Add support for custom CAs
This feature relies on the VP operator version >= 0.0.44 in order to
work.

The way to enable this is to add a feature flag called 'initcontainers'
in the VP operator. Once this is enabled, we will detect this and take
over all the ArgoCD instances' definitions and add initContainers which
will inject the CAs contained in the trusted-bundle-ca configmap and
also the openshift internal CA.

Testing protocol:

  1. (Operator 0.0.44) MCG deployment with experimentalCapabilities set
     to '' and using a github main upstream (i.e. without this PR)

  2. (Operator 0.0.44) MCG deployment with experimentalCapabilities set
     to 'initcontainers' and using a github disconnected common upstream
     (requiring a custom CA) (i.e. with this PR)

  3. (Operator 0.0.44) MCG deployment with experimentalCapabilities set
     to '' and using a github disconnected common upstream (same as 1.2)
     and then set the initcontainer capability on the hub. Checked that
     the .global.experimentalCapabilities property replicated from hub to
     spoke and the initcontainers have been generated correctly

  3.1 (Operator 0.0.44) Change the repo from github to an internal one
      that does need the custom CA to work

  4. (Operator 0.0.43) Test an old operator with a newer common that
      contains this very branch

Note: Once we make initcontainers a default feature of the operator,
we will remove the ifs added in this PR and just make it the default
behaviour.
mbaldessari committed Apr 11, 2024
1 parent 72cb859 commit 29126b2
Showing 2 changed files with 170 additions and 0 deletions.
3 changes: 3 additions & 0 deletions templates/policies/application-policies.yaml
@@ -1,4 +1,5 @@
# TODO: Also create a GitOpsCluster.apps.open-cluster-management.io
{{- $hasInitContainerCapability := and (.Values.global.experimentalCapabilities) (has "initcontainers" (splitList "," .Values.global.experimentalCapabilities)) }}
{{- range .Values.clusterGroup.managedClusterGroups }}
{{- $group := . }}
{{- if not .hostedArgoSites }}
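Review bot: `$hasInitContainerCapability` is defined at the top of application-policies.yaml but never referenced anywhere in this file; its only use is in ocp-gitops-policy.yaml, which defines the identical variable itself. Drop the definition here, or, if both files are meant to share it, move the expression into a named template so the capability check is written once and cannot drift between the two files.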
@@ -75,6 +76,8 @@ spec:
value: {{ $.Values.global.clusterPlatform }}
- name: clusterGroup.name
value: {{ $group.name }}
- name: global.experimentalCapabilities
value: {{ $.Values.global.experimentalCapabilities }}
{{- range .helmOverrides }}
- name: {{ .name }}
value: {{ .value | quote }}
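Review bot: the new `global.experimentalCapabilities` parameter is emitted unquoted (`value: {{ $.Values.global.experimentalCapabilities }}`), whereas the helmOverrides two lines below use `value: {{ .value | quote }}`. With the `''` used in testing step 1 this renders as a bare `value:` (YAML null rather than an empty string), and any future capability name that YAML reads as a non-string scalar would be mis-typed on the spoke; apply `| quote` here for the same reason the override values have it.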
167 changes: 167 additions & 0 deletions templates/policies/ocp-gitops-policy.yaml
@@ -1,3 +1,4 @@
{{- $hasInitContainerCapability := and (.Values.global.experimentalCapabilities) (has "initcontainers" (splitList "," .Values.global.experimentalCapabilities)) }}
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
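Review bot: `has "initcontainers" (splitList "," ...)` is an exact match on each comma-separated element, so a value such as `foo, initcontainers` (with a space after the comma) silently fails the check and no init containers are generated. If whitespace between entries is acceptable, trim each element before the `has` lookup; otherwise document, here and in the operator's experimentalCapabilities description, that the list is comma-separated with no spaces.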
@@ -24,6 +25,15 @@ spec:
include:
- default
object-templates:
- complianceType: mustonlyhave
objectDefinition:
kind: ConfigMap
apiVersion: v1
metadata:
name: trusted-ca-bundle
namespace: openshift-gitops
labels:
config.openshift.io/inject-trusted-cabundle: 'true'
- complianceType: mustonlyhave
objectDefinition:
# This is an auto-generated file. DO NOT EDIT
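Review bot: `complianceType: mustonlyhave` deserves a second look for this ConfigMap, because the `config.openshift.io/inject-trusted-cabundle: 'true'` label asks the Cluster Network Operator to populate `data.ca-bundle.crt` out of band while the template declares no `data` at all. If the policy is enforced, verify on a live cluster that the configuration policy controller does not treat the injected key as a field to remove and end up fighting the operator; `musthave` avoids that question entirely and still guarantees the label is present. Also, the commit message refers to the `trusted-bundle-ca` configmap while the object is named `trusted-ca-bundle`; align the message with the manifest.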
@@ -44,6 +54,163 @@ spec:
env:
- name: ARGOCD_CLUSTER_CONFIG_NAMESPACES
value: "*"
{{- if $hasInitContainerCapability }}
- complianceType: mustonlyhave
objectDefinition:
apiVersion: argoproj.io/v1beta1
kind: ArgoCD
metadata:
name: openshift-gitops
namespace: openshift-gitops
spec:
applicationSet:
resources:
limits:
cpu: "2"
memory: 1Gi
requests:
cpu: 250m
memory: 512Mi
webhookServer:
ingress:
enabled: false
route:
enabled: false
controller:
processors: {}
resources:
limits:
cpu: "2"
memory: 2Gi
requests:
cpu: 250m
memory: 1Gi
sharding: {}
grafana:
enabled: false
ingress:
enabled: false
resources:
limits:
cpu: 500m
memory: 256Mi
requests:
cpu: 250m
memory: 128Mi
route:
enabled: false
ha:
enabled: false
resources:
limits:
cpu: 500m
memory: 256Mi
requests:
cpu: 250m
memory: 128Mi
initialSSHKnownHosts: {}
monitoring:
enabled: false
notifications:
enabled: false
prometheus:
enabled: false
ingress:
enabled: false
route:
enabled: false
rbac:
defaultPolicy: ""
policy: |-
g, system:cluster-admins, role:admin
g, cluster-admins, role:admin
scopes: '[groups]'
redis:
resources:
limits:
cpu: 500m
memory: 256Mi
requests:
cpu: 250m
memory: 128Mi
repo:
initContainers:
- command:
- bash
- -c
- cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt > /tmp/ca-bundles/ca-bundle.crt
|| true
image: registry.access.redhat.com/ubi9/ubi-minimal:latest
name: fetch-ca
resources: {}
volumeMounts:
- mountPath: /var/run/kube-root-ca
name: kube-root-ca
- mountPath: /var/run/trusted-ca
name: trusted-ca-bundle
- mountPath: /tmp/ca-bundles
name: ca-bundles
resources:
limits:
cpu: "1"
memory: 1Gi
requests:
cpu: 250m
memory: 256Mi
volumeMounts:
- mountPath: /etc/pki/tls/certs
name: ca-bundles
volumes:
- configMap:
name: kube-root-ca.crt
name: kube-root-ca
- configMap:
name: trusted-ca-bundle
optional: true
name: trusted-ca-bundle
- emptyDir: {}
name: ca-bundles
resourceExclusions: |-
- apiGroups:
- tekton.dev
clusters:
- '*'
kinds:
- TaskRun
- PipelineRun
server:
autoscale:
enabled: false
grpc:
ingress:
enabled: false
ingress:
enabled: false
resources:
limits:
cpu: 500m
memory: 256Mi
requests:
cpu: 125m
memory: 128Mi
route:
enabled: true
service:
type: ""
sso:
dex:
openShiftOAuth: true
resources:
limits:
cpu: 500m
memory: 256Mi
requests:
cpu: 250m
memory: 128Mi
provider: dex
tls:
ca: {}
{{- end }}{{/* if hasInitContainerCapability */}}
---
apiVersion: policy.open-cluster-management.io/v1
kind: PlacementBinding
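Review bot: when the `trusted-ca-bundle` ConfigMap is absent (it is declared `optional: true`, and it is empty until the CNO injects it), the repo server is left with only the kube root CA and TLS to every public Git host fails: the `ca-bundles` emptyDir is mounted over the repo server's `/etc/pki/tls/certs`, hiding the image's own trust store, `cat` fails on `/var/run/trusted-ca/ca-bundle.crt`, and `|| true` hides that failure so the resulting `ca-bundle.crt` contains just `kube-root-ca.crt`. Consider concatenating the init image's own `/etc/pki/tls/certs/ca-bundle.crt` as a baseline and logging the missing file instead of discarding the exit status. Two smaller points: `registry.access.redhat.com/ubi9/ubi-minimal:latest` is a floating tag inside a policy that is enforced on every managed cluster, so pin a digest to keep the init container reproducible; and the entire ArgoCD spec is repeated under `{{- if $hasInitContainerCapability }}` although the surrounding file is marked auto-generated, so templating only the `repo.initContainers`, `repo.volumeMounts` and `volumes` sections into the generated object would stop the two definitions from drifting apart.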

0 comments on commit 29126b2