Merge pull request #216 from projectsyn/feat/additional-root-apps

Add support for additional root apps

.cruft.json

@@ -1,13 +1,13 @@
 {
   "template": "https://github.com/projectsyn/commodore-component-template.git",
-  "commit": "ff9d5a839714344345b76be069ea23e39e580f38",
+  "commit": "98d16f99766e6c6d97322dbe42e058f0e2bf73d0",
   "checkout": "main",
   "context": {
     "cookiecutter": {
       "name": "Argo CD",
       "slug": "argocd",
       "parameter_key": "argocd",
-      "test_cases": "defaults openshift params prometheus https-catalog",
+      "test_cases": "defaults openshift params prometheus https-catalog syn-teams",
       "add_lib": "y",
       "add_pp": "n",
       "add_golden": "y",

.github/workflows/test.yaml

@@ -37,6 +37,7 @@ jobs:
           - params
           - prometheus
           - https-catalog
+          - syn-teams
     defaults:
       run:
         working-directory: ${{ env.COMPONENT_NAME }}
@@ -56,6 +57,7 @@ jobs:
           - params
           - prometheus
           - https-catalog
+          - syn-teams
     defaults:
       run:
         working-directory: ${{ env.COMPONENT_NAME }}

.gitignore

@@ -19,3 +19,4 @@
 /_public
 
 # Additional entries
+jsonnetfile.json

Makefile.vars.mk

@@ -57,4 +57,4 @@ KUBENT_IMAGE    ?= ghcr.io/doitintl/kube-no-trouble:latest
 KUBENT_DOCKER   ?= $(DOCKER_CMD) $(DOCKER_ARGS) $(root_volume) --entrypoint=/app/kubent $(KUBENT_IMAGE)
 
 instance ?= defaults
-test_instances = tests/defaults.yml tests/openshift.yml tests/params.yml tests/prometheus.yml tests/https-catalog.yml
+test_instances = tests/defaults.yml tests/openshift.yml tests/params.yml tests/prometheus.yml tests/https-catalog.yml tests/syn-teams.yml

class/argocd.yml

@@ -4,7 +4,7 @@ parameters:
       - input_paths:
           - argocd/component/app.jsonnet
         input_type: jsonnet
-        output_path: apps/
+        output_path: .
       - output_path: argocd/01_namespace/
         input_type: jsonnet
         input_paths:

class/defaults.yml

@@ -1,6 +1,9 @@
 ---
 parameters:
   argocd:
+    =_metadata:
+      # This component can't be assigned to a team
+      multi_tenant: false
     namespace: syn
 
     distribution: ${facts:distribution}

component/app.jsonnet

@@ -1,8 +1,10 @@
+local com = import 'lib/commodore.libjsonnet';
 local kap = import 'lib/kapitan.libjsonnet';
 local kube = import 'lib/kube.libjsonnet';
 local inv = kap.inventory();
 local params = inv.parameters.argocd;
 local argocd = import 'lib/argocd.libjsonnet';
+local syn_teams = import 'syn/syn-teams.libsonnet';
 
 local syn_project = argocd.Project('syn');
 local default_project = argocd.Project('default') {
@@ -18,22 +20,38 @@ local default_project = argocd.Project('default') {
     sourceRepos: [ '*' ],
   },
 };
-local root_app = argocd.App('root', params.namespace, secrets=false) {
-  metadata: {
-    name: 'root',
-    namespace: params.namespace,
-  },
-  spec+: {
-    source+: {
-      path: 'manifests/apps/',
+
+local root_app(team) =
+  local project = if team == 'root' then
+    'syn'
+  else
+    team;
+
+  local name = if team == 'root' then
+    'root'
+  else
+    'root-%s' % team;
+
+  argocd.App(name, params.namespace, secrets=false) {
+    metadata: {
+      name: name,
+      namespace: params.namespace,
     },
-    syncPolicy+: {
-      automated+: {
-        prune: false,
+    spec+: {
+      project: project,
+      source+: {
+        path: if team == 'root' then
+          'manifests/apps/'
+        else
+          'manifests/apps-%s/' % team,
+      },
+      syncPolicy+: {
+        automated+: {
+          prune: false,
+        },
       },
     },
-  },
-};
+  };
 
 local app = argocd.App('argocd', params.namespace, secrets=false) {
   metadata+: {
@@ -54,8 +72,14 @@ local app = argocd.App('argocd', params.namespace, secrets=false) {
 };
 
 {
-  '00_syn-project': syn_project,
-  '00_default-project': default_project,
-  '01_rootapp': root_app,
-  '10_argocd': app,
+  'apps/00_syn-project': syn_project,
+  'apps/00_default-project': default_project,
+  'apps/01_rootapp': root_app('root'),
+  'apps/10_argocd': app,
+} + {
+  ['apps-%s/01_rootapp' % team]: root_app(team)
+  for team in syn_teams.teams()
+} + {
+  ['apps-%s/00_project' % team]: argocd.Project(team)
+  for team in syn_teams.teams()
 }

component/monitoring.libsonnet

@@ -1,6 +1,8 @@
 local kap = import 'lib/kapitan.libjsonnet';
 local kube = import 'lib/kube.libjsonnet';
 local prometheus = import 'lib/prometheus.libsonnet';
+local syn_teams = import 'syn/syn-teams.libsonnet';
+
 local inv = kap.inventory();
 local params = inv.parameters.argocd;
 
@@ -29,6 +31,12 @@ local serviceMonitor(objname, name) =
   };
 
 local alert_rules =
+  local team_label =
+    if syn_teams.owner != null then
+      '{{if eq $labels.project "syn"}}{{ "%s" }}{{else}}{{ $labels.project }}{{end}}' % syn_teams.owner
+    else
+      null;
+
   kube._Object('monitoring.coreos.com/v1', 'PrometheusRule', 'argocd') {
     metadata: {
       name: 'argocd',
@@ -47,10 +55,11 @@ local alert_rules =
               alert: 'ArgoCDAppUnsynced',
               expr: 'argocd_app_info{exported_namespace="' + params.namespace + '", sync_status!="Synced"} > 0',
               'for': '10m',
-              labels: {
+              labels: std.prune({
                 severity: 'warning',
                 syn: 'true',
-              },
+                syn_team: team_label,
+              }),
               annotations: {
                 message: 'Argo CD app {{ $labels.name }} is not synced',
                 description: 'kubectl -n ' + params.namespace + ' describe app {{ $labels.name }}',
@@ -61,10 +70,11 @@ local alert_rules =
               alert: 'ArgoCDAppUnhealthy',
               expr: 'argocd_app_info{exported_namespace="' + params.namespace + '", health_status!="Healthy"} > 0',
               'for': '10m',
-              labels: {
+              labels: std.prune({
                 severity: 'critical',
                 syn: 'true',
-              },
+                syn_team: team_label,
+              }),
               annotations: {
                 message: 'Argo CD app {{ $labels.name }} is not healthy',
                 description: 'kubectl -n ' + params.namespace + ' describe app {{ $labels.name }}',
@@ -75,10 +85,11 @@ local alert_rules =
               alert: 'ArgoCDDown',
               expr: 'up{namespace="' + params.namespace + '", job=~"^syn-argocd-.+$"} != 1',
               'for': '5m',
-              labels: {
+              labels: std.prune({
                 severity: 'critical',
                 syn: 'true',
-              },
+                syn_team: team_label,
+              }),
               annotations: {
                 message: 'Argo CD job {{ $labels.job }} is down',
                 dashboard: 'argocd',

jsonnetfile.jsonnet

@@ -0,0 +1,16 @@
+{
+  version: 1,
+  dependencies: [
+    {
+      source: {
+        git: {
+          remote: 'https://github.com/projectsyn/jsonnet-libs',
+          subdir: '',
+        },
+      },
+      version: 'main',
+      name: 'syn',
+    },
+  ],
+  legacyImports: true,
+}

lib/argocd.libjsonnet

@@ -5,6 +5,8 @@
 
 
 local kap = import 'lib/kapitan.libjsonnet';
+local syn_teams = import 'syn/syn-teams.libsonnet';
+
 local inv = kap.inventory();
 local params = inv.parameters.argocd;
 
@@ -20,43 +22,58 @@ local params = inv.parameters.argocd;
  *
  * See the documentation https://argoproj.github.io/argo-cd/operator-manual/declarative-setup/#applications
  */
-local ArgoApp(component, namespace, project='syn', secrets=true) = {
-  apiVersion: 'argoproj.io/v1alpha1',
-  kind: 'Application',
-  metadata: {
-    name: component,
-    namespace: params.namespace,
-    finalizers: [
-      'resources-finalizer.argocd.argoproj.io',
-    ],
-  },
-  spec: {
-    project: project,
-    source: {
-      repoURL: inv.parameters.cluster.catalog_url,
-      targetRevision: 'HEAD',
-      path: 'manifests/' + component,
-    } + if secrets then {
-      plugin: {
-        name: 'kapitan',
+local ArgoApp(component, namespace, project=null, secrets=true) =
+  local team = syn_teams.teamForApplication(component);
+  local proj =
+    if project != null then (
+      std.trace('Parameter `project` for `ArgoApp` is deprecated and will be removed in a future version. Set to `%s`' % project, project)
+    ) else if team != syn_teams.owner then (
+      if syn_teams.isMultiTenantAware(component) then
+        team
+      else
+        error
+          "Component instance %s isn't team-aware. " % component +
+          'Please check https://syn.tools/... for details on how to refactor your component to make it team-aware.'
+    ) else
+      'syn';
+
+  {
+    apiVersion: 'argoproj.io/v1alpha1',
+    kind: 'Application',
+    metadata: {
+      name: component,
+      namespace: params.namespace,
+      finalizers: [
+        'resources-finalizer.argocd.argoproj.io',
+      ],
+    },
+    spec: {
+      project: proj,
+      source: {
+        repoURL: inv.parameters.cluster.catalog_url,
+        targetRevision: 'HEAD',
+        path: 'manifests/' + component,
+      } + if secrets then {
+        plugin: {
+          name: 'kapitan',
+        },
+      } else {
+        directory: {
+          recurse: true,
+        },
       },
-    } else {
-      directory: {
-        recurse: true,
+      syncPolicy: {
+        automated: {
+          prune: true,
+          selfHeal: true,
+        },
       },
-    },
-    syncPolicy: {
-      automated: {
-        prune: true,
-        selfHeal: true,
+      destination: {
+        server: 'https://kubernetes.default.svc',
+        namespace: namespace,
       },
     },
-    destination: {
-      server: 'https://kubernetes.default.svc',
-      namespace: namespace,
-    },
-  },
-};
+  };
 
 /**
  * \brief `ArgoProject` creates an Argo CD AppProject

tests/golden/syn-teams/argocd/apps-fragrant-flower/00_project.yaml

@@ -0,0 +1,16 @@
+apiVersion: argoproj.io/v1alpha1
+kind: AppProject
+metadata:
+  name: fragrant-flower
+  namespace: syn
+spec:
+  clusterResourceWhitelist:
+    - group: '*'
+      kind: '*'
+  destinations:
+    - namespace: '*'
+      server: https://kubernetes.default.svc
+  orphanedResources:
+    warn: false
+  sourceRepos:
+    - ssh://[email protected]/org/repo.git

tests/golden/syn-teams/argocd/apps-fragrant-flower/01_rootapp.yaml

@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: root-fragrant-flower
+  namespace: syn
+spec:
+  destination:
+    namespace: syn
+    server: https://kubernetes.default.svc
+  project: fragrant-flower
+  source:
+    directory:
+      recurse: true
+    path: manifests/apps-fragrant-flower/
+    repoURL: ssh://[email protected]/org/repo.git
+    targetRevision: HEAD
+  syncPolicy:
+    automated:
+      prune: false
+      selfHeal: true

tests/golden/syn-teams/argocd/apps/00_default-project.yaml

@@ -0,0 +1,14 @@
+apiVersion: argoproj.io/v1alpha1
+kind: AppProject
+metadata:
+  name: default
+  namespace: syn
+spec:
+  clusterResourceWhitelist:
+    - group: '*'
+      kind: '*'
+  destinations:
+    - namespace: '*'
+      server: '*'
+  sourceRepos:
+    - '*'

tests/golden/syn-teams/argocd/apps/00_syn-project.yaml

@@ -0,0 +1,16 @@
+apiVersion: argoproj.io/v1alpha1
+kind: AppProject
+metadata:
+  name: syn
+  namespace: syn
+spec:
+  clusterResourceWhitelist:
+    - group: '*'
+      kind: '*'
+  destinations:
+    - namespace: '*'
+      server: https://kubernetes.default.svc
+  orphanedResources:
+    warn: false
+  sourceRepos:
+    - ssh://[email protected]/org/repo.git