From 8841af534c1d14e86a58c4cafbee0a2ba13f0950 Mon Sep 17 00:00:00 2001 From: Yury Kovalev <8366110+kovayur@users.noreply.github.com> Date: Wed, 7 Dec 2022 13:26:57 +0100 Subject: [PATCH 01/16] Use downstream version of the StackRox operator on stage (#641) --- CHANGELOG.md | 1 + .../rhacs-operator/marketplace/03-subscription.yaml | 2 +- dp-terraform/helm/rhacs-terraform/terraform_cluster.sh | 10 ++-------- 3 files changed, 4 insertions(+), 9 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e3399fab1f..21b881c4af 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -10,6 +10,7 @@ This Changelog should be updated for: ### Added ### Changed - Data Plane terraforming now deploys fleetshard image obtained dynamically rather than hardcoded in the script +- Upgrade StackRox operator to v3.73.0 ### Deprecated ### Removed diff --git a/dev/env/manifests/rhacs-operator/marketplace/03-subscription.yaml b/dev/env/manifests/rhacs-operator/marketplace/03-subscription.yaml index a747bc9537..abe3b4c4bc 100644 --- a/dev/env/manifests/rhacs-operator/marketplace/03-subscription.yaml +++ b/dev/env/manifests/rhacs-operator/marketplace/03-subscription.yaml @@ -9,6 +9,6 @@ spec: installPlanApproval: Automatic source: redhat-operators sourceNamespace: openshift-marketplace - startingCSV: rhacs-operator.v3.72.0 + startingCSV: rhacs-operator.v3.73.0 config: resources: $RHACS_OPERATOR_RESOURCES diff --git a/dp-terraform/helm/rhacs-terraform/terraform_cluster.sh b/dp-terraform/helm/rhacs-terraform/terraform_cluster.sh index 03c51179d8..dd3dc7284e 100755 --- a/dp-terraform/helm/rhacs-terraform/terraform_cluster.sh +++ b/dp-terraform/helm/rhacs-terraform/terraform_cluster.sh 
@@ -32,10 +32,6 @@ case $ENVIRONMENT in FM_ENDPOINT="https://xtr6hh3mg6zc80v.api.stage.openshift.com" OBSERVABILITY_GITHUB_TAG="master" OBSERVABILITY_OBSERVATORIUM_GATEWAY="https://observatorium-mst.api.stage.openshift.com" - # TODO Use downstream operator after downstream release 3.73.0 - OPERATOR_USE_UPSTREAM=true - OPERATOR_VERSION="v3.73.0" - # Get the first non-merge commit, starting with HEAD. # On main this should be HEAD FLEETSHARD_SYNC_TAG="$(git rev-list --no-merges --max-count 1 --abbrev-commit --abbrev=7 HEAD)" @@ -47,9 +43,6 @@ case $ENVIRONMENT in OBSERVABILITY_GITHUB_TAG="production" OBSERVABILITY_OBSERVATORIUM_GATEWAY="https://observatorium-mst.api.openshift.com" - OPERATOR_USE_UPSTREAM=false - OPERATOR_VERSION="v3.72.0" - FLEETSHARD_SYNC_TAG="1df0bc5" ;; @@ -69,6 +62,7 @@ load_external_config "cluster-${CLUSTER_NAME}" CLUSTER_ oc login --token="${CLUSTER_ROBOT_OC_TOKEN}" --server="$CLUSTER_URL" OPERATOR_SOURCE="redhat-operators" +OPERATOR_USE_UPSTREAM="${OPERATOR_USE_UPSTREAM:-false}" if [[ "${OPERATOR_USE_UPSTREAM}" == "true" ]]; then load_external_config quay/rhacs-eng QUAY_ quay_basic_auth="${QUAY_READ_ONLY_USERNAME}:${QUAY_READ_ONLY_PASSWORD}" @@ -89,7 +83,7 @@ helm upgrade rhacs-terraform "${SCRIPT_DIR}" \ --set acsOperator.enabled=true \ --set acsOperator.source="${OPERATOR_SOURCE}" \ --set acsOperator.sourceNamespace=openshift-marketplace \ - --set acsOperator.version="${OPERATOR_VERSION}" \ + --set acsOperator.version=v3.73.0 \ --set acsOperator.upstream="${OPERATOR_USE_UPSTREAM}" \ --set fleetshardSync.image="quay.io/app-sre/acs-fleet-manager:${FLEETSHARD_SYNC_TAG}" \ --set fleetshardSync.authType="RHSSO" \ From 72addce8fe8b1ca70344abf1e86437f9b33e1117 Mon Sep 17 00:00:00 2001 
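Review bot: `OPERATOR_USE_UPSTREAM="${OPERATOR_USE_UPSTREAM:-false}"` now takes the operator-catalog switch from whatever environment the script happens to run in, so a stray `OPERATOR_USE_UPSTREAM=true` in a CI job or a developer shell silently moves a stage or prod install from the `redhat-operators` catalog to the upstream one and loads the quay read-only credentials; before this hunk the value was fixed per environment in the `case` block. Consider accepting only the two spellings and echoing the resolved value, e.g. `case "${OPERATOR_USE_UPSTREAM}" in true|false) ;; *) echo >&2 "OPERATOR_USE_UPSTREAM must be true or false"; exit 2 ;; esac`. The surrounding script continues outside the hunk.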
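Review bot: The operator version becomes a literal in the `helm upgrade` call, `--set acsOperator.version=v3.73.0`, while the same string also appears in `dev/env/manifests/rhacs-operator/marketplace/03-subscription.yaml` and the changelog entry of this patch, so the next bump has three places to drift. A single `OPERATOR_VERSION="v3.73.0"` assignment next to `OPERATOR_SOURCE="redhat-operators"` with `--set acsOperator.version="${OPERATOR_VERSION}"` keeps one place to change without reintroducing the per-environment split the commit removes.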
From: Stephan Hesselmann Date: Wed, 7 Dec 2022 13:34:38 +0100 Subject: [PATCH 02/16] ROX-13593: Add tenant ID as a k8s label (#627) * ROX-13593: Add tenant ID as a k8s label The tenant ID may be used to query tenant resources in scripts and tooling. In addition, the tenant ID identifies the Segment group for telemetry users. * fix style after rebase * add tenant id to namespace label --- .../pkg/central/reconciler/reconciler.go | 20 +++++++++++-------- .../pkg/central/reconciler/reconciler_test.go | 2 ++ 2 files changed, 14 insertions(+), 8 deletions(-) diff --git a/fleetshard/pkg/central/reconciler/reconciler.go b/fleetshard/pkg/central/reconciler/reconciler.go index fcda06bb8e..8e8b05f6e0 100644 --- a/fleetshard/pkg/central/reconciler/reconciler.go +++ b/fleetshard/pkg/central/reconciler/reconciler.go @@ -40,6 +40,7 @@ const ( helmReleaseName = "tenant-resources" managedServicesAnnotation = "platform.stackrox.io/managed-services" + tenantIDLabelKey = "rhacs.redhat.com/tenant" centralDbSecretName = "central-db-password" // pragma: allowlist secret ) @@ -115,9 +116,12 @@ func (r *CentralReconciler) Reconcile(ctx context.Context, remoteCentral private central := &v1alpha1.Central{ ObjectMeta: metav1.ObjectMeta{ - Name: remoteCentralName, - Namespace: remoteCentralNamespace, - Labels: map[string]string{k8s.ManagedByLabelKey: k8s.ManagedByFleetshardValue}, + Name: remoteCentralName, + Namespace: remoteCentralNamespace, + Labels: map[string]string{ + k8s.ManagedByLabelKey: k8s.ManagedByFleetshardValue, + tenantIDLabelKey: remoteCentral.Id, + }, Annotations: map[string]string{managedServicesAnnotation: "true"}, }, Spec: v1alpha1.CentralSpec{ 
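Review bot: `tenantIDLabelKey: remoteCentral.Id` puts a value received from the fleet manager API straight into a Kubernetes label, and nothing in the hunk checks that it is a valid label value (at most 63 characters of alphanumerics, `-`, `_` and `.`, starting and ending alphanumerically); an ID outside that set makes the API server reject the Central create, and the same applies to the namespace label in the `createTenantNamespace` hunk and to `Customize.Labels` in PATCH 11. If the ID format is guaranteed upstream, a comment on the constant would save the next reader the question, e.g. `// tenantIDLabelKey carries the fleet-manager tenant ID; the value must satisfy Kubernetes label-value syntax.` Otherwise validate with `validation.IsValidLabelValue` from `k8s.io/apimachinery/pkg/util/validation` before building the object. `Reconcile` begins and ends outside the hunk.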
@@ -183,7 +187,7 @@ func (r *CentralReconciler) Reconcile(ctx context.Context, remoteCentral private return nil, ErrDeletionInProgress } - if err := r.ensureNamespaceExists(remoteCentralNamespace); err != nil { + if err := r.ensureNamespaceExists(remoteCentralNamespace, remoteCentral.Id); err != nil { return nil, errors.Wrapf(err, "unable to ensure that namespace %s exists", remoteCentralNamespace) } @@ -429,9 +433,9 @@ func (r *CentralReconciler) getNamespace(name string) (*corev1.Namespace, error) return namespace, nil } -func (r *CentralReconciler) createTenantNamespace(ctx context.Context, namespace *corev1.Namespace) error { +func (r *CentralReconciler) createTenantNamespace(ctx context.Context, namespace *corev1.Namespace, tenantID string) error { namespace.Labels = make(map[string]string) - namespace.Labels["rhacs.redhat.com/tenant"] = "" + namespace.Labels[tenantIDLabelKey] = tenantID err := r.client.Create(ctx, namespace) if err != nil { return fmt.Errorf("creating namespace %q: %w", namespace.ObjectMeta.Name, err) @@ -439,11 +443,11 @@ func (r *CentralReconciler) createTenantNamespace(ctx context.Context, namespace return nil } -func (r *CentralReconciler) ensureNamespaceExists(name string) error { +func (r *CentralReconciler) ensureNamespaceExists(name string, tenantID string) error { namespace, err := r.getNamespace(name) if err != nil { if apiErrors.IsNotFound(err) { - return r.createTenantNamespace(context.Background(), namespace) + return r.createTenantNamespace(context.Background(), namespace, tenantID) } return fmt.Errorf("getting namespace %s: %w", name, err) } diff --git a/fleetshard/pkg/central/reconciler/reconciler_test.go b/fleetshard/pkg/central/reconciler/reconciler_test.go index e7b0959049..13c9cd8c60 100644 --- a/fleetshard/pkg/central/reconciler/reconciler_test.go +++ b/fleetshard/pkg/central/reconciler/reconciler_test.go 
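Review bot: `ensureNamespaceExists` only forwards `tenantID` into the not-found branch, so a namespace that already exists keeps whatever labels it has — including the empty `rhacs.redhat.com/tenant: ""` the previous version of `createTenantNamespace` wrote — and is never relabelled. Tenants provisioned before this change will therefore not match the label queries the commit message describes unless something else backfills the label. Either compare the existing namespace's label with `tenantID` and update it when it differs, or state the gap on the function, e.g. `// ensureNamespaceExists creates the tenant namespace when it is missing; it does not reconcile labels on an existing namespace.`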
@@ -44,6 +44,7 @@ const ( ) var simpleManagedCentral = private.ManagedCentral{ + Id: centralID, Metadata: private.ManagedCentralAllOfMetadata{ Name: centralName, Namespace: centralNamespace, @@ -87,6 +88,7 @@ func TestReconcileCreate(t *testing.T) { err = fakeClient.Get(context.TODO(), client.ObjectKey{Name: centralName, Namespace: centralNamespace}, central) require.NoError(t, err) assert.Equal(t, centralName, central.GetName()) + assert.Equal(t, simpleManagedCentral.Id, central.GetLabels()[tenantIDLabelKey]) assert.Equal(t, "1", central.GetAnnotations()[revisionAnnotationKey]) assert.Equal(t, "true", central.GetAnnotations()[managedServicesAnnotation]) assert.Equal(t, true, *central.Spec.Central.Exposure.Route.Enabled) From e73ba151210c97d2bcfe6985c944b43a2c47bb63 Mon Sep 17 00:00:00 2001 From: Yury Kovalev <8366110+kovayur@users.noreply.github.com> Date: Wed, 7 Dec 2022 14:16:32 +0100 Subject: [PATCH 03/16] ROX-13756: Add managed DB parameters to the Helm chart (#638) --- CHANGELOG.md | 1 + dp-terraform/helm/rhacs-terraform/Chart.yaml | 4 ++-- .../templates/fleetshard-sync-secret.yaml | 10 ++++++++++ .../templates/fleetshard-sync.yaml | 20 +++++++++++++++++-- .../helm/rhacs-terraform/terraform_cluster.sh | 14 ++++++++++--- dp-terraform/helm/rhacs-terraform/values.yaml | 4 ++++ 6 files changed, 46 insertions(+), 7 deletions(-) create mode 100644 dp-terraform/helm/rhacs-terraform/templates/fleetshard-sync-secret.yaml diff --git a/CHANGELOG.md b/CHANGELOG.md index 21b881c4af..092daa3344 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -11,6 +11,7 @@ This Changelog should be updated for: ### Changed - Data Plane terraforming now deploys fleetshard image obtained dynamically rather than hardcoded in the script - Upgrade StackRox operator to v3.73.0 +- Add managed DB values to the Data Plane terraforming Helm Chart ### Deprecated ### Removed 
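Review bot: The new assertion checks the tenant label only on the Central CR; the namespace label that `createTenantNamespace` sets in the same commit has no coverage. Assuming the fake client starts without the namespace, fetching it with `client.ObjectKey{Name: centralNamespace}` and asserting `assert.Equal(t, simpleManagedCentral.Id, ns.GetLabels()[tenantIDLabelKey])` would pin both paths. `TestReconcileCreate` continues outside the hunk.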
diff --git a/dp-terraform/helm/rhacs-terraform/Chart.yaml b/dp-terraform/helm/rhacs-terraform/Chart.yaml index c9cf2a7598..51ed5f9134 100644 --- a/dp-terraform/helm/rhacs-terraform/Chart.yaml +++ b/dp-terraform/helm/rhacs-terraform/Chart.yaml @@ -15,13 +15,13 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: "0.1.0" +version: "0.2.0" # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. # It is recommended to use it with quotes. -appVersion: "0.1.0" +appVersion: "0.2.0" # List of sub-charts and other dependencies dependencies: diff --git a/dp-terraform/helm/rhacs-terraform/templates/fleetshard-sync-secret.yaml b/dp-terraform/helm/rhacs-terraform/templates/fleetshard-sync-secret.yaml new file mode 100644 index 0000000000..716016cf78 --- /dev/null +++ b/dp-terraform/helm/rhacs-terraform/templates/fleetshard-sync-secret.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: Secret +metadata: + name: fleetshard-sync + namespace: {{ .Release.Namespace }} + labels: + app: fleetshard-sync +stringData: + rhsso-service-account-client-id: {{ .Values.fleetshardSync.redHatSSO.clientId | quote }} + rhsso-service-account-client-secret: {{ .Values.fleetshardSync.redHatSSO.clientSecret | quote }} diff --git a/dp-terraform/helm/rhacs-terraform/templates/fleetshard-sync.yaml b/dp-terraform/helm/rhacs-terraform/templates/fleetshard-sync.yaml index 6a37a67bf7..d8c55cb841 100644 --- a/dp-terraform/helm/rhacs-terraform/templates/fleetshard-sync.yaml +++ b/dp-terraform/helm/rhacs-terraform/templates/fleetshard-sync.yaml 
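Review bot: The client ID and secret now live in a `Secret` that the `Deployment` in the `fleetshard-sync.yaml` hunk consumes through `secretKeyRef`, and environment variables are read once at container start, so a `helm upgrade` that rotates `redHatSSO.clientSecret` rewrites the Secret but leaves the pod template unchanged and running pods keep the old credential until something else restarts them. The usual fix is a pod-template annotation hashing the rendered secret, e.g. `checksum/fleetshard-sync-secret: {{ include (print $.Template.BasePath "/fleetshard-sync-secret.yaml") . | sha256sum }}` under `spec.template.metadata.annotations` in `fleetshard-sync.yaml`. Also worth a line in `values.yaml`: values passed via `--set` are retained in clear in the Helm release history secret, so rotation should also consider that copy.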
@@ -40,13 +40,29 @@ spec: - name: EGRESS_PROXY_IMAGE value: {{ .Values.fleetshardSync.egressProxy.image | quote }} - name: RHSSO_SERVICE_ACCOUNT_CLIENT_ID - value: {{ .Values.fleetshardSync.redHatSSO.clientId }} + valueFrom: + secretKeyRef: + name: fleetshard-sync + key: "rhsso-service-account-client-id" + optional: false - name: RHSSO_SERVICE_ACCOUNT_CLIENT_SECRET - value: {{ .Values.fleetshardSync.redHatSSO.clientSecret }} + valueFrom: + secretKeyRef: + name: fleetshard-sync + key: "rhsso-service-account-client-secret" + optional: false - name: RHSSO_REALM value: {{ .Values.fleetshardSync.redHatSSO.realm }} - name: RHSSO_ENDPOINT value: {{ .Values.fleetshardSync.redHatSSO.endpoint }} + - name: MANAGED_DB_ENABLED + value: {{ .Values.fleetshardSync.managedDB.enabled }} + {{ if eq .Values.fleetshardSync.managedDB.enabled true }} + - name: MANAGED_DB_SUBNET_GROUP + value: {{ required "fleetshardSync.managedDB.subnetGroup is required when fleetshardSync.managedDB.enabled = true" .Values.fleetshardSync.managedDB.subnetGroup }} + - name: MANAGED_DB_SECURITY_GROUP + value: {{ required "fleetshardSync.managedDB.securityGroup is required when fleetshardSync.managedDB.enabled = true" .Values.fleetshardSync.managedDB.securityGroup }} + {{ end }} ports: - name: monitoring containerPort: 8080 diff --git a/dp-terraform/helm/rhacs-terraform/terraform_cluster.sh b/dp-terraform/helm/rhacs-terraform/terraform_cluster.sh index dd3dc7284e..95f14511bc 100755 --- a/dp-terraform/helm/rhacs-terraform/terraform_cluster.sh +++ b/dp-terraform/helm/rhacs-terraform/terraform_cluster.sh @@ -35,7 +35,6 @@ case $ENVIRONMENT in # Get the first non-merge commit, starting with HEAD. # On main this should be HEAD FLEETSHARD_SYNC_TAG="$(git rev-list --no-merges --max-count 1 --abbrev-commit --abbrev=7 HEAD)" - "${SCRIPT_DIR}/check_image_exists.sh" "${FLEETSHARD_SYNC_TAG}" ;; prod) 
@@ -58,6 +57,12 @@ if [[ $CLUSTER_ENVIRONMENT != "$ENVIRONMENT" ]]; then exit 2 fi +if [[ "${HELM_PRINT_ONLY:-}" == "true" ]]; then + HELM_DEBUG_FLAGS="--debug --dry-run" +else + "${SCRIPT_DIR}/check_image_exists.sh" "${FLEETSHARD_SYNC_TAG}" +fi + load_external_config "cluster-${CLUSTER_NAME}" CLUSTER_ oc login --token="${CLUSTER_ROBOT_OC_TOKEN}" --server="$CLUSTER_URL" @@ -75,8 +80,8 @@ if [[ "${OPERATOR_USE_UPSTREAM}" == "true" ]]; then OPERATOR_SOURCE="rhacs-operators" fi -# helm template --debug ... to debug changes -helm upgrade rhacs-terraform "${SCRIPT_DIR}" \ +# shellcheck disable=SC2086 +helm upgrade rhacs-terraform "${SCRIPT_DIR}" ${HELM_DEBUG_FLAGS:-} \ --install \ --namespace rhacs \ --create-namespace \ @@ -91,6 +96,9 @@ helm upgrade rhacs-terraform "${SCRIPT_DIR}" \ --set fleetshardSync.fleetManagerEndpoint="${FM_ENDPOINT}" \ --set fleetshardSync.redHatSSO.clientId="${FLEETSHARD_SYNC_RHSSO_SERVICE_ACCOUNT_CLIENT_ID}" \ --set fleetshardSync.redHatSSO.clientSecret="${FLEETSHARD_SYNC_RHSSO_SERVICE_ACCOUNT_CLIENT_SECRET}" \ + --set fleetshardSync.managedDB.enabled=true \ + --set fleetshardSync.managedDB.subnetGroup="${FLEETSHARD_SYNC_MANAGED_DB_SUBNET_GROUP}" \ + --set fleetshardSync.managedDB.securityGroup="${FLEETSHARD_SYNC_MANAGED_DB_SECURITY_GROUP}" \ --set logging.aws.accessKeyId="${LOGGING_AWS_ACCESS_KEY_ID}" \ --set logging.aws.secretAccessKey="${LOGGING_AWS_SECRET_ACCESS_KEY}" \ --set observability.github.accessToken="${OBSERVABILITY_GITHUB_ACCESS_TOKEN}" \ diff --git a/dp-terraform/helm/rhacs-terraform/values.yaml b/dp-terraform/helm/rhacs-terraform/values.yaml index 839bca219f..6b58458618 100644 --- a/dp-terraform/helm/rhacs-terraform/values.yaml +++ b/dp-terraform/helm/rhacs-terraform/values.yaml @@ -25,6 +25,10 @@ fleetshardSync: realm: "redhat-external" egressProxy: image: "registry.redhat.io/openshift4/ose-egress-http-proxy:v4.11.0" + managedDB: + enabled: true + subnetGroup: "" + securityGroup: "" acsOperator: enabled: false 
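Review bot: `HELM_DEBUG_FLAGS="--debug --dry-run"` makes `helm upgrade` print the rendered manifests and the computed values to stdout, and with this chart that output contains every `--set` credential passed below — `redHatSSO.clientSecret`, `logging.aws.secretAccessKey`, `observability.github.accessToken` — plus the new Secret template's `stringData`. If `HELM_PRINT_ONLY=true` is ever set in CI the credentials land in the job log. A comment next to the assignment would make that explicit, e.g. `# --debug prints rendered templates including secret values; intended for local use only`, or the output could be redirected to a file with restricted permissions.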
From 234634cddf770b0cacdc86c067438c8b3e8f0825 Mon Sep 17 00:00:00 2001 From: Yury Kovalev Date: Wed, 7 Dec 2022 14:30:48 +0100 Subject: [PATCH 04/16] Quote MANAGED_DB_ENABLED value --- .../helm/rhacs-terraform/templates/fleetshard-sync.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dp-terraform/helm/rhacs-terraform/templates/fleetshard-sync.yaml b/dp-terraform/helm/rhacs-terraform/templates/fleetshard-sync.yaml index d8c55cb841..d70de2de13 100644 --- a/dp-terraform/helm/rhacs-terraform/templates/fleetshard-sync.yaml +++ b/dp-terraform/helm/rhacs-terraform/templates/fleetshard-sync.yaml @@ -56,7 +56,7 @@ spec: - name: RHSSO_ENDPOINT value: {{ .Values.fleetshardSync.redHatSSO.endpoint }} - name: MANAGED_DB_ENABLED - value: {{ .Values.fleetshardSync.managedDB.enabled }} + value: {{ .Values.fleetshardSync.managedDB.enabled | quote }} {{ if eq .Values.fleetshardSync.managedDB.enabled true }} - name: MANAGED_DB_SUBNET_GROUP value: {{ required "fleetshardSync.managedDB.subnetGroup is required when fleetshardSync.managedDB.enabled = true" .Values.fleetshardSync.managedDB.subnetGroup }} From f4e727b2a7a7310cfaaa459f6eb472b8b505385c Mon Sep 17 00:00:00 2001 From: Vlad Bologa Date: Wed, 7 Dec 2022 14:37:35 +0100 Subject: [PATCH 05/16] Remove unused RDS code (#642) --- fleetshard/pkg/central/cloudprovider/awsclient/rds.go | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/fleetshard/pkg/central/cloudprovider/awsclient/rds.go b/fleetshard/pkg/central/cloudprovider/awsclient/rds.go index 5f9c59954e..3092c4c821 100644 --- a/fleetshard/pkg/central/cloudprovider/awsclient/rds.go +++ b/fleetshard/pkg/central/cloudprovider/awsclient/rds.go 
@@ -44,16 +44,6 @@ type RDS struct { rdsClient *rds.RDS } -// AWSCredentials stores the credentials for the AWS RDS API. -type AWSCredentials struct { - // AccessKeyID is the AWS access key identifier. - AccessKeyID string - // SecretAccessKey is the AWS secret access key. - SecretAccessKey string - // SessionToken is a token required for temporary security credentials retrieved via STS. - SessionToken string -} - // EnsureDBProvisioned is a blocking function that makes sure that an RDS database was provisioned for a Central func (r *RDS) EnsureDBProvisioned(ctx context.Context, databaseID, masterPassword string) (string, error) { clusterID := getClusterID(databaseID) From d7c2ebd0262ca5bb94594afba2652f6063a11240 Mon Sep 17 00:00:00 2001 From: Yury Kovalev <8366110+kovayur@users.noreply.github.com> Date: Wed, 7 Dec 2022 16:30:18 +0100 Subject: [PATCH 06/16] Add AWS role arn parameter to the Helm chart (#649) --- dp-terraform/helm/rhacs-terraform/Chart.yaml | 4 ++-- .../helm/rhacs-terraform/templates/fleetshard-sync.yaml | 8 ++++++-- dp-terraform/helm/rhacs-terraform/terraform_cluster.sh | 1 + dp-terraform/helm/rhacs-terraform/values.yaml | 3 +++ 4 files changed, 12 insertions(+), 4 deletions(-) diff --git a/dp-terraform/helm/rhacs-terraform/Chart.yaml b/dp-terraform/helm/rhacs-terraform/Chart.yaml index 51ed5f9134..02466b0751 100644 --- a/dp-terraform/helm/rhacs-terraform/Chart.yaml +++ b/dp-terraform/helm/rhacs-terraform/Chart.yaml 
@@ -15,13 +15,13 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: "0.2.0" +version: "0.3.0" # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. # It is recommended to use it with quotes. -appVersion: "0.2.0" +appVersion: "0.3.0" # List of sub-charts and other dependencies dependencies: diff --git a/dp-terraform/helm/rhacs-terraform/templates/fleetshard-sync.yaml b/dp-terraform/helm/rhacs-terraform/templates/fleetshard-sync.yaml index d70de2de13..5a929e8d57 100644 --- a/dp-terraform/helm/rhacs-terraform/templates/fleetshard-sync.yaml +++ b/dp-terraform/helm/rhacs-terraform/templates/fleetshard-sync.yaml @@ -57,12 +57,16 @@ spec: value: {{ .Values.fleetshardSync.redHatSSO.endpoint }} - name: MANAGED_DB_ENABLED value: {{ .Values.fleetshardSync.managedDB.enabled | quote }} - {{ if eq .Values.fleetshardSync.managedDB.enabled true }} + {{- if eq .Values.fleetshardSync.managedDB.enabled true }} - name: MANAGED_DB_SUBNET_GROUP value: {{ required "fleetshardSync.managedDB.subnetGroup is required when fleetshardSync.managedDB.enabled = true" .Values.fleetshardSync.managedDB.subnetGroup }} - name: MANAGED_DB_SECURITY_GROUP value: {{ required "fleetshardSync.managedDB.securityGroup is required when fleetshardSync.managedDB.enabled = true" .Values.fleetshardSync.managedDB.securityGroup }} - {{ end }} + {{- end }} + - name: AWS_REGION + value: {{ .Values.fleetshardSync.aws.region }} + - name: AWS_ROLE_ARN + value: {{ .Values.fleetshardSync.aws.roleARN }} ports: - name: monitoring containerPort: 8080 
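Review bot: `value: {{ .Values.fleetshardSync.aws.region }}` and the `roleARN` line are rendered unquoted while `MANAGED_DB_ENABLED` a few lines above uses `| quote`; with the `roleARN: ""` default the line renders as a bare `value:` (YAML null) rather than an empty string. Using `| quote` on both keeps the env list consistent and the rendered type predictable.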
diff --git a/dp-terraform/helm/rhacs-terraform/terraform_cluster.sh b/dp-terraform/helm/rhacs-terraform/terraform_cluster.sh index 95f14511bc..f05687b0e6 100755 --- a/dp-terraform/helm/rhacs-terraform/terraform_cluster.sh +++ b/dp-terraform/helm/rhacs-terraform/terraform_cluster.sh @@ -99,6 +99,7 @@ helm upgrade rhacs-terraform "${SCRIPT_DIR}" ${HELM_DEBUG_FLAGS:-} \ --set fleetshardSync.managedDB.enabled=true \ --set fleetshardSync.managedDB.subnetGroup="${FLEETSHARD_SYNC_MANAGED_DB_SUBNET_GROUP}" \ --set fleetshardSync.managedDB.securityGroup="${FLEETSHARD_SYNC_MANAGED_DB_SECURITY_GROUP}" \ + --set fleetshardSync.aws.roleARN="${FLEETSHARD_SYNC_AWS_ROLE_ARN}" \ --set logging.aws.accessKeyId="${LOGGING_AWS_ACCESS_KEY_ID}" \ --set logging.aws.secretAccessKey="${LOGGING_AWS_SECRET_ACCESS_KEY}" \ --set observability.github.accessToken="${OBSERVABILITY_GITHUB_ACCESS_TOKEN}" \ diff --git a/dp-terraform/helm/rhacs-terraform/values.yaml b/dp-terraform/helm/rhacs-terraform/values.yaml index 6b58458618..b6686ec3df 100644 --- a/dp-terraform/helm/rhacs-terraform/values.yaml +++ b/dp-terraform/helm/rhacs-terraform/values.yaml @@ -29,6 +29,9 @@ fleetshardSync: enabled: true subnetGroup: "" securityGroup: "" + aws: + region: "us-east-1" + roleARN: "" acsOperator: enabled: false From ca967818d11766507c9076203cb119c4c1aa3608 Mon Sep 17 00:00:00 2001 From: Marcin Owsiany Date: Thu, 8 Dec 2022 07:29:16 +0100 Subject: [PATCH 07/16] ROX-13737: Use built-in concurrency control. (#640) --- .github/workflows/deploy-production.yaml | 11 ++--------- .github/workflows/deploy-stage.yaml | 11 ++--------- 2 files changed, 4 insertions(+), 18 deletions(-) diff --git a/.github/workflows/deploy-production.yaml b/.github/workflows/deploy-production.yaml index c36fe2f9e7..ac1bbef056 100644 --- a/.github/workflows/deploy-production.yaml +++ b/.github/workflows/deploy-production.yaml 
@@ -1,20 +1,13 @@ name: Deploy Prod Env +concurrency: production + on: push: branches: - production jobs: - cancel: - name: Cancel previous runs - runs-on: ubuntu-latest - steps: - - name: Cancel Previous Runs - uses: n1hility/cancel-previous-runs@v2 - with: - token: ${{ secrets.GITHUB_TOKEN }} - terraform: name: Re-terraform production clusters needs: cancel diff --git a/.github/workflows/deploy-stage.yaml b/.github/workflows/deploy-stage.yaml index 8739a7e2f3..9ca65fb0f8 100644 --- a/.github/workflows/deploy-stage.yaml +++ b/.github/workflows/deploy-stage.yaml @@ -1,20 +1,13 @@ name: Deploy Stage Env +concurrency: stage + on: push: branches: - main jobs: - cancel: - name: Cancel previous runs - runs-on: ubuntu-latest - steps: - - name: Cancel Previous Runs - uses: n1hility/cancel-previous-runs@v2 - with: - token: ${{ secrets.GITHUB_TOKEN }} - terraform: name: Re-terraform stage clusters needs: cancel From a5d705d022b5c00660b7651638e9941dc2572b3c Mon Sep 17 00:00:00 2001 From: Yury Kovalev <8366110+kovayur@users.noreply.github.com> Date: Thu, 8 Dec 2022 09:21:26 +0100 Subject: [PATCH 08/16] ROX-13227: Fix negative DNS caching (#636) --- e2e/e2e_test.go | 29 ++++++++++++++------ internal/dinosaur/pkg/presenters/dinosaur.go | 15 ++++++++-- 2 files changed, 32 insertions(+), 12 deletions(-) diff --git a/e2e/e2e_test.go b/e2e/e2e_test.go index 7f09cbb359..2faede0b09 100644 --- a/e2e/e2e_test.go +++ b/e2e/e2e_test.go 
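Review bot: `needs: cancel` in the `terraform` job still references the job this hunk deletes, so the workflow as committed does not validate; PATCH 09 on this page removes those references, but they belong in this commit. Separately, `concurrency: production` without `cancel-in-progress: true` queues a new push behind a running deploy instead of cancelling it as `cancel-previous-runs` did — likely the safer behaviour for terraform, but it is a change in semantics worth a comment, e.g. `# Serialise deploys; an in-progress run is allowed to finish`. The same applies to the `deploy-stage.yaml` hunk.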
@@ -131,6 +131,26 @@ var _ = Describe("Central", func() { }).WithTimeout(waitTimeout).WithPolling(defaultPolling).Should(Succeed()) }) + It("should not expose URLs until the routes are created", func() { + if createdCentral == nil { + Fail("central not created") + } + if !routesEnabled { + Skip(skipRouteMsg) + } + Expect(createdCentral.CentralUIURL).To(BeEmpty()) + Expect(createdCentral.CentralDataURL).To(BeEmpty()) + }) + + It("should transition central's state to ready", func() { + if createdCentral == nil { + Fail("central not created") + } + Eventually(func() string { + return centralStatus(createdCentral.Id, client) + }).WithTimeout(waitTimeout).WithPolling(defaultPolling).Should(Equal(constants.CentralRequestStatusReady.String())) + }) + It("should create central routes", func() { if createdCentral == nil { Fail("central not created") @@ -207,15 +227,6 @@ var _ = Describe("Central", func() { } }) - It("should transition central's state to ready", func() { - if createdCentral == nil { - Fail("central not created") - } - Eventually(func() string { - return centralStatus(createdCentral.Id, client) - }).WithTimeout(waitTimeout).WithPolling(defaultPolling).Should(Equal(constants.CentralRequestStatusReady.String())) - }) - It("should spin up an egress proxy with two healthy replicas", func() { if createdCentral == nil { Fail("central not created") diff --git a/internal/dinosaur/pkg/presenters/dinosaur.go b/internal/dinosaur/pkg/presenters/dinosaur.go index f7ffa8bcec..fe2fff5a84 100644 --- a/internal/dinosaur/pkg/presenters/dinosaur.go +++ b/internal/dinosaur/pkg/presenters/dinosaur.go 
@@ -26,7 +26,7 @@ func ConvertDinosaurRequest(dinosaurRequestPayload public.CentralRequestPayload, // PresentCentralRequest - create CentralRequest in an appropriate format ready to be returned by the API func PresentCentralRequest(request *dbapi.CentralRequest) public.CentralRequest { - return public.CentralRequest{ + outputRequest := public.CentralRequest{ Id: request.ID, Kind: "CentralRequest", Href: fmt.Sprintf("/api/rhacs/v1/centrals/%s", request.ID), @@ -37,12 +37,21 @@ func PresentCentralRequest(request *dbapi.CentralRequest) public.CentralRequest Region: request.Region, Owner: request.Owner, Name: request.Name, - CentralUIURL: fmt.Sprintf("https://%s", request.GetUIHost()), - CentralDataURL: fmt.Sprintf("%s:%d", request.GetDataHost(), sensorDataPort), CreatedAt: request.CreatedAt, UpdatedAt: request.UpdatedAt, FailedReason: request.FailedReason, Version: request.ActualCentralVersion, InstanceType: request.InstanceType, } + + if request.RoutesCreated { + if request.GetUIHost() != "" { + outputRequest.CentralUIURL = fmt.Sprintf("https://%s", request.GetUIHost()) + } + if request.GetDataHost() != "" { + outputRequest.CentralDataURL = fmt.Sprintf("%s:%d", request.GetDataHost(), sensorDataPort) + } + } + + return outputRequest } From 946a96320caac05f9e521cf7484fb9a433bfd6ac Mon Sep 17 00:00:00 2001 From: Marcin Owsiany Date: Thu, 8 Dec 2022 11:53:35 +0100 Subject: [PATCH 09/16] ROX-13737: remove stale dependencies (#651) --- .github/workflows/deploy-production.yaml | 2 -- .github/workflows/deploy-stage.yaml | 2 -- 2 files changed, 4 deletions(-) diff --git a/.github/workflows/deploy-production.yaml b/.github/workflows/deploy-production.yaml index ac1bbef056..f2691118a2 100644 --- a/.github/workflows/deploy-production.yaml +++ b/.github/workflows/deploy-production.yaml @@ -10,7 +10,6 @@ on: jobs: terraform: name: Re-terraform production clusters - needs: cancel runs-on: ubuntu-latest permissions: id-token: write 
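Review bot: The doc comment on `PresentCentralRequest` still reads "create CentralRequest in an appropriate format" and does not say that `CentralUIURL` and `CentralDataURL` are now left empty until `request.RoutesCreated` is set, which is the contract this commit introduces and the reordered e2e test in this patch depends on. Suggest keeping the first line and adding `// CentralUIURL and CentralDataURL are populated only once the routes exist (RoutesCreated), so clients do not cache a DNS miss for a host that is not yet resolvable.` The function starts in the first hunk and ends in the second.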
@@ -38,7 +37,6 @@ jobs: deploy-probe: name: Deploy blackbox monitoring probe service to production - needs: cancel runs-on: ubuntu-latest permissions: id-token: write diff --git a/.github/workflows/deploy-stage.yaml b/.github/workflows/deploy-stage.yaml index 9ca65fb0f8..c955325fff 100644 --- a/.github/workflows/deploy-stage.yaml +++ b/.github/workflows/deploy-stage.yaml @@ -10,7 +10,6 @@ on: jobs: terraform: name: Re-terraform stage clusters - needs: cancel runs-on: ubuntu-latest permissions: id-token: write @@ -38,7 +37,6 @@ jobs: deploy-probe: name: Deploy blackbox monitoring probe service to stage - needs: cancel runs-on: ubuntu-latest permissions: id-token: write From 7b2bd8f726bce442ef5dc65b80160ac3297f2f4d Mon Sep 17 00:00:00 2001 From: Marcin Owsiany Date: Thu, 8 Dec 2022 12:27:24 +0100 Subject: [PATCH 10/16] ROX-13450: fix image check (#652) Do return error when check fails :facepalm:. --- dp-terraform/helm/rhacs-terraform/check_image_exists.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/dp-terraform/helm/rhacs-terraform/check_image_exists.sh b/dp-terraform/helm/rhacs-terraform/check_image_exists.sh index 8ae36b6a03..d3a445a80c 100755 --- a/dp-terraform/helm/rhacs-terraform/check_image_exists.sh +++ b/dp-terraform/helm/rhacs-terraform/check_image_exists.sh @@ -30,3 +30,4 @@ do fi done echo >&2 "Timed out waiting for the image to appear." +exit 1 From 134a3fd941f10410aa0a2405b23fe14c9a845711 Mon Sep 17 00:00:00 2001 From: Stephan Hesselmann Date: Thu, 8 Dec 2022 12:47:01 +0100 Subject: [PATCH 11/16] ROX-13593: Add tenant ID to managed resources (#650) In addition to labelling the Central CR (see pull/627), this applies the labels to resources managed by the ACS operator. --- fleetshard/pkg/central/reconciler/reconciler.go | 3 +++ fleetshard/pkg/central/reconciler/reconciler_test.go | 1 + 2 files changed, 4 insertions(+) 
diff --git a/fleetshard/pkg/central/reconciler/reconciler.go b/fleetshard/pkg/central/reconciler/reconciler.go index 8e8b05f6e0..6a24dcc696 100644 --- a/fleetshard/pkg/central/reconciler/reconciler.go +++ b/fleetshard/pkg/central/reconciler/reconciler.go @@ -154,6 +154,9 @@ func (r *CentralReconciler) Reconcile(ctx context.Context, remoteCentral private }, Customize: &v1alpha1.CustomizeSpec{ EnvVars: envVars, + Labels: map[string]string{ + tenantIDLabelKey: remoteCentral.Id, + }, }, }, } diff --git a/fleetshard/pkg/central/reconciler/reconciler_test.go b/fleetshard/pkg/central/reconciler/reconciler_test.go index 13c9cd8c60..6ae9b34358 100644 --- a/fleetshard/pkg/central/reconciler/reconciler_test.go +++ b/fleetshard/pkg/central/reconciler/reconciler_test.go @@ -89,6 +89,7 @@ func TestReconcileCreate(t *testing.T) { require.NoError(t, err) assert.Equal(t, centralName, central.GetName()) assert.Equal(t, simpleManagedCentral.Id, central.GetLabels()[tenantIDLabelKey]) + assert.Equal(t, simpleManagedCentral.Id, central.Spec.Customize.Labels[tenantIDLabelKey]) assert.Equal(t, "1", central.GetAnnotations()[revisionAnnotationKey]) assert.Equal(t, "true", central.GetAnnotations()[managedServicesAnnotation]) assert.Equal(t, true, *central.Spec.Central.Exposure.Route.Enabled) From 6dc1858f79290ba88f57ec8791867f778283f0a6 Mon Sep 17 00:00:00 2001 From: Vlad Bologa Date: Thu, 8 Dec 2022 13:13:15 +0100 Subject: [PATCH 12/16] ROX-13811: Enable Performance Insights for managed DBs (#643) Co-authored-by: Yury Kovalev <8366110+kovayur@users.noreply.github.com> --- .../02-fleetshard-sync-deployment.yaml | 2 + dp-terraform/helm/rhacs-terraform/Chart.yaml | 4 +- .../templates/fleetshard-sync.yaml | 2 + .../helm/rhacs-terraform/terraform_cluster.sh | 1 + dp-terraform/helm/rhacs-terraform/values.yaml | 1 + fleetshard/config/config.go | 7 +-- .../central/cloudprovider/awsclient/rds.go | 51 +++++++++++-------- 7 files changed, 43 insertions(+), 25 deletions(-) 
diff --git a/dev/env/manifests/fleetshard-sync/02-fleetshard-sync-deployment.yaml b/dev/env/manifests/fleetshard-sync/02-fleetshard-sync-deployment.yaml index ccc5298321..f55397113c 100644 --- a/dev/env/manifests/fleetshard-sync/02-fleetshard-sync-deployment.yaml +++ b/dev/env/manifests/fleetshard-sync/02-fleetshard-sync-deployment.yaml @@ -49,6 +49,8 @@ spec: value: "$MANAGED_DB_SECURITY_GROUP" - name: MANAGED_DB_SUBNET_GROUP value: "$MANAGED_DB_SUBNET_GROUP" + - name: MANAGED_DB_PERFORMANCE_INSIGHTS + value: "$MANAGED_DB_PERFORMANCE_INSIGHTS" - name: AWS_ROLE_ARN valueFrom: secretKeyRef: diff --git a/dp-terraform/helm/rhacs-terraform/Chart.yaml b/dp-terraform/helm/rhacs-terraform/Chart.yaml index 02466b0751..fd864420d3 100644 --- a/dp-terraform/helm/rhacs-terraform/Chart.yaml +++ b/dp-terraform/helm/rhacs-terraform/Chart.yaml @@ -15,13 +15,13 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: "0.3.0" +version: "0.4.0" # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. # It is recommended to use it with quotes. -appVersion: "0.3.0" +appVersion: "0.4.0" # List of sub-charts and other dependencies dependencies: diff --git a/dp-terraform/helm/rhacs-terraform/templates/fleetshard-sync.yaml b/dp-terraform/helm/rhacs-terraform/templates/fleetshard-sync.yaml index 5a929e8d57..111bdca7c1 100644 --- a/dp-terraform/helm/rhacs-terraform/templates/fleetshard-sync.yaml +++ b/dp-terraform/helm/rhacs-terraform/templates/fleetshard-sync.yaml 
@@ -62,6 +62,8 @@ spec:
 value: {{ required "fleetshardSync.managedDB.subnetGroup is required when fleetshardSync.managedDB.enabled = true" .Values.fleetshardSync.managedDB.subnetGroup }}
 - name: MANAGED_DB_SECURITY_GROUP
 value: {{ required "fleetshardSync.managedDB.securityGroup is required when fleetshardSync.managedDB.enabled = true" .Values.fleetshardSync.managedDB.securityGroup }}
+ - name: MANAGED_DB_PERFORMANCE_INSIGHTS
+ value: {{ .Values.fleetshardSync.managedDB.performanceInsights | quote }}
 {{- end }}
 - name: AWS_REGION
 value: {{ .Values.fleetshardSync.aws.region }}
diff --git a/dp-terraform/helm/rhacs-terraform/terraform_cluster.sh b/dp-terraform/helm/rhacs-terraform/terraform_cluster.sh
index f05687b0e6..83b1a114c9 100755
--- a/dp-terraform/helm/rhacs-terraform/terraform_cluster.sh
+++ b/dp-terraform/helm/rhacs-terraform/terraform_cluster.sh
@@ -99,6 +99,7 @@ helm upgrade rhacs-terraform "${SCRIPT_DIR}" ${HELM_DEBUG_FLAGS:-} \
 --set fleetshardSync.managedDB.enabled=true \
 --set fleetshardSync.managedDB.subnetGroup="${FLEETSHARD_SYNC_MANAGED_DB_SUBNET_GROUP}" \
 --set fleetshardSync.managedDB.securityGroup="${FLEETSHARD_SYNC_MANAGED_DB_SECURITY_GROUP}" \
+ --set fleetshardSync.managedDB.performanceInsights=true \
 --set fleetshardSync.aws.roleARN="${FLEETSHARD_SYNC_AWS_ROLE_ARN}" \
 --set logging.aws.accessKeyId="${LOGGING_AWS_ACCESS_KEY_ID}" \
 --set logging.aws.secretAccessKey="${LOGGING_AWS_SECRET_ACCESS_KEY}" \
diff --git a/dp-terraform/helm/rhacs-terraform/values.yaml b/dp-terraform/helm/rhacs-terraform/values.yaml
index b6686ec3df..9bd0d61fd3 100644
--- a/dp-terraform/helm/rhacs-terraform/values.yaml
+++ b/dp-terraform/helm/rhacs-terraform/values.yaml
@@ -29,6 +29,7 @@ fleetshardSync:
 enabled: true
 subnetGroup: ""
 securityGroup: ""
+ performanceInsights: true
 aws:
 region: "us-east-1"
 roleARN: ""
diff --git a/fleetshard/config/config.go b/fleetshard/config/config.go
index 04a39f3762..04fd884dfb 100644
--- a/fleetshard/config/config.go
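Review bot: The new `MANAGED_DB_PERFORMANCE_INSIGHTS` entry renders as `value: ""` whenever `fleetshardSync.managedDB.performanceInsights` is missing from the values, whereas the two neighbouring entries fail the render with `required`; the consumer declares `envDefault:"false"` for this variable in the same commit, but whether that default is applied to a variable that is present yet empty, or the empty string is rejected as a malformed bool, depends on the env-parsing library and is not visible here. Making the template self-contained avoids the question: `value: {{ .Values.fleetshardSync.managedDB.performanceInsights | default false | quote }}`, or `required` to match the adjacent lines if the value must always be set explicitly. The `{{- if }}` that this block sits in opens outside the hunk.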
+++ b/fleetshard/config/config.go
@@ -38,9 +38,10 @@ type AWS struct {
 
 // ManagedDB for configuring managed DB specific parameters
 type ManagedDB struct {
- Enabled bool `env:"MANAGED_DB_ENABLED" envDefault:"false"`
- SecurityGroup string `env:"MANAGED_DB_SECURITY_GROUP"`
- SubnetGroup string `env:"MANAGED_DB_SUBNET_GROUP"`
+ Enabled bool `env:"MANAGED_DB_ENABLED" envDefault:"false"`
+ SecurityGroup string `env:"MANAGED_DB_SECURITY_GROUP"`
+ SubnetGroup string `env:"MANAGED_DB_SUBNET_GROUP"`
+ PerformanceInsights bool `env:"MANAGED_DB_PERFORMANCE_INSIGHTS" envDefault:"false"`
 }
 
 // GetConfig retrieves the current runtime configuration from the environment and returns it.
diff --git a/fleetshard/pkg/central/cloudprovider/awsclient/rds.go b/fleetshard/pkg/central/cloudprovider/awsclient/rds.go
index 3092c4c821..11d2dc69b8 100644
--- a/fleetshard/pkg/central/cloudprovider/awsclient/rds.go
+++ b/fleetshard/pkg/central/cloudprovider/awsclient/rds.go
@@ -23,23 +23,32 @@ const ( dbAvailableStatus = "available" dbDeletingStatus = "deleting" - dbEngine = "aurora-postgresql" - dbEngineVersion = "13.7" - dbInstanceClass = "db.serverless" dbUser = "rhacs_master" dbPrefix = "rhacs-" dbInstanceSuffix = "-db-instance" dbClusterSuffix = "-db-cluster" - dbPostgresPort = 5432 - dbName = "postgres" awsRetrySeconds = 30 + + // DB cluster / instance configuration parameters + dbEngine = "aurora-postgresql" + dbEngineVersion = "13.7" + dbInstanceClass = "db.serverless" + dbPostgresPort = 5432 + dbName = "postgres" + dbBackupRetentionPeriod = 30 + + // The Aurora Serverless v2 DB instance configuration in ACUs (Aurora Capacity Units) + // 1 ACU = 1 vCPU + 2GB RAM + dbMinCapacityACU = 0.5 + dbMaxCapacityACU = 16 ) // RDS is an AWS RDS client tied to one Central instance. It provisions and deprovisions databases // for the Central. type RDS struct { - dbSecurityGroup string - dbSubnetGroup string + dbSecurityGroup string + dbSubnetGroup string + performanceInsights bool rdsClient *rds.RDS }
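Review bot: The new `PerformanceInsights` field carries no comment, although the struct itself is introduced with a `// ManagedDB ...` line and the value is forwarded unchanged to the RDS instance's `EnablePerformanceInsights` setting elsewhere in this commit, so a reader of the config package cannot tell from here what turning it on does. Suggest `// PerformanceInsights enables AWS RDS Performance Insights on the DB instances this fleetshard provisions; off unless MANAGED_DB_PERFORMANCE_INSIGHTS is set to true.` on the line above the field. The realignment of the three existing fields is only gofmt reacting to the longer name and needs no separate attention.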
@@ -135,7 +144,7 @@ func (r *RDS) ensureDBInstanceCreated(instanceID string, clusterID string) error
 }
 
 glog.Infof("Initiating provisioning of RDS database instance %s.", instanceID)
- _, err = r.rdsClient.CreateDBInstance(newCreateCentralDBInstanceInput(clusterID, instanceID))
+ _, err = r.rdsClient.CreateDBInstance(newCreateCentralDBInstanceInput(clusterID, instanceID, r.performanceInsights))
 if err != nil {
 return fmt.Errorf("creating DB instance: %w", err)
 }
@@ -262,9 +271,10 @@ func NewRDSClient(config *config.Config, auth fleetmanager.Auth) (*RDS, error) {
 }
 
 return &RDS{
- rdsClient: rdsClient,
- dbSecurityGroup: config.ManagedDB.SecurityGroup,
- dbSubnetGroup: config.ManagedDB.SubnetGroup,
+ rdsClient: rdsClient,
+ dbSecurityGroup: config.ManagedDB.SecurityGroup,
+ dbSubnetGroup: config.ManagedDB.SubnetGroup,
+ performanceInsights: config.ManagedDB.PerformanceInsights,
 }, nil
 }
@@ -286,21 +296,22 @@ func newCreateCentralDBClusterInput(clusterID, dbPassword, securityGroup, subnet VpcSecurityGroupIds: aws.StringSlice([]string{securityGroup}), DBSubnetGroupName: aws.String(subnetGroup), ServerlessV2ScalingConfiguration: &rds.ServerlessV2ScalingConfiguration{ - MinCapacity: aws.Float64(0.5), - MaxCapacity: aws.Float64(16), + MinCapacity: aws.Float64(dbMinCapacityACU), + MaxCapacity: aws.Float64(dbMaxCapacityACU), }, - BackupRetentionPeriod: aws.Int64(30), + BackupRetentionPeriod: aws.Int64(dbBackupRetentionPeriod), StorageEncrypted: aws.Bool(true), } } -func newCreateCentralDBInstanceInput(clusterID, instanceID string) *rds.CreateDBInstanceInput { +func newCreateCentralDBInstanceInput(clusterID, instanceID string, performanceInsights bool) *rds.CreateDBInstanceInput { return &rds.CreateDBInstanceInput{ - DBInstanceClass: aws.String(dbInstanceClass), - DBClusterIdentifier: aws.String(clusterID), - DBInstanceIdentifier: aws.String(instanceID), - Engine: aws.String(dbEngine), - PubliclyAccessible: aws.Bool(false), + DBInstanceClass: aws.String(dbInstanceClass), + DBClusterIdentifier: aws.String(clusterID), + DBInstanceIdentifier: aws.String(instanceID), + Engine: aws.String(dbEngine), + PubliclyAccessible: aws.Bool(false), + EnablePerformanceInsights: aws.Bool(performanceInsights), } }
From 2826f6134f3bf1ed49d2713f50dd51c506322f5c Mon Sep 17 00:00:00 2001
From: Marcin Owsiany
Date: Thu, 8 Dec 2022 14:19:50 +0100
Subject: [PATCH 13/16] ROX-13648: check out full history (#647)
---
 .github/workflows/deploy-production.yaml | 4 ++++
 .github/workflows/deploy-stage.yaml | 4 ++++
 2 files changed, 8 insertions(+)
diff --git a/.github/workflows/deploy-production.yaml b/.github/workflows/deploy-production.yaml
index f2691118a2..8a2c59ca8f 100644
--- a/.github/workflows/deploy-production.yaml
+++ b/.github/workflows/deploy-production.yaml
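Review bot: `EnablePerformanceInsights` is set in newCreateCentralDBInstanceInput without `PerformanceInsightsKMSKeyId` or `PerformanceInsightsRetentionPeriod`, so the captured SQL text and wait-event data for each tenant's database falls back to the AWS-managed default key and default retention, while the cluster input just above opts into `StorageEncrypted` explicitly; the two encryption postures should be decided together rather than one inherited. If the default key and retention are acceptable, say so on the new line, e.g. `// Performance Insights stores SQL text and wait events on the AWS side; key and retention are AWS defaults unless set here.`, otherwise pass both fields alongside the flag. Note also that this flag only applies at instance creation, so toggling `MANAGED_DB_PERFORMANCE_INSIGHTS` on a fleet with existing instances presumably changes nothing unless a modify path exists elsewhere — worth a sentence in the config field's documentation. The same constant-extraction applies to newCreateCentralDBClusterInput, whose start lies outside the hunk.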
@@ -22,6 +22,8 @@ jobs:
 go-version: "1.18"
 - name: Checkout
 uses: actions/checkout@v3
+ with:
+ fetch-depth: 0 # Critical for correct image detection in deploy script
 - name: Configure AWS credentials
 uses: aws-actions/configure-aws-credentials@v1-node16
 with:
@@ -49,6 +51,8 @@ jobs:
 go-version: "1.18"
 - name: Checkout
 uses: actions/checkout@v3
+ with:
+ fetch-depth: 0 # Critical for correct image detection in deploy script
 - name: Configure AWS credentials
 uses: aws-actions/configure-aws-credentials@v1-node16
 with:
diff --git a/.github/workflows/deploy-stage.yaml b/.github/workflows/deploy-stage.yaml
index c955325fff..fb2feef0d3 100644
--- a/.github/workflows/deploy-stage.yaml
+++ b/.github/workflows/deploy-stage.yaml
@@ -22,6 +22,8 @@ jobs:
 go-version: "1.18"
 - name: Checkout
 uses: actions/checkout@v3
+ with:
+ fetch-depth: 0 # Critical for correct image detection in deploy script
 - name: Configure AWS credentials
 uses: aws-actions/configure-aws-credentials@v1-node16
 with:
@@ -49,6 +51,8 @@ jobs:
 go-version: "1.18"
 - name: Checkout
 uses: actions/checkout@v3
+ with:
+ fetch-depth: 0 # Critical for correct image detection in deploy script
 - name: Configure AWS credentials
 uses: aws-actions/configure-aws-credentials@v1-node16
 with:
From f29ca513d7f87980ef18a658fd4f8f2722786559 Mon Sep 17 00:00:00 2001
From: Vlad Bologa
Date: Fri, 9 Dec 2022 09:57:08 +0100
Subject: [PATCH 14/16] Improve RDS instance status log message (#655)
---
 fleetshard/pkg/central/cloudprovider/awsclient/rds.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fleetshard/pkg/central/cloudprovider/awsclient/rds.go b/fleetshard/pkg/central/cloudprovider/awsclient/rds.go
index 11d2dc69b8..c22400213a 100644
--- a/fleetshard/pkg/central/cloudprovider/awsclient/rds.go
+++ b/fleetshard/pkg/central/cloudprovider/awsclient/rds.go
@@ -252,7 +252,7 @@ func (r *RDS) waitForInstanceToBeAvailable(ctx context.Context, instanceID strin
 return connectionString, nil
 }
 
- glog.Infof("RDS instance status: %s", dbInstanceStatus)
+ glog.Infof("RDS instance status: %s (instance ID: %s)", dbInstanceStatus, instanceID)
 ticker := time.NewTicker(awsRetrySeconds * time.Second)
 select {
 case <-ticker.C:
From 6af5d55b76a3a61eb4785342bde9007d10463eef Mon Sep 17 00:00:00 2001
From: Marcin Owsiany
Date: Fri, 9 Dec 2022 10:12:14 +0100
Subject: [PATCH 15/16] ROX-13648: Revert "Rollback automatic tag resolution on prod (#645)" (#656)
Revert "Rollback automatic tag resolution on prod (#645)"
This reverts commit 1847f55d50861bfa2b309927b1f64365840164c7.
---
 dp-terraform/helm/rhacs-terraform/terraform_cluster.sh | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/dp-terraform/helm/rhacs-terraform/terraform_cluster.sh b/dp-terraform/helm/rhacs-terraform/terraform_cluster.sh
index 83b1a114c9..8e2e679e98 100755
--- a/dp-terraform/helm/rhacs-terraform/terraform_cluster.sh
+++ b/dp-terraform/helm/rhacs-terraform/terraform_cluster.sh
@@ -32,17 +32,12 @@ case $ENVIRONMENT in FM_ENDPOINT="https://xtr6hh3mg6zc80v.api.stage.openshift.com" OBSERVABILITY_GITHUB_TAG="master" OBSERVABILITY_OBSERVATORIUM_GATEWAY="https://observatorium-mst.api.stage.openshift.com" - # Get the first non-merge commit, starting with HEAD. - # On main this should be HEAD - FLEETSHARD_SYNC_TAG="$(git rev-list --no-merges --max-count 1 --abbrev-commit --abbrev=7 HEAD)" ;; prod) FM_ENDPOINT="https://api.openshift.com" OBSERVABILITY_GITHUB_TAG="production" OBSERVABILITY_OBSERVATORIUM_GATEWAY="https://observatorium-mst.api.openshift.com" - - FLEETSHARD_SYNC_TAG="1df0bc5" ;; *)
@@ -57,6 +52,10 @@ if [[ $CLUSTER_ENVIRONMENT != "$ENVIRONMENT" ]]; then
 exit 2
 fi
 
+# Get the first non-merge commit, starting with HEAD.
+# On main this should be HEAD, on production, the latest merged main commit.
+FLEETSHARD_SYNC_TAG="$(git rev-list --no-merges --max-count 1 --abbrev-commit --abbrev=7 HEAD)"
+
 if [[ "${HELM_PRINT_ONLY:-}" == "true" ]]; then
 HELM_DEBUG_FLAGS="--debug --dry-run"
 else
From b7b15aa20503cc34af015625a7ae6c11e73a6a3e Mon Sep 17 00:00:00 2001
From: Yury Kovalev <8366110+kovayur@users.noreply.github.com>
Date: Sat, 10 Dec 2022 13:27:06 +0100
Subject: [PATCH 16/16] Remove Openshift CI build root Dockerfile (#657)
---
 .openshift-ci/build-root/Dockerfile | 101 ----------------------------
 1 file changed, 101 deletions(-)
 delete mode 100644 .openshift-ci/build-root/Dockerfile
diff --git a/.openshift-ci/build-root/Dockerfile b/.openshift-ci/build-root/Dockerfile
deleted file mode 100644
index 81d4c2a1ca..0000000000
--- a/.openshift-ci/build-root/Dockerfile
+++ /dev/null
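Review bot: `FLEETSHARD_SYNC_TAG` is assigned from `git rev-list --no-merges --max-count 1 HEAD` and never checked before the script continues, so a checkout in which no non-merge commit is reachable — a shallow clone whose HEAD is a merge commit, which is exactly what the companion `fetch-depth: 0` workflow change works around — yields an empty string, and whatever later consumes the variable (presumably the fleetshard-sync image reference) runs with an empty tag instead of failing here. A one-line guard after the assignment makes that explicit: `[[ -n "${FLEETSHARD_SYNC_TAG}" ]] || { echo "could not resolve fleetshard-sync image tag from git history (shallow checkout?)" >&2; exit 1; }`. Separately, resolving the tag from history says nothing about whether an image for that commit has been published yet; a registry existence check before the helm upgrade would turn an unpullable production rollout into an early, visible error. The `case` block this replaces is in the previous hunk and the helm invocation lies outside this one.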
@@ -1,101 +0,0 @@ -# Changes to this file are not validated automatically by CI. That is because -# the CI as defined in openshift/release runs against HEAD and uses the version -# of this file found there. - -# In order to validate a change to this file i.e. a new version of the test environment: -# - make the change on a stackrox/stackrox PR (do not use / in the branch name as it is not supported in openshift/release) -# - open a PR in openshift/release (this is just for test. mark the PR with `/hold` and `/uncc` autoassigned reviewers to reduce noise) -# - duplicate the main branch CI workflow to a workflow that tests the stackrox/stackrox PR branch -# - run openshift/release automation to generate the prow config -# - `make update` and commit the results -# - run `/test pj-rehearse-max` on the openshift/release PR to validate the change - -FROM quay.io/centos/centos:stream9 - -RUN rm -f /etc/yum.repos.d/* && { \ - echo "[baseos]"; \ - echo "name=CentOS Stream \$releasever - BaseOS"; \ - echo "baseurl=http://mirror.stream.centos.org/\$releasever-stream/BaseOS/\$basearch/os/"; \ - echo "gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial"; \ - echo "gpgcheck=1"; \ - echo "repo_gpgcheck=0"; \ - echo "metadata_expire=6h"; \ - echo "countme=1"; \ - echo "enabled=1"; \ - echo; \ - echo "[appstream]"; \ - echo "name=CentOS Stream $releasever - AppStream"; \ - echo "baseurl=http://mirror.stream.centos.org/\$releasever-stream/AppStream/\$basearch/os/"; \ - echo "gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial"; \ - echo "gpgcheck=1"; \ - echo "repo_gpgcheck=0"; \ - echo "metadata_expire=6h"; \ - echo "countme=1"; \ - echo "enabled=1"; \ - } > "/etc/yum.repos.d/centos.repo" - -RUN dnf update -y && dnf -y install make which git gettext jq gcc - -ARG GO_VERSION=1.18.8 -RUN curl -L --retry 10 --silent --show-error --fail -o /tmp/go.linux-amd64.tar.gz \ - "https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz" && \ - tar -C /usr/local -xzf 
/tmp/go.linux-amd64.tar.gz && \ - rm -f /tmp/go.linux-amd64.tar.gz -ENV PATH="/usr/local/go/bin:${PATH}" - -ARG YQ_VERSION=4.27.5 -RUN curl -L --retry 10 --silent --show-error --fail -o /tmp/yq_linux_amd64.tar.gz \ - "https://github.com/mikefarah/yq/releases/download/v${YQ_VERSION}/yq_linux_amd64.tar.gz" && \ - tar -xzf /tmp/yq_linux_amd64.tar.gz ./yq_linux_amd64 && \ - mv yq_linux_amd64 /usr/local/bin/yq && \ - chmod +x /usr/local/bin/yq && \ - rm /tmp/yq_linux_amd64.tar.gz - -ARG NODE_VERSION=16.15.1 -RUN curl -L --retry 10 --silent --show-error --fail -o /tmp/node-linux-x64.tar.gz \ - "https://nodejs.org/dist/v${NODE_VERSION}/node-v${NODE_VERSION}-linux-x64.tar.gz" && \ - mkdir -p /usr/local/lib/nodejs && \ - tar -xzf /tmp/node-linux-x64.tar.gz -C /usr/local/lib/nodejs && \ - rm /tmp/node-linux-x64.tar.gz -ENV PATH="/usr/local/lib/nodejs/node-v${NODE_VERSION}-linux-x64/bin:${PATH}" - -ARG STERN_VERSION="1.22.0" -RUN curl -L --retry 10 --silent --show-error --fail -o "/tmp/stern_linux_amd64.tar.gz" \ - "https://github.com/stern/stern/releases/download/v${STERN_VERSION}/stern_${STERN_VERSION}_linux_amd64.tar.gz" && \ - tar -xf /tmp/stern_linux_amd64.tar.gz stern && \ - mv stern /usr/local/bin/stern && \ - chmod +x /usr/local/bin/stern - -ARG GOTESTSUM_VERSION=1.8.1 -RUN curl -L --retry 10 --silent --show-error --fail -o /tmp/gotestsum_linux_amd64.tar.gz \ - "https://github.com/gotestyourself/gotestsum/releases/download/v${GOTESTSUM_VERSION}/gotestsum_${GOTESTSUM_VERSION}_linux_amd64.tar.gz" && \ - tar -xzvf /tmp/gotestsum_linux_amd64.tar.gz gotestsum && \ - mv gotestsum /usr/local/bin && \ - chmod +x /usr/local/bin/gotestsum && \ - rm /tmp/gotestsum_linux_amd64.tar.gz - -RUN mkdir -p /stackrox/crds && \ - curl -L --retry 10 --silent --show-error --fail -o /stackrox/crds/platform.stackrox.io_centrals.yaml \ - https://raw.githubusercontent.com/stackrox/stackrox/release/3.70.x/operator/config/crd/bases/platform.stackrox.io_centrals.yaml && \ - curl -L --retry 10 
--silent --show-error --fail -o /stackrox/crds/platform.stackrox.io_securedclusters.yaml \ - https://raw.githubusercontent.com/stackrox/stackrox/release/3.70.x/operator/config/crd/bases/platform.stackrox.io_securedclusters.yaml - -ARG OCM_VERSION=0.1.64 -RUN curl -L --retry 10 --silent --show-error --fail -o "/usr/local/bin/ocm" \ - "https://github.com/openshift-online/ocm-cli/releases/download/v${OCM_VERSION}/ocm-linux-amd64" && \ - chmod +x /usr/local/bin/ocm - -ARG GOPATH=/go -ENV GOPATH=${GOPATH} - -ARG GOCACHE=/go/.cache -ENV GOCACHE=${GOCACHE} - -ARG GOROOT=/usr/local/go -ENV GOROOT=${GOROOT} - -ARG GOFLAGS=-mod=mod -ENV GOFLAGS=${GOFLAGS} - -RUN mkdir -p ${GOPATH} -WORKDIR ${GOPATH}