ROX-21531: Add tenant route config (#2154)

Author: kovayur

dev/config/gitops-config.yaml

@@ -1,10 +1,10 @@
 rhacsOperators:
   crdUrls:
-    - https://raw.githubusercontent.com/stackrox/stackrox/4.5.4/operator/bundle/manifests/platform.stackrox.io_securedclusters.yaml
-    - https://raw.githubusercontent.com/stackrox/stackrox/4.5.4/operator/bundle/manifests/platform.stackrox.io_centrals.yaml
+    - https://raw.githubusercontent.com/stackrox/stackrox/4.6.1/operator/bundle/manifests/platform.stackrox.io_securedclusters.yaml
+    - https://raw.githubusercontent.com/stackrox/stackrox/4.6.1/operator/bundle/manifests/platform.stackrox.io_centrals.yaml
   operators:
     - deploymentName: "rhacs-operator-dev"
-      image: "quay.io/rhacs-eng/stackrox-operator:4.5.4"
+      image: "quay.io/rhacs-eng/stackrox-operator:4.6.1"
       centralLabelSelector: "rhacs.redhat.com/version-selector=dev"
       securedClusterReconcilerEnabled: false
 verticalPodAutoscaling:
@@ -41,15 +41,6 @@ tenantResources:
         cpu: 100m
         memory: 100Mi
 
-    labels:
-      app.kubernetes.io/managed-by: rhacs-fleetshard
-      app.kubernetes.io/instance: "{{ .Name }}"
-      rhacs.redhat.com/org-id: "{{ .OrganizationID }}"
-      rhacs.redhat.com/tenant: "{{ .ID }}"
-      rhacs.redhat.com/instance-type: "{{ .InstanceType }}"
-    annotations:
-      rhacs.redhat.com/org-name: "{{ .OrganizationName }}"
-
     centralRdsCidrBlock: "10.1.0.0/16"
 
     verticalPodAutoscalers:

dev/env/defaults/00-defaults.env

@@ -24,6 +24,7 @@ export INSTALL_VERTICAL_POD_AUTOSCALER_OLM_DEFAULT="false"
 export INSTALL_ARGOCD="true"
 export INSTALL_OPENSHIFT_GITOPS="false"
 export ARGOCD_NAMESPACE="argocd"
+export ARGOCD_TENANT_APP_TARGET_REVISION_DEFAULT="HEAD"
 export ENABLE_EMAIL_SENDER_DEFAULT="false"
 export EMAIL_SENDER_IMAGE_DEFAULT=""
 
@@ -58,3 +59,4 @@ export ENABLE_EXTERNAL_CONFIG_DEFAULT="true"
 export AWS_AUTH_HELPER_DEFAULT=""
 
 export MANAGED_DB_ENABLED_DEFAULT=false
+export ENABLE_EXTERNAL_SECRETS_DEFAULT=false # pragma: allowlist secret

dev/env/defaults/cluster-type-infra-openshift/env

@@ -2,3 +2,4 @@ export FLEETSHARD_SYNC_RESOURCES_DEFAULT='{"requests":{"cpu":"400m","memory":"10
 export EXPOSE_OPENSHIFT_ROUTER_DEFAULT="true"
 export ENABLE_EXTERNAL_CONFIG_DEFAULT="true"
 export AWS_AUTH_HELPER_DEFAULT="aws-saml"
+export INHERIT_IMAGEPULLSECRETS_DEFAULT="true" # pragma: allowlist secret

dev/env/manifests/fleetshard-operator/51-fleetshard-cr.yaml

@@ -23,6 +23,7 @@ spec:
       region: "$AWS_REGION"
     gitops:
       enabled: true
+      tenantDefaultAppSourceTargetRevision: "$ARGOCD_TENANT_APP_TARGET_REVISION"
     targetedOperatorUpgrades:
       enabled: true
     secretEncryption:
@@ -47,7 +48,10 @@ spec:
   secured-cluster:
     enabled: false
   external-secrets:
-    enabled: false
+    enabled: $ENABLE_EXTERNAL_SECRETS
+  secretStore:
+    aws:
+      enableTokenAuth: false
   scc:
     enabled: false
   verticalPodAutoscaler:

dev/env/scripts/lib.sh

@@ -124,6 +124,8 @@ init() {
     export EMAIL_SENDER_IMAGE=${EMAIL_SENDER_IMAGE:-$EMAIL_SENDER_IMAGE_DEFAULT}
     export EMAIL_SENDER_RESOURCES=${EMAIL_SENDER_RESOURCES:-$EMAIL_SENDER_RESOURCES_DEFAULT}
     export MANAGED_DB_ENABLED=${MANAGED_DB_ENABLED:-$MANAGED_DB_ENABLED_DEFAULT}
+    export ARGOCD_TENANT_APP_TARGET_REVISION=${ARGOCD_TENANT_APP_TARGET_REVISION:-$ARGOCD_TENANT_APP_TARGET_REVISION_DEFAULT}
+    export ENABLE_EXTERNAL_SECRETS=${ENABLE_EXTERNAL_SECRETS:-$ENABLE_EXTERNAL_SECRETS_DEFAULT}
 
     FLEETSHARD_SYNC_CONTAINER_COMMAND_DEFAULT="/usr/local/bin/fleetshard-sync"
     export FLEETSHARD_SYNC_CONTAINER_COMMAND=${FLEETSHARD_SYNC_CONTAINER_COMMAND:-$FLEETSHARD_SYNC_CONTAINER_COMMAND_DEFAULT}
@@ -175,6 +177,7 @@ INSTALL_VERTICAL_POD_AUTOSCALER_OLM: ${INSTALL_VERTICAL_POD_AUTOSCALER_OLM}
 INSTALL_ARGOCD: ${INSTALL_ARGOCD}
 INSTALL_OPENSHIFT_GITOPS: ${INSTALL_OPENSHIFT_GITOPS}
 ARGOCD_NAMESPACE: ${ARGOCD_NAMESPACE}
+ARGOCD_TENANT_APP_TARGET_REVISION: ${ARGOCD_TENANT_APP_TARGET_REVISION}
 OCM_SERVICE_CLIENT_ID: ********
 OCM_SERVICE_CLIENT_SECRET: ********
 OCM_SERVICE_TOKEN: ********
@@ -203,6 +206,7 @@ FLEET_MANAGER_IMAGE: ${FLEET_MANAGER_IMAGE}
 FLEETSHARD_SYNC_CONTAINER_COMMAND: ${FLEETSHARD_SYNC_CONTAINER_COMMAND}
 EMAIL_SENDER_IMAGE: ${EMAIL_SENDER_IMAGE}
 EMAIL_SENDER_RESOURCES: ${EMAIL_SENDER_RESOURCES}
+ENABLE_EXTERNAL_SECRETS: ${ENABLE_EXTERNAL_SECRETS}
 PATH: ${PATH}
 EOF
 }

fleetshard/main.go

@@ -50,6 +50,7 @@ func main() {
 	glog.Infof("ManagedDB.Enabled: %t", config.ManagedDB.Enabled)
 	glog.Infof("ManagedDB.SecurityGroup: %s", config.ManagedDB.SecurityGroup)
 	glog.Infof("ManagedDB.SubnetGroup: %s", config.ManagedDB.SubnetGroup)
+	glog.Infof("TenantDefaultArgoCdAppSourceTargetRevision: %s", config.TenantDefaultArgoCdAppSourceTargetRevision)
 	if len(config.TenantImagePullSecret) > 0 {
 		glog.Infof("Image pull secret configured, will be injected into tenant namespaces.")
 	}

fleetshard/pkg/central/reconciler/argo_reconciler.go

@@ -24,7 +24,7 @@ type argoReconciler struct {
 	argoOpts ArgoReconcilerOptions
 }
 
-// ArgoReconcilerOptions defines configuration options for the Argo application reconiliation
+// ArgoReconcilerOptions defines configuration options for the Argo application reconciliation
 type ArgoReconcilerOptions struct {
 	TenantDefaultArgoCdAppSourceRepoURL        string
 	TenantDefaultArgoCdAppSourceTargetRevision string
@@ -105,6 +105,8 @@ func (r *argoReconciler) makeDesiredArgoCDApplication(remoteCentral private.Mana
 	values["telemetryStorageEndpoint"] = r.argoOpts.Telemetry.StorageEndpoint
 	values["centralAdminPasswordEnabled"] = !r.argoOpts.WantsAuthProvider
 	values["centralEnabled"] = true // TODO: Remove once ROX-27129 fully released
+	values["centralUIHost"] = remoteCentral.Spec.UiEndpoint.Host
+	values["centralDataHost"] = remoteCentral.Spec.DataEndpoint.Host
 
 	if remoteCentral.Metadata.ExpiredAt != nil {
 		values["expiredAt"] = remoteCentral.Metadata.ExpiredAt.Format(time.RFC3339)