Custom CA support #461

Merged
merged 2 commits into from
Apr 12, 2024
Merged
3 changes: 3 additions & 0 deletions acm/templates/policies/application-policies.yaml
@@ -1,4 +1,5 @@
# TODO: Also create a GitOpsCluster.apps.open-cluster-management.io
{{- $hasInitContainerCapability := and (.Values.global.experimentalCapabilities) (has "initcontainers" (splitList "," .Values.global.experimentalCapabilities)) }}
{{- range .Values.clusterGroup.managedClusterGroups }}
{{- $group := . }}
{{- if not .hostedArgoSites }}
Expand Down Expand Up @@ -75,6 +76,8 @@ spec:
value: {{ $.Values.global.clusterPlatform }}
- name: clusterGroup.name
value: {{ $group.name }}
- name: global.experimentalCapabilities
value: {{ $.Values.global.experimentalCapabilities }}
{{- range .helmOverrides }}
- name: {{ .name }}
value: {{ .value | quote }}
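Review bot: `value: {{ $.Values.global.experimentalCapabilities }}` on the new ApplicationSet parameter renders as a bare `value:` (null) when the value is unset, and would be typed as a boolean or number if someone ever set a value such as `on`; the helmOverrides loop just below quotes its values, so this line should too: `value: {{ $.Values.global.experimentalCapabilities | default "" | quote }}`. The same applies to the new `global.experimentalCapabilities` parameter in clustergroup/templates/_helpers.tpl, which adds `default ""` but not `quote`. The `$hasInitContainerCapability` variable defined in the first hunk is not referenced in either visible hunk of this file; if the rest of the file does not use it, drop the definition.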
167 changes: 167 additions & 0 deletions acm/templates/policies/ocp-gitops-policy.yaml
@@ -1,3 +1,4 @@
{{- $hasInitContainerCapability := and (.Values.global.experimentalCapabilities) (has "initcontainers" (splitList "," .Values.global.experimentalCapabilities)) }}
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
Expand All @@ -24,6 +25,15 @@ spec:
include:
- default
object-templates:
- complianceType: mustonlyhave
objectDefinition:
kind: ConfigMap
apiVersion: v1
metadata:
name: trusted-ca-bundle
namespace: openshift-gitops
labels:
config.openshift.io/inject-trusted-cabundle: 'true'
- complianceType: mustonlyhave
objectDefinition:
# This is an auto-generated file. DO NOT EDIT
Expand All @@ -44,6 +54,163 @@ spec:
env:
- name: ARGOCD_CLUSTER_CONFIG_NAMESPACES
value: "*"
{{- if $hasInitContainerCapability }}
- complianceType: mustonlyhave
objectDefinition:
apiVersion: argoproj.io/v1beta1
kind: ArgoCD
metadata:
name: openshift-gitops
namespace: openshift-gitops
spec:
applicationSet:
resources:
limits:
cpu: "2"
memory: 1Gi
requests:
cpu: 250m
memory: 512Mi
webhookServer:
ingress:
enabled: false
route:
enabled: false
controller:
processors: {}
resources:
limits:
cpu: "2"
memory: 2Gi
requests:
cpu: 250m
memory: 1Gi
sharding: {}
grafana:
enabled: false
ingress:
enabled: false
resources:
limits:
cpu: 500m
memory: 256Mi
requests:
cpu: 250m
memory: 128Mi
route:
enabled: false
ha:
enabled: false
resources:
limits:
cpu: 500m
memory: 256Mi
requests:
cpu: 250m
memory: 128Mi
initialSSHKnownHosts: {}
monitoring:
enabled: false
notifications:
enabled: false
prometheus:
enabled: false
ingress:
enabled: false
route:
enabled: false
rbac:
defaultPolicy: ""
policy: |-
g, system:cluster-admins, role:admin
g, cluster-admins, role:admin
scopes: '[groups]'
redis:
resources:
limits:
cpu: 500m
memory: 256Mi
requests:
cpu: 250m
memory: 128Mi
repo:
initContainers:
- command:
- bash
- -c
- cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt > /tmp/ca-bundles/ca-bundle.crt
|| true
image: registry.access.redhat.com/ubi9/ubi-minimal:latest
name: fetch-ca
resources: {}
volumeMounts:
- mountPath: /var/run/kube-root-ca
name: kube-root-ca
- mountPath: /var/run/trusted-ca
name: trusted-ca-bundle
- mountPath: /tmp/ca-bundles
name: ca-bundles
resources:
limits:
cpu: "1"
memory: 1Gi
requests:
cpu: 250m
memory: 256Mi
volumeMounts:
- mountPath: /etc/pki/tls/certs
name: ca-bundles
volumes:
- configMap:
name: kube-root-ca.crt
name: kube-root-ca
- configMap:
name: trusted-ca-bundle
optional: true
name: trusted-ca-bundle
- emptyDir: {}
name: ca-bundles
resourceExclusions: |-
- apiGroups:
- tekton.dev
clusters:
- '*'
kinds:
- TaskRun
- PipelineRun
server:
autoscale:
enabled: false
grpc:
ingress:
enabled: false
ingress:
enabled: false
resources:
limits:
cpu: 500m
memory: 256Mi
requests:
cpu: 125m
memory: 128Mi
route:
enabled: true
service:
type: ""
sso:
dex:
openShiftOAuth: true
resources:
limits:
cpu: 500m
memory: 256Mi
requests:
cpu: 250m
memory: 128Mi
provider: dex
tls:
ca: {}
{{- end }}{{/* if hasInitContainerCapability */}}
---
apiVersion: policy.open-cluster-management.io/v1
kind: PlacementBinding
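Review bot: Mounting the `ca-bundles` emptyDir at `/etc/pki/tls/certs` in the `repo:` block of the ArgoCD object replaces the image's entire certificate directory with the single `ca-bundle.crt` that the fetch-ca init container writes, and that container's `|| true` hides any failure of the write. Because the `trusted-ca-bundle` volume is `optional: true`, a missing or not-yet-injected ConfigMap would leave the file holding only the kube root CA, so the repo server would presumably fail TLS against hosts signed by public CAs with nothing in the init container's log to explain it. Consider letting the init container fail instead (drop `|| true`, or at least follow the `cat` with `test -s /tmp/ca-bundles/ca-bundle.crt`) so the problem surfaces at pod start, and writing the command as a `>-` block scalar as the imperative fetch-ca helper does, rather than a plain scalar that appears to be split over two lines. The image is also referenced as `ubi9/ubi-minimal:latest`; a fixed tag or digest, or a chart value as `clusterGroup.imperative.image` already is, keeps the rendered policy reproducible.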
2 changes: 2 additions & 0 deletions clustergroup/templates/_helpers.tpl
Expand Up @@ -22,6 +22,8 @@ Default always defined top-level variables for helm charts
value: {{ coalesce $.Values.global.localClusterDomain $.Values.global.hubClusterDomain }}
- name: global.privateRepo
value: {{ $.Values.global.privateRepo | quote }}
- name: global.experimentalCapabilities
value: {{ $.Values.global.experimentalCapabilities | default "" }}
{{- end }} {{/* clustergroup.globalvaluesparameters */}}


103 changes: 102 additions & 1 deletion clustergroup/templates/imperative/_helpers.tpl
Expand Up @@ -4,6 +4,29 @@
# 3. If it is an http secret, generate the correct URL
# 4. If it is an ssh secret, create the private ssh key and make sure the git clone works

{{/* fetch-ca InitContainer */}}
{{- define "imperative.initcontainers.fetch-ca" }}
- name: fetch-ca
image: {{ $.Values.clusterGroup.imperative.image }}
imagePullPolicy: {{ $.Values.clusterGroup.imperative.imagePullPolicy }}
env:
- name: HOME
value: /git/home
command:
- 'sh'
- '-c'
- >-
cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt > /tmp/ca-bundles/ca-bundle.crt || true;
ls -l /tmp/ca-bundles/
volumeMounts:
- mountPath: /var/run/kube-root-ca
name: kube-root-ca
- mountPath: /var/run/trusted-ca
name: trusted-ca-bundle
- mountPath: /tmp/ca-bundles
name: ca-bundles
{{- end }}

{{/* git-init InitContainer */}}
{{- define "imperative.initcontainers.gitinit" }}
- name: git-init
Expand All @@ -12,6 +35,9 @@
env:
- name: HOME
value: /git/home
volumeMounts:
- name: git
mountPath: "/git"
command:
- 'sh'
- '-c'
Expand All @@ -37,11 +63,47 @@
mkdir /git/{repo,home};
git clone --single-branch --branch {{ $.Values.global.targetRevision }} --depth 1 -- "${URL}" /git/repo;
chmod 0770 /git/{repo,home};
{{- end }}

{{/* git-init-ca InitContainer */}}
{{- define "imperative.initcontainers.gitinit-ca" }}
- name: git-init
image: {{ $.Values.clusterGroup.imperative.image }}
imagePullPolicy: {{ $.Values.clusterGroup.imperative.imagePullPolicy }}
env:
- name: HOME
value: /git/home
volumeMounts:
- name: git
mountPath: "/git"
- name: ca-bundles
mountPath: /etc/pki/tls/certs
command:
- 'sh'
- '-c'
- >-
if ! oc get secrets -n openshift-gitops vp-private-repo-credentials &> /dev/null; then
URL="{{ $.Values.global.repoURL }}";
else
if ! oc get secrets -n openshift-gitops vp-private-repo-credentials -o go-template='{{ `{{index .data.sshPrivateKey | base64decode}}` }}' &>/dev/null; then
U="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{ `{{index .data.username | base64decode }}` }}')";
P="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{ `{{index .data.password | base64decode }}` }}')";
URL=$(echo {{ $.Values.global.repoURL }} | sed -E "s/(https?:\/\/)/\1${U}:${P}@/");
echo "USER/PASS: ${URL}";
else
S="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{ `{{index .data.sshPrivateKey | base64decode }}` }}')";
mkdir -p --mode 0700 "${HOME}/.ssh";
echo "${S}" > "${HOME}/.ssh/id_rsa";
chmod 0600 "${HOME}/.ssh/id_rsa";
URL=$(echo {{ $.Values.global.repoURL }} | sed -E "s/(https?:\/\/)/\1git@/");
git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no";
echo "SSH: ${URL}";
fi;
fi;
mkdir /git/{repo,home};
git clone --single-branch --branch {{ $.Values.global.targetRevision }} --depth 1 -- "${URL}" /git/repo;
chmod 0770 /git/{repo,home};
{{- end }}

{{/* Final done container */}}
{{- define "imperative.containers.done" }}
- name: "done"
Expand All @@ -56,10 +118,49 @@
{{- end }}

{{/* volume-mounts for all containers */}}
{{- define "imperative.volumemounts_ca" }}
- name: git
mountPath: "/git"
- name: values-volume
mountPath: /values/values.yaml
subPath: values.yaml
- mountPath: /var/run/kube-root-ca
name: kube-root-ca
- mountPath: /var/run/trusted-ca
name: trusted-ca-bundle
- mountPath: /tmp/ca-bundles
name: ca-bundles
{{- end }}
{{- define "imperative.volumemounts" }}
- name: git
mountPath: "/git"
- name: values-volume
mountPath: /values/values.yaml
subPath: values.yaml
{{- end }}

{{/* volumes for all containers */}}
{{- define "imperative.volumes" }}
- name: git
emptyDir: {}
- name: values-volume
configMap:
name: {{ $.Values.clusterGroup.imperative.valuesConfigMap }}-{{ $.Values.clusterGroup.name }}
{{- end }}

{{- define "imperative.volumes_ca" }}
- name: git
emptyDir: {}
- name: values-volume
configMap:
name: {{ $.Values.clusterGroup.imperative.valuesConfigMap }}-{{ $.Values.clusterGroup.name }}
- configMap:
name: kube-root-ca.crt
name: kube-root-ca
- configMap:
name: trusted-ca-bundle
optional: true
name: trusted-ca-bundle
- name: ca-bundles
emptyDir: {}
{{- end }}
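Review bot: The new `imperative.initcontainers.gitinit-ca` helper repeats `echo "USER/PASS: ${URL}";` after `URL` has had `${U}:${P}@` spliced into it, so the repository password is written to the init container's stdout and lands in the pod log; the same line presumably exists in `imperative.initcontainers.gitinit`, whose body begins above the visible hunk. Log the credential-free form instead, e.g. `echo "USER/PASS: {{ $.Values.global.repoURL }} (user ${U})";`. Separately, gitinit-ca is a line-for-line copy of gitinit that differs only in the two `ca-bundles` mount lines, so any fix to one must be mirrored in the other; a single template taking the extra mount as a parameter, or a shared sub-template for the command, would keep them from drifting. The same duplication exists between `imperative.volumemounts_ca`/`imperative.volumemounts` and `imperative.volumes_ca`/`imperative.volumes` in the last hunk.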
9 changes: 9 additions & 0 deletions clustergroup/templates/imperative/configmap.yaml
Expand Up @@ -9,4 +9,13 @@ metadata:
data:
values.yaml: |
{{ tpl $valuesyaml . | indent 4 }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: trusted-ca-bundle
namespace: {{ $.Values.clusterGroup.imperative.namespace}}
annotations:
labels:
config.openshift.io/inject-trusted-cabundle: 'true'
{{- end }}
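Review bot: The new `trusted-ca-bundle` ConfigMap carries a bare `annotations:` key, which renders as `annotations: null`; drop the line or write `annotations: {}`. A short comment above `labels:` would help the next reader, e.g. `# OpenShift's trusted-CA injection populates the ca-bundle.crt key of a ConfigMap carrying this label; the imperative fetch-ca init container reads it from /var/run/trusted-ca/ca-bundle.crt`. The `{{- end }}` that closes this document belongs to a block opened above the hunk, and `{{ $.Values.clusterGroup.imperative.namespace}}` is missing the space before `}}` that the rest of the chart uses.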