akuity · krancour · Jan 11, 2024 · Jan 9, 2024 · Jan 9, 2024 · Jan 9, 2024
@@ -91,7 +91,9 @@ k8s_resource(
     'kargo-controller:rolebinding',
     'kargo-controller:serviceaccount',
     'kargo-controller-argocd:clusterrole',
-    'kargo-controller-argocd:clusterrolebinding'
+    'kargo-controller-argocd:clusterrolebinding',
+    'kargo-controller-rollouts:clusterrole',
+    'kargo-controller-rollouts:clusterrolebinding'
   ],
   resource_deps=['back-end-compile']
 )

@@ -20,6 +20,44 @@
 	StagePhaseVerifying StagePhase = "Verifying"
 )
 
+type VerificationPhase string
+
+// Note: VerificationPhases are identical to AnalysisRunPhases. In almost all
+// cases, the VerificationPhase will be a reflection of the underlying
+// AnalysisRunPhase. There are exceptions to this, such as in the case where an
+// AnalysisRun cannot be launched successfully.
+
+const (
+	// VerificationPhasePending denotes a verification process that has not yet
+	// started yet.
+	VerificationPhasePending VerificationPhase = "Pending"
+	// VerificationPhaseRunning denotes a verification that is currently running.
+	VerificationPhaseRunning VerificationPhase = "Running"
+	// VerificationPhaseSuccessful denotes a verification process that has
+	// completed successfully.
+	VerificationPhaseSuccessful VerificationPhase = "Successful"
+	// VerificationPhaseFailed denotes a verification process that has completed
+	// with a failure.
+	VerificationPhaseFailed VerificationPhase = "Failed"
+	// VerificationPhaseError denotes a verification process that has completed
+	// with an error.
+	VerificationPhaseError VerificationPhase = "Error"
+	// VerificationPhaseInconclusive denotes a verification process that has
+	// completed with an inconclusive result.
+	VerificationPhaseInconclusive VerificationPhase = "Inconclusive"
+)
+
+// IsTerminal returns true if the VerificationPhase is a terminal one.
+func (v *VerificationPhase) IsTerminal() bool {
+	switch *v {
+	case VerificationPhaseSuccessful, VerificationPhaseFailed,
+		VerificationPhaseError, VerificationPhaseInconclusive:
+		return true
+	default:
+		return false
+	}
+}
+
 // +kubebuilder:validation:Enum={ImageAndTag,Tag,ImageAndDigest,Digest}
 type ImageUpdateValueType string
 
@@ -485,7 +523,7 @@
 	Charts []Chart `json:"charts,omitempty"`
 	// VerificationInfo is information about any verification process that was
 	// associated with this Freight for this Stage.
-	VerificationInfo *VerificationInfo `json:"verificationResult,omitempty"`
+	VerificationInfo *VerificationInfo `json:"verificationInfo,omitempty"`
 }
 
 type FreightReferenceStack []FreightReference
@@ -673,7 +711,17 @@
 // VerificationInfo contains information about the currently running
 // Verification process.
 type VerificationInfo struct {
-	AnalysisRun AnalysisRunReference `json:"analysisRun"`
+	// Phase describes the current phase of the Verification process. Generally,
+	// this will be a reflection of the underlying AnalysisRun's phase, however,
+	// there are exceptions to this, such as in the case where an AnalysisRun
+	// cannot be launched successfully.
+	Phase VerificationPhase `json:"phase,omitempty"`
+	// Message may contain additional information about why the verification
+	// process is in its current phase.
+	Message string `json:"message,omitempty"`
+	// AnalysisRun is a reference to the Argo Rollouts AnalysisRun that implements
+	// the Verification process.
+	AnalysisRun *AnalysisRunReference `json:"analysisRun,omitempty"`
 }
 
 // AnalysisRunReference is a reference to an AnalysisRun.

@@ -313,6 +313,8 @@ message AnalysisRunArgument {
 
 message VerificationInfo {
   AnalysisRunReference analysis_run = 1 [json_name = "analysisRun"];
+  string phase = 2 [json_name = "phase"];
+  string message = 3 [json_name = "message"];
 }
 
 message AnalysisRunReference {

@@ -602,12 +602,13 @@ spec:
                           type: string
                       type: object
                     type: array
-                  verificationResult:
+                  verificationInfo:
                     description: VerificationInfo is information about any verification
                       process that was associated with this Freight for this Stage.
                     properties:
                       analysisRun:
-                        description: AnalysisRunReference is a reference to an AnalysisRun.
+                        description: AnalysisRun is a reference to the Argo Rollouts
+                          AnalysisRun that implements the Verification process.
                         properties:
                           name:
                             description: Name is the name of the AnalysisRun.
@@ -624,8 +625,17 @@ spec:
                         - namespace
                         - phase
                         type: object
-                    required:
-                    - analysisRun
+                      message:
+                        description: Message may contain additional information about
+                          why the verification process is in its current phase.
+                        type: string
+                      phase:
+                        description: Phase describes the current phase of the Verification
+                          process. Generally, this will be a reflection of the underlying
+                          AnalysisRun's phase, however, there are exceptions to this,
+                          such as in the case where an AnalysisRun cannot be launched
+                          successfully.
+                        type: string
                     type: object
                 type: object
               currentPromotion:
@@ -724,13 +734,13 @@ spec:
                               type: string
                           type: object
                         type: array
-                      verificationResult:
+                      verificationInfo:
                         description: VerificationInfo is information about any verification
                           process that was associated with this Freight for this Stage.
                         properties:
                           analysisRun:
-                            description: AnalysisRunReference is a reference to an
-                              AnalysisRun.
+                            description: AnalysisRun is a reference to the Argo Rollouts
+                              AnalysisRun that implements the Verification process.
                             properties:
                               name:
                                 description: Name is the name of the AnalysisRun.
@@ -747,8 +757,18 @@ spec:
                             - namespace
                             - phase
                             type: object
-                        required:
-                        - analysisRun
+                          message:
+                            description: Message may contain additional information
+                              about why the verification process is in its current
+                              phase.
+                            type: string
+                          phase:
+                            description: Phase describes the current phase of the
+                              Verification process. Generally, this will be a reflection
+                              of the underlying AnalysisRun's phase, however, there
+                              are exceptions to this, such as in the case where an
+                              AnalysisRun cannot be launched successfully.
+                            type: string
                         type: object
                     type: object
                   name:
@@ -915,12 +935,13 @@ spec:
                             type: string
                         type: object
                       type: array
-                    verificationResult:
+                    verificationInfo:
                       description: VerificationInfo is information about any verification
                         process that was associated with this Freight for this Stage.
                       properties:
                         analysisRun:
-                          description: AnalysisRunReference is a reference to an AnalysisRun.
+                          description: AnalysisRun is a reference to the Argo Rollouts
+                            AnalysisRun that implements the Verification process.
                           properties:
                             name:
                               description: Name is the name of the AnalysisRun.
@@ -937,8 +958,17 @@ spec:
                           - namespace
                           - phase
                           type: object
-                      required:
-                      - analysisRun
+                        message:
+                          description: Message may contain additional information
+                            about why the verification process is in its current phase.
+                          type: string
+                        phase:
+                          description: Phase describes the current phase of the Verification
+                            process. Generally, this will be a reflection of the underlying
+                            AnalysisRun's phase, however, there are exceptions to
+                            this, such as in the case where an AnalysisRun cannot
+                            be launched successfully.
+                          type: string
                       type: object
                   type: object
                 type: array

@@ -76,4 +76,12 @@ rules:
     verbs:
       - patch
       - update
+{{- if .Values.api.rollouts.integrationEnabled }}
+  - apiGroups:
+      - argoproj.io
+    resources:
+      - analysistemplates
+    verbs:
+      - "*"
+{{- end }}
 {{- end }}
@@ -55,4 +55,5 @@ data:
   ARGOCD_NAMESPACE: {{ .Values.controller.argocd.namespace }}
   ARGOCD_URLS: {{ range $key, $val := .Values.api.argocd.urls }}{{ $key }}={{ $val }},{{- end }}
   {{- end }}
+  ROLLOUTS_INTEGRATION_ENABLED: {{ quote .Values.api.rollouts.integrationEnabled }}
 {{- end }}
@@ -1,4 +1,4 @@
-{{- if or .Values.controller.argocd.watchArgocdNamespaceOnly .Values.controller.argocd.enableCredentialBorrowing }}
+{{- if and .Values.controller.argocd.integrationEnabled (or .Values.controller.argocd.watchArgocdNamespaceOnly .Values.controller.argocd.enableCredentialBorrowing) }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:

@@ -1,4 +1,4 @@
-{{- if or .Values.controller.argocd.watchArgocdNamespaceOnly .Values.controller.argocd.enableCredentialBorrowing }}
+{{- if and .Values.controller.argocd.integrationEnabled (or .Values.controller.argocd.watchArgocdNamespaceOnly .Values.controller.argocd.enableCredentialBorrowing) }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:

@@ -14,8 +14,8 @@ subjects:
 - kind: ServiceAccount
   namespace: {{ .Release.Namespace }}
   name: kargo-controller
+{{- if and .Values.controller.argocd.integrationEnabled (not .Values.controller.argocd.watchArgocdNamespaceOnly) }}
 ---
-{{- if not .Values.controller.argocd.watchArgocdNamespaceOnly }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
@@ -32,4 +32,22 @@ subjects:
   namespace: {{ .Release.Namespace }}
   name: kargo-controller
 {{- end }}
+{{- if .Values.controller.rollouts.integrationEnabled }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: kargo-controller-rollouts
+  labels:
+    {{- include "kargo.labels" . | nindent 4 }}
+    {{- include "kargo.controller.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kargo-controller-rollouts
+subjects:
+- kind: ServiceAccount
+  namespace: {{ .Release.Namespace }}
+  name: kargo-controller
+{{- end }}
 {{- end }}
@@ -72,8 +72,8 @@ rules:
   - get
   - list
   - watch
+{{- if and .Values.controller.argocd.integrationEnabled (not .Values.controller.argocd.watchArgocdNamespaceOnly) }}
 ---
-{{- if not .Values.controller.argocd.watchArgocdNamespaceOnly }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -91,6 +91,17 @@ rules:
   - list
   - patch
   - watch
+{{- end }}
+{{- if .Values.controller.rollouts.integrationEnabled }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: kargo-controller-rollouts
+  labels:
+    {{- include "kargo.labels" . | nindent 4 }}
+    {{- include "kargo.controller.labels" . | nindent 4 }}
+rules:
 - apiGroups:
   - argoproj.io
   resources:
@@ -100,5 +111,5 @@ rules:
   - get
   - list
   - watch
-{{- end }}  
+{{- end }}
 {{- end }}
@@ -16,13 +16,17 @@ data:
   KUBECONFIG: /etc/kargo/kubeconfigs/kubeconfig.yaml
   {{- end }}
   GLOBAL_CREDENTIALS_NAMESPACES: {{ join "," .Values.controller.globalCredentials.namespaces }}
+  ARGOCD_INTEGRATION_ENABLED: {{ quote .Values.controller.argocd.integrationEnabled }}
+  {{- if .Values.controller.argocd.integrationEnabled }}
   {{- if .Values.kubeconfigSecrets.argocd }}
   ARGOCD_KUBECONFIG: /etc/kargo/kubeconfigs/argocd-kubeconfig.yaml
   {{- end }}
-  {{- if .Values.kubeconfigSecrets.rollouts }}
-  ROLLOUTS_KUBECONFIG: /etc/kargo/kubeconfigs/rollouts-kubeconfig.yaml
-  {{- end }}
   ARGOCD_NAMESPACE: {{ .Values.controller.argocd.namespace }}
   ARGOCD_ENABLE_CREDENTIAL_BORROWING: {{ quote .Values.controller.argocd.enableCredentialBorrowing }}
   ARGOCD_WATCH_ARGOCD_NAMESPACE_ONLY: {{ quote .Values.controller.argocd.watchArgocdNamespaceOnly }}
+  {{- end }}
+  ROLLOUTS_INTEGRATION_ENABLED: {{ quote .Values.controller.rollouts.integrationEnabled }}
+  {{- if and .Values.controller.rollouts.integrationEnabled .Values.kubeconfigSecrets.rollouts }}
+  ROLLOUTS_KUBECONFIG: /etc/kargo/kubeconfigs/rollouts-kubeconfig.yaml
+  {{- end }}
 {{- end }}
@@ -199,6 +199,11 @@ api:
       # "": https://argocd.example.com
       # "shard2": https://argocd2.example.com
 
+  ## All settings relating to the use of Argo Rollouts by the API Server.
+  rollouts:
+    ## @param api.rollouts.integrationEnabled Specifies whether Argo Rollouts integration is enabled. When not enabled, the API server will not be capable of creating/updating/applying AnalysesTemplate resources in the Kargo control plane. When enabled, the API server will perform a sanity check at startup. If Argo Rollouts CRDs are not found, the API server will proceed as if this integration had been explicitly disabled. Explicitly disabling is still preferable if this integration is not desired, as it will grant fewer permissions to the API server.
+    integrationEnabled: true
+
 ## @section Controller
 ## All settings for the controller component
 controller:
@@ -213,16 +218,24 @@ controller:
   ## @param controller.shardName [nullable] Set a shard name only if you are running multiple controllers backed by a single underlying control plane. Setting a shard name will cause this controller to operate **only** on resources with a matching shard name. Leaving the shard name undefined will designate this controller as the default controller that is responsible exclusively for resources that are **not** assigned to a specific shard. Leaving this undefined is the correct choice when you are not using sharding at all. It is also the correct setting if you are using sharding and want to designate a controller as the default for handling resources not assigned to a specific shard. In most cases, this setting should simply be left alone.
   # shardName:
 
-  ## All settings relating to the Argo CD control plane this controller will
+  ## All settings relating to the Argo CD control plane this controller might
   ## integrate with.
   argocd:
+    ## @param controller.argocd.integrationEnabled Specifies whether Argo CD integration is enabled. When not enabled, the controller will not watch Argo CD Application resources or factor Application health and sync state into determinations of Stage health. Argo CD-based promotion mechanisms will also fail. When enabled, the controller will perform a sanity check at startup. If Argo CD CRDs are not found, the controller will proceed as if this integration had been explicitly disabled. Explicitly disabling is still preferable if this integration is not desired, as it will grant fewer permissions to the controller.
+    integrationEnabled: true
     ## @param controller.argocd.namespace The namespace into which Argo CD is installed.
     namespace: argocd
     ## @param controller.argocd.watchArgocdNamespaceOnly Specifies whether the reconciler that watches Argo CD Applications for the sake of forcing related Stages to reconcile should only watch Argo CD Application resources residing in Argo CD's own namespace. Note: Older versions of Argo CD only supported Argo CD Application resources in Argo CD's own namespace, but newer versions support Argo CD Application resources in any namespace. This should usually be left as `false`.
     watchArgocdNamespaceOnly: false
     ## @param controller.argocd.enableCredentialBorrowing Specifies whether Kargo may borrow repository credentials (specially formatted and specially annotated Secrets) from Argo CD.
     enableCredentialBorrowing: true
 
+  ## All settings relating to the use of Argo Rollouts AnalysisTemplates and
+  ## AnalysisRuns as a means of verifying Stages after a Promotion.
+  rollouts:
+    ## @param controller.rollouts.integrationEnabled Specifies whether Argo Rollouts integration is enabled. When not enabled, the controller will not reconcile Argo Rollouts AnalysisRun resources and attempts to verify Stages via Analysis will fail. When enabled, the controller will perform a sanity check at startup. If Argo Rollouts CRDs are not found, the controller will proceed as if this integration had been explicitly disabled. Explicitly disabling is still preferable if this integration is not desired, as it will grant fewer permissions to the controller.
+    integrationEnabled: true
+
   ## @param controller.logLevel The log level for the controller.
   logLevel: INFO