Bodhi: try and do critical path data generation in openshift

The previous attempt to have staging Bodhi use grouped JSON
critical path data didn't work because we did it in the backend
(i.e. the composer), not the openshift pods where the web UI
and the consumers run.

We need at least the web UI and consumer pods to have the
critpath data, as both those pods may create updates (Bodhi
decides if the update is critical path at creation time). This
attempts to handle that by having a daily openshift cron job
that runs a simple container with the necessary packages in it,
checks out the script, and runs it. It's run on a persistent
storage volume which is also mounted by all the Bodhi pods in
the place where Bodhi will look for the data.

The cron job frequency is temporarily set to once an hour; this
is so it will run soon after initial deployment. Once it has
run once we can cut it back to once a day.

Signed-off-by: Adam Williamson <awilliam@redhat.com>

playbooks/openshift-apps/bodhi.yml

@@ -67,6 +67,10 @@
     tags:
       - apply-appowners
     when: env == "staging"
+  - role: openshift/object
+    app: bodhi
+    file: pvc.yml
+    objectname: pvc.yml
   - role: openshift/keytab
     app: bodhi
     key: koji-keytab
@@ -132,6 +136,13 @@
     app: bodhi
     template: deploymentconfig.yml
     objectname: deploymentconfig.yml
+  - role: openshift/object
+    app: bodhi
+    template: critpathcron.yml
+    objectname: critpathcron.yml
+  - role: openshift/imagestream
+    app: bodhi
+    imagename: bodhi-critpathcron
   - role: openshift/rollout
     app: bodhi
     dcname: bodhi-web
@@ -165,3 +176,8 @@
     command: "oc -n bodhi annotate route bodhi-web --overwrite haproxy.router.openshift.io/timeout=180s"
     tags:
     - route-timeout
+  - name: trigger critpath cronjob
+    command: "oc -n bodhi create job critpathcron-manual-{{ lookup('pipe','date +%s') }} --from=cronjob/fedora-bodhi-critpathcron"
+    tags:
+    - never
+    - critpathcron

roles/openshift-apps/bodhi/files/pvc.yml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: bodhi-critpath-storage
+spec:
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 5Mi
+  storageClassName: ocs-storagecluster-cephfs

roles/openshift-apps/bodhi/templates/buildconfig.yml

@@ -25,5 +25,29 @@ items:
       to:
         kind: ImageStreamTag
         name: bodhi-base:latest
+- apiVersion: v1
+  kind: BuildConfig
+  metadata:
+    labels:
+      build: bodhi-critpathcron
+    name: bodhi-critpathcron
+  spec:
+    runPolicy: Serial
+    source:
+      dockerfile: |-
+        {{ load_file('dockerfile-critpathcron') | indent(8) }}
+      type: Dockerfile
+    strategy:
+      type: Docker
+      dockerStrategy:
+{% if env == "staging" %}
+        noCache: True
+{% else %}
+        noCache: False
+{% endif %}
+    output:
+      to:
+        kind: ImageStreamTag
+        name: bodhi-critpathcron:latest
 kind: List
 metadata: {}

roles/openshift-apps/bodhi/templates/critpathcron.yml

@@ -0,0 +1,42 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: fedora-bodhi-critpathcron
+spec:
+  concurrencyPolicy: Forbid
+  schedule: "10 3 * * *"
+  successfulJobsHistoryLimit: 1
+  failedJobsHistoryLimit: 1
+  activeDeadlineSeconds: 900
+  startingDeadlineSeconds: 300
+  jobTemplate:
+    spec:
+      backoffLimit: 0
+      template:
+        metadata:
+          labels:
+            parent: "cronjobbuild"
+        spec:
+          containers:
+          - name: critpath
+            image: image-registry.openshift-image-registry.svc:5000/bodhi/bodhi-critpathcron:latest
+            command: ["/bin/bash", "-c"]
+            args:
+            - |
+              cd /tmp
+              git clone --depth 1 --single-branch https://pagure.io/releng.git
+              cd /bodhi-critpath
+              /tmp/releng/scripts/critpath.py all
+            env:
+            - name: BUILD_ENV
+              value: "{{ env_short }}"
+            volumeMounts:
+            - name: bodhi-critpath
+              mountPath: /bodhi-critpath
+              readOnly: false
+          restartPolicy: Never
+          startingDeadlineSeconds: 600
+          volumes:
+          - name: bodhi-critpath
+            persistentVolumeClaim:
+              claimName: bodhi-critpath-storage

roles/openshift-apps/bodhi/templates/deploymentconfig.yml

@@ -53,6 +53,9 @@ items:
           - name: config-volume
             mountPath: /etc/bodhi
             readOnly: true
+          - name: bodhi-critpath-storage
+            mountPath: /etc/bodhi/critpath
+            readOnly: true
           - name: keytab-volume
             mountPath: /etc/keytabs
             readOnly: true
@@ -91,6 +94,9 @@ items:
         - name: config-volume
           configMap:
             name: bodhi-configmap
+        - name: bodhi-critpath-storage
+          persistentVolumeClaim:
+            claimName: "bodhi-critpath-storage"
         - name: keytab-volume
           secret:
             secretName: bodhi-keytab
@@ -164,6 +170,9 @@ items:
           - name: config-volume
             mountPath: /etc/bodhi
             readOnly: true
+          - name: bodhi-critpath-storage
+            mountPath: /etc/bodhi/critpath
+            readOnly: true
           - name: keytab-volume
             mountPath: /etc/keytabs
             readOnly: true
@@ -186,6 +195,9 @@ items:
         - name: config-volume
           configMap:
             name: bodhi-configmap
+        - name: bodhi-critpath-storage
+          persistentVolumeClaim:
+            claimName: "bodhi-critpath-storage"
         - name: keytab-volume
           secret:
             secretName: bodhi-keytab
@@ -257,6 +269,9 @@ items:
           - name: config-volume
             mountPath: /etc/bodhi
             readOnly: true
+          - name: bodhi-critpath-storage
+            mountPath: /etc/bodhi/critpath
+            readOnly: true
           - name: keytab-volume
             mountPath: /etc/keytabs
             readOnly: true
@@ -279,6 +294,9 @@ items:
         - name: config-volume
           configMap:
             name: bodhi-configmap
+        - name: bodhi-critpath-storage
+          persistentVolumeClaim:
+            claimName: "bodhi-critpath-storage"
         - name: keytab-volume
           secret:
             secretName: bodhi-keytab
@@ -352,6 +370,9 @@ items:
           - name: config-volume
             mountPath: /etc/bodhi
             readOnly: true
+          - name: bodhi-critpath-storage
+            mountPath: /etc/bodhi/critpath
+            readOnly: true
           - name: keytab-volume
             mountPath: /etc/keytabs
             readOnly: true
@@ -374,6 +395,9 @@ items:
         - name: config-volume
           configMap:
             name: bodhi-configmap
+        - name: bodhi-critpath-storage
+          persistentVolumeClaim:
+            claimName: "bodhi-critpath-storage"
         - name: keytab-volume
           secret:
             secretName: bodhi-keytab

roles/openshift-apps/bodhi/templates/dockerfile-critpathcron

@@ -0,0 +1,16 @@
+{% if env == "staging" %}
+FROM fedora:37
+{% else %}
+FROM fedora:37
+{% endif %}
+LABEL \
+    name="bodhi-critpathcron" \
+    vendor="Fedora Infrastructure" \
+    license="MIT"
+{% if env == "staging" %}
+RUN curl -o /etc/yum.repos.d/infra-tags.repo https://infrastructure.fedoraproject.org/infra/ansible/files/common/fedora-infra-tags.repo
+RUN curl -o /etc/yum.repos.d/infra-tags-stg.repo https://infrastructure.fedoraproject.org/infra/ansible/files/common/fedora-infra-tags-stg.repo
+{% else %}
+RUN curl -o /etc/yum.repos.d/infra-tags.repo https://infrastructure.fedoraproject.org/infra/ansible/files/common/fedora-infra-tags.repo
+{% endif %}
+RUN dnf install -y python3-dnf git fedora-repos