ROX-27980: Support argocd reconciliation for routes by kovayur · Pull Request #2197 · stackrox/acs-fleet-manager

kovayur · 2025-02-11T18:38:51Z

Description

Add support for the routes reconciliation on ArgoCD.
The feature can be now enabled by setting the value centralIngressEnabled to true in the gitops config.
If disabled (default), reconciliation should be performed in fleetshard-sync mode as before.
If enabled, the routes created by fleetshard-sync are deleted and the reconciliation will be performed by tenant-resources (ArgoCD).

Next steps:

Enable the feature on dev environment to make E2E tests pass with the new setup.
Enable the feature on the rest environments and effectively delete the routes reconciled by fleetshard-sync.
Set centralIngressEnabled to true by default in tenant-resources
Cleanup the fleetshard-sync source code by removing the switch and code which is responsible for the routes reconciliation.

Checklist (Definition of Done)

Test manual

TODO: Add manual testing efforts

# To run tests locally run:
make db/teardown db/setup db/migrate
make ocm/setup
make verify lint binary test test/integration

fleetshard/pkg/central/reconciler/reconciler.go

fleetshard/pkg/k8s/route.go

fleetshard/pkg/central/reconciler/reconciler.go

fleetshard/pkg/k8s/route.go

ludydoo · 2025-02-12T14:16:43Z

fleetshard/pkg/central/reconciler/reconciler.go

+		if apiErrors.IsNotFound(err) {
+			centralTLSSecretFound = false // pragma: allowlist secret
+		}
+		return centralTLSSecretFound, err


Seems there is something wrong here. If the secret doesn't exist, it will never call ensureSecretExists. Or am I missing something?

Suggested change

if apiErrors.IsNotFound(err) {

centralTLSSecretFound = false // pragma: allowlist secret

}

return centralTLSSecretFound, err

if apiErrors.IsNotFound(err) {

centralTLSSecretFound = false // pragma: allowlist secret

} else {

return false, err

}

The purpose of centralTLSSecretFound is to skip the further reconciliation instead of returning the error

But we'll return the error in any case, so the code was correct. I simplified it a bit.

ludydoo · 2025-02-13T18:53:18Z

fleetshard/pkg/central/reconciler/reconciler.go

+func (r *CentralReconciler) ensureCentralCASecretExists(ctx context.Context, centralNamespace string) (centralTLSSecretFound bool, err error) {
+	centralTLSSecret, err := r.getSecret(centralNamespace, k8s.CentralTLSSecretName)
+	if err != nil {
+		return !apiErrors.IsNotFound(err), err


Suggested change

return !apiErrors.IsNotFound(err), err

return false, err

ludydoo

Just this one last comment mentioned above, otherwise 🔥

openshift-ci · 2025-02-14T15:11:35Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: kovayur, ludydoo

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

~~OWNERS~~ [kovayur,ludydoo]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

openshift-ci bot added the approved label Feb 11, 2025

kovayur temporarily deployed to development February 11, 2025 18:40 — with GitHub Actions Inactive

kovayur temporarily deployed to development February 12, 2025 11:05 — with GitHub Actions Inactive

kovayur added 7 commits February 12, 2025 12:22

Add feature flag for the routes on ArgoCD

ad8ddad

Create TLS secrets

933e037

Empty tls key

5547d89

Base64 encoded certs in the template

54acf25

Ingress return logic

cb9f30d

Toggle centralIngressEnabled off

2b241b7

Refactor routes statuses

f69a0f9

kovayur force-pushed the yury/ROX-27980-routes-argo branch from 1e9d35d to f69a0f9 Compare February 12, 2025 11:22

kovayur temporarily deployed to development February 12, 2025 11:22 — with GitHub Actions Inactive