ROX-24127: tenant resources via gitops

.secrets.baseline

@@ -304,14 +304,14 @@
         "filename": "internal/dinosaur/pkg/presenters/managedcentral.go",
         "hashed_secret": "f4ac636d63edfd5477df8f25e4f4794c73e91d51",
         "is_verified": false,
-        "line_number": 207
+        "line_number": 208
       },
       {
         "type": "Secret Keyword",
         "filename": "internal/dinosaur/pkg/presenters/managedcentral.go",
         "hashed_secret": "e26735ec1cbf8ad15cb7d1eea4893035f61297aa",
         "is_verified": false,
-        "line_number": 213
+        "line_number": 214
       }
     ],
     "internal/dinosaur/pkg/services/dinosaurservice_moq.go": [
@@ -463,5 +463,5 @@
       }
     ]
   },
-  "generated_at": "2024-04-12T16:55:50Z"
+  "generated_at": "2024-05-08T19:37:20Z"
 }

e2e/e2e_canary_upgrade_test.go

@@ -153,19 +153,15 @@ var _ = Describe("Fleetshard-sync Targeted Upgrade", Ordered, func() {
 		var centralNamespace string
 
 		It("run only one operator with version: "+operatorVersion1, func() {
-			config := gitops.Config{
-				RHACSOperators: operator.OperatorConfigs{
-					CRDURLs: defaultCRDUrls,
-					Configs: []operator.OperatorConfig{operatorConfig1},
-				},
-				Centrals: gitops.CentralsConfig{
-					Overrides: []gitops.CentralOverride{
-						overrideAllCentralsToBeReconciledByOperator(operatorConfig1),
-						overrideAllCentralsToUseMinimalResources(),
-					},
-				},
-			}
-			Expect(putGitopsConfig(ctx, config)).To(Succeed())
+			Expect(updateGitopsConfig(ctx, func(config gitops.Config) gitops.Config {
+				config = defaultGitopsConfig()
+				config.RHACSOperators.Configs = []operator.OperatorConfig{operatorConfig1}
+				config.Centrals.Overrides = []gitops.CentralOverride{
+					overrideAllCentralsToBeReconciledByOperator(operatorConfig1),
+					overrideAllCentralsToUseMinimalResources(),
+				}
+				return config
+			})).To(Succeed())
 			Eventually(assertDeployedOperators(ctx, operator1DeploymentName)).
 				WithTimeout(waitTimeout).
 				WithPolling(defaultPolling).
@@ -194,25 +190,74 @@ var _ = Describe("Fleetshard-sync Targeted Upgrade", Ordered, func() {
 		})
 
 		It("upgrade central", func() {
-			config := gitops.Config{
-				RHACSOperators: operator.OperatorConfigs{
-					CRDURLs: defaultCRDUrls,
-					Configs: []operator.OperatorConfig{operatorConfig1, operatorConfig2},
-				},
-				Centrals: gitops.CentralsConfig{
-					Overrides: []gitops.CentralOverride{
-						overrideAllCentralsToBeReconciledByOperator(operatorConfig2),
-						overrideAllCentralsToUseMinimalResources(),
-					},
-				},
-			}
-			Expect(putGitopsConfig(ctx, config)).To(Succeed())
+			Expect(updateGitopsConfig(ctx, func(config gitops.Config) gitops.Config {
+				config = defaultGitopsConfig()
+				config.RHACSOperators.Configs = []operator.OperatorConfig{operatorConfig1, operatorConfig2}
+				config.Centrals.Overrides = []gitops.CentralOverride{
+					overrideAllCentralsToBeReconciledByOperator(operatorConfig2),
+					overrideAllCentralsToUseMinimalResources(),
+				}
+				return config
+			})).To(Succeed())
 			Eventually(assertCentralLabelSelectorPresent(ctx, createdCentral, centralNamespace, operatorVersion2)).
 				WithTimeout(waitTimeout).
 				WithPolling(defaultPolling).
 				Should(Succeed())
 		})
 
+		It("changes tenant resources", func() {
+			egressProxy, err := getDeployment(ctx, centralNamespace, "egress-proxy")
+			Expect(err).ToNot(HaveOccurred())
+			Expect(egressProxy.Spec.Template.Spec.Containers).To(HaveLen(1))
+			Expect(egressProxy.Spec.Template.Spec.Containers[0].Resources.Requests.Cpu().String()).To(Equal("100m"))
+			Expect(egressProxy.Spec.Template.Spec.Containers[0].Resources.Requests.Memory().String()).To(Equal("275Mi"))
+			Expect(egressProxy.Spec.Template.Spec.Containers[0].Resources.Limits.Memory().String()).To(Equal("275Mi"))
+			Expect(updateGitopsConfig(ctx, func(config gitops.Config) gitops.Config {
+				config.TenantResources.Default = `
+labels:
+  app.kubernetes.io/managed-by: rhacs-fleetshard
+  app.kubernetes.io/instance: {{ .Name }}
+  rhacs.redhat.com/org-id: {{ .OrganizationID }}
+  rhacs.redhat.com/tenant: {{ .ID }}
+  rhacs.redhat.com/instance-type: {{ .InstanceType }}
+annotations:
+  rhacs.redhat.com/org-name: {{ .OrganizationName }}
+secureTenantNetwork: false
+centralRdsCidrBlock: "10.1.0.0/16"
+egressProxy:
+  image: "registry.redhat.io/openshift4/ose-egress-http-proxy:v4.14"
+  replicas: 2
+  resources:
+	requests:
+	  cpu: 100m
+	  memory: 200Mi
+	limits:
+	  memory: 200Mi
+`
+				return config
+			})).To(Succeed())
+
+			Eventually(func() error {
+				egressProxy, err := getDeployment(ctx, centralNamespace, "egress-proxy")
+				if err != nil {
+					return err
+				}
+				if egressProxy.Spec.Template.Spec.Containers[0].Resources.Requests.Memory().String() != "200Mi" {
+					return fmt.Errorf("egress proxy memory request not updated")
+				}
+				if egressProxy.Spec.Template.Spec.Containers[0].Resources.Limits.Memory().String() != "200Mi" {
+					return fmt.Errorf("egress proxy memory limit not updated")
+				}
+				if egressProxy.Spec.Template.Spec.Containers[0].Resources.Requests.Cpu().String() != "100m" {
+					return fmt.Errorf("egress proxy cpu request not updated")
+				}
+				return nil
+			}).
+				WithTimeout(waitTimeout).
+				WithPolling(defaultPolling).
+				Should(Succeed())
+		})
+
 		It("delete central", func() {
 			Expect(deleteCentralByID(ctx, client, createdCentral.Id)).
 				To(Succeed())
@@ -289,6 +334,24 @@ func putGitopsConfig(ctx context.Context, config gitops.Config) error {
 	return k8sClient.Create(ctx, configMap)
 }
 
+func updateGitopsConfig(ctx context.Context, updateFn func(config gitops.Config) gitops.Config) error {
+	var configMap v1.ConfigMap
+	if err := k8sClient.Get(ctx, ctrlClient.ObjectKey{Namespace: namespace, Name: gitopsConfigmapName}, &configMap); err != nil {
+		return err
+	}
+	var config gitops.Config
+	if err := yaml.Unmarshal([]byte(configMap.Data[gitopsConfigmapDataKey]), &config); err != nil {
+		return err
+	}
+	updated := updateFn(config)
+	configYAML, err := yaml.Marshal(updated)
+	if err != nil {
+		return err
+	}
+	configMap.Data[gitopsConfigmapDataKey] = string(configYAML)
+	return k8sClient.Update(ctx, &configMap)
+}
+
 func operatorConfigForVersion(version string) operator.OperatorConfig {
 	return operator.OperatorConfig{
 		"deploymentName":       getDeploymentName(version),
@@ -481,8 +544,34 @@ metadata:
     ` + key + `: "` + value + `"`)
 }
 
+func defaultTenantResourceValues() string {
+	return `
+labels:
+  app.kubernetes.io/managed-by: rhacs-fleetshard
+  app.kubernetes.io/instance: {{ .Name }}
+  rhacs.redhat.com/org-id: {{ .OrganizationID }}
+  rhacs.redhat.com/tenant: {{ .ID }}
+  rhacs.redhat.com/instance-type: {{ .InstanceType }}
+annotations:
+  rhacs.redhat.com/org-name: {{ .OrganizationName }}
+secureTenantNetwork: false
+centralRdsCidrBlock: "10.1.0.0/16"
+egressProxy:
+  image: "registry.redhat.io/openshift4/ose-egress-http-proxy:v4.14"
+  replicas: 2
+  resources:
+	requests:
+	  cpu: 100m
+	  memory: 275Mi
+	limits:
+	  memory: 275Mi`
+}
+
 func defaultGitopsConfig() gitops.Config {
 	return gitops.Config{
+		TenantResources: gitops.TenantResourceConfig{
+			Default: defaultTenantResourceValues(),
+		},
 		RHACSOperators: operator.OperatorConfigs{
 			CRDURLs: defaultCRDUrls,
 			Configs: []operator.OperatorConfig{

fleetshard/pkg/central/reconciler/reconciler.go

@@ -1732,6 +1732,14 @@ func (r *CentralReconciler) chartValues(c private.ManagedCentral) (chartutil.Val
 		return nil, errors.New("resources chart is not set")
 	}
 	src := r.resourcesChart.Values
+
+	// We are introducing the passing of helm values from fleetManager (and gitops). If the managed central
+	// includes the tenant resource values, we will use them. Otherwise, defaults to the previous
+	// implementation.
+	if len(c.Spec.TenantResourcesValues) > 0 {
+		return chartutil.CoalesceTables(c.Spec.TenantResourcesValues, src), nil
+	}
+
 	dst := map[string]interface{}{
 		"labels":      stringMapToMapInterface(getTenantLabels(c)),
 		"annotations": stringMapToMapInterface(getTenantAnnotations(c)),

internal/dinosaur/pkg/api/private/api/openapi.yaml

@@ -537,6 +537,8 @@ components:
           - eval
           - standard
           type: string
+        tenantResourcesValues:
+          type: object
         centralCRYAML:
           type: string
         owners:

internal/dinosaur/pkg/gitops/config.go

@@ -10,6 +10,7 @@ import (
 
 // Config represents the gitops configuration
 type Config struct {
+	TenantResources   TenantResourceConfig     `json:"tenantResources"`
 	Centrals          CentralsConfig           `json:"centrals"`
 	RHACSOperators    operator.OperatorConfigs `json:"rhacsOperators"`
 	DataPlaneClusters []DataPlaneClusterConfig `json:"dataPlaneClusters"`
@@ -92,10 +93,23 @@ type AddonConfig struct {
 	Parameters map[string]string `json:"parameters"`
 }
 
+// TenantResourceConfig represents the declarative configuration for tenant resource values defaults and overrides.
+type TenantResourceConfig struct {
+	Default   string                   `json:"default"`
+	Overrides []TenantResourceOverride `json:"overrides"`
+}
+
+// TenantResourceOverride represents the configuration for a tenant resource override. The override
+type TenantResourceOverride struct {
+	InstanceIDs []string `json:"instanceIds"`
+	Values      string   `json:"values"`
+}
+
 // ValidateConfig validates the GitOps configuration.
 func ValidateConfig(config Config) field.ErrorList {
 	var errs field.ErrorList
 	errs = append(errs, validateCentralsConfig(field.NewPath("centrals"), config.Centrals)...)
+	errs = append(errs, validateTenantResourcesConfig(field.NewPath("tenantResources"), config.TenantResources)...)
 	errs = append(errs, operator.Validate(field.NewPath("rhacsOperators"), config.RHACSOperators)...)
 	errs = append(errs, validateDataPlaneClusterConfigs(field.NewPath("dataPlaneClusters"), config.DataPlaneClusters)...)
 	return errs
@@ -108,6 +122,38 @@ func validateCentralsConfig(path *field.Path, config CentralsConfig) field.Error
 	return errs
 }
 
+func validateTenantResourcesConfig(path *field.Path, config TenantResourceConfig) field.ErrorList {
+	var errs field.ErrorList
+	errs = append(errs, validateTenantResourcesDefault(path.Child("default"), config.Default)...)
+	errs = append(errs, validateTenantResourceOverrides(path.Child("overrides"), config.Overrides)...)
+	return errs
+}
+
+func validateTenantResourcesDefault(path *field.Path, defaultValues string) field.ErrorList {
+	var errs field.ErrorList
+	if err := tryRenderDummyValuesWithPatch(defaultValues); err != nil {
+		errs = append(errs, field.Invalid(path, defaultValues, "invalid default values: "+err.Error()))
+	}
+	return errs
+}
+
+func validateTenantResourceOverrides(path *field.Path, overrides []TenantResourceOverride) field.ErrorList {
+	var errs field.ErrorList
+	for i, override := range overrides {
+		errs = append(errs, validateTenantResourceOverride(path.Index(i), override)...)
+	}
+	return errs
+}
+
+func validateTenantResourceOverride(path *field.Path, override TenantResourceOverride) field.ErrorList {
+	var errs field.ErrorList
+	errs = append(errs, validateInstanceIDs(path.Child("instanceIds"), override.InstanceIDs)...)
+	if err := tryRenderDummyValuesWithPatch(override.Values); err != nil {
+		errs = append(errs, field.Invalid(path.Child("values"), override.Values, "invalid values: "+err.Error()))
+	}
+	return errs
+}
+
 func validateAdditionalAuthProviders(path *field.Path, providers []AuthProviderAddition) field.ErrorList {
 	var errs field.ErrorList
 	for i, additionalProvider := range providers {
@@ -281,6 +327,24 @@ func tryRenderDummyCentralWithPatch(patch string) error {
 	return nil
 }
 
+func tryRenderDummyValuesWithPatch(patch string) error {
+	var dummyParams = getDummyCentralParams()
+	dummyConfig := Config{
+		TenantResources: TenantResourceConfig{
+			Overrides: []TenantResourceOverride{
+				{
+					Values:      patch,
+					InstanceIDs: []string{"*"},
+				},
+			},
+		},
+	}
+	if _, err := RenderTenantResourceValues(dummyParams, dummyConfig); err != nil {
+		return err
+	}
+	return nil
+}
+
 func getDummyCentralParams() CentralParams {
 	return CentralParams{
 		ID:               "id",