Release 2022 12 12.1.b7b15aa

.github/workflows/deploy-production.yaml

@@ -1,23 +1,15 @@
 name: Deploy Prod Env
 
+concurrency: production
+
 on:
   push:
     branches:
       - production
 
 jobs:
-  cancel:
-    name: Cancel previous runs
-    runs-on: ubuntu-latest
-    steps:
-      - name: Cancel Previous Runs
-        uses: n1hility/cancel-previous-runs@v2
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-
   terraform:
     name: Re-terraform production clusters
-    needs: cancel
     runs-on: ubuntu-latest
     permissions:
       id-token: write
@@ -30,6 +22,8 @@ jobs:
           go-version: "1.18"
       - name: Checkout
         uses: actions/checkout@v3
+        with:
+          fetch-depth: 0  # Critical for correct image detection in deploy script
       - name: Configure AWS credentials
         uses: aws-actions/configure-aws-credentials@v1-node16
         with:
@@ -45,7 +39,6 @@ jobs:
 
   deploy-probe:
     name: Deploy blackbox monitoring probe service to production
-    needs: cancel
     runs-on: ubuntu-latest
     permissions:
       id-token: write
@@ -58,6 +51,8 @@ jobs:
           go-version: "1.18"
       - name: Checkout
         uses: actions/checkout@v3
+        with:
+          fetch-depth: 0  # Critical for correct image detection in deploy script
       - name: Configure AWS credentials
         uses: aws-actions/configure-aws-credentials@v1-node16
         with:

.github/workflows/deploy-stage.yaml

@@ -1,23 +1,15 @@
 name: Deploy Stage Env
 
+concurrency: stage
+
 on:
   push:
     branches:
       - main
 
 jobs:
-  cancel:
-    name: Cancel previous runs
-    runs-on: ubuntu-latest
-    steps:
-      - name: Cancel Previous Runs
-        uses: n1hility/cancel-previous-runs@v2
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-
   terraform:
     name: Re-terraform stage clusters
-    needs: cancel
     runs-on: ubuntu-latest
     permissions:
       id-token: write
@@ -30,6 +22,8 @@ jobs:
           go-version: "1.18"
       - name: Checkout
         uses: actions/checkout@v3
+        with:
+          fetch-depth: 0  # Critical for correct image detection in deploy script
       - name: Configure AWS credentials
         uses: aws-actions/configure-aws-credentials@v1-node16
         with:
@@ -45,7 +39,6 @@ jobs:
 
   deploy-probe:
     name: Deploy blackbox monitoring probe service to stage
-    needs: cancel
     runs-on: ubuntu-latest
     permissions:
       id-token: write
@@ -58,6 +51,8 @@ jobs:
           go-version: "1.18"
       - name: Checkout
         uses: actions/checkout@v3
+        with:
+          fetch-depth: 0  # Critical for correct image detection in deploy script
       - name: Configure AWS credentials
         uses: aws-actions/configure-aws-credentials@v1-node16
         with:

CHANGELOG.md

@@ -10,6 +10,8 @@ This Changelog should be updated for:
 ### Added
 ### Changed
 - Data Plane terraforming now deploys fleetshard image obtained dynamically rather than hardcoded in the script
+- Upgrade StackRox operator to v3.73.0
+- Add managed DB values to the Data Plane terraforming Helm Chart
 ### Deprecated
 ### Removed
 

dev/env/manifests/fleetshard-sync/02-fleetshard-sync-deployment.yaml

@@ -49,6 +49,8 @@ spec:
               value: "$MANAGED_DB_SECURITY_GROUP"
             - name: MANAGED_DB_SUBNET_GROUP
               value: "$MANAGED_DB_SUBNET_GROUP"
+            - name: MANAGED_DB_PERFORMANCE_INSIGHTS
+              value: "$MANAGED_DB_PERFORMANCE_INSIGHTS"
             - name: AWS_ROLE_ARN
               valueFrom:
                 secretKeyRef:

dev/env/manifests/rhacs-operator/marketplace/03-subscription.yaml

@@ -9,6 +9,6 @@ spec:
   installPlanApproval: Automatic
   source: redhat-operators
   sourceNamespace: openshift-marketplace
-  startingCSV: rhacs-operator.v3.72.0
+  startingCSV: rhacs-operator.v3.73.0
   config:
     resources: $RHACS_OPERATOR_RESOURCES

dp-terraform/helm/rhacs-terraform/Chart.yaml

@@ -15,13 +15,13 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: "0.1.0"
+version: "0.4.0"
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "0.1.0"
+appVersion: "0.4.0"
 
 # List of sub-charts and other dependencies
 dependencies:

dp-terraform/helm/rhacs-terraform/check_image_exists.sh

@@ -30,3 +30,4 @@ do
     fi
 done
 echo >&2 "Timed out waiting for the image to appear."
+exit 1

dp-terraform/helm/rhacs-terraform/templates/fleetshard-sync-secret.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: fleetshard-sync
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: fleetshard-sync
+stringData:
+  rhsso-service-account-client-id: {{ .Values.fleetshardSync.redHatSSO.clientId | quote }}
+  rhsso-service-account-client-secret: {{ .Values.fleetshardSync.redHatSSO.clientSecret | quote }}

dp-terraform/helm/rhacs-terraform/templates/fleetshard-sync.yaml

@@ -40,13 +40,35 @@ spec:
         - name: EGRESS_PROXY_IMAGE
           value: {{ .Values.fleetshardSync.egressProxy.image | quote }}
         - name: RHSSO_SERVICE_ACCOUNT_CLIENT_ID
-          value: {{ .Values.fleetshardSync.redHatSSO.clientId }}
+          valueFrom:
+            secretKeyRef:
+              name: fleetshard-sync
+              key: "rhsso-service-account-client-id"
+              optional: false
         - name: RHSSO_SERVICE_ACCOUNT_CLIENT_SECRET
-          value: {{ .Values.fleetshardSync.redHatSSO.clientSecret }}
+          valueFrom:
+            secretKeyRef:
+              name: fleetshard-sync
+              key: "rhsso-service-account-client-secret"
+              optional: false
         - name: RHSSO_REALM
           value: {{ .Values.fleetshardSync.redHatSSO.realm }}
         - name: RHSSO_ENDPOINT
           value: {{ .Values.fleetshardSync.redHatSSO.endpoint }}
+        - name: MANAGED_DB_ENABLED
+          value: {{ .Values.fleetshardSync.managedDB.enabled | quote }}
+        {{- if eq .Values.fleetshardSync.managedDB.enabled true }}
+        - name: MANAGED_DB_SUBNET_GROUP
+          value: {{ required "fleetshardSync.managedDB.subnetGroup is required when fleetshardSync.managedDB.enabled = true" .Values.fleetshardSync.managedDB.subnetGroup }}
+        - name: MANAGED_DB_SECURITY_GROUP
+          value: {{ required "fleetshardSync.managedDB.securityGroup is required when fleetshardSync.managedDB.enabled = true" .Values.fleetshardSync.managedDB.securityGroup }}
+        - name: MANAGED_DB_PERFORMANCE_INSIGHTS
+          value: {{ .Values.fleetshardSync.managedDB.performanceInsights | quote }}
+        {{- end }}
+        - name: AWS_REGION
+          value: {{ .Values.fleetshardSync.aws.region }}
+        - name: AWS_ROLE_ARN
+          value: {{ .Values.fleetshardSync.aws.roleARN }}
         ports:
         - name: monitoring
           containerPort: 8080

dp-terraform/helm/rhacs-terraform/terraform_cluster.sh

@@ -32,25 +32,12 @@ case $ENVIRONMENT in
     FM_ENDPOINT="https://xtr6hh3mg6zc80v.api.stage.openshift.com"
     OBSERVABILITY_GITHUB_TAG="master"
     OBSERVABILITY_OBSERVATORIUM_GATEWAY="https://observatorium-mst.api.stage.openshift.com"
-    # TODO Use downstream operator after downstream release 3.73.0
-    OPERATOR_USE_UPSTREAM=true
-    OPERATOR_VERSION="v3.73.0"
-
-    # Get the first non-merge commit, starting with HEAD.
-    # On main this should be HEAD
-    FLEETSHARD_SYNC_TAG="$(git rev-list --no-merges --max-count 1 --abbrev-commit --abbrev=7 HEAD)"
-    "${SCRIPT_DIR}/check_image_exists.sh" "${FLEETSHARD_SYNC_TAG}"
     ;;
 
   prod)
     FM_ENDPOINT="https://api.openshift.com"
     OBSERVABILITY_GITHUB_TAG="production"
     OBSERVABILITY_OBSERVATORIUM_GATEWAY="https://observatorium-mst.api.openshift.com"
-
-    OPERATOR_USE_UPSTREAM=false
-    OPERATOR_VERSION="v3.72.0"
-
-    FLEETSHARD_SYNC_TAG="1df0bc5"
     ;;
 
   *)
@@ -65,10 +52,21 @@ if [[ $CLUSTER_ENVIRONMENT != "$ENVIRONMENT" ]]; then
     exit 2
 fi
 
+# Get the first non-merge commit, starting with HEAD.
+# On main this should be HEAD, on production, the latest merged main commit.
+FLEETSHARD_SYNC_TAG="$(git rev-list --no-merges --max-count 1 --abbrev-commit --abbrev=7 HEAD)"
+
+if [[ "${HELM_PRINT_ONLY:-}" == "true" ]]; then
+    HELM_DEBUG_FLAGS="--debug --dry-run"
+else
+    "${SCRIPT_DIR}/check_image_exists.sh" "${FLEETSHARD_SYNC_TAG}"
+fi
+
 load_external_config "cluster-${CLUSTER_NAME}" CLUSTER_
 oc login --token="${CLUSTER_ROBOT_OC_TOKEN}" --server="$CLUSTER_URL"
 
 OPERATOR_SOURCE="redhat-operators"
+OPERATOR_USE_UPSTREAM="${OPERATOR_USE_UPSTREAM:-false}"
 if [[ "${OPERATOR_USE_UPSTREAM}" == "true" ]]; then
     load_external_config quay/rhacs-eng QUAY_
     quay_basic_auth="${QUAY_READ_ONLY_USERNAME}:${QUAY_READ_ONLY_PASSWORD}"
@@ -81,22 +79,27 @@ if [[ "${OPERATOR_USE_UPSTREAM}" == "true" ]]; then
     OPERATOR_SOURCE="rhacs-operators"
 fi
 
-# helm template --debug ... to debug changes
-helm upgrade rhacs-terraform "${SCRIPT_DIR}" \
+# shellcheck disable=SC2086
+helm upgrade rhacs-terraform "${SCRIPT_DIR}" ${HELM_DEBUG_FLAGS:-} \
   --install \
   --namespace rhacs \
   --create-namespace \
   --set acsOperator.enabled=true \
   --set acsOperator.source="${OPERATOR_SOURCE}" \
   --set acsOperator.sourceNamespace=openshift-marketplace \
-  --set acsOperator.version="${OPERATOR_VERSION}" \
+  --set acsOperator.version=v3.73.0 \
   --set acsOperator.upstream="${OPERATOR_USE_UPSTREAM}" \
   --set fleetshardSync.image="quay.io/app-sre/acs-fleet-manager:${FLEETSHARD_SYNC_TAG}" \
   --set fleetshardSync.authType="RHSSO" \
   --set fleetshardSync.clusterId="${CLUSTER_ID}" \
   --set fleetshardSync.fleetManagerEndpoint="${FM_ENDPOINT}" \
   --set fleetshardSync.redHatSSO.clientId="${FLEETSHARD_SYNC_RHSSO_SERVICE_ACCOUNT_CLIENT_ID}" \
   --set fleetshardSync.redHatSSO.clientSecret="${FLEETSHARD_SYNC_RHSSO_SERVICE_ACCOUNT_CLIENT_SECRET}" \
+  --set fleetshardSync.managedDB.enabled=true \
+  --set fleetshardSync.managedDB.subnetGroup="${FLEETSHARD_SYNC_MANAGED_DB_SUBNET_GROUP}" \
+  --set fleetshardSync.managedDB.securityGroup="${FLEETSHARD_SYNC_MANAGED_DB_SECURITY_GROUP}" \
+  --set fleetshardSync.managedDB.performanceInsights=true \
+  --set fleetshardSync.aws.roleARN="${FLEETSHARD_SYNC_AWS_ROLE_ARN}" \
   --set logging.aws.accessKeyId="${LOGGING_AWS_ACCESS_KEY_ID}" \
   --set logging.aws.secretAccessKey="${LOGGING_AWS_SECRET_ACCESS_KEY}" \
   --set observability.github.accessToken="${OBSERVABILITY_GITHUB_ACCESS_TOKEN}" \

dp-terraform/helm/rhacs-terraform/values.yaml

@@ -25,6 +25,14 @@ fleetshardSync:
     realm: "redhat-external"
   egressProxy:
     image: "registry.redhat.io/openshift4/ose-egress-http-proxy:v4.11.0"
+  managedDB:
+    enabled: true
+    subnetGroup: ""
+    securityGroup: ""
+    performanceInsights: true
+  aws:
+    region: "us-east-1"
+    roleARN: ""
 
 acsOperator:
   enabled: false