Merge pull request #95 from philipwu08/image-mirrors

OCM-18302 | feat: Support for image registry mirrors

Author: hunterkepley

README.md

@@ -34,6 +34,7 @@ Sub-modules included in this module:
 
 - account-iam-resource: Handles the provisioning of Identity and Access Management (IAM) resources required for managing access and permissions in the AWS account associated with the ROSA HCP cluster.
 - idp: Responsible for configuring Identity Providers (IDPs) within the ROSA HCP cluster, faciliting seamless integration with external authentication system such as Github (GH), GitLab, Google, HTPasswd, LDAP and OpenID Connect (OIDC).
+- image-mirrors: Manages the configuration of image digest mirror sets for ROSA HCP clusters, enabling container image mirroring to redirect image pulls from source registries to mirror registries for zero-egress networking and improved performance.
 - machine-pool: Facilitates the management of machine pools within the ROSA HCP cluster, enabling users to scale resources and adjust specifications based on workload demands.
 - oidc-config-and-provider: Manages the configuration of OpenID Connect (OIDC) hosted files and providers for ROSA HCP clusters, enabling secure authentication and access control mechanisms for operator roles.
 - operator-roles: Oversees the management of roles assigned to operators within the ROSA HCP cluster, enabling to perform required actions with appropriate permissions on the lifecyle of a cluster.
@@ -80,6 +81,7 @@ We recommend you install the following CLI tools:
 | <a name="module_account_iam_resources"></a> [account\_iam\_resources](#module\_account\_iam\_resources) | ./modules/account-iam-resources | n/a |
 | <a name="module_oidc_config_and_provider"></a> [oidc\_config\_and\_provider](#module\_oidc\_config\_and\_provider) | ./modules/oidc-config-and-provider | n/a |
 | <a name="module_operator_roles"></a> [operator\_roles](#module\_operator\_roles) | ./modules/operator-roles | n/a |
+| <a name="module_rhcs_hcp_image_mirrors"></a> [rhcs\_hcp\_image\_mirrors](#module\_rhcs\_hcp\_image\_mirrors) | ./modules/image-mirrors | n/a |
 | <a name="module_rhcs_hcp_kubelet_configs"></a> [rhcs\_hcp\_kubelet\_configs](#module\_rhcs\_hcp\_kubelet\_configs) | ./modules/kubelet-configs | n/a |
 | <a name="module_rhcs_hcp_machine_pool"></a> [rhcs\_hcp\_machine\_pool](#module\_rhcs\_hcp\_machine\_pool) | ./modules/machine-pool | n/a |
 | <a name="module_rhcs_identity_provider"></a> [rhcs\_identity\_provider](#module\_rhcs\_identity\_provider) | ./modules/idp | n/a |
@@ -131,6 +133,7 @@ We recommend you install the following CLI tools:
 | <a name="input_https_proxy"></a> [https\_proxy](#input\_https\_proxy) | A proxy URL to use for creating HTTPS connections outside the cluster. | `string` | `null` | no |
 | <a name="input_identity_providers"></a> [identity\_providers](#input\_identity\_providers) | Provides a generic approach to add multiple identity providers after the creation of the cluster. This variable allows users to specify configurations for multiple identity providers in a flexible and customizable manner, facilitating the management of resources post-cluster deployment. For additional details regarding the variables utilized, refer to the [idp sub-module](./modules/idp). For non-primitive variables (such as maps, lists, and objects), supply the JSON-encoded string. | `map(any)` | `{}` | no |
 | <a name="input_ignore_machine_pools_deletion_error"></a> [ignore\_machine\_pools\_deletion\_error](#input\_ignore\_machine\_pools\_deletion\_error) | Ignore machine pool deletion error. Assists when cluster resource is managed within the same file for the destroy use case | `bool` | `false` | no |
+| <a name="input_image_mirrors"></a> [image\_mirrors](#input\_image\_mirrors) | Provides a generic approach to add multiple image mirrors after the creation of the cluster. This variable allows users to specify configurations for multiple image mirrors in a flexible and customizable manner, facilitating the management of resources post-cluster deployment. For additional details regarding the variables utilized, refer to the [image-mirrors sub-module](./modules/image-mirrors). For non-primitive variables (such as maps, lists, and objects), supply the JSON-encoded string. | `map(any)` | `{}` | no |
 | <a name="input_kms_key_arn"></a> [kms\_key\_arn](#input\_kms\_key\_arn) | The key ARN is the Amazon Resource Name (ARN) of a CMK. It is a unique, fully qualified identifier for the CMK. A key ARN includes the AWS account, Region, and the key ID. | `string` | `null` | no |
 | <a name="input_kubelet_configs"></a> [kubelet\_configs](#input\_kubelet\_configs) | Provides a generic approach to add multiple kubelet configs after the creation of the cluster. This variable allows users to specify configurations for multiple kubelet configs in a flexible and customizable manner, facilitating the management of resources post-cluster deployment. For additional details regarding the variables utilized, refer to the [idp sub-module](./modules/kubelet-configs). For non-primitive variables (such as maps, lists, and objects), supply the JSON-encoded string. | `map(any)` | `{}` | no |
 | <a name="input_machine_cidr"></a> [machine\_cidr](#input\_machine\_cidr) | Block of IP addresses used by OpenShift while installing the cluster, for example "10.0.0.0/16". | `string` | `null` | no |
@@ -168,6 +171,7 @@ We recommend you install the following CLI tools:
 | <a name="output_cluster_domain"></a> [cluster\_domain](#output\_cluster\_domain) | The DNS domain of cluster. |
 | <a name="output_cluster_id"></a> [cluster\_id](#output\_cluster\_id) | Unique identifier of the cluster. |
 | <a name="output_cluster_state"></a> [cluster\_state](#output\_cluster\_state) | The state of the cluster. |
+| <a name="output_image_mirror_ids"></a> [image\_mirror\_ids](#output\_image\_mirror\_ids) | A map of image mirror names to their unique identifiers. |
 | <a name="output_oidc_config_id"></a> [oidc\_config\_id](#output\_oidc\_config\_id) | The unique identifier associated with users authenticated through OpenID Connect (OIDC) generated by this OIDC config. |
 | <a name="output_oidc_endpoint_url"></a> [oidc\_endpoint\_url](#output\_oidc\_endpoint\_url) | Registered OIDC configuration issuer URL, generated by this OIDC config. |
 | <a name="output_operator_role_prefix"></a> [operator\_role\_prefix](#output\_operator\_role\_prefix) | Prefix used for generated AWS operator policies. |

examples/rosa-hcp-public-with-multiple-machinepools-and-idps/README.md

@@ -9,6 +9,7 @@ This example includes:
 - All AWS resources (IAM and networking) that are created as part of the ROSA cluster module execution
 - "Day 2" Machine pool resources - created as part of the root module execution - map of multiple resources is provided.
 - "Day 2" Identity provider resource - created as part of the root module execution - map of multiple resources is provided.
+- "Day 2" Image mirror resources - created as part of the root module execution - map of multiple resources is provided.
 
 Note: This example involves the creation of various identity providers using placeholder values for illustrative purposes. These providers will not grant access to the cluster with the exception of the HTPasswd identity provider. You must supply your own pre-configured values for authentic identity providers.
 
@@ -57,6 +58,18 @@ module "hcp" {
       pod_pids_limit = 16384
     }
   }
+  image_mirrors = {
+    mirror1 = {
+      type    = "digest"
+      source  = "registry.redhat.io"
+      mirrors = ["mirror.example.com", "backup-mirror.example.com"]
+    },
+    mirror2 = {
+      type    = "digest"
+      source  = "quay.io"
+      mirrors = ["internal-quay.corp.example.com"]
+    }
+  }
   machine_pools = {
     pool1 = {
       name = "pool1"

examples/rosa-hcp-public-with-multiple-machinepools-and-idps/main.tf

@@ -29,6 +29,18 @@ module "hcp" {
       pod_pids_limit = 16384
     }
   }
+  image_mirrors = {
+    mirror1 = {
+      type    = "digest"
+      source  = "registry.redhat.io"
+      mirrors = ["mirror.example.com", "backup-mirror.example.com"]
+    },
+    mirror2 = {
+      type    = "digest"
+      source  = "quay.io"
+      mirrors = ["internal-quay.corp.example.com"]
+    }
+  }
   machine_pools = {
     pool1 = {
       name = "pool1"

main.tf

@@ -223,6 +223,19 @@ module "rhcs_hcp_kubelet_configs" {
   pod_pids_limit = each.value.pod_pids_limit
 }
 
+######################################
+# Multiple Image Mirrors block
+######################################
+module "rhcs_hcp_image_mirrors" {
+  source   = "./modules/image-mirrors"
+  for_each = var.image_mirrors
+
+  cluster_id      = module.rosa_cluster_hcp.cluster_id
+  type            = each.value.type
+  source_registry = each.value.source
+  mirrors         = each.value.mirrors
+}
+
 resource "null_resource" "validations" {
   lifecycle {
     precondition {

modules/image-mirrors/README.md

@@ -0,0 +1,58 @@
+# image-mirrors
+
+## Introduction
+
+This Terraform sub-module manages the image mirrors for ROSA HCP clusters. It enables you to efficiently configure image digest mirror sets after cluster deployment. With this module, you can easily set up container image mirroring to redirect image pulls from source registries to mirror registries, enabling zero-egress networking and improved performance.
+
+## Example Usage
+
+```
+module "imagemirror" {
+  source = "terraform-redhat/rosa-hcp/rhcs//modules/image-mirrors"
+
+  cluster_id      = "cluster-id-123"
+  type            = "digest"
+  source_registry = "registry.redhat.io"
+  mirrors         = ["mirror.example.com"]
+}
+```
+
+<!-- BEGIN_AUTOMATED_TF_DOCS_BLOCK -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
+| <a name="requirement_rhcs"></a> [rhcs](#requirement\_rhcs) | >= 1.7.2 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_rhcs"></a> [rhcs](#provider\_rhcs) | >= 1.7.2 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [rhcs_image_mirror.image_mirror](https://registry.terraform.io/providers/terraform-redhat/rhcs/latest/docs/resources/image_mirror) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_cluster_id"></a> [cluster\_id](#input\_cluster\_id) | Identifier of the cluster. | `string` | n/a | yes |
+| <a name="input_mirrors"></a> [mirrors](#input\_mirrors) | List of mirror registry hostnames. | `list(string)` | n/a | yes |
+| <a name="input_source_registry"></a> [source\_registry](#input\_source\_registry) | The source registry hostname. | `string` | n/a | yes |
+| <a name="input_type"></a> [type](#input\_type) | The type of the image digest mirror set. | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_image_mirror_id"></a> [image\_mirror\_id](#output\_image\_mirror\_id) | The unique identifier of the image mirror. |
+<!-- END_AUTOMATED_TF_DOCS_BLOCK -->

modules/image-mirrors/main.tf

@@ -0,0 +1,6 @@
+resource "rhcs_image_mirror" "image_mirror" {
+  cluster_id = var.cluster_id
+  type       = var.type
+  source     = var.source_registry
+  mirrors    = var.mirrors
+}

modules/image-mirrors/outputs.tf

@@ -0,0 +1,4 @@
+output "image_mirror_id" {
+  description = "The unique identifier of the image mirror."
+  value       = rhcs_image_mirror.image_mirror.id
+}

modules/image-mirrors/variables.tf

@@ -0,0 +1,23 @@
+// Required
+variable "cluster_id" {
+  description = "Identifier of the cluster."
+  type        = string
+}
+
+// Required
+variable "type" {
+  description = "The type of the image digest mirror set."
+  type        = string
+}
+
+// Required
+variable "source_registry" {
+  description = "The source registry hostname."
+  type        = string
+}
+
+// Required
+variable "mirrors" {
+  description = "List of mirror registry hostnames."
+  type        = list(string)
+}

modules/image-mirrors/versions.tf

@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    rhcs = {
+      version = ">= 1.7.2"
+      source  = "terraform-redhat/rhcs"
+    }
+  }
+}

outputs.tf

@@ -81,3 +81,12 @@ output "operator_roles_arn" {
   value       = var.create_operator_roles ? module.operator_roles[0].operator_roles_arn : null
   description = "List of Amazon Resource Names (ARNs) for all operator roles created."
 }
+
+## Image Mirrors Module Outputs
+
+output "image_mirror_ids" {
+  value = {
+    for k, v in module.rhcs_hcp_image_mirrors : k => v.image_mirror_id
+  }
+  description = "A map of image mirror names to their unique identifiers."
+}