Orchestrator chart merged to rhdh

Author: elai-shalev

charts/backstage/README.md

@@ -191,6 +191,23 @@ Kubernetes: `>= 1.25.0-0`
 | global.dynamic.includes[0] | List of dynamic plugins included inside the `janus-idp/backstage-showcase` container image, some of which are disabled by default. This file ONLY works with the `janus-idp/backstage-showcase` container image. | string | `"dynamic-plugins.default.yaml"` |
 | global.dynamic.plugins | List of dynamic plugins, possibly overriding the plugins listed in `includes` files. Every item defines the plugin `package` as a [NPM package spec](https://docs.npmjs.com/cli/v10/using-npm/package-spec), an optional `pluginConfig` with plugin-specific backstage configuration, and an optional `disabled` flag to disable/enable a plugin listed in `includes` files. It also includes an `integrity` field that is used to verify the plugin package [integrity](https://w3c.github.io/webappsec-subresource-integrity/#integrity-metadata-description). | list | `[]` |
 | global.host | Custom hostname shorthand, overrides `global.clusterRouterBase`, `upstream.ingress.host`, `route.host`, and url values in `upstream.backstage.appConfig`. | string | `""` |
+| orchestrator.enabled |  | bool | `true` |
+| orchestrator.orchestrator.sonataflowPlatform.eventing.broker.name |  | string | `""` |
+| orchestrator.orchestrator.sonataflowPlatform.eventing.broker.namespace |  | string | `""` |
+| orchestrator.orchestrator.sonataflowPlatform.monitoring.enabled |  | bool | `true` |
+| orchestrator.orchestrator.sonataflowPlatform.resources.limits.cpu |  | string | `"500m"` |
+| orchestrator.orchestrator.sonataflowPlatform.resources.limits.memory |  | string | `"1Gi"` |
+| orchestrator.orchestrator.sonataflowPlatform.resources.requests.cpu |  | string | `"250m"` |
+| orchestrator.orchestrator.sonataflowPlatform.resources.requests.memory |  | string | `"64Mi"` |
+| orchestrator.postgres.authSecret.name |  | string | `"sonataflow-psql-postgresql"` |
+| orchestrator.postgres.authSecret.passwordKey |  | string | `"postgres-password"` |
+| orchestrator.postgres.authSecret.userKey |  | string | `"postgres-username"` |
+| orchestrator.postgres.database |  | string | `"sonataflow"` |
+| orchestrator.postgres.serviceName |  | string | `"sonataflow-psql-postgresql"` |
+| orchestrator.postgres.serviceNamespace |  | string | `""` |
+| orchestrator.rhdhPlugins.npmRegistry |  | string | `""` |
+| orchestrator.serverlessLogicOperator.enabled |  | bool | `true` |
+| orchestrator.serverlessOperator.enabled |  | bool | `true` |
 | route | OpenShift Route parameters | object | `{"annotations":{},"enabled":true,"host":"{{ .Values.global.host }}","path":"/","tls":{"caCertificate":"","certificate":"","destinationCACertificate":"","enabled":true,"insecureEdgeTerminationPolicy":"Redirect","key":"","termination":"edge"},"wildcardPolicy":"None"}` |
 | route.annotations | Route specific annotations | object | `{}` |
 | route.enabled | Enable the creation of the route resource | bool | `true` |

charts/backstage/templates/_helpers.tpl

@@ -48,3 +48,55 @@ Referenced from: https://github.com/bitnami/charts/blob/main/bitnami/postgresql/
         {{- printf "%s" (include "common.names.fullname" .) -}}
     {{- end -}}
 {{- end -}}
+
+{{/* Helepr functions */}}
+
+{{- define "unmanaged-resource-exists" -}}
+    {{- $api := index . 0 -}}
+    {{- $kind := index . 1 -}}
+    {{- $namespace := index . 2 -}}
+    {{- $name := index . 3 -}}
+    {{- $releaseName := index . 4 -}}
+    {{- $apiCapabilities := index . 5 -}}
+    {{- $unmanagedSubscriptionExists := "true" -}}
+    {{- if $apiCapabilities.Has (printf "%s/%s" $api $kind) }}
+        {{- $existingOperator := lookup $api $kind $namespace $name -}}
+        {{- if empty $existingOperator -}}
+            {{- "false" -}}
+        {{- else -}}
+            {{- $isManagedResource := include "is-managed-resource" (list $existingOperator $releaseName) -}}
+            {{- if eq $isManagedResource "true" -}}
+                {{- "false" -}}
+            {{- else -}}
+                {{- "true" -}}
+            {{- end -}}
+        {{- end -}}
+    {{- else -}}
+        {{- "false" -}}
+    {{- end -}}
+{{- end -}}
+
+{{- define "is-managed-resource" -}}
+    {{- $resource := index . 0 -}}
+    {{- $releaseName := index . 1 -}}
+    {{- $resourceReleaseName := dig "metadata" "annotations" (dict "meta.helm.sh/release-name" "NA") $resource -}}
+    {{- if eq (get $resourceReleaseName "meta.helm.sh/release-name") $releaseName -}}
+        {{- "true" -}}
+    {{- else -}}
+        {{- "false" -}}
+    {{- end -}}
+{{- end -}}
+
+{{- define "cluster.domain" -}}
+    {{- if .Capabilities.APIVersions.Has "config.openshift.io/v1/Ingress" -}}
+        {{- $cluster := (lookup "config.openshift.io/v1" "Ingress" "" "cluster") -}}
+        {{- if and (hasKey $cluster "spec") (hasKey $cluster.spec "domain") -}}
+            {{- printf "%s" $cluster.spec.domain -}}
+        {{- else -}}
+            {{ fail "Unable to obtain cluster domain, OCP Ingress Resource is missing the `spec.domain` field." }}
+        {{- end }}
+    {{- else -}}
+        {{ fail "Unable to obtain cluster domain, config.openshift.io/v1/Ingress is missing" }}
+    {{- end -}}
+{{- end -}}
+

charts/backstage/templates/dynamic-plugins-configmap.yaml

@@ -3,6 +3,92 @@ kind: ConfigMap
 metadata:
   name: {{ printf "%s-dynamic-plugins" .Release.Name }}
 data:
+  {{- $dynamic := .Values.global.dynamic }}
+  {{- $plugins := .Values.global.dynamic.plugins }}
   dynamic-plugins.yaml: |
-    {{- include "common.tplvalues.render" ( dict "value"
-    .Values.global.dynamic "context" $) | nindent 4 }}
+    {{- if .Values.orchestrator.enabled }}
+      {{- $orchestratorPlugins := include "orchestrator.plugins" . | fromYaml }} 
+      {{- range $orchestratorPlugins.plugins }} 
+        {{- $plugins = append $plugins . }} 
+      {{- end }}
+    {{- $dynamic = merge $dynamic (dict "plugins" $plugins) }}
+    {{- end }}
+  {{- include "common.tplvalues.render" (dict "value" $dynamic "context" $) | nindent 4 }}
+  
+{{- if .Values.orchestrator.enabled }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: dynamic-plugins-npmrc
+  namespace: {{ .Release.Namespace | quote }}
+type: Opaque
+stringData:
+  .npmrc: |
+    registry={{ .Values.orchestrator.rhdhPlugins.npmRegistry }}
+{{- end }}
+---
+{{- define "orchestrator.plugins" }}
+plugins:
+- disabled: false
+  package: "{{ include "orchestrator.plugins.config" . | fromYaml | dig "orchestratorPlugins" "scope" }}/{{ include "orchestrator.plugins.config" . | fromYaml | dig "orchestratorPlugins" "orchestratorBackend" "package" }}"
+  integrity: "{{ include "orchestrator.plugins.config" . | fromYaml | dig "orchestratorPlugins" "orchestratorBackend" "integrity" }}"
+  pluginConfig:
+    orchestrator:
+      dataIndexService:
+        url: http://sonataflow-platform-data-index-service.{{ .Release.Namespace }}
+- disabled: false
+  package: "{{ include "orchestrator.plugins.config" . | fromYaml | dig "orchestratorPlugins" "scope" }}/{{ include "orchestrator.plugins.config" . | fromYaml | dig "orchestratorPlugins" "orchestrator" "package" }}"
+  integrity: "{{ include "orchestrator.plugins.config" . | fromYaml | dig "orchestratorPlugins" "orchestrator" "integrity" }}"
+  pluginConfig:
+    dynamicPlugins:
+      frontend:
+        red-hat-developer-hub.backstage-plugin-orchestrator:
+          appIcons:
+            - importName: OrchestratorIcon
+              module: OrchestratorPlugin
+              name: orchestratorIcon
+          dynamicRoutes:
+            - importName: OrchestratorPage
+              menuItem:
+                icon: orchestratorIcon
+                text: Orchestrator
+              module: OrchestratorPlugin
+              path: /orchestrator
+- disabled: true
+  package: ./dynamic-plugins/dist/backstage-plugin-notifications
+  pluginConfig:
+    dynamicPlugins:
+      frontend:
+        backstage.plugin-notifications:
+          dynamicRoutes:
+            - importName: NotificationsPage
+              menuItem:
+                config:
+                  props:
+                    titleCounterEnabled: true
+                    webNotificationsEnabled: false
+                importName: NotificationsSidebarItem
+              path: /notifications
+- disabled: true
+  package: ./dynamic-plugins/dist/backstage-plugin-signals
+  pluginConfig:
+    dynamicPlugins:
+      frontend:
+        backstage.plugin-signals: {}
+- disabled: true
+  package: ./dynamic-plugins/dist/backstage-plugin-notifications-backend-dynamic
+- disabled: true
+  package: ./dynamic-plugins/dist/backstage-plugin-signals-backend-dynamic
+{{- end }}
+---
+{{- define "orchestrator.plugins.config" }}
+orchestratorPlugins: 
+    scope: "https://github.com/rhdhorchestrator/orchestrator-plugins-internal-release/releases/download/1.4.0"
+    orchestrator:
+      package: "backstage-plugin-orchestrator-1.4.0.tgz"
+      integrity: sha512-2yasbfBZ3iKntArIfK+hk9tvv4b/dy9+WKXOcWIotqkI1gv+Nhvy+m55KAUWi2vmfM0rj3EoG6YP+3Zajn1KyA==
+    orchestratorBackend:
+      package: "backstage-plugin-orchestrator-backend-dynamic-1.4.0.tgz"
+      integrity: sha512-2aOHDLFrGMAtyHFiyGZwVBZ9Op+TmKYUwfZxwoaGJ1s6JSy/0qgqineEEE0K3dn/f17XBUj+H1dwa5Al598Ugw==
+{{- end }}

charts/backstage/templates/knatives.yaml

@@ -0,0 +1,32 @@
+{{- if and .Values.orchestrator.enabled .Values.orchestrator.serverlessOperator.enabled }}
+  {{- $knativeServing := lookup "operator.knative.dev/v1beta1" "KnativeServing" "knative-serving" "knative-serving" }}
+  {{- if not $knativeServing }}
+---
+apiVersion: operator.knative.dev/v1beta1
+kind: KnativeServing
+metadata:
+  name: knative-serving
+  namespace: knative-serving
+  annotations:
+    "meta.helm.sh/release-name": {{ .Release.Name }}
+spec:
+  controller-custom-certs:
+    name: ""
+    type: ""
+  registry: {}
+  {{- end }}
+
+  {{- $knativeEventing := lookup "operator.knative.dev/v1beta1" "KnativeEventing" "knative-eventing" "knative-eventing" }}
+  {{- if not $knativeEventing }}
+---
+apiVersion: operator.knative.dev/v1beta1
+kind: KnativeEventing
+metadata:
+  name: knative-eventing
+  namespace: knative-eventing
+  annotations:
+    "meta.helm.sh/release-name": {{ .Release.Name }}
+spec:
+  Registry: {}
+  {{- end }}
+{{- end }}

charts/backstage/templates/network-policies.yaml

@@ -0,0 +1,74 @@
+{{- if .Values.orchestrator.serverlessLogicOperator.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-knative-to-sonataflow-and-workflows
+  # Sonataflow and Workflows are using the RHDH target namespace.
+  namespace: {{ .Release.Namespace | quote }}
+spec:
+  podSelector: {}
+  ingress:
+    - from:
+      - namespaceSelector:
+          matchLabels:
+            # Allow knative events to be delivered to workflows.
+            kubernetes.io/metadata.name: knative-eventing
+      - namespaceSelector:
+          matchLabels:
+            # Allow auxiliary knative function for workflow (such as m2k-save-transformation)
+            kubernetes.io/metadata.name: knative-serving
+---
+# NetworkPolicy to unblock incoming traffic to the namespace
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-external-communication
+  namespace: {{ .Release.Namespace | quote }}
+spec:
+  podSelector: {}
+  ingress:
+    - from:
+      - namespaceSelector:
+          matchLabels:
+            # Allow knative events to be delivered to workflows.
+            kubernetes.io/metadata.name: openshift-ingress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-intra-network
+  namespace: {{ .Release.Namespace | quote }}
+spec:
+  # Apply this policy to all pods in the namespace
+  podSelector: {}
+  # Specify policy type as 'Ingress' to control incoming traffic rules
+  policyTypes:
+    - Ingress
+  ingress:
+    - from:
+      # Allow ingress from any pod within the same namespace
+      - podSelector: {}
+
+
+{{- end }}
+---
+{{- if .Values.orchestrator.orchestrator.sonataflowPlatform.monitoring.enabled }}
+# NetworkPolicy to allow openshift-user-workload-monitoring pods to access all pods within the workflow's namespace
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-monitoring-to-sonataflow-and-workflows
+  namespace: {{ .Release.Namespace | quote }}
+spec:
+  # Apply this policy to all pods in the namespace
+  podSelector: {}
+  # Specify policy type as 'Ingress' to control incoming traffic rules
+  policyTypes:
+    - Ingress
+  ingress:
+    - from:
+      - namespaceSelector:
+          matchLabels:
+            # Allow openshift-user-workload-monitoring pods to access the workflow.
+            kubernetes.io/metadata.name: openshift-user-workload-monitoring
+{{- end }}

charts/backstage/templates/sonataflows.yaml

@@ -0,0 +1,65 @@
+{{- if and .Values.orchestrator.enabled .Values.orchestrator.serverlessLogicOperator.enabled }}
+{{- $workflowNamespace := .Release.Namespace }}
+---
+apiVersion: sonataflow.org/v1alpha08
+kind: SonataFlowPlatform
+metadata:
+  name: sonataflow-platform
+  namespace: {{ $workflowNamespace }}
+  annotations:
+    "meta.helm.sh/release-name": {{ .Release.Name}}
+spec:
+  monitoring:
+    enabled: {{ .Values.orchestrator.orchestrator.sonataflowPlatform.monitoring.enabled }}
+  build:
+    template:
+      resources:
+        requests:
+          memory: {{ .Values.orchestrator.orchestrator.sonataflowPlatform.resources.requests.memory }}
+          cpu: {{ .Values.orchestrator.orchestrator.sonataflowPlatform.resources.requests.cpu }}
+        limits:
+          memory: {{ .Values.orchestrator.orchestrator.sonataflowPlatform.resources.limits.memory }}
+          cpu: {{ .Values.orchestrator.orchestrator.sonataflowPlatform.resources.limits.cpu }}
+  {{- if (and (.Values.orchestrator.orchestrator.sonataflowPlatform.eventing.broker.name) (.Values.orchestrator.orchestrator.sonataflowPlatform.eventing.broker.namespace)) }}
+  eventing:
+    broker:
+      ref:
+        apiVersion: eventing.knative.dev/v1
+        kind: Broker
+        name: {{ .Values.orchestrator.orchestrator.sonataflowPlatform.eventing.broker.name }}
+        namespace: {{ .Values.orchestrator.orchestrator.sonataflowPlatform.eventing.broker.namespace }}
+  {{- end }}
+  services:
+    dataIndex:
+      enabled: true
+      persistence:
+        postgresql:
+          secretRef:
+            name: {{ .Values.orchestrator.postgres.authSecret.name }}
+            userKey: {{ .Values.orchestrator.postgres.authSecret.userKey }}
+            passwordKey: {{ .Values.orchestrator.postgres.authSecret.passwordKey }}
+          serviceRef:
+            name: {{ .Values.orchestrator.postgres.serviceName }}
+            namespace: {{ .Values.orchestrator.postgres.serviceNamespace }}
+      {{- if .Values.orchestrator.orchestrator.sonataflowPlatform.dataIndexImage }}
+      podTemplate:
+        container:
+          image: {{ .Values.orchestrator.orchestrator.sonataflowPlatform.dataIndexImage }}
+      {{- end }}
+    jobService:
+      enabled: true
+      persistence:
+        postgresql:
+          secretRef:
+            name: {{ .Values.orchestrator.postgres.authSecret.name }}
+            userKey: {{ .Values.orchestrator.postgres.authSecret.userKey }}
+            passwordKey: {{ .Values.orchestrator.postgres.authSecret.passwordKey }}
+          serviceRef:
+            name: {{ .Values.orchestrator.postgres.serviceName }}
+            namespace: {{ .Values.orchestrator.postgres.serviceNamespace }}
+      {{- if .Values.orchestrator.orchestrator.sonataflowPlatform.jobServiceImage }}
+      podTemplate:
+        container:
+          image: {{ .Values.orchestrator.orchestrator.sonataflowPlatform.jobServiceImage }}
+      {{- end }}
+{{- end }}