validatedpatterns · mbaldessari · May 30, 2024 · May 2, 2024 · May 3, 2024 · May 3, 2024
diff --git a/common/acm/templates/policies/acm-hub-ca-policy.yaml b/common/acm/templates/policies/acm-hub-ca-policy.yaml
@@ -1,5 +1,6 @@
 # This pushes out the HUB's Certificate Authorities on to the imported clusters
-{{ if .Values.clusterGroup.isHubCluster }}
+{{- if .Values.clusterGroup.isHubCluster }}
+{{- if (eq (((.Values.global).secretStore).backend) "vault") }}
 ---
 apiVersion: policy.open-cluster-management.io/v1
 kind: Policy
@@ -31,7 +32,7 @@ spec:
                 type: Opaque
                 metadata:
                   name: hub-ca
-                  namespace: imperative
+                  namespace: golang-external-secrets
                 data:
                   hub-kube-root-ca.crt: '{{ `{{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | base64enc hub}}` }}'
                   hub-openshift-service-ca.crt: '{{ `{{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | base64enc hub}}` }}'
@@ -67,5 +68,5 @@ spec:
         operator: NotIn
         values:
           - 'true'
-{{ end }}
-
+{{- end }}
+{{- end }}
diff --git a/common/acm/templates/policies/application-policies.yaml b/common/acm/templates/policies/application-policies.yaml
@@ -43,9 +43,14 @@ spec:
                     path: {{ default "common/clustergroup" .path }}
                     helm:
                       ignoreMissingValueFiles: true
+                      values: |
+                        extraParametersNested:
+                        {{- range $k, $v := $.Values.extraParametersNested }}
+                          {{ $k }}: {{ printf "%s" $v | quote }}
+                        {{- end }}
                       valueFiles:
                       {{- include "acm.app.policies.valuefiles" . | nindent 22 }}
-                      {{- range $valueFile := $.Values.global.extraValueFiles }}
+                      {{- range $valueFile := .extraValueFiles }}
                       - {{ $valueFile | quote }}
                       {{- end }}
                       parameters:
@@ -73,6 +78,10 @@ spec:
                         value: {{ $group.name }}
                       - name: global.experimentalCapabilities
                         value: {{ $.Values.global.experimentalCapabilities }}
+                      {{- range $k, $v := $.Values.extraParametersNested }}
+                      - name: {{ $k }}
+                        value: {{ printf "%s" $v | quote }}
+                      {{- end }}
                      {{- range .helmOverrides }}
                       - name: {{ .name }}
                         value: {{ .value | quote }}

diff --git a/common/acm/templates/policies/ocp-gitops-policy.yaml b/common/acm/templates/policies/ocp-gitops-policy.yaml
@@ -140,7 +140,7 @@ spec:
                       - -c
                       - cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt > /tmp/ca-bundles/ca-bundle.crt
                         || true
-                      image: registry.access.redhat.com/ubi9/ubi-minimal:latest
+                      image: registry.redhat.io/ubi9/ubi-minimal:latest
                       name: fetch-ca
                       resources: {}
                       volumeMounts:
@@ -195,6 +195,11 @@ spec:
                         memory: 128Mi
                     route:
                       enabled: true
+                      {{- if and (.Values.global.argocdServer) (.Values.global.argocdServer.route) (.Values.global.argocdServer.route.tls) }}
+                      tls:
+                        insecureEdgeTerminationPolicy: {{ default "Redirect" .Values.global.argocdServer.route.tls.insecureEdgeTerminationPolicy }}
+                        termination: {{ default "reencrypt" .Values.global.argocdServer.route.tls.termination }}
+                      {{- end }}
                     service:
                       type: ""
                   sso:

diff --git a/common/acm/values.yaml b/common/acm/values.yaml
@@ -9,6 +9,8 @@ global:
   targetRevision: main
   options:
     applicationRetryLimit: 20
+  secretStore:
+    backend: "vault"
 
 clusterGroup:
   subscriptions:

diff --git a/common/ansible/roles/iib_ci/README.md b/common/ansible/roles/iib_ci/README.md
@@ -52,12 +52,17 @@ make EXTRA_HELM_OPTS="--set main.gitops.operatorSource=iib-${IIB} --set main.git
 The advanced-cluster-management operator is a little bit more complex than the others because it
 also installes another operator called MCE multicluster-engine. So to install ACM you typically
 need two IIBs (one for acm and one for mce). With those two at hand, do the following (the ordering must be
-consistent: the first IIB corresponds to the first OPERATOR, etc).
+consistent: the first IIB corresponds to the first OPERATOR, etc). The following operation needs to be done
+on both hub *and* spokes:
 
 ```sh
-export OPERATOR=advanced-cluster-management,multicluster-engine
-export INDEX_IMAGES=registry-proxy.engineering.redhat.com/rh-osbs/iib:713808,registry-proxy.engineering.redhat.com/rh-osbs/iib:718034
-make load-iib
+for i in hub-kubeconfig-file spoke-kubeconfig-file; do
+  export KUBECONFIG="${i}"
+  export KUBEADMINPASS="11111-22222-33333-44444"
+  export OPERATOR=advanced-cluster-management,multicluster-engine
+  export INDEX_IMAGES=registry-proxy.engineering.redhat.com/rh-osbs/iib:713808,registry-proxy.engineering.redhat.com/rh-osbs/iib:718034
+  make load-iib
+done
 ```
 
 Once the IIBs are loaded into the cluster we need to run the following steps:

diff --git a/common/ansible/roles/iib_ci/tasks/main.yml b/common/ansible/roles/iib_ci/tasks/main.yml
@@ -17,6 +17,9 @@
   ansible.builtin.shell: |
     oc get openshiftcontrollermanager/cluster -o yaml -o jsonpath='{.status.version}'
   register: oc_version_raw
+  retries: 10
+  delay: 10
+  until: oc_version_raw is not failed
   changed_when: false
 
 - name: Is OCP pre OCP 4.13? (aka registry supports v2 manifests)

diff --git a/common/clustergroup/templates/imperative/clusterrole.yaml b/common/clustergroup/templates/imperative/clusterrole.yaml
@@ -1,5 +1,6 @@
 {{- if not (eq .Values.enabled "plumbing") }}
 {{/* This is always defined as we always unseal the cluster with an imperative job */}}
+{{- if $.Values.clusterGroup.imperative.serviceAccountCreate }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -18,4 +19,19 @@ rules:
     - list
     - watch
 {{- end }}
+{{- end }} {{/* if $.Values.clusterGroup.imperative.serviceAccountCreate */}}
+{{- if $.Values.clusterGroup.imperative.adminServiceAccountCreate }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ $.Values.clusterGroup.imperative.adminClusterRoleName }}
+rules:
+  - apiGroups:
+    - '*'
+    resources:
+    - '*'
+    verbs:
+    - '*'
+{{- end }} {{/* if $.Values.clusterGroup.imperative.adminServiceAccountCreate */}}
 {{- end }}
diff --git a/common/clustergroup/templates/imperative/rbac.yaml b/common/clustergroup/templates/imperative/rbac.yaml
@@ -1,10 +1,11 @@
 {{- if not (eq .Values.enabled "plumbing") }}
 {{/* This is always defined as we always unseal the cluster with an imperative job */}}
+{{- if $.Values.clusterGroup.imperative.serviceAccountCreate -}}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: {{ $.Values.clusterGroup.imperative.namespace }}-cluster-admin-rolebinding
+  name: {{ $.Values.clusterGroup.imperative.namespace }}-cluster-rolebinding
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
@@ -17,7 +18,7 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: {{ $.Values.clusterGroup.imperative.namespace }}-admin-rolebinding
+  name: {{ $.Values.clusterGroup.imperative.namespace }}-rolebinding
   namespace: {{ $.Values.clusterGroup.imperative.namespace }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -28,3 +29,19 @@ subjects:
     name: {{ $.Values.clusterGroup.imperative.serviceAccountName }}
     namespace: {{ $.Values.clusterGroup.imperative.namespace }}
 {{- end }}
+{{- if $.Values.clusterGroup.imperative.adminServiceAccountCreate }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ $.Values.clusterGroup.imperative.namespace }}-admin-clusterrolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ $.Values.clusterGroup.imperative.adminClusterRoleName }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ $.Values.clusterGroup.imperative.adminServiceAccountName }}
+    namespace: {{ $.Values.clusterGroup.imperative.namespace }}
+{{- end }}
+{{- end }}
diff --git a/common/clustergroup/templates/imperative/serviceaccount.yaml b/common/clustergroup/templates/imperative/serviceaccount.yaml
@@ -1,10 +1,18 @@
 {{- if not (eq .Values.enabled "plumbing") }}
 {{/* This is always defined as we always unseal the cluster with an imperative job */}}
-{{- if $.Values.clusterGroup.imperative.serviceAccountCreate -}}
+{{- if $.Values.clusterGroup.imperative.serviceAccountCreate }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ $.Values.clusterGroup.imperative.serviceAccountName }}
   namespace: {{ $.Values.clusterGroup.imperative.namespace }}
 {{- end }}
+{{- if $.Values.clusterGroup.imperative.adminServiceAccountCreate }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ $.Values.clusterGroup.imperative.adminServiceAccountName }}
+  namespace: {{ $.Values.clusterGroup.imperative.namespace }}
+{{- end }}
 {{- end }}
diff --git a/common/clustergroup/templates/plumbing/applications.yaml b/common/clustergroup/templates/plumbing/applications.yaml
@@ -149,6 +149,11 @@ spec:
       {{- else }}
       helm:
         ignoreMissingValueFiles: true
+        values: |
+          extraParametersNested: 
+          {{- range $k, $v := $.Values.extraParametersNested }}
+            {{ $k }}: {{ printf "%s" $v | quote }}
+          {{- end }}
         valueFiles:
         {{- include "clustergroup.app.globalvalues.prefixedvaluefiles" $ | nindent 8 }}
         {{- range $valueFile := $.Values.clusterGroup.sharedValueFiles }}
@@ -216,6 +221,11 @@ spec:
     {{- else if not .kustomize }}
     helm:
       ignoreMissingValueFiles: true
+      values: |
+        extraParametersNested:
+          {{- range $k, $v := $.Values.extraParametersNested }}
+            {{ $k }}: {{ printf "%s" $v | quote }}
+          {{- end }}
       valueFiles:
       {{- include "clustergroup.app.globalvalues.valuefiles" $ | nindent 6 }}
       {{- range $valueFile := $.Values.clusterGroup.sharedValueFiles }}

diff --git a/common/clustergroup/templates/plumbing/argocd-super-role.yaml b/common/clustergroup/templates/plumbing/argocd-super-role.yaml
@@ -4,6 +4,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: openshift-gitops-cluster-admin-rolebinding
+  # We need to have this before anything else or the sync might get stuck forever
+  # due to permission issues
+  annotations:
+    argocd.argoproj.io/sync-wave: "-100"
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
@@ -22,6 +26,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: {{ $.Values.global.pattern }}-{{ .Values.clusterGroup.name }}-cluster-admin-rolebinding
+  # We need to have this before anything else or the sync might get stuck forever
+  # due to permission issues
+  annotations:
+    argocd.argoproj.io/sync-wave: "-100"
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole

diff --git a/common/clustergroup/values.schema.json b/common/clustergroup/values.schema.json
@@ -65,6 +65,10 @@
         "clusterGroupName": {
           "type": "string"
         },
+        "extraParameters": {
+          "type": "array",
+          "description": "Pass in extra Helm parameters to all ArgoCD Applications and the framework."
+        },
         "experimentalCapabilities": {
           "type": "string",
           "description": "String to enable certain experimental capabilities in the operator and the framework."
@@ -677,6 +681,15 @@
         },
         "roleYaml": {
           "type": "string"
+        },
+        "adminServiceAccountCreate": {
+          "type": "boolean"
+        },
+        "adminServiceAccountName": {
+          "type": "string"
+        },
+        "adminClusterRoleName": {
+          "type": "string"
         }
       },
       "required": [

diff --git a/common/clustergroup/values.yaml b/common/clustergroup/values.yaml
@@ -51,6 +51,10 @@ clusterGroup:
     clusterRoleYaml: ""
     roleName: imperative-role
     roleYaml: ""
+    adminServiceAccountCreate: true
+    adminServiceAccountName: imperative-admin-sa
+    adminClusterRoleName: imperative-admin-cluster-role
+
   managedClusterGroups: {}
   namespaces: []
 #  - name: factory

diff --git a/common/golang-external-secrets/Chart.yaml b/common/golang-external-secrets/Chart.yaml
@@ -6,6 +6,6 @@ name: golang-external-secrets
 version: 0.0.3
 dependencies:
   - name: external-secrets
-    version: "0.9.16"
+    version: "0.9.18"
     repository: "https://charts.external-secrets.io"
     #"https://external-secrets.github.io/kubernetes-external-secrets"
diff --git a/common/golang-external-secrets/charts/external-secrets-0.9.16.tgz b/common/golang-external-secrets/charts/external-secrets-0.9.16.tgz
diff --git a/common/golang-external-secrets/charts/external-secrets-0.9.18.tgz b/common/golang-external-secrets/charts/external-secrets-0.9.18.tgz
diff --git a/common/golang-external-secrets/values.yaml b/common/golang-external-secrets/values.yaml
@@ -23,7 +23,7 @@ golangExternalSecrets:
       type: Secret
       name: hub-ca
       key: hub-kube-root-ca.crt
-      namespace: imperative
+      namespace: golang-external-secrets
 
 global:
   hubClusterDomain: hub.example.com
@@ -37,10 +37,10 @@ clusterGroup:
 
 external-secrets:
   image:
-    tag: v0.9.16-ubi
+    tag: v0.9.18-ubi
   webhook:
     image:
-      tag: v0.9.16-ubi
+      tag: v0.9.18-ubi
   certController:
     image:
-      tag: v0.9.16-ubi
+      tag: v0.9.18-ubi
diff --git a/common/hashicorp-vault/values.yaml b/common/hashicorp-vault/values.yaml
@@ -48,4 +48,4 @@ vault:
         termination: "reencrypt"
     image:
       repository: "registry.connect.redhat.com/hashicorp/vault"
-      tag: "1.16.1-ubi"
+      tag: "1.16.2-ubi"
diff --git a/common/operator-install/templates/pattern.yaml b/common/operator-install/templates/pattern.yaml
@@ -12,9 +12,6 @@ spec:
     tokenSecret: {{ .Values.main.tokenSecret }}
     tokenSecretNamespace: {{ .Values.main.tokenSecretNamespace }}
 {{- end }} {{/* if and .Values.main.tokenSecret .Values.main.tokenSecretNamespace */}}
-  gitOpsSpec:
-    operatorChannel: {{ default "gitops-1.12" .Values.main.gitops.channel }}
-    operatorSource: {{ default "redhat-operators" .Values.main.gitops.operatorSource }}
   multiSourceConfig:
     enabled: {{ .Values.main.multiSourceConfig.enabled }}
 {{- if .Values.main.analyticsUUID }}

diff --git a/common/operator-install/templates/subscription.yaml b/common/operator-install/templates/subscription.yaml
@@ -7,7 +7,10 @@ metadata:
     operators.coreos.com/patterns-operator.openshift-operators: ""
 spec:
   channel: {{ .Values.main.patternsOperator.channel }}
-  installPlanApproval: Automatic
+  installPlanApproval: {{ .Values.main.patternsOperator.installPlanApproval }}
   name: patterns-operator
   source: {{ .Values.main.patternsOperator.source }}
-  sourceNamespace: openshift-marketplace
+  sourceNamespace: {{ .Values.main.patternsOperator.sourceNamespace }}
+  {{- if .Values.main.patternsOperator.startingCSV }}
+  startingCSV: {{ .Values.main.patternsOperator.startingCSV }}
+  {{- end }}
diff --git a/common/operator-install/values.yaml b/common/operator-install/values.yaml
@@ -20,6 +20,9 @@ main:
   patternsOperator:
     channel: fast
     source: community-operators
+    installPlanApproval: Automatic
+    sourceNamespace: openshift-marketplace
+    startingCSV: null
 
   clusterGroupName: default
 

diff --git a/common/tests/acm-industrial-edge-hub.expected.yaml b/common/tests/acm-industrial-edge-hub.expected.yaml
@@ -167,7 +167,7 @@ spec:
                 type: Opaque
                 metadata:
                   name: hub-ca
-                  namespace: imperative
+                  namespace: golang-external-secrets
                 data:
                   hub-kube-root-ca.crt: '{{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | base64enc hub}}'
                   hub-openshift-service-ca.crt: '{{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | base64enc hub}}'
@@ -214,6 +214,8 @@ spec:
                     path: common/clustergroup
                     helm:
                       ignoreMissingValueFiles: true
+                      values: |
+                        extraParametersNested:
                       valueFiles:
                       - "/values-global.yaml"
                       - "/values-factory.yaml"

diff --git a/common/tests/acm-medical-diagnosis-hub.expected.yaml b/common/tests/acm-medical-diagnosis-hub.expected.yaml
@@ -158,7 +158,7 @@ spec:
                 type: Opaque
                 metadata:
                   name: hub-ca
-                  namespace: imperative
+                  namespace: golang-external-secrets
                 data:
                   hub-kube-root-ca.crt: '{{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | base64enc hub}}'
                   hub-openshift-service-ca.crt: '{{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | base64enc hub}}'
@@ -205,6 +205,8 @@ spec:
                     path: common/clustergroup
                     helm:
                       ignoreMissingValueFiles: true
+                      values: |
+                        extraParametersNested:
                       valueFiles:
                       - "/values-global.yaml"
                       - "/values-region-one.yaml"