sync: stage to production (#1495)

Author: ivan-degtiarenko

cmd/acsfleetctl/main.go

@@ -7,6 +7,7 @@ import (
 	"github.com/spf13/cobra"
 	"github.com/stackrox/acs-fleet-manager/internal/dinosaur/pkg/cmd/admin"
 	"github.com/stackrox/acs-fleet-manager/internal/dinosaur/pkg/cmd/centrals"
+	gitopsCmd "github.com/stackrox/acs-fleet-manager/internal/dinosaur/pkg/gitops/cmd"
 )
 
 func main() {
@@ -26,4 +27,5 @@ func main() {
 func setupSubCommands(rootCmd *cobra.Command) {
 	rootCmd.AddCommand(centrals.NewCentralsCommand())
 	rootCmd.AddCommand(admin.NewAdminCommand())
+	rootCmd.AddCommand(gitopsCmd.NewGitOpsCommand())
 }

dp-terraform/helm/Dockerfile

@@ -1,6 +1,32 @@
+FROM registry.access.redhat.com/ubi8/ubi-minimal:8.8 as build
+ENV HOME=/opt/helm
+COPY rhacs-terraform  ${HOME}/rhacs-terraform
+WORKDIR ${HOME}
+
+RUN curl -L --retry 10 --silent --show-error --fail -o /usr/local/bin/helm \
+    "https://mirror.openshift.com/pub/openshift-v4/clients/helm/latest/helm-linux-amd64" && \
+    chmod +x /usr/local/bin/helm && \
+    helm version
+
+RUN helm repo add external-secrets "https://charts.external-secrets.io/" && \
+    helm dependencies build ${HOME}/rhacs-terraform
+
+# Workaround for deleting securityContext.runAsUser from the dependent chart
+# see: https://github.com/operator-framework/operator-sdk/issues/6635
+RUN microdnf install gzip tar && \
+    curl -L --retry 10 --silent --show-error --fail -o /tmp/yq_linux_amd64.tar.gz \
+        "https://github.com/mikefarah/yq/releases/download/v4.35.2/yq_linux_amd64.tar.gz" && \
+        tar -xzf /tmp/yq_linux_amd64.tar.gz ./yq_linux_amd64 && \
+        mv yq_linux_amd64 /usr/local/bin/yq && \
+        chmod +x /usr/local/bin/yq && \
+        rm /tmp/yq_linux_amd64.tar.gz && \
+    cd rhacs-terraform/charts && for filename in *.tgz; do tar -xf "$filename" && rm -f "$filename"; done && \
+    yq -i 'del(.securityContext.runAsUser) | del(.webhook.securityContext.runAsUser) | del(.certController.securityContext.runAsUser)' external-secrets/values.yaml
+
+
 FROM quay.io/operator-framework/helm-operator:v1.32.0
 
 ENV HOME=/opt/helm
 COPY watches.yaml ${HOME}/watches.yaml
-COPY rhacs-terraform  ${HOME}/rhacs-terraform
+COPY --from=build ${HOME}/rhacs-terraform ${HOME}/rhacs-terraform
 WORKDIR ${HOME}

dp-terraform/helm/rhacs-terraform/charts/cloudwatch/templates/01-operator-02-secret-dead-mans-switch.yaml

@@ -1,9 +1,21 @@
-apiVersion: v1
-kind: Secret
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
 metadata:
   name: rhacs-cloudwatch-exporter
   namespace: {{ include "cloudwatch.namespace" . }}
-stringData:
-  AWS_ACCESS_KEY_ID: {{ .Values.aws.accessKeyId | quote }}
-  AWS_SECRET_ACCESS_KEY: {{ .Values.aws.secretAccessKey | quote }}
-type: Opaque
+spec:
+  secretStoreRef:
+    name: {{ .Values.global.secretStore.aws.secretsManagerSecretStoreName }}
+    kind: ClusterSecretStore
+  target:
+    name: rhacs-cloudwatch-exporter
+    creationPolicy: Owner
+  data:
+    - secretKey: AWS_ACCESS_KEY_ID # pragma: allowlist secret
+      remoteRef:
+        key: "cloudwatch-exporter"
+        property: aws_access_key_id
+    - secretKey: AWS_SECRET_ACCESS_KEY # pragma: allowlist secret
+      remoteRef:
+        key: "cloudwatch-exporter"
+        property: "aws_secret_access_key"

dp-terraform/helm/rhacs-terraform/charts/cloudwatch/values.yaml

@@ -1,8 +1,3 @@
-# AWS credentials
-aws:
-  accessKeyId: ""
-  secretAccessKey: ""
-
 clusterName: ""
 environment: ""
 image: "ghcr.io/nerdswords/yet-another-cloudwatch-exporter:v0.55.0"

dp-terraform/helm/rhacs-terraform/charts/logging/templates/01-logging-02-secret-cloudwatch.yaml

@@ -1,8 +1,21 @@
-apiVersion: v1
-kind: Secret
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
 metadata:
   name: cloudwatch
   namespace: openshift-logging
-data:
-  aws_access_key_id: {{ .Values.aws.accessKeyId | b64enc | quote }}
-  aws_secret_access_key: {{ .Values.aws.secretAccessKey | b64enc | quote }}
+spec:
+  secretStoreRef:
+    name: {{ .Values.global.secretStore.aws.secretsManagerSecretStoreName }}
+    kind: ClusterSecretStore
+  target:
+    name: cloudwatch
+    creationPolicy: Owner
+  data:
+    - secretKey: aws_access_key_id # pragma: allowlist secret
+      remoteRef:
+        key: "logging"
+        property: "aws_access_key_id"
+    - secretKey: aws_secret_access_key # pragma: allowlist secret
+      remoteRef:
+        key: "logging"
+        property: "aws_secret_access_key"

dp-terraform/helm/rhacs-terraform/charts/logging/values.yaml

@@ -5,8 +5,6 @@
 groupPrefix: ""
 aws:
   region: "us-east-1"
-  accessKeyId: ""
-  secretAccessKey: ""
 
 nodeSelector: {}
 

dp-terraform/helm/rhacs-terraform/charts/observability/templates/01-operator-03-secret-alertmanager.yaml

@@ -1,52 +1,75 @@
-apiVersion: v1
-kind: Secret
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
 metadata:
   name: rhacs-alertmanager-configuration
   namespace: {{ include "observability.namespace" . }}
-stringData:
-  alertmanager.yaml: |
-    global:
-      resolve_timeout: 5m
-    route:
-      receiver: managed-rhacs-pagerduty
-      repeat_interval: 12h
-      group_by:
-      - cluster_id
-      - severity
-      routes:
-      - receiver: managed-rhacs-deadmanssnitch
-        repeat_interval: 5m
-        continue: false
-        match:
-          alertname: DeadMansSwitch
-          observability: managed-rhacs
-      - receiver: managed-rhacs-pagerduty
-        group_by:
-        - namespace
-        - severity
-        matchers:
-        - "namespace =~ \"rhacs-.*\""
-    receivers:
-    - name: managed-rhacs-pagerduty
-      pagerduty_configs:
-      - routing_key: {{ .Values.pagerduty.key | quote }}
-        {{- /*
-          We want the severity to be based on the severity label coming from the
-          alert itself. If there is no severity label common to the group of
-          alerts, then default to info. That looks like:
-              `or .GroupLabels.severity "info"`
-          in Go templating. To properly escape for Helm templating, the Helm
-          templating engine needs to output the literal string `{{`, since
-          Alertmanager templating syntax is the same as Helm. To do that,
-          the expression `{{` is used inside the double bracket syntax for
-          evaluating Go template expressions. Thus: `{{ "{{" }}`.
+spec:
+  secretStoreRef:
+    name: {{ .Values.global.secretStore.aws.secretsManagerSecretStoreName }}
+    kind: ClusterSecretStore
+  target:
+    name: rhacs-alertmanager-configuration
+    creationPolicy: Owner
+    template:
+      type: Opaque
+      engineVersion: v2
+      data:
+        alertmanager.yaml: |
+          global:
+            resolve_timeout: 5m
+          route:
+            receiver: managed-rhacs-pagerduty
+            repeat_interval: 12h
+            group_by:
+            - cluster_id
+            - severity
+            routes:
+            - receiver: managed-rhacs-deadmanssnitch
+              repeat_interval: 5m
+              continue: false
+              match:
+                alertname: DeadMansSwitch
+                observability: managed-rhacs
+            - receiver: managed-rhacs-pagerduty
+              group_by:
+              - namespace
+              - severity
+              matchers:
+              - "namespace =~ \"rhacs-.*\""
+          receivers:
+          - name: managed-rhacs-pagerduty
+            pagerduty_configs:
+            - routing_key: {{ printf "{{ .pagerduty_key }}" | quote }}
+              {{- /*
+                We want the severity to be based on the severity label coming from the
+                alert itself. If there is no severity label common to the group of
+                alerts, then default to info. That looks like:
+                    `or .GroupLabels.severity "info"`
+                in Go templating.
 
-          The inner double quotes work because Helm evaluates the expression
-          that includes the inner double quotes before the document is parsed
-          as yaml.
-        */}}
-        severity: "{{ "{{" }} or .GroupLabels.severity \"info\" }}"
-    - name: managed-rhacs-deadmanssnitch
-      webhook_configs:
-      - url: {{ .Values.deadMansSwitch.url | quote }}
-type: Opaque
+                To properly escape for External Secrets Operator (ESO) templating,
+                the ESO templating engine needs to output the literal string "{{", since
+                Alertmanager templating syntax is the same as ESO. To do that,
+                the expression "{{" is used inside the double bracket syntax for
+                evaluating Go template expressions. Thus: `{{ "{{" }}`.
+
+                The inner double quotes work because ESO evaluates the expression
+                that includes the inner double quotes before the document is parsed
+                as yaml.
+
+                `printf` is used to escape curly braces when rendering the Helm template and leave them for ESO template.
+              */}}
+              severity: "{{ printf `{{ "{{" }} or .GroupLabels.severity \"info\" }}` }}"
+          - name: managed-rhacs-deadmanssnitch
+            webhook_configs:
+            - url: {{ printf "{{ .dead_mans_switch_url }}" | quote }}
+  data:
+    - secretKey: dead_mans_switch_url # pragma: allowlist secret
+      remoteRef:
+        key: "observability"
+        property: "dead_mans_switch_url"
+    # PagerDuty's integration key, which is generated within a Ruleset.
+    - secretKey: pagerduty_key # pragma: allowlist secret
+      remoteRef:
+        key: "observability"
+        property: "pagerduty_routing_key"

dp-terraform/helm/rhacs-terraform/charts/observability/templates/01-operator-03-secret-github.yaml

@@ -1,13 +1,28 @@
-apiVersion: v1
-kind: Secret
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
 metadata:
   name: rhacs-observability-configuration
   namespace: {{ include "observability.namespace" . }}
-  labels:
-    configures: observability-operator
-stringData:
-  access_token: {{ .Values.github.accessToken | quote }}
-  repository: {{ .Values.github.repository | quote }}
-  tag: {{ .Values.github.tag | quote }}
-  channel: 'resources'
-type: Opaque
+spec:
+  secretStoreRef:
+    name: {{ .Values.global.secretStore.aws.secretsManagerSecretStoreName }}
+    kind: ClusterSecretStore
+  target:
+    name: rhacs-observability-configuration
+    creationPolicy: Owner
+    template:
+      type: Opaque
+      engineVersion: v2
+      metadata:
+        labels:
+          configures: observability-operator
+      data:
+        access_token: {{ printf "'{{ .access_token }}'" }}
+        repository: {{ .Values.github.repository | quote }}
+        tag: {{ .Values.github.tag | quote }}
+        channel: 'resources'
+  data:
+    - secretKey: access_token # pragma: allowlist secret
+      remoteRef:
+        key: "observability"
+        property: "github_access_token"

dp-terraform/helm/rhacs-terraform/charts/observability/templates/01-operator-03-secret-observatorium.yaml

@@ -1,14 +1,32 @@
-kind: Secret
-apiVersion: v1
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
 metadata:
   name: rhacs-observatorium
   namespace: {{ include "observability.namespace" . }}
-stringData:
-  tenant: {{ .Values.observatorium.tenant | quote }}
-  authType: {{ .Values.observatorium.authType | quote }}
-  redHatSsoAuthServerUrl: {{ .Values.observatorium.redHatSsoAuthServerUrl | quote }}
-  redHatSsoRealm: {{ .Values.observatorium.redHatSsoRealm | quote }}
-  gateway: {{ .Values.observatorium.gateway | quote }}
-  metricsClientId: {{ .Values.observatorium.metricsClientId | quote }}
-  metricsSecret: {{ .Values.observatorium.metricsSecret | quote }}
-type: Opaque
+spec:
+  secretStoreRef:
+    name: {{ .Values.global.secretStore.aws.secretsManagerSecretStoreName }}
+    kind: ClusterSecretStore
+  target:
+    name: rhacs-observatorium
+    creationPolicy: Owner
+    template:
+      type: Opaque
+      engineVersion: v2
+      data:
+        tenant: {{ .Values.observatorium.tenant | quote }}
+        authType: {{ .Values.observatorium.authType | quote }}
+        redHatSsoAuthServerUrl: {{ .Values.observatorium.redHatSsoAuthServerUrl | quote }}
+        redHatSsoRealm: {{ .Values.observatorium.redHatSsoRealm | quote }}
+        gateway: {{ .Values.observatorium.gateway | quote }}
+        metricsClientId: {{ printf "'{{ .metrics_client_id }}'" }}
+        metricsSecret: {{ printf "'{{ .metrics_secret }}'" }}
+  data:
+    - secretKey: metrics_client_id # pragma: allowlist secret
+      remoteRef:
+        key: "observability"
+        property: "observatorium_metrics_client_id"
+    - secretKey: metrics_secret # pragma: allowlist secret
+      remoteRef:
+        key: "observability"
+        property: "observatorium_metrics_secret"

dp-terraform/helm/rhacs-terraform/charts/observability/values.yaml

@@ -7,11 +7,7 @@
 observabilityOperatorVersion: "v4.2.1"
 
 github:
-  # You can generate a new one at https://github.com/settings/tokens/new, for a user
-  # with access to the repository specified at `github.repository`, and with "repo" scope.
-  # Be mindful of the token expiration.
-  accessToken: ""
-  repository: ""
+  repository: "https://api.github.com/repos/stackrox/rhacs-observability-resources/contents"
   tag: "master"
 
 clusterName: ""
@@ -25,12 +21,6 @@ observatorium:
   redHatSsoAuthServerUrl: "https://sso.redhat.com/auth/"
   redHatSsoRealm: "redhat-external"
   gateway: ""
-  metricsClientId: ""
-  metricsSecret: ""
-
-pagerduty:
-  # PagerDuty integration key, which is generated within a Ruleset.
-  key: ""
 
 deadMansSwitch:
   # Webhook URL of the dead man's switch provider.