feat: multi-runtime installation (#939) (#946)

* feat: support single-namespaced runtime installation (#617)

---------







* Support multi-runtime-installation

---------

Co-authored-by: mikhail-klimko <[email protected]>
Co-authored-by: Philip Kotliyakov <[email protected]>
Co-authored-by: Noam Gal <[email protected]>
Co-authored-by: cf-ci-bot-v2 <[email protected]>
Co-authored-by: ilia-medvedev-codefresh <[email protected]>

Author: 6 people

.github/workflows/component-test.yaml

@@ -68,6 +68,7 @@ jobs:
           helm repo add mockserver https://www.mock-server.com
 
 
+
       - name: Run KUTTL tests
         run: |
           cd tests/component-tests && ./../../bin/kuttl test --parallel 1 --start-kind=false --namespace e2e-test --config startup.yaml

charts/gitops-runtime/Chart.yaml

@@ -33,6 +33,7 @@ dependencies:
   - name: sealed-secrets
     repository: https://bitnami-labs.github.io/sealed-secrets/
     version: 2.17.2
+    condition: sealed-secrets.enabled
   - name: codefresh-tunnel-client
     repository: oci://quay.io/codefresh/charts
     version: 0.1.22

charts/gitops-runtime/README.md

@@ -31,6 +31,68 @@ See [Use OCI-based registries](https://helm.sh/docs/topics/registries/)
 ## Codefresh official documentation:
 Prior to running the installation please see the official documentation at: https://codefresh.io/docs/docs/installation/gitops/hybrid-gitops-helm-installation/
 
+## Multi Runtime Installation
+You can install multiple Codefresh GitOps Runtimes in the same cluster, as long as each Runtime is deployed in its own namespace and manages only the applications in that namespace.
+To achieve this, configure your Runtimes to run in namespaced mode by setting `global.runtime.singleNamespace=true`. See the values.yaml example below:
+```yaml
+global:
+  runtime:
+    singleNamespace: true
+sealed-secrets:
+  enabled: false
+argo-cd:
+  createClusterRoles: false
+  crds:
+    install: false
+  configs:
+    params:
+      application.namespaces: ''
+argo-events:
+  controller:
+    rbac:
+      namespaced: true
+argo-workflows:
+  crds:
+    install: false
+  singleNamespace: true
+  createAggregateRoles: false
+  controller:
+    clusterWorkflowTemplates:
+      enabled: false
+  server:
+    clusterWorkflowTemplates:
+      enabled: false
+argo-rollouts:
+  enabled: false
+tunnel-client:
+  enabled: false
+gitops-operator:
+  crds:
+    install: false
+```
+
+Note that for the first runtime in the cluster, you have to configure it to install the CRDs, with setting these values:
+```yaml
+global:
+  runtime:
+    isConfigurationRuntime: true
+argo-cd:
+  crds:
+    install: true
+argo-workflows:
+  crds:
+    install: true
+argo-rollouts:
+  installCRDs: true
+gitops-operator:
+  crds:
+    install: true
+```
+
+> [!WARNING]
+> If you want more than one runtime in your cluster, make sure that all of the runtimes in your cluster are configured with `global.runtime.singleNamespace=true`.
+> If you already have a runtime installed in the cluster without this setting, multi runtime installation is not supported.
+
 ## Argo-workflows artifact and log storage
 Codefresh provides a SaaS object storage based solution for Argo workflows logs storage. The chart deploys a configmap named `codefresh-workflows-log-store` with the repository configuration.
 If you want to utilize the Codefresh SaaS solution for log storage for all workflows in the runtime please set the following values:
@@ -555,6 +617,7 @@ global:
 | event-reporters.cluster-event-reporter | object | `{}` |  |
 | event-reporters.runtime-event-reporter | object | `{}` |  |
 | gitops-operator.affinity | object | `{}` |  |
+| gitops-operator.config | object | `{"commitStatusPollingInterval":"10s","maxConcurrentReleases":100,"promotionWrapperTemplate":"","taskPollingInterval":"10s","workflowMonitorPollingInterval":"10s"}` | GitOps operator configuration |
 | gitops-operator.config.commitStatusPollingInterval | string | `"10s"` | Commit status polling interval |
 | gitops-operator.config.maxConcurrentReleases | int | `100` | Maximum number of concurrent releases being processed by the operator (this will not affect the number of releases being processed by the gitops runtime) |
 | gitops-operator.config.maxReconcileRetries | int | `10` | Maximum number of reconcile retries on promotion-related resources before failing a promotion task |
@@ -638,7 +701,7 @@ global:
 | global.runtime.ingressUrl | string | `""` | Explicit url for runtime ingress. Provide this value only if you don't want the chart to create and ingress (global.runtime.ingress.enabled=false) and tunnel-client is not used (tunnel-client.enabled=false) |
 | global.runtime.isConfigurationRuntime | bool | `false` | is the runtime set as a "configuration runtime". |
 | global.runtime.name | string | `nil` | Runtime name. Must be unique per platform account. |
-| global.runtime.singleNamespace | bool | `false` | Defines if runtime is namespace scoped. Required for running multiple runtimes in the same cluster |
+| global.runtime.singleNamespace | bool | `false` | Runtime single namespace mode. When true, runtime operates in single namespace scope. |
 | global.tolerations | list | `[]` | Global tolerations for all components |
 | installer | object | `{"affinity":{},"argoCdVersionCheck":{"argoServerLabels":{"app.kubernetes.io/component":"server","app.kubernetes.io/part-of":"argocd"}},"image":{"pullPolicy":"IfNotPresent","repository":"quay.io/codefresh/gitops-runtime-installer","tag":""},"nodeSelector":{},"skipUsageValidation":false,"skipValidation":false,"tolerations":[]}` | Runtime installer used for running hooks and checks on the release |
 | installer.skipUsageValidation | bool | `false` | if set to true, pre-install hook will *not* run |

charts/gitops-runtime/README.md.gotmpl

@@ -31,6 +31,69 @@ See [Use OCI-based registries](https://helm.sh/docs/topics/registries/)
 ## Codefresh official documentation:
 Prior to running the installation please see the official documentation at: https://codefresh.io/docs/docs/installation/gitops/hybrid-gitops-helm-installation/
 
+## Multi Runtime Installation
+You can install multiple Codefresh GitOps Runtimes in the same cluster, as long as each Runtime is deployed in its own namespace and manages only the applications in that namespace.
+To achieve this, configure your Runtimes to run in namespaced mode by setting `global.runtime.singleNamespace=true`. See the values.yaml example below:
+```yaml
+global:
+  runtime:
+    singleNamespace: true
+sealed-secrets:
+  enabled: false
+argo-cd:
+  createClusterRoles: false
+  crds:
+    install: false
+  configs:
+    params:
+      application.namespaces: ''
+argo-events:
+  controller:
+    rbac:
+      namespaced: true
+argo-workflows:
+  crds:
+    install: false
+  singleNamespace: true
+  createAggregateRoles: false
+  controller:
+    clusterWorkflowTemplates:
+      enabled: false
+  server:
+    clusterWorkflowTemplates:
+      enabled: false
+argo-rollouts:
+  enabled: false
+tunnel-client:
+  enabled: false
+gitops-operator:
+  crds:
+    install: false
+```
+
+Note that for the first runtime in the cluster, you have to configure it to install the CRDs, with setting these values:
+```yaml
+global:
+  runtime:
+    isConfigurationRuntime: true
+argo-cd:
+  crds:
+    install: true
+argo-workflows:
+  crds:
+    install: true
+argo-rollouts:
+  installCRDs: true
+gitops-operator:
+  crds:
+    install: true
+```
+
+> [!WARNING]
+> If you want more than one runtime in your cluster, make sure that all of the runtimes in your cluster are configured with `global.runtime.singleNamespace=true`.
+> If you already have a runtime installed in the cluster without this setting, multi runtime installation is not supported.
+
+
 ## Argo-workflows artifact and log storage
 Codefresh provides a SaaS object storage based solution for Argo workflows logs storage. The chart deploys a configmap named `codefresh-workflows-log-store` with the repository configuration.
 If you want to utilize the Codefresh SaaS solution for log storage for all workflows in the runtime please set the following values:

charts/gitops-runtime/templates/_components/cap-app-proxy/_all_resources.yaml

@@ -10,4 +10,5 @@
   {{ include "cap-app-proxy.resources.service" . }}
 ---
   {{ include "cap-app-proxy.resources.sa" .}}
-{{- end }}
+---
+{{- end }}

charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_all.yaml

@@ -0,0 +1,11 @@
+{{- define "argo-cd.namespaced-rbac.all" }}
+{{- if (index .Values "global" "runtime").singleNamespace }}
+{{- include "argo-cd.namespaced-rbac.serviceaccount" . }}
+---
+{{- include "argo-cd.namespaced-rbac.secret" . }}
+---
+{{- include "argo-cd.namespaced-rbac.role" . }}
+---
+{{- include "argo-cd.namespaced-rbac.rolebinding" . }}
+{{- end }}
+{{- end }}

charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_role.yaml

@@ -0,0 +1,17 @@
+{{- define "argo-cd.namespaced-rbac.role" }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: argocd-namespaced-role
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "codefresh-gitops-runtime.labels" . | nindent 4 }}
+    codefresh.io/component: argocd-namespaced-rbac
+rules:
+- apiGroups:
+  - '*'
+  resources:
+  - '*'
+  verbs:
+  - '*'
+{{- end }}

charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_rolebinding.yaml

@@ -0,0 +1,18 @@
+{{- define "argo-cd.namespaced-rbac.rolebinding" }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: argocd-namespaced-rolebinding
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "codefresh-gitops-runtime.labels" . | nindent 4 }}
+    codefresh.io/component: argocd-namespaced-rbac
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: argocd-namespaced-role
+subjects:
+- kind: ServiceAccount
+  name: argocd-manager
+  namespace: {{ .Release.Namespace }}
+{{- end }} 

charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_secret.yaml

@@ -0,0 +1,9 @@
+{{- define "argo-cd.namespaced-rbac.secret" }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: argocd-manager-long-lived-token
+  annotations:
+    kubernetes.io/service-account.name: argocd-manager
+type: kubernetes.io/service-account-token
+{{- end }}

charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_serviceaccount.yaml

@@ -0,0 +1,10 @@
+{{- define "argo-cd.namespaced-rbac.serviceaccount" }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: argocd-manager
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "codefresh-gitops-runtime.labels" . | nindent 4 }}
+    codefresh.io/component: argocd-namespaced-rbac
+{{- end }}