diff --git a/.github/workflows/component-test.yaml b/.github/workflows/component-test.yaml index bde0907a1..7a9a134a5 100644 --- a/.github/workflows/component-test.yaml +++ b/.github/workflows/component-test.yaml @@ -68,6 +68,7 @@ jobs: helm repo add mockserver https://www.mock-server.com + - name: Run KUTTL tests run: | cd tests/component-tests && ./../../bin/kuttl test --parallel 1 --start-kind=false --namespace e2e-test --config startup.yaml diff --git a/charts/gitops-runtime/Chart.yaml b/charts/gitops-runtime/Chart.yaml index 928351342..0a4c016a4 100644 --- a/charts/gitops-runtime/Chart.yaml +++ b/charts/gitops-runtime/Chart.yaml @@ -33,6 +33,7 @@ dependencies: - name: sealed-secrets repository: https://bitnami-labs.github.io/sealed-secrets/ version: 2.17.2 + condition: sealed-secrets.enabled - name: codefresh-tunnel-client repository: oci://quay.io/codefresh/charts version: 0.1.22 diff --git a/charts/gitops-runtime/README.md b/charts/gitops-runtime/README.md index 7fa79bb5c..28550cd3c 100644 --- a/charts/gitops-runtime/README.md +++ b/charts/gitops-runtime/README.md 
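Review bot: The new `condition: sealed-secrets.enabled` on the sealed-secrets dependency has no matching default anywhere in this diff — the `values.yaml` hunks do not add an `enabled` key under `sealed-secrets:`. Helm only honours a condition whose path resolves to a boolean, so if the key is absent the subchart is still installed, while the `_helpers.tpl` component-list change (`index .Values "sealed-secrets" "enabled"`) evaluates to nil and silently drops sealed-secrets from the reported component list; the two then disagree about what is running. Add `enabled: true` under `sealed-secrets:` in `values.yaml` (or confirm it already exists outside the shown hunks) so the condition and the helper read the same explicit value.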
@@ -31,6 +31,68 @@ See [Use OCI-based registries](https://helm.sh/docs/topics/registries/) ## Codefresh official documentation: Prior to running the installation please see the official documentation at: https://codefresh.io/docs/docs/installation/gitops/hybrid-gitops-helm-installation/ +## Multi Runtime Installation +You can install multiple Codefresh GitOps Runtimes in the same cluster, as long as each Runtime is deployed in its own namespace and manages only the applications in that namespace. +To achieve this, configure your Runtimes to run in namespaced mode by setting `global.runtime.singleNamespace=true`. See the values.yaml example below: +```yaml +global: + runtime: + singleNamespace: true +sealed-secrets: + enabled: false +argo-cd: + createClusterRoles: false + crds: + install: false + configs: + params: + application.namespaces: '' +argo-events: + controller: + rbac: + namespaced: true +argo-workflows: + crds: + install: false + singleNamespace: true + createAggregateRoles: false + controller: + clusterWorkflowTemplates: + enabled: false + server: + clusterWorkflowTemplates: + enabled: false +argo-rollouts: + enabled: false +tunnel-client: + enabled: false +gitops-operator: + crds: + install: false +``` + +Note that for the first runtime in the cluster, you have to configure it to install the CRDs, with setting these values: +```yaml +global: + runtime: + isConfigurationRuntime: true +argo-cd: + crds: + install: true +argo-workflows: + crds: + install: true +argo-rollouts: + installCRDs: true +gitops-operator: + crds: + install: true +``` + +> [!WARNING] +> If you want more than one runtime in your cluster, make sure that all of the runtimes in your cluster are configured with `global.runtime.singleNamespace=true`. +> If you already have a runtime installed in the cluster without this setting, multi runtime installation is not supported. 
+ ## Argo-workflows artifact and log storage Codefresh provides a SaaS object storage based solution for Argo workflows logs storage. The chart deploys a configmap named `codefresh-workflows-log-store` with the repository configuration. If you want to utilize the Codefresh SaaS solution for log storage for all workflows in the runtime please set the following values: @@ -555,6 +617,7 @@ global: | event-reporters.cluster-event-reporter | object | `{}` | | | event-reporters.runtime-event-reporter | object | `{}` | | | gitops-operator.affinity | object | `{}` | | +| gitops-operator.config | object | `{"commitStatusPollingInterval":"10s","maxConcurrentReleases":100,"promotionWrapperTemplate":"","taskPollingInterval":"10s","workflowMonitorPollingInterval":"10s"}` | GitOps operator configuration | | gitops-operator.config.commitStatusPollingInterval | string | `"10s"` | Commit status polling interval | | gitops-operator.config.maxConcurrentReleases | int | `100` | Maximum number of concurrent releases being processed by the operator (this will not affect the number of releases being processed by the gitops runtime) | | gitops-operator.config.maxReconcileRetries | int | `10` | Maximum number of reconcile retries on promotion-related resources before failing a promotion task | 
@@ -638,7 +701,7 @@ global: | global.runtime.ingressUrl | string | `""` | Explicit url for runtime ingress. Provide this value only if you don't want the chart to create and ingress (global.runtime.ingress.enabled=false) and tunnel-client is not used (tunnel-client.enabled=false) | | global.runtime.isConfigurationRuntime | bool | `false` | is the runtime set as a "configuration runtime". | | global.runtime.name | string | `nil` | Runtime name. Must be unique per platform account. | -| global.runtime.singleNamespace | bool | `false` | Defines if runtime is namespace scoped. Required for running multiple runtimes in the same cluster | +| global.runtime.singleNamespace | bool | `false` | Runtime single namespace mode. When true, runtime operates in single namespace scope. | | global.tolerations | list | `[]` | Global tolerations for all components | | installer | object | `{"affinity":{},"argoCdVersionCheck":{"argoServerLabels":{"app.kubernetes.io/component":"server","app.kubernetes.io/part-of":"argocd"}},"image":{"pullPolicy":"IfNotPresent","repository":"quay.io/codefresh/gitops-runtime-installer","tag":""},"nodeSelector":{},"skipUsageValidation":false,"skipValidation":false,"tolerations":[]}` | Runtime installer used for running hooks and checks on the release | | installer.skipUsageValidation | bool | `false` | if set to true, pre-install hook will *not* run | diff --git a/charts/gitops-runtime/README.md.gotmpl b/charts/gitops-runtime/README.md.gotmpl index 444f73462..bea6abeac 100644 --- a/charts/gitops-runtime/README.md.gotmpl +++ b/charts/gitops-runtime/README.md.gotmpl 
@@ -31,6 +31,69 @@ See [Use OCI-based registries](https://helm.sh/docs/topics/registries/) ## Codefresh official documentation: Prior to running the installation please see the official documentation at: https://codefresh.io/docs/docs/installation/gitops/hybrid-gitops-helm-installation/ +## Multi Runtime Installation +You can install multiple Codefresh GitOps Runtimes in the same cluster, as long as each Runtime is deployed in its own namespace and manages only the applications in that namespace. +To achieve this, configure your Runtimes to run in namespaced mode by setting `global.runtime.singleNamespace=true`. See the values.yaml example below: +```yaml +global: + runtime: + singleNamespace: true +sealed-secrets: + enabled: false +argo-cd: + createClusterRoles: false + crds: + install: false + configs: + params: + application.namespaces: '' +argo-events: + controller: + rbac: + namespaced: true +argo-workflows: + crds: + install: false + singleNamespace: true + createAggregateRoles: false + controller: + clusterWorkflowTemplates: + enabled: false + server: + clusterWorkflowTemplates: + enabled: false +argo-rollouts: + enabled: false +tunnel-client: + enabled: false +gitops-operator: + crds: + install: false +``` + +Note that for the first runtime in the cluster, you have to configure it to install the CRDs, with setting these values: +```yaml +global: + runtime: + isConfigurationRuntime: true +argo-cd: + crds: + install: true +argo-workflows: + crds: + install: true +argo-rollouts: + installCRDs: true +gitops-operator: + crds: + install: true +``` + +> [!WARNING] +> If you want more than one runtime in your cluster, make sure that all of the runtimes in your cluster are configured with `global.runtime.singleNamespace=true`. +> If you already have a runtime installed in the cluster without this setting, multi runtime installation is not supported. 
+ + ## Argo-workflows artifact and log storage Codefresh provides a SaaS object storage based solution for Argo workflows logs storage. The chart deploys a configmap named `codefresh-workflows-log-store` with the repository configuration. If you want to utilize the Codefresh SaaS solution for log storage for all workflows in the runtime please set the following values: diff --git a/charts/gitops-runtime/templates/_components/cap-app-proxy/_all_resources.yaml b/charts/gitops-runtime/templates/_components/cap-app-proxy/_all_resources.yaml index 479914c47..3941e62cc 100644 --- a/charts/gitops-runtime/templates/_components/cap-app-proxy/_all_resources.yaml +++ b/charts/gitops-runtime/templates/_components/cap-app-proxy/_all_resources.yaml @@ -10,4 +10,5 @@ {{ include "cap-app-proxy.resources.service" . }} --- {{ include "cap-app-proxy.resources.sa" .}} -{{- end }} \ No newline at end of file +--- +{{- end }} diff --git a/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_all.yaml b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_all.yaml new file mode 100644 index 000000000..cf8716c78 --- /dev/null +++ b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_all.yaml @@ -0,0 +1,11 @@ +{{- define "argo-cd.namespaced-rbac.all" }} +{{- if (index .Values "global" "runtime").singleNamespace }} +{{- include "argo-cd.namespaced-rbac.serviceaccount" . }} +--- +{{- include "argo-cd.namespaced-rbac.secret" . }} +--- +{{- include "argo-cd.namespaced-rbac.role" . }} +--- +{{- include "argo-cd.namespaced-rbac.rolebinding" . }} +{{- end }} +{{- end }} diff --git a/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_role.yaml b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_role.yaml new file mode 100644 index 000000000..9656aa3b3 --- /dev/null +++ b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_role.yaml 
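Review bot: The named templates introduced in this file (`argo-cd.namespaced-rbac.all` and the four it includes) use the `argo-cd.` prefix, which is the prefix the argo-cd subchart uses for its own named templates; Helm named templates are global across a chart and its subcharts, and when two share a name the one loaded last silently wins. Nothing visible here collides today, but prefixing with the parent chart's namespace, e.g. `{{- define "codefresh-gitops-runtime.argocd-namespaced-rbac.all" }}`, follows the convention this PR already relies on for `codefresh-gitops-runtime.labels` and removes the risk. The same rename applies to the defines in the `_role.yaml`, `_rolebinding.yaml`, `_secret.yaml` and `_serviceaccount.yaml` hunks that follow.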
@@ -0,0 +1,17 @@ +{{- define "argo-cd.namespaced-rbac.role" }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: argocd-namespaced-role + namespace: {{ .Release.Namespace }} + labels: + {{- include "codefresh-gitops-runtime.labels" . | nindent 4 }} + codefresh.io/component: argocd-namespaced-rbac +rules: +- apiGroups: + - '*' + resources: + - '*' + verbs: + - '*' +{{- end }} diff --git a/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_rolebinding.yaml b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_rolebinding.yaml new file mode 100644 index 000000000..28c529499 --- /dev/null +++ b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_rolebinding.yaml @@ -0,0 +1,18 @@ +{{- define "argo-cd.namespaced-rbac.rolebinding" }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: argocd-namespaced-rolebinding + namespace: {{ .Release.Namespace }} + labels: + {{- include "codefresh-gitops-runtime.labels" . | nindent 4 }} + codefresh.io/component: argocd-namespaced-rbac +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: argocd-namespaced-role +subjects: +- kind: ServiceAccount + name: argocd-manager + namespace: {{ .Release.Namespace }} +{{- end }} \ No newline at end of file diff --git a/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_secret.yaml b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_secret.yaml new file mode 100644 index 000000000..63100462d --- /dev/null +++ b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_secret.yaml @@ -0,0 +1,9 @@ +{{- define "argo-cd.namespaced-rbac.secret" }} +apiVersion: v1 +kind: Secret +metadata: + name: argocd-manager-long-lived-token + annotations: + kubernetes.io/service-account.name: argocd-manager +type: kubernetes.io/service-account-token +{{- end }} 
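Review bot: `argocd-namespaced-role` grants `'*'` for `apiGroups`, `resources` and `verbs`, which makes the `argocd-manager` ServiceAccount bound to it in the `_rolebinding.yaml` hunk a full administrator of the release namespace — every Secret, every Role/RoleBinding and `pods/exec` included — and it is far wider than the enumerated rules the same PR writes for `argo-role` in `rbac/_rbac_operator.yaml`. If the wildcard is deliberate because Argo CD must apply arbitrary application manifests, record that above `rules:`, e.g. `# intentional wildcard: argocd-manager applies arbitrary application manifests in this namespace`; otherwise enumerate the API groups the runtime actually manages. Note also that the rule carries no `resourceNames`, so the long-lived token minted in `_secret.yaml` is itself readable through this Role.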
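Review bot: The `argocd-manager-long-lived-token` Secret omits `namespace: {{ .Release.Namespace }}` and the `labels:` block (with `codefresh.io/component: argocd-namespaced-rbac`) that the sibling `_role.yaml`, `_rolebinding.yaml` and `_serviceaccount.yaml` templates carry, so it is the one object of the set that label-based selection or cleanup will miss. Copying the same `metadata.namespace` and `labels` stanza keeps the four resources consistent. Separately, `type: kubernetes.io/service-account-token` asks the control plane to mint a non-expiring token for `argocd-manager`, which the wildcard Role bound to it turns into an unrotated namespace-admin credential; a comment above `type:` stating which component consumes this token and how it is rotated would help the next reviewer.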
diff --git a/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_serviceaccount.yaml b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_serviceaccount.yaml new file mode 100644 index 000000000..1f94e491e --- /dev/null +++ b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_serviceaccount.yaml @@ -0,0 +1,10 @@ +{{- define "argo-cd.namespaced-rbac.serviceaccount" }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: argocd-manager + namespace: {{ .Release.Namespace }} + labels: + {{- include "codefresh-gitops-runtime.labels" . | nindent 4 }} + codefresh.io/component: argocd-namespaced-rbac +{{- end }} diff --git a/charts/gitops-runtime/templates/_components/cap-app-proxy/environment-variables/_main-container.yaml b/charts/gitops-runtime/templates/_components/cap-app-proxy/environment-variables/_main-container.yaml index fb85b911c..a2681d339 100644 --- a/charts/gitops-runtime/templates/_components/cap-app-proxy/environment-variables/_main-container.yaml +++ b/charts/gitops-runtime/templates/_components/cap-app-proxy/environment-variables/_main-container.yaml @@ -89,6 +89,12 @@ IS_EXTERNAL_ARGOCD: name: cap-app-proxy-cm key: isExternalArgoCD optional: true +IS_NAMESPACED_RUNTIME: + valueFrom: + configMapKeyRef: + name: cap-app-proxy-cm + key: isNamespacedRuntime + optional: true MANAGED: false NAMESPACE: valueFrom: @@ -213,6 +219,7 @@ IRW_JIRA_ENRICHMENT_TASK_IMAGE: name: cap-app-proxy-cm key: enrichmentJiraEnrichmentImage optional: true + NODE_EXTRA_CA_CERTS: /app/config/all/all.cer {{- if gt (int .Values.replicaCount) 1 }} LEADER_ID: diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/_default_values.tpl b/charts/gitops-runtime/templates/_components/gitops-operator/_default_values.tpl index 6a2c9e2af..db6a171aa 100644 --- a/charts/gitops-runtime/templates/_components/gitops-operator/_default_values.tpl +++ b/charts/gitops-runtime/templates/_components/gitops-operator/_default_values.tpl 
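Review bot: `argocd-manager` is created without `automountServiceAccountToken`, so the default of `true` applies and any pod that runs as this ServiceAccount gets a token for the wildcard Role mounted automatically, in addition to the long-lived token minted in `_secret.yaml`. If, as the template set suggests, the credential is meant to be consumed only through that explicit Secret, add `automountServiceAccountToken: false` at the top level of the object after the `metadata:` block so the token is not also auto-mounted.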
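Review bot: `IS_NAMESPACED_RUNTIME` is read from ConfigMap `cap-app-proxy-cm` key `isNamespacedRuntime` with `optional: true`, but no hunk in this diff adds `isNamespacedRuntime` to the cap-app-proxy ConfigMap template; if that key is not populated elsewhere the variable is silently absent and the app-proxy presumably falls back to non-namespaced behaviour even when `global.runtime.singleNamespace` is true. Either add the key to the ConfigMap in this change or confirm it is already emitted; since gitops-operator receives the same flag straight from values in `_env.yaml`, doing the same here (`IS_NAMESPACED_RUNTIME: {{ .Values.global.runtime.singleNamespace | quote }}`) would remove the indirection. If the `configMapKeyRef` is kept, a comment above the key naming where `isNamespacedRuntime` is set would help.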
@@ -14,6 +14,9 @@ global: replicaCount: 1 +# -- Restrict the gitops operator to a single namespace (by the namespace of Helm release) +singleNamespace: false + # -- Codefresh gitops operator crds crds: # -- Whether or not to install CRDs diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/_env.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/_env.yaml index 11892a073..f03ad010f 100644 --- a/charts/gitops-runtime/templates/_components/gitops-operator/_env.yaml +++ b/charts/gitops-runtime/templates/_components/gitops-operator/_env.yaml @@ -22,6 +22,7 @@ PROMOTION_WRAPPER_TEMPLATE: {{ .Values.config.promotionWrapperTemplate | quote } RUNTIME: {{ .Values.global.runtime.name }} TASK_POLLING_INTERVAL: {{ .Values.config.taskPollingInterval }} WORKFLOW_MONITOR_POLLING_INTERVAL: {{ .Values.config.workflowMonitorPollingInterval }} +IS_NAMESPACED_RUNTIME: {{ .Values.global.runtime.singleNamespace }} {{- end }} {{- define "gitops-operator.resources.environment-variables.defaults" -}} @@ -46,7 +47,7 @@ NAMESPACE: valueFrom: fieldRef: fieldPath: metadata.namespace -RUNTIME_VERSION: +RUNTIME_VERSION: valueFrom: configMapKeyRef: name: codefresh-cm diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/crds/_all.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/crds/_all.yaml index 242aae2d1..7630b552e 100644 --- a/charts/gitops-runtime/templates/_components/gitops-operator/crds/_all.yaml +++ b/charts/gitops-runtime/templates/_components/gitops-operator/crds/_all.yaml @@ -14,7 +14,9 @@ --- {{- include "gitops-operator.crds.product" $context }} --- + {{- if not (get .Values.global "runtime").singleNamespace }} {{- include "gitops-operator.crds.restricted-gitsource" $context }} + {{- end }} --- {{- include "gitops-operator.crds.promotion-policy" $context }} --- 
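Review bot: The new component-level `singleNamespace: false` default is not read by any template in this diff — every operator template switched here (`_env.yaml`, `crds/_all.yaml`, `promotion-template/_rbac.yaml`, `rbac/_all.yaml`, `rbac/_auth_proxy_rbac.yaml`, `rbac/_rbac_operator.yaml`) keys off `.Values.global.runtime.singleNamespace`, so a user who sets `gitops-operator.singleNamespace: true` as the new comment invites gets no effect. Either wire the component value in (e.g. `{{ or .Values.singleNamespace .Values.global.runtime.singleNamespace }}` in those templates) or drop these three lines and let `global.runtime.singleNamespace` remain the single source of truth. The define holding these defaults starts before the hunk.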
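Review bot: `IS_NAMESPACED_RUNTIME: {{ .Values.global.runtime.singleNamespace }}` renders a bare YAML boolean, unlike `PROMOTION_WRAPPER_TEMPLATE` in the hunk header which is piped through `| quote`, and unlike the same flag written into `codefresh-cm.yaml` in this PR, which is quoted. If the helper that turns this map into container env entries passes scalars through verbatim, a bare `false` does not satisfy the string-typed `value` field, and even where it is coerced the mixed styles in one map are confusing; `IS_NAMESPACED_RUNTIME: {{ .Values.global.runtime.singleNamespace | quote }}` removes the ambiguity. The define this map belongs to starts before the hunk.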
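Review bot: The flag is read here as `(get .Values.global "runtime").singleNamespace`, in `cap-app-proxy/argo-cd/_all.yaml` as `(index .Values "global" "runtime").singleNamespace`, and in `_env.yaml` and every rbac template as `.Values.global.runtime.singleNamespace`; all three resolve the same value, so pick one — the dotted form already dominates the PR — and use it in `rbac/_all.yaml` as well. Also, with the flag on, the `---` before the gated include and the `---` after it leave an empty YAML document in the rendered output; Helm tolerates it, but moving the leading `---` inside the `{{- if }}` keeps the output clean. The enclosing define starts outside the hunk.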
diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/promotion-template/_rbac.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/promotion-template/_rbac.yaml index 0f2d1f3e3..f41bc088b 100644 --- a/charts/gitops-runtime/templates/_components/gitops-operator/promotion-template/_rbac.yaml +++ b/charts/gitops-runtime/templates/_components/gitops-operator/promotion-template/_rbac.yaml @@ -1,7 +1,7 @@ {{- define "gitops-operator.resources.promotion-template-rbac" }} apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole +kind: {{ .Values.global.runtime.singleNamespace | ternary "Role" "ClusterRole" }} metadata: labels: {{- include "gitops-operator.selectorLabels" . | nindent 4 }} @@ -45,14 +45,14 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: {{ .Values.global.runtime.singleNamespace | ternary "RoleBinding" "ClusterRoleBinding" }} metadata: labels: {{- include "gitops-operator.selectorLabels" . | nindent 4 }} name: promotion-template roleRef: apiGroup: rbac.authorization.k8s.io - kind: ClusterRole + kind: {{ .Values.global.runtime.singleNamespace | ternary "Role" "ClusterRole" }} name: promotion-template subjects: - kind: ServiceAccount diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_all.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_all.yaml index 8760f4220..0a0d6f33e 100644 --- a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_all.yaml +++ b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_all.yaml @@ -13,7 +13,9 @@ --- {{- include "gitops-operator.resources.leader-election-rbac" $context }} --- + {{- if not (get .Values.global "runtime").singleNamespace }} {{- include "gitops-operator.resources.restricted-git-source-rbac" $context }} + {{- end }} --- {{- include "gitops-operator.resources.rbac-operator" $context }} {{- end }} 
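Review bot: Switching `kind` to `Role` through the ternary leaves the `rules:` block between this file's two hunks untouched, and a namespaced Role silently ignores any rule that names a cluster-scoped resource or a `nonResourceURLs` entry, so the operator would lose that permission with no render or install error. Each rule set behind a `Role`/`ClusterRole` ternary should be audited with the flag on; the same applies to `rbac/_auth_proxy_rbac.yaml`, `rbac/_rbac_operator.yaml`, `app-proxy/workflows-crb.yaml`, `argo-gateway/rbac.yaml` and both event-reporter `rbac.yaml` files, where the rules visibly end in a `'*'` wildcard that becomes namespace-wide rather than cluster-wide admin. A comment above the ternary, e.g. `{{/* single-namespace runtime: the rules below must only reference namespaced resources */}}`, would record the constraint for future edits.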
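Review bot: The `{{- if not ... singleNamespace }}` guard placed around the `restricted-git-source-rbac` include duplicates the guard this PR also adds inside the define itself (first and last hunks of `rbac/_restricted_git_source.rbac.yaml`); one is enough, and keeping only the one inside the define covers every caller. With both in place the `---` before and after the include still render an empty document when the flag is on, which moving the leading `---` into the `if` would avoid. The enclosing define starts before the hunk.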
diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_auth_proxy_rbac.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_auth_proxy_rbac.yaml index 4ec54d311..f9d687eb0 100644 --- a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_auth_proxy_rbac.yaml +++ b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_auth_proxy_rbac.yaml @@ -1,7 +1,7 @@ {{- define "gitops-operator.resources.auth-proxy-rbac" }} apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole +kind: {{ .Values.global.runtime.singleNamespace | ternary "Role" "ClusterRole" }} metadata: labels: {{- include "gitops-operator.selectorLabels" . | nindent 4 }} @@ -22,14 +22,14 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: {{ .Values.global.runtime.singleNamespace | ternary "RoleBinding" "ClusterRoleBinding" }} metadata: labels: {{- include "gitops-operator.selectorLabels" . | nindent 4 }} name: codefresh-gitops-operator-proxy roleRef: apiGroup: rbac.authorization.k8s.io - kind: ClusterRole + kind: {{ .Values.global.runtime.singleNamespace | ternary "Role" "ClusterRole" }} name: codefresh-gitops-operator-proxy subjects: - kind: ServiceAccount diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_rbac_operator.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_rbac_operator.yaml index 08f7e84af..aa0d72f7c 100644 --- a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_rbac_operator.yaml +++ b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_rbac_operator.yaml @@ -1,7 +1,7 @@ {{- define "gitops-operator.resources.rbac-operator" }} apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole +kind: {{ .Values.global.runtime.singleNamespace | ternary "Role" "ClusterRole" }} metadata: labels: {{- include "gitops-operator.selectorLabels" . | nindent 4 }} 
@@ -26,6 +26,7 @@ rules: - patch - update - watch +{{- if not .Values.global.runtime.singleNamespace }} - apiGroups: - codefresh.io resources: @@ -55,6 +56,7 @@ rules: - get - patch - update +{{- end }} - apiGroups: - "" resources: 
@@ -72,17 +74,137 @@ rules: - get - list - watch +--- +{{- if .Values.global.runtime.singleNamespace }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: argo-role +rules: +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - get + - update +- apiGroups: + - "" + resources: + - pods + - pods/exec + verbs: + - create + - get + - list + - watch + - update + - patch + - delete +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - watch + - list +- apiGroups: + - "" + resources: + - persistentvolumeclaims + - persistentvolumeclaims/finalizers + verbs: + - create + - update + - delete + - get +- apiGroups: + - argoproj.io + resources: + - workflows + - workflows/finalizers + - workflowtasksets + - workflowtasksets/finalizers + - workflowartifactgctasks + verbs: + - get + - list + - watch + - update + - patch + - delete + - create +- apiGroups: + - argoproj.io + resources: + - workflowtemplates + - workflowtemplates/finalizers + verbs: + - get + - list + - watch +- apiGroups: + - argoproj.io + resources: + - workflowtaskresults + verbs: + - list + - watch + - deletecollection +- apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - get + - list +- apiGroups: + - "" + resources: + - secrets + verbs: + - get +- apiGroups: + - argoproj.io + resources: + - cronworkflows + - cronworkflows/finalizers + verbs: + - get + - list + - watch + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - policy + resources: + - poddisruptionbudgets + verbs: + - create + - get + - delete +{{- end }} --- apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: {{ .Values.global.runtime.singleNamespace | ternary "RoleBinding" "ClusterRoleBinding" }} metadata: labels: {{- include "gitops-operator.selectorLabels" . 
| nindent 4 }} name: codefresh-gitops-operator roleRef: apiGroup: rbac.authorization.k8s.io - kind: ClusterRole + kind: {{ .Values.global.runtime.singleNamespace | ternary "Role" "ClusterRole" }} name: codefresh-gitops-operator subjects: - kind: ServiceAccount @@ -90,15 +212,15 @@ subjects: namespace: {{ .Release.Namespace }} --- apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: {{ .Values.global.runtime.singleNamespace | ternary "RoleBinding" "ClusterRoleBinding" }} metadata: labels: {{- include "gitops-operator.selectorLabels" . | nindent 4 }} name: codefresh-gitops-operator-workflows roleRef: apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: argo-edit + kind: {{ .Values.global.runtime.singleNamespace | ternary "Role" "ClusterRole" }} + name: {{ .Values.global.runtime.singleNamespace | ternary "argo-role" "argo-edit" }} subjects: - kind: ServiceAccount name: {{ include "gitops-operator.serviceAccountName" . }} diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_restricted_git_source.rbac.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_restricted_git_source.rbac.yaml index be27879ce..34c130298 100644 --- a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_restricted_git_source.rbac.yaml +++ b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_restricted_git_source.rbac.yaml @@ -1,5 +1,6 @@ {{- define "gitops-operator.resources.restricted-git-source-rbac" }} + {{- if not .Values.global.runtime.singleNamespace }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -80,4 +81,5 @@ subjects: - kind: ServiceAccount name: {{ include "gitops-operator.serviceAccountName" . }} namespace: {{ .Release.Namespace }} + {{- end }} {{- end }} diff --git a/charts/gitops-runtime/templates/_helpers.tpl b/charts/gitops-runtime/templates/_helpers.tpl index fd5906499..d08038632 100644 --- a/charts/gitops-runtime/templates/_helpers.tpl 
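Review bot: The new `argo-role` Role has no `labels:` (every other RBAC object in this file carries `gitops-operator.selectorLabels`) and a generic name with no release or component prefix, so it is invisible to label-based cleanup and can collide with a same-named Role from another chart in the namespace; a name such as `codefresh-gitops-operator-argo` with the same `labels:` block, and the matching change to the `"argo-role"` literal in the `-workflows` binding below, would line it up with the rest of the file. The rule set also grants `pods/exec` `create` and namespace-wide `secrets` `get`; it is presumably modelled on the `argo-edit` aggregate it replaces in single-namespace mode, but if the operator's workflow path does not need exec that rule should go, and otherwise a comment above `rules:` explaining why it mirrors `argo-edit` would help. This define starts before the hunk and the `{{- if }}` block added here spans about 120 lines.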
+++ b/charts/gitops-runtime/templates/_helpers.tpl @@ -378,11 +378,14 @@ Get ingress url for both tunnel based and ingress based runtimes Output comma separated list of installed runtime components */}} {{- define "codefresh-gitops-runtime.component-list"}} - {{- $sealedSecrets := dict "name" "sealed-secrets" "version" (get .Subcharts "sealed-secrets").Chart.AppVersion }} {{- $internalRouter := dict "name" "internal-router" "version" .Chart.AppVersion }} {{- $appProxy := dict "name" "app-proxy" "version" (index (get .Values "app-proxy") "image" "tag") }} {{- $argoApiGateway := dict "name" "argo-gateway" "version" (get .Values "argo-gateway").image.tag }} - {{- $comptList := list $appProxy $sealedSecrets $internalRouter $argoApiGateway }} + {{- $comptList := list $appProxy $internalRouter $argoApiGateway }} + {{- if and (index .Values "sealed-secrets" "enabled") }} + {{- $sealedSecrets := dict "name" "sealed-secrets" "version" (get .Subcharts "sealed-secrets").Chart.AppVersion }} + {{- $comptList = append $comptList $sealedSecrets }} + {{- end }} {{- if and (index .Values "argo-cd" "enabled") }} {{- $argoCD := dict "name" "argocd" "version" (get .Subcharts "argo-cd").Chart.AppVersion }} {{- $comptList = append $comptList $argoCD }} diff --git a/charts/gitops-runtime/templates/app-proxy/argocd-namespaced-rbac.yaml b/charts/gitops-runtime/templates/app-proxy/argocd-namespaced-rbac.yaml new file mode 100644 index 000000000..401556a0d --- /dev/null +++ b/charts/gitops-runtime/templates/app-proxy/argocd-namespaced-rbac.yaml @@ -0,0 +1 @@ +{{- include "argo-cd.namespaced-rbac.all" . }} diff --git a/charts/gitops-runtime/templates/app-proxy/workflows-crb.yaml b/charts/gitops-runtime/templates/app-proxy/workflows-crb.yaml index d3a0b4e2b..02b8dc3dc 100644 --- a/charts/gitops-runtime/templates/app-proxy/workflows-crb.yaml +++ b/charts/gitops-runtime/templates/app-proxy/workflows-crb.yaml 
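Review bot: `{{- if and (index .Values "sealed-secrets" "enabled") }}` uses `and` with a single operand, which is a no-op; `{{- if index .Values "sealed-secrets" "enabled" }}` reads the same (the existing `argo-cd` check below has the same pattern, and the new gating in `gitops-operator/crds.yaml`, `deployment.yaml`, `promotion-operator.yaml`, `rbac.yaml` and `serviceaccount.yaml` repeats it five more times). More importantly, `index` on a missing key returns nil rather than failing, so if `sealed-secrets.enabled` — or `gitops-operator.enabled` for the operator templates — has no explicit default in `values.yaml`, which the `values.yaml` hunks of this PR do not show, the component is silently left out of the list or, for the operator, not rendered at all. Worth confirming both keys have explicit defaults. The enclosing define starts before the hunk.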
@@ -4,12 +4,12 @@ {{- $_ := set $appProxyContext "Values" (deepCopy (get .Values "app-proxy")) }} {{- $_ := set $appProxyContext.Values "global" (deepCopy (get .Values "global")) }} apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: {{ $appProxyContext.Values.global.runtime.singleNamespace | ternary "RoleBinding" "ClusterRoleBinding" }} metadata: name: cap-app-proxy-argo-workflows roleRef: apiGroup: rbac.authorization.k8s.io - kind: ClusterRole + kind: {{ $appProxyContext.Values.global.runtime.singleNamespace | ternary "Role" "ClusterRole" }} name: {{ include "codefresh-gitops-runtime.argo-workflows.server.name" . }} subjects: - kind: ServiceAccount diff --git a/charts/gitops-runtime/templates/argo-gateway/rbac.yaml b/charts/gitops-runtime/templates/argo-gateway/rbac.yaml index 8f22c5689..d20c33b00 100644 --- a/charts/gitops-runtime/templates/argo-gateway/rbac.yaml +++ b/charts/gitops-runtime/templates/argo-gateway/rbac.yaml @@ -9,7 +9,7 @@ metadata: {{- include "argo-gateway.labels" . | nindent 4 }} --- apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole +kind: {{ $context.Values.global.runtime.singleNamespace | ternary "Role" "ClusterRole" }} metadata: name: {{ include "argo-gateway.fullname" . }} labels: @@ -49,14 +49,14 @@ rules: - patch --- apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: {{ $context.Values.global.runtime.singleNamespace | ternary "RoleBinding" "ClusterRoleBinding" }} metadata: name: {{ include "argo-gateway.fullname" . }} labels: {{- include "argo-gateway.labels" . | nindent 4 }} roleRef: apiGroup: rbac.authorization.k8s.io - kind: ClusterRole + kind: {{ $context.Values.global.runtime.singleNamespace | ternary "Role" "ClusterRole" }} name: {{ include "argo-gateway.fullname" . }} subjects: - kind: ServiceAccount diff --git a/charts/gitops-runtime/templates/codefresh-cm.yaml b/charts/gitops-runtime/templates/codefresh-cm.yaml index d070c4d67..40fef25ee 100644 
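Review bot: In single-namespace mode the `roleRef` now points at a `Role` named by `codefresh-gitops-runtime.argo-workflows.server.name`, but nothing in this diff creates a namespaced Role with that name; the ClusterRole of the same name presumably comes from the argo-workflows subchart, and whether that subchart emits a `Role` instead when `argo-workflows.singleNamespace: true` (as the new `values-multi-runtimes.yaml` sets) is not visible here. The API server accepts a RoleBinding whose `roleRef` does not exist and simply grants nothing, so a mismatch fails silently at runtime rather than at install; rendering with the multi-runtime values and checking the Role exists would settle it, and a comment above `roleRef:` naming where the Role comes from would keep it settled. The enclosing template starts before the hunk.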
--- a/charts/gitops-runtime/templates/codefresh-cm.yaml +++ b/charts/gitops-runtime/templates/codefresh-cm.yaml @@ -14,5 +14,6 @@ data: ingressClassName: {{ .Values.global.runtime.ingress.className | default "" | quote }} ingressController: {{ .Values.global.runtime.ingress.className | default "" | quote }} ingressHost: {{ include "codefresh-gitops-runtime.ingress-url" . }} - isConfigurationRuntime: {{ .Values.global.runtime.isConfigurationRuntime | quote }} - version: {{ .Chart.AppVersion }} \ No newline at end of file + isConfigurationRuntime: {{ .Values.global.runtime.isConfigurationRuntime | quote }} + singleNamespace: {{ .Values.global.runtime.singleNamespace | quote }} + version: {{ .Chart.AppVersion }} diff --git a/charts/gitops-runtime/templates/event-reporters/cluster-event-reporter/rbac.yaml b/charts/gitops-runtime/templates/event-reporters/cluster-event-reporter/rbac.yaml index 10a3c46d3..4ab10d33e 100644 --- a/charts/gitops-runtime/templates/event-reporters/cluster-event-reporter/rbac.yaml +++ b/charts/gitops-runtime/templates/event-reporters/cluster-event-reporter/rbac.yaml @@ -11,7 +11,7 @@ metadata: {{- include "cluster-event-reporter.labels" . | nindent 4 }} --- apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole +kind: {{ $context.Values.global.runtime.singleNamespace | ternary "Role" "ClusterRole" }} metadata: name: {{ include "cluster-event-reporter.fullname" . }} labels: 
@@ -29,14 +29,14 @@ rules: - '*' --- apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: {{ $context.Values.global.runtime.singleNamespace | ternary "RoleBinding" "ClusterRoleBinding" }} metadata: name: {{ include "cluster-event-reporter.fullname" . }} labels: {{- include "cluster-event-reporter.labels" . | nindent 4 }} roleRef: apiGroup: rbac.authorization.k8s.io - kind: ClusterRole + kind: {{ $context.Values.global.runtime.singleNamespace | ternary "Role" "ClusterRole" }} name: {{ include "cluster-event-reporter.fullname" . }} subjects: - kind: ServiceAccount diff --git a/charts/gitops-runtime/templates/event-reporters/runtime-event-reporter/rbac.yaml b/charts/gitops-runtime/templates/event-reporters/runtime-event-reporter/rbac.yaml index eecd102a7..a11a1e14c 100644 --- a/charts/gitops-runtime/templates/event-reporters/runtime-event-reporter/rbac.yaml +++ b/charts/gitops-runtime/templates/event-reporters/runtime-event-reporter/rbac.yaml @@ -11,7 +11,7 @@ metadata: {{- include "runtime-event-reporter.labels" . | nindent 4 }} --- apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole +kind: {{ $context.Values.global.runtime.singleNamespace | ternary "Role" "ClusterRole" }} metadata: name: {{ include "runtime-event-reporter.fullname" . }} labels: @@ -29,14 +29,14 @@ rules: - '*' --- apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: {{ $context.Values.global.runtime.singleNamespace | ternary "RoleBinding" "ClusterRoleBinding" }} metadata: name: {{ include "runtime-event-reporter.fullname" . }} labels: {{- include "runtime-event-reporter.labels" . | nindent 4 }} roleRef: apiGroup: rbac.authorization.k8s.io - kind: ClusterRole + kind: {{ $context.Values.global.runtime.singleNamespace | ternary "Role" "ClusterRole" }} name: {{ include "runtime-event-reporter.fullname" . }} subjects: - kind: ServiceAccount 
diff --git a/charts/gitops-runtime/templates/gitops-operator/crds.yaml b/charts/gitops-runtime/templates/gitops-operator/crds.yaml index e78bb7003..171bf6f0d 100644 --- a/charts/gitops-runtime/templates/gitops-operator/crds.yaml +++ b/charts/gitops-runtime/templates/gitops-operator/crds.yaml @@ -1 +1,3 @@ -{{- include "gitops-operator.crds" . }} +{{- if and (index .Values "gitops-operator" "enabled") }} + {{- include "gitops-operator.crds" . }} +{{- end }} diff --git a/charts/gitops-runtime/templates/gitops-operator/deployment.yaml b/charts/gitops-runtime/templates/gitops-operator/deployment.yaml index 41a1108c0..5c459c3ac 100644 --- a/charts/gitops-runtime/templates/gitops-operator/deployment.yaml +++ b/charts/gitops-runtime/templates/gitops-operator/deployment.yaml @@ -1,3 +1,4 @@ +{{- if and (index .Values "gitops-operator" "enabled") }} {{- $context := deepCopy . }} {{- $defaultVals := include "gitops-operator.default-values" . | fromYaml }} @@ -5,6 +6,7 @@ {{- $_ := set $context "Values" $vals }} {{- $_ := set $context.Values "global" (deepCopy (get .Values "global")) }} +{{- $_ := set $context.Values "app-proxy" (deepCopy (get .Values "app-proxy")) }} {{/* Set argo-cd-server service and port */}} {{ if not (index $context.Values "env" "ARGO_CD_URL") }} @@ -26,3 +28,4 @@ {{- end }} {{- include "gitops-operator.resources.deployment" $context }} +{{- end }} diff --git a/charts/gitops-runtime/templates/gitops-operator/promotion-operator.yaml b/charts/gitops-runtime/templates/gitops-operator/promotion-operator.yaml index 5eb7884c2..789562452 100644 --- a/charts/gitops-runtime/templates/gitops-operator/promotion-operator.yaml +++ b/charts/gitops-runtime/templates/gitops-operator/promotion-operator.yaml @@ -1 +1,3 @@ -{{- include "gitops-operator.resources.promotion-template" . }} +{{- if and (index .Values "gitops-operator" "enabled") }} + {{- include "gitops-operator.resources.promotion-template" . }} +{{- end }} 
diff --git a/charts/gitops-runtime/templates/gitops-operator/rbac.yaml b/charts/gitops-runtime/templates/gitops-operator/rbac.yaml index 41df10f04..96489708f 100644 --- a/charts/gitops-runtime/templates/gitops-operator/rbac.yaml +++ b/charts/gitops-runtime/templates/gitops-operator/rbac.yaml @@ -1 +1,3 @@ -{{- include "gitops-operator.resources.rbac" . }} +{{- if and (index .Values "gitops-operator" "enabled") }} + {{- include "gitops-operator.resources.rbac" . }} +{{- end }} diff --git a/charts/gitops-runtime/templates/gitops-operator/serviceaccount.yaml b/charts/gitops-runtime/templates/gitops-operator/serviceaccount.yaml index 022cf4317..87517d1db 100644 --- a/charts/gitops-runtime/templates/gitops-operator/serviceaccount.yaml +++ b/charts/gitops-runtime/templates/gitops-operator/serviceaccount.yaml @@ -1,3 +1,5 @@ +{{- if and (index .Values "gitops-operator" "enabled") }} + {{- $context := deepCopy . }} {{- $defaultVals := include "gitops-operator.default-values" . | fromYaml }} @@ -7,3 +9,5 @@ {{- $_ := set $context.Values "global" (deepCopy (get .Values "global")) }} {{- include "gitops-operator.resources.sa" $context }} + +{{- end }} diff --git a/charts/gitops-runtime/values-multi-runtimes-first.yaml b/charts/gitops-runtime/values-multi-runtimes-first.yaml new file mode 100644 index 000000000..8fcdc2dc9 --- /dev/null +++ b/charts/gitops-runtime/values-multi-runtimes-first.yaml @@ -0,0 +1,15 @@ +## Values for the first runtime in a multi-runtime cluster (installing CRDs on the cluster) +global: + runtime: + isConfigurationRuntime: true +argo-cd: + crds: + install: true +argo-workflows: + crds: + install: true +argo-rollouts: + installCRDs: true +gitops-operator: + crds: + install: true diff --git a/charts/gitops-runtime/values-multi-runtimes.yaml b/charts/gitops-runtime/values-multi-runtimes.yaml new file mode 100644 index 000000000..8f5faad8d --- /dev/null +++ b/charts/gitops-runtime/values-multi-runtimes.yaml 
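Review bot: `values-multi-runtimes-first.yaml` sets only the CRD and configuration-runtime values and not `global.runtime.singleNamespace: true`, while the README warning added in this PR says every runtime in a multi-runtime cluster, the first included, must run with that flag; a reader installing the first runtime with `-f values-multi-runtimes-first.yaml` alone gets a cluster-scoped runtime that, per the same warning, blocks any later runtime. The header comment appears intended to imply layering, so state it: `## Apply on top of values-multi-runtimes.yaml (-f values-multi-runtimes.yaml -f values-multi-runtimes-first.yaml) for the first runtime, which also installs the CRDs`.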
@@ -0,0 +1,34 @@ +global: + runtime: + singleNamespace: true +sealed-secrets: + enabled: false +argo-cd: + createClusterRoles: false + crds: + install: false + configs: + params: + application.namespaces: '' +argo-events: + controller: + rbac: + namespaced: true +argo-workflows: + crds: + install: false + singleNamespace: true + createAggregateRoles: false + controller: + clusterWorkflowTemplates: + enabled: false + server: + clusterWorkflowTemplates: + enabled: false +argo-rollouts: + enabled: false +tunnel-client: + enabled: false +gitops-operator: + crds: + install: false diff --git a/charts/gitops-runtime/values.yaml b/charts/gitops-runtime/values.yaml index c39d64790..d6f35a54c 100644 --- a/charts/gitops-runtime/values.yaml +++ b/charts/gitops-runtime/values.yaml @@ -49,7 +49,7 @@ global: cluster: https://kubernetes.default.svc # -- Defines whether this is a Codefresh hosted runtime. Should not be changed. codefreshHosted: false - # -- Defines if runtime is namespace scoped. Required for running multiple runtimes in the same cluster + # -- Runtime single namespace mode. When true, runtime operates in single namespace scope. singleNamespace: false # -- Ingress settings ingress: @@ -665,6 +665,7 @@ gitops-operator: annotations: {} # -- Additional labels for gitops operator CRDs additionalLabels: {} + # -- GitOps operator configuration config: # -- Task polling interval taskPollingInterval: 10s @@ -678,8 +679,8 @@ gitops-operator: maxReconcileRetries: 10 # -- An optional template for the promotion wrapper (empty default will use the embedded one) promotionWrapperTemplate: '' + # -- GitOps operator image image: - # -- defaults registry: quay.io repository: codefresh/codefresh-gitops-operator tag: "908e003"
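Review bot: The rewritten comment on `singleNamespace` drops the one operational fact the old text carried — that the flag is required for running multiple runtimes in the same cluster — and since the README table in this PR appears to be generated from these `# --` comments, the loss propagates to the documentation. Keep both halves: `# -- Runtime single namespace mode. When true, the runtime operates in a single-namespace scope; required for running multiple runtimes in the same cluster.`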