feat: deploy dh and gitops in their own namespaces

There's no good reason for the 2 services to share the same namespace. This change helps with segregation of services. This in turn helps with development, as it guarantee that there is no unknown link between the 2 services and one can reset a service by deleting the namespace and redeploying the cluster. With this change, the `rhtap` namespace becomes a location for integration secrets. rh-pre-commit.version: 2.3.2 rh-pre-commit.check-secrets: ENABLED
redhat-appstudio · Feb 11, 2025 · 44728b5 · 44728b5
1 parent 3f6e6c6
commit 44728b5
Show file tree

Hide file tree

Showing 24 changed files with 111 additions and 131 deletions.
diff --git a/installer/charts/rhtap-app-namespaces/hooks/post-deploy.sh b/installer/charts/rhtap-app-namespaces/hooks/post-deploy.sh
@@ -21,6 +21,8 @@ patch_serviceaccount() {
     local NAMESPACE="$1"
     local SA="$2"
 
+    echo -n "- Patching ServiceAccount '$SA' in '$NAMESPACE': "
+
     # Wait until the ServiceAccount is available and get the definition
     until "$KUBECTL" get serviceaccounts --namespace "$NAMESPACE" "$SA" >/dev/null 2>&1; do
         echo -n "_"
@@ -44,14 +46,12 @@ patch_serviceaccount() {
         fi
     done
 
-    if [ -e "$SA_DEFINITION_UPDATED" ]; then
-        echo -n "- Patching ServiceAccount '$SA' in '$NAMESPACE': "
-        "$KUBECTL" apply -f "$SA_DEFINITION_UPDATED"
-    fi
+    echo "OK"
+    "$KUBECTL" apply -f "$SA_DEFINITION_UPDATED"
 }
 
 app_namespaces() {
-    NAMESPACE="$INSTALLER__DEVELOPERHUB__NAMESPACE"
+    NAMESPACE="$INSTALLER__QUAY__SECRET__NAMESPACE"
 
     for env in "development" "prod" "stage"; do
         for SA in "default" "pipeline"; do

diff --git a/installer/charts/rhtap-app-namespaces/templates/NOTES.txt b/installer/charts/rhtap-app-namespaces/templates/NOTES.txt
@@ -0,0 +1,5 @@
+{{- $namespace := .Release.Namespace -}}
+OpenShift Projects:
+{{- range tuple "development" "prod" "stage" }}
+  - "{{ $namespace }}-app-{{ . }}"
+{{- end }}
diff --git a/installer/charts/rhtap-app-namespaces/templates/namespaces.yaml b/installer/charts/rhtap-app-namespaces/templates/namespaces.yaml
@@ -1,11 +1,11 @@
 {{ $namespace := .Release.Namespace }}
-{{ $argoCD := .Values.argoCD }}
+{{ $argoCD := .Values.appNamespaces.argoCD.name }}
 {{- range tuple "development" "prod" "stage" }}
 ---
 apiVersion: v1
 kind: Namespace
 metadata:
   labels:
-    argocd.argoproj.io/managed-by: {{ $argoCD.name }}
+    argocd.argoproj.io/managed-by: {{ $argoCD }}
   name: {{ $namespace }}-app-{{ . }}
 {{- end }}
diff --git a/installer/charts/rhtap-app-namespaces/values.yaml b/installer/charts/rhtap-app-namespaces/values.yaml
@@ -1,4 +1,4 @@
 ---
-argoCD:
-  # ArgoCD instance name controlling the namespace
-  name: __OVERWRITE_ME__
+appNamespaces:
+  argoCD:
+    name: __OVERWRITE_ME__
diff --git a/installer/charts/rhtap-dh/templates/app-config-content.yaml b/installer/charts/rhtap-dh/templates/app-config-content.yaml
@@ -1,18 +1,19 @@
 {{- define "rhtap-dh.app-conf" }}
+{{- $integrationNamespace := .Values.developerHub.integrationSecrets.namespace }}
 app:
   title: Red Hat Developer Hub
   baseUrl: ${BACKEND_URL}
 # Lookup for all the required secrets
-{{- $argocdSecretObj := (lookup "v1" "Secret" .Release.Namespace "rhtap-argocd-integration") }}
+{{- $argocdSecretObj := (lookup "v1" "Secret" $integrationNamespace "rhtap-argocd-integration") }}
 {{- $argocdSecretData := ($argocdSecretObj.data | default dict) }}
-{{- $bbSecretObj := (lookup "v1" "Secret" .Release.Namespace "rhtap-bitbucket-integration") }}
-{{- $ghSecretObj := (lookup "v1" "Secret" .Release.Namespace "rhtap-github-integration") }}
-{{- $gitlabSecretObj := (lookup "v1" "Secret" .Release.Namespace "rhtap-gitlab-integration") }}
-{{- $jenkinsSecretObj := (lookup "v1" "Secret" .Release.Namespace "rhtap-jenkins-integration") }}
-{{- $quaySecretObj := (lookup "v1" "Secret" .Release.Namespace "rhtap-quay-integration") }}
+{{- $bbSecretObj := (lookup "v1" "Secret" $integrationNamespace "rhtap-bitbucket-integration") }}
+{{- $githubSecretObj := (lookup "v1" "Secret" $integrationNamespace "rhtap-github-integration") }}
+{{- $gitlabSecretObj := (lookup "v1" "Secret" $integrationNamespace "rhtap-gitlab-integration") }}
+{{- $jenkinsSecretObj := (lookup "v1" "Secret" $integrationNamespace "rhtap-jenkins-integration") }}
+{{- $quaySecretObj := (lookup "v1" "Secret" $integrationNamespace "rhtap-quay-integration") }}
 {{- $quaySecretData := ($quaySecretObj.data | default dict) }}
-{{- $nexusSecretObj := (lookup "v1" "Secret" .Release.Namespace "rhtap-nexus-integration") }}
-{{- $artifactorySecretObj := (lookup "v1" "Secret" .Release.Namespace "rhtap-artifactory-integration") }}
+{{- $nexusSecretObj := (lookup "v1" "Secret" $integrationNamespace "rhtap-nexus-integration") }}
+{{- $artifactorySecretObj := (lookup "v1" "Secret" $integrationNamespace "rhtap-artifactory-integration") }}
 {{- $artifactorySecretData := ($artifactorySecretObj.data | default dict) }}
 
 {{- if $argocdSecretData }}
@@ -35,25 +36,23 @@ auth:
   environment: production
   providers:
   {{- $signInPage := "" }}
-  {{- $ghSecretObj := (lookup "v1" "Secret" .Release.Namespace "rhtap-github-integration") }}
-  {{- if $ghSecretObj }}
+  {{- if $githubSecretObj }}
     {{- $signInPage = "github" }}
     github:
       production:
         clientId: ${GITHUB__APP__CLIENT__ID}
         clientSecret: ${GITHUB__APP__CLIENT__SECRET}
-      {{- if ne ($ghSecretObj.data.host | b64dec) "github.com" }}
+      {{- if ne ($githubSecretObj.data.host | b64dec) "github.com" }}
         enterpriseInstanceUrl: ${GITHUB__URL}
       {{- end }}
   {{- end }}
-  {{- $glSecretObj := (lookup "v1" "Secret" .Release.Namespace "rhtap-gitlab-integration") }}
-  {{- $glSecretData := ($glSecretObj.data | default dict) }}
-  {{- if $glSecretData }}
-    {{- if and $glSecretData.clientId $glSecretData.clientSecret }}
+  {{- $gitlabSecretData := ($gitlabSecretObj.data | default dict) }}
+  {{- if $gitlabSecretData }}
+    {{- if and $gitlabSecretData.clientId $gitlabSecretData.clientSecret }}
     {{- $signInPage = "gitlab" }}
     gitlab:
       production:
-      {{- if ne ($glSecretData.host | b64dec) "gitlab.com" }}
+      {{- if ne ($gitlabSecretData.host | b64dec) "gitlab.com" }}
         audience: ${GITLAB__URL}
       {{- end }}
         clientId: ${GITLAB__APP__CLIENT__ID}
@@ -90,7 +89,7 @@ integrations:
     - appPassword: ${BITBUCKET__APP_PASSWORD}
       username: ${BITBUCKET__USERNAME}
 {{- end }}
-{{- if $ghSecretObj }}
+{{- if $githubSecretObj }}
   github:
     - host: ${GITHUB__HOST}
       token: ${GITHUB__TOKEN}
@@ -108,7 +107,7 @@ integrations:
       apiBaseUrl: https://${GITLAB__HOST}/api/v4
       token: ${GITLAB__TOKEN}
 {{- end }}
-{{- if (lookup "v1" "Secret" .Release.Namespace "rhtap-jenkins-integration") }}
+{{- if $jenkinsSecretObj }}
 jenkins:
   instances:
     - name: default

diff --git a/installer/charts/rhtap-dh/templates/extra-env.yaml b/installer/charts/rhtap-dh/templates/extra-env.yaml
@@ -1,3 +1,4 @@
+{{- $integrationNamespace := .Values.developerHub.integrationSecrets.namespace -}}
 ---
 apiVersion: v1
 kind: Secret
@@ -13,21 +14,21 @@ data:
     BACKEND_SECRET: {{ randAlphaNum 16 | b64enc }}
     BACKEND_URL: {{ printf "https://backstage-developer-hub-%s.%s" .Release.Namespace .Values.developerHub.ingressDomain | b64enc }}
     NODE_TLS_REJECT_UNAUTHORIZED:  {{ "0" | b64enc }}
-{{- $argocdSecretObj := (lookup "v1" "Secret" .Release.Namespace "rhtap-argocd-integration") }}
+{{- $argocdSecretObj := (lookup "v1" "Secret" $integrationNamespace "rhtap-argocd-integration") }}
 {{- $argocdSecretData := ($argocdSecretObj.data | default dict) }}
 {{- if $argocdSecretData }}
     ARGOCD__API_TOKEN: {{ $argocdSecretData.ARGOCD_API_TOKEN }}
     ARGOCD__PASSWORD: {{ $argocdSecretData.ARGOCD_PASSWORD }}
     ARGOCD__URL: {{ print "https://" ($argocdSecretData.ARGOCD_HOSTNAME | b64dec) | b64enc }}
     ARGOCD__USER: {{ $argocdSecretData.ARGOCD_USER }}
 {{- end }}
-{{- $artifactorySecretObj := (lookup "v1" "Secret" .Release.Namespace "rhtap-artifactory-integration") }}
+{{- $artifactorySecretObj := (lookup "v1" "Secret" $integrationNamespace "rhtap-artifactory-integration") }}
 {{- $artifactorySecretData := ($artifactorySecretObj.data | default dict) }}
 {{- if $artifactorySecretData }}
     ARTIFACTORY__API_TOKEN: {{ $artifactorySecretData.token }}
     ARTIFACTORY__URL: {{ $artifactorySecretData.url }}
 {{- end }}
-{{- $bbSecretObj := (lookup "v1" "Secret" .Release.Namespace "rhtap-bitbucket-integration") }}
+{{- $bbSecretObj := (lookup "v1" "Secret" $integrationNamespace "rhtap-bitbucket-integration") }}
 {{- $bbSecretData := ($bbSecretObj.data | default dict) }}
 {{- if $bbSecretData }}
     BITBUCKET__APP_PASSWORD:  {{ $bbSecretData.appPassword }}
@@ -36,7 +37,7 @@ data:
     DEVELOPER_HUB__CATALOG__URL: {{
         required ".developerHub.catalogURL is required" .Values.developerHub.catalogURL | b64enc
     }}
-{{- $ghSecretObj := (lookup "v1" "Secret" .Release.Namespace "rhtap-github-integration") }}
+{{- $ghSecretObj := (lookup "v1" "Secret" $integrationNamespace "rhtap-github-integration") }}
 {{- $ghSecretData := ($ghSecretObj.data | default dict) }}
 {{- if $ghSecretData }}
     GITHUB__APP__ID: {{ $ghSecretData.id }}
@@ -53,7 +54,7 @@ data:
     GITHUB__URL: {{ print "https://" ($ghSecretData.host | b64dec) | b64enc }}
     {{- end }}
 {{- end }}
-{{- $glSecretObj := (lookup "v1" "Secret" .Release.Namespace "rhtap-gitlab-integration") -}}
+{{- $glSecretObj := (lookup "v1" "Secret" $integrationNamespace "rhtap-gitlab-integration") -}}
 {{- $glSecretData := ($glSecretObj.data | default dict) -}}
 {{- if $glSecretData }}
     GITLAB__HOST: {{ $glSecretData.host }}
@@ -64,24 +65,24 @@ data:
     GITLAB__APP__CLIENT__SECRET: {{ $glSecretData.clientSecret }}
     {{- end }}
 {{- end }}
-{{- $jenkinsSecretObj := (lookup "v1" "Secret" .Release.Namespace "rhtap-jenkins-integration") }}
+{{- $jenkinsSecretObj := (lookup "v1" "Secret" $integrationNamespace "rhtap-jenkins-integration") }}
 {{- $jenkinsSecretData := ($jenkinsSecretObj.data | default dict) }}
 {{- if $jenkinsSecretData }}
     JENKINS__BASEURL: {{ $jenkinsSecretData.baseUrl }}
     JENKINS__USERNAME: {{ $jenkinsSecretData.username }}
     JENKINS__TOKEN: {{ $jenkinsSecretData.token }}
 {{- end }}
-{{- $k8sSecretObj := (lookup "v1" "Secret" .Release.Namespace "rhtap-k8s-integration") }}
+{{- $k8sSecretObj := (lookup "v1" "Secret" $integrationNamespace "rhtap-k8s-integration") }}
 {{- $k8sSecretData := ($k8sSecretObj.data | default dict) }}
 {{- if $k8sSecretData }}
     K8S_SERVICEACCOUNT_TOKEN: {{ $k8sSecretData.token }}
 {{- end }}
-{{- $nexusSecretObj := (lookup "v1" "Secret" .Release.Namespace "rhtap-nexus-integration") }}
+{{- $nexusSecretObj := (lookup "v1" "Secret" $integrationNamespace "rhtap-nexus-integration") }}
 {{- $nexusSecretData := ($nexusSecretObj.data | default dict) }}
 {{- if $nexusSecretData }}
     NEXUS__URL: {{ $nexusSecretData.url }}
 {{- end }}
-{{- $quaySecretObj := (lookup "v1" "Secret" .Release.Namespace "rhtap-quay-integration") }}
+{{- $quaySecretObj := (lookup "v1" "Secret" $integrationNamespace "rhtap-quay-integration") }}
 {{- $quaySecretData := ($quaySecretObj.data | default dict) }}
 {{- if $quaySecretData }}
     {{- if $quaySecretData.token }}

diff --git a/installer/charts/rhtap-dh/templates/plugins-content.yaml b/installer/charts/rhtap-dh/templates/plugins-content.yaml
@@ -1,10 +1,11 @@
 {{- define "rhtap-dh.plugins-conf" }}
+{{- $integrationNamespace := .Values.developerHub.integrationSecrets.namespace }}
 includes:
   - dynamic-plugins.default.yaml
 plugins:
   # Installed plugins can be listed at:
   # https://DH_HOSTNAME/api/dynamic-plugins-info/loaded-plugins
-{{- if (lookup "v1" "Secret" .Release.Namespace "rhtap-argocd-integration") }}
+{{- if (lookup "v1" "Secret" $integrationNamespace "rhtap-argocd-integration") }}
   #
   # ArgoCD
   #
@@ -44,17 +45,17 @@ plugins:
                     gridRowStart: 1
                 importName: TektonCI
                 mountPoint: entity.page.ci/cards
-{{- if (lookup "v1" "Secret" .Release.Namespace "rhtap-github-integration") }}
+{{- if (lookup "v1" "Secret" $integrationNamespace "rhtap-github-integration") }}
   - disabled: false
     package: ./dynamic-plugins/dist/backstage-community-plugin-github-actions
 {{- end }}
-{{- if (lookup "v1" "Secret" .Release.Namespace "rhtap-gitlab-integration") }}
+{{- if (lookup "v1" "Secret" $integrationNamespace "rhtap-gitlab-integration") }}
   - disabled: false
     package: ./dynamic-plugins/dist/immobiliarelabs-backstage-plugin-gitlab
   - disabled: false
     package: ./dynamic-plugins/dist/immobiliarelabs-backstage-plugin-gitlab-backend-dynamic
 {{- end }}
-{{- if (lookup "v1" "Secret" .Release.Namespace "rhtap-jenkins-integration") }}
+{{- if (lookup "v1" "Secret" $integrationNamespace "rhtap-jenkins-integration") }}
   - disabled: false
     package: ./dynamic-plugins/dist/backstage-community-plugin-jenkins
     pluginConfig:
@@ -86,15 +87,15 @@ plugins:
   #
   # Image Registry
   #
-{{- if (lookup "v1" "Secret" .Release.Namespace "rhtap-artifactory-integration") }}
+{{- if (lookup "v1" "Secret" $integrationNamespace "rhtap-artifactory-integration") }}
   - disabled: false
     package: ./dynamic-plugins/dist/backstage-community-plugin-jfrog-artifactory
 {{- end }}
-{{- if (lookup "v1" "Secret" .Release.Namespace "rhtap-nexus-integration") }}
+{{- if (lookup "v1" "Secret" $integrationNamespace "rhtap-nexus-integration") }}
   - disabled: false
     package: ./dynamic-plugins/dist/backstage-community-plugin-nexus-repository-manager
 {{- end }}
-{{- if (lookup "v1" "Secret" .Release.Namespace "rhtap-quay-integration") }}
+{{- if (lookup "v1" "Secret" $integrationNamespace "rhtap-quay-integration") }}
   - disabled: false
     package: ./dynamic-plugins/dist/backstage-community-plugin-quay
 {{- end }}

diff --git a/installer/charts/rhtap-dh/templates/tests/test.yaml b/installer/charts/rhtap-dh/templates/tests/test.yaml
@@ -1,4 +1,5 @@
 {{- $name := printf "%s-test-%d" .Chart.Name .Release.Revision -}}
+{{- $integrationNamespace := .Values.developerHub.integrationSecrets.namespace -}}
 ---
 apiVersion: v1
 kind: Pod
@@ -8,7 +9,8 @@ metadata:
     helm.sh/hook-delete-policy: hook-succeeded
   labels:
     {{- include "rhtap-dh.labels" . | nindent 4 }}
-  name: {{ $name }} 
+  name: {{ $name }}
+  namespace: {{ $integrationNamespace }}
 spec:
   restartPolicy: Never
   serviceAccountName: rhdh-kubernetes-plugin

diff --git a/installer/charts/rhtap-dh/values.yaml b/installer/charts/rhtap-dh/values.yaml
@@ -6,3 +6,5 @@ developerHub:
   instanceName: developer-hub
   catalogURL: __OVERWRITE_ME__
   ingressDomain: __OVERWRITE_ME__
+  integrationSecrets:
+    namespace: __OVERWRITE_ME__
diff --git a/installer/charts/rhtap-gitops/templates/job-post-deploy.yaml b/installer/charts/rhtap-gitops/templates/job-post-deploy.yaml
@@ -71,9 +71,9 @@ spec:
           image: quay.io/codeready-toolchain/oc-client-base:latest
           env:
             - name: SECRET_NAME
-              value: {{ $argoCD.secretName }}
+              value: {{ $argoCD.integrationSecret.name }}
             - name: NAMESPACE
-              value: {{ $argoCD.namespace }}
+              value: {{ $argoCD.integrationSecret.namespace }}
             - name: ARGOCD_ENV_FILE
               value: {{ $argoCDEnvFile }}
           command:

diff --git a/installer/charts/rhtap-gitops/values.yaml b/installer/charts/rhtap-gitops/values.yaml
@@ -9,9 +9,10 @@ argoCD:
   namespace: __OVERWRITE_ME__
   # The domain for the ArgoCD instance, used to define the final route.
   ingressDomain: __OVERWRITE_ME__
-  # The secret name to store the ArgoCD API credentials, this secret is later on
+  # The secret namespace to store the ArgoCD API credentials, this secret is later on
   # used for integration with other services.
-  secretName: __OVERWRITE_ME__
+  integrationSecret:
+    namespace: __OVERWRITE_ME__
   # Route configuration for all ArgoCD components.
   route:
     # Toggles the route for the ArgoCD components.

diff --git a/installer/charts/rhtap-openshift/templates/NOTES.txt b/installer/charts/rhtap-openshift/templates/NOTES.txt
@@ -1,4 +1,4 @@
 OpenShift Projects:
-{{- range $p := .Values.openshift.projects }}
+{{- range $p := .Values.openshift.projects | sortAlpha }}
   - {{ $p | quote }}
 {{- end }}