@tomklapiscak tomklapiscak commented Oct 28, 2025

Description

This PR introduces a number of new features and fixes to support ArgoCD-managed MAS deployments in AWS GovCloud environments:

EFS CSI Driver Configuration via ArgoCD

Provides an ArgoCD-managed installation of EFS CSI driver. Enabled only if efs-csi-driver.yaml present at cluster level:

merge-key: <account>/<cluster>
efs_csi_driver:
  catalog_source: redhat-operators
  catalog_source_namespace: openshift-marketplace
  channel: stable
  role_arn: arn:xxx:iam::xxx:role/xxx

Support for auto-generated StorageClasses in masapp-config ArgoCD application

The entries in ibm-mas-masapp-configs.yaml (that configure MAS Application workspaces) now support the storage_class_definitions key, e.g.:

ibm_mas_masapp_configs:
  - mas_app_id: facilities
    ...
    mas_appws_spec:
      storage:
        log:
          class: efs-c1-i1-facilities-main
          ...
        userfiles:
          class: efs-c1-i1-facilities-main
          ...
    ...
    storage_class_definitions:
      efs-c1-i1-facilities-main:
        provisioner: efs.csi.aws.com
        parameters:
          fileSystemId: fs-xxx
          directoryPerms: "777"
          basePath: /rosa-efs-c1-i1-facilities-main
          gid: "0"
          uid: "0"
          provisioningMode: efs-ap

This is used to allow ArgoCD to manage StorageClasses assigned to the Manage and Facilities MAS applications.

Support for Mirroring image pulls from icr.io to AWS ECR.

Allows ArgoCD-based deployment of MAS in environments where access to the standard icr.io repositories is restricted.

Enabled only if image-mirroring.yaml present at cluster level:

merge-key: <account>/<cluster>

image_mirroring:
  ecr_host: xxx.dkr.ecr.xxx.amazonaws.com
  repo_path_prefix: "prod/catalog/250925"
  aws_access_key_id: <path:arn:aws-us-gov:secretsmanager:xxx:xxx:secret:account/cluster/aws_ecr#ecr_aws_access_key_id>
  aws_secret_access_key: <path:arn:xxx:secretsmanager:xxx:xxx:secret:account/cluster/aws_ecr#ecr_aws_secret_access_key>

Parameterises all references to quay.io images

This is to support environments where access to quay.io is blocked (and where pulls to quay.io cannot be redirected to an alternative repo due to environmental policies).

The following image references are now parameterised:

  • the CLI image (used by Jobs): Defaults to the existing value of quay.io/ibmmas/cli but can be overridden by setting cli_image_repo: <another-repo> in both ibm-mas-cluster-base.yaml and ibm-mas-instance-base.yaml.

  • the cis_webhook_image_repository: Defaults to the existing value of quay.io/ibmmas/cert-manager-webhook-ibm-cis but can be overridden by setting ibm_cis_cert_manager.cis_webhook_image_repo in 030-ibm-cis-cert-manager.yaml.

Do not install unnecessary ibmcatalogsource

Unused in commercial (already in our catalog). Blocks subscriptions from installing (CatalogSourcesUnhealthy) in airgapped envs where the image repo is unreachable.

Allow Git Root CA to be configured in mas-provisioner

Configured by setting (optional) mas_provisioner.git_root_ca property on 300-mas-provisioner-app.yaml.

Allow DocDB add/remove MAS instance user jobs to be disabled

Setting optional disable_docdb_instance_user_management: true on the root application manifest prevents the aws-docdb-add-user and aws-docdb-remove-user Jobs in the syncjobs ArgoCD application from being run. This is to accommodate environments that manage DocDB MAS instance users via some external mechanism.

Support configuration of internal_certificate_authority on Suite and SLS CRs

Controlled by setting ibm_mas_suite.internal_certificate_authority in ibm-mas-suite.yaml and ibm_sls.internal_certificate_authority config files.

Note: this feature is not yet supported by the underlying MAS or SLS operators. These properties should not be set until the support for this feature is announced in a future MAS/SLS release.

Make db2_backup_icd_auth_key optional

To support environments where this is not needed.

Fix Manage sanity test not including Manage CA cert

Fixes sanity test failures in environments where spec.tls.caCertificate on the main Manage Route resource is necessary for establishing trust (i.e. the value of spec.tls.certificate is insufficient on its own).

Add Job to optionally configure MAS welcome message on install (MAS >= 9.1.7 only)

Setting welcome_message in ibm-mas-suite.yaml like so:

ibm_mas_suite:
  ...
  welcome_message: "Hello World!"

will prompt ArgoCD to run a Job after the Suite is installed to update the Welcome message shown on the MAS Login screen.

Note:

  • This feature depends on a new internal API that will only be available in MAS 9.1.7 or later. Attempting to set this configuration against an earlier version of MAS will result in the Job being stuck in a Failed state and so will prevent ArgoCD sync from progressing past the Suite.
  • The welcome message will only be updated (a) the first time the Job has run or (b) if the welcome_message set in ibm-mas-suite.yaml is changed. If the customer subsequently overrides the welcome message via the MAS UI/API, the Job will not attempt to revert their change; this is intentional.

See for more details: #368

Testing

Changes verified in AWS GovCloud environments.

Not yet tested in FVT / Commercial although all changes should be backwards compatible as any new properties / configuration files are optional and defaults are used to ensure values remain the same unless explicitly overridden.
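The storage_class_definitions mechanism above leaves the rendering of StorageClass manifests and the checking of class references to the gitops tooling. As an added illustration (not code from this PR or the gitops repo), the following renders a StorageClass per definition and reports the two things a reviewer would want flagged before ArgoCD syncs the app: a workspace volume pointing at an undefined class, and an EFS access-point directoryPerms value that is world-writable. The config dict is constructed to mirror the YAML layout in the description, with a placeholder fileSystemId.

```python
# Constructed sample mirroring the ibm-mas-masapp-configs.yaml layout from the PR
# description (fileSystemId is a placeholder, not a real id; the second class
# is deliberately left undefined to exercise the dangling-reference check).
SAMPLE_APP_CONFIG = {
    "mas_app_id": "facilities",
    "mas_appws_spec": {"storage": {
        "log": {"class": "efs-c1-i1-facilities-main"},
        "userfiles": {"class": "efs-c1-i1-facilities-missing"},
    }},
    "storage_class_definitions": {
        "efs-c1-i1-facilities-main": {
            "provisioner": "efs.csi.aws.com",
            "parameters": {
                "fileSystemId": "fs-PLACEHOLDER",
                "directoryPerms": "777",
                "basePath": "/rosa-efs-c1-i1-facilities-main",
                "gid": "0", "uid": "0",
                "provisioningMode": "efs-ap",
            },
        }
    },
}


def render_storage_classes(app_cfg):
    """One StorageClass manifest (as a dict) per storage_class_definitions entry."""
    return [{
        "apiVersion": "storage.k8s.io/v1",
        "kind": "StorageClass",
        "metadata": {"name": name},
        "provisioner": spec["provisioner"],
        "parameters": dict(spec.get("parameters", {})),
    } for name, spec in app_cfg.get("storage_class_definitions", {}).items()]


def review_storage_config(app_cfg):
    """Findings to raise before ArgoCD syncs the app: dangling class references
    and EFS access-point directories created world-writable."""
    findings = []
    defs = app_cfg.get("storage_class_definitions", {})
    for vol, vol_spec in app_cfg["mas_appws_spec"]["storage"].items():
        cls = vol_spec.get("class")
        if cls and cls not in defs:
            findings.append(f"{vol}: class {cls} has no storage_class_definitions entry")
    for name, spec in defs.items():
        perms = spec.get("parameters", {}).get("directoryPerms", "")
        # directoryPerms is an octal mode string; bit 0o002 grants write to "other"
        if perms and int(perms, 8) & 0o002:
            findings.append(f"{name}: directoryPerms {perms} is world-writable")
    return findings
```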

(because we cannot yet have a single global repo in GovCloud ArgoCD)
set to true when image pull secrets are not required for pulling images (e.g. in AWS; ECR auth handled automatically via IAM).
also removes explicit namespaces from resources (using the app namespace instead)
@tomklapiscak tomklapiscak marked this pull request as draft October 28, 2025 17:55
... in preparation for a proper fix being added in its own PR to gitops:main under MASCORE-10280

all preprod and prod instance configs have been updated to sidestep the issue without this temporary fix being in place.
These were needed only as a temporary measure while we were waiting for the gitops repo to be registered as a global repo in ArgoCD
@tomklapiscak tomklapiscak requested a review from whitfiea October 30, 2025 15:10
@tomklapiscak tomklapiscak marked this pull request as ready for review October 30, 2025 15:10
@tomklapiscak tomklapiscak requested a review from rbinns October 30, 2025 15:11
@rbinns rbinns left a comment

👍 LGTM

@tomklapiscak tomklapiscak merged commit 86a0672 into main Dec 2, 2025
2 checks passed
NOTE: don't delete the govcloud branch yet
