Merge pull request #36 from mbaldessari/common-automatic-update
common automatic update
mbaldessari authored Apr 29, 2024
2 parents 95b2f21 + d4383b9 commit 57a6bb3
Showing 150 changed files with 46,787 additions and 10,193 deletions.
3 changes: 3 additions & 0 deletions common/.ansible-lint
Expand Up @@ -14,4 +14,7 @@ skip_list:
exclude_paths:
- ./ansible/playbooks/vault/vault.yaml
- ./ansible/playbooks/iib-ci/iib-ci.yaml
- ./ansible/playbooks/k8s_secrets/k8s_secrets.yml
- ./ansible/playbooks/process_secrets/process_secrets.yml
- ./ansible/playbooks/process_secrets/display_secrets_info.yml
- ./ansible/roles/vault_utils/tests/test.yml
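Review bot: The new `exclude_paths` entries appear to be the `k8s_secrets`, `process_secrets` and `display_secrets_info` playbooks, which is exactly the code that handles pattern secrets, so ansible-lint no longer covers it. Nothing in the hunk records which rule fails or why it cannot be fixed or `noqa`-tagged in place, which is what a later maintainer needs to decide whether the exclusion can be lifted. A one-line comment above each entry such as `# excluded: <rule id and reason>` would keep these exclusions reviewable.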
2 changes: 1 addition & 1 deletion common/.github/workflows/chart-branches.yml
Expand Up @@ -32,7 +32,7 @@ jobs:
- name: Checkout Code
uses: actions/checkout@v4

- uses: dorny/paths-filter@v2
- uses: dorny/paths-filter@v3
id: filter
with:
filters: |
4 changes: 2 additions & 2 deletions common/.github/workflows/linter.yml
Expand Up @@ -34,9 +34,9 @@ jobs:
# Full git history is needed to get a proper list of changed files within `super-linter`
fetch-depth: 0
- name: Setup helm
uses: azure/setup-helm@v3
uses: azure/setup-helm@v4
with:
version: 'v3.12.3'
version: 'v3.13.2'


################################
1 change: 1 addition & 0 deletions common/.gitignore
Expand Up @@ -5,6 +5,7 @@ __pycache__/
*.swo
values-secret.yaml
.*.expected.yaml
.vscode
pattern-vault.init
pattern-vault.init.bak
super-linter.log
69 changes: 49 additions & 20 deletions common/Makefile
@@ -1,4 +1,5 @@
NAME ?= $(shell basename "`pwd`")

ifneq ($(origin TARGET_SITE), undefined)
TARGET_SITE_OPT=--set main.clusterGroupName=$(TARGET_SITE)
endif
Expand Down Expand Up @@ -55,11 +56,12 @@ help: ## This help message
show: ## show the starting template without installing it
helm template common/operator-install/ --name-template $(NAME) $(HELM_OPTS)

preview-all:
preview-all: ## (EXPERIMENTAL) Previews all applications on hub and managed clusters
@echo "NOTE: This is just a tentative approximation of rendering all hub and managed clusters templates"
@common/scripts/preview-all.sh $(TARGET_REPO) $(TARGET_BRANCH)

preview-%:
CLUSTERGROUP?=$(shell yq ".main.clusterGroupName" values-global.yaml)
$(eval CLUSTERGROUP ?= $(shell yq ".main.clusterGroupName" values-global.yaml))
@common/scripts/preview.sh $(CLUSTERGROUP) $* $(TARGET_REPO) $(TARGET_BRANCH)

.PHONY: operator-deploy
Expand All @@ -77,9 +79,37 @@ uninstall: ## runs helm uninstall
@oc delete csv -n openshift-operators $(CSV)

.PHONY: load-secrets
load-secrets: ## loads the secrets into the vault
load-secrets: ## loads the secrets into the backend determined by values-global setting
common/scripts/process-secrets.sh $(NAME)

.PHONY: legacy-load-secrets
legacy-load-secrets: ## loads the secrets into vault (only)
common/scripts/vault-utils.sh push_secrets $(NAME)

.PHONY: secrets-backend-vault
secrets-backend-vault: ## Edits values files to use default Vault+ESO secrets config
common/scripts/set-secret-backend.sh vault
common/scripts/manage-secret-app.sh vault present
common/scripts/manage-secret-app.sh golang-external-secrets present
common/scripts/manage-secret-namespace.sh validated-patterns-secrets absent
@git diff --exit-code || echo "Secrets backend set to vault, please review changes, commit, and push to activate in the pattern"

.PHONY: secrets-backend-kubernetes
secrets-backend-kubernetes: ## Edits values file to use Kubernetes+ESO secrets config
common/scripts/set-secret-backend.sh kubernetes
common/scripts/manage-secret-namespace.sh validated-patterns-secrets present
common/scripts/manage-secret-app.sh vault absent
common/scripts/manage-secret-app.sh golang-external-secrets present
@git diff --exit-code || echo "Secrets backend set to kubernetes, please review changes, commit, and push to activate in the pattern"

.PHONY: secrets-backend-none
secrets-backend-none: ## Edits values files to remove secrets manager + ESO
common/scripts/set-secret-backend.sh none
common/scripts/manage-secret-app.sh vault absent
common/scripts/manage-secret-app.sh golang-external-secrets absent
common/scripts/manage-secret-namespace.sh validated-patterns-secrets absent
@git diff --exit-code || echo "Secrets backend set to none, please review changes, commit, and push to activate in the pattern"

.PHONY: load-iib
load-iib: ## CI target to install Index Image Bundles
@set -e; if [ x$(INDEX_IMAGES) != x ]; then \
Expand All @@ -99,14 +129,9 @@ load-iib: ## CI target to install Index Image Bundles
.PHONY: validate-origin
validate-origin: ## verify the git origin is available
@echo "Checking repository:"
@echo -n " $(TARGET_REPO) - branch $(TARGET_BRANCH): "
@if [ ! -f /run/.containerenv ]; then\
git ls-remote --exit-code --heads $(TARGET_REPO) $(TARGET_BRANCH) >/dev/null &&\
echo "OK" ||\
(echo "NOT FOUND"; exit 1);\
else\
echo "Running inside a container: Skipping git ssh checks";\
fi
@echo -n " $(TARGET_REPO) - branch '$(TARGET_BRANCH)': "
@git ls-remote --exit-code --heads $(TARGET_REPO) $(TARGET_BRANCH) >/dev/null &&\
echo "OK" || (echo "NOT FOUND"; exit 1)

.PHONY: validate-cluster
validate-cluster: ## Do some cluster validations before installing
Expand All @@ -130,15 +155,19 @@ validate-schema: ## validates values files against schema in common/clustergroup

.PHONY: validate-prereq
validate-prereq: ## verify pre-requisites
@echo "Checking prerequisites:"
@for t in $(EXECUTABLES); do if ! which $$t > /dev/null 2>&1; then echo "No $$t in PATH"; exit 1; fi; done
@echo " Check for '$(EXECUTABLES)': OK"
@echo -n " Check for python-kubernetes: "
@if ! ansible -m ansible.builtin.command -a "{{ ansible_python_interpreter }} -c 'import kubernetes'" localhost > /dev/null 2>&1; then echo "Not found"; exit 1; fi
@echo "OK"
@echo -n " Check for kubernetes.core collection: "
@if ! ansible-galaxy collection list | grep kubernetes.core > /dev/null 2>&1; then echo "Not found"; exit 1; fi
@echo "OK"
@if [ ! -f /run/.containerenv ]; then\
echo "Checking prerequisites:";\
for t in $(EXECUTABLES); do if ! which $$t > /dev/null 2>&1; then echo "No $$t in PATH"; exit 1; fi; done;\
echo " Check for '$(EXECUTABLES)': OK";\
echo -n " Check for python-kubernetes: ";\
if ! ansible -m ansible.builtin.command -a "{{ ansible_python_interpreter }} -c 'import kubernetes'" localhost > /dev/null 2>&1; then echo "Not found"; exit 1; fi;\
echo "OK";\
echo -n " Check for kubernetes.core collection: ";\
if ! ansible-galaxy collection list | grep kubernetes.core > /dev/null 2>&1; then echo "Not found"; exit 1; fi;\
echo "OK";\
else\
echo "Skipping prerequisites check as we're running inside a container";\
fi

.PHONY: argo-healthcheck
argo-healthcheck: ## Checks if all argo applications are synced
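Review bot: In `preview-%`, `$(eval CLUSTERGROUP ?= $(shell yq ".main.clusterGroupName" values-global.yaml))` still runs `yq` on every invocation, because the argument of `$(eval)` is fully expanded before the `?=` it contains is evaluated, so passing `CLUSTERGROUP=...` on the command line does not avoid the shell call and `yq` plus `values-global.yaml` stay hard requirements of the target. Escaping the inner call, `$(eval CLUSTERGROUP ?= $$(shell yq ".main.clusterGroupName" values-global.yaml))`, defers it until `$(CLUSTERGROUP)` is expanded on the next recipe line, and only when nothing was supplied. In the reworked `validate-prereq`, `which $$t` is not POSIX and is absent from some minimal images, so the check can report "No $t in PATH" for a tool that is present; `command -v $$t` is the portable equivalent.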
4 changes: 2 additions & 2 deletions common/acm/templates/_helpers.tpl
Expand Up @@ -5,9 +5,9 @@ Default always defined valueFiles to be included when pushing the cluster wide a
- "/values-global.yaml"
- "/values-{{ .name }}.yaml"
- '/values-{{ `{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}` }}.yaml'
- '/values-{{ `{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}` }}-{{ `{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}` }}.yaml'
- '/values-{{ `{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}` }}-{{ `{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}` }}.yaml'
- '/values-{{ `{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}` }}-{{ .name }}.yaml'
# We cannot use $.Values.global.clusterVersion because that gets resolved to the
# hub's cluster version, whereas we want to include the spoke cluster version
- '/values-{{ `{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}` }}-{{ .name }}.yaml'
- '/values-{{ `{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}` }}.yaml'
{{- end }} {{- /*acm.app.policies.valuefiles */}}
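Review bot: The new `ClusterVersion` lookup reads `status.history 0`, which as far as I know is the most recent update entry and may still be in a `Partial` state while an upgrade is running, so a spoke could briefly select values files for a version it has not finished reaching; `status.desired.version` is worth comparing as the source before relying on this. The same roughly 200-character expression is now repeated twice in this template and once more in `application-policies.yaml`, and this commit had to change all three copies in lockstep; a small named template, e.g. `{{- define "acm.app.policies.clusterVersion" -}}` wrapping the lookup, would keep them from drifting. The `define` this hunk belongs to starts above the hunk.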
16 changes: 7 additions & 9 deletions common/acm/templates/policies/application-policies.yaml
@@ -1,4 +1,5 @@
# TODO: Also create a GitOpsCluster.apps.open-cluster-management.io
{{- $hasInitContainerCapability := and (.Values.global.experimentalCapabilities) (has "initcontainers" (splitList "," .Values.global.experimentalCapabilities)) }}
{{- range .Values.clusterGroup.managedClusterGroups }}
{{- $group := . }}
{{- if not .hostedArgoSites }}
Expand Down Expand Up @@ -43,18 +44,15 @@ spec:
helm:
ignoreMissingValueFiles: true
valueFiles:
{{- include "acm.app.policies.valuefiles" . | nindent 24 }}
{{- include "acm.app.policies.valuefiles" . | nindent 22 }}
{{- range $valueFile := $.Values.global.extraValueFiles }}
- {{ $valueFile | quote }}
{{- end }}
{{- range $valueFile := .extraValueFiles }}
- {{ $valueFile | quote }}
{{- end }}
parameters:
- name: global.repoURL
value: $ARGOCD_APP_SOURCE_REPO_URL
value: {{ $.Values.global.repoURL }}
- name: global.targetRevision
value: $ARGOCD_APP_SOURCE_TARGET_REVISION
value: {{ $.Values.global.targetRevision }}
- name: global.namespace
value: $ARGOCD_APP_NAMESPACE
- name: global.pattern
Expand All @@ -63,18 +61,18 @@ spec:
value: {{ $.Values.global.hubClusterDomain }}
- name: global.localClusterDomain
value: '{{ `{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain }}` }}'
# Requires ACM 2.6 or higher
- name: global.clusterDomain
value: '{{ `{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain | replace "apps." "" }}` }}'
# Requires ACM 2.6 or higher (I could not come up with something less terrible to get maj.min)
- name: global.clusterVersion
value: '{{ `{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}` }}'
value: '{{ `{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}` }}'
- name: global.localClusterName
value: '{{ `{{ (split "." (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain)._1 }}` }}'
- name: global.clusterPlatform
value: {{ $.Values.global.clusterPlatform }}
- name: clusterGroup.name
value: {{ $group.name }}
- name: global.experimentalCapabilities
value: {{ $.Values.global.experimentalCapabilities }}
{{- range .helmOverrides }}
- name: {{ .name }}
value: {{ .value | quote }}
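Review bot: The added `value: {{ $.Values.global.experimentalCapabilities }}` is emitted unquoted, so when the value is unset the parameter renders as `value:` (YAML null) rather than an empty string, unlike the `helmOverrides` loop immediately below which quotes its values; `value: {{ $.Values.global.experimentalCapabilities | quote }}` keeps the parameter type consistent. The `$hasInitContainerCapability` variable introduced on the first line of this file is not referenced in any of the visible hunks here; if it is only needed by `ocp-gitops-policy.yaml`, it can be dropped from this template.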
169 changes: 168 additions & 1 deletion common/acm/templates/policies/ocp-gitops-policy.yaml
@@ -1,3 +1,4 @@
{{- $hasInitContainerCapability := and (.Values.global.experimentalCapabilities) (has "initcontainers" (splitList "," .Values.global.experimentalCapabilities)) }}
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
Expand All @@ -24,6 +25,15 @@ spec:
include:
- default
object-templates:
- complianceType: mustonlyhave
objectDefinition:
kind: ConfigMap
apiVersion: v1
metadata:
name: trusted-ca-bundle
namespace: openshift-gitops
labels:
config.openshift.io/inject-trusted-cabundle: 'true'
- complianceType: mustonlyhave
objectDefinition:
# This is an auto-generated file. DO NOT EDIT
Expand All @@ -35,7 +45,7 @@ spec:
labels:
operators.coreos.com/openshift-gitops-operator.openshift-operators: ''
spec:
channel: {{ default "gitops-1.8" .Values.main.gitops.channel }}
channel: {{ default "gitops-1.11" .Values.main.gitops.channel }}
installPlanApproval: Automatic
name: openshift-gitops-operator
source: redhat-operators
Expand All @@ -44,6 +54,163 @@ spec:
env:
- name: ARGOCD_CLUSTER_CONFIG_NAMESPACES
value: "*"
{{- if $hasInitContainerCapability }}
- complianceType: mustonlyhave
objectDefinition:
apiVersion: argoproj.io/v1beta1
kind: ArgoCD
metadata:
name: openshift-gitops
namespace: openshift-gitops
spec:
applicationSet:
resources:
limits:
cpu: "2"
memory: 1Gi
requests:
cpu: 250m
memory: 512Mi
webhookServer:
ingress:
enabled: false
route:
enabled: false
controller:
processors: {}
resources:
limits:
cpu: "2"
memory: 2Gi
requests:
cpu: 250m
memory: 1Gi
sharding: {}
grafana:
enabled: false
ingress:
enabled: false
resources:
limits:
cpu: 500m
memory: 256Mi
requests:
cpu: 250m
memory: 128Mi
route:
enabled: false
ha:
enabled: false
resources:
limits:
cpu: 500m
memory: 256Mi
requests:
cpu: 250m
memory: 128Mi
initialSSHKnownHosts: {}
monitoring:
enabled: false
notifications:
enabled: false
prometheus:
enabled: false
ingress:
enabled: false
route:
enabled: false
rbac:
defaultPolicy: ""
policy: |-
g, system:cluster-admins, role:admin
g, cluster-admins, role:admin
scopes: '[groups]'
redis:
resources:
limits:
cpu: 500m
memory: 256Mi
requests:
cpu: 250m
memory: 128Mi
repo:
initContainers:
- command:
- bash
- -c
- cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt > /tmp/ca-bundles/ca-bundle.crt
|| true
image: registry.access.redhat.com/ubi9/ubi-minimal:latest
name: fetch-ca
resources: {}
volumeMounts:
- mountPath: /var/run/kube-root-ca
name: kube-root-ca
- mountPath: /var/run/trusted-ca
name: trusted-ca-bundle
- mountPath: /tmp/ca-bundles
name: ca-bundles
resources:
limits:
cpu: "1"
memory: 1Gi
requests:
cpu: 250m
memory: 256Mi
volumeMounts:
- mountPath: /etc/pki/tls/certs
name: ca-bundles
volumes:
- configMap:
name: kube-root-ca.crt
name: kube-root-ca
- configMap:
name: trusted-ca-bundle
optional: true
name: trusted-ca-bundle
- emptyDir: {}
name: ca-bundles
resourceExclusions: |-
- apiGroups:
- tekton.dev
clusters:
- '*'
kinds:
- TaskRun
- PipelineRun
server:
autoscale:
enabled: false
grpc:
ingress:
enabled: false
ingress:
enabled: false
resources:
limits:
cpu: 500m
memory: 256Mi
requests:
cpu: 125m
memory: 128Mi
route:
enabled: true
service:
type: ""
sso:
dex:
openShiftOAuth: true
resources:
limits:
cpu: 500m
memory: 256Mi
requests:
cpu: 250m
memory: 128Mi
provider: dex
tls:
ca: {}
{{- end }}{{/* if hasInitContainerCapability */}}
---
apiVersion: policy.open-cluster-management.io/v1
kind: PlacementBinding
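Review bot: The `fetch-ca` init container pulls `registry.access.redhat.com/ubi9/ubi-minimal:latest`, a floating tag, so the image that assembles the TLS trust bundle used by every Argo CD repo-server fetch can change underneath the policy without a commit; pinning it by digest (`ubi-minimal@sha256:<digest placeholder>`) or at least a full version tag makes the trust chain reproducible. The `|| true` after the `cat` means that if `/var/run/trusted-ca/ca-bundle.crt` is absent (the ConfigMap is `optional: true`) or the kube root CA is unreadable, the init container still succeeds with a partial or empty bundle, while the `emptyDir` mounted at `/etc/pki/tls/certs` shadows the image's system CA directory, so the failure only surfaces later as TLS errors in the repo server. Writing the mandatory file first and guarding only the optional one, `cat /var/run/kube-root-ca/ca.crt > /tmp/ca-bundles/ca-bundle.crt && if [ -f /var/run/trusted-ca/ca-bundle.crt ]; then cat /var/run/trusted-ca/ca-bundle.crt >> /tmp/ca-bundles/ca-bundle.crt; fi`, keeps the optional-ConfigMap case working and fails fast when the root CA is missing. The whole block is gated on `$hasInitContainerCapability`, so this only affects the experimental path.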