Application-layer new-cluster automation

See hack/new-cluster/README.md

https://issues.redhat.com/browse/KONFLUX-7471

Author: ralphbean

hack/new-cluster/README.md

@@ -0,0 +1,67 @@
+# Application-layer new-cluster automation
+
+This is step 2 of 3 in automating the rollout of a new cluster.
+
+This automation creates yaml files in the infra-deployments repo locally.
+
+## Prerequisite
+
+1. The cluster-layer terraform automation has been run, and the new cluster is up. This entails that the AWS, IBM, and database secrets have been provisioned and injected into vault in the correct paths. This automation will verify that before proceeding.
+
+2. You need the following installed on your system:
+
+* ansible CLI
+* vault CLI
+* python3-hvac
+* python-requests
+
+3. You have variables that correctly describe the new cluster,
+
+* `longname` - Example: `kflux-prd-rh09.abe9`
+* `shortname` - Example: `kflux-prd-rh09`
+* `cutename` - Example: `rh09`
+* `env` - One of `production` or `staging`.
+* `network` - One of `public` or `private`.
+
+4. You are connected to the VPN.
+
+## Procedure
+
+**Run the playbook**, which will prompt you for the five variables above:
+
+```
+❯ ansible-playbook hack/new-cluster/playbook.yaml
+```
+
+When the playbook completes, consult the output by inspecting `git diff`.
+
+If satisifed, commit the results, push, and post a pull-request for review by your peers.
+
+Include a description of steps you took to run and verify the automation in the description of your pull request to expedite review.
+
+## Tips
+
+If you do not want to run all steps, but only a subset **you can use tags** to run only tasks tagged with certain tags. For example, if you do not want to verify the vault settings or generate the applicationset changes, but you only want to generate the component overlays, use the `components` tag, like this:
+
+```
+❯ ansible-playbook hack/new-cluster/playbook.yaml --tags components
+```
+
+If you don't want to specify the variables at prompts, you can **specify variables when invoking the CLI**, like this:
+
+```
+❯ ansible-playbook hack/new-cluster/playbook.yaml -e 'cutename=rh09 shortname=kflux-prd-rh09 longname=kflux-prd-rh09.abe9 env=production network=public'
+```
+
+If you are **nervous about drift** between the current application manifests and those produced by this automation, you can inspect the different by running this automation and requesting it to produce the config **for an existing cluster**, and then investigate what changes it may have made by looking at `git diff`, like this.
+
+```
+❯ ansible-playbook hack/new-cluster/playbook.yaml --skip-tags vault,chains,github -e 'cutename=rh03 shortname=kflux-prd-rh03 longname=kflux-prd-rh03.nnv1 env=production network=public'
+❯ git diff
+```
+
+The playbook attempts to determine the correct version of some services by inspecting the `main` branch of their git repos. You can override this by setting commit ids specifically, like this:
+
+```
+❯ ansible-playbook hack/new-cluster/playbook.yaml -e 'commit_id_multi_platform_controller=ec950d0cfb87bcfd6e3a79fc2b5ee40989126123 commit_id_build_definitions=ab6b0b8e40e440158e7288c73aff1cf83a2cc8a9 commit_id_tektoncd_results_for_konflux=425fcd0988b50965139238038e0d3bd3cb4f8bbc commit_id_pipeline_service_exporter=9d2439c8a77d2ce0527cc5aea3fc6561b7671b48'
+```

hack/new-cluster/playbook.yaml

@@ -0,0 +1,136 @@
+---
+# This ansible playbook will prepare the application-layer for a new cluster.
+#
+# Major steps:
+# * Provision new github application and insert credentials in vault
+# * Provision new chains signing secret and insert credentials in vault
+# * Locally write out configuration overlays for a new cluster based on templates.
+#
+
+- name: Create and patch YAML files
+  hosts: localhost
+  gather_facts: no
+
+  vars_prompt:
+    - name: cutename
+      prompt: "Cute name of the cluster (like rh09)"
+      private: false
+    - name: shortname
+      prompt: "Short name of the cluster (like kflux-prd-rh09)"
+      private: false
+    - name: longname
+      prompt: "Long name of the cluster (like kflux-prd-rh09.1bz7)"
+      private: false
+    - name: env
+      prompt: "What environment (one of {{allowed_envs}})"
+      private: false
+    - name: network
+      prompt: "What network (one of {{allowed_networks}})"
+      private: false
+
+  vars:
+    vault_addr: "https://vault.devshift.net"
+
+    dst: "{{ lookup('env', 'PWD') }}"
+    github_organization: "redhat-appstudio"
+    github_application: "red-hat-konflux-{{ shortname }}"
+    required_vars:
+      - shortname
+      - longname
+      - env
+    controlplane_cluster: appsrep09ue1
+    allowed_envs:
+      - production
+      - staging
+    allowed_networks:
+      - public
+      - private
+    templated_components:
+      - backup
+      - build-service
+      - integration
+      - konflux-info
+      - konflux-rbac
+      - konflux-ui
+      - kyverno
+      - mintmaker
+      - monitoring/logging
+      - monitoring/prometheus
+      - multi-platform-controller
+      - namespace-lister
+      - pipeline-service
+
+    argo_cd_app_files:
+      - "{{ dst }}/argo-cd-apps/base/all-clusters/infra-deployments/monitoring-workload-logging/monitoring-workload-logging.yaml"
+      - "{{ dst }}/argo-cd-apps/base/all-clusters/infra-deployments/monitoring-workload-prometheus/monitoring-workload-prometheus.yaml"
+      - "{{ dst }}/argo-cd-apps/base/member/infra-deployments/build-service/build-service.yaml"
+      - "{{ dst }}/argo-cd-apps/base/member/infra-deployments/integration/integration.yaml"
+      - "{{ dst }}/argo-cd-apps/base/member/infra-deployments/konflux-info/konflux-info.yaml"
+      - "{{ dst }}/argo-cd-apps/base/member/infra-deployments/konflux-rbac/konflux-rbac.yaml"
+      - "{{ dst }}/argo-cd-apps/base/member/infra-deployments/konflux-ui/konflux-ui.yaml"
+      - "{{ dst }}/argo-cd-apps/base/member/infra-deployments/kyverno/kyverno.yaml"
+      - "{{ dst }}/argo-cd-apps/base/member/infra-deployments/mintmaker/mintmaker.yaml"
+      - "{{ dst }}/argo-cd-apps/base/member/infra-deployments/multi-platform-controller/multi-platform-controller.yaml"
+      - "{{ dst }}/argo-cd-apps/base/member/infra-deployments/namespace-lister/namespace-lister.yaml"
+      - "{{ dst }}/argo-cd-apps/base/member/infra-deployments/pipeline-service/pipeline-service.yaml"
+
+    expected_vault_secrets:
+      - 'stonesoup/{{ env }}/platform/ansible/generated/{{ shortname }}/github-app'
+      - 'stonesoup/{{ env }}/platform/ansible/generated/{{ shortname }}/chains-signing-secret'
+      - 'stonesoup/{{ env }}/platform/terraform/generated/{{ shortname }}/backup-bucket'
+      - 'stonesoup/{{ env }}/platform/terraform/generated/{{ shortname }}/plnsvc-database'
+      - 'stonesoup/{{ env }}/platform/terraform/generated/{{ shortname }}/tekton-bucket'
+      - 'stonesoup/{{ env }}/platform/terraform/generated/{{ shortname }}/aws-ssh-key'
+      - 'stonesoup/{{ env }}/platform/terraform/generated/{{ shortname }}/aws-account'
+      - 'stonesoup/{{ env }}/platform/terraform/generated/{{ shortname }}/ibm-api-key'
+      - 'stonesoup/{{ env }}/platform/terraform/generated/{{ shortname }}/ibm-s390x-ssh-key'
+      - 'stonesoup/{{ env }}/platform/terraform/generated/{{ shortname }}/ibm-ppc64le-ssh-key'
+
+    github_commit_vars:
+      - slug: openshift-pipelines/tektoncd-results-for-konflux
+        varname: commit_id_tektoncd_results_for_konflux
+      - slug: openshift-pipelines/pipeline-service-exporter
+        varname: commit_id_pipeline_service_exporter
+      - slug: konflux-ci/build-definitions
+        varname: commit_id_build_definitions
+      - slug: konflux-ci/multi-platform-controller
+        varname: commit_id_multi_platform_controller
+
+  pre_tasks:
+    - name: Validate and initialize variables
+      tags: [github]
+      include_tasks: tasks/variables.yaml
+
+  tasks:
+    - name: Login to vault
+      tags: [vault]
+      include_tasks: tasks/vault/login.yaml
+
+    - name: Ensure the chains signing secret exists
+      tags: [chains]
+      include_tasks: tasks/vault/chains.yaml
+
+    - name: Ensure the github application exists
+      tags: [github]
+      include_tasks: tasks/github/app.yaml
+
+    - name: Verify all other vault secrets exist as expected
+      tags: [vault]
+      include_tasks: tasks/vault/verify.yaml
+      loop: "{{ expected_vault_secrets }}"
+      loop_control:
+        loop_var: path
+
+    - name: Patch ApplicationSet files to include new cluster reference
+      tags: [applicationsets]
+      include_tasks: tasks/applicationsets.yaml
+      loop: "{{ argo_cd_app_files }}"
+      loop_control:
+        loop_var: filename
+
+    - name: Copy cluster-specific component manifests
+      tags: [components]
+      include_tasks: tasks/components.yaml
+      loop: "{{ templated_components }}"
+      loop_control:
+        loop_var: component

hack/new-cluster/tasks/applicationsets.yaml

@@ -0,0 +1,12 @@
+- name: Look for {{ shortname }} in ApplicationSet {{ filename.split("/")[-1] }}
+  tags: [applicationsets]
+  command: |
+      yq  '.spec.generators[].merge.generators[] | select(has("list")) | .list.elements[] | select(.nameNormalized == "{{ shortname }}" )' {{ filename }}
+  register: result
+  changed_when: result.stdout == ""
+
+- name: Insert {{ shortname }} into ApplicationSet {{ filename.split("/")[-1] }}
+  tags: [applicationsets]
+  command: |
+      yq -i eval '(.spec.generators[].merge.generators[] | select(has("list")) | .list.elements) += {"nameNormalized": "{{ shortname }}", "values.clusterDir": "{{ shortname }}"}' {{ filename }}
+  when: result.stdout == ""

hack/new-cluster/tasks/components.yaml

@@ -0,0 +1,36 @@
+- name: "Create the components/{{ component }}/{{ env }}/{{ shortname }}/ directory if it does not exist"
+  tags: [components]
+  file:
+    path: "{{ dst }}/components/{{ component }}/{{ env }}/{{ shortname }}/"
+    state: directory
+    mode: '0755'
+
+- name: Set subdir default value
+  tags: [components]
+  set_fact:
+    subdir: "{{ env }}"
+
+- name: Adjust subdir for special MPC case
+  tags: [components]
+  set_fact:
+    subdir: "{{ env }}-downstream"
+  when: network == 'private' and component == 'multi-platform-controller'
+
+- name: "Create any subdirectories if we need them"
+  tags: [components]
+  file:
+    path: "{{ dst }}/components/{{ component }}/{{ subdir }}/{{ shortname }}/{{ item['path'] }}"
+    state: directory
+    mode: '0755'
+  with_filetree:
+  - "templates/{{ component }}/"
+  when: "item['state'] == 'directory'"
+
+- name: "Create files from template for components/{{ component }}/{{ subdir }}/{{ shortname }}"
+  tags: [components]
+  template:
+    src: "{{ item['src'] }}"
+    dest: "{{ dst }}/components/{{ component }}/{{ subdir }}/{{ shortname }}/{{item['path'] }}"
+  with_filetree:
+  - "templates/{{ component }}/"
+  when: "item['state'] == 'file'"

hack/new-cluster/tasks/github/app.yaml

@@ -0,0 +1,86 @@
+- name: Check to see if the {{ github_application }} github application exists
+  tags: [github]
+  uri:
+    url: "https://github.com/apps/{{ github_application }}"
+    method: GET
+    return_content: no
+    headers:
+      Accept: "application/vnd.github.v3+json"
+  register: exists
+  failed_when: exists.status not in [200, 404]
+
+# If the app doesn't exist in github, but a key does exist in vault - then
+# we're in a situation that doesn't make any sense. Fail hard.
+- name: "Verify that it is not already in vault. If it is, that's crazy."
+  tags: [github]
+  when: exists.status != 200
+  command: >
+    vault kv metadata get stonesoup/{{ env }}/platform/ansible/generated/{{ shortname }}/github-app
+  register: sanity_check
+  environment:
+    VAULT_ADDR: "{{ vault_addr }}"
+    VAULT_TOKEN: "{{ vault_token }}"
+  changed_when: false
+  failed_when: "sanity_check.rc != 2"
+
+# Docs https://docs.github.com/en/apps/sharing-github-apps/registering-a-github-app-from-a-manifest
+- name: Create App Manifest
+  tags: [github]
+  when: exists.status != 200
+  set_fact:
+    app_manifest:
+      name: "{{ github_application }}"
+      url: "https://konflux-ui.apps.{{ longname }}.p1.openshiftapps.com"
+      hook_attributes:
+        url:  "https://pipelines-as-code-controller-openshift-pipelines.apps.{{ longname }}.p1.openshiftapps.com"
+        active: true
+      redirect_url: http://localhost:8089
+      description: >
+        The app facilitates the integration between Github events and the OpenShift Pipelines Pipelines As Code component running on your production environment for Red Hat Konflux.
+
+        This will facilitate the running of any Tekton PipelineRuns you have defined in the `.tekton` folder of your repository based on the GitHub events you have associated with each of those PipelineRuns.
+
+        See the Konflux onboarding documentation for more details.
+      public: true
+      default_permissions:
+        checks: write
+        contents: write
+        issues: write
+        pull_requests: write
+        organization_administration: read
+        members: read
+      default_events:
+        - check_run
+        - check_suite
+        - commit_comment
+        - issue_comment
+        - pull_request
+        - push
+
+- name: Go see your browser and click to create the app. The playbook is now awaiting a redirect from github.com.
+  tags: [github]
+  when: exists.status != 200
+  script: "github-app-flow.py {{ github_organization }} '{{ app_manifest | to_json | b64encode }}'"
+  register: details
+
+- name: Insert that into vault
+  tags: [github]
+  when: exists.status != 200
+  command: >
+    vault kv put stonesoup/{{ env }}/platform/ansible/generated/{{ shortname }}/github-app
+      github-application-id={{ details.stdout | from_json | json_query('application_id') }}
+      github-private-key='{{ details.stdout | from_json | json_query('pem') }}'
+      webhook.secret={{ details.stdout | from_json | json_query('webhook_secret') }}
+  environment:
+    VAULT_ADDR: "{{ vault_addr }}"
+    VAULT_TOKEN: "{{ vault_token }}"
+
+- name: Verify that we put it in place correctly
+  tags: [github]
+  when: exists.status != 200
+  command: >
+    vault kv metadata get stonesoup/{{ env }}/platform/ansible/generated/{{ shortname }}/github-app
+  environment:
+    VAULT_ADDR: "{{ vault_addr }}"
+    VAULT_TOKEN: "{{ vault_token }}"
+  changed_when: false

hack/new-cluster/tasks/github/find-latest-commits.yaml

@@ -0,0 +1,14 @@
+- name: Get latest commit SHA from GitHub API for {{ slug }} to be stored as {{ varname }}
+  tags: [always]
+  uri:
+    url: "https://api.github.com/repos/{{ slug }}/commits/main"
+    method: GET
+    return_content: yes
+    headers:
+      Accept: "application/vnd.github.v3+json"
+  register: github_commit
+  when: "vars[varname] is undefined or vars[varname] == ''"
+
+- set_fact: { "{{ varname }}": "{{ github_commit.json.sha }}" }
+  tags: [always]
+  when: "vars[varname] is undefined or vars[varname] == ''"