CR-17878 - support on-prem platform ca (#35)

* updated chart version to `0.2.1-alpha.14`
* bumped appVersion to `0.1.29`
* updated app-proxy to `1.2245.0`

---------

Co-authored-by: Ilia Medvedev <[email protected]>

Author: ATGardner

charts/gitops-runtime/Chart.yaml

@@ -1,15 +1,20 @@
 apiVersion: v2
-appVersion: 0.1.27
+appVersion: 0.1.29
 description: A Helm chart for Codefresh gitops runtime
 name: gitops-runtime
-version: 0.2.1-alpha.13
+version: 0.2.1-alpha.14
 home: https://github.com/codefresh-io/gitops-runtime-helm
+icon: https://codefresh.io/wp-content/uploads/2022/02/Codefresh_Logo_Vertical_LightBkgd.png
 keywords:
   - codefresh
   - gitops
 maintainers:
   - name: codefresh
     url: https://codefresh-io.github.io/
+annotations:
+  artifacthub.io/changes: |
+    - kind: added
+      description: Added support for custom CA
 dependencies:
 - name: argo-cd
   repository: https://codefresh-io.github.io/argo-helm

charts/gitops-runtime/README.md

@@ -1,6 +1,6 @@
 # gitops-runtime
 
-![Version: 0.2.1-alpha.13](https://img.shields.io/badge/Version-0.2.1--alpha.13-informational?style=flat-square) ![AppVersion: 0.1.27](https://img.shields.io/badge/AppVersion-0.1.27-informational?style=flat-square)
+![Version: 0.2.1-alpha.14](https://img.shields.io/badge/Version-0.2.1--alpha.14-informational?style=flat-square) ![AppVersion: 0.1.29](https://img.shields.io/badge/AppVersion-0.1.29-informational?style=flat-square)
 
 A Helm chart for Codefresh gitops runtime
 
@@ -36,6 +36,8 @@ A Helm chart for Codefresh gitops runtime
 | app-proxy.config.logLevel | string | `"info"` | Log Level |
 | app-proxy.config.skipGitPermissionValidation | string | `"false"` | Skit git permissions validation |
 | app-proxy.env | object | `{}` |  |
+| app-proxy.extraVolumeMounts | list | `[]` | Extra volume mounts for main container |
+| app-proxy.extraVolumes | list | `[]` | extra volumes |
 | app-proxy.fullnameOverride | string | `"cap-app-proxy"` |  |
 | app-proxy.image-enrichment | object | `{"config":{"clientHeartbeatIntervalInSeconds":5,"concurrencyCmKey":"imageReportExecutor","concurrencyCmName":"workflow-synchronization-semaphores","podGcStrategy":"OnWorkflowCompletion","ttlActiveInSeconds":900,"ttlAfterCompletionInSeconds":86400},"enabled":true,"serviceAccount":{"annotations":null,"create":true,"name":"codefresh-image-enrichment-sa"}}` | Image enrichment process configuration |
 | app-proxy.image-enrichment.config | object | `{"clientHeartbeatIntervalInSeconds":5,"concurrencyCmKey":"imageReportExecutor","concurrencyCmName":"workflow-synchronization-semaphores","podGcStrategy":"OnWorkflowCompletion","ttlActiveInSeconds":900,"ttlAfterCompletionInSeconds":86400}` | Configurations for image enrichment workflow |
@@ -52,13 +54,14 @@ A Helm chart for Codefresh gitops runtime
 | app-proxy.image-enrichment.serviceAccount.name | string | `"codefresh-image-enrichment-sa"` | Name of the service account to create or the name of the existing one to use |
 | app-proxy.image.pullPolicy | string | `"IfNotPresent"` |  |
 | app-proxy.image.repository | string | `"quay.io/codefresh/cap-app-proxy"` |  |
-| app-proxy.image.tag | string | `"1.2221.0"` |  |
+| app-proxy.image.tag | string | `"1.2245.0"` |  |
 | app-proxy.imagePullSecrets | list | `[]` |  |
 | app-proxy.initContainer.command[0] | string | `"./init.sh"` |  |
 | app-proxy.initContainer.env | object | `{}` |  |
+| app-proxy.initContainer.extraVolumeMounts | list | `[]` | Extra volume mounts for init container |
 | app-proxy.initContainer.image.pullPolicy | string | `"IfNotPresent"` |  |
 | app-proxy.initContainer.image.repository | string | `"quay.io/codefresh/cap-app-proxy-init"` |  |
-| app-proxy.initContainer.image.tag | string | `"1.2221.0"` |  |
+| app-proxy.initContainer.image.tag | string | `"1.2245.0"` |  |
 | app-proxy.initContainer.resources.limits.cpu | string | `"1"` |  |
 | app-proxy.initContainer.resources.limits.memory | string | `"512Mi"` |  |
 | app-proxy.initContainer.resources.requests.cpu | string | `"0.2"` |  |
@@ -123,9 +126,15 @@ A Helm chart for Codefresh gitops runtime
 | event-reporters.workflow.sensor.replicas | int | `1` |  |
 | event-reporters.workflow.sensor.resources | object | `{}` |  |
 | event-reporters.workflow.serviceAccount.create | bool | `true` |  |
-| global.codefresh | object | `{"accountId":"","apiEventsPath":"/2.0/api/events","url":"https://g.codefresh.io","userToken":{"secretKeyRef":{},"token":""}}` | Codefresh platform and account-related settings |
+| global.codefresh | object | `{"accountId":"","apiEventsPath":"/2.0/api/events","tls":{"caCerts":{"secret":{"annotations":{},"content":"","create":false,"key":"ca-bundle.crt"},"secretKeyRef":{}},"workflowPipelinesGitWebhooks":{"annotatins":{},"certificates":{}}},"url":"https://g.codefresh.io","userToken":{"secretKeyRef":{},"token":""}}` | Codefresh platform and account-related settings |
 | global.codefresh.accountId | string | `""` | Codefresh Account ID. |
 | global.codefresh.apiEventsPath | string | `"/2.0/api/events"` | Events API endpoint URL suffix. |
+| global.codefresh.tls.caCerts | object | `{"secret":{"annotations":{},"content":"","create":false,"key":"ca-bundle.crt"},"secretKeyRef":{}}` | Custom CA certificates bundle for platform access with ssl |
+| global.codefresh.tls.caCerts.secret | object | `{"annotations":{},"content":"","create":false,"key":"ca-bundle.crt"}` | Chart managed secret for custom platform CA certificates |
+| global.codefresh.tls.caCerts.secret.create | bool | `false` | Whether to create the secret. |
+| global.codefresh.tls.caCerts.secret.key | string | `"ca-bundle.crt"` | The secret key that holds the ca bundle |
+| global.codefresh.tls.caCerts.secretKeyRef | object | `{}` | Reference to existing secret |
+| global.codefresh.tls.workflowPipelinesGitWebhooks | object | `{"annotatins":{},"certificates":{}}` | Those will be merged with the certificats defined in argo-cd.configs.tls.certificates - so if the certificates are already provided for ArgoCD, there is no need to provide them again. |
 | global.codefresh.url | string | `"https://g.codefresh.io"` | URL of Codefresh platform. |
 | global.codefresh.userToken | object | `{"secretKeyRef":{},"token":""}` | User token. Used for runtime registration against the patform. One of token (for plain text value) or secretKeyRef must be provided. |
 | global.codefresh.userToken.secretKeyRef | object | `{}` | User token that references an existing secret containing the token. |

charts/gitops-runtime/templates/_components/cap-app-proxy/_all_resources.yaml

@@ -1,5 +1,7 @@
 {{- define "cap-app-proxy.resources" }}
   {{ include "cap-app-proxy.resources.configmap" . }}
+---
+  {{ include "cap-app-proxy.resources.codefresh-tls-certs" . }}
 ---
   {{ include "cap-app-proxy.resources.deployment" . }}
 ---

charts/gitops-runtime/templates/_components/cap-app-proxy/_deployment.yaml

@@ -37,8 +37,11 @@ spec:
         command:
           {{- toYaml .Values.initContainer.command | nindent 8 }}
         volumeMounts:
-          - mountPath: /app/config/tls
-            name: tls-certs
+        {{- with .Values.initContainer.extraVolumeMounts }}
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
+          - mountPath: /app/config/git-tls-certs
+            name: git-tls-certs
             readOnly: true
           - mountPath: /app/config/all
             name: all-certs
@@ -75,6 +78,9 @@ spec:
         resources:
           {{- toYaml .Values.resources | nindent 12 }}
         volumeMounts:
+        {{- with .Values.extraVolumeMounts }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
         - mountPath: /app/config/all
           name: all-certs
           readOnly: true
@@ -91,10 +97,14 @@ spec:
         {{- toYaml . | nindent 6 }}
       {{- end }}
       volumes:
+      {{- with .Values.extraVolumes }}
+          {{- toYaml . | nindent 6 }}
+      {{- end }}
+      - name: git-tls-certs
+        secret:
+          secretName: codefresh-workflow-pipelines-tls
+          defaultMode: 420
+          optional: true
       - name: all-certs
         emptyDir: {}
-      - name: tls-certs
-        configMap:
-          defaultMode: 420
-          name: argocd-tls-certs-cm
-{{- end }}
+{{- end }}

charts/gitops-runtime/templates/_components/event-reporters/_helpers.tpl

@@ -31,7 +31,6 @@ helm.sh/chart: {{ include "event-reporters.chart" . }}
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- end }}
 app.kubernetes.io/managed-by: Helm
-app.kubernetes.io/part-of: events-reporter
 codefresh.io/internal: "true"
 {{- end }}
 
@@ -79,7 +78,6 @@ helm.sh/chart: {{ include "event-reporters.chart" . }}
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- end }}
 app.kubernetes.io/managed-by: Helm
-app.kubernetes.io/part-of: rollout-reporter
 codefresh.io/internal: "true"
 {{- end }}
 
@@ -127,7 +125,6 @@ helm.sh/chart: {{ include "event-reporters.chart" . }}
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- end }}
 app.kubernetes.io/managed-by: Helm
-app.kubernetes.io/part-of: workflow-reporter
 codefresh.io/internal: "true"
 {{- end }}
 
@@ -148,3 +145,36 @@ Create the name of the service account to use
     {{- default "default" .Values.workflow.serviceAccount.name }}
   {{- end }}
 {{- end }}
+
+{{/*
+Create a single event-source sensor http trigger
+assumes the name, condition and payload.dependencyName are identical
+*/}}
+{{- define "event-reporters.http.trigger" -}}
+{{- $url := (printf "%s%s" .Values.global.codefresh.url .Values.global.codefresh.apiEventsPath | quote) -}}
+- template:
+    name: {{ .name }}
+    conditions: {{ .name }}
+    http:
+      method: POST
+      url: {{ $url }}
+  {{- if or .Values.global.codefresh.tls.caCerts.secret.create .Values.global.codefresh.tls.caCerts.secretKeyRef}}
+      tls:
+        caCertSecret:
+          name: {{ .Values.global.codefresh.tls.caCerts.secret.create | ternary "codefresh-tls-certs" .Values.global.codefresh.tls.caCerts.secretKeyRef.name }}
+          key: {{ .Values.global.codefresh.tls.caCerts.secret.create | ternary (default "ca-bundle.crt" .Values.global.codefresh.tls.caCerts.secret.key) .Values.global.codefresh.tls.caCerts.secretKeyRef.key }}
+  {{- end }}
+      headers:
+        Content-Type: application/json
+      secureHeaders:
+      - name: Authorization
+        valueFrom:
+          secretKeyRef:
+            key: token
+            name: codefresh-token
+      payload:
+      - dest: data
+        src:
+          dataKey: body
+          dependencyName: {{ .name }}
+{{- end -}}

charts/gitops-runtime/templates/_components/event-reporters/events-reporter/_all_resources.yaml

@@ -2,44 +2,23 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Sensor
 metadata:
+  name: events-reporter
   labels:
     {{- include "event-reporters.events-reporter.labels" . | nindent 4}}
-  name: events-reporter
 spec:
   replicas: {{ .Values.events.sensor.replicas }}
+  dependencies:
+  - name: events
+    eventSourceName: events-reporter
+    eventName: events
+  eventBusName: {{ .Values.global.runtime.eventBusName }}
   template:
     serviceAccountName: {{ include "event-reporters.events-reporter.serviceAccountName" .}}
     container:
       resources:
       {{- with .Values.events.sensor.resources  }}
         {{- . | toYaml | nindent 8 }}
       {{- end }}
-  dependencies:
-  - eventName: events
-    eventSourceName: events-reporter
-    name: events
-  eventBusName: {{ .Values.global.runtime.eventBusName }}
   triggers:
-  - retryStrategy:
-      duration: 0
-      steps: 3
-    template:
-      conditions: events
-      http:
-        headers:
-          Content-Type: application/json
-        method: POST
-        payload:
-        - dest: data
-          src:
-            dataKey: body
-            dependencyName: events
-        secureHeaders:
-        - name: Authorization
-          valueFrom:
-            secretKeyRef:
-              key: token
-              name: codefresh-token
-        url: {{ printf "%s%s" .Values.global.codefresh.url .Values.global.codefresh.apiEventsPath | quote }}
-      name: events
-{{- end }}
+    {{- include "event-reporters.http.trigger" (dict "name" "events" "Values" .Values) | nindent 4 }}
+{{- end }}

charts/gitops-runtime/templates/_components/event-reporters/events-reporter/_sensor.yaml

@@ -8,89 +8,26 @@ metadata:
 spec:
   replicas: {{ .Values.rollout.sensor.replicas }}
   dependencies:
-    - eventName: rollouts
-      eventSourceName: rollout-reporter
-      name: rollouts
-    - eventName: replicasets
-      eventSourceName: rollout-reporter
-      name: replicasets
-    - eventName: analysisruns
-      eventSourceName: rollout-reporter
-      name: analysisruns
+  - name: rollouts
+    eventSourceName: rollout-reporter
+    eventName: rollouts
+  - name: replicasets
+    eventSourceName: rollout-reporter
+    eventName: replicasets
+  - name: analysisruns
+    eventSourceName: rollout-reporter
+    eventName: analysisruns
   eventBusName: {{ .Values.global.runtime.eventBusName }}
   template:
+    serviceAccountName: {{ include "event-reporters.rollout-reporter.serviceAccountName" .}}
     container:
       name: ""
       resources:
       {{- with .Values.rollout.eventSource.resources  }}
         {{- . | toYaml | nindent 8 }}
       {{- end }}
-    serviceAccountName: {{ include "event-reporters.rollout-reporter.serviceAccountName" .}}
   triggers:
-    - retryStrategy:
-        duration: 0
-        steps: 3
-      template:
-        conditions: rollouts
-        http:
-          headers:
-            Content-Type: application/json
-          method: POST
-          payload:
-            - dest: data.object
-              src:
-                dataKey: body
-                dependencyName: rollouts
-          secureHeaders:
-            - name: Authorization
-              valueFrom:
-                secretKeyRef:
-                  key: token
-                  name: codefresh-token
-          url: {{ printf "%s%s" .Values.global.codefresh.url .Values.global.codefresh.apiEventsPath | quote }}
-        name: rollouts
-    - retryStrategy:
-        duration: 0
-        steps: 3
-      template:
-        conditions: replicasets
-        http:
-          headers:
-            Content-Type: application/json
-          method: POST
-          payload:
-            - dest: data.object
-              src:
-                dataKey: body
-                dependencyName: replicasets
-          secureHeaders:
-            - name: Authorization
-              valueFrom:
-                secretKeyRef:
-                  key: token
-                  name: codefresh-token
-          url: {{ printf "%s%s" .Values.global.codefresh.url .Values.global.codefresh.apiEventsPath | quote }}
-        name: replicasets
-    - retryStrategy:
-        duration: 0
-        steps: 3
-      template:
-        conditions: analysisruns
-        http:
-          headers:
-            Content-Type: application/json
-          method: POST
-          payload:
-            - dest: data.object
-              src:
-                dataKey: body
-                dependencyName: analysisruns
-          secureHeaders:
-            - name: Authorization
-              valueFrom:
-                secretKeyRef:
-                  key: token
-                  name: codefresh-token
-          url: {{ printf "%s%s" .Values.global.codefresh.url .Values.global.codefresh.apiEventsPath | quote }}
-        name: analysisruns
-{{- end }}
+  {{- include "event-reporters.http.trigger" (dict "name" "rollouts" "Values" .Values) | nindent 4 }}
+  {{- include "event-reporters.http.trigger" (dict "name" "replicasets" "Values" .Values) | nindent 4 }}
+  {{- include "event-reporters.http.trigger" (dict "name" "analysisruns" "Values" .Values) | nindent 4 }}
+{{- end }}