feat: add install Zone Argo CD script

Author: KepoParis

INSTALL.md

@@ -376,6 +376,51 @@ watch "kubectl get ns | grep '\-mynamespace'"
   - Pour Kyverno : `-t kyverno`
 - La fonctionnalité actuellement remplie par le role Kyverno était auparavant gérée par un role kubed. C'est la raison pour laquelle la désinstallation de kubed est toujours disponible. Si kubed est encore présent dans votre cluster hébergeant le socle DSO, nous vous recommandons sa désinstallation via l'utilisation du tag `-t kubed` (ou `-t confSyncer`).
 
+### Installation d'un Argo CD dans une nouvelle zone
+
+Cette section décrit comment installer Argo CD dans une nouvelle zone.
+
+Pour cela, connectez vous à votre console DSO et allez dans la page `Zones` dans la section `Administration` et suivez les instructions de la [documentation](https://cloud-pi-native.fr/administration/zones) pour créer une zone.
+
+La création d'une zone déclenchera la création d'un repository GitLab DSO de la zone dans le groupe `infra`.
+
+**NB: Une fois la zone créée, vous aurez besoin du nom court de la zone ainsi que du repository GitLab de la zone pour pouvoir l'utiliser dans l'installation.**
+
+#### Installation
+
+Veuillez suivre les étapes suivantes dans l'ordre pour installer l'instance Argo CD dans la nouvelle zone.
+
+L'installation de l'instance Argo CD se fait de manière automatisée via un script bash.
+
+Assurez-vous d'avoir le CLI [`argocd-vault-plugin`](https://argocd-vault-plugin.readthedocs.io/en/stable/installation/) installé et les variables d'environnement suivantes définies :
+
+```bash
+export GITOPS_REPO_PATH=/chemin/absolu/vers/votre/gitops
+export VAULT_INFRA_DOMAIN=infra-vault.example.com
+export VAULT_INFRA_TOKEN=vault-infra-token
+```
+
+Dans votre repository GitOps, créez un fichier `gitops/envs/conf-dso/apps/argocd/zone-<zoneName>-values.yaml` avec les valeurs suivantes :
+
+```yaml
+# Repository GitLab DSO de la zone (n'oubliez pas le .git à la fin)
+dsoZoneRepo: <repository-git-lab-dso-de-la-zone>
+# Nom court de la zone
+zoneName: <zone-name>
+
+# Les valeurs suivantes correspondent à la configuration de l'instance Argo CD dans la nouvelle zone.
+# Veuillez consulter la documentation Argo CD pour les valeurs possibles (https://github.com/argoproj/argo-helm/blob/main/charts/argo-cd/README.md)
+argocd:
+```
+
+Positionnez votre kube context sur la zone cible et exécutez la commande suivante :
+
+```bash
+./admin-tools/install-zone-argocd.sh
+```
+
+Ce script va installer l'instance Argo CD dans la zone dans le namespace `dso-argocd`.
+
 ### Désinstaller un ou plusieurs outils
 
 Le playbook de désinstallation peut aussi être utilisé pour supprimer un ou plusieurs outils **de manière ciblée**, via les tags associés.

admin-tools/install-zone-argocd.sh

@@ -0,0 +1,179 @@
+#!/bin/bash
+
+# Exit immediately if a command exits with a non-zero status
+set -e
+
+echo "Starting deployment pre-flight checks..."
+echo "----------------------------------------"
+
+# 1. Environment Variable Checks
+MISSING_VARS=0
+
+if [[ -z "$GITOPS_REPO_PATH" ]]; then
+    echo "❌ Error: Environment variable GITOPS_REPO_PATH is not defined or is empty."
+    MISSING_VARS=1
+fi
+
+if [[ -z "$VAULT_INFRA_TOKEN" ]]; then
+    echo "❌ Error: Environment variable VAULT_INFRA_TOKEN is not defined or is empty."
+    MISSING_VARS=1
+fi
+
+if [[ -z "$VAULT_INFRA_DOMAIN" ]]; then
+    echo "❌ Error: Environment variable VAULT_INFRA_DOMAIN is not defined or is empty."
+    MISSING_VARS=1
+fi
+
+if [[ $MISSING_VARS -ne 0 ]]; then
+    echo ""
+    echo "⚠️  Please set the missing environment variables and relaunch the script."
+    exit 1
+fi
+
+echo "✅ Environment variables are set."
+
+# 2. Dependency Check: argocd-vault-plugin
+if ! command -v argocd-vault-plugin &> /dev/null; then
+    echo "❌ Error: 'argocd-vault-plugin' CLI is not installed."
+    echo ""
+    echo "To install it via Homebrew, run:"
+    echo "  brew install argocd-vault-plugin"
+    echo ""
+    echo "For Linux or other methods via curl, refer to:"
+    echo "  https://argocd-vault-plugin.readthedocs.io/en/stable/installation/#on-linux-or-macos-via-curl"
+    echo ""
+    echo "⚠️  Please install the CLI, then relaunch this script."
+    exit 1
+fi
+
+echo "✅ argocd-vault-plugin is installed."
+
+# 3. Directory and File Checks
+TARGET_DIR="$GITOPS_REPO_PATH/gitops/envs/conf-dso/apps/argocd"
+
+if [[ ! -d "$TARGET_DIR" ]]; then
+    echo "❌ Error: Directory $TARGET_DIR does not exist."
+    exit 1
+fi
+
+if [[ ! -f "$TARGET_DIR/values.yaml" ]]; then
+    echo "❌ Error: The base 'values.yaml' was not found in $TARGET_DIR."
+    exit 1
+fi
+
+# Find all zone files matching the naming convention
+shopt -s nullglob
+ZONE_FILES=("$TARGET_DIR"/zone-*-values.yaml)
+shopt -u nullglob
+
+if [[ ${#ZONE_FILES[@]} -eq 0 ]]; then
+    echo "❌ Error: No files matching 'zone-<zoneName>-values.yaml' found in $TARGET_DIR."
+    exit 1
+fi
+
+# 4. Zone Selection
+ZONES=()
+for file in "${ZONE_FILES[@]}"; do
+    filename=$(basename "$file")
+    # Extract zoneName by stripping 'zone-' prefix and '-values.yaml' suffix
+    zone=${filename#zone-}
+    zone=${zone%-values.yaml}
+    ZONES+=("$zone")
+done
+
+SELECTED_ZONE=""
+if [[ ${#ZONES[@]} -eq 1 ]]; then
+    SELECTED_ZONE="${ZONES[0]}"
+    echo "✅ Found a single zone configuration: $SELECTED_ZONE"
+else
+    echo ""
+    echo "Multiple zone configurations found. Please select which zone you want to install:"
+    PS3="Enter the number of the zone: "
+    select zone_choice in "${ZONES[@]}"; do
+        if [[ -n "$zone_choice" ]]; then
+            SELECTED_ZONE="$zone_choice"
+            break
+        else
+            echo "Invalid selection. Please try again."
+        fi
+    done
+fi
+
+# 5. Confirmation prompt
+echo ""
+read -p "Do you want to install the '$SELECTED_ZONE' Zone ArgoCD? (y/n): " confirm
+if [[ "$confirm" != "y" && "$confirm" != "Y" ]]; then
+    echo "Installation aborted by administrator."
+    exit 0
+fi
+
+echo "Proceeding with installation for zone: $SELECTED_ZONE..."
+echo "----------------------------------------"
+
+# 6. Render Secrets with argocd-vault-plugin
+# Map the provided environment variables to standard AVP expected variables
+export AVP_TYPE=vault
+export AVP_AUTH_TYPE=token
+export VAULT_ADDR="https://$VAULT_INFRA_DOMAIN"
+export VAULT_TOKEN="$VAULT_INFRA_TOKEN"
+
+# 7. Use AVP as a Helm Wrapper
+# This method renders the chart, injects the values, AND replaces placeholders in templates.
+
+CHART_PATH="$GITOPS_REPO_PATH/gitops/envs/conf-dso/apps/argocd"
+RELEASE_NAME="argocd-$SELECTED_ZONE"
+NAMESPACE="dso-argocd"
+
+echo "Step 1: Generating fully rendered manifest (Helm + AVP)..."
+
+# We use 'helm template' to build the manifest, then pipe it to AVP to swap placeholders.
+# We save this to a temporary file to pipe into 'kubectl apply' or 'helm install'.
+FINAL_MANIFEST=$(mktemp)
+# Ensure the temporary manifest is deleted when the script exits
+trap 'rm -f "$FINAL_MANIFEST"' EXIT
+
+echo "Ensuring namespace '$NAMESPACE' exists..."
+if ! kubectl get namespace "$NAMESPACE" &> /dev/null; then
+    echo "Creating namespace '$NAMESPACE'..."
+    kubectl create namespace "$NAMESPACE"
+else
+    echo "✅ Namespace '$NAMESPACE' already exists."
+fi
+
+helm dependency build "$CHART_PATH"
+helm template "$RELEASE_NAME" "$CHART_PATH" \
+    --namespace "$NAMESPACE" \
+    --values "$CHART_PATH/values.yaml" \
+    --values "$CHART_PATH/zone-$SELECTED_ZONE-values.yaml" \
+    | argocd-vault-plugin generate - > "$FINAL_MANIFEST"
+
+if [[ $? -ne 0 ]]; then
+    echo "❌ Error: argocd-vault-plugin failed to generate the manifest."
+    exit 1
+fi
+
+echo "✅ Manifest generated and secrets injected."
+
+# 8. Deploy to Cluster
+echo "Step 2: Deploying to cluster..."
+
+# 8a. Extract and Apply CRDs first
+echo "Installing CRDs first..."
+# This grep/sed logic finds the blocks that are Kind: CustomResourceDefinition
+# and applies only those to ensure the API server knows about them.
+awk '/^---/{if (p ~ /[kK]ind: CustomResourceDefinition/) print p; p=""} {p=p $0 "\n"} END{if (p ~ /[kK]ind: CustomResourceDefinition/) print p}' "$FINAL_MANIFEST" | kubectl apply -f -
+
+# 8b. Wait for CRDs to be established
+# This gives the Kubernetes API server a few seconds to register the new types
+echo "Waiting for CRDs to be ready..."
+kubectl wait --for condition=established --timeout=60s crd -l "app.kubernetes.io/part-of=argocd" 2>/dev/null || sleep 5
+
+# 8c. Apply the full manifest (including Namespace, Deployments, RBAC, etc.)
+echo "Applying full manifest..."
+echo ""
+if kubectl apply -f "$FINAL_MANIFEST" -n "$NAMESPACE" --server-side; then
+    echo "🎉 Deployment of $SELECTED_ZONE zone completed successfully!"
+else
+    echo "❌ Error: kubectl apply failed."
+    exit 1
+fi

roles/gitops/rendering-apps-files/templates/argocd/templates/argocd-zone-app.yml.j2

@@ -1,32 +1,29 @@
-{% set dsoZoneRepo = 'https://' + gitlab_domain + '/' + dsc.global.projectsRootDir | join('/') + '/infra/' + dsc.argocd.zoneName + '.git' %}
 apiVersion: argoproj.io/v1alpha1
 kind: AppProject
 metadata:
-  name: zone-{{ dsc.argocd.zoneName }}-project
-  namespace: {{ dsc.argocd.namespace }}
+  name: "zone-{{ '{{ .Values.zoneName }}' }}-project"
 spec:
   description: "Projet contenant l'Application responsable de tous les déploiements par zone"
   clusterResourceWhitelist:
   - group: '*'
     kind: '*'
   sourceRepos:
     - https://cloud-pi-native.github.io/helm-charts
-    - {{ dsoZoneRepo }}
+    - {{ '{{ .Values.dsoZoneRepo }}' }}
   destinations:
-    - namespace: {{ dsc.argocd.namespace }}
+    - namespace: {{ '{{ .Release.Namespace }}' }}
       server: "https://kubernetes.default.svc"
 
 ---      
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: zone-{{ dsc.argocd.zoneName }}-app
-  namespace: {{ dsc.argocd.namespace }}
+  name: "zone-{{ '{{ .Values.zoneName }}' }}-app"
 spec:
   destination:
-    namespace: {{ dsc.argocd.namespace }}
+    namespace: {{ '{{ .Release.Namespace }}' }}
     server: https://kubernetes.default.svc
-  project: zone-{{ dsc.argocd.zoneName }}-project
+  project: "zone-{{ '{{ .Values.zoneName }}' }}-project"
   sources:
   - chart: dso-argocd-zone
     targetRevision: {{ dsc.argocd.zoneChartVersion | quote }}
@@ -36,8 +33,8 @@ spec:
       - ./values.yaml
       - $argocdValues/argocd-values.yaml
       values: |
-        dsoZoneRepo: {{ dsoZoneRepo }}
+        dsoZoneRepo: {{ '{{ .Values.dsoZoneRepo }}' }}
         autosync: true
-  - repoURL: {{ dsoZoneRepo }}
+  - repoURL: {{ '{{ .Values.dsoZoneRepo }}' }}
     targetRevision: HEAD
     ref: argocdValues

roles/gitops/rendering-apps-files/templates/argocd/templates/clusterrolebinding-openshift.yml.j2

@@ -10,17 +10,17 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   name: "{{ dsc_name }}-argocd-repo-server"
-  namespace: "{{ dsc.argocd.namespace }}"
+  namespace: "{{ '{{ .Release.Namespace }}' }}"
 - kind: ServiceAccount
   name: argocd-server
-  namespace: "{{ dsc.argocd.namespace }}"
+  namespace: "{{ '{{ .Release.Namespace }}' }}"
 - kind: ServiceAccount
   name: "{{ dsc_name }}-redis"
-  namespace: "{{ dsc.argocd.namespace }}"
+  namespace: "{{ '{{ .Release.Namespace }}' }}"
 - kind: ServiceAccount
   name: "{{ dsc_name }}-redis-ha"
-  namespace: "{{ dsc.argocd.namespace }}"
+  namespace: "{{ '{{ .Release.Namespace }}' }}"
 - kind: ServiceAccount
   name: "{{ dsc_name }}-redis-ha-haproxy"
-  namespace: "{{ dsc.argocd.namespace }}"
+  namespace: "{{ '{{ .Release.Namespace }}' }}"
 {% endif %}

roles/gitops/rendering-apps-files/templates/argocd/templates/helm-docker-registry-secret.yml.j2

@@ -4,7 +4,6 @@ apiVersion: v1
 kind: Secret
 metadata:
   name: helm-docker-registry-secret
-  namespace: {{ dsc.argocd.namespace }}
 type: Opaque
 stringData:
   username: <path:{{ vaultinfra_kv_name }}/data/env/{{ dsc_name }}/apps/global/values#dockerAccount | jsonPath {.username}>