sync: stage to production

.secrets.baseline

@@ -349,7 +349,7 @@
         "filename": "internal/dinosaur/pkg/api/public/api/openapi.yaml",
         "hashed_secret": "5b455797b93de5b6a19633ba22127c8a610f5c1b",
         "is_verified": false,
-        "line_number": 1663
+        "line_number": 1531
       }
     ],
     "pkg/client/iam/client_moq.go": [
@@ -462,78 +462,78 @@
         "filename": "templates/service-template.yml",
         "hashed_secret": "13032f402fed753c2248419ea4f69f99931f6dbc",
         "is_verified": false,
-        "line_number": 574
+        "line_number": 514
       },
       {
         "type": "Base64 High Entropy String",
         "filename": "templates/service-template.yml",
         "hashed_secret": "30025f80f6e22cdafb85db387d50f90ea884576a",
         "is_verified": false,
-        "line_number": 574
+        "line_number": 514
       },
       {
         "type": "Base64 High Entropy String",
         "filename": "templates/service-template.yml",
         "hashed_secret": "355f24fd038bcaf85617abdcaa64af51ed19bbcf",
         "is_verified": false,
-        "line_number": 574
+        "line_number": 514
       },
       {
         "type": "Base64 High Entropy String",
         "filename": "templates/service-template.yml",
         "hashed_secret": "3d8a1dcd2c3c765ce35c9a9552d23273cc4ddace",
         "is_verified": false,
-        "line_number": 574
+        "line_number": 514
       },
       {
         "type": "Base64 High Entropy String",
         "filename": "templates/service-template.yml",
         "hashed_secret": "4ac7b0522761eba972467942cd5cd7499dd2c361",
         "is_verified": false,
-        "line_number": 574
+        "line_number": 514
       },
       {
         "type": "Base64 High Entropy String",
         "filename": "templates/service-template.yml",
         "hashed_secret": "7639ab2a6bcf2ea30a055a99468c9cd844d4c22a",
         "is_verified": false,
-        "line_number": 574
+        "line_number": 514
       },
       {
         "type": "Base64 High Entropy String",
         "filename": "templates/service-template.yml",
         "hashed_secret": "b56360daf4793d2a74991a972b34d95bc00fb2da",
         "is_verified": false,
-        "line_number": 574
+        "line_number": 514
       },
       {
         "type": "Base64 High Entropy String",
         "filename": "templates/service-template.yml",
         "hashed_secret": "c9a73ef9ee8ce9f38437227801c70bcc6740d1a1",
         "is_verified": false,
-        "line_number": 574
+        "line_number": 514
       },
       {
         "type": "Base64 High Entropy String",
         "filename": "templates/service-template.yml",
         "hashed_secret": "14736999d9940728c5294277831a702f7882dece",
         "is_verified": false,
-        "line_number": 611
+        "line_number": 551
       },
       {
         "type": "Secret Keyword",
         "filename": "templates/service-template.yml",
         "hashed_secret": "4e199b4a1c40b497a95fcd1cd896351733849949",
         "is_verified": false,
-        "line_number": 698,
+        "line_number": 638,
         "is_secret": false
       },
       {
         "type": "Secret Keyword",
         "filename": "templates/service-template.yml",
         "hashed_secret": "9d51dabe59aa776bef2909d3689374ebb93ab2be",
         "is_verified": false,
-        "line_number": 742
+        "line_number": 681
       }
     ],
     "test/support/certs.json": [
@@ -564,5 +564,5 @@
       }
     ]
   },
-  "generated_at": "2023-10-23T12:42:41Z"
+  "generated_at": "2023-11-06T14:09:00Z"
 }

Makefile

@@ -104,7 +104,7 @@ $(TOOLS_VENV_DIR): $(TOOLS_DIR)/requirements.txt
 	trap "rm -rf $(TOOLS_VENV_DIR)" ERR; \
 	python3 -m venv $(TOOLS_VENV_DIR); \
 	. $(TOOLS_VENV_DIR)/bin/activate; \
-	pip install --upgrade pip==22.3.1; \
+	pip install --upgrade pip==23.3.1; \
 	pip install -r $(TOOLS_DIR)/requirements.txt; \
 	touch $(TOOLS_VENV_DIR) # update directory modification timestamp even if no changes were made by pip. This will allow to skip this target if the directory is up-to-date
 
@@ -604,7 +604,6 @@ secrets/touch:
           secrets/central-tls.crt \
           secrets/central-tls.key \
           secrets/central.idp-client-secret \
-          secrets/image-pull.dockerconfigjson \
           secrets/observability-config-access.token \
           secrets/ocm-service.clientId \
           secrets/ocm-service.clientSecret \
@@ -717,7 +716,6 @@ deploy/secrets:
 		-p CENTRAL_TLS_CERT="$(shell ([ -s './secrets/central-tls.crt' ] && [ -z '${CENTRAL_TLS_CERT}' ]) && cat ./secrets/central-tls.crt || echo '${CENTRAL_TLS_CERT}')" \
 		-p CENTRAL_TLS_KEY="$(shell ([ -s './secrets/central-tls.key' ] && [ -z '${CENTRAL_TLS_KEY}' ]) && cat ./secrets/central-tls.key || echo '${CENTRAL_TLS_KEY}')" \
 		-p OBSERVABILITY_CONFIG_ACCESS_TOKEN="$(shell ([ -s './secrets/observability-config-access.token' ] && [ -z '${OBSERVABILITY_CONFIG_ACCESS_TOKEN}' ]) && cat ./secrets/observability-config-access.token || echo '${OBSERVABILITY_CONFIG_ACCESS_TOKEN}')" \
-		-p IMAGE_PULL_DOCKER_CONFIG="$(shell ([ -s './secrets/image-pull.dockerconfigjson' ] && [ -z '${IMAGE_PULL_DOCKER_CONFIG}' ]) && cat ./secrets/image-pull.dockerconfigjson || echo '${IMAGE_PULL_DOCKER_CONFIG}')" \
 		-p KUBE_CONFIG="${KUBE_CONFIG}" \
 		-p OBSERVABILITY_RHSSO_LOGS_CLIENT_ID="$(shell ([ -s './secrets/rhsso-logs.clientId' ] && [ -z '${OBSERVABILITY_RHSSO_LOGS_CLIENT_ID}' ]) && cat ./secrets/rhsso-logs.clientId || echo '${OBSERVABILITY_RHSSO_LOGS_CLIENT_ID}')" \
 		-p OBSERVABILITY_RHSSO_LOGS_SECRET="$(shell ([ -s './secrets/rhsso-logs.clientSecret' ] && [ -z '${OBSERVABILITY_RHSSO_LOGS_SECRET}' ]) && cat ./secrets/rhsso-logs.clientSecret || echo '${OBSERVABILITY_RHSSO_LOGS_SECRET}')" \

cmd/fleet-manager/main_test.go

@@ -38,7 +38,7 @@ func TestInjections(t *testing.T) {
 
 	var bootList []environments.BootService
 	env.MustResolve(&bootList)
-	Expect(len(bootList)).To(Equal(7))
+	Expect(len(bootList)).To(Equal(6))
 
 	_, ok := bootList[0].(*server.APIServer)
 	Expect(ok).To(Equal(true))

dev/env/defaults/00-defaults.env

@@ -45,7 +45,6 @@ export OSD_IDP_SSO_CLIENT_SECRET_DEFAULT=""
 export ROUTE53_ACCESS_KEY_DEFAULT=""
 export ROUTE53_SECRET_ACCESS_KEY_DEFAULT=""
 export OBSERVABILITY_CONFIG_ACCESS_TOKEN_DEFAULT=""
-export IMAGE_PULL_DOCKER_CONFIG_DEFAULT=""
 export SPAWN_LOGGER_DEFAULT="false"
 export DUMP_LOGS_DEFAULT="false"
 export OPERATOR_SOURCE_DEFAULT=""

dev/env/manifests/fleet-manager/01-fleet-manager-secrets.yaml

@@ -24,7 +24,6 @@ stringData:
   aws.route53accesskey: "${ROUTE53_ACCESS_KEY}"
   aws.route53secretaccesskey: "${ROUTE53_SECRET_ACCESS_KEY}"
   observability-config-access.token: "${OBSERVABILITY_CONFIG_ACCESS_TOKEN}"
-  image-pull.dockerconfigjson: "${IMAGE_PULL_DOCKER_CONFIG}"
   rhsso-logs.clientId: ""
   rhsso-logs.clientSecret: ""
   rhsso-metrics.clientId: ""

dev/env/scripts/lib.sh

@@ -127,7 +127,6 @@ init() {
     export ROUTE53_ACCESS_KEY=${ROUTE53_ACCESS_KEY:-$ROUTE53_ACCESS_KEY_DEFAULT}
     export ROUTE53_SECRET_ACCESS_KEY=${ROUTE53_SECRET_ACCESS_KEY:-$ROUTE53_SECRET_ACCESS_KEY_DEFAULT}
     export OBSERVABILITY_CONFIG_ACCESS_TOKEN=${OBSERVABILITY_CONFIG_ACCESS_TOKEN:-$OBSERVABILITY_CONFIG_ACCESS_TOKEN_DEFAULT}
-    export IMAGE_PULL_DOCKER_CONFIG=${IMAGE_PULL_DOCKER_CONFIG:-$IMAGE_PULL_DOCKER_CONFIG_DEFAULT}
     export INHERIT_IMAGEPULLSECRETS=${INHERIT_IMAGEPULLSECRETS:-$INHERIT_IMAGEPULLSECRETS_DEFAULT}
     export SPAWN_LOGGER=${SPAWN_LOGGER:-$SPAWN_LOGGER_DEFAULT}
     export DUMP_LOGS=${DUMP_LOGS:-$DUMP_LOGS_DEFAULT}
@@ -213,7 +212,6 @@ OSD_IDP_SSO_CLIENT_SECRET: ********
 ROUTE53_ACCESS_KEY: ********
 ROUTE53_SECRET_ACCESS_KEY: ********
 OBSERVABILITY_CONFIG_ACCESS_TOKEN: ********
-IMAGE_PULL_DOCKER_CONFIG: ${IMAGE_PULL_DOCKER_CONFIG}
 INHERIT_IMAGEPULLSECRETS: ${INHERIT_IMAGEPULLSECRETS}
 SPAWN_LOGGER: ${SPAWN_LOGGER}
 DUMP_LOGS: ${DUMP_LOGS}

docs/development/populating-configuration.md

@@ -115,22 +115,6 @@ In the Data Plane cluster, the Central Operator and the FleetShard Deployments
 might reference container images that are located in authenticated container
 image registries.
 
-Fleet Manager can be configured to send this authenticated
-container image registry information as a K8s Secret in [`kubernetes.io/.dockerconfigjson` format](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#registry-secret-existing-credentials).
-
-In order for the Fleet Manager to be able to start, create the following file:
-```
-touch secrets/image-pull.dockerconfigjson
-```
-
-If you don't need to make use of this functionality you can skip this section.
-Otherwise, keep reading below.
-
-To configure the Fleet Manager with this authenticated registry information so
-the previously mentioned Data Plane elements can pull container images from it:
-* Base-64 encode your [Docker configuration file](https://docs.docker.com/engine/reference/commandline/cli/#docker-cli-configuration-file-configjson-properties).
-* Copy the contents generated from the previous point into the `secrets/image-pull.dockerconfigjson` file
-
 ## Setup the Observability stack secrets
 See [Obsevability](./observability/README.md) to learn more about Observatorium and the observability stack.
 The following command is used to setup the various secrets needed by the Observability stack.

dp-terraform/helm/rhacs-terraform/Chart.lock

@@ -14,5 +14,8 @@ dependencies:
 - name: secured-cluster
   repository: ""
   version: 0.1.0
-digest: sha256:4b3301d2cdd6907207fb21ad741b6fa1e5302aaff1ce6fe5315cab8519908d61
-generated: "2023-07-06T21:15:28.778426+02:00"
+- name: external-secrets
+  repository: https://charts.external-secrets.io/
+  version: 0.9.5
+digest: sha256:4d1257d43daeda9d4f956f141edaba7f708838cbd2de86048f37261e9627f9cc
+generated: "2023-10-30T11:48:03.686258+01:00"

dp-terraform/helm/rhacs-terraform/Chart.yaml

@@ -36,8 +36,10 @@ dependencies:
     condition: logging.enabled
   - name: audit-logs
     version: "0.1.0"
-    repository: ""
     condition: audit-logs.enabled
   - name: secured-cluster
     version: "0.1.0"
     condition: secured-cluster.enabled
+  - name: external-secrets
+    version: "0.9.5"
+    repository: https://charts.external-secrets.io/

dp-terraform/helm/rhacs-terraform/charts/observability/templates/01-operator-05-subscription.yaml

@@ -13,10 +13,8 @@ spec:
   sourceNamespace: {{ include "observability.namespace" . }}
   startingCSV: observability-operator.{{ .Values.observabilityOperatorVersion }}
   config:
+    # set the resources if they are provided
+    {{- if ((.Values.observabilityOperator).resources) }}
     resources:
-      requests:
-        cpu: {{ .Values.observabilityOperator.resources.requests.cpu | quote }}
-        memory: {{ .Values.observabilityOperator.resources.requests.memory | quote }}
-      limits:
-        cpu: {{ .Values.observabilityOperator.resources.limits.cpu | quote }}
-        memory: {{ .Values.observabilityOperator.resources.limits.memory | quote }}
+      {{ .Values.observabilityOperator.resources | toYaml | nindent 6 }}
+    {{- end }}

dp-terraform/helm/rhacs-terraform/charts/observability/templates/01-operator-06-cr.yaml

@@ -50,35 +50,30 @@ spec:
         cpu: {{ .Values.alertManager.resources.requests.cpu | quote }}
         memory: {{ .Values.alertManager.resources.requests.memory | quote }}
       limits:
-        cpu: {{ .Values.alertManager.resources.limits.cpu | quote }}
         memory: {{ .Values.alertManager.resources.limits.memory | quote }}
     prometheusResourceRequirement:
       requests:
         cpu: {{ .Values.prometheus.resources.requests.cpu | quote }}
         memory: {{ .Values.prometheus.resources.requests.memory | quote }}
       limits:
-        cpu: {{ .Values.prometheus.resources.limits.cpu | quote }}
         memory: {{ .Values.prometheus.resources.limits.memory | quote }}
     prometheusOperatorResourceRequirement:
       requests:
         cpu: {{ .Values.prometheusOperator.resources.requests.cpu | quote }}
         memory: {{ .Values.prometheusOperator.resources.requests.memory | quote }}
       limits:
-        cpu: {{ .Values.prometheusOperator.resources.limits.cpu | quote }}
         memory: {{ .Values.prometheusOperator.resources.limits.memory | quote }}
     grafanaResourceRequirement:
       requests:
         cpu: {{ .Values.grafana.resources.requests.cpu | quote }}
         memory: {{ .Values.grafana.resources.requests.memory | quote }}
       limits:
-        cpu: {{ .Values.grafana.resources.limits.cpu | quote }}
         memory: {{ .Values.grafana.resources.limits.memory | quote }}
     grafanaOperatorResourceRequirement:
       requests:
         cpu: {{ .Values.grafanaOperator.resources.requests.cpu | quote }}
         memory: {{ .Values.grafanaOperator.resources.requests.memory | quote }}
       limits:
-        cpu: {{ .Values.grafanaOperator.resources.limits.cpu | quote }}
         memory: {{ .Values.grafanaOperator.resources.limits.memory | quote }}
   storage:
     prometheus:

dp-terraform/helm/rhacs-terraform/charts/observability/values.yaml

@@ -43,25 +43,22 @@ observabilityOperator:
       cpu: "500m"
       memory: "2048Mi"
     limits:
-      cpu: "500m"
       memory: "2048Mi"
 
 prometheus:
   resources:
     requests:
       cpu: 1500m
-      memory: 18Gi
+      memory: 20Gi
     limits:
-      cpu: 1500m
-      memory: 18Gi
+      memory: 20Gi
 
 prometheusOperator:
   resources:
     requests:
       cpu: 200m
       memory: 256Mi
     limits:
-      cpu: 200m
       memory: 256Mi
 
 grafana:
@@ -70,7 +67,6 @@ grafana:
       cpu: 500m
       memory: 1024Mi
     limits:
-      cpu: 500m
       memory: 1024Mi
 
 grafanaOperator:
@@ -79,7 +75,6 @@ grafanaOperator:
       cpu: 200m
       memory: 256Mi
     limits:
-      cpu: 200m
       memory: 256Mi
 
 alertManager:
@@ -88,5 +83,4 @@ alertManager:
       cpu: 200m
       memory: 256Mi
     limits:
-      cpu: 200m
       memory: 256Mi