From 99b8a3465e9339c02f52fd1f014099f152df133f Mon Sep 17 00:00:00 2001 From: Philip Kotliyakov Date: Mon, 25 Aug 2025 07:05:53 +0300 Subject: [PATCH 01/27] add parsing of the new single namespace var to cm and env var --- .../cap-app-proxy/_all_resources.yaml | 2 ++ .../_components/cap-app-proxy/_config.yaml | 1 + .../cap-app-proxy/argo-cd/_all.yaml | 3 ++ .../cap-app-proxy/argo-cd/_role.yaml | 28 +++++++++++++++++++ .../cap-app-proxy/argo-cd/_rolebinding.yaml | 20 +++++++++++++ .../_main-container.yaml | 7 +++++ .../_components/gitops-operator/_env.yaml | 1 + .../gitops-operator/crds/_all.yaml | 2 ++ .../gitops-operator/rbac/_all.yaml | 2 ++ .../templates/codefresh-cm.yaml | 1 + charts/gitops-runtime/values.yaml | 2 ++ 11 files changed, 69 insertions(+) create mode 100644 charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_all.yaml create mode 100644 charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_role.yaml create mode 100644 charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_rolebinding.yaml diff --git a/charts/gitops-runtime/templates/_components/cap-app-proxy/_all_resources.yaml b/charts/gitops-runtime/templates/_components/cap-app-proxy/_all_resources.yaml index 479914c4..ff455cf5 100644 --- a/charts/gitops-runtime/templates/_components/cap-app-proxy/_all_resources.yaml +++ b/charts/gitops-runtime/templates/_components/cap-app-proxy/_all_resources.yaml @@ -10,4 +10,6 @@ {{ include "cap-app-proxy.resources.service" . }} --- {{ include "cap-app-proxy.resources.sa" .}} +--- + {{ include "argo-cd.namespaced-rbac.all" . }} {{- end }} \ No newline at end of file diff --git a/charts/gitops-runtime/templates/_components/cap-app-proxy/_config.yaml b/charts/gitops-runtime/templates/_components/cap-app-proxy/_config.yaml index 7751eb84..7160728f 100644 --- a/charts/gitops-runtime/templates/_components/cap-app-proxy/_config.yaml +++ b/charts/gitops-runtime/templates/_components/cap-app-proxy/_config.yaml 
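Review bot: The added `{{ include "argo-cd.namespaced-rbac.all" . }}` in `_all_resources.yaml` names a template that no file in this patch defines: the new `argo-cd/_all.yaml` holds two bare `include` calls with no `define` around them, so unless the name is defined elsewhere in the chart the render would presumably fail on a missing template. The later revisions of `_all.yaml` in PATCH 04/27 and 07/27 add an `if` guard and a third include but still no `define`. Wrapping the body of `_all.yaml` in `{{- define "argo-cd.namespaced-rbac.all" }}` … `{{- end }}` would match how `_role.yaml` and `_rolebinding.yaml` are written. The enclosing `define` in `_all_resources.yaml` starts outside the hunk, so which values context reaches this include cannot be confirmed from here.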
@@ -11,6 +11,7 @@ env: {{ .Values.config.env | quote}} isConfigurationRuntime: {{ .Values.global.runtime.isConfigurationRuntime | quote }} isExternalArgoCD: {{ .Values.global.runtime.isExternalArgoCD | quote }} runtimeName: {{ required "global.runtime.name is required" .Values.global.runtime.name | quote}} +runtimeSingleNamespace: {{ .Values.app-proxy.singleNamespace | quote }} skipGitPermissionValidation: {{ .Values.config.skipGitPermissionValidation | quote }} logLevel: {{ .Values.config.logLevel | quote }} {{- $enrichmentValues := get .Values "image-enrichment" }} diff --git a/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_all.yaml b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_all.yaml new file mode 100644 index 00000000..1cc7a702 --- /dev/null +++ b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_all.yaml @@ -0,0 +1,3 @@ +{{- include "argo-cd.namespaced-rbac.role" . }} +--- +{{- include "argo-cd.namespaced-rbac.rolebinding" . }} \ No newline at end of file diff --git a/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_role.yaml b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_role.yaml new file mode 100644 index 00000000..7a7a97ef --- /dev/null +++ b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_role.yaml 
@@ -0,0 +1,28 @@ +{{- if .Values.app-proxy.singleNamespace }} +{{- define "argo-cd.namespaced-rbac.role" }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: argocd-namespaced-role + namespace: {{ .Release.Namespace }} + labels: + {{- include "codefresh-gitops-runtime.labels" . | nindent 4 }} + codefresh.io/component: argocd-namespaced-rbac +rules: +- apiGroups: [""] + resources: ["pods", "services", "endpoints", "persistentvolumeclaims", "events", "configmaps", "secrets", "serviceaccounts"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] +- apiGroups: ["apps"] + resources: ["deployments", "replicasets", "statefulsets", "daemonsets"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] +- apiGroups: ["batch"] + resources: ["jobs", "cronjobs"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] +- apiGroups: ["networking.k8s.io"] + resources: ["ingresses", "networkpolicies"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] +- apiGroups: ["rbac.authorization.k8s.io"] + resources: ["roles", "rolebindings"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_rolebinding.yaml b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_rolebinding.yaml new file mode 100644 index 00000000..32a593f9 --- /dev/null +++ b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_rolebinding.yaml 
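Review bot: The `rules` of `argocd-namespaced-role` give every write verb on `secrets`, `serviceaccounts`, `pods` and on `roles`/`rolebindings`, which is close to namespace-admin: whatever subject is bound can read every Secret in the release namespace and start pods under any ServiceAccount there. If single-namespace mode only needs Argo CD to manage application workloads, consider dropping the `rbac.authorization.k8s.io` rule or limiting it to `get`, `list`, `watch`, and exposing the rule list through a values key so operators can narrow it per installation. A comment above `rules:` such as `# Namespace-scoped stand-in for the cluster-wide Argo CD manager role; list only the kinds Argo CD is expected to deploy here` would record why each API group is present.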
@@ -0,0 +1,20 @@ +{{- if .Values.app-proxy.singleNamespace }} +{{- define "argo-cd.namespaced-rbac.rolebinding" }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: argocd-namespaced-rolebinding + namespace: {{ .Release.Namespace }} + labels: + {{- include "codefresh-gitops-runtime.labels" . | nindent 4 }} + codefresh.io/component: argocd-namespaced-rbac +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: argocd-namespaced-role +subjects: +- kind: ServiceAccount + name: default + namespace: {{ .Release.Namespace }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gitops-runtime/templates/_components/cap-app-proxy/environment-variables/_main-container.yaml b/charts/gitops-runtime/templates/_components/cap-app-proxy/environment-variables/_main-container.yaml index f59f769e..b00b6afb 100644 --- a/charts/gitops-runtime/templates/_components/cap-app-proxy/environment-variables/_main-container.yaml +++ b/charts/gitops-runtime/templates/_components/cap-app-proxy/environment-variables/_main-container.yaml @@ -109,6 +109,12 @@ RUNTIME_NAME: configMapKeyRef: name: cap-app-proxy-cm key: runtimeName +RUNTIME_SINGLE_NAMESPACE: + valueFrom: + configMapKeyRef: + name: cap-app-proxy-cm + key: runtimeSingleNamespace + optional: true RUNTIME_TOKEN: valueFrom: secretKeyRef: @@ -210,6 +216,7 @@ IRW_JIRA_ENRICHMENT_TASK_IMAGE: name: cap-app-proxy-cm key: enrichmentJiraEnrichmentImage optional: true + NODE_EXTRA_CA_CERTS: /app/config/all/all.cer {{- if gt (int .Values.replicaCount) 1 }} LEADER_ID: diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/_env.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/_env.yaml index f2e10f74..113062c0 100644 --- a/charts/gitops-runtime/templates/_components/gitops-operator/_env.yaml +++ b/charts/gitops-runtime/templates/_components/gitops-operator/_env.yaml 
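Review bot: The `subjects` entry in `_rolebinding.yaml` binds `argocd-namespaced-role` to the namespace's `default` ServiceAccount, so every pod in the release namespace that does not set `serviceAccountName` inherits write access to Secrets, workloads and RBAC objects. PATCH 07/27 of this series replaces the subject with a dedicated `argocd-manager` account; if the series is not squashed, this commit on its own leaves the wide binding in place. It would be safer to introduce the dedicated ServiceAccount in the same commit as the binding, so no intermediate revision of the chart grants these rights to `default`.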
@@ -15,6 +15,7 @@ COMMIT_STATUS_POLLING_INTERVAL: {{ .Values.config.commitStatusPollingInterval }} WORKFLOW_MONITOR_POLLING_INTERVAL: {{ .Values.config.workflowMonitorPollingInterval }} MAX_CONCURRENT_RELEASES: {{ .Values.config.maxConcurrentReleases }} PROMOTION_WRAPPER_TEMPLATE: {{ .Values.config.promotionWrapperTemplate | quote }} +RUNTIME_SINGLE_NAMESPACE: {{ .Values.app-proxy.singleNamespace }} {{- end }} {{- define "gitops-operator.resources.environment-variables.defaults" -}} diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/crds/_all.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/crds/_all.yaml index 956c1b6f..22474c18 100644 --- a/charts/gitops-runtime/templates/_components/gitops-operator/crds/_all.yaml +++ b/charts/gitops-runtime/templates/_components/gitops-operator/crds/_all.yaml @@ -14,7 +14,9 @@ --- {{- include "gitops-operator.crds.product" $context }} --- + {{- if not .Values.app-proxy.singleNamespace }} {{- include "gitops-operator.crds.restricted-gitsource" $context }} + {{- end }} --- {{- include "gitops-operator.crds.promotion-policy" $context }} {{- end }} diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_all.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_all.yaml index 8760f422..f0054a81 100644 --- a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_all.yaml +++ b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_all.yaml @@ -13,7 +13,9 @@ --- {{- include "gitops-operator.resources.leader-election-rbac" $context }} --- + {{- if not .Values.app-proxy.singleNamespace }} {{- include "gitops-operator.resources.restricted-git-source-rbac" $context }} + {{- end }} --- {{- include "gitops-operator.resources.rbac-operator" $context }} {{- end }} diff --git a/charts/gitops-runtime/templates/codefresh-cm.yaml b/charts/gitops-runtime/templates/codefresh-cm.yaml index d070c4d6..17ecd277 100644 
--- a/charts/gitops-runtime/templates/codefresh-cm.yaml +++ b/charts/gitops-runtime/templates/codefresh-cm.yaml @@ -15,4 +15,5 @@ data: ingressController: {{ .Values.global.runtime.ingress.className | default "" | quote }} ingressHost: {{ include "codefresh-gitops-runtime.ingress-url" . }} isConfigurationRuntime: {{ .Values.global.runtime.isConfigurationRuntime | quote }} + singleNamespace: {{ .Values.app-proxy.singleNamespace | quote }} version: {{ .Chart.AppVersion }} \ No newline at end of file diff --git a/charts/gitops-runtime/values.yaml b/charts/gitops-runtime/values.yaml index 9035df0a..8acfd399 100644 --- a/charts/gitops-runtime/values.yaml +++ b/charts/gitops-runtime/values.yaml @@ -519,6 +519,8 @@ tunnel-client: #----------------------------------------------------------------------------------------------------------------------- app-proxy: replicaCount: 1 + # -- Runtime single namespace mode. When true, runtime operates in single namespace scope. + singleNamespace: false # -- Image enrichment process configuration image-enrichment: # -- Enable or disable enrichment process. Please note that for enrichemnt, argo-workflows has to be enabled as well. From effb5b665bb18197c3e15fc0bdda702710a4fb24 Mon Sep 17 00:00:00 2001 From: Philip Kotliyakov Date: Mon, 25 Aug 2025 07:25:28 +0300 Subject: [PATCH 02/27] fixed parsing --- .../templates/_components/cap-app-proxy/_config.yaml | 2 +- .../templates/_components/cap-app-proxy/argo-cd/_role.yaml | 2 +- .../_components/cap-app-proxy/argo-cd/_rolebinding.yaml | 2 +- .../templates/_components/gitops-operator/_env.yaml | 2 +- .../templates/_components/gitops-operator/rbac/_all.yaml | 2 +- charts/gitops-runtime/templates/codefresh-cm.yaml | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/charts/gitops-runtime/templates/_components/cap-app-proxy/_config.yaml b/charts/gitops-runtime/templates/_components/cap-app-proxy/_config.yaml index 7160728f..5937d907 100644 
--- a/charts/gitops-runtime/templates/_components/cap-app-proxy/_config.yaml +++ b/charts/gitops-runtime/templates/_components/cap-app-proxy/_config.yaml @@ -11,7 +11,7 @@ env: {{ .Values.config.env | quote}} isConfigurationRuntime: {{ .Values.global.runtime.isConfigurationRuntime | quote }} isExternalArgoCD: {{ .Values.global.runtime.isExternalArgoCD | quote }} runtimeName: {{ required "global.runtime.name is required" .Values.global.runtime.name | quote}} -runtimeSingleNamespace: {{ .Values.app-proxy.singleNamespace | quote }} +runtimeSingleNamespace: {{ (get .Values "app-proxy").singleNamespace | quote }} skipGitPermissionValidation: {{ .Values.config.skipGitPermissionValidation | quote }} logLevel: {{ .Values.config.logLevel | quote }} {{- $enrichmentValues := get .Values "image-enrichment" }} diff --git a/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_role.yaml b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_role.yaml index 7a7a97ef..4249910a 100644 --- a/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_role.yaml +++ b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_role.yaml @@ -1,4 +1,4 @@ -{{- if .Values.app-proxy.singleNamespace }} +{{- if (get .Values "app-proxy").singleNamespace }} {{- define "argo-cd.namespaced-rbac.role" }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role diff --git a/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_rolebinding.yaml b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_rolebinding.yaml index 32a593f9..9e505dea 100644 --- a/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_rolebinding.yaml +++ b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_rolebinding.yaml 
@@ -1,4 +1,4 @@ -{{- if .Values.app-proxy.singleNamespace }} +{{- if (get .Values "app-proxy").singleNamespace }} {{- define "argo-cd.namespaced-rbac.rolebinding" }} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/_env.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/_env.yaml index 113062c0..1321e06c 100644 --- a/charts/gitops-runtime/templates/_components/gitops-operator/_env.yaml +++ b/charts/gitops-runtime/templates/_components/gitops-operator/_env.yaml @@ -15,7 +15,7 @@ COMMIT_STATUS_POLLING_INTERVAL: {{ .Values.config.commitStatusPollingInterval }} WORKFLOW_MONITOR_POLLING_INTERVAL: {{ .Values.config.workflowMonitorPollingInterval }} MAX_CONCURRENT_RELEASES: {{ .Values.config.maxConcurrentReleases }} PROMOTION_WRAPPER_TEMPLATE: {{ .Values.config.promotionWrapperTemplate | quote }} -RUNTIME_SINGLE_NAMESPACE: {{ .Values.app-proxy.singleNamespace }} +RUNTIME_SINGLE_NAMESPACE: {{ (get .Values "app-proxy").singleNamespace }} {{- end }} {{- define "gitops-operator.resources.environment-variables.defaults" -}} diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_all.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_all.yaml index f0054a81..db0a7c7a 100644 --- a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_all.yaml +++ b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_all.yaml @@ -13,7 +13,7 @@ --- {{- include "gitops-operator.resources.leader-election-rbac" $context }} --- - {{- if not .Values.app-proxy.singleNamespace }} + {{- if not (get .Values "app-proxy").singleNamespace }} {{- include "gitops-operator.resources.restricted-git-source-rbac" $context }} {{- end }} --- diff --git a/charts/gitops-runtime/templates/codefresh-cm.yaml b/charts/gitops-runtime/templates/codefresh-cm.yaml index 17ecd277..3fba68b9 100644 --- a/charts/gitops-runtime/templates/codefresh-cm.yaml 
+++ b/charts/gitops-runtime/templates/codefresh-cm.yaml @@ -15,5 +15,5 @@ data: ingressController: {{ .Values.global.runtime.ingress.className | default "" | quote }} ingressHost: {{ include "codefresh-gitops-runtime.ingress-url" . }} isConfigurationRuntime: {{ .Values.global.runtime.isConfigurationRuntime | quote }} - singleNamespace: {{ .Values.app-proxy.singleNamespace | quote }} + singleNamespace: {{ (get .Values "app-proxy").singleNamespace | quote }} version: {{ .Chart.AppVersion }} \ No newline at end of file From df2f07e9d4500667d944784c7705cd117a6ccaf7 Mon Sep 17 00:00:00 2001 From: Philip Kotliyakov Date: Mon, 25 Aug 2025 07:29:50 +0300 Subject: [PATCH 03/27] minor parsing fix --- .../templates/_components/gitops-operator/crds/_all.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/crds/_all.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/crds/_all.yaml index 22474c18..d7d598f9 100644 --- a/charts/gitops-runtime/templates/_components/gitops-operator/crds/_all.yaml +++ b/charts/gitops-runtime/templates/_components/gitops-operator/crds/_all.yaml @@ -14,7 +14,7 @@ --- {{- include "gitops-operator.crds.product" $context }} --- - {{- if not .Values.app-proxy.singleNamespace }} + {{- if not (get .Values "app-proxy").singleNamespace }} {{- include "gitops-operator.crds.restricted-gitsource" $context }} {{- end }} --- From 77089927a16903957743b805e8e5b7dea014f0f7 Mon Sep 17 00:00:00 2001 From: Philip Kotliyakov Date: Mon, 25 Aug 2025 07:37:36 +0300 Subject: [PATCH 04/27] fixed conditional including of role and role binding --- .../templates/_components/cap-app-proxy/argo-cd/_all.yaml | 4 +++- .../templates/_components/cap-app-proxy/argo-cd/_role.yaml | 2 -- .../_components/cap-app-proxy/argo-cd/_rolebinding.yaml | 2 -- 3 files changed, 3 insertions(+), 5 deletions(-) 
diff --git a/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_all.yaml b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_all.yaml index 1cc7a702..1506617b 100644 --- a/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_all.yaml +++ b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_all.yaml @@ -1,3 +1,5 @@ +{{- if (get .Values "app-proxy").singleNamespace }} {{- include "argo-cd.namespaced-rbac.role" . }} --- -{{- include "argo-cd.namespaced-rbac.rolebinding" . }} \ No newline at end of file +{{- include "argo-cd.namespaced-rbac.rolebinding" . }} +{{- end }} \ No newline at end of file diff --git a/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_role.yaml b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_role.yaml index 4249910a..9d138964 100644 --- a/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_role.yaml +++ b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_role.yaml @@ -1,4 +1,3 @@ -{{- if (get .Values "app-proxy").singleNamespace }} {{- define "argo-cd.namespaced-rbac.role" }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -24,5 +23,4 @@ rules: - apiGroups: ["rbac.authorization.k8s.io"] resources: ["roles", "rolebindings"] verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] -{{- end }} {{- end }} \ No newline at end of file diff --git a/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_rolebinding.yaml b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_rolebinding.yaml index 9e505dea..7d320d7a 100644 --- a/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_rolebinding.yaml +++ b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_rolebinding.yaml @@ -1,4 +1,3 @@ -{{- if (get .Values "app-proxy").singleNamespace }} {{- define "argo-cd.namespaced-rbac.rolebinding" }} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding 
@@ -16,5 +15,4 @@ subjects: - kind: ServiceAccount name: default namespace: {{ .Release.Namespace }} -{{- end }} {{- end }} \ No newline at end of file From 3fa40524246e4366fd5003981d7be20626b0d7b4 Mon Sep 17 00:00:00 2001 From: Philip Kotliyakov Date: Mon, 25 Aug 2025 07:42:05 +0300 Subject: [PATCH 05/27] added app-proxy context --- charts/gitops-runtime/templates/gitops-operator/deployment.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/charts/gitops-runtime/templates/gitops-operator/deployment.yaml b/charts/gitops-runtime/templates/gitops-operator/deployment.yaml index 81b56609..6038cbbc 100644 --- a/charts/gitops-runtime/templates/gitops-operator/deployment.yaml +++ b/charts/gitops-runtime/templates/gitops-operator/deployment.yaml @@ -5,6 +5,7 @@ {{- $_ := set $context "Values" $vals }} {{- $_ := set $context.Values "global" (deepCopy (get .Values "global")) }} +{{- $_ := set $context.Values "app-proxy" (deepCopy (get .Values "app-proxy")) }} {{- if and (not (index .Values "argo-cd" "enabled")) }} {{- if and (eq (index .Values "global" "external-argo-cd" "auth" "type") "token") }} From 370115e65cd181f6389fb1561f8140d2c9fda34f Mon Sep 17 00:00:00 2001 From: Philip Kotliyakov Date: Mon, 25 Aug 2025 07:50:52 +0300 Subject: [PATCH 06/27] fixed something --- .../templates/_components/cap-app-proxy/_config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/gitops-runtime/templates/_components/cap-app-proxy/_config.yaml b/charts/gitops-runtime/templates/_components/cap-app-proxy/_config.yaml index 5937d907..e615c50d 100644 --- a/charts/gitops-runtime/templates/_components/cap-app-proxy/_config.yaml +++ b/charts/gitops-runtime/templates/_components/cap-app-proxy/_config.yaml 
@@ -11,7 +11,7 @@ env: {{ .Values.config.env | quote}} isConfigurationRuntime: {{ .Values.global.runtime.isConfigurationRuntime | quote }} isExternalArgoCD: {{ .Values.global.runtime.isExternalArgoCD | quote }} runtimeName: {{ required "global.runtime.name is required" .Values.global.runtime.name | quote}} -runtimeSingleNamespace: {{ (get .Values "app-proxy").singleNamespace | quote }} +runtimeSingleNamespace: {{ .Values.singleNamespace | quote }} skipGitPermissionValidation: {{ .Values.config.skipGitPermissionValidation | quote }} logLevel: {{ .Values.config.logLevel | quote }} {{- $enrichmentValues := get .Values "image-enrichment" }} From f31c2230b24fb215bce7e37972b697eb02fcff1b Mon Sep 17 00:00:00 2001 From: Philip Kotliyakov Date: Mon, 25 Aug 2025 09:12:37 +0300 Subject: [PATCH 07/27] added argocd-manager service account --- .../_components/cap-app-proxy/argo-cd/_all.yaml | 2 ++ .../cap-app-proxy/argo-cd/_rolebinding.yaml | 2 +- .../cap-app-proxy/argo-cd/_serviceaccount.yaml | 10 ++++++++++ 3 files changed, 13 insertions(+), 1 deletion(-) create mode 100644 charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_serviceaccount.yaml diff --git a/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_all.yaml b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_all.yaml index 1506617b..d731eade 100644 --- a/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_all.yaml +++ b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_all.yaml @@ -1,4 +1,6 @@ {{- if (get .Values "app-proxy").singleNamespace }} +{{- include "argo-cd.namespaced-rbac.serviceaccount" . }} +--- {{- include "argo-cd.namespaced-rbac.role" . }} --- {{- include "argo-cd.namespaced-rbac.rolebinding" . }} diff --git a/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_rolebinding.yaml b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_rolebinding.yaml index 7d320d7a..28c52949 100644 
--- a/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_rolebinding.yaml +++ b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_rolebinding.yaml @@ -13,6 +13,6 @@ roleRef: name: argocd-namespaced-role subjects: - kind: ServiceAccount - name: default + name: argocd-manager namespace: {{ .Release.Namespace }} {{- end }} \ No newline at end of file diff --git a/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_serviceaccount.yaml b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_serviceaccount.yaml new file mode 100644 index 00000000..1f94e491 --- /dev/null +++ b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_serviceaccount.yaml @@ -0,0 +1,10 @@ +{{- define "argo-cd.namespaced-rbac.serviceaccount" }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: argocd-manager + namespace: {{ .Release.Namespace }} + labels: + {{- include "codefresh-gitops-runtime.labels" . | nindent 4 }} + codefresh.io/component: argocd-namespaced-rbac +{{- end }} From b08d29a65bf9bf8c0b912b42f6098dc2d1a28acb Mon Sep 17 00:00:00 2001 From: Mikhail Klimko Date: Fri, 25 Jul 2025 11:04:57 +0300 Subject: [PATCH 08/27] feat: multi runtime install From 6dc0412121c7144c9c2bdd42c3f799938a53e0ce Mon Sep 17 00:00:00 2001 
From: Mikhail Klimko Date: Fri, 25 Jul 2025 17:26:20 +0300 Subject: [PATCH 09/27] feat: multi runtime install --- charts/gitops-runtime/Chart.yaml | 1 + .../cf-argocd-extras/event-reporter/_rbac.yaml | 12 ++++++++++++ .../_components/gitops-operator/_default_values.tpl | 3 +++ .../gitops-operator/promotion-template/_rbac.yaml | 6 +++--- .../gitops-operator/rbac/_auth_proxy_rbac.yaml | 6 +++--- .../gitops-operator/rbac/_rbac_operator.yaml | 12 +++++++----- .../rbac/_restricted_git_source.rbac.yaml | 2 ++ charts/gitops-runtime/templates/_helpers.tpl | 7 +++++-- .../templates/app-proxy/workflows-crb.yaml | 4 ++-- charts/gitops-runtime/values.yaml | 5 ++++- 10 files changed, 42 insertions(+), 16 deletions(-) diff --git a/charts/gitops-runtime/Chart.yaml b/charts/gitops-runtime/Chart.yaml index 5592d2b0..2d9fbd31 100644 --- a/charts/gitops-runtime/Chart.yaml +++ b/charts/gitops-runtime/Chart.yaml @@ -32,6 +32,7 @@ dependencies: - name: sealed-secrets repository: https://bitnami-labs.github.io/sealed-secrets/ version: 2.17.2 + condition: sealed-secrets.enabled - name: codefresh-tunnel-client repository: oci://quay.io/codefresh/charts version: 0.1.21 diff --git a/charts/gitops-runtime/templates/_components/cf-argocd-extras/event-reporter/_rbac.yaml b/charts/gitops-runtime/templates/_components/cf-argocd-extras/event-reporter/_rbac.yaml index 64cd6d27..6049e633 100644 --- a/charts/gitops-runtime/templates/_components/cf-argocd-extras/event-reporter/_rbac.yaml +++ b/charts/gitops-runtime/templates/_components/cf-argocd-extras/event-reporter/_rbac.yaml 
@@ -11,6 +11,18 @@ {{/* Workaround to NOT change label selectors from previous runtime release when event-reporter was part of cf-argocd-extras Subchart */}} {{- $_ := set $context.Values "nameOverride" "cf-argocd-extras" }} +{{/* Remove nonResourceURLs when RBAC is namespaced */}} +{{- $rules := $context.Values.rbac.rules }} +{{- if $context.Values.rbac.namespaced }} + {{- $rules = list }} + {{- range $context.Values.rbac.rules }} + {{- if not .nonResourceURLs }} + {{- $rules = append $rules . }} + {{- end }} + {{- end }} +{{- end }} +{{- $_ := set $context.Values.rbac "rules" $rules }} + {{- $templateName := printf "cf-common-%s.rbac" (index .Subcharts "cf-common").Chart.Version }} {{- include $templateName $context }} diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/_default_values.tpl b/charts/gitops-runtime/templates/_components/gitops-operator/_default_values.tpl index dd552eb8..58ece965 100644 --- a/charts/gitops-runtime/templates/_components/gitops-operator/_default_values.tpl +++ b/charts/gitops-runtime/templates/_components/gitops-operator/_default_values.tpl @@ -14,6 +14,9 @@ global: replicaCount: 1 +# -- Restrict the gitops operator to a single namespace (by the namespace of Helm release) +singleNamespace: false + # -- Codefresh gitops operator crds crds: # -- Whether or not to install CRDs diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/promotion-template/_rbac.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/promotion-template/_rbac.yaml index 0f2d1f3e..812ae1dd 100644 --- a/charts/gitops-runtime/templates/_components/gitops-operator/promotion-template/_rbac.yaml +++ b/charts/gitops-runtime/templates/_components/gitops-operator/promotion-template/_rbac.yaml 
@@ -1,7 +1,7 @@ {{- define "gitops-operator.resources.promotion-template-rbac" }} apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole +kind: {{ .Values.singleNamespace | ternary "Role" "ClusterRole" }} metadata: labels: {{- include "gitops-operator.selectorLabels" . | nindent 4 }} @@ -45,14 +45,14 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: {{ .Values.singleNamespace | ternary "RoleBinding" "ClusterRoleBinding" }} metadata: labels: {{- include "gitops-operator.selectorLabels" . | nindent 4 }} name: promotion-template roleRef: apiGroup: rbac.authorization.k8s.io - kind: ClusterRole + kind: {{ .Values.singleNamespace | ternary "Role" "ClusterRole" }} name: promotion-template subjects: - kind: ServiceAccount diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_auth_proxy_rbac.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_auth_proxy_rbac.yaml index 4ec54d31..96f47030 100644 --- a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_auth_proxy_rbac.yaml +++ b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_auth_proxy_rbac.yaml @@ -1,7 +1,7 @@ {{- define "gitops-operator.resources.auth-proxy-rbac" }} apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole +kind: {{ .Values.singleNamespace | ternary "Role" "ClusterRole" }} metadata: labels: {{- include "gitops-operator.selectorLabels" . | nindent 4 }} @@ -22,14 +22,14 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: {{ .Values.singleNamespace | ternary "RoleBinding" "ClusterRoleBinding" }} metadata: labels: {{- include "gitops-operator.selectorLabels" . | nindent 4 }} name: codefresh-gitops-operator-proxy roleRef: apiGroup: rbac.authorization.k8s.io - kind: ClusterRole + kind: {{ .Values.singleNamespace | ternary "Role" "ClusterRole" }} name: codefresh-gitops-operator-proxy subjects: - kind: ServiceAccount 
diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_rbac_operator.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_rbac_operator.yaml index 38df174b..26832600 100644 --- a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_rbac_operator.yaml +++ b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_rbac_operator.yaml @@ -1,7 +1,7 @@ {{- define "gitops-operator.resources.rbac-operator" }} apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole +kind: {{ .Values.singleNamespace | ternary "Role" "ClusterRole" }} metadata: labels: {{- include "gitops-operator.selectorLabels" . | nindent 4 }} @@ -26,6 +26,7 @@ rules: - patch - update - watch +{{- if not .Values.singleNamespace }} - apiGroups: - codefresh.io resources: @@ -52,6 +53,7 @@ rules: - get - patch - update +{{- end }} - apiGroups: - "" resources: @@ -72,14 +74,14 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: {{ .Values.singleNamespace | ternary "RoleBinding" "ClusterRoleBinding" }} metadata: labels: {{- include "gitops-operator.selectorLabels" . | nindent 4 }} name: codefresh-gitops-operator roleRef: apiGroup: rbac.authorization.k8s.io - kind: ClusterRole + kind: {{ .Values.singleNamespace | ternary "Role" "ClusterRole" }} name: codefresh-gitops-operator subjects: - kind: ServiceAccount @@ -87,14 +89,14 @@ subjects: namespace: {{ .Release.Namespace }} --- apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: {{ .Values.singleNamespace | ternary "RoleBinding" "ClusterRoleBinding" }} metadata: labels: {{- include "gitops-operator.selectorLabels" . | nindent 4 }} name: codefresh-gitops-operator-workflows roleRef: apiGroup: rbac.authorization.k8s.io - kind: ClusterRole + kind: {{ .Values.singleNamespace | ternary "Role" "ClusterRole" }} name: argo-edit subjects: - kind: ServiceAccount 
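Review bot: In the `codefresh-gitops-operator-workflows` binding (last hunk of `_rbac_operator.yaml`) `roleRef.kind` now becomes `Role` when `singleNamespace` is true, but the referenced `argo-edit` role is not created by this file and nothing visible in this patch adds a namespaced `Role` of that name. If `argo-edit` is still shipped as a ClusterRole (presumably by the argo-workflows subchart; confirm), the RoleBinding would point at a role that does not exist and the operator would silently lose its workflow permissions. A RoleBinding may reference a ClusterRole and then grants it only inside the binding's own namespace, so for this binding the `roleRef` line can stay `kind: ClusterRole` while the binding's `kind:` switches to `RoleBinding`. The same applies to `roleRef` in `templates/app-proxy/workflows-crb.yaml`, whose target name comes from `codefresh-gitops-runtime.argo-workflows.server.name`.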
diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_restricted_git_source.rbac.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_restricted_git_source.rbac.yaml index be27879c..913d131d 100644 --- a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_restricted_git_source.rbac.yaml +++ b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_restricted_git_source.rbac.yaml @@ -1,5 +1,6 @@ {{- define "gitops-operator.resources.restricted-git-source-rbac" }} + {{- if not .Values.singleNamespace }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -80,4 +81,5 @@ subjects: - kind: ServiceAccount name: {{ include "gitops-operator.serviceAccountName" . }} namespace: {{ .Release.Namespace }} + {{- end }} {{- end }} diff --git a/charts/gitops-runtime/templates/_helpers.tpl b/charts/gitops-runtime/templates/_helpers.tpl index 1b66f710..9f4b88af 100644 --- a/charts/gitops-runtime/templates/_helpers.tpl +++ b/charts/gitops-runtime/templates/_helpers.tpl 
@@ -431,11 +431,14 @@ Output comma separated list of installed runtime components */}} {{- define "codefresh-gitops-runtime.component-list"}} {{- $argoEvents := dict "name" "argo-events" "version" (get .Subcharts "argo-events").Chart.AppVersion }} - {{- $sealedSecrets := dict "name" "sealed-secrets" "version" (get .Subcharts "sealed-secrets").Chart.AppVersion }} {{- $internalRouter := dict "name" "internal-router" "version" .Chart.AppVersion }} {{- $appProxy := dict "name" "app-proxy" "version" (index (get .Values "app-proxy") "image" "tag") }} {{- $sourcesServer := dict "name" "sources-server" "version" (get .Values "cf-argocd-extras").sourcesServer.container.image.tag }} - {{- $comptList := list $argoEvents $appProxy $sealedSecrets $internalRouter $sourcesServer }} + {{- $comptList := list $argoEvents $appProxy $internalRouter $sourcesServer }} +{{- if and (index .Values "sealed-secrets" "enabled") }} + {{- $sealedSecrets := dict "name" "sealed-secrets" "version" (get .Subcharts "sealed-secrets").Chart.AppVersion }} + {{- $comptList = append $comptList $sealedSecrets }} +{{- end }} {{- if and (index .Values "argo-cd" "enabled") }} {{- $argoCD := dict "name" "argocd" "version" (get .Subcharts "argo-cd").Chart.AppVersion }} {{- $comptList = append $comptList $argoCD }} diff --git a/charts/gitops-runtime/templates/app-proxy/workflows-crb.yaml b/charts/gitops-runtime/templates/app-proxy/workflows-crb.yaml index d3a0b4e2..35010bf0 100644 --- a/charts/gitops-runtime/templates/app-proxy/workflows-crb.yaml +++ b/charts/gitops-runtime/templates/app-proxy/workflows-crb.yaml 
@@ -4,12 +4,12 @@ {{- $_ := set $appProxyContext "Values" (deepCopy (get .Values "app-proxy")) }} {{- $_ := set $appProxyContext.Values "global" (deepCopy (get .Values "global")) }} apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: {{ $appProxyContext.Values.singleNamespace | ternary "RoleBinding" "ClusterRoleBinding" }} metadata: name: cap-app-proxy-argo-workflows roleRef: apiGroup: rbac.authorization.k8s.io - kind: ClusterRole + kind: {{ $appProxyContext.Values.singleNamespace | ternary "Role" "ClusterRole" }} name: {{ include "codefresh-gitops-runtime.argo-workflows.server.name" . }} subjects: - kind: ServiceAccount diff --git a/charts/gitops-runtime/values.yaml b/charts/gitops-runtime/values.yaml index 8acfd399..c369ad5c 100644 --- a/charts/gitops-runtime/values.yaml +++ b/charts/gitops-runtime/values.yaml @@ -713,6 +713,9 @@ gitops-operator: annotations: {} # -- Additional labels for gitops operator CRDs additionalLabels: {} + # -- Restrict the gitops operator to a single namespace (by the namespace of Helm release) + singleNamespace: false + # -- GitOps operator configuration config: # -- Task polling interval taskPollingInterval: 10s @@ -724,8 +727,8 @@ gitops-operator: maxConcurrentReleases: 100 # -- An optional template for the promotion wrapper (empty default will use the embedded one) promotionWrapperTemplate: '' + # -- GitOps operator image image: - # -- defaults registry: quay.io repository: codefresh/codefresh-gitops-operator tag: v0.11.1 From c6aa9e23bc1a131e8b656db8aed9f69154a1d3bd Mon Sep 17 00:00:00 2001 
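Review bot: In single-namespace mode the `roleRef` in workflows-crb.yaml switches to `kind: Role` but keeps the name from `codefresh-gitops-runtime.argo-workflows.server.name`, and nothing in the visible part of this patch creates a namespaced Role under that name. If the Argo Workflows subchart still renders that object as a ClusterRole, the API server accepts the RoleBinding but it grants nothing, so app-proxy loses its workflows access with no install-time error. A RoleBinding may reference a ClusterRole and still confines the grant to its own namespace, so `roleRef` can keep `kind: ClusterRole` while only the binding's own `kind` changes. The template's first lines are outside the hunk.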
From: Mikhail Klimko Date: Fri, 25 Jul 2025 17:47:53 +0300 Subject: [PATCH 10/27] feat: multi runtime install --- charts/gitops-runtime/templates/gitops-operator/crds.yaml | 4 +++- .../gitops-runtime/templates/gitops-operator/deployment.yaml | 2 ++ .../templates/gitops-operator/promotion-operator.yaml | 4 +++- charts/gitops-runtime/templates/gitops-operator/rbac.yaml | 4 +++- .../templates/gitops-operator/serviceaccount.yaml | 4 ++++ 5 files changed, 15 insertions(+), 3 deletions(-) diff --git a/charts/gitops-runtime/templates/gitops-operator/crds.yaml b/charts/gitops-runtime/templates/gitops-operator/crds.yaml index e78bb700..171bf6f0 100644 --- a/charts/gitops-runtime/templates/gitops-operator/crds.yaml +++ b/charts/gitops-runtime/templates/gitops-operator/crds.yaml @@ -1 +1,3 @@ -{{- include "gitops-operator.crds" . }} +{{- if and (index .Values "gitops-operator" "enabled") }} + {{- include "gitops-operator.crds" . }} +{{- end }} diff --git a/charts/gitops-runtime/templates/gitops-operator/deployment.yaml b/charts/gitops-runtime/templates/gitops-operator/deployment.yaml index 6038cbbc..1124f109 100644 --- a/charts/gitops-runtime/templates/gitops-operator/deployment.yaml +++ b/charts/gitops-runtime/templates/gitops-operator/deployment.yaml @@ -1,3 +1,4 @@ +{{- if and (index .Values "gitops-operator" "enabled") }} {{- $context := deepCopy . }} {{- $defaultVals := include "gitops-operator.default-values" . | fromYaml }} @@ -45,3 +46,4 @@ {{- end }} {{- include "gitops-operator.resources.deployment" $context }} +{{- end }} diff --git a/charts/gitops-runtime/templates/gitops-operator/promotion-operator.yaml b/charts/gitops-runtime/templates/gitops-operator/promotion-operator.yaml index 5eb7884c..78956245 100644 --- a/charts/gitops-runtime/templates/gitops-operator/promotion-operator.yaml +++ b/charts/gitops-runtime/templates/gitops-operator/promotion-operator.yaml 
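Review bot: Gating `gitops-operator.crds` on `gitops-operator.enabled` in crds.yaml means an upgrade that flips the flag to false drops the CRDs from the release, and Kubernetes then deletes every custom resource of those kinds. Unless the CRD templates already carry `helm.sh/resource-policy: keep` (not visible in this hunk), that annotation or a separate CRD switch would preserve the data when the operator is turned off. The guard can also lose the single-operand `and`: `{{- if index .Values "gitops-operator" "enabled" }}` reads the same, here and in the deployment, promotion-operator, rbac and serviceaccount hunks of this patch.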
@@ -1 +1,3 @@ -{{- include "gitops-operator.resources.promotion-template" . }} +{{- if and (index .Values "gitops-operator" "enabled") }} + {{- include "gitops-operator.resources.promotion-template" . }} +{{- end }} diff --git a/charts/gitops-runtime/templates/gitops-operator/rbac.yaml b/charts/gitops-runtime/templates/gitops-operator/rbac.yaml index 41df10f0..96489708 100644 --- a/charts/gitops-runtime/templates/gitops-operator/rbac.yaml +++ b/charts/gitops-runtime/templates/gitops-operator/rbac.yaml @@ -1 +1,3 @@ -{{- include "gitops-operator.resources.rbac" . }} +{{- if and (index .Values "gitops-operator" "enabled") }} + {{- include "gitops-operator.resources.rbac" . }} +{{- end }} diff --git a/charts/gitops-runtime/templates/gitops-operator/serviceaccount.yaml b/charts/gitops-runtime/templates/gitops-operator/serviceaccount.yaml index 022cf431..87517d1d 100644 --- a/charts/gitops-runtime/templates/gitops-operator/serviceaccount.yaml +++ b/charts/gitops-runtime/templates/gitops-operator/serviceaccount.yaml @@ -1,3 +1,5 @@ +{{- if and (index .Values "gitops-operator" "enabled") }} + {{- $context := deepCopy . }} {{- $defaultVals := include "gitops-operator.default-values" . | fromYaml }} @@ -7,3 +9,5 @@ {{- $_ := set $context.Values "global" (deepCopy (get .Values "global")) }} {{- include "gitops-operator.resources.sa" $context }} + +{{- end }} From 43a44af7f3f6d0cf8bd69ee11bb1c1dc75c15132 Mon Sep 17 00:00:00 2001 From: Mikhail Klimko Date: Wed, 30 Jul 2025 11:10:27 +0300 Subject: [PATCH 11/27] feat: multi runtime install --- .../promotion-template/_rbac.yaml | 12 ++++++------ .../gitops-operator/rbac/_auth_proxy_rbac.yaml | 12 ++++++------ .../gitops-operator/rbac/_rbac_operator.yaml | 18 +++++++++--------- 3 files changed, 21 insertions(+), 21 deletions(-) 
diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/promotion-template/_rbac.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/promotion-template/_rbac.yaml index 812ae1dd..92d712d3 100644 --- a/charts/gitops-runtime/templates/_components/gitops-operator/promotion-template/_rbac.yaml +++ b/charts/gitops-runtime/templates/_components/gitops-operator/promotion-template/_rbac.yaml @@ -1,11 +1,11 @@ {{- define "gitops-operator.resources.promotion-template-rbac" }} apiVersion: rbac.authorization.k8s.io/v1 -kind: {{ .Values.singleNamespace | ternary "Role" "ClusterRole" }} +kind: ClusterRole metadata: labels: {{- include "gitops-operator.selectorLabels" . | nindent 4 }} - name: promotion-template + name: {{ .Values.singleNamespace | ternary (printf "promotion-template-%s" .Release.Namespace) "promotion-template" }} rules: - apiGroups: - "" @@ -45,15 +45,15 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 -kind: {{ .Values.singleNamespace | ternary "RoleBinding" "ClusterRoleBinding" }} +kind: ClusterRoleBinding metadata: labels: {{- include "gitops-operator.selectorLabels" . | nindent 4 }} - name: promotion-template + name: {{ .Values.singleNamespace | ternary (printf "promotion-template-%s" .Release.Namespace) "promotion-template" }} roleRef: apiGroup: rbac.authorization.k8s.io - kind: {{ .Values.singleNamespace | ternary "Role" "ClusterRole" }} - name: promotion-template + kind: ClusterRole + name: {{ .Values.singleNamespace | ternary (printf "promotion-template-%s" .Release.Namespace) "promotion-template" }} subjects: - kind: ServiceAccount name: {{ include "gitops-operator.promotionTemplate.serviceAccountName" . }} diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_auth_proxy_rbac.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_auth_proxy_rbac.yaml index 96f47030..9338fbde 100644 --- a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_auth_proxy_rbac.yaml 
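Review bot: With this change `singleNamespace: true` no longer narrows anything: the promotion-template objects stay `ClusterRole` and `ClusterRoleBinding` and only gain a `-<namespace>` suffix, so the bound service account keeps cluster-wide rights under a setting that values.yaml documents as restricting the operator to one namespace. The removed lines rendered `Role`/`RoleBinding` in that mode; if the suffix is only meant to avoid name clashes between runtimes, namespaced kinds already avoid them without widening scope. Rules that target cluster-scoped resources do need a ClusterRole, so I would split those out and keep the rest as `kind: {{ .Values.singleNamespace | ternary "Role" "ClusterRole" }}`. The same switch is made in the _auth_proxy_rbac.yaml and _rbac_operator.yaml hunks of this patch.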
+++ b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_auth_proxy_rbac.yaml @@ -1,11 +1,11 @@ {{- define "gitops-operator.resources.auth-proxy-rbac" }} apiVersion: rbac.authorization.k8s.io/v1 -kind: {{ .Values.singleNamespace | ternary "Role" "ClusterRole" }} +kind: ClusterRole metadata: labels: {{- include "gitops-operator.selectorLabels" . | nindent 4 }} - name: codefresh-gitops-operator-proxy + name: {{ .Values.singleNamespace | ternary (printf "codefresh-gitops-operator-proxy-%s" .Release.Namespace) "codefresh-gitops-operator-proxy" }} rules: - apiGroups: - authentication.k8s.io @@ -22,15 +22,15 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 -kind: {{ .Values.singleNamespace | ternary "RoleBinding" "ClusterRoleBinding" }} +kind: ClusterRoleBinding metadata: labels: {{- include "gitops-operator.selectorLabels" . | nindent 4 }} - name: codefresh-gitops-operator-proxy + name: {{ .Values.singleNamespace | ternary (printf "codefresh-gitops-operator-proxy-%s" .Release.Namespace) "codefresh-gitops-operator-proxy" }} roleRef: apiGroup: rbac.authorization.k8s.io - kind: {{ .Values.singleNamespace | ternary "Role" "ClusterRole" }} - name: codefresh-gitops-operator-proxy + kind: ClusterRole + name: {{ .Values.singleNamespace | ternary (printf "codefresh-gitops-operator-proxy-%s" .Release.Namespace) "codefresh-gitops-operator-proxy" }} subjects: - kind: ServiceAccount name: {{ include "gitops-operator.serviceAccountName" . }} diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_rbac_operator.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_rbac_operator.yaml index 26832600..aee5c759 100644 --- a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_rbac_operator.yaml +++ b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_rbac_operator.yaml 
@@ -1,11 +1,11 @@ {{- define "gitops-operator.resources.rbac-operator" }} apiVersion: rbac.authorization.k8s.io/v1 -kind: {{ .Values.singleNamespace | ternary "Role" "ClusterRole" }} +kind: ClusterRole metadata: labels: {{- include "gitops-operator.selectorLabels" . | nindent 4 }} - name: codefresh-gitops-operator + name: {{ .Values.singleNamespace | ternary (printf "codefresh-gitops-operator-%s" .Release.Namespace) "codefresh-gitops-operator" }} rules: - apiGroups: - "" @@ -74,29 +74,29 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 -kind: {{ .Values.singleNamespace | ternary "RoleBinding" "ClusterRoleBinding" }} +kind: ClusterRoleBinding metadata: labels: {{- include "gitops-operator.selectorLabels" . | nindent 4 }} - name: codefresh-gitops-operator + name: {{ .Values.singleNamespace | ternary (printf "codefresh-gitops-operator-%s" .Release.Namespace) "codefresh-gitops-operator" }} roleRef: apiGroup: rbac.authorization.k8s.io - kind: {{ .Values.singleNamespace | ternary "Role" "ClusterRole" }} - name: codefresh-gitops-operator + kind: ClusterRole + name: {{ .Values.singleNamespace | ternary (printf "codefresh-gitops-operator-%s" .Release.Namespace) "codefresh-gitops-operator" }} subjects: - kind: ServiceAccount name: {{ include "gitops-operator.serviceAccountName" . }} namespace: {{ .Release.Namespace }} --- apiVersion: rbac.authorization.k8s.io/v1 -kind: {{ .Values.singleNamespace | ternary "RoleBinding" "ClusterRoleBinding" }} +kind: ClusterRoleBinding metadata: labels: {{- include "gitops-operator.selectorLabels" . | nindent 4 }} - name: codefresh-gitops-operator-workflows + name: {{ .Values.singleNamespace | ternary (printf "codefresh-gitops-operator-workflows-%s" .Release.Namespace) "codefresh-gitops-operator-workflows" }} roleRef: apiGroup: rbac.authorization.k8s.io - kind: {{ .Values.singleNamespace | ternary "Role" "ClusterRole" }} + kind: ClusterRole name: argo-edit subjects: - kind: ServiceAccount 
From 0176c17c9655709d626c3fc72dbf6fa62939b0c7 Mon Sep 17 00:00:00 2001 From: Mikhail Klimko Date: Wed, 30 Jul 2025 11:40:41 +0300 Subject: [PATCH 12/27] wip: Wed Jul 30 11:40:41 +03 2025 --- .../_components/gitops-operator/rbac/_rbac_operator.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_rbac_operator.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_rbac_operator.yaml index aee5c759..ffefcf58 100644 --- a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_rbac_operator.yaml +++ b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_rbac_operator.yaml @@ -89,15 +89,15 @@ subjects: namespace: {{ .Release.Namespace }} --- apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: {{ .Values.singleNamespace | ternary "RoleBinding" "ClusterRoleBinding" }} metadata: labels: {{- include "gitops-operator.selectorLabels" . | nindent 4 }} name: {{ .Values.singleNamespace | ternary (printf "codefresh-gitops-operator-workflows-%s" .Release.Namespace) "codefresh-gitops-operator-workflows" }} roleRef: apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: argo-edit + kind: {{ .Values.singleNamespace | ternary "Role" "ClusterRole" }} + name: {{ .Values.singleNamespace | ternary "argo-workflow-controller" "argo-edit" }} subjects: - kind: ServiceAccount name: {{ include "gitops-operator.serviceAccountName" . }} From e5b8cfccd5cc2e3d0dd3ed8d3cab322e6a46f509 Mon Sep 17 00:00:00 2001 From: Mikhail Klimko Date: Wed, 30 Jul 2025 12:19:46 +0300 Subject: [PATCH 13/27] wip: Wed Jul 30 12:19:46 +03 2025 --- .../gitops-operator/rbac/_rbac_operator.yaml | 122 +++++++++++++++++- 1 file changed, 121 insertions(+), 1 deletion(-) 
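Review bot: The `roleRef` now names a Role `argo-workflow-controller` in single-namespace mode, but this patch touches only the binding and does not render a Role with that name. A RoleBinding to a missing Role is accepted by the API server and grants nothing, so the operator would lose workflow access silently; the Role should be rendered in the same commit, or the reference should point at one this chart owns. The binding's `name` also keeps the `-%s` namespace suffix, which a namespaced RoleBinding no longer needs.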
diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_rbac_operator.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_rbac_operator.yaml
index ffefcf58..75310814 100644
--- a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_rbac_operator.yaml
+++ b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_rbac_operator.yaml
@@ -71,6 +71,126 @@ rules: - get - list - watch +--- +{{- if .Values.singleNamespace }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: argo-role +rules: +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - get + - update +- apiGroups: + - "" + resources: + - pods + - pods/exec + verbs: + - create + - get + - list + - watch + - update + - patch + - delete +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - watch + - list +- apiGroups: + - "" + resources: + - persistentvolumeclaims + - persistentvolumeclaims/finalizers + verbs: + - create + - update + - delete + - get +- apiGroups: + - argoproj.io + resources: + - workflows + - workflows/finalizers + - workflowtasksets + - workflowtasksets/finalizers + - workflowartifactgctasks + verbs: + - get + - list + - watch + - update + - patch + - delete + - create +- apiGroups: + - argoproj.io + resources: + - workflowtemplates + - workflowtemplates/finalizers + verbs: + - get + - list + - watch +- apiGroups: + - argoproj.io + resources: + - workflowtaskresults + verbs: + - list + - watch + - deletecollection +- apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - get + - list +- apiGroups: + - "" + resources: + - secrets + verbs: + - get +- apiGroups: + - argoproj.io + resources: + - cronworkflows + - cronworkflows/finalizers + verbs: + - get + - list + - watch + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - policy + resources: + - poddisruptionbudgets + verbs: + - create + - get + - delete +{{- end }} --- apiVersion: rbac.authorization.k8s.io/v1 
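Review bot: The new `argo-role` hands the gitops-operator service account create/delete on `pods` and `pods/exec`, `get` on `secrets`, plus PVCs, leases and pod disruption budgets, which reads like a workflow-controller permission set rather than what a component that manages workflow objects needs. The cluster-mode binding targets `argo-edit`, whose rules are not shown here; if that role covers only Argo resources, single-namespace mode ends up with the broader grant of the two. `pods/exec` together with `secrets` get means a compromised operator pod can run commands in any pod in the namespace and read any secret it can name. I would reduce the Role to the `argoproj.io` rules, add others back only with a stated need, and give it the `gitops-operator.selectorLabels` labels and a release-specific name like the other objects in this file.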
@@ -97,7 +217,7 @@ metadata: roleRef: apiGroup: rbac.authorization.k8s.io kind: {{ .Values.singleNamespace | ternary "Role" "ClusterRole" }} - name: {{ .Values.singleNamespace | ternary "argo-workflow-controller" "argo-edit" }} + name: {{ .Values.singleNamespace | ternary "argo-role" "argo-edit" }} subjects: - kind: ServiceAccount name: {{ include "gitops-operator.serviceAccountName" . }} From 00bd9fb4a08440d7d5130808a1e471a15705f813 Mon Sep 17 00:00:00 2001 From: shirtabachii Date: Wed, 20 Aug 2025 13:38:03 +0300 Subject: [PATCH 14/27] feat: multi runtime install --- .../gitops-operator/promotion-template/_rbac.yaml | 12 ++++++------ .../gitops-operator/rbac/_auth_proxy_rbac.yaml | 12 ++++++------ .../gitops-operator/rbac/_rbac_operator.yaml | 14 +++++++------- 3 files changed, 19 insertions(+), 19 deletions(-) diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/promotion-template/_rbac.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/promotion-template/_rbac.yaml index 92d712d3..812ae1dd 100644 --- a/charts/gitops-runtime/templates/_components/gitops-operator/promotion-template/_rbac.yaml +++ b/charts/gitops-runtime/templates/_components/gitops-operator/promotion-template/_rbac.yaml @@ -1,11 +1,11 @@ {{- define "gitops-operator.resources.promotion-template-rbac" }} apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole +kind: {{ .Values.singleNamespace | ternary "Role" "ClusterRole" }} metadata: labels: {{- include "gitops-operator.selectorLabels" . | nindent 4 }} - name: {{ .Values.singleNamespace | ternary (printf "promotion-template-%s" .Release.Namespace) "promotion-template" }} + name: promotion-template rules: - apiGroups: - "" 
@@ -45,15 +45,15 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: {{ .Values.singleNamespace | ternary "RoleBinding" "ClusterRoleBinding" }} metadata: labels: {{- include "gitops-operator.selectorLabels" . | nindent 4 }} - name: {{ .Values.singleNamespace | ternary (printf "promotion-template-%s" .Release.Namespace) "promotion-template" }} + name: promotion-template roleRef: apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ .Values.singleNamespace | ternary (printf "promotion-template-%s" .Release.Namespace) "promotion-template" }} + kind: {{ .Values.singleNamespace | ternary "Role" "ClusterRole" }} + name: promotion-template subjects: - kind: ServiceAccount name: {{ include "gitops-operator.promotionTemplate.serviceAccountName" . }} diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_auth_proxy_rbac.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_auth_proxy_rbac.yaml index 9338fbde..96f47030 100644 --- a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_auth_proxy_rbac.yaml +++ b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_auth_proxy_rbac.yaml @@ -1,11 +1,11 @@ {{- define "gitops-operator.resources.auth-proxy-rbac" }} apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole +kind: {{ .Values.singleNamespace | ternary "Role" "ClusterRole" }} metadata: labels: {{- include "gitops-operator.selectorLabels" . | nindent 4 }} - name: {{ .Values.singleNamespace | ternary (printf "codefresh-gitops-operator-proxy-%s" .Release.Namespace) "codefresh-gitops-operator-proxy" }} + name: codefresh-gitops-operator-proxy rules: - apiGroups: - authentication.k8s.io 
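Review bot: Rendering `codefresh-gitops-operator-proxy` as a `Role` in single-namespace mode likely breaks the auth proxy: its rule is on `authentication.k8s.io`, and if the resource is `tokenreviews` (the resource list is outside the hunk) that is a cluster-scoped resource, which a Role and RoleBinding cannot grant. The objects would apply cleanly and the proxy would then be refused on every review call. This pair should stay `ClusterRole`/`ClusterRoleBinding` regardless of `singleNamespace`, with a release-specific name if several runtimes share a cluster. The promotion-template and operator roles in this patch can be scoped down only as long as their rules name namespaced resources.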
@@ -22,15 +22,15 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: {{ .Values.singleNamespace | ternary "RoleBinding" "ClusterRoleBinding" }} metadata: labels: {{- include "gitops-operator.selectorLabels" . | nindent 4 }} - name: {{ .Values.singleNamespace | ternary (printf "codefresh-gitops-operator-proxy-%s" .Release.Namespace) "codefresh-gitops-operator-proxy" }} + name: codefresh-gitops-operator-proxy roleRef: apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ .Values.singleNamespace | ternary (printf "codefresh-gitops-operator-proxy-%s" .Release.Namespace) "codefresh-gitops-operator-proxy" }} + kind: {{ .Values.singleNamespace | ternary "Role" "ClusterRole" }} + name: codefresh-gitops-operator-proxy subjects: - kind: ServiceAccount name: {{ include "gitops-operator.serviceAccountName" . }} diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_rbac_operator.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_rbac_operator.yaml index 75310814..317b55a7 100644 --- a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_rbac_operator.yaml +++ b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_rbac_operator.yaml @@ -1,11 +1,11 @@ {{- define "gitops-operator.resources.rbac-operator" }} apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole +kind: {{ .Values.singleNamespace | ternary "Role" "ClusterRole" }} metadata: labels: {{- include "gitops-operator.selectorLabels" . | nindent 4 }} - name: {{ .Values.singleNamespace | ternary (printf "codefresh-gitops-operator-%s" .Release.Namespace) "codefresh-gitops-operator" }} + name: codefresh-gitops-operator rules: - apiGroups: - "" 
@@ -194,15 +194,15 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: {{ .Values.singleNamespace | ternary "RoleBinding" "ClusterRoleBinding" }} metadata: labels: {{- include "gitops-operator.selectorLabels" . | nindent 4 }} - name: {{ .Values.singleNamespace | ternary (printf "codefresh-gitops-operator-%s" .Release.Namespace) "codefresh-gitops-operator" }} + name: codefresh-gitops-operator roleRef: apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ .Values.singleNamespace | ternary (printf "codefresh-gitops-operator-%s" .Release.Namespace) "codefresh-gitops-operator" }} + kind: {{ .Values.singleNamespace | ternary "Role" "ClusterRole" }} + name: codefresh-gitops-operator subjects: - kind: ServiceAccount name: {{ include "gitops-operator.serviceAccountName" . }} @@ -213,7 +213,7 @@ kind: {{ .Values.singleNamespace | ternary "RoleBinding" "ClusterRoleBinding" }} metadata: labels: {{- include "gitops-operator.selectorLabels" . | nindent 4 }} - name: {{ .Values.singleNamespace | ternary (printf "codefresh-gitops-operator-workflows-%s" .Release.Namespace) "codefresh-gitops-operator-workflows" }} + name: codefresh-gitops-operator-workflows roleRef: apiGroup: rbac.authorization.k8s.io kind: {{ .Values.singleNamespace | ternary "Role" "ClusterRole" }} From 99e35761c1c6301e8877d04fe993c78237533cb5 Mon Sep 17 00:00:00 2001 
From: shirtabachii Date: Mon, 25 Aug 2025 14:51:24 +0300 Subject: [PATCH 15/27] wip --- .../cap-app-proxy/_all_resources.yaml | 2 +- .../_components/cap-app-proxy/_config.yaml | 4 ++-- .../_components/cap-app-proxy/argo-cd/_all.yaml | 6 ++++-- .../_components/gitops-operator/_env.yaml | 4 ++-- .../_components/gitops-operator/crds/_all.yaml | 2 +- .../promotion-template/_rbac.yaml | 6 +++--- .../_components/gitops-operator/rbac/_all.yaml | 2 +- .../gitops-operator/rbac/_auth_proxy_rbac.yaml | 6 +++--- .../gitops-operator/rbac/_rbac_operator.yaml | 16 ++++++++-------- .../rbac/_restricted_git_source.rbac.yaml | 2 +- .../templates/app-proxy/workflows-crb.yaml | 4 ++-- .../gitops-runtime/templates/codefresh-cm.yaml | 6 +++--- charts/gitops-runtime/values.yaml | 6 ++---- 13 files changed, 33 insertions(+), 33 deletions(-) diff --git a/charts/gitops-runtime/templates/_components/cap-app-proxy/_all_resources.yaml b/charts/gitops-runtime/templates/_components/cap-app-proxy/_all_resources.yaml index ff455cf5..d60f456b 100644 --- a/charts/gitops-runtime/templates/_components/cap-app-proxy/_all_resources.yaml +++ b/charts/gitops-runtime/templates/_components/cap-app-proxy/_all_resources.yaml @@ -12,4 +12,4 @@ {{ include "cap-app-proxy.resources.sa" .}} --- {{ include "argo-cd.namespaced-rbac.all" . }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/charts/gitops-runtime/templates/_components/cap-app-proxy/_config.yaml b/charts/gitops-runtime/templates/_components/cap-app-proxy/_config.yaml index e615c50d..0dd1059d 100644 --- a/charts/gitops-runtime/templates/_components/cap-app-proxy/_config.yaml +++ b/charts/gitops-runtime/templates/_components/cap-app-proxy/_config.yaml 
@@ -4,14 +4,14 @@ argoCdUsername: {{ .Values.config.argoCdUsername }} argoWorkflowsInsecure: {{ .Values.config.argoWorkflowsInsecure | quote }} argoWorkflowsUrl: {{ default "" .Values.config.argoWorkflowsUrl }} cors: {{ .Values.global.codefresh.url }} - {{- with .Values.config.clusterChunkSize }} + {{- with .Values.config.clusterChunkSize }} clusterChunkSize: {{ . | quote }} {{- end }} env: {{ .Values.config.env | quote}} isConfigurationRuntime: {{ .Values.global.runtime.isConfigurationRuntime | quote }} isExternalArgoCD: {{ .Values.global.runtime.isExternalArgoCD | quote }} runtimeName: {{ required "global.runtime.name is required" .Values.global.runtime.name | quote}} -runtimeSingleNamespace: {{ .Values.singleNamespace | quote }} +runtimeSingleNamespace: {{ .Values.global.runtime.singleNamespace | quote }} skipGitPermissionValidation: {{ .Values.config.skipGitPermissionValidation | quote }} logLevel: {{ .Values.config.logLevel | quote }} {{- $enrichmentValues := get .Values "image-enrichment" }} diff --git a/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_all.yaml b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_all.yaml index d731eade..75c737ad 100644 --- a/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_all.yaml +++ b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_all.yaml @@ -1,7 +1,9 @@ -{{- if (get .Values "app-proxy").singleNamespace }} +{{- define "argo-cd.namespaced-rbac.all" }} +{{- if (index .Values "global" "runtime").singleNamespace }} {{- include "argo-cd.namespaced-rbac.serviceaccount" . }} --- {{- include "argo-cd.namespaced-rbac.role" . }} --- {{- include "argo-cd.namespaced-rbac.rolebinding" . }} -{{- end }} \ No newline at end of file +{{- end }} +{{- end }} diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/_env.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/_env.yaml index 1321e06c..93b22042 100644 
--- a/charts/gitops-runtime/templates/_components/gitops-operator/_env.yaml +++ b/charts/gitops-runtime/templates/_components/gitops-operator/_env.yaml @@ -15,7 +15,7 @@ COMMIT_STATUS_POLLING_INTERVAL: {{ .Values.config.commitStatusPollingInterval }} WORKFLOW_MONITOR_POLLING_INTERVAL: {{ .Values.config.workflowMonitorPollingInterval }} MAX_CONCURRENT_RELEASES: {{ .Values.config.maxConcurrentReleases }} PROMOTION_WRAPPER_TEMPLATE: {{ .Values.config.promotionWrapperTemplate | quote }} -RUNTIME_SINGLE_NAMESPACE: {{ (get .Values "app-proxy").singleNamespace }} +RUNTIME_SINGLE_NAMESPACE: {{ .Values.global.runtime.singleNamespace }} {{- end }} {{- define "gitops-operator.resources.environment-variables.defaults" -}} @@ -37,7 +37,7 @@ NAMESPACE: valueFrom: fieldRef: fieldPath: metadata.namespace -RUNTIME_VERSION: +RUNTIME_VERSION: valueFrom: configMapKeyRef: name: codefresh-cm diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/crds/_all.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/crds/_all.yaml index d7d598f9..9aabfeef 100644 --- a/charts/gitops-runtime/templates/_components/gitops-operator/crds/_all.yaml +++ b/charts/gitops-runtime/templates/_components/gitops-operator/crds/_all.yaml @@ -14,7 +14,7 @@ --- {{- include "gitops-operator.crds.product" $context }} --- - {{- if not (get .Values "app-proxy").singleNamespace }} + {{- if not (get .Values.global "runtime").singleNamespace }} {{- include "gitops-operator.crds.restricted-gitsource" $context }} {{- end }} --- diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/promotion-template/_rbac.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/promotion-template/_rbac.yaml index 812ae1dd..f41bc088 100644 --- a/charts/gitops-runtime/templates/_components/gitops-operator/promotion-template/_rbac.yaml +++ b/charts/gitops-runtime/templates/_components/gitops-operator/promotion-template/_rbac.yaml 
@@ -1,7 +1,7 @@ {{- define "gitops-operator.resources.promotion-template-rbac" }} apiVersion: rbac.authorization.k8s.io/v1 -kind: {{ .Values.singleNamespace | ternary "Role" "ClusterRole" }} +kind: {{ .Values.global.runtime.singleNamespace | ternary "Role" "ClusterRole" }} metadata: labels: {{- include "gitops-operator.selectorLabels" . | nindent 4 }} @@ -45,14 +45,14 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 -kind: {{ .Values.singleNamespace | ternary "RoleBinding" "ClusterRoleBinding" }} +kind: {{ .Values.global.runtime.singleNamespace | ternary "RoleBinding" "ClusterRoleBinding" }} metadata: labels: {{- include "gitops-operator.selectorLabels" . | nindent 4 }} name: promotion-template roleRef: apiGroup: rbac.authorization.k8s.io - kind: {{ .Values.singleNamespace | ternary "Role" "ClusterRole" }} + kind: {{ .Values.global.runtime.singleNamespace | ternary "Role" "ClusterRole" }} name: promotion-template subjects: - kind: ServiceAccount diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_all.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_all.yaml index db0a7c7a..0a0d6f33 100644 --- a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_all.yaml +++ b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_all.yaml @@ -13,7 +13,7 @@ --- {{- include "gitops-operator.resources.leader-election-rbac" $context }} --- - {{- if not (get .Values "app-proxy").singleNamespace }} + {{- if not (get .Values.global "runtime").singleNamespace }} {{- include "gitops-operator.resources.restricted-git-source-rbac" $context }} {{- end }} --- diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_auth_proxy_rbac.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_auth_proxy_rbac.yaml index 96f47030..f9d687eb 100644 --- a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_auth_proxy_rbac.yaml 
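Review bot: Each `kind:` line now pipes `.Values.global.runtime.singleNamespace` straight into `ternary`, which requires a boolean; if the key is missing from the merged values, for example on an upgrade with `--reuse-values` from a release that predates it, rendering fails with a type error instead of falling back to cluster scope. A default keeps the old behaviour: `kind: {{ .Values.global.runtime.singleNamespace | default false | ternary "Role" "ClusterRole" }}`. The same applies to the _auth_proxy_rbac.yaml, _rbac_operator.yaml and workflows-crb.yaml hunks of this patch; the values.yaml hunk that may declare the default is outside this view. The patch also reads the flag three ways (`.Values.global.runtime.singleNamespace`, `(index .Values "global" "runtime").singleNamespace`, `(get .Values.global "runtime").singleNamespace`), and one form throughout would be easier to search for.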
+++ b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_auth_proxy_rbac.yaml @@ -1,7 +1,7 @@ {{- define "gitops-operator.resources.auth-proxy-rbac" }} apiVersion: rbac.authorization.k8s.io/v1 -kind: {{ .Values.singleNamespace | ternary "Role" "ClusterRole" }} +kind: {{ .Values.global.runtime.singleNamespace | ternary "Role" "ClusterRole" }} metadata: labels: {{- include "gitops-operator.selectorLabels" . | nindent 4 }} @@ -22,14 +22,14 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 -kind: {{ .Values.singleNamespace | ternary "RoleBinding" "ClusterRoleBinding" }} +kind: {{ .Values.global.runtime.singleNamespace | ternary "RoleBinding" "ClusterRoleBinding" }} metadata: labels: {{- include "gitops-operator.selectorLabels" . | nindent 4 }} name: codefresh-gitops-operator-proxy roleRef: apiGroup: rbac.authorization.k8s.io - kind: {{ .Values.singleNamespace | ternary "Role" "ClusterRole" }} + kind: {{ .Values.global.runtime.singleNamespace | ternary "Role" "ClusterRole" }} name: codefresh-gitops-operator-proxy subjects: - kind: ServiceAccount diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_rbac_operator.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_rbac_operator.yaml index 317b55a7..ed0234c4 100644 --- a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_rbac_operator.yaml +++ b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_rbac_operator.yaml @@ -1,7 +1,7 @@ {{- define "gitops-operator.resources.rbac-operator" }} apiVersion: rbac.authorization.k8s.io/v1 -kind: {{ .Values.singleNamespace | ternary "Role" "ClusterRole" }} +kind: {{ .Values.global.runtime.singleNamespace | ternary "Role" "ClusterRole" }} metadata: labels: {{- include "gitops-operator.selectorLabels" . | nindent 4 }} 
@@ -26,7 +26,7 @@ rules: - patch - update - watch -{{- if not .Values.singleNamespace }} +{{- if not .Values.global.runtime.singleNamespace }} - apiGroups: - codefresh.io resources: @@ -72,7 +72,7 @@ rules: - list - watch --- -{{- if .Values.singleNamespace }} +{{- if .Values.global.runtime.singleNamespace }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -194,14 +194,14 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 -kind: {{ .Values.singleNamespace | ternary "RoleBinding" "ClusterRoleBinding" }} +kind: {{ .Values.global.runtime.singleNamespace | ternary "RoleBinding" "ClusterRoleBinding" }} metadata: labels: {{- include "gitops-operator.selectorLabels" . | nindent 4 }} name: codefresh-gitops-operator roleRef: apiGroup: rbac.authorization.k8s.io - kind: {{ .Values.singleNamespace | ternary "Role" "ClusterRole" }} + kind: {{ .Values.global.runtime.singleNamespace | ternary "Role" "ClusterRole" }} name: codefresh-gitops-operator subjects: - kind: ServiceAccount @@ -209,15 +209,15 @@ subjects: namespace: {{ .Release.Namespace }} --- apiVersion: rbac.authorization.k8s.io/v1 -kind: {{ .Values.singleNamespace | ternary "RoleBinding" "ClusterRoleBinding" }} +kind: {{ .Values.global.runtime.singleNamespace | ternary "RoleBinding" "ClusterRoleBinding" }} metadata: labels: {{- include "gitops-operator.selectorLabels" . | nindent 4 }} name: codefresh-gitops-operator-workflows roleRef: apiGroup: rbac.authorization.k8s.io - kind: {{ .Values.singleNamespace | ternary "Role" "ClusterRole" }} - name: {{ .Values.singleNamespace | ternary "argo-role" "argo-edit" }} + kind: {{ .Values.global.runtime.singleNamespace | ternary "Role" "ClusterRole" }} + name: {{ .Values.global.runtime.singleNamespace | ternary "argo-role" "argo-edit" }} subjects: - kind: ServiceAccount name: {{ include "gitops-operator.serviceAccountName" . }} 
diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_restricted_git_source.rbac.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_restricted_git_source.rbac.yaml index 913d131d..34c13029 100644 --- a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_restricted_git_source.rbac.yaml +++ b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_restricted_git_source.rbac.yaml @@ -1,6 +1,6 @@ {{- define "gitops-operator.resources.restricted-git-source-rbac" }} - {{- if not .Values.singleNamespace }} + {{- if not .Values.global.runtime.singleNamespace }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: diff --git a/charts/gitops-runtime/templates/app-proxy/workflows-crb.yaml b/charts/gitops-runtime/templates/app-proxy/workflows-crb.yaml index 35010bf0..02b8dc3d 100644 --- a/charts/gitops-runtime/templates/app-proxy/workflows-crb.yaml +++ b/charts/gitops-runtime/templates/app-proxy/workflows-crb.yaml @@ -4,12 +4,12 @@ {{- $_ := set $appProxyContext "Values" (deepCopy (get .Values "app-proxy")) }} {{- $_ := set $appProxyContext.Values "global" (deepCopy (get .Values "global")) }} apiVersion: rbac.authorization.k8s.io/v1 -kind: {{ $appProxyContext.Values.singleNamespace | ternary "RoleBinding" "ClusterRoleBinding" }} +kind: {{ $appProxyContext.Values.global.runtime.singleNamespace | ternary "RoleBinding" "ClusterRoleBinding" }} metadata: name: cap-app-proxy-argo-workflows roleRef: apiGroup: rbac.authorization.k8s.io - kind: {{ $appProxyContext.Values.singleNamespace | ternary "Role" "ClusterRole" }} + kind: {{ $appProxyContext.Values.global.runtime.singleNamespace | ternary "Role" "ClusterRole" }} name: {{ include "codefresh-gitops-runtime.argo-workflows.server.name" . }} subjects: - kind: ServiceAccount diff --git a/charts/gitops-runtime/templates/codefresh-cm.yaml b/charts/gitops-runtime/templates/codefresh-cm.yaml index 3fba68b9..40fef25e 100644 
--- a/charts/gitops-runtime/templates/codefresh-cm.yaml +++ b/charts/gitops-runtime/templates/codefresh-cm.yaml @@ -14,6 +14,6 @@ data: ingressClassName: {{ .Values.global.runtime.ingress.className | default "" | quote }} ingressController: {{ .Values.global.runtime.ingress.className | default "" | quote }} ingressHost: {{ include "codefresh-gitops-runtime.ingress-url" . }} - isConfigurationRuntime: {{ .Values.global.runtime.isConfigurationRuntime | quote }} - singleNamespace: {{ (get .Values "app-proxy").singleNamespace | quote }} - version: {{ .Chart.AppVersion }} \ No newline at end of file + isConfigurationRuntime: {{ .Values.global.runtime.isConfigurationRuntime | quote }} + singleNamespace: {{ .Values.global.runtime.singleNamespace | quote }} + version: {{ .Chart.AppVersion }} diff --git a/charts/gitops-runtime/values.yaml b/charts/gitops-runtime/values.yaml index c369ad5c..284557c1 100644 --- a/charts/gitops-runtime/values.yaml +++ b/charts/gitops-runtime/values.yaml @@ -49,6 +49,8 @@ global: cluster: https://kubernetes.default.svc # -- Defines whether this is a Codefresh hosted runtime. Should not be changed. codefreshHosted: false + # -- Runtime single namespace mode. When true, runtime operates in single namespace scope. + singleNamespace: true # -- Ingress settings ingress: # -- if set to true, the pre-install hook will validate the existance of appropriate values, but *will not* attempt to make a web request to the ingress host @@ -519,8 +521,6 @@ tunnel-client: #----------------------------------------------------------------------------------------------------------------------- app-proxy: replicaCount: 1 - # -- Runtime single namespace mode. When true, runtime operates in single namespace scope. - singleNamespace: false # -- Image enrichment process configuration image-enrichment: # -- Enable or disable enrichment process. Please note that for enrichemnt, argo-workflows has to be enabled as well. 
@@ -713,8 +713,6 @@ gitops-operator: annotations: {} # -- Additional labels for gitops operator CRDs additionalLabels: {} - # -- Restrict the gitops operator to a single namespace (by the namespace of Helm release) - singleNamespace: false # -- GitOps operator configuration config: # -- Task polling interval From 09faa34e9ffe4460afe2f5e9ab40d150668c43ee Mon Sep 17 00:00:00 2001 From: shirtabachii Date: Mon, 25 Aug 2025 14:51:53 +0300 Subject: [PATCH 16/27] wip --- .../templates/app-proxy/argocd-namespaced-rbac.yaml | 1 + 1 file changed, 1 insertion(+) create mode 100644 charts/gitops-runtime/templates/app-proxy/argocd-namespaced-rbac.yaml diff --git a/charts/gitops-runtime/templates/app-proxy/argocd-namespaced-rbac.yaml b/charts/gitops-runtime/templates/app-proxy/argocd-namespaced-rbac.yaml new file mode 100644 index 00000000..401556a0 --- /dev/null +++ b/charts/gitops-runtime/templates/app-proxy/argocd-namespaced-rbac.yaml @@ -0,0 +1 @@ +{{- include "argo-cd.namespaced-rbac.all" . }} From 70b4b0588dbd647cd788248cd12fbf3fb6bb1220 Mon Sep 17 00:00:00 2001 From: shirtabachii Date: Mon, 25 Aug 2025 14:57:10 +0300 Subject: [PATCH 17/27] wip --- charts/gitops-runtime/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/gitops-runtime/values.yaml b/charts/gitops-runtime/values.yaml index 284557c1..dbba7c43 100644 --- a/charts/gitops-runtime/values.yaml +++ b/charts/gitops-runtime/values.yaml @@ -50,7 +50,7 @@ global: # -- Defines whether this is a Codefresh hosted runtime. Should not be changed. codefreshHosted: false # -- Runtime single namespace mode. When true, runtime operates in single namespace scope. - singleNamespace: true + singleNamespace: false # -- Ingress settings ingress: # -- if set to true, the pre-install hook will validate the existance of appropriate values, but *will not* attempt to make a web request to the ingress host From 62807f644c0030f25cd522e543ee8360cc4947e4 Mon Sep 17 00:00:00 2001 
From: shirtabachii Date: Mon, 25 Aug 2025 18:29:03 +0300 Subject: [PATCH 18/27] wip --- .../cap-app-proxy/argo-cd/_role.yaml | 23 ++++++------------- 1 file changed, 7 insertions(+), 16 deletions(-) diff --git a/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_role.yaml b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_role.yaml index 9d138964..9656aa3b 100644 --- a/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_role.yaml +++ b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_role.yaml @@ -8,19 +8,10 @@ metadata: {{- include "codefresh-gitops-runtime.labels" . | nindent 4 }} codefresh.io/component: argocd-namespaced-rbac rules: -- apiGroups: [""] - resources: ["pods", "services", "endpoints", "persistentvolumeclaims", "events", "configmaps", "secrets", "serviceaccounts"] - verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] -- apiGroups: ["apps"] - resources: ["deployments", "replicasets", "statefulsets", "daemonsets"] - verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] -- apiGroups: ["batch"] - resources: ["jobs", "cronjobs"] - verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] -- apiGroups: ["networking.k8s.io"] - resources: ["ingresses", "networkpolicies"] - verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] -- apiGroups: ["rbac.authorization.k8s.io"] - resources: ["roles", "rolebindings"] - verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] -{{- end }} \ No newline at end of file +- apiGroups: + - '*' + resources: + - '*' + verbs: + - '*' +{{- end }} From 31c5308926cced397644d8e5010ffe5d85a87ff0 Mon Sep 17 00:00:00 2001 
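Review bot: The replacement rule in `_role.yaml` (`apiGroups: '*'`, `resources: '*'`, `verbs: '*'`) grants the bound subject every verb on every namespaced resource, including `secrets`, `roles` and `rolebindings`, where the removed rules listed five API groups explicitly. A wildcard also silently covers any API group or CRD added to the cluster later, so the grant grows without a chart change. If the enumerated list was too narrow, I would add the specific missing groups and resources instead. If the wildcard is really required, record that above `rules:`, e.g. `# wildcard is intentional: <reason>; scope is limited to the release namespace by the Role kind`. The define starts outside the hunk.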
From: Noam Gal Date: Tue, 26 Aug 2025 09:54:33 +0300 Subject: [PATCH 19/27] added argocd-manager SA secret --- .../_components/cap-app-proxy/argo-cd/_all.yaml | 2 ++ .../_components/cap-app-proxy/argo-cd/_secret.yaml | 9 +++++++++ 2 files changed, 11 insertions(+) create mode 100644 charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_secret.yaml diff --git a/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_all.yaml b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_all.yaml index 75c737ad..cf8716c7 100644 --- a/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_all.yaml +++ b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_all.yaml @@ -2,6 +2,8 @@ {{- if (index .Values "global" "runtime").singleNamespace }} {{- include "argo-cd.namespaced-rbac.serviceaccount" . }} --- +{{- include "argo-cd.namespaced-rbac.secret" . }} +--- {{- include "argo-cd.namespaced-rbac.role" . }} --- {{- include "argo-cd.namespaced-rbac.rolebinding" . }} diff --git a/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_secret.yaml b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_secret.yaml new file mode 100644 index 00000000..63100462 --- /dev/null +++ b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_secret.yaml @@ -0,0 +1,9 @@ +{{- define "argo-cd.namespaced-rbac.secret" }} +apiVersion: v1 +kind: Secret +metadata: + name: argocd-manager-long-lived-token + annotations: + kubernetes.io/service-account.name: argocd-manager +type: kubernetes.io/service-account-token +{{- end }} From 95c55da368c5d99fa80311da74b828ba8283d7a4 Mon Sep 17 00:00:00 2001 From: Philip Kotliyakov Date: Tue, 26 Aug 2025 18:23:03 +0300 Subject: [PATCH 20/27] removed duplicated include --- .../templates/_components/cap-app-proxy/_all_resources.yaml | 1 - 1 file changed, 1 deletion(-) 
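Review bot: The new `argocd-manager-long-lived-token` Secret of type `kubernetes.io/service-account-token` creates a token for `argocd-manager` that does not expire and stays valid until the Secret or the service account is deleted. Anyone who can read Secrets in the release namespace therefore holds that account's rights indefinitely, and those rights are presumably the namespaced Role from this series. If the consumer needs a static token, I would state that above `kind: Secret`, e.g. `# non-expiring SA token required by <consumer>; rotate by deleting and recreating this Secret`, and add the chart's standard labels so the object is attributable to the release. Otherwise a bound, time-limited token (TokenRequest API or a projected service-account volume) is the safer default. The Secret name is also fixed rather than release-scoped, which is only safe while each runtime lives in its own namespace.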
diff --git a/charts/gitops-runtime/templates/_components/cap-app-proxy/_all_resources.yaml b/charts/gitops-runtime/templates/_components/cap-app-proxy/_all_resources.yaml index d60f456b..3941e62c 100644 --- a/charts/gitops-runtime/templates/_components/cap-app-proxy/_all_resources.yaml +++ b/charts/gitops-runtime/templates/_components/cap-app-proxy/_all_resources.yaml @@ -11,5 +11,4 @@ --- {{ include "cap-app-proxy.resources.sa" .}} --- - {{ include "argo-cd.namespaced-rbac.all" . }} {{- end }} From 5798335f843890532d95bf227b8eca334d50696e Mon Sep 17 00:00:00 2001 From: shirtabachii Date: Wed, 27 Aug 2025 15:18:51 +0300 Subject: [PATCH 21/27] wip --- charts/gitops-runtime/README.md.gotmpl | 58 +++++++++++++++++++ .../event-reporter/_rbac.yaml | 1 + .../sources-server/_rbac.yaml | 1 + 3 files changed, 60 insertions(+) diff --git a/charts/gitops-runtime/README.md.gotmpl b/charts/gitops-runtime/README.md.gotmpl index 837a55c8..e10629ad 100644 --- a/charts/gitops-runtime/README.md.gotmpl +++ b/charts/gitops-runtime/README.md.gotmpl 
@@ -15,6 +15,64 @@ See [Use OCI-based registries](https://helm.sh/docs/topics/registries/) ## Codefresh official documentation: Prior to running the installation please see the official documentation at: https://codefresh.io/docs/docs/installation/gitops/hybrid-gitops-helm-installation/ +To achieve this, configure your Runtimes to run in namespaced mode, which uses Roles instead of ClusterRoles. See the values.yaml example below: + +## Multi Runtime Installation +You can install multiple Codefresh GitOps Runtimes in the same cluster, as long as each Runtime is deployed in its own namespace and manages only the applications in that namespace. +To achieve this, configure your Runtimes to run in namespaced mode by setting `global.runtime.singleNamespace=true`. See the values.yaml example below: +```yaml +global: + runtime: + singleNamespace: true +sealed-secrets: + enabled: false +argo-cd: + createClusterRoles: false + crds: + install: false + configs: + params: + application.namespaces: '' +argo-events: + controller: + rbac: + namespaced: true +argo-workflows: + crds: + install: false + singleNamespace: true + createAggregateRoles: false + controller: + clusterWorkflowTemplates: + enabled: false + server: + clusterWorkflowTemplates: + enabled: false +argo-rollouts: + enabled: false +tunnel-client: + enabled: false +``` + +Note that for the first runtime in the cluster, you have to configure it to install the CRDs, with setting these values: +```yaml +global: + runtime: + isConfigurationRuntime: true +argo-cd: + crds: + install: true +argo-workflows: + crds: + install: true +argo-rollouts: + installCRDs: true +gitops-operator: + crds: + install: true +``` + + ## Argo-workflows artifact and log storage Codefresh provides a SaaS object storage based solution for Argo workflows logs storage. The chart deploys a configmap named `codefresh-workflows-log-store` with the repository configuration. 
If you want to utilize the Codefresh SaaS solution for log storage for all workflows in the runtime please set the following values: diff --git a/charts/gitops-runtime/templates/_components/cf-argocd-extras/event-reporter/_rbac.yaml b/charts/gitops-runtime/templates/_components/cf-argocd-extras/event-reporter/_rbac.yaml index 6049e633..fbd34e3c 100644 --- a/charts/gitops-runtime/templates/_components/cf-argocd-extras/event-reporter/_rbac.yaml +++ b/charts/gitops-runtime/templates/_components/cf-argocd-extras/event-reporter/_rbac.yaml @@ -13,6 +13,7 @@ {{/* Remove nonResourceURLs when RBAC is namespaced */}} {{- $rules := $context.Values.rbac.rules }} +{{- $_ := set $context.Values.rbac "namespaced" (get .Values.global.runtime "singleNamespace") }} {{- if $context.Values.rbac.namespaced }} {{- $rules = list }} {{- range $context.Values.rbac.rules }} diff --git a/charts/gitops-runtime/templates/_components/cf-argocd-extras/sources-server/_rbac.yaml b/charts/gitops-runtime/templates/_components/cf-argocd-extras/sources-server/_rbac.yaml index 2afcec02..906e68bd 100644 --- a/charts/gitops-runtime/templates/_components/cf-argocd-extras/sources-server/_rbac.yaml +++ b/charts/gitops-runtime/templates/_components/cf-argocd-extras/sources-server/_rbac.yaml @@ -10,6 +10,7 @@ {{/* Workaround to NOT change label selectors from previous runtime release when sources-server was part of cf-argocd-extras Subchart */}} {{- $_ := set $context.Values "nameOverride" "cf-argocd-extras" }} +{{- $_ := set $context.Values.rbac "namespaced" (get .Values.global.runtime "singleNamespace") }} {{- $templateName := printf "cf-common-%s.rbac" (index .Subcharts "cf-common").Chart.Version }} {{- include $templateName $context }} From e6caaa35ed7ef8ed9fae382350a0fa6ddabc8f43 Mon Sep 17 00:00:00 2001 From: shirtabachii Date: Wed, 27 Aug 2025 15:19:35 +0300 Subject: [PATCH 22/27] wip --- charts/gitops-runtime/README.md.gotmpl | 2 -- 1 file changed, 2 deletions(-) 
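Review bot: The added `set $context.Values.rbac "namespaced" (get .Values.global.runtime "singleNamespace")` in event-reporter `_rbac.yaml` overwrites whatever `rbac.namespaced` the component values carried. A component explicitly set to `namespaced: true` is therefore widened back to cluster scope whenever the global flag is `false`, and the sources-server `_rbac.yaml` hunk adds the same line. Keeping the narrower of the two settings avoids that: `{{- $_ := set $context.Values.rbac "namespaced" (or $context.Values.rbac.namespaced .Values.global.runtime.singleNamespace) }}`. Both templates continue outside their hunks, so whether `rbac.namespaced` is user-settable is inferred from the `if $context.Values.rbac.namespaced` that follows.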
diff --git a/charts/gitops-runtime/README.md.gotmpl b/charts/gitops-runtime/README.md.gotmpl index e10629ad..14f55876 100644 --- a/charts/gitops-runtime/README.md.gotmpl +++ b/charts/gitops-runtime/README.md.gotmpl @@ -15,8 +15,6 @@ See [Use OCI-based registries](https://helm.sh/docs/topics/registries/) ## Codefresh official documentation: Prior to running the installation please see the official documentation at: https://codefresh.io/docs/docs/installation/gitops/hybrid-gitops-helm-installation/ -To achieve this, configure your Runtimes to run in namespaced mode, which uses Roles instead of ClusterRoles. See the values.yaml example below: - ## Multi Runtime Installation You can install multiple Codefresh GitOps Runtimes in the same cluster, as long as each Runtime is deployed in its own namespace and manages only the applications in that namespace. To achieve this, configure your Runtimes to run in namespaced mode by setting `global.runtime.singleNamespace=true`. See the values.yaml example below: From 900a05e78e5817414b679c70e77c85b0f27e91a0 Mon Sep 17 00:00:00 2001 From: shirtabachii Date: Wed, 27 Aug 2025 15:44:49 +0300 Subject: [PATCH 23/27] wip --- charts/gitops-runtime/README.md.gotmpl | 3 ++ .../values-multi-runtimes-first.yaml | 15 ++++++++ .../gitops-runtime/values-multi-runtimes.yaml | 34 +++++++++++++++++++ 3 files changed, 52 insertions(+) create mode 100644 charts/gitops-runtime/values-multi-runtimes-first.yaml create mode 100644 charts/gitops-runtime/values-multi-runtimes.yaml diff --git a/charts/gitops-runtime/README.md.gotmpl b/charts/gitops-runtime/README.md.gotmpl index 14f55876..5a2874a5 100644 --- a/charts/gitops-runtime/README.md.gotmpl +++ b/charts/gitops-runtime/README.md.gotmpl @@ -50,6 +50,9 @@ argo-rollouts: enabled: false tunnel-client: enabled: false +gitops-operator: + crds: + install: false ``` Note that for the first runtime in the cluster, you have to configure it to install the CRDs, with setting these values: 
diff --git a/charts/gitops-runtime/values-multi-runtimes-first.yaml b/charts/gitops-runtime/values-multi-runtimes-first.yaml new file mode 100644 index 00000000..8fcdc2dc --- /dev/null +++ b/charts/gitops-runtime/values-multi-runtimes-first.yaml @@ -0,0 +1,15 @@ +## Values for the first runtime in a multi-runtime cluster (installing CRDs on the cluster) +global: + runtime: + isConfigurationRuntime: true +argo-cd: + crds: + install: true +argo-workflows: + crds: + install: true +argo-rollouts: + installCRDs: true +gitops-operator: + crds: + install: true diff --git a/charts/gitops-runtime/values-multi-runtimes.yaml b/charts/gitops-runtime/values-multi-runtimes.yaml new file mode 100644 index 00000000..8f5faad8 --- /dev/null +++ b/charts/gitops-runtime/values-multi-runtimes.yaml @@ -0,0 +1,34 @@ +global: + runtime: + singleNamespace: true +sealed-secrets: + enabled: false +argo-cd: + createClusterRoles: false + crds: + install: false + configs: + params: + application.namespaces: '' +argo-events: + controller: + rbac: + namespaced: true +argo-workflows: + crds: + install: false + singleNamespace: true + createAggregateRoles: false + controller: + clusterWorkflowTemplates: + enabled: false + server: + clusterWorkflowTemplates: + enabled: false +argo-rollouts: + enabled: false +tunnel-client: + enabled: false +gitops-operator: + crds: + install: false From 63d8780f02ec56a806dddcd3139aa7b2b29f22b1 Mon Sep 17 00:00:00 2001 From: shirtabachii Date: Thu, 28 Aug 2025 11:54:03 +0300 Subject: [PATCH 24/27] wip --- charts/gitops-runtime/README.md | 76 +++++++++++++++++++++++--- charts/gitops-runtime/README.md.gotmpl | 4 ++ 2 files changed, 73 insertions(+), 7 deletions(-) diff --git a/charts/gitops-runtime/README.md b/charts/gitops-runtime/README.md index 07345b48..d4389db8 100644 --- a/charts/gitops-runtime/README.md +++ b/charts/gitops-runtime/README.md 
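Review bot: `values-multi-runtimes-first.yaml` never sets `global.runtime.singleNamespace: true`, so applied on its own it installs the first runtime with the chart default `false`, which the README warning added later in this series describes as unsupported for multi-runtime clusters. Its header comment should say that the file is an overlay, e.g. `## Apply on top of values-multi-runtimes.yaml (-f values-multi-runtimes.yaml -f values-multi-runtimes-first.yaml); overrides only CRD installation and isConfigurationRuntime`. Alternatively, add `singleNamespace: true` under `global.runtime` in this file so it is safe when used alone.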
@@ -15,6 +15,68 @@ See [Use OCI-based registries](https://helm.sh/docs/topics/registries/) ## Codefresh official documentation: Prior to running the installation please see the official documentation at: https://codefresh.io/docs/docs/installation/gitops/hybrid-gitops-helm-installation/ +## Multi Runtime Installation +You can install multiple Codefresh GitOps Runtimes in the same cluster, as long as each Runtime is deployed in its own namespace and manages only the applications in that namespace. +To achieve this, configure your Runtimes to run in namespaced mode by setting `global.runtime.singleNamespace=true`. See the values.yaml example below: +```yaml +global: + runtime: + singleNamespace: true +sealed-secrets: + enabled: false +argo-cd: + createClusterRoles: false + crds: + install: false + configs: + params: + application.namespaces: '' +argo-events: + controller: + rbac: + namespaced: true +argo-workflows: + crds: + install: false + singleNamespace: true + createAggregateRoles: false + controller: + clusterWorkflowTemplates: + enabled: false + server: + clusterWorkflowTemplates: + enabled: false +argo-rollouts: + enabled: false +tunnel-client: + enabled: false +gitops-operator: + crds: + install: false +``` + +Note that for the first runtime in the cluster, you have to configure it to install the CRDs, with setting these values: +```yaml +global: + runtime: + isConfigurationRuntime: true +argo-cd: + crds: + install: true +argo-workflows: + crds: + install: true +argo-rollouts: + installCRDs: true +gitops-operator: + crds: + install: true +``` + +> [!WARNING] +> If you want more than one runtime in your cluster, make sure that all of the runtimes in your cluster are configured with `global.runtime.singleNamespace=true`. +> If you already have a runtime installed in the cluster without this setting, multi runtime installation is not supported. 
+ ## Argo-workflows artifact and log storage Codefresh provides a SaaS object storage based solution for Argo workflows logs storage. The chart deploys a configmap named `codefresh-workflows-log-store` with the repository configuration. If you want to utilize the Codefresh SaaS solution for log storage for all workflows in the runtime please set the following values: @@ -395,14 +457,14 @@ gitops-operator: | app-proxy.image-enrichment.serviceAccount.name | string | `"codefresh-image-enrichment-sa"` | Name of the service account to create or the name of the existing one to use | | app-proxy.image.pullPolicy | string | `"IfNotPresent"` | | | app-proxy.image.repository | string | `"quay.io/codefresh/cap-app-proxy"` | | -| app-proxy.image.tag | string | `"1.3706.0"` | | +| app-proxy.image.tag | string | `"1.3718.0"` | | | app-proxy.imagePullSecrets | list | `[]` | | | app-proxy.initContainer.command[0] | string | `"./init.sh"` | | | app-proxy.initContainer.env | object | `{}` | | | app-proxy.initContainer.extraVolumeMounts | list | `[]` | Extra volume mounts for init container | | app-proxy.initContainer.image.pullPolicy | string | `"IfNotPresent"` | | | app-proxy.initContainer.image.repository | string | `"quay.io/codefresh/cap-app-proxy-init"` | | -| app-proxy.initContainer.image.tag | string | `"1.3706.0"` | | +| app-proxy.initContainer.image.tag | string | `"1.3718.0"` | | | app-proxy.initContainer.resources.limits | object | `{}` | | | app-proxy.initContainer.resources.requests.cpu | string | `"0.2"` | | | app-proxy.initContainer.resources.requests.memory | string | `"256Mi"` | | 
@@ -549,6 +611,7 @@ gitops-operator: | event-reporters.workflow.sensor.tolerations | list | `[]` | | | event-reporters.workflow.serviceAccount.create | bool | `true` | | | gitops-operator.affinity | object | `{}` | | +| gitops-operator.config | object | `{"commitStatusPollingInterval":"10s","maxConcurrentReleases":100,"promotionWrapperTemplate":"","taskPollingInterval":"10s","workflowMonitorPollingInterval":"10s"}` | GitOps operator configuration | | gitops-operator.config.commitStatusPollingInterval | string | `"10s"` | Commit status polling interval | | gitops-operator.config.maxConcurrentReleases | int | `100` | Maximum number of concurrent releases being processed by the operator (this will not affect the number of releases being processed by the gitops runtime) | | gitops-operator.config.promotionWrapperTemplate | string | `""` | An optional template for the promotion wrapper (empty default will use the embedded one) | @@ -561,9 +624,7 @@ gitops-operator: | gitops-operator.crds.keep | bool | `false` | Keep CRDs if gitops runtime release is uninstalled | | gitops-operator.enabled | bool | `true` | | | gitops-operator.fullnameOverride | string | `""` | | -| gitops-operator.image.registry | string | `"quay.io"` | defaults | -| gitops-operator.image.repository | string | `"codefresh/codefresh-gitops-operator"` | | -| gitops-operator.image.tag | string | `"v0.11.1"` | | +| gitops-operator.image | object | `{"registry":"quay.io","repository":"codefresh/codefresh-gitops-operator","tag":"v0.11.1"}` | GitOps operator image | | gitops-operator.imagePullSecrets | list | `[]` | | | gitops-operator.nameOverride | string | `""` | | | gitops-operator.nodeSelector | object | `{}` | | 
@@ -616,7 +677,7 @@ gitops-operator: | global.httpsProxy | string | `""` | global HTTPS_PROXY for all components | | global.noProxy | string | `""` | global NO_PROXY for all components | | global.nodeSelector | object | `{}` | Global nodeSelector for all components | -| global.runtime | object | `{"cluster":"https://kubernetes.default.svc","codefreshHosted":false,"eventBus":{"annotations":{},"jetstream":{"affinity":{},"containerTemplate":{"resources":{"limits":{"cpu":"500m","ephemeral-storage":"2Gi","memory":"4Gi"},"requests":{"cpu":"200m","ephemeral-storage":"2Gi","memory":"1Gi"}}},"maxPayload":"4MB","metadata":{"labels":{"app.kubernetes.io/name":"codefresh-eventbus"}},"nodeSelector":{},"replicas":3,"tolerations":[],"version":"latest"},"name":"","nats":{"native":{"affinity":{},"auth":"token","containerTemplate":{"resources":{"limits":{"cpu":"500m","ephemeral-storage":"2Gi","memory":"4Gi"},"requests":{"cpu":"200m","ephemeral-storage":"2Gi","memory":"1Gi"}}},"maxPayload":"4MB","metadata":{"labels":{"app.kubernetes.io/name":"codefresh-eventbus"}},"nodeSelector":{},"replicas":3,"tolerations":[]}},"pdb":{"enabled":true,"minAvailable":2},"type":"nats"},"gitCredentials":{"password":{"secretKeyRef":{},"value":null},"username":"username"},"ingress":{"annotations":{},"className":"nginx","enabled":false,"hosts":[],"labels":{},"protocol":"https","skipValidation":false,"tls":[]},"ingressUrl":"","isConfigurationRuntime":false,"name":null}` | Runtime level settings | +| global.runtime | object | 
`{"cluster":"https://kubernetes.default.svc","codefreshHosted":false,"eventBus":{"annotations":{},"jetstream":{"affinity":{},"containerTemplate":{"resources":{"limits":{"cpu":"500m","ephemeral-storage":"2Gi","memory":"4Gi"},"requests":{"cpu":"200m","ephemeral-storage":"2Gi","memory":"1Gi"}}},"maxPayload":"4MB","metadata":{"labels":{"app.kubernetes.io/name":"codefresh-eventbus"}},"nodeSelector":{},"replicas":3,"tolerations":[],"version":"latest"},"name":"","nats":{"native":{"affinity":{},"auth":"token","containerTemplate":{"resources":{"limits":{"cpu":"500m","ephemeral-storage":"2Gi","memory":"4Gi"},"requests":{"cpu":"200m","ephemeral-storage":"2Gi","memory":"1Gi"}}},"maxPayload":"4MB","metadata":{"labels":{"app.kubernetes.io/name":"codefresh-eventbus"}},"nodeSelector":{},"replicas":3,"tolerations":[]}},"pdb":{"enabled":true,"minAvailable":2},"type":"nats"},"gitCredentials":{"password":{"secretKeyRef":{},"value":null},"username":"username"},"ingress":{"annotations":{},"className":"nginx","enabled":false,"hosts":[],"labels":{},"protocol":"https","skipValidation":false,"tls":[]},"ingressUrl":"","isConfigurationRuntime":false,"name":null,"singleNamespace":false}` | Runtime level settings | | global.runtime.cluster | string | `"https://kubernetes.default.svc"` | Runtime cluster. Should not be changed. | | global.runtime.codefreshHosted | bool | `false` | Defines whether this is a Codefresh hosted runtime. Should not be changed. 
| | global.runtime.eventBus | object | `{"annotations":{},"jetstream":{"affinity":{},"containerTemplate":{"resources":{"limits":{"cpu":"500m","ephemeral-storage":"2Gi","memory":"4Gi"},"requests":{"cpu":"200m","ephemeral-storage":"2Gi","memory":"1Gi"}}},"maxPayload":"4MB","metadata":{"labels":{"app.kubernetes.io/name":"codefresh-eventbus"}},"nodeSelector":{},"replicas":3,"tolerations":[],"version":"latest"},"name":"","nats":{"native":{"affinity":{},"auth":"token","containerTemplate":{"resources":{"limits":{"cpu":"500m","ephemeral-storage":"2Gi","memory":"4Gi"},"requests":{"cpu":"200m","ephemeral-storage":"2Gi","memory":"1Gi"}}},"maxPayload":"4MB","metadata":{"labels":{"app.kubernetes.io/name":"codefresh-eventbus"}},"nodeSelector":{},"replicas":3,"tolerations":[]}},"pdb":{"enabled":true,"minAvailable":2},"type":"nats"}` | Runtime eventbus | 
@@ -637,6 +698,7 @@ gitops-operator: | global.runtime.ingressUrl | string | `""` | Explicit url for runtime ingress. Provide this value only if you don't want the chart to create and ingress (global.runtime.ingress.enabled=false) and tunnel-client is not used (tunnel-client.enabled=false) | | global.runtime.isConfigurationRuntime | bool | `false` | is the runtime set as a "configuration runtime". | | global.runtime.name | string | `nil` | Runtime name. Must be unique per platform account. | +| global.runtime.singleNamespace | bool | `false` | Runtime single namespace mode. When true, runtime operates in single namespace scope. | | global.tolerations | list | `[]` | Global tolerations for all components | | installer | object | `{"affinity":{},"argoCdVersionCheck":{"argoServerLabels":{"app.kubernetes.io/component":"server","app.kubernetes.io/part-of":"argocd"}},"image":{"pullPolicy":"IfNotPresent","repository":"quay.io/codefresh/gitops-runtime-installer","tag":""},"nodeSelector":{},"skipUsageValidation":false,"skipValidation":false,"tolerations":[]}` | Runtime installer used for running hooks and checks on the release | | installer.skipUsageValidation | bool | `false` | if set to true, pre-install hook will *not* run | @@ -649,7 +711,7 @@ gitops-operator: | internal-router.fullnameOverride | string | `"internal-router"` | | | internal-router.image.pullPolicy | string | `"IfNotPresent"` | | | internal-router.image.repository | string | `"docker.io/nginxinc/nginx-unprivileged"` | | -| internal-router.image.tag | string | `"1.28-alpine3.21"` | | +| internal-router.image.tag | string | `"1.29-alpine3.22"` | | | internal-router.imagePullSecrets | list | `[]` | | | internal-router.ipv6 | object | `{"enabled":false}` | For ipv6 enabled clusters switch ipv6 enabled to true | | internal-router.nameOverride | string | `""` | | diff --git a/charts/gitops-runtime/README.md.gotmpl b/charts/gitops-runtime/README.md.gotmpl index 5a2874a5..95e10fe5 100644 
--- a/charts/gitops-runtime/README.md.gotmpl +++ b/charts/gitops-runtime/README.md.gotmpl @@ -73,6 +73,10 @@ gitops-operator: install: true ``` +> [!WARNING] +> If you want more than one runtime in your cluster, make sure that all of the runtimes in your cluster are configured with `global.runtime.singleNamespace=true`. +> If you already have a runtime installed in the cluster without this setting, multi runtime installation is not supported. + ## Argo-workflows artifact and log storage Codefresh provides a SaaS object storage based solution for Argo workflows logs storage. The chart deploys a configmap named `codefresh-workflows-log-store` with the repository configuration. From 58df90bf723e68131de559e42b6ebffa7a940308 Mon Sep 17 00:00:00 2001 From: shirtabachii Date: Thu, 28 Aug 2025 15:02:28 +0300 Subject: [PATCH 25/27] wip --- .../argo-events/argoproj.io_eventbus.yaml | 80 +++++++++---------- .../argo-events/argoproj.io_eventsources.yaml | 80 +++++++++---------- .../crds/argo-events/argoproj.io_sensors.yaml | 80 +++++++++---------- .../_components/argo-events/crds/_all.yaml | 16 ++++ .../crds/argoproj.io_eventbus.yaml | 44 ++++++++++ .../crds/argoproj.io_eventsources.yaml | 44 ++++++++++ .../argo-events/crds/argoproj.io_sensors.yaml | 44 ++++++++++ .../templates/argo-events/crds.yaml | 3 + .../gitops-runtime/values-multi-runtimes.yaml | 2 + 9 files changed, 273 insertions(+), 120 deletions(-) create mode 100644 charts/gitops-runtime/templates/_components/argo-events/crds/_all.yaml create mode 100644 charts/gitops-runtime/templates/_components/argo-events/crds/argoproj.io_eventbus.yaml create mode 100644 charts/gitops-runtime/templates/_components/argo-events/crds/argoproj.io_eventsources.yaml create mode 100644 charts/gitops-runtime/templates/_components/argo-events/crds/argoproj.io_sensors.yaml create mode 100644 charts/gitops-runtime/templates/argo-events/crds.yaml 
diff --git a/charts/gitops-runtime/crds/argo-events/argoproj.io_eventbus.yaml b/charts/gitops-runtime/crds/argo-events/argoproj.io_eventbus.yaml index c9d79737..ffdec2f9 100644 --- a/charts/gitops-runtime/crds/argo-events/argoproj.io_eventbus.yaml +++ b/charts/gitops-runtime/crds/argo-events/argoproj.io_eventbus.yaml @@ -1,40 +1,40 @@ -# This is an auto-generated file. DO NOT EDIT -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: eventbus.argoproj.io -spec: - group: argoproj.io - names: - kind: EventBus - listKind: EventBusList - plural: eventbus - shortNames: - - eb - singular: eventbus - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - type: string - kind: - type: string - metadata: - type: object - spec: - type: object - x-kubernetes-preserve-unknown-fields: true - status: - type: object - x-kubernetes-preserve-unknown-fields: true - required: - - metadata - - spec - type: object - served: true - storage: true - subresources: - status: {} +# # This is an auto-generated file. DO NOT EDIT +# apiVersion: apiextensions.k8s.io/v1 +# kind: CustomResourceDefinition +# metadata: +# name: eventbus.argoproj.io +# spec: +# group: argoproj.io +# names: +# kind: EventBus +# listKind: EventBusList +# plural: eventbus +# shortNames: +# - eb +# singular: eventbus +# scope: Namespaced +# versions: +# - name: v1alpha1 +# schema: +# openAPIV3Schema: +# properties: +# apiVersion: +# type: string +# kind: +# type: string +# metadata: +# type: object +# spec: +# type: object +# x-kubernetes-preserve-unknown-fields: true +# status: +# type: object +# x-kubernetes-preserve-unknown-fields: true +# required: +# - metadata +# - spec +# type: object +# served: true +# storage: true +# subresources: +# status: {} diff --git a/charts/gitops-runtime/crds/argo-events/argoproj.io_eventsources.yaml b/charts/gitops-runtime/crds/argo-events/argoproj.io_eventsources.yaml index 320aec42..93ce34f4 100644 
--- a/charts/gitops-runtime/crds/argo-events/argoproj.io_eventsources.yaml +++ b/charts/gitops-runtime/crds/argo-events/argoproj.io_eventsources.yaml @@ -1,40 +1,40 @@ -# This is an auto-generated file. DO NOT EDIT -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: eventsources.argoproj.io -spec: - group: argoproj.io - names: - kind: EventSource - listKind: EventSourceList - plural: eventsources - shortNames: - - es - singular: eventsource - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - type: string - kind: - type: string - metadata: - type: object - spec: - type: object - x-kubernetes-preserve-unknown-fields: true - status: - type: object - x-kubernetes-preserve-unknown-fields: true - required: - - metadata - - spec - type: object - served: true - storage: true - subresources: - status: {} +# # This is an auto-generated file. DO NOT EDIT +# apiVersion: apiextensions.k8s.io/v1 +# kind: CustomResourceDefinition +# metadata: +# name: eventsources.argoproj.io +# spec: +# group: argoproj.io +# names: +# kind: EventSource +# listKind: EventSourceList +# plural: eventsources +# shortNames: +# - es +# singular: eventsource +# scope: Namespaced +# versions: +# - name: v1alpha1 +# schema: +# openAPIV3Schema: +# properties: +# apiVersion: +# type: string +# kind: +# type: string +# metadata: +# type: object +# spec: +# type: object +# x-kubernetes-preserve-unknown-fields: true +# status: +# type: object +# x-kubernetes-preserve-unknown-fields: true +# required: +# - metadata +# - spec +# type: object +# served: true +# storage: true +# subresources: +# status: {} diff --git a/charts/gitops-runtime/crds/argo-events/argoproj.io_sensors.yaml b/charts/gitops-runtime/crds/argo-events/argoproj.io_sensors.yaml index 473fe87e..02383780 100644 --- a/charts/gitops-runtime/crds/argo-events/argoproj.io_sensors.yaml +++ b/charts/gitops-runtime/crds/argo-events/argoproj.io_sensors.yaml 
@@ -1,40 +1,40 @@ -# This is an auto-generated file. DO NOT EDIT -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: sensors.argoproj.io -spec: - group: argoproj.io - names: - kind: Sensor - listKind: SensorList - plural: sensors - shortNames: - - sn - singular: sensor - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - type: string - kind: - type: string - metadata: - type: object - spec: - type: object - x-kubernetes-preserve-unknown-fields: true - status: - type: object - x-kubernetes-preserve-unknown-fields: true - required: - - metadata - - spec - type: object - served: true - storage: true - subresources: - status: {} +# # This is an auto-generated file. DO NOT EDIT +# apiVersion: apiextensions.k8s.io/v1 +# kind: CustomResourceDefinition +# metadata: +# name: sensors.argoproj.io +# spec: +# group: argoproj.io +# names: +# kind: Sensor +# listKind: SensorList +# plural: sensors +# shortNames: +# - sn +# singular: sensor +# scope: Namespaced +# versions: +# - name: v1alpha1 +# schema: +# openAPIV3Schema: +# properties: +# apiVersion: +# type: string +# kind: +# type: string +# metadata: +# type: object +# spec: +# type: object +# x-kubernetes-preserve-unknown-fields: true +# status: +# type: object +# x-kubernetes-preserve-unknown-fields: true +# required: +# - metadata +# - spec +# type: object +# served: true +# storage: true +# subresources: +# status: {} diff --git a/charts/gitops-runtime/templates/_components/argo-events/crds/_all.yaml b/charts/gitops-runtime/templates/_components/argo-events/crds/_all.yaml new file mode 100644 index 00000000..ddcde06b --- /dev/null +++ b/charts/gitops-runtime/templates/_components/argo-events/crds/_all.yaml 
@@ -0,0 +1,16 @@
+{{- define "argo-events.crds" }}
+
+{{- $context := deepCopy . }}
+
+{{- $defaultVals := include "argo-events.default-values" . | fromYaml }}
+{{- $vals := mergeOverwrite $defaultVals (get .Values "argo-events") }}
+
+{{- $_ := set $context "Values" $vals }}
+{{- $_ := set $context.Values "global" (deepCopy (get .Values "global")) }}
+
+ {{- include "argo-events.crds.event-bus" $context }}
+---
+ {{- include "argo-events.crds.event-source" $context }}
+---
+ {{- include "argo-events.crds.sensor" $context }}
+{{- end }}
diff --git a/charts/gitops-runtime/templates/_components/argo-events/crds/argoproj.io_eventbus.yaml b/charts/gitops-runtime/templates/_components/argo-events/crds/argoproj.io_eventbus.yaml
new file mode 100644
index 00000000..34a64819
--- /dev/null
+++ b/charts/gitops-runtime/templates/_components/argo-events/crds/argoproj.io_eventbus.yaml
@@ -0,0 +1,44 @@ +# This is an auto-generated file. DO NOT EDIT +{{- define "argo-events.crds.event-bus" }} + {{- if .Values.crds.install }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: eventbus.argoproj.io +spec: + group: argoproj.io + names: + kind: EventBus + listKind: EventBusList + plural: eventbus + shortNames: + - eb + singular: eventbus + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + required: + - metadata + - spec + type: object + served: true + storage: true + subresources: + status: {} + {{- end }} +{{- end }}
diff --git a/charts/gitops-runtime/templates/_components/argo-events/crds/argoproj.io_eventsources.yaml b/charts/gitops-runtime/templates/_components/argo-events/crds/argoproj.io_eventsources.yaml
new file mode 100644
index 00000000..d7bffb9a
--- /dev/null
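Review bot: The three `include` calls in `argo-events.crds` are unconditional while the `crds.install` check sits inside each included template, so with the flag off this still renders two bare `---` separators, and the gate presumably has to be re-added by hand whenever the files marked "auto-generated, DO NOT EDIT" are regenerated. Checking once here, `{{- if $vals.crds.install }}` around the includes with a matching `{{- end }}`, would keep the generated CRD bodies free of chart logic. This assumes the merged argo-events values always carry a `crds` map; if `argo-events.default-values` does not define one, the lookup fails at render time in either layout. A short `{{/* ... */}}` comment stating that `$context.Values` is the merged argo-events values plus a copy of `global` would also help the next reader.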
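Review bot: The `metadata:` block of this CRD carries only `name`, so once the manifest is rendered from `templates/` instead of `crds/` it becomes an ordinary release object: `helm uninstall`, or an upgrade with `crds.install` switched to false, deletes the definition, and Kubernetes then removes every EventBus in the cluster, including those that belong to other runtimes. The same applies to the EventSource and Sensor templates added in the next two files. Adding `annotations:` with `"helm.sh/resource-policy": keep` under `metadata:` leaves the definitions in place when the release stops managing them. The chart docs should also say that templated CRDs are upgraded together with the release, unlike files under `crds/`.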
+++ b/charts/gitops-runtime/templates/_components/argo-events/crds/argoproj.io_eventsources.yaml @@ -0,0 +1,44 @@ +# This is an auto-generated file. DO NOT EDIT +{{- define "argo-events.crds.event-source" }} + {{- if .Values.crds.install }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: eventsources.argoproj.io +spec: + group: argoproj.io + names: + kind: EventSource + listKind: EventSourceList + plural: eventsources + shortNames: + - es + singular: eventsource + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + required: + - metadata + - spec + type: object + served: true + storage: true + subresources: + status: {} + {{- end }} +{{- end }} diff --git a/charts/gitops-runtime/templates/_components/argo-events/crds/argoproj.io_sensors.yaml b/charts/gitops-runtime/templates/_components/argo-events/crds/argoproj.io_sensors.yaml new file mode 100644 index 00000000..79737f52 --- /dev/null +++ b/charts/gitops-runtime/templates/_components/argo-events/crds/argoproj.io_sensors.yaml 
@@ -0,0 +1,44 @@ +# This is an auto-generated file. DO NOT EDIT +{{- define "argo-events.crds.sensor" }} + {{- if .Values.crds.install }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: sensors.argoproj.io +spec: + group: argoproj.io + names: + kind: Sensor + listKind: SensorList + plural: sensors + shortNames: + - sn + singular: sensor + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + required: + - metadata + - spec + type: object + served: true + storage: true + subresources: + status: {} + {{- end }} +{{- end }}
diff --git a/charts/gitops-runtime/templates/argo-events/crds.yaml b/charts/gitops-runtime/templates/argo-events/crds.yaml
new file mode 100644
index 00000000..27ce2710
--- /dev/null
+++ b/charts/gitops-runtime/templates/argo-events/crds.yaml
@@ -0,0 +1,3 @@
+{{- if and (index .Values "argo-events" "enabled") }}
+ {{- include "argo-events.crds" . }}
+{{- end }}
diff --git a/charts/gitops-runtime/values-multi-runtimes.yaml b/charts/gitops-runtime/values-multi-runtimes.yaml
index 8f5faad8..40724dc5 100644
--- a/charts/gitops-runtime/values-multi-runtimes.yaml
+++ b/charts/gitops-runtime/values-multi-runtimes.yaml
@@ -14,6 +14,8 @@ argo-events:
 controller:
 rbac:
 namespaced: true
+ crds:
+ install: false
 argo-workflows:
 crds:
 install: false
From 2d7533de96a430383f255212f1006e58035436c8 Mon Sep 17 00:00:00 2001
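Review bot: `and` on the first line of `templates/argo-events/crds.yaml` is called with a single operand, so it simply returns that operand and the condition is only `argo-events.enabled`. Either a second condition was meant or the call can be dropped: `{{- if index .Values "argo-events" "enabled" }}`. If the intent was to skip rendering when CRDs are not wanted, that check currently happens only inside the included templates.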
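Review bot: `crds.install: false` is added under `argo-events` without a comment, and with the CRDs rendered from templates behind this flag, a cluster installed only from this values file would have no EventBus, EventSource or Sensor definitions unless something else provides them. That is an inference from the gate in the new templates; how this file is combined with other values is not visible here. A comment above the key would state the expectation, for example `# CRDs are cluster-scoped and shared by all runtimes; install them once, outside this release`. The hunk shows only part of the `argo-events` and `argo-workflows` maps.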
From: shirtabachii Date: Thu, 28 Aug 2025 15:06:05 +0300 Subject: [PATCH 26/27] wip --- .../argo-events/argoproj.io_eventbus.yaml | 40 ------------------- .../argo-events/argoproj.io_eventsources.yaml | 40 ------------------- .../crds/argo-events/argoproj.io_sensors.yaml | 40 ------------------- 3 files changed, 120 deletions(-) delete mode 100644 charts/gitops-runtime/crds/argo-events/argoproj.io_eventbus.yaml delete mode 100644 charts/gitops-runtime/crds/argo-events/argoproj.io_eventsources.yaml delete mode 100644 charts/gitops-runtime/crds/argo-events/argoproj.io_sensors.yaml diff --git a/charts/gitops-runtime/crds/argo-events/argoproj.io_eventbus.yaml b/charts/gitops-runtime/crds/argo-events/argoproj.io_eventbus.yaml deleted file mode 100644 index ffdec2f9..00000000 --- a/charts/gitops-runtime/crds/argo-events/argoproj.io_eventbus.yaml +++ /dev/null @@ -1,40 +0,0 @@ -# # This is an auto-generated file. DO NOT EDIT -# apiVersion: apiextensions.k8s.io/v1 -# kind: CustomResourceDefinition -# metadata: -# name: eventbus.argoproj.io -# spec: -# group: argoproj.io -# names: -# kind: EventBus -# listKind: EventBusList -# plural: eventbus -# shortNames: -# - eb -# singular: eventbus -# scope: Namespaced -# versions: -# - name: v1alpha1 -# schema: -# openAPIV3Schema: -# properties: -# apiVersion: -# type: string -# kind: -# type: string -# metadata: -# type: object -# spec: -# type: object -# x-kubernetes-preserve-unknown-fields: true -# status: -# type: object -# x-kubernetes-preserve-unknown-fields: true -# required: -# - metadata -# - spec -# type: object -# served: true -# storage: true -# subresources: -# status: {} diff --git a/charts/gitops-runtime/crds/argo-events/argoproj.io_eventsources.yaml b/charts/gitops-runtime/crds/argo-events/argoproj.io_eventsources.yaml deleted file mode 100644 index 93ce34f4..00000000 --- a/charts/gitops-runtime/crds/argo-events/argoproj.io_eventsources.yaml +++ /dev/null 
@@ -1,40 +0,0 @@ -# # This is an auto-generated file. DO NOT EDIT -# apiVersion: apiextensions.k8s.io/v1 -# kind: CustomResourceDefinition -# metadata: -# name: eventsources.argoproj.io -# spec: -# group: argoproj.io -# names: -# kind: EventSource -# listKind: EventSourceList -# plural: eventsources -# shortNames: -# - es -# singular: eventsource -# scope: Namespaced -# versions: -# - name: v1alpha1 -# schema: -# openAPIV3Schema: -# properties: -# apiVersion: -# type: string -# kind: -# type: string -# metadata: -# type: object -# spec: -# type: object -# x-kubernetes-preserve-unknown-fields: true -# status: -# type: object -# x-kubernetes-preserve-unknown-fields: true -# required: -# - metadata -# - spec -# type: object -# served: true -# storage: true -# subresources: -# status: {} diff --git a/charts/gitops-runtime/crds/argo-events/argoproj.io_sensors.yaml b/charts/gitops-runtime/crds/argo-events/argoproj.io_sensors.yaml deleted file mode 100644 index 02383780..00000000 --- a/charts/gitops-runtime/crds/argo-events/argoproj.io_sensors.yaml +++ /dev/null @@ -1,40 +0,0 @@ -# # This is an auto-generated file. DO NOT EDIT -# apiVersion: apiextensions.k8s.io/v1 -# kind: CustomResourceDefinition -# metadata: -# name: sensors.argoproj.io -# spec: -# group: argoproj.io -# names: -# kind: Sensor -# listKind: SensorList -# plural: sensors -# shortNames: -# - sn -# singular: sensor -# scope: Namespaced -# versions: -# - name: v1alpha1 -# schema: -# openAPIV3Schema: -# properties: -# apiVersion: -# type: string -# kind: -# type: string -# metadata: -# type: object -# spec: -# type: object -# x-kubernetes-preserve-unknown-fields: true -# status: -# type: object -# x-kubernetes-preserve-unknown-fields: true -# required: -# - metadata -# - spec -# type: object -# served: true -# storage: true -# subresources: -# status: {} From 769b3ad82298305e19f1960276a59fdb46b64bc1 Mon Sep 17 00:00:00 2001 
From: shirtabachii Date: Thu, 28 Aug 2025 15:17:26 +0300 Subject: [PATCH 27/27] wip --- .../argo-events}/argoproj.io_eventbus.yaml | 4 ---- .../argo-events}/argoproj.io_eventsources.yaml | 4 ---- .../argo-events}/argoproj.io_sensors.yaml | 4 ---- .../_components/argo-events/crds/_all.yaml | 16 ---------------- .../templates/argo-events/crds.yaml | 3 --- charts/gitops-runtime/values-multi-runtimes.yaml | 2 -- 6 files changed, 33 deletions(-) rename charts/gitops-runtime/{templates/_components/argo-events/crds => crds/argo-events}/argoproj.io_eventbus.yaml (89%) rename charts/gitops-runtime/{templates/_components/argo-events/crds => crds/argo-events}/argoproj.io_eventsources.yaml (89%) rename charts/gitops-runtime/{templates/_components/argo-events/crds => crds/argo-events}/argoproj.io_sensors.yaml (89%) delete mode 100644 charts/gitops-runtime/templates/_components/argo-events/crds/_all.yaml delete mode 100644 charts/gitops-runtime/templates/argo-events/crds.yaml diff --git a/charts/gitops-runtime/templates/_components/argo-events/crds/argoproj.io_eventbus.yaml b/charts/gitops-runtime/crds/argo-events/argoproj.io_eventbus.yaml similarity index 89% rename from charts/gitops-runtime/templates/_components/argo-events/crds/argoproj.io_eventbus.yaml rename to charts/gitops-runtime/crds/argo-events/argoproj.io_eventbus.yaml index 34a64819..c9d79737 100644 --- a/charts/gitops-runtime/templates/_components/argo-events/crds/argoproj.io_eventbus.yaml +++ b/charts/gitops-runtime/crds/argo-events/argoproj.io_eventbus.yaml @@ -1,6 +1,4 @@ # This is an auto-generated file. DO NOT EDIT -{{- define "argo-events.crds.event-bus" }} - {{- if .Values.crds.install }} apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -40,5 +38,3 @@ spec: storage: true subresources: status: {} - {{- end }} -{{- end }} 
diff --git a/charts/gitops-runtime/templates/_components/argo-events/crds/argoproj.io_eventsources.yaml b/charts/gitops-runtime/crds/argo-events/argoproj.io_eventsources.yaml similarity index 89% rename from charts/gitops-runtime/templates/_components/argo-events/crds/argoproj.io_eventsources.yaml rename to charts/gitops-runtime/crds/argo-events/argoproj.io_eventsources.yaml index d7bffb9a..320aec42 100644 --- a/charts/gitops-runtime/templates/_components/argo-events/crds/argoproj.io_eventsources.yaml +++ b/charts/gitops-runtime/crds/argo-events/argoproj.io_eventsources.yaml @@ -1,6 +1,4 @@ # This is an auto-generated file. DO NOT EDIT -{{- define "argo-events.crds.event-source" }} - {{- if .Values.crds.install }} apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -40,5 +38,3 @@ spec: storage: true subresources: status: {} - {{- end }} -{{- end }} diff --git a/charts/gitops-runtime/templates/_components/argo-events/crds/argoproj.io_sensors.yaml b/charts/gitops-runtime/crds/argo-events/argoproj.io_sensors.yaml similarity index 89% rename from charts/gitops-runtime/templates/_components/argo-events/crds/argoproj.io_sensors.yaml rename to charts/gitops-runtime/crds/argo-events/argoproj.io_sensors.yaml index 79737f52..473fe87e 100644 --- a/charts/gitops-runtime/templates/_components/argo-events/crds/argoproj.io_sensors.yaml +++ b/charts/gitops-runtime/crds/argo-events/argoproj.io_sensors.yaml @@ -1,6 +1,4 @@ # This is an auto-generated file. DO NOT EDIT -{{- define "argo-events.crds.sensor" }} - {{- if .Values.crds.install }} apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -40,5 +38,3 @@ spec: storage: true subresources: status: {} - {{- end }} -{{- end }} diff --git a/charts/gitops-runtime/templates/_components/argo-events/crds/_all.yaml b/charts/gitops-runtime/templates/_components/argo-events/crds/_all.yaml deleted file mode 100644 index ddcde06b..00000000 
--- a/charts/gitops-runtime/templates/_components/argo-events/crds/_all.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-{{- define "argo-events.crds" }}
-
-{{- $context := deepCopy . }}
-
-{{- $defaultVals := include "argo-events.default-values" . | fromYaml }}
-{{- $vals := mergeOverwrite $defaultVals (get .Values "argo-events") }}
-
-{{- $_ := set $context "Values" $vals }}
-{{- $_ := set $context.Values "global" (deepCopy (get .Values "global")) }}
-
- {{- include "argo-events.crds.event-bus" $context }}
----
- {{- include "argo-events.crds.event-source" $context }}
----
- {{- include "argo-events.crds.sensor" $context }}
-{{- end }}
diff --git a/charts/gitops-runtime/templates/argo-events/crds.yaml b/charts/gitops-runtime/templates/argo-events/crds.yaml
deleted file mode 100644
index 27ce2710..00000000
--- a/charts/gitops-runtime/templates/argo-events/crds.yaml
+++ /dev/null
@@ -1,3 +0,0 @@
-{{- if and (index .Values "argo-events" "enabled") }}
- {{- include "argo-events.crds" . }}
-{{- end }}
diff --git a/charts/gitops-runtime/values-multi-runtimes.yaml b/charts/gitops-runtime/values-multi-runtimes.yaml
index 40724dc5..8f5faad8 100644
--- a/charts/gitops-runtime/values-multi-runtimes.yaml
+++ b/charts/gitops-runtime/values-multi-runtimes.yaml
@@ -14,8 +14,6 @@ argo-events:
 controller:
 rbac:
 namespaced: true
- crds:
- install: false
 argo-workflows:
 crds:
 install: false