redhat-cop / gitops-catalog Goto Github PK

On my cluster the job to generate internal registration integrations doesn't work as the auto-generated interations it copies haven't been created yet. This is noted in the bash script where it waits for 3 minutes but on my cluster it isn't enough time. Ideally it should be getting the list of integrations and sleeping in a loop until the auto-generated ones show up.

This is a placeholder issue to remind me to modify this job to do this, I'm happy to do the work in the next couple of weeks.

1. Getting error:

$ oc apply -k https://github.com/redhat-cop/gitops-catalog/elastisearch-operator/overlays/stable
Error from server (NotFound): error when creating "https://github.com/redhat-cop/gitops-catalog/elastisearch-operator/overlays/stable": namespaces "openshift-operators-redhat" not found

Works if you change the namespace by removing "-redhat" from all the following files:

gitops-catalog/elastisearch-operator/overlays/stable/kustomization.yaml
gitops-catalog/elastisearch-operator//overlays/5.0/kustomization.yaml
gitops-catalog/elastisearch-operator//overlays/4.6/kustomization.yaml
gitops-catalog/elastisearch-operator//base/kustomization.yaml
gitops-catalog/elastisearch-operator//base/elastisearch-subscription.yaml

2. Also, suggest to rename the dir from "elastisearch" to "elasticsearch" (add the 'c')

Several PVC objects have a finalizer included in the object. Generally I keep all finalizers out of the object defenition and only allow k8s to apply the appropriate finalizers in order to prevent a finalizer that doesn't exist from preventing the deletion of the object.

Is there any advantage to keeping the finalizer in the object definition?

finalizers:
    - kubernetes.io/pvc-protection

Right now the maven pipelines task (https://github.com/redhat-cop/gitops-catalog/blob/main/openshift-pipelines-tasks/maven/base/maven-task.yaml#L8) is using a google image from the google registry, I would like to suggest we default this to a Red Hat image. I have been using the java:openjdk-11-ubi8 image in OpenShift and haven't experienced any issues.

Interestingly my m2-cache overlay is expecting this image to be used and does not work with the google image. So if you want to leave the google image as the default I need to either make the overlay work with it, patch the overlay to use the RH image or just remove the overlay completely.

@pittar and @sabre1041 thoughts?

The current base is https://github.com/redhat-cop/gitops-catalog/catalog/sealed-secrets-operator/overlays/default
While it should be https://github.com/redhat-cop/gitops-catalog/sealed-secrets-operator/overlays/default

Need to remove redundant "catalog" word in the kustomization file example

The kustomization file for the 4.7 overlay has this reference for a resource:

resources: - knative-kafka-instance.yaml

There is no file like that in the directory.

patchesJson6902 and patchesStrategicMerge have been depreciated in the v1beta1 API in kustomize v5.0.0 and should be replaced by patches.

Any references using these should be updated in the GitOps catalog.

OpenShift GitOps 1.10 depreciated the v1alpha1 API and it should be updated to v1beta1.

When applying the current OpenShift GitOps instance you get the following warning:

Warning: ArgoCD v1alpha1 version is deprecated and will be converted to v1beta1 automatically. Moving forward, please use v1beta1 as the ArgoCD API version.
Warning: resource argocds/openshift-gitops is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by oc apply. oc apply should only be used on resources created declaratively by either oc create --save-config or oc apply. The missing annotation will be patched automatically.
argocd.argoproj.io/openshift-gitops configured

The API version in the instance should be updated. Need to validate if anything else needs to change.

Based on this:

https://access.redhat.com/documentation/en-us/red_hat_openshift_gitops/1.10/html-single/release_notes/index#new-features-1-10-0_gitops-release-notes

I think that everything should be fine since we are already using spec.sso.dex instead of spec.dex.

@gnunn1 Do you know of anything else with this API change that we should be aware of?

Several buildconfigs have a status object in the definition that should be removed and instead should allow OCP to create that instead.

status:
  lastVersion: 0

As per part 2 of #55 , the main Elasticsearch operator folder is missing a c in its name.

@gnunn1 @sabre1041 , what's the best way to fix the folder name without breaking anyone's existing kustomizations?

Over in the helm-charts repo we now have a super charged version of the installplan-approver from this repository that does things even more robustly. makign sure to only approve the correct installplan for instance.

maybe we should depricate the installplan-approver here and/or at least cross link from here to the more advanced helm chart?

https://github.com/redhat-cop/helm-charts/tree/master/charts/operators-installer

thoughts?

In this script:
https://github.com/redhat-canada-gitops/catalog/blob/master/sealed-secrets-operator/scripts/get-sealed-secret-key.sh

You have:
oc get $(oc get secret -n sealed-secrets -l sealedsecrets.bitnami.com/sealed-secrets-key=active -o name) -n sealed-secrets -o yaml > ~/.bitnami/sealed-secrets-secret.yaml

You can use the label in the outer command like this to get the same results:
oc get secret -l sealedsecrets.bitnami.com/sealed-secrets-key=active -n sealed-secrets -o yaml > ~/.bitnami/sealed-secrets-secret.yaml

The bases resource has been depreciated since v2.1.0 and should be combined/replaced with resources.

Any references using bases in the gitops catalog should be updated to utilize resources.

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

• Update actions/checkout digest to 692973e
• Update rojopolis/spellcheck-github-actions action to v0.38.0

Detected dependencies

• Check this box to trigger a request for Renovate to run again on this repository

I am looking at adding yamllint to the repo/github actions to enforce better formatting.

@pittar @gnunn1 any thoughts or opinions on adding this to the current configuration?

I also wanted to get your thoughts on a few of the settings that are the most common problems in the repo:

• Line Length: This is a likely disable. There are a lot of lines that are longer including some scripts. This is going to be very challenging to work around and is probably better to simply disable.
• --- at the start of files: I'm not a huge fan of this and would be happy to turn it off.
• New line at end of line: No objection for me on this one. I like it since it prevents weird merge issues if you add content to the end of a file.
• Wrong indentation: This seems to be two different issues. Some are actual indentation issues where objects are either 3 spaces instead of 2 or something else like that. The other issue is with list objects not indented under the parent. For example:

myList:
- name: myObject

instead of

myList:
  - name: myObject

The rest of the errors seem pretty minor but a count of all of the errors can be found below:

Add a catalog item for Minio

Incoming PR to remove the URL patch from the Ansible operator

There are currently two folders for devspaces that should be combined:

https://github.com/redhat-cop/gitops-catalog/tree/main/devspaces
https://github.com/redhat-cop/gitops-catalog/tree/main/openshift-dev-spaces

As the Elasticsearch Operator is deprecated and targeting removal, there will be an eventual need for manifests to install Lokistack.

PR incoming to update the ansible operator to stable-2.1 from pre-release and removing pre-release.

The namespace field in base/kustomization.yaml should be updated to match the namespace.yaml resource (cert-manager-operator).

https://github.com/redhat-cop/gitops-catalog/blob/main/cert-manager-operator/operator/base/kustomization.yaml

I believe the startingCSV field in the base/subscription.yaml is superfluous and may be removed.

olm.providedAPIs on OperatorGroup objects should be applied by OLM and should not be included in the object definition.

olm.providedAPIs

Example:

rhsso/rhsso-operator/base/rhsso-operatorgroup.yaml

this is just beauty/confusion... when reusing the sealed-secrets I get

W0502 18:15:57.469772  441936 warnings.go:70] would violate PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (container "sealed-secrets-controller" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "sealed-secrets-controller" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "sealed-secrets-controller" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "sealed-secrets-controller" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

Installation AAP operator using the OpenShift console results in install to namespace "aap"

The kustomization here installs to "ansible-automation-platform" namespace.

Is there an established opinion about inconsistencies like this?

Personally I would like to strive to match the defaults. I can do a PR, but I am only just now testing this for the first time today.

./gitops-catalog/openshift-logging/instance/overlays/default/kustomization.yaml: value: 'https://kibana-openshift-logging.apps.mgnt.adetalhouet.rhtelco.io'

The nmstate resource here

• https://github.com/redhat-cop/gitops-catalog/blob/main/nmstate/instance/base/nmstate-nmstate.yaml

Has the following issues:

• It uses v1beta1 API which has been deprecated for v1. Observered warning when install to OCP 4.14.
• The spec has a node selector defined, but I'm not sure why. An empty dict should also work.

$ kustomize build 'https://github.com/redhat-cop/gitops-catalog/nmstate/aggregate/overlays/default?ref=main' | kfilt -k nmstate
---
apiVersion: nmstate.io/v1beta1
kind: NMState
metadata:
  annotations:
    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
  name: nmstate
spec:
  nodeSelector:
    beta.kubernetes.io/arch: amd64

Operators may wish to have ODF provide storage for the internal registry. However 334027 invokes a job to enable the ODF console plug-in. This job depends on image-registry.openshift-image-registry.svc:5000/openshift/cli, which wouldn't be available until the registry is already configured.

It's possible that cluster operators are expected to have configured ephemeral storage for the registry, or to deploy a StorageCluster with in the same ArgoCD application that installs the operator. But the requirement isn't documented and may be unintentional.