Bump the versions of the operators (#164)
* Bump the versions of the operators for: Tekton, GitOps & ArgoCD. Review instructions

Signed-off-by: cmoulliard <[email protected]>

* Remove pipelineRun as resource to be excluded

Signed-off-by: cmoulliard <[email protected]>

* Add RBAC for the backstage SA used to access the kubernetes resources

Signed-off-by: cmoulliard <[email protected]>

---------

Signed-off-by: cmoulliard <[email protected]>
cmoulliard authored Jun 26, 2024
1 parent eec2062 commit 6a5e61b
Showing 6 changed files with 133 additions and 124 deletions.
71 changes: 35 additions & 36 deletions README.md
Expand Up @@ -19,20 +19,20 @@ The backstage QShift application has been designed to showcase QShift (Quarkus o
| Backstage plugin | Backend system |
|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------|
| [Core - 1.27.x](https://github.com/backstage/versions/blob/main/v1/releases/1.23.4/manifest.json) | GitHub |
| [Kubernetes](https://backstage.io/docs/features/kubernetes/) | OpenShift 4.14 |
| [Quarkus front & backend](https://github.com/q-shift/backstage-plugins) | code.quarkus.io, OpenShift Virtualization 4.14.3 |
| [Quarkus Console](https://github.com/q-shift/backstage-plugins?tab=readme-ov-file#quarkus-console) | OpenShift 4.14 |
| ArgoCD [front](https://github.com/RoadieHQ/roadie-backstage-plugins/tree/main/plugins/frontend/backstage-plugin-argo-cd) & [backend](https://github.com/RoadieHQ/roadie-backstage-plugins/tree/main/plugins/scaffolder-actions/scaffolder-backend-argocd) | OpenShift GitOps 1.11.1 |
| [Tekton](https://github.com/janus-idp/backstage-plugins/tree/main/plugins/tekton) | OpenShift Pipelines 1.13.1 |
| [Topology](https://github.com/janus-idp/backstage-plugins/tree/main/plugins/topology) | OpenShift 4.14 |
| [Kubernetes](https://backstage.io/docs/features/kubernetes/) | OpenShift 4.15 |
| [Quarkus front & backend](https://github.com/q-shift/backstage-plugins) | code.quarkus.io, OpenShift Virtualization 4.15.2 |
| [Quarkus Console](https://github.com/q-shift/backstage-plugins?tab=readme-ov-file#quarkus-console) | OpenShift 4.15 |
| ArgoCD [front](https://github.com/RoadieHQ/roadie-backstage-plugins/tree/main/plugins/frontend/backstage-plugin-argo-cd) & [backend](https://github.com/RoadieHQ/roadie-backstage-plugins/tree/main/plugins/scaffolder-actions/scaffolder-backend-argocd) | OpenShift GitOps 1.12.3 |
| [Tekton](https://github.com/janus-idp/backstage-plugins/tree/main/plugins/tekton) | OpenShift Pipelines 1.15.0 |
| [Topology](https://github.com/janus-idp/backstage-plugins/tree/main/plugins/topology) | OpenShift 4.15 |
| [DevTools](https://github.com/backstage/backstage/blob/master/plugins/devtools/README.md) | |

**Note**: This backstage application is based on the backstage's version: 1.27.x

## Prerequisites

- [nvm](https://github.com/nvm-sh/nvm)
- [Node.js](https://nodejs.org/en) (18 or 20.x but not 22 as it fails on macOS as node-gyp fails to build: isolated-vm)
- [Node.js](https://nodejs.org/en) (20.x but not 22 as it fails on macOS as node-gyp fails to build: isolated-vm)
- [Yarn](https://yarnpkg.com/migration/guide). It is mandatory to migrate from yarn 1.x to 4.x and to enable `corepack enable` !
- [GitHub client](https://cli.github.com/) (optional)
- [argocd client](https://argo-cd.readthedocs.io/en/stable/getting_started/#2-download-argo-cd-cli) (optional)
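Review bot: In the plugin table, the `Core - 1.27.x` row still links to `versions/blob/main/v1/releases/1.23.4/manifest.json`, so the label and the linked manifest disagree. Since this change already updates the neighbouring version cells, point that link at the manifest for the release the note below the table names (1.27.x), or drop the version from the link text.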
Expand All @@ -41,7 +41,7 @@ The backstage QShift application has been designed to showcase QShift (Quarkus o

## Provision an ocp cluster

The following section details the different commands to be used to deploy the backend systems needed by QShift on a new OCP cluster (e.g. 4.14.10)
The following section details the different commands to be used to deploy the backend systems needed by QShift on a new OCP cluster (e.g. 4.15.x)

#### Kubevirt

Expand Down Expand Up @@ -75,42 +75,25 @@ kubectl apply -f subscription-gitops.yml

To use ArgoCD with QShift, it is needed to delete the existing `ArgoCD` CR and to deploy our `ArgoCD` CR.

**Note**: Our CR includes different changes needed to work with QShift: `sourceNamespaces`, `extraConfig` and `tls.termination: reencrypt` and `resourceExclusions`
**Note**: Our CR includes different changes needed to work with QShift:
- `extraConfig: resource.customizations.health.PersistentVolumeClaim` to avoid that ArgoCD watch the PVC resources
- `tls.termination: reencrypt` to allow to access the ArgoCD route

**Todo**: The previous note should be documented to explain the changes needed !

```bash
kubectl delete argocd/openshift-gitops -n openshift-gitops
```
Substitute within the `ArgoCD` CR the <MY_NAMESPACE> to be used using this command
```bash
cat argocd.tmpl | NAMESPACE=<MY_NAMESPACE> envsubst > argocd.yml
kubectl delete argocd/argocd -n openshift-gitops
kubectl apply -f argocd.yml
```
**Todo**: Instead of deleting and recreating a new ArgoCD CR, we should patch it or install it using kustomize, helm chart. Example: https://github.com/redhat-cop/agnosticd/blob/development/ansible/roles_ocp_workloads/ocp4_workload_openshift_gitops/templates/openshift-gitops.yaml.j2
**Todo**: Instead of deleting and recreating a new ArgoCD CR, we should patch it or install it using kustomize. Example: https://github.com/redhat-cop/agnosticd/blob/development/ansible/roles_ocp_workloads/ocp4_workload_openshift_gitops/templates/openshift-gitops.yaml.j2

Patch the `AppProject` CR to support to deploy the `Applications` CR in [different namespaces](https://github.com/q-shift/backstage-playground/issues/39#issuecomment-1938403564).
Patch the default `AppProject` CR to support to deploy the `Applications` CR in [different namespaces](https://github.com/q-shift/backstage-playground/issues/39#issuecomment-1938403564).
```bash
kubectl get AppProject/default -n openshift-gitops -o json | jq '.spec.sourceNamespaces += ["*"]' | kubectl apply -f -
```

Finally, create a new ClusterRoleBinding to give the `Admin` role to the ServiceAccount `openshift-gitops-argocd-application-controller`. That will allow it to manage the `Applications` CR deployed in any namespace of the cluster.

```bash
cat << EOF | kubectl apply -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: argocd-controller-admin
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: admin
subjects:
- kind: ServiceAccount
name: openshift-gitops-argocd-application-controller
namespace: openshift-gitops
EOF
kubectl apply -f rbac.yml
```

#### Tekton
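Review bot: The AppProject step `jq '.spec.sourceNamespaces += ["*"]'` opens the default project to `Applications` from every namespace, and the section then applies `rbac.yml`, which binds the application controller to `admin` cluster-wide; listing the intended namespaces explicitly would keep that grant reviewable. The `+=` also appends on each run, so repeating the step accumulates duplicate `"*"` entries; deduplicate with jq's `unique` or use `kubectl patch` with a fixed list. The section now shows two delete commands (`argocd/openshift-gitops` and `argocd/argocd`) without saying which instance each one targets, which deserves a sentence.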
Expand Down Expand Up @@ -174,14 +157,29 @@ The commands described hereafter will help you to set up what it is needed:
```bash
kubectl create secret generic dockerconfig-secret --from-file=config.json
```
- **Warning**: To let ArgoCD to handle the `Applications` CR within your namespace, it is needed to patch the resource `kind: ArgoCD` to add your namespace using the field: `.spec.sourceNamespaces`. When patched, the ArgoCD operator will roll out automatically the ArgoCD server.
- **Warning**: To allow Argo CD to manage resources in [other namespaces](https://docs.openshift.com/gitops/1.12/argocd_instance/setting-up-argocd-instance.html#gitops-deploy-resources-different-namespaces_setting-up-argocd-instance) apart from where it is installed, configure the target namespace with a `argocd.argoproj.io/managed-by` label.
```bash
kubectl get argocd/openshift-gitops -n openshift-gitops -o json \
| jq '.spec.sourceNamespaces += ["<MY_NAMESPACE>"]' | kubectl apply -f -
kubectl label namespace <MY_NAMESPACE> \
argocd.argoproj.io/managed-by=<argocd_namespace>
```
- And finally, create the service account `my-backstage`.
- And finally, create the service account `my-backstage` and give it `admin` rights using the following RBAC to access the Kubernetes API resources.
```bash
kubectl create sa my-backstage
NAMESPACE=<MY_NAMESPACE>
cat <<EOF | kubectl apply -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: backstage-$NAMESPACE-cluster-access
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: my-backstage
namespace: $NAMESPACE
EOF
```
**Note**: This is needed to create the SA in order to get the secret generated and containing the token that we will use at the step `Deploy and use Backstage on OCP`
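Review bot: The new step says the `my-backstage` service account gets `admin` rights, but the manifest is a `ClusterRoleBinding` to `cluster-admin`, so the token Backstage uses later has full control of the whole cluster rather than of `$NAMESPACE`. If namespace-level access is what is intended, a `RoleBinding` in `$NAMESPACE` to the `admin` ClusterRole matches the sentence; if cluster-wide reads are needed, bind a read-only role and say so in the text. Either way the prose and the `roleRef` should agree.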

Expand Down Expand Up @@ -254,6 +252,7 @@ Next run the following commands to start the front and backend using the `app-co

```sh
yarn install
export NODE_TLS_REJECT_UNAUTHORIZED=0
yarn dev
```
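Review bot: `export NODE_TLS_REJECT_UNAUTHORIZED=0` turns off TLS certificate verification for every outbound connection the Node.js process makes, including calls to the backend systems listed in the table above, and the README gives no reason or scope for it. If the goal is to trust the cluster's private or self-signed CA, `NODE_EXTRA_CA_CERTS=<path to CA bundle>` does that without disabling verification; if the override stays, mark it as local-development only and name the endpoint that requires it.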

@@ -1,69 +1,13 @@
apiVersion: argoproj.io/v1beta1
kind: ArgoCD
metadata:
name: openshift-gitops
name: argocd
namespace: openshift-gitops
spec:
server:
autoscale:
enabled: false
grpc:
ingress:
enabled: false
ingress:
enabled: false
resources:
limits:
cpu: 500m
memory: 256Mi
requests:
cpu: 125m
memory: 128Mi
route:
enabled: true
tls:
termination: reencrypt
service:
type: ''
grafana:
enabled: false
ingress:
enabled: false
resources:
limits:
cpu: 500m
memory: 256Mi
requests:
cpu: 250m
memory: 128Mi
route:
enabled: false
monitoring:
enabled: false
notifications:
enabled: true
prometheus:
enabled: false
ingress:
enabled: false
route:
enabled: false
initialSSHKnownHosts: {}
sso:
dex:
openShiftOAuth: true
resources:
limits:
cpu: 500m
memory: 256Mi
requests:
cpu: 250m
memory: 128Mi
provider: dex
applicationSet:
resources:
limits:
cpu: '2'
cpu: "2"
memory: 1Gi
requests:
cpu: 250m
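Review bot: The functional change at the top of this file, `metadata.name` going from `openshift-gitops` to `argocd`, is hard to pick out because the same hunk also moves the `server`, `grafana`, `sso` and other blocks elsewhere in the file with what look like unchanged values. Splitting the key reordering into its own commit would let the rename, and the `sourceNamespaces` entry that disappears further down, be reviewed on their own.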
Expand All @@ -73,12 +17,16 @@ spec:
enabled: false
route:
enabled: false
rbac:
defaultPolicy: ''
policy: |
g, system:cluster-admins, role:admin
g, cluster-admins, role:admin
scopes: '[groups]'
controller:
processors: {}
resources:
limits:
cpu: "2"
memory: 2Gi
requests:
cpu: 250m
memory: 1Gi
sharding: {}
extraConfig:
resource.customizations.health.PersistentVolumeClaim: |
hs = {}
Expand All @@ -99,23 +47,19 @@ spec:
hs.status = "Progressing"
hs.message = "Waiting for PVC"
return hs
repo:
grafana:
enabled: false
ingress:
enabled: false
resources:
limits:
cpu: '1'
memory: 1Gi
cpu: 500m
memory: 256Mi
requests:
cpu: 250m
memory: 256Mi
sourceNamespaces:
- $NAMESPACE
resourceExclusions: |
- apiGroups:
- tekton.dev
clusters:
- '*'
kinds:
- TaskRun
memory: 128Mi
route:
enabled: false
ha:
enabled: false
resources:
Expand All @@ -125,8 +69,23 @@ spec:
requests:
cpu: 250m
memory: 128Mi
tls:
ca: {}
initialSSHKnownHosts: {}
monitoring:
enabled: false
notifications:
enabled: true
prometheus:
enabled: false
ingress:
enabled: false
route:
enabled: false
rbac:
defaultPolicy: ""
policy: |
g, system:cluster-admins, role:admin
g, cluster-admins, role:admin
scopes: '[groups]'
redis:
resources:
limits:
Expand All @@ -135,13 +94,52 @@ spec:
requests:
cpu: 250m
memory: 128Mi
controller:
processors: {}
repo:
resources:
limits:
cpu: '2'
memory: 2Gi
cpu: "1"
memory: 1Gi
requests:
cpu: 250m
memory: 1Gi
sharding: {}
memory: 256Mi
resourceExclusions: |
- apiGroups:
- tekton.dev
clusters:
- '*'
kinds:
- TaskRun
server:
autoscale:
enabled: false
grpc:
ingress:
enabled: false
ingress:
enabled: false
resources:
limits:
cpu: 500m
memory: 256Mi
requests:
cpu: 125m
memory: 128Mi
route:
enabled: true
tls:
termination: reencrypt
service:
type: ""
sso:
dex:
openShiftOAuth: true
resources:
limits:
cpu: 500m
memory: 256Mi
requests:
cpu: 250m
memory: 128Mi
provider: dex
tls:
ca: {}
12 changes: 12 additions & 0 deletions manifest/installation/gitops/rbac.yml
@@ -0,0 +1,12 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: argocd-controller-admin
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: admin
subjects:
- kind: ServiceAccount
name: openshift-gitops-argocd-application-controller
namespace: openshift-gitops
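Review bot: The subject is the service account `openshift-gitops-argocd-application-controller`, a name that follows the `openshift-gitops` instance, while this commit renames the ArgoCD CR to `argocd`. Please confirm the controller service account created for the renamed instance still carries this name, otherwise the binding grants nothing to the running controller. A comment in the file explaining why `admin` is needed cluster-wide would also help, since a `ClusterRoleBinding` applies to every namespace.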
2 changes: 1 addition & 1 deletion manifest/installation/gitops/subscription-gitops.yml
Expand Up @@ -11,4 +11,4 @@ spec:
name: openshift-gitops-operator
source: redhat-operators
sourceNamespace: openshift-marketplace
startingCSV: openshift-gitops-operator.v1.11.1
startingCSV: openshift-gitops-operator.v1.12.3
2 changes: 1 addition & 1 deletion manifest/installation/tekton/subscription-pipelines.yml
Expand Up @@ -11,4 +11,4 @@ spec:
name: openshift-pipelines-operator-rh
source: redhat-operators
sourceNamespace: openshift-marketplace
startingCSV: openshift-pipelines-operator-rh.v1.13.1
startingCSV: openshift-pipelines-operator-rh.v1.15.0
Expand Up @@ -11,4 +11,4 @@ spec:
name: kubevirt-hyperconverged
source: redhat-operators
sourceNamespace: openshift-marketplace
startingCSV: kubevirt-hyperconverged-operator.v4.14.3
startingCSV: kubevirt-hyperconverged-operator.v4.15.2
