policy: add a decapod app for policies

openinfradev · Nov 16, 2023 · d51d9ab · d51d9ab
1 parent d49835f
commit d51d9ab
Show file tree

Hide file tree

Showing 3 changed files with 123 additions and 37 deletions.
diff --git a/deploy_apps/tks-lma-federation-wftpl.yaml b/deploy_apps/tks-lma-federation-wftpl.yaml
@@ -46,9 +46,6 @@ spec:
       value: ""
 
   volumes:
-  - name: tks-proto-vol
-    configMap:
-      name: tks-proto
   - name: kubeconfig-adm
     secret:
       secretName: tks-admin-kubeconfig-secret
@@ -169,12 +166,16 @@ spec:
             value: "{{ workflow.parameters.github_account }}/{{workflow.parameters.cluster_id}}"
         when: "{{steps.update-auth-oidc-grafana.outputs.parameters.is_changed}} == YES"
 
-    - - name: argocd-sync-wait
-        template: argocd-sync-wait
+    - - name: garafana-sync-wait
+        templateRef:
+          name: create-application
+          template: argocd-sync-wait
         arguments:
           parameters:
           - name: cluster_id
             value: '{{workflow.parameters.cluster_id}}'
+          - name: appname
+            value: 'grafana'
 
     - - name: grafana-restart
         template: grafana-restart
@@ -312,9 +313,9 @@ spec:
             sleep 5
           done
 
-          grafana_ep_secret=$(kubectl get secret -n ${cluster_id} tks-endpoint-secret -o jsonpath='{.data.grafana}'| base64 -d )
-
-          if [[ ${grafana_ep_secret} == "" ]]; then
+          grafana_ep_secret=${kubectl get secret -n ${cluster_id} tks-endpoint-secret -o jsonpath='{.data.grafana}'| base64 -d }
+          
+          if [ grafana_ep_secret == "" ]; then
             while [ -z $(kubectl --kubeconfig=kubeconfig get svc -n lma grafana -o jsonpath="{.status.loadBalancer.ingress[*].hostname}") ]; do
               if [[ "$(kubectl --kubeconfig=kubeconfig get svc -n lma grafana -o jsonpath='{.spec.type}')" != "LoadBalancer" ]]; then
                 log "FAIL" "A service for the grafana in ${cluster_id} is not configured properly.(No LoadBalancer)"
@@ -447,35 +448,6 @@ spec:
           path: /mnt/out/changed.txt
           default: "NO"
 
-  - name: argocd-sync-wait
-    inputs:
-      parameters:
-        - name: cluster_id
-    container:
-      name: argocd-sync-wait
-      image: harbor.taco-cat.xyz/tks/argocd-cli:v2.2.5
-      command:
-        - /bin/bash
-        - '-c'
-        - |
-          # log into Argo CD server
-          ./argocd login $ARGO_SERVER --plaintext --insecure --username $ARGO_USERNAME \
-          --password $ARGO_PASSWORD
-          
-          app_name={{inputs.parameters.cluster_id}}-grafana
-          
-          # sync app
-          echo "sync app $app_name"
-          ./argocd app sync $app_name
-          
-          # wait for sync
-          ./argocd app wait $app_name --sync 
-
-      envFrom:
-        - secretRef:
-            name: "decapod-argocd-config"
-    activeDeadlineSeconds: 900
-
   - name: grafana-restart
     inputs:
       parameters:

diff --git a/deploy_apps/tks-policy-wftpl.yaml b/deploy_apps/tks-policy-wftpl.yaml
@@ -0,0 +1,103 @@
+apiVersion: argoproj.io/v1alpha1
+kind: WorkflowTemplate
+metadata:
+  name: tks-policy
+  namespace: argo
+spec:
+  entrypoint: deploy
+  arguments:
+    parameters:
+    - name: site_name
+      value: "coyar0qx1"
+    - name: revision
+      value: "main"
+    - name: app_prefix
+      value: "{{workflow.parameters.site_name}}"
+    - name: cluster_id
+      value: "{{workflow.parameters.site_name}}"
+
+  templates:
+  - name: deploy
+    inputs:
+      parameters:
+      - name: cluster_id
+        value: '{{inputs.parameters.cluster_id}}'
+      - name: appname
+        value: 'policy-resources'
+    steps:
+    - - name: createNamespace
+        template: createNamespace
+        arguments:
+          parameters:
+          - name: target_namespace
+            value: gatekeeper-system
+    - - name: deploy-policy-operator
+        templateRef:
+          name: create-application
+          template: installApps
+        arguments:
+          parameters:
+          - name: list
+            value: |
+              [
+                { "app_group": "policy", "path": "opa-gatekeeper", "namespace": "gatekeeper-system", "target_cluster": "" }
+              ]
+
+    - - name: deploy-default-policy-resources
+        templateRef:
+          name: create-application
+          template: installApps
+        arguments:
+          parameters:
+          - name: list
+            value: |
+              [
+                { "app_group": "policy", "path": "policy-resources", "namespace": "gatekeeper-system", "target_cluster": "" }
+              ]
+
+    - - name: argocd-sync-wait
+        templateRef:
+          name: create-application
+          template: argocd-sync-wait
+        arguments:
+          parameters:
+          - name: cluster_id
+            value: '{{inputs.parameters.cluster_id}}'
+          - name: appname
+            value: 'policy-resources'
+
+  - name: createNamespace
+    inputs:
+      parameters:
+        - name: target_namespace
+    container:
+      name: create-namespace
+      image: harbor.taco-cat.xyz/tks/hyperkube:v1.18.6
+      command:
+        - /bin/bash
+        - '-c'
+        - |
+          function log() {
+            level=$1
+            msg=$2
+            date=$(date '+%F %H:%M:%S')
+            echo "[$date] $level     $msg"
+          }
+
+          kube_secret=$(kubectl get secret -n {{workflow.parameters.cluster_id}} {{workflow.parameters.cluster_id}}-tks-kubeconfig -o jsonpath="{.data.value}" | base64 -d)
+          echo -e "kube_secret:\n$kube_secret" | head -n 5
+          cat <<< "$kube_secret" > /etc/kubeconfig
+
+          kubectl --kubeconfig=/etc/kubeconfig get ns ${TARGET_NAMESPACE}
+          if [[ $? =~ 1 ]]; then
+            kubectl --kubeconfig=/etc/kubeconfig create ns ${TARGET_NAMESPACE}
+            kubectl --kubeconfig=/etc/kubeconfig label ns ${TARGET_NAMESPACE} name=${TARGET_NAMESPACE}
+            kubectl --kubeconfig=/etc/kubeconfig label ns ${TARGET_NAMESPACE} taco-tls=enabled
+            log "INFO" "${TARGET_NAMESPACE} successfully created."
+          fi
+      env:
+        - name: TARGET_NAMESPACE
+          value: '{{inputs.parameters.target_namespace}}'
+    activeDeadlineSeconds: 900
+    retryStrategy:
+      limit: 2
diff --git a/tks-cluster/create-usercluster-wftpl.yaml b/tks-cluster/create-usercluster-wftpl.yaml
@@ -393,6 +393,17 @@ spec:
                 - name: group_list
                   value: '["{{workflow.parameters.cluster_id}}-cluster-view", "cluster-view"]'
 
+        - - name: install-policy-management
+            templateRef:
+              name: tks-policy
+              template: deploy
+            arguments:
+              parameters:
+              - name: cluster_id
+                value: '{{workflow.parameters.cluster_id}}'
+              - name: appname
+                value: 'policy-resources'
+            # when: "{{steps.get-clusters-in-contract.outputs.parameters.primary_cluster}} != '' && {{workflow.parameters.cluster_id}} != {{steps.get-clusters-in-contract.outputs.parameters.primary_cluster}}"
 
     #######################
     # Template Definition #