From faa943964d6a6a8d2d7d1618b3c11c65e8f4a931 Mon Sep 17 00:00:00 2001 From: asfamumtaz Date: Fri, 27 Oct 2023 15:00:43 +0500 Subject: [PATCH 01/29] document secrets --- .../tutorials/outer-loop/deploying-secrets.md | 72 +++++++++++++++++++ 1 file changed, 72 insertions(+) create mode 100644 content/for-developers/tutorials/outer-loop/deploying-secrets.md diff --git a/content/for-developers/tutorials/outer-loop/deploying-secrets.md b/content/for-developers/tutorials/outer-loop/deploying-secrets.md new file mode 100644 index 00000000..c5680361 --- /dev/null +++ b/content/for-developers/tutorials/outer-loop/deploying-secrets.md 
@@ -0,0 +1,72 @@ +# Deploying Required Secrets + + + +Application and Gitops repository specific secrets. + +1. gitops-repo-ssh-creds +1. application-pat-creds +1. application-ssh-creds +1. git-auth-creds + +# Secrets + +We will need the following secrets for running a fully functional pipeline using pipeline as code. + +1. infra-gitops-creds: + **Why?** This secret is added so ArgoCD can sync the repository. You can either use an ssh key or a personal access token for this purpose. + **Where?** The secret will be deployed in the rh-openshift-gitops-instance namespace + **Who?** The owner of this secret will be customer's delivery engineer + **Format** Given below is the template for this secret. The secret/external secret will need to have `argocd.argoproj.io/secret-type: repository` label on it. + + ```yaml + apiVersion: v1 + kind: Secret + metadata: + name: private-repo + namespace: argocd + labels: + argocd.argoproj.io/secret-type: repository + stringData: + type: git + url: git@github.com:argoproj/my-private-repository + sshPrivateKey: | + -----BEGIN OPENSSH PRIVATE KEY----- + ... + -----END OPENSSH PRIVATE KEY----- + ``` + +1. apps-gitops-creds + + **Why?** This secret is added so ArgoCD can sync the apps-gitops repository. You can either use an ssh key or a personal access token for this purpose. + **Where?** The secret will be deployed in the rh-openshift-gitops-instance namespace **through the infra-gitops repository**. + **Who?** The owner of this secret will be customer's delivery engineer + **Format** Will have the same format as that of infra-gitops-creds secret + +Once you have the both the repositories bootstrapped with ArgoCD, the first thing we will need to do for our pipelines to function is to connect Pipeline as Code to our applications repository. We do this using a Repository CR. The Repository CR references a couple of secreta to connect with the application's repository in the SCM. +1. git-pat-creds + + **Why?** Used for three reasons: + 1. 
In the Repository CR so Pipeline as Code can talk to the repository + 2. In create-environment task to get commit hashes + 3. In TronadorConfig to allow Tronador to access the application repository. + **Where** This secret will be deployed in build namespace of all tenants, the namespaces created by Tronador. + **Who?** The owner of this secret will be customer's delivery engineer +1. -git-webhook-creds +1. +1. +1. +1. + +Auto-distributed secrets + +We will need a few secrets to get our pipelines working. Here is a list of secrets that will need to be present in the namespace in which your pipeline will run: + +1. sonar-creds +1. docker-reg-creds +1. helm-reg-creds +1. rox-creds + +Infra gitops (org level) +Apps gitops (repo level) +SAAP distributed (SAAP specific) \ No newline at end of file From b39d94f58f5cbc89e4c6d169b4ecb9602e5dd2e8 Mon Sep 17 00:00:00 2001 From: asfamumtaz Date: Fri, 27 Oct 2023 16:15:51 +0500 Subject: [PATCH 02/29] secret docs --- .../tutorials/outer-loop/deploying-secrets.md | 41 +++++++++++++++++-- 1 file changed, 37 insertions(+), 4 deletions(-) diff --git a/content/for-developers/tutorials/outer-loop/deploying-secrets.md b/content/for-developers/tutorials/outer-loop/deploying-secrets.md index c5680361..acc940fc 100644 --- a/content/for-developers/tutorials/outer-loop/deploying-secrets.md +++ b/content/for-developers/tutorials/outer-loop/deploying-secrets.md 
@@ -53,20 +53,53 @@ Once you have the both the repositories bootstrapped with ArgoCD, the first thin **Where** This secret will be deployed in build namespace of all tenants, the namespaces created by Tronador. **Who?** The owner of this secret will be customer's delivery engineer 1. -git-webhook-creds -1. -1. -1. -1. + **Why** Used in the Repository CR. Pipeline as Code needs this to verify the webhook payload set + **Where** In build namespace of the tenant through apps-gitops repository + **Who** Developer owns this secret. + +1. -ssh-creds + **Why** Used by multiple tekton tasks: + git-clone + push-main-tag + create-git-tag + update-cd-repo + **Where** In build namespace of the tenant through apps-gitops repository. + **Who** Developer owns it + Auto-distributed secrets We will need a few secrets to get our pipelines working. Here is a list of secrets that will need to be present in the namespace in which your pipeline will run: 1. sonar-creds + **Why** Used by sonarqube-scan pipeline task + **Where** In build namespace of the tenant through apps-gitops repository. + **Who** SAAP admins + 1. docker-reg-creds + **Why** Used by buildah and the application itself to pull the image from the nexus registry + + **Where** Needs to be deployed in all of the tenants namespace. We distribute it using a TGI + **Who** SAAP admins 1. helm-reg-creds + **Why** Used by: + 1. stakater-helm-push + 2. ArgoCD to fetch the helm chart + + **Where** Needs to be deployed in build namespace and rh-openshift-gitops-instance namespace. We deploy it using TGI + **Who** SAAP admins 1. rox-creds + **Why** Used by: + 1. + 2. stakater-rox-deployment-check + stakater-rox-image-check + stakater-rox-image-scan + + **Where** Needs to be deployed in build namespace. We deploy it using TGI + **Who** SAAP admins + + Infra gitops (org level) Apps gitops (repo level) SAAP distributed (SAAP specific) \ No newline at end of file From 0bd594f22c91d283745f440ca803797f39fa302b Mon Sep 17 00:00:00 2001 
From: asfamumtaz Date: Mon, 30 Oct 2023 15:37:54 +0500 Subject: [PATCH 03/29] secrets --- .../tutorials/outer-loop/deploying-secrets.md | 132 ++++++++++-------- 1 file changed, 71 insertions(+), 61 deletions(-) diff --git a/content/for-developers/tutorials/outer-loop/deploying-secrets.md b/content/for-developers/tutorials/outer-loop/deploying-secrets.md index acc940fc..ebead394 100644 --- a/content/for-developers/tutorials/outer-loop/deploying-secrets.md +++ b/content/for-developers/tutorials/outer-loop/deploying-secrets.md 
@@ -12,11 +12,53 @@ Application and Gitops repository specific secrets. # Secrets We will need the following secrets for running a fully functional pipeline using pipeline as code. +To have a fully functional pipeline, we will be needing a few secrets. Some of the secrets are Auto-distributed in the build namespaces of all tenants. While the rest will be deployed through your infra repository (organization level secrets) and gitops repository (repository/application level secrets) +## Auto Generated Secrets + +1. sonar-creds + +**Purpose:** Used by sonarqube-scan pipeline task +**Owner:** SAAP admins +**Type:** Login credentials for sonarqube. +**Use for:** For running sonarqube scan in pipeline +**Lifecycle:** Every time a new tenant is created, the secret gets deployed in the build namespace. Sonarqube credentials are not rotated and remain the same. +**Misc:** The origin of this secret is the sonarqube namespace. Secret is copied over to build namespace using a MTO template and Template Group Instance. + +1. docker-reg-creds + + **Purpose** Used by buildah and the application itself to pull the image from the nexus registry + **Owner** SAAP admins + **Type:** Login credentials for nexus docker registry. The secret itself is of type dockerconfigjson + **Use for** Pulling images from the nexus registry. Needs to be deployed in all namespaces of the tenant. We distribute it using a TGI + **Lifecycle:** Every time a new tenant is created, the secret gets deployed in all its namespaces. + +1. helm-reg-creds + **Purpose** Used to pull and push charts from the Nexus Helm Registry. We use it in two places for our pipeline: + 1. stakater-helm-push task + 1. ArgoCD to fetch the helm chart + **Owner** SAAP Admins + **Use for** Pulling Charts from Nexus. + **Lifecycle:** Every time a new tenant is created, the secret gets deployed in the build namespace. The same secret is deployed in the rh-openshift-gitops-instance when SAAP is provisioned. + +1. 
rox-creds + + **Purpose** Used by three Tekton Tasks: + 1. stakater-rox-deployment-check + 1. stakater-rox-image-check + 1. stakater-rox-image-scan + **Owner** SAAP admins + **Use for** Talking to RHACS api to scan images and deployments + **Lifecycle** Created at the time of RHACS deployment. The secret is then copied over to build namespaces of tenants. + **Misc** Needs to be deployed in build namespace. We deploy it using TGI + +## INFRA GITOPS CREDS +This secret needs to deployed on the cluster directly. 1. infra-gitops-creds: - **Why?** This secret is added so ArgoCD can sync the repository. You can either use an ssh key or a personal access token for this purpose. - **Where?** The secret will be deployed in the rh-openshift-gitops-instance namespace - **Who?** The owner of this secret will be customer's delivery engineer + **Purpose** This secret is added so ArgoCD can sync the repository. You can either use an ssh key or a personal access token for this purpose. + **Owner?** The owner of this secret will be customer's delivery engineer + **Where to find it** The secret will be deployed in the rh-openshift-gitops-instance namespace + **Use for** Use only for the purpose of syncing your infra gitops repository with ArgoCD. **Format** Given below is the template for this secret. The secret/external secret will need to have `argocd.argoproj.io/secret-type: repository` label on it. ```yaml 
@@ -35,71 +77,39 @@ We will need the following secrets for running a fully functional pipeline using ... -----END OPENSSH PRIVATE KEY----- ``` - +## Organization Level Secrets + +These secrets need to go into your Infra Gitops Repository + 1. apps-gitops-creds - **Why?** This secret is added so ArgoCD can sync the apps-gitops repository. You can either use an ssh key or a personal access token for this purpose. - **Where?** The secret will be deployed in the rh-openshift-gitops-instance namespace **through the infra-gitops repository**. - **Who?** The owner of this secret will be customer's delivery engineer + **Purpose** This secret is added so ArgoCD can sync the apps-gitops repository. You can either use an ssh key or a personal access token for this purpose. + **Where to find it** The secret will be deployed in the rh-openshift-gitops-instance namespace **through the infra-gitops repository**. + **Owner** The owner of this secret will be customer's delivery engineer **Format** Will have the same format as that of infra-gitops-creds secret + **Use for** Syncing apps gitops repository -Once you have the both the repositories bootstrapped with ArgoCD, the first thing we will need to do for our pipelines to function is to connect Pipeline as Code to our applications repository. We do this using a Repository CR. The Repository CR references a couple of secreta to connect with the application's repository in the SCM. -1. git-pat-creds +Once you have the both the repositories bootstrapped with ArgoCD, the first thing we will need to do for our pipelines to function is to connect Pipeline as Code to our applications repository. We do this using a Repository CR. The Repository CR references a couple of secrets to connect with the application's repository in the SCM. +1. git-pat-creds - **Why?** Used for three reasons: + **Purpose?** Used for three reasons: 1. In the Repository CR so Pipeline as Code can talk to the repository 2. 
In create-environment task to get commit hashes 3. In TronadorConfig to allow Tronador to access the application repository. - **Where** This secret will be deployed in build namespace of all tenants, the namespaces created by Tronador. - **Who?** The owner of this secret will be customer's delivery engineer -1. -git-webhook-creds - **Why** Used in the Repository CR. Pipeline as Code needs this to verify the webhook payload set - **Where** In build namespace of the tenant through apps-gitops repository - **Who** Developer owns this secret. + **Owner** The owner of this secret will be customer's delivery engineer + **Where to find it** This secret will be deployed in build namespace of all tenants, the namespaces created by Tronador. 1. -ssh-creds - **Why** Used by multiple tekton tasks: - git-clone - push-main-tag - create-git-tag - update-cd-repo - **Where** In build namespace of the tenant through apps-gitops repository. - **Who** Developer owns it - - -Auto-distributed secrets - -We will need a few secrets to get our pipelines working. Here is a list of secrets that will need to be present in the namespace in which your pipeline will run: - -1. sonar-creds - **Why** Used by sonarqube-scan pipeline task - **Where** In build namespace of the tenant through apps-gitops repository. - **Who** SAAP admins - -1. docker-reg-creds - **Why** Used by buildah and the application itself to pull the image from the nexus registry - - **Where** Needs to be deployed in all of the tenants namespace. We distribute it using a TGI - **Who** SAAP admins -1. helm-reg-creds - **Why** Used by: - 1. stakater-helm-push - 2. ArgoCD to fetch the helm chart - - **Where** Needs to be deployed in build namespace and rh-openshift-gitops-instance namespace. We deploy it using TGI - **Who** SAAP admins -1. rox-creds - - **Why** Used by: - 1. - 2. stakater-rox-deployment-check - stakater-rox-image-check - stakater-rox-image-scan - - **Where** Needs to be deployed in build namespace. 
We deploy it using TGI - **Who** SAAP admins - - -Infra gitops (org level) -Apps gitops (repo level) -SAAP distributed (SAAP specific) \ No newline at end of file + **Purpose** Used by multiple tekton tasks: + 1. git-clone + 1. push-main-tag + 1. create-git-tag + 1. update-cd-repo + **Where to find it** In build namespace of the tenant through apps-gitops repository. + **Owner** Customer's delivery engineer. + +## Repository level secrets +1. -git-webhook-creds + **Purpose** Used in the Repository CR. Pipeline as Code needs this to verify the webhook payload set + **Owner** Developer owns this secret. + **Where to find it** In build namespace of the tenant through apps-gitops repository From b36bf5474f697d8afb670f768af2316457d77c7e Mon Sep 17 00:00:00 2001 From: asfamumtaz Date: Mon, 30 Oct 2023 15:44:52 +0500 Subject: [PATCH 04/29] secrets --- .../tutorials/outer-loop/deploying-secrets.md | 116 +++++++++++------- 1 file changed, 70 insertions(+), 46 deletions(-) diff --git a/content/for-developers/tutorials/outer-loop/deploying-secrets.md b/content/for-developers/tutorials/outer-loop/deploying-secrets.md index ebead394..014d8150 100644 --- a/content/for-developers/tutorials/outer-loop/deploying-secrets.md +++ b/content/for-developers/tutorials/outer-loop/deploying-secrets.md @@ -1,14 +1,3 @@ -# Deploying Required Secrets - - - -Application and Gitops repository specific secrets. - -1. gitops-repo-ssh-creds -1. application-pat-creds -1. application-ssh-creds -1. git-auth-creds - # Secrets We will need the following secrets for running a fully functional pipeline using pipeline as code. 
@@ -18,48 +7,71 @@ To have a fully functional pipeline, we will be needing a few secrets. Some of t 1. sonar-creds -**Purpose:** Used by sonarqube-scan pipeline task -**Owner:** SAAP admins +**Purpose:** Used by sonarqube-scan pipeline task. + +**Owner:** SAAP admins. + **Type:** Login credentials for sonarqube. + **Use for:** For running sonarqube scan in pipeline + **Lifecycle:** Every time a new tenant is created, the secret gets deployed in the build namespace. Sonarqube credentials are not rotated and remain the same. + **Misc:** The origin of this secret is the sonarqube namespace. Secret is copied over to build namespace using a MTO template and Template Group Instance. 1. docker-reg-creds - **Purpose** Used by buildah and the application itself to pull the image from the nexus registry - **Owner** SAAP admins - **Type:** Login credentials for nexus docker registry. The secret itself is of type dockerconfigjson - **Use for** Pulling images from the nexus registry. Needs to be deployed in all namespaces of the tenant. We distribute it using a TGI - **Lifecycle:** Every time a new tenant is created, the secret gets deployed in all its namespaces. +**Purpose** Used by buildah and the application itself to pull the image from the nexus registry + +**Owner** SAAP admins + +**Type:** Login credentials for nexus docker registry. The secret itself is of type dockerconfigjson + +**Use for** Pulling images from the nexus registry. Needs to be deployed in all namespaces of the tenant. We distribute it using a TGI + +**Lifecycle:** Every time a new tenant is created, the secret gets deployed in all its namespaces. 1. helm-reg-creds - **Purpose** Used to pull and push charts from the Nexus Helm Registry. We use it in two places for our pipeline: + +**Purpose** Used to pull and push charts from the Nexus Helm Registry. We use it in two places for our pipeline: 1. stakater-helm-push task 1. 
ArgoCD to fetch the helm chart - **Owner** SAAP Admins - **Use for** Pulling Charts from Nexus. - **Lifecycle:** Every time a new tenant is created, the secret gets deployed in the build namespace. The same secret is deployed in the rh-openshift-gitops-instance when SAAP is provisioned. + +**Owner** SAAP Admins + +**Use for** Pulling Charts from Nexus. + +**Lifecycle:** Every time a new tenant is created, the secret gets deployed in the build namespace. The same secret is deployed in the rh-openshift-gitops-instance when SAAP is provisioned. 1. rox-creds - **Purpose** Used by three Tekton Tasks: +**Purpose** Used by three Tekton Tasks: 1. stakater-rox-deployment-check 1. stakater-rox-image-check 1. stakater-rox-image-scan - **Owner** SAAP admins - **Use for** Talking to RHACS api to scan images and deployments - **Lifecycle** Created at the time of RHACS deployment. The secret is then copied over to build namespaces of tenants. - **Misc** Needs to be deployed in build namespace. We deploy it using TGI + +**Owner** SAAP admins + +**Use for** Talking to RHACS api to scan images and deployments + +**Lifecycle** Created at the time of RHACS deployment. The secret is then copied over to build namespaces of tenants. + +**Misc** Needs to be deployed in build namespace. We deploy it using TGI ## INFRA GITOPS CREDS + This secret needs to deployed on the cluster directly. + 1. infra-gitops-creds: - **Purpose** This secret is added so ArgoCD can sync the repository. You can either use an ssh key or a personal access token for this purpose. - **Owner?** The owner of this secret will be customer's delivery engineer - **Where to find it** The secret will be deployed in the rh-openshift-gitops-instance namespace - **Use for** Use only for the purpose of syncing your infra gitops repository with ArgoCD. - **Format** Given below is the template for this secret. The secret/external secret will need to have `argocd.argoproj.io/secret-type: repository` label on it. 
+**Purpose** This secret is added so ArgoCD can sync the repository. You can either use an ssh key or a personal access token for this purpose. + +**Owner?** The owner of this secret will be customer's delivery engineer + +**Where to find it** The secret will be deployed in the rh-openshift-gitops-instance namespace + +**Use for** Use only for the purpose of syncing your infra gitops repository with ArgoCD. + +**Format** Given below is the template for this secret. The secret/external secret will need to have `argocd.argoproj.io/secret-type: repository` label on it. ```yaml apiVersion: v1 
@@ -83,33 +95,45 @@ These secrets need to go into your Infra Gitops Repository 1. apps-gitops-creds - **Purpose** This secret is added so ArgoCD can sync the apps-gitops repository. You can either use an ssh key or a personal access token for this purpose. - **Where to find it** The secret will be deployed in the rh-openshift-gitops-instance namespace **through the infra-gitops repository**. - **Owner** The owner of this secret will be customer's delivery engineer - **Format** Will have the same format as that of infra-gitops-creds secret - **Use for** Syncing apps gitops repository +**Purpose** This secret is added so ArgoCD can sync the apps-gitops repository. You can either use an ssh key or a personal access token for this purpose. + +**Where to find it** The secret will be deployed in the rh-openshift-gitops-instance namespace **through the infra-gitops repository**. + +**Owner** The owner of this secret will be customer's delivery engineer + +**Format** Will have the same format as that of infra-gitops-creds secret + +**Use for** Syncing apps gitops repository Once you have the both the repositories bootstrapped with ArgoCD, the first thing we will need to do for our pipelines to function is to connect Pipeline as Code to our applications repository. We do this using a Repository CR. The Repository CR references a couple of secrets to connect with the application's repository in the SCM. 1. git-pat-creds - **Purpose?** Used for three reasons: +**Purpose?** Used for three reasons: 1. In the Repository CR so Pipeline as Code can talk to the repository 2. In create-environment task to get commit hashes 3. In TronadorConfig to allow Tronador to access the application repository. - **Owner** The owner of this secret will be customer's delivery engineer - **Where to find it** This secret will be deployed in build namespace of all tenants, the namespaces created by Tronador. 
+ +**Owner** The owner of this secret will be customer's delivery engineer + +**Where to find it** This secret will be deployed in build namespace of all tenants, the namespaces created by Tronador. 1. -ssh-creds - **Purpose** Used by multiple tekton tasks: + +**Purpose** Used by multiple tekton tasks: 1. git-clone 1. push-main-tag 1. create-git-tag 1. update-cd-repo - **Where to find it** In build namespace of the tenant through apps-gitops repository. - **Owner** Customer's delivery engineer. + +**Where to find it** In build namespace of the tenant through apps-gitops repository. + +**Owner** Customer's delivery engineer. ## Repository level secrets 1. -git-webhook-creds - **Purpose** Used in the Repository CR. Pipeline as Code needs this to verify the webhook payload set - **Owner** Developer owns this secret. - **Where to find it** In build namespace of the tenant through apps-gitops repository + +**Purpose** Used in the Repository CR. Pipeline as Code needs this to verify the webhook payload set + +**Owner** Developer owns this secret. + +**Where to find it** In build namespace of the tenant through apps-gitops repository From b46e9eb6fa64535fc02e3a3304ada7e0494319e2 Mon Sep 17 00:00:00 2001 From: asfamumtaz Date: Mon, 30 Oct 2023 15:47:24 +0500 Subject: [PATCH 05/29] secrets --- .../tutorials/outer-loop/deploying-secrets.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/content/for-developers/tutorials/outer-loop/deploying-secrets.md b/content/for-developers/tutorials/outer-loop/deploying-secrets.md index 014d8150..b960548e 100644 --- a/content/for-developers/tutorials/outer-loop/deploying-secrets.md +++ b/content/for-developers/tutorials/outer-loop/deploying-secrets.md @@ -5,7 +5,7 @@ To have a fully functional pipeline, we will be needing a few secrets. Some of t ## Auto Generated Secrets -1. sonar-creds +### sonar-creds **Purpose:** Used by sonarqube-scan pipeline task. 
@@ -19,7 +19,7 @@ To have a fully functional pipeline, we will be needing a few secrets. Some of t **Misc:** The origin of this secret is the sonarqube namespace. Secret is copied over to build namespace using a MTO template and Template Group Instance. -1. docker-reg-creds +### docker-reg-creds **Purpose** Used by buildah and the application itself to pull the image from the nexus registry @@ -31,7 +31,7 @@ To have a fully functional pipeline, we will be needing a few secrets. Some of t **Lifecycle:** Every time a new tenant is created, the secret gets deployed in all its namespaces. -1. helm-reg-creds +### helm-reg-creds **Purpose** Used to pull and push charts from the Nexus Helm Registry. We use it in two places for our pipeline: 1. stakater-helm-push task @@ -43,7 +43,7 @@ To have a fully functional pipeline, we will be needing a few secrets. Some of t **Lifecycle:** Every time a new tenant is created, the secret gets deployed in the build namespace. The same secret is deployed in the rh-openshift-gitops-instance when SAAP is provisioned. -1. rox-creds +### rox-creds **Purpose** Used by three Tekton Tasks: 1. stakater-rox-deployment-check @@ -62,7 +62,7 @@ To have a fully functional pipeline, we will be needing a few secrets. Some of t This secret needs to deployed on the cluster directly. -1. infra-gitops-creds: +### infra-gitops-creds: **Purpose** This secret is added so ArgoCD can sync the repository. You can either use an ssh key or a personal access token for this purpose. **Owner?** The owner of this secret will be customer's delivery engineer @@ -93,7 +93,7 @@ This secret needs to deployed on the cluster directly. These secrets need to go into your Infra Gitops Repository -1. apps-gitops-creds +### apps-gitops-creds **Purpose** This secret is added so ArgoCD can sync the apps-gitops repository. You can either use an ssh key or a personal access token for this purpose. 
@@ -106,7 +106,7 @@ These secrets need to go into your Infra Gitops Repository **Use for** Syncing apps gitops repository Once you have the both the repositories bootstrapped with ArgoCD, the first thing we will need to do for our pipelines to function is to connect Pipeline as Code to our applications repository. We do this using a Repository CR. The Repository CR references a couple of secrets to connect with the application's repository in the SCM. -1. git-pat-creds +### git-pat-creds **Purpose?** Used for three reasons: 1. In the Repository CR so Pipeline as Code can talk to the repository @@ -130,7 +130,7 @@ Once you have the both the repositories bootstrapped with ArgoCD, the first thin **Owner** Customer's delivery engineer. ## Repository level secrets -1. -git-webhook-creds +### -git-webhook-creds **Purpose** Used in the Repository CR. Pipeline as Code needs this to verify the webhook payload set From 283ec4a46243811a9f12972034326ab1c6e48616 Mon Sep 17 00:00:00 2001 From: asfamumtaz Date: Mon, 30 Oct 2023 16:41:45 +0500 Subject: [PATCH 06/29] secrets --- .../tutorials/outer-loop/deploying-secrets.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/content/for-developers/tutorials/outer-loop/deploying-secrets.md b/content/for-developers/tutorials/outer-loop/deploying-secrets.md index b960548e..112b88b7 100644 --- a/content/for-developers/tutorials/outer-loop/deploying-secrets.md +++ b/content/for-developers/tutorials/outer-loop/deploying-secrets.md @@ -5,7 +5,7 @@ To have a fully functional pipeline, we will be needing a few secrets. Some of t ## Auto Generated Secrets -### sonar-creds +### 1. sonar-creds **Purpose:** Used by sonarqube-scan pipeline task. 
@@ -19,7 +19,7 @@ To have a fully functional pipeline, we will be needing a few secrets. Some of t **Misc:** The origin of this secret is the sonarqube namespace. Secret is copied over to build namespace using a MTO template and Template Group Instance. -### docker-reg-creds +### 2. docker-reg-creds **Purpose** Used by buildah and the application itself to pull the image from the nexus registry @@ -31,7 +31,7 @@ To have a fully functional pipeline, we will be needing a few secrets. Some of t **Lifecycle:** Every time a new tenant is created, the secret gets deployed in all its namespaces. -### helm-reg-creds +### 3. helm-reg-creds **Purpose** Used to pull and push charts from the Nexus Helm Registry. We use it in two places for our pipeline: 1. stakater-helm-push task @@ -43,7 +43,7 @@ To have a fully functional pipeline, we will be needing a few secrets. Some of t **Lifecycle:** Every time a new tenant is created, the secret gets deployed in the build namespace. The same secret is deployed in the rh-openshift-gitops-instance when SAAP is provisioned. -### rox-creds +### 4. rox-creds **Purpose** Used by three Tekton Tasks: 1. stakater-rox-deployment-check @@ -52,13 +52,13 @@ To have a fully functional pipeline, we will be needing a few secrets. Some of t **Owner** SAAP admins -**Use for** Talking to RHACS api to scan images and deployments +**Use for** communicating with RHACS api to scan images and deployments **Lifecycle** Created at the time of RHACS deployment. The secret is then copied over to build namespaces of tenants. **Misc** Needs to be deployed in build namespace. We deploy it using TGI -## INFRA GITOPS CREDS +## Infra GitOps Creds This secret needs to deployed on the cluster directly. From b87ee45f197e6ca336bf170b6aa70c9a3e1f44e3 Mon Sep 17 00:00:00 2001 
From: asfamumtaz Date: Mon, 30 Oct 2023 16:47:56 +0500 Subject: [PATCH 07/29] secrets --- .../tutorials/outer-loop/deploying-secrets.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/content/for-developers/tutorials/outer-loop/deploying-secrets.md b/content/for-developers/tutorials/outer-loop/deploying-secrets.md index 112b88b7..590bf5c8 100644 --- a/content/for-developers/tutorials/outer-loop/deploying-secrets.md +++ b/content/for-developers/tutorials/outer-loop/deploying-secrets.md @@ -93,7 +93,7 @@ This secret needs to deployed on the cluster directly. These secrets need to go into your Infra Gitops Repository -### apps-gitops-creds +### 1. apps-gitops-creds **Purpose** This secret is added so ArgoCD can sync the apps-gitops repository. You can either use an ssh key or a personal access token for this purpose. 
@@ -106,18 +106,18 @@ These secrets need to go into your Infra Gitops Repository **Use for** Syncing apps gitops repository Once you have the both the repositories bootstrapped with ArgoCD, the first thing we will need to do for our pipelines to function is to connect Pipeline as Code to our applications repository. We do this using a Repository CR. The Repository CR references a couple of secrets to connect with the application's repository in the SCM. -### git-pat-creds +### 2. git-pat-creds -**Purpose?** Used for three reasons: - 1. In the Repository CR so Pipeline as Code can talk to the repository - 2. In create-environment task to get commit hashes - 3. In TronadorConfig to allow Tronador to access the application repository. +**Purpose** Used for three reasons: + 1. In the Repository CR so Pipeline as Code can talk to the repository + 1. In create-environment task to get commit hashes + 1. In TronadorConfig to allow Tronador to access the application repository. **Owner** The owner of this secret will be customer's delivery engineer **Where to find it** This secret will be deployed in build namespace of all tenants, the namespaces created by Tronador. -1. -ssh-creds +1. [app-name]-ssh-creds **Purpose** Used by multiple tekton tasks: 1. git-clone @@ -130,7 +130,7 @@ Once you have the both the repositories bootstrapped with ArgoCD, the first thin **Owner** Customer's delivery engineer. ## Repository level secrets -### -git-webhook-creds +### 1. [app-name]-git-webhook-creds **Purpose** Used in the Repository CR. Pipeline as Code needs this to verify the webhook payload set From 6b072128e323e6253168d65a2fe23b51b0403fff Mon Sep 17 00:00:00 2001 From: asfamumtaz Date: Mon, 30 Oct 2023 16:48:24 +0500 Subject: [PATCH 08/29] update --- .../tutorials/outer-loop/deploying-secrets.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/content/for-developers/tutorials/outer-loop/deploying-secrets.md b/content/for-developers/tutorials/outer-loop/deploying-secrets.md index 590bf5c8..4c6550fd 100644 --- a/content/for-developers/tutorials/outer-loop/deploying-secrets.md +++ b/content/for-developers/tutorials/outer-loop/deploying-secrets.md @@ -46,9 +46,9 @@ To have a fully functional pipeline, we will be needing a few secrets. Some of t ### 4. rox-creds **Purpose** Used by three Tekton Tasks: - 1. stakater-rox-deployment-check - 1. stakater-rox-image-check - 1. stakater-rox-image-scan + 1. stakater-rox-deployment-check + 1. stakater-rox-image-check + 1. stakater-rox-image-scan **Owner** SAAP admins From 335a1955b21ce8f787397e9ad586d315d5c60334 Mon Sep 17 00:00:00 2001 From: Karl Johan Grahn Date: Mon, 30 Oct 2023 14:38:54 +0100 Subject: [PATCH 09/29] update --- .../pipeline-as-code-env.md | 2 +- .../add-ci-pipeline/add-ci-pipeline.md | 2 +- .../outer-loop/add-ci-pipeline/overview.md | 2 +- .../tutorials/outer-loop/deploying-secrets.md | 201 +++++++----------- .../outer-loop/webhook-setup/webhook-setup.md | 8 +- .../argocd/for-administrators/architecture.md | 0 mkdocs.yml | 5 + 7 files changed, 94 insertions(+), 126 deletions(-) delete mode 100644 content/managed-addons/argocd/for-administrators/architecture.md diff --git a/content/for-delivery-engineers/tutorials/04-preparing-pac-env/pipeline-as-code-env.md b/content/for-delivery-engineers/tutorials/04-preparing-pac-env/pipeline-as-code-env.md index 1b1c2a59..be1fe39c 100644 --- a/content/for-delivery-engineers/tutorials/04-preparing-pac-env/pipeline-as-code-env.md +++ b/content/for-delivery-engineers/tutorials/04-preparing-pac-env/pipeline-as-code-env.md @@ -1,4 +1,4 @@ -# Preparing Environment for Pipeline as code +# Preparing Environment for pipeline-as-code ## Prerequisites 
diff --git a/content/for-developers/tutorials/outer-loop/add-ci-pipeline/add-ci-pipeline.md b/content/for-developers/tutorials/outer-loop/add-ci-pipeline/add-ci-pipeline.md index 74b631d1..afa0aea8 100644 --- a/content/for-developers/tutorials/outer-loop/add-ci-pipeline/add-ci-pipeline.md +++ b/content/for-developers/tutorials/outer-loop/add-ci-pipeline/add-ci-pipeline.md @@ -1,4 +1,4 @@ -# Creating a Pipeline Using Pipeline as Code +# Creating a Pipeline Using pipeline-as-code In modern software development practices, pipelines play a crucial role in automating and streamlining the process of building, testing, and deploying applications. This tutorial will guide you through creating a pipeline using pipeline-as-code concepts. We'll focus on GitHub as the provider and assume that you have a SAAP set up with pipeline-as-code capabilities. diff --git a/content/for-developers/tutorials/outer-loop/add-ci-pipeline/overview.md b/content/for-developers/tutorials/outer-loop/add-ci-pipeline/overview.md index 482c49ae..7facc078 100644 --- a/content/for-developers/tutorials/outer-loop/add-ci-pipeline/overview.md +++ b/content/for-developers/tutorials/outer-loop/add-ci-pipeline/overview.md @@ -2,7 +2,7 @@ In modern software development practices, pipelines play a crucial role in automating and streamlining the process of building, testing, and deploying applications. This tutorial will guide you through creating a pipeline using pipeline-as-code concepts. We'll focus on GitHub as the provider and assume that you have a SAAP set up with pipeline-as-code capabilities. -To be able to run a pipeline using Tekton pipeline as code. The delivery engineer will need to perform a few steps: +To be able to run a pipeline using Tekton pipeline-as-code. The delivery engineer will need to perform a few steps: **For the Delivery Engineer:** 
diff --git a/content/for-developers/tutorials/outer-loop/deploying-secrets.md b/content/for-developers/tutorials/outer-loop/deploying-secrets.md index 4c6550fd..663a258f 100644 --- a/content/for-developers/tutorials/outer-loop/deploying-secrets.md +++ b/content/for-developers/tutorials/outer-loop/deploying-secrets.md 
@@ -1,139 +1,102 @@ # Secrets -We will need the following secrets for running a fully functional pipeline using pipeline as code. -To have a fully functional pipeline, we will be needing a few secrets. Some of the secrets are Auto-distributed in the build namespaces of all tenants. While the rest will be deployed through your infra repository (organization level secrets) and gitops repository (repository/application level secrets) +[TOC] -## Auto Generated Secrets - -### 1. sonar-creds - -**Purpose:** Used by sonarqube-scan pipeline task. - -**Owner:** SAAP admins. - -**Type:** Login credentials for sonarqube. - -**Use for:** For running sonarqube scan in pipeline - -**Lifecycle:** Every time a new tenant is created, the secret gets deployed in the build namespace. Sonarqube credentials are not rotated and remain the same. - -**Misc:** The origin of this secret is the sonarqube namespace. Secret is copied over to build namespace using a MTO template and Template Group Instance. - -### 2. docker-reg-creds - -**Purpose** Used by buildah and the application itself to pull the image from the nexus registry - -**Owner** SAAP admins - -**Type:** Login credentials for nexus docker registry. The secret itself is of type dockerconfigjson - -**Use for** Pulling images from the nexus registry. Needs to be deployed in all namespaces of the tenant. We distribute it using a TGI - -**Lifecycle:** Every time a new tenant is created, the secret gets deployed in all its namespaces. - -### 3. helm-reg-creds - -**Purpose** Used to pull and push charts from the Nexus Helm Registry. We use it in two places for our pipeline: - 1. stakater-helm-push task - 1. ArgoCD to fetch the helm chart - -**Owner** SAAP Admins - -**Use for** Pulling Charts from Nexus. - -**Lifecycle:** Every time a new tenant is created, the secret gets deployed in the build namespace. The same secret is deployed in the rh-openshift-gitops-instance when SAAP is provisioned. - -### 4. 
rox-creds - -**Purpose** Used by three Tekton Tasks: - 1. stakater-rox-deployment-check - 1. stakater-rox-image-check - 1. stakater-rox-image-scan - -**Owner** SAAP admins +We will need the following secrets for running a fully functional pipeline using pipeline-as-code. +To have a fully functional pipeline, we will be needing a few secrets. Some of the secrets are Auto-distributed in the build namespaces of all tenants. While the rest will be deployed through your infra repository (organization level secrets) and GitOps repository (repository/application level secrets) -**Use for** communicating with RHACS api to scan images and deployments - -**Lifecycle** Created at the time of RHACS deployment. The secret is then copied over to build namespaces of tenants. +## Auto Generated Secrets -**Misc** Needs to be deployed in build namespace. We deploy it using TGI + + +* `sonar-creds` + * _Purpose_: Used by `sonarqube-scan` pipeline task + * _Owner_: SAAP admins + * _Type_: Login credentials for SonarQube + * _Used for_: For running SonarQube scan in pipeline + * _Lifecycle_: Every time a new tenant is created, the secret gets deployed in the build namespace. SonarQube credentials are not rotated and remain the same. + * _Comment_: The origin of this secret is the SonarQube namespace. Secret is copied over to build namespace using a MTO template and Template Group Instance. +* `docker-reg-creds` + * _Purpose_: Used by buildah and the application itself to pull the image from the nexus registry + * _Owner_: SAAP admins + * _Type_: Login credentials for nexus docker registry. The secret itself is of type dockerconfigjson. + * _Used for_: Pulling images from the nexus registry. Needs to be deployed in all namespaces of the tenant. We distribute it using a TGI. + * _Lifecycle_: Every time a new tenant is created, the secret gets deployed in all its namespaces. +* `helm-reg-creds` + * _Purpose_: Used to pull and push charts from the Nexus Helm Registry. 
We use it in two places for our pipeline: + 1. `stakater-helm-push` task + 1. ArgoCD to fetch the helm chart + * _Owner_: SAAP Admins + * _Used for_: Pulling Charts from Nexus + * _Lifecycle_: Every time a new tenant is created, the secret gets deployed in the build namespace. The same secret is deployed in the `rh-openshift-gitops-instance` when SAAP is provisioned. +* `rox-creds` + * _Purpose_: Used by three Tekton Tasks: + 1. `stakater-rox-deployment-check` + 1. `stakater-rox-image-check` + 1. `stakater-rox-image-scan` + * _Owner_: SAAP admins + * _Used for_: Communicating with RHACS API to scan images and deployments + * _Lifecycle_: Created at the time of RHACS deployment. The secret is then copied over to build namespaces of tenants. + * _Comment_: Needs to be deployed in build namespace. We deploy it using TGI. ## Infra GitOps Creds This secret needs to deployed on the cluster directly. -### infra-gitops-creds: -**Purpose** This secret is added so ArgoCD can sync the repository. You can either use an ssh key or a personal access token for this purpose. - -**Owner?** The owner of this secret will be customer's delivery engineer +* `infra-gitops-creds` + * _Purpose_: This secret is added so ArgoCD can sync the repository. You can either use an ssh key or a personal access token for this purpose. + * _Owner_: The owner of this secret will be customer's delivery engineer + * _Location_: The secret will be deployed in the `rh-openshift-gitops-instance` namespace + * _Used for_: Use only for the purpose of syncing your infra GitOps repository with ArgoCD + * _Format_: Given below is the template for this secret. The secret/external secret will need to have `argocd.argoproj.io/secret-type: repository` label on it. -**Where to find it** The secret will be deployed in the rh-openshift-gitops-instance namespace - -**Use for** Use only for the purpose of syncing your infra gitops repository with ArgoCD. - -**Format** Given below is the template for this secret. 
The secret/external secret will need to have `argocd.argoproj.io/secret-type: repository` label on it. - - ```yaml + ```yaml apiVersion: v1 kind: Secret metadata: - name: private-repo - namespace: argocd - labels: - argocd.argoproj.io/secret-type: repository + name: private-repo + namespace: argocd + labels: + argocd.argoproj.io/secret-type: repository stringData: - type: git - url: git@github.com:argoproj/my-private-repository - sshPrivateKey: | - -----BEGIN OPENSSH PRIVATE KEY----- - ... - -----END OPENSSH PRIVATE KEY----- - ``` -## Organization Level Secrets - -These secrets need to go into your Infra Gitops Repository - -### 1. apps-gitops-creds - -**Purpose** This secret is added so ArgoCD can sync the apps-gitops repository. You can either use an ssh key or a personal access token for this purpose. - -**Where to find it** The secret will be deployed in the rh-openshift-gitops-instance namespace **through the infra-gitops repository**. - -**Owner** The owner of this secret will be customer's delivery engineer + type: git + url: git@github.com:argoproj/my-private-repository + sshPrivateKey: | + -----BEGIN OPENSSH PRIVATE KEY----- + ... + -----END OPENSSH PRIVATE KEY----- + ``` -**Format** Will have the same format as that of infra-gitops-creds secret - -**Use for** Syncing apps gitops repository - -Once you have the both the repositories bootstrapped with ArgoCD, the first thing we will need to do for our pipelines to function is to connect Pipeline as Code to our applications repository. We do this using a Repository CR. The Repository CR references a couple of secrets to connect with the application's repository in the SCM. -### 2. git-pat-creds - -**Purpose** Used for three reasons: - 1. In the Repository CR so Pipeline as Code can talk to the repository - 1. In create-environment task to get commit hashes - 1. In TronadorConfig to allow Tronador to access the application repository. 
- -**Owner** The owner of this secret will be customer's delivery engineer - -**Where to find it** This secret will be deployed in build namespace of all tenants, the namespaces created by Tronador. - -1. [app-name]-ssh-creds - -**Purpose** Used by multiple tekton tasks: - 1. git-clone - 1. push-main-tag - 1. create-git-tag - 1. update-cd-repo - -**Where to find it** In build namespace of the tenant through apps-gitops repository. +## Organization Level Secrets -**Owner** Customer's delivery engineer. +These secrets need to go into your Infra GitOps Repository: + +* `apps-gitops-creds` + * _Purpose_: This secret is added so ArgoCD can sync the `apps-gitops` repository. You can either use an ssh key or a personal access token for this purpose. + * _Owner_: The owner of this secret will be customer's delivery engineer + * _Location_: The secret will be deployed in the `rh-openshift-gitops-instance` namespace **through the `infra-gitops` repository** + * _Format_: Will have the same format as that of `infra-gitops-creds` secret + * _Use for_: Syncing apps GitOps repository + * _Comment_: Once you have the both the repositories bootstrapped with ArgoCD, the first thing we will need to do for our pipelines to function is to connect pipeline-as-code to our applications repository. We do this using a Repository CR. The Repository CR references a couple of secrets to connect with the application's repository in the SCM. +* `git-pat-creds` + * _Purpose_: Used for three reasons: + 1. In the Repository CR so pipeline-as-code can talk to the repository + 1. In create-environment task to get commit hashes + 1. In TronadorConfig to allow Tronador to access the application repository + * _Owner_: The owner of this secret will be customer's delivery engineer + * _Location_: This secret will be deployed in build namespace of all tenants, the namespaces created by Tronador. 
+* `[app-name]-ssh-creds` + * _Purpose_: Used by these Tekton tasks: + * `git-clone` + * `push-main-tag` + * `create-git-tag` + * `update-cd-repo` + * _Owner_: Customer's delivery engineer + * _Location_: In build namespace of the tenant through `apps-gitops` repository ## Repository level secrets -### 1. [app-name]-git-webhook-creds - -**Purpose** Used in the Repository CR. Pipeline as Code needs this to verify the webhook payload set - -**Owner** Developer owns this secret. -**Where to find it** In build namespace of the tenant through apps-gitops repository +* `[app-name]-git-webhook-creds` + * _Purpose_: Used in the Repository CR. pipeline-as-code needs this to verify the webhook payload set + * _Owner_: Developer owns this secret + * _Location_: In build namespace of the tenant through `apps-gitops` repository diff --git a/content/for-developers/tutorials/outer-loop/webhook-setup/webhook-setup.md b/content/for-developers/tutorials/outer-loop/webhook-setup/webhook-setup.md index 1240d781..b6777a84 100644 --- a/content/for-developers/tutorials/outer-loop/webhook-setup/webhook-setup.md +++ b/content/for-developers/tutorials/outer-loop/webhook-setup/webhook-setup.md @@ -1,4 +1,4 @@ -# Setting Up Webhook for Pipeline as Code +# Setting Up Webhook for pipeline-as-code The webhook setup acts as a bridge between your code repository and the CI/CD pipeline. It allows your pipeline to be triggered automatically whenever specific events occur in your repository, such as code pushes or pull requests. The webhook secret further ensures that these interactions are secured and authenticated. 
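Review bot: in the rewritten `deploying-secrets.md`, the `infra-gitops-creds` entry gives its `_Location_` as the `rh-openshift-gitops-instance` namespace, but the template under `_Format_` still carries `name: private-repo` and `namespace: argocd`. A reader who applies the template as written creates a differently named secret in a different namespace from the one the entry describes. Set `metadata.name` and `metadata.namespace` in the template to the documented values, or say explicitly that they are placeholders to replace. The entry also says either an SSH key or a personal access token may be used, while the template shows only `sshPrivateKey`; one line on the token variant would close that gap. Minor: `apps-gitops-creds` uses `_Use for_` where the other entries use `_Used for_`.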
@@ -21,11 +21,11 @@ The webhook setup acts as a bridge between your code repository and the CI/CD pi 1. Click on the option to `Add a new webhook` to initiate the process of creating a new webhook for your repository. -1. To set up the webhook, you'll need the `URL of the Pipeline as Code interceptor`. This URL is used to connect GitHub with your SAAP's pipeline system. +1. To set up the webhook, you'll need the `URL of the pipeline-as-code interceptor`. This URL is used to connect GitHub with your SAAP's pipeline system. -1. Ask the SAAP admin to provide you with the `Interceptor URL` "route" from the project or namespace where the Pipeline as Code is installed. +1. Ask the SAAP admin to provide you with the `Interceptor URL` "route" from the project or namespace where the pipeline-as-code is installed. -1. Back in the GitHub repository's webhook settings, enter the `Pipeline as Code interceptor URL` you obtained in the previous step in the `Payload URL`. +1. Back in the GitHub repository's webhook settings, enter the `pipeline-as-code interceptor URL` you obtained in the previous step in the `Payload URL`. 1. Choose `Content type` as `application/json`. diff --git a/content/managed-addons/argocd/for-administrators/architecture.md b/content/managed-addons/argocd/for-administrators/architecture.md deleted file mode 100644 index e69de29b..00000000 diff --git a/mkdocs.yml b/mkdocs.yml index c369b55f..400d2933 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -29,6 +29,10 @@ markdown_extensions: emoji_index: !!python/name:materialx.emoji.twemoji emoji_generator: !!python/name:materialx.emoji.to_svg +extra_javascript: + - https://unpkg.com/tablesort@5.3.0/dist/tablesort.min.js + - javascripts/tablesort.js + extra: analytics: provider: google 
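Review bot: the `extra_javascript` block added to `mkdocs.yml` makes every docs page load `https://unpkg.com/tablesort@5.3.0/dist/tablesort.min.js` from a third-party CDN, and its second entry, `javascripts/tablesort.js`, is not among the seven files in this patch's diffstat, so unless that file already exists in the repository the entry points at nothing. The secrets page in this same patch is written as nested lists, not tables, so nothing here needs table sorting. Drop both lines from this commit, or, if table sorting is wanted later, vendor the script into the repository together with `javascripts/tablesort.js` so the site does not depend on an externally hosted script.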
@@ -143,6 +147,7 @@ nav: - for-developers/tutorials/outer-loop/access-cluster/access-the-cluster.md - for-developers/tutorials/outer-loop/add-build-environment/add-environment.md - Configure Pipeline for your application: + - for-developers/tutorials/outer-loop/deploying-secrets.md - for-developers/tutorials/outer-loop/add-ci-pipeline/overview.md - for-developers/tutorials/outer-loop/github-pat/github-pat.md - for-developers/tutorials/outer-loop/webhook-setup/webhook-setup.md From 065a07f6290f8a27bfaacc14a366db6b66a03967 Mon Sep 17 00:00:00 2001 From: Karl Johan Grahn Date: Mon, 30 Oct 2023 14:39:33 +0100 Subject: [PATCH 10/29] update --- mkdocs.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/mkdocs.yml b/mkdocs.yml index 400d2933..c1fa9c8d 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -29,10 +29,6 @@ markdown_extensions: emoji_index: !!python/name:materialx.emoji.twemoji emoji_generator: !!python/name:materialx.emoji.to_svg -extra_javascript: - - https://unpkg.com/tablesort@5.3.0/dist/tablesort.min.js - - javascripts/tablesort.js - extra: analytics: provider: google From 4bdad78abc9feefe70080eb82556890c3dd1e917 Mon Sep 17 00:00:00 2001 From: Karl Johan Grahn Date: Mon, 30 Oct 2023 14:40:47 +0100 Subject: [PATCH 11/29] update --- .../tutorials/outer-loop/deploying-secrets.md | 34 +++++++++---------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/content/for-developers/tutorials/outer-loop/deploying-secrets.md b/content/for-developers/tutorials/outer-loop/deploying-secrets.md index 663a258f..29fd13c5 100644 --- a/content/for-developers/tutorials/outer-loop/deploying-secrets.md +++ b/content/for-developers/tutorials/outer-loop/deploying-secrets.md 
@@ -48,24 +48,24 @@ This secret needs to deployed on the cluster directly. * _Owner_: The owner of this secret will be customer's delivery engineer * _Location_: The secret will be deployed in the `rh-openshift-gitops-instance` namespace * _Used for_: Use only for the purpose of syncing your infra GitOps repository with ArgoCD - * _Format_: Given below is the template for this secret. The secret/external secret will need to have `argocd.argoproj.io/secret-type: repository` label on it. + * _Format_: Given below is the template for this secret. The secret/external secret will need to have `argocd.argoproj.io/secret-type: repository` label on it: - ```yaml - apiVersion: v1 - kind: Secret - metadata: - name: private-repo - namespace: argocd - labels: - argocd.argoproj.io/secret-type: repository - stringData: - type: git - url: git@github.com:argoproj/my-private-repository - sshPrivateKey: | - -----BEGIN OPENSSH PRIVATE KEY----- - ... - -----END OPENSSH PRIVATE KEY----- - ``` + ```yaml + apiVersion: v1 + kind: Secret + metadata: + name: private-repo + namespace: argocd + labels: + argocd.argoproj.io/secret-type: repository + stringData: + type: git + url: git@github.com:argoproj/my-private-repository + sshPrivateKey: | + -----BEGIN OPENSSH PRIVATE KEY----- + ... + -----END OPENSSH PRIVATE KEY----- + ``` ## Organization Level Secrets From ea2a039f238bcd8762e4c259290d845183672f40 Mon Sep 17 00:00:00 2001 From: Karl Johan Grahn Date: Mon, 30 Oct 2023 14:43:12 +0100 Subject: [PATCH 12/29] update --- .../tutorials/outer-loop/deploying-secrets.md | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/content/for-developers/tutorials/outer-loop/deploying-secrets.md b/content/for-developers/tutorials/outer-loop/deploying-secrets.md index 29fd13c5..08a0bd01 100644 --- a/content/for-developers/tutorials/outer-loop/deploying-secrets.md +++ b/content/for-developers/tutorials/outer-loop/deploying-secrets.md 
@@ -15,7 +15,7 @@ To have a fully functional pipeline, we will be needing a few secrets. Some of t * _Type_: Login credentials for SonarQube * _Used for_: For running SonarQube scan in pipeline * _Lifecycle_: Every time a new tenant is created, the secret gets deployed in the build namespace. SonarQube credentials are not rotated and remain the same. - * _Comment_: The origin of this secret is the SonarQube namespace. Secret is copied over to build namespace using a MTO template and Template Group Instance. + * _Comment_: The origin of this secret is the SonarQube namespace. Secret is copied over to build namespace using an MTO template and Template Group Instance. * `docker-reg-creds` * _Purpose_: Used by buildah and the application itself to pull the image from the nexus registry * _Owner_: SAAP admins @@ -41,8 +41,6 @@ To have a fully functional pipeline, we will be needing a few secrets. Some of t ## Infra GitOps Creds -This secret needs to deployed on the cluster directly. - * `infra-gitops-creds` * _Purpose_: This secret is added so ArgoCD can sync the repository. You can either use an ssh key or a personal access token for this purpose. * _Owner_: The owner of this secret will be customer's delivery engineer @@ -67,9 +65,12 @@ This secret needs to deployed on the cluster directly. -----END OPENSSH PRIVATE KEY----- ``` + * _Comment_: This secret needs to be deployed on the cluster directly. + ## Organization Level Secrets -These secrets need to go into your Infra GitOps Repository: +!!! note + These secrets need to go into your Infra GitOps Repository * `apps-gitops-creds` * _Purpose_: This secret is added so ArgoCD can sync the `apps-gitops` repository. You can either use an ssh key or a personal access token for this purpose. From 70ce816ce6ed9956f12d8a67446b526b420853ae Mon Sep 17 00:00:00 2001 
From: asfamumtaz Date: Wed, 1 Nov 2023 14:22:52 +0500 Subject: [PATCH 13/29] update deployment process --- .../for-developers/tutorials/outer-loop/deploying-secrets.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/content/for-developers/tutorials/outer-loop/deploying-secrets.md b/content/for-developers/tutorials/outer-loop/deploying-secrets.md index 08a0bd01..ee4bc769 100644 --- a/content/for-developers/tutorials/outer-loop/deploying-secrets.md +++ b/content/for-developers/tutorials/outer-loop/deploying-secrets.md 
@@ -16,12 +16,15 @@ To have a fully functional pipeline, we will be needing a few secrets. Some of t * _Used for_: For running SonarQube scan in pipeline * _Lifecycle_: Every time a new tenant is created, the secret gets deployed in the build namespace. SonarQube credentials are not rotated and remain the same. * _Comment_: The origin of this secret is the SonarQube namespace. Secret is copied over to build namespace using an MTO template and Template Group Instance. + * _Deployment Process_: The SonarQube deployed on SAAP contains a secret named `sonar-creds` in its namespace. This secret contains the username and password for SonarQube. We use a Multi Tenant Operator Template and TemplateGroupInstance to copy this secret and distribute it the build namespaces of all tenants. The Template and TemplateGroupInstance are both named `sonar-creds` * `docker-reg-creds` * _Purpose_: Used by buildah and the application itself to pull the image from the nexus registry * _Owner_: SAAP admins * _Type_: Login credentials for nexus docker registry. The secret itself is of type dockerconfigjson. * _Used for_: Pulling images from the nexus registry. Needs to be deployed in all namespaces of the tenant. We distribute it using a TGI. * _Lifecycle_: Every time a new tenant is created, the secret gets deployed in all its namespaces. + * _Deployment Process_: Nexus comes shipped with SAAP. The `nexus3` namespace contains a secret named `docker-reg-creds`. This secret contains the .dockerconfigjson file. We use a Multi Tenant Operator Template and TemplateGroupInstance to copy this secret and distribute it all namespaces of the tenants. The Template and TemplateGroupInstance are both named `docker-reg-creds` + * `helm-reg-creds` * _Purpose_: Used to pull and push charts from the Nexus Helm Registry. We use it in two places for our pipeline: 1. `stakater-helm-push` task From 5bed060bcd1692d318ba2ad4d3915dfbaeecb0de Mon Sep 17 00:00:00 2001 
From: asfamumtaz Date: Wed, 1 Nov 2023 22:51:52 +0500 Subject: [PATCH 14/29] secrets update --- .../tutorials/outer-loop/deploying-secrets.md | 118 +++++++++++++++++- 1 file changed, 113 insertions(+), 5 deletions(-) diff --git a/content/for-developers/tutorials/outer-loop/deploying-secrets.md b/content/for-developers/tutorials/outer-loop/deploying-secrets.md index ee4bc769..f2224bec 100644 --- a/content/for-developers/tutorials/outer-loop/deploying-secrets.md +++ b/content/for-developers/tutorials/outer-loop/deploying-secrets.md @@ -32,6 +32,8 @@ To have a fully functional pipeline, we will be needing a few secrets. Some of t * _Owner_: SAAP Admins * _Used for_: Pulling Charts from Nexus * _Lifecycle_: Every time a new tenant is created, the secret gets deployed in the build namespace. The same secret is deployed in the `rh-openshift-gitops-instance` when SAAP is provisioned. + * _Deployment Process_: Nexus comes shipped with SAAP. The `nexus3` namespace contains a secret named `helm-reg-creds`. This secret contains the username and password for the helm registry. We use a Multi Tenant Operator Template and TemplateGroupInstance to copy this secret and distribute it all namespaces of the tenants. The Template and TemplateGroupInstance are both named `helm-reg-creds`. Another TGI named `helm-reg-creds-gitops` deploys the secret in GitOps namespace so ArgoCD can fetch the charts. + * `rox-creds` * _Purpose_: Used by three Tekton Tasks: 1. `stakater-rox-deployment-check` 
@@ -41,6 +43,7 @@ To have a fully functional pipeline, we will be needing a few secrets. Some of t * _Used for_: Communicating with RHACS API to scan images and deployments * _Lifecycle_: Created at the time of RHACS deployment. The secret is then copied over to build namespaces of tenants. * _Comment_: Needs to be deployed in build namespace. We deploy it using TGI. + * _Deployment Process_: After StackRox is installed on the SAAP cluster. An api token is created and stored in the rox-creds secret in the stakater-stackrox namespaces. We then use a Template and a TemplateGroupInstance with the same name to distribute the secret in the build namespace of tenants. ## Infra GitOps Creds 
@@ -76,19 +79,96 @@ To have a fully functional pipeline, we will be needing a few secrets. Some of t These secrets need to go into your Infra GitOps Repository * `apps-gitops-creds` - * _Purpose_: This secret is added so ArgoCD can sync the `apps-gitops` repository. You can either use an ssh key or a personal access token for this purpose. + * _Purpose_: This secret is added so ArgoC + * _Used for_: Communicating with RHACS API to scan images and deployments + * _Lifecycle_: Created at the time of RHACS deployment. The secret is then copied over to build namespaces of tenants. + * _Comment_: Needs to be deployed in build namespace. We deploy it using TGI. + * _Deployment Process_: After RD can sync the `apps-gitops` repository. You can either use an ssh key or a personal access token for this purpose. * _Owner_: The owner of this secret will be customer's delivery engineer * _Location_: The secret will be deployed in the `rh-openshift-gitops-instance` namespace **through the `infra-gitops` repository** * _Format_: Will have the same format as that of `infra-gitops-creds` secret * _Use for_: Syncing apps GitOps repository * _Comment_: Once you have the both the repositories bootstrapped with ArgoCD, the first thing we will need to do for our pipelines to function is to connect pipeline-as-code to our applications repository. We do this using a Repository CR. The Repository CR references a couple of secrets to connect with the application's repository in the SCM. + * _Deployment Process_: To deploy the apps-gitops-creds, follow the below-mentioned steps: + 1. Navigate to your infra-gitops repository. + 1. At the base level, your infra repository should already have a folder with cluster name. You can refer to this tutorial for defining your infra gitops repository structure. Open up the relevant cluster folder. + 1. Inside it, create a folder named gitops-repositories. + 1. Now add an external secret that has the following structure. 
Remember to replace the placeholder. + + ```yaml + apiVersion: external-secrets.io/v1beta1 + kind: ExternalSecret + metadata: + name: apps-gitops-creds + namespace: rh-openshift-gitops-instance + spec: + secretStoreRef: + name: stakater-cluster-secret-store + kind: ClusterSecretStore + data: + - remoteRef: + key: git-pat-creds + property: username + secretKey: username + - remoteRef: + key: git-pat-creds + property: password + secretKey: password + target: + name: apps-gitops-creds + template: + metadata: + labels: + argocd.argoproj.io/secret-type: repository + data: + name: apps-gitops-creds + password: "{{ .password | toString }}" + username: "{{ .username | toString }}" + project: TENANT_NAME + type: git + url: "https://github.com/DESTINATION_ORG/apps-gitops-config.git" + ``` + 1. Now open up vault and open the common-secrets path. Add a secret named git-pat-creds and add two key 'password' and 'usrname'. Password should have Personal Access Token with that can access your apps gitops repository. + 1. Now go to the argocd-apps folder in the infra-gitops repo and add and ArgoCD application pointing to your gitops-repositories folder. + + ```yaml + + apiVersion: argoproj.io/v1alpha1 + kind: Application + metadata: + name: gitops-repositories + namespace: rh-openshift-gitops-instance + finalizers: + - resources-finalizer.argocd.argoproj.io + spec: + destination: + server: 'https://kubernetes.default.svc' + source: + path: cluster-name/gitops-repositories + repoURL: YOUR_INFRA_REPO_URL + targetRevision: main + directory: + recurse: true + project: default + syncPolicy: + automated: + prune: true + selfHeal: true + + ``` + 1. Wait for ArgoCd to sync your changes. + * `git-pat-creds` * _Purpose_: Used for three reasons: 1. In the Repository CR so pipeline-as-code can talk to the repository 1. In create-environment task to get commit hashes 1. 
In TronadorConfig to allow Tronador to access the application repository * _Owner_: The owner of this secret will be customer's delivery engineer - * _Location_: This secret will be deployed in build namespace of all tenants, the namespaces created by Tronador. + * _Location_: This secret will be deployed in build namespace of all tenants, the namespaces created by Tronador.\ + * _Deployment Process_: To deploy the git-pat-creds, follow the below-mentioned steps: + +## Repository level secrets + * `[app-name]-ssh-creds` * _Purpose_: Used by these Tekton tasks: * `git-clone` 
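Review bot: the `apps-gitops-creds` `_Purpose_` line is cut off at "This secret is added so ArgoC" and is followed by lines pasted from the `rox-creds` entry (`_Used for_`, `_Lifecycle_`, `_Comment_` and the start of `_Deployment Process_`), with the rest of the original sentence ("D can sync the `apps-gitops` repository ...") stranded after "After R". Restore the single original `_Purpose_` line and delete the pasted lines. In the Vault step the key is spelled 'usrname', while the ExternalSecret above reads `property: username`, so a reader who follows the step literally stores a key the manifest never looks up; the step should say `username`. The same step says only that the token "can access" the apps GitOps repository, and `git-pat-creds` is also listed for the Repository CR, the create-environment task and TronadorConfig, so state the minimum access the token needs. Smaller points: the `git-pat-creds` `_Location_` line gains a stray trailing backslash, its `_Deployment Process_` is left with no steps, and the manifest has two placeholders (`TENANT_NAME`, `DESTINATION_ORG`) where the text says "the placeholder".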
@@ -97,9 +177,37 @@ To have a fully functional pipeline, we will be needing a few secrets. Some of t * `update-cd-repo` * _Owner_: Customer's delivery engineer * _Location_: In build namespace of the tenant through `apps-gitops` repository - -## Repository level secrets - + * _Deployment Process_: To deploy the git-pat-creds, follow the below-mentioned steps: + 1. Navigate to your apps-gitops repository + 1. Open up the tenant for which you want to deploy this secret. + 1. Now navigate to the folder which bears the name of the application for which you want to run the pipelines. + 1. Open the build folder. + 1. Add an external secret named [app-name]-ssh-creds. + ```yaml + apiVersion: external-secrets.io/v1beta1 + kind: ExternalSecret + metadata: + name: [app-name]-ssh-creds + spec: + secretStoreRef: + name: tenant-vault-secret-store + kind: SecretStore + refreshInterval: "1m0s" + target: + name: [app-name]-ssh-creds + creationPolicy: 'Owner' + template: + data: + id_rsa: "{{ .id_rsa | b64dec | toString }}" + data: + - secretKey: id_rsa + remoteRef: + key: [app-name]-ssh-creds + property: api_private_key + ``` + 1. Now open up the tenant path in vault and add a secret named [app-name]-ssh-creds. Add a key api_private_key. The value should have a private ssh key that has access to your application repository as well as you apps-gitops repository. + 1. Assuming you have already set up the apps-gitops repository, you should be able to see the secret deployed to your tenant's build namespace. + * `[app-name]-git-webhook-creds` * _Purpose_: Used in the Repository CR. pipeline-as-code needs this to verify the webhook payload set * _Owner_: Developer owns this secret From 6b1d9ba851753ec27150b32bc566e0825577f241 Mon Sep 17 00:00:00 2001 From: asfamumtaz Date: Thu, 2 Nov 2023 18:33:32 +0500 Subject: [PATCH 15/29] secrets --- .../tutorials/outer-loop/deploying-secrets.md | 43 +++++++++++++++++++ 1 file changed, 43 insertions(+) 
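Review bot: in the `[app-name]-ssh-creds` manifest, `name: [app-name]-ssh-creds` (and the same value under `target.name` and `remoteRef.key`) is not valid YAML as written, because an unquoted value that starts with `[` opens a flow sequence. Use a plain placeholder such as `APP_NAME-ssh-creds`, in the style of `TENANT_NAME` used earlier in this file, so the example parses before the reader edits it. The template applies `b64dec` to the value read from `api_private_key`, but the Vault step only says the value "should have a private ssh key"; say explicitly that the key must be stored base64-encoded, otherwise the rendered `id_rsa` will not be a usable key. The `_Deployment Process_` intro reads "To deploy the git-pat-creds", copied from the previous entry; it should name `[app-name]-ssh-creds`. The last Vault step also asks for one key with access to both the application repository and the apps-gitops repository; if the tasks listed under `_Purpose_` need that, say which repository needs write access, since that decides what the key can change.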
diff --git a/content/for-developers/tutorials/outer-loop/deploying-secrets.md b/content/for-developers/tutorials/outer-loop/deploying-secrets.md index f2224bec..54d73685 100644 --- a/content/for-developers/tutorials/outer-loop/deploying-secrets.md +++ b/content/for-developers/tutorials/outer-loop/deploying-secrets.md @@ -166,6 +166,49 @@ To have a fully functional pipeline, we will be needing a few secrets. Some of t * _Owner_: The owner of this secret will be customer's delivery engineer * _Location_: This secret will be deployed in build namespace of all tenants, the namespaces created by Tronador.\ * _Deployment Process_: To deploy the git-pat-creds, follow the below-mentioned steps: + 1. Navigate to your infra-gitops repository. + 1. At the base level, your infra repository should already have a folder with cluster name. Open up the tenant-operator-config and create a folder named templates if it is not already there. + 1. Now add a template with the following structure. Remember to replace the placeholders. + ```yaml + apiVersion: tenantoperator.stakater.com/v1alpha1 + kind: Template + metadata: + name: git-pat-creds + resources: + manifests: + - apiVersion: external-secrets.io/v1beta1 + kind: ExternalSecret + metadata: + name: git-pat-creds + spec: + dataFrom: + - extract: + conversionStrategy: Default + key: git-pat-creds + refreshInterval: 1m0s + secretStoreRef: + kind: SecretStore + name: tenant-vault-shared-secret-store + target: + name: git-pat-creds + ``` + 1. Now add a TemplateGroupInstance: + + ```yaml + apiVersion: tenantoperator.stakater.com/v1alpha1 + kind: TemplateGroupInstance + metadata: + name: git-pat-creds + spec: + template: git-pat-creds + selector: + matchExpressions: + - key: stakater.com/kind + operator: In + values: [ build, pr ] + sync: true + ``` + 1. If you have correctly configured your infra repository, ArgoCD should be able to sync the changes and deploy the secret in build namespaces of the tenants. ## Repository level secrets 
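Review bot: in the `TemplateGroupInstance`, `values: [ build, pr ]` distributes `git-pat-creds` to `pr` namespaces as well, while the `_Location_` context line above only says "build namespace of all tenants". Since this is the personal access token shared by all tenants, name both namespace kinds in `_Location_`, or narrow the selector to `build` if `pr` is not needed. Step 3 also says "Remember to replace the placeholders", but the Template contains none, and these steps never say where in Vault the `git-pat-creds` entry read through `tenant-vault-shared-secret-store` has to exist, so point to the step that creates it.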
From 715eb8782a570c0f8526b4c30fc975566aad74d6 Mon Sep 17 00:00:00 2001 From: asfamumtaz Date: Thu, 2 Nov 2023 18:38:32 +0500 Subject: [PATCH 16/29] add secrets --- .../tutorials/outer-loop/deploying-secrets.md | 34 +++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/content/for-developers/tutorials/outer-loop/deploying-secrets.md b/content/for-developers/tutorials/outer-loop/deploying-secrets.md index 54d73685..255d3ecf 100644 --- a/content/for-developers/tutorials/outer-loop/deploying-secrets.md +++ b/content/for-developers/tutorials/outer-loop/deploying-secrets.md @@ -255,3 +255,37 @@ To have a fully functional pipeline, we will be needing a few secrets. Some of t * _Purpose_: Used in the Repository CR. pipeline-as-code needs this to verify the webhook payload set * _Owner_: Developer owns this secret * _Location_: In build namespace of the tenant through `apps-gitops` repository + * _Deployment Process_: Follow the below mentioned steps for deploying the secret: + 1. Navigate to your apps-gitops repository + 1. Open up the tenant for which you want to deploy this secret. + 1. Now navigate to the folder which bears the name of the application for which you want to run the pipelines. + 1. Open the build folder. + 1. Add an external secret named [app-name]-git-webhook-creds + + ```yaml + apiVersion: external-secrets.io/v1beta1 + kind: ExternalSecret + metadata: + name: github-webhook-config + spec: + secretStoreRef: + name: tenant-vault-secret-store + kind: SecretStore + refreshInterval: "1m0s" + target: + name: github-webhook-config + creationPolicy: 'Owner' + template: + data: + provider.token: "{{ .password | toString }}" + webhook.secret: "{{ .secret | toString }}" + data: + - secretKey: password + remoteRef: + key: github-webhook-config + property: provider.token + - secretKey: secret + remoteRef: + key: github-webhook-config + property: webhook.secret + ``` From 3217b15091bf501890cfbcbe3d230d4d0bd9b89e Mon Sep 17 00:00:00 2001 
From: asfamumtaz Date: Thu, 2 Nov 2023 18:53:27 +0500 Subject: [PATCH 17/29] lint --- .../for-developers/tutorials/outer-loop/deploying-secrets.md | 4 ---- 1 file changed, 4 deletions(-) diff --git a/content/for-developers/tutorials/outer-loop/deploying-secrets.md b/content/for-developers/tutorials/outer-loop/deploying-secrets.md index 255d3ecf..04748fb9 100644 --- a/content/for-developers/tutorials/outer-loop/deploying-secrets.md +++ b/content/for-developers/tutorials/outer-loop/deploying-secrets.md @@ -1,14 +1,10 @@ # Secrets -[TOC] - We will need the following secrets for running a fully functional pipeline using pipeline-as-code. To have a fully functional pipeline, we will be needing a few secrets. Some of the secrets are Auto-distributed in the build namespaces of all tenants. While the rest will be deployed through your infra repository (organization level secrets) and GitOps repository (repository/application level secrets) ## Auto Generated Secrets - - * `sonar-creds` * _Purpose_: Used by `sonarqube-scan` pipeline task * _Owner_: SAAP admins From 79edf940f17291d6ed009c288dc83ef306dcbfc4 Mon Sep 17 00:00:00 2001 From: asfamumtaz Date: Thu, 2 Nov 2023 18:54:57 +0500 Subject: [PATCH 18/29] lint --- .../tutorials/outer-loop/deploying-secrets.md | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/content/for-developers/tutorials/outer-loop/deploying-secrets.md b/content/for-developers/tutorials/outer-loop/deploying-secrets.md index 04748fb9..78e3f27d 100644 --- a/content/for-developers/tutorials/outer-loop/deploying-secrets.md +++ b/content/for-developers/tutorials/outer-loop/deploying-secrets.md 
@@ -123,12 +123,12 @@ To have a fully functional pipeline, we will be needing a few secrets. Some of t project: TENANT_NAME type: git url: "https://github.com/DESTINATION_ORG/apps-gitops-config.git" - ``` + ``` + 1. Now open up vault and open the common-secrets path. Add a secret named git-pat-creds and add two key 'password' and 'usrname'. Password should have Personal Access Token with that can access your apps gitops repository. 1. Now go to the argocd-apps folder in the infra-gitops repo and add and ArgoCD application pointing to your gitops-repositories folder. ```yaml - apiVersion: argoproj.io/v1alpha1 kind: Application metadata: @@ -150,8 +150,8 @@ To have a fully functional pipeline, we will be needing a few secrets. Some of t automated: prune: true selfHeal: true - ``` + 1. Wait for ArgoCd to sync your changes. * `git-pat-creds` @@ -165,6 +165,7 @@ To have a fully functional pipeline, we will be needing a few secrets. Some of t 1. Navigate to your infra-gitops repository. 1. At the base level, your infra repository should already have a folder with cluster name. Open up the tenant-operator-config and create a folder named templates if it is not already there. 1. Now add a template with the following structure. Remember to replace the placeholders. + ```yaml apiVersion: tenantoperator.stakater.com/v1alpha1 kind: Template @@ -188,6 +189,7 @@ To have a fully functional pipeline, we will be needing a few secrets. Some of t target: name: git-pat-creds ``` + 1. Now add a TemplateGroupInstance: ```yaml @@ -204,6 +206,7 @@ To have a fully functional pipeline, we will be needing a few secrets. Some of t values: [ build, pr ] sync: true ``` + 1. If you have correctly configured your infra repository, ArgoCD should be able to sync the changes and deploy the secret in build namespaces of the tenants. ## Repository level secrets 
@@ -222,6 +225,7 @@ To have a fully functional pipeline, we will be needing a few secrets. Some of t 1. Now navigate to the folder which bears the name of the application for which you want to run the pipelines. 1. Open the build folder. 1. Add an external secret named [app-name]-ssh-creds. + ```yaml apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret @@ -244,6 +248,7 @@ To have a fully functional pipeline, we will be needing a few secrets. Some of t key: [app-name]-ssh-creds property: api_private_key ``` + 1. Now open up the tenant path in vault and add a secret named [app-name]-ssh-creds. Add a key api_private_key. The value should have a private ssh key that has access to your application repository as well as you apps-gitops repository. 1. Assuming you have already set up the apps-gitops repository, you should be able to see the secret deployed to your tenant's build namespace. From 3ae44c80bb2a7cd9d5749e4b08098605c89151fb Mon Sep 17 00:00:00 2001 From: asfamumtaz Date: Thu, 2 Nov 2023 18:57:30 +0500 Subject: [PATCH 19/29] lint --- .../tutorials/outer-loop/deploying-secrets.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/content/for-developers/tutorials/outer-loop/deploying-secrets.md b/content/for-developers/tutorials/outer-loop/deploying-secrets.md index 78e3f27d..dc14f694 100644 --- a/content/for-developers/tutorials/outer-loop/deploying-secrets.md +++ b/content/for-developers/tutorials/outer-loop/deploying-secrets.md 
@@ -90,7 +90,7 @@ To have a fully functional pipeline, we will be needing a few secrets. Some of t 1. At the base level, your infra repository should already have a folder with cluster name. You can refer to this tutorial for defining your infra gitops repository structure. Open up the relevant cluster folder. 1. Inside it, create a folder named gitops-repositories. 1. Now add an external secret that has the following structure. Remember to replace the placeholder. - + ```yaml apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret @@ -123,11 +123,11 @@ To have a fully functional pipeline, we will be needing a few secrets. Some of t project: TENANT_NAME type: git url: "https://github.com/DESTINATION_ORG/apps-gitops-config.git" - ``` - - 1. Now open up vault and open the common-secrets path. Add a secret named git-pat-creds and add two key 'password' and 'usrname'. Password should have Personal Access Token with that can access your apps gitops repository. + ``` + + 1. Now open up vault and open the common-secrets path. Add a secret named git-pat-creds and add two key 'password' and 'usrname'. Password should have Personal Access Token with that can access your apps gitops repository. 1. Now go to the argocd-apps folder in the infra-gitops repo and add and ArgoCD application pointing to your gitops-repositories folder. - + ```yaml apiVersion: argoproj.io/v1alpha1 kind: Application From 716e13410222eafcca94cb055d61996f2abd7dc1 Mon Sep 17 00:00:00 2001 From: asfamumtaz Date: Thu, 2 Nov 2023 19:04:00 +0500 Subject: [PATCH 20/29] lint --- .../tutorials/outer-loop/deploying-secrets.md | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/content/for-developers/tutorials/outer-loop/deploying-secrets.md b/content/for-developers/tutorials/outer-loop/deploying-secrets.md index dc14f694..b8b3b5e5 100644 --- a/content/for-developers/tutorials/outer-loop/deploying-secrets.md 
+++ b/content/for-developers/tutorials/outer-loop/deploying-secrets.md @@ -151,9 +151,9 @@ To have a fully functional pipeline, we will be needing a few secrets. Some of t prune: true selfHeal: true ``` - - 1. Wait for ArgoCd to sync your changes. - + + 1. Wait for ArgoCd to sync your changes. + * `git-pat-creds` * _Purpose_: Used for three reasons: 1. In the Repository CR so pipeline-as-code can talk to the repository @@ -165,7 +165,7 @@ To have a fully functional pipeline, we will be needing a few secrets. Some of t 1. Navigate to your infra-gitops repository. 1. At the base level, your infra repository should already have a folder with cluster name. Open up the tenant-operator-config and create a folder named templates if it is not already there. 1. Now add a template with the following structure. Remember to replace the placeholders. - + ```yaml apiVersion: tenantoperator.stakater.com/v1alpha1 kind: Template @@ -189,9 +189,9 @@ To have a fully functional pipeline, we will be needing a few secrets. Some of t target: name: git-pat-creds ``` - + 1. Now add a TemplateGroupInstance: - + ```yaml apiVersion: tenantoperator.stakater.com/v1alpha1 kind: TemplateGroupInstance @@ -206,7 +206,7 @@ To have a fully functional pipeline, we will be needing a few secrets. Some of t values: [ build, pr ] sync: true ``` - + 1. If you have correctly configured your infra repository, ArgoCD should be able to sync the changes and deploy the secret in build namespaces of the tenants. ## Repository level secrets @@ -225,7 +225,7 @@ To have a fully functional pipeline, we will be needing a few secrets. Some of t 1. Now navigate to the folder which bears the name of the application for which you want to run the pipelines. 1. Open the build folder. 1. Add an external secret named [app-name]-ssh-creds. - + ```yaml apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret 
@@ -248,10 +248,10 @@ To have a fully functional pipeline, we will be needing a few secrets. Some of t key: [app-name]-ssh-creds property: api_private_key ``` - + 1. Now open up the tenant path in vault and add a secret named [app-name]-ssh-creds. Add a key api_private_key. The value should have a private ssh key that has access to your application repository as well as you apps-gitops repository. 1. Assuming you have already set up the apps-gitops repository, you should be able to see the secret deployed to your tenant's build namespace. - + * `[app-name]-git-webhook-creds` * _Purpose_: Used in the Repository CR. pipeline-as-code needs this to verify the webhook payload set * _Owner_: Developer owns this secret @@ -262,7 +262,7 @@ To have a fully functional pipeline, we will be needing a few secrets. Some of t 1. Now navigate to the folder which bears the name of the application for which you want to run the pipelines. 1. Open the build folder. 1. Add an external secret named [app-name]-git-webhook-creds - + ```yaml apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret From 18bac9d5fe5e50c526694c5cec200954f0d4cde0 Mon Sep 17 00:00:00 2001 From: asfamumtaz Date: Thu, 2 Nov 2023 19:09:47 +0500 Subject: [PATCH 21/29] lint --- .../tutorials/outer-loop/deploying-secrets.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/content/for-developers/tutorials/outer-loop/deploying-secrets.md b/content/for-developers/tutorials/outer-loop/deploying-secrets.md index b8b3b5e5..2cfdf1ea 100644 --- a/content/for-developers/tutorials/outer-loop/deploying-secrets.md +++ b/content/for-developers/tutorials/outer-loop/deploying-secrets.md 
@@ -39,7 +39,7 @@ To have a fully functional pipeline, we will be needing a few secrets. Some of t * _Used for_: Communicating with RHACS API to scan images and deployments * _Lifecycle_: Created at the time of RHACS deployment. The secret is then copied over to build namespaces of tenants. * _Comment_: Needs to be deployed in build namespace. We deploy it using TGI. - * _Deployment Process_: After StackRox is installed on the SAAP cluster. An api token is created and stored in the rox-creds secret in the stakater-stackrox namespaces. We then use a Template and a TemplateGroupInstance with the same name to distribute the secret in the build namespace of tenants. + * _Deployment Process_: After StackRox is installed on the SAAP cluster. An api token is created and stored in the rox-creds secret in the `stakater-stackrox` namespaces. We then use a Template and a TemplateGroupInstance with the same name to distribute the secret in the build namespace of tenants. ## Infra GitOps Creds 
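Review bot: the rewritten `_Deployment Process_` line still opens with a sentence fragment, "After StackRox is installed on the SAAP cluster." followed by "An api token is created ..."; join the two ("After StackRox is installed on the SAAP cluster, an API token is created and stored in ..."). "the `stakater-stackrox` namespaces" names a single namespace, so it should be singular.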
@@ -79,16 +79,16 @@ To have a fully functional pipeline, we will be needing a few secrets. Some of t * _Used for_: Communicating with RHACS API to scan images and deployments * _Lifecycle_: Created at the time of RHACS deployment. The secret is then copied over to build namespaces of tenants. * _Comment_: Needs to be deployed in build namespace. We deploy it using TGI. - * _Deployment Process_: After RD can sync the `apps-gitops` repository. You can either use an ssh key or a personal access token for this purpose. + * _Deployment Process_: After RD can sync the `apps-gitops-config` repository. You can either use an ssh key or a personal access token for this purpose. * _Owner_: The owner of this secret will be customer's delivery engineer * _Location_: The secret will be deployed in the `rh-openshift-gitops-instance` namespace **through the `infra-gitops` repository** * _Format_: Will have the same format as that of `infra-gitops-creds` secret * _Use for_: Syncing apps GitOps repository * _Comment_: Once you have the both the repositories bootstrapped with ArgoCD, the first thing we will need to do for our pipelines to function is to connect pipeline-as-code to our applications repository. We do this using a Repository CR. The Repository CR references a couple of secrets to connect with the application's repository in the SCM. - * _Deployment Process_: To deploy the apps-gitops-creds, follow the below-mentioned steps: - 1. Navigate to your infra-gitops repository. - 1. At the base level, your infra repository should already have a folder with cluster name. You can refer to this tutorial for defining your infra gitops repository structure. Open up the relevant cluster folder. - 1. Inside it, create a folder named gitops-repositories. + * _Deployment Process_: To deploy the `apps-gitops-creds`, follow the below-mentioned steps: + 1. Navigate to your `infra-gitops-config` repository. + 1. 
At the base level, your infra repository should already have a folder with cluster name. You can refer to this tutorial for defining your Infra GitOps Repository structure. Open up the relevant cluster folder. + 1. Inside it, create a folder named `gitops-repositories`. 1. Now add an external secret that has the following structure. Remember to replace the placeholder. ```yaml @@ -125,8 +125,8 @@ To have a fully functional pipeline, we will be needing a few secrets. Some of t url: "https://github.com/DESTINATION_ORG/apps-gitops-config.git" ``` - 1. Now open up vault and open the common-secrets path. Add a secret named git-pat-creds and add two key 'password' and 'usrname'. Password should have Personal Access Token with that can access your apps gitops repository. - 1. Now go to the argocd-apps folder in the infra-gitops repo and add and ArgoCD application pointing to your gitops-repositories folder. + 1. Now open up Vault and open the common-secrets path. Add a secret named git-pat-creds and add two key 'password' and 'username'. Password should have Personal Access Token with that can access your apps gitops repository. + 1. Now go to the `argocd-apps` folder in the `infra-gitops-config` repo and add and ArgoCD application pointing to your `gitops-repositories` folder. ```yaml apiVersion: argoproj.io/v1alpha1 From 6fc0ac5aab59f4a077f80988c89a6e87bf64a379 Mon Sep 17 00:00:00 2001 From: asfamumtaz Date: Thu, 2 Nov 2023 19:12:48 +0500 Subject: [PATCH 22/29] lint --- .../for-developers/tutorials/outer-loop/deploying-secrets.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/for-developers/tutorials/outer-loop/deploying-secrets.md b/content/for-developers/tutorials/outer-loop/deploying-secrets.md index 2cfdf1ea..f90c94e6 100644 --- a/content/for-developers/tutorials/outer-loop/deploying-secrets.md +++ b/content/for-developers/tutorials/outer-loop/deploying-secrets.md 
@@ -127,7 +127,7 @@ To have a fully functional pipeline, we will be needing a few secrets. Some of t 1. Now open up Vault and open the common-secrets path. Add a secret named git-pat-creds and add two key 'password' and 'username'. Password should have Personal Access Token with that can access your apps gitops repository. 1. Now go to the `argocd-apps` folder in the `infra-gitops-config` repo and add and ArgoCD application pointing to your `gitops-repositories` folder. - + ```yaml apiVersion: argoproj.io/v1alpha1 kind: Application @@ -206,7 +206,7 @@ To have a fully functional pipeline, we will be needing a few secrets. Some of t values: [ build, pr ] sync: true ``` - + 1. If you have correctly configured your infra repository, ArgoCD should be able to sync the changes and deploy the secret in build namespaces of the tenants. ## Repository level secrets From 71fff0a30c84047b965e6e6eda7e3947bf86df8e Mon Sep 17 00:00:00 2001 From: asfamumtaz Date: Thu, 2 Nov 2023 19:17:18 +0500 Subject: [PATCH 23/29] lint --- .../tutorials/outer-loop/deploying-secrets.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/content/for-developers/tutorials/outer-loop/deploying-secrets.md b/content/for-developers/tutorials/outer-loop/deploying-secrets.md index f90c94e6..12adc679 100644 --- a/content/for-developers/tutorials/outer-loop/deploying-secrets.md +++ b/content/for-developers/tutorials/outer-loop/deploying-secrets.md 
@@ -125,7 +125,7 @@ To have a fully functional pipeline, we will be needing a few secrets. Some of t url: "https://github.com/DESTINATION_ORG/apps-gitops-config.git" ``` - 1. Now open up Vault and open the common-secrets path. Add a secret named git-pat-creds and add two key 'password' and 'username'. Password should have Personal Access Token with that can access your apps gitops repository. + 1. Now open up Vault and open the common-secrets path. Add a secret named git-pat-creds and add two key 'password' and 'username'. Password should have Personal Access Token with that can access your `apps-gitops-config` repository. 1. Now go to the `argocd-apps` folder in the `infra-gitops-config` repo and add and ArgoCD application pointing to your `gitops-repositories` folder. ```yaml @@ -152,7 +152,7 @@ To have a fully functional pipeline, we will be needing a few secrets. Some of t selfHeal: true ``` - 1. Wait for ArgoCd to sync your changes. + 1. Wait for ArgoCD to sync your changes. * `git-pat-creds` * _Purpose_: Used for three reasons: @@ -162,7 +162,7 @@ To have a fully functional pipeline, we will be needing a few secrets. Some of t * _Owner_: The owner of this secret will be customer's delivery engineer * _Location_: This secret will be deployed in build namespace of all tenants, the namespaces created by Tronador.\ * _Deployment Process_: To deploy the git-pat-creds, follow the below-mentioned steps: - 1. Navigate to your infra-gitops repository. + 1. Navigate to your `infra-gitops-config` repository. 1. At the base level, your infra repository should already have a folder with cluster name. Open up the tenant-operator-config and create a folder named templates if it is not already there. 1. Now add a template with the following structure. Remember to replace the placeholders. 
@@ -220,7 +220,7 @@ To have a fully functional pipeline, we will be needing a few secrets. Some of t * _Owner_: Customer's delivery engineer * _Location_: In build namespace of the tenant through `apps-gitops` repository * _Deployment Process_: To deploy the git-pat-creds, follow the below-mentioned steps: - 1. Navigate to your apps-gitops repository + 1. Navigate to your `apps-gitops-config` repository 1. Open up the tenant for which you want to deploy this secret. 1. Now navigate to the folder which bears the name of the application for which you want to run the pipelines. 1. Open the build folder. 
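Review bot: the `_Deployment Process_` context line directly above the changed step still says "To deploy the git-pat-creds", but this list belongs to `[app-name]-ssh-creds`; fix the name while this block is being touched. The `_Location_` line also still reads `apps-gitops` although step 1 is renamed to `apps-gitops-config` here, so the two lines now disagree on the repository name.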
@@ -249,15 +249,15 @@ To have a fully functional pipeline, we will be needing a few secrets. Some of t property: api_private_key ``` - 1. Now open up the tenant path in vault and add a secret named [app-name]-ssh-creds. Add a key api_private_key. The value should have a private ssh key that has access to your application repository as well as you apps-gitops repository. - 1. Assuming you have already set up the apps-gitops repository, you should be able to see the secret deployed to your tenant's build namespace. + 1. Now open up the tenant path in Vault and add a secret named [app-name]-ssh-creds. Add a key api_private_key. The value should have a private ssh key that has access to your application repository as well as you `apps-gitops-config` repository. + 1. Assuming you have already set up the `apps-gitops-config` repository, you should be able to see the secret deployed to your tenant's build namespace. * `[app-name]-git-webhook-creds` * _Purpose_: Used in the Repository CR. pipeline-as-code needs this to verify the webhook payload set * _Owner_: Developer owns this secret * _Location_: In build namespace of the tenant through `apps-gitops` repository * _Deployment Process_: Follow the below mentioned steps for deploying the secret: - 1. Navigate to your apps-gitops repository + 1. Navigate to your `apps-gitops-config` repository 1. Open up the tenant for which you want to deploy this secret. 1. Now navigate to the folder which bears the name of the application for which you want to run the pipelines. 1. Open the build folder. From bdca5f5a8785b64c2ce30512f9f8087aece55b88 Mon Sep 17 00:00:00 2001 From: asfamumtaz Date: Thu, 2 Nov 2023 19:18:48 +0500 Subject: [PATCH 24/29] lint --- .../for-developers/tutorials/outer-loop/deploying-secrets.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/content/for-developers/tutorials/outer-loop/deploying-secrets.md b/content/for-developers/tutorials/outer-loop/deploying-secrets.md index 12adc679..12d21ac1 100644 --- a/content/for-developers/tutorials/outer-loop/deploying-secrets.md +++ b/content/for-developers/tutorials/outer-loop/deploying-secrets.md @@ -256,7 +256,7 @@ To have a fully functional pipeline, we will be needing a few secrets. Some of t * _Purpose_: Used in the Repository CR. pipeline-as-code needs this to verify the webhook payload set * _Owner_: Developer owns this secret * _Location_: In build namespace of the tenant through `apps-gitops` repository - * _Deployment Process_: Follow the below mentioned steps for deploying the secret: + * _Deployment Process_: Follow the below-mentioned steps for deploying the secret: 1. Navigate to your `apps-gitops-config` repository 1. Open up the tenant for which you want to deploy this secret. 1. Now navigate to the folder which bears the name of the application for which you want to run the pipelines. From 17f5f45487ceaf7383b3097ff850acffa3a31998 Mon Sep 17 00:00:00 2001 From: asfamumtaz Date: Thu, 2 Nov 2023 19:30:20 +0500 Subject: [PATCH 25/29] numbering --- .../tutorials/outer-loop/deploying-secrets.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/content/for-developers/tutorials/outer-loop/deploying-secrets.md b/content/for-developers/tutorials/outer-loop/deploying-secrets.md index 12d21ac1..7fc5575b 100644 --- a/content/for-developers/tutorials/outer-loop/deploying-secrets.md +++ b/content/for-developers/tutorials/outer-loop/deploying-secrets.md @@ -5,7 +5,7 @@ To have a fully functional pipeline, we will be needing a few secrets. Some of t ## Auto Generated Secrets -* `sonar-creds` +1. `sonar-creds` * _Purpose_: Used by `sonarqube-scan` pipeline task * _Owner_: SAAP admins * _Type_: Login credentials for SonarQube 
@@ -13,7 +13,7 @@ To have a fully functional pipeline, we will be needing a few secrets. Some of t * _Lifecycle_: Every time a new tenant is created, the secret gets deployed in the build namespace. SonarQube credentials are not rotated and remain the same. * _Comment_: The origin of this secret is the SonarQube namespace. Secret is copied over to build namespace using an MTO template and Template Group Instance. * _Deployment Process_: The SonarQube deployed on SAAP contains a secret named `sonar-creds` in its namespace. This secret contains the username and password for SonarQube. We use a Multi Tenant Operator Template and TemplateGroupInstance to copy this secret and distribute it the build namespaces of all tenants. The Template and TemplateGroupInstance are both named `sonar-creds` -* `docker-reg-creds` +1. `docker-reg-creds` * _Purpose_: Used by buildah and the application itself to pull the image from the nexus registry * _Owner_: SAAP admins * _Type_: Login credentials for nexus docker registry. The secret itself is of type dockerconfigjson. @@ -21,7 +21,7 @@ To have a fully functional pipeline, we will be needing a few secrets. Some of t * _Lifecycle_: Every time a new tenant is created, the secret gets deployed in all its namespaces. * _Deployment Process_: Nexus comes shipped with SAAP. The `nexus3` namespace contains a secret named `docker-reg-creds`. This secret contains the .dockerconfigjson file. We use a Multi Tenant Operator Template and TemplateGroupInstance to copy this secret and distribute it all namespaces of the tenants. The Template and TemplateGroupInstance are both named `docker-reg-creds` -* `helm-reg-creds` +1. `helm-reg-creds` * _Purpose_: Used to pull and push charts from the Nexus Helm Registry. We use it in two places for our pipeline: 1. `stakater-helm-push` task 1. ArgoCD to fetch the helm chart 
@@ -30,7 +30,7 @@ To have a fully functional pipeline, we will be needing a few secrets. Some of t * _Lifecycle_: Every time a new tenant is created, the secret gets deployed in the build namespace. The same secret is deployed in the `rh-openshift-gitops-instance` when SAAP is provisioned. * _Deployment Process_: Nexus comes shipped with SAAP. The `nexus3` namespace contains a secret named `helm-reg-creds`. This secret contains the username and password for the helm registry. We use a Multi Tenant Operator Template and TemplateGroupInstance to copy this secret and distribute it all namespaces of the tenants. The Template and TemplateGroupInstance are both named `helm-reg-creds`. Another TGI named `helm-reg-creds-gitops` deploys the secret in GitOps namespace so ArgoCD can fetch the charts. -* `rox-creds` +1. `rox-creds` * _Purpose_: Used by three Tekton Tasks: 1. `stakater-rox-deployment-check` 1. `stakater-rox-image-check` @@ -43,7 +43,7 @@ To have a fully functional pipeline, we will be needing a few secrets. Some of t ## Infra GitOps Creds -* `infra-gitops-creds` +1. `infra-gitops-creds` * _Purpose_: This secret is added so ArgoCD can sync the repository. You can either use an ssh key or a personal access token for this purpose. * _Owner_: The owner of this secret will be customer's delivery engineer * _Location_: The secret will be deployed in the `rh-openshift-gitops-instance` namespace @@ -74,7 +74,7 @@ To have a fully functional pipeline, we will be needing a few secrets. Some of t !!! note These secrets need to go into your Infra GitOps Repository -* `apps-gitops-creds` +1. `apps-gitops-creds` * _Purpose_: This secret is added so ArgoC * _Used for_: Communicating with RHACS API to scan images and deployments * _Lifecycle_: Created at the time of RHACS deployment. The secret is then copied over to build namespaces of tenants. 
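Review bot: in the last hunk above (-74,7 +74,7), the `apps-gitops-creds` entry has a `_Purpose_` line cut off at "This secret is added so ArgoC", followed by `_Used for_` and `_Lifecycle_` lines about RHACS that belong to `rox-creds`. The renumbering carries this over unchanged. Restore the full purpose sentence and remove the RHACS lines from this entry, so readers are not told that the ArgoCD repository credential is used to talk to the RHACS API.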
@@ -154,7 +154,7 @@ To have a fully functional pipeline, we will be needing a few secrets. Some of t 1. Wait for ArgoCD to sync your changes. -* `git-pat-creds` +1. `git-pat-creds` * _Purpose_: Used for three reasons: 1. In the Repository CR so pipeline-as-code can talk to the repository 1. In create-environment task to get commit hashes @@ -211,7 +211,7 @@ To have a fully functional pipeline, we will be needing a few secrets. Some of t ## Repository level secrets -* `[app-name]-ssh-creds` +1. `[app-name]-ssh-creds` * _Purpose_: Used by these Tekton tasks: * `git-clone` * `push-main-tag` @@ -252,7 +252,7 @@ To have a fully functional pipeline, we will be needing a few secrets. Some of t 1. Now open up the tenant path in Vault and add a secret named [app-name]-ssh-creds. Add a key api_private_key. The value should have a private ssh key that has access to your application repository as well as you `apps-gitops-config` repository. 1. Assuming you have already set up the `apps-gitops-config` repository, you should be able to see the secret deployed to your tenant's build namespace. -* `[app-name]-git-webhook-creds` +1. `[app-name]-git-webhook-creds` * _Purpose_: Used in the Repository CR. pipeline-as-code needs this to verify the webhook payload set * _Owner_: Developer owns this secret * _Location_: In build namespace of the tenant through `apps-gitops` repository From 356336692966950373ba11489182d22a2f5a72e2 Mon Sep 17 00:00:00 2001 From: Karl Johan Grahn Date: Thu, 2 Nov 2023 23:00:13 +0100 Subject: [PATCH 26/29] update --- content/managed-addons/overview.md | 2 +- vocabulary | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/content/managed-addons/overview.md b/content/managed-addons/overview.md index a666ab07..5c0c9e88 100644 --- a/content/managed-addons/overview.md +++ b/content/managed-addons/overview.md 
@@ -37,5 +37,5 @@ Ingress controller | [OpenShift Router](./ingress-controller/overview.md) Kubernetes event routing | [Event Router](./event-router/overview.md) Lock manager | [RDLM](./rdlm/overview.md) Local development | [Tilt](./tilt/overview.md) -Showback | [OpenCost](./opencost/overview.md) +Show-back | [OpenCost](./opencost/overview.md) Intrusion detection | Falco (coming soon) diff --git a/vocabulary b/vocabulary index c85a24b9..4fb42902 160000 --- a/vocabulary +++ b/vocabulary @@ -1 +1 @@ -Subproject commit c85a24b97a148bbad30b23d4bd39260b9920172b +Subproject commit 4fb4290235638237f2c987937f943d18ffb0641b From 2842cb98c25ff1b5ea5eeca4175f0cf4216e2f8d Mon Sep 17 00:00:00 2001 From: Karl Johan Grahn Date: Thu, 2 Nov 2023 23:00:28 +0100 Subject: [PATCH 27/29] update --- vocabulary | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vocabulary b/vocabulary index 4fb42902..c85a24b9 160000 --- a/vocabulary +++ b/vocabulary @@ -1 +1 @@ -Subproject commit 4fb4290235638237f2c987937f943d18ffb0641b +Subproject commit c85a24b97a148bbad30b23d4bd39260b9920172b From 9a7e5022b3b475813631dca99d5161eb72a4abd2 Mon Sep 17 00:00:00 2001 From: Karl Johan Grahn Date: Thu, 2 Nov 2023 23:00:42 +0100 Subject: [PATCH 28/29] update --- content/managed-addons/overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/managed-addons/overview.md b/content/managed-addons/overview.md index 5c0c9e88..a666ab07 100644 --- a/content/managed-addons/overview.md +++ b/content/managed-addons/overview.md @@ -37,5 +37,5 @@ Ingress controller | [OpenShift Router](./ingress-controller/overview.md) Kubernetes event routing | [Event Router](./event-router/overview.md) Lock manager | [RDLM](./rdlm/overview.md) Local development | [Tilt](./tilt/overview.md) -Show-back | [OpenCost](./opencost/overview.md) +Showback | [OpenCost](./opencost/overview.md) Intrusion detection | Falco (coming soon) From 55020f4eab0952c60c1e80118da36ce97ce6f51a Mon Sep 17 00:00:00 2001 
From: Karl Johan Grahn Date: Thu, 2 Nov 2023 23:08:45 +0100 Subject: [PATCH 29/29] update --- mkdocs.yml | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/mkdocs.yml b/mkdocs.yml index 6e083c67..86fbcdf0 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -196,7 +196,7 @@ nav: - managed-addons/nexus/how-to-guide/how-to-upload-from-ui.md - managed-addons/nexus/how-to-guide/how-to-upload-local-machine.md - managed-addons/nexus/how-to-guide/how-to-grant-admin-privileges.md - - Explanation: + - Explanation: - managed-addons/nexus/explanation/routes.md - managed-addons/nexus/explanation/permissions.md - Vault: @@ -215,6 +215,16 @@ nav: - managed-addons/forecastle/overview.md - Tutorials: - managed-addons/forecastle/tutorial/add-forecastle-app.md + - Tilt: + - managed-addons/tilt/overview.md + - Dependency updates: + - managed-addons/renovate/overview.md + - Gatekeeper: + - managed-addons/gatekeeper/overview.md + - Showback: + - managed-addons/opencost/overview.md + - Restful Distributed Lock Manager (RDLM): + - managed-addons/rdlm/overview.md - Ingress Monitor Controller: - managed-addons/imc/overview.md - Tutorials: @@ -261,15 +271,15 @@ nav: - Horizontal Pod Autoscaler (HPA): - managed-addons/horizontal-pod-autoscaler/overview.md - Pelorus: - - managed-addons/pelorus/overview.md + - managed-addons/pelorus/overview.md - Service Mesh: - managed-addons/service-mesh/overview.md - Patch Operator: - - managed-addons/patch-operator/overview.md + - managed-addons/patch-operator/overview.md - Ingress Controller: - - managed-addons/ingress-controller/overview.md + - managed-addons/ingress-controller/overview.md - Event Router: - - managed-addons/event-router/overview.md + - managed-addons/event-router/overview.md - Legal Documents: - legal-documents/gtc.md - legal-documents/sla.md
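Review bot: in the `@@ -30,7 +30,7 @@` hunk of the secrets document, the two `helm-reg-creds` context lines disagree about where the secret lands. _Lifecycle_ says it is deployed "in the build namespace" of a new tenant, while _Deployment Process_ says the Template and TemplateGroupInstance "distribute it all namespaces of the tenants" (also missing "to"). Since this is a registry username and password copied into many namespaces, please make the two lines agree and state what the account is allowed to do (pull only, or also push), so a reader can judge the exposure of each copy.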
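Review bot: in the `@@ -43,7 +43,7 @@` hunk (and the same one-line change in the other hunks of this file), the secret name becomes an ordered item `1.` while its children (`_Purpose_`, `_Owner_`, `_Location_`) stay `*` bullets, and the numbering restarts under each heading such as `## Infra GitOps Creds` and `## Repository level secrets`. The numbers therefore carry no stable meaning a reader could cite. Either keep `*` for the secret names or promote each secret name to its own sub-heading so it can be linked to directly.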
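Review bot: in the `@@ -252,7 +252,7 @@` hunk, the context step for `[app-name]-ssh-creds` asks for one private SSH key "that has access to your application repository as well as you `apps-gitops-config` repository" without saying which access each repository needs. Please document read or write per repository (the tasks listed for this secret include `git-clone` and `push-main-tag`), and say whether a single key for both repositories is required or whether separate keys are supported, so the key can be scoped no wider than the pipeline needs. Two wording fixes in the same hunk: "as well as you" should be "as well as your", and "verify the webhook payload set" under `[app-name]-git-webhook-creds` looks like it should read "sent".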
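Review bot: patches 26/29 through 28/29 cancel each other out and should be dropped or squashed before merge. 26 changes `Showback` to `Show-back` in `content/managed-addons/overview.md` and moves the `vocabulary` subproject commit from `c85a24b9` to `4fb42902`; 27 moves the subproject commit back; 28 restores `Showback`. The net change is nothing, but the history gains three commits whose subject is only "update". If the `vocabulary` pointer bump was intended, it deserves its own commit with a subject that says what changed in the vocabulary and why.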
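Review bot: in the `mkdocs.yml` hunk at `@@ -215,6 +215,16 @@` of patch 29/29, the new nav labels are inconsistent: "Dependency updates" and "Showback" name the function, "Tilt" and "Gatekeeper" name the tool, and "Restful Distributed Lock Manager (RDLM)" does both. Pick one convention, ideally the one the table in `content/managed-addons/overview.md` uses. Please also confirm that `managed-addons/renovate/overview.md` and `managed-addons/gatekeeper/overview.md` exist, since no hunk shown here adds them and a nav entry for a missing page fails or warns at build time. The whitespace-only changes on the `Explanation:`, Pelorus, Patch Operator, Ingress Controller and Event Router lines would be easier to review as a separate commit from the nav additions.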