From 99b8a3465e9339c02f52fd1f014099f152df133f Mon Sep 17 00:00:00 2001 From: Philip Kotliyakov Date: Mon, 25 Aug 2025 07:05:53 +0300 Subject: [PATCH 01/20] add parsing of the new single namespace var to cm and env var --- .../cap-app-proxy/_all_resources.yaml | 2 ++ .../_components/cap-app-proxy/_config.yaml | 1 + .../cap-app-proxy/argo-cd/_all.yaml | 3 ++ .../cap-app-proxy/argo-cd/_role.yaml | 28 +++++++++++++++++++ .../cap-app-proxy/argo-cd/_rolebinding.yaml | 20 +++++++++++++ .../_main-container.yaml | 7 +++++ .../_components/gitops-operator/_env.yaml | 1 + .../gitops-operator/crds/_all.yaml | 2 ++ .../gitops-operator/rbac/_all.yaml | 2 ++ .../templates/codefresh-cm.yaml | 1 + charts/gitops-runtime/values.yaml | 2 ++ 11 files changed, 69 insertions(+) create mode 100644 charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_all.yaml create mode 100644 charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_role.yaml create mode 100644 charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_rolebinding.yaml diff --git a/charts/gitops-runtime/templates/_components/cap-app-proxy/_all_resources.yaml b/charts/gitops-runtime/templates/_components/cap-app-proxy/_all_resources.yaml index 479914c4..ff455cf5 100644 --- a/charts/gitops-runtime/templates/_components/cap-app-proxy/_all_resources.yaml +++ b/charts/gitops-runtime/templates/_components/cap-app-proxy/_all_resources.yaml @@ -10,4 +10,6 @@ {{ include "cap-app-proxy.resources.service" . }} --- {{ include "cap-app-proxy.resources.sa" .}} +--- + {{ include "argo-cd.namespaced-rbac.all" . }} {{- end }} \ No newline at end of file diff --git a/charts/gitops-runtime/templates/_components/cap-app-proxy/_config.yaml b/charts/gitops-runtime/templates/_components/cap-app-proxy/_config.yaml index 7751eb84..7160728f 100644 --- a/charts/gitops-runtime/templates/_components/cap-app-proxy/_config.yaml +++ b/charts/gitops-runtime/templates/_components/cap-app-proxy/_config.yaml 
@@ -11,6 +11,7 @@ env: {{ .Values.config.env | quote}} isConfigurationRuntime: {{ .Values.global.runtime.isConfigurationRuntime | quote }} isExternalArgoCD: {{ .Values.global.runtime.isExternalArgoCD | quote }} runtimeName: {{ required "global.runtime.name is required" .Values.global.runtime.name | quote}} +runtimeSingleNamespace: {{ .Values.app-proxy.singleNamespace | quote }} skipGitPermissionValidation: {{ .Values.config.skipGitPermissionValidation | quote }} logLevel: {{ .Values.config.logLevel | quote }} {{- $enrichmentValues := get .Values "image-enrichment" }} diff --git a/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_all.yaml b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_all.yaml new file mode 100644 index 00000000..1cc7a702 --- /dev/null +++ b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_all.yaml @@ -0,0 +1,3 @@ +{{- include "argo-cd.namespaced-rbac.role" . }} +--- +{{- include "argo-cd.namespaced-rbac.rolebinding" . }} \ No newline at end of file diff --git a/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_role.yaml b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_role.yaml new file mode 100644 index 00000000..7a7a97ef --- /dev/null +++ b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_role.yaml 
@@ -0,0 +1,28 @@ +{{- if .Values.app-proxy.singleNamespace }} +{{- define "argo-cd.namespaced-rbac.role" }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: argocd-namespaced-role + namespace: {{ .Release.Namespace }} + labels: + {{- include "codefresh-gitops-runtime.labels" . | nindent 4 }} + codefresh.io/component: argocd-namespaced-rbac +rules: +- apiGroups: [""] + resources: ["pods", "services", "endpoints", "persistentvolumeclaims", "events", "configmaps", "secrets", "serviceaccounts"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] +- apiGroups: ["apps"] + resources: ["deployments", "replicasets", "statefulsets", "daemonsets"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] +- apiGroups: ["batch"] + resources: ["jobs", "cronjobs"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] +- apiGroups: ["networking.k8s.io"] + resources: ["ingresses", "networkpolicies"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] +- apiGroups: ["rbac.authorization.k8s.io"] + resources: ["roles", "rolebindings"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_rolebinding.yaml b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_rolebinding.yaml new file mode 100644 index 00000000..32a593f9 --- /dev/null +++ b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_rolebinding.yaml 
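Review bot: The Role grants the full verb set, including `delete`, on `secrets`, `serviceaccounts`, `roles` and `rolebindings` in the release namespace, which amounts to namespace-admin for whatever is bound to it, and nothing in the hunk records which of these the consumer actually needs. Add a comment above `rules:` naming the consumer and why each API group is listed, and drop verbs that are not required; `rbac.authorization.k8s.io` and `serviceaccounts` are the ones that let a bound subject hand its own permissions to further subjects. The `{{- if }}` wrapped around the `define` is reworked later in this series, so it is not repeated here. The fixed `name: argocd-namespaced-role` would also collide if two releases share a namespace; consider including the release name.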
@@ -0,0 +1,20 @@ +{{- if .Values.app-proxy.singleNamespace }} +{{- define "argo-cd.namespaced-rbac.rolebinding" }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: argocd-namespaced-rolebinding + namespace: {{ .Release.Namespace }} + labels: + {{- include "codefresh-gitops-runtime.labels" . | nindent 4 }} + codefresh.io/component: argocd-namespaced-rbac +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: argocd-namespaced-role +subjects: +- kind: ServiceAccount + name: default + namespace: {{ .Release.Namespace }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gitops-runtime/templates/_components/cap-app-proxy/environment-variables/_main-container.yaml b/charts/gitops-runtime/templates/_components/cap-app-proxy/environment-variables/_main-container.yaml index f59f769e..b00b6afb 100644 --- a/charts/gitops-runtime/templates/_components/cap-app-proxy/environment-variables/_main-container.yaml +++ b/charts/gitops-runtime/templates/_components/cap-app-proxy/environment-variables/_main-container.yaml @@ -109,6 +109,12 @@ RUNTIME_NAME: configMapKeyRef: name: cap-app-proxy-cm key: runtimeName +RUNTIME_SINGLE_NAMESPACE: + valueFrom: + configMapKeyRef: + name: cap-app-proxy-cm + key: runtimeSingleNamespace + optional: true RUNTIME_TOKEN: valueFrom: secretKeyRef: @@ -210,6 +216,7 @@ IRW_JIRA_ENRICHMENT_TASK_IMAGE: name: cap-app-proxy-cm key: enrichmentJiraEnrichmentImage optional: true + NODE_EXTRA_CA_CERTS: /app/config/all/all.cer {{- if gt (int .Values.replicaCount) 1 }} LEADER_ID: diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/_env.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/_env.yaml index f2e10f74..113062c0 100644 --- a/charts/gitops-runtime/templates/_components/gitops-operator/_env.yaml +++ b/charts/gitops-runtime/templates/_components/gitops-operator/_env.yaml 
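Review bot: `NODE_EXTRA_CA_CERTS: /app/config/all/all.cer` in the second _main-container.yaml hunk extends the app-proxy's outbound TLS trust store unconditionally and has nothing to do with the single-namespace variable this commit adds; it belongs in its own change, tied to the volume that provides the file, and documented with a line such as `# NODE_EXTRA_CA_CERTS: additional trust anchors for outbound TLS; keep in sync with the CA volume mount`. In the collapsed diff the added line also appears indented one space deeper than the sibling keys at column 0, which would break the mapping if the indent is real — confirm it. Both hunks sit inside a define that starts and ends outside the hunk.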
@@ -15,6 +15,7 @@ COMMIT_STATUS_POLLING_INTERVAL: {{ .Values.config.commitStatusPollingInterval }} WORKFLOW_MONITOR_POLLING_INTERVAL: {{ .Values.config.workflowMonitorPollingInterval }} MAX_CONCURRENT_RELEASES: {{ .Values.config.maxConcurrentReleases }} PROMOTION_WRAPPER_TEMPLATE: {{ .Values.config.promotionWrapperTemplate | quote }} +RUNTIME_SINGLE_NAMESPACE: {{ .Values.app-proxy.singleNamespace }} {{- end }} {{- define "gitops-operator.resources.environment-variables.defaults" -}} diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/crds/_all.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/crds/_all.yaml index 956c1b6f..22474c18 100644 --- a/charts/gitops-runtime/templates/_components/gitops-operator/crds/_all.yaml +++ b/charts/gitops-runtime/templates/_components/gitops-operator/crds/_all.yaml @@ -14,7 +14,9 @@ --- {{- include "gitops-operator.crds.product" $context }} --- + {{- if not .Values.app-proxy.singleNamespace }} {{- include "gitops-operator.crds.restricted-gitsource" $context }} + {{- end }} --- {{- include "gitops-operator.crds.promotion-policy" $context }} {{- end }} diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_all.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_all.yaml index 8760f422..f0054a81 100644 --- a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_all.yaml +++ b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_all.yaml @@ -13,7 +13,9 @@ --- {{- include "gitops-operator.resources.leader-election-rbac" $context }} --- + {{- if not .Values.app-proxy.singleNamespace }} {{- include "gitops-operator.resources.restricted-git-source-rbac" $context }} + {{- end }} --- {{- include "gitops-operator.resources.rbac-operator" $context }} {{- end }} diff --git a/charts/gitops-runtime/templates/codefresh-cm.yaml b/charts/gitops-runtime/templates/codefresh-cm.yaml index d070c4d6..17ecd277 100644 
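Review bot: `RUNTIME_SINGLE_NAMESPACE: {{ .Values.app-proxy.singleNamespace }}` is rendered unquoted while its neighbour `PROMOTION_WRAPPER_TEMPLATE` uses `| quote`; the value `false` then becomes a YAML boolean, and a Kubernetes env `value` must be a string, so the rendered Deployment is likely to be rejected unless the env helper stringifies it (not visible here). The patch 02 hunk that rewrites this line keeps it unquoted, so the same applies there. Use `RUNTIME_SINGLE_NAMESPACE: {{ (get .Values "app-proxy").singleNamespace | quote }}`. The define enclosing this line starts outside the hunk.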
--- a/charts/gitops-runtime/templates/codefresh-cm.yaml +++ b/charts/gitops-runtime/templates/codefresh-cm.yaml @@ -15,4 +15,5 @@ data: ingressController: {{ .Values.global.runtime.ingress.className | default "" | quote }} ingressHost: {{ include "codefresh-gitops-runtime.ingress-url" . }} isConfigurationRuntime: {{ .Values.global.runtime.isConfigurationRuntime | quote }} + singleNamespace: {{ .Values.app-proxy.singleNamespace | quote }} version: {{ .Chart.AppVersion }} \ No newline at end of file diff --git a/charts/gitops-runtime/values.yaml b/charts/gitops-runtime/values.yaml index 9035df0a..8acfd399 100644 --- a/charts/gitops-runtime/values.yaml +++ b/charts/gitops-runtime/values.yaml @@ -519,6 +519,8 @@ tunnel-client: #----------------------------------------------------------------------------------------------------------------------- app-proxy: replicaCount: 1 + # -- Runtime single namespace mode. When true, runtime operates in single namespace scope. + singleNamespace: false # -- Image enrichment process configuration image-enrichment: # -- Enable or disable enrichment process. Please note that for enrichemnt, argo-workflows has to be enabled as well. From effb5b665bb18197c3e15fc0bdda702710a4fb24 Mon Sep 17 00:00:00 2001 From: Philip Kotliyakov Date: Mon, 25 Aug 2025 07:25:28 +0300 Subject: [PATCH 02/20] fixed parsing --- .../templates/_components/cap-app-proxy/_config.yaml | 2 +- .../templates/_components/cap-app-proxy/argo-cd/_role.yaml | 2 +- .../_components/cap-app-proxy/argo-cd/_rolebinding.yaml | 2 +- .../templates/_components/gitops-operator/_env.yaml | 2 +- .../templates/_components/gitops-operator/rbac/_all.yaml | 2 +- charts/gitops-runtime/templates/codefresh-cm.yaml | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/charts/gitops-runtime/templates/_components/cap-app-proxy/_config.yaml b/charts/gitops-runtime/templates/_components/cap-app-proxy/_config.yaml index 7160728f..5937d907 100644 
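Review bot: The comment on `singleNamespace` in the values.yaml hunk says what the mode is but not what it changes; elsewhere in this commit the flag renders a namespaced Argo CD Role/RoleBinding and skips the restricted git-source CRD and its RBAC, which someone reading values.yaml cannot discover. Expand it to something like `# -- Runtime single namespace mode. When true, the runtime operates only in the release namespace: a namespaced Argo CD Role/RoleBinding is rendered and the cluster-scoped restricted git-source CRD and RBAC are not.` Keeping the value a real boolean is right; the `| quote` in the ConfigMap templates converts it for consumers.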
--- a/charts/gitops-runtime/templates/_components/cap-app-proxy/_config.yaml +++ b/charts/gitops-runtime/templates/_components/cap-app-proxy/_config.yaml @@ -11,7 +11,7 @@ env: {{ .Values.config.env | quote}} isConfigurationRuntime: {{ .Values.global.runtime.isConfigurationRuntime | quote }} isExternalArgoCD: {{ .Values.global.runtime.isExternalArgoCD | quote }} runtimeName: {{ required "global.runtime.name is required" .Values.global.runtime.name | quote}} -runtimeSingleNamespace: {{ .Values.app-proxy.singleNamespace | quote }} +runtimeSingleNamespace: {{ (get .Values "app-proxy").singleNamespace | quote }} skipGitPermissionValidation: {{ .Values.config.skipGitPermissionValidation | quote }} logLevel: {{ .Values.config.logLevel | quote }} {{- $enrichmentValues := get .Values "image-enrichment" }} diff --git a/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_role.yaml b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_role.yaml index 7a7a97ef..4249910a 100644 --- a/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_role.yaml +++ b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_role.yaml @@ -1,4 +1,4 @@ -{{- if .Values.app-proxy.singleNamespace }} +{{- if (get .Values "app-proxy").singleNamespace }} {{- define "argo-cd.namespaced-rbac.role" }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role diff --git a/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_rolebinding.yaml b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_rolebinding.yaml index 32a593f9..9e505dea 100644 --- a/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_rolebinding.yaml +++ b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_rolebinding.yaml 
@@ -1,4 +1,4 @@ -{{- if .Values.app-proxy.singleNamespace }} +{{- if (get .Values "app-proxy").singleNamespace }} {{- define "argo-cd.namespaced-rbac.rolebinding" }} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/_env.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/_env.yaml index 113062c0..1321e06c 100644 --- a/charts/gitops-runtime/templates/_components/gitops-operator/_env.yaml +++ b/charts/gitops-runtime/templates/_components/gitops-operator/_env.yaml @@ -15,7 +15,7 @@ COMMIT_STATUS_POLLING_INTERVAL: {{ .Values.config.commitStatusPollingInterval }} WORKFLOW_MONITOR_POLLING_INTERVAL: {{ .Values.config.workflowMonitorPollingInterval }} MAX_CONCURRENT_RELEASES: {{ .Values.config.maxConcurrentReleases }} PROMOTION_WRAPPER_TEMPLATE: {{ .Values.config.promotionWrapperTemplate | quote }} -RUNTIME_SINGLE_NAMESPACE: {{ .Values.app-proxy.singleNamespace }} +RUNTIME_SINGLE_NAMESPACE: {{ (get .Values "app-proxy").singleNamespace }} {{- end }} {{- define "gitops-operator.resources.environment-variables.defaults" -}} diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_all.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_all.yaml index f0054a81..db0a7c7a 100644 --- a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_all.yaml +++ b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_all.yaml @@ -13,7 +13,7 @@ --- {{- include "gitops-operator.resources.leader-election-rbac" $context }} --- - {{- if not .Values.app-proxy.singleNamespace }} + {{- if not (get .Values "app-proxy").singleNamespace }} {{- include "gitops-operator.resources.restricted-git-source-rbac" $context }} {{- end }} --- diff --git a/charts/gitops-runtime/templates/codefresh-cm.yaml b/charts/gitops-runtime/templates/codefresh-cm.yaml index 17ecd277..3fba68b9 100644 --- a/charts/gitops-runtime/templates/codefresh-cm.yaml 
+++ b/charts/gitops-runtime/templates/codefresh-cm.yaml @@ -15,5 +15,5 @@ data: ingressController: {{ .Values.global.runtime.ingress.className | default "" | quote }} ingressHost: {{ include "codefresh-gitops-runtime.ingress-url" . }} isConfigurationRuntime: {{ .Values.global.runtime.isConfigurationRuntime | quote }} - singleNamespace: {{ .Values.app-proxy.singleNamespace | quote }} + singleNamespace: {{ (get .Values "app-proxy").singleNamespace | quote }} version: {{ .Chart.AppVersion }} \ No newline at end of file From df2f07e9d4500667d944784c7705cd117a6ccaf7 Mon Sep 17 00:00:00 2001 From: Philip Kotliyakov Date: Mon, 25 Aug 2025 07:29:50 +0300 Subject: [PATCH 03/20] minor parsing fix --- .../templates/_components/gitops-operator/crds/_all.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/crds/_all.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/crds/_all.yaml index 22474c18..d7d598f9 100644 --- a/charts/gitops-runtime/templates/_components/gitops-operator/crds/_all.yaml +++ b/charts/gitops-runtime/templates/_components/gitops-operator/crds/_all.yaml @@ -14,7 +14,7 @@ --- {{- include "gitops-operator.crds.product" $context }} --- - {{- if not .Values.app-proxy.singleNamespace }} + {{- if not (get .Values "app-proxy").singleNamespace }} {{- include "gitops-operator.crds.restricted-gitsource" $context }} {{- end }} --- From 77089927a16903957743b805e8e5b7dea014f0f7 Mon Sep 17 00:00:00 2001 From: Philip Kotliyakov Date: Mon, 25 Aug 2025 07:37:36 +0300 Subject: [PATCH 04/20] fixed conditional including of role and role binding --- .../templates/_components/cap-app-proxy/argo-cd/_all.yaml | 4 +++- .../templates/_components/cap-app-proxy/argo-cd/_role.yaml | 2 -- .../_components/cap-app-proxy/argo-cd/_rolebinding.yaml | 2 -- 3 files changed, 3 insertions(+), 5 deletions(-) 
diff --git a/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_all.yaml b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_all.yaml index 1cc7a702..1506617b 100644 --- a/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_all.yaml +++ b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_all.yaml @@ -1,3 +1,5 @@ +{{- if (get .Values "app-proxy").singleNamespace }} {{- include "argo-cd.namespaced-rbac.role" . }} --- -{{- include "argo-cd.namespaced-rbac.rolebinding" . }} \ No newline at end of file +{{- include "argo-cd.namespaced-rbac.rolebinding" . }} +{{- end }} \ No newline at end of file diff --git a/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_role.yaml b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_role.yaml index 4249910a..9d138964 100644 --- a/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_role.yaml +++ b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_role.yaml @@ -1,4 +1,3 @@ -{{- if (get .Values "app-proxy").singleNamespace }} {{- define "argo-cd.namespaced-rbac.role" }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -24,5 +23,4 @@ rules: - apiGroups: ["rbac.authorization.k8s.io"] resources: ["roles", "rolebindings"] verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] -{{- end }} {{- end }} \ No newline at end of file diff --git a/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_rolebinding.yaml b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_rolebinding.yaml index 9e505dea..7d320d7a 100644 --- a/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_rolebinding.yaml +++ b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_rolebinding.yaml @@ -1,4 +1,3 @@ -{{- if (get .Values "app-proxy").singleNamespace }} {{- define "argo-cd.namespaced-rbac.rolebinding" }} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding 
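Review bot: `{{- if (get .Values "app-proxy").singleNamespace }}` reads the flag from the parent chart's values, but patch 06 of this series changes `_config.yaml` in the same component to `.Values.singleNamespace`, which suggests the cap-app-proxy templates are rendered with the app-proxy values as `.Values`; if so, `get .Values "app-proxy"` finds nothing here and the block never renders, or fails on the field access. Patch 07 keeps the same expression. Confirm which context `cap-app-proxy.resources` receives and use the same accessor in both files, e.g. `{{- if .Values.singleNamespace }}`.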
@@ -16,5 +15,4 @@ subjects: - kind: ServiceAccount name: default namespace: {{ .Release.Namespace }} -{{- end }} {{- end }} \ No newline at end of file From 3fa40524246e4366fd5003981d7be20626b0d7b4 Mon Sep 17 00:00:00 2001 From: Philip Kotliyakov Date: Mon, 25 Aug 2025 07:42:05 +0300 Subject: [PATCH 05/20] added app-proxy context --- charts/gitops-runtime/templates/gitops-operator/deployment.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/charts/gitops-runtime/templates/gitops-operator/deployment.yaml b/charts/gitops-runtime/templates/gitops-operator/deployment.yaml index 81b56609..6038cbbc 100644 --- a/charts/gitops-runtime/templates/gitops-operator/deployment.yaml +++ b/charts/gitops-runtime/templates/gitops-operator/deployment.yaml @@ -5,6 +5,7 @@ {{- $_ := set $context "Values" $vals }} {{- $_ := set $context.Values "global" (deepCopy (get .Values "global")) }} +{{- $_ := set $context.Values "app-proxy" (deepCopy (get .Values "app-proxy")) }} {{- if and (not (index .Values "argo-cd" "enabled")) }} {{- if and (eq (index .Values "global" "external-argo-cd" "auth" "type") "token") }} From 370115e65cd181f6389fb1561f8140d2c9fda34f Mon Sep 17 00:00:00 2001 From: Philip Kotliyakov Date: Mon, 25 Aug 2025 07:50:52 +0300 Subject: [PATCH 06/20] fixed something --- .../templates/_components/cap-app-proxy/_config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/gitops-runtime/templates/_components/cap-app-proxy/_config.yaml b/charts/gitops-runtime/templates/_components/cap-app-proxy/_config.yaml index 5937d907..e615c50d 100644 --- a/charts/gitops-runtime/templates/_components/cap-app-proxy/_config.yaml +++ b/charts/gitops-runtime/templates/_components/cap-app-proxy/_config.yaml 
@@ -11,7 +11,7 @@ env: {{ .Values.config.env | quote}} isConfigurationRuntime: {{ .Values.global.runtime.isConfigurationRuntime | quote }} isExternalArgoCD: {{ .Values.global.runtime.isExternalArgoCD | quote }} runtimeName: {{ required "global.runtime.name is required" .Values.global.runtime.name | quote}} -runtimeSingleNamespace: {{ (get .Values "app-proxy").singleNamespace | quote }} +runtimeSingleNamespace: {{ .Values.singleNamespace | quote }} skipGitPermissionValidation: {{ .Values.config.skipGitPermissionValidation | quote }} logLevel: {{ .Values.config.logLevel | quote }} {{- $enrichmentValues := get .Values "image-enrichment" }} From f31c2230b24fb215bce7e37972b697eb02fcff1b Mon Sep 17 00:00:00 2001 From: Philip Kotliyakov Date: Mon, 25 Aug 2025 09:12:37 +0300 Subject: [PATCH 07/20] added argocd-manager service account --- .../_components/cap-app-proxy/argo-cd/_all.yaml | 2 ++ .../cap-app-proxy/argo-cd/_rolebinding.yaml | 2 +- .../cap-app-proxy/argo-cd/_serviceaccount.yaml | 10 ++++++++++ 3 files changed, 13 insertions(+), 1 deletion(-) create mode 100644 charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_serviceaccount.yaml diff --git a/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_all.yaml b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_all.yaml index 1506617b..d731eade 100644 --- a/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_all.yaml +++ b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_all.yaml @@ -1,4 +1,6 @@ {{- if (get .Values "app-proxy").singleNamespace }} +{{- include "argo-cd.namespaced-rbac.serviceaccount" . }} +--- {{- include "argo-cd.namespaced-rbac.role" . }} --- {{- include "argo-cd.namespaced-rbac.rolebinding" . }} diff --git a/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_rolebinding.yaml b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_rolebinding.yaml index 7d320d7a..28c52949 100644 
--- a/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_rolebinding.yaml +++ b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_rolebinding.yaml @@ -13,6 +13,6 @@ roleRef: name: argocd-namespaced-role subjects: - kind: ServiceAccount - name: default + name: argocd-manager namespace: {{ .Release.Namespace }} {{- end }} \ No newline at end of file diff --git a/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_serviceaccount.yaml b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_serviceaccount.yaml new file mode 100644 index 00000000..1f94e491 --- /dev/null +++ b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_serviceaccount.yaml @@ -0,0 +1,10 @@ +{{- define "argo-cd.namespaced-rbac.serviceaccount" }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: argocd-manager + namespace: {{ .Release.Namespace }} + labels: + {{- include "codefresh-gitops-runtime.labels" . | nindent 4 }} + codefresh.io/component: argocd-namespaced-rbac +{{- end }} From b08d29a65bf9bf8c0b912b42f6098dc2d1a28acb Mon Sep 17 00:00:00 2001 From: Mikhail Klimko Date: Fri, 25 Jul 2025 11:04:57 +0300 Subject: [PATCH 08/20] feat: multi runtime install From 6dc0412121c7144c9c2bdd42c3f799938a53e0ce Mon Sep 17 00:00:00 2001 
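Review bot: The new `argocd-manager` ServiceAccount receives the whole namespaced role through the RoleBinding in the first hunk, but nothing on the page records what consumes it, and the account has no `automountServiceAccountToken` setting. Moving the subject off `default` is the right fix; add a comment above `kind: ServiceAccount` naming the consumer (presumably an Argo CD instance managing this namespace — confirm), and if no pod in this release runs as it, set `automountServiceAccountToken: false` so a pod created with this SA by mistake does not silently inherit the role.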
From: Mikhail Klimko Date: Fri, 25 Jul 2025 17:26:20 +0300 Subject: [PATCH 09/20] feat: multi runtime install --- charts/gitops-runtime/Chart.yaml | 1 + .../cf-argocd-extras/event-reporter/_rbac.yaml | 12 ++++++++++++ .../_components/gitops-operator/_default_values.tpl | 3 +++ .../gitops-operator/promotion-template/_rbac.yaml | 6 +++--- .../gitops-operator/rbac/_auth_proxy_rbac.yaml | 6 +++--- .../gitops-operator/rbac/_rbac_operator.yaml | 12 +++++++----- .../rbac/_restricted_git_source.rbac.yaml | 2 ++ charts/gitops-runtime/templates/_helpers.tpl | 7 +++++-- .../templates/app-proxy/workflows-crb.yaml | 4 ++-- charts/gitops-runtime/values.yaml | 5 ++++- 10 files changed, 42 insertions(+), 16 deletions(-) diff --git a/charts/gitops-runtime/Chart.yaml b/charts/gitops-runtime/Chart.yaml index 5592d2b0..2d9fbd31 100644 --- a/charts/gitops-runtime/Chart.yaml +++ b/charts/gitops-runtime/Chart.yaml @@ -32,6 +32,7 @@ dependencies: - name: sealed-secrets repository: https://bitnami-labs.github.io/sealed-secrets/ version: 2.17.2 + condition: sealed-secrets.enabled - name: codefresh-tunnel-client repository: oci://quay.io/codefresh/charts version: 0.1.21 diff --git a/charts/gitops-runtime/templates/_components/cf-argocd-extras/event-reporter/_rbac.yaml b/charts/gitops-runtime/templates/_components/cf-argocd-extras/event-reporter/_rbac.yaml index 64cd6d27..6049e633 100644 --- a/charts/gitops-runtime/templates/_components/cf-argocd-extras/event-reporter/_rbac.yaml +++ b/charts/gitops-runtime/templates/_components/cf-argocd-extras/event-reporter/_rbac.yaml 
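Review bot: `condition: sealed-secrets.enabled` is added to Chart.yaml, but the values.yaml hunks of this patch add no `sealed-secrets.enabled` default; when the condition path is absent Helm keeps the dependency enabled, whereas `index .Values "sealed-secrets" "enabled"` in the _helpers.tpl hunk evaluates to nil, so the component list would omit sealed-secrets even though it is installed. Unless values.yaml already declares the key outside this diff, add `enabled: true` under `sealed-secrets:` in values.yaml so the two agree.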
@@ -11,6 +11,18 @@ {{/* Workaround to NOT change label selectors from previous runtime release when event-reporter was part of cf-argocd-extras Subchart */}} {{- $_ := set $context.Values "nameOverride" "cf-argocd-extras" }} +{{/* Remove nonResourceURLs when RBAC is namespaced */}} +{{- $rules := $context.Values.rbac.rules }} +{{- if $context.Values.rbac.namespaced }} + {{- $rules = list }} + {{- range $context.Values.rbac.rules }} + {{- if not .nonResourceURLs }} + {{- $rules = append $rules . }} + {{- end }} + {{- end }} +{{- end }} +{{- $_ := set $context.Values.rbac "rules" $rules }} + {{- $templateName := printf "cf-common-%s.rbac" (index .Subcharts "cf-common").Chart.Version }} {{- include $templateName $context }} diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/_default_values.tpl b/charts/gitops-runtime/templates/_components/gitops-operator/_default_values.tpl index dd552eb8..58ece965 100644 --- a/charts/gitops-runtime/templates/_components/gitops-operator/_default_values.tpl +++ b/charts/gitops-runtime/templates/_components/gitops-operator/_default_values.tpl @@ -14,6 +14,9 @@ global: replicaCount: 1 +# -- Restrict the gitops operator to a single namespace (by the namespace of Helm release) +singleNamespace: false + # -- Codefresh gitops operator crds crds: # -- Whether or not to install CRDs diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/promotion-template/_rbac.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/promotion-template/_rbac.yaml index 0f2d1f3e..812ae1dd 100644 --- a/charts/gitops-runtime/templates/_components/gitops-operator/promotion-template/_rbac.yaml +++ b/charts/gitops-runtime/templates/_components/gitops-operator/promotion-template/_rbac.yaml 
@@ -1,7 +1,7 @@ {{- define "gitops-operator.resources.promotion-template-rbac" }} apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole +kind: {{ .Values.singleNamespace | ternary "Role" "ClusterRole" }} metadata: labels: {{- include "gitops-operator.selectorLabels" . | nindent 4 }} @@ -45,14 +45,14 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: {{ .Values.singleNamespace | ternary "RoleBinding" "ClusterRoleBinding" }} metadata: labels: {{- include "gitops-operator.selectorLabels" . | nindent 4 }} name: promotion-template roleRef: apiGroup: rbac.authorization.k8s.io - kind: ClusterRole + kind: {{ .Values.singleNamespace | ternary "Role" "ClusterRole" }} name: promotion-template subjects: - kind: ServiceAccount diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_auth_proxy_rbac.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_auth_proxy_rbac.yaml index 4ec54d31..96f47030 100644 --- a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_auth_proxy_rbac.yaml +++ b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_auth_proxy_rbac.yaml @@ -1,7 +1,7 @@ {{- define "gitops-operator.resources.auth-proxy-rbac" }} apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole +kind: {{ .Values.singleNamespace | ternary "Role" "ClusterRole" }} metadata: labels: {{- include "gitops-operator.selectorLabels" . | nindent 4 }} @@ -22,14 +22,14 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: {{ .Values.singleNamespace | ternary "RoleBinding" "ClusterRoleBinding" }} metadata: labels: {{- include "gitops-operator.selectorLabels" . | nindent 4 }} name: codefresh-gitops-operator-proxy roleRef: apiGroup: rbac.authorization.k8s.io - kind: ClusterRole + kind: {{ .Values.singleNamespace | ternary "Role" "ClusterRole" }} name: codefresh-gitops-operator-proxy subjects: - kind: ServiceAccount 
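Review bot: Switching `kind` to `Role` via `ternary` leaves the `rules:` list, which lies outside this hunk, unchanged; a Role carrying `nonResourceURLs` is rejected by the API server and rules on cluster-scoped resources are silently ineffective, and the event-reporter hunk in this patch filters `nonResourceURLs` for exactly that reason while nothing equivalent is done for `promotion-template` or for `codefresh-gitops-operator-proxy` in the auth-proxy hunks. Confirm those rules are all namespace-scoped, or filter them the same way. A comment above `kind:` such as `# Role in single-namespace mode: rules must stay namespace-scoped` would record the constraint. Both defines start and end outside the hunks.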
diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_rbac_operator.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_rbac_operator.yaml index 38df174b..26832600 100644 --- a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_rbac_operator.yaml +++ b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_rbac_operator.yaml @@ -1,7 +1,7 @@ {{- define "gitops-operator.resources.rbac-operator" }} apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole +kind: {{ .Values.singleNamespace | ternary "Role" "ClusterRole" }} metadata: labels: {{- include "gitops-operator.selectorLabels" . | nindent 4 }} @@ -26,6 +26,7 @@ rules: - patch - update - watch +{{- if not .Values.singleNamespace }} - apiGroups: - codefresh.io resources: @@ -52,6 +53,7 @@ rules: - get - patch - update +{{- end }} - apiGroups: - "" resources: @@ -72,14 +74,14 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: {{ .Values.singleNamespace | ternary "RoleBinding" "ClusterRoleBinding" }} metadata: labels: {{- include "gitops-operator.selectorLabels" . | nindent 4 }} name: codefresh-gitops-operator roleRef: apiGroup: rbac.authorization.k8s.io - kind: ClusterRole + kind: {{ .Values.singleNamespace | ternary "Role" "ClusterRole" }} name: codefresh-gitops-operator subjects: - kind: ServiceAccount @@ -87,14 +89,14 @@ subjects: namespace: {{ .Release.Namespace }} --- apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: {{ .Values.singleNamespace | ternary "RoleBinding" "ClusterRoleBinding" }} metadata: labels: {{- include "gitops-operator.selectorLabels" . | nindent 4 }} name: codefresh-gitops-operator-workflows roleRef: apiGroup: rbac.authorization.k8s.io - kind: ClusterRole + kind: {{ .Values.singleNamespace | ternary "Role" "ClusterRole" }} name: argo-edit subjects: - kind: ServiceAccount 
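Review bot: In the last hunk the `roleRef` of `codefresh-gitops-operator-workflows` becomes `kind: Role` with `name: argo-edit` in single-namespace mode, yet `argo-edit` is referenced as a ClusterRole on the old side and nothing in this patch creates a Role of that name, so the binding would point at a role that presumably does not exist; a RoleBinding may reference a ClusterRole directly, which is the standard way to confine it to one namespace. Keep `kind: ClusterRole` for that roleRef and switch only the binding kind; the same applies to the `roleRef` in the workflows-crb.yaml hunk of this patch, which names the argo-workflows server role. The `{{- if not .Values.singleNamespace }}` block that drops the `codefresh.io` rules is only partly visible, so whether the operator still needs those resources in this mode cannot be judged here.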
diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_restricted_git_source.rbac.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_restricted_git_source.rbac.yaml index be27879c..913d131d 100644 --- a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_restricted_git_source.rbac.yaml +++ b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_restricted_git_source.rbac.yaml @@ -1,5 +1,6 @@ {{- define "gitops-operator.resources.restricted-git-source-rbac" }} + {{- if not .Values.singleNamespace }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -80,4 +81,5 @@ subjects: - kind: ServiceAccount name: {{ include "gitops-operator.serviceAccountName" . }} namespace: {{ .Release.Namespace }} + {{- end }} {{- end }} diff --git a/charts/gitops-runtime/templates/_helpers.tpl b/charts/gitops-runtime/templates/_helpers.tpl index 1b66f710..9f4b88af 100644 --- a/charts/gitops-runtime/templates/_helpers.tpl +++ b/charts/gitops-runtime/templates/_helpers.tpl 
@@ -431,11 +431,14 @@ Output comma separated list of installed runtime components */}} {{- define "codefresh-gitops-runtime.component-list"}} {{- $argoEvents := dict "name" "argo-events" "version" (get .Subcharts "argo-events").Chart.AppVersion }} - {{- $sealedSecrets := dict "name" "sealed-secrets" "version" (get .Subcharts "sealed-secrets").Chart.AppVersion }} {{- $internalRouter := dict "name" "internal-router" "version" .Chart.AppVersion }} {{- $appProxy := dict "name" "app-proxy" "version" (index (get .Values "app-proxy") "image" "tag") }} {{- $sourcesServer := dict "name" "sources-server" "version" (get .Values "cf-argocd-extras").sourcesServer.container.image.tag }} - {{- $comptList := list $argoEvents $appProxy $sealedSecrets $internalRouter $sourcesServer }} + {{- $comptList := list $argoEvents $appProxy $internalRouter $sourcesServer }} +{{- if and (index .Values "sealed-secrets" "enabled") }} + {{- $sealedSecrets := dict "name" "sealed-secrets" "version" (get .Subcharts "sealed-secrets").Chart.AppVersion }} + {{- $comptList = append $comptList $sealedSecrets }} +{{- end }} {{- if and (index .Values "argo-cd" "enabled") }} {{- $argoCD := dict "name" "argocd" "version" (get .Subcharts "argo-cd").Chart.AppVersion }} {{- $comptList = append $comptList $argoCD }} diff --git a/charts/gitops-runtime/templates/app-proxy/workflows-crb.yaml b/charts/gitops-runtime/templates/app-proxy/workflows-crb.yaml index d3a0b4e2..35010bf0 100644 --- a/charts/gitops-runtime/templates/app-proxy/workflows-crb.yaml +++ b/charts/gitops-runtime/templates/app-proxy/workflows-crb.yaml 
@@ -4,12 +4,12 @@ {{- $_ := set $appProxyContext "Values" (deepCopy (get .Values "app-proxy")) }} {{- $_ := set $appProxyContext.Values "global" (deepCopy (get .Values "global")) }} apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: {{ $appProxyContext.Values.singleNamespace | ternary "RoleBinding" "ClusterRoleBinding" }} metadata: name: cap-app-proxy-argo-workflows roleRef: apiGroup: rbac.authorization.k8s.io - kind: ClusterRole + kind: {{ $appProxyContext.Values.singleNamespace | ternary "Role" "ClusterRole" }} name: {{ include "codefresh-gitops-runtime.argo-workflows.server.name" . }} subjects: - kind: ServiceAccount diff --git a/charts/gitops-runtime/values.yaml b/charts/gitops-runtime/values.yaml index 8acfd399..c369ad5c 100644 --- a/charts/gitops-runtime/values.yaml +++ b/charts/gitops-runtime/values.yaml @@ -713,6 +713,9 @@ gitops-operator: annotations: {} # -- Additional labels for gitops operator CRDs additionalLabels: {} + # -- Restrict the gitops operator to a single namespace (by the namespace of Helm release) + singleNamespace: false + # -- GitOps operator configuration config: # -- Task polling interval taskPollingInterval: 10s @@ -724,8 +727,8 @@ gitops-operator: maxConcurrentReleases: 100 # -- An optional template for the promotion wrapper (empty default will use the embedded one) promotionWrapperTemplate: '' + # -- GitOps operator image image: - # -- defaults registry: quay.io repository: codefresh/codefresh-gitops-operator tag: v0.11.1 From c6aa9e23bc1a131e8b656db8aed9f69154a1d3bd Mon Sep 17 00:00:00 2001 
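Review bot: In the single-namespace branch the new `kind: Role` roleRef keeps `name: {{ include "codefresh-gitops-runtime.argo-workflows.server.name" . }}`, so the binding only resolves if an Argo Workflows server Role of that name exists in the release namespace; nothing in this patch creates or checks for one, and Kubernetes accepts a RoleBinding to a missing Role silently, leaving the app-proxy with no workflows access and no error. Worth confirming against the argo-workflows subchart's namespaced mode, or adding a comment above `roleRef:` naming the Role it expects. The ternary reads `$appProxyContext.Values.singleNamespace` from the app-proxy values, while the values.yaml hunk in this same commit declares `singleNamespace` under `gitops-operator`; if app-proxy has no such key the condition is always false and the cluster-scoped branch is rendered.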
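Review bot: The description of the new `singleNamespace` value says what is restricted but not what changes in the rendered chart, which is what an operator deciding whether to flip it needs. Something like `# -- Restrict the gitops operator to the Helm release namespace: RBAC is rendered as Role/RoleBinding instead of ClusterRole/ClusterRoleBinding and cluster-scoped resources (restricted git source RBAC) are not rendered` states the effect that the templates in this commit implement. Whether CRD installation is also affected is decided in a hunk not part of this file, so that wording should be checked before being copied.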
From: Mikhail Klimko Date: Fri, 25 Jul 2025 17:47:53 +0300 Subject: [PATCH 10/20] feat: multi runtime install --- charts/gitops-runtime/templates/gitops-operator/crds.yaml | 4 +++- .../gitops-runtime/templates/gitops-operator/deployment.yaml | 2 ++ .../templates/gitops-operator/promotion-operator.yaml | 4 +++- charts/gitops-runtime/templates/gitops-operator/rbac.yaml | 4 +++- .../templates/gitops-operator/serviceaccount.yaml | 4 ++++ 5 files changed, 15 insertions(+), 3 deletions(-) diff --git a/charts/gitops-runtime/templates/gitops-operator/crds.yaml b/charts/gitops-runtime/templates/gitops-operator/crds.yaml index e78bb700..171bf6f0 100644 --- a/charts/gitops-runtime/templates/gitops-operator/crds.yaml +++ b/charts/gitops-runtime/templates/gitops-operator/crds.yaml @@ -1 +1,3 @@ -{{- include "gitops-operator.crds" . }} +{{- if and (index .Values "gitops-operator" "enabled") }} + {{- include "gitops-operator.crds" . }} +{{- end }} diff --git a/charts/gitops-runtime/templates/gitops-operator/deployment.yaml b/charts/gitops-runtime/templates/gitops-operator/deployment.yaml index 6038cbbc..1124f109 100644 --- a/charts/gitops-runtime/templates/gitops-operator/deployment.yaml +++ b/charts/gitops-runtime/templates/gitops-operator/deployment.yaml @@ -1,3 +1,4 @@ +{{- if and (index .Values "gitops-operator" "enabled") }} {{- $context := deepCopy . }} {{- $defaultVals := include "gitops-operator.default-values" . | fromYaml }} @@ -45,3 +46,4 @@ {{- end }} {{- include "gitops-operator.resources.deployment" $context }} +{{- end }} diff --git a/charts/gitops-runtime/templates/gitops-operator/promotion-operator.yaml b/charts/gitops-runtime/templates/gitops-operator/promotion-operator.yaml index 5eb7884c..78956245 100644 --- a/charts/gitops-runtime/templates/gitops-operator/promotion-operator.yaml +++ b/charts/gitops-runtime/templates/gitops-operator/promotion-operator.yaml 
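Review bot: Every new guard reads `index .Values "gitops-operator" "enabled"`, but this patch touches only the five template files in its diffstat, so unless values.yaml already declares `gitops-operator.enabled: true` the lookup yields nil and the CRDs, deployment, promotion template, RBAC and service account all silently stop rendering; the same guard is repeated in the rbac.yaml and serviceaccount.yaml hunks of this patch. Worth confirming the key exists with that default before merging, since a missing key fails closed with no warning. The single-operand `and` in each guard is a no-op and can be dropped: `{{- if index .Values "gitops-operator" "enabled" }}`.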
@@ -1 +1,3 @@ -{{- include "gitops-operator.resources.promotion-template" . }} +{{- if and (index .Values "gitops-operator" "enabled") }} + {{- include "gitops-operator.resources.promotion-template" . }} +{{- end }} diff --git a/charts/gitops-runtime/templates/gitops-operator/rbac.yaml b/charts/gitops-runtime/templates/gitops-operator/rbac.yaml index 41df10f0..96489708 100644 --- a/charts/gitops-runtime/templates/gitops-operator/rbac.yaml +++ b/charts/gitops-runtime/templates/gitops-operator/rbac.yaml @@ -1 +1,3 @@ -{{- include "gitops-operator.resources.rbac" . }} +{{- if and (index .Values "gitops-operator" "enabled") }} + {{- include "gitops-operator.resources.rbac" . }} +{{- end }} diff --git a/charts/gitops-runtime/templates/gitops-operator/serviceaccount.yaml b/charts/gitops-runtime/templates/gitops-operator/serviceaccount.yaml index 022cf431..87517d1d 100644 --- a/charts/gitops-runtime/templates/gitops-operator/serviceaccount.yaml +++ b/charts/gitops-runtime/templates/gitops-operator/serviceaccount.yaml @@ -1,3 +1,5 @@ +{{- if and (index .Values "gitops-operator" "enabled") }} + {{- $context := deepCopy . }} {{- $defaultVals := include "gitops-operator.default-values" . | fromYaml }} @@ -7,3 +9,5 @@ {{- $_ := set $context.Values "global" (deepCopy (get .Values "global")) }} {{- include "gitops-operator.resources.sa" $context }} + +{{- end }} From 43a44af7f3f6d0cf8bd69ee11bb1c1dc75c15132 Mon Sep 17 00:00:00 2001 From: Mikhail Klimko Date: Wed, 30 Jul 2025 11:10:27 +0300 Subject: [PATCH 11/20] feat: multi runtime install --- .../promotion-template/_rbac.yaml | 12 ++++++------ .../gitops-operator/rbac/_auth_proxy_rbac.yaml | 12 ++++++------ .../gitops-operator/rbac/_rbac_operator.yaml | 18 +++++++++--------- 3 files changed, 21 insertions(+), 21 deletions(-) 
diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/promotion-template/_rbac.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/promotion-template/_rbac.yaml index 812ae1dd..92d712d3 100644 --- a/charts/gitops-runtime/templates/_components/gitops-operator/promotion-template/_rbac.yaml +++ b/charts/gitops-runtime/templates/_components/gitops-operator/promotion-template/_rbac.yaml @@ -1,11 +1,11 @@ {{- define "gitops-operator.resources.promotion-template-rbac" }} apiVersion: rbac.authorization.k8s.io/v1 -kind: {{ .Values.singleNamespace | ternary "Role" "ClusterRole" }} +kind: ClusterRole metadata: labels: {{- include "gitops-operator.selectorLabels" . | nindent 4 }} - name: promotion-template + name: {{ .Values.singleNamespace | ternary (printf "promotion-template-%s" .Release.Namespace) "promotion-template" }} rules: - apiGroups: - "" @@ -45,15 +45,15 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 -kind: {{ .Values.singleNamespace | ternary "RoleBinding" "ClusterRoleBinding" }} +kind: ClusterRoleBinding metadata: labels: {{- include "gitops-operator.selectorLabels" . | nindent 4 }} - name: promotion-template + name: {{ .Values.singleNamespace | ternary (printf "promotion-template-%s" .Release.Namespace) "promotion-template" }} roleRef: apiGroup: rbac.authorization.k8s.io - kind: {{ .Values.singleNamespace | ternary "Role" "ClusterRole" }} - name: promotion-template + kind: ClusterRole + name: {{ .Values.singleNamespace | ternary (printf "promotion-template-%s" .Release.Namespace) "promotion-template" }} subjects: - kind: ServiceAccount name: {{ include "gitops-operator.promotionTemplate.serviceAccountName" . }} diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_auth_proxy_rbac.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_auth_proxy_rbac.yaml index 96f47030..9338fbde 100644 --- a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_auth_proxy_rbac.yaml 
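Review bot: Switching the single-namespace path back to `kind: ClusterRole` / `ClusterRoleBinding` and only suffixing the name with `.Release.Namespace` avoids the name collision between releases, but a ClusterRoleBinding is not scoped by the namespace in its name: the promotion-template service account now receives the ClusterRole's rules cluster-wide in exactly the mode whose purpose is namespace confinement. The auth-proxy and operator hunks of this patch make the same trade, and the operator binding in the last hunk also leaves a ClusterRoleBinding to `argo-edit` in place. If cross-release collisions were the motivation, `Role`/`RoleBinding` (the form this patch removes, and which PATCH 14 later restores) only need unique names within the namespace; if cluster scope is genuinely required, a comment above the `kind:` line explaining why is needed.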
+++ b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_auth_proxy_rbac.yaml @@ -1,11 +1,11 @@ {{- define "gitops-operator.resources.auth-proxy-rbac" }} apiVersion: rbac.authorization.k8s.io/v1 -kind: {{ .Values.singleNamespace | ternary "Role" "ClusterRole" }} +kind: ClusterRole metadata: labels: {{- include "gitops-operator.selectorLabels" . | nindent 4 }} - name: codefresh-gitops-operator-proxy + name: {{ .Values.singleNamespace | ternary (printf "codefresh-gitops-operator-proxy-%s" .Release.Namespace) "codefresh-gitops-operator-proxy" }} rules: - apiGroups: - authentication.k8s.io @@ -22,15 +22,15 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 -kind: {{ .Values.singleNamespace | ternary "RoleBinding" "ClusterRoleBinding" }} +kind: ClusterRoleBinding metadata: labels: {{- include "gitops-operator.selectorLabels" . | nindent 4 }} - name: codefresh-gitops-operator-proxy + name: {{ .Values.singleNamespace | ternary (printf "codefresh-gitops-operator-proxy-%s" .Release.Namespace) "codefresh-gitops-operator-proxy" }} roleRef: apiGroup: rbac.authorization.k8s.io - kind: {{ .Values.singleNamespace | ternary "Role" "ClusterRole" }} - name: codefresh-gitops-operator-proxy + kind: ClusterRole + name: {{ .Values.singleNamespace | ternary (printf "codefresh-gitops-operator-proxy-%s" .Release.Namespace) "codefresh-gitops-operator-proxy" }} subjects: - kind: ServiceAccount name: {{ include "gitops-operator.serviceAccountName" . }} diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_rbac_operator.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_rbac_operator.yaml index 26832600..aee5c759 100644 --- a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_rbac_operator.yaml +++ b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_rbac_operator.yaml 
@@ -1,11 +1,11 @@ {{- define "gitops-operator.resources.rbac-operator" }} apiVersion: rbac.authorization.k8s.io/v1 -kind: {{ .Values.singleNamespace | ternary "Role" "ClusterRole" }} +kind: ClusterRole metadata: labels: {{- include "gitops-operator.selectorLabels" . | nindent 4 }} - name: codefresh-gitops-operator + name: {{ .Values.singleNamespace | ternary (printf "codefresh-gitops-operator-%s" .Release.Namespace) "codefresh-gitops-operator" }} rules: - apiGroups: - "" @@ -74,29 +74,29 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 -kind: {{ .Values.singleNamespace | ternary "RoleBinding" "ClusterRoleBinding" }} +kind: ClusterRoleBinding metadata: labels: {{- include "gitops-operator.selectorLabels" . | nindent 4 }} - name: codefresh-gitops-operator + name: {{ .Values.singleNamespace | ternary (printf "codefresh-gitops-operator-%s" .Release.Namespace) "codefresh-gitops-operator" }} roleRef: apiGroup: rbac.authorization.k8s.io - kind: {{ .Values.singleNamespace | ternary "Role" "ClusterRole" }} - name: codefresh-gitops-operator + kind: ClusterRole + name: {{ .Values.singleNamespace | ternary (printf "codefresh-gitops-operator-%s" .Release.Namespace) "codefresh-gitops-operator" }} subjects: - kind: ServiceAccount name: {{ include "gitops-operator.serviceAccountName" . }} namespace: {{ .Release.Namespace }} --- apiVersion: rbac.authorization.k8s.io/v1 -kind: {{ .Values.singleNamespace | ternary "RoleBinding" "ClusterRoleBinding" }} +kind: ClusterRoleBinding metadata: labels: {{- include "gitops-operator.selectorLabels" . | nindent 4 }} - name: codefresh-gitops-operator-workflows + name: {{ .Values.singleNamespace | ternary (printf "codefresh-gitops-operator-workflows-%s" .Release.Namespace) "codefresh-gitops-operator-workflows" }} roleRef: apiGroup: rbac.authorization.k8s.io - kind: {{ .Values.singleNamespace | ternary "Role" "ClusterRole" }} + kind: ClusterRole name: argo-edit subjects: - kind: ServiceAccount 
From 0176c17c9655709d626c3fc72dbf6fa62939b0c7 Mon Sep 17 00:00:00 2001 From: Mikhail Klimko Date: Wed, 30 Jul 2025 11:40:41 +0300 Subject: [PATCH 12/20] wip: Wed Jul 30 11:40:41 +03 2025 --- .../_components/gitops-operator/rbac/_rbac_operator.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_rbac_operator.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_rbac_operator.yaml index aee5c759..ffefcf58 100644 --- a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_rbac_operator.yaml +++ b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_rbac_operator.yaml @@ -89,15 +89,15 @@ subjects: namespace: {{ .Release.Namespace }} --- apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: {{ .Values.singleNamespace | ternary "RoleBinding" "ClusterRoleBinding" }} metadata: labels: {{- include "gitops-operator.selectorLabels" . | nindent 4 }} name: {{ .Values.singleNamespace | ternary (printf "codefresh-gitops-operator-workflows-%s" .Release.Namespace) "codefresh-gitops-operator-workflows" }} roleRef: apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: argo-edit + kind: {{ .Values.singleNamespace | ternary "Role" "ClusterRole" }} + name: {{ .Values.singleNamespace | ternary "argo-workflow-controller" "argo-edit" }} subjects: - kind: ServiceAccount name: {{ include "gitops-operator.serviceAccountName" . }} From e5b8cfccd5cc2e3d0dd3ed8d3cab322e6a46f509 Mon Sep 17 00:00:00 2001 From: Mikhail Klimko Date: Wed, 30 Jul 2025 12:19:46 +0300 Subject: [PATCH 13/20] wip: Wed Jul 30 12:19:46 +03 2025 --- .../gitops-operator/rbac/_rbac_operator.yaml | 122 +++++++++++++++++- 1 file changed, 121 insertions(+), 1 deletion(-) 
diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_rbac_operator.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_rbac_operator.yaml
index ffefcf58..75310814 100644
--- a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_rbac_operator.yaml
+++ b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_rbac_operator.yaml
@@ -71,6 +71,126 @@ rules: - get - list - watch +--- +{{- if .Values.singleNamespace }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: argo-role +rules: +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - get + - update +- apiGroups: + - "" + resources: + - pods + - pods/exec + verbs: + - create + - get + - list + - watch + - update + - patch + - delete +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - watch + - list +- apiGroups: + - "" + resources: + - persistentvolumeclaims + - persistentvolumeclaims/finalizers + verbs: + - create + - update + - delete + - get +- apiGroups: + - argoproj.io + resources: + - workflows + - workflows/finalizers + - workflowtasksets + - workflowtasksets/finalizers + - workflowartifactgctasks + verbs: + - get + - list + - watch + - update + - patch + - delete + - create +- apiGroups: + - argoproj.io + resources: + - workflowtemplates + - workflowtemplates/finalizers + verbs: + - get + - list + - watch +- apiGroups: + - argoproj.io + resources: + - workflowtaskresults + verbs: + - list + - watch + - deletecollection +- apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - get + - list +- apiGroups: + - "" + resources: + - secrets + verbs: + - get +- apiGroups: + - argoproj.io + resources: + - cronworkflows + - cronworkflows/finalizers + verbs: + - get + - list + - watch + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - policy + resources: + - poddisruptionbudgets + verbs: + - create + - get + - delete +{{- end }} --- apiVersion: rbac.authorization.k8s.io/v1 
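Review bot: The new `argo-role` Role is the only resource in this define without a `labels: {{- include "gitops-operator.selectorLabels" . | nindent 4 }}` block, and its generic unlabeled name gives no hint which component owns it; naming it after its sibling binding (`codefresh-gitops-operator-workflows`) and adding the labels would keep it consistent with the rest of the file. Binding the operator service account to this rule set grants `pods/exec` create, `pods` delete and `secrets` get in the namespace (the rules look like an Argo workflow-controller permission set); if the cluster-mode roleRef `argo-edit` does not carry those, the single-namespace path is the more privileged one, which deserves a template comment above `{{- if .Values.singleNamespace }}` stating why the controller-level rules are required. The unconditional `---` in front of the `if` also emits an empty document when the flag is false; moving it inside the block avoids that. The roleRef rename in the next hunk is part of the same change.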
@@ -97,7 +217,7 @@ metadata: roleRef: apiGroup: rbac.authorization.k8s.io kind: {{ .Values.singleNamespace | ternary "Role" "ClusterRole" }} - name: {{ .Values.singleNamespace | ternary "argo-workflow-controller" "argo-edit" }} + name: {{ .Values.singleNamespace | ternary "argo-role" "argo-edit" }} subjects: - kind: ServiceAccount name: {{ include "gitops-operator.serviceAccountName" . }} From 00bd9fb4a08440d7d5130808a1e471a15705f813 Mon Sep 17 00:00:00 2001 From: shirtabachii Date: Wed, 20 Aug 2025 13:38:03 +0300 Subject: [PATCH 14/20] feat: multi runtime install --- .../gitops-operator/promotion-template/_rbac.yaml | 12 ++++++------ .../gitops-operator/rbac/_auth_proxy_rbac.yaml | 12 ++++++------ .../gitops-operator/rbac/_rbac_operator.yaml | 14 +++++++------- 3 files changed, 19 insertions(+), 19 deletions(-) diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/promotion-template/_rbac.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/promotion-template/_rbac.yaml index 92d712d3..812ae1dd 100644 --- a/charts/gitops-runtime/templates/_components/gitops-operator/promotion-template/_rbac.yaml +++ b/charts/gitops-runtime/templates/_components/gitops-operator/promotion-template/_rbac.yaml @@ -1,11 +1,11 @@ {{- define "gitops-operator.resources.promotion-template-rbac" }} apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole +kind: {{ .Values.singleNamespace | ternary "Role" "ClusterRole" }} metadata: labels: {{- include "gitops-operator.selectorLabels" . | nindent 4 }} - name: {{ .Values.singleNamespace | ternary (printf "promotion-template-%s" .Release.Namespace) "promotion-template" }} + name: promotion-template rules: - apiGroups: - "" 
@@ -45,15 +45,15 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: {{ .Values.singleNamespace | ternary "RoleBinding" "ClusterRoleBinding" }} metadata: labels: {{- include "gitops-operator.selectorLabels" . | nindent 4 }} - name: {{ .Values.singleNamespace | ternary (printf "promotion-template-%s" .Release.Namespace) "promotion-template" }} + name: promotion-template roleRef: apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ .Values.singleNamespace | ternary (printf "promotion-template-%s" .Release.Namespace) "promotion-template" }} + kind: {{ .Values.singleNamespace | ternary "Role" "ClusterRole" }} + name: promotion-template subjects: - kind: ServiceAccount name: {{ include "gitops-operator.promotionTemplate.serviceAccountName" . }} diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_auth_proxy_rbac.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_auth_proxy_rbac.yaml index 9338fbde..96f47030 100644 --- a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_auth_proxy_rbac.yaml +++ b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_auth_proxy_rbac.yaml @@ -1,11 +1,11 @@ {{- define "gitops-operator.resources.auth-proxy-rbac" }} apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole +kind: {{ .Values.singleNamespace | ternary "Role" "ClusterRole" }} metadata: labels: {{- include "gitops-operator.selectorLabels" . | nindent 4 }} - name: {{ .Values.singleNamespace | ternary (printf "codefresh-gitops-operator-proxy-%s" .Release.Namespace) "codefresh-gitops-operator-proxy" }} + name: codefresh-gitops-operator-proxy rules: - apiGroups: - authentication.k8s.io 
@@ -22,15 +22,15 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: {{ .Values.singleNamespace | ternary "RoleBinding" "ClusterRoleBinding" }} metadata: labels: {{- include "gitops-operator.selectorLabels" . | nindent 4 }} - name: {{ .Values.singleNamespace | ternary (printf "codefresh-gitops-operator-proxy-%s" .Release.Namespace) "codefresh-gitops-operator-proxy" }} + name: codefresh-gitops-operator-proxy roleRef: apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ .Values.singleNamespace | ternary (printf "codefresh-gitops-operator-proxy-%s" .Release.Namespace) "codefresh-gitops-operator-proxy" }} + kind: {{ .Values.singleNamespace | ternary "Role" "ClusterRole" }} + name: codefresh-gitops-operator-proxy subjects: - kind: ServiceAccount name: {{ include "gitops-operator.serviceAccountName" . }} diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_rbac_operator.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_rbac_operator.yaml index 75310814..317b55a7 100644 --- a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_rbac_operator.yaml +++ b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_rbac_operator.yaml @@ -1,11 +1,11 @@ {{- define "gitops-operator.resources.rbac-operator" }} apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole +kind: {{ .Values.singleNamespace | ternary "Role" "ClusterRole" }} metadata: labels: {{- include "gitops-operator.selectorLabels" . | nindent 4 }} - name: {{ .Values.singleNamespace | ternary (printf "codefresh-gitops-operator-%s" .Release.Namespace) "codefresh-gitops-operator" }} + name: codefresh-gitops-operator rules: - apiGroups: - "" 
@@ -194,15 +194,15 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: {{ .Values.singleNamespace | ternary "RoleBinding" "ClusterRoleBinding" }} metadata: labels: {{- include "gitops-operator.selectorLabels" . | nindent 4 }} - name: {{ .Values.singleNamespace | ternary (printf "codefresh-gitops-operator-%s" .Release.Namespace) "codefresh-gitops-operator" }} + name: codefresh-gitops-operator roleRef: apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ .Values.singleNamespace | ternary (printf "codefresh-gitops-operator-%s" .Release.Namespace) "codefresh-gitops-operator" }} + kind: {{ .Values.singleNamespace | ternary "Role" "ClusterRole" }} + name: codefresh-gitops-operator subjects: - kind: ServiceAccount name: {{ include "gitops-operator.serviceAccountName" . }} @@ -213,7 +213,7 @@ kind: {{ .Values.singleNamespace | ternary "RoleBinding" "ClusterRoleBinding" }} metadata: labels: {{- include "gitops-operator.selectorLabels" . | nindent 4 }} - name: {{ .Values.singleNamespace | ternary (printf "codefresh-gitops-operator-workflows-%s" .Release.Namespace) "codefresh-gitops-operator-workflows" }} + name: codefresh-gitops-operator-workflows roleRef: apiGroup: rbac.authorization.k8s.io kind: {{ .Values.singleNamespace | ternary "Role" "ClusterRole" }} From 99e35761c1c6301e8877d04fe993c78237533cb5 Mon Sep 17 00:00:00 2001 
From: shirtabachii Date: Mon, 25 Aug 2025 14:51:24 +0300 Subject: [PATCH 15/20] wip --- .../cap-app-proxy/_all_resources.yaml | 2 +- .../_components/cap-app-proxy/_config.yaml | 4 ++-- .../_components/cap-app-proxy/argo-cd/_all.yaml | 6 ++++-- .../_components/gitops-operator/_env.yaml | 4 ++-- .../_components/gitops-operator/crds/_all.yaml | 2 +- .../promotion-template/_rbac.yaml | 6 +++--- .../_components/gitops-operator/rbac/_all.yaml | 2 +- .../gitops-operator/rbac/_auth_proxy_rbac.yaml | 6 +++--- .../gitops-operator/rbac/_rbac_operator.yaml | 16 ++++++++-------- .../rbac/_restricted_git_source.rbac.yaml | 2 +- .../templates/app-proxy/workflows-crb.yaml | 4 ++-- .../gitops-runtime/templates/codefresh-cm.yaml | 6 +++--- charts/gitops-runtime/values.yaml | 6 ++---- 13 files changed, 33 insertions(+), 33 deletions(-) diff --git a/charts/gitops-runtime/templates/_components/cap-app-proxy/_all_resources.yaml b/charts/gitops-runtime/templates/_components/cap-app-proxy/_all_resources.yaml index ff455cf5..d60f456b 100644 --- a/charts/gitops-runtime/templates/_components/cap-app-proxy/_all_resources.yaml +++ b/charts/gitops-runtime/templates/_components/cap-app-proxy/_all_resources.yaml @@ -12,4 +12,4 @@ {{ include "cap-app-proxy.resources.sa" .}} --- {{ include "argo-cd.namespaced-rbac.all" . }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/charts/gitops-runtime/templates/_components/cap-app-proxy/_config.yaml b/charts/gitops-runtime/templates/_components/cap-app-proxy/_config.yaml index e615c50d..0dd1059d 100644 --- a/charts/gitops-runtime/templates/_components/cap-app-proxy/_config.yaml +++ b/charts/gitops-runtime/templates/_components/cap-app-proxy/_config.yaml 
@@ -4,14 +4,14 @@ argoCdUsername: {{ .Values.config.argoCdUsername }} argoWorkflowsInsecure: {{ .Values.config.argoWorkflowsInsecure | quote }} argoWorkflowsUrl: {{ default "" .Values.config.argoWorkflowsUrl }} cors: {{ .Values.global.codefresh.url }} - {{- with .Values.config.clusterChunkSize }} + {{- with .Values.config.clusterChunkSize }} clusterChunkSize: {{ . | quote }} {{- end }} env: {{ .Values.config.env | quote}} isConfigurationRuntime: {{ .Values.global.runtime.isConfigurationRuntime | quote }} isExternalArgoCD: {{ .Values.global.runtime.isExternalArgoCD | quote }} runtimeName: {{ required "global.runtime.name is required" .Values.global.runtime.name | quote}} -runtimeSingleNamespace: {{ .Values.singleNamespace | quote }} +runtimeSingleNamespace: {{ .Values.global.runtime.singleNamespace | quote }} skipGitPermissionValidation: {{ .Values.config.skipGitPermissionValidation | quote }} logLevel: {{ .Values.config.logLevel | quote }} {{- $enrichmentValues := get .Values "image-enrichment" }} diff --git a/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_all.yaml b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_all.yaml index d731eade..75c737ad 100644 --- a/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_all.yaml +++ b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_all.yaml @@ -1,7 +1,9 @@ -{{- if (get .Values "app-proxy").singleNamespace }} +{{- define "argo-cd.namespaced-rbac.all" }} +{{- if (index .Values "global" "runtime").singleNamespace }} {{- include "argo-cd.namespaced-rbac.serviceaccount" . }} --- {{- include "argo-cd.namespaced-rbac.role" . }} --- {{- include "argo-cd.namespaced-rbac.rolebinding" . }} -{{- end }} \ No newline at end of file +{{- end }} +{{- end }} diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/_env.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/_env.yaml index 1321e06c..93b22042 100644 
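Review bot: The new define in argo-cd/_all.yaml reads the flag as `(index .Values "global" "runtime").singleNamespace`, the crds/_all.yaml and rbac/_all.yaml hunks later in this patch as `(get .Values.global "runtime").singleNamespace`, and every other hunk (this file's `_config.yaml`, `_env.yaml`, the RBAC templates) as `.Values.global.runtime.singleNamespace`; three spellings for one value make it unreliable to grep for everything the flag controls. Use the plain path in all three, `{{- if .Values.global.runtime.singleNamespace }}`, unless there is a reason to tolerate a missing `runtime` map, in which case that reason belongs in a comment. The `_all_resources.yaml` hunk includes the new define unconditionally, so the `if` inside it is the only thing keeping cluster-mode output empty.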
--- a/charts/gitops-runtime/templates/_components/gitops-operator/_env.yaml +++ b/charts/gitops-runtime/templates/_components/gitops-operator/_env.yaml @@ -15,7 +15,7 @@ COMMIT_STATUS_POLLING_INTERVAL: {{ .Values.config.commitStatusPollingInterval }} WORKFLOW_MONITOR_POLLING_INTERVAL: {{ .Values.config.workflowMonitorPollingInterval }} MAX_CONCURRENT_RELEASES: {{ .Values.config.maxConcurrentReleases }} PROMOTION_WRAPPER_TEMPLATE: {{ .Values.config.promotionWrapperTemplate | quote }} -RUNTIME_SINGLE_NAMESPACE: {{ (get .Values "app-proxy").singleNamespace }} +RUNTIME_SINGLE_NAMESPACE: {{ .Values.global.runtime.singleNamespace }} {{- end }} {{- define "gitops-operator.resources.environment-variables.defaults" -}} @@ -37,7 +37,7 @@ NAMESPACE: valueFrom: fieldRef: fieldPath: metadata.namespace -RUNTIME_VERSION: +RUNTIME_VERSION: valueFrom: configMapKeyRef: name: codefresh-cm diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/crds/_all.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/crds/_all.yaml index d7d598f9..9aabfeef 100644 --- a/charts/gitops-runtime/templates/_components/gitops-operator/crds/_all.yaml +++ b/charts/gitops-runtime/templates/_components/gitops-operator/crds/_all.yaml @@ -14,7 +14,7 @@ --- {{- include "gitops-operator.crds.product" $context }} --- - {{- if not (get .Values "app-proxy").singleNamespace }} + {{- if not (get .Values.global "runtime").singleNamespace }} {{- include "gitops-operator.crds.restricted-gitsource" $context }} {{- end }} --- diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/promotion-template/_rbac.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/promotion-template/_rbac.yaml index 812ae1dd..f41bc088 100644 --- a/charts/gitops-runtime/templates/_components/gitops-operator/promotion-template/_rbac.yaml +++ b/charts/gitops-runtime/templates/_components/gitops-operator/promotion-template/_rbac.yaml 
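Review bot: `RUNTIME_SINGLE_NAMESPACE: {{ .Values.global.runtime.singleNamespace }}` renders an unquoted `true`/`false`, which YAML reads as a boolean; the sibling `PROMOTION_WRAPPER_TEMPLATE` line in the same hunk and the app-proxy `runtimeSingleNamespace` entry in `_config.yaml` both pipe through `quote`, and wherever this map lands as ConfigMap `data` or an env `value:` the API server rejects a non-string. Change the line to `RUNTIME_SINGLE_NAMESPACE: {{ .Values.global.runtime.singleNamespace | quote }}`. The define this map belongs to starts above the hunk, so I cannot see how it is consumed; the fix is safe either way since the consumer is an environment variable.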
@@ -1,7 +1,7 @@ {{- define "gitops-operator.resources.promotion-template-rbac" }} apiVersion: rbac.authorization.k8s.io/v1 -kind: {{ .Values.singleNamespace | ternary "Role" "ClusterRole" }} +kind: {{ .Values.global.runtime.singleNamespace | ternary "Role" "ClusterRole" }} metadata: labels: {{- include "gitops-operator.selectorLabels" . | nindent 4 }} @@ -45,14 +45,14 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 -kind: {{ .Values.singleNamespace | ternary "RoleBinding" "ClusterRoleBinding" }} +kind: {{ .Values.global.runtime.singleNamespace | ternary "RoleBinding" "ClusterRoleBinding" }} metadata: labels: {{- include "gitops-operator.selectorLabels" . | nindent 4 }} name: promotion-template roleRef: apiGroup: rbac.authorization.k8s.io - kind: {{ .Values.singleNamespace | ternary "Role" "ClusterRole" }} + kind: {{ .Values.global.runtime.singleNamespace | ternary "Role" "ClusterRole" }} name: promotion-template subjects: - kind: ServiceAccount diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_all.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_all.yaml index db0a7c7a..0a0d6f33 100644 --- a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_all.yaml +++ b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_all.yaml @@ -13,7 +13,7 @@ --- {{- include "gitops-operator.resources.leader-election-rbac" $context }} --- - {{- if not (get .Values "app-proxy").singleNamespace }} + {{- if not (get .Values.global "runtime").singleNamespace }} {{- include "gitops-operator.resources.restricted-git-source-rbac" $context }} {{- end }} --- diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_auth_proxy_rbac.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_auth_proxy_rbac.yaml index 96f47030..f9d687eb 100644 --- a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_auth_proxy_rbac.yaml 
+++ b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_auth_proxy_rbac.yaml @@ -1,7 +1,7 @@ {{- define "gitops-operator.resources.auth-proxy-rbac" }} apiVersion: rbac.authorization.k8s.io/v1 -kind: {{ .Values.singleNamespace | ternary "Role" "ClusterRole" }} +kind: {{ .Values.global.runtime.singleNamespace | ternary "Role" "ClusterRole" }} metadata: labels: {{- include "gitops-operator.selectorLabels" . | nindent 4 }} @@ -22,14 +22,14 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 -kind: {{ .Values.singleNamespace | ternary "RoleBinding" "ClusterRoleBinding" }} +kind: {{ .Values.global.runtime.singleNamespace | ternary "RoleBinding" "ClusterRoleBinding" }} metadata: labels: {{- include "gitops-operator.selectorLabels" . | nindent 4 }} name: codefresh-gitops-operator-proxy roleRef: apiGroup: rbac.authorization.k8s.io - kind: {{ .Values.singleNamespace | ternary "Role" "ClusterRole" }} + kind: {{ .Values.global.runtime.singleNamespace | ternary "Role" "ClusterRole" }} name: codefresh-gitops-operator-proxy subjects: - kind: ServiceAccount diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_rbac_operator.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_rbac_operator.yaml index 317b55a7..ed0234c4 100644 --- a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_rbac_operator.yaml +++ b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_rbac_operator.yaml @@ -1,7 +1,7 @@ {{- define "gitops-operator.resources.rbac-operator" }} apiVersion: rbac.authorization.k8s.io/v1 -kind: {{ .Values.singleNamespace | ternary "Role" "ClusterRole" }} +kind: {{ .Values.global.runtime.singleNamespace | ternary "Role" "ClusterRole" }} metadata: labels: {{- include "gitops-operator.selectorLabels" . | nindent 4 }} 
@@ -26,7 +26,7 @@ rules: - patch - update - watch -{{- if not .Values.singleNamespace }} +{{- if not .Values.global.runtime.singleNamespace }} - apiGroups: - codefresh.io resources: @@ -72,7 +72,7 @@ rules: - list - watch --- -{{- if .Values.singleNamespace }} +{{- if .Values.global.runtime.singleNamespace }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -194,14 +194,14 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 -kind: {{ .Values.singleNamespace | ternary "RoleBinding" "ClusterRoleBinding" }} +kind: {{ .Values.global.runtime.singleNamespace | ternary "RoleBinding" "ClusterRoleBinding" }} metadata: labels: {{- include "gitops-operator.selectorLabels" . | nindent 4 }} name: codefresh-gitops-operator roleRef: apiGroup: rbac.authorization.k8s.io - kind: {{ .Values.singleNamespace | ternary "Role" "ClusterRole" }} + kind: {{ .Values.global.runtime.singleNamespace | ternary "Role" "ClusterRole" }} name: codefresh-gitops-operator subjects: - kind: ServiceAccount @@ -209,15 +209,15 @@ subjects: namespace: {{ .Release.Namespace }} --- apiVersion: rbac.authorization.k8s.io/v1 -kind: {{ .Values.singleNamespace | ternary "RoleBinding" "ClusterRoleBinding" }} +kind: {{ .Values.global.runtime.singleNamespace | ternary "RoleBinding" "ClusterRoleBinding" }} metadata: labels: {{- include "gitops-operator.selectorLabels" . | nindent 4 }} name: codefresh-gitops-operator-workflows roleRef: apiGroup: rbac.authorization.k8s.io - kind: {{ .Values.singleNamespace | ternary "Role" "ClusterRole" }} - name: {{ .Values.singleNamespace | ternary "argo-role" "argo-edit" }} + kind: {{ .Values.global.runtime.singleNamespace | ternary "Role" "ClusterRole" }} + name: {{ .Values.global.runtime.singleNamespace | ternary "argo-role" "argo-edit" }} subjects: - kind: ServiceAccount name: {{ include "gitops-operator.serviceAccountName" . }} 
diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_restricted_git_source.rbac.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_restricted_git_source.rbac.yaml index 913d131d..34c13029 100644 --- a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_restricted_git_source.rbac.yaml +++ b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_restricted_git_source.rbac.yaml @@ -1,6 +1,6 @@ {{- define "gitops-operator.resources.restricted-git-source-rbac" }} - {{- if not .Values.singleNamespace }} + {{- if not .Values.global.runtime.singleNamespace }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: diff --git a/charts/gitops-runtime/templates/app-proxy/workflows-crb.yaml b/charts/gitops-runtime/templates/app-proxy/workflows-crb.yaml index 35010bf0..02b8dc3d 100644 --- a/charts/gitops-runtime/templates/app-proxy/workflows-crb.yaml +++ b/charts/gitops-runtime/templates/app-proxy/workflows-crb.yaml @@ -4,12 +4,12 @@ {{- $_ := set $appProxyContext "Values" (deepCopy (get .Values "app-proxy")) }} {{- $_ := set $appProxyContext.Values "global" (deepCopy (get .Values "global")) }} apiVersion: rbac.authorization.k8s.io/v1 -kind: {{ $appProxyContext.Values.singleNamespace | ternary "RoleBinding" "ClusterRoleBinding" }} +kind: {{ $appProxyContext.Values.global.runtime.singleNamespace | ternary "RoleBinding" "ClusterRoleBinding" }} metadata: name: cap-app-proxy-argo-workflows roleRef: apiGroup: rbac.authorization.k8s.io - kind: {{ $appProxyContext.Values.singleNamespace | ternary "Role" "ClusterRole" }} + kind: {{ $appProxyContext.Values.global.runtime.singleNamespace | ternary "Role" "ClusterRole" }} name: {{ include "codefresh-gitops-runtime.argo-workflows.server.name" . }} subjects: - kind: ServiceAccount diff --git a/charts/gitops-runtime/templates/codefresh-cm.yaml b/charts/gitops-runtime/templates/codefresh-cm.yaml index 3fba68b9..40fef25e 100644 
--- a/charts/gitops-runtime/templates/codefresh-cm.yaml
+++ b/charts/gitops-runtime/templates/codefresh-cm.yaml
@@ -14,6 +14,6 @@ data:
ingressClassName: {{ .Values.global.runtime.ingress.className | default "" | quote }}
ingressController: {{ .Values.global.runtime.ingress.className | default "" | quote }}
ingressHost: {{ include "codefresh-gitops-runtime.ingress-url" . }}
- isConfigurationRuntime: {{ .Values.global.runtime.isConfigurationRuntime | quote }}
- singleNamespace: {{ (get .Values "app-proxy").singleNamespace | quote }}
- version: {{ .Chart.AppVersion }}
\ No newline at end of file
+ isConfigurationRuntime: {{ .Values.global.runtime.isConfigurationRuntime | quote }}
+ singleNamespace: {{ .Values.global.runtime.singleNamespace | quote }}
+ version: {{ .Chart.AppVersion }}
diff --git a/charts/gitops-runtime/values.yaml b/charts/gitops-runtime/values.yaml
index c369ad5c..284557c1 100644
--- a/charts/gitops-runtime/values.yaml
+++ b/charts/gitops-runtime/values.yaml
@@ -49,6 +49,8 @@ global:
cluster: https://kubernetes.default.svc
# -- Defines whether this is a Codefresh hosted runtime. Should not be changed.
codefreshHosted: false
+ # -- Runtime single namespace mode. When true, runtime operates in single namespace scope.
+ singleNamespace: true
# -- Ingress settings
ingress:
# -- if set to true, the pre-install hook will validate the existance of appropriate values, but *will not* attempt to make a web request to the ingress host
@@ -519,8 +521,6 @@ tunnel-client:
#-----------------------------------------------------------------------------------------------------------------------
app-proxy:
replicaCount: 1
- # -- Runtime single namespace mode. When true, runtime operates in single namespace scope.
- singleNamespace: false
# -- Image enrichment process configuration
image-enrichment:
# -- Enable or disable enrichment process. Please note that for enrichemnt, argo-workflows has to be enabled as well.
@@ -713,8 +713,6 @@ gitops-operator:
annotations: {}
# -- Additional labels for gitops operator CRDs
additionalLabels: {}
- # -- Restrict the gitops operator to a single namespace (by the namespace of Helm release)
- singleNamespace: false
# -- GitOps operator configuration
config:
# -- Task polling interval
From 09faa34e9ffe4460afe2f5e9ab40d150668c43ee Mon Sep 17 00:00:00 2001
From: shirtabachii
Date: Mon, 25 Aug 2025 14:51:53 +0300
Subject: [PATCH 16/20] wip
---
.../templates/app-proxy/argocd-namespaced-rbac.yaml | 1 +
1 file changed, 1 insertion(+)
create mode 100644 charts/gitops-runtime/templates/app-proxy/argocd-namespaced-rbac.yaml
diff --git a/charts/gitops-runtime/templates/app-proxy/argocd-namespaced-rbac.yaml b/charts/gitops-runtime/templates/app-proxy/argocd-namespaced-rbac.yaml
new file mode 100644
index 00000000..401556a0
--- /dev/null
+++ b/charts/gitops-runtime/templates/app-proxy/argocd-namespaced-rbac.yaml
@@ -0,0 +1 @@
+{{- include "argo-cd.namespaced-rbac.all" . }}
From 70b4b0588dbd647cd788248cd12fbf3fb6bb1220 Mon Sep 17 00:00:00 2001
From: shirtabachii
Date: Mon, 25 Aug 2025 14:57:10 +0300
Subject: [PATCH 17/20] wip
---
charts/gitops-runtime/values.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/gitops-runtime/values.yaml b/charts/gitops-runtime/values.yaml
index 284557c1..dbba7c43 100644
--- a/charts/gitops-runtime/values.yaml
+++ b/charts/gitops-runtime/values.yaml
@@ -50,7 +50,7 @@ global:
# -- Defines whether this is a Codefresh hosted runtime. Should not be changed.
codefreshHosted: false
# -- Runtime single namespace mode. When true, runtime operates in single namespace scope.
- singleNamespace: true
+ singleNamespace: false
# -- Ingress settings
ingress:
# -- if set to true, the pre-install hook will validate the existance of appropriate values, but *will not* attempt to make a web request to the ingress host
From 62807f644c0030f25cd522e543ee8360cc4947e4 Mon Sep 17 00:00:00 2001
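Review bot: Removing `gitops-operator.singleNamespace` here (and `app-proxy.singleNamespace` in the earlier values.yaml hunk) comes with no guard, so a values file that still sets either legacy key is silently ignored and the templates fall back to `global.runtime.singleNamespace`, whose default the later patch in this series flips to `false`; a user who had opted into single-namespace mode would get ClusterRoles and ClusterRoleBindings on upgrade with no warning. A Helm `fail` on the legacy keys prevents that, e.g. `{{- if hasKey (get .Values "app-proxy") "singleNamespace" }}{{ fail "app-proxy.singleNamespace has moved to global.runtime.singleNamespace" }}{{- end }}` and the equivalent check for `gitops-operator`, placed in any always-rendered template such as codefresh-cm.yaml. The new values.yaml comment should also name the migration, e.g. `# -- Runtime single namespace mode (replaces app-proxy.singleNamespace and gitops-operator.singleNamespace). When true, runtime operates in single namespace scope.`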
From: shirtabachii
Date: Mon, 25 Aug 2025 18:29:03 +0300
Subject: [PATCH 18/20] wip
---
.../cap-app-proxy/argo-cd/_role.yaml | 23 ++++++-------------
1 file changed, 7 insertions(+), 16 deletions(-)
diff --git a/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_role.yaml b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_role.yaml
index 9d138964..9656aa3b 100644
--- a/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_role.yaml
+++ b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_role.yaml
@@ -8,19 +8,10 @@ metadata:
{{- include "codefresh-gitops-runtime.labels" . | nindent 4 }}
codefresh.io/component: argocd-namespaced-rbac
rules:
-- apiGroups: [""]
- resources: ["pods", "services", "endpoints", "persistentvolumeclaims", "events", "configmaps", "secrets", "serviceaccounts"]
- verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
-- apiGroups: ["apps"]
- resources: ["deployments", "replicasets", "statefulsets", "daemonsets"]
- verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
-- apiGroups: ["batch"]
- resources: ["jobs", "cronjobs"]
- verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
-- apiGroups: ["networking.k8s.io"]
- resources: ["ingresses", "networkpolicies"]
- verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
-- apiGroups: ["rbac.authorization.k8s.io"]
- resources: ["roles", "rolebindings"]
- verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
-{{- end }}
\ No newline at end of file
+- apiGroups:
+ - '*'
+ resources:
+ - '*'
+ verbs:
+ - '*'
+{{- end }}
From 31c5308926cced397644d8e5010ffe5d85a87ff0 Mon Sep 17 00:00:00 2001
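Review bot: The replaced `rules:` turn the `argocd-namespaced-rbac` Role into a wildcard grant (`apiGroups`, `resources` and `verbs` all `'*'`), so whatever ServiceAccount is bound to it becomes an unrestricted admin of the release namespace — including every verb on `secrets` and on `roles`/`rolebindings`, which lets that account hand out further grants inside the namespace. The enumerated list being deleted already covered core, apps, batch, networking and RBAC objects with full CRUD verbs, and the commit message ("wip") records no reason the wildcard is needed, so the concrete rule set should be restored, adding only the specific group that was missing (presumably something like `argoproj.io` if Argo CD's own objects motivated this), or the justification kept in a comment above `rules:` such as `# Wildcard intentionally: Argo CD must manage arbitrary resource kinds in this namespace; scope down once the kinds are known`. Note also that Kubernetes RBAC escalation prevention only lets an installer create a `*`/`*`/`*` Role if it already holds every permission in the namespace or the `escalate` verb, so least-privilege installers will fail on this template. The `define` line that opens this template is outside the hunk.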
From: Noam Gal
Date: Tue, 26 Aug 2025 09:54:33 +0300
Subject: [PATCH 19/20] added argocd-manager SA secret
---
.../_components/cap-app-proxy/argo-cd/_all.yaml | 2 ++
.../_components/cap-app-proxy/argo-cd/_secret.yaml | 9 +++++++++
2 files changed, 11 insertions(+)
create mode 100644 charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_secret.yaml
diff --git a/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_all.yaml b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_all.yaml
index 75c737ad..cf8716c7 100644
--- a/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_all.yaml
+++ b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_all.yaml
@@ -2,6 +2,8 @@
{{- if (index .Values "global" "runtime").singleNamespace }}
{{- include "argo-cd.namespaced-rbac.serviceaccount" . }}
---
+{{- include "argo-cd.namespaced-rbac.secret" . }}
+---
{{- include "argo-cd.namespaced-rbac.role" . }}
---
{{- include "argo-cd.namespaced-rbac.rolebinding" . }}
diff --git a/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_secret.yaml b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_secret.yaml
new file mode 100644
index 00000000..63100462
--- /dev/null
+++ b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_secret.yaml
@@ -0,0 +1,9 @@
+{{- define "argo-cd.namespaced-rbac.secret" }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: argocd-manager-long-lived-token
+ annotations:
+ kubernetes.io/service-account.name: argocd-manager
+type: kubernetes.io/service-account-token
+{{- end }}
From 95c55da368c5d99fa80311da74b828ba8283d7a4 Mon Sep 17 00:00:00 2001
From: Philip Kotliyakov
Date: Tue, 26 Aug 2025 18:23:03 +0300
Subject: [PATCH 20/20] removed duplicated include
---
.../templates/_components/cap-app-proxy/_all_resources.yaml | 1 -
1 file changed, 1 deletion(-)
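Review bot: The new `argocd-manager-long-lived-token` Secret of type `kubernetes.io/service-account-token` asks the control plane to mint a non-expiring token for the `argocd-manager` ServiceAccount, and since `_all.yaml` renders it next to the ServiceAccount, Role and RoleBinding of this component it is presumably the credential for the wildcard Role introduced in the previous patch (the binding's subject is not in view), which makes this a standing, never-rotated namespace-admin token persisted in etcd. Secret-backed tokens are the legacy mechanism; if a static token is genuinely required (for example to populate an Argo CD cluster secret), the template should say so and state how it is rotated, e.g. `# Static token presumably consumed by the Argo CD cluster secret; rotate by deleting and re-creating this Secret so the token controller issues a fresh one — confirm the consumer`. The Secret also carries none of the chart labels that the sibling Role renders via `codefresh-gitops-runtime.labels`, so label-based selection of this component will miss it; add `labels: {{- include "codefresh-gitops-runtime.labels" . | nindent 4 }}` under `metadata:` (note the `name:`/`annotations:` indentation was flattened in this copy of the patch and must be two-space nested in the real file).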
diff --git a/charts/gitops-runtime/templates/_components/cap-app-proxy/_all_resources.yaml b/charts/gitops-runtime/templates/_components/cap-app-proxy/_all_resources.yaml
index d60f456b..3941e62c 100644
--- a/charts/gitops-runtime/templates/_components/cap-app-proxy/_all_resources.yaml
+++ b/charts/gitops-runtime/templates/_components/cap-app-proxy/_all_resources.yaml
@@ -11,5 +11,4 @@
---
{{ include "cap-app-proxy.resources.sa" .}}
---
- {{ include "argo-cd.namespaced-rbac.all" . }}
{{- end }}