update common to fix eso

charts/all/medical-diagnosis/xray-init/templates/objectstore-user/cm-wait-for-objectstore.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: wait-for-objectstore
+ namespace: {{ .Values.global.xraylab.namespace }}
+ annotations:
+ argocd.argoproj.io/sync-wave: "-1"
+data:
+ wait-for-objectstore.sh: |
+ #!/bin/bash
+ # Get ODF version
+ ODFMINV=$(oc get subs -n openshift-storage odf-operator -o jsonpath='{.status.currentCSV}' | cut -d '.' -f3 )
+ if [[ ${ODFMINV} -lt 13 ]]
+ then
+ oc wait --for=jsonpath='{.status.phase}'=Connected cephobjectstore/ocs-storagecluster-cephobjectstore -n openshift-storage --timeout=100s
+ else
+ oc wait --for=jsonpath='{.status.phase}'=Ready cephobjectstore/ocs-storagecluster-cephobjectstore -n openshift-storage --timeout=100s
+ fi

charts/all/medical-diagnosis/xray-init/templates/objectstore-user/job-cephobjstore-wait.yaml

@@ -15,8 +15,17 @@ spec:
  - /bin/bash
  - -c
  - |
- oc wait --for=jsonpath='{.status.phase}'=Connected cephobjectstore/ocs-storagecluster-cephobjectstore -n openshift-storage --timeout=900s
+  '/tmp/wait-for-objectstore.sh'
  name: wait-odf-cephobjectstore-complete
+ volumeMounts:
+ - mountPath: /tmp/wait-for-objectstore.sh
+ name: wait-for-objectstore
+ subPath: wait-for-objectstore.sh
+ volumes:
+ - name: wait-for-objectstore
+ configMap:
+ name: wait-for-objectstore
+ defaultMode: 0755
  dnsPolicy: ClusterFirst
  restartPolicy: Never
  serviceAccount: {{ .Values.global.xraylab.namespace }}-sa

charts/all/medical-diagnosis/xray-init/values.yaml

@@ -54,6 +54,20 @@ rbac:
  - "get"
  - "list"
  - "watch"
+ - name: view-odf-subs
+ createRole: true
+ apiGroups:
+ - "operators.coreos.com"
+ scope:
+ cluster: true
+ namespace: ""
+ resources:
+ - subs
+ - subscriptions
+ verbs:
+ - "get"
+ - "list"
+ - "watch"
  - name: view-odf-objectstoreusers
  createRole: true
  apiGroups:
@@ -133,6 +147,19 @@ rbac:
  roleRef:
  kind: Role
  name: create-pattern-secret
+ - name: view-odf-subs-rb
+ createBinding: true
+ scope:
+ cluster: true
+ namespace: ""
+ subjects:
+ kind: ServiceAccount
+ name: xraylab-1-sa
+ namespace: xraylab-1
+ apiGroup: ""
+ roleRef:
+ kind: ClusterRole
+ name: view-odf-subs
  - name: view-odf-storageclusters
  createBinding: true
  scope:
@@ -184,4 +211,4 @@ rbac:
  apiGroup: ""
  roleRef:
  kind: Role
- name: view-pattern-jobs
+ name: view-pattern-jobs

common/.ansible-lint

@@ -6,3 +6,12 @@ skip_list:
  - template-instead-of-copy # Templated files should use template instead of copy
  - yaml[line-length] # too long lines
  - yaml[indentation] # Forcing lists to be always indented by 2 chars is silly IMO
+ - var-naming[no-role-prefix] # This would be too much churn for very little gain
+ - no-changed-when
+ - var-naming[no-role-prefix] # There are too many changes now and it would be too risky
+
+# ansible-lint gh workflow cannot find ansible.cfg hence fails to import vault_utils role
+exclude_paths:
+ - ./ansible/playbooks/vault/vault.yaml
+ - ./ansible/playbooks/iib-ci/iib-ci.yaml
+ - ./ansible/roles/vault_utils/tests/test.yml

common/.github/dependabot.yml

@@ -0,0 +1,9 @@
+---
+version: 2
+updates:
+ # Check for updates to GitHub Actions every week
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+

common/.github/workflows/ansible-lint.yml

@@ -8,11 +8,10 @@ jobs:
 
  steps:
  # Important: This sets up your GITHUB_WORKSPACE environment variable
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
 
  - name: Lint Ansible Playbook
- # Using the latest as of today (2023-01-24) v6.11.0
- uses: ansible/ansible-lint-action@v6.11.0
+ uses: ansible/ansible-lint-action@v6
  # Let's point it to the path
  with:
  path: "ansible/"

common/.github/workflows/ansible-unittest.yml

@@ -20,7 +20,7 @@ jobs:
  name: Ansible unit tests
  strategy:
  matrix:
- python-version: [3.10.10]
+ python-version: [3.11.3]
  # Set the agent to run on
  runs-on: ubuntu-latest
 
@@ -32,13 +32,13 @@ jobs:
  # Checkout the code base #
  ##########################
  - name: Checkout Code
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
  with:
  # Full git history is needed to get a proper list of changed files within `super-linter`
  fetch-depth: 0
 
  - name: Set up Python ${{ matrix.python-version }}
- uses: actions/setup-python@v1
+ uses: actions/setup-python@v4
  with:
  python-version: ${{ matrix.python-version }}
 

common/.github/workflows/jsonschema.yaml

@@ -20,7 +20,7 @@ jobs:
  name: Json Schema tests
  strategy:
  matrix:
- python-version: [3.11.2]
+ python-version: [3.11.3]
  # Set the agent to run on
  runs-on: ubuntu-latest
 
@@ -32,13 +32,13 @@ jobs:
  # Checkout the code base #
  ##########################
  - name: Checkout Code
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
  with:
  # Full git history is needed to get a proper list of changed files within `super-linter`
  fetch-depth: 0
 
  - name: Set up Python ${{ matrix.python-version }}
- uses: actions/setup-python@v1
+ uses: actions/setup-python@v4
  with:
  python-version: ${{ matrix.python-version }}
 

common/.github/workflows/linter.yml

@@ -29,7 +29,7 @@ jobs:
  # Checkout the code base #
  ##########################
  - name: Checkout Code
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
  with:
  # Full git history is needed to get a proper list of changed files within `super-linter`
  fetch-depth: 0

common/.github/workflows/superlinter.yml

@@ -12,7 +12,7 @@ jobs:
 
  steps:
  - name: Checkout Code
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
  with:
  # Full git history is needed to get a proper list of changed files within `super-linter`
  fetch-depth: 0
@@ -21,7 +21,7 @@ jobs:
  # Run Linter against code base #
  ################################
  - name: Lint Code Base
- uses: github/super-linter/slim@v4
+ uses: github/super-linter/slim@v5
  env:
  VALIDATE_ALL_CODEBASE: true
  DEFAULT_BRANCH: main
@@ -30,7 +30,7 @@ jobs:
  VALIDATE_ANSIBLE: false
  VALIDATE_BASH: false
  VALIDATE_JSCPD: false
- VALIDATE_KUBERNETES_KUBEVAL: false
+ VALIDATE_KUBERNETES_KUBECONFORM: false
  VALIDATE_YAML: false
  # VALIDATE_DOCKERFILE_HADOLINT: false
  # VALIDATE_MARKDOWN: false

common/Changes.md

@@ -1,5 +1,23 @@
 # Changes
 
+## Jul 8, 2023
+
+* Introduced a default of 20 for sync failures retries in argo applications (global override via global.options.applicationRetryLimit
+ and per-app override via .syncPolicy)
+
+## May 22, 2023
+
+* Upgraded ESO to 0.8.2
+* *Important* we now use the newly blessed sso config for argo. This means that gitops < 1.8 are *unsupported*
+
+## May 18, 2023
+
+* Introduce a EXTRA_HELM_OPTS env variable that will be passed to the helm invocations
+
+## April 21, 2023
+
+* Added labels and annotation support to namespaces.yaml template
+
 ## Apr 11, 2023
 
 * Apply the ACM ocp-gitops-policy everywhere but the hub

common/Makefile

@@ -1,11 +1,16 @@
-NAME=$(shell basename "`pwd`")
+NAME ?= $(shell basename "`pwd`")
 ifneq ($(origin TARGET_SITE), undefined)
  TARGET_SITE_OPT=--set main.clusterGroupName=$(TARGET_SITE)
 endif
 
+# This variable can be set in order to pass additional helm arguments from the
+# the command line. I.e. we can set things without having to tweak values files
+EXTRA_HELM_OPTS ?=
+
 # INDEX_IMAGES=registry-proxy.engineering.redhat.com/rh-osbs/iib:394248
-INDEX_IMAGES ?= 
-INDEX_OPTIONS=$(shell echo $(INDEX_IMAGES) | tr ',' '\n' | awk -F: 'match($$1,"/"){print "--set main.extraParameters."NR".name=clusterGroup.indexImages."NR".image --set main.extraParameters."NR".value="$$1":"$$2}')
+# or
+# INDEX_IMAGES=registry-proxy.engineering.redhat.com/rh-osbs/iib:394248,registry-proxy.engineering.redhat.com/rh-osbs/iib:394249
+INDEX_IMAGES ?=
 
 TARGET_ORIGIN ?= origin
 # This is to ensure that whether we start with a git@ or https:// URL, we end up with an https:// URL
@@ -15,12 +20,13 @@ TARGET_REPO=$(shell git ls-remote --get-url --symref $(TARGET_ORIGIN) | sed -e '
 TARGET_BRANCH=$(shell git rev-parse --abbrev-ref HEAD)
 
 # --set values always take precedence over the contents of -f
-HELM_OPTS=-f values-global.yaml --set main.git.repoURL="$(TARGET_REPO)" --set main.git.revision=$(TARGET_BRANCH) $(TARGET_SITE_OPT) $(INDEX_OPTIONS)
+HELM_OPTS=-f values-global.yaml --set main.git.repoURL="$(TARGET_REPO)" --set main.git.revision=$(TARGET_BRANCH) $(TARGET_SITE_OPT) $(EXTRA_HELM_OPTS)
 
 ##@ Pattern Common Tasks
 
 .PHONY: help
 help: ## This help message
+ @echo "Pattern: $(NAME)"
  @awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n make \033[36m<target>\033[0m\n"} /^(\s|[a-zA-Z_0-9-])+:.*?##/ { printf " \033[36m%-35s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)
 
 # Makefiles in the individual patterns should call these targets explicitly
@@ -55,6 +61,15 @@ uninstall: ## runs helm uninstall
 load-secrets: ## loads the secrets into the vault
  common/scripts/vault-utils.sh push_secrets $(NAME)
 
+.PHONY: load-iib
+load-iib: ## CI target to install Index Image Bundles
+ @set -e; if [ x$(INDEX_IMAGES) != x ]; then \
+ for IIB in $(shell echo $(INDEX_IMAGES) | tr ',' '\n'); do \
+ INDEX_IMAGE="$${IIB}" ansible-playbook common/ansible/playbooks/iib-ci/iib-ci.yaml; \
+ done; \
+ fi
+
+
 ##@ Validation Tasks
 
 # We only check the remote ssh git branch's existance if we're not running inside a container
@@ -110,7 +125,8 @@ helmlint: ## run helm lint
  @for t in $(CHARTS); do common/scripts/lint.sh $$t $(TEST_OPTS); if [ $$? != 0 ]; then exit 1; fi; done
 
 API_URL ?= https://raw.githubusercontent.com/hybrid-cloud-patterns/ocp-schemas/main/openshift/4.10/
-KUBECONFORM_SKIP ?= -skip 'CustomResourceDefinition'
+KUBECONFORM_SKIP ?= -skip 'CustomResourceDefinition,ClusterIssuer,CertManager,Certificate,ArgoCD'
+
 # We need to skip 'CustomResourceDefinition' as openapi2jsonschema seems to be unable to generate them ATM
 .PHONY: kubeconform
 kubeconform: ## run helm kubeconform
@@ -122,19 +138,20 @@ super-linter: ## Runs super linter locally
  podman run -e RUN_LOCAL=true -e USE_FIND_ALGORITHM=true \
  -e VALIDATE_BASH=false \
  -e VALIDATE_JSCPD=false \
- -e VALIDATE_KUBERNETES_KUBEVAL=false \
+ -e VALIDATE_KUBERNETES_KUBECONFORM=false \
  -e VALIDATE_YAML=false \
  -e VALIDATE_ANSIBLE=false \
  -e VALIDATE_DOCKERFILE_HADOLINT=false \
  -e VALIDATE_TEKTON=false \
  $(DISABLE_LINTERS) \
  -v $(PWD):/tmp/lint:rw,z \
  -w /tmp/lint \
- docker.io/github/super-linter:slim-v4
+ docker.io/github/super-linter:slim-v5
 
 .PHONY: ansible-lint
 ansible-lint: ## run ansible lint on ansible/ folder
- podman run -it -v $(PWD):/workspace:rw,z --workdir /workspace --entrypoint "/usr/local/bin/ansible-lint" quay.io/ansible/creator-ee:latest "-vvv" "ansible/"
+ podman run -it -v $(PWD):/workspace:rw,z --workdir /workspace --env ANSIBLE_CONFIG=./ansible/ansible.cfg \
+ --entrypoint "/usr/local/bin/ansible-lint" quay.io/ansible/creator-ee:latest "-vvv" "ansible/"
 
 .PHONY: ansible-unittest
 ansible-unittest: ## run ansible unit tests

common/acm/templates/_helpers.tpl

@@ -0,0 +1,13 @@
+{{/*
+Default always defined valueFiles to be included when pushing the cluster wide argo application via acm
+*/}}
+{{- define "acm.app.policies.valuefiles" -}}
+- "/values-global.yaml"
+- "/values-{{ .name }}.yaml"
+- '/values-{{ `{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}` }}.yaml'
+- '/values-{{ `{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}` }}-{{ `{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}` }}.yaml'
+- '/values-{{ `{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}` }}-{{ .name }}.yaml'
+# We cannot use $.Values.global.clusterVersion because that gets resolved to the
+# hub's cluster version, whereas we want to include the spoke cluster version
+- '/values-{{ `{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}` }}-{{ .name }}.yaml'
+{{- end }} {{- /*acm.app.policies.valuefiles */}}

common/acm/templates/multiclusterhub.yaml

@@ -5,4 +5,7 @@ metadata:
  namespace: open-cluster-management
  annotations:
  argocd.argoproj.io/sync-wave: "-1"
+ {{- if kindIs "map" .Values.clusterGroup.subscriptions }}
+ installer.open-cluster-management.io/mce-subscription-spec: '{"source": "{{ default "redhat-operators" .Values.clusterGroup.subscriptions.acm.source }}" }'
+ {{- end }}
 spec: {}

common/acm/templates/policies/application-policies.yaml

@@ -43,14 +43,7 @@ spec:
  helm:
  ignoreMissingValueFiles: true
  valueFiles:
- - "/values-global.yaml"
- - "/values-{{ .name }}.yaml"
- - '/values-{{ `{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}` }}.yaml'
- - '/values-{{ `{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}` }}-{{ `{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}` }}.yaml'
- - '/values-{{ `{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}` }}-{{ .name }}.yaml'
- # We cannot use $.Values.global.clusterVersion because that gets resolved to the
- # hub's cluster version, whereas we want to include the spoke cluster version
- - '/values-{{ `{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}` }}-{{ .name }}.yaml'
+ {{- include "acm.app.policies.valuefiles" . | nindent 24 }}
  {{- range $valueFile := .extraValueFiles }}
  - {{ $valueFile | quote }}
  {{- end }}
@@ -95,6 +88,8 @@ spec:
  automated:
  prune: false
  selfHeal: true
+ retry:
+ limit: {{ default 20 $.Values.global.options.applicationRetryLimit }}
  ignoreDifferences:
  - group: apps
  kind: Deployment