- Upgraded ESO to v0.9.5
- Introduced support for multisource applications via .chart + .chartVersion
- Introduced a default of 20 for sync failures retries in argo applications (global override via global.options.applicationRetryLimit and per-app override via .syncPolicy)
- Upgraded ESO to 0.8.2
- Important we now use the newly blessed sso config for argo. This means that gitops < 1.8 are unsupported
- Introduce a EXTRA_HELM_OPTS env variable that will be passed to the helm invocations
- Added labels and annotation support to namespaces.yaml template
- Apply the ACM ocp-gitops-policy everywhere but the hub
- Moved to gitops-1.8 channel by default (stable is unmaintained and will be dropped starting with ocp-4.13)
- Upgraded ESO to 0.8.1
- Add support for /values-.yaml and for /values--.yaml
- Stop extracting the HUB's CA via an imperative job running on the imported cluster. Just use ACM to push the HUB's CA out to the managed clusters.
- Add initial support for running ESO on ACM-imported clusters
- Add validate-schema target
- Simplify the secrets paths when using argo hosted sites
- vaultPrefixes is now optional in the v2 secret spec and defaults to ["hub"]
- Dropped insecureUnsealVaultInsideCluster (and file_unseal) entirely. Now vault is always unsealed via a cronjob in the cluster. It is recommended to store the imperative/vaultkeys secret offline securely and then delete it.
- Removed the legacy installation targets:
deploy upgrade legacy-deploy legacy-upgradePatterns must now use the operator-based installation
- Upgraded vault-helm to 0.23.0
- Enable vault-ssl by default
- Implemented a new format for the values-secret.yaml. Example can be found in examples/ folder
- Now the order of values-secret file lookup is the following:
- ~/values-secret-.yaml
- ~/values-secret.yaml
- /values-secret.yaml.template
- Add support for ansible vault encrypted values-secret files. You can now encrypt your values-secret file
at rest with
ansible-vault encrypt ~/values-secret.yaml. When runningmake load-secretsif an encrypted file is encountered the user will be prompted automatically for the password to decrypt it.
- Add support for /values--.yaml (e.g. /values-AWS-group-one.yaml)
- Updated vault helm chart to v0.22.1 and vault containers to 1.12.0
- Updated External Secrets Operator to v0.6.0
- Moved to -UBI based ESO containers
- Added global.clusterVersion as a new helm variable which represents the OCP Major.Minor cluster version. By default now a user can add a values--.yaml file to have specific cluster version overrides (e.g. values-4.10-hub.yaml). Will need Validated Patterns Operator >= 0.0.6 when deploying with the operator. Note: When using the ArgoCD Hub and spoke model, you cannot have spokes with a different version of OCP than the hub.
-
Extended the values-secret.yaml file to support multiple vault paths and re-wrote the push_secrets feature as python module plugin. This requires the following line in a pattern's ansible.cfg's '[defaults]' stanza:
library=~/.ansible/plugins/modules:./ansible/plugins/modules:./common/ansible/plugins/modules:/usr/share/ansible/plugins/modules
-
Restore the ability to install a non-default site:
make TARGET_SITE=mysite install -
Revised tests (new output and filenames, requires adding new result files to git)
-
ACM 2.6 required for ACM-based managed sites
-
Introduced global.clusterDomain template variable (without the
apps.prefix) -
Removed the ability to send specific charts to another cluster, use hosted argo sites instead
-
Added the ability to have the hub host
values-{site}.yamlfor spoke clusters.The following example would deploy the namespaces, subscriptions, and applications defined in
values-group-one.yamlto theperthcluster directly from ArgoCD on the hub.managedClusterGroups: - name: group-one hostedArgoSites: - name: perth domain: perth1.beekhof.net bearerKeyPath: secret/data/hub/cluster_perth caKeyPath: secret/data/hub/cluster_perth_ca