fix: Add entitlement-key to managed cluster where Cloud Pak will be installed

.github/pull_request_template.md

@@ -4,5 +4,5 @@ Description of changes:
 - <change 1 ... >
 - <change 2 ... >
 
-Output of `argocd app list` command or screenshot of the ArgoCD Application synchronization window showing successful application of changes in this branch.
+Output of `argocd app list` command or screenshot of the Argo CD Application synchronization window showing successful application of changes in this branch.
 

config/argocd-rhacm/templates/0200-rhacm-cloudpaks-app.yaml

@@ -9,7 +9,7 @@ metadata:
   namespace: {{.Values.metadata.argocd_namespace}}
 spec:
   destination:
-    namespace: open-cluster-management
+    namespace: {{.Values.metadata.argocd_namespace}}
     server: https://kubernetes.default.svc
   ignoreDifferences:
     - group: argoproj.io

config/rhacm/cloudpaks/templates/placement-gitops-policy.yaml

@@ -0,0 +1,36 @@
+{{- $argocd_namespace := .Values.metadata.argocd_namespace -}}
+{{- range tuple "cp4a" "cp4aiops" "cp4d" "cp4i" "cp4s" }}
+---
+apiVersion: apps.open-cluster-management.io/v1
+kind: PlacementRule
+metadata:
+  annotations:
+    argocd.argoproj.io/sync-wave: "200"
+  name: placement-openshift-gitops-entitlement-key-{{.}}
+  namespace: "{{ $argocd_namespace }}"
+spec:
+  clusterConditions:
+    - status: 'True'
+      type: ManagedClusterConditionAvailable
+  clusterSelector:
+    matchExpressions:
+      - key: {{.}}
+        operator: Exists
+        values: []
+---
+apiVersion: policy.open-cluster-management.io/v1
+kind: PlacementBinding
+metadata:
+  annotations:
+    argocd.argoproj.io/sync-wave: "300"
+  name: binding-openshift-gitops-entitlement-key-{{.}}
+  namespace: "{{ $argocd_namespace }}"
+placementRef:
+  name: placement-openshift-gitops-entitlement-key-{{.}}
+  kind: PlacementRule
+  apiGroup: apps.open-cluster-management.io
+subjects:
+  - name: cloudpak-entitlement-key
+    kind: Policy
+    apiGroup: policy.open-cluster-management.io
+{{- end }}

config/rhacm/cloudpaks/templates/policy-entitlement-key.yaml

@@ -0,0 +1,41 @@
+---
+apiVersion: policy.open-cluster-management.io/v1
+kind: Policy
+metadata:
+  name: cloudpak-entitlement-key
+  namespace: "{{ .Values.argocd_namespace }}"
+  annotations:
+    argocd.argoproj.io/compare-options: IgnoreExtraneous
+    argocd.argoproj.io/sync-options: SkipPrune
+    argocd.argoproj.io/sync-wave: "200"
+    policy.open-cluster-management.io/categories: CM Configuration Management
+    policy.open-cluster-management.io/controls: CM-2 Baseline Configuration
+    policy.open-cluster-management.io/standards: NIST SP 800-53
+spec:
+  disabled: false
+  policy-templates:
+    - objectDefinition:
+        apiVersion: policy.open-cluster-management.io/v1
+        kind: ConfigurationPolicy
+        metadata:
+          name: policy-entkey
+        spec:
+          namespaceSelector:
+            exclude:
+              - kube-*
+            include:
+              - default
+          object-templates:
+            - complianceType: musthave
+              objectDefinition:
+                apiVersion: v1
+                data:
+                  .dockerconfigjson: '{{ "{{hub fromSecret \"openshift-gitops\" \"ibm-entitlement-key\" \".dockerconfigjson\" hub}}" }}'
+                kind: Secret
+                metadata:
+                  name: ibm-entitlement-key
+                  namespace: openshift-gitops
+                type: kubernetes.io/dockerconfigjson
+          remediationAction: inform
+          severity: low
+  remediationAction: enforce

config/rhacm/seeds/templates/0020-argocd-roles.yaml

@@ -19,6 +19,24 @@ rules:
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
+metadata:
+  annotations:
+    argocd.argoproj.io/sync-wave: "21"
+  creationTimestamp: null
+  name: argocd-rhacm-role
+  namespace: "{{.Values.metadata.argocd_namespace}}"
+rules:
+  - apiGroups:
+      - apps.open-cluster-management.io
+      - operator.open-cluster-management.io
+      - policy.open-cluster-management.io
+    resources:
+      - "*"
+    verbs:
+      - "*"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
 metadata:
   annotations:
     argocd.argoproj.io/sync-wave: "21"

config/rhacm/seeds/templates/0030-argocd-role-bindings.yaml

@@ -18,6 +18,23 @@ subjects:
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
+metadata:
+  annotations:
+    argocd.argoproj.io/sync-wave: "30"
+  creationTimestamp: null
+  name: argocd-rhacm-binding
+  namespace: "{{.Values.metadata.argocd_namespace}}"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: argocd-rhacm-role
+subjects:
+  - kind: ServiceAccount
+    name: "{{.Values.serviceaccount.argocd_application_controller}}"
+    namespace: "{{.Values.metadata.argocd_namespace}}"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
 metadata:
   annotations:
     argocd.argoproj.io/sync-wave: "30"

config/rhacm/seeds/templates/0200-gitops-managed-cluster-set.yaml

@@ -1,4 +1,4 @@
-# https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.7/html/applications/managing-applications#gitops-config
+# https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.8/html/applications/managing-applications#gitops-config
 ---
 apiVersion: cluster.open-cluster-management.io/v1beta2
 kind: ManagedClusterSet

config/rhacm/seeds/templates/9000-post-multi-cluster-engine.yaml

@@ -1,4 +1,4 @@
-# https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.7/html-single/clusters/index#hosting-service-cluster-configure-aws
+# https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.8/html-single/clusters/index#hosting-service-cluster-configure-aws
 ---
 apiVersion: batch/v1
 kind: Job

docs/install.md

@@ -26,7 +26,7 @@
 
 ## Prerequisites
 
-- An OpenShift Container Platform cluster, version 4.8 or later.
+- An OpenShift Container Platform cluster, version 4.12 or later.
 
   The applications were tested on both managed and self-managed deployments.
 
@@ -61,7 +61,7 @@
    ```sh
    oc version --client
 
-   # Client Version: 4.10.60
+   # Client Version: 4.12.47
    ```
 
    Ideally, the client's minor version should be at most one iteration behind the server version. Most commands here are pretty basic and will work with more significant differences, but keep that in mind if you see errors about unrecognized commands and parameters.
@@ -155,7 +155,7 @@ oc create secret docker-registry ibm-entitlement-key \
         --docker-server=cp.icr.io \
         --docker-username=cp \
         --docker-password="${IBM_ENTITLEMENT_KEY:?}" \
-        --docker-email="non-existent-replace-with0[email protected]" \
+        --docker-email="non-existent-replace-with[email protected]" \
         --namespace=openshift-gitops
 ```
 
@@ -380,7 +380,7 @@ After completing the list of activities listed in the previous sections, you can
    argocd app list -l app.kubernetes.io/instance=${app_name}
    ```
 
-1. You can also use the ArgoCD command-line interface to wait for the application to be synchronized and healthy:
+1. You can also use the Argo CD command-line interface to wait for the application to be synchronized and healthy:
 
    ```sh
    argocd app wait "${app_name}" \

docs/rhacm.md

@@ -5,8 +5,12 @@
 - [Red Hat Advanced Cluster Management for Kubernetes](#red-hat-advanced-cluster-management-for-kubernetes)
   - [Contents](#contents)
   - [Overview](#overview)
+  - [Prerequisites](#prerequisites)
   - [Installation](#installation)
-    - [Install RHACM on OCP cluster via Argo](#install-rhacm-on-ocp-cluster-via-argo)
+    - [Install the OpenShift GitOps operator](#install-the-openshift-gitops-operator)
+    - [Install RHACM on OCP cluster via Argo CD](#install-rhacm-on-ocp-cluster-via-argo-cd)
+  - [Obtain an entitlement key](#obtain-an-entitlement-key)
+  - [Update the pull secret in the openshift-gitops namespace](#update-the-pull-secret-in-the-openshift-gitops-namespace)
   - [Using the policies](#using-the-policies)
     - [Policies](#policies)
     - [Label your clusters](#label-your-clusters)
@@ -23,10 +27,29 @@ Red Hat Advanced Cluster Management for Kubernetes (referred to as RHACM through
 
 This repository contains governance policies and placement rules for Argo CD itself and the Argo CD Application resources representing the Cloud Paks.
 
+---
+
+## Prerequisites
+
+- An OpenShift Container Platform cluster, version 4.12 or later.
+
+  The applications were tested on both managed and self-managed deployments.
+
+- Adequate worker node capacity in the cluster for RHACM to be installed.
+
+  Refer to the [RHACM documentation](https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.8/html/install/installing#sizing-your-cluster) to determine the required capacity for the cluster.
+
+- [An entitlement key to the IBM Entitled Registry](#obtain-an-entitlement-key). This key is required in the RHACM cluster so it can be copied over to the managed clusters when a cluster matches a policy to install a Cloud Pak.
+
+---
+
 ## Installation
 
+### Install the OpenShift GitOps operator
 
-### Install RHACM on OCP cluster via Argo
+Follow the instructions in the [Red Hat OpenShift GitOps Installation page](https://docs.openshift.com/gitops/1.8/installing_gitops/installing-openshift-gitops.html) with special care to **use the `gitops-1.8` subscription channel instead of `latest`** (at least, until issue [#289](https://github.com/IBM/cloudpak-gitops/issues/289) is addressed.)
+
+### Install RHACM on OCP cluster via Argo CD
 
 These steps assume you logged in to the OCP server with the `oc` command-line interface:
 
@@ -71,6 +94,44 @@ These steps assume you logged in to the OCP server with the `oc` command-line in
          --health
    ```
 
+## Obtain an entitlement key
+
+If you don't already have an entitlement key to the IBM Entitled Registry, obtain your key using the following instructions:
+
+1. Go to the [Container software library](https://myibm.ibm.com/products-services/containerlibrary).
+
+1. Click the "Copy key."
+
+1. Copy the entitlement key to a safe place to update the cluster's global pull secret.
+
+1. (Optional) Verify the validity of the key by logging in to the IBM Entitled Registry using a container tool:
+
+   ```sh
+   export IBM_ENTITLEMENT_KEY=the key from the previous steps
+   podman login cp.icr.io --username cp --password "${IBM_ENTITLEMENT_KEY:?}"
+   ```
+
+---
+
+## Update the pull secret in the openshift-gitops namespace
+
+Global pull secrets require granting too much privilege to the OpenShift GitOps service account, so we have started transitioning to the definition of pull secrets at a namespace level.
+
+The Application resources are transitioning to use `PreSync` hooks to copy the entitlement key from a `Secret` named `ibm-entitlement-key` in the `openshift-gitops` namespace, so issue the following command to create that secret:
+
+```sh
+# Note that if you just created the OpenShift GitOps operator
+# the namespace may not be ready yet, so you may need to wait 
+# a minute or two
+oc create secret docker-registry ibm-entitlement-key \
+        --docker-server=cp.icr.io \
+        --docker-username=cp \
+        --docker-password="${IBM_ENTITLEMENT_KEY:?}" \
+        --docker-email="[email protected]" \
+        --namespace=openshift-gitops
+```
+
+---
 
 ## Using the policies
 
@@ -96,32 +157,32 @@ Labels:
 - `gitops-branch` + `cp4i`: Placement for Cloud Pak for Integration.
 - `gitops-branch` + `cp4s`: Placement for Cloud Pak for Security.
 - `gitops-branch` + `cp4aiops`: Placement for Cloud Pak for AIOps.
-- `gitops-remote` + `true`: Assign cluster to the `gitops-cluster` cluster-set, registering it to the [GitOps Cluster](https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.7/html/applications/managing-applications#gitops-config).
+- `gitops-remote` + `true`: Assign cluster to the `gitops-cluster` cluster-set, registering it to the [GitOps Cluster](https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.8/html/applications/managing-applications#gitops-config).
 
 Values for each label:
 
 - `gitops-branch`: Branch of this repo for the Argo applications. Unless you are developing and testing on a new branch, use the default value `main`.
-- cp4a: Namespace for deploying the Cloud Pak. Unless you want multiple Cloud Paks in different namespaces of the cluster, use the default value `ibm-cloudpaks`.
-- `cp4aiops`: Namespace for deploying the Cloud Pak. Unless you want multiple Cloud Paks in different namespaces of the cluster, use the default value `ibm-cloudpaks`.
-- `cp4d`: Namespace for deploying the Cloud Pak. As of release 4.0.6, and as a product limitation, do not use the same namespace as other Cloud Paks if installing  Cloud Pak for Data to the same cluster.
-- `cp4i`: Namespace for deploying the Cloud Pak. Unless you want multiple Cloud Paks in different namespaces of the cluster, use the default value `ibm-cloudpaks`.
-- `cp4s`: Namespace for deploying the Cloud Pak. Unless you want multiple Cloud Paks in different namespaces of the cluster, use the default value `ibm-cloudpaks`.
+- cp4a: Namespace for deploying the Cloud Pak.
+- `cp4aiops`: Namespace for deploying the Cloud Pak.
+- `cp4d`: Namespace for deploying the Cloud Pak.
+- `cp4i`: Namespace for deploying the Cloud Pak.
+- `cp4s`: Namespace for deploying the Cloud Pak.
 
 ### Examples
 
-Labeling an OCP cluster with `gitops-branch=main` and `cp4i=ibm-cloudpaks` deploys the following policies to a target cluster:
+Labeling an OCP cluster with `gitops-branch=main` and `cp4i=cp4ins` deploys the following policies to a target cluster:
 
 - `openshift-gitops-installed`
 - `openshift-gitops-argo-app`
 - `openshift-gitops-cloudpaks-cp-shared`
 - `openshift-gitops-cloudpaks-cp4i`
 
-Labeling an OCP cluster with `gitops-branch=main` and `cp4i=ibm-cloudpaks` deploys the following policies to a target cluster:
+Labeling an OCP cluster with `gitops-branch=main` and `cp4i=cp4ins` deploys the following policies to a target cluster:
 
 - `openshift-gitops-installed`: The latest version of the OpenShift GitOps operator.
 - `openshift-gitops-argo-app`: The Argo configuration is pulled from the `main` branch of this repository.
-`openshift-gitops-cloudpaks-cp-shared`: The Argo configuration is pulled from this repository's `main` branch.
-- `openshift-gitops-cloudpaks-cp4i`: The Cloud Pak is deployed to the namespace `ibm-cloudpaks`
+- `openshift-gitops-cloudpaks-cp-shared`: The Argo configuration is pulled from this repository's `main` branch.
+- `openshift-gitops-cloudpaks-cp4i`: The Cloud Pak is deployed to the namespace `cp4ins`
 
 ## The "rhacm-users" group
 
@@ -137,6 +198,7 @@ Once you have the respective users added to the cluster, you can add them to the
 oc adm groups add-users rhacm-users "${username:?}"
 ```
 
+---
 
 ## Contributing
 
@@ -146,6 +208,8 @@ If using OpenShift GitOps installed in the RHACM server, you need to modify the
 
 The instructions for that setup are documented in the [CONTRIBUTING.md](../CONTRIBUTING.md) page, where you need to ensure you use the `rhacm-app` application name as the parameter for the `argocd app set` commands.
 
+---
+
 ## References
 
 - [Announcement of RHACM and GitOps integration](https://cloud.redhat.com/blog/red-hat-advanced-cluster-management-with-openshift-gitops)

tests/prebuild/yamllint-config.yaml

@@ -16,6 +16,7 @@ ignore: |
   config/rhacm/cloudpaks/templates/placement-argocd.yaml
   config/rhacm/cloudpaks/templates/placement-cloudpaks.yaml
   config/rhacm/cloudpaks/templates/placement-cp-shared.yaml
+  config/rhacm/cloudpaks/templates/placement-gitops-policy.yaml
   config/rhacm/seeds/templates/0000-namespace-multi-cluster-engine.yaml
   config/rhacm/seeds/templates/0020-rhacm-hypershift-preview-roles.yaml