feat: deploy core apps via argocd (#1630)

Co-authored-by: Matthias Erll <[email protected]>
Co-authored-by: jeho <[email protected]>

Author: 3 people

charts/gitea/templates/gitea/statefulset.yaml

@@ -319,7 +319,9 @@ spec:
           emptyDir: {}
   {{- else if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }}
   volumeClaimTemplates:
-    - metadata:
+    - apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
         name: data
       {{- with .Values.persistence.annotations }}
         annotations:

charts/harbor/templates/redis/statefulset.yaml

@@ -85,7 +85,9 @@ spec:
     {{- end }}
   {{- if and .Values.persistence.enabled (not $redis.existingClaim) }}
   volumeClaimTemplates:
-  - metadata:
+  - apiVersion: v1
+    kind: PersistentVolumeClaim
+    metadata:
       name: data
       labels:
 {{ include "harbor.labels" . | indent 8 }}

charts/harbor/templates/trivy/trivy-sts.yaml

@@ -182,7 +182,9 @@ spec:
     {{- end }}
 {{- if and .Values.persistence.enabled (not $trivy.existingClaim) }}
   volumeClaimTemplates:
-  - metadata:
+  - apiVersion: v1
+    kind: PersistentVolumeClaim
+    metadata:
       name: data
       labels:
 {{ include "harbor.labels" . | indent 8 }}

charts/oauth2-proxy/charts/redis/templates/master/application.yaml

@@ -496,7 +496,9 @@ spec:
             claimName: {{ printf "redis-data-%s-master" (include "common.names.fullname" .) }}
   {{- else }}
   volumeClaimTemplates:
-    - metadata:
+    - apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
         name: redis-data
         labels: {{- include "common.labels.matchLabels" . | nindent 10 }}
           app.kubernetes.io/component: master

charts/oauth2-proxy/charts/redis/templates/replicas/statefulset.yaml

@@ -493,7 +493,9 @@ spec:
             claimName: {{ printf "%s" (tpl .Values.replica.persistence.existingClaim .) }}
   {{- else }}
   volumeClaimTemplates:
-    - metadata:
+    - apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
         name: redis-data
         labels: {{- include "common.labels.matchLabels" . | nindent 10 }}
           app.kubernetes.io/component: replica

charts/oauth2-proxy/charts/redis/templates/sentinel/statefulset.yaml

@@ -736,7 +736,9 @@ spec:
             claimName: {{ printf "%s" (tpl .Values.replica.persistence.existingClaim .) }}
   {{- else }}
   volumeClaimTemplates:
-    - metadata:
+    - apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
         name: redis-data
         labels: {{- include "common.labels.matchLabels" . | nindent 10 }}
           app.kubernetes.io/component: node

charts/otomi-pipelines/templates/eventlistener.yaml

@@ -7,7 +7,8 @@ spec:
   triggers:
     - name: otomi-tekton-listener
       bindings:
-        - ref: otomi-tekton-binding
+        - kind: TriggerBinding
+          ref: otomi-tekton-binding
       template:
         ref: otomi-tekton-template
   resources:
@@ -18,4 +19,5 @@ spec:
             serviceAccountName: otomi-tekton-triggers-sa
             containers:
               - resources: {{- toYaml .Values.eventListener.resources | nindent 18 }}
+                name: ''
 

charts/otomi-pipelines/templates/tekton-otomi-git-clone.yaml

@@ -6,17 +6,24 @@ metadata:
 spec:
   params:
     - name: repoUrl
+      type: string
     - name: commitMessage
+      type: string
     - name: giteaCredentialsSecretName
+      type: string
   results:
     - name: CI
       description: Determine if pipeline should run based on the commit message
+      type: string
     - name: OTOMI_VERSION
       description: Otomi version as in values/env/settings.yaml
+      type: string
     - name: TRIGGER_TEAMS_PIPELINE
       description: Determine if the otomi-task-teams is about to run
+      type: string
     - name: TRIGGER_PLATFORM_PIPELINE
       description: Determine if the otomi-task is about to run
+      type: string
   workspaces:
     - name: source
       mountPath: /home/app/stack/env/
@@ -28,6 +35,7 @@ spec:
     image: otomi/core:{{ .Values.otomiVersion }}
   steps:
     - name: git-clone
+      computeResources: {}
       script: |
         #!/bin/bash
         set -e

charts/otomi-pipelines/templates/tekton-otomi-task-teams.yaml

@@ -8,9 +8,13 @@ metadata:
 spec:
   params:
     - name: OTOMI_VERSION
+      type: string
     - name: CI
+      type: string
     - name: repoUrl
+      type: string
     - name: giteaCredentialsSecretName
+      type: string
   workspaces:
     - name: source
       mountPath: /home/app/stack/env
@@ -37,6 +41,7 @@ spec:
       value: '2'
   steps:
     - name: git-clone
+      computeResources: {}
       script: |
         #!/bin/bash
         set -e
@@ -57,12 +62,14 @@ spec:
         git clone --depth 1 https://$GITEA_USERNAME:$GITEA_PASSWORD@$url $ENV_DIR
         {{- end }}
     - name: test
+      computeResources: {}
       command:
         - '/bin/bash'
       args:
         - '-c'
         - 'binzx/otomi validate-values'
     - name: apply
+      computeResources: {}
       script: |
         #!/bin/bash
         set -e

charts/otomi-pipelines/templates/tekton-otomi-task.yaml

@@ -8,9 +8,13 @@ metadata:
 spec:
   params:
     - name: OTOMI_VERSION
+      type: string
     - name: CI
+      type: string
     - name: repoUrl
+      type: string
     - name: giteaCredentialsSecretName
+      type: string
   workspaces:
     - name: source
       mountPath: /home/app/stack/env
@@ -37,6 +41,7 @@ spec:
       value: '1'
   steps:
     - name: git-clone
+      computeResources: {}
       script: |
         #!/bin/bash
         set -e
@@ -57,18 +62,21 @@ spec:
         git clone --depth 1 https://$GITEA_USERNAME:$GITEA_PASSWORD@$url $ENV_DIR
         {{- end }}
     - name: bootstrap
+      computeResources: {}
       command:
         - '/bin/bash'
       args:
         - '-c'
         - 'binzx/otomi bootstrap'
     - name: test
+      computeResources: {}
       command:
         - '/bin/bash'
       args:
         - '-c'
         - 'binzx/otomi validate-values'
     - name: apply
+      computeResources: {}
       script: |
         #!/bin/bash
         set -e

charts/otomi-pipelines/templates/tekton-pipeline.yaml

@@ -9,8 +9,11 @@ spec:
     - name: gitea-credentials
   params:
     - name: repoUrl
+      type: string
     - name: commitMessage
+      type: string
     - name: giteaCredentialsSecretName
+      type: string
   tasks:
     - name: otomi-git-clone
       params:
@@ -21,6 +24,7 @@ spec:
         - name: giteaCredentialsSecretName
           value: $(params.giteaCredentialsSecretName)
       taskRef:
+        kind: Task
         name: otomi-git-clone
       workspaces:
         - name: source
@@ -38,6 +42,7 @@ spec:
         - name: giteaCredentialsSecretName
           value: $(params.giteaCredentialsSecretName)
       taskRef:
+        kind: Task
         name: otomi-task
       workspaces:
         - name: source
@@ -64,6 +69,7 @@ spec:
         - name: giteaCredentialsSecretName
           value: $(params.giteaCredentialsSecretName)
       taskRef:
+        kind: Task
         name: otomi-task-teams
       workspaces:
         - name: source

charts/tempo/templates/lib/service-monitor.tpl

@@ -47,7 +47,8 @@ spec:
       scrapeTimeout: {{ . }}
       {{- end }}
       relabelings:
-        - sourceLabels: [job]
+        - action: replace
+          sourceLabels: [job]
           replacement: "{{ $.ctx.Release.Namespace }}/{{ $.component }}"
           targetLabel: job
         {{- if kindIs "string" .clusterLabel }}

src/cmd/apply-as-apps.ts

@@ -29,7 +29,7 @@ const setup = (): void => {
   mkdirSync(valuesDir, { recursive: true })
 }
 
-interface HelmRelese {
+interface HelmRelease {
   name: string
   namespace: string
   enabled: boolean
@@ -38,11 +38,11 @@ interface HelmRelese {
   chart: string
   version: string
 }
-const getAppName = (release: HelmRelese): string => {
+const getAppName = (release: HelmRelease): string => {
   return `${release.namespace}-${release.name}`
 }
 
-const getArgocdAppManifest = (release: HelmRelese, values: Record<string, any>, otomiVersion) => {
+const getArgocdAppManifest = (release: HelmRelease, values: Record<string, any>, otomiVersion) => {
   return {
     apiVersion: 'argoproj.io/v1alpha1',
     kind: 'Application',
@@ -80,17 +80,17 @@ const getArgocdAppManifest = (release: HelmRelese, values: Record<string, any>,
   }
 }
 
-const removeApplication = async (release: HelmRelese): Promise<void> => {
+const removeApplication = async (release: HelmRelease): Promise<void> => {
   const name = getAppName(release)
   if (!(await isResourcePresent('application', name, 'argocd'))) return
 
-  // TODO: do we always want to remove finalisers?
+  // TODO: do we always want to remove finalizers?
   await $`kubectl -n argocd patch application ${name}  -p '{"metadata": {"finalizers": null}}' --type merge`
   const resDelete = await $`kubectl -n argocd delete application ${name}`
   d.info(resDelete.stdout.toString())
 }
 
-const writeApplicationManifest = async (release: HelmRelese, otomiVersion: string): Promise<void> => {
+const writeApplicationManifest = async (release: HelmRelease, otomiVersion: string): Promise<void> => {
   const appName = `${release.namespace}-${release.name}`
   // d.info(`Generating Argocd Application at ${appName}`)
   const applicationPath = `${appsDir}/${appName}.yaml`
@@ -125,9 +125,9 @@ export const applyAsApps = async (argv: HelmArguments): Promise<void> => {
   })
   const errors: Array<any> = []
   // Generate JSON object with all helmfile releases defined in helmfile.d
-  const releses: [] = JSON.parse(res.stdout.toString())
+  const releases: [] = JSON.parse(res.stdout.toString())
   await Promise.allSettled(
-    releses.map(async (release: HelmRelese) => {
+    releases.map(async (release: HelmRelease) => {
       try {
         if (release.installed) await writeApplicationManifest(release, otomiVersion)
         else {
@@ -147,10 +147,10 @@ export const applyAsApps = async (argv: HelmArguments): Promise<void> => {
     d.error(e)
     errors.push(e)
   }
-  if (errors.length === 0) d.info(`All applications has been deployed succesfully`)
+  if (errors.length === 0) d.info(`All applications has been deployed successfully`)
   else {
     errors.map((e) => d.error(e))
-    d.error(`Not all applications has been deployed succesfully`)
+    d.error(`Not all applications has been deployed successfully`)
   }
 }
 

src/cmd/apply.ts

@@ -87,27 +87,25 @@ const applyAll = async () => {
     // When Otomi is installed for the very first time and ArgoCD is not yet there.
     // The 'tag!=teams' does not include team-ns-admin release name.
     labelOpts = ['tag!=teams']
+    await hf(
+      {
+        labelOpts,
+        logLevel: logLevelString(),
+        args: hfArgs,
+      },
+      { streams: { stdout: d.stream.log, stderr: d.stream.error } },
+    )
   } else {
     // When Otomi is already installed and Tekton pipeline performs GitOps.
     // We ensure that helmfile does not deploy any team related Helm release.
-    labelOpts = ['pipeline!=otomi-task-teams']
 
     // We still need to deploy all teams because some settings depend on platform apps.
     // Note that team-ns-admin contains ingress for platform apps.
     const params = cloneDeep(argv)
-    params.label = ['pipeline=otomi-task-teams']
+    //TODO here happens the real installation of the apps
     await applyAsApps(params)
   }
 
-  await hf(
-    {
-      labelOpts,
-      logLevel: logLevelString(),
-      args: hfArgs,
-    },
-    { streams: { stdout: d.stream.log, stderr: d.stream.error } },
-  )
-
   await upgrade({ when: 'post' })
   if (!(env.isDev && env.DISABLE_SYNC)) {
     await commit()

values/argocd/argocd.gotmpl

@@ -111,6 +111,20 @@ configs:
     users.anonymous.enabled: "false"
     # Note that the clientSecret is not actually used
     # as for now oauth2-proxy handles the login
+    resource.compareoptions: |
+        # disables status field diffing in specified resource types
+        ignoreAggregatedRoles: true
+    resource.exclusions: |
+        - apiGroups:
+          - "*"
+          kinds:
+          - "PipelineRun"
+          - "TaskRun"
+          clusters:
+          - "*"
+    resource.customizations.knownTypeFields.cert-manager.io_Certificate: |
+        - field: spec.duration
+          type: meta/v1/Duration
     oidc.config: |
       name: Otomi
       issuer: {{ $v._derived.oidcBaseUrl }}

values/jaeger-operator/jaeger-operator.gotmpl

@@ -59,7 +59,7 @@ jaeger:
     securityContext:
       runAsNonRoot: true
       runAsUser: 1000
-    strategy: allInOne
+    strategy: allinone
 
 rbac:
   clusterRole: true