From 3bc4dbac562832a6f0cde8b44be266a326e6692d Mon Sep 17 00:00:00 2001 From: Yury Kovalev Date: Wed, 8 Oct 2025 17:44:48 +0200 Subject: [PATCH 01/12] ROX-31204: Standalone emailsender chart --- .github/dependabot.yaml | 2 +- .github/pull_request_template.md | 1 - .github/workflows/aws-integration.yaml | 3 + Makefile | 13 +++++ deploy/charts/emailsender/.helmignore | 23 ++++++++ deploy/charts/emailsender/Chart.yaml | 24 ++++++++ deploy/charts/emailsender/README.md | 57 +++++++++++++++++++ .../templates/emailsender-rbac.yaml | 2 - .../templates/emailsender-secret.yaml | 16 +++--- .../emailsender}/templates/emailsender.yaml | 39 ++++++------- deploy/charts/emailsender/values.yaml | 42 ++++++++++++++ .../fleetshard-operator/51-fleetshard-cr.yaml | 4 -- dev/env/scripts/up.sh | 2 + dev/env/values/emailsender/values.yaml | 5 ++ dp-terraform/osd-cluster-idp-setup.sh | 0 emailsender/Dockerfile | 2 +- emailsender/README.md | 2 +- .../emailsender-values.yaml | 28 ++++----- .../run_compatibility_test.sh | 8 +-- scripts/dev-with-openshift-ci.sh | 2 +- 20 files changed, 212 insertions(+), 63 deletions(-) create mode 100644 deploy/charts/emailsender/.helmignore create mode 100644 deploy/charts/emailsender/Chart.yaml create mode 100644 deploy/charts/emailsender/README.md rename {dp-terraform/helm/rhacs-terraform => deploy/charts/emailsender}/templates/emailsender-rbac.yaml (91%) rename {dp-terraform/helm/rhacs-terraform => deploy/charts/emailsender}/templates/emailsender-secret.yaml (68%) rename {dp-terraform/helm/rhacs-terraform => deploy/charts/emailsender}/templates/emailsender.yaml (65%) create mode 100644 deploy/charts/emailsender/values.yaml create mode 100644 dev/env/values/emailsender/values.yaml mode change 100755 => 100644 dp-terraform/osd-cluster-idp-setup.sh diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml index 74c3a3ffdc..9a64146bd3 100644 --- a/.github/dependabot.yaml +++ b/.github/dependabot.yaml 
@@ -22,7 +22,7 @@ updates: schedule: interval: "weekly" - package-ecosystem: "docker" - directory: "/dp-terraform/helm" + directory: "/fleetshard-operator" schedule: interval: "weekly" - package-ecosystem: "github-actions" diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index 23ee51ba26..85c675f6e8 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md @@ -12,7 +12,6 @@ - [ ] Add secret to app-interface Vault or Secrets Manager if necessary - [ ] RDS changes were e2e tested [manually](../docs/development/howto-e2e-test-rds.md) - [ ] Check AWS limits are reasonable for changes provisioning new resources -- [ ] (If applicable) Changes to the dp-terraform Helm values have been reflected in the addon on integration environment ## Test manual diff --git a/.github/workflows/aws-integration.yaml b/.github/workflows/aws-integration.yaml index baf465a8c2..d751750592 100644 --- a/.github/workflows/aws-integration.yaml +++ b/.github/workflows/aws-integration.yaml @@ -17,6 +17,8 @@ on: - 'docs/**' - 'pkg/api/openapi/docs/**' - 'pkg/api/openapi/.openapi-generator-ignore' + - 'dp-terraform/**' + - 'deploy/**' - '.design-proposals/**' pull_request: @@ -34,6 +36,7 @@ on: - 'pkg/api/openapi/docs/**' - 'pkg/api/openapi/.openapi-generator-ignore' - 'dp-terraform/**' + - 'deploy/**' - '.design-proposals/**' jobs: diff --git a/Makefile b/Makefile index 04e865cc5c..da76dbbfc0 100644 --- a/Makefile +++ b/Makefile 
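Review bot: Adding `'deploy/**'` to this path list (and again in the `pull_request` block in the next hunk) means a change to the new emailsender chart under deploy/charts no longer triggers the AWS integration workflow, if this list is `paths-ignore` as the neighbouring entries (`docs/**`, `.design-proposals/**`) suggest. Since up.sh now deploys the service from that chart via `make deploy/emailsender`, a template regression would only surface in whatever jobs still run on chart changes. If the integration job does not exercise emailsender at all this is fine, but then a short comment above the entry saying so would stop the next person from widening it; otherwise narrow the ignore to the non-functional files, e.g. `- 'deploy/charts/emailsender/README.md'`.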
@@ -895,3 +895,16 @@ CLUSTER_ID ?= test run/emailsender: @CLUSTER_ID=$(CLUSTER_ID) go run emailsender/cmd/app/main.go .PHONY: run/emailsender + +deploy/emailsender: IMAGE_REPO?="$(external_image_registry)/$(emailsender_image_repository)" +deploy/emailsender: IMAGE_TAG?="$(image_tag)" +deploy/emailsender: + @helm upgrade --install -n "$(NAMESPACE)" emailsender "deploy/charts/emailsender" \ + --values "dev/env/values/emailsender/values.yaml" \ + --set image.repo="$(IMAGE_REPO)" \ + --set image.tag="$(IMAGE_TAG)" +.PHONY: deploy/emailsender + +undeploy/emailsender: + @helm uninstall -n "$(NAMESPACE)" emailsender +.PHONY: undeploy/emailsender diff --git a/deploy/charts/emailsender/.helmignore b/deploy/charts/emailsender/.helmignore new file mode 100644 index 0000000000..0e8a0eb36f --- /dev/null +++ b/deploy/charts/emailsender/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/deploy/charts/emailsender/Chart.yaml b/deploy/charts/emailsender/Chart.yaml new file mode 100644 index 0000000000..61182fe267 --- /dev/null +++ b/deploy/charts/emailsender/Chart.yaml 
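Review bot: The target-specific assignments `deploy/emailsender: IMAGE_REPO?="$(external_image_registry)/$(emailsender_image_repository)"` and `IMAGE_TAG?="$(image_tag)"` keep the double quotes as part of the variable value, because make does no shell quote removal; the recipe then expands to `--set image.repo=""quay.io/…""`, which only works because the shell collapses the adjacent empty quotes. Any other use of `$(IMAGE_REPO)` (an `ifeq`, a `$(shell …)` call, an unquoted `echo`) would see the literal quote characters. Dropping them is enough, since the recipe already quotes the expansion: `deploy/emailsender: IMAGE_REPO?=$(external_image_registry)/$(emailsender_image_repository)` and `deploy/emailsender: IMAGE_TAG?=$(image_tag)`.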
@@ -0,0 +1,24 @@ +apiVersion: v2 +name: emailsender +description: "Chart to deploy emailsender service for RHACS dataplane clusters" + +# A chart can be either an 'application' or a 'library' chart. +# +# Application charts are a collection of templates that can be packaged into versioned archives +# to be deployed. +# +# Library charts provide useful utilities or functions for the chart developer. They're included as +# a dependency of application charts to inject those utilities and functions into the rendering +# pipeline. Library charts do not define any templates and therefore cannot be deployed. +type: application + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +# Versions are expected to follow Semantic Versioning (https://semver.org/) +version: "0.1.0" + +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. Versions are not expected to +# follow Semantic Versioning. They should reflect the version the application is using. +# It is recommended to use it with quotes. +appVersion: "0.1.0" diff --git a/deploy/charts/emailsender/README.md b/deploy/charts/emailsender/README.md new file mode 100644 index 0000000000..2f06dd2f88 --- /dev/null +++ b/deploy/charts/emailsender/README.md 
@@ -0,0 +1,57 @@ +# Emailsender Helm Chart + +This Helm chart deploys the emailsender service for RHACS dataplane clusters. + +## Overview + +The emailsender service handles email notifications for RHACS tenants. It uses AWS SES as the email provider and requires a PostgreSQL database for storing email records. + +## Prerequisites + +- Kubernetes cluster with OpenShift service-ca operator (for HTTPS support) +- External Secrets Operator (for AWS secrets management) +- AWS IAM role for SES access + +## Configuration + +See [values.yaml](values.yaml) for the full list of configuration options. + +### Key Configuration Values + +- `replicas`: Number of replicas (default: 3) +- `image.repo`: Container image repository +- `image.tag`: Container image tag +- `clusterId`: Data plane cluster ID +- `clusterName`: Data plane cluster name +- `environment`: Environment name (e.g., "production", "staging") +- `senderAddress`: Email sender address +- `emailProvider`: Email provider (default: "AWS_SES") +- `aws.region`: AWS region for SES + +## Installation + +```bash +helm install emailsender ./deploy/charts/emailsender \ + --set clusterId=my-cluster \ + --set clusterName=my-cluster \ + --set environment=production \ + --set aws.region=us-east-1 +``` + +## Components + +The chart deploys: + +1. **Deployment**: The emailsender service with 3 replicas by default +2. **Service**: ClusterIP service exposing port 443 (HTTPS) +3. **ServiceAccount**: For AWS IAM role integration +4. **RBAC**: ClusterRole and ClusterRoleBinding +5. **ExternalSecrets**: For database credentials and AWS role ARN + +## Database + +The emailsender requires a PostgreSQL database. Database credentials are managed via External Secrets Operator and stored in AWS Secrets Manager. + +## HTTPS/TLS + +The service uses OpenShift's service-ca operator to generate TLS certificates. This can be disabled by setting `enableHTTPS=false` for clusters without the service-ca operator. 
diff --git a/dp-terraform/helm/rhacs-terraform/templates/emailsender-rbac.yaml b/deploy/charts/emailsender/templates/emailsender-rbac.yaml similarity index 91% rename from dp-terraform/helm/rhacs-terraform/templates/emailsender-rbac.yaml rename to deploy/charts/emailsender/templates/emailsender-rbac.yaml index f253648684..cf31308d02 100644 --- a/dp-terraform/helm/rhacs-terraform/templates/emailsender-rbac.yaml +++ b/deploy/charts/emailsender/templates/emailsender-rbac.yaml @@ -1,4 +1,3 @@ -{{- if .Values.emailsender.enabled }} apiVersion: v1 kind: ServiceAccount metadata: @@ -22,4 +21,3 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: emailsender-role -{{- end }} diff --git a/dp-terraform/helm/rhacs-terraform/templates/emailsender-secret.yaml b/deploy/charts/emailsender/templates/emailsender-secret.yaml similarity index 68% rename from dp-terraform/helm/rhacs-terraform/templates/emailsender-secret.yaml rename to deploy/charts/emailsender/templates/emailsender-secret.yaml index 9208b5d76c..6ceb5f3fb0 100644 --- a/dp-terraform/helm/rhacs-terraform/templates/emailsender-secret.yaml +++ b/deploy/charts/emailsender/templates/emailsender-secret.yaml @@ -1,4 +1,4 @@ -{{- if and (.Capabilities.APIVersions.Has "external-secrets.io/v1beta1") .Values.global.createExternalSecrets }} +{{- if and (.Capabilities.APIVersions.Has "external-secrets.io/v1beta1") .Values.createExternalSecrets }} apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret metadata: @@ -6,7 +6,7 @@ metadata: namespace: {{ .Release.Namespace }} spec: secretStoreRef: - name: {{ .Values.global.secretStore.aws.secretsManagerSecretStoreName }} + name: {{ .Values.secretStore.aws.secretsManagerSecretStoreName }} kind: ClusterSecretStore target: name: emailsender-db 
@@ -14,23 +14,23 @@ spec: data: - secretKey: db.user # pragma: allowlist secret remoteRef: - key: "cluster-{{ .Values.emailsender.clusterName }}-emailsender-db" + key: "cluster-{{ .Values.clusterName }}-emailsender-db" property: "username" - secretKey: db.name # pragma: allowlist secret remoteRef: - key: "cluster-{{ .Values.emailsender.clusterName }}-emailsender-db" + key: "cluster-{{ .Values.clusterName }}-emailsender-db" property: "databaseName" - secretKey: db.host # pragma: allowlist secret remoteRef: - key: "cluster-{{ .Values.emailsender.clusterName }}-emailsender-db" + key: "cluster-{{ .Values.clusterName }}-emailsender-db" property: "host" - secretKey: db.password # pragma: allowlist secret remoteRef: - key: "cluster-{{ .Values.emailsender.clusterName }}-emailsender-db" + key: "cluster-{{ .Values.clusterName }}-emailsender-db" property: "password" # pragma: allowlist secret - secretKey: db.port # pragma: allowlist secret remoteRef: - key: "cluster-{{ .Values.emailsender.clusterName }}-emailsender-db" + key: "cluster-{{ .Values.clusterName }}-emailsender-db" property: "port" --- apiVersion: external-secrets.io/v1beta1 @@ -40,7 +40,7 @@ metadata: namespace: {{ .Release.Namespace }} spec: secretStoreRef: - name: {{ .Values.global.secretStore.aws.parameterStoreSecretStoreName }} + name: {{ .Values.secretStore.aws.parameterStoreSecretStoreName }} kind: ClusterSecretStore target: name: emailsender-parameters diff --git a/dp-terraform/helm/rhacs-terraform/templates/emailsender.yaml b/deploy/charts/emailsender/templates/emailsender.yaml similarity index 65% rename from dp-terraform/helm/rhacs-terraform/templates/emailsender.yaml rename to deploy/charts/emailsender/templates/emailsender.yaml index 1d4f231fa8..4e947c2069 100644 --- a/dp-terraform/helm/rhacs-terraform/templates/emailsender.yaml +++ b/deploy/charts/emailsender/templates/emailsender.yaml @@ -1,4 +1,3 @@ -{{- if .Values.emailsender.enabled }} apiVersion: apps/v1 kind: Deployment metadata: 
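Review bot: The five `remoteRef` keys rewritten here interpolate `.Values.clusterName` directly, and the chart's values.yaml defaults it to `""`, so a release installed without `--set clusterName=…` silently requests the Secrets Manager entry `cluster--emailsender-db` and the ExternalSecret sits in a failed sync rather than the install failing. Helm's `required` turns that into a render-time error: `key: "cluster-{{ required "clusterName must be set" .Values.clusterName }}-emailsender-db"`, applied to all five entries or computed once into a variable at the top of the template. The same consideration applies to `clusterId`, `clusterName` and `environment` in templates/emailsender.yaml, which also default to empty.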
@@ -7,7 +6,7 @@ metadata: labels: app: emailsender spec: - replicas: {{ .Values.emailsender.replicas }} + replicas: {{ .Values.replicas }} selector: matchLabels: app: emailsender 
@@ -21,42 +20,39 @@ spec: serviceAccountName: emailsender containers: - name: emailsender - image: "{{ .Values.emailsender.image.repo }}:{{ .Values.emailsender.image.tag | default .Values.global.image.tag }}" + image: "{{ .Values.image.repo }}:{{ .Values.image.tag }}" imagePullPolicy: IfNotPresent command: - /acscs/emailsender env: - # TODO(ROX-23260): use emailsender values once their are available via the Addon flow - name: CLUSTER_ID - value: {{ .Values.fleetshardSync.clusterId }} + value: {{ .Values.clusterId }} - name: CLUSTER_NAME - value: {{ .Values.fleetshardSync.clusterName }} + value: {{ .Values.clusterName }} - name: ENVIRONMENT - value: {{ .Values.fleetshardSync.environment }} + value: {{ .Values.environment }} - name: SENDER_ADDRESS - value: {{ .Values.emailsender.senderAddress }} + value: {{ .Values.senderAddress }} - name: EMAIL_PROVIDER - value: {{ .Values.emailsender.emailProvider }} + value: {{ .Values.emailProvider }} - name: HTTPS_CERT_FILE value: "/var/run/certs/tls.crt" - name: HTTPS_KEY_FILE value: "/var/run/certs/tls.key" - name: DATABASE_SSL_MODE - value: {{ .Values.emailsender.db.sslMode }} + value: {{ .Values.db.sslMode }} - name: DATABASE_CA_CERT_FILE - value: {{ .Values.emailsender.db.caCertFile }} - {{- if .Values.emailsender.authConfigFromKubernetes }} + value: {{ .Values.db.caCertFile }} + {{- if .Values.authConfigFromKubernetes }} - name: AUTH_CONFIG_FROM_KUBERNETES value: "true" {{- end }} - {{- if .Values.emailsender.enableHTTPS }} + {{- if .Values.enableHTTPS }} - name: ENABLE_HTTPS value: "true" {{- end }} - # Reusing fleetshardSync.aws.region here since the Values file defines multiple - # aws region for different components and the emailsender should always use the same as FS - name: AWS_REGION - value: {{ .Values.fleetshardSync.aws.region }} + value: {{ .Values.aws.region }} - name: AWS_ROLE_ARN valueFrom: secretKeyRef: 
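Review bot: The env entries rewritten in this hunk (`CLUSTER_ID`, `CLUSTER_NAME`, `ENVIRONMENT`, `SENDER_ADDRESS`, `EMAIL_PROVIDER`, `DATABASE_SSL_MODE`, `DATABASE_CA_CERT_FILE`, `AWS_REGION`) still render their value unquoted, e.g. `value: {{ .Values.clusterId }}`. With the chart default `clusterId: ""` the line renders as `value:` (null), and a cluster ID, environment name or sender address that happens to parse as a number or boolean (`1234`, `on`) renders as a non-string that the API server rejects for `EnvVar.value`. Piping each through `quote`, `value: {{ .Values.clusterId | quote }}`, matches what the `resources` block further down already does. The Deployment continues outside this hunk.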
@@ -71,10 +67,10 @@ spec: containerPort: 8080 resources: limits: - memory: {{ .Values.emailsender.resources.limits.memory | quote }} + memory: {{ .Values.resources.limits.memory | quote }} requests: - cpu: {{ .Values.emailsender.resources.requests.cpu | quote }} - memory: {{ .Values.emailsender.resources.requests.memory | quote }} + cpu: {{ .Values.resources.requests.cpu | quote }} + memory: {{ .Values.resources.requests.memory | quote }} volumeMounts: - name: aws-token mountPath: /var/run/secrets/tokens @@ -82,7 +78,7 @@ spec: - name: emailsender-db mountPath: /secrets readOnly: true - {{- if .Values.emailsender.enableHTTPS }} + {{- if .Values.enableHTTPS }} - name: emailsender-tls mountPath: /var/run/certs readOnly: true @@ -91,7 +87,7 @@ spec: - name: emailsender-db secret: secretName: emailsender-db # pragma: allowlist secret - {{- if .Values.emailsender.enableHTTPS }} + {{- if .Values.enableHTTPS }} - name: emailsender-tls secret: secretName: emailsender-tls # pragma: allowlist secret @@ -122,4 +118,3 @@ spec: selector: app: emailsender type: ClusterIP -{{- end }} diff --git a/deploy/charts/emailsender/values.yaml b/deploy/charts/emailsender/values.yaml new file mode 100644 index 0000000000..02f4368067 --- /dev/null +++ b/deploy/charts/emailsender/values.yaml 
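Review bot: The `resources` block in this hunk renders `limits.memory`, `requests.cpu` and `requests.memory`, but the new chart defaults in values.yaml also declare `resources.limits.cpu: "200m"`, which nothing reads, so the CPU limit the values file advertises is never applied. Either add `cpu: {{ .Values.resources.limits.cpu | quote }}` under `limits:` here, or drop the key from values.yaml so the file does not promise a limit the template does not set. Whichever way, a one-line comment in values.yaml next to `limits:` saying which keys the template honours would keep the two in step.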
@@ -0,0 +1,42 @@ +# Default values for emailsender. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. +replicas: 3 +image: + repo: "quay.io/redhat-services-prod/acscs-rhacs-tenant/acscs-main/acs-emailsender" + tag: "latest" +# Use this in case you apply this manifest against a cluster without service-ca operator +# to turn off HTTPS and mounting the service-ca certs since they'll not be created +enableHTTPS: true +# Database connection settings +# Use this in case you apply this manifest against a cluster without service-ca operator +# to turn of HTTPS and mounting the service-ca certs since they'll not be created +db: + sslMode: "verify-full" + caCertFile: /rds_ca/aws-rds-ca-global-bundle.pem +# Cluster information +clusterId: "" +clusterName: "" +environment: "" +# Email provider configuration +senderAddress: "noreply@mail.rhacs-dev.com" +emailProvider: "AWS_SES" +# Authentication configuration +authConfigFromKubernetes: true +# AWS configuration +aws: + region: "us-east-1" +# Resource limits and requests +resources: + requests: + cpu: "100m" + memory: "512Mi" + limits: + cpu: "200m" + memory: "512Mi" + +createExternalSecrets: true +secretStore: + aws: + secretsManagerSecretStoreName: secrets-manager-secret-store # pragma: allowlist secret + parameterStoreSecretStoreName: parameter-store-secret-store # pragma: allowlist secret diff --git a/dev/env/manifests/fleetshard-operator/51-fleetshard-cr.yaml b/dev/env/manifests/fleetshard-operator/51-fleetshard-cr.yaml index 8f05d7e77d..71ecc8d3d8 100644 --- a/dev/env/manifests/fleetshard-operator/51-fleetshard-cr.yaml +++ b/dev/env/manifests/fleetshard-operator/51-fleetshard-cr.yaml @@ -33,7 +33,3 @@ spec: addonAutoUpgradeEnabled: false printCentralUpdateDiff: true resources: $FLEETSHARD_SYNC_RESOURCES - emailsender: - enabled: $ENABLE_EMAIL_SENDER - enableHTTPS: false - replicas: 1 diff --git a/dev/env/scripts/up.sh b/dev/env/scripts/up.sh index bb8a30a617..0b273341d6 100755 
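Review bot: `image.tag` defaults to `"latest"` in this new values file while the Deployment template sets `imagePullPolicy: IfNotPresent`, so a node that already has a `latest` image cached keeps running it across upgrades and a rollout pins nothing reproducible. The previous template fell back to `.Values.global.image.tag` supplied by the addon; the Makefile target now always passes `--set image.tag`, but a plain `helm install` following the README deploys a floating tag. Consider an empty default enforced in the template with `required`, or a concrete release tag kept alongside `appVersion` in Chart.yaml, e.g. `tag: ""  # required: set to the emailsender release tag`. The empty `clusterId`/`clusterName`/`environment` defaults have the same install-time-required character and would benefit from the same treatment. Separately, the `enableHTTPS` comment block is pasted twice (the second copy above `db:` is fixed later in patch 05, so only the first needs to stay).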
--- a/dev/env/scripts/up.sh +++ b/dev/env/scripts/up.sh @@ -77,6 +77,8 @@ if [[ "$SPAWN_LOGGER" == "true" && -n "${LOG_DIR:-}" ]]; then fi if [[ "$ENABLE_EMAIL_SENDER" == "true" ]]; then + log "Deploying emailsender" + make -C "$GITROOT" deploy/emailsender wait_for_container_to_appear "$ACSCS_NAMESPACE" "application=emailsender" "emailsender" if [[ "$SPAWN_LOGGER" == "true" && -n "${LOG_DIR:-}" ]]; then $KUBECTL -n "$ACSCS_NAMESPACE" logs -l application=emailsender --all-containers --pod-running-timeout=1m --since=1m --tail=100 -f >"${LOG_DIR}/pod-logs_emailsender_emailsender.txt" 2>&1 & diff --git a/dev/env/values/emailsender/values.yaml b/dev/env/values/emailsender/values.yaml new file mode 100644 index 0000000000..3790d5bc2f --- /dev/null +++ b/dev/env/values/emailsender/values.yaml @@ -0,0 +1,5 @@ +clusterId: 1234567890abcdef1234567890abcdef # pragma: allowlist secret +clusterName: dev +environment: dev +enableHTTPS: false +replicas: 1 diff --git a/dp-terraform/osd-cluster-idp-setup.sh b/dp-terraform/osd-cluster-idp-setup.sh old mode 100755 new mode 100644 diff --git a/emailsender/Dockerfile b/emailsender/Dockerfile index 60cbe38a36..d6796c960d 100644 --- a/emailsender/Dockerfile +++ b/emailsender/Dockerfile @@ -10,7 +10,7 @@ COPY . ./ RUN make emailsender -FROM registry.access.redhat.com/ubi8/ubi-minimal:8.10-1295 as standard +FROM registry.access.redhat.com/ubi8/ubi-minimal:8.10-1295 AS standard RUN microdnf install shadow-utils diff --git a/emailsender/README.md b/emailsender/README.md index 71ba3f2a72..bd350e390e 100644 --- a/emailsender/README.md +++ b/emailsender/README.md 
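Review bot: `make -C "$GITROOT" deploy/emailsender` on the added line passes no namespace, while the Makefile target installs into `$(NAMESPACE)` and the following `wait_for_container_to_appear` polls `$ACSCS_NAMESPACE`; unless `NAMESPACE` is exported with the same value elsewhere in the dev env (not visible here), the release lands in a different namespace than the one being waited on and the wait times out. Passing it explicitly removes the hidden dependency: `make -C "$GITROOT" NAMESPACE="$ACSCS_NAMESPACE" deploy/emailsender`. The same call is introduced in patch 02 in scripts/ci/central_compatibility/run_compatibility_test.sh, where the script's own `EMAILSENDER_NS` should be passed the same way.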
@@ -33,7 +33,7 @@ All related AWS and emailsender limits and how to change them are document in th ## Deployment -The emailsender is deployed as part of the acs-fleetshard-sync addon. The helm chart is defined in `dp-terraform/helm/rhacs-terraform/templates/emailsender*.yaml`. +The emailsender is deployed as part of the acs-fleetshard-sync addon. The helm chart is defined in `deploy/charts/emailsender`. The most important helm values are exposed for configuration through the addon. diff --git a/scripts/ci/central_compatibility/emailsender-values.yaml b/scripts/ci/central_compatibility/emailsender-values.yaml index 79baec53bd..fa6033a43e 100644 --- a/scripts/ci/central_compatibility/emailsender-values.yaml +++ b/scripts/ci/central_compatibility/emailsender-values.yaml @@ -1,21 +1,13 @@ # This values file is used to render emailsender related kubernetes resources # in context of emailsender <> central compatiblity tests. Values that are not # below the emailsender field are the minimum required values for the helm chart -fleetshardSync: - clusterName: test - clusterId: test - environment: dev - managedDB: - enabled: false - subnetGroup: "dummyGroup" -emailsender: - db: - sslMode: "disable" - caCertFile: "" - image: - repo: "quay.io/rhacs-eng/emailsender" - enabled: true - enableHTTPS: false - clusterName: test - replicas: 1 - authConfigFromKubernetes: true +db: + sslMode: "disable" + caCertFile: "" +image: + repo: "quay.io/rhacs-eng/emailsender" +enabled: true +enableHTTPS: false +clusterName: test +replicas: 1 +authConfigFromKubernetes: true diff --git a/scripts/ci/central_compatibility/run_compatibility_test.sh b/scripts/ci/central_compatibility/run_compatibility_test.sh index dc4f66bef1..d629c18015 100644 --- a/scripts/ci/central_compatibility/run_compatibility_test.sh +++ b/scripts/ci/central_compatibility/run_compatibility_test.sh 
@@ -7,7 +7,7 @@ set -eux # 2. acs-fleet-manager repo to be available at the execution path with directory name acs-fleet-manager ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")"/../../.. && pwd)" SOURCE_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" -EMAILSENDER_HELM_DIR="$ROOT_DIR/dp-terraform/helm/rhacs-terraform" +EMAILSENDER_HELM_DIR="$ROOT_DIR/deploy/charts/emailsender" STACKROX_DIR="$(cd "$ROOT_DIR/../stackrox" && pwd)" EMAILSENDER_NS="rhacs" @@ -48,8 +48,8 @@ kubectl create ns $CENTRAL_NS -o yaml --dry-run=client | kubectl apply -f - # Render emailsender kubernetes resources helm template --namespace "${EMAILSENDER_NS}" \ -f "${SOURCE_DIR}/emailsender-values.yaml" "${EMAILSENDER_HELM_DIR}" \ - --set emailsender.image.repo="${EMAILSENDER_IMG_NAME}" \ - --set emailsender.image.tag="${EMAILSENDER_IMG_TAG}" \ + --set image.repo="${EMAILSENDER_IMG_NAME}" \ + --set image.tag="${EMAILSENDER_IMG_TAG}" \ | yq e '. | select(.metadata.name == "emailsender")' \ > emailsender-manifests.yaml @@ -60,7 +60,7 @@ log "Emailsender deployed to Kind." log "Starting to deploy central services..." # use nightly if GH action running for acs-fleet-manager -# use the stackrox tag otherwise +# use the stackrox tag otherwise log "Running for repository: $GITHUB_REPOSITORY" if [ "$GITHUB_REPOSITORY" = "stackrox/stackrox" ]; then ACS_VERSION="$(make --no-print-directory -C "$STACKROX_DIR" tag)" diff --git a/scripts/dev-with-openshift-ci.sh b/scripts/dev-with-openshift-ci.sh index f97db7d111..7c595ffc5d 100755 --- a/scripts/dev-with-openshift-ci.sh +++ b/scripts/dev-with-openshift-ci.sh @@ -77,7 +77,7 @@ spec: git: uri: 'https://github.com/stackrox/acs-fleet-manager' ref: ${CUR_BRANCH} - contextDir: /dp-terraform/helm + contextDir: /fleetshard-operator runPolicy: Serial EOF From e910e1e75c75d7e2d26fc59a6231a5c2d3d1c85f Mon Sep 17 00:00:00 2001 
From: Yury Kovalev Date: Thu, 9 Oct 2025 13:33:10 +0200 Subject: [PATCH 02/12] Compatibility test --- Makefile | 2 + .../emailsender-db/emailsender-db.yaml | 66 +++++++++++++++++ dev/env/values/emailsender/values.yaml | 7 ++ .../central_compatibility/emailsender-db.yaml | 70 ------------------- .../emailsender-values.yaml | 13 ---- .../run_compatibility_test.sh | 17 +---- 6 files changed, 77 insertions(+), 98 deletions(-) create mode 100644 dev/env/manifests/emailsender-db/emailsender-db.yaml delete mode 100644 scripts/ci/central_compatibility/emailsender-db.yaml delete mode 100644 scripts/ci/central_compatibility/emailsender-values.yaml diff --git a/Makefile b/Makefile index da76dbbfc0..6e378387d8 100644 --- a/Makefile +++ b/Makefile @@ -899,6 +899,7 @@ run/emailsender: deploy/emailsender: IMAGE_REPO?="$(external_image_registry)/$(emailsender_image_repository)" deploy/emailsender: IMAGE_TAG?="$(image_tag)" deploy/emailsender: + @kubectl apply -n "$(NAMESPACE)" -f "dev/env/manifests/emailsender-db" @helm upgrade --install -n "$(NAMESPACE)" emailsender "deploy/charts/emailsender" \ --values "dev/env/values/emailsender/values.yaml" \ --set image.repo="$(IMAGE_REPO)" \ @@ -907,4 +908,5 @@ deploy/emailsender: undeploy/emailsender: @helm uninstall -n "$(NAMESPACE)" emailsender + @kubectl delete -n "$(NAMESPACE)" -f "dev/env/manifests/emailsender-db" .PHONY: undeploy/emailsender diff --git a/dev/env/manifests/emailsender-db/emailsender-db.yaml b/dev/env/manifests/emailsender-db/emailsender-db.yaml new file mode 100644 index 0000000000..5b9ffddaec --- /dev/null +++ b/dev/env/manifests/emailsender-db/emailsender-db.yaml 
@@ -0,0 +1,66 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: emailsender-db + labels: + app: emailsender-db +spec: + replicas: 1 + selector: + matchLabels: + app: emailsender-db + strategy: {} + template: + metadata: + labels: + app: emailsender-db + spec: + containers: + - image: postgres:13 + name: postgres + ports: + - containerPort: 5432 + resources: + requests: + cpu: "100m" + memory: 250Mi + limits: + cpu: "150m" + memory: 300Mi + env: + - name: POSTGRES_PASSWORD + value: "postgres" + - name: POSTGRES_USER + value: "postgres" + - name: POSTGRES_DB + value: "postgres" +--- +apiVersion: v1 +kind: Service +metadata: + name: emailsender-db + labels: + app: emailsender-db +spec: + ports: + - name: 5432-5432 + port: 5432 + protocol: TCP + targetPort: 5432 + selector: + app: emailsender-db + type: ClusterIP +--- +apiVersion: v1 +kind: Secret +metadata: + name: emailsender-db +stringData: + db.host: "emailsender-db" +--- +apiVersion: v1 +kind: Secret +metadata: + name: emailsender-parameters +stringData: + aws-role-arn: "placeholder" diff --git a/dev/env/values/emailsender/values.yaml b/dev/env/values/emailsender/values.yaml index 3790d5bc2f..f873a5557e 100644 --- a/dev/env/values/emailsender/values.yaml +++ b/dev/env/values/emailsender/values.yaml @@ -3,3 +3,10 @@ clusterName: dev environment: dev enableHTTPS: false replicas: 1 +authConfigFromKubernetes: true +db: + sslMode: "disable" + caCertFile: "" +image: + repo: "quay.io/rhacs-eng/emailsender" +createExternalSecrets: false diff --git a/scripts/ci/central_compatibility/emailsender-db.yaml b/scripts/ci/central_compatibility/emailsender-db.yaml deleted file mode 100644 index c511ff30c5..0000000000 --- a/scripts/ci/central_compatibility/emailsender-db.yaml +++ /dev/null 
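Review bot: The dev `emailsender-db` Secret at the end of this file carries only `db.host`, whereas the ExternalSecret the chart renders elsewhere populates `db.user`, `db.name`, `db.host`, `db.password` and `db.port` into a Secret of the same name that the Deployment mounts at /secrets. If the service reads those five files (not visible here) the dev deployment is missing four of them; if it instead falls back to defaults that coincide with the `POSTGRES_*` env values set on the container above, that coupling deserves a comment on the Secret, e.g. `# db.user/db.name/db.password/db.port are omitted on purpose: emailsender falls back to <document the defaults here>; keep in sync with the POSTGRES_* env above`. The hard-coded `postgres`/`postgres` credentials and the `placeholder` role ARN are acceptable for a kind/dev-only manifest, but since `make deploy/emailsender` applies this directory unconditionally, a header comment stating that the manifest is for local development only would prevent accidental reuse.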
@@ -1,70 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: emailsender-db - name: emailsender-db - namespace: rhacs -spec: - replicas: 1 - selector: - matchLabels: - app: emailsender-db - strategy: {} - template: - metadata: - labels: - app: emailsender-db - spec: - containers: - - image: postgres:13 - name: postgres - ports: - - containerPort: 5432 - resources: - requests: - cpu: "100m" - memory: 250Mi - limits: - cpu: "150m" - memory: 300Mi - env: - - name: POSTGRES_PASSWORD - value: "postgres" - - name: POSTGRES_USER - value: "postgres" - - name: POSTGRES_DB - value: "postgres" ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app: emailsender-db - name: emailsender-db - namespace: rhacs -spec: - ports: - - name: 5432-5432 - port: 5432 - protocol: TCP - targetPort: 5432 - selector: - app: emailsender-db - type: ClusterIP ---- -apiVersion: v1 -data: - db.host: ZW1haWxzZW5kZXItZGI= -kind: Secret -metadata: - name: emailsender-db - namespace: rhacs ---- -apiVersion: v1 -data: - aws-role-arn: "cGxhY2Vob2xkZXIK" -kind: Secret -metadata: - name: emailsender-parameters - namespace: rhacs diff --git a/scripts/ci/central_compatibility/emailsender-values.yaml b/scripts/ci/central_compatibility/emailsender-values.yaml deleted file mode 100644 index fa6033a43e..0000000000 --- a/scripts/ci/central_compatibility/emailsender-values.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# This values file is used to render emailsender related kubernetes resources -# in context of emailsender <> central compatiblity tests. Values that are not -# below the emailsender field are the minimum required values for the helm chart -db: - sslMode: "disable" - caCertFile: "" -image: - repo: "quay.io/rhacs-eng/emailsender" -enabled: true -enableHTTPS: false -clusterName: test -replicas: 1 -authConfigFromKubernetes: true 
diff --git a/scripts/ci/central_compatibility/run_compatibility_test.sh b/scripts/ci/central_compatibility/run_compatibility_test.sh index d629c18015..6b506155cb 100644 --- a/scripts/ci/central_compatibility/run_compatibility_test.sh +++ b/scripts/ci/central_compatibility/run_compatibility_test.sh @@ -7,7 +7,6 @@ set -eux # 2. acs-fleet-manager repo to be available at the execution path with directory name acs-fleet-manager ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")"/../../.. && pwd)" SOURCE_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" -EMAILSENDER_HELM_DIR="$ROOT_DIR/deploy/charts/emailsender" STACKROX_DIR="$(cd "$ROOT_DIR/../stackrox" && pwd)" EMAILSENDER_NS="rhacs" @@ -36,25 +35,13 @@ function pull_to_kind() { kind load docker-image "${img}" } -EMAILSENDER_IMG_TAG="$(make --no-print-directory -C "$ROOT_DIR" tag)" -EMAILSENDER_IMG_NAME="$(make --no-print-directory -C "$ROOT_DIR" image-name/emailsender)" -EMAILSENDER_IMG="$(make --no-print-directory -C "$ROOT_DIR" image-tag/emailsender)" make --no-print-directory -C "$ROOT_DIR" image/build/emailsender -kind load docker-image "${EMAILSENDER_IMG}" +kind load docker-image "$(make --no-print-directory -C "$ROOT_DIR" image-tag/emailsender)" kubectl create ns $EMAILSENDER_NS -o yaml --dry-run=client | kubectl apply -f - kubectl create ns $CENTRAL_NS -o yaml --dry-run=client | kubectl apply -f - -# Render emailsender kubernetes resources -helm template --namespace "${EMAILSENDER_NS}" \ - -f "${SOURCE_DIR}/emailsender-values.yaml" "${EMAILSENDER_HELM_DIR}" \ - --set image.repo="${EMAILSENDER_IMG_NAME}" \ - --set image.tag="${EMAILSENDER_IMG_TAG}" \ - | yq e '. | select(.metadata.name == "emailsender")' \ - > emailsender-manifests.yaml - -kubectl apply -f emailsender-manifests.yaml -kubectl apply -f "${SOURCE_DIR}/emailsender-db.yaml" +make --no-print-directory -C "$ROOT_DIR" deploy/emailsender log "Emailsender deployed to Kind." From 2b90977ab1d07204c50820c84960c719e231cae5 Mon Sep 17 00:00:00 2001 
From: Yury Kovalev Date: Mon, 20 Oct 2025 15:10:10 +0200 Subject: [PATCH 03/12] Fix Multicluster test --- .../01-acs-fleetshard-addon.yaml | 0 .../02-acs-fleetshard-parameters-secret.yaml | 0 .../manifests/addons/{ => crds}/00-addon-crd.yaml | 0 dev/env/scripts/bootstrap.sh | 12 +++++++++--- 4 files changed, 9 insertions(+), 3 deletions(-) rename dev/env/manifests/addons/{ => acs-fleetshard}/01-acs-fleetshard-addon.yaml (100%) rename dev/env/manifests/addons/{ => acs-fleetshard}/02-acs-fleetshard-parameters-secret.yaml (100%) rename dev/env/manifests/addons/{ => crds}/00-addon-crd.yaml (100%) diff --git a/dev/env/manifests/addons/01-acs-fleetshard-addon.yaml b/dev/env/manifests/addons/acs-fleetshard/01-acs-fleetshard-addon.yaml similarity index 100% rename from dev/env/manifests/addons/01-acs-fleetshard-addon.yaml rename to dev/env/manifests/addons/acs-fleetshard/01-acs-fleetshard-addon.yaml diff --git a/dev/env/manifests/addons/02-acs-fleetshard-parameters-secret.yaml b/dev/env/manifests/addons/acs-fleetshard/02-acs-fleetshard-parameters-secret.yaml similarity index 100% rename from dev/env/manifests/addons/02-acs-fleetshard-parameters-secret.yaml rename to dev/env/manifests/addons/acs-fleetshard/02-acs-fleetshard-parameters-secret.yaml diff --git a/dev/env/manifests/addons/00-addon-crd.yaml b/dev/env/manifests/addons/crds/00-addon-crd.yaml similarity index 100% rename from dev/env/manifests/addons/00-addon-crd.yaml rename to dev/env/manifests/addons/crds/00-addon-crd.yaml diff --git a/dev/env/scripts/bootstrap.sh b/dev/env/scripts/bootstrap.sh index 9bc40342e9..2a9cfb64ee 100755 --- a/dev/env/scripts/bootstrap.sh +++ b/dev/env/scripts/bootstrap.sh 
@@ -110,9 +110,15 @@ if ! is_openshift_cluster "$CLUSTER_TYPE"; then apply "${MANIFESTS_DIR}/monitoring" fi -apply "${MANIFESTS_DIR}/addons/00-addon-crd.yaml" -wait_for_crd "addons.addons.managed.openshift.io" -apply "${MANIFESTS_DIR}/addons" +# Apply addon CRD only if it doesn't exist +if ! $KUBECTL get crd addons.addons.managed.openshift.io &>/dev/null; then + log "Addon CRD not found, applying..." + apply "${MANIFESTS_DIR}/addons/crds/00-addon-crd.yaml" + wait_for_crd "addons.addons.managed.openshift.io" +else + log "Addon CRD already exists, skipping..." +fi +apply "${MANIFESTS_DIR}/addons/acs-fleetshard" if is_openshift_cluster "$CLUSTER_TYPE"; then log "Installing ExternalDNS for OpenShift" From e76cf91a69d7b36834b4275e1641303115905200 Mon Sep 17 00:00:00 2001 From: Yury Kovalev Date: Thu, 23 Oct 2025 12:58:28 +0200 Subject: [PATCH 04/12] Fix multicluster E2E tests --- .github/workflows/multicluster-e2e.yaml | 23 ++++++++++++++++++----- 1 file changed, 18 insertions(+), 5 deletions(-) diff --git a/.github/workflows/multicluster-e2e.yaml b/.github/workflows/multicluster-e2e.yaml index 66f164f8d5..262ba03640 100644 --- a/.github/workflows/multicluster-e2e.yaml +++ b/.github/workflows/multicluster-e2e.yaml 
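Review bot: The new guard skips `apply "${MANIFESTS_DIR}/addons/crds/00-addon-crd.yaml"` whenever a CRD named `addons.addons.managed.openshift.io` already exists, which protects a cluster that ships the real OSD addon CRD but also means an existing dev cluster never picks up a change to the checked-in manifest. If protecting the cluster-provided CRD is the intent, the comment should say so rather than just "only if it doesn't exist", e.g. `# Skip when the CRD already exists (OSD/OpenShift provides it); local clusters get the copy from the manifests`. If `apply` wraps `kubectl apply`, re-applying an unchanged CRD is a no-op and the guard could be dropped, keeping only `wait_for_crd`.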
@@ -33,13 +33,24 @@ jobs:
 strategy:
 matrix:
 name: [acscs1, acscs2]
+ outputs:
+ cluster_id: ${{ steps.cluster_id.outputs.short_sha }}
 steps:
+ - name: Generate cluster ID
+ id: cluster_id
+ run: |
+ # OSD cluster names are limited to 15 characters.
+ # Use first 7 chars of commit SHA for traceability and uniqueness.
+ # Format: -<7-char-sha> (e.g., acscs1-a1b2c3d = 14 chars)
+ SHORT_SHA=$(echo "${{ github.sha }}" | cut -c1-7)
+ echo "short_sha=$SHORT_SHA" >> "$GITHUB_OUTPUT"
+
 - name: Create cluster
 uses: stackrox/actions/infra/create-cluster@v1
 with:
 token: ${{ secrets.INFRA_TOKEN }}
 flavor: osd-on-aws
- name: ${{ matrix.name }}-${{ github.run_id }}${{ github.run_attempt }}
+ name: ${{ matrix.name }}-${{ steps.cluster_id.outputs.short_sha }}
 lifespan: 3h
 args: nodes=3,machine-type=m5.2xlarge
 wait: true
@@ -66,13 +77,14 @@ jobs:
 - name: Set cluster credentials
 run: |
 set -eo pipefail
+ SHORT_SHA=$(echo "${{ github.sha }}" | cut -c1-7)
 mkdir kube
 cluster1Conf="$(pwd)/kube/cluster1"
- url=$(infractl artifacts "acscs1-${{ github.run_id }}${{ github.run_attempt }}" --json | jq '.Artifacts[] | select(.Name=="kubeconfig") | .URL' -r)
+ url=$(infractl artifacts "acscs1-${SHORT_SHA}" --json | jq '.Artifacts[] | select(.Name=="kubeconfig") | .URL' -r)
 wget -O "$cluster1Conf" "$url"
 cluster2Conf="$(pwd)/kube/cluster2"
- url=$(infractl artifacts "acscs2-${{ github.run_id }}${{ github.run_attempt }}" --json | jq '.Artifacts[] | select(.Name=="kubeconfig") | .URL' -r)
+ url=$(infractl artifacts "acscs2-${SHORT_SHA}" --json | jq '.Artifacts[] | select(.Name=="kubeconfig") | .URL' -r)
 wget -O "$cluster2Conf" "$url"
 echo "CLUSTER_1_KUBECONFIG=$cluster1Conf" >> "$GITHUB_ENV"
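Review bot: Deriving the cluster name from the first seven characters of `github.sha` drops the per-run uniqueness that `github.run_id`/`github.run_attempt` gave it: a re-run of the same commit, or a second workflow run for the same SHA, asks `create-cluster` for `acscs1-<sha>` while a cluster of that name may still exist, and the cleanup job later in this series deliberately keeps clusters after failures. If a run-specific component is still needed it has to fit the 15-character limit the comment cites (fewer SHA characters plus `github.run_attempt`, for instance), otherwise the comment should state that the name is intentionally stable per commit. The job declares `outputs.cluster_id` but the second hunk here and the delete step in the next hunk recompute `SHORT_SHA` by hand; `${{ needs.create-cluster.outputs.cluster_id }}` would keep the three in sync, provided those jobs declare `needs: create-cluster`. The `# Format: -<7-char-sha>` comment also appears to have lost a placeholder before the dash, presumably `<matrix.name>-<7-char-sha>`.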
@@ -112,6 +124,7 @@ jobs:
 - name: Delete test clusters
 run: |
 set -o pipefail
- infractl delete "acscs1-${{ github.run_id }}${{ github.run_attempt }}"
- infractl delete "acscs2-${{ github.run_id }}${{ github.run_attempt }}"
+ SHORT_SHA=$(echo "${{ github.sha }}" | cut -c1-7)
+ infractl delete "acscs1-${SHORT_SHA}"
+ infractl delete "acscs2-${SHORT_SHA}"
 exit 0
From 6e8fbfaa4b2b9e251ebe2ee12ae1ea639e95b5d5 Mon Sep 17 00:00:00 2001
From: Yury Kovalev
Date: Thu, 23 Oct 2025 16:55:30 +0200
Subject: [PATCH 05/12] Review comments
---
deploy/charts/emailsender/values.yaml | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/deploy/charts/emailsender/values.yaml b/deploy/charts/emailsender/values.yaml
index 02f4368067..d5358a5321 100644
--- a/deploy/charts/emailsender/values.yaml
+++ b/deploy/charts/emailsender/values.yaml
@@ -1,6 +1,3 @@
-# Default values for emailsender.
-# This is a YAML-formatted file.
-# Declare variables to be passed into your templates.
 replicas: 3
 image:
 repo: "quay.io/redhat-services-prod/acscs-rhacs-tenant/acscs-main/acs-emailsender"
@@ -9,10 +6,10 @@ image:
 # to turn off HTTPS and mounting the service-ca certs since they'll not be created
 enableHTTPS: true
 # Database connection settings
-# Use this in case you apply this manifest against a cluster without service-ca operator
-# to turn of HTTPS and mounting the service-ca certs since they'll not be created
 db:
+ # Possible values: disable, require, verify-ca, verify-full
 sslMode: "verify-full"
+ # Can be empty if sslMode is disabled
 caCertFile: /rds_ca/aws-rds-ca-global-bundle.pem
 # Cluster information
 clusterId: ""
From f939e4ecb53d511b436b0847972502fd3f2f37f3 Mon Sep 17 00:00:00 2001
From: Yury Kovalev
Date: Thu, 23 Oct 2025 16:57:23 +0200
Subject: [PATCH 06/12] Remove the emailsender values from dp-terraform
---
dp-terraform/helm/rhacs-terraform/values.yaml | 28 -------------------
1 file changed, 28 deletions(-)
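Review bot: The new comment `# Can be empty if sslMode is disabled` in the values.yaml hunk `@@ -9,10 +6,10 @@` names a value that is not in the list one line above it; the option is spelled `disable`. The comment also understates the coupling between the two keys: with Postgres-style modes only `verify-ca` and `verify-full` validate the server certificate against a CA bundle, and only `verify-full` checks the hostname, so `require` connects encrypted but without authenticating the RDS endpoint. Suggest `# Required for verify-ca/verify-full; may be empty for disable` on `caCertFile`, and a short note on `sslMode` that anything weaker than verify-full does not authenticate the database server — assuming the emailsender hands these values to its Postgres driver unchanged, which this hunk cannot confirm.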
diff --git a/dp-terraform/helm/rhacs-terraform/values.yaml b/dp-terraform/helm/rhacs-terraform/values.yaml
index 623f3954ab..9798e85e12 100644
--- a/dp-terraform/helm/rhacs-terraform/values.yaml
+++ b/dp-terraform/helm/rhacs-terraform/values.yaml
@@ -71,34 +71,6 @@ fleetshardSync:
 printCentralUpdateDiff: false
 argoCdNamespace: openshift-gitops
-# Email sender service parameters
-# - enabled flag is used to completely enable/disable email sender service
-emailsender:
- enabled: false
- # Use this in case you apply this manifest against a cluster without service-ca operator
- # to turn of HTTPS and mounting the service-ca certs since they'll not be created
- db:
- sslMode: "verify-full"
- caCertFile: /rds_ca/aws-rds-ca-global-bundle.pem
- enableHTTPS: true
- replicas: 3
- image:
- repo: "quay.io/redhat-services-prod/acscs-rhacs-tenant/acscs-main/acs-emailsender"
- tag: null
- clusterId: ""
- clusterName: ""
- environment: ""
- senderAddress: "noreply@mail.rhacs-dev.com"
- authConfigFromKubernetes: true
- emailProvider: "AWS_SES"
- resources:
- requests:
- cpu: "100m"
- memory: "512Mi"
- limits:
- cpu: "200m"
- memory: "512Mi"
-
 global:
 image:
 tag: "latest"
From d899d77ab55d447d2a0d8e78d9292730e3fe6ea8 Mon Sep 17 00:00:00 2001
From: Yury Kovalev
Date: Thu, 23 Oct 2025 17:00:01 +0200
Subject: [PATCH 07/12] Cancel previous runs
---
.github/workflows/multicluster-e2e.yaml | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/.github/workflows/multicluster-e2e.yaml b/.github/workflows/multicluster-e2e.yaml
index 262ba03640..6ff2167637 100644
--- a/.github/workflows/multicluster-e2e.yaml
+++ b/.github/workflows/multicluster-e2e.yaml
@@ -24,6 +24,12 @@ on:
 - 'internal/central/pkg/handlers/admin_central.go'
 - 'internal/central/pkg/services/central.go'
+# Cancel previous runs
+# see: https://docs.github.com/en/actions/how-tos/write-workflows/choose-when-workflows-run/control-workflow-concurrency
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref || github.run_id }}
+ cancel-in-progress: true
+
 jobs:
 create-cluster:
 name: "Create Test Infra Clusters"
From 2bf58e8e1ec1c592763308a61dcf3ff96f0780ec Mon Sep 17 00:00:00 2001
From: Yury Kovalev
Date: Thu, 23 Oct 2025 17:51:47 +0200
Subject: [PATCH 08/12] No slack
---
.github/workflows/multicluster-e2e.yaml | 1 +
1 file changed, 1 insertion(+)
diff --git a/.github/workflows/multicluster-e2e.yaml b/.github/workflows/multicluster-e2e.yaml
index 6ff2167637..97c8981838 100644
--- a/.github/workflows/multicluster-e2e.yaml
+++ b/.github/workflows/multicluster-e2e.yaml
@@ -60,6 +60,7 @@ jobs:
 lifespan: 3h
 args: nodes=3,machine-type=m5.2xlarge
 wait: true
+ no-slack: true
 e2e-test:
 name: "Multicluster e2e tests"
From d1a38867ab7ddaca5594cee41900d00f144c369b Mon Sep 17 00:00:00 2001
From: Yury Kovalev
Date: Thu, 23 Oct 2025 18:22:16 +0200
Subject: [PATCH 09/12] Add description
---
.github/workflows/multicluster-e2e.yaml | 1 +
1 file changed, 1 insertion(+)
diff --git a/.github/workflows/multicluster-e2e.yaml b/.github/workflows/multicluster-e2e.yaml
index 97c8981838..ef233a83b1 100644
--- a/.github/workflows/multicluster-e2e.yaml
+++ b/.github/workflows/multicluster-e2e.yaml
@@ -57,6 +57,7 @@ jobs:
 token: ${{ secrets.INFRA_TOKEN }}
 flavor: osd-on-aws
 name: ${{ matrix.name }}-${{ steps.cluster_id.outputs.short_sha }}
+ description: "Used for acs-fleet-manager Multicluster E2E tests. Workflow run: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
 lifespan: 3h
 args: nodes=3,machine-type=m5.2xlarge
 wait: true
From adc52ffe189720373418b2dc90c89ef1174e8c92 Mon Sep 17 00:00:00 2001
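Review bot: `cancel-in-progress: true` on a workflow that provisions two cloud clusters means a newer push can cancel `create-cluster` while `wait: true` is still pending; the cancelled run's cleanup job then runs `infractl delete` against names that may not be registered yet, and the `exit 0` at the end of that step hides whether the delete did anything. The `lifespan: 3h` set on the create step bounds how long such a cluster can linger, but that reliance deserves stating next to this block, e.g. `# A cancelled run depends on the cleanup job plus the cluster lifespan to reclaim infra clusters`. The `|| github.run_id` fallback is never reached for push or pull_request triggers, since `github.ref` is always populated for them; harmless, but it reads as if it mattered.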
From: Yury Kovalev
Date: Thu, 23 Oct 2025 21:56:56 +0200
Subject: [PATCH 10/12] Switch multicluster test to rosa HCP
---
.github/workflows/multicluster-e2e.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/multicluster-e2e.yaml b/.github/workflows/multicluster-e2e.yaml
index ef233a83b1..b7291134a5 100644
--- a/.github/workflows/multicluster-e2e.yaml
+++ b/.github/workflows/multicluster-e2e.yaml
@@ -55,7 +55,7 @@ jobs:
 uses: stackrox/actions/infra/create-cluster@v1
 with:
 token: ${{ secrets.INFRA_TOKEN }}
- flavor: osd-on-aws
+ flavor: rosahcp
 name: ${{ matrix.name }}-${{ steps.cluster_id.outputs.short_sha }}
 description: "Used for acs-fleet-manager Multicluster E2E tests. Workflow run: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
 lifespan: 3h
From 6b03eeb71f66e1993c2c1701f698968071555df2 Mon Sep 17 00:00:00 2001
From: Yury Kovalev
Date: Thu, 23 Oct 2025 22:39:33 +0200
Subject: [PATCH 11/12] Do not use the app for the external-dns-operator
---
.../external-dns-operator/00-application.yaml | 30 -------------------
.../00-namespace.yaml | 0
.../01-subscription.yaml | 11 +++++++
.../02-operatorgroup.yaml | 9 ++++++
dev/env/scripts/bootstrap.sh | 2 --
5 files changed, 20 insertions(+), 32 deletions(-)
delete mode 100644 dev/env/manifests/external-dns-operator/00-application.yaml
rename dev/env/manifests/{external-dns => external-dns-operator}/00-namespace.yaml (100%)
create mode 100644 dev/env/manifests/external-dns-operator/01-subscription.yaml
create mode 100644 dev/env/manifests/external-dns-operator/02-operatorgroup.yaml
diff --git a/dev/env/manifests/external-dns-operator/00-application.yaml b/dev/env/manifests/external-dns-operator/00-application.yaml
deleted file mode 100644
index 635a377520..0000000000
--- a/dev/env/manifests/external-dns-operator/00-application.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
- name: rhacs-external-dns-operator
- namespace: "$ARGOCD_NAMESPACE"
-spec:
- destination:
- namespace: external-dns-operator
- server: https://kubernetes.default.svc
- project: default
- syncPolicy:
- automated:
- prune: true
- selfHeal: true
- syncOptions:
- - CreateNamespace=true
- managedNamespaceMetadata:
- labels:
- argocd.argoproj.io/managed-by: "$ARGOCD_NAMESPACE"
- app.kubernetes.io/managed-by: "$ARGOCD_NAMESPACE"
- retry:
- limit: -1
- backoff:
- duration: 5s
- factor: 2
- maxDuration: 3m
- source:
- repoURL: https://github.com/stackrox/acscs-manifests
- targetRevision: HEAD
- path: external-dns-operator
diff --git a/dev/env/manifests/external-dns/00-namespace.yaml b/dev/env/manifests/external-dns-operator/00-namespace.yaml
similarity index 100%
rename from dev/env/manifests/external-dns/00-namespace.yaml
rename to dev/env/manifests/external-dns-operator/00-namespace.yaml
diff --git a/dev/env/manifests/external-dns-operator/01-subscription.yaml b/dev/env/manifests/external-dns-operator/01-subscription.yaml
new file mode 100644
index 0000000000..df212f6266
--- /dev/null
+++ b/dev/env/manifests/external-dns-operator/01-subscription.yaml
@@ -0,0 +1,11 @@
+apiVersion: operators.coreos.com/v1alpha1
+kind: Subscription
+metadata:
+ name: external-dns-operator
+ namespace: external-dns-operator
+spec:
+ channel: stable-v1
+ installPlanApproval: Automatic
+ name: external-dns-operator
+ source: redhat-operators
+ sourceNamespace: openshift-marketplace
diff --git a/dev/env/manifests/external-dns-operator/02-operatorgroup.yaml b/dev/env/manifests/external-dns-operator/02-operatorgroup.yaml
new file mode 100644
index 0000000000..7ddf7f88cd
--- /dev/null
+++ b/dev/env/manifests/external-dns-operator/02-operatorgroup.yaml
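Review bot: The new Subscription (hunk `@@ -0,0 +1,11 @@`) sets `installPlanApproval: Automatic` on `channel: stable-v1` with no `startingCSV`, so the dev bootstrap installs whatever version the `redhat-operators` catalog currently publishes and upgrades it without review; acceptable for a dev environment, but it should say so, e.g. `# Tracks the latest CSV on stable-v1; deliberately unpinned (dev env only)`. In the same commit the bootstrap.sh hunk removes `apply "${MANIFESTS_DIR}/external-dns-operator"` and keeps only `wait_for_crd externaldnses.externaldns.olm.openshift.io`; nothing visible in this series applies the new Subscription and OperatorGroup, so unless an apply of that directory happens elsewhere in the script, that wait never returns. OLM also resolves a Subscription only once an OperatorGroup exists in its namespace, so if the directory is applied in filename order the `02-operatorgroup.yaml` lands after the Subscription; it reconciles eventually, but numbering the OperatorGroup ahead of the Subscription avoids the transient resolution error.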
@@ -0,0 +1,9 @@
+apiVersion: operators.coreos.com/v1
+kind: OperatorGroup
+metadata:
+ name: external-dns-operator
+ namespace: external-dns-operator
+spec:
+ targetNamespaces:
+ - external-dns-operator
+ upgradeStrategy: Default
diff --git a/dev/env/scripts/bootstrap.sh b/dev/env/scripts/bootstrap.sh
index 2a9cfb64ee..628e48d791 100755
--- a/dev/env/scripts/bootstrap.sh
+++ b/dev/env/scripts/bootstrap.sh
@@ -122,8 +122,6 @@ apply "${MANIFESTS_DIR}/addons/acs-fleetshard"
 if is_openshift_cluster "$CLUSTER_TYPE"; then
 log "Installing ExternalDNS for OpenShift"
-wait_for_crd "applications.argoproj.io"
-apply "${MANIFESTS_DIR}/external-dns-operator"
 wait_for_crd externaldnses.externaldns.olm.openshift.io
From 71b2fc661f282ec0bcc6548a729851405e6249f4 Mon Sep 17 00:00:00 2001
From: Yury Kovalev
Date: Thu, 23 Oct 2025 22:42:10 +0200
Subject: [PATCH 12/12] keep the clusters in case of failure for debugging
---
.github/workflows/multicluster-e2e.yaml | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/multicluster-e2e.yaml b/.github/workflows/multicluster-e2e.yaml
index b7291134a5..6853daf239 100644
--- a/.github/workflows/multicluster-e2e.yaml
+++ b/.github/workflows/multicluster-e2e.yaml
@@ -122,7 +122,9 @@ jobs:
 name: "Cleanup Test Infra Clusters"
 runs-on: ubuntu-latest
 needs: [create-cluster, e2e-test]
- if: ${{ !github.event.pull_request.head.repo.fork && !github.event.pull_request.draft && always() }} # do not run for PRs from forks
+ # do not run for PRs from forks
+ # keep the clusters in case of failure for debugging
+ if: ${{ !github.event.pull_request.head.repo.fork && !github.event.pull_request.draft && (success() || cancelled()) }}
 environment: development
 env:
 INFRA_TOKEN: ${{ secrets.INFRA_TOKEN }}
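Review bot: With `if: … (success() || cancelled())` in the last hunk (`@@ -122,7 +122,9 @@`) a failed run keeps `acscs1-<sha>` and `acscs2-<sha>` alive as intended, but they are then reclaimed only by the `lifespan: 3h` given at creation, and a re-run of the same commit produces the same `short_sha` and so the same cluster names while the kept clusters still exist; both consequences belong in the comment, e.g. `# on failure the clusters are kept for debugging until their 3h lifespan expires; re-running the same SHA before then reuses the names`. `success()` is evaluated over every job in `needs`, so a failure in one matrix leg of `create-cluster` also preserves the cluster the other leg created successfully, which is broader than "in case of failure" suggests; presumably acceptable, but not what the comment says.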