feat: gitops-onprem

Author: mikhail-klimko

charts/codefresh-gitops/Chart.lock

@@ -0,0 +1,42 @@
+dependencies:
+- name: cf-common
+  repository: oci://quay.io/codefresh/charts
+  version: 0.27.0
+- name: internal-gateway
+  repository: oci://quay.io/codefresh/charts
+  version: 0.10.4
+- name: mongodb
+  repository: https://charts.bitnami.com/bitnami
+  version: 15.6.26
+- name: postgresql
+  repository: https://charts.bitnami.com/bitnami
+  version: 16.7.4
+- name: redis
+  repository: https://charts.bitnami.com/bitnami
+  version: 20.13.4
+- name: rabbitmq
+  repository: https://charts.bitnami.com/bitnami
+  version: 15.5.3
+- name: cfapi
+  repository: oci://quay.io/codefresh/charts
+  version: 21.282.3
+- name: runtime-environment-manager
+  repository: oci://quay.io/codefresh/charts
+  version: 3.42.2
+- name: cfui
+  repository: oci://quay.io/codefresh/charts
+  version: 14.99.7
+- name: cf-platform-analytics
+  repository: oci://quay.io/codefresh/charts
+  version: 0.50.2
+- name: cf-platform-analytics
+  repository: oci://quay.io/codefresh/charts
+  version: 0.50.2
+- name: argo-platform
+  repository: oci://quay.io/codefresh/charts
+  version: 1.3570.0
+- name: argo-hub-platform
+  repository: oci://quay.io/codefresh/charts
+  version: 0.1.24
+digest: sha256:37cbd8cc05247116c6592e97f1ac2a694bd18356c56450a01bc834cc5cc0ad55
+generated: "2025-06-12T16:36:27.827516+03:00"

charts/codefresh-gitops/files/seed/accounts.json

@@ -1,5 +1,6 @@
 {
   "_id": ObjectId("59009117c102763beda7ce71"),
+  "systemType": "GITOPS",
   "badgeToken": "eyJhbGciOiJIUzI1NiJ9.NTkwMDkxMTdjMTAyNzYzYmVkYTdjZTcx.B0HOUL6HlpTRNr_e95pVucSRMRzP2cobe5kIoMtrDSc",
   "createdAt": ISODate("2017-04-26T12:22:48.001+0000"),
   "updatedAt": ISODate("2017-04-26T12:27:13.720+0000"),
@@ -34,4 +35,4 @@
   ],
   "localUserPasswordIDPEnabled": true,
   "__v": NumberInt(0)
-}
+}

charts/codefresh-gitops/files/seed/mongoSeedJobScript.sh

@@ -12,34 +12,29 @@ export MONGODB_ROOT_PASSWORD=...
 
 COMMENT
 
-# set -eou pipefail
+if [[ -n $DEBUG ]]; then
+    set -o xtrace
+fi
 
 ASSETS_PATH=${ASSETS_PATH:-/usr/share/extras/}
+MTLS_CERT_PATH=${MTLS_CERT_PATH:-/etc/ssl/mongodb/ca.pem}
 
 MONGODB_DATABASES=(
     "archive"
     "audit"
-    "charts-manager"
-    "cluster-providers"
     "codefresh"
-    "context-manager"
-    "gitops-dashboard-manager"
-    "k8s-monitor"
-    "pipeline-manager"
     "platform-analytics-postgres"
     "read-models"
     "runtime-environment-manager"
-    "onboarding-status"
-    "payments"
 )
 
 disableMongoTelemetry() {
-    mongosh --nodb --eval "disableTelemetry()"
+    mongosh --nodb --eval "disableTelemetry()" || true
 }
 
 waitForMongoDB() {
     while true; do
-        status=$(mongosh ${MONGODB_ROOT_URI} --eval "db.adminCommand('ping')" 2>&1)
+        status=$(mongosh ${MONGODB_ROOT_URI} ${MONGO_URI_EXTRA_PARAMS} --eval "db.adminCommand('ping')" 2>&1)
 
         echo -e "MongoDB status:\n$status"
         if $(echo $status | grep 'ok: 1' -q); then
@@ -56,12 +51,23 @@ parseMongoURI() {
     local parameters="$(echo $1 | grep '?' | cut -d '?' -f2)"; if [[ -n $parameters ]]; then parameters="?${parameters}"; fi
     local url="$(echo ${1/$proto/})"
     local userpass="$(echo $url | grep @ | cut -d@ -f1)"
-    local hostport="$(echo $url | sed s/$userpass// | sed "s/\/\?$parameters//" | sed -re "s/\/\?|@//g" | sed 's/\/$//')"
+    if [[ -z $userpass ]]; then
+        local hostport="$(echo $url | sed "s/\/\?$parameters//" | sed -re "s/\/\?|@//g" | sed 's/\/$//')"
+        MONGO_URI="$proto$hostport/${MONGODB_DATABASE}$parameters"
+    else
+        local hostport="$(echo $url | sed s/$userpass// | sed "s/\/\?$parameters//" | sed -re "s/\/\?|@//g" | sed 's/\/$//')"
+        MONGODB_PASSWORD="$(echo $userpass | grep : | cut -d: -f2)"
+        MONGODB_USER="$(echo $userpass | grep : | cut -d: -f1)"
+        MONGO_URI="$proto$userpass@$hostport/${MONGODB_DATABASE}$parameters"
+    fi
+
+
+    if [[ -z $MONGODB_ROOT_OPTIONS ]]; then
+        MONGODB_ROOT_URI="$proto${MONGODB_ROOT_USER}:${MONGODB_ROOT_PASSWORD}@$hostport/admin$parameters"
+    else
+        MONGODB_ROOT_URI="$proto${MONGODB_ROOT_USER}:${MONGODB_ROOT_PASSWORD}@$hostport/admin?${MONGODB_ROOT_OPTIONS}"
+    fi
 
-    MONGODB_PASSWORD="$(echo $userpass | grep : | cut -d: -f2)"
-    MONGODB_USER="$(echo $userpass | grep : | cut -d: -f1)"
-    MONGO_URI="$proto$userpass@$hostport/${MONGODB_DATABASE}$parameters"
-    MONGODB_ROOT_URI="$proto${MONGODB_ROOT_USER}:${MONGODB_ROOT_PASSWORD}@$hostport/admin$parameters"
 }
 
 getMongoVersion() {
@@ -82,6 +88,14 @@ setPacks() {
 
 parseMongoURI $MONGO_URI
 
+if [[ -s ${MTLS_CERT_PATH} ]]; then
+    MONGO_URI_EXTRA_PARAMS="--tls --tlsCertificateKeyFile ${MTLS_CERT_PATH} --tlsAllowInvalidHostnames --tlsAllowInvalidCertificates"
+    MONGOIMPORT_EXTRA_PARAMS="--ssl --sslPEMKeyFile ${MTLS_CERT_PATH} --sslAllowInvalidHostnames --sslAllowInvalidCertificates"
+else
+    MONGO_URI_EXTRA_PARAMS=""
+    MONGOIMPORT_EXTRA_PARAMS=""
+fi
+
 disableMongoTelemetry
 
 waitForMongoDB
@@ -90,20 +104,23 @@ getMongoVersion
 
 for MONGODB_DATABASE in ${MONGODB_DATABASES[@]}; do
     waitForMongoDB
-    mongosh ${MONGODB_ROOT_URI} --eval "db.getSiblingDB(\"${MONGODB_DATABASE}\").createUser({user: \"${MONGODB_USER}\", pwd: \"${MONGODB_PASSWORD}\", roles: [\"readWrite\"]})" 2>&1 || true
+    mongosh ${MONGODB_ROOT_URI} ${MONGO_URI_EXTRA_PARAMS} --eval "db.getSiblingDB(\"${MONGODB_DATABASE}\").createUser({user: \"${MONGODB_USER}\", pwd: \"${MONGODB_PASSWORD}\", roles: [\"readWrite\"]})" 2>&1 || true
     waitForMongoDB
-    mongosh ${MONGODB_ROOT_URI} --eval "db.getSiblingDB(\"${MONGODB_DATABASE}\").changeUserPassword(\"${MONGODB_USER}\",\"${MONGODB_PASSWORD}\")" 2>&1 || true
+    mongosh ${MONGODB_ROOT_URI} ${MONGO_URI_EXTRA_PARAMS} --eval "db.getSiblingDB(\"${MONGODB_DATABASE}\").changeUserPassword(\"${MONGODB_USER}\",\"${MONGODB_PASSWORD}\")" 2>&1 || true
+
+    # MongoDB Atlas
+    mongosh ${MONGODB_ROOT_URI} ${MONGO_URI_EXTRA_PARAMS} --eval "db = db.getSiblingDB(\"${MONGODB_DATABASE}\"); db[\"${MONGODB_DATABASE}\"].insertOne({ name: \"init\", value: true })" 2>&1 || true
 done
 
-mongosh ${MONGODB_ROOT_URI} --eval "db.getSiblingDB(\"codefresh\").grantRolesToUser( \"${MONGODB_USER}\", [ { role: \"readWrite\", db: \"pipeline-manager\" } ] )" 2>&1 || true
-mongosh ${MONGODB_ROOT_URI} --eval "db.getSiblingDB(\"codefresh\").grantRolesToUser( \"${MONGODB_USER}\", [ { role: \"readWrite\", db: \"platform-analytics-postgres\" } ] )" 2>&1 || true
-mongosh ${MONGODB_ROOT_URI} --eval "db.getSiblingDB(\"codefresh\").changeUserPassword(\"${MONGODB_USER}\",\"${MONGODB_PASSWORD}\")" 2>&1 || true
+mongosh ${MONGODB_ROOT_URI} ${MONGO_URI_EXTRA_PARAMS} --eval "db.getSiblingDB(\"codefresh\").grantRolesToUser( \"${MONGODB_USER}\", [ { role: \"readWrite\", db: \"pipeline-manager\" } ] )" 2>&1 || true
+mongosh ${MONGODB_ROOT_URI} ${MONGO_URI_EXTRA_PARAMS} --eval "db.getSiblingDB(\"codefresh\").grantRolesToUser( \"${MONGODB_USER}\", [ { role: \"readWrite\", db: \"platform-analytics-postgres\" } ] )" 2>&1 || true
+mongosh ${MONGODB_ROOT_URI} ${MONGO_URI_EXTRA_PARAMS} --eval "db.getSiblingDB(\"codefresh\").changeUserPassword(\"${MONGODB_USER}\",\"${MONGODB_PASSWORD}\")" 2>&1 || true
 
 if [[ $DEVELOPMENT_CHART == "true" ]]; then
     setSystemAdmin
     setPacks
 fi
 
-mongoimport --uri ${MONGO_URI} --collection idps --type json --legacy --file ${ASSETS_PATH}idps.json
-mongoimport --uri ${MONGO_URI} --collection accounts --type json --legacy --file ${ASSETS_PATH}accounts.json
-mongoimport --uri ${MONGO_URI} --collection users --type json --legacy --file ${ASSETS_PATH}users.json
+mongoimport --uri ${MONGO_URI} ${MONGOIMPORT_EXTRA_PARAMS} --collection idps --type json --legacy --file ${ASSETS_PATH}idps.json
+mongoimport --uri ${MONGO_URI} ${MONGOIMPORT_EXTRA_PARAMS} --collection accounts --type json --legacy --file ${ASSETS_PATH}accounts.json
+mongoimport --uri ${MONGO_URI} ${MONGOIMPORT_EXTRA_PARAMS} --collection users --type json --legacy --file ${ASSETS_PATH}users.json

charts/codefresh-gitops/templates/_env_var_secret_ref.tpl

@@ -189,11 +189,11 @@ valueFrom:
 POSTGRES_SEED_USER env var value
 */}}
 {{- define "codefresh-gitops.postgres-seed-user-env-var-value" }}
-  {{- if or .Values.seed.postgresSeedJob.postgresUserSecretKeyRef .Values.global.postgresSeedJob.postgresUserSecretKeyRef .Values.global.postgresUserSecretKeyRef  }}
+  {{- if and .Values.seed.postgresSeedJob.postgresUserSecretKeyRef  }}
 valueFrom:
   secretKeyRef:
-    {{- coalesce .Values.seed.postgresSeedJob.postgresUserSecretKeyRef .Values.global.postgresSeedJob.postgresUserSecretKeyRef .Values.global.postgresUserSecretKeyRef | toYaml | nindent 4 }}
-  {{- else if or .Values.seed.postgresSeedJob.postgresUser .Values.global.postgresSeedJob.postgresUser .Values.global.postgresUser }}
+    {{- .Values.seed.postgresSeedJob.postgresUserSecretKeyRef | toYaml | nindent 4 }}
+  {{- else if or .Values.seed.postgresSeedJob.postgresUser .Values.global.postgresUser }}
 valueFrom:
   secretKeyRef:
     name: {{ include "codefresh-gitops.fullname" . }}
@@ -206,11 +206,11 @@ valueFrom:
 POSTGRES_SEED_PASSWORD env var value
 */}}
 {{- define "codefresh-gitops.postgres-seed-password-env-var-value" }}
-  {{- if or .Values.seed.postgresSeedJob.postgresPasswordSecretKeyRef .Values.global.postgresSeedJob.postgresPasswordSecretKeyRef .Values.global.postgresPasswordSecretKeyRef  }}
+  {{- if and .Values.seed.postgresSeedJob.postgresPasswordSecretKeyRef }}
 valueFrom:
   secretKeyRef:
-    {{- coalesce .Values.seed.postgresSeedJob.postgresPasswordSecretKeyRef .Values.global.postgresSeedJob.postgresPasswordSecretKeyRef .Values.global.postgresPasswordSecretKeyRef | toYaml | nindent 4 }}
-  {{- else if or .Values.seed.postgresSeedJob.postgresPassword .Values.global.postgresSeedJob.postgresPassword .Values.global.postgresPassword }}
+    {{- coalesce .Values.seed.postgresSeedJob.postgresPasswordSecretKeyRef | toYaml | nindent 4 }}
+  {{- else if or .Values.seed.postgresSeedJob.postgresPassword .Values.global.postgresPassword }}
 valueFrom:
   secretKeyRef:
     name: {{ include "codefresh-gitops.fullname" . }}

charts/codefresh-gitops/templates/_helpers.tpl

@@ -72,3 +72,30 @@ Return the secret containing TLS certificates for Ingress
     {{- printf "%s-%s" (include "codefresh-gitops.fullname" .) .Values.ingress.tls.secretName -}}
 {{- end -}}
 {{- end -}}
+
+{{/*
+Return Image Pull Secret
+*/}}
+{{- define "codefresh-gitops.imagePullSecret" }}
+{{- if index .Values ".dockerconfigjson" -}}
+{{- printf "%s" (index .Values ".dockerconfigjson") }}
+{{- else }}
+{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.imageCredentials.registry (printf "%s:%s" .Values.imageCredentials.username .Values.imageCredentials.password | b64enc) | b64enc }}
+{{- end }}
+{{- end }}
+
+{{/*
+Calculate Mongo Uri (for On-Prem)
+Usage:
+{{ include "codefresh.calculateMongoUri" (dict "dbName" .Values.path.to.the.value "mongoURI" .Values.path.to.the.value) }}
+*/}}
+{{- define "codefresh-gitops.calculateMongoUri" -}}
+  {{- if contains "?" .mongoURI -}}
+    {{- $mongoURI :=  (splitList "?" .mongoURI) -}}
+    {{- printf "%s%s?%s" (first $mongoURI) .dbName (last $mongoURI) }}
+  {{- else if .mongoURI -}}
+    {{- printf "%s/%s" (trimSuffix "/" .mongoURI) .dbName -}}
+  {{- else -}}
+    {{- printf "" -}}
+  {{- end -}}
+{{- end -}}

charts/codefresh-gitops/templates/configmaps/runtime-envs-cm.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: runtime-environments
+  labels:
+    {{ include "codefresh-gitops.labels" . | nindent 4 }}
+data:
+  runtimeEnvironments.json: |
+{{ include "runtime-environment-config" . | indent 4 }}

charts/codefresh-gitops/templates/configmaps/runtimeEnvironments.json.tpl

@@ -0,0 +1,40 @@
+{{- define "runtime-environment-config" -}}
+[
+  {
+    "metadata": {
+      "name": "system/default"
+    },
+    "description": "System default template for plan",
+    "environmentCertPath": "/etc/ssl/cf/",
+    "dockerDaemonScheduler": {
+      "type": "ConsulNodes",
+      "cluster": {
+        "name": "codefresh",
+        "type": "builder",
+        "returnRunnerIfNoBuilder": true
+      },
+      "notCheckServerCa": true,
+      "clientCertPath": "/etc/ssl/cf/"
+    },
+    "runtimeScheduler": {
+      "type": "KubernetesPod",
+      "internalInfra": true,
+      "cluster": {
+        "inCluster": true,
+        "namespace": "{{ .Release.Namespace }}"
+      },
+      "image": "us-docker.pkg.dev/codefresh-inc/public-gcr-io/codefresh/engine:latest",
+      "command": [
+        "npm",
+        "run",
+        "start"
+      ],
+      "envVars": {
+      },
+      "volumeMounts": {},
+      "volumes": {}
+    },
+    "isPublic": true
+  }
+]
+{{- end -}}

charts/codefresh-gitops/templates/configmaps/version-info-cm.yaml

@@ -1,4 +1,4 @@
-{{ $name := printf "%v-%v-%v" .Release.Name .Values.global.codefresh "version-info" }}
+{{ $name := printf "%v-%v" (include "codefresh-gitops.fullname" .) "version-info" }}
 apiVersion: v1
 kind: ConfigMap
 metadata:

charts/codefresh-gitops/templates/hooks/pre-upgrade/set-mongodb-compat-version.yaml

@@ -13,49 +13,49 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: {{ include "codefresh.fullname" . }}-set-mongodb-compat-version
+  name: {{ include "codefresh-gitops.fullname" . }}-set-mongodb-compat-version
   labels:
-    {{ include "codefresh.labels" . | nindent 4 }}
+    {{ include "codefresh-gitops.labels" . | nindent 4 }}
   annotations:
     "helm.sh/hook": pre-upgrade
     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
 spec:
   ttlSecondsAfterFinished: 180
   template:
     metadata:
-      name: {{ include "codefresh.fullname" . }}-set-mongodb-compat-version
+      name: {{ include "codefresh-gitops.fullname" . }}-set-mongodb-compat-version
       labels:
-        {{ include "codefresh.labels" . | nindent 8 }}
+        {{ include "codefresh-gitops.labels" . | nindent 8 }}
     spec:
       {{- include (printf "%s.image.pullSecrets" $libTemplateName ) . | nindent 6 }}
       securityContext:
         {{- toYaml .Values.hooks.mongodb.podSecurityContext | nindent 8 }}
       containers:
-      - name: {{ include "codefresh.fullname" . }}-set-mongodb-compat-version
+      - name: {{ include "codefresh-gitops.fullname" . }}-set-mongodb-compat-version
         image: {{ include (printf "%s.image.name" $libTemplateName) (dict "image" .Values.hooks.mongodb.image "context" .) }}
         envFrom:
           - secretRef:
-              name: {{ include "codefresh.fullname" . }}
+              name: {{ include "codefresh-gitops.fullname" . }}
         env:
           - name: MONGODB_HOST
-          {{- include "codefresh.mongodb-host-env-var-value" . | indent 12 }}
+          {{- include "codefresh-gitops.mongodb-host-env-var-value" . | indent 12 }}
           - name: MONGODB_USER
-          {{- include "codefresh.mongodb-user-env-var-value" . | indent 12 }}
+          {{- include "codefresh-gitops.mongodb-user-env-var-value" . | indent 12 }}
           - name: MONGODB_PASSWORD
-          {{- include "codefresh.mongodb-password-env-var-value" . | indent 12 }}
+          {{- include "codefresh-gitops.mongodb-password-env-var-value" . | indent 12 }}
           - name: MONGO_URI
-          {{- include "codefresh.mongo-seed-uri-env-var-value" . | indent 12 }}
+          {{- include "codefresh-gitops.mongo-seed-uri-env-var-value" . | indent 12 }}
           - name: MONGODB_ROOT_USER
-          {{- include "codefresh.mongodb-root-user-env-var-value" . | indent 12 }}
+          {{- include "codefresh-gitops.mongodb-root-user-env-var-value" . | indent 12 }}
           - name: MONGODB_ROOT_PASSWORD
-          {{- include "codefresh.mongodb-root-password-env-var-value" . | indent 12 }}
+          {{- include "codefresh-gitops.mongodb-root-password-env-var-value" . | indent 12 }}
           - name: MONGODB_COMPAT_VERSION
             value: "{{ .Values.mongodb.migration.featureCompatibilityVersion }}"
         command:
           - "/bin/bash"
           - "-c"
           - |
-            {{ .Files.Get "files/mongoSetCompatibilityVersion.sh" | nindent 12  }}
+            {{ .Files.Get "files/hooks/mongoSetCompatibilityVersion.sh" | nindent 12  }}
         resources:
           {{- toYaml .Values.hooks.mongodb.resources | nindent 10 }}
         volumeMounts:

charts/codefresh-gitops/templates/ingress.yaml

@@ -1,4 +1,4 @@
-{{- $ingressName := printf "%s-ingress" (include "codefresh.fullname" .) }}
+{{- $ingressName := printf "%s-ingress" (include "codefresh-gitops.fullname" .) }}
 {{- if and (hasKey .Values.ingress "nameOverride") .Values.ingress.nameOverride }}
   {{- $ingressName = .Values.ingress.nameOverride }}
 {{- end }}
@@ -8,7 +8,7 @@ kind: Ingress
 metadata:
   name: {{ $ingressName }}
   labels:
-    {{ include "codefresh.labels" . | nindent 4 }}
+    {{ include "codefresh-gitops.labels" . | nindent 4 }}
   {{- with .Values.ingress.labels }}
     {{ toYaml . | nindent 4 }}
   {{- end }}