diff --git a/argo-cd-apps/base/internal/argocd-infra-deployments/appset.yaml b/argo-cd-apps/base/internal/argocd-infra-deployments/appset.yaml
new file mode 100644
index 00000000..00e84806
--- /dev/null
+++ b/argo-cd-apps/base/internal/argocd-infra-deployments/appset.yaml
@@ -0,0 +1,36 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+ name: argocd-infra-deployments
+spec:
+ generators:
+ - clusters:
+ values:
+ sourceRoot: components/argocd-infra-deployments
+ environment: ""
+ clusterName: ""
+ template:
+ metadata:
+ name: argocd-infra-deployments-{{nameNormalized}}
+ spec:
+ project: default
+ source:
+ path: '{{values.sourceRoot}}/{{values.environment}}'
+ repoURL: https://github.com/redhat-appstudio/infra-common-deployments.git
+ targetRevision: main
+ destination:
+ namespace: argocd-infra-deployments-{{values.environment}}
+ name: in-cluster
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+ retry:
+ limit: -1
+ backoff:
+ duration: 10s
+ factor: 2
+ maxDuration: 3m
diff --git a/argo-cd-apps/base/internal/argocd-infra-deployments/kustomization.yaml b/argo-cd-apps/base/internal/argocd-infra-deployments/kustomization.yaml
new file mode 100644
index 00000000..af45573e
--- /dev/null
+++ b/argo-cd-apps/base/internal/argocd-infra-deployments/kustomization.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - appset.yaml
diff --git a/argo-cd-apps/base/internal/kustomization.yaml b/argo-cd-apps/base/internal/kustomization.yaml
index a5c4f48d..ec0080c4 100644
--- a/argo-cd-apps/base/internal/kustomization.yaml
+++ b/argo-cd-apps/base/internal/kustomization.yaml
@@ -2,6 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+ - argocd-infra-deployments
 - internal-services
 - openshift-pipelines
 - kargo
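Review bot: The generated Applications use `project: default`, which places no `sourceRepos`, `destinations` or `clusterResourceWhitelist` limits on what they may apply, and what they apply here is a ClusterRole with `*` verbs on RBAC and SCC objects plus an ArgoCD CR; unless the managing instance already locks down its default AppProject, a dedicated project limited to `https://github.com/redhat-appstudio/infra-common-deployments.git` and the `argocd-infra-deployments-*` destination namespaces would bound the blast radius of a write to that repository. `retry.limit: -1` combined with `prune: true` and `selfHeal: true` retries a failing sync forever; if the sibling ApplicationSets use the same convention that is fine, otherwise a finite limit keeps a permanently broken overlay visible rather than silently looping. The generator defaults `environment: ""` and `clusterName: ""`, so a cluster secret that does not set `values.environment` would render `path: components/argocd-infra-deployments/` and `namespace: argocd-infra-deployments-` — presumably every cluster secret supplies it, as the other appsets in this tree appear to rely on the same values.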
diff --git a/components/argocd-infra-deployments/OWNERS b/components/argocd-infra-deployments/OWNERS
new file mode 100644
index 00000000..13ca2f19
--- /dev/null
+++ b/components/argocd-infra-deployments/OWNERS
@@ -0,0 +1,7 @@
+# See the OWNERS docs: https://go.k8s.io/owners
+
+approvers:
+ - konflux-infra-team
+
+reviewers:
+ - konflux-infra-team
diff --git a/components/argocd-infra-deployments/README.md b/components/argocd-infra-deployments/README.md
new file mode 100644
index 00000000..64cb86b6
--- /dev/null
+++ b/components/argocd-infra-deployments/README.md
@@ -0,0 +1,3 @@
+# ArgoCD infra-deployments
+
+The ArgoCD infra-deployments component deploys an ArgoCD instance to manage the deployment of components in the [infra-deployments](https://github.com/redhat-appstudio/infra-deployments) repository. At the moment, this ArgoCD instance is only used to deploy components migrating to the universal components standard enacted by the ring deployments feature.
\ No newline at end of file
diff --git a/components/argocd-infra-deployments/base/argocd.yaml b/components/argocd-infra-deployments/base/argocd.yaml
new file mode 100644
index 00000000..eb1bd22c
--- /dev/null
+++ b/components/argocd-infra-deployments/base/argocd.yaml
@@ -0,0 +1,315 @@ +apiVersion: argoproj.io/v1beta1 +kind: ArgoCD +metadata: + name: argocd-infra-deployments-staging + namespace: argocd-infra-deployments-staging +spec: + kustomizeBuildOptions: "--enable-helm" + resourceTrackingMethod: annotation + extraConfig: + resource.compareoptions: | + # disables status field diffing in specified resource types + ignoreAggregatedRoles: true + resource.customizations.ignoreResourceUpdates.all: |- + jsonPointers: + - /status + resource.ignoreResourceUpdatesEnabled: 'true' + # Taken from: https://docs.crossplane.io/latest/guides/crossplane-with-argo-cd/#set-health-status + resource.customizations: | + "*.crossplane.io/*": + health.lua: | + health_status = { + status = "Progressing", + message = "Provisioning ..." + } + + local function contains (table, val) + for i, v in ipairs(table) do + if v == val then + return true + end + end + return false + end + + local has_no_status = { + "Composition", + "CompositionRevision", + "DeploymentRuntimeConfig", + "ControllerConfig", + "ProviderConfig", + "ProviderConfigUsage" + } + + if obj.status == nil or next(obj.status) == nil and contains(has_no_status, obj.kind) then + health_status.status = "Healthy" + health_status.message = "Resource is up-to-date." + return health_status + end + + if obj.status == nil or next(obj.status) == nil or obj.status.conditions == nil then + if obj.kind == "ProviderConfig" and obj.status.users ~= nil then + health_status.status = "Healthy" + health_status.message = "Resource is in use." 
+ return health_status + end + return health_status + end + + for i, condition in ipairs(obj.status.conditions) do + if condition.type == "LastAsyncOperation" then + if condition.status == "False" then + health_status.status = "Degraded" + health_status.message = condition.message + return health_status + end + end + + if condition.type == "Synced" then + if condition.status == "False" then + health_status.status = "Degraded" + health_status.message = condition.message + return health_status + end + end + + if contains({"Ready", "Healthy", "Offered", "Established"}, condition.type) then + if condition.status == "True" then + health_status.status = "Healthy" + health_status.message = "Resource is up-to-date." + return health_status + end + end + end + + return health_status + resourceHealthChecks: + - group: logging.openshift.io + kind: ClusterLogForwarder + check: | + local obj = resource + local hs = { + status = "Progressing", + message = "Waiting for pipeline readiness status" + } + local allPipelines = {} + local notReadyPipelines = {} + + local pipelines = (obj and obj.status and type(obj.status) == "table" and obj.status.pipelines) or {} + for _, pipeline in ipairs(pipelines) do + local conditions = pipeline.conditions or { { type = "Ready", status = "False", message = "The conditions field is missing for " .. pipeline.name } } + for _, condition in ipairs(conditions) do + if condition.type == "Ready" then + hs.message = condition.message + hs.status = condition.status == "False" and "Degraded" or "Healthy" + table.insert(allPipelines, pipeline.name) + if hs.status == "Degraded" then + table.insert(notReadyPipelines, pipeline.name) + end + end + end + end + + hs.status = #notReadyPipelines == 0 and "Healthy" or "Degraded" + hs.message = #notReadyPipelines == 0 and "All pipelines are ready" or "Not ready pipelines: " .. 
table.concat(notReadyPipelines, ", ") + + return hs + - group: operators.coreos.com + kind: Subscription + check: | + health_status = {} + if obj.status ~= nil then + if obj.status.conditions ~= nil then + numDegraded = 0 + numPending = 0 + msg = "" + for i, condition in pairs(obj.status.conditions) do + msg = msg .. i .. ": " .. condition.type .. " | " .. condition.status .. "\n" + if condition.type == "InstallPlanPending" and condition.status == "True" then + numPending = numPending + 1 + elseif (condition.type == "InstallPlanMissing" and condition.reason ~= "ReferencedInstallPlanNotFound") then + numDegraded = numDegraded + 1 + elseif (condition.type == "CatalogSourcesUnhealthy" or condition.type == "InstallPlanFailed" or condition.type == "ResolutionFailed") and condition.status == "True" then + numDegraded = numDegraded + 1 + end + end + end + if numDegraded == 0 and numPending == 0 then + health_status.status = "Healthy" + health_status.message = msg + return health_status + elseif numPending > 0 and numDegraded == 0 and obj.spec.installPlanApproval == "Manual" then + health_status.status = "Healthy" + health_status.message = "An install plan for a subscription is pending installation but install plan approval is set to manual so considering this as healthy: " .. 
msg + return health_status + elseif numPending > 0 and numDegraded == 0 then + health_status.status = "Progressing" + health_status.message = "An install plan for a subscription is pending installation" + return health_status + else + health_status.status = "Degraded" + health_status.message = msg + return health_status + end + end + return health_status + server: + annotations: + ignore-check.kube-linter.io/unset-cpu-requirements: "no cpu limits" + autoscale: + enabled: false + grpc: + ingress: + enabled: false + ingress: + enabled: false + resources: + limits: + memory: 256Mi + requests: + cpu: 125m + memory: 128Mi + route: + enabled: true + tls: + termination: reencrypt + service: + type: '' + grafana: + enabled: false + ingress: + enabled: false + resources: + limits: + memory: 256Mi + requests: + cpu: 250m + memory: 128Mi + route: + enabled: false + notifications: + enabled: false + prometheus: + enabled: false + ingress: + enabled: false + route: + enabled: false + initialSSHKnownHosts: {} + sso: + dex: + openShiftOAuth: true + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 250m + memory: 128Mi + provider: dex + applicationSet: + annotations: + ignore-check.kube-linter.io/unset-cpu-requirements: "no cpu limits" + resources: + limits: + memory: 1Gi + requests: + cpu: 250m + memory: 512Mi + webhookServer: + ingress: + enabled: false + route: + enabled: false + rbac: + policy: | + p, role:developer, applications, sync, default/*, allow + p, role:developer, applications, get, default/*, allow + p, role:developer, logs, get, default/*, allow + + g, argocd-developers, role:developer + + p, role:tenants-config-sync, applications, sync, tenants-config/*, allow + g, system:authenticated, role:tenants-config-sync + + p, role:release-eng, applications, sync, tenants-config/*, allow + p, role:release-eng, applications, get, tenants-config/*, allow + p, role:release-eng, logs, get, tenants-config/*, allow + + p, role:release-eng, applications, sync, 
rh-managed-workspaces-config/*, allow + p, role:release-eng, applications, get, rh-managed-workspaces-config/*, allow + p, role:release-eng, logs, get, rh-managed-workspaces-config/*, allow + + g, argocd-release-eng, role:release-eng + + scopes: '[groups]' + repo: + annotations: + ignore-check.kube-linter.io/unset-cpu-requirements: "no cpu limits" + resources: + limits: + memory: 2Gi + requests: + cpu: 250m + memory: 2Gi + resourceExclusions: | + - apiGroups: + - tekton.dev + clusters: + - '*' + kinds: + - TaskRun + - PipelineRun + - apiGroups: + - '*' + kinds: + - ProviderConfigUsage + - apiGroups: + - kyverno.io + kinds: + - AdmissionReport + - BackgroundScanReport + - ClusterAdmissionReport + - ClusterBackgroundScanReport + clusters: + - '*' + ha: + enabled: true + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 250m + memory: 128Mi + tls: + ca: {} + redis: + autotls: openshift + resources: + limits: + memory: 256Mi + requests: + cpu: 250m + memory: 128Mi + controller: + annotations: + ignore-check.kube-linter.io/unset-cpu-requirements: "no cpu limits" + processors: {} + resources: + limits: + memory: 10Gi + requests: + cpu: 3 + memory: 5Gi + sharding: + enabled: true + replicas: 3 + env: + - name: ARGOCD_CONTROLLER_SHARDING_ALGORITHM + value: round-robin + - name: ARGOCD_CLUSTER_CACHE_LIST_PAGE_SIZE + value: "2000" + - name: ARGOCD_CLUSTER_CACHE_LIST_PAGE_BUFFER_SIZE + value: "4" + logLevel: debug diff --git a/components/argocd-infra-deployments/base/clusterrole.yaml b/components/argocd-infra-deployments/base/clusterrole.yaml new file mode 100644 index 00000000..3e3bca1b --- /dev/null +++ b/components/argocd-infra-deployments/base/clusterrole.yaml 
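Review bot: In the `*.crossplane.io/*` health script the first guard reads `obj.status == nil or next(obj.status) == nil and contains(has_no_status, obj.kind)`; `and` binds tighter than `or` in Lua, so any object whose status is still nil is reported Healthy regardless of kind and a freshly created claim never shows Progressing — parenthesize it as `if (obj.status == nil or next(obj.status) == nil) and contains(has_no_status, obj.kind) then`. The `ClusterLogForwarder` check opens with `local obj = resource`; Argo CD's health scripts receive the object as the global `obj`, and if `resource` is not defined in that environment the `(obj and ...) or {}` fallback makes every forwarder report `All pipelines are ready` — worth confirming against the instance this was copied from. In the `Subscription` check `numDegraded`, `numPending` and `msg` are only assigned inside `if obj.status.conditions ~= nil`, so a Subscription with a status but no conditions reaches `numPending > 0` with a nil operand and the script errors instead of reporting Progressing; initialising the three before the inner `if` fixes it. Separately, `g, system:authenticated, role:tenants-config-sync` lets any logged-in user sync `tenants-config/*` applications on an instance the README says only serves components migrating to the ring standard — confirm the grant is needed here rather than carried over. The base also fixes the CR name and namespace to `-staging` (as do `ns.yaml` and `clusterrole.yaml`), which the empty `internal-production` overlay will need to patch before it can be enabled.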
@@ -0,0 +1,243 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: argocd-infra-deployments-custom-permissions + labels: + app.kubernetes.io/managed-by: argocd + app.kubernetes.io/name: argocd-infra-deployments-staging + app.kubernetes.io/part-of: argocd + argocd/aggregate-to-controller: "true" + annotations: + argocds.argoproj.io/name: argocd-infra-deployments-staging + argocds.argoproj.io/namespace: argocd-infra-deployments-staging +rules: +- apiGroups: + - "" + resources: + - configmaps + - limitranges + - namespaces + - persistentvolumeclaims + - resourcequotas + - secrets + - services + - serviceaccounts + verbs: + - "*" +- apiGroups: + - "apiextensions.k8s.io" + resources: + - customresourcedefinitions + verbs: + - "*" +- apiGroups: + - "appstudio.redhat.com" + resources: + - internalservicesconfigs + verbs: + - "*" +- apiGroups: + - "apps" + resources: + - deployments + - statefulsets + - daemonsets + verbs: + - "*" +- apiGroups: + - "batch" + resources: + - cronjobs + - jobs + verbs: + - "*" +- apiGroups: + - "cert-manager.io" + resources: + - "*" + verbs: + - "*" +- apiGroups: + - "config.openshift.io" + resources: + - proxies + verbs: + - "*" +- apiGroups: + - "dynatrace.com" + resources: + - dynakubes + verbs: + - "*" +- apiGroups: + - "external-secrets.io" + resources: + - clustersecretstores + - externalsecrets + - secretstores + verbs: + - "*" +- apiGroups: + - "grafana.integreatly.org" + resources: + - grafanas + - grafanadashboards + - grafanadatasources + verbs: + - "*" +- apiGroups: + - "kargo.akuity.io" + resources: + - "*" + verbs: + - "*" +- apiGroups: + - "kueue.x-k8s.io" + resources: + - "*" + verbs: + - "*" +- apiGroups: + - "kyverno.io" + resources: + - "*" + verbs: + - "*" +- apiGroups: + - "logging.openshift.io" + resources: + - clusterlogforwarders + - clusterloggings + verbs: + - "*" +- apiGroups: + - "monitoring.coreos.com" + resources: + - servicemonitors + - prometheusrules + - podmonitors + verbs: + - 
"*" +- apiGroups: + - "monitoring.rhobs" + resources: + - monitoringstacks + - servicemonitors + - probes + verbs: + - "*" +- apiGroups: + - "networking.k8s.io" + resources: + - networkpolicies + verbs: + - "*" +- apiGroups: + - "oadp.openshift.io" + resources: + - dataprotectionapplications + verbs: + - "*" +- apiGroups: + - "observability.openshift.io" + resources: + - clusterlogforwarders + verbs: + - "*" +- apiGroups: + - "operator.external-secrets.io" + resources: + - operatorconfigs + verbs: + - "*" +- apiGroups: + - "operator.openshift.io" + resources: + - kueues + verbs: + - "*" +- apiGroups: + - "operator.tekton.dev" + resources: + - tektonconfigs + verbs: + - "*" +- apiGroups: + - "kueue.openshift.io" + resources: + - kueues + verbs: + - "*" +- apiGroups: + - "operators.coreos.com" + resources: + - catalogsources + - olmconfigs + - operatorgroups + - subscriptions + verbs: + - "*" +- apiGroups: + - "pipelinesascode.tekton.dev" + resources: + - repositories + verbs: + - "*" +- apiGroups: + - "policy" + resources: + - poddisruptionbudgets + verbs: + - "*" +- apiGroups: + - "redhatcop.redhat.io" + resources: + - groupsyncs + verbs: + - "*" +- apiGroups: + - "rbac.authorization.k8s.io" + resources: + - clusterroles + - clusterrolebindings + - roles + - rolebindings + verbs: + - "*" +- apiGroups: + - "route.openshift.io" + resources: + - routes + - routes/custom-host + verbs: + - "*" +- apiGroups: + - "scheduling.k8s.io" + resources: + - priorityclasses + verbs: + - "*" +- apiGroups: + - "security.openshift.io" + resources: + - securitycontextconstraints + verbs: + - "*" +- apiGroups: + - "tekton.dev" + resources: + - tasks + verbs: + - "*" +- apiGroups: + - "velero.io" + resources: + - schedules + verbs: + - "*" +- apiGroups: + - "user.openshift.io" + resources: + - groups + verbs: + - "*" 
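Review bot: Every rule grants `verbs: ["*"]`, and on `rbac.authorization.k8s.io` that includes `bind` and `escalate` for `clusterroles` and `clusterrolebindings`; because the role carries `argocd/aggregate-to-controller: "true"` it is folded into the controller's permissions, so any manifest this instance syncs in-cluster can create a cluster-admin binding, and `secrets`, `serviceaccounts`, `securitycontextconstraints` and `routes/custom-host` with `*` widen the same path. Argo CD manages a resource with `get`, `list`, `watch`, `create`, `update`, `patch` and `delete`, so listing those explicitly (and replacing `resources: ["*"]` for `cert-manager.io`, `kargo.akuity.io`, `kueue.x-k8s.io` and `kyverno.io` with the kinds actually deployed, where known) keeps the role at least privilege without changing what it can deploy. If the breadth is deliberate because this instance must own cluster RBAC, the compensating control is a dedicated AppProject with `clusterResourceWhitelist` and `sourceRepos` on the managing instance, and a header comment recording that decision would help the next reviewer. The `argocds.argoproj.io/name` and `argocds.argoproj.io/namespace` annotations are fixed to `-staging` in a file under `base/`, so a production overlay will have to patch them.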
diff --git a/components/argocd-infra-deployments/base/kustomization.yaml b/components/argocd-infra-deployments/base/kustomization.yaml
new file mode 100644
index 00000000..d8a36906
--- /dev/null
+++ b/components/argocd-infra-deployments/base/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - argocd.yaml
+ - clusterrole.yaml
+ - ns.yaml
diff --git a/components/argocd-infra-deployments/base/ns.yaml b/components/argocd-infra-deployments/base/ns.yaml
new file mode 100644
index 00000000..75062807
--- /dev/null
+++ b/components/argocd-infra-deployments/base/ns.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: argocd-infra-deployments-staging
+ labels:
+ app.kubernetes.io/name: argocd-infra-deployments-staging
+ app.kubernetes.io/part-of: konflux-common
+ app.kubernetes.io/instance: argocd-infra-deployments-staging
diff --git a/components/argocd-infra-deployments/internal-production/kustomization.yaml b/components/argocd-infra-deployments/internal-production/kustomization.yaml
new file mode 100644
index 00000000..efbb3106
--- /dev/null
+++ b/components/argocd-infra-deployments/internal-production/kustomization.yaml
@@ -0,0 +1,3 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources: [] # Not yet deployed to production
diff --git a/components/argocd-infra-deployments/internal-staging/external-secrets/infra-deployments-es.yaml b/components/argocd-infra-deployments/internal-staging/external-secrets/infra-deployments-es.yaml
new file mode 100644
index 00000000..b173c7d7
--- /dev/null
+++ b/components/argocd-infra-deployments/internal-staging/external-secrets/infra-deployments-es.yaml
@@ -0,0 +1,23 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: infra-deployments-es
+ annotations:
+ argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+ argocd.argoproj.io/sync-wave: "-1"
+ labels:
+ argocd.argoproj.io/secret-type: repo-creds
+spec:
+ dataFrom:
+ - extract:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: staging/infrastructure/github-argocd/kflux-c-stg-i01/infra-deployments
+ refreshInterval: 1h
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: appsre-stonesoup-vault
+ target:
+ creationPolicy: Owner
+ deletionPolicy: Delete
+ name: infra-deployments-secret
diff --git a/components/argocd-infra-deployments/internal-staging/external-secrets/kustomization.yaml b/components/argocd-infra-deployments/internal-staging/external-secrets/kustomization.yaml
new file mode 100644
index 00000000..85686529
--- /dev/null
+++ b/components/argocd-infra-deployments/internal-staging/external-secrets/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: argocd-infra-deployments-staging
+
+resources:
+ - stg-rh01-es.yaml
+ - stg-es01-es.yaml
+ - stg-p01-es.yaml
+ - infra-deployments-es.yaml
diff --git a/components/argocd-infra-deployments/internal-staging/external-secrets/stg-es01-es.yaml b/components/argocd-infra-deployments/internal-staging/external-secrets/stg-es01-es.yaml
new file mode 100644
index 00000000..645d45f7
--- /dev/null
+++ b/components/argocd-infra-deployments/internal-staging/external-secrets/stg-es01-es.yaml
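Review bot: The repo-creds secret is taken from `staging/infrastructure/github-argocd/kflux-c-stg-i01/infra-deployments`, a Vault path named for a different cluster; if that is the same GitHub credential another Argo CD instance already consumes, both instances now share one rotation and revocation boundary, so a path provisioned for this instance, or at least a comment in the manifest recording which GitHub App or token it holds and who owns it, would make the coupling explicit. This is inferred from the key name only — if sharing the path is the established convention, a one-line comment saying so would save the next reader the same question.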
@@ -0,0 +1,23 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: stg-es01-es
+ annotations:
+ argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+ argocd.argoproj.io/sync-wave: "-1"
+ labels:
+ argocd.argoproj.io/secret-type: cluster
+spec:
+ dataFrom:
+ - extract:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: staging/platform/kflux-stg-es01
+ refreshInterval: 1h
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: appsre-stonesoup-vault
+ target:
+ creationPolicy: Owner
+ deletionPolicy: Delete
+ name: stg-es01-secret
diff --git a/components/argocd-infra-deployments/internal-staging/external-secrets/stg-p01-es.yaml b/components/argocd-infra-deployments/internal-staging/external-secrets/stg-p01-es.yaml
new file mode 100644
index 00000000..ddc50ac3
--- /dev/null
+++ b/components/argocd-infra-deployments/internal-staging/external-secrets/stg-p01-es.yaml
@@ -0,0 +1,23 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: stg-p01-es
+ annotations:
+ argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+ argocd.argoproj.io/sync-wave: "-1"
+ labels:
+ argocd.argoproj.io/secret-type: cluster
+spec:
+ dataFrom:
+ - extract:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: staging/platform/stone-stage-p01
+ refreshInterval: 1h
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: appsre-stonesoup-vault
+ target:
+ creationPolicy: Owner
+ deletionPolicy: Delete
+ name: stg-p01-secret
diff --git a/components/argocd-infra-deployments/internal-staging/external-secrets/stg-rh01-es.yaml b/components/argocd-infra-deployments/internal-staging/external-secrets/stg-rh01-es.yaml
new file mode 100644
index 00000000..18d6cd73
--- /dev/null
+++ b/components/argocd-infra-deployments/internal-staging/external-secrets/stg-rh01-es.yaml
@@ -0,0 +1,23 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: stg-rh01-es
+ annotations:
+ argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+ argocd.argoproj.io/sync-wave: "-1"
+ labels:
+ argocd.argoproj.io/secret-type: cluster
+spec:
+ dataFrom:
+ - extract:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: staging/platform/stone-stg-rh01
+ refreshInterval: 1h
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: appsre-stonesoup-vault
+ target:
+ creationPolicy: Owner
+ deletionPolicy: Delete
+ name: stg-rh01-secret
diff --git a/components/argocd-infra-deployments/internal-staging/kustomization.yaml b/components/argocd-infra-deployments/internal-staging/kustomization.yaml
new file mode 100644
index 00000000..edd45ccc
--- /dev/null
+++ b/components/argocd-infra-deployments/internal-staging/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: argocd-infra-deployments-staging
+
+resources:
+ - ../base
+ - external-secrets
diff --git a/components/cluster-secret-store/internal-staging/kustomization.yaml b/components/cluster-secret-store/internal-staging/kustomization.yaml
index 27bb5cb0..4eb3613f 100644
--- a/components/cluster-secret-store/internal-staging/kustomization.yaml
+++ b/components/cluster-secret-store/internal-staging/kustomization.yaml
@@ -2,3 +2,11 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ../base
+
+patches:
+ - path: patches/add-argocd-namespace-patch.yaml
+ target:
+ group: external-secrets.io
+ version: v1beta1
+ kind: ClusterSecretStore
+ name: appsre-stonesoup-vault
diff --git a/components/cluster-secret-store/internal-staging/patches/add-argocd-namespace-patch.yaml b/components/cluster-secret-store/internal-staging/patches/add-argocd-namespace-patch.yaml
new file mode 100644
index 00000000..49fc6082
--- /dev/null
+++ b/components/cluster-secret-store/internal-staging/patches/add-argocd-namespace-patch.yaml
@@ -0,0 +1,3 @@
+- op: add
+ path: /spec/conditions/0/namespaces/-
+ value: argocd-infra-deployments-staging
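Review bot: The patch appends to `/spec/conditions/0/namespaces/-`, which relies on the first entry of `spec.conditions` in the base `ClusterSecretStore` being the namespace allowlist; if a condition is ever inserted ahead of it, the namespace would silently be added to a different condition and `argocd-infra-deployments-staging` would lose access to `appsre-stonesoup-vault` without any kustomize error. A comment in the patch file such as `# conditions[0] is the namespace allowlist in components/cluster-secret-store/base; keep the index in sync` records the coupling, and a `namespaceSelector` condition keyed on the namespace's labels would remove the positional dependency if the base is organised to allow it.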