Sync Common subtree

README.md

@@ -1,6 +1,6 @@
 # Start Here
 
-If you've followed a link to this repo, but are not really sure what it contains
+If you've followed a link to this repository, but are not really sure what it contains
 or how to use it, head over to [Multicloud GitOps](http://hybrid-cloud-patterns.io/multicloud-gitops/)
 for additional context and installation instructions
 

common/.ansible-lint

@@ -1,3 +1,7 @@
 # Vim filetype=yaml
 ---
 offline: false
+skip_list:
+  - name[template] # Allow Jinja templating inside task and play names
+  - template-instead-of-copy # Templated files should use template instead of copy
+  - yaml[line-length] # too long lines

common/.github/workflows/ansible-lint.yml

@@ -11,8 +11,8 @@ jobs:
       - uses: actions/checkout@v2
 
       - name: Lint Ansible Playbook
-        # Using the latest as of today (2022-06-23) v6.2.1
-        uses: ansible/ansible-lint-action@v6.2.1
+        # Using the latest as of today (2022-09-02) v6.6.1
+        uses: ansible/ansible-lint-action@v6.6.1
         # Let's point it to the path
         with:
           path: "ansible/"

common/.github/workflows/superlinter.yml

@@ -27,11 +27,11 @@ jobs:
           DEFAULT_BRANCH: main
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           # These are the validation we disable atm
+          VALIDATE_ANSIBLE: false
           VALIDATE_BASH: false
           VALIDATE_JSCPD: false
           VALIDATE_KUBERNETES_KUBEVAL: false
           VALIDATE_YAML: false
-          # VALIDATE_ANSIBLE: false
           # VALIDATE_DOCKERFILE_HADOLINT: false
           # VALIDATE_MARKDOWN: false
           # VALIDATE_NATURAL_LANGUAGE: false

common/Changes.md

@@ -0,0 +1,24 @@
+# Changes
+
+## October 3, 2022
+
+* Restore the ability to install a non-default site: `make TARGET_SITE=mysite install`
+* Revised tests (new output and filenames, requires adding new result files to git)
+* ACM 2.6 required for ACM-based managed sites
+* Introduced global.clusterDomain template variable (without the `apps.` prefix)
+* Removed the ability to send specific charts to another cluster, use hosted argo sites instead
+* Added the ability to have the hub host `values-{site}.yaml` for spoke clusters.
+
+  The following example would deploy the namespaces, subscriptions, and
+  applications defined in `values-group-one.yaml` to the `perth` cluster
+  directly from ArgoCD on the hub.
+
+  ```yaml
+  managedClusterGroups:
+  - name: group-one
+    hostedArgoSites:
+    - name: perth
+      domain: perth1.beekhof.net
+      bearerKeyPath: secret/data/hub/cluster_perth
+      caKeyPath: secret/data/hub/cluster_perth_ca
+  ```

common/Makefile

@@ -1,6 +1,10 @@
 NAME=$(shell basename `pwd`)
 # This is to ensure that whether we start with a git@ or https:// URL, we end up with an https:// URL
 # This is because we expect to use tokens for repo authentication as opposed to SSH keys
+ifneq ($(origin TARGET_SITE), undefined)
+  TARGET_SITE_OPT=--set main.clusterGroupName=$(TARGET_SITE)
+endif
+
 TARGET_ORIGIN ?= origin
 TARGET_REPO=$(shell git remote show $(TARGET_ORIGIN) | grep Push | sed -e 's/.*URL:[[:space:]]*//' -e 's%^git@%%' -e 's%^https://%%' -e 's%:%/%' -e 's%^%https://%')
 # git branch --show-current is also available as of git 2.22, but we will use this for compatibility
@@ -9,10 +13,10 @@ HUBCLUSTER_APPS_DOMAIN=$(shell oc get ingresses.config/cluster -o jsonpath={.spe
 
 # --set values always take precedence over the contents of -f
 HELM_OPTS=-f values-global.yaml --set main.git.repoURL="$(TARGET_REPO)" --set main.git.revision=$(TARGET_BRANCH) \
-	--set global.hubClusterDomain=$(HUBCLUSTER_APPS_DOMAIN)
+	--set global.hubClusterDomain=$(HUBCLUSTER_APPS_DOMAIN) $(TARGET_SITE_OPT)
 TEST_OPTS= -f common/examples/values-secret.yaml -f values-global.yaml --set global.repoURL="https://github.com/pattern-clone/mypattern" \
 	--set main.git.repoURL="https://github.com/pattern-clone/mypattern" --set main.git.revision=main --set global.pattern="mypattern" \
-	--set global.namespace="pattern-namespace" --set global.hubClusterDomain=hub.example.com --set global.localClusterDomain=region.example.com \
+	--set global.namespace="pattern-namespace" --set global.hubClusterDomain=apps.hub.example.com --set global.localClusterDomain=apps.region.example.com --set global.clusterDomain=region.example.com\
 	--set "clusterGroup.imperative.jobs[0].name"="test" --set "clusterGroup.imperative.jobs[0].playbook"="ansible/test.yml" \
 	--set clusterGroup.insecureUnsealVaultInsideCluster=true
 PATTERN_OPTS=-f common/examples/values-example.yaml
@@ -29,10 +33,7 @@ show: ## show the starting template without installing it
 
 CHARTS=$(shell find . -type f -iname 'Chart.yaml' -exec dirname "{}"  \; | sed -e 's/.\///')
 test: ## run helm tests
-# Test that all values used by the chart are in values.yaml with the same defaults as the pattern
-	@for t in $(CHARTS); do common/scripts/test.sh $$t naked ""; if [ $$? != 0 ]; then exit 1; fi; done
-# Test the charts as the pattern would drive them
-	@for t in $(CHARTS); do common/scripts/test.sh $$t normal "$(TEST_OPTS) $(PATTERN_OPTS)"; if [ $$? != 0 ]; then exit 1; fi; done
+	@for t in $(CHARTS); do common/scripts/test.sh $$t all "$(TEST_OPTS) $(PATTERN_OPTS)"; if [ $$? != 0 ]; then exit 1; fi; done
 
 helmlint: ## run helm lint
 	@for t in $(CHARTS); do helm lint $(TEST_OPTS) $(PATTERN_OPTS) $$t; if [ $$? != 0 ]; then exit 1; fi; done

common/acm/templates/policies/application-policies.yaml

@@ -1,6 +1,7 @@
 # TODO: Also create a GitOpsCluster.apps.open-cluster-management.io
 {{- range .Values.clusterGroup.managedClusterGroups }}
 {{- $group := . }}
+{{- if not .hostedArgoSites }}
 apiVersion: policy.open-cluster-management.io/v1
 kind: Policy
 metadata:
@@ -60,6 +61,11 @@ spec:
                         value: {{ $.Values.global.hubClusterDomain }}
                       - name: global.localClusterDomain
                         value: '{{ `{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain }}` }}'
+                      # Requires ACM 2.6 or higher
+                      - name: global.clusterDomain
+                        value: '{{ `{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain | replace "apps." "" }}` }}'
+                      - name: clusterGroup.name
+                        value: {{ $group.name }}
                      {{- range .helmOverrides }}
                       - name: {{ .name }}
                         value: {{ .value | quote }}
@@ -113,12 +119,21 @@ spec:
       type: ManagedClusterConditionAvailable
   {{- if .clusterSelector }}
   clusterSelector: {{ .clusterSelector | toPrettyJson }}
+  {{- else if (not $group.acmlabels) }}
+  clusterSelector:
+    matchLabels:
+      clusterGroup: {{ $group.name }}
+  {{- else if eq (len $group.acmlabels) 0 }}
+  clusterSelector:
+    matchLabels:
+      clusterGroup: {{ $group.name }}
   {{- else }}
   clusterSelector:
     matchLabels:
-    {{- range .labels }}
+    {{- range .acmlabels }}
       {{ .name }}: {{ .value }}
     {{- end }}
   {{- end }}
 ---
 {{- end }}
+{{- end }}

common/acm/templates/provision/clusterpool.yaml

@@ -14,7 +14,7 @@ spec:
 {{- range .clusterPools }}
 
 {{- $pool := . }}
-{{- $poolName := cat .name $group.name | replace " " "-" }}
+{{- $poolName := print .name "-" $group.name }}
 
 {{- $cloud := "None" }}
 {{- $region := "None" }}
@@ -52,8 +52,6 @@ spec:
     name: img{{ .openshiftVersion }}-x86-64-appsub
   pullSecretRef:
     name: {{ $poolName }}-pull-secret
-  sshPrivateKeySecretRef:
-    name: {{ $poolName }}-ssh-private-key
   skipMachinePools: true # Disable MachinePool as using custom install-config
   platform:
     {{ $cloud }}:
@@ -71,9 +69,15 @@ metadata:
     cluster.open-cluster-management.io/createmanagedcluster: "true"
   labels:
     clusterClaimName: {{ . }}-{{ $group.name }}
-    {{- range $group.labels }}
+  {{- if (not $group.acmlabels) }}
+    clusterGroup: {{ $group.name }}
+  {{- else if eq (len $group.acmlabels) 0 }}
+    clusterGroup: {{ $group.name }}
+  {{- else }}
+    {{- range $group.acmlabels }}
     {{ .name }}: {{ .value }}
     {{- end }}
+  {{- end }}
 spec:
   clusterPoolName: {{ $pool.name }}
 ---

common/acm/templates/provision/secrets-aws.yaml

@@ -1,7 +1,7 @@
 {{- range .Values.clusterGroup.managedClusterGroups }}
 {{- $group := . }}
 {{- range .clusterPools }}
-{{- $poolName := cat .name $group.name | replace " " "-" }}
+{{- $poolName := print .name "-" $group.name }}
 {{- if .platform.aws }}
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret

common/acm/templates/provision/secrets-azure.yaml

@@ -1,7 +1,7 @@
 {{- range .Values.clusterGroup.managedClusterGroups }}
 {{- $group := . }}
 {{- range .clusterPools }}
-{{- $poolName := cat .name $group.name | replace " " "-" }}
+{{- $poolName := print .name "-" $group.name }}
 {{- if .platform.azure }}
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
@@ -78,6 +78,7 @@ spec:
         httpsProxy: ""
         noProxy: ""
         additionalTrustBundle: ""
+---
+{{- end }}
 {{- end }}
 {{- end }}
-{{- end }}

common/acm/templates/provision/secrets-common.yaml

@@ -1,7 +1,7 @@
 {{- range .Values.clusterGroup.managedClusterGroups }}
 {{- $group := . }}
 {{- range .clusterPools }}
-{{- $poolName := cat .name $group.name | replace " " "-" }}
+{{- $poolName := print .name "-" $group.name }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -56,5 +56,6 @@ spec:
       data:
         ssh-privatekey: |-
           {{ "{{ .sshPrivateKey | toString }}" }}
+---
+{{- end }}
 {{- end }}
-{{- end }}

common/acm/test.yaml

@@ -27,7 +27,7 @@ clusterGroup:
           clusters:
           - Two
           - Three
-      labels:
+      acmlabels:
       - name: clusterGroup
         value: region-one
       helmOverrides:

common/ansible/roles/vault_utils/tasks/push_secrets.yaml

@@ -65,12 +65,12 @@
   loop:
     "{{ file_secrets | dict2items }}"
 
-- name: debug file_stat
+- name: Debug file_stat
   ansible.builtin.debug:
     var: file_stat
   when: debug | default(False) | bool
 
-- name: debug file_values
+- name: Debug file_values
   ansible.builtin.debug:
     var: file_values
   when: debug | default(False) | bool

common/clustergroup/templates/catalog-sources.yaml → common/clustergroup/templates/core/catalog-sources.yaml

@@ -1,3 +1,4 @@
+{{- if not (eq .Values.enabled "plumbing") }}
 {{- range .Values.clusterGroup.indexImages }}
 apiVersion: operators.coreos.com/v1alpha1
 kind: CatalogSource
@@ -7,4 +8,6 @@ metadata:
 spec:
   sourceType: grpc
   image: {{ .image }}:{{ .version }}
+---
+{{- end -}}
 {{- end -}}

common/clustergroup/templates/namespaces.yaml → common/clustergroup/templates/core/namespaces.yaml

@@ -1,3 +1,4 @@
+{{- if not (eq .Values.enabled "plumbing") }}
 {{- range .Values.clusterGroup.namespaces }}
 apiVersion: v1
 kind: Namespace
@@ -9,3 +10,4 @@ metadata:
 spec:
 ---
 {{- end }}
+{{- end }}

common/clustergroup/templates/operatorgroup.yaml → common/clustergroup/templates/core/operatorgroup.yaml

@@ -1,3 +1,4 @@
+{{- if not (eq .Values.enabled "plumbing") }}
 {{- range .Values.clusterGroup.namespaces }}
 
 {{- if empty $.Values.clusterGroup.operatorgroupExcludes }}
@@ -23,3 +24,4 @@ spec:
 {{- end }}
 
 {{- end }}
+{{- end }}

common/clustergroup/templates/subscriptions.yaml → common/clustergroup/templates/core/subscriptions.yaml

@@ -1,3 +1,4 @@
+{{- if not (eq .Values.enabled "plumbing") }}
 {{- range .Values.clusterGroup.subscriptions }}
 {{- $subs := . }}
 {{- $installPlanValue := .installPlanApproval }}
@@ -65,3 +66,4 @@ spec:
 {{- end }}
 {{- end }}
 ---
+{{- end }}

common/clustergroup/templates/imperative/clusterrole.yaml

@@ -1,3 +1,4 @@
+{{- if not (eq .Values.enabled "plumbing") }}
 {{/* Define this if needed (jobs defined or insecure unseal configured) */}}
 {{- if or (gt (len $.Values.clusterGroup.imperative.jobs) 0)
     (and $.Values.clusterGroup.insecureUnsealVaultInsideCluster $.Values.clusterGroup.isHubCluster) -}}
@@ -20,3 +21,4 @@ rules:
     - watch
 {{- end }}
 {{- end }}
+{{- end }}

common/clustergroup/templates/imperative/configmap.yaml

@@ -1,13 +1,15 @@
+{{- if not (eq .Values.enabled "plumbing") }}
 {{/* Define this if needed (jobs defined or insecure unseal configured) */}}
 {{- if or (gt (len $.Values.clusterGroup.imperative.jobs) 0)
     (and $.Values.clusterGroup.insecureUnsealVaultInsideCluster $.Values.clusterGroup.isHubCluster) -}}
 {{- $valuesyaml := toYaml $.Values -}}
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: {{ $.Values.clusterGroup.imperative.valuesConfigMap }}
+  name: {{ $.Values.clusterGroup.imperative.valuesConfigMap }}-{{ $.Values.clusterGroup.name }}
   namespace: {{ $.Values.clusterGroup.imperative.namespace}}
 data:
   values.yaml: |
 {{ tpl $valuesyaml . | indent 4 }}
-{{ end }}
+{{- end }}
+{{- end }}

common/clustergroup/templates/imperative/job.yaml

@@ -1,3 +1,4 @@
+{{- if not (eq .Values.enabled "plumbing") }}
 {{/* Define this if needed (jobs defined */}}
 {{- if (gt (len $.Values.clusterGroup.imperative.jobs) 0) -}}
 ---
@@ -62,6 +63,7 @@ spec:
             emptyDir: {}
           - name: values-volume
             configMap:
-              name: {{ $.Values.clusterGroup.imperative.valuesConfigMap }}
+              name: {{ $.Values.clusterGroup.imperative.valuesConfigMap }}-{{ $.Values.clusterGroup.name }}
           restartPolicy: Never
-{{ end }}
+{{- end }}
+{{- end }}

common/clustergroup/templates/imperative/namespace.yaml

@@ -1,3 +1,4 @@
+{{- if not (eq .Values.enabled "plumbing") }}
 {{/* Define this if needed (jobs defined or insecure unseal configured) */}}
 {{- if or (gt (len $.Values.clusterGroup.imperative.jobs) 0)
     (and $.Values.clusterGroup.insecureUnsealVaultInsideCluster $.Values.clusterGroup.isHubCluster) -}}
@@ -8,4 +9,5 @@ metadata:
     name: {{ $.Values.clusterGroup.imperative.namespace }}
     argocd.argoproj.io/managed-by: {{ $.Values.global.pattern }}-{{ $.Values.clusterGroup.name }}
   name: {{ $.Values.clusterGroup.imperative.namespace }}
-{{ end }}
+{{- end }}
+{{- end }}

common/clustergroup/templates/imperative/rbac.yaml

@@ -1,3 +1,4 @@
+{{- if not (eq .Values.enabled "plumbing") }}
 {{/* Define this if needed (jobs defined or insecure unseal configured) */}}
 {{- if or (gt (len $.Values.clusterGroup.imperative.jobs) 0)
     (and $.Values.clusterGroup.insecureUnsealVaultInsideCluster $.Values.clusterGroup.isHubCluster) -}}
@@ -28,4 +29,5 @@ subjects:
   - kind: ServiceAccount
     name: {{ $.Values.clusterGroup.imperative.serviceAccountName }}
     namespace: {{ $.Values.clusterGroup.imperative.namespace }}
-{{ end }}
+{{- end }}
+{{- end }}

common/clustergroup/templates/imperative/role.yaml

@@ -1,3 +1,4 @@
+{{- if not (eq .Values.enabled "plumbing") }}
 {{/* Define this if needed (jobs defined or insecure unseal configured) */}}
 {{- if or (gt (len $.Values.clusterGroup.imperative.jobs) 0)
     (and $.Values.clusterGroup.insecureUnsealVaultInsideCluster $.Values.clusterGroup.isHubCluster) -}}
@@ -19,3 +20,4 @@ rules:
     - '*'
 {{- end }}
 {{- end }}
+{{- end }}

common/clustergroup/templates/imperative/serviceaccount.yaml

@@ -1,3 +1,4 @@
+{{- if not (eq .Values.enabled "plumbing") }}
 {{/* Define this if needed (jobs defined or insecure unseal configured) */}}
 {{- if or (gt (len $.Values.clusterGroup.imperative.jobs) 0)
     (and $.Values.clusterGroup.insecureUnsealVaultInsideCluster $.Values.clusterGroup.isHubCluster) -}}
@@ -9,3 +10,4 @@ metadata:
   namespace: {{ $.Values.clusterGroup.imperative.namespace }}
 {{- end }}
 {{- end }}
+{{- end }}

common/clustergroup/templates/imperative/unsealjob.yaml

@@ -1,3 +1,4 @@
+{{- if not (eq .Values.enabled "plumbing") }}
 {{/* Only define this if the values.insecureUnsealVaultInsideCluster is set to tre and we're on the cluster */}}
 {{- if and $.Values.clusterGroup.insecureUnsealVaultInsideCluster $.Values.clusterGroup.isHubCluster }}
 ---
@@ -54,6 +55,7 @@ spec:
             emptyDir: {}
           - name: values-volume
             configMap:
-              name: {{ $.Values.clusterGroup.imperative.valuesConfigMap }}
+              name: {{ $.Values.clusterGroup.imperative.valuesConfigMap }}-{{ $.Values.clusterGroup.name }}
           restartPolicy: Never
-{{ end }}
+{{- end }}
+{{- end }}