provides the basis for all multi-arch container builds. As buildx creates a manifest with all container architectures included, as part of the same command will automagic push the image to the tagged registry. This command can also be used in development

  • from a terminal make docker-buildx
  • To customize the image name and registry IMG=registry/name/name2:tag make docker-buildx.
  • To specifiy different architectures to build PLATFORMS=linux/arm64,linux/amd64 make docker-buildx
  • multiple variables can be addded to the command should it be desired.

Fixes issues

• Add ARM Support to the Operator #31
• Add multi-arch build target #1680

[jon-nfc]

awx-operator/.github/workflows/publish-operator-hub.yaml

Lines 78 to 86 in 07427be

	- name: Build and publish bundle to operator-hub
	working-directory: awx-operator-${{ env.VERSION }}
	env:
	IMG_REPOSITORY: ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_REGISTRY_ORGANIZATION }}
	GITHUB_TOKEN: ${{ secrets.AWX_AUTO_GITHUB_TOKEN }}
	run: |
	git config --global user.email "[email protected]"
	git config --global user.name "AWX Automation"
	./hack/publish-to-operator-hub.sh

which leads to

awx-operator/hack/publish-to-operator-hub.sh

Lines 43 to 45 in 07427be

	# Build bundle and catalog images
	make bundle-build bundle-push BUNDLE_IMG=$BUNDLE_IMG IMG=$OPERATOR_IMG
	make catalog-build catalog-push CATALOG_IMG=$CATALOG_IMG BUNDLE_IMGS=$BUNDLE_IMG BUNDLE_IMG=$BUNDLE_IMG IMG=$OPERATOR_IMG

As part of the publish there is another build and push of the image. Can this be safely removed? AS the complete manifest is already pushed to quay.io in the promote action

awx-operator/Makefile

Lines 235 to 237 in 07427be

	.PHONY: catalog-build
	catalog-build: opm ## Build a catalog image.
	$(OPM) index add --container-tool ${CONTAINER_CMD} --mode semver --tag $(CATALOG_IMG) --bundles $(BUNDLE_IMGS) $(FROM_INDEX_OPT)

Also I noticed that step make catalog-build uses something called opm, what is it and in it's current usage, can it handle docker manifests?

[jon-nfc]

Don't know who to ping, PR ready for review.

also require someone in the know to answer my above question

[rooftopcellist]

@jon-nfc

As part of the publish there is another build and push of the image. Can this be safely removed? AS the complete manifest is already pushed to quay.io in the promote action

The publish-to-operator-hub.sh script is for adding the awx-operator version to https://operatorhub.io/operator/awx-operator so it can be installed with OLM. The bundle image is needed for OLM installs, it contains content from the manifests and crd directories (critically, the CSV).

• bundle image build - This image is separate from the operator image. It is necessary for OLM installs, but shouldn't be any trouble for multi-arch.

Bundle images are not architecture-specific. They contain only plaintext Kubernetes manifests and operator metadata. (Reference)[https://sdk.operatorframework.io/docs/advanced-topics/multi-arch/#operator-lifecycle-manager]

• catalog image build - not strictly necessary, but it is a nice-to-have because it allows for easier testing of OLM-specific parameter changes. Also handy for demos of new features because there can sometimes be a 1-2 day lag for the operator getting published to OperatorHub.io after a release.

---

The opm tool is a cli tool for inspecting and managing catalog images. More information can be found here.

A catalog image is a 3rd image that contains pointers to operator bundle versions it knows about, which populates the list of available operators that can be installed on Openshift or an OLM enabled k8s cluster. The newer catalog images are just plaintext on the inside as far as I know (file-based-catalogs) as far as I know.

This is not strictly needed for users as the folks from https://github.com/k8s-operatorhub/community-operators maintain a catalog image that gets installed as part of OLM when you install an operator from OperatorHub.io. So I don't think we need to worry about multi-arch for these images.

[rooftopcellist]

@jon-nfc it looks like there are a few linting issues that need to be cleaned up.

./.github/workflows/promote.yaml
  Warning: 32:76 [comments] too few spaces before comment
  Warning: 40:76 [comments] too few spaces before comment
  Error: 49:171 [line-length] line too long (176 > 170 characters)
  Error: 54:171 [line-length] line too long (171 > 170 characters)

./.github/workflows/stage.yml
  Warning: 58:76 [comments] too few spaces before comment
  Error: 67:171 [line-length] line too long (216 > 170 characters)

./.github/workflows/devel.yaml
  Warning: 17:76 [comments] too few spaces before comment
  Warning: 25:76 [comments] too few spaces before comment
  Error: [39](https://github.com/ansible/awx-operator/actions/runs/7447379325/job/20266238173?pr=1681#step:6:43):171 [line-length] line too long (176 > 170 characters)
  Error: [40](https://github.com/ansible/awx-operator/actions/runs/7447379325/job/20266238173?pr=1681#step:6:44):1 [empty-lines] too many blank lines (1 > 0)

[jon-nfc]

This is not strictly needed for users as the folks from https://github.com/k8s-operatorhub/community-operators maintain a catalog image that gets installed as part of OLM when you install an operator from OperatorHub.io. So I don't think we need to worry about multi-arch for these images.

I though as much.

[rooftopcellist]

@jon-nfc I think this is a good approach. I didn't spot any issues while reading this through except for one more linting error CI is complaining about. I would like to run through a mock release on my fork first though before merging. I'll plan on doing that tomorrow.

./.github/workflows/devel.yaml
  Error: 42:1 [empty-lines] too many blank lines (1 > 0)

cc @TheRealHaoLiu for review as well.

[jon-nfc]

@jon-nfc I think this is a good approach. I didn't spot any issues while reading this through except for one more linting error CI is complaining about. I would like to run through a mock release on my fork first though before merging. I'll plan on doing that tomorrow.

./.github/workflows/devel.yaml
  Error: 42:1 [empty-lines] too many blank lines (1 > 0)

cc @TheRealHaoLiu for review as well.

Righto, I'll have everything good to go in the next few hours.

tomorrow

depends on where you are, where i am it could still be yesterday for you.

[rooftopcellist]

Suggested change

	IMG=ghcr.io/${{ github.repository_owner }}/${{ github.repository }}:${{ github.event.inputs.version }} \
	IMG=ghcr.io/${{ github.repository }}:${{ github.event.inputs.version }} \

We need to remove ${{ github.repository_owner }} here because it is already there from when it is set during the checkout:

• https://github.com/ansible/awx-operator/pull/1681/files#diff-ca6f66a88a8c14e7412271d092d23b124f23052eb38134788e5a992f0522f574R49

[jon-nfc]

awx-operator/.github/workflows/stage.yml

Lines 46 to 50 in 4d79365

	- name: Checkout awx-operator
	uses: actions/checkout@v3
	with:
	repository: ${{ github.repository_owner }}/awx-operator
	path: awx-operator

I did not know this, however note taken.

question, re variable preceedence

awx-operator/.github/workflows/stage.yml

Lines 40 to 50 in 4d79365

	- name: Checkout awx
	uses: actions/checkout@v3
	with:
	repository: ${{ github.repository_owner }}/awx
	path: awx
	- name: Checkout awx-operator
	uses: actions/checkout@v3
	with:
	repository: ${{ github.repository_owner }}/awx-operator
	path: awx-operator

there are two checkouts, which variable takes precedence? first set, last set?

[jon-nfc]

Don't know if there is an issue with the linter but it inconsistent.

• 466b0cf too many blank lines 0>1 when there were two blank lines https://github.com/ansible/awx-operator/actions/runs/7457722546
• 4d79365 no blank line at end of file no new line character at the end of file https://github.com/ansible/awx-operator/actions/runs/7470471612

[jon-nfc]

branch updated with rebase.

PR ready for review

[TheRealHaoLiu]

based on https://docs.github.com/en/enterprise-cloud@latest/actions/learn-github-actions/variables#default-environment-variables

GITHUB_REPOSITORY | The owner and repository name. For example, octocat/Hello-World.

i think we need to take in a variable for "which quay repo to push this to"

[jon-nfc]

@TheRealHaoLiu

i have an outstanding question above re this from the review that @rooftopcellist did. That's why the discussions are not resolved as the next reviewer can see and resolve as completed and as appropriate.

#1681 (comment). this question still remains!!!!

[rooftopcellist]

@jon-nfc ,

@TheRealHaoLiu and I tested out this workflow on our fork today and got it working with the changes in this PR.

Mainly, we modified how it runs so that we could test it on a fork and push the images to our personal quay registry so as not to affect the official awx-operator images while testing.

There were also a few variable refs that needed to be changed for the workflow to work. Notably:

• ghcr.io/${{ github.repository_owner }}/${{ github.repository }} evaluates to ghcr.io/ansible/ansible/awx-operator, which failed.

I also changed how it creates the draft release so that it uses the github action for it rather than custom logic to git the GitHub API.

I opened a PR to your branch here:

• Modify Release GHA to run on fork jon-nfc/awx-operator#1

Note that a variable needs to be created in the GitHub repo if you want to override the default when triggering the promote pipeline by publishing the draft release:

Here is the successful test release on my fork:

• https://github.com/rooftopcellist/awx-operator/actions/runs/7546887214
• https://github.com/rooftopcellist/awx-operator/actions/runs/7547409029