feat: submariner deployment for remote nodes to join a hybrid federations

.gitignore

@@ -3,7 +3,7 @@ _*/
 
 ### Helm ###
 # Chart dependencies
-**/charts/*.tgz
+charts/
 
 ### JetBrains+all ###
 # Covers JetBrains IDEs: IntelliJ, RubyMine, PhpStorm, AppCode, PyCharm, CLion, Android Studio, WebStorm and Rider

README.md

@@ -206,6 +206,39 @@ graph TD
 - `argocd` CLI installed (optional but recommended)
 - SSH access to the repository configured in Argo CD
 
+### 🔐 Remote Access (VPN/SSH)
+
+If you are not on the same network as the cluster, you need to tunnel your traffic.
+
+#### Option A: SOCKS Proxy (Recommended for `kubectl`)
+This routes all your traffic through the jump host.
+
+1. **Open Tunnel**:
+   ```bash
+   ssh -D 1080 -C -q -N <user>@<jump-host>
+   ```
+2. **Configure Environment**:
+   ```bash
+   export HTTPS_PROXY=socks5://127.0.0.1:1080
+   ```
+
+#### Option B: Port Forward + Hosts (Recommended for `argocd` CLI / UI)
+This tricks your local machine into thinking `localhost` is the remote server, while preserving the hostname for Ingress routing.
+
+1. **Update `/etc/hosts`**:
+   ```bash
+   # Add this line
+   127.0.0.1 argocd.mip-tds.chuv.cscs.ch
+   ```
+2. **Open Tunnel (Sudo required for port 443)**:
+   ```bash
+   sudo ssh -L 443:argocd.mip-tds.chuv.cscs.ch:443 <user>@<jump-host>
+   ```
+3. **Login**:
+   ```bash
+   argocd login argocd.mip-tds.chuv.cscs.ch:443 --insecure --grpc-web
+   ```
+
 ### Initial secrets:
 
 The following secrets must exist in the cluster before or after running this repository's setup scripts. If you run it after, creation will hang until these are present.
@@ -288,6 +321,7 @@ argocd repo add [email protected]:NeuroTech-Platform/mip-deployments.git \
   --name mip-infra
 
 kubectl apply -f base/mip-infrastructure/rbac/nginx-public-rbac.yaml
+kubectl apply -f base/mip-infrastructure/rbac/submariner-rbac.yaml
 ```
 
 

argo-setup/README.md

@@ -44,9 +44,9 @@ ARGOCD_HOST=argocd.example.com #YOUR SUBDOMAIN HERE
 # Replace placeholder hostname in all patch files
 cd argo-setup
 # BSD-Style
-find . -type f -exec sed -i '' "s/argocd.example.com/$ARGOCD_HOST/g" {} +
+LC_ALL=C find . -type f -not -path '*/.git/*' -exec sed -i '' "s/argocd.example.com/$ARGOCD_HOST/g" {} +
 # GNU-Style
-find . -type f -exec sed -i "s/argocd.example.com/$ARGOCD_HOST/g" {} +
+LC_ALL=C find . -type f -not -path '*/.git/*' -exec sed -i "s/argocd.example.com/$ARGOCD_HOST/g" {} +
 
 # Resolve latest 3.0 version (or pin to specific version)
 export ARGOCD_SERIES=v3.0
@@ -58,6 +58,9 @@ export ARGOCD_VER=$(curl -s https://api.github.com/repos/argoproj/argo-cd/releas
 echo "Resolved latest 3.0 tag: $ARGOCD_VER"
 
 # Update kustomization.yaml with resolved version
+# BSD-Style
+sed -i '' "s|/v[0-9.]*/manifests/ha/install.yaml|/${ARGOCD_VER}/manifests/ha/install.yaml|g" patches/kustomization.yaml
+# GNU-Style
 sed -i "s|/v[0-9.]*/manifests/ha/install.yaml|/${ARGOCD_VER}/manifests/ha/install.yaml|g" patches/kustomization.yaml
 
 # 1. Namespace

argo-setup/patches/kustomization.yaml

@@ -4,7 +4,7 @@ kind: Kustomization
 namespace: argocd-mip-team
 # Base: upstream HA manifest (resolved tag)
 resources:
-  - https://raw.githubusercontent.com/argoproj/argo-cd/v3.0.11/manifests/ha/install.yaml
+  - https://raw.githubusercontent.com/argoproj/argo-cd/v3.0.20/manifests/ha/install.yaml
   - patch-argocd-ingress.yaml
 patchesStrategicMerge:
   - patch-argocd-application-controller-clusterrole.yaml

argo-setup/patches/patch-argocd-application-controller-clusterrole.yaml

@@ -36,15 +36,9 @@ rules:
   - apiGroups: [monitoring.coreos.com]
     resources: [prometheusrules, servicemonitors]
     verbs: [create, delete, patch, update]
-  - apiGroups: [cert-manager.io]
-    resources: [clusterissuers]
-    verbs: [create, delete, patch, update]
   - apiGroups: [networking.k8s.io]
     resources: [ingresses, networkpolicies, ingressclasses]
     verbs: [get, list, watch, create, update, patch, delete]
-  - apiGroups: [rbac.authorization.k8s.io]
-    resources: [clusterrolebindings, clusterroles, rolebindings, roles]
-    verbs: [create, delete, patch, update]
   - apiGroups: ['']
     resources:
       - configmaps
@@ -61,3 +55,49 @@ rules:
   - apiGroups: ['']
     resources: [pods]
     verbs: [create, delete, patch, update]  # in the future, only delete but at the moment we still have standalone pods
+
+  # Rule 4: Submariner requirements
+  # The controller needs these permissions to grant them to Submariner components
+  - apiGroups: [operator.openshift.io]
+    resources: [dnses]
+    verbs: [get, list, watch, update]
+  - apiGroups: [config.openshift.io]
+    resources: [networks]
+    verbs: [get, list]
+  - apiGroups: [projectcalico.org]
+    resources: [ippools]
+    verbs: [create, delete, update, deletecollection]
+  - apiGroups: [submariner.io]
+    resources:
+      - clusters
+      - endpoints
+      - gateways
+      - clusterglobalegressips
+      - globalegressips
+      - globalingressips
+      - submariners
+    verbs:
+      - create
+      - delete
+      - deletecollection
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups: [submariner.io]
+    resources:
+      - clusterglobalegressips/status
+      - globalegressips/status
+      - globalingressips/status
+    verbs: [create, delete, deletecollection, update]
+  - apiGroups: [network.openshift.io]
+    resources: [service/externalips]
+    verbs: [create, delete]
+  - apiGroups: ['']
+    resources: [nodes]
+    verbs: [get, list, watch, update]
+# Add if we ever use GlobalNet
+#  - apiGroups: ['']
+#    resources: [endpoints]
+#    verbs: [get, list, watch, create, update, delete, patch]

argo-setup/patches/patch-argocd-cm.yaml

@@ -12,3 +12,4 @@ data:
   application.instanceLabelKey: argocd.argoproj.io/instanceTracking
   installationID: mip-team-argo-cd
   resource.respectRBAC: normal
+  kustomize.buildOptions: --enable-helm

base/argo-projects.yaml

@@ -23,6 +23,8 @@ spec:
             fileName: mip-common
           - projectName: mip-argo-project-security
             fileName: mip-security
+          - projectName: mip-argo-project-submariner
+            fileName: submariner
   goTemplate: true
   template:
     metadata:

base/mip-infrastructure/mip-infrastructure.yaml

@@ -36,6 +36,7 @@ spec:
                 - path: common/datacatalog
                 - path: common/nginx-ingress
                 - path: common/security
+                - path: common/submariner
           - list:
               elements:
                 - cluster: https://kubernetes.default.svc