feat: only deploy gitops essential apps on initial install (#1690)

Co-authored-by: jeho <[email protected]>

Author: CasLubbers

.env.sample

@@ -22,3 +22,9 @@ AWS_SECRET_ACCESS_KEY=''
 
 
 OTOMI_CHARTS_URL='https://github.com/linode/apl-charts.git'
+
+
+RETRIES=6
+RANDOM=false
+MIN_TIMEOUT=10000
+FACTOR=1

charts/otomi-pipelines/templates/tekton-otomi-git-clone.yaml

@@ -59,7 +59,7 @@ spec:
 
         # Cloning the values
         {{- if .Values.cloneUnsecure }}
-        git clone -c http.sslVerify=false --depth 2 https://$GITEA_USERNAME:$GITEA_PASSWORD@$url
+        git clone -c http.sslVerify=false --depth 2 http://$GITEA_USERNAME:$GITEA_PASSWORD@$url
         {{- else }}
         git clone --depth 2 https://$GITEA_USERNAME:$GITEA_PASSWORD@$url
         {{- end }}
@@ -82,5 +82,12 @@ spec:
         if git diff --name-only HEAD~1 | grep -v "env/teams/"; then
           echo -n "1" > $(results.TRIGGER_PLATFORM_PIPELINE.path)
         fi
+
+        # Allows to trigger pipeline without making any change in the values repo
+        if [[ ! $COMMIT_MESSAGE == "[apl-trigger]" ]]; then
+            echo -n "1" > $(results.TRIGGER_PLATFORM_PIPELINE.path)
+            echo -n "1" > $(results.TRIGGER_TEAMS_PIPELINE.path)
+        fi
+
       args:
         - '$(params["commitMessage"])'

charts/otomi-pipelines/templates/tekton-otomi-task-teams.yaml

@@ -57,7 +57,7 @@ spec:
 
         # Cloning the values
         {{- if .Values.cloneUnsecure }}
-        git clone -c http.sslVerify=false --depth 1 https://$GITEA_USERNAME:$GITEA_PASSWORD@$url $ENV_DIR
+        git clone -c http.sslVerify=false --depth 1 http://$GITEA_USERNAME:$GITEA_PASSWORD@$url $ENV_DIR
         {{- else}}
         git clone --depth 1 https://$GITEA_USERNAME:$GITEA_PASSWORD@$url $ENV_DIR
         {{- end }}

charts/otomi-pipelines/templates/tekton-otomi-task.yaml

@@ -57,7 +57,7 @@ spec:
 
         # Cloning the values
         {{- if .Values.cloneUnsecure }}
-        git clone -c http.sslVerify=false --depth 1 https://$GITEA_USERNAME:$GITEA_PASSWORD@$url $ENV_DIR
+        git clone -c http.sslVerify=false --depth 1 http://$GITEA_USERNAME:$GITEA_PASSWORD@$url $ENV_DIR
         {{- else}}
         git clone --depth 1 https://$GITEA_USERNAME:$GITEA_PASSWORD@$url $ENV_DIR
         {{- end }}

charts/otomi-pipelines/templates/tekton-pipeline.yaml

@@ -18,7 +18,7 @@ spec:
     - name: otomi-git-clone
       params:
         - name: repoUrl
-          value: '$(params.repoUrl)'
+          value: 'gitea-http.gitea.svc.cluster.local:3000/otomi/values.git/'
         - name: commitMessage
           value: '$(params.commitMessage)'
         - name: giteaCredentialsSecretName
@@ -34,7 +34,7 @@ spec:
     - name: otomi-task
       params:
         - name: repoUrl
-          value: '$(params.repoUrl)'
+          value: 'gitea-http.gitea.svc.cluster.local:3000/otomi/values.git/'
         - name: OTOMI_VERSION
           value: $(tasks.otomi-git-clone.results.OTOMI_VERSION)
         - name: CI
@@ -61,7 +61,7 @@ spec:
     - name: otomi-task-teams
       params:
         - name: repoUrl
-          value: '$(params.repoUrl)'
+          value: 'gitea-http.gitea.svc.cluster.local:3000/otomi/values.git/'
         - name: OTOMI_VERSION
           value: $(tasks.otomi-git-clone.results.OTOMI_VERSION)
         - name: CI

helmfile.d/helmfile-02.init.yaml

@@ -44,4 +44,5 @@ releases:
     namespace: cnpg-system
     labels:
       pkg: cloudnative-pg
+      app: core
     <<: *default

helmfile.d/helmfile-03.init.yaml

@@ -15,6 +15,8 @@ releases:
   - name: argocd
     installed: {{ $a | get "argocd.enabled" }}
     namespace: argocd
+    labels:
+      app: core
     <<: *default 
   - name: otomi-operator
     installed: true
@@ -39,18 +41,21 @@ releases:
     namespace: gitea
     labels:
       pkg: gitea
+      app: core
     <<: *raw
   - name: apl-gitea-operator-artifacts
     installed: {{ $a | get "gitea.enabled" }}
     namespace: apl-gitea-operator
     labels:
       pkg: apl-gitea-operator
+      app: core
     <<: *raw
   - name: apl-gitea-operator
     installed: {{ $a | get "gitea.enabled" }}
     namespace: apl-gitea-operator
     labels:
       pkg: apl-gitea-operator
+      app: core
     <<: *default
   - name: apl-harbor-operator-artifacts
     installed: {{ $a | get "harbor.enabled" }}
@@ -106,12 +111,14 @@ releases:
     namespace: tekton-pipelines
     labels:
       pkg: tekton-pipelines
+      app: core
     <<: *default
   - name: tekton-dashboard
     installed: true
     namespace: tekton-pipelines
     labels:
       pkg: tekton-pipelines
+      app: core
     chart: ../charts/tekton-dashboard
     values:
       - ../values/tekton-dashboard/tekton-dashboard.gotmpl

helmfile.d/helmfile-04.databases.yaml

@@ -31,4 +31,5 @@ releases:
     namespace: gitea
     labels:
       pkg: gitea
+      app: core
     <<: *otomiDb

helmfile.d/helmfile-05.init.yaml

@@ -17,12 +17,14 @@ releases:
     namespace: argocd
     labels:
       pkg: argocd
+      app: core
     <<: *raw
   - name: istio-operator
     installed: true
     namespace: istio-operator
     labels:
       pkg: istio
+      app: core
     <<: *default
   - name: keycloak-artifacts
     installed: true

helmfile.d/helmfile-06.init.yaml

@@ -29,6 +29,7 @@ releases:
     namespace: istio-operator
     labels:
       pkg: istio
+      app: core
     chart: ../charts/raw
     values:
       - ../values/istio-operator/istio-operator-raw.gotmpl

helmfile.d/helmfile-09.init.yaml

@@ -51,8 +51,11 @@ releases:
     namespace: tekton-pipelines
     labels:
       pkg: tekton-triggers
+      app: core
     <<: *default
   - name: otomi-pipelines
     installed: true
     namespace: otomi-pipelines
+    labels:
+      app: core
     <<: *default

helmfile.d/helmfile-50.services.yaml

@@ -21,6 +21,7 @@ releases:
     namespace: gitea
     labels:
       pkg: gitea
+      app: core
     <<: *default
   - name: velero
     installed: {{ $a | get "velero.enabled" }}

helmfile.d/helmfile-70.shared.yaml

@@ -48,6 +48,7 @@ releases:
     labels:
       tag: ingress
       pkg: oauth2-proxy
+      app: core
     <<: *raw
   - name: otomi-api
     installed: true

helmfile.d/helmfile-90.artifacts.yaml

@@ -17,6 +17,7 @@ releases:
     namespace: istio-system
     labels:
       pkg: istio
+      app: core
     chart: ../charts/raw
     values:
       - ../values/raw/istio-raw.gotmpl

helmfile.d/helmfile-91.artifacts.yaml

@@ -17,4 +17,5 @@ releases:
     namespace: istio-system
     labels:
       pkg: istio
+      app: core
     <<: *raw

src/cmd/apply-as-apps.ts

@@ -52,6 +52,11 @@ const getArgocdAppManifest = (release: HelmRelease, values: Record<string, any>,
         'otomi.io/app': 'managed',
       },
       namespace: 'argocd',
+      annotations: ['tempo', 'thanos'].includes(release.name)
+        ? {
+            'argocd.argoproj.io/compare-options': 'ServerSideDiff=true,IncludeMutationWebhook=true',
+          }
+        : {},
     },
     spec: {
       syncPolicy: {

src/cmd/apply.ts

@@ -14,7 +14,7 @@ import { ProcessOutputTrimmed } from 'src/common/zx-enhance'
 import { Argv, CommandModule } from 'yargs'
 import { $, nothrow } from 'zx'
 import { applyAsApps } from './apply-as-apps'
-import { cloneOtomiChartsInGitea, commit, printWelcomeMessage } from './commit'
+import { cloneOtomiChartsInGitea, commit, printWelcomeMessage, retryCheckingForPipelinerun } from './commit'
 import { upgrade } from './upgrade'
 
 const cmdName = getFilename(__filename)
@@ -85,8 +85,8 @@ const applyAll = async () => {
   let labelOpts = ['']
   if (intitalInstall) {
     // When Otomi is installed for the very first time and ArgoCD is not yet there.
-    // The 'tag!=teams' does not include team-ns-admin release name.
-    labelOpts = ['tag!=teams']
+    // Only install the core apps
+    labelOpts = ['app=core']
     await hf(
       {
         labelOpts,
@@ -120,6 +120,7 @@ const applyAll = async () => {
         { streams: { stdout: d.stream.log, stderr: d.stream.error } },
       )
       await cloneOtomiChartsInGitea()
+      await retryCheckingForPipelinerun()
       await printWelcomeMessage()
     }
   }

src/cmd/commit.ts

@@ -12,6 +12,8 @@ import { Argv } from 'yargs'
 import { $, cd } from 'zx'
 import { Arguments as DroneArgs } from './gen-drone'
 import { validateValues } from './validate-values'
+import { CustomObjectsApi, KubeConfig } from '@kubernetes/client-node'
+import retry from 'async-retry'
 
 const cmdName = getFilename(__filename)
 
@@ -104,17 +106,57 @@ export const cloneOtomiChartsInGitea = async (): Promise<void> => {
   d.info('Cloned apl-charts in Gitea')
 }
 
+export async function retryCheckingForPipelinerun() {
+  const d = terminal(`cmd:${cmdName}:apply`)
+  await retry(
+    async () => {
+      await checkIfPipelineRunExists()
+    },
+    { retries: env.RETRIES, randomize: env.RANDOM, minTimeout: env.MIN_TIMEOUT, factor: env.FACTOR },
+  ).catch((e) => {
+    d.error('Error retrieving PipelineRuns:', e)
+    throw e
+  })
+}
+
+export async function checkIfPipelineRunExists(): Promise<void> {
+  const d = terminal(`cmd:${cmdName}:pipelinerun`)
+  const kc = new KubeConfig()
+  kc.loadFromDefault()
+  const customObjectsApi = kc.makeApiClient(CustomObjectsApi)
+
+  const response = await customObjectsApi.listNamespacedCustomObject(
+    'tekton.dev',
+    'v1beta1',
+    'otomi-pipelines',
+    'pipelineruns',
+  )
+
+  const pipelineRuns = (response.body as { items: any[] }).items
+  if (pipelineRuns.length === 0) {
+    d.info(`No Tekton pipeline runs found, triggering a new one...`)
+    await $`git commit --allow-empty -m "[apl-trigger]"`
+    await $`git push`
+    throw new Error('PipelineRun not found in otomi-pipelines namespace')
+  }
+  d.info(`There is a Tekton PipelineRuns continuing...`)
+}
+
 export const printWelcomeMessage = async (): Promise<void> => {
   const d = terminal(`cmd:${cmdName}:commit`)
   const values = (await hfValues()) as Record<string, any>
   const credentials = values.apps.keycloak
   const message = `
-    ########################################################################################################################################
-    #
-    #  To start using APL, go to https://console.${values.cluster.domainSuffix} and sign in to the web console
-    #  with username "${credentials.adminUsername}" and password "${credentials.adminPassword}".
-    #
-    ########################################################################################################################################`
+  ########################################################################################################################################
+  #
+  #  Core apps installation complete! ArgoCD will now deploy the remaining applications. 
+  #  To monitor the progress, run: kubectl get applications -A
+  #  Once ArgoCD finishes, you can start using APL. Visit: https://console.${values.cluster.domainSuffix}
+  #  Sign in to the web console with the following credentials:
+  #    - Username: "${credentials.adminUsername}"
+  #    - Password: "${credentials.adminPassword}"
+  #
+  ########################################################################################################################################`
   d.info(message)
 }
 

src/common/envalid.ts

@@ -37,6 +37,10 @@ export const cliEnvSpec = {
   TRACE: bool({ default: false }),
   VERBOSITY: num({ desc: 'The verbosity level', default: 1 }),
   VALUES_INPUT: str({ desc: 'The chart values.yaml file', default: undefined }),
+  RETRIES: num({ desc: 'The maximum amount of times to retry the operation by the reconciler', default: 6 }),
+  RANDOM: bool({ desc: 'Randomizes the timeouts by multiplying with a factor between 1 to 2', default: false }),
+  MIN_TIMEOUT: num({ desc: 'The number of milliseconds before starting the first retry', default: 10000 }),
+  FACTOR: num({ desc: 'The factor to multiply the timeout with', default: 1 }),
 }
 
 export function cleanEnv<T>(

values/argocd/argocd.gotmpl

@@ -99,6 +99,10 @@ configs:
       oidc.clientSecret: {{ $k.idp.clientSecret }}
   params:
     server.insecure: true # nginx terminates tls
+    # -- Number of application status processors
+    controller.status.processors: 10
+    # -- Number of application operation processors
+    controller.operation.processors: 5
 
   rbac:
     policy.csv: |

values/otomi-pipelines/otomi-pipelines.gotmpl

@@ -8,6 +8,4 @@ kms: {{- $kms | toYaml | nindent 2 }}
 giteaPassword: {{ $g.adminPassword }}
 otomiVersion: {{ $v.otomi.version }}
 
-{{- if $v._derived.untrustedCA }}
-cloneUnsecure: true
-{{- end }}
+cloneUnsecure: true