policy: add a decapod app for policies

openinfradev · Oct 20, 2023 · d114b89 · d114b89
1 parent 18d35d8
commit d114b89
Show file tree

Hide file tree

Showing 5 changed files with 127 additions and 40 deletions.
diff --git a/deploy_apps/tks-lma-federation-wftpl.yaml b/deploy_apps/tks-lma-federation-wftpl.yaml
@@ -46,9 +46,6 @@ spec:
       value: ""
 
   volumes:
-  - name: tks-proto-vol
-    configMap:
-      name: tks-proto
   - name: kubeconfig-adm
     secret:
       secretName: tks-admin-kubeconfig-secret
@@ -169,12 +166,16 @@ spec:
           - name: base_repo_branch
             value: "{{ workflow.parameters.base_repo_branch }}"
 
-    - - name: argocd-sync-wait
-        template: argocd-sync-wait
+    - - name: garafana-sync-wait
+        templateRef:
+          name: create-application
+          template: argocd-sync-wait
         arguments:
           parameters:
           - name: cluster_id
             value: '{{workflow.parameters.cluster_id}}'
+          - name: appname
+            value: 'grafana'
 
     - - name: grafana-restart
         template: grafana-restart
@@ -316,7 +317,7 @@ spec:
             sleep 5
           done
 
-          grafana_ep_secret=${kubectl --kubeconfig=kubeconfig get secret -n taco-system tks-endpoint-secret -o jsonpath='{.data.grafana}'| base64 -d }
+          grafana_ep_secret=${kubectl get secret -n ${cluster_id} tks-endpoint-secret -o jsonpath='{.data.grafana}'| base64 -d }
           if [ grafana_ep_secret == "" ]; then
             while [ -z $(kubectl --kubeconfig=kubeconfig get svc -n lma grafana -o jsonpath="{.status.loadBalancer.ingress[*].hostname}") ]; do
               if [ "$(kubectl --kubeconfig=kubeconfig get svc -n lma grafana -o jsonpath='{.spec.type}')" != "LoadBalancer" ]; then
@@ -435,35 +436,6 @@ spec:
         - secretRef:
             name: "tks-api-secret"
 
-  - name: argocd-sync-wait
-    inputs:
-      parameters:
-        - name: cluster_id
-    container:
-      name: argocd-sync-wait
-      image: harbor.taco-cat.xyz/tks/argocd-cli:v2.2.5
-      command:
-        - /bin/bash
-        - '-c'
-        - |
-          # log into Argo CD server
-          ./argocd login $ARGO_SERVER --plaintext --insecure --username $ARGO_USERNAME \
-          --password $ARGO_PASSWORD
-          
-          app_name={{inputs.parameters.cluster_id}}-grafana
-          
-          # sync app
-          echo "sync app $app_name"
-          ./argocd app sync $app_name
-          
-          # wait for sync
-          ./argocd app wait $app_name --sync 
-
-      envFrom:
-        - secretRef:
-            name: "decapod-argocd-config"
-    activeDeadlineSeconds: 900
-
   - name: grafana-restart
     inputs:
       parameters:

diff --git a/deploy_apps/tks-policy-wftpl.yaml b/deploy_apps/tks-policy-wftpl.yaml
@@ -0,0 +1,103 @@
+apiVersion: argoproj.io/v1alpha1
+kind: WorkflowTemplate
+metadata:
+  name: tks-policy
+  namespace: argo
+spec:
+  entrypoint: deploy
+  arguments:
+    parameters:
+    - name: site_name
+      value: "coyar0qx1"
+    - name: revision
+      value: "main"
+    - name: app_prefix
+      value: "{{workflow.parameters.site_name}}"
+    - name: cluster_id
+      value: "{{workflow.parameters.site_name}}"
+
+  templates:
+  - name: deploy
+    inputs:
+      parameters:
+      - name: cluster_id
+        value: '{{inputs.parameters.cluster_id}}'
+      - name: appname
+        value: 'policy-resources'
+    steps:
+    - - name: createNamespace
+        template: createNamespace
+        arguments:
+          parameters:
+          - name: target_namespace
+            value: gatekeeper-system
+    - - name: deploy-policy-operator
+        templateRef:
+          name: create-application
+          template: installApps
+        arguments:
+          parameters:
+          - name: list
+            value: |
+              [
+                { "app_group": "policy", "path": "opa-gatekeeper", "namespace": "gatekeeper-system", "target_cluster": "" }
+              ]
+
+    - - name: deploy-default-policy-resources
+        templateRef:
+          name: create-application
+          template: installApps
+        arguments:
+          parameters:
+          - name: list
+            value: |
+              [
+                { "app_group": "policy", "path": "policy-resources", "namespace": "gatekeeper-system", "target_cluster": "" }
+              ]
+
+    - - name: argocd-sync-wait
+        templateRef:
+          name: create-application
+          template: argocd-sync-wait
+        arguments:
+          parameters:
+          - name: cluster_id
+            value: '{{inputs.parameters.cluster_id}}'
+          - name: appname
+            value: 'policy-resources'
+
+  - name: createNamespace
+    inputs:
+      parameters:
+        - name: target_namespace
+    container:
+      name: create-namespace
+      image: harbor.taco-cat.xyz/tks/hyperkube:v1.18.6
+      command:
+        - /bin/bash
+        - '-c'
+        - |
+          function log() {
+            level=$1
+            msg=$2
+            date=$(date '+%F %H:%M:%S')
+            echo "[$date] $level     $msg"
+          }
+
+          kube_secret=$(kubectl get secret -n {{workflow.parameters.cluster_id}} {{workflow.parameters.cluster_id}}-tks-kubeconfig -o jsonpath="{.data.value}" | base64 -d)
+          echo -e "kube_secret:\n$kube_secret" | head -n 5
+          cat <<< "$kube_secret" > /etc/kubeconfig
+
+          kubectl --kubeconfig=/etc/kubeconfig get ns ${TARGET_NAMESPACE}
+          if [[ $? =~ 1 ]]; then
+            kubectl --kubeconfig=/etc/kubeconfig create ns ${TARGET_NAMESPACE}
+            kubectl --kubeconfig=/etc/kubeconfig label ns ${TARGET_NAMESPACE} name=${TARGET_NAMESPACE}
+            kubectl --kubeconfig=/etc/kubeconfig label ns ${TARGET_NAMESPACE} taco-tls=enabled
+            log "INFO" "${TARGET_NAMESPACE} successfully created."
+          fi
+      env:
+        - name: TARGET_NAMESPACE
+          value: '{{inputs.parameters.target_namespace}}'
+    activeDeadlineSeconds: 900
+    retryStrategy:
+      limit: 2
diff --git a/deploy_apps/tks-primary-cluster.yaml b/deploy_apps/tks-primary-cluster.yaml
@@ -445,7 +445,7 @@ spec:
         primary_kube_secret=$(kubectl get secret -n ${primary_cluster} ${primary_cluster}-tks-kubeconfig -o jsonpath="{.data.value}" | base64 -d)
         # echo -e "primary_kube_secret:\n$primary_kube_secret" | head -n 5
         cat <<< "$primary_kube_secret" > kubeconfig
-        LOKI_SERVICE=$(kubectl --kubeconfig=kubeconfig get secret -n taco-system tks-endpoint-secret -o jsonpath='{.data.loki}'| base64 -d )
+        LOKI_SERVICE=$(kubectl get secret -n ${primary_cluster} tks-endpoint-secret -o jsonpath='{.data.loki}'| base64 -d )
 
         if [ "$LOKI_SERVICE" == "" ]; then
           while [ -z $(kubectl --kubeconfig=kubeconfig get svc -n lma loki-loki-distributed-gateway -o jsonpath="{.status.loadBalancer.ingress[*].hostname}") ]
@@ -470,7 +470,7 @@ spec:
         fi
 
         if [ "$OBJECT_SOTRE" == "minio" ]; then
-          S3_SERVICE=$(kubectl --kubeconfig=kubeconfig get secret -n taco-system tks-endpoint-secret -o jsonpath='{.data.minio}'| base64 -d )
+          S3_SERVICE=$(kubectl get secret -n ${primary_cluster} tks-endpoint-secret -o jsonpath='{.data.minio}'| base64 -d )
           if [ "$S3_SERVICE" == "" ]; then
             S3_HOST=$(kubectl --kubeconfig=kubeconfig get svc -n lma minio -o jsonpath="{.status.loadBalancer.ingress[0].hostname}")
             S3_PORT=$(kubectl --kubeconfig=kubeconfig get svc -n lma minio -o jsonpath="{.spec.ports[0].port}")
@@ -595,7 +595,7 @@ spec:
         primary_kube_secret=$(kubectl get secret -n ${primary_cluster} ${primary_cluster}-tks-kubeconfig -o jsonpath="{.data.value}" | base64 -d)
         # echo -e "primary_kube_secret:\n$primary_kube_secret" | head -n 5
         cat <<< "$primary_kube_secret" > kubeconfig
-        S3_SERVICE=$(kubectl --kubeconfig=kubeconfig get secret -n taco-system tks-endpoint-secret -o jsonpath='{.data.minio}'| base64 -d )
+        S3_SERVICE=$(kubectl get secret -n ${primary_cluster} tks-endpoint-secret -o jsonpath='{.data.minio}'| base64 -d )
         if [ "$S3_SERVICE" == "" ]; then
           echo "This site uses the predefined loki and static object stores."
           exit 0
@@ -709,7 +709,7 @@ spec:
           # Thanos Endpoints
           kube_secret=$(kubectl get secret -n ${member} ${member}-tks-kubeconfig -o jsonpath="{.data.value}" | base64 -d)
           cat <<< "$kube_secret" > kubeconfig
-          PROMETHEUS_URL=$(kubectl --kubeconfig=kubeconfig get secret -n taco-system tks-endpoint-secret -o jsonpath='{.data.prometheus}'| base64 -d )
+          PROMETHEUS_URL=$(kubectl get secret -n ${member} tks-endpoint-secret -o jsonpath='{.data.prometheus}'| base64 -d )
           if [ "$PROMETHEUS_URL" != "" ]; then
             eplist="${eplist}, \"$(PROMETHEUS_URL)\""
           elif [ `kubectl --kubeconfig=kubeconfig get svc -n lma lma-thanos-external --ignore-not-found=true | grep -v NAME | wc -l ` -eq 1 ]; then

diff --git a/deploy_apps/tks-remove-lma-federation-wftpl.yaml b/deploy_apps/tks-remove-lma-federation-wftpl.yaml
@@ -335,7 +335,7 @@ spec:
             sleep 5
           done
 
-          grafana_ep_secret=${kubectl --kubeconfig=kubeconfig get secret -n taco-system tks-endpoint-secret -o jsonpath='{.data.grafana}'| base64 -d }
+          grafana_ep_secret=${kubectl get secret -n ${cluster_id} tks-endpoint-secret -o jsonpath='{.data.grafana}'| base64 -d }
           if [ grafana_ep_secret == "" ]; then
             while [ -z $(kubectl --kubeconfig=kubeconfig get svc -n lma grafana -o jsonpath="{.status.loadBalancer.ingress[*].hostname}") ]; do
               if [ "$(kubectl --kubeconfig=kubeconfig get svc -n lma grafana -o jsonpath='{.spec.type}')" != "LoadBalancer" ]; then

diff --git a/tks-cluster/create-usercluster-wftpl.yaml b/tks-cluster/create-usercluster-wftpl.yaml
@@ -337,6 +337,18 @@ spec:
                     ]
             when: "{{steps.tks-create-cluster-repo.outputs.parameters.infra_provider}} == byoh"
 
+        - - name: install-policy-management
+            templateRef:
+              name: tks-policy
+              template: deploy
+            arguments:
+              parameters:
+              - name: cluster_id
+                value: '{{workflow.parameters.cluster_id}}'
+              - name: appname
+                value: 'policy-resources'
+            # when: "{{steps.get-clusters-in-contract.outputs.parameters.primary_cluster}} != '' && {{workflow.parameters.cluster_id}} != {{steps.get-clusters-in-contract.outputs.parameters.primary_cluster}}"
+
     #######################
     # Template Definition #
     #######################