sync: stage to production (#1753)

sync-branches: New code has just landed in stage, so let's bring
production up to speed!

Author: ivan-degtiarenko

.github/dependabot.yaml

@@ -25,3 +25,7 @@ updates:
     directory: "/dp-terraform/helm"
     schedule:
       interval: "weekly"
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: 'weekly'

.github/workflows/ci.yaml

@@ -5,18 +5,6 @@ on:
     branches:
       - main
       - stage
-    paths-ignore:
-      - '*.md'
-      - '*.sh'
-      - '.github/*.md'
-      - '.github/workflows/openapi_update.yaml'
-      - '.github/CODEOWNERS'
-      - 'templates/**'
-      - '.openapi-generator-ignore'
-      - 'openapi/**'
-      - 'docs/**'
-      - 'pkg/api/openapi/docs/**'
-      - 'pkg/api/openapi/.openapi-generator-ignore'
 
   pull_request:
     types: [opened, synchronize, reopened, ready_for_review]

…tes/01-operator-02-secret-ocm-token.yaml …probe/templates/01-secret-ocm-token.yamldeploy/helm/probe/templates/01-operator-02-secret-ocm-token.yaml renamed to deploy/helm/probe/templates/01-secret-ocm-token.yaml deploy/helm/probe/templates/01-operator-02-secret-ocm-token.yaml renamed to deploy/helm/probe/templates/01-secret-ocm-token.yaml

@@ -60,6 +60,5 @@ spec:
               cpu: {{ .Values.resources.requests.cpu | quote }}
               memory: {{ .Values.resources.requests.memory | quote }}
             limits:
-              cpu: {{ .Values.resources.limits.cpu | quote }}
               memory: {{ .Values.resources.limits.memory | quote }}
       terminationGracePeriodSeconds: 300

…rator-02-secret-rhsso-client-secret.yaml …lates/01-secret-rhsso-client-secret.yamldeploy/helm/probe/templates/01-operator-02-secret-rhsso-client-secret.yaml renamed to deploy/helm/probe/templates/01-secret-rhsso-client-secret.yaml deploy/helm/probe/templates/01-operator-02-secret-rhsso-client-secret.yaml renamed to deploy/helm/probe/templates/01-secret-rhsso-client-secret.yaml

@@ -18,7 +18,6 @@ redHatSSO:
   realm: "redhat-external"
 resources:
   limits:
-    cpu: "100m"
     memory: "128Mi"
   requests:
     cpu: "100m"

…templates/01-operator-04-deployment.yaml …/helm/probe/templates/02-deployment.yamldeploy/helm/probe/templates/01-operator-04-deployment.yaml renamed to deploy/helm/probe/templates/02-deployment.yaml deploy/helm/probe/templates/01-operator-04-deployment.yaml renamed to deploy/helm/probe/templates/02-deployment.yaml

@@ -32,7 +32,6 @@ import (
 	"github.com/stackrox/rox/operator/apis/platform/v1alpha1"
 	"github.com/stackrox/rox/pkg/declarativeconfig"
 	"github.com/stackrox/rox/pkg/random"
-	"golang.org/x/exp/maps"
 	"gopkg.in/yaml.v2"
 	"helm.sh/helm/v3/pkg/chart"
 	"helm.sh/helm/v3/pkg/chartutil"
@@ -61,10 +60,14 @@ const (
 	envAnnotationKey          = "rhacs.redhat.com/environment"
 	clusterNameAnnotationKey  = "rhacs.redhat.com/cluster-name"
 	orgNameAnnotationKey      = "rhacs.redhat.com/org-name"
-	instanceTypeLabelKey      = "rhacs.redhat.com/instance-type"
-	orgIDLabelKey             = "rhacs.redhat.com/org-id"
-	tenantIDLabelKey          = "rhacs.redhat.com/tenant"
-	centralExpiredAtKey       = "rhacs.redhat.com/expired-at"
+
+	labelManagedByFleetshardValue = "rhacs-fleetshard"
+	instanceLabelKey              = "app.kubernetes.io/instance"
+	instanceTypeLabelKey          = "rhacs.redhat.com/instance-type"
+	managedByLabelKey             = "app.kubernetes.io/managed-by"
+	orgIDLabelKey                 = "rhacs.redhat.com/org-id"
+	tenantIDLabelKey              = "rhacs.redhat.com/tenant"
+	centralExpiredAtKey           = "rhacs.redhat.com/expired-at"
 
 	auditLogNotifierKey  = "com.redhat.rhacs.auditLogNotifier"
 	auditLogNotifierName = "Platform Audit Logs"
@@ -196,17 +199,7 @@ func (r *CentralReconciler) Reconcile(ctx context.Context, remoteCentral private
 		return status, err
 	}
 
-	namespaceLabels := map[string]string{
-		orgIDLabelKey:    remoteCentral.Spec.Auth.OwnerOrgId,
-		tenantIDLabelKey: remoteCentral.Id,
-	}
-	namespaceAnnotations := map[string]string{
-		orgNameAnnotationKey: remoteCentral.Spec.Auth.OwnerOrgName,
-	}
-	if remoteCentral.Metadata.ExpiredAt != nil {
-		namespaceAnnotations[centralExpiredAtKey] = remoteCentral.Metadata.ExpiredAt.Format(time.RFC3339)
-	}
-	if err := r.reconcileNamespace(ctx, remoteCentralNamespace, namespaceLabels, namespaceAnnotations); err != nil {
+	if err := r.reconcileNamespace(ctx, remoteCentral); err != nil {
 		return nil, errors.Wrapf(err, "unable to ensure that namespace %s exists", remoteCentralNamespace)
 	}
 
@@ -1133,17 +1126,11 @@ func (r *CentralReconciler) computeCentralHash(central private.ManagedCentral) (
 }
 
 func (r *CentralReconciler) getNamespace(name string) (*corev1.Namespace, error) {
-	namespace := &corev1.Namespace{
-		ObjectMeta: metav1.ObjectMeta{
-			Name: name,
-		},
-	}
-	err := r.client.Get(context.Background(), ctrlClient.ObjectKey{Name: name}, namespace)
-	if err != nil {
-		// Propagate corev1.Namespace to the caller so that the namespace can be easily created
-		return namespace, fmt.Errorf("retrieving resource for namespace %q from Kubernetes: %w", name, err)
+	var namespace corev1.Namespace
+	if err := r.client.Get(context.Background(), ctrlClient.ObjectKey{Name: name}, &namespace); err != nil {
+		return nil, fmt.Errorf("getting namespace %q: %w", name, err)
 	}
-	return namespace, nil
+	return &namespace, nil
 }
 
 func (r *CentralReconciler) getSecret(namespaceName string, secretName string) (*corev1.Secret, error) {
@@ -1178,36 +1165,54 @@ func (r *CentralReconciler) createImagePullSecret(ctx context.Context, namespace
 	return nil
 }
 
-func (r *CentralReconciler) createTenantNamespace(ctx context.Context, namespace *corev1.Namespace) error {
-	err := r.client.Create(ctx, namespace)
-	if err != nil {
-		return fmt.Errorf("creating namespace %q: %w", namespace.ObjectMeta.Name, err)
-	}
-	return nil
-}
+func (r *CentralReconciler) reconcileNamespace(ctx context.Context, c private.ManagedCentral) error {
+	desiredNamespace := getDesiredNamespace(c)
 
-func (r *CentralReconciler) reconcileNamespace(ctx context.Context, name string, labels map[string]string, annotations map[string]string) error {
-	namespace, err := r.getNamespace(name)
+	existingNamespace, err := r.getNamespace(desiredNamespace.Name)
 	if err != nil {
 		if apiErrors.IsNotFound(err) {
-			namespace.Annotations = annotations
-			namespace.Labels = labels
-			return r.createTenantNamespace(ctx, namespace)
-		}
-		return fmt.Errorf("getting namespace %s: %w", name, err)
-	} else if !maps.Equal(labels, namespace.Labels) ||
-		!maps.Equal(annotations, namespace.Annotations) {
-		namespace.Annotations = annotations
-		namespace.Labels = labels
-		if err = r.client.Update(ctx, namespace, &ctrlClient.UpdateOptions{
+			if err := r.client.Create(ctx, desiredNamespace); err != nil {
+				return fmt.Errorf("creating namespace %q: %w", desiredNamespace.Name, err)
+			}
+			return nil
+		}
+		return fmt.Errorf("getting namespace %q: %w", desiredNamespace.Name, err)
+	}
+
+	if stringMapNeedsUpdating(desiredNamespace.Annotations, existingNamespace.Annotations) || stringMapNeedsUpdating(desiredNamespace.Labels, existingNamespace.Labels) {
+		glog.Infof("Updating namespace %q", desiredNamespace.Name)
+		if existingNamespace.Annotations == nil {
+			existingNamespace.Annotations = map[string]string{}
+		}
+		for k, v := range desiredNamespace.Annotations {
+			existingNamespace.Annotations[k] = v
+		}
+		if existingNamespace.Labels == nil {
+			existingNamespace.Labels = map[string]string{}
+		}
+		for k, v := range desiredNamespace.Labels {
+			existingNamespace.Labels[k] = v
+		}
+		if err = r.client.Update(ctx, existingNamespace, &ctrlClient.UpdateOptions{
 			FieldManager: "fleetshard-sync",
 		}); err != nil {
-			return fmt.Errorf("updating namespace %s: %w", name, err)
+			return fmt.Errorf("updating namespace %q: %w", desiredNamespace.Name, err)
 		}
 	}
+
 	return nil
 }
 
+func getDesiredNamespace(c private.ManagedCentral) *corev1.Namespace {
+	return &corev1.Namespace{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:        c.Metadata.Namespace,
+			Annotations: getNamespaceAnnotations(c),
+			Labels:      getNamespaceLabels(c),
+		},
+	}
+}
+
 func (r *CentralReconciler) ensureImagePullSecretConfigured(ctx context.Context, namespaceName string, secretName string, imagePullSecret []byte) error {
 	// Ensure that the secret exists.
 	_, err := r.getSecret(namespaceName, secretName)
@@ -1682,15 +1687,42 @@ func (r *CentralReconciler) ensureRouteDeleted(ctx context.Context, routeSupplie
 	return false, nil
 }
 
-func (r *CentralReconciler) chartValues(_ private.ManagedCentral) (chartutil.Values, error) {
+func getTenantLabels(c private.ManagedCentral) map[string]string {
+	return map[string]string{
+		managedByLabelKey:    labelManagedByFleetshardValue,
+		instanceLabelKey:     c.Metadata.Name,
+		orgIDLabelKey:        c.Spec.Auth.OwnerOrgId,
+		tenantIDLabelKey:     c.Id,
+		instanceTypeLabelKey: c.Spec.InstanceType,
+	}
+}
+
+func getTenantAnnotations(c private.ManagedCentral) map[string]string {
+	return map[string]string{
+		orgNameAnnotationKey: c.Spec.Auth.OwnerOrgName,
+	}
+}
+
+func getNamespaceLabels(c private.ManagedCentral) map[string]string {
+	return getTenantLabels(c)
+}
+
+func getNamespaceAnnotations(c private.ManagedCentral) map[string]string {
+	namespaceAnnotations := getTenantAnnotations(c)
+	if c.Metadata.ExpiredAt != nil {
+		namespaceAnnotations[centralExpiredAtKey] = c.Metadata.ExpiredAt.Format(time.RFC3339)
+	}
+	return namespaceAnnotations
+}
+
+func (r *CentralReconciler) chartValues(c private.ManagedCentral) (chartutil.Values, error) {
 	if r.resourcesChart == nil {
 		return nil, errors.New("resources chart is not set")
 	}
 	src := r.resourcesChart.Values
 	dst := map[string]interface{}{
-		"labels": map[string]interface{}{
-			k8s.ManagedByLabelKey: k8s.ManagedByFleetshardValue,
-		},
+		"labels":      stringMapToMapInterface(getTenantLabels(c)),
+		"annotations": stringMapToMapInterface(getTenantAnnotations(c)),
 	}
 	if r.egressProxyImage != "" {
 		dst["egressProxy"] = map[string]interface{}{
@@ -1700,6 +1732,14 @@ func (r *CentralReconciler) chartValues(_ private.ManagedCentral) (chartutil.Val
 	return chartutil.CoalesceTables(dst, src), nil
 }
 
+func stringMapToMapInterface(m map[string]string) map[string]interface{} {
+	result := make(map[string]interface{}, len(m))
+	for k, v := range m {
+		result[k] = v
+	}
+	return result
+}
+
 func (r *CentralReconciler) shouldSkipReadyCentral(remoteCentral private.ManagedCentral) bool {
 	return r.wantsAuthProvider == r.hasAuthProvider &&
 		isRemoteCentralReady(&remoteCentral)