KubeArchive: install kflux-rhel-p01 (#7380)

Signed-off-by: Hector Martinez <[email protected]>

Author: rh-hemartin

argo-cd-apps/base/member/infra-deployments/kubearchive/kubearchive.yaml

@@ -32,9 +32,10 @@ spec:
                 #   values.clusterDir: stone-prd-rh01
                 # - nameNormalized: kflux-prd-rh02
                 #   values.clusterDir: kflux-prd-rh02
-                # database is not created here yet
                 - nameNormalized: kflux-prd-rh03
                   values.clusterDir: kflux-prd-rh03
+                - nameNormalized: kflux-rhel-p01
+                  values.clusterDir: kflux-rhel-p01
   template:
     metadata:
       name: kubearchive-{{nameNormalized}}

components/konflux-ui/production/kflux-rhel-p01/kustomization.yaml

@@ -12,6 +12,7 @@ configMapGenerator:
     literals:
       - IMPERSONATE=true
       - TEKTON_RESULTS_URL=https://tekton-results-api-service.tekton-results.svc.cluster.local:8080
+      - KUBEARCHIVE_URL=https://kubearchive-api-server.product-kubearchive.svc.cluster.local:8081
 
 patches:
   - path: add-service-certs-patch.yaml

components/kubearchive/production/kflux-rhel-p01/kustomization.yaml

@@ -0,0 +1,198 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ../../base
+  - ../base
+  - https://github.com/kubearchive/kubearchive/releases/download/v1.3.0/kubearchive.yaml?timeout=90
+
+namespace: product-kubearchive
+
+patches:
+  - patch: |-
+      apiVersion: batch/v1
+      kind: Job
+      metadata:
+        name: kubearchive-schema-migration
+      spec:
+        template:
+          spec:
+            containers:
+              - name: migration
+                env:
+                  - name: KUBEARCHIVE_VERSION
+                    value: v1.3.0
+  # We don't need the Secret as it will be created by the ExternalSecrets Operator
+  - patch: |-
+      $patch: delete
+      apiVersion: v1
+      kind: Secret
+      metadata:
+        name: kubearchive-database-credentials
+        namespace: kubearchive
+  - patch: |-
+      apiVersion: external-secrets.io/v1beta1
+      kind: ExternalSecret
+      metadata:
+        name: database-secret
+      spec:
+        secretStoreRef:
+          name: appsre-stonesoup-vault
+        dataFrom:
+          - extract:
+              key: production/platform/terraform/generated/kflux-rhel-p01/kubearchive-database
+  # These patches add an annotation so an OpenShift service
+  # creates the TLS secrets instead of Cert Manager
+  - patch: |-
+      apiVersion: v1
+      kind: Service
+      metadata:
+        name: kubearchive-api-server
+        namespace: kubearchive
+        annotations:
+          service.beta.openshift.io/serving-cert-secret-name: kubearchive-api-server-tls
+  - patch: |-
+      apiVersion: v1
+      kind: Service
+      metadata:
+        name: kubearchive-operator-webhooks
+        namespace: kubearchive
+        annotations:
+          service.beta.openshift.io/serving-cert-secret-name: kubearchive-operator-tls
+  - patch: |-
+      apiVersion: admissionregistration.k8s.io/v1
+      kind: MutatingWebhookConfiguration
+      metadata:
+        name: kubearchive-mutating-webhook-configuration
+        annotations:
+          service.beta.openshift.io/inject-cabundle: "true"
+  - patch: |-
+      apiVersion: admissionregistration.k8s.io/v1
+      kind: ValidatingWebhookConfiguration
+      metadata:
+        name: kubearchive-validating-webhook-configuration
+        annotations:
+          service.beta.openshift.io/inject-cabundle: "true"
+  # These patches solve Kube Linter problems
+  - patch: |-
+      apiVersion: apps/v1
+      kind: Deployment
+      metadata:
+        name: kubearchive-api-server
+        namespace: kubearchive
+      spec:
+        template:
+          spec:
+            containers:
+              - name: kubearchive-api-server
+                env:
+                - name: KUBEARCHIVE_OTEL_MODE
+                  value: enabled
+                - name: OTEL_EXPORTER_OTLP_ENDPOINT
+                  value: http://otel-collector:4318
+                - name: AUTH_IMPERSONATE
+                  value: "true"
+                securityContext:
+                  readOnlyRootFilesystem: true
+                  runAsNonRoot: true
+  - patch: |-
+      apiVersion: apps/v1
+      kind: Deployment
+      metadata:
+        name: kubearchive-operator
+        namespace: kubearchive
+      spec:
+        template:
+          spec:
+            containers:
+              - name: manager
+                args: [--health-probe-bind-address=:8081]
+                env:
+                - name: KUBEARCHIVE_OTEL_MODE
+                  value: enabled
+                - name: OTEL_EXPORTER_OTLP_ENDPOINT
+                  value: http://otel-collector:4318
+                securityContext:
+                  readOnlyRootFilesystem: true
+                  runAsNonRoot: true
+                ports:
+                  - containerPort: 8081
+                resources:
+                  limits:
+                    cpu: 100m
+                    memory: 512Mi
+                  requests:
+                    cpu: 100m
+                    memory: 512Mi
+
+  - patch: |-
+      apiVersion: apps/v1
+      kind: Deployment
+      metadata:
+        name: kubearchive-sink
+        namespace: kubearchive
+      spec:
+        template:
+          spec:
+            containers:
+              - name: kubearchive-sink
+                env:
+                - name: KUBEARCHIVE_OTEL_MODE
+                  value: enabled
+                - name: OTEL_EXPORTER_OTLP_ENDPOINT
+                  value: http://otel-collector:4318
+                securityContext:
+                  readOnlyRootFilesystem: true
+                  runAsNonRoot: true
+                resources:
+                  limits:
+                    cpu: 200m
+                    memory: 128Mi
+                  requests:
+                    cpu: 200m
+                    memory: 128Mi
+
+  # We don't need this CronJob as it is suspended, we can enable it later
+  - patch: |-
+      $patch: delete
+      apiVersion: batch/v1
+      kind: CronJob
+      metadata:
+        name: cluster-vacuum
+        namespace: kubearchive
+  # These patches remove Certificates and Issuer from Cert-Manager
+  - patch: |-
+      $patch: delete
+      apiVersion: cert-manager.io/v1
+      kind: Certificate
+      metadata:
+        name: "kubearchive-api-server-certificate"
+        namespace: kubearchive
+  - patch: |-
+      $patch: delete
+      apiVersion: cert-manager.io/v1
+      kind: Certificate
+      metadata:
+        name: "kubearchive-ca"
+        namespace: kubearchive
+  - patch: |-
+      $patch: delete
+      apiVersion: cert-manager.io/v1
+      kind: Issuer
+      metadata:
+        name: "kubearchive-ca"
+        namespace: kubearchive
+  - patch: |-
+      $patch: delete
+      apiVersion: cert-manager.io/v1
+      kind: Issuer
+      metadata:
+        name: "kubearchive"
+        namespace: kubearchive
+  - patch: |-
+      $patch: delete
+      apiVersion: cert-manager.io/v1
+      kind: Certificate
+      metadata:
+        name: "kubearchive-operator-certificate"
+        namespace: kubearchive

components/policies/production/kflux-rhel-p01/kustomization.yaml

@@ -2,3 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ../base
+- ../policies/kubearchive/