Merge pull request #86 from codefresh-io/release-0.3.0-new

Release 0.3.0(0.1.36)
codefresh-io · Oct 16, 2023 · f2f720e · f2f720e
2 parents db286d8 + 3772d14
commit f2f720e
Show file tree

Hide file tree

Showing 18 changed files with 1,385 additions and 8 deletions.
diff --git a/.gitignore b/.gitignore
@@ -10,3 +10,7 @@ output
 # only ignore the values.yaml file at the root of the repo
 /values.yaml
 .devcontainer
+
+# ignore local dev
+values-dev.yaml
+dry-run.yaml
diff --git a/charts/gitops-runtime/Chart.yaml b/charts/gitops-runtime/Chart.yaml
@@ -1,8 +1,8 @@
 apiVersion: v2
-appVersion: 0.1.35
+appVersion: 0.1.36
 description: A Helm chart for Codefresh gitops runtime
 name: gitops-runtime
-version: 0.2.21
+version: 0.3.0
 home: https://github.com/codefresh-io/gitops-runtime-helm
 icon: https://avatars1.githubusercontent.com/u/11412079?v=3
 keywords:
@@ -14,10 +14,14 @@ maintainers:
 annotations:
   artifacthub.io/alternativeName: "codefresh-gitops-runtime"
   artifacthub.io/changes: |
-    - kind: fixed
-      description: Fix argoCDServerServiceName and argoCDServerServicePort overrides
+    - kind: added
+      description: Add codefresh-gitops-operator
+    - kind: changed
+      description: Update app-proxy
     - kind: changed
-      description: Update app-proxy for ARM support
+      description: Update argo-workflowschart. Fix podGC label selector
+    - kind: fixed
+      description: Set default auth to client on workflows to be able to see workflow logs in UI
 dependencies:
 - name: argo-cd
   repository: https://codefresh-io.github.io/argo-helm
@@ -27,7 +31,7 @@ dependencies:
   version: 2.0.9-1-cap-CR-19893
 - name: argo-workflows
   repository: https://codefresh-io.github.io/argo-helm
-  version: 0.22.9-1-CR-17426
+  version: 0.22.10-1-CR-17426
   condition: argo-workflows.enabled
 - name: argo-rollouts
   repository: https://codefresh-io.github.io/argo-helm

diff --git a/charts/gitops-runtime/README.md b/charts/gitops-runtime/README.md
@@ -1,5 +1,5 @@
 ## Codefresh gitops runtime
-![Version: 0.2.21](https://img.shields.io/badge/Version-0.2.21-informational?style=flat-square) ![AppVersion: 0.1.35](https://img.shields.io/badge/AppVersion-0.1.35-informational?style=flat-square)
+![Version: 0.3.0](https://img.shields.io/badge/Version-0.3.0-informational?style=flat-square) ![AppVersion: 0.1.36](https://img.shields.io/badge/AppVersion-0.1.36-informational?style=flat-square)
 
 ## Codefresh official documentation:
 Prior to running the installation please see the official documentation at: https://codefresh.io/docs/docs/installation/gitops/hybrid-gitops-helm-installation/
@@ -15,7 +15,7 @@ We have created a helper utility to resolve this issue:
 The utility is packaged in a container image. Below are instructions on executing the utility using Docker:
 
 ```
-docker run -v <output_dir>:/output quay.io/codefresh/gitops-runtime-private-registry-utils:0.2.21 <local_registry>
+docker run -v <output_dir>:/output quay.io/codefresh/gitops-runtime-private-registry-utils:0.3.0 <local_registry>
 ```
 `output_dir` - is a local directory where the utility will output files. <br>
 `local_registry` - is your local registry where you want to mirror the images to
@@ -130,7 +130,9 @@ sealed-secrets:
 | app-proxy.serviceAccount.name | string | `"cap-app-proxy"` |  |
 | app-proxy.tolerations | list | `[]` |  |
 | argo-cd.configs.cm."accounts.admin" | string | `"apiKey,login"` |  |
+| argo-cd.configs.cm."application.resourceTrackingMethod" | string | `"annotation+label"` |  |
 | argo-cd.configs.cm."timeout.reconciliation" | string | `"20s"` |  |
+| argo-cd.configs.params."application.namespaces" | string | `"cf-*"` |  |
 | argo-cd.configs.params."server.insecure" | bool | `true` |  |
 | argo-cd.crds.install | bool | `true` |  |
 | argo-cd.fullnameOverride | string | `"argo-cd"` |  |
@@ -144,6 +146,7 @@ sealed-secrets:
 | argo-workflows.crds.install | bool | `true` | Install and upgrade CRDs |
 | argo-workflows.enabled | bool | `true` |  |
 | argo-workflows.fullnameOverride | string | `"argo"` |  |
+| argo-workflows.server.extraArgs | list | `["--auth-mode=client"]` | auth-mode needs to be set to client to be able to see workflow logs from Codefresh UI |
 | event-reporters.events.argoCDServerServiceName | string | `nil` | LEAVE EMPTY and let the chart logic determine the name. Change only if you are totally sure you need to override ArgoCD service name. |
 | event-reporters.events.argoCDServerServicePort | string | `nil` | LEAVE EMPTY and let the chart logic determine the name. Change only if you are totally sure you need to override ArgoCD service port. |
 | event-reporters.events.eventSource.affinity | object | `{}` |  |
@@ -179,6 +182,53 @@ sealed-secrets:
 | event-reporters.workflow.sensor.resources | object | `{}` |  |
 | event-reporters.workflow.sensor.tolerations | list | `[]` |  |
 | event-reporters.workflow.serviceAccount.create | bool | `true` |  |
+| gitops-operator.affinity | object | `{}` |  |
+| gitops-operator.crds | object | `{"additionalLabels":{},"annotations":{},"install":true,"keep":false}` | Codefresh gitops operator crds |
+| gitops-operator.crds.additionalLabels | object | `{}` | Additional labels for gitops operator CRDs |
+| gitops-operator.crds.annotations | object | `{}` | Annotations on gitops operator CRDs |
+| gitops-operator.crds.install | bool | `true` | Whether or not to install CRDs |
+| gitops-operator.crds.keep | bool | `false` | Keep CRDs if gitops runtime release is uninstalled |
+| gitops-operator.env | object | `{}` |  |
+| gitops-operator.fullnameOverride | string | `""` |  |
+| gitops-operator.image.pullPolicy | string | `"IfNotPresent"` |  |
+| gitops-operator.image.repository | string | `"quay.io/codefresh/codefresh-gitops-operator"` |  |
+| gitops-operator.image.tag | string | `"v0.1.0-alpha.3"` |  |
+| gitops-operator.imagePullSecrets | list | `[]` |  |
+| gitops-operator.kube-rbac-proxy.image.pullPolicy | string | `"IfNotPresent"` |  |
+| gitops-operator.kube-rbac-proxy.image.repository | string | `"gcr.io/kubebuilder/kube-rbac-proxy"` |  |
+| gitops-operator.kube-rbac-proxy.image.tag | string | `"v0.14.1"` |  |
+| gitops-operator.kube-rbac-proxy.resources.limits.cpu | string | `"500m"` |  |
+| gitops-operator.kube-rbac-proxy.resources.limits.memory | string | `"128Mi"` |  |
+| gitops-operator.kube-rbac-proxy.resources.requests.cpu | string | `"100m"` |  |
+| gitops-operator.kube-rbac-proxy.resources.requests.memory | string | `"64Mi"` |  |
+| gitops-operator.kube-rbac-proxy.securityContext.allowPrivilegeEscalation | bool | `false` |  |
+| gitops-operator.kube-rbac-proxy.securityContext.capabilities.drop[0] | string | `"ALL"` |  |
+| gitops-operator.livenessProbe.failureThreshold | int | `10` |  |
+| gitops-operator.livenessProbe.initialDelaySeconds | int | `10` |  |
+| gitops-operator.livenessProbe.periodSeconds | int | `10` |  |
+| gitops-operator.livenessProbe.successThreshold | int | `1` |  |
+| gitops-operator.livenessProbe.timeoutSeconds | int | `10` |  |
+| gitops-operator.nameOverride | string | `""` |  |
+| gitops-operator.nodeSelector | object | `{}` |  |
+| gitops-operator.podAnnotations | object | `{}` |  |
+| gitops-operator.podLabels | object | `{}` |  |
+| gitops-operator.podSecurityContext.runAsNonRoot | bool | `true` |  |
+| gitops-operator.readinessProbe.failureThreshold | int | `3` |  |
+| gitops-operator.readinessProbe.initialDelaySeconds | int | `10` |  |
+| gitops-operator.readinessProbe.periodSeconds | int | `10` |  |
+| gitops-operator.readinessProbe.successThreshold | int | `1` |  |
+| gitops-operator.readinessProbe.timeoutSeconds | int | `10` |  |
+| gitops-operator.replicaCount | int | `1` |  |
+| gitops-operator.resources.limits.cpu | string | `"500m"` |  |
+| gitops-operator.resources.limits.memory | string | `"128Mi"` |  |
+| gitops-operator.resources.requests.cpu | string | `"100m"` |  |
+| gitops-operator.resources.requests.memory | string | `"64Mi"` |  |
+| gitops-operator.securityContext.allowPrivilegeEscalation | bool | `false` |  |
+| gitops-operator.securityContext.capabilities.drop[0] | string | `"ALL"` |  |
+| gitops-operator.serviceAccount.annotations | object | `{}` |  |
+| gitops-operator.serviceAccount.create | bool | `true` |  |
+| gitops-operator.serviceAccount.name | string | `"gitops-operator-controller-manager"` |  |
+| gitops-operator.tolerations | list | `[]` |  |
 | global.codefresh | object | `{"accountId":"","apiEventsPath":"/2.0/api/events","tls":{"caCerts":{"secret":{"annotations":{},"content":"","create":false,"key":"ca-bundle.crt"},"secretKeyRef":{}},"workflowPipelinesGitWebhooks":{"annotatins":{},"certificates":{}}},"url":"https://g.codefresh.io","userToken":{"secretKeyRef":{},"token":""}}` | Codefresh platform and account-related settings |
 | global.codefresh.accountId | string | `""` | Codefresh Account ID. |
 | global.codefresh.apiEventsPath | string | `"/2.0/api/events"` | Events API endpoint URL suffix. |

diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/_all_resources.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/_all_resources.yaml
@@ -0,0 +1,16 @@
+{{- define "gitops-operator.resources" }}
+---
+  {{ include "gitops-operator.resources.deployment" . }} #
+---
+  {{ include "gitops-operator.resources.rbac" . }}
+---
+  {{ include "gitops-operator.resources.auth_proxy_rbac" . }}
+---
+  {{ include "gitops-operator.resources.leader_election_rbac" . }}
+---
+  {{ include "gitops-operator.resources.restricted_git_source_rbac" . }}
+---
+  {{ include "gitops-operator.resources.sa" .}}
+---
+  {{- include "gitops-operator.crds.restricted-gitsource" . }} #
+{{- end }}
diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/_deployment.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/_deployment.yaml
@@ -0,0 +1,106 @@
+{{- define "gitops-operator.resources.deployment" }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "gitops-operator.fullname" . }}
+  labels:
+    {{- include "gitops-operator.labels" . | nindent 4 }}
+spec:
+  replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels:
+      {{- include "gitops-operator.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "gitops-operator.selectorLabels" . | nindent 8 }}
+        {{- with .Values.podLabels }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "gitops-operator.serviceAccountName" . }}
+      securityContext:
+      {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      containers:
+      - name: kube-rbac-proxy
+        securityContext:
+          {{- toYaml (index .Values "kube-rbac-proxy" "securityContext") | nindent 12 }}
+        image: '{{ index .Values "kube-rbac-proxy" "image" "repository" }}:{{ index .Values "kube-rbac-proxy" "image" "tag" }}'
+        imagePullPolicy: {{ index .Values "kube-rbac-proxy" "image" "pullPolicy" }}
+        ports:
+          - name: https
+            containerPort: 8443
+            protocol: TCP
+        resources:
+          {{- toYaml (index .Values "kube-rbac-proxy" "resources") | nindent 12 }}
+        args:
+          - "--secure-listen-address=0.0.0.0:8443"
+          - "--upstream=http://127.0.0.1:8080/"
+          - "--logtostderr=true"
+          - "--v=0"
+      - name: manager
+        securityContext:
+          {{- toYaml .Values.securityContext | nindent 12 }}
+        image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+        {{- include "codefresh-gitops-runtime.components.common_helpers.container-templates.env-vars" .Values.env | nindent 8 }}
+        imagePullPolicy: {{ .Values.image.pullPolicy }}
+        command:
+          - /manager
+        args:
+          - "--health-probe-bind-address=:8081"
+          - "--metrics-bind-address=127.0.0.1:8080"
+          - "--leader-elect"
+        ports:
+        - name: http
+          containerPort: 8081
+        - name: http-metrics
+          containerPort: 8080
+        readinessProbe:
+          initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
+          periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
+          timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }}
+          successThreshold: {{ .Values.readinessProbe.successThreshold }}
+          failureThreshold: {{ .Values.readinessProbe.failureThreshold }}
+          httpGet:
+            port: http
+            path: /readyz
+        livenessProbe:
+          initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }}
+          periodSeconds: {{ .Values.livenessProbe.periodSeconds }}
+          timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }}
+          successThreshold: {{ .Values.livenessProbe.successThreshold }}
+          failureThreshold: {{ .Values.livenessProbe.failureThreshold }}
+          httpGet:
+            port: http
+            path: /healthz
+        resources:
+          {{- toYaml .Values.resources | nindent 12 }}
+        volumeMounts:
+        {{- with .Values.extraVolumeMounts }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8}}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 6 }}
+      {{- end }}
+      volumes:
+      {{- with .Values.extraVolumes }}
+          {{- toYaml . | nindent 6 }}
+      {{- end }}
+{{- end }}
diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/_helpers.tpl b/charts/gitops-runtime/templates/_components/gitops-operator/_helpers.tpl
@@ -0,0 +1,47 @@
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "gitops-operator.fullname" -}}
+{{- print "gitops-operator" }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "gitops-operator.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "gitops-operator.labels" -}}
+helm.sh/chart: {{ include "gitops-operator.chart" . }}
+{{ include "gitops-operator.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+app.kubernetes.io/part-of: gitops-operator
+codefresh.io/internal: "true"
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "gitops-operator.selectorLabels" -}}
+app: gitops-operator
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "gitops-operator.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "gitops-operator.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/_rbac.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/_rbac.yaml
@@ -0,0 +1,63 @@
+
+{{- define "gitops-operator.resources.rbac" }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    {{- include "gitops-operator.selectorLabels" . | nindent 4 }}
+  name: codefresh-gitops-operator
+rules:
+- apiGroups:
+  - argoproj.io
+  resources:
+  - applications
+  - appprojects
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - update
+  - watch
+- apiGroups:
+  - csdp.codefresh.io
+  resources:
+  - restrictedgitsources
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - csdp.codefresh.io
+  resources:
+  - restrictedgitsources/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - csdp.codefresh.io
+  resources:
+  - restrictedgitsources/status
+  verbs:
+  - get
+  - patch
+  - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    {{- include "gitops-operator.selectorLabels" . | nindent 4 }}
+  name: codefresh-gitops-operator
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: codefresh-gitops-operator
+subjects:
+- kind: ServiceAccount
+  name: {{ include "gitops-operator.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+{{- end }}
diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/_serviceaccount.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/_serviceaccount.yaml
@@ -0,0 +1,14 @@
+{{- define "gitops-operator.resources.sa" }}
+  {{- if .Values.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "gitops-operator.serviceAccountName" . }}
+  labels:
+    {{- include "gitops-operator.labels" . | nindent 4 }}
+    {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- end }}
+{{- end }}