Create and Delete a unique gallery name if required

1. If IMAGE_GALLERY_NAME in azure-podvm-image-cm is empty, then a
   gallery name will be created with the pattern
   "PodVMGallery_$clusterid. Note that only the first 8 chars of the
   clusterid is used.
2. ClusterID is added as a tag to the OSC created gallery (eg.
   clusterID=12345678)
3. PodVM image deletion function has been extended to also support
   deletion of gallery via a CLI option. This is used by OSC to ensure
   deletion of the OSC created gallery during podvm image deletion. This
   ensures if gallery is created as part of kataconfig creation, then
   the same gallery is deleted as well during kataconfig deletion
4. LATEST_IMAGE_ID and IMAGE_GALLERY_NAME annotations to peer-pods-cm
   configMap is added and removed by the code
5. Add a readme (podvm-handling.md) with details on the workflow and job
   manifests
Fixes: #KATA-2958

Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>

config/peerpods/podvm/azure-podvm-image-cm.yaml

@@ -8,7 +8,17 @@ data:
   PODVM_DISTRO: rhel
 
   # Gallery
-  IMAGE_GALLERY_NAME: "PodVMGallery"
+  # Set the gallery name explicitly, otherwise it'll be set by the operator to
+  # PodVMGallery_${cluster-id}. If a gallery name is provided, the job will
+  # use the specific gallery name.
+  # Note that the gallery name must be unique across the subscription and not exceed 80 characters.
+  # Also, the allowed characters are English alphanumeric characters,
+  # with underscores and periods allowed in the middle
+  IMAGE_GALLERY_NAME: ""
+  IMAGE_GALLERY_NAME_PREFIX: "PodVMGallery"
+  # Set any gallery tags "k1=v1 k2=v2" required
+  # Note that tag key and values must not use spaces
+  IMAGE_GALLERY_TAGS: ""
 
   # Image definition
   IMAGE_DEFINITION_NAME: "podvm-image"

config/peerpods/podvm/azure-podvm-image-handler.sh

@@ -47,7 +47,10 @@ function verify_vars() {
     # Ensure that the image defintion variables are set
     [[ -z "${IMAGE_DEFINITION_PUBLISHER}" ]] && error_exit "IMAGE_DEFINITION_PUBLISHER is empty"
     [[ -z "${IMAGE_DEFINITION_OFFER}" ]] && error_exit "IMAGE_DEFINITION_OFFER is empty"
+
+    [[ -z "${IMAGE_GALLERY_NAME_PREFIX}" ]] && error_exit "IMAGE_GALLERY_NAME_PREFIX is empty"
     [[ -z "${IMAGE_GALLERY_NAME}" ]] && error_exit "IMAGE_GALLERY_NAME is empty"
+
     [[ -z "${IMAGE_DEFINITION_SKU}" ]] && error_exit "IMAGE_DEFINITION_SKU is empty"
     [[ -z "${IMAGE_DEFINITION_OS_TYPE}" ]] && error_exit "IMAGE_DEFINITION_OS_TYPE is empty"
     [[ -z "${IMAGE_DEFINITION_OS_STATE}" ]] && error_exit "IMAGE_DEFINITION_OS_STATE is empty"
@@ -135,6 +138,7 @@ function login_to_azure() {
 
 # Function to create Azure image gallery
 # The gallery name is available in the variable IMAGE_GALLERY_NAME
+# Any tags to apply is available in the variale IMAGE_GALLERY_TAGS
 
 function create_image_gallery() {
     echo "Creating Azure image gallery"
@@ -155,10 +159,15 @@ function create_image_gallery() {
     # If any error occurs, exit the script with an error message
 
     # Create the image gallery
+    echo "Creating image gallery ${IMAGE_GALLERY_NAME} with tags: ${IMAGE_GALLERY_TAGS}"
+
     az sig create --resource-group "${AZURE_RESOURCE_GROUP}" \
-        --gallery-name "${IMAGE_GALLERY_NAME}" ||
+        --gallery-name "${IMAGE_GALLERY_NAME}" --tags "${IMAGE_GALLERY_TAGS}" ||
         error_exit "Failed to create Azure image gallery"
 
+    # Update peer-pods-cm configmap with the gallery name
+    add_image_gallery_annotation_to_peer_pods_cm
+
     echo "Azure image gallery created successfully"
 
 }
@@ -361,15 +370,6 @@ function create_or_update_image_configmap() {
         IMAGE_ID_LIST="${IMAGE_ID}"
     fi
 
-    # Create or update the value of the azure key in podvm-images configmap with all the images
-    # If any error occurs, exit the script with an error message
-    kubectl create configmap podvm-images \
-        -n openshift-sandboxed-containers-operator \
-        --from-literal=azure="${IMAGE_ID_LIST}" \
-        --dry-run=client -o yaml |
-        kubectl apply -f - ||
-        error_exit "Failed to create or update podvm-images configmap"
-
     echo "podvm-images configmap created or updated successfully"
 }
 
@@ -397,7 +397,7 @@ function recreate_image_configmap() {
 # Function to add the image id as annotation in the peer-pods-cm configmap
 
 function add_image_id_annotation_to_peer_pods_cm() {
-    echo "Adding image id to peer-pods-cm configmap"
+    echo "Adding image id annotation to peer-pods-cm configmap"
 
     # Check if the peer-pods-cm configmap exists
     if ! kubectl get configmap peer-pods-cm -n openshift-sandboxed-containers-operator >/dev/null 2>&1; then
@@ -410,7 +410,64 @@ function add_image_id_annotation_to_peer_pods_cm() {
         "LATEST_IMAGE_ID=${IMAGE_ID}" ||
         error_exit "Failed to add the image id as annotation to peer-pods-cm configmap"
 
-    echo "Image id added as annotation to peer-pods-cm configmap successfully"
+    echo "Image id annotation added as annotation to peer-pods-cm configmap successfully"
+}
+
+# Function to delete the LATEST_IMAGE_ID annotation from the peer-pods-cm configmap
+
+function delete_image_id_annotation_from_peer_pods_cm() {
+    echo "Deleting image id annotation from peer-pods-cm configmap"
+
+    # Check if the peer-pods-cm configmap exists
+    if ! kubectl get configmap peer-pods-cm -n openshift-sandboxed-containers-operator >/dev/null 2>&1; then
+        echo "peer-pods-cm configmap does not exist. Skipping deleting the image id"
+        return
+    fi
+
+    # Delete the image id annotation from peer-pods-cm configmap
+    kubectl annotate configmap peer-pods-cm -n openshift-sandboxed-containers-operator \
+        "LATEST_IMAGE_ID-" ||
+        error_exit "Failed to delete the image id annotation from peer-pods-cm configmap"
+
+    echo "Image id annotation deleted from peer-pods-cm configmap successfully"
+}
+
+# Function to add image gallery annotation to peer-pods-cm configmap
+
+function add_image_gallery_annotation_to_peer_pods_cm() {
+    echo "Adding IMAGE_GALLERY_NAME annotation to peer-pods-cm configmap"
+
+    # Check if the peer-pods-cm configmap exists
+    if ! kubectl get configmap peer-pods-cm -n openshift-sandboxed-containers-operator >/dev/null 2>&1; then
+        echo "peer-pods-cm configmap does not exist. Skipping adding the IMAGE_GALLERY_NAME annotation"
+        return
+    fi
+
+    # Add IMAGE_GALLERY_NAME annotation to peer-pods-cm configmap
+    kubectl annotate configmap peer-pods-cm -n openshift-sandboxed-containers-operator \
+        "IMAGE_GALLERY_NAME=${IMAGE_GALLERY_NAME}" ||
+        error_exit "Failed to add the IMAGE_GALLERY_NAME annotation to peer-pods-cm configmap"
+
+    echo "IMAGE_GALLERY_NAME annotation added to peer-pods-cm configmap successfully"
+}
+
+# Function to delete the image gallery annotation from peer-pods-cm configmap
+
+function delete_image_gallery_annotation_from_peer_pods_cm() {
+    echo "Deleting IMAGE_GALLERY_NAME annotation from peer-pods-cm configmap"
+
+    # Check if the peer-pods-cm configmap exists
+    if ! kubectl get configmap peer-pods-cm -n openshift-sandboxed-containers-operator >/dev/null 2>&1; then
+        echo "peer-pods-cm configmap does not exist. Skipping deleting the IMAGE_GALLERY_NAME annotation"
+        return
+    fi
+
+    # Delete the IMAGE_GALLERY_NAME annotation from peer-pods-cm configmap
+    kubectl annotate configmap peer-pods-cm -n openshift-sandboxed-containers-operator \
+        "IMAGE_GALLERY_NAME-" ||
+        error_exit "Failed to delete the IMAGE_GALLERY_NAME annotation from peer-pods-cm configmap"
+
+    echo "IMAGE_GALLERY_NAME annotation deleted from peer-pods-cm configmap successfully"
 }
 
 # Function to create the image in Azure
@@ -534,6 +591,7 @@ function delete_image_definition() {
 
 # Function to delete the image gallery from Azure
 # Accept force argument to delete the gallery even if image versions exist
+# IMAGE_GALLERY_NAME and IMAGE_GALLERY_TAGS are assumed to be populated
 
 function delete_image_gallery() {
     echo "Deleting Azure image gallery"
@@ -552,9 +610,32 @@ function delete_image_gallery() {
         return
     fi
 
+    # If IMAGE_GALLERY_TAGS is set, then query the gallery with the tags. If false, then skip deleting the gallery
+
+    # If the gallery_tag is not present, then skip deleting the gallery
+
+    if [[ "${IMAGE_GALLERY_TAGS}" ]]; then
+        # The IMAGE_GALLERY_TAGS is of the form k1=v1 k2=v2 .. This needs to be converted to
+        # JMESPath query format for az sig show
+        # tags.k1=='v1' &&  tags.k2=='v2' ..
+        query_tags=$(convert_tags_to_jmespath_query_fmt "${IMAGE_GALLERY_TAGS}")
+
+        # Check if the tags exist in the gallery
+        echo "Checking if the gallery ${IMAGE_GALLERY_NAME} has the tags ${IMAGE_GALLERY_TAGS}"
+        gallery_tag_query_result=$(az sig show --resource-group "${AZURE_RESOURCE_GROUP}" \
+            --gallery-name "${IMAGE_GALLERY_NAME}" --query "${query_tags}" --output tsv)
+
+        # If gallery_tag_query_result is false then skip deleting the gallery
+        if [[ "${gallery_tag_query_result}" != "true" ]]; then
+            echo "Gallery ${IMAGE_GALLERY_NAME} does not contain the tag ${IMAGE_GALLERY_TAGS}. Skipping deleting the gallery"
+            return
+        fi
+    fi
+
     # Check if the gallery has any image versions
     get_all_image_ids
 
+    # This will set the IMAGE_ID_LIST variable
     # If the gallery has image versions, then skip deleting the gallery if "force" option is not passed
     if [[ "${IMAGE_ID_LIST}" ]] && [[ "${1}" != "force" ]]; then
         echo "Gallery ${IMAGE_GALLERY_NAME} has image versions. Skipping deleting the gallery"
@@ -574,6 +655,9 @@ function delete_image_gallery() {
         --gallery-name "${IMAGE_GALLERY_NAME}" ||
         error_exit "Failed to delete the image gallery"
 
+    # Remove the image gallery annotation from peer-pods-cm configmap
+    delete_image_gallery_annotation_from_peer_pods_cm
+
     echo "Azure image gallery deleted successfully"
 }
 
@@ -608,9 +692,49 @@ function delete_image_using_id() {
     az image delete --ids "${IMAGE_ID}" ||
         error_exit "Failed to delete the image"
 
+    # Remove the image id annotation from peer-pods-cm configmap
+    delete_image_id_annotation_from_peer_pods_cm
+
     echo "Azure image deleted successfully"
 }
 
+# Function to convert tags in "k1=v1 k2=v2" format to JMESPath query format
+
+function convert_tags_to_jmespath_query_fmt() {
+    local input_tags=$1
+    local jmespath_query=""
+
+    # Split the input string by spaces
+    local -a keys_values=()
+    while IFS=" " read -r -a kv; do
+        keys_values+=("${kv[@]}")
+    done <<<"$input_tags"
+
+    for kv in "${keys_values[@]}"; do
+        # Split each key-value pair by the equals sign
+
+        local key value
+        IFS="=" read -r key value <<<"$kv"
+
+        # Append the JMESPath query for this key-value pair
+        # The az CLI json needs tags.k1=='v1' && tags.k2=='v2' ..
+        # sample json
+        #{
+        #"name": "test_12345",
+        #"tags": {
+        #  "created_by": "osc-job"
+        #},
+        #"type": "Microsoft.Compute/galleries"
+        #}
+        jmespath_query="${jmespath_query}tags.${key}=='${value}' && "
+    done
+
+    # Remove the trailing " && " from the query
+    jmespath_query="${jmespath_query% && }"
+
+    echo "$jmespath_query"
+}
+
 # display help message
 
 function display_help() {

config/peerpods/podvm/osc-podvm-delete-job.yaml

@@ -39,6 +39,6 @@ spec:
             - configMapRef:
                 name: aws-podvm-image-cm
                 optional: true
-          command: ["/podvm-builder.sh", "delete", "-f"]
+          command: ["/podvm-builder.sh", "delete", "-f", "-g"]
 
       restartPolicy: Never

config/peerpods/podvm/podvm-builder.sh

@@ -26,8 +26,7 @@ function check_peer_pods_cm_exists() {
   fi
 }
 
-# function to create podvm image
-
+# Function to create podvm image
 function create_podvm_image() {
   case "${CLOUD_PROVIDER}" in
   azure)
@@ -87,9 +86,28 @@ function create_podvm_image() {
 # Function to delete podvm image
 # IMAGE_ID or AMI_ID is the input and expected to be set
 # These are checked in individual cloud provider scripts and if not set, the script will exit
+# Accepts two optional arguments
+# -f : force delete the image
+# -g : delete the image gallery
 
 function delete_podvm_image() {
 
+  local max_args=3
+  if (("${#@}" > max_args)); then
+    error_exit "Too many arguments passed to delete_podvm_image (max ${max_args} allowed)"
+  fi
+
+  local args=("$@")
+  local force=false
+  local delete_gallery=false
+
+  for ((i = 0; i < ${#args[@]}; i++)); do
+    case "${args[$i]}" in
+    -f) force=true ;;
+    -g) delete_gallery=true ;;
+    esac
+  done
+
   # Check for the existence of peer-pods-cm configmap. If not present, then exit
   if ! check_peer_pods_cm_exists; then
     echo "peer-pods-cm configmap does not exist. Skipping image deletion"
@@ -115,20 +133,26 @@ function delete_podvm_image() {
     # check if the AZURE_IMAGE_ID value in peer-pods-cm is same as the input IMAGE_ID
     # If yes, then don't delete the image unless force option is provided
     if [ "${AZURE_IMAGE_ID}" == "${IMAGE_ID}" ]; then
-      if [ "$1" != "-f" ]; then
+      if ! ${force}; then
         echo "AZURE_IMAGE_ID in peer-pods-cm is same as the input image to be deleted. Skipping the deletion of Azure image"
         exit 0
       fi
     fi
 
-    echo "Deleting Azure image"
+    echo "Deleting Azure image $IMAGE_ID"
     /scripts/azure-podvm-image-handler.sh -C
 
     # Update the peer-pods-cm configmap and remove the AZURE_IMAGE_ID value
     if [ "${UPDATE_PEERPODS_CM}" == "yes" ]; then
       kubectl patch configmap peer-pods-cm -n openshift-sandboxed-containers-operator --type merge -p "{\"data\":{\"AZURE_IMAGE_ID\":\"\"}}"
     fi
 
+    # If delete_gallery is set, then delete the image gallery
+    if ${delete_gallery}; then
+      echo "Deleting Azure image gallery (by force) since -g option is set"
+      delete_podvm_image_gallery -f
+    fi
+
     ;;
   aws)
     # If AMI_ID is not set, then exit
@@ -171,6 +195,8 @@ function delete_podvm_image() {
 }
 
 # Delete the podvm image gallery in Azure
+# It accepts an optional argument
+# -f : force delete the image gallery
 
 function delete_podvm_image_gallery() {
   echo "Deleting Azure image gallery"
@@ -180,12 +206,27 @@ function delete_podvm_image_gallery() {
     return
   fi
 
-  # Check if force option is passed
+  # Check if peer-pods-cm configmap exists
+  if ! check_peer_pods_cm_exists; then
+    echo "peer-pods-cm configmap does not exist. Skipping image gallery deletion"
+    exit 0
+  fi
+
+  # Get the IMAGE_GALLERY_NAME from the IMAGE_GALLERY_NAME annotation key in peer-pods-cm configmap
+  IMAGE_GALLERY_NAME=$(kubectl get configmap peer-pods-cm -n openshift-sandboxed-containers-operator -o jsonpath='{.metadata.annotations.IMAGE_GALLERY_NAME}')
+
+  # If IMAGE_GALLERY_NAME is not set, then exit
+  if [ -z "${IMAGE_GALLERY_NAME}" ]; then
+    echo "IMAGE_GALLERY_NAME is not set in peer-pods-cm. Skipping image gallery deletion"
+    exit 0
+  fi
+
   if [ "$1" == "-f" ]; then
     /scripts/azure-podvm-image-handler.sh -G force
   else
     /scripts/azure-podvm-image-handler.sh -G
   fi
+
 }
 
 function display_usage() {
@@ -214,7 +255,9 @@ create)
   create_podvm_image
   ;;
 delete)
-  delete_podvm_image "$2"
+  # Pass the arguments to delete_podvm_image function except the first argument
+  shift
+  delete_podvm_image "$@"
   ;;
 delete-gallery)
   delete_podvm_image_gallery "$2"