[minor] Changes made for Govcloud support

README.md

@@ -8,4 +8,3 @@ Documentation
 [https://ibm-mas.github.io/gitops/](https://ibm-mas.github.io/gitops/)
 
 [https://github.com/ibm-mas/gitops-demo/tree/002](https://github.com/ibm-mas/gitops-demo/tree/002)
-

cluster-applications/000-efs-csi-driver/Chart.yaml

@@ -0,0 +1,11 @@
+apiVersion: v2
+name: efs-csi-driver
+description: Configures AWS EFS CSI Driver
+type: application
+version: 1.0.0
+
+dependencies:
+- name: junitreporter
+  version: 1.0.0
+  repository: "file://../../sub-charts/junitreporter/"
+  condition: junitreporter.devops_mongo_uri != ""

cluster-applications/000-efs-csi-driver/README.md

@@ -0,0 +1,3 @@
+EFS CSI Driver
+===============================================================================
+

cluster-applications/000-efs-csi-driver/templates/aws-efs-cloud-credentials.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: aws-efs-cloud-credentials
+  namespace: openshift-cluster-csi-drivers
+  annotations:
+    cloudcredential.openshift.io/secret-sync: "true"
+type: Opaque
+stringData:
+  credentials: |
+    [default]
+    role_arn = {{ .Values.role_arn }}
+    web_identity_token_file = /var/run/secrets/openshift/serviceaccount/token

cluster-applications/000-efs-csi-driver/templates/efs-csi-driver.yml

@@ -0,0 +1,6 @@
+apiVersion: operator.openshift.io/v1
+kind: ClusterCSIDriver
+metadata:
+    name: efs.csi.aws.com
+spec:
+  managementState: Managed

cluster-applications/000-efs-csi-driver/templates/efs-csi-subscription.yml

@@ -0,0 +1,14 @@
+---
+apiVersion: operators.coreos.com/v1alpha1
+kind: Subscription
+metadata:
+  labels:
+    operators.coreos.com/aws-efs-csi-driver-operator.openshift-cluster-csi-drivers: ""
+  name: aws-efs-csi-driver-operator
+  namespace: openshift-cluster-csi-drivers
+spec:
+  channel: "{{ .Values.channel }}"
+  installPlanApproval: Automatic
+  name: aws-efs-csi-driver-operator
+  source: "{{ .Values.catalog_source }}"
+  sourceNamespace: "{{ .Values.catalog_source_namespace }}"

cluster-applications/000-efs-csi-driver/templates/operator-group.yml

@@ -0,0 +1,6 @@
+---
+apiVersion: operators.coreos.com/v1
+kind: OperatorGroup
+metadata:
+  name: openshift-cluster-csi-drivers-operator-group
+  namespace: openshift-cluster-csi-drivers

cluster-applications/000-efs-csi-driver/values.yaml

@@ -0,0 +1 @@
+---

cluster-applications/000-image-mirroring/Chart.yaml

@@ -0,0 +1,11 @@
+apiVersion: v2
+name: image-mirroring
+description: Establishes resources necessary to support image mirroring via an ImageDigestMirrorSet
+type: application
+version: 1.0.0
+
+dependencies:
+- name: junitreporter
+  version: 1.0.0
+  repository: "file://../../sub-charts/junitreporter/"
+  condition: junitreporter.devops_mongo_uri != ""

cluster-applications/000-image-mirroring/README.md

@@ -0,0 +1,7 @@
+MAS Image Mirroring
+===============================================================================
+
+Establishes resources necessary to support image mirroring via an ImageDigestMirrorSet:
+
+- `ecr-token-rotator` CronJob that rotates the ECR login token and injects it into the global pull-secret.
+- `mas-ecr` `ImageDigestMirrorSet that redirects all image pulls fromn icr.io and cp.icr.io to ECR

cluster-applications/000-image-mirroring/templates/01-aws_Secret.yaml

@@ -0,0 +1,17 @@
+---
+kind: Secret
+apiVersion: v1
+metadata:
+  name: aws
+  annotations:
+    argocd.argoproj.io/sync-wave: "00"
+{{- if .Values.custom_labels }}
+  labels:
+{{ .Values.custom_labels | toYaml | indent 4 }}
+{{- end }}
+stringData:
+  aws_access_key_id: {{ .Values.aws_access_key_id }}
+  aws_secret_access_key: {{ .Values.aws_secret_access_key }}
+  aws_default_region: {{ .Values.region_id }}
+type: Opaque
+

cluster-applications/000-image-mirroring/templates/04-ecr-token-updater_CronJob.yaml

@@ -0,0 +1,136 @@
+{{- if not (empty .Values.ecr_host) }}
+
+{{- $_cli_image_digest := "sha256:1b88f88a1a719d006ea1f4b8dcfd1c2625fa7ecc529c3267e7b4b6afaa1c8da0" }}
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: ecr-token-updater-role
+  annotations:
+    argocd.argoproj.io/sync-wave: "02"
+{{- if .Values.custom_labels }}
+  labels:
+{{ .Values.custom_labels | toYaml | indent 4 }}
+{{- end }}
+rules:
+  - apiGroups:
+      - ""
+    resources: 
+      - secrets
+    verbs: 
+      - get
+      - update
+      - patch
+
+---
+# Service account that is authorized to read k8s secrets (needed by the job)
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+  name: "ecr-token-updater-sa"
+  annotations:
+    argocd.argoproj.io/sync-wave: "02"
+{{- if .Values.custom_labels }}
+  labels:
+{{ .Values.custom_labels | toYaml | indent 4 }}
+{{- end }}
+
+
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: ecr-token-updater-rolebinding
+  annotations:
+    argocd.argoproj.io/sync-wave: "03"
+{{- if .Values.custom_labels }}
+  labels:
+{{ .Values.custom_labels | toYaml | indent 4 }}
+{{- end }}
+subjects:
+  - kind: ServiceAccount
+    name: ecr-token-updater-sa
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ecr-token-updater-role
+
+
+---
+kind: CronJob
+apiVersion: batch/v1
+metadata:
+  name: "ecr-token-updater"
+  annotations:
+    argocd.argoproj.io/sync-wave: "05"
+{{- if .Values.custom_labels }}
+  labels:
+{{ .Values.custom_labels | toYaml | indent 4 }}
+{{- end }}
+spec:
+  schedule: '0 */11 * * *'
+  suspend: false
+  concurrencyPolicy: Forbid
+  jobTemplate:
+    spec:
+      template:
+        metadata:
+{{- if .Values.custom_labels }}
+          labels:
+{{ .Values.custom_labels | toYaml | indent 12 }}
+{{- end }}
+        spec:
+          restartPolicy: OnFailure
+          serviceAccountName: "ecr-token-updater-sa"
+          containers:
+            - name: "ecr-token-updater"
+              image: {{ .Values.cli_image_repo | default "quay.io/ibmmas/cli" }}@{{ $_cli_image_digest }}
+              imagePullPolicy: IfNotPresent
+              env:
+                - name: REGION_ID
+                  value: {{ .Values.region_id }}
+                - name: ECR_HOST
+                  value: {{ .Values.ecr_host }}
+                - name: AWS_REGION
+                  valueFrom:
+                    secretKeyRef:
+                      name: aws
+                      key: aws_default_region
+                - name: AWS_ACCESS_KEY_ID
+                  valueFrom:
+                    secretKeyRef:
+                      name: aws
+                      key: aws_access_key_id
+                - name: AWS_SECRET_ACCESS_KEY
+                  valueFrom:
+                    secretKeyRef:
+                      name: aws
+                      key: aws_secret_access_key
+              command:
+                - /bin/sh
+                - -c
+                - |
+                  set -euo pipefail
+
+                  echo "- Get ECR Token"
+                  ECR_TOKEN=$(aws ecr get-login-password --region ${REGION_ID})
+                  ECR_AUTH="AWS:${ECR_TOKEN}"
+                  ECR_AUTH_B64=$(echo "${ECR_AUTH}" | base64 -w0 )
+
+                  echo "- Update .dockerconfigjson"
+                  # Get the current pull-secret and update .dockerconfigjson with the ECR auth
+                  UPDATED_DOCKERCONFIGJSON=$(
+                    oc get secret pull-secret  \
+                      -n openshift-config \
+                      -o json | \
+                      jq -r '.data[".dockerconfigjson"]' | \
+                      base64 -d | \
+                      jq '.auths["'${ECR_HOST}'"] = {"auth": "'${ECR_AUTH_B64}'"}'
+                  )
+
+                  echo "- Update pull-secret"
+                  oc set data secret/pull-secret \
+                    -n openshift-config \
+                    .dockerconfigjson="${UPDATED_DOCKERCONFIGJSON}"
+{{- end }}

cluster-applications/000-image-mirroring/templates/04-mas_ImageDigestMirrorSet.yaml

@@ -0,0 +1,24 @@
+---
+apiVersion: config.openshift.io/v1
+kind: ImageDigestMirrorSet
+metadata:
+  name: mas-ecr
+spec:
+  imageDigestMirrors:
+    - mirrorSourcePolicy: NeverContactSource
+      mirrors:
+        - "{{ .Values.ecr_host }}/{{ .Values.repo_path_prefix }}"
+      source: icr.io
+    - mirrorSourcePolicy: NeverContactSource
+      mirrors:
+        - "{{ .Values.ecr_host }}/{{ .Values.repo_path_prefix }}"
+      source: cp.icr.io
+{{- if .Values.additional_image_digest_sources }}
+{{- range $i, $value := .Values.additional_image_digest_sources }}
+    - mirrors:
+        - "{{ $.Values.ecr_host }}/{{ $.Values.repo_path_prefix }}"
+        - "{{ $.Values.ecr_host }}/{{ $.Values.repo_path_prefix }}/cp"
+      source: {{ $value }}
+{{- end }}
+{{- end }}
+

cluster-applications/000-image-mirroring/templates/04-mas_ImageTagMirrorSet.yaml

@@ -0,0 +1,15 @@
+{{- if .Values.additional_image_tag_sources }}
+---
+apiVersion: config.openshift.io/v1
+kind: ImageTagMirrorSet
+metadata:
+  name: mas-ecr-dev
+spec:
+  imageTagMirrors:
+  {{- range $i, $value := .Values.additional_image_tag_sources }}
+    - mirrors:
+        - "{{ $.Values.ecr_host }}/{{ $.Values.repo_path_prefix }}"
+        - "{{ $.Values.ecr_host }}/{{ $.Values.repo_path_prefix }}/cp"
+      source: "{{ $value }}"
+  {{- end }}
+{{- end }}

cluster-applications/000-image-mirroring/values.yaml

@@ -0,0 +1,23 @@
+---
+# Non-expiring IAM credentials for user with policy
+# {
+#   Sid = "ECR"
+#   Effect = "Allow"
+#   Action = [
+#       "ecr:GetAuthorizationToken",
+#       "ecr:BatchGetImage",
+#       "ecr:GetDownloadUrlForLayer"
+#   ]
+#   Resource = [
+#       "*"
+#   ]
+# }
+
+# aws_access_key_id: 
+# aws_secret_access_key
+
+
+# ecr_host: xxxxxx.dkr.ecr.us-gov-east-1.amazonaws.com
+# repo_path_prefix: "250731"
+# additional_image_digest_sources: ["somehost.com/repo"]
+# additional_image_tag_sources: ["somehost.com/repo"]

cluster-applications/000-job-cleaner/templates/04-jobcleaner_CronJob.yaml

@@ -90,7 +90,7 @@ spec:
         spec:
           containers:
             - name: "mas-saas-job-cleaner"
-              image: quay.io/ibmmas/cli@{{ $_cli_image_digest }}
+              image: {{ .Values.cli_image_repo | default "quay.io/ibmmas/cli" }}@{{ $_cli_image_digest }}
               imagePullPolicy: IfNotPresent
               command:
                 - /bin/sh

cluster-applications/010-redhat-cert-manager/templates/02-cert-manager_Subscription.yaml

@@ -17,6 +17,4 @@ spec:
   installPlanApproval: {{ .Values.redhat_cert_manager_install_plan | default "Automatic" | quote }}
   name: openshift-cert-manager-operator
   source: redhat-operators
-  sourceNamespace: openshift-marketplace
-
-
+  sourceNamespace: openshift-marketplace

cluster-applications/010-redhat-cert-manager/templates/04-postsync-update-sm_Job.yaml

@@ -178,7 +178,7 @@ spec:
     spec:
       containers:
         - name: run
-          image: quay.io/ibmmas/cli@{{ $_cli_image_digest }}
+          image: {{ .Values.cli_image_repo | default "quay.io/ibmmas/cli" }}@{{ $_cli_image_digest }}
           imagePullPolicy: IfNotPresent
           resources:
             limits:

cluster-applications/020-ibm-dro/templates/06-marketplaceconfig_Marketplaceconfig.yaml

@@ -11,5 +11,6 @@ metadata:
 {{ .Values.custom_labels | toYaml | indent 4 }}
 {{- end }}
 spec:
+  installIBMCatalogSource: false
   license:
-    accept: true
+    accept: true

cluster-applications/020-ibm-dro/templates/08-postsync-update-sm_Job.yaml

@@ -160,7 +160,7 @@ spec:
     spec:
       containers:
         - name: run
-          image: quay.io/ibmmas/cli@{{ $_cli_image_digest }}
+          image: {{ .Values.cli_image_repo | default "quay.io/ibmmas/cli" }}@{{ $_cli_image_digest }}
           imagePullPolicy: IfNotPresent
           resources:
             limits:

cluster-applications/021-ibm-dro-cleanup/templates/postdelete-MarketplaceConfigs.yaml

@@ -38,7 +38,7 @@ spec:
         - name: run
           # TODO: use a dedicated image with a smaller footprint for this sort of thing?
           # Just using cli for now since it has all the deps we need to talk with AWS SM
-          image: quay.io/ibmmas/cli@{{ $_cli_image_digest }}
+          image: {{ .Values.cli_image_repo | default "quay.io/ibmmas/cli" }}@{{ $_cli_image_digest }}
           imagePullPolicy: IfNotPresent
           resources:
             limits:

cluster-applications/030-ibm-cis-cert-manager/templates/00-3-ibm-cis-webhook_deployment.yml

@@ -1,7 +1,7 @@
 {{- if eq .Values.dns_provider "cis" }}
 
 {{ $cis_apiservice_group_name     :=   "acme.cis.ibm.com" }}
-{{ $cis_webhook_image_repository  :=   "quay.io/ibmmas/cert-manager-webhook-ibm-cis" }}
+{{ $cis_webhook_image_repository  :=   .Values.cis_webhook_image_repo | default "quay.io/ibmmas/cert-manager-webhook-ibm-cis" }}
 {{ $cis_webhook_image_tag         :=   "1.0.0" }}
 {{ $cis_webhook_image_pullpolicy  :=   "Always" }}
 {{ $cis_webhook_service_type      :=   "ClusterIP" }}

cluster-applications/041-cis-compliance-cleanup/templates/postdelete-ProfileBundles.yaml

@@ -41,7 +41,7 @@ spec:
         - name: run
           # TODO: use a dedicated image with a smaller footprint for this sort of thing?
           # Just using cli for now since it has all the deps we need to talk with AWS SM
-          image: quay.io/ibmmas/cli@{{ $_cli_image_digest }}
+          image: {{ .Values.cli_image_repo | default "quay.io/ibmmas/cli" }}@{{ $_cli_image_digest }}
           imagePullPolicy: IfNotPresent
           resources:
             limits:

cluster-applications/055-instana-agent-operator/templates/08-CronJob.yaml

@@ -49,7 +49,7 @@ spec:
           # Additionally, it writes the DB2 certificate to a persistent volume.
           initContainers:
             - name: update-agent-cr
-              image: quay.io/ibmmas/cli@{{ $_cli_image_digest }}
+              image: {{ .Values.cli_image_repo | default "quay.io/ibmmas/cli" }}@{{ $_cli_image_digest }}
               imagePullPolicy: IfNotPresent              
               volumeMounts:
                 - name: instana-db2-jks