Common (#100)

* Add some comments to make if/else and loops clearer

Let's improve readability by adding some comments to point out which
flow constructs are being ended.

* Add some more comments in applications.yaml

* Add a default for options applicationRetryLimit

* Split out values files to a helper for the acm chart

Just like we did for the clustergroup chart, let's split the values
file list into a dedicated helper. This time since there are no global
variables we include it with the current context and not with the '$'
context.

Tested with MCG: hub and spoke. Correctly observed all the applications
running on the spoke.

* Fix up tests

They changed because we made the list indentation more correct (two
extra spaces to the left)

* Fix sa/namespace mixup in vault_spokes_init

* Update local patch

Also set seccompProfile to null to make things work on OCP 4.10

* Update ESO to 0.8.5

* Tweak ESO UBI images

Tested the ESO upgrade on MCG on both 4.10 and 4.13

* Removed previous version of common to convert to subtree from https://github.com/hybrid-cloud-patterns/common.git main

* make test

---------

Co-authored-by: Michele Baldessari <michele@acksyn.org>
Co-authored-by: Tom Stockwell <2060486+stocky37@users.noreply.github.com>

Author: 3 people

common/acm/templates/_helpers.tpl

@@ -0,0 +1,13 @@
+{{/*
+Default always defined valueFiles to be included when pushing the cluster wide argo application via acm
+*/}}
+{{- define "acm.app.policies.valuefiles" -}}
+- "/values-global.yaml"
+- "/values-{{ .name }}.yaml"
+- '/values-{{ `{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}` }}.yaml'
+- '/values-{{ `{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}` }}-{{ `{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}` }}.yaml'
+- '/values-{{ `{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}` }}-{{ .name }}.yaml'
+# We cannot use $.Values.global.clusterVersion because that gets resolved to the
+# hub's cluster version, whereas we want to include the spoke cluster version
+- '/values-{{ `{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}` }}-{{ .name }}.yaml'
+{{- end }} {{- /*acm.app.policies.valuefiles */}}

common/acm/templates/policies/application-policies.yaml

@@ -43,14 +43,7 @@ spec:
                     helm:
                       ignoreMissingValueFiles: true
                       valueFiles:
-                      - "/values-global.yaml"
-                      - "/values-{{ .name }}.yaml"
-                      - '/values-{{ `{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}` }}.yaml'
-                      - '/values-{{ `{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}` }}-{{ `{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}` }}.yaml'
-                      - '/values-{{ `{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}` }}-{{ .name }}.yaml'
-                      # We cannot use $.Values.global.clusterVersion because that gets resolved to the
-                      # hub's cluster version, whereas we want to include the spoke cluster version
-                      - '/values-{{ `{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}` }}-{{ .name }}.yaml'
+                      {{- include "acm.app.policies.valuefiles" . | nindent 24 }}
                       {{- range $valueFile := .extraValueFiles }}
                       - {{ $valueFile | quote }}
                       {{- end }}

common/acm/values.yaml

@@ -6,7 +6,8 @@ global:
   pattern: none
   repoURL: none
   targetRevision: main
-
+  options:
+    applicationRetryLimit: 20
 
 clusterGroup:
   subscriptions:

common/ansible/roles/vault_utils/tasks/vault_spokes_init.yaml

@@ -182,8 +182,8 @@
     pod: "{{ vault_pod }}"
     command: >
       vault write auth/"{{ item.value['vault_path'] }}"/role/"{{ item.value['vault_path'] }}"-role
-        bound_service_account_names="{{ external_secrets_ns }}"
-        bound_service_account_namespaces="{{ external_secrets_sa }}"
+        bound_service_account_names="{{ external_secrets_sa }}"
+        bound_service_account_namespaces="{{ external_secrets_ns }}"
         policies="default,{{ vault_global_policy }}-secret,{{ item.value['vault_path'] }}-secret" ttl="{{ vault_spoke_ttl }}"
   loop: "{{ clusters_info | dict2items }}"
   when:

common/clustergroup/templates/plumbing/applications.yaml

@@ -134,7 +134,7 @@ spec:
     chart: {{ .chart }}
     {{- else }}
     path: {{ .path }}
-    {{- end }}
+    {{- end }}{{- /* if .chart */}}
     {{- if .plugin }}
     plugin: {{ .plugin | toPrettyJson }}
     {{- else if not .kustomize }}
@@ -178,18 +178,18 @@ spec:
         {{- range .overrides }}
         - name: {{ .name }}
           value: {{ .value | quote }}
-        {{- if .forceString }}
+          {{- if .forceString }}
           forceString: true
-        {{- end }}
-        {{- end }}
+          {{- end }}
+        {{- end }}{{- /* range .overrides */}}
       {{- if .fileParameters }}
       fileParameters:
       {{- range .fileParameters }}
         - name: {{ .name }}
           path: {{ .path }}
-      {{- end }}
-      {{- end }}
-    {{- end }}
+      {{- end }}{{- /* range .fileParameters */}}
+      {{- end }}{{- /* if .fileParameters */}}
+    {{- end }}{{- /* if .plugin */}}
   {{- if .ignoreDifferences }}
   ignoreDifferences: {{ .ignoreDifferences | toPrettyJson }}
   {{- end }}
@@ -200,8 +200,8 @@ spec:
     automated: {}
     retry:
       limit: {{ default 20 $.Values.global.applicationRetryLimit }}
-  {{- end }}
+  {{- end }}{{- /* .syncPolicy */}}
 ---
-{{- end }}
-{{- end }}
-{{- end }}
+{{- end }}{{- /* if or (.generators) (.generatorFile) (.useGeneratorValues) (.destinationServer) (.destinationNamespace) */}}
+{{- end }}{{- /* range .Values.clusterGroup.applications */}}
+{{- end }}{{- /* if not (eq .Values.enabled "core") */}}

common/golang-external-secrets/Chart.yaml

@@ -6,6 +6,6 @@ name: golang-external-secrets
 version: 0.0.1
 dependencies:
   - name: external-secrets
-    version: "0.8.3"
+    version: "0.8.5"
     repository: "https://charts.external-secrets.io"
     #"https://external-secrets.github.io/kubernetes-external-secrets"

common/golang-external-secrets/charts/external-secrets-0.8.3.tgz

@@ -1,30 +1,48 @@
-diff --color -urN external-secrets.orig/values.yaml external-secrets/values.yaml
---- external-secrets.orig/values.yaml	2023-05-22 12:42:54.000000000 +0200
-+++ external-secrets/values.yaml	2023-05-22 16:20:02.748621794 +0200
-@@ -117,7 +117,7 @@
+diff -up external-secrets/values.yaml.orig external-secrets/values.yaml
+--- external-secrets/values.yaml.orig	2023-07-31 15:12:18.815909938 +0200
++++ external-secrets/values.yaml	2023-07-31 15:32:59.905360226 +0200
+@@ -117,9 +117,11 @@ securityContext:
        - ALL
    readOnlyRootFilesystem: true
    runAsNonRoot: true
 -  runAsUser: 1000
+-  seccompProfile:
+-    type: RuntimeDefault
 +  # runAsUser: 1000
-   seccompProfile:
-     type: RuntimeDefault
++  # Uncomment this once 4.10 is out of scope
++  # seccompProfile:
++  #   type: RuntimeDefault
++  seccompProfile: null
 
-@@ -331,7 +331,7 @@
+ resources: {}
+   # requests:
+@@ -331,9 +333,11 @@ webhook:
          - ALL
      readOnlyRootFilesystem: true
      runAsNonRoot: true
 -    runAsUser: 1000
+-    seccompProfile:
+-      type: RuntimeDefault
 +    # runAsUser: 1000
-     seccompProfile:
-       type: RuntimeDefault
++    seccompProfile: null
++    # Uncomment this once 4.10 is out of scope
++    # seccompProfile:
++    #   type: RuntimeDefault
 
-@@ -453,7 +453,7 @@
+   resources: {}
+       # requests:
+@@ -453,9 +457,11 @@ certController:
          - ALL
      readOnlyRootFilesystem: true
      runAsNonRoot: true
 -    runAsUser: 1000
+-    seccompProfile:
+-      type: RuntimeDefault
 +    # runAsUser: 1000
-     seccompProfile:
-       type: RuntimeDefault
++    seccompProfile: null
++    # Uncomment this once 4.10 is out of scope
++    # seccompProfile:
++    #   type: RuntimeDefault
 
+   resources: {}
+       # requests:

common/golang-external-secrets/charts/external-secrets-0.8.5.tgz

@@ -11,10 +11,10 @@ clusterGroup:
 
 external-secrets:
   image:
-    tag: v0.8.3-ubi
+    tag: v0.8.5-ubi
   webhook:
     image:
-      tag: v0.8.3-ubi
+      tag: v0.8.5-ubi
   certController:
     image:
-      tag: v0.8.3-ubi
+      tag: v0.8.5-ubi