policy: add a decapod app for policies

deploy_apps/tks-lma-federation-wftpl.yaml

@@ -46,9 +46,6 @@ spec:
       value: ""
 
   volumes:
-  - name: tks-proto-vol
-    configMap:
-      name: tks-proto
   - name: kubeconfig-adm
     secret:
       secretName: tks-admin-kubeconfig-secret
@@ -169,12 +166,16 @@ spec:
           - name: base_repo_branch
             value: "{{ workflow.parameters.base_repo_branch }}"
 
-    - - name: argocd-sync-wait
-        template: argocd-sync-wait
+    - - name: garafana-sync-wait
+        templateRef:
+          name: create-application
+          template: argocd-sync-wait
         arguments:
           parameters:
           - name: cluster_id
             value: '{{workflow.parameters.cluster_id}}'
+          - name: appname
+            value: 'grafana'
 
     - - name: grafana-restart
         template: grafana-restart
@@ -435,35 +436,6 @@ spec:
         - secretRef:
             name: "tks-api-secret"
 
-  - name: argocd-sync-wait
-    inputs:
-      parameters:
-        - name: cluster_id
-    container:
-      name: argocd-sync-wait
-      image: harbor.taco-cat.xyz/tks/argocd-cli:v2.2.5
-      command:
-        - /bin/bash
-        - '-c'
-        - |
-          # log into Argo CD server
-          ./argocd login $ARGO_SERVER --plaintext --insecure --username $ARGO_USERNAME \
-          --password $ARGO_PASSWORD
-          
-          app_name={{inputs.parameters.cluster_id}}-grafana
-          
-          # sync app
-          echo "sync app $app_name"
-          ./argocd app sync $app_name
-          
-          # wait for sync
-          ./argocd app wait $app_name --sync 
-
-      envFrom:
-        - secretRef:
-            name: "decapod-argocd-config"
-    activeDeadlineSeconds: 900
-
   - name: grafana-restart
     inputs:
       parameters:

deploy_apps/tks-policy-wftpl.yaml

@@ -0,0 +1,103 @@
+apiVersion: argoproj.io/v1alpha1
+kind: WorkflowTemplate
+metadata:
+  name: tks-policy
+  namespace: argo
+spec:
+  entrypoint: deploy
+  arguments:
+    parameters:
+    - name: site_name
+      value: "coyar0qx1"
+    - name: revision
+      value: "main"
+    - name: app_prefix
+      value: "{{workflow.parameters.site_name}}"
+    - name: cluster_id
+      value: "{{workflow.parameters.site_name}}"
+
+  templates:
+  - name: deploy
+    inputs:
+      parameters:
+      - name: cluster_id
+        value: '{{inputs.parameters.cluster_id}}'
+      - name: appname
+        value: 'policy-resources'
+    steps:
+    - - name: createNamespace
+        template: createNamespace
+        arguments:
+          parameters:
+          - name: target_namespace
+            value: gatekeeper-system
+    - - name: deploy-policy-operator
+        templateRef:
+          name: create-application
+          template: installApps
+        arguments:
+          parameters:
+          - name: list
+            value: |
+              [
+                { "app_group": "policy", "path": "opa-gatekeeper", "namespace": "gatekeeper-system", "target_cluster": "" }
+              ]
+
+    - - name: deploy-default-policy-resources
+        templateRef:
+          name: create-application
+          template: installApps
+        arguments:
+          parameters:
+          - name: list
+            value: |
+              [
+                { "app_group": "policy", "path": "policy-resources", "namespace": "gatekeeper-system", "target_cluster": "" }
+              ]
+
+    - - name: argocd-sync-wait
+        templateRef:
+          name: create-application
+          template: argocd-sync-wait
+        arguments:
+          parameters:
+          - name: cluster_id
+            value: '{{inputs.parameters.cluster_id}}'
+          - name: appname
+            value: 'policy-resources'
+
+  - name: createNamespace
+    inputs:
+      parameters:
+        - name: target_namespace
+    container:
+      name: create-namespace
+      image: harbor.taco-cat.xyz/tks/hyperkube:v1.18.6
+      command:
+        - /bin/bash
+        - '-c'
+        - |
+          function log() {
+            level=$1
+            msg=$2
+            date=$(date '+%F %H:%M:%S')
+            echo "[$date] $level     $msg"
+          }
+
+          kube_secret=$(kubectl get secret -n {{workflow.parameters.cluster_id}} {{workflow.parameters.cluster_id}}-tks-kubeconfig -o jsonpath="{.data.value}" | base64 -d)
+          echo -e "kube_secret:\n$kube_secret" | head -n 5
+          cat <<< "$kube_secret" > /etc/kubeconfig
+
+          kubectl --kubeconfig=/etc/kubeconfig get ns ${TARGET_NAMESPACE}
+          if [[ $? =~ 1 ]]; then
+            kubectl --kubeconfig=/etc/kubeconfig create ns ${TARGET_NAMESPACE}
+            kubectl --kubeconfig=/etc/kubeconfig label ns ${TARGET_NAMESPACE} name=${TARGET_NAMESPACE}
+            kubectl --kubeconfig=/etc/kubeconfig label ns ${TARGET_NAMESPACE} taco-tls=enabled
+            log "INFO" "${TARGET_NAMESPACE} successfully created."
+          fi
+      env:
+        - name: TARGET_NAMESPACE
+          value: '{{inputs.parameters.target_namespace}}'
+    activeDeadlineSeconds: 900
+    retryStrategy:
+      limit: 2

tks-cluster/create-usercluster-wftpl.yaml

@@ -337,6 +337,18 @@ spec:
                     ]
             when: "{{steps.tks-create-cluster-repo.outputs.parameters.infra_provider}} == byoh"
 
+        - - name: install-policy-management
+            templateRef:
+              name: tks-policy
+              template: deploy
+            arguments:
+              parameters:
+              - name: cluster_id
+                value: '{{workflow.parameters.cluster_id}}'
+              - name: appname
+                value: 'policy-resources'
+            # when: "{{steps.get-clusters-in-contract.outputs.parameters.primary_cluster}} != '' && {{workflow.parameters.cluster_id}} != {{steps.get-clusters-in-contract.outputs.parameters.primary_cluster}}"
+
     #######################
     # Template Definition #
     #######################