Merge pull request #389 from mbaldessari/common-automatic-update
common automatic update
mbaldessari authored Jun 18, 2024
2 parents 039e748 + d95084c commit fd29238
Showing 26 changed files with 1,758 additions and 57 deletions.
158 changes: 156 additions & 2 deletions common/acm/templates/policies/acm-hub-ca-policy.yaml
Expand Up @@ -36,6 +36,18 @@ spec:
data:
hub-kube-root-ca.crt: '{{ `{{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | base64enc hub}}` }}'
hub-openshift-service-ca.crt: '{{ `{{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | base64enc hub}}` }}'
- complianceType: mustonlyhave
objectDefinition:
kind: ConfigMap
apiVersion: v1
metadata:
name: trusted-hub-bundle
namespace: imperative
data:
hub-kube-root-ca.crt: |
{{ `{{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | autoindent hub}}` }}
hub-openshift-service-ca.crt: |
{{ `{{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | autoindent hub}}` }}
---
apiVersion: policy.open-cluster-management.io/v1
kind: PlacementBinding
Expand Down Expand Up @@ -68,5 +80,147 @@ spec:
operator: NotIn
values:
- 'true'
{{- end }}
{{- end }}
---
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
name: hub-argo-ca-openshift-gitops-policy
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
argocd.argoproj.io/compare-options: IgnoreExtraneous
spec:
remediationAction: enforce
disabled: false
policy-templates:
- objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name: hub-argo-ca-openshift-gitops-config
spec:
remediationAction: enforce
severity: medium
namespaceSelector:
include:
- default
object-templates:
- complianceType: mustonlyhave
objectDefinition:
kind: ConfigMap
apiVersion: v1
metadata:
name: trusted-hub-bundle
namespace: openshift-gitops
data:
hub-kube-root-ca.crt: |
{{ `{{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | autoindent hub}}` }}
hub-openshift-service-ca.crt: |
{{ `{{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | autoindent hub}}` }}
---
apiVersion: policy.open-cluster-management.io/v1
kind: PlacementBinding
metadata:
name: hub-argo-ca-openshift-gitops-policy-binding
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
placementRef:
name: hub-argo-ca-openshift-gitops-policy-placement
kind: PlacementRule
apiGroup: apps.open-cluster-management.io
subjects:
- name: hub-argo-ca-openshift-gitops-policy
kind: Policy
apiGroup: policy.open-cluster-management.io
---
apiVersion: apps.open-cluster-management.io/v1
kind: PlacementRule
metadata:
name: hub-argo-ca-openshift-gitops-policy-placement
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
spec:
clusterConditions:
- status: 'True'
type: ManagedClusterConditionAvailable
clusterSelector:
matchExpressions:
- key: local-cluster
operator: NotIn
values:
- 'true'

{{- end }}{{/* if (eq (((.Values.global).secretStore).backend) "vault") */}}
{{- range .Values.clusterGroup.managedClusterGroups }}
{{- $group := . }}
{{- if not .hostedArgoSites }}
---
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
name: hub-argo-ca-{{ .name }}-policy
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
argocd.argoproj.io/compare-options: IgnoreExtraneous
spec:
remediationAction: enforce
disabled: false
policy-templates:
- objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name: hub-argo-ca-{{ .name }}-config
spec:
remediationAction: enforce
severity: medium
namespaceSelector:
include:
- default
object-templates:
- complianceType: mustonlyhave
objectDefinition:
kind: ConfigMap
apiVersion: v1
metadata:
name: trusted-hub-bundle
namespace: {{ $.Values.global.pattern }}-{{ .name }}
data:
hub-kube-root-ca.crt: |
{{ `{{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | autoindent hub}}` }}
hub-openshift-service-ca.crt: |
{{ `{{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | autoindent hub}}` }}
---
apiVersion: policy.open-cluster-management.io/v1
kind: PlacementBinding
metadata:
name: hub-argo-ca-{{ .name }}-placement-binding
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
placementRef:
name: hub-argo-ca-{{ .name }}-placement
kind: PlacementRule
apiGroup: apps.open-cluster-management.io
subjects:
- name: hub-argo-ca-{{ .name }}-policy
kind: Policy
apiGroup: policy.open-cluster-management.io
---
apiVersion: apps.open-cluster-management.io/v1
kind: PlacementRule
metadata:
name: hub-argo-ca-{{ .name }}-placement
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
spec:
clusterConditions:
- status: 'True'
type: ManagedClusterConditionAvailable
clusterSelector:
matchExpressions:
- key: local-cluster
operator: NotIn
values:
- 'true'
{{- end }}{{/* if not .hostedArgoSites */}}
{{- end }}{{/* range .Values.clusterGroup.managedClusterGroups */}}
{{- end }}{{/* isHubCluster */}}
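Review bot: The new `hub-argo-ca-openshift-gitops-policy` block is closed by `{{- end }}{{/* if (eq (((.Values.global).secretStore).backend) "vault") */}}`, so it appears to render only when the secret-store backend is vault, while the per-group policies inside the `range` below are unconditional and `ocp-gitops-policy.yaml` now lists this policy as a `Compliant` dependency; the opening `if` is outside the hunk, but if it really wraps this block, non-vault deployments would leave `openshift-gitops-policy` waiting on a policy that is never created, and the block should move below that `end`. The `trusted-hub-bundle` ConfigMaps carry both `hub-kube-root-ca.crt` and `hub-openshift-service-ca.crt`, yet the fetch-ca containers changed in the other files only concatenate `hub-kube-root-ca.crt`; either drop the second key or add a comment above each `data:` stanza such as `# only hub-kube-root-ca.crt is merged into the Argo CD trust bundle; the service CA is shipped for other consumers`. Because this pushes the hub's API-server CA into the Argo CD trust store of every managed cluster, a one-line header comment naming the hub-hosted endpoint it is meant to validate would let reviewers judge the widened trust scope. `complianceType: mustonlyhave` is the right choice here, since it stops extra keys from being merged into the bundle by anyone with write access to the namespace.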
13 changes: 12 additions & 1 deletion common/acm/templates/policies/ocp-gitops-policy.yaml
Expand Up @@ -113,6 +113,11 @@ spec:
kind: Policy
name: openshift-gitops-policy
namespace: open-cluster-management
- apiVersion: policy.open-cluster-management.io/v1
compliance: Compliant
kind: Policy
name: hub-argo-ca-openshift-gitops-policy
namespace: open-cluster-management
policy-templates:
- objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
Expand Down Expand Up @@ -209,7 +214,7 @@ spec:
- command:
- bash
- -c
- cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt > /tmp/ca-bundles/ca-bundle.crt
- cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt /var/run/trusted-hub/hub-kube-root-ca.crt > /tmp/ca-bundles/ca-bundle.crt
|| true
image: registry.redhat.io/ubi9/ubi-minimal:latest
name: fetch-ca
Expand All @@ -219,6 +224,8 @@ spec:
name: kube-root-ca
- mountPath: /var/run/trusted-ca
name: trusted-ca-bundle
- mountPath: /var/run/trusted-hub
name: trusted-hub-bundle
- mountPath: /tmp/ca-bundles
name: ca-bundles
resources:
Expand All @@ -239,6 +246,10 @@ spec:
name: trusted-ca-bundle
optional: true
name: trusted-ca-bundle
- configMap:
name: trusted-hub-bundle
optional: true
name: trusted-hub-bundle
- emptyDir: {}
name: ca-bundles
resourceExclusions: |-
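Review bot: The changed fetch-ca command `cat ... /var/run/trusted-hub/hub-kube-root-ca.crt > /tmp/ca-bundles/ca-bundle.crt || true`, paired with the `optional: true` on the new `trusted-hub-bundle` volume, means a missing or not-yet-synced ConfigMap silently produces a bundle without the hub CA, and the failure only surfaces later as an opaque TLS error on the repo-server. It also relies on every input PEM ending in a newline; if one does not, the next `-----BEGIN CERTIFICATE-----` lands on the same line and the remainder of the bundle is silently ignored by most parsers. Consider `for f in /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt /var/run/trusted-hub/hub-kube-root-ca.crt; do [ -f "$f" ] && cat "$f" && echo; done > /tmp/ca-bundles/ca-bundle.crt; ls -l /tmp/ca-bundles/` so absent inputs are visible in the init-container log and certificates are always newline-separated. The same command appears in `common/clustergroup/templates/imperative/_helpers.tpl` and `common/clustergroup/templates/plumbing/argocd.yaml` in this commit; the surrounding container spec starts and ends outside the hunk.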
26 changes: 9 additions & 17 deletions common/clustergroup/templates/imperative/_helpers.tpl
Expand Up @@ -16,13 +16,15 @@
- 'sh'
- '-c'
- >-
cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt > /tmp/ca-bundles/ca-bundle.crt || true;
cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt /var/run/trusted-hub/hub-kube-root-ca.crt > /tmp/ca-bundles/ca-bundle.crt || true;
ls -l /tmp/ca-bundles/
volumeMounts:
- mountPath: /var/run/kube-root-ca
name: kube-root-ca
- mountPath: /var/run/trusted-ca
name: trusted-ca-bundle
- mountPath: /var/run/trusted-hub
name: trusted-hub-bundle
- mountPath: /tmp/ca-bundles
name: ca-bundles
{{- end }}
Expand Down Expand Up @@ -95,25 +97,11 @@
name: kube-root-ca
- mountPath: /var/run/trusted-ca
name: trusted-ca-bundle
- mountPath: /var/run/trusted-hub
name: trusted-hub-bundle
- mountPath: /tmp/ca-bundles
name: ca-bundles
{{- end }}
{{- define "imperative.volumemounts" }}
- name: git
mountPath: "/git"
- name: values-volume
mountPath: /values/values.yaml
subPath: values.yaml
{{- end }}

{{/* volumes for all containers */}}
{{- define "imperative.volumes" }}
- name: git
emptyDir: {}
- name: values-volume
configMap:
name: {{ $.Values.clusterGroup.imperative.valuesConfigMap }}-{{ $.Values.clusterGroup.name }}
{{- end }}

{{- define "imperative.volumes_ca" }}
- name: git
Expand All @@ -128,6 +116,10 @@
name: trusted-ca-bundle
optional: true
name: trusted-ca-bundle
- configMap:
name: trusted-hub-bundle
optional: true
name: trusted-hub-bundle
- name: ca-bundles
emptyDir: {}
{{- end }}
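Review bot: The second hunk appears to delete the `imperative.volumemounts` and `imperative.volumes` defines (the diffstat's 17 deletions match those lines), but the hunk does not show whether any template still calls `include "imperative.volumes"` or `include "imperative.volumemounts"`; if one does, `helm template` fails for every consumer of the chart, so a grep over the templates directory before merge is warranted. If the removal is intentional, a short comment above `{{- define "imperative.volumes_ca" }}` such as `{{/* imperative.volumes/volumemounts were folded into the _ca variants; all containers now get the CA bundle mounts */}}` would tell the next reader why only the `_ca` variants remain. The enclosing file continues outside the hunk.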
9 changes: 8 additions & 1 deletion common/clustergroup/templates/plumbing/argocd.yaml
Expand Up @@ -36,6 +36,7 @@ spec:
hs.message = "Waiting for PVC"
return hs
resourceTrackingMethod: {{ $.Values.clusterGroup.argoCD.resourceTrackingMethod}}
applicationInstanceLabelKey: argocd.argoproj.io/instance
applicationSet:
resources:
Expand Down Expand Up @@ -73,7 +74,7 @@ spec:
- command:
- bash
- -c
- cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt > /tmp/ca-bundles/ca-bundle.crt || true
- cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt /var/run/trusted-hub/hub-kube-root-ca.crt > /tmp/ca-bundles/ca-bundle.crt || true
image: {{ $.Values.clusterGroup.imperative.image }}
name: fetch-ca
resources: {}
Expand All @@ -82,6 +83,8 @@ spec:
name: kube-root-ca
- mountPath: /var/run/trusted-ca
name: trusted-ca-bundle
- mountPath: /var/run/trusted-hub
name: trusted-hub-bundle
- mountPath: /tmp/ca-bundles
name: ca-bundles
resources:
Expand All @@ -102,6 +105,10 @@ spec:
name: trusted-ca-bundle
optional: true
name: trusted-ca-bundle
- configMap:
name: trusted-hub-bundle
optional: true
name: trusted-hub-bundle
- emptyDir: {}
name: ca-bundles
{{- if len $.Values.clusterGroup.argoCD.initContainers }}
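Review bot: `applicationInstanceLabelKey: argocd.argoproj.io/instance` is hard-coded right after the templated `resourceTrackingMethod`, so a user who switches tracking to `annotation` or `annotation+label` still gets the label key pinned with no way to override it; if that is deliberate, a comment like `# label key is fixed; only the tracking method is configurable via values` would save the next reader a search. The templated value on the line above is an unquoted plain scalar, `resourceTrackingMethod: {{ $.Values.clusterGroup.argoCD.resourceTrackingMethod}}`; an empty expansion renders `resourceTrackingMethod:` which YAML reads as null, so quoting it as `resourceTrackingMethod: "{{ $.Values.clusterGroup.argoCD.resourceTrackingMethod }}"` is safer and also fixes the missing space before `}}`. The enclosing `spec:` starts outside the hunk.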
9 changes: 9 additions & 0 deletions common/clustergroup/values.schema.json
Expand Up @@ -549,6 +549,15 @@
"type": "array",
"description": "A list of initContainers to add to the repo-server if needed"
},
"resourceTrackingMethod": {
"type": "string",
"description": "ResourceTrackingMethod defines how Argo CD should track resources that it manages",
"enum": [
"annotation",
"label",
"annotation+label"
]
},
"resourceExclusions": {
"type": "string",
"description": "ResourceExclusions is used to completely ignore entire classes of resource group/kinds."
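Review bot: The new `resourceTrackingMethod` schema entry declares the `enum` but no `"default"`, while `common/clustergroup/values.yaml` in this commit sets it to `label`; adding `"default": "label"` after the `enum` keeps the schema self-describing for tooling that renders documentation from it and makes a later drift between the two files visible in review. The enclosing `argoCD` properties object starts and ends outside the hunk.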
2 changes: 2 additions & 0 deletions common/clustergroup/values.yaml
Expand Up @@ -28,6 +28,8 @@ clusterGroup:
argoCD:
initContainers: []
configManagementPlugins: []
# resource tracking can be set to annotation, label, or annotation+label
resourceTrackingMethod: label
resourceHealthChecks:
- kind: PersistentVolumeClaim
check: |
13 changes: 12 additions & 1 deletion common/tests/acm-industrial-edge-factory.expected.yaml
Expand Up @@ -182,6 +182,11 @@ spec:
kind: Policy
name: openshift-gitops-policy
namespace: open-cluster-management
- apiVersion: policy.open-cluster-management.io/v1
compliance: Compliant
kind: Policy
name: hub-argo-ca-openshift-gitops-policy
namespace: open-cluster-management
policy-templates:
- objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
Expand Down Expand Up @@ -278,7 +283,7 @@ spec:
- command:
- bash
- -c
- cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt > /tmp/ca-bundles/ca-bundle.crt
- cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt /var/run/trusted-hub/hub-kube-root-ca.crt > /tmp/ca-bundles/ca-bundle.crt
|| true
image: registry.redhat.io/ubi9/ubi-minimal:latest
name: fetch-ca
Expand All @@ -288,6 +293,8 @@ spec:
name: kube-root-ca
- mountPath: /var/run/trusted-ca
name: trusted-ca-bundle
- mountPath: /var/run/trusted-hub
name: trusted-hub-bundle
- mountPath: /tmp/ca-bundles
name: ca-bundles
resources:
Expand All @@ -308,6 +315,10 @@ spec:
name: trusted-ca-bundle
optional: true
name: trusted-ca-bundle
- configMap:
name: trusted-hub-bundle
optional: true
name: trusted-hub-bundle
- emptyDir: {}
name: ca-bundles
resourceExclusions: |-