feat: multi runtime install

mikhail-klimko · mikhail-klimko · commit 03343f5f7a29 · 2025-07-25T17:26:20.000+03:00
diff --git a/charts/gitops-runtime/Chart.yaml b/charts/gitops-runtime/Chart.yaml
@@ -32,6 +32,7 @@ dependencies:
 - name: sealed-secrets
   repository: https://bitnami-labs.github.io/sealed-secrets/
   version: 2.17.2
+  condition: sealed-secrets.enabled
 - name: codefresh-tunnel-client
   repository: oci://quay.io/codefresh/charts
   version: 0.1.21
diff --git a/charts/gitops-runtime/templates/_components/cf-argocd-extras/event-reporter/_rbac.yaml b/charts/gitops-runtime/templates/_components/cf-argocd-extras/event-reporter/_rbac.yaml
@@ -11,6 +11,18 @@
 {{/* Workaround to NOT change label selectors from previous runtime release when event-reporter was part of cf-argocd-extras Subchart */}}
 {{- $_ := set $context.Values "nameOverride" "cf-argocd-extras" }}
 
+{{/* Remove nonResourceURLs when RBAC is namespaced */}}
+{{- $rules := $context.Values.rbac.rules }}
+{{- if $context.Values.rbac.namespaced }}
+    {{- $rules = list }}
+        {{- range $context.Values.rbac.rules }}
+            {{- if not .nonResourceURLs }}
+                {{- $rules = append $rules . }}
+            {{- end }}
+    {{- end }}
+{{- end }}
+{{- $_ := set $context.Values.rbac "rules" $rules }}
+
 {{- $templateName := printf "cf-common-%s.rbac" (index .Subcharts "cf-common").Chart.Version }}
 {{- include $templateName $context }}
 
diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/_default_values.tpl b/charts/gitops-runtime/templates/_components/gitops-operator/_default_values.tpl
@@ -14,6 +14,9 @@ global:
 
 replicaCount: 1
 
+# -- Restrict the gitops operator to a single namespace (by the namespace of Helm release)
+singleNamespace: false
+
 # -- Codefresh gitops operator crds
 crds:
   # -- Whether or not to install CRDs
diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/promotion-template/_rbac.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/promotion-template/_rbac.yaml
@@ -1,7 +1,7 @@
 
 {{- define "gitops-operator.resources.promotion-template-rbac" }}
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+kind: {{ .Values.singleNamespace | ternary "Role" "ClusterRole" }}
 metadata:
   labels:
     {{- include "gitops-operator.selectorLabels" . | nindent 4 }}
@@ -45,14 +45,14 @@ rules:
 
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: {{ .Values.singleNamespace | ternary "RoleBinding" "ClusterRoleBinding" }}
 metadata:
   labels:
     {{- include "gitops-operator.selectorLabels" . | nindent 4 }}
   name: promotion-template
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
+  kind: {{ .Values.singleNamespace | ternary "Role" "ClusterRole" }}
   name: promotion-template
 subjects:
 - kind: ServiceAccount
diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_auth_proxy_rbac.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_auth_proxy_rbac.yaml
@@ -1,7 +1,7 @@
 
 {{- define "gitops-operator.resources.auth-proxy-rbac" }}
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+kind: {{ .Values.singleNamespace | ternary "Role" "ClusterRole" }}
 metadata:
   labels:
     {{- include "gitops-operator.selectorLabels" . | nindent 4 }}
@@ -22,14 +22,14 @@ rules:
 
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: {{ .Values.singleNamespace | ternary "RoleBinding" "ClusterRoleBinding" }}
 metadata:
   labels:
     {{- include "gitops-operator.selectorLabels" . | nindent 4 }}
   name: codefresh-gitops-operator-proxy
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
+  kind: {{ .Values.singleNamespace | ternary "Role" "ClusterRole" }}
   name: codefresh-gitops-operator-proxy
 subjects:
 - kind: ServiceAccount
diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_rbac_operator.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_rbac_operator.yaml
@@ -1,7 +1,7 @@
 
 {{- define "gitops-operator.resources.rbac-operator" }}
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+kind: {{ .Values.singleNamespace | ternary "Role" "ClusterRole" }}
 metadata:
   labels:
     {{- include "gitops-operator.selectorLabels" . | nindent 4 }}
@@ -26,6 +26,7 @@ rules:
   - patch
   - update
   - watch
+{{- if not .Values.singleNamespace }}
 - apiGroups:
   - codefresh.io
   resources:
@@ -52,6 +53,7 @@ rules:
   - get
   - patch
   - update
+{{- end }}
 - apiGroups:
   - ""
   resources:
@@ -72,29 +74,29 @@ rules:
 
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: {{ .Values.singleNamespace | ternary "RoleBinding" "ClusterRoleBinding" }}
 metadata:
   labels:
     {{- include "gitops-operator.selectorLabels" . | nindent 4 }}
   name: codefresh-gitops-operator
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
+  kind: {{ .Values.singleNamespace | ternary "Role" "ClusterRole" }}
   name: codefresh-gitops-operator
 subjects:
 - kind: ServiceAccount
   name: {{ include "gitops-operator.serviceAccountName" . }}
   namespace: {{ .Release.Namespace }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: {{ .Values.singleNamespace | ternary "RoleBinding" "ClusterRoleBinding" }}
 metadata:
   labels:
     {{- include "gitops-operator.selectorLabels" . | nindent 4 }}
   name: codefresh-gitops-operator-workflows
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
+  kind: {{ .Values.singleNamespace | ternary "Role" "ClusterRole" }}
   name: argo-edit
 subjects:
 - kind: ServiceAccount
diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_restricted_git_source.rbac.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_restricted_git_source.rbac.yaml
@@ -1,5 +1,6 @@
 
 {{- define "gitops-operator.resources.restricted-git-source-rbac" }}
+  {{- if not .Values.singleNamespace }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -80,4 +81,5 @@ subjects:
 - kind: ServiceAccount
   name: {{ include "gitops-operator.serviceAccountName" . }}
   namespace: {{ .Release.Namespace }}
+  {{- end }}
 {{- end }}
diff --git a/charts/gitops-runtime/templates/_helpers.tpl b/charts/gitops-runtime/templates/_helpers.tpl
@@ -431,11 +431,14 @@ Output comma separated list of installed runtime components
 */}}
 {{- define "codefresh-gitops-runtime.component-list"}}
   {{- $argoEvents := dict "name" "argo-events" "version" (get .Subcharts "argo-events").Chart.AppVersion }}
-  {{- $sealedSecrets := dict "name" "sealed-secrets" "version" (get .Subcharts "sealed-secrets").Chart.AppVersion }}
   {{- $internalRouter := dict "name" "internal-router" "version" .Chart.AppVersion }}
   {{- $appProxy := dict "name" "app-proxy" "version" (index (get .Values "app-proxy") "image" "tag") }}
   {{- $sourcesServer := dict "name" "sources-server" "version" (get .Values "cf-argocd-extras").sourcesServer.container.image.tag }}
-  {{- $comptList := list $argoEvents $appProxy $sealedSecrets $internalRouter $sourcesServer }}
+  {{- $comptList := list $argoEvents $appProxy $internalRouter $sourcesServer }}
+{{- if and (index .Values "sealed-secrets" "enabled") }}
+  {{- $sealedSecrets := dict "name" "sealed-secrets" "version" (get .Subcharts "sealed-secrets").Chart.AppVersion }}
+  {{- $comptList = append $comptList $sealedSecrets }}
+{{- end }}
 {{- if and (index .Values "argo-cd" "enabled") }}
   {{- $argoCD := dict "name" "argocd" "version" (get .Subcharts "argo-cd").Chart.AppVersion }}
   {{- $comptList = append $comptList $argoCD }}
diff --git a/charts/gitops-runtime/templates/app-proxy/workflows-crb.yaml b/charts/gitops-runtime/templates/app-proxy/workflows-crb.yaml
@@ -4,12 +4,12 @@
 {{- $_ := set $appProxyContext "Values" (deepCopy (get .Values "app-proxy")) }}
 {{- $_ := set $appProxyContext.Values "global" (deepCopy (get .Values "global")) }}
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: {{ $appProxyContext.Values.singleNamespace | ternary "RoleBinding" "ClusterRoleBinding" }}
 metadata:
   name: cap-app-proxy-argo-workflows
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
+  kind: {{ $appProxyContext.Values.singleNamespace | ternary "Role" "ClusterRole" }}
   name: {{ include "codefresh-gitops-runtime.argo-workflows.server.name" . }}
 subjects:
   - kind: ServiceAccount
diff --git a/charts/gitops-runtime/values.yaml b/charts/gitops-runtime/values.yaml
@@ -519,6 +519,8 @@ tunnel-client:
 #-----------------------------------------------------------------------------------------------------------------------
 app-proxy:
   replicaCount: 1
+  # -- Restrict the app-proxy to a single namespace (by the namespace of Helm release)
+  singleNamespace: false
   # -- Image enrichment process configuration
   image-enrichment:
     # -- Enable or disable enrichment process. Please note that for enrichemnt, argo-workflows has to be enabled as well.
@@ -685,6 +687,9 @@ gitops-operator:
     annotations: {}
     # -- Additional labels for gitops operator CRDs
     additionalLabels: {}
+  # -- Restrict the gitops operator to a single namespace (by the namespace of Helm release)
+  singleNamespace: false
+  # -- GitOps operator configuration
   config:
     # -- Task polling interval
     taskPollingInterval: 10s
@@ -696,8 +701,8 @@ gitops-operator:
     maxConcurrentReleases: 100
     # -- An optional template for the promotion wrapper (empty default will use the embedded one)
     promotionWrapperTemplate: ''
+  # -- GitOps operator image
   image:
-    # -- defaults
     registry: quay.io
     repository: codefresh/codefresh-gitops-operator
     tag: v0.8.7
