KFLUXINFRA-4167: Create a staging ArgoCD instance for infra-deployments #532
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,36 @@ | ||
| --- | ||
| apiVersion: argoproj.io/v1alpha1 | ||
| kind: ApplicationSet | ||
| metadata: | ||
| name: argocd-infra-deployments | ||
| spec: | ||
| generators: | ||
| - clusters: | ||
| values: | ||
| sourceRoot: components/argocd-infra-deployments | ||
| environment: "" | ||
| clusterName: "" | ||
| template: | ||
| metadata: | ||
| name: argocd-infra-deployments-{{nameNormalized}} | ||
| spec: | ||
| project: default | ||
| source: | ||
| path: '{{values.sourceRoot}}/{{values.environment}}' | ||
| repoURL: https://github.com/redhat-appstudio/infra-common-deployments.git | ||
| targetRevision: main | ||
| destination: | ||
| namespace: argocd-infra-deployments-{{values.environment}} | ||
Contributor
this will end up being "argocd-infra-deployments-internal-staging" and not "argocd-infra-deployments-staging" as expected in the rest of this PR. If you want the suffix staging in the NS name, you will need to use go templating like we did in k8s-groups applicationSet spec: Question, we will have one argocd on common staging cluster for the staging konflux clusters and one on common production cluster for the production konflux clusters, another option is to just use argocd-infra-deployments as NS as there will not be any conflict.
| name: in-cluster | ||
| syncPolicy: | ||
| automated: | ||
| prune: true | ||
| selfHeal: true | ||
| syncOptions: | ||
| - CreateNamespace=true | ||
| retry: | ||
| limit: -1 | ||
| backoff: | ||
| duration: 10s | ||
| factor: 2 | ||
| maxDuration: 3m | ||
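Review bot: `retry.limit: -1` in the template's `syncPolicy` makes Argo CD retry a failed sync indefinitely (backing off up to the 3m `maxDuration`), so a persistently broken manifest never reaches a terminal failed state and only shows up as a stream of repeated sync-failure events; for a staging instance a finite value such as `limit: 5` is easier to alert on, or add a comment explaining why unbounded retry is intended. Also, the generator sets `environment: ""` and `clusterName: ""` while the template builds both the source path (`{{values.sourceRoot}}/{{values.environment}}`) and the destination namespace (`argocd-infra-deployments-{{values.environment}}`) from `values.environment`; unless an overlay fills that value in, the generated Application points at `components/argocd-infra-deployments/` and a namespace ending in a trailing hyphen, which is not a valid name. Since `automated.prune: true` and `CreateNamespace=true` mean the Application will create that namespace and delete anything it stops tracking, it is worth confirming the resolved value on every matching cluster before merging (the thread above already notes the suffix will come out differently than the rest of the PR expects).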
| @@ -0,0 +1,5 @@ | ||
| --- | ||
| apiVersion: kustomize.config.k8s.io/v1beta1 | ||
| kind: Kustomization | ||
| resources: | ||
| - appset.yaml | ||
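Review bot: this kustomization only lists `appset.yaml`; the `ArgoCD` CR `argocd-infra-deployments-staging` added in this PR is not referenced by any kustomization visible in the diff, so please confirm it is included by a kustomization in the environment directory that the ApplicationSet's `path` (`{{values.sourceRoot}}/{{values.environment}}`) resolves to, otherwise the generated Application has nothing to render for that path.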
| @@ -0,0 +1,7 @@ | ||
| # See the OWNERS docs: https://go.k8s.io/owners | ||
|
|
||
| approvers: | ||
| - konflux-infra-team | ||
|
|
||
| reviewers: | ||
| - konflux-infra-team |
| @@ -0,0 +1,3 @@ | ||
| # ArgoCD infra-deployments | ||
|
|
||
| The ArgoCD infra-deployments component deploys an ArgoCD instance to manage the deployment of components in the [infra-deployments](https://github.com/redhat-appstudio/infra-deployments) repository. At the moment, this ArgoCD instance is only used to deploy components migrating to the universal components standard enacted by the ring deployments feature. |
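Review bot: the README says what the instance manages but not where it lives or who can reach it; since the namespace naming (`argocd-infra-deployments-<environment>` per the ApplicationSet) and the group-to-role mapping are exactly what the review thread is debating, a sentence stating the target namespace per environment and which groups are expected to exist on the common cluster would save the next person from re-deriving it from the manifests.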
| @@ -0,0 +1,315 @@ | ||
| apiVersion: argoproj.io/v1beta1 | ||
| kind: ArgoCD | ||
| metadata: | ||
| name: argocd-infra-deployments-staging | ||
| namespace: argocd-infra-deployments-staging | ||
| spec: | ||
| kustomizeBuildOptions: "--enable-helm" | ||
| resourceTrackingMethod: annotation | ||
| extraConfig: | ||
| resource.compareoptions: | | ||
| # disables status field diffing in specified resource types | ||
| ignoreAggregatedRoles: true | ||
| resource.customizations.ignoreResourceUpdates.all: |- | ||
| jsonPointers: | ||
| - /status | ||
| resource.ignoreResourceUpdatesEnabled: 'true' | ||
| # Taken from: https://docs.crossplane.io/latest/guides/crossplane-with-argo-cd/#set-health-status | ||
| resource.customizations: | | ||
| "*.crossplane.io/*": | ||
| health.lua: | | ||
| health_status = { | ||
| status = "Progressing", | ||
| message = "Provisioning ..." | ||
| } | ||
|
|
||
| local function contains (table, val) | ||
| for i, v in ipairs(table) do | ||
| if v == val then | ||
| return true | ||
| end | ||
| end | ||
| return false | ||
| end | ||
|
|
||
| local has_no_status = { | ||
| "Composition", | ||
| "CompositionRevision", | ||
| "DeploymentRuntimeConfig", | ||
| "ControllerConfig", | ||
| "ProviderConfig", | ||
| "ProviderConfigUsage" | ||
| } | ||
|
|
||
| if obj.status == nil or next(obj.status) == nil and contains(has_no_status, obj.kind) then | ||
| health_status.status = "Healthy" | ||
| health_status.message = "Resource is up-to-date." | ||
| return health_status | ||
| end | ||
|
|
||
| if obj.status == nil or next(obj.status) == nil or obj.status.conditions == nil then | ||
| if obj.kind == "ProviderConfig" and obj.status.users ~= nil then | ||
| health_status.status = "Healthy" | ||
| health_status.message = "Resource is in use." | ||
| return health_status | ||
| end | ||
| return health_status | ||
| end | ||
|
|
||
| for i, condition in ipairs(obj.status.conditions) do | ||
| if condition.type == "LastAsyncOperation" then | ||
| if condition.status == "False" then | ||
| health_status.status = "Degraded" | ||
| health_status.message = condition.message | ||
| return health_status | ||
| end | ||
| end | ||
|
|
||
| if condition.type == "Synced" then | ||
| if condition.status == "False" then | ||
| health_status.status = "Degraded" | ||
| health_status.message = condition.message | ||
| return health_status | ||
| end | ||
| end | ||
|
|
||
| if contains({"Ready", "Healthy", "Offered", "Established"}, condition.type) then | ||
| if condition.status == "True" then | ||
| health_status.status = "Healthy" | ||
| health_status.message = "Resource is up-to-date." | ||
| return health_status | ||
| end | ||
| end | ||
| end | ||
|
|
||
| return health_status | ||
| resourceHealthChecks: | ||
| - group: logging.openshift.io | ||
| kind: ClusterLogForwarder | ||
| check: | | ||
| local obj = resource | ||
| local hs = { | ||
| status = "Progressing", | ||
| message = "Waiting for pipeline readiness status" | ||
| } | ||
| local allPipelines = {} | ||
| local notReadyPipelines = {} | ||
|
|
||
| local pipelines = (obj and obj.status and type(obj.status) == "table" and obj.status.pipelines) or {} | ||
| for _, pipeline in ipairs(pipelines) do | ||
| local conditions = pipeline.conditions or { { type = "Ready", status = "False", message = "The conditions field is missing for " .. pipeline.name } } | ||
| for _, condition in ipairs(conditions) do | ||
| if condition.type == "Ready" then | ||
| hs.message = condition.message | ||
| hs.status = condition.status == "False" and "Degraded" or "Healthy" | ||
| table.insert(allPipelines, pipeline.name) | ||
| if hs.status == "Degraded" then | ||
| table.insert(notReadyPipelines, pipeline.name) | ||
| end | ||
| end | ||
| end | ||
| end | ||
|
|
||
| hs.status = #notReadyPipelines == 0 and "Healthy" or "Degraded" | ||
| hs.message = #notReadyPipelines == 0 and "All pipelines are ready" or "Not ready pipelines: " .. table.concat(notReadyPipelines, ", ") | ||
|
|
||
| return hs | ||
| - group: operators.coreos.com | ||
| kind: Subscription | ||
| check: | | ||
| health_status = {} | ||
| if obj.status ~= nil then | ||
| if obj.status.conditions ~= nil then | ||
| numDegraded = 0 | ||
| numPending = 0 | ||
| msg = "" | ||
| for i, condition in pairs(obj.status.conditions) do | ||
| msg = msg .. i .. ": " .. condition.type .. " | " .. condition.status .. "\n" | ||
| if condition.type == "InstallPlanPending" and condition.status == "True" then | ||
| numPending = numPending + 1 | ||
| elseif (condition.type == "InstallPlanMissing" and condition.reason ~= "ReferencedInstallPlanNotFound") then | ||
| numDegraded = numDegraded + 1 | ||
| elseif (condition.type == "CatalogSourcesUnhealthy" or condition.type == "InstallPlanFailed" or condition.type == "ResolutionFailed") and condition.status == "True" then | ||
| numDegraded = numDegraded + 1 | ||
| end | ||
| end | ||
| end | ||
| if numDegraded == 0 and numPending == 0 then | ||
| health_status.status = "Healthy" | ||
| health_status.message = msg | ||
| return health_status | ||
| elseif numPending > 0 and numDegraded == 0 and obj.spec.installPlanApproval == "Manual" then | ||
| health_status.status = "Healthy" | ||
| health_status.message = "An install plan for a subscription is pending installation but install plan approval is set to manual so considering this as healthy: " .. msg | ||
| return health_status | ||
| elseif numPending > 0 and numDegraded == 0 then | ||
| health_status.status = "Progressing" | ||
| health_status.message = "An install plan for a subscription is pending installation" | ||
| return health_status | ||
| else | ||
| health_status.status = "Degraded" | ||
| health_status.message = msg | ||
| return health_status | ||
| end | ||
| end | ||
| return health_status | ||
| server: | ||
| annotations: | ||
| ignore-check.kube-linter.io/unset-cpu-requirements: "no cpu limits" | ||
| autoscale: | ||
| enabled: false | ||
| grpc: | ||
| ingress: | ||
| enabled: false | ||
| ingress: | ||
| enabled: false | ||
| resources: | ||
| limits: | ||
| memory: 256Mi | ||
| requests: | ||
| cpu: 125m | ||
| memory: 128Mi | ||
| route: | ||
| enabled: true | ||
| tls: | ||
| termination: reencrypt | ||
| service: | ||
| type: '' | ||
| grafana: | ||
| enabled: false | ||
| ingress: | ||
| enabled: false | ||
| resources: | ||
| limits: | ||
| memory: 256Mi | ||
| requests: | ||
| cpu: 250m | ||
| memory: 128Mi | ||
| route: | ||
| enabled: false | ||
| notifications: | ||
| enabled: false | ||
| prometheus: | ||
| enabled: false | ||
| ingress: | ||
| enabled: false | ||
| route: | ||
| enabled: false | ||
| initialSSHKnownHosts: {} | ||
| sso: | ||
| dex: | ||
| openShiftOAuth: true | ||
| resources: | ||
| limits: | ||
| cpu: 500m | ||
| memory: 256Mi | ||
| requests: | ||
| cpu: 250m | ||
| memory: 128Mi | ||
| provider: dex | ||
| applicationSet: | ||
| annotations: | ||
| ignore-check.kube-linter.io/unset-cpu-requirements: "no cpu limits" | ||
| resources: | ||
| limits: | ||
| memory: 1Gi | ||
| requests: | ||
| cpu: 250m | ||
| memory: 512Mi | ||
| webhookServer: | ||
| ingress: | ||
| enabled: false | ||
| route: | ||
| enabled: false | ||
| rbac: | ||
| policy: | | ||
| p, role:developer, applications, sync, default/*, allow | ||
| p, role:developer, applications, get, default/*, allow | ||
| p, role:developer, logs, get, default/*, allow | ||
|
|
||
| g, argocd-developers, role:developer | ||
|
|
||
| p, role:tenants-config-sync, applications, sync, tenants-config/*, allow | ||
| g, system:authenticated, role:tenants-config-sync | ||
|
|
||
| p, role:release-eng, applications, sync, tenants-config/*, allow | ||
| p, role:release-eng, applications, get, tenants-config/*, allow | ||
| p, role:release-eng, logs, get, tenants-config/*, allow | ||
|
|
||
| p, role:release-eng, applications, sync, rh-managed-workspaces-config/*, allow | ||
| p, role:release-eng, applications, get, rh-managed-workspaces-config/*, allow | ||
| p, role:release-eng, logs, get, rh-managed-workspaces-config/*, allow | ||
|
|
||
| g, argocd-release-eng, role:release-eng | ||
Contributor
I want to highlight that this will not work. Here we configure argocd permissions and map them to the k8s groups "argocd-developers" and "argocd-release-eng". Those 2 groups exist on the appsre cluster, created by some yaml in app-interface, but they do not exist in the common cluster. First, we do not need the tenants-config and releng permissions, this is a leftover from when we had a single argocd instance deploying both tenant and konflux itself. For the developer role, that we still need, we could probably do like we did in the local argocd, i.e. bind all the konflux-* groups to the dev people:
|
|
||
| scopes: '[groups]' | ||
| repo: | ||
| annotations: | ||
| ignore-check.kube-linter.io/unset-cpu-requirements: "no cpu limits" | ||
| resources: | ||
| limits: | ||
| memory: 2Gi | ||
| requests: | ||
| cpu: 250m | ||
| memory: 2Gi | ||
| resourceExclusions: | | ||
| - apiGroups: | ||
| - tekton.dev | ||
| clusters: | ||
| - '*' | ||
| kinds: | ||
| - TaskRun | ||
| - PipelineRun | ||
| - apiGroups: | ||
| - '*' | ||
| kinds: | ||
| - ProviderConfigUsage | ||
| - apiGroups: | ||
| - kyverno.io | ||
| kinds: | ||
| - AdmissionReport | ||
| - BackgroundScanReport | ||
| - ClusterAdmissionReport | ||
| - ClusterBackgroundScanReport | ||
| clusters: | ||
| - '*' | ||
| ha: | ||
| enabled: true | ||
| resources: | ||
| limits: | ||
| cpu: 500m | ||
| memory: 256Mi | ||
| requests: | ||
| cpu: 250m | ||
| memory: 128Mi | ||
| tls: | ||
| ca: {} | ||
| redis: | ||
| autotls: openshift | ||
| resources: | ||
| limits: | ||
| memory: 256Mi | ||
| requests: | ||
| cpu: 250m | ||
| memory: 128Mi | ||
| controller: | ||
| annotations: | ||
| ignore-check.kube-linter.io/unset-cpu-requirements: "no cpu limits" | ||
| processors: {} | ||
| resources: | ||
| limits: | ||
| memory: 10Gi | ||
| requests: | ||
| cpu: 3 | ||
| memory: 5Gi | ||
| sharding: | ||
| enabled: true | ||
| replicas: 3 | ||
| env: | ||
| - name: ARGOCD_CONTROLLER_SHARDING_ALGORITHM | ||
| value: round-robin | ||
| - name: ARGOCD_CLUSTER_CACHE_LIST_PAGE_SIZE | ||
| value: "2000" | ||
| - name: ARGOCD_CLUSTER_CACHE_LIST_PAGE_BUFFER_SIZE | ||
| value: "4" | ||
| logLevel: debug | ||
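Review bot: `g, system:authenticated, role:tenants-config-sync` in `rbac.policy` grants every authenticated user sync rights on `tenants-config/*`, and with `sso.dex.openShiftOAuth: true` that is any user who can log in to the cluster's OAuth server; the thread above already flags the tenants-config and release-eng policies as a leftover from the single-instance setup, so the cleanest fix is to drop those `p`/`g` lines (and the `tenants-config`/`rh-managed-workspaces-config` project references) rather than carry a `system:authenticated` grant into a brand-new instance. The same applies to the `argocd-developers` and `argocd-release-eng` group bindings, which the thread says do not exist on the common cluster: a `g` line for a non-existent group is harmless but misleading, so replace it with the groups that will actually be present. Two smaller points: `controller.logLevel: debug` is very chatty for a long-lived instance and will inflate log volume on every reconcile loop, so consider `info` unless there is an active troubleshooting need; and since `resourceExclusions` hides `tekton.dev` `TaskRun`/`PipelineRun` on all clusters, a short comment on why (volume, not ownership) would help the next reader.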