Merge pull request #110 from mbaldessari/common-automatic-update

common automatic update
validatedpatterns · Dec 18, 2023 · 69a4216 · 69a4216
2 parents 84ac25d + 66101f9
commit 69a4216
Show file tree

Hide file tree

Showing 80 changed files with 6,640 additions and 1,615 deletions.
diff --git a/common/.github/workflows/ansible-unittest.yml b/common/.github/workflows/ansible-unittest.yml
@@ -38,7 +38,7 @@ jobs:
           fetch-depth: 0
 
       - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
         with:
           python-version: ${{ matrix.python-version }}
 

diff --git a/common/.github/workflows/jsonschema.yaml b/common/.github/workflows/jsonschema.yaml
@@ -38,7 +38,7 @@ jobs:
           fetch-depth: 0
 
       - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
         with:
           python-version: ${{ matrix.python-version }}
 

diff --git a/common/Makefile b/common/Makefile
@@ -44,6 +44,13 @@ help: ## This help message
 show: ## show the starting template without installing it
 	helm template common/operator-install/ --name-template $(NAME) $(HELM_OPTS)
 
+preview-all:
+	@common/scripts/preview-all.sh $(TARGET_REPO) $(TARGET_BRANCH)
+
+preview-%:
+	CLUSTERGROUP?=$(shell yq ".main.clusterGroupName" values-global.yaml)
+	@common/scripts/preview.sh $(CLUSTERGROUP) $* $(TARGET_REPO) $(TARGET_BRANCH)
+
 .PHONY: operator-deploy
 operator-deploy operator-upgrade: validate-prereq validate-origin validate-cluster ## runs helm install
 	@set -e -o pipefail

diff --git a/common/acm/.github/workflows/update-helm-repo.yml b/common/acm/.github/workflows/update-helm-repo.yml
@@ -18,12 +18,12 @@ on:
 
 jobs:
   helmlint:
-    uses: validatedpatterns/helm-charts/.github/workflows/helmlint.yml@main
+    uses: validatedpatterns/helm-charts/.github/workflows/helmlint.yml@985ba37e0eb50b1b35ec194fc999eae2d0ae1486
     permissions:
       contents: read
 
   update-helm-repo:
     needs: [helmlint]
-    uses: validatedpatterns/helm-charts/.github/workflows/update-helm-repo.yml@main
+    uses: validatedpatterns/helm-charts/.github/workflows/update-helm-repo.yml@985ba37e0eb50b1b35ec194fc999eae2d0ae1486
     permissions: read-all
     secrets: inherit
diff --git a/common/acm/templates/policies/private-repo-policies.yaml b/common/acm/templates/policies/private-repo-policies.yaml
@@ -0,0 +1,161 @@
+# We copy the vp-private-repo-credentials from the "openshift-gitops" namespace
+# to the "open-cluster-management" via the "private-hub-policy"
+#
+# Then we copy the secret from the "open-cluster-management" namespace to the
+# managed clusters "openshift-gitops" instance
+#
+# And we also copy the same secret to the namespaced argo's namespace
+{{ if $.Values.global.privateRepo }}
+{{ if .Values.clusterGroup.isHubCluster }}
+---
+apiVersion: policy.open-cluster-management.io/v1
+kind: Policy
+metadata:
+  name: private-hub-policy
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+    argocd.argoproj.io/compare-options: IgnoreExtraneous
+spec:
+  remediationAction: enforce
+  disabled: false
+  policy-templates:
+    - objectDefinition:
+        apiVersion: policy.open-cluster-management.io/v1
+        kind: ConfigurationPolicy
+        metadata:
+          name: private-hub-config
+        spec:
+          remediationAction: enforce
+          severity: medium
+          namespaceSelector:
+            include:
+              - default
+          object-templates:
+            - complianceType: mustonlyhave
+              objectDefinition:
+                kind: Secret
+                apiVersion: v1
+                type: Opaque
+                metadata:
+                  name: vp-private-repo-credentials
+                  namespace: open-cluster-management
+                  labels:
+                    argocd.argoproj.io/secret-type: repository
+                data: '{{ `{{copySecretData "openshift-gitops" "vp-private-repo-credentials"}}` }}'
+---
+apiVersion: policy.open-cluster-management.io/v1
+kind: PlacementBinding
+metadata:
+  name: private-hub-placement-binding
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+placementRef:
+  name: private-hub-placement
+  kind: PlacementRule
+  apiGroup: apps.open-cluster-management.io
+subjects:
+  - name: private-hub-policy
+    kind: Policy
+    apiGroup: policy.open-cluster-management.io
+---
+apiVersion: apps.open-cluster-management.io/v1
+kind: PlacementRule
+metadata:
+  name: private-hub-placement
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+spec:
+  clusterConditions:
+    - status: 'True'
+      type: ManagedClusterConditionAvailable
+  clusterSelector:
+    matchExpressions:
+      - key: local-cluster
+        operator: In
+        values:
+          - 'true'
+---
+{{ end }}{{- /* if .Values.clusterGroup.isHubCluster */}}
+{{- range .Values.clusterGroup.managedClusterGroups }}
+{{- $group := . }}
+{{- if not .hostedArgoSites }}
+apiVersion: policy.open-cluster-management.io/v1
+kind: Policy
+metadata:
+  name: private-{{ .name }}-policy
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+    argocd.argoproj.io/compare-options: IgnoreExtraneous
+spec:
+  remediationAction: enforce
+  disabled: false
+  policy-templates:
+    - objectDefinition:
+        apiVersion: policy.open-cluster-management.io/v1
+        kind: ConfigurationPolicy
+        metadata:
+          name: private-{{ .name }}-config
+        spec:
+          remediationAction: enforce
+          severity: medium
+          namespaceSelector:
+            include:
+              - default
+          object-templates:
+            - complianceType: mustonlyhave
+              objectDefinition:
+                kind: Secret
+                apiVersion: v1
+                type: Opaque
+                metadata:
+                  name: vp-private-repo-credentials
+                  namespace: openshift-gitops
+                  labels:
+                    argocd.argoproj.io/secret-type: repository
+                data: '{{ `{{hub copySecretData "open-cluster-management" "vp-private-repo-credentials" hub}}` }}'
+            - complianceType: mustonlyhave
+              objectDefinition:
+                kind: Secret
+                apiVersion: v1
+                type: Opaque
+                metadata:
+                  name: vp-private-repo-credentials
+                  namespace: {{ $.Values.global.pattern }}-{{ .name }}
+                  labels:
+                    argocd.argoproj.io/secret-type: repository
+                data: '{{ `{{hub copySecretData "open-cluster-management" "vp-private-repo-credentials" hub}}` }}'
+---
+apiVersion: policy.open-cluster-management.io/v1
+kind: PlacementBinding
+metadata:
+  name: private-{{ .name }}-placement-binding
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+placementRef:
+  name: private-{{ .name }}-placement
+  kind: PlacementRule
+  apiGroup: apps.open-cluster-management.io
+subjects:
+  - name: private-{{ .name }}-policy
+    kind: Policy
+    apiGroup: policy.open-cluster-management.io
+---
+apiVersion: apps.open-cluster-management.io/v1
+kind: PlacementRule
+metadata:
+  name: private-{{ .name }}-placement
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+spec:
+  clusterConditions:
+    - status: 'True'
+      type: ManagedClusterConditionAvailable
+  clusterSelector:
+    matchExpressions:
+      - key: local-cluster
+        operator: NotIn
+        values:
+          - 'true'
+{{- end }}{{- /* if not .hostedArgoSites */}}
+{{- end }}{{- /* range .Values.clusterGroup.managedClusterGroups */}}
+{{- end }}{{- /* if $.Values.global.privateRepo */}}
diff --git a/common/ansible/roles/iib_ci/README.md b/common/ansible/roles/iib_ci/README.md
@@ -54,7 +54,7 @@ export CHANNEL=$(oc get -n openshift-marketplace packagemanifests -l "catalog=ii
 make EXTRA_HELM_OPTS="--set main.extraParameters[0].name=clusterGroup.subscriptions.acm.source --set main.extraParameters[0].value=iib-${IIB} --set main.extraParameters[1].name=clusterGroup.subscriptions.acm.channel --set main.extraParameters[1].value=${CHANNEL}" install
 ```
 
-*Note*: This needs VP operator version >= 0.0.14
+*Note*: In this case `acm` is the name of the subscription in `values-hub.yaml`
 
 ### OCP 4.13 and onwards
 

diff --git a/common/ansible/roles/iib_ci/tasks/mirror-related-images.yml b/common/ansible/roles/iib_ci/tasks/mirror-related-images.yml
@@ -89,7 +89,7 @@
     image_urls: "{{ image_urls | default({}) | combine({item:
       {'mirrordest': mirror_dest + item | basename,
        'mirrordest_nosha': (mirror_dest + item | basename) | regex_replace('@.*$', ''),
-       'mirrordest_tag': iib}}, recursive=true) }}"
+       'mirrordest_tag': 'tag-' + item | basename | regex_replace('^.*@sha256:', '')}}, recursive=true) }}"
   loop: "{{ all_images }}"
   when: use_internal_registry
 

diff --git a/common/ansible/roles/iib_ci/templates/imageDigestMirror.yaml.j2 b/common/ansible/roles/iib_ci/templates/imageDigestMirror.yaml.j2
@@ -10,9 +10,9 @@ spec:
     - mirrors:
         - {{ item.mirrordest_nosha }}
       source: {{ item.source_nosha }}
-      mirrorSourcePolicy: NeverContactSource
+      mirrorSourcePolicy: AllowContactingSource
     - mirrors:
         - {{ item.mirrordest_nosha }}
       source: {{ item.image_nosha }}
-      mirrorSourcePolicy: NeverContactSource
+      mirrorSourcePolicy: AllowContactingSource
 {% endfor %}
diff --git a/common/ansible/roles/vault_utils/tasks/push_secrets.yaml b/common/ansible/roles/vault_utils/tasks/push_secrets.yaml
@@ -30,7 +30,9 @@
     command:
       sh -c "vault list auth/{{ vault_hub }}/role | grep '{{ vault_hub }}-role'"
   register: vault_role_cmd
-  until: vault_role_cmd.rc == 0
+  until:
+    - vault_role_cmd.rc is defined
+    - vault_role_cmd.rc == 0
   retries: 20
   delay: 45
   changed_when: false

diff --git a/common/clustergroup/.github/workflows/update-helm-repo.yml b/common/clustergroup/.github/workflows/update-helm-repo.yml
@@ -9,6 +9,7 @@
 # - Contents: r/w
 # - Deployments: r/w
 # - Pages: r/w
+#
 
 name: vp-patterns/update-helm-repo
 on:
@@ -18,12 +19,12 @@ on:
 
 jobs:
   helmlint:
-    uses: validatedpatterns/helm-charts/.github/workflows/helmlint.yml@main
+    uses: validatedpatterns/helm-charts/.github/workflows/helmlint.yml@985ba37e0eb50b1b35ec194fc999eae2d0ae1486
     permissions:
       contents: read
 
   update-helm-repo:
     needs: [helmlint]
-    uses: validatedpatterns/helm-charts/.github/workflows/update-helm-repo.yml@main
+    uses: validatedpatterns/helm-charts/.github/workflows/update-helm-repo.yml@985ba37e0eb50b1b35ec194fc999eae2d0ae1486
     permissions: read-all
     secrets: inherit
diff --git a/common/clustergroup/Chart.yaml b/common/clustergroup/Chart.yaml
@@ -3,4 +3,4 @@ description: A Helm chart to create per-clustergroup ArgoCD applications and any
 keywords:
 - pattern
 name: clustergroup
-version: 0.0.4
+version: 0.8.2
diff --git a/common/clustergroup/templates/_helpers.tpl b/common/clustergroup/templates/_helpers.tpl
@@ -20,6 +20,8 @@ Default always defined top-level variables for helm charts
   value: {{ $.Values.global.hubClusterDomain }}
 - name: global.localClusterDomain
   value: {{ coalesce $.Values.global.localClusterDomain $.Values.global.hubClusterDomain }}
+- name: global.privateRepo
+  value: {{ $.Values.global.privateRepo | quote }}
 {{- end }} {{/* clustergroup.globalvaluesparameters */}}
 
 

diff --git a/common/clustergroup/templates/core/operatorgroup.yaml b/common/clustergroup/templates/core/operatorgroup.yaml
@@ -5,17 +5,23 @@
 
   {{- if kindIs "map" $ns }}
   {{- range $k, $v := $ns }}{{- /* We loop here even though the map has always just one key */}}
-
+  {{- if $v.operatorGroup }}{{- /* Checks if the user sets operatorGroup: false */}}
 apiVersion: operators.coreos.com/v1
 kind: OperatorGroup
 metadata:
   name: {{ $k }}-operator-group
   namespace: {{ $k }}
 spec:
   targetNamespaces:
+    {{- if (hasKey $v "targetNamespaces") }}
+      {{- range $v.targetNamespaces }}{{- /* We loop through the list of tergetnamespaces */}}
+  - {{ . }}
+      {{- end }}{{- /* End range targetNamespaces */}}
+    {{- else }}
   - {{ $k }}
+    {{- end }}{{- /* End of if operatorGroup */}}
   {{- end }}{{- /* range $k, $v := $ns */}}
-
+  {{- end }}{{- /* End of if operatorGroup */}}
   {{- else if kindIs "string" $ns }}
 apiVersion: operators.coreos.com/v1
 kind: OperatorGroup

diff --git a/common/clustergroup/templates/imperative/_helpers.tpl b/common/clustergroup/templates/imperative/_helpers.tpl
@@ -1,3 +1,9 @@
+# Pseudo-code
+# 1. Get the pattern's CR
+# 2. If there is a secret called vp-private-repo-credentials in the current namespace, fetch it
+# 3. If it is an http secret, generate the correct URL
+# 4. If it is an ssh secret, create the private ssh key and make sure the git clone works
+
 {{/* git-init InitContainer */}}
 {{- define "imperative.initcontainers.gitinit" }}
 - name: git-init
@@ -9,7 +15,28 @@
   command:
   - 'sh'
   - '-c'
-  - "mkdir /git/{repo,home};git clone --single-branch --branch {{ $.Values.global.targetRevision }} --depth 1 -- {{ $.Values.global.repoURL }} /git/repo;chmod 0770 /git/{repo,home}"
+  - >-
+    if ! oc get secrets -n openshift-gitops vp-private-repo-credentials &> /dev/null; then
+      URL="{{ $.Values.global.repoURL }}";
+    else
+      if ! oc get secrets -n openshift-gitops vp-private-repo-credentials -o go-template='{{ `{{index .data.sshPrivateKey | base64decode}}` }}' &>/dev/null; then
+        U="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{ `{{index .data.username | base64decode }}` }}')";
+        P="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{ `{{index .data.password | base64decode }}` }}')";
+        URL=$(echo {{ $.Values.global.repoURL }} | sed -E "s/(https?:\/\/)/\1${U}:${P}@/");
+        echo "USER/PASS: ${URL}";
+      else
+        S="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{ `{{index .data.sshPrivateKey | base64decode }}` }}')";
+        mkdir -p --mode 0700 "${HOME}/.ssh";
+        echo "${S}" > "${HOME}/.ssh/id_rsa";
+        chmod 0600 "${HOME}/.ssh/id_rsa";
+        URL=$(echo {{ $.Values.global.repoURL }} | sed -E "s/(https?:\/\/)/\1git@/");
+        git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no";
+        echo "SSH: ${URL}";
+      fi;
+    fi;
+    mkdir /git/{repo,home};
+    git clone --single-branch --branch {{ $.Values.global.targetRevision }} --depth 1 -- "${URL}" /git/repo;
+    chmod 0770 /git/{repo,home};
   volumeMounts:
   - name: git
     mountPath: "/git"

diff --git a/common/clustergroup/templates/plumbing/argocd-cmp-plugin-cms.yaml b/common/clustergroup/templates/plumbing/argocd-cmp-plugin-cms.yaml
@@ -0,0 +1,12 @@
+{{- range $cmp := $.Values.clusterGroup.argoCD.configManagementPlugins }}
+{{- if $cmp.pluginConfig }}
+---
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: "argocd-cmp-{{ $cmp.name }}"
+  namespace: {{ $.Values.global.pattern }}-{{ $.Values.clusterGroup.name }}
+data:
+  "plugin.yaml": | {{ tpl $cmp.pluginConfig $ | nindent 4 }}
+{{- end }}
+{{- end }}