WIP: initial migration of only argocd application related manifests

.aicoe-ci.yaml

@@ -0,0 +1,2 @@
+---
+check: []

.pre-commit-config.yaml

@@ -0,0 +1,43 @@
+---
+exclude: scripts|argocd/overlays/dev/configs|argocd/overlays/moc-infra/configs|.github/workflows
+
+repos:
+  - repo: https://github.com/Lucas-C/pre-commit-hooks
+    rev: v1.1.9
+    hooks:
+      - id: remove-tabs
+
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v3.3.0
+    hooks:
+      - id: trailing-whitespace
+      - id: check-merge-conflict
+      - id: end-of-file-fixer
+      - id: check-added-large-files
+        args:
+          - '--maxkb=600'
+      - id: check-case-conflict
+      - id: check-json
+      - id: check-symlinks
+      - id: detect-private-key
+
+  - repo: https://github.com/adrienverge/yamllint.git
+    rev: v1.25.0
+    hooks:
+      - id: yamllint
+        files: \.(yaml|yml)$
+        types: [file, yaml]
+        entry: yamllint --strict -c yamllint-config.yaml
+
+  - repo: https://github.com/os-climate/osc-trino-acl-dsl
+    rev: v0.3.1
+    hooks:
+      # manage rules.json files using a DSL for trino ACL
+      # this check enforces that rules.json is consistent with dsl file
+      # https://github.com/os-climate/osc-trino-acl-dsl/blob/main/.pre-commit-hooks.yaml
+      - id: trino-acl-dsl-check
+        files: |
+          (?x)^(.*/)?(
+            trino-acl-dsl\.yaml|
+            rules\.json
+          )$

.prow.yaml

@@ -0,0 +1,58 @@
+presubmits:
+  - name: kustomize-build
+    decorate: true
+    max_concurrency: 1
+    skip_if_only_changed: "^docs/|\\.md$|^(OWNERS|LICENSE)$|^\\."
+    skip_report: false
+    context: aicoe-ci/prow/kustomize-build
+    spec:
+      containers:
+        - image: quay.io/operate-first/opf-toolbox:latest
+          command:
+            - "test-kustomize-build"
+          resources:
+            requests:
+              memory: "256Mi"
+              cpu: "1500m"
+            limits:
+              memory: "500Mi"
+              cpu: "2"
+
+  - name: kubeval-validation
+    decorate: true
+    max_concurrency: 1
+    skip_if_only_changed: "^docs/|\\.md$|^(OWNERS|LICENSE)$|^\\."
+    skip_report: false
+    context: aicoe-ci/prow/kubeval-validation
+    spec:
+      containers:
+        - image: quay.io/operate-first/opf-toolbox:latest
+          command:
+            - "test-kubeval-validation"
+          resources:
+            requests:
+              memory: "512Mi"
+              cpu: "1500m"
+            limits:
+              memory: "2Gi"
+              cpu: "2"
+
+  - name: pre-commit
+    decorate: true
+    skip_report: false
+    always_run: true
+    context: aicoe-ci/prow/pre-commit
+    spec:
+      containers:
+        - image: quay.io/thoth-station/thoth-precommit-py38:v0.12.5
+          command:
+            - "pre-commit"
+            - "run"
+            - "--all-files"
+          resources:
+            requests:
+              memory: "500Mi"
+              cpu: "4"
+            limits:
+              memory: "2Gi"
+              cpu: "4"

argocd/cluster-resources/kustomization.yaml

@@ -0,0 +1,13 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../cluster-scope/base/apiextensions.k8s.io/customresourcedefinitions/appprojects.argoproj.io
+- ../../cluster-scope/base/apiextensions.k8s.io/customresourcedefinitions/applications.argoproj.io
+- ../../cluster-scope/base/apiextensions.k8s.io/customresourcedefinitions/applicationsets.argoproj.io
+- ../../cluster-scope/base/rbac.authorization.k8s.io/clusterrolebindings/argocd-server
+- ../../cluster-scope/base/rbac.authorization.k8s.io/clusterrolebindings/argocd-application-controller
+- ../../cluster-scope/base/rbac.authorization.k8s.io/clusterrolebindings/argocd-manager
+- ../../cluster-scope/base/rbac.authorization.k8s.io/clusterroles/argocd-application-controller
+- ../../cluster-scope/base/rbac.authorization.k8s.io/clusterroles/argocd-server
+- ../../cluster-scope/base/rbac.authorization.k8s.io/clusterroles/argocd-proj-apps-aggregate-to-admin
+- ../../cluster-scope/base/rbac.authorization.k8s.io/clusterroles/argocd-events-create-aggregate-to-admin

argocd/overlays/rosa/alerts.yaml

@@ -0,0 +1,37 @@
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+  name: argocd-alerts
+spec:
+  groups:
+    - name: argocd-alerts
+      rules:
+        - alert: ArgoAppSyncFailed
+          expr: argocd_app_sync_total{phase!="Succeeded"} == 1  # Triggered when argocd-application is not succeeded
+          for: 1m
+          labels:
+            severity: warning
+          annotations:
+            summary: "'{{ $labels.name }}' Application has sync phase as '{{ $labels.phase }}'"
+            description: >
+              For the last minute, ArgoCD applications sync status is not succeeded.
+              The `argocd_app_sync_total` metric is the counter for application sync history.
+        - alert: ArgoAppMissing
+          expr: absent(argocd_app_info)                         # Triggered when argocd-application info is not found
+          for: 15m
+          labels:
+            severity: critical
+          annotations:
+            summary: "[ArgoCD] No reported applications"
+            description: >
+              ArgoCD has not reported any applications data for the past 15 minutes which
+              means that it must be down or not functioning properly.
+    - name: argocd-app-alerts
+      rules:
+        - alert: ArgoCDAppOutOfSync
+          expr: argocd_app_info{sync_status="OutOfSync"}  # Triggered when argocd-application is `OutofSync`
+          for: 1m
+          labels:
+            severity: warning
+          annotations:
+            summary: "'{{ $labels.name }}' Application has sync status as '{{ $labels.sync_status }}'"

argocd/overlays/rosa/applications/app-of-apps/app-of-apps-ROSA.yaml

@@ -0,0 +1,17 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: opf-app-of-apps-ROSA
+spec:
+  destination:
+    namespace: argocd
+    name: ROSA
+  project: rosa
+  source:
+    path: argocd/overlays/rosa/applications/envs/rosa
+    repoURL: https://github.com/redhat-et/rosa-apps.git
+    targetRevision: HEAD
+  syncPolicy:
+    syncOptions:
+    - Validate=false
+    - ApplyOutOfSyncOnly=true

argocd/overlays/rosa/applications/app-of-apps/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: argocd
+resources:
+  - app-of-apps-ROSA.yaml

argocd/overlays/rosa/applications/envs/rosa/cluster-management/argocd-projects.yaml

@@ -0,0 +1,19 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: argocd-projects
+spec:
+  destination:
+    name: moc-infra
+    namespace: argocd
+  project: default
+  source:
+    path: argocd/overlays/rosa/projects
+    repoURL: https://github.com/redhat-et/rosa-apps.git
+    targetRevision: HEAD
+  syncPolicy:
+    automated:
+      selfHeal: true
+      prune: true
+    syncOptions:
+    - Validate=false

argocd/overlays/rosa/applications/envs/rosa/cluster-management/argocd.yaml

@@ -0,0 +1,16 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: argocd
+spec:
+  destination:
+    name: moc-infra
+    namespace: argocd
+  project: default
+  source:
+    path: argocd/overlays/rosa
+    repoURL: https://github.com/redhat-et/rosa-apps.git
+    targetRevision: HEAD
+  syncPolicy:
+    syncOptions:
+      - Validate=false

argocd/overlays/rosa/applications/envs/rosa/cluster-management/cert-manager.yaml

@@ -0,0 +1,13 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: cert-manager
+spec:
+  destination:
+    name: moc-infra
+    namespace: openshift-ingress
+  project: cluster-management
+  source:
+    repoURL: https://github.com/operate-first/apps.git
+    path: cert-manager/overlays/moc/infra
+    targetRevision: HEAD

argocd/overlays/rosa/applications/envs/rosa/cluster-management/cluster-resources.yaml

@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: cluster-resources
+spec:
+  destination:
+    name: moc-infra
+    namespace: open-cluster-management-agent
+  project: cluster-management
+  source:
+    path: cluster-scope/overlays/prod/moc/infra
+    repoURL: https://github.com/operate-first/apps.git
+    targetRevision: HEAD
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+    - Validate=false
+    - ApplyOutOfSyncOnly=true

argocd/overlays/rosa/applications/envs/rosa/cluster-management/kustomization.yaml

@@ -0,0 +1,13 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - acm.yaml
+  - alertreceiver.yaml
+  - argocd-notifications.yaml
+  - argocd-projects.yaml
+  - argocd.yaml
+  - cert-manager.yaml
+  - cluster-resources.yaml
+  - external-secrets.yaml
+  - kubevirt-hyperconverged.yaml
+  - odf-fake-metrics-exporter.yaml

argocd/overlays/rosa/applications/envs/rosa/kustomization.yaml

@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: argocd
+resources:
+  - cluster-management
+
+nameSuffix: -rosa

argocd/overlays/rosa/applications/kustomization.yaml

@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  # Note that we don't include `env` here because
+  # the Applications deployed from `app-of-apps` dir
+  # will auto deploy the applications in `env`
+  - app-of-apps

argocd/overlays/rosa/configs/argo_cm/configManagementPlugins

@@ -0,0 +1,4 @@
+- name: helmSecrets
+  generate:
+    command: ["/bin/sh", "-c"]
+    args: ["helm secrets template $VALUES_FILES . | sed '/^removed/d'"]

argocd/overlays/rosa/configs/argo_cm/envs

@@ -0,0 +1,5 @@
+admin.enabled=true
+url=https://argocd.rosa.cloud
+users.anonymous.enabled=false
+statusbadge.enabled=true
+accounts.backstage=apiKey

argocd/overlays/rosa/configs/argo_cm/globalProjects

@@ -0,0 +1,7 @@
+- labelSelector:
+    matchExpressions:
+      - key: project-template
+        operator: In
+        values:
+          - global
+  projectName: global-project

argocd/overlays/rosa/configs/argo_cm/resource.exclusions

@@ -0,0 +1,13 @@
+- apiGroups:
+  - "tekton.dev"
+  kinds:
+  - "PipelineRun"
+  - "TaskRun"
+  clusters:
+  - "*"
+- apiGroups:
+  - "internal.open-cluster-management.io"
+  kinds:
+  - "ManagedClusterInfo"
+  clusters:
+  - "*"

argocd/overlays/rosa/configs/argo_rbac_cm/policy.csv

@@ -0,0 +1,26 @@
+# Define a standard user template that has read access to argocd resources
+p, role:standard-user, certificates, get, *, allow
+p, role:standard-user, clusters, get, *, allow
+p, role:standard-user, repositories, get, *, allow
+p, role:standard-user, projects, get, *, allow
+p, role:standard-user, accounts, get, *, allow
+p, role:standard-user, gpgkeys, get, *, allow
+
+# Give Openshift group (argocd-admins) the argocd admin role with unrestricted argocd access
+g, argocd-admins, role:admin
+
+# Give Openshift group (argocd-readonly) the argocd admin readonly for read access
+# to all resources.
+g, argocd-readonly, role:readonly
+
+# Give read access to argocd resources for standard users
+g, thoth, role:standard-user
+g, data-science, role:standard-user
+g, lab-cicd, role:standard-user
+g, apicurio, role:standard-user
+g, sre, role:standard-user
+g, fybrik, role:standard-user
+g, tremor-demo, role:standard-user
+g, copilot-ops, role:standard-user
+g, backstage, role:readonly
+g, kepler-admins, role:standard-user

argocd/overlays/rosa/configs/argo_rbac_cm/policy.default

@@ -0,0 +1 @@
+role:readonly-public

argocd/overlays/rosa/externalsecrets/auth/argocd-dex-server-oauth-token.yaml

@@ -0,0 +1,18 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: argocd-dex-server-oauth-token
+spec:
+  secretStoreRef:
+    name: opf-vault-store
+    kind: SecretStore
+  target:
+    name: argocd-dex-server-oauth-token
+    template:
+      engineVersion: v2
+      metadata:
+        annotations:
+          kubernetes.io/service-account.name: argocd-dex-server
+  dataFrom:
+    - extract:
+        key: moc/infra/argocd/argocd-dex-server-oauth-token

argocd/overlays/rosa/externalsecrets/auth/argocd-secret.yaml

@@ -0,0 +1,13 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: argocd-secret
+spec:
+  secretStoreRef:
+    name: opf-vault-store
+    kind: SecretStore
+  target:
+    name: argocd-secret
+  dataFrom:
+    - extract:
+        key: moc/infra/argocd/argocd-secret

argocd/overlays/rosa/externalsecrets/auth/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - argocd-dex-server-oauth-token.yaml
+  - argocd-secret.yaml

argocd/overlays/rosa/externalsecrets/clusters/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - rosa.yaml