sync: stage to production (#1711)

sync-branches: New code has just landed in stage, so let's bring
production up to speed!

.github/workflows/ci.yaml

@@ -145,6 +145,10 @@ jobs:
           fetch-depth: 0 # Critical for correct image detection in Makefile
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
+      - name: Set up Go 1.20
+        uses: actions/setup-go@v2
+        with:
+          go-version: "1.20"
       - name: Build and push fleet-manager-tools image to quay.io
         if: github.event_name == 'push'
         env:

.secrets.baseline

@@ -393,73 +393,6 @@
         "line_number": 594
       }
     ],
-    "pkg/client/iam/client_moq.go": [
-      {
-        "type": "Secret Keyword",
-        "filename": "pkg/client/iam/client_moq.go",
-        "hashed_secret": "44e17306b837162269a410204daaa5ecee4ec22c",
-        "is_verified": false,
-        "line_number": 649
-      },
-      {
-        "type": "Secret Keyword",
-        "filename": "pkg/client/iam/client_moq.go",
-        "hashed_secret": "4595e0fe3be13544e523e5f6c1145f15007f7b58",
-        "is_verified": false,
-        "line_number": 650
-      },
-      {
-        "type": "Secret Keyword",
-        "filename": "pkg/client/iam/client_moq.go",
-        "hashed_secret": "539fbe365f6c0db26d473d85a736d318c2f565e5",
-        "is_verified": false,
-        "line_number": 991
-      }
-    ],
-    "pkg/client/iam/gocloak_moq.go": [
-      {
-        "type": "Secret Keyword",
-        "filename": "pkg/client/iam/gocloak_moq.go",
-        "hashed_secret": "44e17306b837162269a410204daaa5ecee4ec22c",
-        "is_verified": false,
-        "line_number": 9711
-      },
-      {
-        "type": "Secret Keyword",
-        "filename": "pkg/client/iam/gocloak_moq.go",
-        "hashed_secret": "7f0b58c8f07c09a5ed45a784a8e1ea4d3e983d59",
-        "is_verified": false,
-        "line_number": 9712
-      },
-      {
-        "type": "Secret Keyword",
-        "filename": "pkg/client/iam/gocloak_moq.go",
-        "hashed_secret": "9b8b876c2782fa992fab14095267bb8757b9fabc",
-        "is_verified": false,
-        "line_number": 13092
-      },
-      {
-        "type": "Secret Keyword",
-        "filename": "pkg/client/iam/gocloak_moq.go",
-        "hashed_secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
-        "is_verified": false,
-        "line_number": 13095
-      },
-      {
-        "type": "Secret Keyword",
-        "filename": "pkg/client/iam/gocloak_moq.go",
-        "hashed_secret": "eb1b883e199141e362a143c51178ab8f09c87751",
-        "is_verified": false,
-        "line_number": 13716
-      },
-      {
-        "type": "Secret Keyword",
-        "filename": "pkg/client/iam/gocloak_moq.go",
-        "hashed_secret": "1b46ecc8fb47b1b39a420f00f08dbd58e0313188",
-        "is_verified": false,
-        "line_number": 14023
-      }
-    ],
     "pkg/client/redhatsso/api/api/openapi.yaml": [
       {
         "type": "Secret Keyword",
@@ -493,70 +426,70 @@
         "filename": "templates/service-template.yml",
         "hashed_secret": "13032f402fed753c2248419ea4f69f99931f6dbc",
         "is_verified": false,
-        "line_number": 524
+        "line_number": 512
       },
       {
         "type": "Base64 High Entropy String",
         "filename": "templates/service-template.yml",
         "hashed_secret": "30025f80f6e22cdafb85db387d50f90ea884576a",
         "is_verified": false,
-        "line_number": 524
+        "line_number": 512
       },
       {
         "type": "Base64 High Entropy String",
         "filename": "templates/service-template.yml",
         "hashed_secret": "355f24fd038bcaf85617abdcaa64af51ed19bbcf",
         "is_verified": false,
-        "line_number": 524
+        "line_number": 512
       },
       {
         "type": "Base64 High Entropy String",
         "filename": "templates/service-template.yml",
         "hashed_secret": "3d8a1dcd2c3c765ce35c9a9552d23273cc4ddace",
         "is_verified": false,
-        "line_number": 524
+        "line_number": 512
       },
       {
         "type": "Base64 High Entropy String",
         "filename": "templates/service-template.yml",
         "hashed_secret": "4ac7b0522761eba972467942cd5cd7499dd2c361",
         "is_verified": false,
-        "line_number": 524
+        "line_number": 512
       },
       {
         "type": "Base64 High Entropy String",
         "filename": "templates/service-template.yml",
         "hashed_secret": "7639ab2a6bcf2ea30a055a99468c9cd844d4c22a",
         "is_verified": false,
-        "line_number": 524
+        "line_number": 512
       },
       {
         "type": "Base64 High Entropy String",
         "filename": "templates/service-template.yml",
         "hashed_secret": "b56360daf4793d2a74991a972b34d95bc00fb2da",
         "is_verified": false,
-        "line_number": 524
+        "line_number": 512
       },
       {
         "type": "Base64 High Entropy String",
         "filename": "templates/service-template.yml",
         "hashed_secret": "c9a73ef9ee8ce9f38437227801c70bcc6740d1a1",
         "is_verified": false,
-        "line_number": 524
+        "line_number": 512
       },
       {
         "type": "Base64 High Entropy String",
         "filename": "templates/service-template.yml",
         "hashed_secret": "14736999d9940728c5294277831a702f7882dece",
         "is_verified": false,
-        "line_number": 561
+        "line_number": 549
       },
       {
         "type": "Secret Keyword",
         "filename": "templates/service-template.yml",
         "hashed_secret": "4e199b4a1c40b497a95fcd1cd896351733849949",
         "is_verified": false,
-        "line_number": 708,
+        "line_number": 696,
         "is_secret": false
       }
     ],
@@ -586,5 +519,5 @@
       }
     ]
   },
-  "generated_at": "2024-02-05T19:02:34Z"
+  "generated_at": "2024-03-07T13:45:14Z"
 }

Makefile

@@ -50,8 +50,6 @@ ACSCS_NAMESPACE ?= acscs
 ENABLE_OCM_MOCK ?= false
 OCM_MOCK_MODE ?= emulate-server
 JWKS_URL ?= "https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/certs"
-SSO_BASE_URL ?="https://identity.api.stage.openshift.com"
-SSO_REALM ?="rhoas" # update your realm here
 
 GO := go
 GOFMT := gofmt
@@ -732,17 +730,12 @@ deploy/service: ENABLE_CENTRAL_EXTERNAL_CERTIFICATE ?= "false"
 deploy/service: ENABLE_CENTRAL_LIFE_SPAN ?= "false"
 deploy/service: CENTRAL_LIFE_SPAN ?= "48"
 deploy/service: OCM_URL ?= "https://api.stage.openshift.com"
-deploy/service: SSO_BASE_URL ?= "https://identity.api.stage.openshift.com"
-deploy/service: SSO_REALM ?= "rhoas"
-deploy/service: MAX_LIMIT_FOR_SSO_GET_CLIENTS ?= "100"
 deploy/service: TOKEN_ISSUER_URL ?= "https://sso.redhat.com/auth/realms/redhat-external"
 deploy/service: SERVICE_PUBLIC_HOST_URL ?= "https://api.openshift.com"
 deploy/service: ENABLE_TERMS_ACCEPTANCE ?= "false"
 deploy/service: ENABLE_DENY_LIST ?= "false"
 deploy/service: ALLOW_EVALUATOR_INSTANCE ?= "true"
 deploy/service: QUOTA_TYPE ?= "quota-management-list"
-deploy/service: CENTRAL_OPERATOR_OLM_INDEX_IMAGE ?= "quay.io/osd-addons/managed-central:production-82b42db"
-deploy/service: FLEETSHARD_OLM_INDEX_IMAGE ?= "quay.io/osd-addons/fleetshard-operator:production-82b42db"
 deploy/service: OBSERVABILITY_CONFIG_REPO ?= "https://api.github.com/repos/bf2fc6cc711aee1a0c2a/observability-resources-mk/contents"
 deploy/service: OBSERVABILITY_CONFIG_CHANNEL ?= "resources"
 deploy/service: OBSERVABILITY_CONFIG_TAG ?= "main"
@@ -769,9 +762,6 @@ deploy/service: deploy/envoy deploy/route
 		-p OCM_URL="$(OCM_URL)" \
 		-p AMS_URL="${AMS_URL}" \
 		-p JWKS_URL="$(JWKS_URL)" \
-		-p SSO_BASE_URL="$(SSO_BASE_URL)" \
-		-p SSO_REALM="$(SSO_REALM)" \
-		-p MAX_LIMIT_FOR_SSO_GET_CLIENTS="${MAX_LIMIT_FOR_SSO_GET_CLIENTS}" \
 		-p TOKEN_ISSUER_URL="${TOKEN_ISSUER_URL}" \
 		-p SERVICE_PUBLIC_HOST_URL="https://$(shell oc get routes/fleet-manager -o jsonpath="{.spec.host}" -n $(NAMESPACE))" \
 		-p OBSERVATORIUM_RHSSO_GATEWAY="${OBSERVATORIUM_RHSSO_GATEWAY}" \
@@ -784,8 +774,6 @@ deploy/service: deploy/envoy deploy/route
 		-p ENABLE_TERMS_ACCEPTANCE="${ENABLE_TERMS_ACCEPTANCE}" \
 		-p ALLOW_EVALUATOR_INSTANCE="${ALLOW_EVALUATOR_INSTANCE}" \
 		-p QUOTA_TYPE="${QUOTA_TYPE}" \
-		-p FLEETSHARD_OLM_INDEX_IMAGE="${FLEETSHARD_OLM_INDEX_IMAGE}" \
-		-p CENTRAL_OPERATOR_OLM_INDEX_IMAGE="${CENTRAL_OPERATOR_OLM_INDEX_IMAGE}" \
 		-p DATAPLANE_CLUSTER_SCALING_TYPE="${DATAPLANE_CLUSTER_SCALING_TYPE}" \
 		-p CENTRAL_REQUEST_EXPIRATION_TIMEOUT="${CENTRAL_REQUEST_EXPIRATION_TIMEOUT}" \
 		| oc apply -f - -n $(NAMESPACE)

dashboards/grafana-dashboard-acs-fleet-manager.configmap.yaml

@@ -36,7 +36,7 @@ data:
       "fiscalYearStartMonth": 0,
       "graphTooltip": 0,
       "id": 413,
-      "iteration": 1664186027385,
+      "iteration": 1664186027399,
       "links": [],
       "liveNow": false,
       "panels": [
@@ -190,7 +190,7 @@ data:
           },
           "gridPos": {
             "h": 8,
-            "w": 24,
+            "w": 16,
             "x": 0,
             "y": 8
           },
@@ -237,6 +237,31 @@ data:
           "title": "Requests rate",
           "type": "timeseries"
         },
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${datasource}"
+          },
+          "gridPos": {
+            "h": 8,
+            "w": 8,
+            "x": 16,
+            "y": 8
+          },
+          "id": 13,
+          "options": {
+            "code": {
+              "language": "plaintext",
+              "showLineNumbers": false,
+              "showMiniMap": false
+            },
+            "content": "* The jagged pattern for outbound requests rate\nis expected. Every ~6h, fleet manager sends\na number of requests (one per each organization)\nto AMS to check whether organizations still\nhave entitlement.",
+            "mode": "markdown"
+          },
+          "pluginVersion": "9.3.8",
+          "title": "Requests rate: Legend",
+          "type": "text"
+        },
         {
           "datasource": {
             "type": "prometheus",
@@ -608,7 +633,7 @@ data:
           "type": "timeseries"
         }
       ],
-      "schemaVersion": 36,
+      "schemaVersion": 37,
       "style": "dark",
       "tags": [],
       "templating": {
@@ -667,7 +692,7 @@ data:
         ]
       },
       "time": {
-        "from": "now-12h",
+        "from": "now-14d",
         "to": "now"
       },
       "timepicker": {},

docs/legacy/feature-flags.md

@@ -68,11 +68,8 @@ This lists the feature flags and their sub-configurations to enable/disable and
     - If this is set to `ams`, quotas will be managed via OCM's accounts management service (AMS).
 
 ## IAM
-- **sso-debug** [Optional] Enables IAM debug logging.
-- **sso-base-url** [Required]: The base URL of the IAM instance.
 - **redhat-sso-client-id-file** [Required]: The path to the file containing a RedHat SSO account client ID that has access to the ACS service accounts (default: `'secrets/redhatsso-service.clientId'`).
 - **redhat-sso-client-secret-file** [Required]: The path to the file containing a RedHat SSO account client secret that has access to the ACS service accounts (default: `'secrets/redhatsso-service.clientSecret'`).
-- **sso-insecure** [Optional]: Disables IAM TLS verification
 
 ## Metrics Server
 - **enable-metrics-https**: Enables HTTPS for the metrics server.
@@ -117,16 +114,6 @@ This lists the feature flags and their sub-configurations to enable/disable and
         - `providers-config-file` [Required]: The path to the file containing a list of supported cloud providers that the service can provision dataplane clusters to (default: `'config/provider-configuration.yaml'`, example: [provider-configuration.yaml](../config/provider-configuration.yaml)).
         - `cluster-compute-machine-type` [Optional]: The compute machine type to be used for provisioning a new dataplane cluster (default: `m5.2xlarge`).
         - `cluster-openshift-version` [Optional]: The OpenShift version to be installed on the dataplane cluster (default: `""`, empty string indicates that the latest stable version will be used).
-- **central-operator-cs-namespace**: Central operator catalog source namespace.
-- **central-operator-index-image**: Central operator index image name
-- **central-operator-namespace**: Central operator namespace
-- **central-operator-package**: Central operator package name
-- **central-operator-sub-channel**: Central operator subscription channel
-- **fleetshard-operator-cs-namespace**: fleetshard operator catalog source namespace
-- **fleetshard-operator-index-image**: fleetshard operator index image name
-- **fleetshard-operator-namespace**: fleetshard operator namespace
-- **fleetshard-operator-package**: fleetshard operator package name
-- **fleetshard-operator-sub-channel**: fleetshard operator subscription channel
 
 ## Sentry
 - **enable-sentry**: Enables Sentry error reporting.

dp-terraform/helm/Dockerfile

@@ -21,7 +21,7 @@ RUN microdnf install gzip tar && \
         chmod +x /usr/local/bin/yq && \
         rm /tmp/yq_linux_amd64.tar.gz && \
     cd rhacs-terraform/charts && for filename in *.tgz; do tar -xf "$filename" && rm -f "$filename"; done && \
-    yq -i 'del(.securityContext.runAsUser) | del(.webhook.securityContext.runAsUser) | del(.certController.securityContext.runAsUser)' external-secrets/values.yaml
+    yq -i 'del(.securityContext.runAsUser)' external-secrets/values.yaml
 
 ARG FLEETSHARD_SYNC_IMAGE_TAG=main
 RUN yq -i ".fleetshardSync.image.tag = strenv(FLEETSHARD_SYNC_IMAGE_TAG)" rhacs-terraform/values.yaml

dp-terraform/helm/rhacs-terraform/charts/secured-cluster/templates/secured-cluster-cr.yaml

@@ -76,3 +76,32 @@ spec:
       {{- if .Values.scanner.db.nodeSelector }}
       nodeSelector: {{ toYaml .Values.scanner.db.nodeSelector | nindent 8 }}
       {{- end }}
+
+  scannerV4:
+    {{- if .Values.scannerV4.scannerComponent }}
+    scannerComponent: {{ .Values.scannerV4.scannerComponent }}
+    {{- end }}
+    indexer:
+      {{- if .Values.scannerV4.indexer.resources }}
+      resources: {{ toYaml .Values.scannerV4.indexer.resources | nindent 8 }}
+      {{- end }}
+      {{- if .Values.scannerV4.indexer.tolerations }}
+      tolerations: {{ toYaml .Values.scannerV4.indexer.tolerations | nindent 8 }}
+      {{- end }}
+      {{- if .Values.scannerV4.indexer.nodeSelector }}
+      nodeSelector: {{ toYaml .Values.scannerV4.indexer.nodeSelector | nindent 8 }}
+      {{- end }}
+      {{- if .Values.scannerV4.indexer.scaling }}
+      scaling: {{ toYaml .Values.scannerV4.indexer.scaling | nindent 8 }}
+      {{- end }}
+
+    db:
+      {{- if .Values.scannerV4.db.resources }}
+      resources: {{ toYaml .Values.scannerV4.db.resources | nindent 8 }}
+      {{- end }}
+      {{- if .Values.scannerV4.db.tolerations }}
+      tolerations: {{ toYaml .Values.scannerV4.db.tolerations | nindent 8 }}
+      {{- end }}
+      {{- if .Values.scannerV4.db.nodeSelector }}
+      nodeSelector: {{ toYaml .Values.scannerV4.db.nodeSelector | nindent 8 }}
+      {{- end }}

dp-terraform/helm/rhacs-terraform/charts/secured-cluster/values.yaml

@@ -16,10 +16,10 @@ admissionControl:
 collector:
   resources:
     requests:
-      memory: 200Mi
+      memory: 350Mi
       cpu: 10m
     limits:
-      memory: 200Mi
+      memory: 350Mi
   collection: "CORE_BPF"
 compliance:
   resources:
@@ -51,6 +51,15 @@ scanner:
       requests:
         memory: 100Mi
         cpu: 100m
+scannerV4:
+  scannerComponent: null
+  indexer:
+    tolerations: []
+    nodeSelector: {}
+    scaling: null
+  db:
+    tolerations: []
+    nodeSelector: {}
 sensor:
   resources:
     requests: