feat: multi runtime install

charts/gitops-runtime/Chart.yaml

@@ -32,6 +32,7 @@ dependencies:
 - name: sealed-secrets
   repository: https://bitnami-labs.github.io/sealed-secrets/
   version: 2.17.2
+  condition: sealed-secrets.enabled
 - name: codefresh-tunnel-client
   repository: oci://quay.io/codefresh/charts
   version: 0.1.21

charts/gitops-runtime/templates/_components/cf-argocd-extras/event-reporter/_rbac.yaml

@@ -11,6 +11,18 @@
 {{/* Workaround to NOT change label selectors from previous runtime release when event-reporter was part of cf-argocd-extras Subchart */}}
 {{- $_ := set $context.Values "nameOverride" "cf-argocd-extras" }}
 
+{{/* Remove nonResourceURLs when RBAC is namespaced */}}
+{{- $rules := $context.Values.rbac.rules }}
+{{- if $context.Values.rbac.namespaced }}
+    {{- $rules = list }}
+        {{- range $context.Values.rbac.rules }}
+            {{- if not .nonResourceURLs }}
+                {{- $rules = append $rules . }}
+            {{- end }}
+    {{- end }}
+{{- end }}
+{{- $_ := set $context.Values.rbac "rules" $rules }}
+
 {{- $templateName := printf "cf-common-%s.rbac" (index .Subcharts "cf-common").Chart.Version }}
 {{- include $templateName $context }}
 

charts/gitops-runtime/templates/_components/gitops-operator/_default_values.tpl

@@ -14,6 +14,9 @@ global:
 
 replicaCount: 1
 
+# -- Restrict the gitops operator to a single namespace (by the namespace of Helm release)
+singleNamespace: false
+
 # -- Codefresh gitops operator crds
 crds:
   # -- Whether or not to install CRDs

charts/gitops-runtime/templates/_components/gitops-operator/promotion-template/_rbac.yaml

@@ -5,7 +5,7 @@ kind: ClusterRole
 metadata:
   labels:
     {{- include "gitops-operator.selectorLabels" . | nindent 4 }}
-  name: promotion-template
+  name: {{ .Values.singleNamespace | ternary (printf "promotion-template-%s" .Release.Namespace) "promotion-template"  }}
 rules:
 - apiGroups:
   - ""
@@ -49,11 +49,11 @@ kind: ClusterRoleBinding
 metadata:
   labels:
     {{- include "gitops-operator.selectorLabels" . | nindent 4 }}
-  name: promotion-template
+  name: {{ .Values.singleNamespace | ternary (printf "promotion-template-%s" .Release.Namespace) "promotion-template"  }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: promotion-template
+  name: {{ .Values.singleNamespace | ternary (printf "promotion-template-%s" .Release.Namespace) "promotion-template"  }}
 subjects:
 - kind: ServiceAccount
   name: {{ include "gitops-operator.promotionTemplate.serviceAccountName" . }}

charts/gitops-runtime/templates/_components/gitops-operator/rbac/_auth_proxy_rbac.yaml

@@ -5,7 +5,7 @@ kind: ClusterRole
 metadata:
   labels:
     {{- include "gitops-operator.selectorLabels" . | nindent 4 }}
-  name: codefresh-gitops-operator-proxy
+  name: {{ .Values.singleNamespace | ternary (printf "codefresh-gitops-operator-proxy-%s" .Release.Namespace) "codefresh-gitops-operator-proxy"  }}
 rules:
 - apiGroups:
   - authentication.k8s.io
@@ -26,11 +26,11 @@ kind: ClusterRoleBinding
 metadata:
   labels:
     {{- include "gitops-operator.selectorLabels" . | nindent 4 }}
-  name: codefresh-gitops-operator-proxy
+  name: {{ .Values.singleNamespace | ternary (printf "codefresh-gitops-operator-proxy-%s" .Release.Namespace) "codefresh-gitops-operator-proxy"  }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: codefresh-gitops-operator-proxy
+  name: {{ .Values.singleNamespace | ternary (printf "codefresh-gitops-operator-proxy-%s" .Release.Namespace) "codefresh-gitops-operator-proxy"  }}
 subjects:
 - kind: ServiceAccount
   name: {{ include "gitops-operator.serviceAccountName" . }}

charts/gitops-runtime/templates/_components/gitops-operator/rbac/_rbac_operator.yaml

@@ -5,7 +5,7 @@ kind: ClusterRole
 metadata:
   labels:
     {{- include "gitops-operator.selectorLabels" . | nindent 4 }}
-  name: codefresh-gitops-operator
+  name: {{ .Values.singleNamespace | ternary (printf "codefresh-gitops-operator-%s" .Release.Namespace) "codefresh-gitops-operator"  }}
 rules:
 - apiGroups:
     - ""
@@ -26,6 +26,7 @@ rules:
   - patch
   - update
   - watch
+{{- if not .Values.singleNamespace }}
 - apiGroups:
   - codefresh.io
   resources:
@@ -52,6 +53,7 @@ rules:
   - get
   - patch
   - update
+{{- end }}
 - apiGroups:
   - ""
   resources:
@@ -69,33 +71,153 @@ rules:
   - get
   - list
   - watch
+---
+{{- if .Values.singleNamespace }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: argo-role
+rules:
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - create
+  - get
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  - pods/exec
+  verbs:
+  - create
+  - get
+  - list
+  - watch
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - watch
+  - list
+- apiGroups:
+  - ""
+  resources:
+  - persistentvolumeclaims
+  - persistentvolumeclaims/finalizers
+  verbs:
+  - create
+  - update
+  - delete
+  - get
+- apiGroups:
+  - argoproj.io
+  resources:
+  - workflows
+  - workflows/finalizers
+  - workflowtasksets
+  - workflowtasksets/finalizers
+  - workflowartifactgctasks
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+  - patch
+  - delete
+  - create
+- apiGroups:
+  - argoproj.io
+  resources:
+  - workflowtemplates
+  - workflowtemplates/finalizers
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - argoproj.io
+  resources:
+  - workflowtaskresults
+  verbs:
+  - list
+  - watch
+  - deletecollection
+- apiGroups:
+  - ""
+  resources:
+  - serviceaccounts
+  verbs:
+  - get
+  - list
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+- apiGroups:
+  - argoproj.io
+  resources:
+  - cronworkflows
+  - cronworkflows/finalizers
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - policy
+  resources:
+  - poddisruptionbudgets
+  verbs:
+  - create
+  - get
+  - delete
+{{- end }}
 
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
     {{- include "gitops-operator.selectorLabels" . | nindent 4 }}
-  name: codefresh-gitops-operator
+  name: {{ .Values.singleNamespace | ternary (printf "codefresh-gitops-operator-%s" .Release.Namespace) "codefresh-gitops-operator"  }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: codefresh-gitops-operator
+  name: {{ .Values.singleNamespace | ternary (printf "codefresh-gitops-operator-%s" .Release.Namespace) "codefresh-gitops-operator"  }}
 subjects:
 - kind: ServiceAccount
   name: {{ include "gitops-operator.serviceAccountName" . }}
   namespace: {{ .Release.Namespace }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: {{ .Values.singleNamespace | ternary "RoleBinding" "ClusterRoleBinding" }}
 metadata:
   labels:
     {{- include "gitops-operator.selectorLabels" . | nindent 4 }}
-  name: codefresh-gitops-operator-workflows
+  name: {{ .Values.singleNamespace | ternary (printf "codefresh-gitops-operator-workflows-%s" .Release.Namespace) "codefresh-gitops-operator-workflows"  }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: argo-edit
+  kind: {{ .Values.singleNamespace | ternary "Role" "ClusterRole" }}
+  name: {{ .Values.singleNamespace | ternary "argo-role" "argo-edit" }}
 subjects:
 - kind: ServiceAccount
   name: {{ include "gitops-operator.serviceAccountName" . }}

charts/gitops-runtime/templates/_components/gitops-operator/rbac/_restricted_git_source.rbac.yaml

@@ -1,5 +1,6 @@
 
 {{- define "gitops-operator.resources.restricted-git-source-rbac" }}
+  {{- if not .Values.singleNamespace }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -80,4 +81,5 @@ subjects:
 - kind: ServiceAccount
   name: {{ include "gitops-operator.serviceAccountName" . }}
   namespace: {{ .Release.Namespace }}
+  {{- end }}
 {{- end }}

charts/gitops-runtime/templates/_helpers.tpl

@@ -431,11 +431,14 @@ Output comma separated list of installed runtime components
 */}}
 {{- define "codefresh-gitops-runtime.component-list"}}
   {{- $argoEvents := dict "name" "argo-events" "version" (get .Subcharts "argo-events").Chart.AppVersion }}
-  {{- $sealedSecrets := dict "name" "sealed-secrets" "version" (get .Subcharts "sealed-secrets").Chart.AppVersion }}
   {{- $internalRouter := dict "name" "internal-router" "version" .Chart.AppVersion }}
   {{- $appProxy := dict "name" "app-proxy" "version" (index (get .Values "app-proxy") "image" "tag") }}
   {{- $sourcesServer := dict "name" "sources-server" "version" (get .Values "cf-argocd-extras").sourcesServer.container.image.tag }}
-  {{- $comptList := list $argoEvents $appProxy $sealedSecrets $internalRouter $sourcesServer }}
+  {{- $comptList := list $argoEvents $appProxy $internalRouter $sourcesServer }}
+{{- if and (index .Values "sealed-secrets" "enabled") }}
+  {{- $sealedSecrets := dict "name" "sealed-secrets" "version" (get .Subcharts "sealed-secrets").Chart.AppVersion }}
+  {{- $comptList = append $comptList $sealedSecrets }}
+{{- end }}
 {{- if and (index .Values "argo-cd" "enabled") }}
   {{- $argoCD := dict "name" "argocd" "version" (get .Subcharts "argo-cd").Chart.AppVersion }}
   {{- $comptList = append $comptList $argoCD }}

charts/gitops-runtime/templates/app-proxy/workflows-crb.yaml

@@ -4,12 +4,12 @@
 {{- $_ := set $appProxyContext "Values" (deepCopy (get .Values "app-proxy")) }}
 {{- $_ := set $appProxyContext.Values "global" (deepCopy (get .Values "global")) }}
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: {{ $appProxyContext.Values.singleNamespace | ternary "RoleBinding" "ClusterRoleBinding" }}
 metadata:
   name: cap-app-proxy-argo-workflows
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
+  kind: {{ $appProxyContext.Values.singleNamespace | ternary "Role" "ClusterRole" }}
   name: {{ include "codefresh-gitops-runtime.argo-workflows.server.name" . }}
 subjects:
   - kind: ServiceAccount

charts/gitops-runtime/templates/gitops-operator/crds.yaml

@@ -1 +1,3 @@
-{{- include "gitops-operator.crds" . }}
+{{- if and (index .Values "gitops-operator" "enabled") }}
+    {{- include "gitops-operator.crds" . }}
+{{- end }}

charts/gitops-runtime/templates/gitops-operator/deployment.yaml

@@ -1,3 +1,4 @@
+{{- if and (index .Values "gitops-operator" "enabled") }}
 {{- $context := deepCopy . }}
 
 {{- $defaultVals := include "gitops-operator.default-values" . | fromYaml }}
@@ -44,3 +45,4 @@
 {{- end }}
 
 {{- include "gitops-operator.resources.deployment" $context }}
+{{- end }}

charts/gitops-runtime/templates/gitops-operator/promotion-operator.yaml

@@ -1 +1,3 @@
-{{- include "gitops-operator.resources.promotion-template" . }}
+{{- if and (index .Values "gitops-operator" "enabled") }}
+    {{- include "gitops-operator.resources.promotion-template" . }}
+{{- end }}

charts/gitops-runtime/templates/gitops-operator/rbac.yaml

@@ -1 +1,3 @@
-{{- include "gitops-operator.resources.rbac" . }}
+{{- if and (index .Values "gitops-operator" "enabled") }}
+    {{- include "gitops-operator.resources.rbac" . }}
+{{- end }}

charts/gitops-runtime/templates/gitops-operator/serviceaccount.yaml

@@ -1,3 +1,5 @@
+{{- if and (index .Values "gitops-operator" "enabled") }}
+
 {{- $context := deepCopy . }}
 
 {{- $defaultVals := include "gitops-operator.default-values" . | fromYaml }}
@@ -7,3 +9,5 @@
 {{- $_ := set $context.Values "global" (deepCopy (get .Values "global")) }}
 
 {{- include "gitops-operator.resources.sa" $context }}
+
+{{- end }}

charts/gitops-runtime/values.yaml

@@ -519,6 +519,8 @@ tunnel-client:
 #-----------------------------------------------------------------------------------------------------------------------
 app-proxy:
   replicaCount: 1
+  # -- Restrict the app-proxy to a single namespace (by the namespace of Helm release)
+  singleNamespace: false
   # -- Image enrichment process configuration
   image-enrichment:
     # -- Enable or disable enrichment process. Please note that for enrichemnt, argo-workflows has to be enabled as well.
@@ -685,6 +687,9 @@ gitops-operator:
     annotations: {}
     # -- Additional labels for gitops operator CRDs
     additionalLabels: {}
+  # -- Restrict the gitops operator to a single namespace (by the namespace of Helm release)
+  singleNamespace: false
+  # -- GitOps operator configuration
   config:
     # -- Task polling interval
     taskPollingInterval: 10s
@@ -696,8 +701,8 @@ gitops-operator:
     maxConcurrentReleases: 100
     # -- An optional template for the promotion wrapper (empty default will use the embedded one)
     promotionWrapperTemplate: ''
+  # -- GitOps operator image
   image:
-    # -- defaults
     registry: quay.io
     repository: codefresh/codefresh-gitops-operator
     tag: v0.8.11