Document on how to use Argo CD for managing OpenShift cluster configurations across multiple clusters

Srivaralakshmi · Srivaralakshmi · commit 7bd4328520d3 · 2023-05-08T13:43:22.000+05:30
document installing cluster-scoped and namespace-scoped Operators using GitOps
diff --git a/cicd/gitops/configuring-an-openshift-cluster-by-deploying-an-application-with-cluster-configurations.adoc b/cicd/gitops/configuring-an-openshift-cluster-by-deploying-an-application-with-cluster-configurations.adoc
@@ -10,8 +10,13 @@ With {gitops-title}, you can configure Argo CD to recursively sync the content o
 
 .Prerequisites
 
-* {gitops-title} is installed in your cluster.
-* Logged into Argo CD instance.
+* You have logged in to the `product-title` cluster as an administrator.
+* You have installed the `gitops-title` Operator in your cluster.
+* You have logged into Argo CD instance.
+
+include::modules/gitops-using-argo-cd-instance-to-manage-cluster-scoped-resources.adoc[leveloffset=+1]
+
+include::modules/gitops-default-permissions-of-an-argocd-instance.adoc[leveloffset=+1]
 
 include::modules/go-run-argo-cd-instance-on-infrastructure-nodes.adoc[leveloffset=+1]
 
@@ -29,3 +34,5 @@ include::modules/gitops-synchronizing-your-application-application-with-your-git
 include::modules/gitops-inbuilt-permissions-for-cluster-config.adoc[leveloffset=+1]
 
 include::modules/gitops-additional-permissions-for-cluster-config.adoc[leveloffset=+1]
+
+include::modules/gitops-installing-olm-operators-using-gitops.adoc[leveloffset=+1]
diff --git a/modules/gitops-default-permissions-of-an-argocd-instance.adoc b/modules/gitops-default-permissions-of-an-argocd-instance.adoc
@@ -0,0 +1,43 @@
+// Module included in the following assembly:
+//
+// * gitops/configuring_argo_cd_to_recursively_sync_a_git_repository_with_your_application/configuring-an-openshift-cluster-by-deploying-an-application-with-cluster-configurations.adoc
+
+:_content-type: PROCEDURE
+[id="default-permissions-of-an-argocd-instance.adoc{context}"]
+
+= Default permissions of an Argocd instance
+
+By default Argo CD instance has the following permissions:
+
+* Argo CD instance has the `admin` privileges to manage resources only in the namespace where it is deployed. For instance, an Argo CD instance deployed in the **foo** namespace has the `admin` privileges to manage resources only for that namespace.
+
+* Argo CD has the following cluster-scoped permissions because Argo CD requires cluster-wide `read` privileges on resources to function appropriately:
++
+[source,yaml]
+----
+- verbs:
+    - get
+    - list
+    - watch
+   apiGroups:
+    - '*'
+   resources:
+    - '*'
+ - verbs:
+    - get
+    - list
+   nonResourceURLs:
+    - '*'
+----
+
+[NOTE]
+====
+* You can edit the cluster roles used by the `argocd-server` and `argocd-application-controller` components where Argo CD is running such that the `write` privileges are limited to only the namespaces and resources that you wish Argo CD to manage.
++
+[source,terminal]
+----
+$ oc edit clusterrole argocd-server
+$ oc edit clusterrole argocd-application-controller
+----
+====
+
diff --git a/modules/gitops-installing-olm-operators-using-gitops.adoc b/modules/gitops-installing-olm-operators-using-gitops.adoc
@@ -0,0 +1,80 @@
+// Module included in the following assembly:
+//
+// * configuring-an-openshift-cluster-by-deploying-an-application-with-cluster-configurations.adoc
+
+:_content-type: PROCEDURE
+[id="gitops-installing-olm-operators-using-gitops_{context}"]
+= Installing OLM Operators using {gitops-title}
+
+{gitops-title} with cluster configurations manages specific cluster-scoped resources and takes care of installing cluster Operators or any namespace-scoped OLM Operators.
+
+Consider a case where as a cluster administrator, you have to install an OLM Operator such as Tekton. You use the {product-title} web console to manually install a Tekton Operator or the OpenShift CLI to manually install a Tekton subscription and Tekton Operator group on your cluster.
+
+{gitops-title} places your Kubernetes resources in your Git repository. As a cluster administrator, use {gitops-title} to manage and automate the installation of other OLM Operators without any manual procedures. For example, after you place the Tekton subscription in your Git repository by using {gitops-title}, the {gitops-title} automatically takes this Tekton subscription from your Git repository and installs the Tekton Operator on your cluster.
+
+== Installing cluster-scoped Operators
+
+Operator Lifecycle Manager (OLM) uses a default `global-operators` Operator group in the `openshift-operators` namespace for cluster-scoped Operators. Hence you do not have to manage the `OperatorGroup` resource in your Gitops repository. However, for namespace-scoped Operators, you must manage the `OperatorGroup` resource in that namespace.
+
+To install cluster-scoped Operators, create and place the `Subscription` resource of the required Operator in your Git repository.
+
+.Example: Grafana Operator subscription
+
+[source,yaml]
+----
+apiVersion: operators.coreos.com/v1alpha1
+kind: Subscription
+metadata:
+  name: grafana
+spec:
+  channel: v4
+  installPlanApproval: Automatic
+  name: grafana-operator
+  source: redhat-operators
+  sourceNamespace: openshift-marketplace
+----
+
+== Installing namepace-scoped Operators
+
+To install namespace-scoped Operators, create and place the `Subscription` and `OperatorGroup` resources of the required Operator in your Git repository.
+
+.Example: Ansible Automation Platform Resource Operator
+
+[source,yaml]
+----
+...
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    openshift.io/cluster-monitoring: "true"
+  name: ansible-automation-platform
+...
+apiVersion: operators.coreos.com/v1
+kind: OperatorGroup
+metadata:
+  name: ansible-automation-platform-operator
+  namespace: ansible-automation-platform
+spec:
+  targetNamespaces:
+    - ansible-automation-platform
+...
+apiVersion: operators.coreos.com/v1alpha1
+kind: Subscription
+metadata:
+  name: ansible-automation-platform
+  namespace: ansible-automation-platform
+spec:
+  channel: patch-me
+  installPlanApproval: Automatic
+  name: ansible-automation-platform-operator
+  source: redhat-operators
+  sourceNamespace: openshift-marketplace
+...
+----
+
+[IMPORTANT]
+====
+When deploying multiple Operators using {gitops-title}, you must create only a single Operator group in the corresponding namespace. If more than one Operator group exists in a single namespace, any CSV created in that namespace transition to a `failure` state with the `TooManyOperatorGroups` reason. After the number of Operator groups in their corresponding namespaces reaches one, all the previous `failure` state CSVs transition to `pending` state. You must manually approve the pending install plan to complete the Operator installation.
+====
+
diff --git a/modules/gitops-using-argo-cd-instance-to-manage-cluster-scoped-resources.adoc b/modules/gitops-using-argo-cd-instance-to-manage-cluster-scoped-resources.adoc
@@ -0,0 +1,51 @@
+// Module included in the following assembly:
+//
+// * gitops/configuring_argo_cd_to_recursively_sync_a_git_repository_with_your_application/configuring-an-openshift-cluster-by-deploying-an-application-with-cluster-configurations.adoc
+
+:_content-type: PROCEDURE
+[id="using-argo-cd-instance-to-manage-cluster-scoped-resources{context}"]
+
+= Using an Argo CD instance to manage cluster-scoped resources
+
+To manage cluster-scoped resources, update the existing `Subscription` object for the `gitops-title` Operator and add the namespace of the Argo CD instance to the `ARGOCD_CLUSTER_CONFIG_NAMESPACES` environment variable in the `spec` section.
+
+[discrete]
+.Procedure
+. In the **Administrator** perspective of the web console, navigate to **Operators** → **Installed Operators** → **{gitops-title}** → **Subscription**. 
+. Click the **Actions** drop-down menu then click **Edit Subscription**.
+. On the **openshift-gitops-operator** Subscription details page, under the **YAML** tab, edit the `Subscription` YAML file by adding the namespace of the Argo CD instance to the `ARGOCD_CLUSTER_CONFIG_NAMESPACES` environment variable in the `spec` section:
++
+[source,yaml]
+----
+apiVersion: operators.coreos.com/v1alpha1
+kind: Subscription
+metadata:
+  name: openshift-gitops-operator
+  namespace: openshift-operators
+...
+spec:
+  config:
+    env:
+    - name: ARGOCD_CLUSTER_CONFIG_NAMESPACES
+      value: openshift-gitops, <list of namespaces of cluster-scoped Argo CD instances>
+...
+----
++
+. To verify that the Argo instance is configured with a cluster role to manage cluster-scoped resources, perform the following steps:
++
+.. Navigate to **User Management** → **Roles** and from the **Filter**  drop-down menu select **Cluster-wide Roles**.
+.. Search for the `argocd-application-controller` by using the **Search by name** field.
++
+The **Roles** page displays the created cluster role.
++
+[TIP]
+====
+Alternatively, in the OpenShift CLI, run the following command:
+
+[source,terminal]
+----
+oc auth can-i create oauth -n openshift-gitops --as system:serviceaccount:openshift-gitops:openshift-gitops-argocd-application-controller
+----
+
+The output `yes` verifies that the Argo instance is configured with a cluster role to manage cluster-scoped resources. Else, check your configurations and take necessary steps as required.
+====
