Merge pull request #11 from rh-mobb/foster/acm-stuff

foster-rh · web-flow · commit 2a470dcfcd7e · 2026-03-16T12:46:09.000+11:00
Foster/acm stuff
diff --git a/charts/app-of-apps-acm-team-onboarding/Chart.yaml b/charts/app-of-apps-acm-team-onboarding/Chart.yaml
@@ -0,0 +1,7 @@
+apiVersion: v2
+name: app-of-apps-acm-team-onboarding
+description: Chart to onboard teams on an ACM hub with AppProjects, RBAC, and placement infrastructure for spoke deployment via ApplicationSets
+version: 0.1.0
+home: https://rh-mobb.github.io/validated-pattern-helm-charts/
+maintainers:
+  - name: rh-mobb
diff --git a/charts/app-of-apps-acm-team-onboarding/templates/appproject.yaml b/charts/app-of-apps-acm-team-onboarding/templates/appproject.yaml
@@ -0,0 +1,41 @@
+{{ range $app := .Values.applications }}
+{{ if $app.gitopsCreate }}
+---
+apiVersion: argoproj.io/v1alpha1
+kind: AppProject
+metadata:
+  name: {{ $app.apmnum }}-{{ $app.appserviceNumber }}-project
+  namespace: {{ $.Values.gitopsNamespace }}
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  description: "{{ $app.apmnum }}-{{ $app.appserviceNumber }} team project (ACM spoke deployment)"
+  sourceNamespaces:
+    - {{ $app.apmnum }}-{{ $app.appserviceNumber }}-team
+  sourceRepos:
+    {{- toYaml $app.appProject.repos | nindent 4 }}
+  clusterResourceWhitelist:
+    - group: ''
+      kind: Namespace
+  destinations:
+    {{- range $ns := $app.appProject.spokeNamespaces }}
+    - namespace: {{ $ns }}
+      server: 'https://kubernetes.default.svc'
+    {{- end }}
+  {{- if $app.appProject.destinations }}
+    {{- toYaml $app.appProject.destinations | nindent 4 }}
+  {{- end }}
+  roles:
+  {{- if $app.appProject.roles }}
+    {{- toYaml $app.appProject.roles | nindent 4 }}
+  {{- else }}
+    - name: team-appset-admin
+      description: "Allows {{ $app.appProject.adGroup }} to manage applications and applicationsets"
+      policies:
+        - "p, proj:{{ $app.apmnum }}-{{ $app.appserviceNumber }}-project:team-appset-admin, applications, *, {{ $app.apmnum }}-{{ $app.appserviceNumber }}-project/*, allow"
+        - "p, proj:{{ $app.apmnum }}-{{ $app.appserviceNumber }}-project:team-appset-admin, applicationsets, *, {{ $app.apmnum }}-{{ $app.appserviceNumber }}-project/*, allow"
+      groups:
+        - {{ $app.appProject.adGroup }}
+  {{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/app-of-apps-acm-team-onboarding/templates/clusterrolebinding.yaml b/charts/app-of-apps-acm-team-onboarding/templates/clusterrolebinding.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ .Values.gitopsNamespace }}-applicationset-placementdecision-reader
+  annotations:
+    argocd.argoproj.io/sync-wave: "10"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: applicationset-placementdecision-reader
+subjects:
+  - kind: ServiceAccount
+    name: {{ .Values.gitopsNamespace }}-applicationset-controller
+    namespace: {{ .Values.gitopsNamespace }}
diff --git a/charts/app-of-apps-acm-team-onboarding/templates/managedclusterset-binding.yaml b/charts/app-of-apps-acm-team-onboarding/templates/managedclusterset-binding.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: cluster.open-cluster-management.io/v1beta2
+kind: ManagedClusterSetBinding
+metadata:
+  name: global
+  namespace: {{ .Values.gitopsNamespace }}
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+  annotations:
+    argocd.argoproj.io/sync-wave: "10"
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+spec:
+  clusterSet: global
diff --git a/charts/app-of-apps-acm-team-onboarding/templates/namespace.yaml b/charts/app-of-apps-acm-team-onboarding/templates/namespace.yaml
@@ -0,0 +1,18 @@
+{{ range $app := .Values.applications }}
+{{ if $app.gitopsCreate }}
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: {{ $app.apmnum }}-{{ $app.appserviceNumber }}-team
+  labels:
+    argocd.argoproj.io/managed-by: {{ $.Values.gitopsNamespace }}
+    {{- if $app.labels }}
+    {{- toYaml $app.labels | nindent 4 }}
+    {{- end }}
+  {{- if $app.annotations }}
+  annotations:
+    {{- toYaml $app.annotations | nindent 4 }}
+  {{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/app-of-apps-acm-team-onboarding/templates/placement.yaml b/charts/app-of-apps-acm-team-onboarding/templates/placement.yaml
@@ -0,0 +1,43 @@
+---
+apiVersion: cluster.open-cluster-management.io/v1beta1
+kind: Placement
+metadata:
+  name: all-spoke-clusters
+  namespace: {{ .Values.gitopsNamespace }}
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+  annotations:
+    argocd.argoproj.io/sync-wave: "10"
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+spec:
+  clusterSets:
+    - global
+  predicates:
+    - requiredClusterSelector:
+        labelSelector:
+          matchExpressions:
+            - key: acm
+              operator: In
+              values:
+                - spoke
+  decisionStrategy:
+    groupStrategy:
+      clustersPerDecisionGroup: 100
+      decisionGroups:
+        - groupName: spoke-clusters
+          groupClusterSelector:
+            labelSelector:
+              matchLabels: {}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: acm-placement
+  namespace: {{ .Values.gitopsNamespace }}
+  annotations:
+    argocd.argoproj.io/sync-wave: "10"
+data:
+  apiVersion: cluster.open-cluster-management.io/v1beta1
+  kind: placementdecisions
+  statusListKey: decisions
+  matchKey: clusterName
diff --git a/charts/app-of-apps-acm-team-onboarding/templates/role.yaml b/charts/app-of-apps-acm-team-onboarding/templates/role.yaml
@@ -0,0 +1,45 @@
+{{ range $app := .Values.applications }}
+{{ if $app.gitopsCreate }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ $app.apmnum }}-{{ $app.appserviceNumber }}-appset-admin
+  namespace: {{ $app.apmnum }}-{{ $app.appserviceNumber }}-team
+rules:
+  - apiGroups:
+      - argoproj.io
+    resources:
+      - applicationsets
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - patch
+      - delete
+  - apiGroups:
+      - argoproj.io
+    resources:
+      - applications
+    verbs:
+      - get
+      - list
+      - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ $app.apmnum }}-{{ $app.appserviceNumber }}-appset-admin
+  namespace: {{ $app.apmnum }}-{{ $app.appserviceNumber }}-team
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ $app.apmnum }}-{{ $app.appserviceNumber }}-appset-admin
+subjects:
+  - apiGroup: rbac.authorization.k8s.io
+    kind: Group
+    name: {{ $app.appProject.adGroup }}
+{{- end }}
+{{- end }}
diff --git a/charts/app-of-apps-acm-team-onboarding/values.yaml b/charts/app-of-apps-acm-team-onboarding/values.yaml
@@ -0,0 +1,15 @@
+gitopsNamespace: application-gitops
+
+# applications:
+#   - name: istio-demo
+#     apmnum: "istio"
+#     appserviceNumber: "demo"
+#     gitopsCreate: true
+#     appProject:
+#       adGroup: PFAUTHAD
+#       repos:
+#         - 'https://rh-mobb.github.io/validated-pattern-helm-charts'
+#         - 'https://github.com/rh-mobb/rosa-cluster-config.git'
+#       spokeNamespaces:
+#         - istio-system
+#         - istio-demo
diff --git a/charts/application-gitops/Chart.yaml b/charts/application-gitops/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v1
 description: Chart to generate argocd apps
 name: application-gitops
-version: 1.5.0
+version: 1.5.1
 home: https://rh-mobb.github.io/validated-pattern-helm-charts/
 maintainers:
   - name: rh-mobb
diff --git a/charts/application-gitops/templates/argocd-crd.yaml b/charts/application-gitops/templates/argocd-crd.yaml
@@ -13,6 +13,14 @@ spec:
   - '*-team'
   - application-gitops
   applicationInstanceLabelKey: argocd.argoproj.io/instance
+  applicationSet:
+    resources:
+      limits:
+        cpu: '1'
+        memory: 512Mi
+      requests:
+        cpu: 250m
+        memory: 256Mi
   controller:
     processors: {}
     resources:
diff --git a/charts/cluster-bootstrap/Chart.yaml b/charts/cluster-bootstrap/Chart.yaml
@@ -8,4 +8,4 @@ dependencies:
   version: 1.4.0
 description: Chart to kick off gitops installation and bootstrapping of blue print
 name: cluster-bootstrap
-version: 0.5.7
+version: 0.5.8
diff --git a/charts/cluster-bootstrap/values.yaml b/charts/cluster-bootstrap/values.yaml
@@ -61,7 +61,7 @@ argocd:
     helmRepoUrl: https://rh-mobb.github.io/validated-pattern-helm-charts/
     chart: app-of-apps-application
     project: application-ns-project
-    targetRevision: 1.5.4
+    targetRevision: 1.5.5
     gitRepoUrl: https://github.com/rosa-hcp-dedicated-vpc/cluster-config.git
     adGroup: PFAUTHAD
     gitPathFile: /applications-ns.yaml
