KubeArchive: kflux-prd-rh03 (#7294)

Signed-off-by: Hector Martinez <[email protected]>

Author: rh-hemartin

argo-cd-apps/base/member/infra-deployments/kubearchive/kubearchive.yaml

@@ -33,8 +33,8 @@ spec:
                 # - nameNormalized: kflux-prd-rh02
                 #   values.clusterDir: kflux-prd-rh02
                 # database is not created here yet
-                # - nameNormalized: kflux-prd-rh03
-                #   values.clusterDir: kflux-prd-rh03
+                - nameNormalized: kflux-prd-rh03
+                  values.clusterDir: kflux-prd-rh03
   template:
     metadata:
       name: kubearchive-{{nameNormalized}}

argo-cd-apps/overlays/konflux-public-production/delete-applications.yaml

@@ -6,13 +6,6 @@ metadata:
   name: tempo
 $patch: delete
 ---
-# KubeArchive not yet ready to go to production
-apiVersion: argoproj.io/v1alpha1
-kind: ApplicationSet
-metadata:
-  name: kubearchive
-$patch: delete
----
 apiVersion: argoproj.io/v1alpha1
 kind: ApplicationSet
 metadata:

components/konflux-ui/production/kflux-prd-rh03/kustomization.yaml

@@ -12,6 +12,7 @@ configMapGenerator:
     literals:
       - IMPERSONATE=true
       - TEKTON_RESULTS_URL=https://tekton-results-api-service.tekton-results.svc.cluster.local:8080
+      - KUBEARCHIVE_URL=https://kubearchive-api-server.product-kubearchive.svc.cluster.local:8081
 
 patches:
   - path: add-service-certs-patch.yaml

components/kubearchive/production/README.md

@@ -11,6 +11,28 @@ via ArgoCD.
 
 ## DB Secret Paths
 
+For new clusters the database is created automatically with a Konflux automation and the secret
+is stored in a different place. Older clusters had the database created using `app-interface`.
+
+Old clusters (`app-interface`)
+
+* stone-stg-rh01
+* stone-stage-p01
+* stone-prd-rh01
+* kflux-prd-rh02
+* stone-prod-p01
+* stone-prod-p02
+* kflux-ocp-p01
+
+New clusters (Konflux Automation):
+
+* kflux-prd-rh03
+* kflux-rhel-p01
+* kflux-osp-p01
+
+
+### app-interface databases
+
 The paths to the DB secrets are built from
 [App Interface Konflux Namespaces](https://gitlab.cee.redhat.com/service/app-interface/-/tree/master/data/services/stonesoup/namespaces?ref_type=heads).
 For example, the information to build the DB path for the cluster `stone-prod-p01` is defined on the file `stonesoup-prod-private-1.appsrep09ue1.yaml`.
@@ -29,3 +51,45 @@ So the path for `stone-prod-p01` is:
 ```text
 integrations-output/external-resources/appsrep09ue1/stone-prod-p01/stone-prod-p01-kube-archive-rds
 ```
+
+### Konflux Automation
+
+The databases created using the new Konflux Automation use `ExternalSecret` with a Vault instance. The
+`secretStoreRef` should be `apprse-stonesoup-vault` and the `key` contains the name of the cluster.
+This is an example using the `kflux-prd-rh03` cluster:
+
+```yaml
+--
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+    argocd.argoproj.io/sync-wave: "-1"
+  name: database-secret
+  namespace: product-kubearchive
+spec:
+  dataFrom:
+  - extract:
+      key: production/platform/terraform/generated/kflux-prd-rh03/kubearchive-database
+  refreshInterval: 1h
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: appsre-stonesoup-vault
+  target:
+    creationPolicy: Owner
+    deletionPolicy: Delete
+    name: kubearchive-database-credentials
+    template:
+      data:
+        DATABASE_DB: '{{ index . "db.name" }}'
+        DATABASE_KIND: postgresql
+        DATABASE_PASSWORD: '{{ index . "db.password" }}'
+        DATABASE_PORT: "5432"
+        DATABASE_URL: '{{ index . "db.host" }}'
+        DATABASE_USER: '{{ index . "db.user" }}'
+```
+
+To check if the database is created, ask [#forum-konflux-infrastructure](https://redhat.enterprise.slack.com/archives/C04F4NE15U1).
+However you can assume the database and its secret were created successfuly. If something goes wrong
+with the `ExternalSecret` contact the infrastructure team.

components/kubearchive/production/kflux-prd-rh03/kustomization.yaml

@@ -0,0 +1,197 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ../../base
+  - ../base
+  - https://github.com/kubearchive/kubearchive/releases/download/v1.2.0/kubearchive.yaml?timeout=90
+
+namespace: product-kubearchive
+
+patches:
+  - patch: |-
+      apiVersion: batch/v1
+      kind: Job
+      metadata:
+        name: kubearchive-schema-migration
+      spec:
+        template:
+          spec:
+            containers:
+              - name: migration
+                env:
+                  - name: KUBEARCHIVE_VERSION
+                    value: v1.2.0
+  # We don't need the Secret as it will be created by the ExternalSecrets Operator
+  - patch: |-
+      $patch: delete
+      apiVersion: v1
+      kind: Secret
+      metadata:
+        name: kubearchive-database-credentials
+        namespace: kubearchive
+  - patch: |-
+      apiVersion: external-secrets.io/v1beta1
+      kind: ExternalSecret
+      metadata:
+        name: database-secret
+      spec:
+        secretStoreRef:
+          name: appsre-stonesoup-vault
+        dataFrom:
+          - extract:
+              key: production/platform/terraform/generated/kflux-prd-rh03/kubearchive-database
+  # These patches add an annotation so an OpenShift service
+  # creates the TLS secrets instead of Cert Manager
+  - patch: |-
+      apiVersion: v1
+      kind: Service
+      metadata:
+        name: kubearchive-api-server
+        namespace: kubearchive
+        annotations:
+          service.beta.openshift.io/serving-cert-secret-name: kubearchive-api-server-tls
+  - patch: |-
+      apiVersion: v1
+      kind: Service
+      metadata:
+        name: kubearchive-operator-webhooks
+        namespace: kubearchive
+        annotations:
+          service.beta.openshift.io/serving-cert-secret-name: kubearchive-operator-tls
+  - patch: |-
+      apiVersion: admissionregistration.k8s.io/v1
+      kind: MutatingWebhookConfiguration
+      metadata:
+        name: kubearchive-mutating-webhook-configuration
+        annotations:
+          service.beta.openshift.io/inject-cabundle: "true"
+  - patch: |-
+      apiVersion: admissionregistration.k8s.io/v1
+      kind: ValidatingWebhookConfiguration
+      metadata:
+        name: kubearchive-validating-webhook-configuration
+        annotations:
+          service.beta.openshift.io/inject-cabundle: "true"
+  # These patches solve Kube Linter problems
+  - patch: |-
+      apiVersion: apps/v1
+      kind: Deployment
+      metadata:
+        name: kubearchive-api-server
+        namespace: kubearchive
+      spec:
+        template:
+          spec:
+            containers:
+              - name: kubearchive-api-server
+                env:
+                - name: KUBEARCHIVE_OTEL_MODE
+                  value: enabled
+                - name: OTEL_EXPORTER_OTLP_ENDPOINT
+                  value: http://otel-collector:4318
+                - name: AUTH_IMPERSONATE
+                  value: "true"
+                securityContext:
+                  readOnlyRootFilesystem: true
+                  runAsNonRoot: true
+  - patch: |-
+      apiVersion: apps/v1
+      kind: Deployment
+      metadata:
+        name: kubearchive-operator
+        namespace: kubearchive
+      spec:
+        template:
+          spec:
+            containers:
+              - name: manager
+                env:
+                - name: KUBEARCHIVE_OTEL_MODE
+                  value: enabled
+                - name: OTEL_EXPORTER_OTLP_ENDPOINT
+                  value: http://otel-collector:4318
+                securityContext:
+                  readOnlyRootFilesystem: true
+                  runAsNonRoot: true
+                ports:
+                  - containerPort: 8081
+                resources:
+                  limits:
+                    cpu: 100m
+                    memory: 512Mi
+                  requests:
+                    cpu: 100m
+                    memory: 512Mi
+
+  - patch: |-
+      apiVersion: apps/v1
+      kind: Deployment
+      metadata:
+        name: kubearchive-sink
+        namespace: kubearchive
+      spec:
+        template:
+          spec:
+            containers:
+              - name: kubearchive-sink
+                env:
+                - name: KUBEARCHIVE_OTEL_MODE
+                  value: enabled
+                - name: OTEL_EXPORTER_OTLP_ENDPOINT
+                  value: http://otel-collector:4318
+                securityContext:
+                  readOnlyRootFilesystem: true
+                  runAsNonRoot: true
+                resources:
+                  limits:
+                    cpu: 200m
+                    memory: 128Mi
+                  requests:
+                    cpu: 200m
+                    memory: 128Mi
+
+  # We don't need this CronJob as it is suspended, we can enable it later
+  - patch: |-
+      $patch: delete
+      apiVersion: batch/v1
+      kind: CronJob
+      metadata:
+        name: cluster-vacuum
+        namespace: kubearchive
+  # These patches remove Certificates and Issuer from Cert-Manager
+  - patch: |-
+      $patch: delete
+      apiVersion: cert-manager.io/v1
+      kind: Certificate
+      metadata:
+        name: "kubearchive-api-server-certificate"
+        namespace: kubearchive
+  - patch: |-
+      $patch: delete
+      apiVersion: cert-manager.io/v1
+      kind: Certificate
+      metadata:
+        name: "kubearchive-ca"
+        namespace: kubearchive
+  - patch: |-
+      $patch: delete
+      apiVersion: cert-manager.io/v1
+      kind: Issuer
+      metadata:
+        name: "kubearchive-ca"
+        namespace: kubearchive
+  - patch: |-
+      $patch: delete
+      apiVersion: cert-manager.io/v1
+      kind: Issuer
+      metadata:
+        name: "kubearchive"
+        namespace: kubearchive
+  - patch: |-
+      $patch: delete
+      apiVersion: cert-manager.io/v1
+      kind: Certificate
+      metadata:
+        name: "kubearchive-operator-certificate"
+        namespace: kubearchive