Merge remote-tracking branch 'common-upstream/main' into common-automatic-update

Author: mbaldessari

common/.github/workflows/ansible-unittest.yml

@@ -38,7 +38,7 @@ jobs:
           fetch-depth: 0
 
       - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
         with:
           python-version: ${{ matrix.python-version }}
 

common/.github/workflows/jsonschema.yaml

@@ -38,7 +38,7 @@ jobs:
           fetch-depth: 0
 
       - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
         with:
           python-version: ${{ matrix.python-version }}
 

common/Makefile

@@ -44,6 +44,13 @@ help: ## This help message
 show: ## show the starting template without installing it
 	helm template common/operator-install/ --name-template $(NAME) $(HELM_OPTS)
 
+preview-all:
+	@common/scripts/preview-all.sh $(TARGET_REPO) $(TARGET_BRANCH)
+
+preview-%:
+	CLUSTERGROUP?=$(shell yq ".main.clusterGroupName" values-global.yaml)
+	@common/scripts/preview.sh $(CLUSTERGROUP) $* $(TARGET_REPO) $(TARGET_BRANCH)
+
 .PHONY: operator-deploy
 operator-deploy operator-upgrade: validate-prereq validate-origin validate-cluster ## runs helm install
 	@set -e -o pipefail

common/acm/.github/workflows/update-helm-repo.yml

@@ -18,12 +18,12 @@ on:
 
 jobs:
   helmlint:
-    uses: validatedpatterns/helm-charts/.github/workflows/helmlint.yml@main
+    uses: validatedpatterns/helm-charts/.github/workflows/helmlint.yml@985ba37e0eb50b1b35ec194fc999eae2d0ae1486
     permissions:
       contents: read
 
   update-helm-repo:
     needs: [helmlint]
-    uses: validatedpatterns/helm-charts/.github/workflows/update-helm-repo.yml@main
+    uses: validatedpatterns/helm-charts/.github/workflows/update-helm-repo.yml@985ba37e0eb50b1b35ec194fc999eae2d0ae1486
     permissions: read-all
     secrets: inherit

common/acm/templates/policies/private-repo-policies.yaml

@@ -0,0 +1,161 @@
+# We copy the vp-private-repo-credentials from the "openshift-gitops" namespace
+# to the "open-cluster-management" via the "private-hub-policy"
+#
+# Then we copy the secret from the "open-cluster-management" namespace to the
+# managed clusters "openshift-gitops" instance
+#
+# And we also copy the same secret to the namespaced argo's namespace
+{{ if $.Values.global.privateRepo }}
+{{ if .Values.clusterGroup.isHubCluster }}
+---
+apiVersion: policy.open-cluster-management.io/v1
+kind: Policy
+metadata:
+  name: private-hub-policy
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+    argocd.argoproj.io/compare-options: IgnoreExtraneous
+spec:
+  remediationAction: enforce
+  disabled: false
+  policy-templates:
+    - objectDefinition:
+        apiVersion: policy.open-cluster-management.io/v1
+        kind: ConfigurationPolicy
+        metadata:
+          name: private-hub-config
+        spec:
+          remediationAction: enforce
+          severity: medium
+          namespaceSelector:
+            include:
+              - default
+          object-templates:
+            - complianceType: mustonlyhave
+              objectDefinition:
+                kind: Secret
+                apiVersion: v1
+                type: Opaque
+                metadata:
+                  name: vp-private-repo-credentials
+                  namespace: open-cluster-management
+                  labels:
+                    argocd.argoproj.io/secret-type: repository
+                data: '{{ `{{copySecretData "openshift-gitops" "vp-private-repo-credentials"}}` }}'
+---
+apiVersion: policy.open-cluster-management.io/v1
+kind: PlacementBinding
+metadata:
+  name: private-hub-placement-binding
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+placementRef:
+  name: private-hub-placement
+  kind: PlacementRule
+  apiGroup: apps.open-cluster-management.io
+subjects:
+  - name: private-hub-policy
+    kind: Policy
+    apiGroup: policy.open-cluster-management.io
+---
+apiVersion: apps.open-cluster-management.io/v1
+kind: PlacementRule
+metadata:
+  name: private-hub-placement
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+spec:
+  clusterConditions:
+    - status: 'True'
+      type: ManagedClusterConditionAvailable
+  clusterSelector:
+    matchExpressions:
+      - key: local-cluster
+        operator: In
+        values:
+          - 'true'
+---
+{{ end }}{{- /* if .Values.clusterGroup.isHubCluster */}}
+{{- range .Values.clusterGroup.managedClusterGroups }}
+{{- $group := . }}
+{{- if not .hostedArgoSites }}
+apiVersion: policy.open-cluster-management.io/v1
+kind: Policy
+metadata:
+  name: private-{{ .name }}-policy
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+    argocd.argoproj.io/compare-options: IgnoreExtraneous
+spec:
+  remediationAction: enforce
+  disabled: false
+  policy-templates:
+    - objectDefinition:
+        apiVersion: policy.open-cluster-management.io/v1
+        kind: ConfigurationPolicy
+        metadata:
+          name: private-{{ .name }}-config
+        spec:
+          remediationAction: enforce
+          severity: medium
+          namespaceSelector:
+            include:
+              - default
+          object-templates:
+            - complianceType: mustonlyhave
+              objectDefinition:
+                kind: Secret
+                apiVersion: v1
+                type: Opaque
+                metadata:
+                  name: vp-private-repo-credentials
+                  namespace: openshift-gitops
+                  labels:
+                    argocd.argoproj.io/secret-type: repository
+                data: '{{ `{{hub copySecretData "open-cluster-management" "vp-private-repo-credentials" hub}}` }}'
+            - complianceType: mustonlyhave
+              objectDefinition:
+                kind: Secret
+                apiVersion: v1
+                type: Opaque
+                metadata:
+                  name: vp-private-repo-credentials
+                  namespace: {{ $.Values.global.pattern }}-{{ .name }}
+                  labels:
+                    argocd.argoproj.io/secret-type: repository
+                data: '{{ `{{hub copySecretData "open-cluster-management" "vp-private-repo-credentials" hub}}` }}'
+---
+apiVersion: policy.open-cluster-management.io/v1
+kind: PlacementBinding
+metadata:
+  name: private-{{ .name }}-placement-binding
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+placementRef:
+  name: private-{{ .name }}-placement
+  kind: PlacementRule
+  apiGroup: apps.open-cluster-management.io
+subjects:
+  - name: private-{{ .name }}-policy
+    kind: Policy
+    apiGroup: policy.open-cluster-management.io
+---
+apiVersion: apps.open-cluster-management.io/v1
+kind: PlacementRule
+metadata:
+  name: private-{{ .name }}-placement
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+spec:
+  clusterConditions:
+    - status: 'True'
+      type: ManagedClusterConditionAvailable
+  clusterSelector:
+    matchExpressions:
+      - key: local-cluster
+        operator: NotIn
+        values:
+          - 'true'
+{{- end }}{{- /* if not .hostedArgoSites */}}
+{{- end }}{{- /* range .Values.clusterGroup.managedClusterGroups */}}
+{{- end }}{{- /* if $.Values.global.privateRepo */}}

common/ansible/roles/iib_ci/README.md

@@ -54,7 +54,7 @@ export CHANNEL=$(oc get -n openshift-marketplace packagemanifests -l "catalog=ii
 make EXTRA_HELM_OPTS="--set main.extraParameters[0].name=clusterGroup.subscriptions.acm.source --set main.extraParameters[0].value=iib-${IIB} --set main.extraParameters[1].name=clusterGroup.subscriptions.acm.channel --set main.extraParameters[1].value=${CHANNEL}" install
 ```
 
-*Note*: This needs VP operator version >= 0.0.14
+*Note*: In this case `acm` is the name of the subscription in `values-hub.yaml`
 
 ### OCP 4.13 and onwards
 

common/ansible/roles/iib_ci/tasks/mirror-related-images.yml

@@ -89,7 +89,7 @@
     image_urls: "{{ image_urls | default({}) | combine({item:
       {'mirrordest': mirror_dest + item | basename,
        'mirrordest_nosha': (mirror_dest + item | basename) | regex_replace('@.*$', ''),
-       'mirrordest_tag': iib}}, recursive=true) }}"
+       'mirrordest_tag': 'tag-' + item | basename | regex_replace('^.*@sha256:', '')}}, recursive=true) }}"
   loop: "{{ all_images }}"
   when: use_internal_registry
 

common/ansible/roles/iib_ci/templates/imageDigestMirror.yaml.j2

@@ -10,9 +10,9 @@ spec:
     - mirrors:
         - {{ item.mirrordest_nosha }}
       source: {{ item.source_nosha }}
-      mirrorSourcePolicy: NeverContactSource
+      mirrorSourcePolicy: AllowContactingSource
     - mirrors:
         - {{ item.mirrordest_nosha }}
       source: {{ item.image_nosha }}
-      mirrorSourcePolicy: NeverContactSource
+      mirrorSourcePolicy: AllowContactingSource
 {% endfor %}

common/ansible/roles/vault_utils/tasks/push_secrets.yaml

@@ -30,7 +30,9 @@
     command:
       sh -c "vault list auth/{{ vault_hub }}/role | grep '{{ vault_hub }}-role'"
   register: vault_role_cmd
-  until: vault_role_cmd.rc == 0
+  until:
+    - vault_role_cmd.rc is defined
+    - vault_role_cmd.rc == 0
   retries: 20
   delay: 45
   changed_when: false

common/clustergroup/.github/workflows/update-helm-repo.yml

@@ -9,6 +9,7 @@
 # - Contents: r/w
 # - Deployments: r/w
 # - Pages: r/w
+#
 
 name: vp-patterns/update-helm-repo
 on:
@@ -18,12 +19,12 @@ on:
 
 jobs:
   helmlint:
-    uses: validatedpatterns/helm-charts/.github/workflows/helmlint.yml@main
+    uses: validatedpatterns/helm-charts/.github/workflows/helmlint.yml@985ba37e0eb50b1b35ec194fc999eae2d0ae1486
     permissions:
       contents: read
 
   update-helm-repo:
     needs: [helmlint]
-    uses: validatedpatterns/helm-charts/.github/workflows/update-helm-repo.yml@main
+    uses: validatedpatterns/helm-charts/.github/workflows/update-helm-repo.yml@985ba37e0eb50b1b35ec194fc999eae2d0ae1486
     permissions: read-all
     secrets: inherit