Merge pull request validatedpatterns#259 from claudiol/common-automat…

…ic-update

Automatic common/ update

common/acm/templates/policies/application-policies.yaml

@@ -45,7 +45,7 @@ spec:
                       ignoreMissingValueFiles: true
                       valueFiles:
                       {{- include "acm.app.policies.valuefiles" . | nindent 22 }}
-                      {{- range $valueFile := $.Values.global.extraValueFiles }}
+                      {{- range $valueFile := .extraValueFiles }}
                       - {{ $valueFile | quote }}
                       {{- end }}
                       parameters:

common/acm/templates/policies/ocp-gitops-policy.yaml

@@ -140,7 +140,7 @@ spec:
                       - -c
                       - cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt > /tmp/ca-bundles/ca-bundle.crt
                         || true
-                      image: registry.access.redhat.com/ubi9/ubi-minimal:latest
+                      image: registry.redhat.io/ubi9/ubi-minimal:latest
                       name: fetch-ca
                       resources: {}
                       volumeMounts:
@@ -195,6 +195,11 @@ spec:
                         memory: 128Mi
                     route:
                       enabled: true
+                      {{- if and (.Values.global.argocdServer) (.Values.global.argocdServer.route) (.Values.global.argocdServer.route.tls) }}
+                      tls:
+                        insecureEdgeTerminationPolicy: {{ default "Redirect" .Values.global.argocdServer.route.tls.insecureEdgeTerminationPolicy }}
+                        termination: {{ default "reencrypt" .Values.global.argocdServer.route.tls.termination }}
+                      {{- end }}
                     service:
                       type: ""
                   sso:

common/ansible/roles/iib_ci/README.md

@@ -52,12 +52,17 @@ make EXTRA_HELM_OPTS="--set main.gitops.operatorSource=iib-${IIB} --set main.git
 The advanced-cluster-management operator is a little bit more complex than the others because it
 also installes another operator called MCE multicluster-engine. So to install ACM you typically
 need two IIBs (one for acm and one for mce). With those two at hand, do the following (the ordering must be
-consistent: the first IIB corresponds to the first OPERATOR, etc).
+consistent: the first IIB corresponds to the first OPERATOR, etc). The following operation needs to be done
+on both hub *and* spokes:
 
 ```sh
-export OPERATOR=advanced-cluster-management,multicluster-engine
-export INDEX_IMAGES=registry-proxy.engineering.redhat.com/rh-osbs/iib:713808,registry-proxy.engineering.redhat.com/rh-osbs/iib:718034
-make load-iib
+for i in hub-kubeconfig-file spoke-kubeconfig-file; do
+  export KUBECONFIG="${i}"
+  export KUBEADMINPASS="11111-22222-33333-44444"
+  export OPERATOR=advanced-cluster-management,multicluster-engine
+  export INDEX_IMAGES=registry-proxy.engineering.redhat.com/rh-osbs/iib:713808,registry-proxy.engineering.redhat.com/rh-osbs/iib:718034
+  make load-iib
+done
 ```
 
 Once the IIBs are loaded into the cluster we need to run the following steps:

common/ansible/roles/iib_ci/tasks/main.yml

@@ -17,6 +17,9 @@
   ansible.builtin.shell: |
     oc get openshiftcontrollermanager/cluster -o yaml -o jsonpath='{.status.version}'
   register: oc_version_raw
+  retries: 10
+  delay: 10
+  until: oc_version_raw is not failed
   changed_when: false
 
 - name: Is OCP pre OCP 4.13? (aka registry supports v2 manifests)

common/clustergroup/templates/imperative/clusterrole.yaml

@@ -1,5 +1,6 @@
 {{- if not (eq .Values.enabled "plumbing") }}
 {{/* This is always defined as we always unseal the cluster with an imperative job */}}
+{{- if $.Values.clusterGroup.imperative.serviceAccountCreate }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -18,4 +19,19 @@ rules:
     - list
     - watch
 {{- end }}
+{{- end }} {{/* if $.Values.clusterGroup.imperative.serviceAccountCreate */}}
+{{- if $.Values.clusterGroup.imperative.adminServiceAccountCreate }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ $.Values.clusterGroup.imperative.adminClusterRoleName }}
+rules:
+  - apiGroups:
+    - '*'
+    resources:
+    - '*'
+    verbs:
+    - '*'
+{{- end }} {{/* if $.Values.clusterGroup.imperative.adminServiceAccountCreate */}}
 {{- end }}

common/clustergroup/templates/imperative/rbac.yaml

@@ -1,10 +1,11 @@
 {{- if not (eq .Values.enabled "plumbing") }}
 {{/* This is always defined as we always unseal the cluster with an imperative job */}}
+{{- if $.Values.clusterGroup.imperative.serviceAccountCreate -}}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: {{ $.Values.clusterGroup.imperative.namespace }}-cluster-admin-rolebinding
+  name: {{ $.Values.clusterGroup.imperative.namespace }}-cluster-rolebinding
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
@@ -17,7 +18,7 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: {{ $.Values.clusterGroup.imperative.namespace }}-admin-rolebinding
+  name: {{ $.Values.clusterGroup.imperative.namespace }}-rolebinding
   namespace: {{ $.Values.clusterGroup.imperative.namespace }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -28,3 +29,19 @@ subjects:
     name: {{ $.Values.clusterGroup.imperative.serviceAccountName }}
     namespace: {{ $.Values.clusterGroup.imperative.namespace }}
 {{- end }}
+{{- if $.Values.clusterGroup.imperative.adminServiceAccountCreate }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ $.Values.clusterGroup.imperative.namespace }}-admin-clusterrolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ $.Values.clusterGroup.imperative.adminClusterRoleName }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ $.Values.clusterGroup.imperative.adminServiceAccountName }}
+    namespace: {{ $.Values.clusterGroup.imperative.namespace }}
+{{- end }}
+{{- end }}

common/clustergroup/templates/imperative/serviceaccount.yaml

@@ -1,10 +1,18 @@
 {{- if not (eq .Values.enabled "plumbing") }}
 {{/* This is always defined as we always unseal the cluster with an imperative job */}}
-{{- if $.Values.clusterGroup.imperative.serviceAccountCreate -}}
+{{- if $.Values.clusterGroup.imperative.serviceAccountCreate }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ $.Values.clusterGroup.imperative.serviceAccountName }}
   namespace: {{ $.Values.clusterGroup.imperative.namespace }}
 {{- end }}
+{{- if $.Values.clusterGroup.imperative.adminServiceAccountCreate }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ $.Values.clusterGroup.imperative.adminServiceAccountName }}
+  namespace: {{ $.Values.clusterGroup.imperative.namespace }}
+{{- end }}
 {{- end }}

common/clustergroup/values.schema.json

@@ -677,6 +677,15 @@
         },
         "roleYaml": {
           "type": "string"
+        },
+        "adminServiceAccountCreate": {
+          "type": "boolean"
+        },
+        "adminServiceAccountName": {
+          "type": "string"
+        },
+        "adminClusterRoleName": {
+          "type": "string"
         }
       },
       "required": [

common/clustergroup/values.yaml

@@ -51,6 +51,10 @@ clusterGroup:
     clusterRoleYaml: ""
     roleName: imperative-role
     roleYaml: ""
+    adminServiceAccountCreate: true
+    adminServiceAccountName: imperative-admin-sa
+    adminClusterRoleName: imperative-admin-cluster-role
+
   managedClusterGroups: {}
   namespaces: []
 #  - name: factory

common/operator-install/templates/pattern.yaml

@@ -12,9 +12,6 @@ spec:
     tokenSecret: {{ .Values.main.tokenSecret }}
     tokenSecretNamespace: {{ .Values.main.tokenSecretNamespace }}
 {{- end }} {{/* if and .Values.main.tokenSecret .Values.main.tokenSecretNamespace */}}
-  gitOpsSpec:
-    operatorChannel: {{ default "gitops-1.12" .Values.main.gitops.channel }}
-    operatorSource: {{ default "redhat-operators" .Values.main.gitops.operatorSource }}
   multiSourceConfig:
     enabled: {{ .Values.main.multiSourceConfig.enabled }}
 {{- if .Values.main.analyticsUUID }}

common/operator-install/templates/subscription.yaml

@@ -7,7 +7,10 @@ metadata:
     operators.coreos.com/patterns-operator.openshift-operators: ""
 spec:
   channel: {{ .Values.main.patternsOperator.channel }}
-  installPlanApproval: Automatic
+  installPlanApproval: {{ .Values.main.patternsOperator.installPlanApproval }}
   name: patterns-operator
   source: {{ .Values.main.patternsOperator.source }}
-  sourceNamespace: openshift-marketplace
+  sourceNamespace: {{ .Values.main.patternsOperator.sourceNamespace }}
+  {{- if .Values.main.patternsOperator.startingCSV }}
+  startingCSV: {{ .Values.main.patternsOperator.startingCSV }}
+  {{- end }}

common/operator-install/values.yaml

@@ -20,6 +20,9 @@ main:
   patternsOperator:
     channel: fast
     source: community-operators
+    installPlanApproval: Automatic
+    sourceNamespace: openshift-marketplace
+    startingCSV: null
 
   clusterGroupName: default
 

common/tests/clustergroup-industrial-edge-factory.expected.yaml

@@ -64,6 +64,13 @@ metadata:
   name: imperative-sa
   namespace: imperative
 ---
+# Source: clustergroup/templates/imperative/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: imperative-admin-sa
+  namespace: imperative
+---
 # Source: clustergroup/templates/imperative/configmap.yaml
 apiVersion: v1
 kind: ConfigMap
@@ -116,6 +123,9 @@ data:
         initContainers: []
       imperative:
         activeDeadlineSeconds: 3600
+        adminClusterRoleName: imperative-admin-cluster-role
+        adminServiceAccountCreate: true
+        adminServiceAccountName: imperative-admin-sa
         clusterRoleName: imperative-cluster-role
         clusterRoleYaml: ""
         cronJobName: imperative-cronjob
@@ -264,11 +274,24 @@ rules:
     - list
     - watch
 ---
+# Source: clustergroup/templates/imperative/clusterrole.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: imperative-admin-cluster-role
+rules:
+  - apiGroups:
+    - '*'
+    resources:
+    - '*'
+    verbs:
+    - '*'
+---
 # Source: clustergroup/templates/imperative/rbac.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: imperative-cluster-admin-rolebinding
+  name: imperative-cluster-rolebinding
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
@@ -278,6 +301,20 @@ subjects:
     name: imperative-sa
     namespace: imperative
 ---
+# Source: clustergroup/templates/imperative/rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: imperative-admin-clusterrolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: imperative-admin-cluster-role
+subjects:
+  - kind: ServiceAccount
+    name: imperative-admin-sa
+    namespace: imperative
+---
 # Source: clustergroup/templates/plumbing/argocd-super-role.yaml
 # WARNING: ONLY USE THIS FOR MANAGING CLUSTERS NOT FOR REGULAR USERS
 apiVersion: rbac.authorization.k8s.io/v1
@@ -340,7 +377,7 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: imperative-admin-rolebinding
+  name: imperative-rolebinding
   namespace: imperative
 roleRef:
   apiGroup: rbac.authorization.k8s.io

common/tests/clustergroup-industrial-edge-hub.expected.yaml

@@ -109,6 +109,13 @@ metadata:
   name: imperative-sa
   namespace: imperative
 ---
+# Source: clustergroup/templates/imperative/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: imperative-admin-sa
+  namespace: imperative
+---
 # Source: clustergroup/templates/imperative/configmap.yaml
 apiVersion: v1
 kind: ConfigMap
@@ -237,6 +244,9 @@ data:
         initContainers: []
       imperative:
         activeDeadlineSeconds: 3600
+        adminClusterRoleName: imperative-admin-cluster-role
+        adminServiceAccountCreate: true
+        adminServiceAccountName: imperative-admin-sa
         clusterRoleName: imperative-cluster-role
         clusterRoleYaml: ""
         cronJobName: imperative-cronjob
@@ -425,11 +435,24 @@ rules:
     - list
     - watch
 ---
+# Source: clustergroup/templates/imperative/clusterrole.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: imperative-admin-cluster-role
+rules:
+  - apiGroups:
+    - '*'
+    resources:
+    - '*'
+    verbs:
+    - '*'
+---
 # Source: clustergroup/templates/imperative/rbac.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: imperative-cluster-admin-rolebinding
+  name: imperative-cluster-rolebinding
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
@@ -439,6 +462,20 @@ subjects:
     name: imperative-sa
     namespace: imperative
 ---
+# Source: clustergroup/templates/imperative/rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: imperative-admin-clusterrolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: imperative-admin-cluster-role
+subjects:
+  - kind: ServiceAccount
+    name: imperative-admin-sa
+    namespace: imperative
+---
 # Source: clustergroup/templates/plumbing/argocd-super-role.yaml
 # WARNING: ONLY USE THIS FOR MANAGING CLUSTERS NOT FOR REGULAR USERS
 apiVersion: rbac.authorization.k8s.io/v1
@@ -501,7 +538,7 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: imperative-admin-rolebinding
+  name: imperative-rolebinding
   namespace: imperative
 roleRef:
   apiGroup: rbac.authorization.k8s.io