diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml index 74c3a3ffdc..9a64146bd3 100644 --- a/.github/dependabot.yaml +++ b/.github/dependabot.yaml @@ -22,7 +22,7 @@ updates: schedule: interval: "weekly" - package-ecosystem: "docker" - directory: "/dp-terraform/helm" + directory: "/fleetshard-operator" schedule: interval: "weekly" - package-ecosystem: "github-actions" diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index 23ee51ba26..85c675f6e8 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md @@ -12,7 +12,6 @@ - [ ] Add secret to app-interface Vault or Secrets Manager if necessary - [ ] RDS changes were e2e tested [manually](../docs/development/howto-e2e-test-rds.md) - [ ] Check AWS limits are reasonable for changes provisioning new resources -- [ ] (If applicable) Changes to the dp-terraform Helm values have been reflected in the addon on integration environment ## Test manual diff --git a/.github/workflows/aws-integration.yaml b/.github/workflows/aws-integration.yaml index baf465a8c2..d751750592 100644 --- a/.github/workflows/aws-integration.yaml +++ b/.github/workflows/aws-integration.yaml @@ -17,6 +17,8 @@ on: - 'docs/**' - 'pkg/api/openapi/docs/**' - 'pkg/api/openapi/.openapi-generator-ignore' + - 'dp-terraform/**' + - 'deploy/**' - '.design-proposals/**' pull_request: @@ -34,6 +36,7 @@ on: - 'pkg/api/openapi/docs/**' - 'pkg/api/openapi/.openapi-generator-ignore' - 'dp-terraform/**' + - 'deploy/**' - '.design-proposals/**' jobs: diff --git a/.github/workflows/multicluster-e2e.yaml b/.github/workflows/multicluster-e2e.yaml index 66f164f8d5..6853daf239 100644 --- a/.github/workflows/multicluster-e2e.yaml +++ b/.github/workflows/multicluster-e2e.yaml 
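Review bot: Adding `deploy/**` to `paths-ignore` on both the push and pull_request triggers means a change that only touches the new chart under `deploy/charts/emailsender` no longer runs this workflow, even though this same commit makes `make deploy/emailsender` render that chart for the dev environment. If the AWS integration job brings up emailsender, a chart-only regression would surface only on the next unrelated change; if it does not, a comment next to the entry saying so would spare the next reader the same question. One way to keep the exclusion narrow is a `paths` filter with `!` negation so the chart directory stays in scope. Both `on:` blocks are cut at the hunk edges, so the rest of the trigger configuration is not visible here.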
@@ -24,6 +24,12 @@ on: - 'internal/central/pkg/handlers/admin_central.go' - 'internal/central/pkg/services/central.go' +# Cancel previous runs +# see: https://docs.github.com/en/actions/how-tos/write-workflows/choose-when-workflows-run/control-workflow-concurrency +concurrency: + group: ${{ github.workflow }}-${{ github.ref || github.run_id }} + cancel-in-progress: true + jobs: create-cluster: name: "Create Test Infra Clusters" @@ -33,16 +39,29 @@ jobs: strategy: matrix: name: [acscs1, acscs2] + outputs: + cluster_id: ${{ steps.cluster_id.outputs.short_sha }} steps: + - name: Generate cluster ID + id: cluster_id + run: | + # OSD cluster names are limited to 15 characters. + # Use first 7 chars of commit SHA for traceability and uniqueness. + # Format: -<7-char-sha> (e.g., acscs1-a1b2c3d = 14 chars) + SHORT_SHA=$(echo "${{ github.sha }}" | cut -c1-7) + echo "short_sha=$SHORT_SHA" >> "$GITHUB_OUTPUT" + - name: Create cluster uses: stackrox/actions/infra/create-cluster@v1 with: token: ${{ secrets.INFRA_TOKEN }} - flavor: osd-on-aws - name: ${{ matrix.name }}-${{ github.run_id }}${{ github.run_attempt }} + flavor: rosahcp + name: ${{ matrix.name }}-${{ steps.cluster_id.outputs.short_sha }} + description: "Used for acs-fleet-manager Multicluster E2E tests. Workflow run: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" lifespan: 3h args: nodes=3,machine-type=m5.2xlarge wait: true + no-slack: true e2e-test: name: "Multicluster e2e tests" 
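Review bot: Naming the clusters `${{ matrix.name }}-<short sha>` drops the run_id/run_attempt component that made the old name unique per run, so two runs of the same commit share one name: a re-run after a failure (where the cleanup job now deliberately keeps the clusters via `success() || cancelled()`) or a push/workflow_dispatch pair on the same SHA will find `acscs1-<sha>` already existing at `create-cluster`, and the older run's cleanup can delete the cluster the newer run is using. Consider keeping a run-specific component (for example `github.run_attempt`) inside the 15-character limit, or stating the one-run-per-commit assumption next to the limit comment. The `cluster_id` job output is declared but the later jobs recompute `SHORT_SHA` inline instead of reading `needs.create-cluster.outputs.cluster_id`; using the output keeps the name derivation in one place. The comment `# Format: -<7-char-sha>` appears to have lost the matrix-name placeholder before the dash. The `create-cluster` job and the `jobs:` map continue past the hunk.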
@@ -66,13 +85,14 @@ jobs: - name: Set cluster credentials run: | set -eo pipefail + SHORT_SHA=$(echo "${{ github.sha }}" | cut -c1-7) mkdir kube cluster1Conf="$(pwd)/kube/cluster1" - url=$(infractl artifacts "acscs1-${{ github.run_id }}${{ github.run_attempt }}" --json | jq '.Artifacts[] | select(.Name=="kubeconfig") | .URL' -r) + url=$(infractl artifacts "acscs1-${SHORT_SHA}" --json | jq '.Artifacts[] | select(.Name=="kubeconfig") | .URL' -r) wget -O "$cluster1Conf" "$url" cluster2Conf="$(pwd)/kube/cluster2" - url=$(infractl artifacts "acscs2-${{ github.run_id }}${{ github.run_attempt }}" --json | jq '.Artifacts[] | select(.Name=="kubeconfig") | .URL' -r) + url=$(infractl artifacts "acscs2-${SHORT_SHA}" --json | jq '.Artifacts[] | select(.Name=="kubeconfig") | .URL' -r) wget -O "$cluster2Conf" "$url" echo "CLUSTER_1_KUBECONFIG=$cluster1Conf" >> "$GITHUB_ENV" @@ -102,7 +122,9 @@ jobs: name: "Cleanup Test Infra Clusters" runs-on: ubuntu-latest needs: [create-cluster, e2e-test] - if: ${{ !github.event.pull_request.head.repo.fork && !github.event.pull_request.draft && always() }} # do not run for PRs from forks + # do not run for PRs from forks + # keep the clusters in case of failure for debugging + if: ${{ !github.event.pull_request.head.repo.fork && !github.event.pull_request.draft && (success() || cancelled()) }} environment: development env: INFRA_TOKEN: ${{ secrets.INFRA_TOKEN }} @@ -112,6 +134,7 @@ jobs: - name: Delete test clusters run: | set -o pipefail - infractl delete "acscs1-${{ github.run_id }}${{ github.run_attempt }}" - infractl delete "acscs2-${{ github.run_id }}${{ github.run_attempt }}" + SHORT_SHA=$(echo "${{ github.sha }}" | cut -c1-7) + infractl delete "acscs1-${SHORT_SHA}" + infractl delete "acscs2-${SHORT_SHA}" exit 0 diff --git a/Makefile b/Makefile index 04e865cc5c..6e378387d8 100644 --- a/Makefile +++ b/Makefile 
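Review bot: The new comment on the cleanup `if` says failed runs keep their clusters for debugging, but the clusters were created with `lifespan: 3h`, so the infra service reclaims them regardless; stating that bound, e.g. `# keep the clusters in case of failure for debugging (infra still reclaims them after the 3h lifespan)`, tells a reader how long they have. With `cancel-in-progress: true` now set on the workflow, `cancelled()` mostly covers superseded runs, which is worth a word in the same comment since it is the reason cleanup must run for cancelled runs. The cleanup job body continues past the hunk.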
@@ -895,3 +895,18 @@ CLUSTER_ID ?= test run/emailsender: @CLUSTER_ID=$(CLUSTER_ID) go run emailsender/cmd/app/main.go .PHONY: run/emailsender + +deploy/emailsender: IMAGE_REPO?="$(external_image_registry)/$(emailsender_image_repository)" +deploy/emailsender: IMAGE_TAG?="$(image_tag)" +deploy/emailsender: + @kubectl apply -n "$(NAMESPACE)" -f "dev/env/manifests/emailsender-db" + @helm upgrade --install -n "$(NAMESPACE)" emailsender "deploy/charts/emailsender" \ + --values "dev/env/values/emailsender/values.yaml" \ + --set image.repo="$(IMAGE_REPO)" \ + --set image.tag="$(IMAGE_TAG)" +.PHONY: deploy/emailsender + +undeploy/emailsender: + @helm uninstall -n "$(NAMESPACE)" emailsender + @kubectl delete -n "$(NAMESPACE)" -f "dev/env/manifests/emailsender-db" +.PHONY: undeploy/emailsender diff --git a/deploy/charts/emailsender/.helmignore b/deploy/charts/emailsender/.helmignore new file mode 100644 index 0000000000..0e8a0eb36f --- /dev/null +++ b/deploy/charts/emailsender/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/deploy/charts/emailsender/Chart.yaml b/deploy/charts/emailsender/Chart.yaml new file mode 100644 index 0000000000..61182fe267 --- /dev/null +++ b/deploy/charts/emailsender/Chart.yaml 
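Review bot: The target-specific defaults `IMAGE_REPO?="$(external_image_registry)/$(emailsender_image_repository)"` and `IMAGE_TAG?="$(image_tag)"` keep the literal double quotes inside the Make variable, so the recipe expands to `--set image.repo=""…""`; that only works because the shell collapses the empty strings, and it misbehaves as soon as the value is used unquoted anywhere else. Drop the quotes in the assignment (`deploy/emailsender: IMAGE_REPO ?= $(external_image_registry)/$(emailsender_image_repository)`) and keep the quoting at the use site. For the tag use `--set-string image.tag="$(IMAGE_TAG)"`: an all-digit tag passed via `--set` is parsed as a number and can be rendered in exponent form in the Deployment's `image:` line. `$(NAMESPACE)` has no default in this hunk; presumably it is defined earlier in the Makefile, otherwise `kubectl apply -n ""` fails.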
@@ -0,0 +1,24 @@ +apiVersion: v2 +name: emailsender +description: "Chart to deploy emailsender service for RHACS dataplane clusters" + +# A chart can be either an 'application' or a 'library' chart. +# +# Application charts are a collection of templates that can be packaged into versioned archives +# to be deployed. +# +# Library charts provide useful utilities or functions for the chart developer. They're included as +# a dependency of application charts to inject those utilities and functions into the rendering +# pipeline. Library charts do not define any templates and therefore cannot be deployed. +type: application + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +# Versions are expected to follow Semantic Versioning (https://semver.org/) +version: "0.1.0" + +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. Versions are not expected to +# follow Semantic Versioning. They should reflect the version the application is using. +# It is recommended to use it with quotes. +appVersion: "0.1.0" diff --git a/deploy/charts/emailsender/README.md b/deploy/charts/emailsender/README.md new file mode 100644 index 0000000000..2f06dd2f88 --- /dev/null +++ b/deploy/charts/emailsender/README.md 
@@ -0,0 +1,57 @@ +# Emailsender Helm Chart + +This Helm chart deploys the emailsender service for RHACS dataplane clusters. + +## Overview + +The emailsender service handles email notifications for RHACS tenants. It uses AWS SES as the email provider and requires a PostgreSQL database for storing email records. + +## Prerequisites + +- Kubernetes cluster with OpenShift service-ca operator (for HTTPS support) +- External Secrets Operator (for AWS secrets management) +- AWS IAM role for SES access + +## Configuration + +See [values.yaml](values.yaml) for the full list of configuration options. + +### Key Configuration Values + +- `replicas`: Number of replicas (default: 3) +- `image.repo`: Container image repository +- `image.tag`: Container image tag +- `clusterId`: Data plane cluster ID +- `clusterName`: Data plane cluster name +- `environment`: Environment name (e.g., "production", "staging") +- `senderAddress`: Email sender address +- `emailProvider`: Email provider (default: "AWS_SES") +- `aws.region`: AWS region for SES + +## Installation + +```bash +helm install emailsender ./deploy/charts/emailsender \ + --set clusterId=my-cluster \ + --set clusterName=my-cluster \ + --set environment=production \ + --set aws.region=us-east-1 +``` + +## Components + +The chart deploys: + +1. **Deployment**: The emailsender service with 3 replicas by default +2. **Service**: ClusterIP service exposing port 443 (HTTPS) +3. **ServiceAccount**: For AWS IAM role integration +4. **RBAC**: ClusterRole and ClusterRoleBinding +5. **ExternalSecrets**: For database credentials and AWS role ARN + +## Database + +The emailsender requires a PostgreSQL database. Database credentials are managed via External Secrets Operator and stored in AWS Secrets Manager. + +## HTTPS/TLS + +The service uses OpenShift's service-ca operator to generate TLS certificates. This can be disabled by setting `enableHTTPS=false` for clusters without the service-ca operator. 
diff --git a/dp-terraform/helm/rhacs-terraform/templates/emailsender-rbac.yaml b/deploy/charts/emailsender/templates/emailsender-rbac.yaml similarity index 91% rename from dp-terraform/helm/rhacs-terraform/templates/emailsender-rbac.yaml rename to deploy/charts/emailsender/templates/emailsender-rbac.yaml index f253648684..cf31308d02 100644 --- a/dp-terraform/helm/rhacs-terraform/templates/emailsender-rbac.yaml +++ b/deploy/charts/emailsender/templates/emailsender-rbac.yaml @@ -1,4 +1,3 @@ -{{- if .Values.emailsender.enabled }} apiVersion: v1 kind: ServiceAccount metadata: @@ -22,4 +21,3 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: emailsender-role -{{- end }} diff --git a/dp-terraform/helm/rhacs-terraform/templates/emailsender-secret.yaml b/deploy/charts/emailsender/templates/emailsender-secret.yaml similarity index 68% rename from dp-terraform/helm/rhacs-terraform/templates/emailsender-secret.yaml rename to deploy/charts/emailsender/templates/emailsender-secret.yaml index 9208b5d76c..6ceb5f3fb0 100644 --- a/dp-terraform/helm/rhacs-terraform/templates/emailsender-secret.yaml +++ b/deploy/charts/emailsender/templates/emailsender-secret.yaml @@ -1,4 +1,4 @@ -{{- if and (.Capabilities.APIVersions.Has "external-secrets.io/v1beta1") .Values.global.createExternalSecrets }} +{{- if and (.Capabilities.APIVersions.Has "external-secrets.io/v1beta1") .Values.createExternalSecrets }} apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret metadata: @@ -6,7 +6,7 @@ metadata: namespace: {{ .Release.Namespace }} spec: secretStoreRef: - name: {{ .Values.global.secretStore.aws.secretsManagerSecretStoreName }} + name: {{ .Values.secretStore.aws.secretsManagerSecretStoreName }} kind: ClusterSecretStore target: name: emailsender-db 
@@ -14,23 +14,23 @@ spec: data: - secretKey: db.user # pragma: allowlist secret remoteRef: - key: "cluster-{{ .Values.emailsender.clusterName }}-emailsender-db" + key: "cluster-{{ .Values.clusterName }}-emailsender-db" property: "username" - secretKey: db.name # pragma: allowlist secret remoteRef: - key: "cluster-{{ .Values.emailsender.clusterName }}-emailsender-db" + key: "cluster-{{ .Values.clusterName }}-emailsender-db" property: "databaseName" - secretKey: db.host # pragma: allowlist secret remoteRef: - key: "cluster-{{ .Values.emailsender.clusterName }}-emailsender-db" + key: "cluster-{{ .Values.clusterName }}-emailsender-db" property: "host" - secretKey: db.password # pragma: allowlist secret remoteRef: - key: "cluster-{{ .Values.emailsender.clusterName }}-emailsender-db" + key: "cluster-{{ .Values.clusterName }}-emailsender-db" property: "password" # pragma: allowlist secret - secretKey: db.port # pragma: allowlist secret remoteRef: - key: "cluster-{{ .Values.emailsender.clusterName }}-emailsender-db" + key: "cluster-{{ .Values.clusterName }}-emailsender-db" property: "port" --- apiVersion: external-secrets.io/v1beta1 @@ -40,7 +40,7 @@ metadata: namespace: {{ .Release.Namespace }} spec: secretStoreRef: - name: {{ .Values.global.secretStore.aws.parameterStoreSecretStoreName }} + name: {{ .Values.secretStore.aws.parameterStoreSecretStoreName }} kind: ClusterSecretStore target: name: emailsender-parameters diff --git a/dp-terraform/helm/rhacs-terraform/templates/emailsender.yaml b/deploy/charts/emailsender/templates/emailsender.yaml similarity index 65% rename from dp-terraform/helm/rhacs-terraform/templates/emailsender.yaml rename to deploy/charts/emailsender/templates/emailsender.yaml index 1d4f231fa8..4e947c2069 100644 --- a/dp-terraform/helm/rhacs-terraform/templates/emailsender.yaml +++ b/deploy/charts/emailsender/templates/emailsender.yaml @@ -1,4 +1,3 @@ -{{- if .Values.emailsender.enabled }} apiVersion: apps/v1 kind: Deployment metadata: 
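Review bot: `clusterName` defaults to `""` in the chart's values.yaml, so with defaults every `remoteRef.key` in this hunk renders as `cluster--emailsender-db` and the ExternalSecret fails at sync time rather than at install time. Failing early is cheaper: `key: "cluster-{{ required "clusterName must be set" .Values.clusterName }}-emailsender-db"` on the five entries (or once through a named template) turns the missing value into a render error. The same applies to the `CLUSTER_ID`/`CLUSTER_NAME` env values in the Deployment template, which read the same defaults.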
@@ -7,7 +6,7 @@ metadata: labels: app: emailsender spec: - replicas: {{ .Values.emailsender.replicas }} + replicas: {{ .Values.replicas }} selector: matchLabels: app: emailsender 
@@ -21,42 +20,39 @@ spec: serviceAccountName: emailsender containers: - name: emailsender - image: "{{ .Values.emailsender.image.repo }}:{{ .Values.emailsender.image.tag | default .Values.global.image.tag }}" + image: "{{ .Values.image.repo }}:{{ .Values.image.tag }}" imagePullPolicy: IfNotPresent command: - /acscs/emailsender env: - # TODO(ROX-23260): use emailsender values once their are available via the Addon flow - name: CLUSTER_ID - value: {{ .Values.fleetshardSync.clusterId }} + value: {{ .Values.clusterId }} - name: CLUSTER_NAME - value: {{ .Values.fleetshardSync.clusterName }} + value: {{ .Values.clusterName }} - name: ENVIRONMENT - value: {{ .Values.fleetshardSync.environment }} + value: {{ .Values.environment }} - name: SENDER_ADDRESS - value: {{ .Values.emailsender.senderAddress }} + value: {{ .Values.senderAddress }} - name: EMAIL_PROVIDER - value: {{ .Values.emailsender.emailProvider }} + value: {{ .Values.emailProvider }} - name: HTTPS_CERT_FILE value: "/var/run/certs/tls.crt" - name: HTTPS_KEY_FILE value: "/var/run/certs/tls.key" - name: DATABASE_SSL_MODE - value: {{ .Values.emailsender.db.sslMode }} + value: {{ .Values.db.sslMode }} - name: DATABASE_CA_CERT_FILE - value: {{ .Values.emailsender.db.caCertFile }} - {{- if .Values.emailsender.authConfigFromKubernetes }} + value: {{ .Values.db.caCertFile }} + {{- if .Values.authConfigFromKubernetes }} - name: AUTH_CONFIG_FROM_KUBERNETES value: "true" {{- end }} - {{- if .Values.emailsender.enableHTTPS }} + {{- if .Values.enableHTTPS }} - name: ENABLE_HTTPS value: "true" {{- end }} - # Reusing fleetshardSync.aws.region here since the Values file defines multiple - # aws region for different components and the emailsender should always use the same as FS - name: AWS_REGION - value: {{ .Values.fleetshardSync.aws.region }} + value: {{ .Values.aws.region }} - name: AWS_ROLE_ARN valueFrom: secretKeyRef: 
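Review bot: The templated env values (`CLUSTER_ID`, `CLUSTER_NAME`, `ENVIRONMENT`, `SENDER_ADDRESS`, `EMAIL_PROVIDER`, `DATABASE_SSL_MODE`, `DATABASE_CA_CERT_FILE`, `AWS_REGION`) are rendered unquoted, while the resources block a few lines down already uses `| quote`. An empty value such as the dev values file's `caCertFile: ""` renders as a bare `value:` (null), and an all-digit or boolean-looking value is typed by the YAML parser and rejected by the API server because `EnvVar.value` must be a string. Appending `| quote` to each of these lines, e.g. `value: {{ .Values.db.caCertFile | quote }}`, makes the output a string in every case. The container spec continues past the hunk (`AWS_ROLE_ARN`, ports and resources).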
@@ -71,10 +67,10 @@ spec: containerPort: 8080 resources: limits: - memory: {{ .Values.emailsender.resources.limits.memory | quote }} + memory: {{ .Values.resources.limits.memory | quote }} requests: - cpu: {{ .Values.emailsender.resources.requests.cpu | quote }} - memory: {{ .Values.emailsender.resources.requests.memory | quote }} + cpu: {{ .Values.resources.requests.cpu | quote }} + memory: {{ .Values.resources.requests.memory | quote }} volumeMounts: - name: aws-token mountPath: /var/run/secrets/tokens @@ -82,7 +78,7 @@ spec: - name: emailsender-db mountPath: /secrets readOnly: true - {{- if .Values.emailsender.enableHTTPS }} + {{- if .Values.enableHTTPS }} - name: emailsender-tls mountPath: /var/run/certs readOnly: true @@ -91,7 +87,7 @@ spec: - name: emailsender-db secret: secretName: emailsender-db # pragma: allowlist secret - {{- if .Values.emailsender.enableHTTPS }} + {{- if .Values.enableHTTPS }} - name: emailsender-tls secret: secretName: emailsender-tls # pragma: allowlist secret @@ -122,4 +118,3 @@ spec: selector: app: emailsender type: ClusterIP -{{- end }} diff --git a/deploy/charts/emailsender/values.yaml b/deploy/charts/emailsender/values.yaml new file mode 100644 index 0000000000..d5358a5321 --- /dev/null +++ b/deploy/charts/emailsender/values.yaml 
@@ -0,0 +1,39 @@ +replicas: 3 +image: + repo: "quay.io/redhat-services-prod/acscs-rhacs-tenant/acscs-main/acs-emailsender" + tag: "latest" +# Use this in case you apply this manifest against a cluster without service-ca operator +# to turn off HTTPS and mounting the service-ca certs since they'll not be created +enableHTTPS: true +# Database connection settings +db: + # Possible values: disable, require, verify-ca, verify-full + sslMode: "verify-full" + # Can be empty if sslMode is disabled + caCertFile: /rds_ca/aws-rds-ca-global-bundle.pem +# Cluster information +clusterId: "" +clusterName: "" +environment: "" +# Email provider configuration +senderAddress: "noreply@mail.rhacs-dev.com" +emailProvider: "AWS_SES" +# Authentication configuration +authConfigFromKubernetes: true +# AWS configuration +aws: + region: "us-east-1" +# Resource limits and requests +resources: + requests: + cpu: "100m" + memory: "512Mi" + limits: + cpu: "200m" + memory: "512Mi" + +createExternalSecrets: true +secretStore: + aws: + secretsManagerSecretStoreName: secrets-manager-secret-store # pragma: allowlist secret + parameterStoreSecretStoreName: parameter-store-secret-store # pragma: allowlist secret diff --git a/dev/env/manifests/addons/01-acs-fleetshard-addon.yaml b/dev/env/manifests/addons/acs-fleetshard/01-acs-fleetshard-addon.yaml similarity index 100% rename from dev/env/manifests/addons/01-acs-fleetshard-addon.yaml rename to dev/env/manifests/addons/acs-fleetshard/01-acs-fleetshard-addon.yaml diff --git a/dev/env/manifests/addons/02-acs-fleetshard-parameters-secret.yaml b/dev/env/manifests/addons/acs-fleetshard/02-acs-fleetshard-parameters-secret.yaml similarity index 100% rename from dev/env/manifests/addons/02-acs-fleetshard-parameters-secret.yaml rename to dev/env/manifests/addons/acs-fleetshard/02-acs-fleetshard-parameters-secret.yaml 
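Review bot: `resources.limits.cpu: "200m"` is never rendered — the Deployment template emits only `limits.memory` plus the two requests — so the value is silently ignored while a reader of values.yaml assumes a CPU limit is in place; either render it in the template or drop it here, with a comment on the line as the minimum. `clusterId`, `clusterName` and `environment` default to `""` although the templates build secret keys and env values from them; a comment marking them as required (or `required` in the templates) makes that visible. The `image.tag: "latest"` default together with `imagePullPolicy: IfNotPresent` in the Deployment means a node keeps whatever `latest` it already cached, so a comment that real installs pass an explicit tag (the Makefile target does) would help.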
diff --git a/dev/env/manifests/addons/00-addon-crd.yaml b/dev/env/manifests/addons/crds/00-addon-crd.yaml similarity index 100% rename from dev/env/manifests/addons/00-addon-crd.yaml rename to dev/env/manifests/addons/crds/00-addon-crd.yaml diff --git a/dev/env/manifests/emailsender-db/emailsender-db.yaml b/dev/env/manifests/emailsender-db/emailsender-db.yaml new file mode 100644 index 0000000000..5b9ffddaec --- /dev/null +++ b/dev/env/manifests/emailsender-db/emailsender-db.yaml @@ -0,0 +1,66 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: emailsender-db + labels: + app: emailsender-db +spec: + replicas: 1 + selector: + matchLabels: + app: emailsender-db + strategy: {} + template: + metadata: + labels: + app: emailsender-db + spec: + containers: + - image: postgres:13 + name: postgres + ports: + - containerPort: 5432 + resources: + requests: + cpu: "100m" + memory: 250Mi + limits: + cpu: "150m" + memory: 300Mi + env: + - name: POSTGRES_PASSWORD + value: "postgres" + - name: POSTGRES_USER + value: "postgres" + - name: POSTGRES_DB + value: "postgres" +--- +apiVersion: v1 +kind: Service +metadata: + name: emailsender-db + labels: + app: emailsender-db +spec: + ports: + - name: 5432-5432 + port: 5432 + protocol: TCP + targetPort: 5432 + selector: + app: emailsender-db + type: ClusterIP +--- +apiVersion: v1 +kind: Secret +metadata: + name: emailsender-db +stringData: + db.host: "emailsender-db" +--- +apiVersion: v1 +kind: Secret +metadata: + name: emailsender-parameters +stringData: + aws-role-arn: "placeholder" diff --git a/dev/env/manifests/external-dns-operator/00-application.yaml b/dev/env/manifests/external-dns-operator/00-application.yaml deleted file mode 100644 index 635a377520..0000000000 --- a/dev/env/manifests/external-dns-operator/00-application.yaml +++ /dev/null 
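Review bot: This manifest runs PostgreSQL with fixed credentials (`POSTGRES_PASSWORD: "postgres"`), mounts no volume, and carries no namespace, and `make deploy/emailsender` applies it into whatever `NAMESPACE` points at; nothing in the file says it is meant for throwaway dev/CI clusters only. A header comment such as `# Dev/CI-only PostgreSQL for the emailsender: fixed credentials, no persistence; never apply to a shared or long-lived cluster.` makes the intent explicit. The `emailsender-db` Secret provides only `db.host`, whereas the chart's ExternalSecret populates `db.user`, `db.name`, `db.host`, `db.password` and `db.port`; presumably the service falls back to defaults for the missing keys — worth confirming, or adding them here so the dev path mirrors production. `strategy: {}` is an empty map and can simply be omitted.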
@@ -1,30 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: rhacs-external-dns-operator - namespace: "$ARGOCD_NAMESPACE" -spec: - destination: - namespace: external-dns-operator - server: https://kubernetes.default.svc - project: default - syncPolicy: - automated: - prune: true - selfHeal: true - syncOptions: - - CreateNamespace=true - managedNamespaceMetadata: - labels: - argocd.argoproj.io/managed-by: "$ARGOCD_NAMESPACE" - app.kubernetes.io/managed-by: "$ARGOCD_NAMESPACE" - retry: - limit: -1 - backoff: - duration: 5s - factor: 2 - maxDuration: 3m - source: - repoURL: https://github.com/stackrox/acscs-manifests - targetRevision: HEAD - path: external-dns-operator diff --git a/dev/env/manifests/external-dns/00-namespace.yaml b/dev/env/manifests/external-dns-operator/00-namespace.yaml similarity index 100% rename from dev/env/manifests/external-dns/00-namespace.yaml rename to dev/env/manifests/external-dns-operator/00-namespace.yaml diff --git a/dev/env/manifests/external-dns-operator/01-subscription.yaml b/dev/env/manifests/external-dns-operator/01-subscription.yaml new file mode 100644 index 0000000000..df212f6266 --- /dev/null +++ b/dev/env/manifests/external-dns-operator/01-subscription.yaml @@ -0,0 +1,11 @@ +apiVersion: operators.coreos.com/v1alpha1 +kind: Subscription +metadata: + name: external-dns-operator + namespace: external-dns-operator +spec: + channel: stable-v1 + installPlanApproval: Automatic + name: external-dns-operator + source: redhat-operators + sourceNamespace: openshift-marketplace diff --git a/dev/env/manifests/external-dns-operator/02-operatorgroup.yaml b/dev/env/manifests/external-dns-operator/02-operatorgroup.yaml new file mode 100644 index 0000000000..7ddf7f88cd --- /dev/null +++ b/dev/env/manifests/external-dns-operator/02-operatorgroup.yaml 
@@ -0,0 +1,9 @@ +apiVersion: operators.coreos.com/v1 +kind: OperatorGroup +metadata: + name: external-dns-operator + namespace: external-dns-operator +spec: + targetNamespaces: + - external-dns-operator + upgradeStrategy: Default diff --git a/dev/env/manifests/fleetshard-operator/51-fleetshard-cr.yaml b/dev/env/manifests/fleetshard-operator/51-fleetshard-cr.yaml index 8f05d7e77d..71ecc8d3d8 100644 --- a/dev/env/manifests/fleetshard-operator/51-fleetshard-cr.yaml +++ b/dev/env/manifests/fleetshard-operator/51-fleetshard-cr.yaml @@ -33,7 +33,3 @@ spec: addonAutoUpgradeEnabled: false printCentralUpdateDiff: true resources: $FLEETSHARD_SYNC_RESOURCES - emailsender: - enabled: $ENABLE_EMAIL_SENDER - enableHTTPS: false - replicas: 1 diff --git a/dev/env/scripts/bootstrap.sh b/dev/env/scripts/bootstrap.sh index 9bc40342e9..628e48d791 100755 --- a/dev/env/scripts/bootstrap.sh +++ b/dev/env/scripts/bootstrap.sh @@ -110,14 +110,18 @@ if ! is_openshift_cluster "$CLUSTER_TYPE"; then apply "${MANIFESTS_DIR}/monitoring" fi -apply "${MANIFESTS_DIR}/addons/00-addon-crd.yaml" -wait_for_crd "addons.addons.managed.openshift.io" -apply "${MANIFESTS_DIR}/addons" +# Apply addon CRD only if it doesn't exist +if ! $KUBECTL get crd addons.addons.managed.openshift.io &>/dev/null; then + log "Addon CRD not found, applying..." + apply "${MANIFESTS_DIR}/addons/crds/00-addon-crd.yaml" + wait_for_crd "addons.addons.managed.openshift.io" +else + log "Addon CRD already exists, skipping..." +fi +apply "${MANIFESTS_DIR}/addons/acs-fleetshard" if is_openshift_cluster "$CLUSTER_TYPE"; then log "Installing ExternalDNS for OpenShift" - wait_for_crd "applications.argoproj.io" - apply "${MANIFESTS_DIR}/external-dns-operator" wait_for_crd externaldnses.externaldns.olm.openshift.io diff --git a/dev/env/scripts/up.sh b/dev/env/scripts/up.sh index bb8a30a617..0b273341d6 100755 --- a/dev/env/scripts/up.sh +++ b/dev/env/scripts/up.sh 
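Review bot: Skipping the CRD apply whenever `addons.addons.managed.openshift.io` already exists means a newer CRD definition checked into `addons/crds/` is never applied to an existing dev cluster; `kubectl apply` is idempotent, so the guard only matters when the CRD is owned by something else. Presumably the intent is not to overwrite the CRD a managed OSD/ROSA cluster already ships — if so, say it in the comment, e.g. `# Apply addon CRD only if it doesn't exist (managed clusters ship their own; never overwrite it)`. `&>/dev/null` is bash-only, which is fine as long as the script keeps its bash shebang. The `if is_openshift_cluster` block continues past the hunk.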
@@ -77,6 +77,8 @@ if [[ "$SPAWN_LOGGER" == "true" && -n "${LOG_DIR:-}" ]]; then fi if [[ "$ENABLE_EMAIL_SENDER" == "true" ]]; then + log "Deploying emailsender" + make -C "$GITROOT" deploy/emailsender wait_for_container_to_appear "$ACSCS_NAMESPACE" "application=emailsender" "emailsender" if [[ "$SPAWN_LOGGER" == "true" && -n "${LOG_DIR:-}" ]]; then $KUBECTL -n "$ACSCS_NAMESPACE" logs -l application=emailsender --all-containers --pod-running-timeout=1m --since=1m --tail=100 -f >"${LOG_DIR}/pod-logs_emailsender_emailsender.txt" 2>&1 & diff --git a/dev/env/values/emailsender/values.yaml b/dev/env/values/emailsender/values.yaml new file mode 100644 index 0000000000..f873a5557e --- /dev/null +++ b/dev/env/values/emailsender/values.yaml @@ -0,0 +1,12 @@ +clusterId: 1234567890abcdef1234567890abcdef # pragma: allowlist secret +clusterName: dev +environment: dev +enableHTTPS: false +replicas: 1 +authConfigFromKubernetes: true +db: + sslMode: "disable" + caCertFile: "" +image: + repo: "quay.io/rhacs-eng/emailsender" +createExternalSecrets: false diff --git a/dp-terraform/helm/rhacs-terraform/values.yaml b/dp-terraform/helm/rhacs-terraform/values.yaml index 623f3954ab..9798e85e12 100644 --- a/dp-terraform/helm/rhacs-terraform/values.yaml +++ b/dp-terraform/helm/rhacs-terraform/values.yaml 
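Review bot: `make -C "$GITROOT" deploy/emailsender` does not pass `NAMESPACE`, while the following `wait_for_container_to_appear` polls `$ACSCS_NAMESPACE`; unless the Makefile derives `NAMESPACE` from that same variable, the chart lands in the Makefile default and the wait times out. Passing it explicitly, `make -C "$GITROOT" NAMESPACE="$ACSCS_NAMESPACE" deploy/emailsender`, removes the dependency on that coupling. The same applies to the `make … deploy/emailsender` call in `scripts/ci/central_compatibility/run_compatibility_test.sh`, which creates the `rhacs` namespace itself but does not hand it to make.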
@@ -71,34 +71,6 @@ fleetshardSync: printCentralUpdateDiff: false argoCdNamespace: openshift-gitops -# Email sender service parameters -# - enabled flag is used to completely enable/disable email sender service -emailsender: - enabled: false - # Use this in case you apply this manifest against a cluster without service-ca operator - # to turn of HTTPS and mounting the service-ca certs since they'll not be created - db: - sslMode: "verify-full" - caCertFile: /rds_ca/aws-rds-ca-global-bundle.pem - enableHTTPS: true - replicas: 3 - image: - repo: "quay.io/redhat-services-prod/acscs-rhacs-tenant/acscs-main/acs-emailsender" - tag: null - clusterId: "" - clusterName: "" - environment: "" - senderAddress: "noreply@mail.rhacs-dev.com" - authConfigFromKubernetes: true - emailProvider: "AWS_SES" - resources: - requests: - cpu: "100m" - memory: "512Mi" - limits: - cpu: "200m" - memory: "512Mi" - global: image: tag: "latest" diff --git a/dp-terraform/osd-cluster-idp-setup.sh b/dp-terraform/osd-cluster-idp-setup.sh old mode 100755 new mode 100644 diff --git a/emailsender/Dockerfile b/emailsender/Dockerfile index 60cbe38a36..d6796c960d 100644 --- a/emailsender/Dockerfile +++ b/emailsender/Dockerfile @@ -10,7 +10,7 @@ COPY . ./ RUN make emailsender -FROM registry.access.redhat.com/ubi8/ubi-minimal:8.10-1295 as standard +FROM registry.access.redhat.com/ubi8/ubi-minimal:8.10-1295 AS standard RUN microdnf install shadow-utils diff --git a/emailsender/README.md b/emailsender/README.md index 71ba3f2a72..bd350e390e 100644 --- a/emailsender/README.md +++ b/emailsender/README.md 
@@ -33,7 +33,7 @@ All related AWS and emailsender limits and how to change them are document in th ## Deployment -The emailsender is deployed as part of the acs-fleetshard-sync addon. The helm chart is defined in `dp-terraform/helm/rhacs-terraform/templates/emailsender*.yaml`. +The emailsender is deployed as part of the acs-fleetshard-sync addon. The helm chart is defined in `deploy/charts/emailsender`. The most important helm values are exposed for configuration through the addon. diff --git a/scripts/ci/central_compatibility/emailsender-db.yaml b/scripts/ci/central_compatibility/emailsender-db.yaml deleted file mode 100644 index c511ff30c5..0000000000 --- a/scripts/ci/central_compatibility/emailsender-db.yaml +++ /dev/null @@ -1,70 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: emailsender-db - name: emailsender-db - namespace: rhacs -spec: - replicas: 1 - selector: - matchLabels: - app: emailsender-db - strategy: {} - template: - metadata: - labels: - app: emailsender-db - spec: - containers: - - image: postgres:13 - name: postgres - ports: - - containerPort: 5432 - resources: - requests: - cpu: "100m" - memory: 250Mi - limits: - cpu: "150m" - memory: 300Mi - env: - - name: POSTGRES_PASSWORD - value: "postgres" - - name: POSTGRES_USER - value: "postgres" - - name: POSTGRES_DB - value: "postgres" ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app: emailsender-db - name: emailsender-db - namespace: rhacs -spec: - ports: - - name: 5432-5432 - port: 5432 - protocol: TCP - targetPort: 5432 - selector: - app: emailsender-db - type: ClusterIP ---- -apiVersion: v1 -data: - db.host: ZW1haWxzZW5kZXItZGI= -kind: Secret -metadata: - name: emailsender-db - namespace: rhacs ---- -apiVersion: v1 -data: - aws-role-arn: "cGxhY2Vob2xkZXIK" -kind: Secret -metadata: - name: emailsender-parameters - namespace: rhacs 
diff --git a/scripts/ci/central_compatibility/emailsender-values.yaml b/scripts/ci/central_compatibility/emailsender-values.yaml deleted file mode 100644 index 79baec53bd..0000000000 --- a/scripts/ci/central_compatibility/emailsender-values.yaml +++ /dev/null @@ -1,21 +0,0 @@ -# This values file is used to render emailsender related kubernetes resources -# in context of emailsender <> central compatiblity tests. Values that are not -# below the emailsender field are the minimum required values for the helm chart -fleetshardSync: - clusterName: test - clusterId: test - environment: dev - managedDB: - enabled: false - subnetGroup: "dummyGroup" -emailsender: - db: - sslMode: "disable" - caCertFile: "" - image: - repo: "quay.io/rhacs-eng/emailsender" - enabled: true - enableHTTPS: false - clusterName: test - replicas: 1 - authConfigFromKubernetes: true diff --git a/scripts/ci/central_compatibility/run_compatibility_test.sh b/scripts/ci/central_compatibility/run_compatibility_test.sh index dc4f66bef1..6b506155cb 100644 --- a/scripts/ci/central_compatibility/run_compatibility_test.sh +++ b/scripts/ci/central_compatibility/run_compatibility_test.sh @@ -7,7 +7,6 @@ set -eux # 2. acs-fleet-manager repo to be available at the execution path with directory name acs-fleet-manager ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")"/../../.. && pwd)" SOURCE_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" -EMAILSENDER_HELM_DIR="$ROOT_DIR/dp-terraform/helm/rhacs-terraform" STACKROX_DIR="$(cd "$ROOT_DIR/../stackrox" && pwd)" EMAILSENDER_NS="rhacs" 
@@ -36,31 +35,19 @@ function pull_to_kind() { kind load docker-image "${img}" } -EMAILSENDER_IMG_TAG="$(make --no-print-directory -C "$ROOT_DIR" tag)" -EMAILSENDER_IMG_NAME="$(make --no-print-directory -C "$ROOT_DIR" image-name/emailsender)" -EMAILSENDER_IMG="$(make --no-print-directory -C "$ROOT_DIR" image-tag/emailsender)" make --no-print-directory -C "$ROOT_DIR" image/build/emailsender -kind load docker-image "${EMAILSENDER_IMG}" +kind load docker-image "$(make --no-print-directory -C "$ROOT_DIR" image-tag/emailsender)" kubectl create ns $EMAILSENDER_NS -o yaml --dry-run=client | kubectl apply -f - kubectl create ns $CENTRAL_NS -o yaml --dry-run=client | kubectl apply -f - -# Render emailsender kubernetes resources -helm template --namespace "${EMAILSENDER_NS}" \ - -f "${SOURCE_DIR}/emailsender-values.yaml" "${EMAILSENDER_HELM_DIR}" \ - --set emailsender.image.repo="${EMAILSENDER_IMG_NAME}" \ - --set emailsender.image.tag="${EMAILSENDER_IMG_TAG}" \ - | yq e '. | select(.metadata.name == "emailsender")' \ - > emailsender-manifests.yaml - -kubectl apply -f emailsender-manifests.yaml -kubectl apply -f "${SOURCE_DIR}/emailsender-db.yaml" +make --no-print-directory -C "$ROOT_DIR" deploy/emailsender log "Emailsender deployed to Kind." log "Starting to deploy central services..." # use nightly if GH action running for acs-fleet-manager -# use the stackrox tag otherwise +# use the stackrox tag otherwise log "Running for repository: $GITHUB_REPOSITORY" if [ "$GITHUB_REPOSITORY" = "stackrox/stackrox" ]; then ACS_VERSION="$(make --no-print-directory -C "$STACKROX_DIR" tag)" diff --git a/scripts/dev-with-openshift-ci.sh b/scripts/dev-with-openshift-ci.sh index f97db7d111..7c595ffc5d 100755 --- a/scripts/dev-with-openshift-ci.sh +++ b/scripts/dev-with-openshift-ci.sh @@ -77,7 +77,7 @@ spec: git: uri: 'https://github.com/stackrox/acs-fleet-manager' ref: ${CUR_BRANCH} - contextDir: /dp-terraform/helm + contextDir: /fleetshard-operator runPolicy: Serial EOF
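Review bot: The removed `helm template` call pinned `image.repo`/`image.tag` to the locally built image (`image-name/emailsender` and `tag`) that is loaded into kind on the line above, whereas `make deploy/emailsender` now falls back to the Makefile defaults `$(external_image_registry)/$(emailsender_image_repository)` and `$(image_tag)`; if those do not spell the same reference as `image-tag/emailsender`, the Deployment pulls from the external registry instead of using the preloaded image. Passing them explicitly, e.g. `make --no-print-directory -C "$ROOT_DIR" IMAGE_REPO="$(make --no-print-directory -C "$ROOT_DIR" image-name/emailsender)" IMAGE_TAG="$(make --no-print-directory -C "$ROOT_DIR" tag)" deploy/emailsender`, keeps the test hermetic. The namespace is likewise left to the Makefile default although the script creates `$EMAILSENDER_NS` itself.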