Merge pull request #119 from mbaldessari/common-automatic-update

common automatic update

Author: mbaldessari

common/acm/templates/policies/acm-hub-ca-policy.yaml

@@ -1,5 +1,6 @@
 # This pushes out the HUB's Certificate Authorities on to the imported clusters
-{{ if .Values.clusterGroup.isHubCluster }}
+{{- if .Values.clusterGroup.isHubCluster }}
+{{- if (eq (((.Values.global).secretStore).backend) "vault") }}
 ---
 apiVersion: policy.open-cluster-management.io/v1
 kind: Policy
@@ -31,7 +32,7 @@ spec:
                 type: Opaque
                 metadata:
                   name: hub-ca
-                  namespace: imperative
+                  namespace: golang-external-secrets
                 data:
                   hub-kube-root-ca.crt: '{{ `{{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | base64enc hub}}` }}'
                   hub-openshift-service-ca.crt: '{{ `{{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | base64enc hub}}` }}'
@@ -67,5 +68,5 @@ spec:
         operator: NotIn
         values:
           - 'true'
-{{ end }}
-
+{{- end }}
+{{- end }}

common/acm/templates/policies/application-policies.yaml

@@ -43,9 +43,14 @@ spec:
                     path: {{ default "common/clustergroup" .path }}
                     helm:
                       ignoreMissingValueFiles: true
+                      values: |
+                        extraParametersNested:
+                        {{- range $k, $v := $.Values.extraParametersNested }}
+                          {{ $k }}: {{ printf "%s" $v | quote }}
+                        {{- end }}
                       valueFiles:
                       {{- include "acm.app.policies.valuefiles" . | nindent 22 }}
-                      {{- range $valueFile := $.Values.global.extraValueFiles }}
+                      {{- range $valueFile := .extraValueFiles }}
                       - {{ $valueFile | quote }}
                       {{- end }}
                       parameters:
@@ -73,6 +78,10 @@ spec:
                         value: {{ $group.name }}
                       - name: global.experimentalCapabilities
                         value: {{ $.Values.global.experimentalCapabilities }}
+                      {{- range $k, $v := $.Values.extraParametersNested }}
+                      - name: {{ $k }}
+                        value: {{ printf "%s" $v | quote }}
+                      {{- end }}
                      {{- range .helmOverrides }}
                       - name: {{ .name }}
                         value: {{ .value | quote }}

common/acm/templates/policies/ocp-gitops-policy.yaml

@@ -140,7 +140,7 @@ spec:
                       - -c
                       - cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt > /tmp/ca-bundles/ca-bundle.crt
                         || true
-                      image: registry.access.redhat.com/ubi9/ubi-minimal:latest
+                      image: registry.redhat.io/ubi9/ubi-minimal:latest
                       name: fetch-ca
                       resources: {}
                       volumeMounts:
@@ -195,6 +195,11 @@ spec:
                         memory: 128Mi
                     route:
                       enabled: true
+                      {{- if and (.Values.global.argocdServer) (.Values.global.argocdServer.route) (.Values.global.argocdServer.route.tls) }}
+                      tls:
+                        insecureEdgeTerminationPolicy: {{ default "Redirect" .Values.global.argocdServer.route.tls.insecureEdgeTerminationPolicy }}
+                        termination: {{ default "reencrypt" .Values.global.argocdServer.route.tls.termination }}
+                      {{- end }}
                     service:
                       type: ""
                   sso:

common/acm/values.yaml

@@ -9,6 +9,8 @@ global:
   targetRevision: main
   options:
     applicationRetryLimit: 20
+  secretStore:
+    backend: "vault"
 
 clusterGroup:
   subscriptions:

common/ansible/roles/iib_ci/README.md

@@ -52,12 +52,17 @@ make EXTRA_HELM_OPTS="--set main.gitops.operatorSource=iib-${IIB} --set main.git
 The advanced-cluster-management operator is a little bit more complex than the others because it
 also installes another operator called MCE multicluster-engine. So to install ACM you typically
 need two IIBs (one for acm and one for mce). With those two at hand, do the following (the ordering must be
-consistent: the first IIB corresponds to the first OPERATOR, etc).
+consistent: the first IIB corresponds to the first OPERATOR, etc). The following operation needs to be done
+on both hub *and* spokes:
 
 ```sh
-export OPERATOR=advanced-cluster-management,multicluster-engine
-export INDEX_IMAGES=registry-proxy.engineering.redhat.com/rh-osbs/iib:713808,registry-proxy.engineering.redhat.com/rh-osbs/iib:718034
-make load-iib
+for i in hub-kubeconfig-file spoke-kubeconfig-file; do
+  export KUBECONFIG="${i}"
+  export KUBEADMINPASS="11111-22222-33333-44444"
+  export OPERATOR=advanced-cluster-management,multicluster-engine
+  export INDEX_IMAGES=registry-proxy.engineering.redhat.com/rh-osbs/iib:713808,registry-proxy.engineering.redhat.com/rh-osbs/iib:718034
+  make load-iib
+done
 ```
 
 Once the IIBs are loaded into the cluster we need to run the following steps:

common/ansible/roles/iib_ci/tasks/main.yml

@@ -17,6 +17,9 @@
   ansible.builtin.shell: |
     oc get openshiftcontrollermanager/cluster -o yaml -o jsonpath='{.status.version}'
   register: oc_version_raw
+  retries: 10
+  delay: 10
+  until: oc_version_raw is not failed
   changed_when: false
 
 - name: Is OCP pre OCP 4.13? (aka registry supports v2 manifests)

common/clustergroup/templates/imperative/clusterrole.yaml

@@ -1,5 +1,6 @@
 {{- if not (eq .Values.enabled "plumbing") }}
 {{/* This is always defined as we always unseal the cluster with an imperative job */}}
+{{- if $.Values.clusterGroup.imperative.serviceAccountCreate }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -18,4 +19,19 @@ rules:
     - list
     - watch
 {{- end }}
+{{- end }} {{/* if $.Values.clusterGroup.imperative.serviceAccountCreate */}}
+{{- if $.Values.clusterGroup.imperative.adminServiceAccountCreate }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ $.Values.clusterGroup.imperative.adminClusterRoleName }}
+rules:
+  - apiGroups:
+    - '*'
+    resources:
+    - '*'
+    verbs:
+    - '*'
+{{- end }} {{/* if $.Values.clusterGroup.imperative.adminServiceAccountCreate */}}
 {{- end }}

common/clustergroup/templates/imperative/rbac.yaml

@@ -1,10 +1,11 @@
 {{- if not (eq .Values.enabled "plumbing") }}
 {{/* This is always defined as we always unseal the cluster with an imperative job */}}
+{{- if $.Values.clusterGroup.imperative.serviceAccountCreate -}}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: {{ $.Values.clusterGroup.imperative.namespace }}-cluster-admin-rolebinding
+  name: {{ $.Values.clusterGroup.imperative.namespace }}-cluster-rolebinding
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
@@ -17,7 +18,7 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: {{ $.Values.clusterGroup.imperative.namespace }}-admin-rolebinding
+  name: {{ $.Values.clusterGroup.imperative.namespace }}-rolebinding
   namespace: {{ $.Values.clusterGroup.imperative.namespace }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -28,3 +29,19 @@ subjects:
     name: {{ $.Values.clusterGroup.imperative.serviceAccountName }}
     namespace: {{ $.Values.clusterGroup.imperative.namespace }}
 {{- end }}
+{{- if $.Values.clusterGroup.imperative.adminServiceAccountCreate }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ $.Values.clusterGroup.imperative.namespace }}-admin-clusterrolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ $.Values.clusterGroup.imperative.adminClusterRoleName }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ $.Values.clusterGroup.imperative.adminServiceAccountName }}
+    namespace: {{ $.Values.clusterGroup.imperative.namespace }}
+{{- end }}
+{{- end }}

common/clustergroup/templates/imperative/serviceaccount.yaml

@@ -1,10 +1,18 @@
 {{- if not (eq .Values.enabled "plumbing") }}
 {{/* This is always defined as we always unseal the cluster with an imperative job */}}
-{{- if $.Values.clusterGroup.imperative.serviceAccountCreate -}}
+{{- if $.Values.clusterGroup.imperative.serviceAccountCreate }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ $.Values.clusterGroup.imperative.serviceAccountName }}
   namespace: {{ $.Values.clusterGroup.imperative.namespace }}
 {{- end }}
+{{- if $.Values.clusterGroup.imperative.adminServiceAccountCreate }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ $.Values.clusterGroup.imperative.adminServiceAccountName }}
+  namespace: {{ $.Values.clusterGroup.imperative.namespace }}
+{{- end }}
 {{- end }}

common/clustergroup/templates/plumbing/applications.yaml

@@ -149,6 +149,11 @@ spec:
       {{- else }}
       helm:
         ignoreMissingValueFiles: true
+        values: |
+          extraParametersNested: 
+          {{- range $k, $v := $.Values.extraParametersNested }}
+            {{ $k }}: {{ printf "%s" $v | quote }}
+          {{- end }}
         valueFiles:
         {{- include "clustergroup.app.globalvalues.prefixedvaluefiles" $ | nindent 8 }}
         {{- range $valueFile := $.Values.clusterGroup.sharedValueFiles }}
@@ -216,6 +221,11 @@ spec:
     {{- else if not .kustomize }}
     helm:
       ignoreMissingValueFiles: true
+      values: |
+        extraParametersNested:
+          {{- range $k, $v := $.Values.extraParametersNested }}
+            {{ $k }}: {{ printf "%s" $v | quote }}
+          {{- end }}
       valueFiles:
       {{- include "clustergroup.app.globalvalues.valuefiles" $ | nindent 6 }}
       {{- range $valueFile := $.Values.clusterGroup.sharedValueFiles }}