From 5c90f5655e383f691b5557f7f7f51e5c9476ce41 Mon Sep 17 00:00:00 2001 From: Chris Butler Date: Fri, 17 May 2024 12:20:50 +1000 Subject: [PATCH] feat: Add acm back into deployment Signed-off-by: Chris Butler --- common/acm/templates/_helpers.tpl | 2 +- common/acm/templates/multiclusterhub.yaml | 10 +- .../templates/policies/acm-hub-ca-policy.yaml | 3 +- .../policies/application-policies.yaml | 16 +- .../templates/policies/ocp-gitops-policy.yaml | 176 +++++++++++++++++- .../policies/private-repo-policies.yaml | 2 +- .../templates/provision/_install-config.tpl | 2 +- .../acm/templates/provision/clusterpool.yaml | 2 +- .../templates/provision/secrets-azure.yaml | 2 +- .../templates/provision/secrets-common.yaml | 2 +- common/acm/values.yaml | 11 +- values-hub.yaml | 15 +- 12 files changed, 218 insertions(+), 25 deletions(-) diff --git a/common/acm/templates/_helpers.tpl b/common/acm/templates/_helpers.tpl index 910b397..d8bf7ca 100644 --- a/common/acm/templates/_helpers.tpl +++ b/common/acm/templates/_helpers.tpl @@ -10,4 +10,4 @@ Default always defined valueFiles to be included when pushing the cluster wide a # We cannot use $.Values.global.clusterVersion because that gets resolved to the # hub's cluster version, whereas we want to include the spoke cluster version - '/values-{{ `{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}` }}.yaml' -{{- end }} {{- /*acm.app.policies.valuefiles */}} +{{- end }} {{- /*acm.app.policies.valuefiles */}} \ No newline at end of file diff --git a/common/acm/templates/multiclusterhub.yaml b/common/acm/templates/multiclusterhub.yaml index 79ef933..b2af9fe 100644 --- a/common/acm/templates/multiclusterhub.yaml +++ b/common/acm/templates/multiclusterhub.yaml 
@@ -1,3 +1,7 @@ +{{- $channel := "" }} +{{- if .Values.acm.mce_operator.channel }} +{{- $channel = printf ",\"channel\": \"%s\"" .Values.acm.mce_operator.channel }} +{{- end }} apiVersion: operator.open-cluster-management.io/v1 kind: MultiClusterHub metadata: @@ -5,7 +9,5 @@ metadata: namespace: open-cluster-management annotations: argocd.argoproj.io/sync-wave: "-1" - {{- if kindIs "map" .Values.clusterGroup.subscriptions }} - installer.open-cluster-management.io/mce-subscription-spec: '{"source": "{{ default "redhat-operators" .Values.clusterGroup.subscriptions.acm.source }}" }' - {{- end }} -spec: {} + installer.open-cluster-management.io/mce-subscription-spec: '{"source": "{{ default "redhat-operators" .Values.acm.mce_operator.source }}" {{- $channel }} }' +spec: {} \ No newline at end of file diff --git a/common/acm/templates/policies/acm-hub-ca-policy.yaml b/common/acm/templates/policies/acm-hub-ca-policy.yaml index 890e6ba..fdfb294 100644 --- a/common/acm/templates/policies/acm-hub-ca-policy.yaml +++ b/common/acm/templates/policies/acm-hub-ca-policy.yaml @@ -67,5 +67,4 @@ spec: operator: NotIn values: - 'true' -{{ end }} - +{{ end }} \ No newline at end of file diff --git a/common/acm/templates/policies/application-policies.yaml b/common/acm/templates/policies/application-policies.yaml index 01082e5..a1c254b 100644 --- a/common/acm/templates/policies/application-policies.yaml +++ b/common/acm/templates/policies/application-policies.yaml @@ -1,4 +1,5 @@ # TODO: Also create a GitOpsCluster.apps.open-cluster-management.io +{{- $hasInitContainerCapability := and (.Values.global.experimentalCapabilities) (has "initcontainers" (splitList "," .Values.global.experimentalCapabilities)) }} {{- range .Values.clusterGroup.managedClusterGroups }} {{- $group := . }} {{- if not .hostedArgoSites }} 
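Review bot: The channel is spliced into the JSON annotation through `printf ",\"channel\": \"%s\""` with no escaping, so a `.Values.acm.mce_operator.channel` (or, in the second hunk of this file, a `.source`) containing a double quote or backslash produces an `mce-subscription-spec` annotation that is not valid JSON for the MCE installer to parse, and the hand-built string also leaves the `{{- $channel }}` whitespace trimming doing part of the syntax work. Building the spec as a dict and serialising it with `toJson | quote` keeps the annotation well-formed for any value and covers both hunks with one construct. The `metadata` block this annotation belongs to starts in the first hunk and continues into the second.
```yaml
{{- $mceSpec := dict "source" (default "redhat-operators" .Values.acm.mce_operator.source) }}
{{- if .Values.acm.mce_operator.channel }}
{{- $_ := set $mceSpec "channel" .Values.acm.mce_operator.channel }}
{{- end }}
# … unchanged: apiVersion, kind, metadata.name/namespace, sync-wave annotation …
    installer.open-cluster-management.io/mce-subscription-spec: {{ $mceSpec | toJson | quote }}
spec: {}
```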
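Review bot: `$hasInitContainerCapability` is declared at the top of application-policies.yaml but no hunk of this file references it, which looks like a copy of the line that ocp-gitops-policy.yaml does use; if the remainder of the file (not in this patch) does not read it either, the declaration is dead template state and should be dropped. The expression also assumes `.Values.global.experimentalCapabilities` is a comma-separated string, which nothing in the file states; a short comment above the line, such as `{{/* experimentalCapabilities: comma-separated string of feature names, e.g. "initcontainers" */}}`, would make the contract visible to whoever sets the value. The `range` over managedClusterGroups opened here closes outside this hunk.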
@@ -43,18 +44,15 @@ spec: helm: ignoreMissingValueFiles: true valueFiles: - {{- include "acm.app.policies.valuefiles" . | nindent 24 }} - {{- range $valueFile := $.Values.global.extraValueFiles }} - - {{ $valueFile | quote }} - {{- end }} + {{- include "acm.app.policies.valuefiles" . | nindent 22 }} {{- range $valueFile := .extraValueFiles }} - {{ $valueFile | quote }} {{- end }} parameters: - name: global.repoURL - value: $ARGOCD_APP_SOURCE_REPO_URL + value: {{ $.Values.global.repoURL }} - name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION + value: {{ $.Values.global.targetRevision }} - name: global.namespace value: $ARGOCD_APP_NAMESPACE - name: global.pattern @@ -63,10 +61,8 @@ spec: value: {{ $.Values.global.hubClusterDomain }} - name: global.localClusterDomain value: '{{ `{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain }}` }}' - # Requires ACM 2.6 or higher - name: global.clusterDomain value: '{{ `{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain | replace "apps." "" }}` }}' - # Requires ACM 2.6 or higher (I could not come up with something less terrible to get maj.min) - name: global.clusterVersion value: '{{ `{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}` }}' - name: global.localClusterName @@ -75,6 +71,8 @@ spec: value: {{ $.Values.global.clusterPlatform }} - name: clusterGroup.name value: {{ $group.name }} + - name: global.experimentalCapabilities + value: {{ $.Values.global.experimentalCapabilities }} {{- range .helmOverrides }} - name: {{ .name }} value: {{ .value | quote }} @@ -149,4 +147,4 @@ spec: {{- end }} --- {{- end }} -{{- end }} +{{- end }} \ No newline at end of file 
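Review bot: The new `global.repoURL` and `global.targetRevision` parameter values are emitted unquoted, so an empty value renders as a YAML null and a revision such as `1.0` is re-typed as a number, which Argo CD is likely to reject since a Helm parameter value is a string; the `helmOverrides` loop in the same hunk already uses `{{ .value | quote }}`. Quote them the same way: `value: {{ $.Values.global.repoURL | quote }}`, `value: {{ $.Values.global.targetRevision | quote }}`, and in hunk `@@ -75,6 +71,8 @@` `value: {{ $.Values.global.experimentalCapabilities | quote }}`, which otherwise renders as `value:` (null) whenever the capability string is unset. The `$.Values.global.extraValueFiles` loop is also removed here while the per-group `.extraValueFiles` loop stays, so globally declared extra value files stop being propagated to spoke Applications; confirm that is intended. The Application template these parameters belong to begins and ends outside these hunks.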
diff --git a/common/acm/templates/policies/ocp-gitops-policy.yaml b/common/acm/templates/policies/ocp-gitops-policy.yaml index a0ed611..c4c5cd8 100644 --- a/common/acm/templates/policies/ocp-gitops-policy.yaml +++ b/common/acm/templates/policies/ocp-gitops-policy.yaml @@ -1,3 +1,4 @@ +{{- $hasInitContainerCapability := and (.Values.global.experimentalCapabilities) (has "initcontainers" (splitList "," .Values.global.experimentalCapabilities)) }} apiVersion: policy.open-cluster-management.io/v1 kind: Policy metadata: @@ -24,6 +25,15 @@ spec: include: - default object-templates: + - complianceType: mustonlyhave + objectDefinition: + kind: ConfigMap + apiVersion: v1 + metadata: + name: trusted-ca-bundle + namespace: openshift-gitops + labels: + config.openshift.io/inject-trusted-cabundle: 'true' - complianceType: mustonlyhave objectDefinition: # This is an auto-generated file. DO NOT EDIT @@ -35,7 +45,7 @@ spec: labels: operators.coreos.com/openshift-gitops-operator.openshift-operators: '' spec: - channel: {{ default "gitops-1.11" .Values.main.gitops.channel }} + channel: {{ default "gitops-1.12" .Values.main.gitops.channel }} installPlanApproval: Automatic name: openshift-gitops-operator source: redhat-operators 
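Review bot: The new `trusted-ca-bundle` ConfigMap carries the `config.openshift.io/inject-trusted-cabundle: 'true'` label, which asks the cluster to populate the ConfigMap's `data` with the CA bundle, yet the object-template is declared `complianceType: mustonlyhave` with no `data` key; once the bundle is injected the live object has a field the template does not list, so an enforcing policy may report it as non-compliant or repeatedly try to strip the injected data. Use `complianceType: musthave` for this entry so the label is the only required content, i.e. change the added line to `- complianceType: musthave`. The policy's `remediationAction`, which decides whether this becomes drift reporting or an overwrite loop, is set outside this hunk.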
@@ -44,6 +54,168 @@ spec: env: - name: ARGOCD_CLUSTER_CONFIG_NAMESPACES value: "*" +{{- if $hasInitContainerCapability }} + - complianceType: mustonlyhave + objectDefinition: + apiVersion: argoproj.io/v1beta1 + kind: ArgoCD + metadata: + name: openshift-gitops + namespace: openshift-gitops + spec: + applicationSet: + resources: + limits: + cpu: "2" + memory: 1Gi + requests: + cpu: 250m + memory: 512Mi + webhookServer: + ingress: + enabled: false + route: + enabled: false + controller: + processors: {} + resources: + limits: + cpu: "2" + memory: 2Gi + requests: + cpu: 250m + memory: 1Gi + sharding: {} + grafana: + enabled: false + ingress: + enabled: false + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 250m + memory: 128Mi + route: + enabled: false + ha: + enabled: false + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 250m + memory: 128Mi + initialSSHKnownHosts: {} + monitoring: + enabled: false + notifications: + enabled: false + prometheus: + enabled: false + ingress: + enabled: false + route: + enabled: false + rbac: + defaultPolicy: "" + policy: |- + g, system:cluster-admins, role:admin + g, cluster-admins, role:admin + scopes: '[groups]' + redis: + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 250m + memory: 128Mi + repo: + initContainers: + - command: + - bash + - -c + - cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt > /tmp/ca-bundles/ca-bundle.crt + || true + image: registry.redhat.io/ubi9/ubi-minimal:latest + name: fetch-ca + resources: {} + volumeMounts: + - mountPath: /var/run/kube-root-ca + name: kube-root-ca + - mountPath: /var/run/trusted-ca + name: trusted-ca-bundle + - mountPath: /tmp/ca-bundles + name: ca-bundles + resources: + limits: + cpu: "1" + memory: 1Gi + requests: + cpu: 250m + memory: 256Mi + volumeMounts: + - mountPath: /etc/pki/tls/certs + name: ca-bundles + volumes: + - configMap: + name: kube-root-ca.crt + name: kube-root-ca + - configMap: + name: 
trusted-ca-bundle + optional: true + name: trusted-ca-bundle + - emptyDir: {} + name: ca-bundles + resourceExclusions: |- + - apiGroups: + - tekton.dev + clusters: + - '*' + kinds: + - TaskRun + - PipelineRun + server: + autoscale: + enabled: false + grpc: + ingress: + enabled: false + ingress: + enabled: false + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 125m + memory: 128Mi + route: + enabled: true + {{- if and (.Values.global.argocdServer) (.Values.global.argocdServer.route) (.Values.global.argocdServer.route.tls) }} + tls: + insecureEdgeTerminationPolicy: {{ default "Redirect" .Values.global.argocdServer.route.tls.insecureEdgeTerminationPolicy }} + termination: {{ default "reencrypt" .Values.global.argocdServer.route.tls.termination }} + {{- end }} + service: + type: "" + sso: + dex: + openShiftOAuth: true + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 250m + memory: 128Mi + provider: dex + tls: + ca: {} +{{- end }}{{/* if hasInitContainerCapability */}} --- apiVersion: policy.open-cluster-management.io/v1 kind: PlacementBinding @@ -79,4 +251,4 @@ spec: - key: local-cluster operator: NotIn values: - - 'true' + - 'true' \ No newline at end of file diff --git a/common/acm/templates/policies/private-repo-policies.yaml b/common/acm/templates/policies/private-repo-policies.yaml index 0b7db0d..04582de 100644 --- a/common/acm/templates/policies/private-repo-policies.yaml +++ b/common/acm/templates/policies/private-repo-policies.yaml @@ -158,4 +158,4 @@ spec: - 'true' {{- end }}{{- /* if not .hostedArgoSites */}} {{- end }}{{- /* range .Values.clusterGroup.managedClusterGroups */}} -{{- end }}{{- /* if $.Values.global.privateRepo */}} +{{- end }}{{- /* if $.Values.global.privateRepo */}} \ No newline at end of file diff --git a/common/acm/templates/provision/_install-config.tpl b/common/acm/templates/provision/_install-config.tpl index b033662..103f2e6 100644 --- a/common/acm/templates/provision/_install-config.tpl 
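Review bot: The `fetch-ca` init container runs `registry.redhat.io/ubi9/ubi-minimal:latest`, a mutable tag, so the image that assembles the trust bundle every outbound TLS connection of the repo server relies on can change without any change to this repository and is not reproducible from the commit; pin it by digest, `image: registry.redhat.io/ubi9/ubi-minimal@sha256:<digest of the reviewed image>` (placeholder), or at minimum a versioned tag. The `|| true` after the `cat` means that if neither `/var/run/kube-root-ca/ca.crt` nor `/var/run/trusted-ca/ca-bundle.crt` is readable the pod still starts with an empty `ca-bundle.crt`, and because the `ca-bundles` volume is mounted over `/etc/pki/tls/certs` it hides the image's own trust store, so TLS verification is likely to fail later with an unrelated-looking error; writing a warning to stderr in the init container before falling through would make that visible. Whether `trusted-ca-bundle` has content depends on the injection label declared in an earlier hunk of this file, and the enclosing `object-templates` list continues past this hunk.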
+++ b/common/acm/templates/provision/_install-config.tpl @@ -63,4 +63,4 @@ platform: {{- toYaml .platform | nindent 2 }} pullSecret: "" # skip, hive will inject based on it's secrets sshKey: "" # skip, hive will inject based on it's secrets -{{- end -}} +{{- end -}} \ No newline at end of file diff --git a/common/acm/templates/provision/clusterpool.yaml b/common/acm/templates/provision/clusterpool.yaml index e2f9d3d..a71b859 100644 --- a/common/acm/templates/provision/clusterpool.yaml +++ b/common/acm/templates/provision/clusterpool.yaml @@ -92,4 +92,4 @@ spec: {{- end }}{{- /* range .range clusters */}} {{- end }}{{- /* range .clusterPools */}} {{- end }}{{- /* if .clusterPools) */}} -{{- end }}{{- /* range .Values.clusterGroup.managedClusterGroups */}} +{{- end }}{{- /* range .Values.clusterGroup.managedClusterGroups */}} \ No newline at end of file diff --git a/common/acm/templates/provision/secrets-azure.yaml b/common/acm/templates/provision/secrets-azure.yaml index 7fe6271..632ae05 100644 --- a/common/acm/templates/provision/secrets-azure.yaml +++ b/common/acm/templates/provision/secrets-azure.yaml @@ -81,4 +81,4 @@ spec: --- {{- end }} {{- end }} -{{- end }} +{{- end }} \ No newline at end of file diff --git a/common/acm/templates/provision/secrets-common.yaml b/common/acm/templates/provision/secrets-common.yaml index 21a03b7..0d5e953 100644 --- a/common/acm/templates/provision/secrets-common.yaml +++ b/common/acm/templates/provision/secrets-common.yaml @@ -58,4 +58,4 @@ spec: {{ "{{ .sshPrivateKey | toString }}" }} --- {{- end }} -{{- end }} +{{- end }} \ No newline at end of file diff --git a/common/acm/values.yaml b/common/acm/values.yaml index fb7cb03..c5f222c 100644 --- a/common/acm/values.yaml +++ b/common/acm/values.yaml @@ -1,6 +1,6 @@ main: gitops: - channel: "gitops-1.11" + channel: "gitops-1.12" global: extraValueFiles: [] 
@@ -30,6 +30,15 @@ clusterGroup: # - name: clusterGroup # value: region-one +acm: + # Just used for IIB testing, drives the source and channel for the MCE + # subscription triggered by ACM + mce_operator: + source: redhat-operators + channel: null + + + secretStore: name: vault-backend kind: ClusterSecretStore diff --git a/values-hub.yaml b/values-hub.yaml index 0fe1cae..667d3ee 100644 --- a/values-hub.yaml +++ b/values-hub.yaml @@ -16,6 +16,10 @@ clusterGroup: - redis #- rhdh-operator subscriptions: + acm: + name: advanced-cluster-management + namespace: open-cluster-management + channel: release-2.10 rhoai: name: rhods-operator # Fast is required for 2.9.0 @@ -87,7 +91,16 @@ clusterGroup: # - '/overrides/values-{{ $.Values.global.hubClusterDomain }}.yaml' # - '/overrides/values-{{ $.Values.global.localClusterDomain }}.yaml' applications: - + acm: + name: acm + namespace: open-cluster-management + project: hub + path: common/acm + ignoreDifferences: + - group: internal.open-cluster-management.io + kind: ManagedClusterInfo + jsonPointers: + - /spec/loggingCA vault: name: vault namespace: vault
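Review bot: The new `acm.mce_operator` block is followed by three blank lines before `secretStore:`, which yamllint's `empty-lines` rule flags; collapse them to one. The comment describing the block as "Just used for IIB testing" understates it, since `source` now feeds the `mce-subscription-spec` annotation on every render of multiclusterhub.yaml in this patch, with `redhat-operators` as the fallback; a comment such as `# Source and channel of the MCE subscription that ACM creates; defaults match the production catalog, override only for IIB testing` describes the actual effect.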