diff --git a/.github/workflows/component-test.yaml b/.github/workflows/component-test.yaml index 3df1f97d8..8aefc326c 100644 --- a/.github/workflows/component-test.yaml +++ b/.github/workflows/component-test.yaml @@ -5,12 +5,16 @@ on: push: branches: - main + - 'stable/*' + - 'monthly/*' paths-ignore: - "*.md" - charts/** pull_request: branches: - main + - 'stable/*' + - 'monthly/*' paths-ignore: - "*.md" - charts/** @@ -68,7 +72,7 @@ jobs: helm repo add gitea-charts https://dl.gitea.com/charts/ helm repo add mockserver https://www.mock-server.com - + - name: Run KUTTL tests run: | - cd tests/component-tests && ./../../bin/kuttl test --parallel 1 --start-kind=false --namespace e2e-test --config startup.yaml \ No newline at end of file + cd tests/component-tests && ./../../bin/kuttl test --parallel 1 --start-kind=false --namespace e2e-test --config startup.yaml diff --git a/charts/gitops-runtime/Chart.yaml b/charts/gitops-runtime/Chart.yaml index 87f386914..79cbfe588 100644 --- a/charts/gitops-runtime/Chart.yaml +++ b/charts/gitops-runtime/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 appVersion: 0.1.75 description: A Helm chart for Codefresh gitops runtime name: gitops-runtime -version: '0.23.3' +version: '0.24.0' home: https://github.com/codefresh-io/gitops-runtime-helm icon: https://avatars1.githubusercontent.com/u/11412079?v=3 keywords: @@ -37,6 +37,7 @@ dependencies: - name: sealed-secrets repository: https://bitnami-labs.github.io/sealed-secrets/ version: 2.17.2 + condition: sealed-secrets.enabled - name: codefresh-tunnel-client repository: oci://quay.io/codefresh/charts version: 0.1.21 diff --git a/charts/gitops-runtime/README.md b/charts/gitops-runtime/README.md index a5678d955..9c9b2147e 100644 --- a/charts/gitops-runtime/README.md +++ b/charts/gitops-runtime/README.md 
@@ -15,6 +15,68 @@ See [Use OCI-based registries](https://helm.sh/docs/topics/registries/) ## Codefresh official documentation: Prior to running the installation please see the official documentation at: https://codefresh.io/docs/docs/installation/gitops/hybrid-gitops-helm-installation/ +## Multi Runtime Installation +You can install multiple Codefresh GitOps Runtimes in the same cluster, as long as each Runtime is deployed in its own namespace and manages only the applications in that namespace. +To achieve this, configure your Runtimes to run in namespaced mode by setting `global.runtime.singleNamespace=true`. See the values.yaml example below: +```yaml +global: + runtime: + singleNamespace: true +sealed-secrets: + enabled: false +argo-cd: + createClusterRoles: false + crds: + install: false + configs: + params: + application.namespaces: '' +argo-events: + controller: + rbac: + namespaced: true +argo-workflows: + crds: + install: false + singleNamespace: true + createAggregateRoles: false + controller: + clusterWorkflowTemplates: + enabled: false + server: + clusterWorkflowTemplates: + enabled: false +argo-rollouts: + enabled: false +tunnel-client: + enabled: false +gitops-operator: + crds: + install: false +``` + +Note that for the first runtime in the cluster, you have to configure it to install the CRDs, with setting these values: +```yaml +global: + runtime: + isConfigurationRuntime: true +argo-cd: + crds: + install: true +argo-workflows: + crds: + install: true +argo-rollouts: + installCRDs: true +gitops-operator: + crds: + install: true +``` + +> [!WARNING] +> If you want more than one runtime in your cluster, make sure that all of the runtimes in your cluster are configured with `global.runtime.singleNamespace=true`. +> If you already have a runtime installed in the cluster without this setting, multi runtime installation is not supported. 
+ ## Argo-workflows artifact and log storage Codefresh provides a SaaS object storage based solution for Argo workflows logs storage. The chart deploys a configmap named `codefresh-workflows-log-store` with the repository configuration. If you want to utilize the Codefresh SaaS solution for log storage for all workflows in the runtime please set the following values: @@ -415,6 +477,7 @@ gitops-operator: | event-reporters.workflow.sensor.tolerations | list | `[]` | | | event-reporters.workflow.serviceAccount.create | bool | `true` | | | gitops-operator.affinity | object | `{}` | | +| gitops-operator.config | object | `{"commitStatusPollingInterval":"10s","maxConcurrentReleases":100,"promotionWrapperTemplate":"","taskPollingInterval":"10s","workflowMonitorPollingInterval":"10s"}` | GitOps operator configuration | | gitops-operator.config.commitStatusPollingInterval | string | `"10s"` | Commit status polling interval | | gitops-operator.config.maxConcurrentReleases | int | `100` | Maximum number of concurrent releases being processed by the operator (this will not affect the number of releases being processed by the gitops runtime) | | gitops-operator.config.promotionWrapperTemplate | string | `""` | An optional template for the promotion wrapper (empty default will use the embedded one) | 
@@ -427,9 +490,7 @@ gitops-operator: | gitops-operator.crds.keep | bool | `false` | Keep CRDs if gitops runtime release is uninstalled | | gitops-operator.enabled | bool | `true` | | | gitops-operator.fullnameOverride | string | `""` | | -| gitops-operator.image.registry | string | `"quay.io"` | defaults | -| gitops-operator.image.repository | string | `"codefresh/codefresh-gitops-operator"` | | -| gitops-operator.image.tag | string | `"v0.10.2"` | | +| gitops-operator.image | object | `{"registry":"quay.io","repository":"codefresh/codefresh-gitops-operator","tag":"v0.10.2"}` | GitOps operator image | | gitops-operator.imagePullSecrets | list | `[]` | | | gitops-operator.nameOverride | string | `""` | | | gitops-operator.nodeSelector | object | `{}` | | 
@@ -482,7 +543,7 @@ gitops-operator: | global.httpsProxy | string | `""` | global HTTPS_PROXY for all components | | global.noProxy | string | `""` | global NO_PROXY for all components | | global.nodeSelector | object | `{}` | Global nodeSelector for all components | -| global.runtime | object | `{"cluster":"https://kubernetes.default.svc","codefreshHosted":false,"eventBus":{"annotations":{},"jetstream":{"affinity":{},"containerTemplate":{"resources":{"limits":{"cpu":"500m","ephemeral-storage":"2Gi","memory":"4Gi"},"requests":{"cpu":"200m","ephemeral-storage":"2Gi","memory":"1Gi"}}},"maxPayload":"4MB","metadata":{"labels":{"app.kubernetes.io/name":"codefresh-eventbus"}},"nodeSelector":{},"replicas":3,"tolerations":[],"version":"latest"},"name":"","nats":{"native":{"affinity":{},"auth":"token","containerTemplate":{"resources":{"limits":{"cpu":"500m","ephemeral-storage":"2Gi","memory":"4Gi"},"requests":{"cpu":"200m","ephemeral-storage":"2Gi","memory":"1Gi"}}},"maxPayload":"4MB","metadata":{"labels":{"app.kubernetes.io/name":"codefresh-eventbus"}},"nodeSelector":{},"replicas":3,"tolerations":[]}},"pdb":{"enabled":true,"minAvailable":2},"type":"nats"},"gitCredentials":{"password":{"secretKeyRef":{},"value":null},"username":"username"},"ingress":{"annotations":{},"className":"nginx","enabled":false,"hosts":[],"labels":{},"protocol":"https","skipValidation":false,"tls":[]},"ingressUrl":"","isConfigurationRuntime":false,"name":null}` | Runtime level settings | +| global.runtime | object | 
`{"cluster":"https://kubernetes.default.svc","codefreshHosted":false,"eventBus":{"annotations":{},"jetstream":{"affinity":{},"containerTemplate":{"resources":{"limits":{"cpu":"500m","ephemeral-storage":"2Gi","memory":"4Gi"},"requests":{"cpu":"200m","ephemeral-storage":"2Gi","memory":"1Gi"}}},"maxPayload":"4MB","metadata":{"labels":{"app.kubernetes.io/name":"codefresh-eventbus"}},"nodeSelector":{},"replicas":3,"tolerations":[],"version":"latest"},"name":"","nats":{"native":{"affinity":{},"auth":"token","containerTemplate":{"resources":{"limits":{"cpu":"500m","ephemeral-storage":"2Gi","memory":"4Gi"},"requests":{"cpu":"200m","ephemeral-storage":"2Gi","memory":"1Gi"}}},"maxPayload":"4MB","metadata":{"labels":{"app.kubernetes.io/name":"codefresh-eventbus"}},"nodeSelector":{},"replicas":3,"tolerations":[]}},"pdb":{"enabled":true,"minAvailable":2},"type":"nats"},"gitCredentials":{"password":{"secretKeyRef":{},"value":null},"username":"username"},"ingress":{"annotations":{},"className":"nginx","enabled":false,"hosts":[],"labels":{},"protocol":"https","skipValidation":false,"tls":[]},"ingressUrl":"","isConfigurationRuntime":false,"name":null,"singleNamespace":false}` | Runtime level settings | | global.runtime.cluster | string | `"https://kubernetes.default.svc"` | Runtime cluster. Should not be changed. | | global.runtime.codefreshHosted | bool | `false` | Defines whether this is a Codefresh hosted runtime. Should not be changed. 
| | global.runtime.eventBus | object | `{"annotations":{},"jetstream":{"affinity":{},"containerTemplate":{"resources":{"limits":{"cpu":"500m","ephemeral-storage":"2Gi","memory":"4Gi"},"requests":{"cpu":"200m","ephemeral-storage":"2Gi","memory":"1Gi"}}},"maxPayload":"4MB","metadata":{"labels":{"app.kubernetes.io/name":"codefresh-eventbus"}},"nodeSelector":{},"replicas":3,"tolerations":[],"version":"latest"},"name":"","nats":{"native":{"affinity":{},"auth":"token","containerTemplate":{"resources":{"limits":{"cpu":"500m","ephemeral-storage":"2Gi","memory":"4Gi"},"requests":{"cpu":"200m","ephemeral-storage":"2Gi","memory":"1Gi"}}},"maxPayload":"4MB","metadata":{"labels":{"app.kubernetes.io/name":"codefresh-eventbus"}},"nodeSelector":{},"replicas":3,"tolerations":[]}},"pdb":{"enabled":true,"minAvailable":2},"type":"nats"}` | Runtime eventbus | 
@@ -503,6 +564,7 @@ gitops-operator: | global.runtime.ingressUrl | string | `""` | Explicit url for runtime ingress. Provide this value only if you don't want the chart to create and ingress (global.runtime.ingress.enabled=false) and tunnel-client is not used (tunnel-client.enabled=false) | | global.runtime.isConfigurationRuntime | bool | `false` | is the runtime set as a "configuration runtime". | | global.runtime.name | string | `nil` | Runtime name. Must be unique per platform account. | +| global.runtime.singleNamespace | bool | `false` | Runtime single namespace mode. When true, runtime operates in single namespace scope. | | global.tolerations | list | `[]` | Global tolerations for all components | | installer | object | `{"affinity":{},"argoCdVersionCheck":{"argoServerLabels":{"app.kubernetes.io/component":"server","app.kubernetes.io/part-of":"argocd"}},"image":{"pullPolicy":"IfNotPresent","repository":"quay.io/codefresh/gitops-runtime-installer","tag":""},"nodeSelector":{},"skipUsageValidation":false,"skipValidation":false,"tolerations":[]}` | Runtime installer used for running hooks and checks on the release | | installer.skipUsageValidation | bool | `false` | if set to true, pre-install hook will *not* run | diff --git a/charts/gitops-runtime/README.md.gotmpl b/charts/gitops-runtime/README.md.gotmpl index 1dd14fdf9..49da3087a 100644 --- a/charts/gitops-runtime/README.md.gotmpl +++ b/charts/gitops-runtime/README.md.gotmpl 
@@ -15,6 +15,69 @@ See [Use OCI-based registries](https://helm.sh/docs/topics/registries/) ## Codefresh official documentation: Prior to running the installation please see the official documentation at: https://codefresh.io/docs/docs/installation/gitops/hybrid-gitops-helm-installation/ +## Multi Runtime Installation +You can install multiple Codefresh GitOps Runtimes in the same cluster, as long as each Runtime is deployed in its own namespace and manages only the applications in that namespace. +To achieve this, configure your Runtimes to run in namespaced mode by setting `global.runtime.singleNamespace=true`. See the values.yaml example below: +```yaml +global: + runtime: + singleNamespace: true +sealed-secrets: + enabled: false +argo-cd: + createClusterRoles: false + crds: + install: false + configs: + params: + application.namespaces: '' +argo-events: + controller: + rbac: + namespaced: true +argo-workflows: + crds: + install: false + singleNamespace: true + createAggregateRoles: false + controller: + clusterWorkflowTemplates: + enabled: false + server: + clusterWorkflowTemplates: + enabled: false +argo-rollouts: + enabled: false +tunnel-client: + enabled: false +gitops-operator: + crds: + install: false +``` + +Note that for the first runtime in the cluster, you have to configure it to install the CRDs, with setting these values: +```yaml +global: + runtime: + isConfigurationRuntime: true +argo-cd: + crds: + install: true +argo-workflows: + crds: + install: true +argo-rollouts: + installCRDs: true +gitops-operator: + crds: + install: true +``` + +> [!WARNING] +> If you want more than one runtime in your cluster, make sure that all of the runtimes in your cluster are configured with `global.runtime.singleNamespace=true`. +> If you already have a runtime installed in the cluster without this setting, multi runtime installation is not supported. 
+ + ## Argo-workflows artifact and log storage Codefresh provides a SaaS object storage based solution for Argo workflows logs storage. The chart deploys a configmap named `codefresh-workflows-log-store` with the repository configuration. If you want to utilize the Codefresh SaaS solution for log storage for all workflows in the runtime please set the following values: diff --git a/charts/gitops-runtime/templates/_components/cap-app-proxy/_all_resources.yaml b/charts/gitops-runtime/templates/_components/cap-app-proxy/_all_resources.yaml index 479914c47..3941e62cc 100644 --- a/charts/gitops-runtime/templates/_components/cap-app-proxy/_all_resources.yaml +++ b/charts/gitops-runtime/templates/_components/cap-app-proxy/_all_resources.yaml @@ -10,4 +10,5 @@ {{ include "cap-app-proxy.resources.service" . }} --- {{ include "cap-app-proxy.resources.sa" .}} -{{- end }} \ No newline at end of file +--- +{{- end }} diff --git a/charts/gitops-runtime/templates/_components/cap-app-proxy/_config.yaml b/charts/gitops-runtime/templates/_components/cap-app-proxy/_config.yaml index 7751eb84e..15798be85 100644 --- a/charts/gitops-runtime/templates/_components/cap-app-proxy/_config.yaml +++ b/charts/gitops-runtime/templates/_components/cap-app-proxy/_config.yaml 
@@ -4,13 +4,14 @@ argoCdUsername: {{ .Values.config.argoCdUsername }} argoWorkflowsInsecure: {{ .Values.config.argoWorkflowsInsecure | quote }} argoWorkflowsUrl: {{ default "" .Values.config.argoWorkflowsUrl }} cors: {{ .Values.global.codefresh.url }} - {{- with .Values.config.clusterChunkSize }} + {{- with .Values.config.clusterChunkSize }} clusterChunkSize: {{ . | quote }} {{- end }} env: {{ .Values.config.env | quote}} isConfigurationRuntime: {{ .Values.global.runtime.isConfigurationRuntime | quote }} isExternalArgoCD: {{ .Values.global.runtime.isExternalArgoCD | quote }} runtimeName: {{ required "global.runtime.name is required" .Values.global.runtime.name | quote}} +isNamespacedRuntime: {{ .Values.global.runtime.singleNamespace | quote }} skipGitPermissionValidation: {{ .Values.config.skipGitPermissionValidation | quote }} logLevel: {{ .Values.config.logLevel | quote }} {{- $enrichmentValues := get .Values "image-enrichment" }} diff --git a/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_all.yaml b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_all.yaml new file mode 100644 index 000000000..cf8716c78 --- /dev/null +++ b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_all.yaml @@ -0,0 +1,11 @@ +{{- define "argo-cd.namespaced-rbac.all" }} +{{- if (index .Values "global" "runtime").singleNamespace }} +{{- include "argo-cd.namespaced-rbac.serviceaccount" . }} +--- +{{- include "argo-cd.namespaced-rbac.secret" . }} +--- +{{- include "argo-cd.namespaced-rbac.role" . }} +--- +{{- include "argo-cd.namespaced-rbac.rolebinding" . }} +{{- end }} +{{- end }} diff --git a/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_role.yaml b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_role.yaml new file mode 100644 index 000000000..9656aa3b3 --- /dev/null +++ b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_role.yaml 
@@ -0,0 +1,17 @@ +{{- define "argo-cd.namespaced-rbac.role" }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: argocd-namespaced-role + namespace: {{ .Release.Namespace }} + labels: + {{- include "codefresh-gitops-runtime.labels" . | nindent 4 }} + codefresh.io/component: argocd-namespaced-rbac +rules: +- apiGroups: + - '*' + resources: + - '*' + verbs: + - '*' +{{- end }} diff --git a/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_rolebinding.yaml b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_rolebinding.yaml new file mode 100644 index 000000000..28c529499 --- /dev/null +++ b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_rolebinding.yaml @@ -0,0 +1,18 @@ +{{- define "argo-cd.namespaced-rbac.rolebinding" }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: argocd-namespaced-rolebinding + namespace: {{ .Release.Namespace }} + labels: + {{- include "codefresh-gitops-runtime.labels" . | nindent 4 }} + codefresh.io/component: argocd-namespaced-rbac +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: argocd-namespaced-role +subjects: +- kind: ServiceAccount + name: argocd-manager + namespace: {{ .Release.Namespace }} +{{- end }} \ No newline at end of file diff --git a/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_secret.yaml b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_secret.yaml new file mode 100644 index 000000000..63100462d --- /dev/null +++ b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_secret.yaml @@ -0,0 +1,9 @@ +{{- define "argo-cd.namespaced-rbac.secret" }} +apiVersion: v1 +kind: Secret +metadata: + name: argocd-manager-long-lived-token + annotations: + kubernetes.io/service-account.name: argocd-manager +type: kubernetes.io/service-account-token +{{- end }} 
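Review bot: The Role `argocd-namespaced-role` grants `'*'` apiGroups, resources and verbs, which is every verb on every namespaced object in the release namespace (Secrets, ServiceAccounts, Pods and their subresources included), and the RoleBinding in the next hunk hands that to `argocd-manager`. If the breadth is deliberate, to mirror the cluster-wide argocd-manager grant, say so with a comment above `rules:`, e.g. `# Full access within the release namespace only; Argo CD must sync every resource kind deployed here`, and consider narrowing the list to the API groups Argo CD actually syncs. A `resources: ['*']` plus `verbs: ['*']` rule is also the pattern most RBAC audit tooling flags, so a scoped rule list keeps namespaced installs from tripping policy checks.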
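Review bot: The Secret `argocd-manager-long-lived-token` omits `namespace: {{ .Release.Namespace }}` and the `codefresh-gitops-runtime.labels` / `codefresh.io/component` labels that the sibling ServiceAccount, Role and RoleBinding templates in this commit carry, so it cannot be found with the same label selectors and relies on Helm's default namespace. Aligning it with the siblings means adding `namespace: {{ .Release.Namespace }}` and the same `labels:` block under `metadata`. A `kubernetes.io/service-account-token` Secret never expires or rotates on its own; a one-line comment above `type:` naming which consumer needs a non-expiring token instead of a projected one would record the trade-off for the next maintainer.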
diff --git a/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_serviceaccount.yaml b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_serviceaccount.yaml new file mode 100644 index 000000000..1f94e491e --- /dev/null +++ b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_serviceaccount.yaml @@ -0,0 +1,10 @@ +{{- define "argo-cd.namespaced-rbac.serviceaccount" }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: argocd-manager + namespace: {{ .Release.Namespace }} + labels: + {{- include "codefresh-gitops-runtime.labels" . | nindent 4 }} + codefresh.io/component: argocd-namespaced-rbac +{{- end }} diff --git a/charts/gitops-runtime/templates/_components/cap-app-proxy/environment-variables/_main-container.yaml b/charts/gitops-runtime/templates/_components/cap-app-proxy/environment-variables/_main-container.yaml index f59f769ef..87a1d8367 100644 --- a/charts/gitops-runtime/templates/_components/cap-app-proxy/environment-variables/_main-container.yaml +++ b/charts/gitops-runtime/templates/_components/cap-app-proxy/environment-variables/_main-container.yaml @@ -86,6 +86,12 @@ IS_EXTERNAL_ARGOCD: name: cap-app-proxy-cm key: isExternalArgoCD optional: true +IS_NAMESPACED_RUNTIME: + valueFrom: + configMapKeyRef: + name: cap-app-proxy-cm + key: isNamespacedRuntime + optional: true MANAGED: false NAMESPACE: valueFrom: @@ -210,6 +216,7 @@ IRW_JIRA_ENRICHMENT_TASK_IMAGE: name: cap-app-proxy-cm key: enrichmentJiraEnrichmentImage optional: true + NODE_EXTRA_CA_CERTS: /app/config/all/all.cer {{- if gt (int .Values.replicaCount) 1 }} LEADER_ID: diff --git a/charts/gitops-runtime/templates/_components/cf-argocd-extras/event-reporter/_rbac.yaml b/charts/gitops-runtime/templates/_components/cf-argocd-extras/event-reporter/_rbac.yaml index 64cd6d27e..fbd34e3cd 100644 --- a/charts/gitops-runtime/templates/_components/cf-argocd-extras/event-reporter/_rbac.yaml 
+++ b/charts/gitops-runtime/templates/_components/cf-argocd-extras/event-reporter/_rbac.yaml @@ -11,6 +11,19 @@ {{/* Workaround to NOT change label selectors from previous runtime release when event-reporter was part of cf-argocd-extras Subchart */}} {{- $_ := set $context.Values "nameOverride" "cf-argocd-extras" }} +{{/* Remove nonResourceURLs when RBAC is namespaced */}} +{{- $rules := $context.Values.rbac.rules }} +{{- $_ := set $context.Values.rbac "namespaced" (get .Values.global.runtime "singleNamespace") }} +{{- if $context.Values.rbac.namespaced }} + {{- $rules = list }} + {{- range $context.Values.rbac.rules }} + {{- if not .nonResourceURLs }} + {{- $rules = append $rules . }} + {{- end }} + {{- end }} +{{- end }} +{{- $_ := set $context.Values.rbac "rules" $rules }} + {{- $templateName := printf "cf-common-%s.rbac" (index .Subcharts "cf-common").Chart.Version }} {{- include $templateName $context }} diff --git a/charts/gitops-runtime/templates/_components/cf-argocd-extras/sources-server/_rbac.yaml b/charts/gitops-runtime/templates/_components/cf-argocd-extras/sources-server/_rbac.yaml index 2afcec029..906e68bdc 100644 --- a/charts/gitops-runtime/templates/_components/cf-argocd-extras/sources-server/_rbac.yaml +++ b/charts/gitops-runtime/templates/_components/cf-argocd-extras/sources-server/_rbac.yaml @@ -10,6 +10,7 @@ {{/* Workaround to NOT change label selectors from previous runtime release when sources-server was part of cf-argocd-extras Subchart */}} {{- $_ := set $context.Values "nameOverride" "cf-argocd-extras" }} +{{- $_ := set $context.Values.rbac "namespaced" (get .Values.global.runtime "singleNamespace") }} {{- $templateName := printf "cf-common-%s.rbac" (index .Subcharts "cf-common").Chart.Version }} {{- include $templateName $context }} diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/_default_values.tpl b/charts/gitops-runtime/templates/_components/gitops-operator/_default_values.tpl index dd552eb82..58ece9658 100644 
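Review bot: The new block sets `rbac.namespaced` from `global.runtime.singleNamespace` unconditionally, so any `rbac.namespaced` a user sets on the event-reporter values is overwritten; the sources-server `_rbac.yaml` hunk does the same. If that is the intent, a comment above the `set` line, `{{/* namespaced RBAC follows global.runtime.singleNamespace; the component-level value is not user-settable */}}`, would make it explicit. The filter below only drops rules that carry `nonResourceURLs`; any rule in `rbac.rules` (defined outside this hunk) naming cluster-scoped resources would still be written into a Role, where it is accepted but grants nothing, so the comment could also state that the rule list is expected to be namespace-safe apart from nonResourceURLs.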
--- a/charts/gitops-runtime/templates/_components/gitops-operator/_default_values.tpl +++ b/charts/gitops-runtime/templates/_components/gitops-operator/_default_values.tpl @@ -14,6 +14,9 @@ global: replicaCount: 1 +# -- Restrict the gitops operator to a single namespace (by the namespace of Helm release) +singleNamespace: false + # -- Codefresh gitops operator crds crds: # -- Whether or not to install CRDs diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/_env.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/_env.yaml index f2e10f745..9f51e8d09 100644 --- a/charts/gitops-runtime/templates/_components/gitops-operator/_env.yaml +++ b/charts/gitops-runtime/templates/_components/gitops-operator/_env.yaml @@ -15,6 +15,7 @@ COMMIT_STATUS_POLLING_INTERVAL: {{ .Values.config.commitStatusPollingInterval }} WORKFLOW_MONITOR_POLLING_INTERVAL: {{ .Values.config.workflowMonitorPollingInterval }} MAX_CONCURRENT_RELEASES: {{ .Values.config.maxConcurrentReleases }} PROMOTION_WRAPPER_TEMPLATE: {{ .Values.config.promotionWrapperTemplate | quote }} +IS_NAMESPACED_RUNTIME: {{ .Values.global.runtime.singleNamespace }} {{- end }} {{- define "gitops-operator.resources.environment-variables.defaults" -}} @@ -36,7 +37,7 @@ NAMESPACE: valueFrom: fieldRef: fieldPath: metadata.namespace -RUNTIME_VERSION: +RUNTIME_VERSION: valueFrom: configMapKeyRef: name: codefresh-cm diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/crds/_all.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/crds/_all.yaml index 956c1b6fc..9aabfeef7 100644 --- a/charts/gitops-runtime/templates/_components/gitops-operator/crds/_all.yaml +++ b/charts/gitops-runtime/templates/_components/gitops-operator/crds/_all.yaml 
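Review bot: The `singleNamespace: false` default added here sits under the gitops-operator component values, but every template touched by this commit reads `.Values.global.runtime.singleNamespace` instead, so this key appears to be unread (a consumer outside the diff is possible). If it is only informational, the `# --` comment should say so; if it is meant to be honoured, the templates need to consult it, because otherwise a user setting `gitops-operator.singleNamespace=true` still gets cluster-scoped RBAC with no warning.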
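Review bot: `IS_NAMESPACED_RUNTIME: {{ .Values.global.runtime.singleNamespace }}` renders a bare YAML boolean, whereas the same value is piped through `| quote` in `cap-app-proxy/_config.yaml` and `codefresh-cm.yaml` in this commit. If this map ends up as a ConfigMap `data` entry or an env `value`, the API server requires a string and rejects `false`; how the map is consumed is outside the hunk, but `IS_NAMESPACED_RUNTIME: {{ .Values.global.runtime.singleNamespace | quote }}` matches `PROMOTION_WRAPPER_TEMPLATE` two lines above and is safe either way.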
@@ -14,7 +14,9 @@ --- {{- include "gitops-operator.crds.product" $context }} --- + {{- if not (get .Values.global "runtime").singleNamespace }} {{- include "gitops-operator.crds.restricted-gitsource" $context }} + {{- end }} --- {{- include "gitops-operator.crds.promotion-policy" $context }} {{- end }} diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/promotion-template/_rbac.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/promotion-template/_rbac.yaml index 0f2d1f3e3..f41bc088b 100644 --- a/charts/gitops-runtime/templates/_components/gitops-operator/promotion-template/_rbac.yaml +++ b/charts/gitops-runtime/templates/_components/gitops-operator/promotion-template/_rbac.yaml @@ -1,7 +1,7 @@ {{- define "gitops-operator.resources.promotion-template-rbac" }} apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole +kind: {{ .Values.global.runtime.singleNamespace | ternary "Role" "ClusterRole" }} metadata: labels: {{- include "gitops-operator.selectorLabels" . | nindent 4 }} @@ -45,14 +45,14 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: {{ .Values.global.runtime.singleNamespace | ternary "RoleBinding" "ClusterRoleBinding" }} metadata: labels: {{- include "gitops-operator.selectorLabels" . | nindent 4 }} name: promotion-template roleRef: apiGroup: rbac.authorization.k8s.io - kind: ClusterRole + kind: {{ .Values.global.runtime.singleNamespace | ternary "Role" "ClusterRole" }} name: promotion-template subjects: - kind: ServiceAccount diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_all.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_all.yaml index 8760f4220..0a0d6f33e 100644 --- a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_all.yaml +++ b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_all.yaml 
@@ -13,7 +13,9 @@ --- {{- include "gitops-operator.resources.leader-election-rbac" $context }} --- + {{- if not (get .Values.global "runtime").singleNamespace }} {{- include "gitops-operator.resources.restricted-git-source-rbac" $context }} + {{- end }} --- {{- include "gitops-operator.resources.rbac-operator" $context }} {{- end }} diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_auth_proxy_rbac.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_auth_proxy_rbac.yaml index 4ec54d311..f9d687eb0 100644 --- a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_auth_proxy_rbac.yaml +++ b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_auth_proxy_rbac.yaml @@ -1,7 +1,7 @@ {{- define "gitops-operator.resources.auth-proxy-rbac" }} apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole +kind: {{ .Values.global.runtime.singleNamespace | ternary "Role" "ClusterRole" }} metadata: labels: {{- include "gitops-operator.selectorLabels" . | nindent 4 }} @@ -22,14 +22,14 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: {{ .Values.global.runtime.singleNamespace | ternary "RoleBinding" "ClusterRoleBinding" }} metadata: labels: {{- include "gitops-operator.selectorLabels" . | nindent 4 }} name: codefresh-gitops-operator-proxy roleRef: apiGroup: rbac.authorization.k8s.io - kind: ClusterRole + kind: {{ .Values.global.runtime.singleNamespace | ternary "Role" "ClusterRole" }} name: codefresh-gitops-operator-proxy subjects: - kind: ServiceAccount diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_rbac_operator.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_rbac_operator.yaml index 38df174ba..ed0234c4c 100644 --- a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_rbac_operator.yaml +++ b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_rbac_operator.yaml 
@@ -1,7 +1,7 @@ {{- define "gitops-operator.resources.rbac-operator" }} apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole +kind: {{ .Values.global.runtime.singleNamespace | ternary "Role" "ClusterRole" }} metadata: labels: {{- include "gitops-operator.selectorLabels" . | nindent 4 }} @@ -26,6 +26,7 @@ rules: - patch - update - watch +{{- if not .Values.global.runtime.singleNamespace }} - apiGroups: - codefresh.io resources: @@ -52,6 +53,7 @@ rules: - get - patch - update +{{- end }} - apiGroups: - "" resources: 
@@ -69,17 +71,137 @@ rules: - get - list - watch +--- +{{- if .Values.global.runtime.singleNamespace }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: argo-role +rules: +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - get + - update +- apiGroups: + - "" + resources: + - pods + - pods/exec + verbs: + - create + - get + - list + - watch + - update + - patch + - delete +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - watch + - list +- apiGroups: + - "" + resources: + - persistentvolumeclaims + - persistentvolumeclaims/finalizers + verbs: + - create + - update + - delete + - get +- apiGroups: + - argoproj.io + resources: + - workflows + - workflows/finalizers + - workflowtasksets + - workflowtasksets/finalizers + - workflowartifactgctasks + verbs: + - get + - list + - watch + - update + - patch + - delete + - create +- apiGroups: + - argoproj.io + resources: + - workflowtemplates + - workflowtemplates/finalizers + verbs: + - get + - list + - watch +- apiGroups: + - argoproj.io + resources: + - workflowtaskresults + verbs: + - list + - watch + - deletecollection +- apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - get + - list +- apiGroups: + - "" + resources: + - secrets + verbs: + - get +- apiGroups: + - argoproj.io + resources: + - cronworkflows + - cronworkflows/finalizers + verbs: + - get + - list + - watch + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - policy + resources: + - poddisruptionbudgets + verbs: + - create + - get + - delete +{{- end }} --- apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: {{ .Values.global.runtime.singleNamespace | ternary "RoleBinding" "ClusterRoleBinding" }} metadata: labels: {{- include "gitops-operator.selectorLabels" . 
| nindent 4 }} name: codefresh-gitops-operator roleRef: apiGroup: rbac.authorization.k8s.io - kind: ClusterRole + kind: {{ .Values.global.runtime.singleNamespace | ternary "Role" "ClusterRole" }} name: codefresh-gitops-operator subjects: - kind: ServiceAccount @@ -87,15 +209,15 @@ subjects: namespace: {{ .Release.Namespace }} --- apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: {{ .Values.global.runtime.singleNamespace | ternary "RoleBinding" "ClusterRoleBinding" }} metadata: labels: {{- include "gitops-operator.selectorLabels" . | nindent 4 }} name: codefresh-gitops-operator-workflows roleRef: apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: argo-edit + kind: {{ .Values.global.runtime.singleNamespace | ternary "Role" "ClusterRole" }} + name: {{ .Values.global.runtime.singleNamespace | ternary "argo-role" "argo-edit" }} subjects: - kind: ServiceAccount name: {{ include "gitops-operator.serviceAccountName" . }} diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_restricted_git_source.rbac.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_restricted_git_source.rbac.yaml index be27879ce..34c130298 100644 --- a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_restricted_git_source.rbac.yaml +++ b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_restricted_git_source.rbac.yaml @@ -1,5 +1,6 @@ {{- define "gitops-operator.resources.restricted-git-source-rbac" }} + {{- if not .Values.global.runtime.singleNamespace }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -80,4 +81,5 @@ subjects: - kind: ServiceAccount name: {{ include "gitops-operator.serviceAccountName" . }} namespace: {{ .Release.Namespace }} + {{- end }} {{- end }} diff --git a/charts/gitops-runtime/templates/_helpers.tpl b/charts/gitops-runtime/templates/_helpers.tpl index 1b66f7107..9f4b88af0 100644 --- a/charts/gitops-runtime/templates/_helpers.tpl 
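Review bot: The conditional `argo-role` Role has only `name: argo-role` under `metadata`, while every other RBAC object in this file carries `{{- include "gitops-operator.selectorLabels" . | nindent 4 }}`; adding the same `labels:` block keeps it discoverable with the chart's selectors. The fixed name `argo-role` is also what the upstream Argo Workflows manifests use for their namespaced Role, so if anything else in the release namespace creates that Role (the argo-workflows subchart's output is not visible here) the two will collide; a release-scoped name via the chart's fullname helper avoids that. The `---` before `{{- if .Values.global.runtime.singleNamespace }}` is unconditional, so the cluster-scoped path emits an empty document; moving the separator inside the `if` keeps the rendered output clean. The enclosing define starts before this hunk.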
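Review bot: The `{{- if not .Values.global.runtime.singleNamespace }}` guard added inside `gitops-operator.resources.restricted-git-source-rbac` duplicates the guard this commit also wraps around the include in `rbac/_all.yaml`, so the same expression is evaluated twice on the cluster-scoped path. One of the two should go; keeping the check inside the define is the safer choice because any other caller of the define gets the same protection, in which case `rbac/_all.yaml` can drop its wrapper. The define's body between the two hunks is not in view.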
+++ b/charts/gitops-runtime/templates/_helpers.tpl @@ -431,11 +431,14 @@ Output comma separated list of installed runtime components */}} {{- define "codefresh-gitops-runtime.component-list"}} {{- $argoEvents := dict "name" "argo-events" "version" (get .Subcharts "argo-events").Chart.AppVersion }} - {{- $sealedSecrets := dict "name" "sealed-secrets" "version" (get .Subcharts "sealed-secrets").Chart.AppVersion }} {{- $internalRouter := dict "name" "internal-router" "version" .Chart.AppVersion }} {{- $appProxy := dict "name" "app-proxy" "version" (index (get .Values "app-proxy") "image" "tag") }} {{- $sourcesServer := dict "name" "sources-server" "version" (get .Values "cf-argocd-extras").sourcesServer.container.image.tag }} - {{- $comptList := list $argoEvents $appProxy $sealedSecrets $internalRouter $sourcesServer }} + {{- $comptList := list $argoEvents $appProxy $internalRouter $sourcesServer }} +{{- if and (index .Values "sealed-secrets" "enabled") }} + {{- $sealedSecrets := dict "name" "sealed-secrets" "version" (get .Subcharts "sealed-secrets").Chart.AppVersion }} + {{- $comptList = append $comptList $sealedSecrets }} +{{- end }} {{- if and (index .Values "argo-cd" "enabled") }} {{- $argoCD := dict "name" "argocd" "version" (get .Subcharts "argo-cd").Chart.AppVersion }} {{- $comptList = append $comptList $argoCD }} diff --git a/charts/gitops-runtime/templates/app-proxy/argocd-namespaced-rbac.yaml b/charts/gitops-runtime/templates/app-proxy/argocd-namespaced-rbac.yaml new file mode 100644 index 000000000..401556a0d --- /dev/null +++ b/charts/gitops-runtime/templates/app-proxy/argocd-namespaced-rbac.yaml @@ -0,0 +1 @@ +{{- include "argo-cd.namespaced-rbac.all" . }} diff --git a/charts/gitops-runtime/templates/app-proxy/workflows-crb.yaml b/charts/gitops-runtime/templates/app-proxy/workflows-crb.yaml index d3a0b4e2b..02b8dc3dc 100644 --- a/charts/gitops-runtime/templates/app-proxy/workflows-crb.yaml 
+++ b/charts/gitops-runtime/templates/app-proxy/workflows-crb.yaml @@ -4,12 +4,12 @@ {{- $_ := set $appProxyContext "Values" (deepCopy (get .Values "app-proxy")) }} {{- $_ := set $appProxyContext.Values "global" (deepCopy (get .Values "global")) }} apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: {{ $appProxyContext.Values.global.runtime.singleNamespace | ternary "RoleBinding" "ClusterRoleBinding" }} metadata: name: cap-app-proxy-argo-workflows roleRef: apiGroup: rbac.authorization.k8s.io - kind: ClusterRole + kind: {{ $appProxyContext.Values.global.runtime.singleNamespace | ternary "Role" "ClusterRole" }} name: {{ include "codefresh-gitops-runtime.argo-workflows.server.name" . }} subjects: - kind: ServiceAccount diff --git a/charts/gitops-runtime/templates/codefresh-cm.yaml b/charts/gitops-runtime/templates/codefresh-cm.yaml index d070c4d67..40fef25ee 100644 --- a/charts/gitops-runtime/templates/codefresh-cm.yaml +++ b/charts/gitops-runtime/templates/codefresh-cm.yaml @@ -14,5 +14,6 @@ data: ingressClassName: {{ .Values.global.runtime.ingress.className | default "" | quote }} ingressController: {{ .Values.global.runtime.ingress.className | default "" | quote }} ingressHost: {{ include "codefresh-gitops-runtime.ingress-url" . }} - isConfigurationRuntime: {{ .Values.global.runtime.isConfigurationRuntime | quote }} - version: {{ .Chart.AppVersion }} \ No newline at end of file + isConfigurationRuntime: {{ .Values.global.runtime.isConfigurationRuntime | quote }} + singleNamespace: {{ .Values.global.runtime.singleNamespace | quote }} + version: {{ .Chart.AppVersion }} diff --git a/charts/gitops-runtime/templates/gitops-operator/crds.yaml b/charts/gitops-runtime/templates/gitops-operator/crds.yaml index e78bb7003..171bf6f0d 100644 --- a/charts/gitops-runtime/templates/gitops-operator/crds.yaml +++ b/charts/gitops-runtime/templates/gitops-operator/crds.yaml 
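Review bot: In namespaced mode the RoleBinding references a `Role` named by `codefresh-gitops-runtime.argo-workflows.server.name`, which assumes the argo-workflows subchart emits a namespaced Role with exactly that name when `singleNamespace: true`; a RoleBinding whose roleRef does not exist is accepted by the API server and grants nothing, so a mismatch fails silently. Whether that Role exists is not visible here; a comment above `roleRef:`, `# in singleNamespace mode argo-workflows must create a Role (not a ClusterRole) of this name`, records the dependency for whoever debugs a missing permission.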
@@ -1 +1,3 @@
-{{- include "gitops-operator.crds" . }}
+{{- if and (index .Values "gitops-operator" "enabled") }}
+ {{- include "gitops-operator.crds" . }}
+{{- end }}
diff --git a/charts/gitops-runtime/templates/gitops-operator/deployment.yaml b/charts/gitops-runtime/templates/gitops-operator/deployment.yaml
index 81b566099..1124f1099 100644
--- a/charts/gitops-runtime/templates/gitops-operator/deployment.yaml
+++ b/charts/gitops-runtime/templates/gitops-operator/deployment.yaml
@@ -1,3 +1,4 @@
+{{- if and (index .Values "gitops-operator" "enabled") }}
 {{- $context := deepCopy . }}
 {{- $defaultVals := include "gitops-operator.default-values" . | fromYaml }}
@@ -5,6 +6,7 @@
 {{- $_ := set $context "Values" $vals }}
 {{- $_ := set $context.Values "global" (deepCopy (get .Values "global")) }}
+{{- $_ := set $context.Values "app-proxy" (deepCopy (get .Values "app-proxy")) }}
 {{- if and (not (index .Values "argo-cd" "enabled")) }}
 {{- if and (eq (index .Values "global" "external-argo-cd" "auth" "type") "token") }}
@@ -44,3 +46,4 @@
 {{- end }}
 {{- include "gitops-operator.resources.deployment" $context }}
+{{- end }}
diff --git a/charts/gitops-runtime/templates/gitops-operator/promotion-operator.yaml b/charts/gitops-runtime/templates/gitops-operator/promotion-operator.yaml
index 5eb7884c2..789562452 100644
--- a/charts/gitops-runtime/templates/gitops-operator/promotion-operator.yaml
+++ b/charts/gitops-runtime/templates/gitops-operator/promotion-operator.yaml
@@ -1 +1,3 @@
-{{- include "gitops-operator.resources.promotion-template" . }}
+{{- if and (index .Values "gitops-operator" "enabled") }}
+ {{- include "gitops-operator.resources.promotion-template" . }}
+{{- end }}
diff --git a/charts/gitops-runtime/templates/gitops-operator/rbac.yaml b/charts/gitops-runtime/templates/gitops-operator/rbac.yaml
index 41df10f04..96489708f 100644
--- a/charts/gitops-runtime/templates/gitops-operator/rbac.yaml
+++ b/charts/gitops-runtime/templates/gitops-operator/rbac.yaml
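Review bot: `index .Values "gitops-operator" "enabled"` evaluates to nil when the key is not defined, so unless values.yaml already carries a `gitops-operator.enabled` default (the values.yaml hunks in this diff touch the `gitops-operator:` section but do not add one), every gitops-operator resource — CRDs here, and the same gate in deployment.yaml, promotion-operator.yaml, rbac.yaml and serviceaccount.yaml — renders empty with no error. Please confirm the default exists, or add `# -- Enable the GitOps operator` / `enabled: true` under `gitops-operator:`. The CRD gate also interacts with the separate `gitops-operator.crds.install` value used by values-multi-runtimes.yaml; a comment on which of the two wins when `enabled` is true would spare the next reader a trip into the define.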
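Review bot: The added `{{- $_ := set $context.Values "app-proxy" (deepCopy (get .Values "app-proxy")) }}` hands the operator's rendering context the whole `app-proxy` values block, and nothing in the hunk says which keys the deployment template reads from it. A why-comment on that line naming the consumer, along the lines of `{{- /* needed by gitops-operator.resources.deployment for <key> — TODO name the key */}}`, documents the coupling; narrowing the copy to that key would be better still once it is known. The body between this hunk and the closing `{{- end }}` at line 46 is outside the hunk.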
@@ -1 +1,3 @@ -{{- include "gitops-operator.resources.rbac" . }} +{{- if and (index .Values "gitops-operator" "enabled") }} + {{- include "gitops-operator.resources.rbac" . }} +{{- end }} diff --git a/charts/gitops-runtime/templates/gitops-operator/serviceaccount.yaml b/charts/gitops-runtime/templates/gitops-operator/serviceaccount.yaml index 022cf4317..87517d1db 100644 --- a/charts/gitops-runtime/templates/gitops-operator/serviceaccount.yaml +++ b/charts/gitops-runtime/templates/gitops-operator/serviceaccount.yaml @@ -1,3 +1,5 @@ +{{- if and (index .Values "gitops-operator" "enabled") }} + {{- $context := deepCopy . }} {{- $defaultVals := include "gitops-operator.default-values" . | fromYaml }} @@ -7,3 +9,5 @@ {{- $_ := set $context.Values "global" (deepCopy (get .Values "global")) }} {{- include "gitops-operator.resources.sa" $context }} + +{{- end }} diff --git a/charts/gitops-runtime/values-multi-runtimes-first.yaml b/charts/gitops-runtime/values-multi-runtimes-first.yaml new file mode 100644 index 000000000..8fcdc2dc9 --- /dev/null +++ b/charts/gitops-runtime/values-multi-runtimes-first.yaml @@ -0,0 +1,15 @@ +## Values for the first runtime in a multi-runtime cluster (installing CRDs on the cluster) +global: + runtime: + isConfigurationRuntime: true +argo-cd: + crds: + install: true +argo-workflows: + crds: + install: true +argo-rollouts: + installCRDs: true +gitops-operator: + crds: + install: true diff --git a/charts/gitops-runtime/values-multi-runtimes.yaml b/charts/gitops-runtime/values-multi-runtimes.yaml new file mode 100644 index 000000000..8f5faad8d --- /dev/null +++ b/charts/gitops-runtime/values-multi-runtimes.yaml 
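Review bot: values-multi-runtimes-first.yaml turns on CRD installation and `isConfigurationRuntime` but does not itself set `global.runtime.singleNamespace: true` or the namespaced subchart settings, so it only makes sense layered on top of values-multi-runtimes.yaml (presumably `-f values-multi-runtimes.yaml -f values-multi-runtimes-first.yaml`). The header comment should say so, e.g. `## Apply together with values-multi-runtimes.yaml; this file only adds what the first runtime needs (CRDs, configuration-runtime flag)`. It may also be worth stating that `argo-rollouts.installCRDs: true` still applies when the base file sets `argo-rollouts.enabled: false`, if that is the intent.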
@@ -0,0 +1,34 @@ +global: + runtime: + singleNamespace: true +sealed-secrets: + enabled: false +argo-cd: + createClusterRoles: false + crds: + install: false + configs: + params: + application.namespaces: '' +argo-events: + controller: + rbac: + namespaced: true +argo-workflows: + crds: + install: false + singleNamespace: true + createAggregateRoles: false + controller: + clusterWorkflowTemplates: + enabled: false + server: + clusterWorkflowTemplates: + enabled: false +argo-rollouts: + enabled: false +tunnel-client: + enabled: false +gitops-operator: + crds: + install: false diff --git a/charts/gitops-runtime/values.yaml b/charts/gitops-runtime/values.yaml index f4ce382c1..60b3ad77f 100644 --- a/charts/gitops-runtime/values.yaml +++ b/charts/gitops-runtime/values.yaml @@ -49,6 +49,8 @@ global: cluster: https://kubernetes.default.svc # -- Defines whether this is a Codefresh hosted runtime. Should not be changed. codefreshHosted: false + # -- Runtime single namespace mode. When true, runtime operates in single namespace scope. + singleNamespace: false # -- Ingress settings ingress: # -- if set to true, the pre-install hook will validate the existance of appropriate values, but *will not* attempt to make a web request to the ingress host @@ -563,14 +565,14 @@ app-proxy: tag: 1.1.15-main image: repository: quay.io/codefresh/cap-app-proxy - tag: 1.3727.0 + tag: 1.3736.0 pullPolicy: IfNotPresent # -- Extra volume mounts for main container extraVolumeMounts: [] initContainer: image: repository: quay.io/codefresh/cap-app-proxy-init - tag: 1.3727.0 + tag: 1.3736.0 pullPolicy: IfNotPresent command: - ./init.sh @@ -710,6 +712,7 @@ gitops-operator: annotations: {} # -- Additional labels for gitops operator CRDs additionalLabels: {} + # -- GitOps operator configuration config: # -- Task polling interval taskPollingInterval: 10s 
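Review bot: values-multi-runtimes.yaml has no header comment, unlike its sibling values-multi-runtimes-first.yaml, although it is the file that actually strips cluster-scoped privileges (`argo-cd.createClusterRoles: false`, `argo-events.controller.rbac.namespaced: true`, `argo-workflows.createAggregateRoles: false`, both `clusterWorkflowTemplates.enabled: false`) and disables cluster-wide CRD installation. A header such as `## Per-runtime values for a multi-runtime cluster: keeps every component namespace-scoped and skips CRD installation; apply values-multi-runtimes-first.yaml on top for the first runtime` would make the least-privilege intent explicit. The `application.namespaces: ''` quoting is correct (an empty string, not null) and deserves a one-line comment so nobody "simplifies" it away.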
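Review bot: The helm-docs comment on the new `singleNamespace: false` restates the key name rather than what flips with it. Based on the templates in this change, something like `# -- When true, runtime RBAC is rendered as Role/RoleBinding instead of ClusterRole/ClusterRoleBinding and the mode is published in the codefresh-cm ConfigMap; requires the subchart settings from values-multi-runtimes.yaml` tells the reader both the effect and the prerequisite.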
@@ -721,11 +724,13 @@ gitops-operator: maxConcurrentReleases: 100 # -- An optional template for the promotion wrapper (empty default will use the embedded one) promotionWrapperTemplate: '' + # -- GitOps operator image image: - # -- defaults registry: quay.io repository: codefresh/codefresh-gitops-operator - tag: v0.10.2 + tag: 58625b8 + env: + GITOPS_OPERATOR_VERSION: 0.10.1 # hacky workaround, since our tags are no longer semver compliant serviceAccount: create: true annotations: {} diff --git a/tests/component-tests/setup/mocks/platform-mocks.json b/tests/component-tests/setup/mocks/platform-mocks.json index 26b4da51c..24b306ac9 100644 --- a/tests/component-tests/setup/mocks/platform-mocks.json +++ b/tests/component-tests/setup/mocks/platform-mocks.json @@ -177,7 +177,7 @@ "method": "POST", "path": "/2.0/api/graphql", "body": { - "query": "\n query me {\n me {\n runtimeName\n activeAccount {\n id\n name\n gitProvider\n gitApiUrl\n sharedConfigRepo\n }\n }\n }\n" + "query": "\n query me {\n me {\n runtimeName\n activeAccount {\n id\n name\n gitProvider\n gitApiUrl\n sharedConfigRepo\n csdpValidated\n }\n }\n }\n" } }, "httpResponse": { @@ -191,7 +191,8 @@ "name": "local", "gitProvider": "GITHUB", "gitApiUrl": "http://mockserver.mockserver:1080", - "sharedConfigRepo": "http://gitea-http.gitea:3000/test-owner/codefresh-isc" + "sharedConfigRepo": "http://gitea-http.gitea:3000/test-owner/codefresh-isc", + "csdpValidated": true } } }
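Review bot: `tag: 58625b8` replaces a semver tag with a bare short commit id; it parses as a string only because it happens to contain a letter, and an all-digit commit prefix would be read as an integer, so quote it (`tag: "58625b8"`) like the sibling image tags that sit in this file. The `GITOPS_OPERATOR_VERSION: 0.10.1` workaround also reports a version lower than the `v0.10.2` tag it replaces — please confirm that is intended, and have the `# hacky workaround` comment say which consumer reads the variable and when the semver tags are expected back. Since this image runs with its own RBAC, a digest reference rather than a mutable short tag would be preferable if the operator's image values accept one. Indentation was lost in this view, so whether `env:` sits under `image:` or directly under `gitops-operator:` could not be checked here.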