Add suggestions from review

projectsyn · Feb 23, 2024 · 6abe77a · 6abe77a
1 parent 52ca09e
commit 6abe77a
Show file tree

Hide file tree

Showing 17 changed files with 251 additions and 312 deletions.
diff --git a/class/argocd.yml b/class/argocd.yml
@@ -41,4 +41,4 @@ parameters:
       filters:
         - type: jsonnet
           path: ${_instance}//10_operator/
-          filter: postprocess/fix_crd.jsonnet
+          filter: postprocess/fix_manifests.jsonnet
diff --git a/class/defaults.yml b/class/defaults.yml
@@ -85,6 +85,7 @@ parameters:
       gitlab-dev.syn.tools ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKtv4stHQjApa7wkgvgo4dB52qLzI/zN2Us+89cQXXm0
     operator:
       migrate: false
+      conversion_webhook: false
       namespace: syn-argocd-operator
       images:
         argocd_operator: ${argocd:images:argocd_operator}

diff --git a/component/argocd.jsonnet b/component/argocd.jsonnet
@@ -8,7 +8,14 @@ local params = inv.parameters.argocd;
 local common = import 'common.libsonnet';
 local isOpenshift = std.startsWith(params.distribution, 'openshift');
 
-local resync_string = if std.get(params, 'resync_seconds', 0) > 0 then std.format('%dm0s', std.mod(params.resync, 60)) else params.resync_time;
+local resync_string =
+  if std.get(params, 'resync_seconds', 0) > 0 then
+    std.trace(
+      'Parameter `resync_seconds` is deprecated. Please update your config to use `resync_time`',
+      std.format('%dm0s', std.mod(params.resync, 60)),
+    )
+  else
+    params.resync_time;
 
 local applicationController = {
   processors: {
@@ -299,7 +306,6 @@ local argocd(name) =
           |||,
         },
         {
-          // `ResourceCustomizations` is getting deprecated, however, the new `ResourceHealthChecks` does not currently expose the `health.lua.useOpenLibs` flag
           group: 'operators.coreos.com',
           kind: 'Subscription',
           check: |||
@@ -392,5 +398,5 @@ local webhook_certs = [
   // Manually adding certificate for conversion webhook
   // as the upstream kustomize is broken.
   // 2023/02/19 sfe
-  '../10_operator_webhook_certs': webhook_certs,
+  [if params.operator.conversion_webhook then '../10_operator_webhook_certs']: webhook_certs,
 }
diff --git a/component/operator.jsonnet b/component/operator.jsonnet
@@ -7,9 +7,9 @@ local params = inv.parameters.argocd.operator;
 local image = params.images.argocd_operator;
 local rbac = params.images.kube_rbac_proxy;
 
-local kustomize_input = params.kustomize_input {
+local kustomize_patch_scopens = if std.length(params.cluster_scope_namespaces) > 0 then {
   patches+: [
-    if std.length(params.cluster_scope_namespaces) > 0 then {
+    {
       patch: std.format(|||
         - op: add
           path: "/spec/template/spec/containers/1/env/-"
@@ -22,6 +22,10 @@ local kustomize_input = params.kustomize_input {
         name: 'argocd-operator-controller-manager',
       },
     },
+  ],
+} else {};
+local kustomize_patch_conversion = if params.conversion_webhook then {
+  patches+: [
     {
       patch: |||
         - op: add
@@ -36,7 +40,10 @@ local kustomize_input = params.kustomize_input {
       },
     },
   ],
-};
+} else {};
+local kustomize_input = params.kustomize_input
+                        + kustomize_patch_scopens
+                        + kustomize_patch_conversion;
 
 com.Kustomization(
   params.kustomization_url,

diff --git a/docs/modules/ROOT/pages/how-tos/upgrade-v7-v8.adoc b/docs/modules/ROOT/pages/how-tos/upgrade-v7-v8.adoc
@@ -0,0 +1,34 @@
+= Upgrade `component-argocd` from `v7.x` to `v8.x`
+
+== Migration to ArgoCD Operator
+
+As of component version 8, the ArgoCD operator uses a new api version `argoproj.io/v1beta1`.
+If there are other unmanaged ArgoCD deployed, you need to enable the conversion webhook.
+
+=== 1. Upgrade component-argocd with conversion webhook flag
+
+The first time you roll out component-argocd v6.x, set the following configuration in your hierarchy:
+
+[source,yaml]
+----
+parameters:
+  argocd:
+    operator:
+      conversion_webhook: true
+----
+
+Roll out the upgrade with this configuration, and wait until:
+* The ArgoCD operator deployment is rolled out.
+* All unmanaged ArgoCD CR are updated.
+[source,shell]
+----
+kubectl --as cluster-admin get argocds -A -ocustom-columns='NAMESPACE:.metadata.namespace,NAME:.metadata.name,API:.apiVersion'
+NAMESPACE          NAME               API
+openshift-gitops   openshift-gitops   argoproj.io/v1beta1
+syn                syn-argocd         argoproj.io/v1beta1
+----
+
+
+=== 2. Remove the migration flag to complete the migration
+
+After the first rollout of v8.x, the conversion webhook flag can be removed.
diff --git a/docs/modules/ROOT/partials/nav.adoc b/docs/modules/ROOT/partials/nav.adoc
@@ -3,6 +3,7 @@
 .How-tos
 * xref:how-tos/upgrade-v3-v4.adoc[Upgrade from `v3.x` to `v4.x`]
 * xref:how-tos/upgrade-v5-v6.adoc[Upgrade from `v5.5.x` to `v6.x`]
+* xref:how-tos/upgrade-v7-v8.adoc[Upgrade from `v7.x` to `v8.x`]
 
 .References
 * xref:references/parameters.adoc[Parameters]
diff --git a/postprocess/fix_crd.jsonnet b/postprocess/fix_crd.jsonnet
diff --git a/postprocess/fix_manifests.jsonnet b/postprocess/fix_manifests.jsonnet
@@ -0,0 +1,30 @@
+local com = import 'lib/commodore.libjsonnet';
+
+local inv = com.inventory();
+local params = inv.parameters.argocd.operator;
+
+local file_apiext_argocd = com.yaml_load(std.extVar('output_path') + '/apiextensions.k8s.io_v1_customresourcedefinition_argocds.argoproj.io.yaml');
+local file_deployment = com.yaml_load(std.extVar('output_path') + '/apps_v1_deployment_syn-argocd-operator-controller-manager.yaml');
+
+{
+  'apiextensions.k8s.io_v1_customresourcedefinition_argocds.argoproj.io': file_apiext_argocd {
+    metadata+: {
+      creationTimestamp: null,
+      annotations+: {
+        [if params.conversion_webhook then 'cert-manager.io/inject-ca-from']: params.namespace + '/serving-cert',
+      },
+    },
+    spec+: {
+      [if !params.conversion_webhook then 'conversion']: { strategy: 'None' },
+    },
+  },
+  'apps_v1_deployment_syn-argocd-operator-controller-manager': file_deployment {
+    spec+: {
+      template+: {
+        spec+: {
+          volumes: [ { name: 'cert', emptyDir: {} } ],
+        },
+      },
+    },
+  },
+}
diff --git a/...ocd/10_operator/apiextensions.k8s.io_v1_customresourcedefinition_argocds.argoproj.io.yaml b/...ocd/10_operator/apiextensions.k8s.io_v1_customresourcedefinition_argocds.argoproj.io.yaml
@@ -2,22 +2,12 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    cert-manager.io/inject-ca-from: syn-argocd-operator/serving-cert
     controller-gen.kubebuilder.io/version: v0.6.1
   creationTimestamp: null
   name: argocds.argoproj.io
 spec:
   conversion:
-    strategy: Webhook
-    webhook:
-      clientConfig:
-        service:
-          name: syn-argocd-operator-webhook-service
-          namespace: syn-argocd-operator
-          path: /convert
-      conversionReviewVersions:
-        - v1alpha1
-        - v1beta1
+    strategy: None
   group: argoproj.io
   names:
     kind: ArgoCD

diff --git a/.../argocd/argocd/10_operator/apps_v1_deployment_syn-argocd-operator-controller-manager.yaml b/.../argocd/argocd/10_operator/apps_v1_deployment_syn-argocd-operator-controller-manager.yaml
@@ -16,66 +16,62 @@ spec:
         control-plane: argocd-operator
     spec:
       containers:
-      - args:
-        - --secure-listen-address=0.0.0.0:8443
-        - --upstream=http://127.0.0.1:8080/
-        - --logtostderr=true
-        - --v=10
-        image: gcr.io/kubebuilder/kube-rbac-proxy:v0.15.0
-        name: kube-rbac-proxy
-        ports:
-        - containerPort: 8443
-          name: https
-      - args:
-        - --health-probe-bind-address=:8081
-        - --metrics-bind-address=127.0.0.1:8080
-        - --leader-elect
-        command:
-        - /manager
-        env:
-        - name: WATCH_NAMESPACE
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.annotations['olm.targetNamespaces']
-        - name: ARGOCD_CLUSTER_CONFIG_NAMESPACES
-          value: syn
-        - name: ENABLE_CONVERSION_WEBHOOK
-          value: "true"
-        image: quay.io/argoprojlabs/argocd-operator:v0.8.0
-        livenessProbe:
-          httpGet:
-            path: /healthz
-            port: 8081
-          initialDelaySeconds: 15
-          periodSeconds: 20
-        name: manager
-        ports:
-        - containerPort: 9443
-          name: webhook-server
-          protocol: TCP
-        readinessProbe:
-          httpGet:
-            path: /readyz
-            port: 8081
-          initialDelaySeconds: 5
-          periodSeconds: 10
-        securityContext:
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-            - ALL
-          readOnlyRootFilesystem: true
-          runAsNonRoot: true
-        volumeMounts:
-        - mountPath: /tmp/k8s-webhook-server/serving-certs
-          name: cert
-          readOnly: true
+        - args:
+            - --secure-listen-address=0.0.0.0:8443
+            - --upstream=http://127.0.0.1:8080/
+            - --logtostderr=true
+            - --v=10
+          image: gcr.io/kubebuilder/kube-rbac-proxy:v0.15.0
+          name: kube-rbac-proxy
+          ports:
+            - containerPort: 8443
+              name: https
+        - args:
+            - --health-probe-bind-address=:8081
+            - --metrics-bind-address=127.0.0.1:8080
+            - --leader-elect
+          command:
+            - /manager
+          env:
+            - name: WATCH_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.annotations['olm.targetNamespaces']
+            - name: ARGOCD_CLUSTER_CONFIG_NAMESPACES
+              value: syn
+          image: quay.io/argoprojlabs/argocd-operator:v0.8.0
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: 8081
+            initialDelaySeconds: 15
+            periodSeconds: 20
+          name: manager
+          ports:
+            - containerPort: 9443
+              name: webhook-server
+              protocol: TCP
+          readinessProbe:
+            httpGet:
+              path: /readyz
+              port: 8081
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+          volumeMounts:
+            - mountPath: /tmp/k8s-webhook-server/serving-certs
+              name: cert
+              readOnly: true
       securityContext:
         runAsNonRoot: true
       serviceAccountName: syn-argocd-operator-controller-manager
       terminationGracePeriodSeconds: 10
       volumes:
-      - name: cert
-        secret:
-          defaultMode: 420
-          secretName: webhook-server-cert
+        - emptyDir: {}
+          name: cert
diff --git a/tests/golden/defaults/argocd/argocd/10_operator_webhook_certs.yaml b/tests/golden/defaults/argocd/argocd/10_operator_webhook_certs.yaml
diff --git a/...ocd/10_operator/apiextensions.k8s.io_v1_customresourcedefinition_argocds.argoproj.io.yaml b/...ocd/10_operator/apiextensions.k8s.io_v1_customresourcedefinition_argocds.argoproj.io.yaml
@@ -2,22 +2,12 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    cert-manager.io/inject-ca-from: syn-argocd-operator/serving-cert
     controller-gen.kubebuilder.io/version: v0.6.1
   creationTimestamp: null
   name: argocds.argoproj.io
 spec:
   conversion:
-    strategy: Webhook
-    webhook:
-      clientConfig:
-        service:
-          name: syn-argocd-operator-webhook-service
-          namespace: syn-argocd-operator
-          path: /convert
-      conversionReviewVersions:
-        - v1alpha1
-        - v1beta1
+    strategy: None
   group: argoproj.io
   names:
     kind: ArgoCD