36 changes: 36 additions & 0 deletions argo-cd-apps/base/internal/argocd-infra-deployments/appset.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,36 @@
---
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
name: argocd-infra-deployments
spec:
generators:
- clusters:
values:
sourceRoot: components/argocd-infra-deployments
environment: ""
clusterName: ""
template:
metadata:
name: argocd-infra-deployments-{{nameNormalized}}
spec:
project: default
source:
path: '{{values.sourceRoot}}/{{values.environment}}'
repoURL: https://github.com/redhat-appstudio/infra-common-deployments.git
targetRevision: main
destination:
namespace: argocd-infra-deployments-{{values.environment}}


this will end up being "argocd-infra-deployments-internal-staging" and not "argocd-infra-deployments-staging" as expected in the rest of this PR.

If you want the suffix staging in the NS name, you will need to use go templating like we did in k8s-groups applicationSet

spec:
goTemplate: true
....
and then this would be:
argocd-infra-deployments-{{trimPrefix "external-" (trimPrefix "internal-" .values.environment)}}

Question: we will have one Argo CD on the common staging cluster for the staging Konflux clusters and one on the common production cluster for the production Konflux clusters, so another option is to just use argocd-infra-deployments as the namespace, as there will not be any conflict.

name: in-cluster
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true
retry:
limit: -1
backoff:
duration: 10s
factor: 2
maxDuration: 3m
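Review bot: The generated Applications are placed in `project: default`, which in a stock Argo CD install allows any source repository, any destination and any cluster-scoped resource; together with `name: in-cluster`, `CreateNamespace=true` and `prune: true` there is no project-level bound on what a commit to `main` of infra-common-deployments can create or delete on the hosting cluster. Unless the parent instance has already tightened the `default` AppProject (not visible here), a dedicated AppProject pinned to this repo and to the `argocd-infra-deployments-*` namespaces would give the ApplicationSet least privilege, with the template changed to `project: argocd-infra-deployments`. The AppProject would live alongside the parent Argo CD, with `clusterResourceWhitelist` listing only the cluster-scoped kinds the path actually deploys, if any.
```yaml
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: argocd-infra-deployments
spec:
  sourceRepos:
    - https://github.com/redhat-appstudio/infra-common-deployments.git
  destinations:
    - name: in-cluster
      namespace: 'argocd-infra-deployments-*'
  # clusterResourceWhitelist: add only the cluster-scoped kinds the path needs
```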
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- appset.yaml
1 change: 1 addition & 0 deletions argo-cd-apps/base/internal/kustomization.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- argocd-infra-deployments
- internal-services
- openshift-pipelines
- kargo
7 changes: 7 additions & 0 deletions components/argocd-infra-deployments/OWNERS
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
# See the OWNERS docs: https://go.k8s.io/owners

approvers:
- konflux-infra-team

reviewers:
- konflux-infra-team
3 changes: 3 additions & 0 deletions components/argocd-infra-deployments/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
# ArgoCD infra-deployments

The ArgoCD infra-deployments component deploys an ArgoCD instance to manage the deployment of components in the [infra-deployments](https://github.com/redhat-appstudio/infra-deployments) repository. At the moment, this ArgoCD instance is only used to deploy components migrating to the universal components standard enacted by the ring deployments feature.
315 changes: 315 additions & 0 deletions components/argocd-infra-deployments/base/argocd.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,315 @@
apiVersion: argoproj.io/v1beta1
kind: ArgoCD
metadata:
name: argocd-infra-deployments-staging
namespace: argocd-infra-deployments-staging
spec:
kustomizeBuildOptions: "--enable-helm"
resourceTrackingMethod: annotation
extraConfig:
resource.compareoptions: |
# disables status field diffing in specified resource types
ignoreAggregatedRoles: true
resource.customizations.ignoreResourceUpdates.all: |-
jsonPointers:
- /status
resource.ignoreResourceUpdatesEnabled: 'true'
# Taken from: https://docs.crossplane.io/latest/guides/crossplane-with-argo-cd/#set-health-status
resource.customizations: |
"*.crossplane.io/*":
health.lua: |
health_status = {
status = "Progressing",
message = "Provisioning ..."
}

local function contains (table, val)
for i, v in ipairs(table) do
if v == val then
return true
end
end
return false
end

local has_no_status = {
"Composition",
"CompositionRevision",
"DeploymentRuntimeConfig",
"ControllerConfig",
"ProviderConfig",
"ProviderConfigUsage"
}

if obj.status == nil or next(obj.status) == nil and contains(has_no_status, obj.kind) then
health_status.status = "Healthy"
health_status.message = "Resource is up-to-date."
return health_status
end

if obj.status == nil or next(obj.status) == nil or obj.status.conditions == nil then
if obj.kind == "ProviderConfig" and obj.status.users ~= nil then
health_status.status = "Healthy"
health_status.message = "Resource is in use."
return health_status
end
return health_status
end

for i, condition in ipairs(obj.status.conditions) do
if condition.type == "LastAsyncOperation" then
if condition.status == "False" then
health_status.status = "Degraded"
health_status.message = condition.message
return health_status
end
end

if condition.type == "Synced" then
if condition.status == "False" then
health_status.status = "Degraded"
health_status.message = condition.message
return health_status
end
end

if contains({"Ready", "Healthy", "Offered", "Established"}, condition.type) then
if condition.status == "True" then
health_status.status = "Healthy"
health_status.message = "Resource is up-to-date."
return health_status
end
end
end

return health_status
resourceHealthChecks:
- group: logging.openshift.io
kind: ClusterLogForwarder
check: |
local obj = resource
local hs = {
status = "Progressing",
message = "Waiting for pipeline readiness status"
}
local allPipelines = {}
local notReadyPipelines = {}

local pipelines = (obj and obj.status and type(obj.status) == "table" and obj.status.pipelines) or {}
for _, pipeline in ipairs(pipelines) do
local conditions = pipeline.conditions or { { type = "Ready", status = "False", message = "The conditions field is missing for " .. pipeline.name } }
for _, condition in ipairs(conditions) do
if condition.type == "Ready" then
hs.message = condition.message
hs.status = condition.status == "False" and "Degraded" or "Healthy"
table.insert(allPipelines, pipeline.name)
if hs.status == "Degraded" then
table.insert(notReadyPipelines, pipeline.name)
end
end
end
end

hs.status = #notReadyPipelines == 0 and "Healthy" or "Degraded"
hs.message = #notReadyPipelines == 0 and "All pipelines are ready" or "Not ready pipelines: " .. table.concat(notReadyPipelines, ", ")

return hs
- group: operators.coreos.com
kind: Subscription
check: |
health_status = {}
if obj.status ~= nil then
if obj.status.conditions ~= nil then
numDegraded = 0
numPending = 0
msg = ""
for i, condition in pairs(obj.status.conditions) do
msg = msg .. i .. ": " .. condition.type .. " | " .. condition.status .. "\n"
if condition.type == "InstallPlanPending" and condition.status == "True" then
numPending = numPending + 1
elseif (condition.type == "InstallPlanMissing" and condition.reason ~= "ReferencedInstallPlanNotFound") then
numDegraded = numDegraded + 1
elseif (condition.type == "CatalogSourcesUnhealthy" or condition.type == "InstallPlanFailed" or condition.type == "ResolutionFailed") and condition.status == "True" then
numDegraded = numDegraded + 1
end
end
end
if numDegraded == 0 and numPending == 0 then
health_status.status = "Healthy"
health_status.message = msg
return health_status
elseif numPending > 0 and numDegraded == 0 and obj.spec.installPlanApproval == "Manual" then
health_status.status = "Healthy"
health_status.message = "An install plan for a subscription is pending installation but install plan approval is set to manual so considering this as healthy: " .. msg
return health_status
elseif numPending > 0 and numDegraded == 0 then
health_status.status = "Progressing"
health_status.message = "An install plan for a subscription is pending installation"
return health_status
else
health_status.status = "Degraded"
health_status.message = msg
return health_status
end
end
return health_status
server:
annotations:
ignore-check.kube-linter.io/unset-cpu-requirements: "no cpu limits"
autoscale:
enabled: false
grpc:
ingress:
enabled: false
ingress:
enabled: false
resources:
limits:
memory: 256Mi
requests:
cpu: 125m
memory: 128Mi
route:
enabled: true
tls:
termination: reencrypt
service:
type: ''
grafana:
enabled: false
ingress:
enabled: false
resources:
limits:
memory: 256Mi
requests:
cpu: 250m
memory: 128Mi
route:
enabled: false
notifications:
enabled: false
prometheus:
enabled: false
ingress:
enabled: false
route:
enabled: false
initialSSHKnownHosts: {}
sso:
dex:
openShiftOAuth: true
resources:
limits:
cpu: 500m
memory: 256Mi
requests:
cpu: 250m
memory: 128Mi
provider: dex
applicationSet:
annotations:
ignore-check.kube-linter.io/unset-cpu-requirements: "no cpu limits"
resources:
limits:
memory: 1Gi
requests:
cpu: 250m
memory: 512Mi
webhookServer:
ingress:
enabled: false
route:
enabled: false
rbac:
policy: |
p, role:developer, applications, sync, default/*, allow
p, role:developer, applications, get, default/*, allow
p, role:developer, logs, get, default/*, allow

g, argocd-developers, role:developer

p, role:tenants-config-sync, applications, sync, tenants-config/*, allow
g, system:authenticated, role:tenants-config-sync

p, role:release-eng, applications, sync, tenants-config/*, allow
p, role:release-eng, applications, get, tenants-config/*, allow
p, role:release-eng, logs, get, tenants-config/*, allow

p, role:release-eng, applications, sync, rh-managed-workspaces-config/*, allow
p, role:release-eng, applications, get, rh-managed-workspaces-config/*, allow
p, role:release-eng, logs, get, rh-managed-workspaces-config/*, allow

g, argocd-release-eng, role:release-eng


I want to highlight that this will not work. Here we configure Argo CD permissions and map them to the k8s groups "argocd-developers" and "argocd-release-eng". Those two groups exist on the appsre cluster, created by some YAML in app-interface, but they do not exist on the common cluster.

First, we do not need the tenants-config and releng permissions, this is a left over from when we had single argocd instance deploying both tenant and konflux itself.

For the developer role, that we still need, we could probably do like we did in the local arogcd, i.e. bind all the konflux-* groups to the dev people:

        p, role:konflux-argocd-devs, applications, get, */*, allow
        p, role:konflux-argocd-devs, applications, sync, */*, allow
        p, role:konflux-argocd-devs, logs, get, */*, allow
        g, konflux-admins, role:konflux-argocd-devs
        g, konflux-build, role:konflux-argocd-devs
        g, konflux-contributors, role:konflux-argocd-devs
        g, konflux-devprod, role:konflux-argocd-devs
        g, konflux-ec, role:konflux-argocd-devs
        g, konflux-infra, role:konflux-argocd-devs
        g, konflux-integration, role:konflux-argocd-devs
        g, konflux-kubearchive, role:konflux-argocd-devs
        g, konflux-migration, role:konflux-argocd-devs
        g, konflux-mintmaker-team, role:konflux-argocd-devs
        g, konflux-o11y, role:konflux-argocd-devs
        g, konflux-qe, role:konflux-argocd-devs
        g, konflux-release-team, role:konflux-argocd-devs
        g, konflux-support-ops, role:konflux-argocd-devs
        g, konflux-ui, role:konflux-argocd-devs
        g, konflux-vanguard, role:konflux-argocd-devs


scopes: '[groups]'
repo:
annotations:
ignore-check.kube-linter.io/unset-cpu-requirements: "no cpu limits"
resources:
limits:
memory: 2Gi
requests:
cpu: 250m
memory: 2Gi
resourceExclusions: |
- apiGroups:
- tekton.dev
clusters:
- '*'
kinds:
- TaskRun
- PipelineRun
- apiGroups:
- '*'
kinds:
- ProviderConfigUsage
- apiGroups:
- kyverno.io
kinds:
- AdmissionReport
- BackgroundScanReport
- ClusterAdmissionReport
- ClusterBackgroundScanReport
clusters:
- '*'
ha:
enabled: true
resources:
limits:
cpu: 500m
memory: 256Mi
requests:
cpu: 250m
memory: 128Mi
tls:
ca: {}
redis:
autotls: openshift
resources:
limits:
memory: 256Mi
requests:
cpu: 250m
memory: 128Mi
controller:
annotations:
ignore-check.kube-linter.io/unset-cpu-requirements: "no cpu limits"
processors: {}
resources:
limits:
memory: 10Gi
requests:
cpu: 3
memory: 5Gi
sharding:
enabled: true
replicas: 3
env:
- name: ARGOCD_CONTROLLER_SHARDING_ALGORITHM
value: round-robin
- name: ARGOCD_CLUSTER_CACHE_LIST_PAGE_SIZE
value: "2000"
- name: ARGOCD_CLUSTER_CACHE_LIST_PAGE_BUFFER_SIZE
value: "4"
logLevel: debug
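Review bot: In the `*.crossplane.io/*` `health.lua` script, the condition `if obj.status == nil or next(obj.status) == nil and contains(has_no_status, obj.kind) then` parses as `obj.status == nil or (next(obj.status) == nil and contains(...))` because Lua's `and` binds tighter than `or`, so any Crossplane resource with no `.status` at all is reported Healthy regardless of kind, rather than the Progressing default the script sets up; a managed resource the provider has not yet reconciled would show green and self-heal/prune decisions would run against that status. The upstream snippet this is taken from appears to have the same shape, so this is not a transcription error, but it is worth fixing here. Change the check to `if (obj.status == nil or next(obj.status) == nil) and contains(has_no_status, obj.kind) then`, and since a nil status then reaches the next branch, guard the ProviderConfig lookup with `if obj.kind == "ProviderConfig" and obj.status ~= nil and obj.status.users ~= nil then` so it cannot index nil. The Subscription check below also assigns `health_status`, `numDegraded`, `numPending` and `msg` as globals; prefixing them with `local` would keep state from leaking between evaluations in the shared Lua VM.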