From 36745a970a55bbb14a95ae2d8c79895be0e0493f Mon Sep 17 00:00:00 2001 
From: Alex Corvin Date: Thu, 8 Feb 2024 10:24:23 -0500 Subject: [PATCH] Add applications and artifacts for new ArgoCD instance --- .../applications/dh-prod-monitoring.yaml | 20 ++ .../applications/dh-prod-superset.ocp4.yaml | 20 ++ .../dh-prod-telemetry-grafana.yaml | 47 ++++ .../applications/dh-prod-telemetry.yaml | 32 +++ .../dh-prod-trino-partition-updater.yaml | 20 ++ .../applications/dh-prod-trino.ocp4.yaml | 20 ++ .../dh-sandbox-telemetry-grafana.yaml | 47 ++++ .../s3-webserver-prod-application.yaml | 20 ++ .../superset-stage-application.yaml | 20 ++ bootstrap/argocd/argocd-serviceaccount.yml | 10 + .../argocd/argocd-tls-certs-cm-configmap.yaml | 60 ++++ .../argocd/internal-data-hub-appproject.yaml | 14 + .../argocd/internal-data-hub-argocd.yaml | 259 ++++++++++++++++++ ...erver-argocd-manager-admin-rolebinding.yml | 13 + ...stage-argocd-manager-admin-rolebinding.yml | 13 + .../namespaces/argocd-tenantnamespace.yaml | 9 + .../s3-webserver-prod-tenantnamespace.yaml | 9 + .../superset-stage-tenantnamespace.yaml | 9 + .../tenantegresses/argocd-tenantegress.yaml | 109 ++++++++ ...-hub-tenant-egress-admins-tenantgroup.yaml | 9 + 20 files changed, 760 insertions(+) create mode 100644 bootstrap/argocd/applications/dh-prod-monitoring.yaml create mode 100644 bootstrap/argocd/applications/dh-prod-superset.ocp4.yaml create mode 100644 bootstrap/argocd/applications/dh-prod-telemetry-grafana.yaml create mode 100644 bootstrap/argocd/applications/dh-prod-telemetry.yaml create mode 100644 bootstrap/argocd/applications/dh-prod-trino-partition-updater.yaml create mode 100644 bootstrap/argocd/applications/dh-prod-trino.ocp4.yaml create mode 100644 bootstrap/argocd/applications/dh-sandbox-telemetry-grafana.yaml create mode 100644 bootstrap/argocd/applications/s3-webserver-prod-application.yaml create mode 100644 bootstrap/argocd/applications/superset-stage-application.yaml create mode 100644 bootstrap/argocd/argocd-serviceaccount.yml create mode 100644 
bootstrap/argocd/argocd-tls-certs-cm-configmap.yaml create mode 100644 bootstrap/argocd/internal-data-hub-appproject.yaml create mode 100644 bootstrap/argocd/internal-data-hub-argocd.yaml create mode 100644 bootstrap/argocd/rolebindings/s3-webserver-argocd-manager-admin-rolebinding.yml create mode 100644 bootstrap/argocd/rolebindings/superset-stage-argocd-manager-admin-rolebinding.yml create mode 100644 bootstrap/namespaces/argocd-tenantnamespace.yaml create mode 100644 bootstrap/namespaces/s3-webserver-prod-tenantnamespace.yaml create mode 100644 bootstrap/namespaces/superset-stage-tenantnamespace.yaml create mode 100644 bootstrap/tenantegresses/argocd-tenantegress.yaml create mode 100644 bootstrap/tenantgroups/internal-data-hub-tenant-egress-admins-tenantgroup.yaml diff --git a/bootstrap/argocd/applications/dh-prod-monitoring.yaml b/bootstrap/argocd/applications/dh-prod-monitoring.yaml new file mode 100644 index 00000000..321bfbb5 --- /dev/null +++ b/bootstrap/argocd/applications/dh-prod-monitoring.yaml @@ -0,0 +1,20 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: dh-prod-monitoring + namespae: internal-data-hub-argocd +spec: + destination: + namespace: dh-prod-monitoring + server: https://api.datahub-ocp4.prod.psi.redhat.com:6443 + project: internal-data-hub + source: + path: monitoring/overlays/prod + repoURL: https://github.com/AICoE/internal-data-hub.git + targetRevision: main + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - Validate=false diff --git a/bootstrap/argocd/applications/dh-prod-superset.ocp4.yaml b/bootstrap/argocd/applications/dh-prod-superset.ocp4.yaml new file mode 100644 index 00000000..b0c03c8c --- /dev/null +++ b/bootstrap/argocd/applications/dh-prod-superset.ocp4.yaml 
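Review bot: `namespae: internal-data-hub-argocd` has two defects: the key is misspelled, so the Application is created in whatever namespace the applying context defaults to, and the value uses a single dash while every other Application in this patch and the ArgoCD CR use `internal-data-hub--argocd`. Either one means the instance would presumably never see this Application and `dh-prod-monitoring` would silently not be reconciled, with no error at apply time. Replace the line with `namespace: internal-data-hub--argocd`.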
@@ -0,0 +1,20 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: ocp4.dh-prod-superset + namespace: internal-data-hub--argocd +spec: + destination: + namespace: dh-prod-superset + server: https://api.datahub-ocp4.prod.psi.redhat.com:6443 + project: internal-data-hub + source: + path: superset/overlays/prod + repoURL: https://github.com/AICoE/internal-data-hub.git + targetRevision: main + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - Validate=false diff --git a/bootstrap/argocd/applications/dh-prod-telemetry-grafana.yaml b/bootstrap/argocd/applications/dh-prod-telemetry-grafana.yaml new file mode 100644 index 00000000..c5ce87f1 --- /dev/null +++ b/bootstrap/argocd/applications/dh-prod-telemetry-grafana.yaml @@ -0,0 +1,47 @@ +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: dh-prod-telemetry-grafana + namespace: internal-data-hub--argocd +spec: + destination: + namespace: dh-prod-telemetry-grafana + server: https://api.datahub-ocp4.prod.psi.redhat.com:6443 + project: internal-data-hub + source: + path: telemetry-grafana/overlays/prod + repoURL: https://github.com/AICoE/internal-data-hub.git + targetRevision: HEAD + syncPolicy: + syncOptions: + - Validate=false + automated: + prune: true + selfHeal: true + ignoreDifferences: + - kind: ServiceAccount + name: grafana + jsonPointers: + - /imagePullSecrets +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: telemetry-dashboards-prod + namespace: internal-data-hub--argocd +spec: + destination: + namespace: dh-prod-telemetry-grafana + server: https://api.datahub-ocp4.prod.psi.redhat.com:6443 + project: internal-data-hub + source: + path: overlays/prod + repoURL: https://gitlab.cee.redhat.com/data-hub/telemeter-ocp-dashboards.git + targetRevision: HEAD + syncPolicy: + syncOptions: + - Validate=false + automated: + prune: true + selfHeal: true 
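Review bot: `Validate=false` switches off kubectl's client-side schema validation for everything this Application syncs, so a misspelled field in, say, a `securityContext` or a `NetworkPolicy` rule is silently dropped rather than rejected, and with `prune: true` / `selfHeal: true` that silently weakened manifest is enforced in a production namespace. Every Application in this patch carries the same option with no stated reason. Unless a specific CRD without an OpenAPI schema requires it, drop the `syncOptions` entry; if it is required, leave a comment naming the resource, e.g. `# Validate=false: <kind> has no published schema`.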
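Review bot: Both Applications in this file use `targetRevision: HEAD`, which resolves to the remote's default branch at sync time, whereas the other Applications in this patch pin `main`; a change of default branch or a force-push on either `internal-data-hub` or `telemeter-ocp-dashboards` would therefore be deployed automatically into `dh-prod-telemetry-grafana` with prune and self-heal. Pin the branch explicitly (`targetRevision: main`, or a tag for prod) so the reviewed ref is the only one that can reach the cluster. The `ignoreDifferences` on the `grafana` ServiceAccount's `imagePullSecrets` is reasonable, since OpenShift injects that field, but a one-line comment saying so would spare the next reader the guess.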
diff --git a/bootstrap/argocd/applications/dh-prod-telemetry.yaml b/bootstrap/argocd/applications/dh-prod-telemetry.yaml new file mode 100644 index 00000000..257245b1 --- /dev/null +++ b/bootstrap/argocd/applications/dh-prod-telemetry.yaml @@ -0,0 +1,32 @@ +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: dh-prod-telemetry + namespace: internal-data-hub--argocd +spec: + destination: + namespace: dh-prod-telemetry + server: https://api.datahub-ocp4.prod.psi.redhat.com:6443 + project: internal-data-hub + source: + path: overlays/prod + repoURL: https://gitlab.cee.redhat.com/data-hub/dh-telemetry.git + targetRevision: HEAD + syncPolicy: + syncOptions: + - Validate=false + automated: + prune: true + selfHeal: true + ignoreDifferences: + - kind: Deployment + group: apps + name: thanos-query + jsonPointers: + - /spec/template/spec/containers/2/image + - kind: Deployment + group: apps + name: thanos-replicate-custom-exporter + jsonPointers: + - /spec/template/spec/containers/0/image diff --git a/bootstrap/argocd/applications/dh-prod-trino-partition-updater.yaml b/bootstrap/argocd/applications/dh-prod-trino-partition-updater.yaml new file mode 100644 index 00000000..b1d61625 --- /dev/null +++ b/bootstrap/argocd/applications/dh-prod-trino-partition-updater.yaml @@ -0,0 +1,20 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: dh-prod-trino-partition-updater + namespace: internal-data-hub--argocd +spec: + destination: + namespace: dh-prod-trino + server: https://api.datahub-ocp4.prod.psi.redhat.com:6443 + project: internal-data-hub + source: + path: trino-partition-updater/overlays/prod + repoURL: https://github.com/AICoE/internal-data-hub.git + targetRevision: main + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - Validate=false diff --git a/bootstrap/argocd/applications/dh-prod-trino.ocp4.yaml b/bootstrap/argocd/applications/dh-prod-trino.ocp4.yaml new file mode 100644 index 00000000..53673b30 
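Review bot: The `ignoreDifferences` entries exclude the container `image` of two production Deployments (`thanos-query` container index 2, `thanos-replicate-custom-exporter` index 0) from drift detection, so a live change to those images — whether an intended automated retag or an unintended one — is neither reported nor reverted by self-heal, which removes the GitOps guarantee exactly where supply-chain drift matters most. Nothing in the hunk says what mutates these fields; add a comment naming the controller that is expected to rewrite them, e.g. `# image is rewritten by <controller>; Git holds only the initial tag`. The positional pointers (`/containers/2/image`) will also silently start ignoring the wrong container if the list order changes, so prefer a name-keyed `jqPathExpressions` selector over a JSON pointer if the overlay can guarantee container names.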
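Review bot: This Application and `ocp4.dh-prod-trino` (next file in the patch) both target `dh-prod-trino` with `prune: true` and `selfHeal: true`. Argo CD only prunes resources it tracks for each Application, so this is safe only while no resource name is produced by both `trino-partition-updater/overlays/prod` and `kfdefs/overlays/prod/dh-prod-trino`; if it ever is, the two apps will alternately overwrite and prune it. A comment on the `destination` stating that the namespace is shared with `ocp4.dh-prod-trino`, and that resource names must not overlap, would record that constraint where the next overlay author will see it.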
--- /dev/null +++ b/bootstrap/argocd/applications/dh-prod-trino.ocp4.yaml @@ -0,0 +1,20 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: ocp4.dh-prod-trino + namespace: internal-data-hub--argocd +spec: + destination: + namespace: dh-prod-trino + server: https://api.datahub-ocp4.prod.psi.redhat.com:6443 + project: internal-data-hub + source: + path: kfdefs/overlays/prod/dh-prod-trino + repoURL: https://github.com/AICoE/internal-data-hub.git + targetRevision: main + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - Validate=false diff --git a/bootstrap/argocd/applications/dh-sandbox-telemetry-grafana.yaml b/bootstrap/argocd/applications/dh-sandbox-telemetry-grafana.yaml new file mode 100644 index 00000000..c9033ff2 --- /dev/null +++ b/bootstrap/argocd/applications/dh-sandbox-telemetry-grafana.yaml 
@@ -0,0 +1,47 @@ +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: dh-sandbox-telemetry-grafana + namespace: internal-data-hub--argocd +spec: + destination: + namespace: dh-sandbox-telemetry-grafana + server: https://api.datahub-ocp4.prod.psi.redhat.com:6443 + project: internal-data-hub + source: + path: telemetry-grafana/overlays/sandbox + repoURL: https://github.com/AICoE/internal-data-hub.git + targetRevision: HEAD + syncPolicy: + syncOptions: + - Validate=false + automated: + prune: true + selfHeal: true + ignoreDifferences: + - kind: ServiceAccount + name: grafana + jsonPointers: + - /imagePullSecrets +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: telemetry-dashboards-sandbox + namespace: internal-data-hub--argocd +spec: + destination: + namespace: dh-sandbox-telemetry-grafana + server: https://api.datahub-ocp4.prod.psi.redhat.com:6443 + project: internal-data-hub + source: + path: overlays/sandbox + repoURL: https://gitlab.cee.redhat.com/data-hub/telemeter-ocp-dashboards.git + targetRevision: HEAD + syncPolicy: + syncOptions: + - Validate=false + automated: + prune: true + selfHeal: true diff --git a/bootstrap/argocd/applications/s3-webserver-prod-application.yaml b/bootstrap/argocd/applications/s3-webserver-prod-application.yaml new file mode 100644 index 00000000..85081cfc --- /dev/null +++ b/bootstrap/argocd/applications/s3-webserver-prod-application.yaml @@ -0,0 +1,20 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: s3-webserver-prod + namespace: internal-data-hub--argocd +spec: + destination: + namespace: internal-data-hub--s3-webserver-prod + server: https://api.gpc.ocp-hub.prod.psi.redhat.com:6443 + project: internal-data-hub + source: + path: s3-webserver/overlays/prod + repoURL: 'https://github.com/AICoE/internal-data-hub.git' + targetRevision: main + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - Validate=false 
diff --git a/bootstrap/argocd/applications/superset-stage-application.yaml b/bootstrap/argocd/applications/superset-stage-application.yaml new file mode 100644 index 00000000..bdca8cc4 --- /dev/null +++ b/bootstrap/argocd/applications/superset-stage-application.yaml @@ -0,0 +1,20 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: superset-stage + namespace: internal-data-hub--argocd +spec: + destination: + namespace: internal-data-hub--superset-stage + server: https://api.gpc.ocp-hub.prod.psi.redhat.com:6443 + project: internal-data-hub + source: + path: superset/overlays/stage + repoURL: 'https://github.com/AICoE/internal-data-hub.git' + targetRevision: main + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - Validate=false diff --git a/bootstrap/argocd/argocd-serviceaccount.yml b/bootstrap/argocd/argocd-serviceaccount.yml new file mode 100644 index 00000000..301862d9 --- /dev/null +++ b/bootstrap/argocd/argocd-serviceaccount.yml @@ -0,0 +1,10 @@ +apiVersion: tenantaccess.paas.redhat.com/v1beta1 +kind: TenantServiceAccount +metadata: + name: argocd-manager + namespace: internal-data-hub--config +spec: + roles: + - namespace-admin + - tenant-admin + - tenant-egress-admin diff --git a/bootstrap/argocd/argocd-tls-certs-cm-configmap.yaml b/bootstrap/argocd/argocd-tls-certs-cm-configmap.yaml new file mode 100644 index 00000000..c7f4046e --- /dev/null +++ b/bootstrap/argocd/argocd-tls-certs-cm-configmap.yaml 
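Review bot: The `argocd-manager` TenantServiceAccount is granted `tenant-admin` and `tenant-egress-admin` in addition to `namespace-admin`, which means any manifest that Argo CD syncs — from any repository, given the `sourceRepos: "*"` AppProject in this patch — can rewrite the tenant's egress policy, including the `argocd-tenantegress.yaml` rules this same patch uses to fence Argo CD's own outbound traffic. The patch separately adds a TenantGroup giving `tenant-egress-admin` to the human admins group, so the service account does not appear to need that role for day-to-day operation. Drop `tenant-egress-admin` (and `tenant-admin`, unless a synced overlay manages tenant objects) and leave a one-line comment per remaining role stating what it is needed for.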
@@ -0,0 +1,60 @@ +kind: ConfigMap +apiVersion: v1 +metadata: + name: argocd-tls-certs-cm + namespace: internal-data-hub--argocd + labels: + app.kubernetes.io/name: argocd-cm + app.kubernetes.io/part-of: argocd +data: + gitlab.cee.redhat.com: | + -----BEGIN CERTIFICATE----- + MIII+jCCB+KgAwIBAgIED/4UyTANBgkqhkiG9w0BAQsFADBBMRAwDgYDVQQKDAdS + ZWQgSGF0MQ0wCwYDVQQLDARwcm9kMR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRo + b3JpdHkwHhcNMjMwODE3MTc1MjUwWhcNMjQwODExMTc1MjUwWjCBtTELMAkGA1UE + BhMCVVMxFzAVBgNVBAgMDk5vcnRoIENhcm9saW5hMRAwDgYDVQQHDAdSYWxlaWdo + MRYwFAYDVQQKDA1SZWQgSGF0LCBJbmMuMR8wHQYDVQQLDBZJbmZvcm1hdGlvbiBU + ZWNobm9sb2d5MSUwIwYJKoZIhvcNAQkBFhZpdC1hbG0tdGVhbUByZWRoYXQuY29t + MRswGQYDVQQDDBIqLnBhZ2VzLnJlZGhhdC5jb20wggIiMA0GCSqGSIb3DQEBAQUA + A4ICDwAwggIKAoICAQCu2ecznIyKgcSxkv12WnXOXSp3QfaKsnQg+wedw/rNLuWr + wUmQZo37VrT60Z6ipXw/WK2jz7gm014k1zjxzcMhSsLSU0AGSltkyL4FLrsQ/9pr + aqJLnjY8nMGW+hUzCqEuzVdRPeT69qiFjdkEIhfDn+5qTqi7dWLjubozyAU59QwT + A+L/HzHP/HQhhbjx1n2L3alLOQAM9Nrymj9+lzqzLIRAJwH+OOZAIg35h4RJxPWe + bjMAUQbWCfo5+iOIUrYEkO6+3PKYRw8O252mDyGrBpOvTrXwdKlUdPUmbcAIPMPg + fcP2O8lWEagJjNVDznw42YB0mpIdK8we102xqfAMGhUPpwYBmo7OHYlmfuC9yD8P + 8vyPs0QGHVMOoUqRVrFup5HZUWdCgywOzDOh/hE5uQJOVTttP54dDfM0w3eNFAwx + z8bDLj++N2x5S4q7gjAjibrJT2zfpFCc3lGV8c1Mbo5lijrmzDILGWRmesagL/8t + lDzsBnRhFAmFSUeKWbppbssemyoVVIaI4PwJsGt+0pVUbGfGEpRozl7iVQRBprrv + CKJTG2VaGOBoudcCUCL5dXI5Q5wzOgBVWW0dxJUauY9a5lR9h95WCJc2P5m34EdR + CZgsOUnapNic09j+iJfSrh6WslughUzlGpeyQy4Gt8urclwwW5ZkYGAlXZKjdQID + AQABo4IEgzCCBH8wHwYDVR0jBBgwFoAUe9oJ9Uld2ddcyTb4VdIbl54RL34wggPu + BgNVHREEggPlMIID4YISKi5wYWdlcy5yZWRoYXQuY29tgi9naXRsYWItcGFnZXMu + aG9zdHMucHJvZC51cHNoaWZ0LnJkdTIucmVkaGF0LmNvbYIzcmFpbHMtcHJvZC0x + LmdpdGwtMDAzLnByb2QudXMtZWFzdC0xLmF3cy5yZWRoYXQuY29tgjNyYWlscy1w + cm9kLTIuZ2l0bC0wMDMucHJvZC51cy1lYXN0LTEuYXdzLnJlZGhhdC5jb22CM3Jh + aWxzLXByb2QtMy5naXRsLTAwMy5wcm9kLnVzLWVhc3QtMS5hd3MucmVkaGF0LmNv + bYI3cmFpbHMtcHJvZC1nZW8tMS5naXRsLTAwMy5wcm9kLnVzLXdlc3QtMi5hd3Mu + 
cmVkaGF0LmNvbYI3cmFpbHMtcHJvZC1nZW8tMi5naXRsLTAwMy5wcm9kLnVzLXdl + c3QtMi5hd3MucmVkaGF0LmNvbYI3cmFpbHMtcHJvZC1nZW8tMy5naXRsLTAwMy5w + cm9kLnVzLXdlc3QtMi5hd3MucmVkaGF0LmNvbYIzcmFpbHMtcHJvZC00LmdpdGwt + MDAzLnByb2QudXMtZWFzdC0xLmF3cy5yZWRoYXQuY29tgjNyYWlscy1wcm9kLTUu + Z2l0bC0wMDMucHJvZC51cy1lYXN0LTEuYXdzLnJlZGhhdC5jb22CN3JhaWxzLXBy + b2QtZ2VvLTQuZ2l0bC0wMDMucHJvZC51cy13ZXN0LTIuYXdzLnJlZGhhdC5jb22C + N3JhaWxzLXByb2QtZ2VvLTUuZ2l0bC0wMDMucHJvZC51cy13ZXN0LTIuYXdzLnJl + ZGhhdC5jb22CRmludGVybmFsLXJhaWxzLXByb2QtZXh0ZXJuYWwtYWxiLTMwNjA5 + ODQzNy51cy1lYXN0LTEuZWxiLmFtYXpvbmF3cy5jb22CRHJhaWxzLXByb2QtZXh0 + ZXJuYWwtbmxiLTRkMDZkNmEzNjM1ZWJlOGIuZWxiLnVzLWVhc3QtMS5hbWF6b25h + d3MuY29tgkRyYWlscy1wcm9kLWV4dGVybmFsLW5sYi0zODEyOTg4MjY3Nzk0MDk4 + LmVsYi51cy13ZXN0LTIuYW1hem9uYXdzLmNvbYJHaW50ZXJuYWwtcmFpbHMtcHJv + ZC1leHRlcm5hbC1hbGItMTA1NDI0NjU3Ni51cy13ZXN0LTIuZWxiLmFtYXpvbmF3 + cy5jb22CH2dpdGxhYi1wcm9kLWVhc3QuY2VlLnJlZGhhdC5jb22CH2dpdGxhYi1w + cm9kLXdlc3QuY2VlLnJlZGhhdC5jb22CFWdpdGxhYi5jZWUucmVkaGF0LmNvbTA7 + BggrBgEFBQcBAQQvMC0wKwYIKwYBBQUHMAGGH2h0dHA6Ly9vY3NwLnJlZGhhdC5j + b20vY2Evb2NzcC8wDgYDVR0PAQH/BAQDAgTwMB0GA1UdJQQWMBQGCCsGAQUFBwMB + BggrBgEFBQcDAjANBgkqhkiG9w0BAQsFAAOCAQEAQHVngMx0nfsDCLi2oklBrM6S + JOHs1lMG8JEhfiJhIIHjn6eRhX3Os2sJdPzZtUVjm3eaU77t4K0hZ+GrBTtpZgMF + 6Cq24lrn+SPoQNeLFDEOZqAbRr8qdeJHYuXGAjSSWZQ7fs2Wx9wwBYBLV5uOCLNS + otWnPN0EPE5mBbhP03DqPlljABzqAhDtAlVWxH+VH9OT+m9IJQ9fpzUvuI+/fMZ7 + 0tRrTtONVc4BUWPB5myeTdbdjjhte5MuDh/4VTK7S/mCEB4xrK/rAnPDB4YDqnhZ + eAlzymJqWenKaINP0QYDA0DtDB4YKiSqABPsS0UC6W/2d//sRQfohmFG4kq9GA== + -----END CERTIFICATE----- diff --git a/bootstrap/argocd/internal-data-hub-appproject.yaml b/bootstrap/argocd/internal-data-hub-appproject.yaml new file mode 100644 index 00000000..0ca0c221 --- /dev/null +++ b/bootstrap/argocd/internal-data-hub-appproject.yaml 
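Review bot: The PEM stored under `gitlab.cee.redhat.com` appears to be a server leaf certificate rather than a CA: the DER decodes to CN `*.pages.redhat.com` with `gitlab.cee.redhat.com` among its SANs, issued by the Red Hat internal CA and valid only until 2024-08-11. Argo CD uses `argocd-tls-certs-cm` entries as the trust anchors for that host, so this works until the leaf is rotated and then the repo-server fails TLS verification for every `gitlab.cee.redhat.com` source in this patch; store the issuing CA certificate instead so rotation is transparent. If the operator reconciles this ConfigMap, the supported place is `spec.tls.initialCerts` on the ArgoCD CR — worth confirming so the entry is not overwritten. The label `app.kubernetes.io/name: argocd-cm` also names a different ConfigMap; `app.kubernetes.io/name: argocd-tls-certs-cm` would match the object.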
@@ -0,0 +1,14 @@ +apiVersion: argoproj.io/v1alpha1 +kind: AppProject +metadata: + name: internal-data-hub + namespace: internal-data-hub--argocd +spec: + clusterResourceWhitelist: + - group: "*" + kind: "*" + destinations: + - namespace: "*" + server: "*" + sourceRepos: + - "*" diff --git a/bootstrap/argocd/internal-data-hub-argocd.yaml b/bootstrap/argocd/internal-data-hub-argocd.yaml new file mode 100644 index 00000000..905f3770 --- /dev/null +++ b/bootstrap/argocd/internal-data-hub-argocd.yaml 
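Review bot: This project is fully open — `sourceRepos: "*"`, destinations with `server: "*"` and `namespace: "*"`, and a `clusterResourceWhitelist` of `*`/`*` — so any Application created in `internal-data-hub--argocd` can pull manifests from any reachable repository and deploy them to any namespace on any registered cluster, including cluster-scoped RBAC (the ArgoCD CR in this patch lists `ClusterRoleBinding` in `resourceInclusions`). Every Application in the patch uses exactly three repositories, two API servers and namespaces under `dh-*` or `internal-data-hub--*`, so the project can be narrowed to those without breaking anything here. Whether any overlay needs cluster-scoped kinds cannot be seen from this patch; start from an empty whitelist and add specific group/kind pairs as syncs demand.
```yaml
spec:
  # add specific group/kind pairs here only as an overlay proves it needs them
  clusterResourceWhitelist: []
  destinations:
    - namespace: "dh-*"
      server: https://api.datahub-ocp4.prod.psi.redhat.com:6443
    - namespace: "internal-data-hub--*"
      server: https://api.gpc.ocp-hub.prod.psi.redhat.com:6443
  sourceRepos:
    - https://github.com/AICoE/internal-data-hub.git
    - https://gitlab.cee.redhat.com/data-hub/dh-telemetry.git
    - https://gitlab.cee.redhat.com/data-hub/telemeter-ocp-dashboards.git
```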
@@ -0,0 +1,259 @@ +apiVersion: argoproj.io/v1alpha1 +kind: ArgoCD +metadata: + name: internal-data-hub-argocd + namespace: internal-data-hub--argocd +spec: + extraConfig: + kustomize.buildOptions: "--enable-alpha-plugins" + controller: + resources: + limits: + cpu: 2000m + memory: 2048Mi + requests: + cpu: 250m + memory: 1024Mi + resourceInclusions: | + - apiGroups: + - '' + kinds: + - Binding + - ConfigMap + - Endpoints + - Event + - LimitRange + - PersistentVolumeClaim + - Pod + - ReplicationController + - ResourceQuota + - Secret + - ServiceAccount + - Service + clusters: + - https://api.gpc.ocp-hub.prod.psi.redhat.com:6443 + - https://api.datahub-ocp4.prod.psi.redhat.com:6443 + - apiGroups: + - apps + kinds: + - ControllerRevision + - Deployment + - StatefulSet + clusters: + - https://api.gpc.ocp-hub.prod.psi.redhat.com:6443 + - https://api.datahub-ocp4.prod.psi.redhat.com:6443 + - apiGroups: + - apps.openshift.io + kinds: + - DeploymentConfig + clusters: + - https://api.gpc.ocp-hub.prod.psi.redhat.com:6443 + - https://api.datahub-ocp4.prod.psi.redhat.com:6443 + - apiGroups: + - authorization.openshift.io + kinds: + - RoleBindingRestriction + - RoleBinding + - Role + clusters: + - https://api.gpc.ocp-hub.prod.psi.redhat.com:6443 + - https://api.datahub-ocp4.prod.psi.redhat.com:6443 + - apiGroups: + - build.openshift.io + kinds: + - BuildConfig + - Build + clusters: + - https://api.gpc.ocp-hub.prod.psi.redhat.com:6443 + - https://api.datahub-ocp4.prod.psi.redhat.com:6443 + - apiGroups: + - extensions + kinds: + - Deployment + - Ingress + - NetworkPolicy + clusters: + - https://api.gpc.ocp-hub.prod.psi.redhat.com:6443 + - https://api.datahub-ocp4.prod.psi.redhat.com:6443 + - apiGroups: + - image.openshift.io + kinds: + - ImageStreamImage + - ImageStreamMapping + - ImageStream + - ImageStreamTag + clusters: + - https://api.gpc.ocp-hub.prod.psi.redhat.com:6443 + - https://api.datahub-ocp4.prod.psi.redhat.com:6443 + - apiGroups: + - policy + kinds: + - 
PodDisruptionBudget + clusters: + - https://api.gpc.ocp-hub.prod.psi.redhat.com:6443 + - https://api.datahub-ocp4.prod.psi.redhat.com:6443 + - apiGroups: + - rbac.authorization.k8s.io + kinds: + - RoleBinding + - Role + - ClusterRoleBinding + clusters: + - https://api.gpc.ocp-hub.prod.psi.redhat.com:6443 + - https://api.datahub-ocp4.prod.psi.redhat.com:6443 + - apiGroups: + - route.openshift.io + kinds: + - Route + clusters: + - https://api.gpc.ocp-hub.prod.psi.redhat.com:6443 + - https://api.datahub-ocp4.prod.psi.redhat.com:6443 + - apiGroups: + - template.openshift.io + kinds: + - Template + - TemplateInstance + - Template + clusters: + - https://api.gpc.ocp-hub.prod.psi.redhat.com:6443 + - https://api.datahub-ocp4.prod.psi.redhat.com:6443 + - apiGroups: + - image.openshift.io + kinds: + - ImageStreamImage + - ImageStreamMapping + - ImageStream + - ImageStreamTag + - ImageTag + clusters: + - https://api.gpc.ocp-hub.prod.psi.redhat.com:6443 + - https://api.datahub-ocp4.prod.psi.redhat.com:6443 + - apiGroups: + - monitoring.coreos.com + kinds: + - ServiceMonitor + - PrometheusRule + - PodMonitor + clusters: + - https://api.datahub-ocp4.prod.psi.redhat.com:6443 + - apiGroups: + - triggers.tekton.dev + kinds: + - TriggerTemplate + - EventListener + clusters: + - https://api.datahub-ocp4.prod.psi.redhat.com:6443 + - apiGroups: + - tekton.dev + kinds: + - Task + - Pipeline + clusters: + - apiGroups: + - batch + kinds: + - CronJob + clusters: + - https://api.datahub-ocp4.prod.psi.redhat.com:6443 + ha: + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 250m + memory: 128Mi + enabled: false + rbac: + defaultPolicy: "" + policy: | + g, system:cluster-admins, role:admin + g, data-hub-openshift-admins, role:admin + scopes: "[email, groups]" + redis: + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 250m + memory: 128Mi + repo: + env: + - name: GNUPGHOME + value: /.gnupg + - name: XDG_CONFIG_HOME + value: /.config + - name: SOPS_PGP_FP + 
value: EFDB9AFBD18936D9AB6B2EECBD2C73FF891FBC7E + volumes: + - name: custom-tools + emptyDir: {} + - name: gpghome + emptyDir: {} + - name: ksops-pgp-key + secret: + secretName: ksops-pgp-key + initContainers: + - name: install-ksops + image: quay.io/viaductoss/ksops:v3.0.2 + command: ["/bin/sh", "-c"] + env: + - name: GNUPGHOME + value: /.gnupg + args: + - 'echo "Installing KSOPS..."; cp ksops /custom-tools/; cp $GOPATH/bin/kustomize /custom-tools/; gpg --import /.config/sops/pgp/*; echo "Done.";' + volumeMounts: + - mountPath: /custom-tools + name: custom-tools + - mountPath: /.gnupg + name: gpghome + - mountPath: /.config/sops/pgp/private.key + name: ksops-pgp-key + subPath: private.key + volumeMounts: + - mountPath: /usr/local/bin/kustomize + name: custom-tools + subPath: kustomize + - mountPath: /.config/kustomize/plugin/viaduct.ai/v1/ksops/ksops + name: custom-tools + subPath: ksops + - mountPath: /.config/sops/pgp/private.key + name: ksops-pgp-key + subPath: private.key + - mountPath: /.gnupg + name: gpghome + resources: + limits: + cpu: 1000m + memory: 1024Mi + requests: + cpu: 250m + memory: 256Mi + server: + host: internal-data-hub-argocd.apps.int.gpc.ocp-hub.prod.psi.redhat.com + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 125m + memory: 128Mi + route: + labels: + shard: internal + enabled: true + tls: + termination: reencrypt + insecureEdgeTerminationPolicy: Redirect + sso: + dex: + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 250m + memory: 128Mi + openShiftOAuth: true + provider: dex diff --git a/bootstrap/argocd/rolebindings/s3-webserver-argocd-manager-admin-rolebinding.yml b/bootstrap/argocd/rolebindings/s3-webserver-argocd-manager-admin-rolebinding.yml new file mode 100644 index 00000000..60f5e4dc --- /dev/null +++ b/bootstrap/argocd/rolebindings/s3-webserver-argocd-manager-admin-rolebinding.yml 
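Review bot: The `ksops-pgp-key` Secret is mounted into the repo-server container itself (`/.config/sops/pgp/private.key`) even though the `install-ksops` init container already imports it into the shared `gpghome` emptyDir via `gpg --import`, so the raw private key stays readable to everything running in repo-server — including any kustomize exec plugin, which `kustomize.buildOptions: "--enable-alpha-plugins"` permits for every repository the project can source. Drop that `ksops-pgp-key` entry from the repo-server `volumeMounts` (keep it on the init container) so only the imported keyring is present at build time. `image: quay.io/viaductoss/ksops:v3.0.2` is a mutable tag whose contents also replace the repo-server's `kustomize` binary (`cp $GOPATH/bin/kustomize /custom-tools/`), so pin it by digest. In `resourceInclusions`, the `tekton.dev` entry's `clusters:` is followed directly by `- apiGroups: batch`; indentation is lost in this view, but either the tekton entry has no cluster URL (as far as I recall Argo treats an empty `clusters` list as matching all clusters) or the batch entry is mis-nested under it — add `- https://api.datahub-ocp4.prod.psi.redhat.com:6443` there, and note `Template` is listed twice under `template.openshift.io` and the `image.openshift.io` group appears twice.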
@@ -0,0 +1,13 @@ +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: argocd-manager-admin + namespace: internal-data-hub--s3-webserver-prod +subjects: + - kind: ServiceAccount + name: tenantaccess-argocd-manager + namespace: internal-data-hub--config +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: admin diff --git a/bootstrap/argocd/rolebindings/superset-stage-argocd-manager-admin-rolebinding.yml b/bootstrap/argocd/rolebindings/superset-stage-argocd-manager-admin-rolebinding.yml new file mode 100644 index 00000000..f14f8b83 --- /dev/null +++ b/bootstrap/argocd/rolebindings/superset-stage-argocd-manager-admin-rolebinding.yml @@ -0,0 +1,13 @@ +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: argocd-manager-admin + namespace: internal-data-hub--superset-stage +subjects: + - kind: ServiceAccount + name: tenantaccess-argocd-manager + namespace: internal-data-hub--config +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: admin diff --git a/bootstrap/namespaces/argocd-tenantnamespace.yaml b/bootstrap/namespaces/argocd-tenantnamespace.yaml new file mode 100644 index 00000000..8692a164 --- /dev/null +++ b/bootstrap/namespaces/argocd-tenantnamespace.yaml @@ -0,0 +1,9 @@ +apiVersion: tenant.paas.redhat.com/v1alpha1 +kind: TenantNamespace +metadata: + name: argocd + namespace: internal-data-hub--config +spec: + type: runtime + network: + security-zone: internal diff --git a/bootstrap/namespaces/s3-webserver-prod-tenantnamespace.yaml b/bootstrap/namespaces/s3-webserver-prod-tenantnamespace.yaml new file mode 100644 index 00000000..3e4786f8 --- /dev/null +++ b/bootstrap/namespaces/s3-webserver-prod-tenantnamespace.yaml @@ -0,0 +1,9 @@ +apiVersion: tenant.paas.redhat.com/v1alpha1 +kind: TenantNamespace +metadata: + name: s3-webserver-prod + namespace: internal-data-hub--config +spec: + type: runtime + network: + security-zone: internal 
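Review bot: Both RoleBindings grant the `admin` ClusterRole to `tenantaccess-argocd-manager`, which includes reading every Secret in the namespace and creating further RoleBindings; that is a normal deployer scope, but the TenantServiceAccount in this patch already declares `namespace-admin`, so it is unclear whether these explicit bindings are redundant or cover a gap the tenant role leaves. A comment on each binding stating why it is needed alongside the tenant role (presumably the subject name `tenantaccess-argocd-manager` is what the tenant operator derives from `argocd-manager` — worth confirming) would settle that for the next reader. Only the two `gpc.ocp-hub` namespaces get bindings here; access for the `datahub-ocp4` destinations must come from outside this patch, and the commit message could say where.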
diff --git a/bootstrap/namespaces/superset-stage-tenantnamespace.yaml b/bootstrap/namespaces/superset-stage-tenantnamespace.yaml new file mode 100644 index 00000000..fcc6aa35 --- /dev/null +++ b/bootstrap/namespaces/superset-stage-tenantnamespace.yaml @@ -0,0 +1,9 @@ +apiVersion: tenant.paas.redhat.com/v1alpha1 +kind: TenantNamespace +metadata: + name: superset-stage + namespace: internal-data-hub--config +spec: + type: runtime + network: + security-zone: internal diff --git a/bootstrap/tenantegresses/argocd-tenantegress.yaml b/bootstrap/tenantegresses/argocd-tenantegress.yaml new file mode 100644 index 00000000..cf45cbed --- /dev/null +++ b/bootstrap/tenantegresses/argocd-tenantegress.yaml 
@@ -0,0 +1,109 @@ +apiVersion: tenant.paas.redhat.com/v1alpha1 +kind: TenantEgress +metadata: + name: default + namespace: internal-data-hub--argocd +spec: + egress: + - to: + cidrSelector: 172.0.0.0/8 + type: Allow + - to: + cidrSelector: 10.0.0.0/9 + type: Allow + - to: + cidrSelector: 52.218.128.0/17 + type: Allow + - to: + cidrSelector: 52.92.128.0/17 + type: Allow + - to: + cidrSelector: 52.216.0.0/15 + type: Allow + - to: + dnsName: github.com + type: Allow + - to: + dnsName: registry.access.redhat.com + type: Allow + - to: + cidrSelector: 192.30.252.0/22 + type: Allow + - to: + cidrSelector: 185.199.108.0/22 + type: Allow + - to: + cidrSelector: 140.82.112.0/20 + type: Allow + - to: + cidrSelector: 143.55.64.0/20 + type: Allow + - to: + cidrSelector: 2a0a:a440::/29 + type: Allow + - to: + cidrSelector: 2606:50c0::/32 + type: Allow + - to: + cidrSelector: 20.201.28.151/32 + type: Allow + - to: + cidrSelector: 20.205.243.166/32 + type: Allow + - to: + cidrSelector: 20.87.245.0/32 + type: Allow + - to: + cidrSelector: 20.248.137.48/32 + type: Allow + - to: + cidrSelector: 20.207.73.82/32 + type: Allow + - to: + cidrSelector: 20.27.177.113/32 + type: Allow + - to: + cidrSelector: 20.200.245.247/32 + type: Allow + - to: + cidrSelector: 20.175.192.147/32 + type: Allow + - to: + cidrSelector: 20.233.83.145/32 + type: Allow + - to: + cidrSelector: 20.29.134.23/32 + type: Allow + - to: + cidrSelector: 20.201.28.152/32 + type: Allow + - to: + cidrSelector: 20.205.243.160/32 + type: Allow + - to: + cidrSelector: 20.87.245.4/32 + type: Allow + - to: + cidrSelector: 20.248.137.50/32 + type: Allow + - to: + cidrSelector: 20.207.73.83/32 + type: Allow + - to: + cidrSelector: 20.27.177.118/32 + type: Allow + - to: + cidrSelector: 20.200.245.248/32 + type: Allow + - to: + cidrSelector: 20.175.192.146/32 + type: Allow + - to: + cidrSelector: 20.233.83.149/32 + type: Allow + - to: + cidrSelector: 20.29.134.19/32 + type: Allow + - to: + cidrSelector: 0.0.0.0/0 + type: Deny 
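Review bot: `cidrSelector: 172.0.0.0/8` is not the RFC 1918 range — that is `172.16.0.0/12` — so as written the rule allows egress to the roughly fifteen-sixteenths of `172.0.0.0/8` that is public address space, which largely undercuts the trailing `0.0.0.0/0` Deny. Change it to `cidrSelector: 172.16.0.0/12` unless a specific non-private 172.x destination is required, in which case list it explicitly. The list also allows two IPv6 prefixes (`2a0a:a440::/29`, `2606:50c0::/32`) but the catch-all Deny is IPv4-only; confirm the tenant operator default-denies unmatched IPv6, or add a matching `cidrSelector: ::/0` Deny. The long run of single `20.x.x.x/32` GitHub addresses will drift as GitHub's `meta` ranges change and mostly duplicates the `dnsName: github.com` entry above it, so a comment with the source and date of that list would help whoever maintains it.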
diff --git a/bootstrap/tenantgroups/internal-data-hub-tenant-egress-admins-tenantgroup.yaml b/bootstrap/tenantgroups/internal-data-hub-tenant-egress-admins-tenantgroup.yaml new file mode 100644 index 00000000..c8292793 --- /dev/null +++ b/bootstrap/tenantgroups/internal-data-hub-tenant-egress-admins-tenantgroup.yaml @@ -0,0 +1,9 @@ +apiVersion: tenant.paas.redhat.com/v1 +kind: TenantGroup +metadata: + name: internal-data-hub-tenant-egress-admins + namespace: internal-data-hub--config +spec: + ldapDN: cn=data-hub-openshift-admins,ou=adhoc,ou=managedGroups,dc=redhat,dc=com + roles: + - tenant-egress-admin