Merge pull request #109 from mbaldessari/ourown-gitops

Allow clusterwide namespace to be a parameter

Author: mbaldessari

templates/_helpers.tpl

@@ -38,6 +38,8 @@ Default always defined top-level variables for helm charts
   value: {{ $.Values.global.deletePattern }}
 - name: global.gitOpsSubNamespace
   value: {{ $.Values.global.gitOpsSubNamespace | default "" }}
+- name: global.vpArgoNamespace
+  value: {{ $.Values.global.vpArgoNamespace }}
 {{- end }} {{/* clustergroup.globalvaluesparameters */}}
 
 
@@ -127,13 +129,14 @@ Called from common/clustergroup/templates/plumbing/projects.yaml
 {{- $projects := index . 0 }}
 {{- $namespace := index . 1 }}
 {{- $enabled := index . 2 }}
+{{- $argoNamespace := index . 3 }}
 {{- range $k, $v := $projects}}
 apiVersion: argoproj.io/v1alpha1
 kind: AppProject
 metadata:
   name: {{ $k }}
 {{- if (eq $enabled "plumbing") }}
-  namespace: openshift-gitops
+  namespace: {{ $argoNamespace }}
 {{- else }}
   namespace: {{ $namespace }}
 {{- end }}
@@ -155,21 +158,22 @@ status: {}
 {{- end }}
 {{- end }}
 
-{{/* 
+{{/*
   Helper function to generate AppProject from a list object.
-  Called from common/clustergroup/templates/plumbing/projects.yaml 
+  Called from common/clustergroup/templates/plumbing/projects.yaml
 */}}
 {{- define "clustergroup.template.plumbing.projects.list" -}}
 {{- $projects := index . 0 }}
 {{- $namespace := index . 1 }}
 {{- $enabled := index . 2 }}
+{{- $argoNamespace := index . 3 }}
 {{- range $projects}}
 apiVersion: argoproj.io/v1alpha1
 kind: AppProject
 metadata:
   name: {{ . }}
 {{- if (eq $enabled "plumbing") }}
-  namespace: openshift-gitops
+  namespace: {{ $argoNamespace }}
 {{- else }}
   namespace: {{ $namespace }}
 {{- end }}

templates/imperative/_helpers.tpl

@@ -46,15 +46,15 @@
   - 'sh'
   - '-c'
   - >-
-    if ! oc get secrets -n openshift-gitops vp-private-repo-credentials &> /dev/null; then
+    if ! oc get secrets -n {{ $.Values.global.vpArgoNamespace }} vp-private-repo-credentials &> /dev/null; then
       URL="{{ $.Values.global.repoURL }}";
     else
-      if ! oc get secrets -n openshift-gitops vp-private-repo-credentials -o go-template='{{ `{{index .data.sshPrivateKey | base64decode}}` }}' &>/dev/null; then
-        U="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{ `{{index .data.username | base64decode }}` }}')";
-        P="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{ `{{index .data.password | base64decode }}` }}')";
+      if ! oc get secrets -n {{ $.Values.global.vpArgoNamespace }} vp-private-repo-credentials -o go-template='{{ `{{index .data.sshPrivateKey | base64decode}}` }}' &>/dev/null; then
+        U="$(oc get secret -n {{ $.Values.global.vpArgoNamespace }} vp-private-repo-credentials -o go-template='{{ `{{index .data.username | base64decode }}` }}')";
+        P="$(oc get secret -n {{ $.Values.global.vpArgoNamespace }} vp-private-repo-credentials -o go-template='{{ `{{index .data.password | base64decode }}` }}')";
         URL=$(echo {{ $.Values.global.repoURL }} | sed -E "s/(https?:\/\/)/\1${U}:${P}@/");
       else
-        S="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{ `{{index .data.sshPrivateKey | base64decode }}` }}')";
+        S="$(oc get secret -n {{ $.Values.global.vpArgoNamespace }} vp-private-repo-credentials -o go-template='{{ `{{index .data.sshPrivateKey | base64decode }}` }}')";
         mkdir -p --mode 0700 "${HOME}/.ssh";
         echo "${S}" > "${HOME}/.ssh/id_rsa";
         chmod 0600 "${HOME}/.ssh/id_rsa";

templates/plumbing/argoProjects.yaml

@@ -18,7 +18,7 @@
 {{- end }}
 
 {{- if kindIs "map" $projects }}
-{{- template "clustergroup.template.plumbing.projects.map" (list $projects $namespace $.Values.enabled) }}  
+{{- template "clustergroup.template.plumbing.projects.map" (list $projects $namespace $.Values.enabled $.Values.global.vpArgoNamespace) }}
 {{- else }}
 {{- range $projects }}
 apiVersion: argoproj.io/v1alpha1

templates/plumbing/argocd-super-role.yaml

@@ -1,24 +1,24 @@
 # WARNING: ONLY USE THIS FOR MANAGING CLUSTERS NOT FOR REGULAR USERS
 # This CRB is also pre-created by the ACM policy (application-policies.yaml)
-# on managed clusters to ensure the openshift-gitops controller has cluster-admin
+# on managed clusters to ensure the ArgoCD controller has cluster-admin
 # before the first sync. It's kept here for non-ACM deployments.
 # See the commit messages around this change for a full explanation
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: openshift-gitops-cluster-admin-rolebinding
+  name: {{ $.Values.global.vpArgoNamespace }}-cluster-admin-rolebinding
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: cluster-admin
 subjects:
   - kind: ServiceAccount
-    name: openshift-gitops-argocd-application-controller
-    namespace: openshift-gitops
+    name: {{ $.Values.global.vpArgoNamespace }}-argocd-application-controller
+    namespace: {{ $.Values.global.vpArgoNamespace }}
   # NOTE: THIS MUST BE FIXED FOR MULTITENANT SETUP
   - kind: ServiceAccount
-    name: openshift-gitops-argocd-server
-    namespace: openshift-gitops
+    name: {{ $.Values.global.vpArgoNamespace }}-argocd-server
+    namespace: {{ $.Values.global.vpArgoNamespace }}
 ---
 # WARNING: ONLY USE THIS FOR MANAGING CLUSTERS NOT FOR REGULAR USERS
 apiVersion: rbac.authorization.k8s.io/v1

tests/application_multi_source_test.yaml

@@ -62,7 +62,7 @@ tests:
           value: acm
         lengthEqual:
           path: spec.sources[1].helm.parameters
-          count: 18
+          count: 19
       - documentSelector:
           path: metadata.name
           value: vault
@@ -96,4 +96,4 @@ tests:
           value: acm
         lengthEqual:
           path: spec.sources[1].helm.parameters
-          count: 20
+          count: 21

tests/argocd_super_role_test.yaml

@@ -0,0 +1,98 @@
+suite: Test argocd-super-role with vpArgoNamespace
+templates:
+  - templates/plumbing/argocd-super-role.yaml
+release:
+  name: release-test
+tests:
+  - it: should use default vpArgoNamespace (openshift-gitops) in first ClusterRoleBinding
+    set:
+      global:
+        pattern: common
+        vpArgoNamespace: openshift-gitops
+      clusterGroup:
+        name: hub
+    asserts:
+      - documentIndex: 0
+        isKind:
+          of: ClusterRoleBinding
+      - documentIndex: 0
+        equal:
+          path: metadata.name
+          value: openshift-gitops-cluster-admin-rolebinding
+      - documentIndex: 0
+        equal:
+          path: subjects[0].name
+          value: openshift-gitops-argocd-application-controller
+      - documentIndex: 0
+        equal:
+          path: subjects[0].namespace
+          value: openshift-gitops
+      - documentIndex: 0
+        equal:
+          path: subjects[1].name
+          value: openshift-gitops-argocd-server
+      - documentIndex: 0
+        equal:
+          path: subjects[1].namespace
+          value: openshift-gitops
+
+  - it: should use custom vpArgoNamespace in first ClusterRoleBinding
+    set:
+      global:
+        pattern: common
+        vpArgoNamespace: my-custom-gitops
+      clusterGroup:
+        name: hub
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: metadata.name
+          value: my-custom-gitops-cluster-admin-rolebinding
+      - documentIndex: 0
+        equal:
+          path: subjects[0].name
+          value: my-custom-gitops-argocd-application-controller
+      - documentIndex: 0
+        equal:
+          path: subjects[0].namespace
+          value: my-custom-gitops
+      - documentIndex: 0
+        equal:
+          path: subjects[1].name
+          value: my-custom-gitops-argocd-server
+      - documentIndex: 0
+        equal:
+          path: subjects[1].namespace
+          value: my-custom-gitops
+
+  - it: should produce two ClusterRoleBinding documents
+    set:
+      global:
+        pattern: common
+        vpArgoNamespace: openshift-gitops
+      clusterGroup:
+        name: hub
+    asserts:
+      - hasDocuments:
+          count: 2
+
+  - it: second ClusterRoleBinding should use pattern-clusterGroup namespace (not vpArgoNamespace)
+    set:
+      global:
+        pattern: mypattern
+        vpArgoNamespace: my-custom-gitops
+      clusterGroup:
+        name: edge
+    asserts:
+      - documentIndex: 1
+        equal:
+          path: metadata.name
+          value: mypattern-edge-cluster-admin-rolebinding
+      - documentIndex: 1
+        equal:
+          path: subjects[0].namespace
+          value: mypattern-edge
+      - documentIndex: 1
+        equal:
+          path: subjects[1].namespace
+          value: mypattern-edge

tests/argoprojects_test.yaml

@@ -105,7 +105,7 @@ tests:
       - hasDocuments:
           count: 2
       - documentSelector:
-          path: metadata.name  
+          path: metadata.name
           value: foo
         isSubset:
           path: spec
@@ -123,7 +123,7 @@ tests:
             sourceRepos:
             - '*'
       - documentSelector:
-          path: metadata.name  
+          path: metadata.name
           value: bar
         isSubset:
           path: spec
@@ -140,3 +140,64 @@ tests:
               kind: '*'
             sourceRepos:
             - '*'
+
+  - it: should use vpArgoNamespace for map projects when enabled is plumbing
+    set:
+      enabled: plumbing
+      global:
+        pattern: testpattern
+        vpArgoNamespace: my-custom-gitops
+      clusterGroup:
+        name: hub
+        argoProjects:
+          proj-one:
+          proj-two:
+    asserts:
+      - hasDocuments:
+          count: 2
+      - documentSelector:
+          path: metadata.name
+          value: proj-one
+        equal:
+          path: metadata.namespace
+          value: my-custom-gitops
+      - documentSelector:
+          path: metadata.name
+          value: proj-two
+        equal:
+          path: metadata.namespace
+          value: my-custom-gitops
+
+  - it: should use default vpArgoNamespace for map projects when enabled is plumbing
+    set:
+      enabled: plumbing
+      global:
+        pattern: testpattern
+        vpArgoNamespace: openshift-gitops
+      clusterGroup:
+        name: hub
+        argoProjects:
+          my-project:
+    asserts:
+      - hasDocuments:
+          count: 1
+      - equal:
+          path: metadata.namespace
+          value: openshift-gitops
+
+  - it: should use pattern namespace for map projects when enabled is not plumbing
+    set:
+      enabled: something-else
+      global:
+        pattern: testpattern
+        vpArgoNamespace: my-custom-gitops
+      clusterGroup:
+        name: hub
+        argoProjects:
+          my-project:
+    asserts:
+      - hasDocuments:
+          count: 1
+      - equal:
+          path: metadata.namespace
+          value: testpattern-hub

values.yaml

@@ -1,6 +1,8 @@
 global:
   extraValueFiles: []
   pattern: common
+  # cluster-wide argo namespace
+  vpArgoNamespace: openshift-gitops
   secretLoader:
     disabled: false
   secretStore: