Release 2023 05 16.1.fa26250 (#1037)

## Description
<!-- Please include a summary of the change and a link to the JIRA
ticket. Please add any additional motivation and context as needed.
Screenshots are also welcome -->

Release ACSCS 2023-05-16.1.fa26250

## Checklist (Definition of Done)
<!-- Please strikethrough options not relevant using two tildes
~~Text~~. Do not delete non relevant options -->
- [ ] Unit and integration tests added
- [ ] Added test description under `Test manual`
- [ ] Documentation added if necessary (i.e. changes to dev setup, test
execution, ...)
- [ ] CI and all relevant tests are passing
- [ ] Add the ticket number to the PR title if available, i.e.
`ROX-12345: ...`
- [ ] Discussed security and business related topics privately. Will
move any security and business related topics that arise to private
communication channel.
- [ ] Add secret to app-interface Vault or Secrets Manager if necessary

## Test manual

**TODO:** Add manual testing efforts

```
# To run tests locally run:
make db/teardown db/setup db/migrate
make ocm/setup OCM_OFFLINE_TOKEN=<ocm-offline-token> OCM_ENV=development
make verify lint binary test test/integration
```

.github/workflows/ci.yaml

@@ -80,10 +80,10 @@ jobs:
         uses: n1hility/cancel-previous-runs@v2
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
-      - name: Set up Go 1.19
+      - name: Set up Go 1.20
         uses: actions/setup-go@v2
         with:
-          go-version: "1.19"
+          go-version: "1.20"
       - name: Check out code into the Go module directory
         uses: actions/checkout@v2
       - name: Cache go module

.github/workflows/deploy-data-plane.yaml

@@ -48,10 +48,10 @@ jobs:
       contents: read
     environment: ${{ inputs.github_environment }}
     steps:
-      - name: Set up Go 1.19
+      - name: Set up Go 1.20
         uses: actions/setup-go@v3
         with:
-          go-version: "1.19"
+          go-version: "1.20"
       - name: Checkout
         uses: actions/checkout@v3
         with:
@@ -81,10 +81,10 @@ jobs:
       contents: read
     environment: ${{ inputs.github_environment }}
     steps:
-      - name: Set up Go 1.19
+      - name: Set up Go 1.20
         uses: actions/setup-go@v3
         with:
-          go-version: "1.19"
+          go-version: "1.20"
       - name: Checkout
         uses: actions/checkout@v3
         with:

.github/workflows/deploy-stage.yaml

@@ -12,5 +12,5 @@ jobs:
     with:
       acs_environment: stage
       github_environment: stage
-      deploy_clusters: "acs-stage-dp-02 acs-stage-eu-01 acs-stage-eu-02"
+      deploy_clusters: "acs-stage-dp-02 acs-stage-eu-02"
       probe_clusters: "acs-stage-dp-02 acs-stage-eu-02"

.github/workflows/pre-commit.yaml

@@ -16,7 +16,7 @@ jobs:
       - uses: actions/setup-python@v3
       - uses: actions/setup-go@v3
         with:
-          go-version: "1.19"
+          go-version: "1.20"
       - uses: pre-commit/[email protected]
       - uses: pre-commit/[email protected]
         name: Verify generated files are up-to-date

.github/workflows/probe.yaml

@@ -15,10 +15,10 @@ jobs:
         uses: n1hility/cancel-previous-runs@v2
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
-      - name: Set up Go 1.19
+      - name: Set up Go 1.20
         uses: actions/setup-go@v2
         with:
-          go-version: "1.19"
+          go-version: "1.20"
       - name: Check out code into the Go module directory
         uses: actions/checkout@v2
       - name: Cache go module

.github/workflows/rds.yaml

@@ -32,6 +32,7 @@ on:
       - 'docs/**'
       - 'pkg/api/openapi/docs/**'
       - 'pkg/api/openapi/.openapi-generator-ignore'
+      - 'dp-terraform/**'
 
 jobs:
   verify-test:
@@ -43,10 +44,10 @@ jobs:
       contents: read
     environment: development
     steps:
-      - name: Set up Go 1.19
+      - name: Set up Go 1.20
         uses: actions/setup-go@v2
         with:
-          go-version: "1.19"
+          go-version: "1.20"
       - name: Check out code into the Go module directory
         uses: actions/checkout@v2
       - name: Cache go module
@@ -67,4 +68,4 @@ jobs:
           AWS_AUTH_HELPER: "none"
         run: |
           ./dev/env/scripts/exec_fleetshard_sync.sh make test/rds
-        timeout-minutes: 35
+        timeout-minutes: 50

.golangci.yml

@@ -90,7 +90,7 @@ linters-settings:
     require-explanation: false # don't require an explanation for nolint directives
     require-specific: true # require nolint directives to be specific about which linter is being skipped
   staticcheck:
-    go: "1.19"
+    go: "1.20"
     checks: [ all,-ST1000,-ST1001,-ST1003,-ST1005,-SA1019,-SA4001,-ST1016 ]
   wrapcheck:
     # ignoreSigRegexps: uncomment to add ignore rules

.openshift-ci/e2e-runtime/Dockerfile

@@ -5,7 +5,7 @@ RUN rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
 
 RUN dnf update -y --disablerepo=\* --enablerepo=baseos,appstream && dnf -y install make which git gettext jq gcc && dnf clean all && rm -rf /var/cache/dnf
 
-COPY --from=registry.ci.openshift.org/openshift/release:golang-1.19 /usr/local/go /usr/local/go
+COPY --from=registry.ci.openshift.org/stolostron/builder:go1.20-linux /usr/local/go /usr/local/go
 COPY --from=quay.io/openshift/origin-cli:4.13 /usr/bin/oc /usr/bin
 COPY --from=quay.io/operator-framework/operator-sdk:v1.25 /usr/local/bin/operator-sdk /usr/local/bin
 

.pre-commit-config.yaml

@@ -15,19 +15,19 @@ repos:
       - id: detect-secrets
         args: ["--baseline", ".secrets.baseline"]
   - repo: https://github.com/golangci/golangci-lint
-    rev: v1.51.1
+    rev: v1.52.2
     hooks:
       - id: golangci-lint
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.3.0
+    rev: v4.4.0
     hooks:
       - id: trailing-whitespace
         args: ["--markdown-linebreak-ext=md"]
       - id: end-of-file-fixer
         exclude: '^(?:secrets/db.*|internal/dinosaur/pkg/api/(admin|private|public)/.*|pkg/client/redhatsso/api/.*)$' # Matches either secrets/db.* files or the generated files under internal/dinosaur/pkg/api/(admin|private|public) and pkg/client/redhatsso/client/api.
       - id: check-json
   - repo: https://github.com/shellcheck-py/shellcheck-py
-    rev: v0.8.0.4
+    rev: v0.9.0.2
     hooks:
       - id: shellcheck
         # Ignore scripts generated by openapi-generator.

.secrets.baseline

@@ -316,13 +316,22 @@
         "line_number": 86
       }
     ],
+    "dp-terraform/helm/rhacs-terraform/charts/observability/templates/01-operator-06-cr.yaml": [
+      {
+        "type": "Secret Keyword",
+        "filename": "dp-terraform/helm/rhacs-terraform/charts/observability/templates/01-operator-06-cr.yaml",
+        "hashed_secret": "3e513f12b341ed3327bea645a728401b5d0f9ddb",
+        "is_verified": false,
+        "line_number": 15
+      }
+    ],
     "fleetshard/pkg/central/cloudprovider/dbclient_moq.go": [
       {
         "type": "Secret Keyword",
         "filename": "fleetshard/pkg/central/cloudprovider/dbclient_moq.go",
         "hashed_secret": "80519927d0f3ce1efe933f46ca9e05e68e491adc",
         "is_verified": false,
-        "line_number": 118
+        "line_number": 127
       }
     ],
     "internal/dinosaur/pkg/api/public/api/openapi.yaml": [
@@ -546,5 +555,5 @@
       }
     ]
   },
-  "generated_at": "2023-03-28T21:54:47Z"
+  "generated_at": "2023-05-10T10:12:08Z"
 }

Dockerfile

@@ -1,4 +1,4 @@
-FROM registry.ci.openshift.org/openshift/release:golang-1.19 AS build
+FROM registry.ci.openshift.org/stolostron/builder:go1.20-linux AS build
 
 ENV GOFLAGS="-mod=mod"
 

Makefile

@@ -326,15 +326,10 @@ test: $(GOTESTSUM_BIN)
 # Runs the AWS RDS integration tests.
 test/rds: $(GOTESTSUM_BIN)
 	RUN_RDS_TESTS=true \
-	$(GOTESTSUM_BIN) --junitfile data/results/rds-integration-tests.xml --format $(GOTESTSUM_FORMAT) -- -p 1 -v -timeout 30m -count=1 \
+	$(GOTESTSUM_BIN) --junitfile data/results/rds-integration-tests.xml --format $(GOTESTSUM_FORMAT) -- -p 1 -v -timeout 45m -count=1 \
 		./fleetshard/pkg/central/cloudprovider/awsclient/...
 .PHONY: test/rds
 
-# Precompile everything required for development/test.
-test/prepare:
-	$(GO) test -i ./internal/dinosaur/test/integration/...
-.PHONY: test/prepare
-
 # Runs the integration tests.
 #
 # Args:
@@ -345,7 +340,7 @@ test/prepare:
 #   make test/integration TESTFLAGS="-run TestAccounts"     acts as TestAccounts* and run TestAccountsGet, TestAccountsPost, etc.
 #   make test/integration TESTFLAGS="-run TestAccountsGet"  runs TestAccountsGet
 #   make test/integration TESTFLAGS="-short"                skips long-run tests
-test/integration/dinosaur: test/prepare $(GOTESTSUM_BIN)
+test/integration/dinosaur: $(GOTESTSUM_BIN)
 	$(GOTESTSUM_BIN) --junitfile data/results/fleet-manager-integration-tests.xml --format $(GOTESTSUM_FORMAT) -- -p 1 -ldflags -s -v -timeout $(TEST_TIMEOUT) -count=1 $(TESTFLAGS) \
 				./internal/dinosaur/test/integration/...
 .PHONY: test/integration/dinosaur

README.md

@@ -32,7 +32,7 @@ ACS fleet-manager repository for the ACS managed service.
 
 #### Prerequisites
 
-* [Golang 1.19+](https://golang.org/dl/)
+* [Golang 1.20+](https://golang.org/dl/)
 * [Docker](https://docs.docker.com/get-docker/) - to create database
 * [ocm cli](https://github.com/openshift-online/ocm-cli/releases) - ocm command line tool
 * [Node.js v12.20+](https://nodejs.org/en/download/) and [npm](https://docs.npmjs.com/downloading-and-installing-node-js-and-npm)

cmd/fleet-manager/main.go

@@ -4,6 +4,8 @@ package main
 import (
 	"flag"
 
+	"github.com/stackrox/acs-fleet-manager/internal/dinosaur/pkg/cmd/admin"
+	"github.com/stackrox/acs-fleet-manager/internal/dinosaur/pkg/cmd/centrals"
 	"github.com/stackrox/acs-fleet-manager/pkg/cmd/migrate"
 	"github.com/stackrox/acs-fleet-manager/pkg/cmd/serve"
 
@@ -46,8 +48,9 @@ func main() {
 
 	rootCmd.AddCommand(migrate.NewMigrateCommand(env))
 	rootCmd.AddCommand(serve.NewServeCommand(env))
+	rootCmd.AddCommand(centrals.NewCentralsCommand())
+	rootCmd.AddCommand(admin.NewAdminCommand())
 	// Unsupported CLI commands. Eventually some of them can be removed.
-	// rootCmd.AddCommand(central.NewCentralCommand(env))
 	// rootCmd.AddCommand(cluster.NewClusterCommand(env))
 	// rootCmd.AddCommand(cloudprovider.NewCloudProviderCommand(env))
 	// rootCmd.AddCommand(observatorium.NewRunObservatoriumCommand(env))

deploy/helm/probe/templates/01-operator-04-deployment.yaml

@@ -55,4 +55,11 @@ spec:
           ports:
             - name: monitoring
               containerPort: 7070
+          resources:
+            requests:
+              cpu: {{ .Values.resources.requests.cpu | quote }}
+              memory: {{ .Values.resources.requests.memory | quote }}
+            limits:
+              cpu: {{ .Values.resources.limits.cpu | quote }}
+              memory: {{ .Values.resources.limits.memory | quote }}
       terminationGracePeriodSeconds: 300

deploy/helm/probe/values.yaml

@@ -16,3 +16,10 @@ redHatSSO:
   clientSecret: ""
   endpoint: "https://sso.redhat.com"
   realm: "redhat-external"
+resources:
+  limits:
+    cpu: "100m"
+    memory: "128Mi"
+  requests:
+    cpu: "100m"
+    memory: "128Mi"

dev/config/dataplane-cluster-configuration-crc.yaml

@@ -15,6 +15,7 @@ clusters:
    provider_type: standalone
    supported_instance_type: "eval,standard"
    cluster_dns: apps-crc.testing
+   multi_az: true
    available_central_operator_versions:
     - version: "0.1.0"
       ready: true

docs/development/howto-e2e-test-rds.md

@@ -0,0 +1,60 @@
+# How to e2e test RDS
+
+At the point in time this documentation was written AWS RDS DB creation and deletion is not e2e tested with a full setup of fleet-manager and fleetshard-sync. Everytime a change to the RDS provisioning logic is introduced we need to e2e test that change manually using the steps described here.
+
+**Prerequisites:**
+
+- A K8s cluster to create central resources on (using CRC as an example here)
+- Kubeconfig configured with access to that cluster
+- Setup personal AWS access through `aws-saml.py` (see [secret-management.md](./secret-management.md))
+- RHACS Operator running or installed in the cluster
+
+1. Run local fleet-manager
+
+    ```
+    make db/teardown db/setup db/migrate
+
+    make binary
+
+    ./fleet-manager serve --dataplane-cluster-config-file ./dev/config
+    ```
+
+1. Run local fleetshard-sync
+
+    ```
+    # Prepare environment and secrets
+    export PATH="$PATH:$(pwd)/bin"
+    source ./scripts/lib/external_config.sh
+    kinit # get a kerberos ticket
+    export AWS_AUTH_HELPER=aws-saml
+    init_chamber
+    # When prompted select your profile for the dev AWS account arn:aws:iam::047735621815:role/047735621815-poweruser
+
+    source <(run_chamber env "fleetshard-sync")
+    source <(run_chamber env -b secretsmanager "fleetshard-sync")
+    source <(run_chamber env "local_cluster")
+    export MANAGED_DB_ENABLED=true
+    # flip the PublicAcessible flag to true in rds.go line 354
+    make binary
+
+    ./fleetshard-sync
+    ```
+
+1. Create a central instance and wait for DB Creation
+
+    ```
+    central_id=$(./scripts/create-centrals.sh | jq '.id' -r)
+    # Watch the fleetshard-sync logs to tell what's happening in the background.
+    # It should print something like this if everything works like expected:
+    # RDS instance status: creating (instance ID: rhacs-chcb5m8ah6b2ko6qut0g-db-instance)
+
+    # At some point your central instance should become ready
+    ```
+
+1. Make sure DB state is available and 2 instances exist in state available the central pod is ready
+1. Delete the central
+
+    ```
+    export OCM_TOKEN=$(ocm token)
+    ./scripts/fmcurl "rhacs/v1/centrals/$central_id?async=true" -XDELETE  
+    ```

dp-terraform/helm/rhacs-terraform/README.md

@@ -17,6 +17,8 @@ Run the script for your environment and cluster name:
 The env var `FM_ENDPOINT` should point to an endpoint for the fleet manager. An option to use a fleet manager instance running in your laptop is to [setup ngrok](https://ngrok.com/docs/getting-started), launch the fleet manager, and run `ngrok http 8000` to expose it to the internet. That commands outputs an endpoint that you can use for `FM_ENDPOINT`.  
 To get the cluster id for staging look for `cluster_id` in `dev/config/dataplane-cluster-configuration-staging.yaml` file. Export that value to environment variable `export CLUSTER_ID="<cluster_id from config file>"`.
 
+The FLEETSHARD_SYNC_<CPU|MEMORY>_<REQUEST|LIMIT> environment variables can be used to override the default values for the fleetshard-sync container resource requests and limits. See the `terraform_cluster.sh` for the current default values.
+
 **Create values file**
 
 Create a file `~/acs-terraform-values.yaml` with the values for the parameters in [values.yaml](./values.yaml) that are missing or that you want to override. That file will contain credentials, so make sure you put it in a safe location, and with suitable permissions.

dp-terraform/helm/rhacs-terraform/charts/observability/templates/01-operator-03-secret-alertmanager.yaml

@@ -0,0 +1,31 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: rhacs-alertmanager-configuration
+  namespace: {{ include "observability.namespace" . }}
+stringData:
+  alertmanager.yaml: |
+    global:
+      resolve_timeout: 5m
+    route:
+      receiver: default-receiver
+      repeat_interval: 12h
+      routes:
+      - receiver: managed-rhacs-pagerduty
+        match:
+          observability: managed-rhacs
+          severity: critical
+      - receiver: managed-rhacs-deadmanssnitch
+        repeat_interval: 5m
+        match:
+          alertname: DeadMansSwitch
+          observability: managed-rhacs
+    receivers:
+    - name: default-receiver
+    - name: managed-rhacs-pagerduty
+      pagerduty_configs:
+      - service_key: {{ .Values.pagerduty.key | quote }}
+    - name: managed-rhacs-deadmanssnitch
+      webhook_configs:
+      - url: {{ .Values.deadMansSwitch.url | quote }}
+type: Opaque

dp-terraform/helm/rhacs-terraform/charts/observability/templates/01-operator-05-subscription.yaml

@@ -12,3 +12,11 @@ spec:
   source: observability-operator-manifests
   sourceNamespace: {{ include "observability.namespace" . }}
   startingCSV: observability-operator.{{ .Values.observabilityOperatorVersion }}
+  config:
+    resources:
+      requests:
+        cpu: {{ .Values.observabilityOperator.resources.requests.cpu | quote }}
+        memory: {{ .Values.observabilityOperator.resources.requests.memory | quote }}
+      limits:
+        cpu: {{ .Values.observabilityOperator.resources.limits.cpu | quote }}
+        memory: {{ .Values.observabilityOperator.resources.limits.memory | quote }}