├── README.md ├── note.txt ├── openshift-gitops-operator └── overlays │ └── dex │ └── kustomization.yaml ├── openshift-gitops ├── base │ ├── cluster-role-binding.yaml │ ├── kustomization.yaml │ ├── namespace.yaml │ └── openshift-gitops-cr.yaml └── overlays │ ├── default │ └── kustomization.yaml │ ├── dex │ └── kustomization.yaml │ └── home │ └── kustomization.yaml └── setup.sh /README.md: -------------------------------------------------------------------------------- 1 | ### Introduction 2 | 3 | This repository is for bootstrapping the initial Red Hat gitops-operator into a cluster. The `setup.sh` script performs the following steps: 4 | 5 | 1. Install the operator and wait for the installation to complete 6 | 2. Overwrite the default `openshift-gitops` instance with my preferred configuration. 7 | 8 | ### Usage 9 | 10 | To install the operator, log in as a user with `cluster-admin` privileges and use the command: 11 | 12 | ``` 13 | ./setup.sh [overlay] 14 | ``` 15 | 16 | Where `overlay` is the name of the cluster configuration you want to install. This name must match an overlay in the `openshift-gitops/overlays` folder; if you do not specify a name, the `dex` overlay is used. 17 | 18 | The reason we need overlays for specific configurations is to have options for both RH-SSO and Dex for integrated authentication. Using an SSO instance to manage the Argo CD authentication requires a cluster-specific issuer URL; see the `home` overlay for an example. 
--------------------------------------------------------------------------------
/note.txt:
--------------------------------------------------------------------------------
Use env variable ARGOCD_CLUSTER_CONFIG_NAMESPACES to deploy in alternate namespace

--------------------------------------------------------------------------------
/openshift-gitops-operator/overlays/dex/kustomization.yaml:
--------------------------------------------------------------------------------
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

# Remote base fetched by kustomize at build time. No git ref is pinned in the
# URL, so what gets installed follows whatever the upstream "latest" overlay
# currently contains; pin a ref (?ref=...) if reproducible installs matter.
bases:
- github.com/redhat-cop/gitops-catalog/openshift-gitops-operator/overlays/latest
--------------------------------------------------------------------------------
/openshift-gitops/base/cluster-role-binding.yaml:
--------------------------------------------------------------------------------
# Grants cluster-admin to the Argo CD application controller service account.
# Consequence: anyone who can create or sync an Application through this Argo CD
# instance can create any resource in the cluster, so the rbac section of the
# ArgoCD CR (role:readonly by default, role:admin only for the listed groups) is
# the effective privilege boundary and should be reviewed together with this file.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: argocd-application-controller-cluster-admin
subjects:
- kind: ServiceAccount
  name: openshift-gitops-argocd-application-controller
  namespace: openshift-gitops
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin

--------------------------------------------------------------------------------
/openshift-gitops/base/kustomization.yaml:
--------------------------------------------------------------------------------
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

# namespace.yaml is deliberately not applied here: setup.sh waits for the
# openshift-gitops namespace to exist before this base is built and applied.
resources:
# - namespace.yaml
- cluster-role-binding.yaml
- openshift-gitops-cr.yaml
--------------------------------------------------------------------------------
/openshift-gitops/base/namespace.yaml:
--------------------------------------------------------------------------------
# Kept for reference only; it is commented out of base/kustomization.yaml.
apiVersion: v1
kind: Namespace
metadata:
  annotations:
    openshift.io/display-name: OpenShift GitOps
  name: openshift-gitops
--------------------------------------------------------------------------------
/openshift-gitops/base/openshift-gitops-cr.yaml:
--------------------------------------------------------------------------------
# ArgoCD instance that replaces the operator's default one (see setup.sh).
apiVersion: argoproj.io/v1alpha1
kind: ArgoCD
metadata:
  name: openshift-gitops
  namespace: openshift-gitops
spec:
  # Track managed resources by annotation rather than the app.kubernetes.io/instance label.
  resourceTrackingMethod: annotation
  # Enables the ApplicationSet controller with default settings.
  applicationSet: {}
  # Lets kustomize inflate Helm charts (helmCharts field) in repositories served
  # by this instance; charts are pulled by the repo server at build time.
  kustomizeBuildOptions: "--enable-helm"
  # Dex delegates login to the OpenShift OAuth server. The dex overlay re-applies
  # this block; the home overlay adds spec.oidcConfig on top of it.
  # NOTE(review): confirm the operator accepts sso.provider=dex together with
  # oidcConfig for the home overlay.
  sso:
    dex:
      openShiftOAuth: true
    provider: dex
  controller:
    resources:
      limits:
        cpu: '2'
        memory: 3Gi
      requests:
        cpu: 250m
        memory: 2Gi
  notifications:
    enabled: true
  repo:
    resources:
      limits:
        cpu: '1'
        memory: 1.5Gi
      requests:
        cpu: 250m
        memory: 768Mi
  redis:
    resources:
      limits:
        cpu: 500m
        memory: 512Mi
      requests:
        cpu: 250m
        memory: 256Mi
  server:
    # insecure: true disables TLS on the argocd-server pod itself. TLS is
    # terminated at the OpenShift route (edge) and plain HTTP is redirected, so
    # the only plaintext hop is router -> pod inside the cluster network.
    insecure: true
    route:
      enabled: true
      tls:
        termination: edge
        insecureEdgeTerminationPolicy: Redirect
  # Per-kind Lua health checks and ignoreDifferences, supplied as one YAML
  # string. Everything under this key is inside a block scalar, so YAML comments
  # cannot be placed within it.
  resourceCustomizations: |
    argoproj.io/Application:
      health.lua: |
        hs = {}
        hs.status = "Progressing"
        hs.message = ""
        if obj.status ~= nil then
          if obj.status.health ~= nil then
            hs.status = obj.status.health.status
            hs.message = obj.status.health.message
          end
        end
        return hs
    operators.coreos.com/Subscription:
      health.lua: |
        health_status = {}
        if obj.status ~= nil then
          if obj.status.conditions ~= nil then
            numDegraded = 0
            numPending = 0
            msg = ""
            for i, condition in pairs(obj.status.conditions) do
              msg = msg .. i .. ": " .. condition.type .. " | " .. condition.status .. "\n"
              if condition.type == "InstallPlanPending" and condition.status == "True" then
                numPending = numPending + 1
              elseif (condition.type == "InstallPlanMissing" and condition.reason ~= "ReferencedInstallPlanNotFound") then
                numDegraded = numDegraded + 1
              elseif (condition.type == "CatalogSourcesUnhealthy" or condition.type == "InstallPlanFailed" or condition.type == "ResolutionFailed") and condition.status == "True" then
                numDegraded = numDegraded + 1
              end
            end
            if numDegraded == 0 and numPending == 0 then
              health_status.status = "Healthy"
              health_status.message = msg
              return health_status
            elseif numPending > 0 and numDegraded == 0 then
              health_status.status = "Progressing"
              health_status.message = "An install plan for a subscription is pending installation"
              return health_status
            else
              health_status.status = "Degraded"
              health_status.message = msg
              return health_status
            end
          end
        end
        health_status.status = "Progressing"
        health_status.message = "An install plan for a subscription is pending installation"
        return health_status
    platform.stackrox.io/Central:
      health.lua: |
        hs = {}
        if obj.status ~= nil and obj.status.conditions ~= nil then
          for i, condition in ipairs(obj.status.conditions) do
            if condition.status == "True" or condition.reason == "InstallSuccessful" or condition.reason == "UpgradeSuccessful" then
              hs.status = "Healthy"
              hs.message = "Install Successful"
              return hs
            end
          end
        end
        hs.status = "Progressing"
        hs.message = "Waiting for Central to deploy."
        return hs
    route.openshift.io/Route:
      ignoreDifferences: |
        jsonPointers:
        - /status/ingress
    image.openshift.io/ImageStream:
      health.lua: |
        hs = {}
        hs.status = "Progressing"
        hs.message = ""
        if obj.status ~= nil then
          if obj.status.tags ~= nil then
            numTags = 0
            for _ , item in pairs(obj.status.tags) do
              numTags = numTags + 1
              numItems = 0
              if item.tags ~= nil then
                for _ , item in pairs(item.tags) do
                  numItems = numItems + 1
                end
                if numItems == 0 then
                  return hs
                end
              end
            end
            if numTags > 0 then
              hs.status = "Healthy"
              hs.message = "ImageStream has tags resolved"
              return hs
            end
          end
        end
        return hs
    quay.redhat.com/QuayRegistry:
      ignoreDifferences: |
        jsonPointers:
        - /spec/components
    operators.coreos.com/InstallPlan:
      health.lua: |
        hs = {}
        if obj.status ~= nil then
          if obj.status.phase ~= nil then
            if obj.status.phase == "Complete" then
              hs.status = "Healthy"
              hs.message = obj.status.phase
              return hs
            end
          end
        end
        hs.status = "Progressing"
        hs.message = "Waiting for InstallPlan to complete"
        return hs
    build.openshift.io/Build:
      health.lua: |
        hs = {}
        if obj.status ~= nil then
          if obj.status.phase ~= nil then
            if obj.status.phase == "Complete" then
              hs.status = "Healthy"
              hs.message = obj.status.phase
              return hs
            end
          end
        end
        hs.status = "Progressing"
        hs.message = "Waiting for Build to complete"
        return hs
    PersistentVolumeClaim:
      health.lua: |
        hs = {}
        if obj.status ~= nil then
          if obj.status.phase ~= nil then
            if obj.status.phase == "Pending" then
              hs.status = "Healthy"
              hs.message = obj.status.phase
              return hs
            end
            if obj.status.phase == "Bound" then
              hs.status = "Healthy"
              hs.message = obj.status.phase
              return hs
            end
          end
        end
        hs.status = "Progressing"
        hs.message = "Waiting for certificate"
        return hs
  # Kinds Argo CD will neither cache nor manage. Excluded kinds are invisible to
  # Argo CD, so drift in them is never reported; presumably chosen because these
  # are high-volume, short-lived objects.
  resourceExclusions: |
    - apiGroups:
      - tekton.dev
      clusters:
      - '*'
      kinds:
      - TaskRun
      - PipelineRun
    - apiGroups:
      - compliance.openshift.io
      kinds:
      - ComplianceCheckResult
      - ComplianceRemediation
  # Single-replica Redis; not highly available.
  ha:
    enabled: false
  # Authorization inside Argo CD. Every authenticated user falls back to
  # role:readonly; only the listed groups (matched via the groups scope) get
  # role:admin. Because the application controller holds cluster-admin (see
  # cluster-role-binding.yaml), role:admin here effectively means admin over
  # everything the controller can reach, so membership of these groups should be
  # tightly controlled.
  rbac:
    defaultPolicy: role:readonly
    policy: |
      g, system:cluster-admins, role:admin
      g, argocdadmins, role:admin
      g, argocdusers, role:readonly
    scopes: "[groups]"
--------------------------------------------------------------------------------
/openshift-gitops/overlays/default/kustomization.yaml:
--------------------------------------------------------------------------------
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

# Plain base with no patches; Dex/OpenShift OAuth login as configured in the CR.
bases:
- ../../base
--------------------------------------------------------------------------------
/openshift-gitops/overlays/dex/kustomization.yaml:
--------------------------------------------------------------------------------
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

bases:
- ../../base

# JSON patch "add" on an existing path replaces it. The base CR already sets
# spec.sso.dex.openShiftOAuth: true, so this overlay currently produces the same
# CR as the default overlay.
patches:
- patch: |-
    - op: add
      path: /spec/sso/dex
      value:
        openShiftOAuth: true
  target:
    kind: ArgoCD

--------------------------------------------------------------------------------
/openshift-gitops/overlays/home/kustomization.yaml:
--------------------------------------------------------------------------------
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

bases:
- ../../base

# Adds an external OIDC (RH-SSO/Keycloak) provider. oidcConfig is a string in
# the ArgoCD CR, hence the nested block scalar; the issuer is cluster-specific,
# which is why this lives in a per-cluster overlay. The client secret is looked
# up from argocd-secret at runtime rather than committed here.
patches:
- patch: |-
    - op: add
      path: /spec/oidcConfig
      value: |
        name: OpenShift Single Sign-On
        issuer: https://sso-sso.apps.home.ocplab.com/auth/realms/openshift
clientID: openshift-gitops 15 | clientSecret: $oidc.keycloak.clientSecret 16 | requestedScopes: ["openid", "profile", "email", "groups"] 17 | target: 18 | kind: ArgoCD -------------------------------------------------------------------------------- /setup.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | LANG=C 4 | SLEEP_SECONDS=45 5 | 6 | OVERLAY=dex 7 | 8 | if [ $# -gt 0 ]; then 9 | OVERLAY=$1 10 | echo "Using specified overlay $1" 11 | fi 12 | 13 | if [ ! -d "openshift-gitops/overlays/${OVERLAY}" ]; then 14 | echo "Overlay ${OVERLAY} does not exist in path openshift-gitops/overlays/${OVERLAY}" 15 | exit 1 16 | fi 17 | 18 | echo "" 19 | echo "Installing GitOps Operator." 20 | 21 | kustomize build openshift-gitops-operator/overlays/dex | oc apply -f - 22 | 23 | echo "Pause $SLEEP_SECONDS seconds for the creation of the gitops-operator..." 24 | sleep $SLEEP_SECONDS 25 | 26 | echo "Waiting for operator to start" 27 | until oc get deployment gitops-operator-controller-manager -n openshift-operators 28 | do 29 | sleep 5; 30 | done 31 | 32 | echo "Waiting for openshift-gitops namespace to be created" 33 | until oc get ns openshift-gitops 34 | do 35 | sleep 5; 36 | done 37 | 38 | echo "Waiting for deployments to start" 39 | until oc get deployment cluster -n openshift-gitops 40 | do 41 | sleep 5; 42 | done 43 | 44 | echo "Waiting for all pods to be created" 45 | deployments=(cluster kam openshift-gitops-applicationset-controller openshift-gitops-redis openshift-gitops-repo-server openshift-gitops-server) 46 | for i in "${deployments[@]}"; 47 | do 48 | echo "Waiting for deployment $i"; 49 | oc rollout status deployment $i -n openshift-gitops 50 | done 51 | 52 | echo "Apply overlay to override default instance" 53 | # echo "Create default instance of gitops operator" 54 | kustomize build openshift-gitops/overlays/${OVERLAY} | oc apply -f - 55 | 56 | sleep 10 57 | echo "Waiting for all pods to redeploy" 58 | 
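# Second readiness pass: the overlay applied above replaces the operator's
# default ArgoCD CR, so every component deployment is rolled again. This list
# mirrors the one used for the first pass after the operator install.
deployments=(cluster kam openshift-gitops-applicationset-controller openshift-gitops-redis openshift-gitops-repo-server openshift-gitops-server)
for i in "${deployments[@]}"; do
  echo "Waiting for deployment $i"
  # oc rollout status exits non-zero when a rollout fails or exceeds its
  # progress deadline; previously that was ignored and the script still
  # reported "ready".
  if ! oc rollout status deployment "$i" -n openshift-gitops; then
    echo "Deployment $i did not roll out successfully" >&2
    exit 1
  fi
done

echo "GitOps Operator ready"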