feat: Distinct CS namespace for Cloud Paks

Signed-off-by: Denilson Nastacio <[email protected]>

README.md

@@ -6,6 +6,7 @@
   - [Contents](#contents)
   - [Overview](#overview)
     - [IBM Cloud Paks](#ibm-cloud-paks)
+    - [Shared cluster](#shared-cluster)
     - [GitOps](#gitops)
     - [Governance Policies](#governance-policies)
   - [Storage](#storage)
@@ -37,8 +38,14 @@ Supported versions:
 | Cloud Pak for Business Automation | [22.0.2](https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/22.0.2) | Multi-pattern starter deployment |
 | Cloud Pak for Data | [4.6.5](https://www.ibm.com/docs/en/cloud-paks/cp-data/4.6.x?topic=overview) | Online, specialized installation |
 | Cloud Pak for Integration | [2022.4](https://www.ibm.com/docs/en/cloud-paks/cp-integration/2022.4) | Online installation |
-| Cloud Pak for Security | [1.10](https://www.ibm.com/docs/en/cloud-paks/cp-security/1.10) | Online installation |
-| Cloud Pak for Watson AIOps | [3.7.0](https://www.ibm.com/docs/en/cloud-paks/cloud-pak-watson-aiops/3.7.0) | Online Installation |
+| Cloud Pak for Security | [1.10.12](https://www.ibm.com/docs/en/cloud-paks/cp-security/1.10) | Online installation |
+| Cloud Pak for Watson AIOps | [3.7.1](https://www.ibm.com/docs/en/cloud-paks/cloud-pak-watson-aiops/3.7.1) | Online Installation |
+
+### Shared cluster
+
+All Cloud Paks are deployed using dedicated automation foundation instances.
+
+At the root of this configuration, lies a pre-synchronization hook inside the `cp-shared` application, which creates a default "common-service-maps" ConfigMap under the `kube-public` namespace, according to the instructions listed under <https://www.ibm.com/docs/en/cloud-paks/1.0?topic=cfs-installing-cloud-pak-foundational-services-in-multiple-namespaces>
 
 ### GitOps
 

config/argocd-cloudpaks/cp-shared/Chart.yaml

@@ -16,9 +16,9 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.5.0
+version: 0.6.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
-appVersion: "1.2.0"
+appVersion: "1.3.0"

config/argocd-cloudpaks/cp-shared/templates/0021-cloudpaks-cluster-role.yaml

@@ -10,3 +10,6 @@ rules:
   - apiGroups: ["config.openshift.io"]
     resources: ["infrastructures", "ingresses"]
     verbs: ["get"]
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["*"]

config/argocd-cloudpaks/cp-shared/templates/0050-sync-common-service-maps.yaml

@@ -0,0 +1,64 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: sync-common-service-maps
+  annotations:
+    argocd.argoproj.io/hook: Sync
+    argocd.argoproj.io/sync-wave: "50"
+  namespace: openshift-gitops
+spec:
+  template:
+    spec:
+      containers:
+        - name: config
+          image: quay.io/openshift/origin-cli:latest
+          imagePullPolicy: IfNotPresent
+          env:
+            - name: ARGOCD_NAMESPACE
+              value: "openshift-gitops"
+          command:
+            - /bin/sh
+            - -c
+            - |
+              set -eou pipefail
+              set -x
+
+              # https://www.ibm.com/docs/en/cloud-paks/1.0?topic=cfs-installing-cloud-pak-foundational-services-in-multiple-namespaces#cli
+              if ! oc get ConfigMap common-service-maps -n kube-public 2>/dev/null
+              then
+                echo "INFO: ConfigMap common-service-maps needs to be created."
+                cat <<EOF | oc apply -f -
+              apiVersion: v1
+              kind: ConfigMap
+              metadata:
+                name: common-service-maps
+                namespace: kube-public
+              data:
+                common-service-maps.yaml: |
+                  controlNamespace: cs-control
+                  namespaceMapping:
+                  - map-to-common-service-namespace: {{.Values.namespace_mapping.cp4a}}
+                    requested-from-namespace:
+                    - {{.Values.namespace_mapping.cp4a}}
+                  - map-to-common-service-namespace: {{.Values.namespace_mapping.cp4d}}
+                    requested-from-namespace:
+                    - {{.Values.namespace_mapping.cp4d}}
+                  - map-to-common-service-namespace: {{.Values.namespace_mapping.cp4i}}
+                    requested-from-namespace:
+                    - {{.Values.namespace_mapping.cp4i}}
+                  - map-to-common-service-namespace: {{.Values.namespace_mapping.cp4s}}-cs
+                    requested-from-namespace:
+                    - {{.Values.namespace_mapping.cp4s}}
+                  - map-to-common-service-namespace: {{.Values.namespace_mapping.cp4waiops}}
+                    requested-from-namespace:
+                    - {{.Values.namespace_mapping.cp4waiops}}
+                    - {{.Values.namespace_mapping.cp4waiops}}-emgr
+              EOF
+              else
+                echo "INFO: ConfigMap common-service-maps already exists."
+              fi
+      restartPolicy: Never
+
+      serviceAccountName: {{.Values.serviceaccount.ibm_cloudpaks_installer}}
+  backoffLimit: 2

config/argocd-cloudpaks/cp-shared/values.yaml

@@ -7,6 +7,12 @@ serviceaccount:
 metadata:
   argocd_app_namespace: ibm-cloudpaks
   argocd_namespace: openshift-gitops
+namespace_mapping:
+  cp4a: cp4a
+  cp4d: cp4d
+  cp4i: cp4i
+  cp4s: cp4s
+  cp4waiops: cp4waiops
 online_catalog_source_priority: -1
 storageclass:
   rwo:

config/argocd-cloudpaks/cp4a/values.yaml

@@ -4,7 +4,7 @@ targetRevision: main
 serviceaccount:
   argocd_application_controller: openshift-gitops-argocd-application-controller
 metadata:
-  argocd_app_namespace: ibm-cloudpaks
+  argocd_app_namespace: cp4a
   argocd_namespace: openshift-gitops
 spec:
   shared_configuration:

config/argocd-cloudpaks/cp4d/Chart.yaml

@@ -16,9 +16,9 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.4.2
+version: 0.6.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
-appVersion: "1.2.2"
+appVersion: "1.4.0"

config/argocd-cloudpaks/cp4d/templates/0010-argocd-role-binding-admin.yaml

@@ -11,9 +11,6 @@ roleRef:
   kind: ClusterRole
   name: cluster-admin
 subjects:
-  - kind: ServiceAccount
-    name: default
-    namespace: ibm-common-services
   - kind: ServiceAccount
     name: "{{.Values.serviceaccount.argocd_application_controller}}"
     namespace: "{{.Values.metadata.argocd_namespace}}"

config/argocd-cloudpaks/cp4d/values.yaml

@@ -4,10 +4,10 @@ targetRevision: main
 serviceaccount:
   argocd_application_controller: openshift-gitops-argocd-application-controller
 metadata:
-  argocd_app_namespace: cpd
+  argocd_app_namespace: cp4d
   argocd_namespace: openshift-gitops
-  common_services_namespace: ibm-common-services
-  operators_namespace: cpd-operators
+  common_services_namespace: cp4d
+  operators_namespace: cp4d
 
 # https://www.ibm.com/docs/en/cloud-paks/cp-data/4.6.x?topic=information-determining-which-components-install
 components: cpfs,scheduler,cpd_platform,rstudio,wml,ws

config/argocd-cloudpaks/cp4i/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.7.0
+version: 0.8.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

config/argocd-cloudpaks/cp4i/values.yaml

@@ -5,7 +5,7 @@ serviceaccount:
   ibm_cloudpaks_installer: ibm-cp4i-installer
   argocd_application_controller: openshift-gitops-argocd-application-controller
 metadata:
-  argocd_app_namespace: ibm-cloudpaks
+  argocd_app_namespace: cp4i
   argocd_namespace: openshift-gitops
 storageclass:
   rwo: ocs-storagecluster-ceph-rbd

config/argocd-cloudpaks/cp4s/Chart.yaml

@@ -16,9 +16,9 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.3
+version: 0.2.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
-appVersion: 1.9.1
+appVersion: 1.10.11

config/argocd-cloudpaks/cp4s/values.yaml

@@ -7,7 +7,7 @@ serviceaccount:
   argocd_application_controller: openshift-gitops-argocd-application-controller
   ibm_cloudpaks_installer: ibm-cloudpaks-installer
 metadata:
-  argocd_app_namespace: ibm-cloudpaks
+  argocd_app_namespace: cp4s
   argocd_namespace: openshift-gitops
 storageclass:
   rwo: ocs-storagecluster-ceph-rbd

config/argocd-cloudpaks/cp4waiops/Chart.yaml

@@ -16,9 +16,9 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.7.0
+version: 0.8.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
-appVersion: "0.13.0"
+appVersion: "0.14.0"

config/argocd-cloudpaks/cp4waiops/values.yaml

@@ -8,7 +8,7 @@ serviceaccount:
   argocd_application_controller: openshift-gitops-argocd-application-controller
   ibm_cloudpaks_installer: ibm-cloudpaks-installer
 metadata:
-  argocd_app_namespace: ibm-cloudpaks
+  argocd_app_namespace: cp4waiops
   argocd_namespace: openshift-gitops
 storageclass:
   rwo: ocs-storagecluster-ceph-rbd

config/cloudpaks/cp4d/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.4.1
+version: 0.5.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

config/cloudpaks/cp4d/templates/0000-operators-namespace.yaml

@@ -1,4 +1,4 @@
-{{ if not ( eq ( default "" .Values.metadata.operators_namespace ) "ibm-common-services" ) }}
+{{ if not ( or ( eq ( default "" .Values.metadata.operators_namespace ) "ibm-common-services" ) ( eq .Values.metadata.common_services_namespace .Values.metadata.operators_namespace ) ) }}
 ---
 apiVersion: v1
 kind: Namespace

config/cloudpaks/cp4d/values.yaml

@@ -5,8 +5,8 @@ serviceaccount:
 metadata:
   argocd_app_namespace: cpd
   argocd_namespace: openshift-gitops
-  common_services_namespace: ibm-common-services
-  operators_namespace: cpd-operators
+  common_services_namespace: "set in parent app"
+  operators_namespace: "set in parent app"
 
 # https://www.ibm.com/docs/en/cloud-paks/cp-data/4.6.x?topic=information-determining-which-components-install
 components: "set in parent app"

config/cloudpaks/cp4s/Chart.yaml

@@ -16,9 +16,9 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.3.1
+version: 0.3.2
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
-appVersion: 1.10.0
+appVersion: 1.10.12

config/cloudpaks/cp4s/templates/prereqs/001-cp4s-namespaces.yaml

@@ -0,0 +1,16 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  creationTimestamp: null
+  name: {{.Values.metadata.argocd_app_namespace}}
+spec: {}
+status: {}
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  creationTimestamp: null
+  name: "{{.Values.metadata.argocd_app_namespace}}-cs"
+spec: {}
+status: {}

config/cloudpaks/cp4s/templates/prereqs/020-cloudpaks-roles.yaml

@@ -0,0 +1,26 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations:
+    argocd.argoproj.io/sync-wave: "21"
+  creationTimestamp: null
+  name: ibm-cp4s-role
+  namespace: "{{.Values.metadata.argocd_app_namespace}}"
+rules:
+  - apiGroups: ["*"]
+    resources: ["*"]
+    verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations:
+    argocd.argoproj.io/sync-wave: "21"
+  creationTimestamp: null
+  name: ibm-cp4s-role
+  namespace: "{{.Values.metadata.argocd_app_namespace}}-cs"
+rules:
+  - apiGroups: ["*"]
+    resources: ["*"]
+    verbs: ["*"]

config/cloudpaks/cp4s/templates/prereqs/030-cloudpaks-role-bindings.yaml

@@ -0,0 +1,34 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  annotations:
+    argocd.argoproj.io/sync-wave: "30"
+  creationTimestamp: null
+  name: ibm-cp4s-binding
+  namespace: "{{.Values.metadata.argocd_app_namespace}}"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ibm-cp4s-role
+subjects:
+  - kind: ServiceAccount
+    name: "{{.Values.serviceaccount.ibm_cloudpaks_installer}}"
+    namespace: "{{.Values.metadata.argocd_namespace}}"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  annotations:
+    argocd.argoproj.io/sync-wave: "30"
+  creationTimestamp: null
+  name: ibm-cp4s-binding
+  namespace: "{{.Values.metadata.argocd_app_namespace}}-cs"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ibm-cp4s-role
+subjects:
+  - kind: ServiceAccount
+    name: "{{.Values.serviceaccount.ibm_cloudpaks_installer}}"
+    namespace: "{{.Values.metadata.argocd_namespace}}"

config/cloudpaks/cp4s/templates/prereqs/030-common-services-role-binding.yaml

@@ -3,7 +3,6 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   annotations:
-    argocd.argoproj.io/sync-options: "Replace=true"
     argocd.argoproj.io/sync-wave: "30"
   creationTimestamp: null
   name: common-services-cp4s-binding