diff --git a/.github/workflows/aws-integration.yaml b/.github/workflows/aws-integration.yaml index d751750592..7c6f3445d5 100644 --- a/.github/workflows/aws-integration.yaml +++ b/.github/workflows/aws-integration.yaml @@ -17,7 +17,6 @@ on: - 'docs/**' - 'pkg/api/openapi/docs/**' - 'pkg/api/openapi/.openapi-generator-ignore' - - 'dp-terraform/**' - 'deploy/**' - '.design-proposals/**' @@ -35,7 +34,6 @@ on: - 'docs/**' - 'pkg/api/openapi/docs/**' - 'pkg/api/openapi/.openapi-generator-ignore' - - 'dp-terraform/**' - 'deploy/**' - '.design-proposals/**' diff --git a/.github/workflows/multicluster-e2e.yaml b/.github/workflows/multicluster-e2e.yaml index 6853daf239..7cad64ce8a 100644 --- a/.github/workflows/multicluster-e2e.yaml +++ b/.github/workflows/multicluster-e2e.yaml @@ -12,6 +12,7 @@ on: - 'scripts/lib/**' - 'internal/central/pkg/handlers/admin_central.go' - 'internal/central/pkg/services/central.go' + - 'deploy/charts/fleetshard-sync/**' pull_request: types: [opened, synchronize, reopened, ready_for_review] @@ -23,6 +24,7 @@ on: - 'scripts/lib/**' - 'internal/central/pkg/handlers/admin_central.go' - 'internal/central/pkg/services/central.go' + - 'deploy/charts/fleetshard-sync/**' # Cancel previous runs # see: https://docs.github.com/en/actions/how-tos/write-workflows/choose-when-workflows-run/control-workflow-concurrency diff --git a/.openshift-ci/e2e-runtime/Dockerfile b/.openshift-ci/e2e-runtime/Dockerfile index bd85b6dc84..64a1e976df 100644 --- a/.openshift-ci/e2e-runtime/Dockerfile +++ b/.openshift-ci/e2e-runtime/Dockerfile 
@@ -34,6 +34,11 @@ RUN curl -L --retry 10 --silent --show-error --fail -o "/usr/local/bin/ocm" \ "https://github.com/openshift-online/ocm-cli/releases/download/v${OCM_VERSION}/ocm-linux-amd64" && \ chmod +x /usr/local/bin/ocm +RUN curl -L --retry 10 --silent --show-error --fail -o /usr/local/bin/helm \ + "https://mirror.openshift.com/pub/openshift-v4/clients/helm/latest/helm-linux-amd64" && \ + chmod +x /usr/local/bin/helm && \ + helm version + RUN mkdir /src $GOPATH WORKDIR /src diff --git a/Makefile b/Makefile index 0014b4c481..dfe8137cce 100644 --- a/Makefile +++ b/Makefile @@ -256,7 +256,7 @@ verify: check-gopath openapi/validate ./fleetshard/... \ ./probe/... \ ./emailsender/... \ - ./dp-terraform/test/... \ + ./deploy/test/... \ ./fleetshard-operator/... .PHONY: verify @@ -342,12 +342,12 @@ test/integration/central: $(GOTESTSUM_BIN) ./internal/central/test/integration/... .PHONY: test/integration/central -test/dp-terraform: $(GOTESTSUM_BIN) +test/deploy: $(GOTESTSUM_BIN) $(GOTESTSUM_BIN) --format $(GOTESTSUM_FORMAT) -- -p 1 -ldflags -s -v -timeout $(TEST_TIMEOUT) -count=1 $(TESTFLAGS) \ - ./dp-terraform/test/... -.PHONY: test/dp-terraform + ./deploy/test... +.PHONY: test/deploy -test/integration: test/integration/central test/dp-terraform +test/integration: test/integration/central test/deploy .PHONY: test/integration # remove OSD cluster after running tests against real OCM 
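Review bot: The new helm download pins no version and verifies no checksum — it fetches `.../helm/latest/helm-linux-amd64`, whatever the mirror happens to serve that day, so the runtime image is not reproducible and a silently changed binary would pass `helm version` unnoticed, whereas the `ocm` download immediately above is pinned through `OCM_VERSION`. Pin the version the same way and check a sha256 before `chmod +x`; the mirror serves per-version directories, and whether it also publishes a checksum file next to the binary should be confirmed before relying on it. The digest in the rewrite below is a placeholder to be filled from a trusted source.
```dockerfile
ARG HELM_VERSION=<PINNED_HELM_VERSION>
RUN curl -L --retry 10 --silent --show-error --fail -o /usr/local/bin/helm \
    "https://mirror.openshift.com/pub/openshift-v4/clients/helm/${HELM_VERSION}/helm-linux-amd64" && \
    echo "<EXPECTED_SHA256>  /usr/local/bin/helm" | sha256sum -c - && \
    chmod +x /usr/local/bin/helm && \
    helm version
# … unchanged: RUN mkdir /src $GOPATH, WORKDIR /src …
```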
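Review bot: The package pattern in the new `test/deploy` recipe is `./deploy/test...`, which has lost the slash that `./deploy/test/...` keeps in the `verify` target changed by the same commit. Go's `...` wildcard matches the empty string, so the pattern still selects `./deploy/test` and its subpackages, but it would also match any sibling directory whose name merely begins with `test`, and the two targets now spell what should be the same package set differently; change the line to `./deploy/test/...` so both agree.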
@@ -905,6 +905,25 @@ deploy/emailsender: .PHONY: deploy/emailsender undeploy/emailsender: - @helm uninstall -n "$(NAMESPACE)" emailsender - @kubectl delete -n "$(NAMESPACE)" -f "dev/env/manifests/emailsender-db" + @helm uninstall -n "$(NAMESPACE)" emailsender --ignore-not-found + @kubectl delete -n "$(NAMESPACE)" -f "dev/env/manifests/emailsender-db" --ignore-not-found=true .PHONY: undeploy/emailsender + +deploy/fleetshard-sync: FLEET_MANAGER_IMAGE?="$(IMAGE_NAME):$(image_tag)" +deploy/fleetshard-sync: ARGOCD_TENANT_APP_TARGET_REVISION?="HEAD" +deploy/fleetshard-sync: ARGOCD_NAMESPACE?="openshift-gitops" +deploy/fleetshard-sync: MANAGED_DB_ENABLED?="false" +deploy/fleetshard-sync: + @helm upgrade --install -n "$(NAMESPACE)" fleetshard-sync "deploy/charts/fleetshard-sync" \ + --values "dev/env/values/fleetshard-sync/values.yaml" \ + --set image.ref="$(FLEET_MANAGER_IMAGE)" \ + --set gitops.tenantDefaultAppSourceTargetRevision="$(ARGOCD_TENANT_APP_TARGET_REVISION)" \ + --set argoCdNamespace="$(ARGOCD_NAMESPACE)" \ + --set managedDB.enabled="$(MANAGED_DB_ENABLED)" \ + --set managedDB.subnetGroup="$(MANAGED_DB_SUBNET_GROUP)" \ + --set managedDB.securityGroup="$(MANAGED_DB_SECURITY_GROUP)" +.PHONY: deploy/fleetshard-sync + +undeploy/fleetshard-sync: + @helm uninstall -n "$(NAMESPACE)" fleetshard-sync --ignore-not-found +.PHONY: undeploy/fleetshard-sync diff --git a/README.md b/README.md index fbe0cdf5fb..a81c3d1790 100644 --- a/README.md +++ b/README.md @@ -12,9 +12,9 @@ ACS fleet-manager repository for the ACS managed service. ├── cmd -- cmd entry points ├── config -- various fleet-manager configurations ├── dashboards -- grafana dashboards +├── deploy -- helm charts for application deployment ├── docs -- documentation ├── docker -- docker images -├── dp-terraform -- terraforming scripts for data-plane clusters ├── e2e -- e2e tests ├── fleetshard -- source code for fleetshard-synchronizer ├── internal -- internal source code 
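Review bot: The four target-specific defaults for `deploy/fleetshard-sync` carry their double quotes into the variable value (`FLEET_MANAGER_IMAGE?="$(IMAGE_NAME):$(image_tag)"`), and the recipe then quotes them a second time as `--set image.ref="$(FLEET_MANAGER_IMAGE)"`; this only works because the shell collapses the resulting `""…""` into one word, and it breaks as soon as one of the values is passed somewhere without the outer quotes. Drop the quotes from the assignments, e.g. `deploy/fleetshard-sync: FLEET_MANAGER_IMAGE ?= $(IMAGE_NAME):$(image_tag)`, and keep the quoting in the recipe only. `MANAGED_DB_SUBNET_GROUP` and `MANAGED_DB_SECURITY_GROUP` have no default and so expand to empty strings unless the caller sets them, which is consistent with `MANAGED_DB_ENABLED` defaulting to false but deserves a one-line comment saying so. The `--ignore-not-found` flag added to `helm uninstall` in `undeploy/emailsender` and used again in `undeploy/fleetshard-sync` presumably needs a Helm release recent enough to know it — worth confirming against the version developers run locally.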
diff --git a/dp-terraform/helm/rhacs-terraform/.helmignore b/deploy/charts/fleetshard-sync/.helmignore similarity index 100% rename from dp-terraform/helm/rhacs-terraform/.helmignore rename to deploy/charts/fleetshard-sync/.helmignore diff --git a/dp-terraform/helm/rhacs-terraform/Chart.yaml b/deploy/charts/fleetshard-sync/Chart.yaml similarity index 85% rename from dp-terraform/helm/rhacs-terraform/Chart.yaml rename to deploy/charts/fleetshard-sync/Chart.yaml index a79f3b0746..8f8681ab3f 100644 --- a/dp-terraform/helm/rhacs-terraform/Chart.yaml +++ b/deploy/charts/fleetshard-sync/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 -name: rhacs-terraform -description: "Chart to terraform data plane OSD clusters" +name: fleetshard-sync +description: Chart to deploy fleetshard-sync component to RHACS dataplane clusters # A chart can be either an 'application' or a 'library' chart. # @@ -15,13 +15,10 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: "0.5.0" +version: 0.1.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. # It is recommended to use it with quotes. -appVersion: "0.5.0" - -# List of sub-charts and other dependencies -dependencies: [] +appVersion: "0.1.0" diff --git a/dp-terraform/helm/rhacs-terraform/templates/fleetshard-sync.yaml b/deploy/charts/fleetshard-sync/templates/deployment.yaml similarity index 50% rename from dp-terraform/helm/rhacs-terraform/templates/fleetshard-sync.yaml rename to deploy/charts/fleetshard-sync/templates/deployment.yaml index 220c6be74e..ade03b01d9 100644 
--- a/dp-terraform/helm/rhacs-terraform/templates/fleetshard-sync.yaml +++ b/deploy/charts/fleetshard-sync/templates/deployment.yaml @@ -15,31 +15,31 @@ spec: template: metadata: annotations: - rhacs.redhat.com/cluster-name: {{ .Values.fleetshardSync.clusterName | quote }} - rhacs.redhat.com/environment: {{ .Values.fleetshardSync.environment | quote }} + rhacs.redhat.com/cluster-name: {{ .Values.clusterName | quote }} + rhacs.redhat.com/environment: {{ .Values.environment | quote }} labels: app: fleetshard-sync spec: - {{- with .Values.fleetshardSync.affinity }} + {{- with .Values.affinity }} affinity: {{- toYaml . | nindent 8 }} {{- end }} - {{- with .Values.fleetshardSync.tolerations }} + {{- with .Values.tolerations }} tolerations: {{- toYaml . | nindent 8 }} {{- end }} - {{- with .Values.fleetshardSync.nodeSelector }} + {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} {{- end }} serviceAccountName: fleetshard-sync containers: - name: fleetshard-sync - {{- with .Values.fleetshardSync.image }} + {{- with .Values.image }} {{- if .ref }} image: "{{ .ref }}" {{- else }} - image: "{{ .repo }}:{{ .tag | default $.Values.global.image.tag }}" + image: "{{ .repo }}:{{ .tag }}" {{- end }} {{- end }} imagePullPolicy: IfNotPresent 
@@ -47,71 +47,71 @@ spec: - /usr/local/bin/fleetshard-sync env: - name: OCM_TOKEN - value: {{ .Values.fleetshardSync.ocmToken }} + value: {{ .Values.ocmToken }} - name: FLEET_MANAGER_ENDPOINT - value: {{ .Values.fleetshardSync.fleetManagerEndpoint }} + value: {{ .Values.fleetManagerEndpoint }} - name: CLUSTER_ID - value: {{ .Values.fleetshardSync.clusterId }} + value: {{ .Values.clusterId }} - name: CLUSTER_NAME - value: {{ .Values.fleetshardSync.clusterName }} + value: {{ .Values.clusterName }} - name: ENVIRONMENT - value: {{ .Values.fleetshardSync.environment }} + value: {{ .Values.environment }} - name: CREATE_AUTH_PROVIDER - value: "{{ .Values.fleetshardSync.createAuthProvider }}" + value: "{{ .Values.createAuthProvider }}" - name: AUTH_TYPE - value: {{ .Values.fleetshardSync.authType }} - {{- if eq "STATIC_TOKEN" .Values.fleetshardSync.authType }} + value: {{ .Values.authType }} + {{- if eq "STATIC_TOKEN" .Values.authType }} - name: STATIC_TOKEN - value: {{ .Values.fleetshardSync.staticToken }} + value: {{ .Values.staticToken }} {{- end }} - name: AUDIT_LOG_ENABLED - value: {{ .Values.fleetshardSync.auditLogs.enabled | quote }} + value: {{ .Values.auditLogs.enabled | quote }} - name: AUDIT_LOG_SKIP_TLS_VERIFY - value: {{ .Values.fleetshardSync.auditLogs.skipTLSVerify | quote }} + value: {{ .Values.auditLogs.skipTLSVerify | quote }} - name: MANAGED_DB_ENABLED - value: {{ .Values.fleetshardSync.managedDB.enabled | quote }} - {{- if eq .Values.fleetshardSync.managedDB.enabled true }} + value: {{ .Values.managedDB.enabled | quote }} + {{- if eq .Values.managedDB.enabled true }} - name: MANAGED_DB_SUBNET_GROUP - value: {{ required "fleetshardSync.managedDB.subnetGroup is required when fleetshardSync.managedDB.enabled = true" .Values.fleetshardSync.managedDB.subnetGroup }} + value: {{ required "managedDB.subnetGroup is required when managedDB.enabled = true" .Values.managedDB.subnetGroup }} - name: MANAGED_DB_SECURITY_GROUP - value: {{ required 
"fleetshardSync.managedDB.securityGroup is required when fleetshardSync.managedDB.enabled = true" .Values.fleetshardSync.managedDB.securityGroup }} + value: {{ required "managedDB.securityGroup is required when managedDB.enabled = true" .Values.managedDB.securityGroup }} - name: MANAGED_DB_PERFORMANCE_INSIGHTS - value: {{ .Values.fleetshardSync.managedDB.performanceInsights | quote }} + value: {{ .Values.managedDB.performanceInsights | quote }} - name: MANAGED_DB_ENGINE_VERSION - value: {{ .Values.fleetshardSync.managedDB.engineVersion | quote }} + value: {{ .Values.managedDB.engineVersion | quote }} - name: MANAGED_DB_AUTO_VERSION_UPGRADE - value: {{ .Values.fleetshardSync.managedDB.autoVersionUpgrade | quote }} + value: {{ .Values.managedDB.autoVersionUpgrade | quote }} - name: MANAGED_DB_BACKUP_RETENTION_PERIOD - value: {{ .Values.fleetshardSync.managedDB.backupRetentionPeriod }} + value: {{ .Values.managedDB.backupRetentionPeriod }} - name: MANAGED_DB_CLUSTER_PARAMETER_GROUP - value: {{ .Values.fleetshardSync.managedDB.clusterParameterGroup | quote }} + value: {{ .Values.managedDB.clusterParameterGroup | quote }} - name: MANAGED_DB_MIN_CAPACITY_ACU - value: {{ .Values.fleetshardSync.managedDB.minCapacityACU }} + value: {{ .Values.managedDB.minCapacityACU }} - name: MANAGED_DB_MAX_CAPACITY_ACU - value: {{ .Values.fleetshardSync.managedDB.maxCapacityACU }} - {{- range $i, $tag := .Values.fleetshardSync.managedDB.sharedTags }} + value: {{ .Values.managedDB.maxCapacityACU }} + {{- range $i, $tag := .Values.managedDB.sharedTags }} - name: MANAGED_DB_TAGS_{{ $i }}_KEY value: {{ $tag.key | quote }} - name: MANAGED_DB_TAGS_{{ $i }}_VALUE value: {{ $tag.value | quote }} {{- end }} - name: SECRET_ENCRYPTION_TYPE - value: {{ .Values.fleetshardSync.secretEncryption.type | quote }} + value: {{ .Values.secretEncryption.type | quote }} - name: SECRET_ENCRYPTION_KEY_ID - value: {{ .Values.fleetshardSync.secretEncryption.keyID | quote }} + value: {{ 
.Values.secretEncryption.keyID | quote }} {{- end }} - name: AWS_REGION - value: {{ .Values.fleetshardSync.aws.region }} + value: {{ .Values.aws.region }} - name: AWS_ROLE_ARN - value: {{ .Values.fleetshardSync.aws.roleArn | quote }} + value: {{ .Values.aws.roleArn | quote }} - name: TELEMETRY_STORAGE_ENDPOINT - value: {{ .Values.fleetshardSync.telemetry.storage.endpoint | quote }} + value: {{ .Values.telemetry.storage.endpoint | quote }} - name: TELEMETRY_STORAGE_KEY valueFrom: secretKeyRef: name: fleetshard-sync key: "telemetry-storage-key" - {{- if .Values.fleetshardSync.aws.enableTokenAuth }} + {{- if .Values.aws.enableTokenAuth }} - name: AWS_WEB_IDENTITY_TOKEN_FILE value: "/var/run/secrets/tokens/aws-token" {{- else }} 
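Review bot: `OCM_TOKEN` and `STATIC_TOKEN` are still rendered as plain `value:` fields from `.Values.ocmToken` and `.Values.staticToken`, so credentials land in the Deployment spec, the Helm release record and anything that dumps the rendered manifest, while `TELEMETRY_STORAGE_KEY` in the same hunk already reads from the `fleetshard-sync` Secret through `secretKeyRef`. The commit only renames the value paths, but since these lines are rewritten anyway, sourcing both tokens via `valueFrom.secretKeyRef` would keep them out of the pod spec. At minimum pipe both through `| quote` like the neighbouring fields: an empty value currently renders as a YAML null, and a token containing `: ` or `#` would break the manifest. The hunk ends inside the `env` list, so the enclosing container block continues outside it.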
@@ -127,39 +127,39 @@ spec: key: "aws-secret-access-key" {{- end }} - name: RHACS_GITOPS_ENABLED - value: {{ .Values.fleetshardSync.gitops.enabled | quote }} + value: {{ .Values.gitops.enabled | quote }} - name: RHACS_TARGETED_OPERATOR_UPGRADES - value: {{ .Values.fleetshardSync.targetedOperatorUpgrades.enabled | quote }} + value: {{ .Values.targetedOperatorUpgrades.enabled | quote }} - name: RHACS_ADDON_AUTO_UPGRADE - value: {{ .Values.fleetshardSync.addonAutoUpgradeEnabled | quote }} + value: {{ .Values.addonAutoUpgradeEnabled | quote }} - name: FLEETSHARD_ADDON_NAME - value: {{ .Values.fleetshardSync.addonName | quote }} - {{- if eq "SERVICE_ACCOUNT_TOKEN" .Values.fleetshardSync.authType }} + value: {{ .Values.addonName | quote }} + {{- if eq "SERVICE_ACCOUNT_TOKEN" .Values.authType }} - name: FLEET_MANAGER_TOKEN_FILE value: "/var/run/secrets/tokens/fleet-manager-token" {{- end }} - {{- if .Values.fleetshardSync.tenantImagePullSecret.name }} + {{- if .Values.tenantImagePullSecret.name }} - name: TENANT_IMAGE_PULL_SECRET valueFrom: secretKeyRef: - name: {{ .Values.fleetshardSync.tenantImagePullSecret.name | quote }} - key: {{ .Values.fleetshardSync.tenantImagePullSecret.key | quote }} + name: {{ .Values.tenantImagePullSecret.name | quote }} + key: {{ .Values.tenantImagePullSecret.key | quote }} {{- end }} - name: RHACS_PRINT_CENTRAL_UPDATE_DIFF - value: {{ .Values.fleetshardSync.printCentralUpdateDiff | quote }} + value: {{ .Values.printCentralUpdateDiff | quote }} - name: ARGOCD_NAMESPACE - value: {{ .Values.fleetshardSync.argoCdNamespace | quote }} - {{- if .Values.fleetshardSync.gitops.tenantDefaultAppSourceRepoUrl }} + value: {{ .Values.argoCdNamespace | quote }} + {{- if .Values.gitops.tenantDefaultAppSourceRepoUrl }} - name: TENANT_DEFAULT_ARGOCD_APP_SOURCE_REPO_URL - value: {{ .Values.fleetshardSync.gitops.tenantDefaultAppSourceRepoUrl | quote }} + value: {{ .Values.gitops.tenantDefaultAppSourceRepoUrl | quote }} {{- end }} - {{- if 
.Values.fleetshardSync.gitops.tenantDefaultAppSourceTargetRevision }} + {{- if .Values.gitops.tenantDefaultAppSourceTargetRevision }} - name: TENANT_DEFAULT_ARGOCD_APP_SOURCE_TARGET_REVISION - value: {{ .Values.fleetshardSync.gitops.tenantDefaultAppSourceTargetRevision | quote }} + value: {{ .Values.gitops.tenantDefaultAppSourceTargetRevision | quote }} {{- end }} - {{- if .Values.fleetshardSync.gitops.tenantDefaultAppSourcePath }} + {{- if .Values.gitops.tenantDefaultAppSourcePath }} - name: TENANT_DEFAULT_ARGOCD_APP_SOURCE_PATH - value: {{ .Values.fleetshardSync.gitops.tenantDefaultAppSourcePath | quote }} + value: {{ .Values.gitops.tenantDefaultAppSourcePath | quote }} {{- end }} volumeMounts: - mountPath: /var/run/secrets/tokens @@ -167,7 +167,7 @@ spec: ports: - name: monitoring containerPort: 8080 - {{- with .Values.fleetshardSync.resources }} + {{- with .Values.resources }} resources: {{- toYaml . | nindent 10 }} {{- end }} volumes: @@ -178,7 +178,7 @@ spec: path: aws-token audience: sts.amazonaws.com expirationSeconds: 3600 - {{- if eq "SERVICE_ACCOUNT_TOKEN" .Values.fleetshardSync.authType }} + {{- if eq "SERVICE_ACCOUNT_TOKEN" .Values.authType }} - serviceAccountToken: path: fleet-manager-token audience: acs-fleet-manager-private-api diff --git a/dp-terraform/helm/rhacs-terraform/templates/fleetshard-sync-rbac.yaml b/deploy/charts/fleetshard-sync/templates/rbac.yaml similarity index 100% rename from dp-terraform/helm/rhacs-terraform/templates/fleetshard-sync-rbac.yaml rename to deploy/charts/fleetshard-sync/templates/rbac.yaml diff --git a/dp-terraform/helm/rhacs-terraform/templates/fleetshard-sync-secret.yaml b/deploy/charts/fleetshard-sync/templates/secret.yaml similarity index 80% rename from dp-terraform/helm/rhacs-terraform/templates/fleetshard-sync-secret.yaml rename to deploy/charts/fleetshard-sync/templates/secret.yaml index 33fca2a3b7..590098759a 100644 --- a/dp-terraform/helm/rhacs-terraform/templates/fleetshard-sync-secret.yaml 
+++ b/deploy/charts/fleetshard-sync/templates/secret.yaml @@ -1,4 +1,4 @@ -{{- if and (.Capabilities.APIVersions.Has "external-secrets.io/v1beta1") .Values.global.createExternalSecrets }} +{{- if and (.Capabilities.APIVersions.Has "external-secrets.io/v1beta1") .Values.createExternalSecrets }} apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret metadata: @@ -6,7 +6,7 @@ metadata: namespace: {{ .Release.Namespace }} spec: secretStoreRef: - name: {{ .Values.global.secretStore.aws.secretsManagerSecretStoreName }} + name: {{ .Values.secretStore.aws.secretsManagerSecretStoreName }} kind: ClusterSecretStore target: name: fleetshard-sync @@ -16,7 +16,7 @@ spec: remoteRef: key: "fleetshard-sync" property: "telemetry_storage_key" - {{- if not .Values.fleetshardSync.aws.enableTokenAuth }} + {{- if not .Values.aws.enableTokenAuth }} - secretKey: aws-access-key-id # pragma: allowlist secret remoteRef: key: "fleetshard-sync" @@ -26,7 +26,7 @@ spec: key: "fleetshard-sync" property: "aws_secret_access_key" {{- end }} -{{- with .Values.fleetshardSync.tenantImagePullSecret }} +{{- with .Values.tenantImagePullSecret }} {{- if and .create .name }} --- apiVersion: external-secrets.io/v1beta1 @@ -36,7 +36,7 @@ metadata: namespace: {{ $.Release.Namespace }} spec: secretStoreRef: - name: {{ $.Values.global.secretStore.aws.secretsManagerSecretStoreName }} + name: {{ $.Values.secretStore.aws.secretsManagerSecretStoreName }} kind: ClusterSecretStore target: name: {{ .name }} diff --git a/deploy/charts/fleetshard-sync/values.yaml b/deploy/charts/fleetshard-sync/values.yaml new file mode 100644 index 0000000000..3f2e3f7fd6 --- /dev/null +++ b/deploy/charts/fleetshard-sync/values.yaml 
@@ -0,0 +1,69 @@ +image: + # can be either a full image reference represented by `ref` or a combination of `repo:tag`. `ref` has a higher priority (if set). + ref: "" + repo: "quay.io/redhat-services-prod/acscs-rhacs-tenant/acscs-main/acs-fleet-manager" + tag: "latest" +# Can be either STATIC_TOKEN or SERVICE_ACCOUNT_TOKEN. By default, uses SERVICE_ACCOUNT_TOKEN. +authType: "SERVICE_ACCOUNT_TOKEN" +# OCM refresh token, only required in combination with authType=OCM. +ocmToken: "" +fleetManagerEndpoint: "" +clusterId: "" +clusterName: "" +environment: "" +# Flag controlling whether tenant's sso.redhat.com auth provider will be initialised by fleetshard-sync. +# Currently, this functionality is supported only when fleetshard-sync is deployed in the same k8s cluster as tenant. +createAuthProvider: true +# Static token, only required in combination with authType=STATIC_TOKEN. +# Static token can be issued by the kubernetes issuer with the following command: +# $ kubectl create token -n rhacs fleetshard-sync --audience acs-fleet-manager-private-api +staticToken: "" +auditLogs: + enabled: true + skipTLSVerify: true +managedDB: + enabled: true + subnetGroup: "" + securityGroup: "" + performanceInsights: true + sharedTags: [] +secretEncryption: + type: kms # local or kms + keyID: "" +aws: + region: "" + roleArn: "" + enableTokenAuth: true +telemetry: + storage: + endpoint: "" +resources: + requests: + cpu: "500m" + memory: "512Mi" + limits: + cpu: "500m" + memory: "512Mi" +gitops: + enabled: false + tenantDefaultAppSourceRepoUrl: "" + tenantDefaultAppSourceTargetRevision: "" + tenantDefaultAppSourcePath: "" +targetedOperatorUpgrades: + enabled: false +affinity: {} +nodeSelector: {} +tolerations: [] +addonAutoUpgradeEnabled: true +addonName: acs-fleetshard +tenantImagePullSecret: + name: "" + key: .dockerconfigjson + create: false +printCentralUpdateDiff: false +argoCdNamespace: openshift-gitops + +createExternalSecrets: true +secretStore: + aws: + 
secretsManagerSecretStoreName: secrets-manager-secret-store # pragma: allowlist secret diff --git a/dp-terraform/test/helm_template_test.go b/deploy/test/fleetshard_sync_chart_test.go similarity index 82% rename from dp-terraform/test/helm_template_test.go rename to deploy/test/fleetshard_sync_chart_test.go index 6479d63edf..426c7d4b1d 100644 --- a/dp-terraform/test/helm_template_test.go +++ b/deploy/test/fleetshard_sync_chart_test.go @@ -16,8 +16,8 @@ func TestHelmTemplate_FleetshardSyncDeployment_ServiceAccountTokenAuthType(t *te t.Parallel() deployment := unmarshalFleetshardSyncDeployment(t, map[string]string{ - "fleetshardSync.managedDB.enabled": "false", - "fleetshardSync.authType": "SERVICE_ACCOUNT_TOKEN", + "managedDB.enabled": "false", + "authType": "SERVICE_ACCOUNT_TOKEN", }) container := deployment.Spec.Template.Spec.Containers[0] @@ -40,7 +40,7 @@ func TestHelmTemplate_FleetshardSyncDeployment_ServiceAccountTokenAuthType(t *te } func renderTemplate(t *testing.T, values map[string]string, template string) string { - helmChartPath, err := filepath.Abs("../helm/rhacs-terraform") + helmChartPath, err := filepath.Abs("../charts/fleetshard-sync") releaseName := "rhacs-terraform" require.NoError(t, err) @@ -59,7 +59,7 @@ func renderTemplate(t *testing.T, values map[string]string, template string) str } func unmarshalFleetshardSyncDeployment(t *testing.T, values map[string]string) appsv1.Deployment { - output := renderTemplate(t, values, "templates/fleetshard-sync.yaml") + output := renderTemplate(t, values, "templates/deployment.yaml") var deployment appsv1.Deployment helm.UnmarshalK8SYaml(t, output, &deployment) return deployment 
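Review bot: The new defaults ship two settings that weaken security out of the box: `auditLogs.skipTLSVerify: true` disables certificate verification for audit-log delivery, and `image.tag: "latest"` combined with the deployment's `imagePullPolicy: IfNotPresent` means a node keeps running whichever `latest` it pulled first, with no record of which build that was. Default `skipTLSVerify` to `false` and either pin `tag` to a concrete build or leave it empty so callers must set `ref`, and add a comment on `skipTLSVerify` such as `# Disables TLS verification for the audit-log sink; only set to true for local development.` The `ocmToken` comment says the token is needed "in combination with authType=OCM", but the `authType` comment two lines above lists only `STATIC_TOKEN` and `SERVICE_ACCOUNT_TOKEN`, so one of the two comments is stale.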
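Review bot: `releaseName := "rhacs-terraform"` in `renderTemplate` keeps the old chart's name even though the line above now points the chart path at `../charts/fleetshard-sync` and the Makefile in this commit installs the release as `fleetshard-sync`. Any template that uses `.Release.Name` would render differently under test than in a real install; change the line to `releaseName := "fleetshard-sync"`. `renderTemplate` continues past the end of the hunk.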
@@ -110,14 +110,14 @@ func TestHelmTemplate_FleetshardSyncDeployment_Tenant(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { values := map[string]string{ - "fleetshardSync.managedDB.enabled": "false", + "managedDB.enabled": "false", } if tt.secretName != "" { - values["fleetshardSync.tenantImagePullSecret.name"] = tt.secretName + values["tenantImagePullSecret.name"] = tt.secretName } if tt.key != "" { - values["fleetshardSync.tenantImagePullSecret.key"] = tt.key + values["tenantImagePullSecret.key"] = tt.key } deployment := unmarshalFleetshardSyncDeployment(t, values) @@ -177,17 +177,17 @@ func TestHelmTemplate_FleetshardSyncDeployment_Image(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { values := map[string]string{ - "fleetshardSync.managedDB.enabled": "false", + "managedDB.enabled": "false", } if tt.repo != "" { - values["fleetshardSync.image.repo"] = tt.repo + values["image.repo"] = tt.repo } if tt.tag != "" { - values["fleetshardSync.image.tag"] = tt.tag + values["image.tag"] = tt.tag } if tt.ref != "" { - values["fleetshardSync.image.ref"] = tt.ref + values["image.ref"] = tt.ref } deployment := unmarshalFleetshardSyncDeployment(t, values) 
@@ -236,14 +236,14 @@ func TestHelmTemplate_FleetshardSync_ImagePullSecret(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { values := map[string]string{ - "fleetshardSync.managedDB.enabled": "false", - "fleetshardSync.tenantImagePullSecret.create": tt.createPullSecret, + "managedDB.enabled": "false", + "tenantImagePullSecret.create": tt.createPullSecret, } if tt.pullSecret != "" { - values["fleetshardSync.tenantImagePullSecret.name"] = tt.pullSecret // pragma: allowlist secret + values["tenantImagePullSecret.name"] = tt.pullSecret // pragma: allowlist secret } - output := renderTemplate(t, values, "templates/fleetshard-sync-secret.yaml") + output := renderTemplate(t, values, "templates/secret.yaml") allRange := strings.Split(output, "---") for _, rawOutput := range allRange[1:] { var secret corev1.Secret 
@@ -270,22 +270,22 @@ func TestHelmTemplate_FleetshardSyncDeployment_ManagedDBTags(t *testing.T) { { name: "should not add env vars if managedDB is disabled", values: map[string]string{ - "fleetshardSync.managedDB.enabled": "false", - "fleetshardSync.managedDB.sharedTags[0].key": "tag1", - "fleetshardSync.managedDB.sharedTags[0].value": "value1", + "managedDB.enabled": "false", + "managedDB.sharedTags[0].key": "tag1", + "managedDB.sharedTags[0].value": "value1", }, wantNoEnvs: []string{"MANAGED_DB_TAGS_0_KEY", "MANAGED_DB_TAGS_0_VALUE"}, }, { name: "should add env vars if managedDB is enabled", values: map[string]string{ - "fleetshardSync.managedDB.enabled": "true", - "fleetshardSync.managedDB.subnetGroup": "dummy-subnet-group", - "fleetshardSync.managedDB.securityGroup": "dummy-security-group", - "fleetshardSync.managedDB.sharedTags[0].key": "tag1", - "fleetshardSync.managedDB.sharedTags[0].value": "value1", - "fleetshardSync.managedDB.sharedTags[1].key": "tag2", - "fleetshardSync.managedDB.sharedTags[1].value": "value2", + "managedDB.enabled": "true", + "managedDB.subnetGroup": "dummy-subnet-group", + "managedDB.securityGroup": "dummy-security-group", + "managedDB.sharedTags[0].key": "tag1", + "managedDB.sharedTags[0].value": "value1", + "managedDB.sharedTags[1].key": "tag2", + "managedDB.sharedTags[1].value": "value2", }, wantEnvs: map[string]string{ "MANAGED_DB_TAGS_0_KEY": "tag1", 
@@ -297,9 +297,9 @@ func TestHelmTemplate_FleetshardSyncDeployment_ManagedDBTags(t *testing.T) { { name: "should not add env vars if managedDB is enabled but no tags are provided", values: map[string]string{ - "fleetshardSync.managedDB.enabled": "true", - "fleetshardSync.managedDB.subnetGroup": "dummy-subnet-group", - "fleetshardSync.managedDB.securityGroup": "dummy-security-group", + "managedDB.enabled": "true", + "managedDB.subnetGroup": "dummy-subnet-group", + "managedDB.securityGroup": "dummy-security-group", }, wantNoEnvs: []string{"MANAGED_DB_TAGS_0_KEY", "MANAGED_DB_TAGS_0_VALUE"}, }, diff --git a/dev/env/defaults/00-defaults.env b/dev/env/defaults/00-defaults.env index 66887237e3..beb23c7b3d 100644 --- a/dev/env/defaults/00-defaults.env +++ b/dev/env/defaults/00-defaults.env @@ -39,9 +39,6 @@ export DUMP_LOGS_DEFAULT="false" export SKIP_TESTS_DEFAULT="false" export ENABLE_CENTRAL_EXTERNAL_DOMAIN_DEFAULT=false -export FLEETSHARD_SYNC_RESOURCES_DEFAULT='{"requests":{"cpu":"200m","memory":"300Mi"},"limits":{"cpu":"200m","memory":"300Mi"}}' -export EMAIL_SENDER_RESOURCES_DEFAULT='{"requests":{"cpu":"200m","memory":"300Mi"},"limits":{"cpu":"200m","memory":"300Mi"}}' - export ENABLE_EXTERNAL_CONFIG_DEFAULT="true" export AWS_AUTH_HELPER_DEFAULT="" diff --git a/dev/env/defaults/cluster-type-infra-openshift/env b/dev/env/defaults/cluster-type-infra-openshift/env index 7b36211c4d..2d7e238056 100644 --- a/dev/env/defaults/cluster-type-infra-openshift/env +++ b/dev/env/defaults/cluster-type-infra-openshift/env @@ -1,4 +1,3 @@ -export FLEETSHARD_SYNC_RESOURCES_DEFAULT='{"requests":{"cpu":"400m","memory":"1000Mi"},"limits":{"cpu":"400m","memory":"1000Mi"}}' export EXPOSE_OPENSHIFT_ROUTER_DEFAULT="true" export ENABLE_EXTERNAL_CONFIG_DEFAULT="true" export AWS_AUTH_HELPER_DEFAULT="aws-saml" diff --git a/dev/env/defaults/cluster-type-openshift-ci/env b/dev/env/defaults/cluster-type-openshift-ci/env index 0c600101da..7f3871cbc0 100644 
--- a/dev/env/defaults/cluster-type-openshift-ci/env +++ b/dev/env/defaults/cluster-type-openshift-ci/env @@ -2,5 +2,3 @@ export SPAWN_LOGGER_DEFAULT="true" export DUMP_LOGS_DEFAULT="true" export GOTESTSUM="/usr/local/bin/gotestsum" export ENABLE_CENTRAL_EXTERNAL_DOMAIN=true -# To be adjusted for runnign in OpenShift CI -# export FLEETSHARD_SYNC_RESOURCES_DEFAULT='{"requests":{"cpu":"200m","memory":"300Mi"},"limits":{"cpu":"200m","memory":"300Mi"}}' diff --git a/dev/env/manifests/external-secrets/secretstore/01-clustersecretstore.yaml b/dev/env/manifests/external-secrets/01-clustersecretstore.yaml similarity index 100% rename from dev/env/manifests/external-secrets/secretstore/01-clustersecretstore.yaml rename to dev/env/manifests/external-secrets/01-clustersecretstore.yaml diff --git a/dev/env/manifests/external-secrets/secretstore/02-aws-secret.yaml b/dev/env/manifests/external-secrets/02-aws-secret.yaml similarity index 100% rename from dev/env/manifests/external-secrets/secretstore/02-aws-secret.yaml rename to dev/env/manifests/external-secrets/02-aws-secret.yaml diff --git a/dev/env/manifests/external-secrets/application/00-application.yaml b/dev/env/manifests/external-secrets/application/00-application.yaml deleted file mode 100644 index 90277c6cf4..0000000000 --- a/dev/env/manifests/external-secrets/application/00-application.yaml +++ /dev/null 
@@ -1,30 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: rhacs-external-secrets - namespace: "$ARGOCD_NAMESPACE" -spec: - destination: - namespace: rhacs-external-secrets - server: https://kubernetes.default.svc - project: default - syncPolicy: - automated: - prune: true - selfHeal: true - syncOptions: - - CreateNamespace=true - managedNamespaceMetadata: - labels: - argocd.argoproj.io/managed-by: "$ARGOCD_NAMESPACE" - app.kubernetes.io/managed-by: "$ARGOCD_NAMESPACE" - retry: - limit: -1 # number of failed sync attempt retries; unlimited number of attempts if less than 0 - backoff: - duration: 5s # the amount to back off. Default unit is seconds, but could also be a duration (e.g. "2m", "1h") - factor: 2 # a factor to multiply the base duration after each failed retry - maxDuration: 3m # the maximum amount of time allowed for the backoff strategy - source: - chart: external-secrets - repoURL: https://charts.external-secrets.io - targetRevision: "$EXTERNAL_SECRETS_VERSION" diff --git a/dev/env/manifests/fleetshard-operator/01-fleetshard-crd.yaml b/dev/env/manifests/fleetshard-operator/01-fleetshard-crd.yaml deleted file mode 100644 index ff20f1b15f..0000000000 --- a/dev/env/manifests/fleetshard-operator/01-fleetshard-crd.yaml +++ /dev/null 
@@ -1,39 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: fleetshards.cloud.stackrox.io -spec: - group: cloud.stackrox.io - names: - kind: Fleetshard - listKind: FleetshardList - plural: fleetshards - singular: fleetshard - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: Fleetshard is the Schema for the fleetshard API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Spec defines the desired state of Fleetshard - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} diff --git a/dev/env/manifests/fleetshard-operator/07-serviceaccount.yaml b/dev/env/manifests/fleetshard-operator/07-serviceaccount.yaml deleted file mode 100644 index a07ba2d295..0000000000 --- a/dev/env/manifests/fleetshard-operator/07-serviceaccount.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: acs-fleetshard-operator - namespace: "$ACSCS_NAMESPACE" diff --git a/dev/env/manifests/fleetshard-operator/15-clusterrole.yaml b/dev/env/manifests/fleetshard-operator/15-clusterrole.yaml deleted file mode 100644 index cd822802a0..0000000000 --- a/dev/env/manifests/fleetshard-operator/15-clusterrole.yaml +++ /dev/null 
@@ -1,37 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: acs-fleetshard -rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - '*' - - apiGroups: - - cloud.stackrox.io - resources: - - fleetshards - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - cloud.stackrox.io - resources: - - fleetshards/finalizers - verbs: - - update - - apiGroups: - - cloud.stackrox.io - resources: - - fleetshards/status - verbs: - - get - - patch - - update diff --git a/dev/env/manifests/fleetshard-operator/17-clusterrolebinding.yaml b/dev/env/manifests/fleetshard-operator/17-clusterrolebinding.yaml deleted file mode 100644 index 03ece4135a..0000000000 --- a/dev/env/manifests/fleetshard-operator/17-clusterrolebinding.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: acs-fleetshard -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: acs-fleetshard -subjects: - - kind: ServiceAccount - name: acs-fleetshard-operator - namespace: rhacs diff --git a/dev/env/manifests/fleetshard-operator/19-role.yaml b/dev/env/manifests/fleetshard-operator/19-role.yaml deleted file mode 100644 index 2e75d7655e..0000000000 --- a/dev/env/manifests/fleetshard-operator/19-role.yaml +++ /dev/null @@ -1,47 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: acs-fleetshard - namespace: "$ACSCS_NAMESPACE" -rules: - - apiGroups: - - operators.coreos.com - resourceNames: - - acs-fleetshard - resources: - - operatorconditions - verbs: - - get - - update - - patch - - apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - "" - resources: - - events - verbs: - - create - - patch 
diff --git a/dev/env/manifests/fleetshard-operator/21-rolebinding.yaml b/dev/env/manifests/fleetshard-operator/21-rolebinding.yaml deleted file mode 100644 index 453f456f3c..0000000000 --- a/dev/env/manifests/fleetshard-operator/21-rolebinding.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: acs-fleetshard - namespace: "$ACSCS_NAMESPACE" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: acs-fleetshard -subjects: - - kind: ServiceAccount - name: acs-fleetshard-operator diff --git a/dev/env/manifests/fleetshard-operator/28-deployment.yaml b/dev/env/manifests/fleetshard-operator/28-deployment.yaml deleted file mode 100644 index ae7d544e0b..0000000000 --- a/dev/env/manifests/fleetshard-operator/28-deployment.yaml +++ /dev/null 
@@ -1,59 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: acs-fleetshard-operator - namespace: "$ACSCS_NAMESPACE" -spec: - progressDeadlineSeconds: 1800 - replicas: 1 - selector: - matchLabels: - name: acs-fleetshard-operator - template: - metadata: - labels: - name: acs-fleetshard-operator - annotations: - # Allows deployment to use image streams - alpha.image.policy.openshift.io/resolve-names: '*' - spec: - securityContext: - runAsNonRoot: true - containers: - - args: - - --leader-elect - - --leader-election-id=acs-fleetshard-operator - image: "${FLEETSHARD_OPERATOR_IMAGE}" - name: manager - env: - - name: WATCH_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: ADDON_NAME - value: acs-fleetshard-dev - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - resources: - limits: - memory: 256Mi - requests: - cpu: 10m - memory: 64Mi - serviceAccountName: acs-fleetshard-operator - terminationGracePeriodSeconds: 10 diff --git a/dev/env/manifests/fleetshard-operator/51-fleetshard-cr.yaml b/dev/env/manifests/fleetshard-operator/51-fleetshard-cr.yaml deleted file mode 100644 index 9f203c74d7..0000000000 --- a/dev/env/manifests/fleetshard-operator/51-fleetshard-cr.yaml +++ /dev/null 
@@ -1,36 +0,0 @@ -apiVersion: cloud.stackrox.io/v1alpha1 -kind: Fleetshard -metadata: - name: rhacs-terraform - namespace: "$ACSCS_NAMESPACE" -spec: - fleetshardSync: - image: - ref: "$FLEET_MANAGER_IMAGE" - authType: "SERVICE_ACCOUNT_TOKEN" - clusterId: "1234567890abcdef1234567890abcdef" # pragma: allowlist secret - clusterName: "acs-dev-dp-01" - environment: "dev" - fleetManagerEndpoint: "http://fleet-manager:8000" - argoCdNamespace: $ARGOCD_NAMESPACE - managedDB: - enabled: $MANAGED_DB_ENABLED - subnetGroup: "$MANAGED_DB_SUBNET_GROUP" - securityGroup: "$MANAGED_DB_SECURITY_GROUP" - aws: - region: "$AWS_REGION" - roleArn: "$AWS_ROLE_ARN" - gitops: - enabled: true - tenantDefaultAppSourceTargetRevision: "$ARGOCD_TENANT_APP_TARGET_REVISION" - targetedOperatorUpgrades: - enabled: true - secretEncryption: - type: "local" - tenantImagePullSecret: - name: "rhacs-registry" - nodeSelector: null - tolerations: null - addonAutoUpgradeEnabled: false - printCentralUpdateDiff: true - resources: $FLEETSHARD_SYNC_RESOURCES diff --git a/dev/env/manifests/fleetshard-sync/01-fleetshard-sync-secrets.yaml b/dev/env/manifests/fleetshard-sync/01-fleetshard-sync-secrets.yaml deleted file mode 100644 index dcb13904f7..0000000000 --- a/dev/env/manifests/fleetshard-sync/01-fleetshard-sync-secrets.yaml +++ /dev/null @@ -1,10 +0,0 @@ ---- -apiVersion: v1 -kind: Secret -metadata: - name: fleetshard-sync - namespace: "$ACSCS_NAMESPACE" -stringData: - aws-access-key-id: "${AWS_ACCESS_KEY_ID}" - aws-secret-access-key: "${AWS_SECRET_ACCESS_KEY}" - telemetry-storage-key: "${TELEMETRY_STORAGE_KEY}" diff --git a/dev/env/scripts/bootstrap.sh b/dev/env/scripts/bootstrap.sh index 628e48d791..caa05abd24 100755 --- a/dev/env/scripts/bootstrap.sh +++ b/dev/env/scripts/bootstrap.sh 
@@ -92,15 +92,19 @@ fi
 if [[ "$INSTALL_EXTERNAL_SECRETS" == "true" ]]; then # pragma: allowlist secret
 log "Installing External Secrets Operator"
- # The following sequence of actions avoids unnecessary waiting for apps, projects, webhooks to be created.
- # install CRDs first
- $KUBECTL apply -f "https://raw.githubusercontent.com/external-secrets/external-secrets/$EXTERNAL_SECRETS_VERSION/deploy/crds/bundle.yaml"
- # then install ClusterSecretStore. Do not wait for the webhook start.
- chamber exec external-secrets -- apply "${MANIFESTS_DIR}/external-secrets/secretstore"
- # have to wait for CRD when ArgoCD is installed via OLM
- wait_for_crd "applications.argoproj.io"
- # finally, install ESO ArgoCD app. Sync happens asynchronously.
- apply "${MANIFESTS_DIR}/external-secrets/application"
+
+ helm repo add external-secrets https://charts.external-secrets.io 2>/dev/null || true
+ helm repo update external-secrets
+
+ helm upgrade --install external-secrets \
+ external-secrets/external-secrets \
+ --version "$EXTERNAL_SECRETS_VERSION" \
+ --namespace rhacs-external-secrets \
+ --create-namespace \
+ --wait \
+ --timeout 5m
+
+ chamber exec external-secrets -- apply "${MANIFESTS_DIR}/external-secrets"
 else
 log "Skipping installation of External Secrets Operator"
 fi
diff --git a/dev/env/scripts/docker.sh b/dev/env/scripts/docker.sh
index e2ada83b19..8fc54312b1 100644
--- a/dev/env/scripts/docker.sh
+++ b/dev/env/scripts/docker.sh
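Review bot: `helm repo add external-secrets https://charts.external-secrets.io 2>/dev/null || true` hides every failure of the add, including the case where an `external-secrets` entry already exists but points at a different URL, in which case the following `helm repo update external-secrets` and the install pull from whatever was configured earlier. Helm has an explicit flag for the already-exists case that keeps real errors fatal: `helm repo add --force-update external-secrets https://charts.external-secrets.io`. Updating a single repository by name (`helm repo update external-secrets`) is only accepted by newer Helm releases, so a short comment stating the minimum Helm version this script assumes would save a debugging round on older tooling. The `if` block is fully inside the hunk.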
@@ -61,36 +61,6 @@ ensure_fleet_manager_image_exists() {
 fi
 }
-ensure_fleetshard_operator_image_exists() {
- if should_skip_image_build; then
- if [[ -z "${FLEETSHARD_OPERATOR_IMAGE:-}" ]]; then
- die "FLEET_MANAGER_IMAGE is not set"
- fi
- return
- fi
-
- if [[ -z "${FLEETSHARD_OPERATOR_IMAGE:-}" ]]; then
- FLEETSHARD_OPERATOR_IMAGE="fleetshard-operator:$(make -s tag)"
- export FLEETSHARD_OPERATOR_IMAGE
- if [[ "$CLUSTER_TYPE" == "infra-openshift" ]]; then
- if [[ -n "${RH_REGISTRY_USER:-}" && -n "${RH_REGISTRY_PW:-}" ]]; then
- make -C "${GITROOT}" docker/login/rh-registry
- fi
- log "Building fleetshard operator image ${FLEETSHARD_OPERATOR_IMAGE} and pushing it to internal registry"
- make -C "${GITROOT}" image/push/fleetshard-operator/internal
- else
- log "Building fleetshard operator image ${FLEETSHARD_OPERATOR_IMAGE}..."
- make -C "${GITROOT}" image/build/fleetshard-operator IMAGE_REF="${FLEETSHARD_OPERATOR_IMAGE}"
- if [[ "${CLUSTER_TYPE}" == "kind" ]]; then
- kind load docker-image "$FLEETSHARD_OPERATOR_IMAGE"
- fi
- if [[ "${CLUSTER_TYPE}" == "crc" ]]; then
- $DOCKER tag "$FLEETSHARD_OPERATOR_IMAGE" "${ACSCS_NAMESPACE}/$FLEETSHARD_OPERATOR_IMAGE"
- fi
- fi
- fi
-}
-
 should_skip_image_build() {
 if [[ "$CLUSTER_TYPE" == "openshift-ci" ]]; then
 return 0
diff --git a/dev/env/scripts/down.sh b/dev/env/scripts/down.sh
index 56c922c556..60c1a50556 100755
--- a/dev/env/scripts/down.sh
+++ b/dev/env/scripts/down.sh
@@ -15,9 +15,7 @@ log "Stopping db port-forwarding..."
 port-forwarding stop fleet-manager-db 5432 || true
 log "Cleanup files..."
-make -C "${GITROOT}" undeploy
-delete "${MANIFESTS_DIR}/fleetshard-operator" || true
-delete "${MANIFESTS_DIR}/fleetshard-sync" || true
+make -C "${GITROOT}" undeploy undeploy/fleetshard-sync
 log "Cleanup namespaces..."
 delete_tenant_namespaces
diff --git a/dev/env/scripts/lib.sh b/dev/env/scripts/lib.sh
index 818cf0adc5..f604cf1ba6 100644
--- a/dev/env/scripts/lib.sh
+++ b/dev/env/scripts/lib.sh
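Review bot: In the down.sh hunk, `make -C "${GITROOT}" undeploy undeploy/fleetshard-sync` drops the `|| true` tolerance that the two removed `delete` calls had, so a failing `undeploy/fleetshard-sync` (for instance a release that was never installed because `up.sh` aborted early) now stops the script before `delete_tenant_namespaces` runs, if down.sh executes under `set -e` as the `|| true` on the port-forwarding line suggests. Keeping the previous semantics is two lines: `make -C "${GITROOT}" undeploy` followed by `make -C "${GITROOT}" undeploy/fleetshard-sync || true`. If the Makefile target is already idempotent on a missing release, a comment saying so next to the call would make the intent clear.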
@@ -100,19 +100,14 @@ init() {
 export DUMP_LOGS=${DUMP_LOGS:-$DUMP_LOGS_DEFAULT}
 export ENABLE_DB_PORT_FORWARDING=${ENABLE_DB_PORT_FORWARDING:-$ENABLE_DB_PORT_FORWARDING_DEFAULT}
 export ENABLE_FM_PORT_FORWARDING=${ENABLE_FM_PORT_FORWARDING:-$ENABLE_FM_PORT_FORWARDING_DEFAULT}
- export FLEETSHARD_SYNC_RESOURCES=${FLEETSHARD_SYNC_RESOURCES:-$FLEETSHARD_SYNC_RESOURCES_DEFAULT}
 export SKIP_TESTS=${SKIP_TESTS:-$SKIP_TESTS_DEFAULT}
 export ENABLE_CENTRAL_EXTERNAL_DOMAIN=${ENABLE_CENTRAL_EXTERNAL_DOMAIN:-$ENABLE_CENTRAL_EXTERNAL_DOMAIN_DEFAULT}
 export FLEET_MANAGER_IMAGE=${FLEET_MANAGER_IMAGE:-$FLEET_MANAGER_IMAGE_DEFAULT}
 export ENABLE_EMAIL_SENDER=${ENABLE_EMAIL_SENDER:-$ENABLE_EMAIL_SENDER_DEFAULT}
 export EMAIL_SENDER_IMAGE=${EMAIL_SENDER_IMAGE:-$EMAIL_SENDER_IMAGE_DEFAULT}
- export EMAIL_SENDER_RESOURCES=${EMAIL_SENDER_RESOURCES:-$EMAIL_SENDER_RESOURCES_DEFAULT}
 export MANAGED_DB_ENABLED=${MANAGED_DB_ENABLED:-$MANAGED_DB_ENABLED_DEFAULT}
 export ARGOCD_TENANT_APP_TARGET_REVISION=${ARGOCD_TENANT_APP_TARGET_REVISION:-$ARGOCD_TENANT_APP_TARGET_REVISION_DEFAULT}
- FLEETSHARD_SYNC_CONTAINER_COMMAND_DEFAULT="/usr/local/bin/fleetshard-sync"
- export FLEETSHARD_SYNC_CONTAINER_COMMAND=${FLEETSHARD_SYNC_CONTAINER_COMMAND:-$FLEETSHARD_SYNC_CONTAINER_COMMAND_DEFAULT}
-
 if [[ "$FLEET_MANAGER_IMAGE" == "" ]]; then
 FLEET_MANAGER_IMAGE=$(make -s -C "$GITROOT" full-image-tag)
 log "FLEET_MANAGER_IMAGE not set, using ${FLEET_MANAGER_IMAGE}"
@@ -168,13 +163,10 @@ SPAWN_LOGGER: ${SPAWN_LOGGER}
 DUMP_LOGS: ${DUMP_LOGS}
 ENABLE_DB_PORT_FORWARDING: ${ENABLE_DB_PORT_FORWARDING}
 ENABLE_FM_PORT_FORWARDING: ${ENABLE_FM_PORT_FORWARDING}
-FLEETSHARD_SYNC_RESOURCES: ${FLEETSHARD_SYNC_RESOURCES}
 SKIP_TESTS: ${SKIP_TESTS}
 ENABLE_CENTRAL_EXTERNAL_DOMAIN: ${ENABLE_CENTRAL_EXTERNAL_DOMAIN}
 FLEET_MANAGER_IMAGE: ${FLEET_MANAGER_IMAGE}
-FLEETSHARD_SYNC_CONTAINER_COMMAND: ${FLEETSHARD_SYNC_CONTAINER_COMMAND}
 EMAIL_SENDER_IMAGE: ${EMAIL_SENDER_IMAGE}
-EMAIL_SENDER_RESOURCES: ${EMAIL_SENDER_RESOURCES}
 PATH: ${PATH}
 EOF
 }
diff --git a/dev/env/scripts/up.sh b/dev/env/scripts/up.sh
index 0b273341d6..4f108a6012 100755
--- a/dev/env/scripts/up.sh
+++ b/dev/env/scripts/up.sh
@@ -29,7 +29,6 @@ KUBE_CONFIG=$(assemble_kubeconfig | yq e . -o=json - | jq -c . -)
 export KUBE_CONFIG
 ensure_fleet_manager_image_exists
-ensure_fleetshard_operator_image_exists
 # Apply cluster type specific manifests, if any.
 if [[ -d "${MANIFESTS_DIR}/cluster-type-${CLUSTER_TYPE}" ]]; then
@@ -68,8 +67,7 @@ if [[ -z "${DATAPLANE_ONLY}" ]]; then
 fi
 log "Deploying fleetshard-sync"
-exec_fleetshard_sync.sh apply "${MANIFESTS_DIR}/fleetshard-sync"
-apply "${MANIFESTS_DIR}/fleetshard-operator"
+make -C "$GITROOT" deploy/fleetshard-sync
 wait_for_container_to_appear "$ACSCS_NAMESPACE" "app=fleetshard-sync" "fleetshard-sync"
 if [[ "$SPAWN_LOGGER" == "true" && -n "${LOG_DIR:-}" ]]; then
diff --git a/dev/env/values/fleetshard-sync/values.yaml b/dev/env/values/fleetshard-sync/values.yaml
new file mode 100644
index 0000000000..faf3440fbd
--- /dev/null
+++ b/dev/env/values/fleetshard-sync/values.yaml
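Review bot: In the second up.sh hunk, `make -C "$GITROOT" deploy/fleetshard-sync` replaces `exec_fleetshard_sync.sh apply ...`, and elsewhere in this diff the manifest `dev/env/manifests/fleetshard-sync/01-fleetshard-sync-secrets.yaml`, which turned `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and `TELEMETRY_STORAGE_KEY` into the `fleetshard-sync` Secret, is deleted; nothing visible here shows how those values now reach the chart, and the new `dev/env/values/fleetshard-sync/values.yaml` does not carry them. If the make target (outside this diff) is expected to inject them, a one-line comment above this call naming where the credentials are wired would document the new contract; if not, the dev deployment has lost them silently. Quoting is also inconsistent with the rest of the script, which writes `"${GITROOT}"`.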
@@ -0,0 +1,23 @@
+clusterId: "1234567890abcdef1234567890abcdef" # pragma: allowlist secret
+clusterName: "acs-dev-dp-01"
+environment: "dev"
+fleetManagerEndpoint: "http://fleet-manager:8000"
+gitops:
+ enabled: true
+targetedOperatorUpgrades:
+ enabled: true
+secretEncryption:
+ type: "local"
+tenantImagePullSecret:
+ name: "rhacs-registry"
+addonAutoUpgradeEnabled: false
+printCentralUpdateDiff: true
+resources:
+ requests:
+ cpu: 200m
+ memory: 300Mi
+ limits:
+ cpu: 200m
+ memory: 300Mi
+managedDB:
+ enabled: false
diff --git a/dp-terraform/helm/rhacs-terraform/.gitignore b/dp-terraform/helm/rhacs-terraform/.gitignore
deleted file mode 100644
index 7c2f4cd7b7..0000000000
--- a/dp-terraform/helm/rhacs-terraform/.gitignore
+++ /dev/null
@@ -1,2 +0,0 @@
-# Ignore downloaded external Helm bundles, built with `helm dependencies build`.
-*.tgz
diff --git a/dp-terraform/helm/rhacs-terraform/Chart.lock b/dp-terraform/helm/rhacs-terraform/Chart.lock
deleted file mode 100644
index 405996e28f..0000000000
--- a/dp-terraform/helm/rhacs-terraform/Chart.lock
+++ /dev/null
@@ -1,3 +0,0 @@
-dependencies: []
-digest: sha256:643d5437104296e21d906ecb15b2c96ad278f20cfc4af53b12bb6069bd853726
-generated: "2025-10-08T13:55:06.652931+02:00"
diff --git a/dp-terraform/helm/rhacs-terraform/README.md b/dp-terraform/helm/rhacs-terraform/README.md
deleted file mode 100644
index dc84516919..0000000000
--- a/dp-terraform/helm/rhacs-terraform/README.md
+++ /dev/null
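Review bot: `managedDB.enabled: false` is a fixed value in this values file, while `init()` in dev/env/scripts/lib.sh (earlier in this diff) still exports `MANAGED_DB_ENABLED` and `ARGOCD_TENANT_APP_TARGET_REVISION`, which the deleted `51-fleetshard-cr.yaml` consumed together with `ARGOCD_NAMESPACE`, `AWS_REGION`, `AWS_ROLE_ARN` and the managed-DB subnet/security-group settings. Unless the `deploy/fleetshard-sync` make target layers those on with `--set` (the target is not part of this diff), the exports have become dead knobs and the dev environment loses the managed-DB and gitops revision settings without any error. Either wire them through the target or drop the exports from `init()`, and give this file a header such as `# Dev-only defaults for deploy/charts/fleetshard-sync, applied by dev/env/scripts/up.sh` so readers know it is not the full value set a real cluster needs.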
@@ -1,70 +0,0 @@ -# Data plane terraform Helm chart - -Chart to terraform data plane OSD clusters. - -## Usage - -**Prepare environment variables** - -The env var `FM_ENDPOINT` should point to an endpoint for the fleet manager. An option to use a fleet manager instance running in your laptop is to [setup ngrok](https://ngrok.com/docs/getting-started), launch the fleet manager, and run `ngrok http 8000` to expose it to the internet. That commands outputs an endpoint that you can use for `FM_ENDPOINT`. -To get the cluster id for staging look for `cluster_id` in `dev/config/dataplane-cluster-configuration-staging.yaml` file. Export that value to environment variable `export CLUSTER_ID=""`. - -The FLEETSHARD_SYNC__ environment variables can be used to override the default values for the fleetshard-sync container resource requests and limits. See the `terraform_cluster.sh` for the current default values. - -**Create values file** - -Create a file `~/acs-terraform-values.yaml` with the values for the parameters in [values.yaml](./values.yaml) that are missing or that you want to override. That file will contain credentials, so make sure you put it in a safe location, and with suitable permissions. - -**Render the chart to see the generated templates during development** - -```bash -helm template rhacs-terraform \ - --debug \ - --namespace rhacs \ - --values ~/acs-terraform-values.yaml \ - --set fleetshardSync.ocmToken=$(ocm token --refresh) \ - --set fleetshardSync.fleetManagerEndpoint=${FM_ENDPOINT} \ - --set fleetshardSync.clusterId=${CLUSTER_ID} \ - --set acsOperator.enabled=true . -``` - -**Install the chart** - -```bash -helm install rhacs-terraform \ - --namespace rhacs \ - --create-namespace \ - --values ~/acs-terraform-values.yaml \ - --set fleetshardSync.ocmToken=$(ocm token --refresh) \ - --set fleetshardSync.fleetManagerEndpoint=${FM_ENDPOINT} \ - --set fleetshardSync.clusterId=${CLUSTER_ID} \ - --set acsOperator.enabled=true . 
-``` - -**Update the helm release (re-terraform data plane cluster)** - -1. Get values used for the latest terraforming -``` -helm get values rhacs-terraform --namespace rhacs > ~/re-terraform-dp-cluster-values.yaml -``` -2. Adjust values in the values file `~/re-terraform-dp-cluster.yaml` accordingly -3. Check changes with the diff plugin -``` -# To install diff plugin please check documentation here: [https://github.com/databus23/helm-diff](https://github.com/databus23/helm-diff) -# TL;DR: -helm plugin install https://github.com/databus23/helm-diff - -helm diff upgrade rhacs-terraform --namespace rhacs --values ~/re-terraform-dp-cluster-values.yaml . -``` -4. Update the helm release -``` -helm upgrade rhacs-terraform --namespace rhacs --values ~/re-terraform-dp-cluster-values.yaml . -``` - -**Uninstall the chart and cleanup all created resources** - -```bash -helm uninstall rhacs-terraform --namespace rhacs -``` - -See internal wiki for an example file `~/acs-terraform-values.yaml`. diff --git a/dp-terraform/helm/rhacs-terraform/values.yaml b/dp-terraform/helm/rhacs-terraform/values.yaml deleted file mode 100644 index 122c0b8d3e..0000000000 --- a/dp-terraform/helm/rhacs-terraform/values.yaml +++ /dev/null 
@@ -1,81 +0,0 @@ -# Default values for rhacs-terraform. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -fleetshardSync: - image: - # can be either a full image reference represented by `ref` or a combination of `repo:tag`. `ref` has a higher priority (if set). - ref: "" - repo: "quay.io/redhat-services-prod/acscs-rhacs-tenant/acscs-main/acs-fleet-manager" - tag: null - # Can be either STATIC_TOKEN or SERVICE_ACCOUNT_TOKEN. By default, uses SERVICE_ACCOUNT_TOKEN. - authType: "SERVICE_ACCOUNT_TOKEN" - # OCM refresh token, only required in combination with authType=OCM. - ocmToken: "" - fleetManagerEndpoint: "" - clusterId: "" - clusterName: "" - environment: "" - # Flag controlling whether tenant's sso.redhat.com auth provider will be initialised by fleetshard-sync. - # Currently, this functionality is supported only when fleetshard-sync is deployed in the same k8s cluster as tenant. - createAuthProvider: true - # Static token, only required in combination with authType=STATIC_TOKEN. 
- # Static token can be issued by the kubernetes issuer with the following command: - # $ kubectl create token -n rhacs fleetshard-sync --audience acs-fleet-manager-private-api - staticToken: "" - auditLogs: - enabled: true - skipTLSVerify: true - managedDB: - enabled: true - subnetGroup: "" - securityGroup: "" - performanceInsights: true - sharedTags: [] - secretEncryption: - type: kms # local or kms - keyID: "" - aws: - region: "" - roleArn: "" - enableTokenAuth: true - telemetry: - storage: - endpoint: "" - resources: - requests: - cpu: "500m" - memory: "512Mi" - limits: - cpu: "500m" - memory: "512Mi" - gitops: - enabled: false - tenantDefaultAppSourceRepoUrl: "" - tenantDefaultAppSourceTargetRevision: "" - tenantDefaultAppSourcePath: "" - targetedOperatorUpgrades: - enabled: false - affinity: {} - nodeSelector: - node-role.kubernetes.io/acscs-infra: "" - tolerations: - - key: node-role.kubernetes.io/acscs-infra - operator: Exists - effect: NoSchedule - addonAutoUpgradeEnabled: true - addonName: acs-fleetshard - tenantImagePullSecret: - name: "" - key: .dockerconfigjson - create: false - printCentralUpdateDiff: false - argoCdNamespace: openshift-gitops - -global: - image: - tag: "latest" - createExternalSecrets: true - secretStore: - aws: - secretsManagerSecretStoreName: secrets-manager-secret-store # pragma: allowlist secret diff --git a/dp-terraform/helm/watches.yaml b/dp-terraform/helm/watches.yaml deleted file mode 100644 index f4218b345d..0000000000 --- a/dp-terraform/helm/watches.yaml +++ /dev/null @@ -1,6 +0,0 @@ -- group: cloud.stackrox.io - version: v1alpha1 - kind: Fleetshard - chart: rhacs-terraform - overrideValues: - fleetshardSync.addonName: $ADDON_NAME diff --git a/fleetshard-operator/Dockerfile b/fleetshard-operator/Dockerfile index a069d69104..2c0c648e2e 100644 --- a/fleetshard-operator/Dockerfile +++ b/fleetshard-operator/Dockerfile 
@@ -1,20 +1,4 @@
-FROM registry.access.redhat.com/ubi8/ubi-minimal:8.10-1295 AS build-helm
-ENV HOME=/opt/helm
-COPY ./dp-terraform/helm/rhacs-terraform ${HOME}/rhacs-terraform
-WORKDIR ${HOME}
-
-RUN microdnf install gzip tar && \
- curl -L --retry 10 --silent --show-error --fail -o /tmp/yq_linux_amd64.tar.gz \
- "https://github.com/mikefarah/yq/releases/download/v4.44.5/yq_linux_amd64.tar.gz" && \
- tar -xzf /tmp/yq_linux_amd64.tar.gz ./yq_linux_amd64 && \
- mv yq_linux_amd64 /usr/local/bin/yq && \
- chmod +x /usr/local/bin/yq && \
- rm /tmp/yq_linux_amd64.tar.gz
-
-ARG IMAGE_TAG=latest
-RUN yq -i ".global.image.tag = strenv(IMAGE_TAG)" rhacs-terraform/values.yaml
-
-FROM --platform=$BUILDPLATFORM registry.access.redhat.com/ubi8/go-toolset:1.24.6-1756315360 AS build-go
+FROM --platform=$BUILDPLATFORM registry.access.redhat.com/ubi8/go-toolset:1.24.6-1756315360 AS build
 USER root
 RUN mkdir /src
@@ -41,15 +25,16 @@ RUN --mount=type=cache,target=/go/pkg/mod/ \
 --mount=type=cache,target=/go/.cache/ \
 make fleetshard-operator GOOS=linux GOARCH=${TARGETARCH}
-# RH catalog see: https://catalog.redhat.com/en/software/containers/openshift4/ose-helm-rhel9-operator/6528099db4022aa92175dba4
-FROM registry.redhat.io/openshift4/ose-helm-rhel9-operator@sha256:16f3efe11070dab0af40750fa6811c7c6b1866ee10f06dc5820ea1576450adbf
+FROM registry.access.redhat.com/ubi8/ubi-minimal:8.10-1295
-ENV HOME=/opt/helm
-ENV ADDON_NAME=acs-fleetshard
-COPY ./dp-terraform/helm/watches.yaml ${HOME}/watches.yaml
-COPY --from=build-helm ${HOME}/rhacs-terraform ${HOME}/rhacs-terraform
-COPY --from=build-go /src/fleetshard-operator/bin /usr/local/bin/
-WORKDIR ${HOME}
+RUN microdnf install shadow-utils
+
+RUN useradd -u 1001 unprivilegeduser
+# Switch to non-root user
+USER unprivilegeduser
+
+COPY --chown=unprivilegeduser --from=build /src/fleetshard-operator/bin /usr/local/bin/
+ENTRYPOINT ["/usr/local/bin/fleetshard-operator"]
 LABEL name="acs-fleetshard-operator" \
 vendor="Red Hat, Inc." \
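Review bot: In the second hunk, `COPY --chown=unprivilegeduser --from=build /src/fleetshard-operator/bin /usr/local/bin/` makes the operator binary owned by the account that executes it, so a compromised process could rewrite its own executable; a runtime binary should stay root-owned and world-executable, `COPY --chmod=755 --from=build /src/fleetshard-operator/bin /usr/local/bin/` (BuildKit is already required by the `--mount=type=cache` lines, so `--chmod` is available, and a root-owned 0755 file also works under OpenShift's arbitrary-UID model). `shadow-utils` is installed only to run `useradd` and then remains in the shipped layer; folding it into one step, `RUN microdnf install shadow-utils && useradd -u 1001 unprivilegeduser && microdnf remove shadow-utils && microdnf clean all`, keeps the user-management tooling and the package cache out of the final image. The removed `WORKDIR ${HOME}` has no replacement, so the working directory is the image default; a comment stating that the operator needs no writable working directory would make that deliberate.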
diff --git a/scripts/ci/central_compatibility/run_compatibility_test.sh b/scripts/ci/central_compatibility/run_compatibility_test.sh
old mode 100644
new mode 100755
diff --git a/scripts/ci/multicluster_tests/deploy.sh b/scripts/ci/multicluster_tests/deploy.sh
index 7c1da5a61c..5c2cda025d 100755
--- a/scripts/ci/multicluster_tests/deploy.sh
+++ b/scripts/ci/multicluster_tests/deploy.sh
@@ -47,13 +47,11 @@ DATAPLANE_ONLY="true" make deploy/dev
 STATIC_TOKEN=$(KUBECONFIG="$CLUSTER_1_KUBECONFIG" kubectl create token -n rhacs fleetshard-sync --audience acs-fleet-manager-private-api --duration 8760h)
 # Configure FS on cluster2 to reach out to FM on cluster1
-kubectl patch fleetshards -n rhacs rhacs-terraform --type='merge' -p "{\"spec\":{\"fleetshardSync\":{\"authType\":\"STATIC_TOKEN\",\"staticToken\":\"$STATIC_TOKEN\",\"fleetManagerEndpoint\":\"$FM_URL\",\"clusterId\":\"1234567890abcdef1234567890abcdeg\"}}}"
+helm upgrade -n rhacs fleetshard-sync ./deploy/charts/fleetshard-sync \
+ --reuse-values \
+ --set authType=STATIC_TOKEN \
+ --set staticToken="${STATIC_TOKEN}" \
+ --set fleetManagerEndpoint="${FM_URL}" \
+ --set clusterId="1234567890abcdef1234567890abcdeg"
-# TODO: remove this as soon as the feature flag RHACS_CLUSTER_MIGRATION is retired
-export KUBECONFIG=$CLUSTER_1_KUBECONFIG
-kubectl patch deploy -n rhacs fleetshard-sync -p '{"spec":{"template":{"spec":{"containers":[{"name":"fleetshard-sync","env":[{"name":"RHACS_CLUSTER_MIGRATION", "value":"true"}]}]}}}}'
-kubectl patch deploy -n rhacs fleet-manager -p '{"spec":{"template":{"spec":{"containers":[{"name":"service","env":[{"name":"RHACS_CLUSTER_MIGRATION", "value":"true"}]}]}}}}'
-
-export KUBECONFIG=$CLUSTER_2_KUBECONFIG
-kubectl patch deploy -n rhacs fleetshard-sync -p '{"spec":{"template":{"spec":{"containers":[{"name":"fleetshard-sync","env":[{"name":"RHACS_CLUSTER_MIGRATION", "value":"true"}]}]}}}}'
 # Start test execution in Go
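Review bot: `--set staticToken="${STATIC_TOKEN}"` places a service-account token with an 8760h lifetime on the helm command line, where it is readable from the process list and from any `set -x` trace in the CI log; the removed `kubectl patch` had the same exposure, so this is not a regression, but the move to helm is the moment to fix it, for example with `--set-file staticToken=<(printf '%s' "${STATIC_TOKEN}")` if the script runs under bash. The `helm upgrade` also acts on whichever `KUBECONFIG` is active at this point, whereas the token creation one line above pins `CLUSTER_1_KUBECONFIG` explicitly and the removed block exported `CLUSTER_2_KUBECONFIG` before patching; prefixing the call with `KUBECONFIG="$CLUSTER_2_KUBECONFIG" helm upgrade ...` would make the target cluster explicit, assuming cluster 2 is the intended one as the comment says. The chart path `./deploy/charts/fleetshard-sync` is relative to the working directory, which the hunk does not establish, so an absolute path built from the repository root would be more robust.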