feat: Add Capsule templates to deploy EDP with Capsule isolation (#31)

Change-Id: I59cbdbb8d9626cdc94f8f9a3f2b78295f3f6ed05

add-ons/capsule-tenant/README.md

@@ -0,0 +1,16 @@
+# Enable EDP Capsule Tenant Provisioning
+
+To enable EDP deployment under Capsule tenant management, follow these steps:
+
+1. **Verify Capsule User Groups:**
+   Ensure that the default [capsuleUserGroups](../capsule/values.yaml) in Capsule include the necessary users for provisioning the EDP namespace.
+2. **Deploy Capsule:**
+   Deploy Capsule using the [values.yaml](../../chart/values.yaml) file under the `capsule` section.
+3. **Capsule Tenant Configuration:**
+   When creating a namespace for EDP deployment under the Capsule tenant, make sure that the users responsible for provisioning the namespace - Tenant Owner is declared in [edp-tenant](edp-tenant.yaml).
+4. **Deploy Capsule Tenant:**
+   Deploy `capsule-tenant` using the [values.yaml](../../chart/values.yaml) file under the `capsule-tenant` section.
+5. **Create EDP Namespace:**
+   Create a namespace for EDP deployment under the Capsule [Tenant Owner](edp-tenant.yaml).
+6. **Deploy EDP:**
+   Deploy EDP using [values.yaml](../../chart/values.yaml) file under the `edp` section.

add-ons/capsule-tenant/edp-tenant.yaml

@@ -0,0 +1,19 @@
+apiVersion: capsule.clastix.io/v1beta2
+kind: Tenant
+metadata:
+  name: edp
+spec:
+  owners:
+    # uncomment if Argo CD manage main EDP tenant
+    # - clusterRoles:
+    #     - admin
+    #     - capsule-namespace-deleter
+    #   kind: ServiceAccount
+    #   name: system:serviceaccount:argocd:argocd-application-controller
+    #
+    # uncomment if edp-oidc-admins group manage main EDP tenant
+    # - clusterRoles:
+    #     - admin
+    #     - capsule-namespace-deleter
+    #   kind: Group
+    #   name: edp-oidc-admins

add-ons/capsule/README.md

@@ -14,6 +14,11 @@ A Helm chart for capsule
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
-| capsule.manager.resources.limits.memory | string | `"256Mi"` |  |
+| capsule.manager.options.capsuleUserGroups[0] | string | `"capsule.clastix.io"` |  |
+| capsule.manager.options.capsuleUserGroups[1] | string | `"system:serviceaccounts:edp"` |  |
+| capsule.manager.resources.limits.cpu | string | `"500m"` |  |
+| capsule.manager.resources.limits.memory | string | `"512Mi"` |  |
+| capsule.manager.resources.requests.cpu | string | `"200m"` |  |
+| capsule.manager.resources.requests.memory | string | `"128Mi"` |  |
 | capsule.tolerations[0].operator | string | `"Exists"` |  |
 

add-ons/capsule/values.yaml

@@ -1,9 +1,24 @@
 capsule :
   manager:
+    options:
+      # enable capsule for EDP tenant and cd-pipeline-operator
+      # NOTE: Capsule cannot manage cluster system namespaces
+      capsuleUserGroups:
+        - capsule.clastix.io
+        # uncomment if Argo CD manage main EDP tenant
+        # - system:serviceaccounts:argocd
+        # enable for cd-pipeline-operator https://github.com/epam/edp-cd-pipeline-operator/blob/release/2.17/deploy-templates/values.yaml#L10
+        - system:serviceaccounts:edp
+        # uncomment if edp-oidc-admins group manage main EDP tenant https://epam.github.io/edp-install/operator-guide/edp-access-model
+        # - edp-oidc-admins
+
     resources:
-# Max memory limit needed for the pod initialization process
       limits:
-        memory: 256Mi
+        cpu: 500m
+        memory: 512Mi
+      requests:
+        cpu: 200m
+        memory: 128Mi
 
 # This parameter is responsible for ensuring that the pod can cope with
 # any existing taint on a node, without taking into account the taint's

add-ons/edp/README.md

@@ -19,7 +19,7 @@ A Helm chart for EDP Install
 | edp-install.edp-headlamp.config.oidc.clientID | string | `"shared"` |  |
 | edp-install.edp-headlamp.config.oidc.enabled | bool | `true` |  |
 | edp-install.edp-headlamp.config.oidc.keycloakUrl | string | `"https://keycloak.example.com"` |  |
-| edp-install.edp-tekton.gitlab.host | string | `"github.com"` |  |
+| edp-install.edp-tekton.github.host | string | `"github.com"` |  |
 | edp-install.externalSecrets.enabled | bool | `true` |  |
 | edp-install.externalSecrets.manageEDPInstallSecrets | bool | `true` |  |
 | edp-install.externalSecrets.manageEDPInstallSecretsName | string | `"/edp/deploy-secrets"` |  |
@@ -28,7 +28,6 @@ A Helm chart for EDP Install
 | edp-install.global.dockerRegistry.space | string | `"edp"` |  |
 | edp-install.global.dockerRegistry.type | string | `"harbor"` |  |
 | edp-install.global.dockerRegistry.url | string | `"registry.example.com"` |  |
-| edp-install.global.edpName | string | `"edp"` |  |
 | edp-install.global.gitProvider | string | `"github"` |  |
 | edp-install.global.platform | string | `"kubernetes"` |  |
 | edp-install.sso.admins[0] | string | `"john@example.com"` |  |
@@ -37,3 +36,4 @@ A Helm chart for EDP Install
 | edp-install.sso.developers[1] | string | `"mike@example.com"` |  |
 | edp-install.sso.enabled | bool | `true` |  |
 | edp-install.sso.keycloakUrl | string | `"https://keycloak.example.com"` |  |
+

add-ons/harbor-ha/README.md

@@ -16,10 +16,11 @@ A Helm chart for Harbor with HA
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
+| harbor.core.configureUserSettings | string | `"{\n  \"auth_mode\": \"oidc_auth\",\n  \"oidc_name\": \"keycloak\",\n  \"oidc_endpoint\": \"https://keycloak.example.com/auth/realms/shared\",\n  \"oidc_client_id\": \"harbor\",\n  \"oidc_client_secret\": \"YOURSECRET\",\n  \"oidc_groups_claim\": \"roles\",\n  \"oidc_admin_group\": \"administrator\",\n  \"oidc_scope\": \"openid,email,profile,roles\",\n  \"oidc_auto_onboard\": \"true\",\n  \"oidc_user_claim\": \"preferred_username\"\n}\n"` |  |
 | harbor.core.replicas | int | `2` |  |
 | harbor.core.resources.requests.cpu | float | `0.05` |  |
 | harbor.core.resources.requests.memory | string | `"150Mi"` |  |
-| harbor.core.xsrfKey | string | `"Au28zg8c0hrnn07M1aK2aHpLeFHv7QgE"` |  |
+| harbor.core.xsrfKey | string | `"somekey"` |  |
 | harbor.database.external.existingSecret | string | `"postgresql-pguser-harbor"` |  |
 | harbor.database.external.host | string | `"postgresql-primary.harbor.svc"` |  |
 | harbor.database.external.port | string | `"5432"` |  |
@@ -68,7 +69,7 @@ A Helm chart for Harbor with HA
 | minio.ingress.enabled | bool | `true` |  |
 | minio.ingress.hostname | string | `"minio-harbor.example.com"` |  |
 | minio.mode | string | `"distributed"` |  |
-| minio.persistence.size | string | `"15Gi"` |  |
+| minio.persistence.size | string | `"10Gi"` |  |
 | minio.provisioning.buckets[0].name | string | `"harbor"` |  |
 | minio.provisioning.enabled | bool | `true` |  |
 | minio.provisioning.policies[0].name | string | `"harbor"` |  |
@@ -91,3 +92,4 @@ A Helm chart for Harbor with HA
 | redis.replica.resources.requests.cpu | string | `"50m"` |  |
 | redis.replica.resources.requests.memory | string | `"100Mi"` |  |
 | redis.sentinel.enabled | bool | `true` |  |
+

add-ons/keycloak/README.md

@@ -20,12 +20,12 @@ A Helm chart for Keycloak
 | keycloakx.autoscaling.behavior.scaleDown.stabilizationWindowSeconds | int | `300` |  |
 | keycloakx.autoscaling.enabled | bool | `true` |  |
 | keycloakx.autoscaling.labels | object | `{}` |  |
-| keycloakx.autoscaling.maxReplicas | int | `5` |  |
+| keycloakx.autoscaling.maxReplicas | int | `3` |  |
 | keycloakx.autoscaling.metrics[0].resource.name | string | `"cpu"` |  |
 | keycloakx.autoscaling.metrics[0].resource.target.averageUtilization | int | `80` |  |
 | keycloakx.autoscaling.metrics[0].resource.target.type | string | `"Utilization"` |  |
 | keycloakx.autoscaling.metrics[0].type | string | `"Resource"` |  |
-| keycloakx.autoscaling.minReplicas | int | `3` |  |
+| keycloakx.autoscaling.minReplicas | int | `1` |  |
 | keycloakx.command[0] | string | `"/opt/keycloak/bin/kc.sh"` |  |
 | keycloakx.command[10] | string | `"--import-realm"` |  |
 | keycloakx.command[1] | string | `"--verbose"` |  |
@@ -39,9 +39,9 @@ A Helm chart for Keycloak
 | keycloakx.command[9] | string | `"--spi-events-listener-jboss-logging-error-level=warn"` |  |
 | keycloakx.database.database | string | `"keycloak"` |  |
 | keycloakx.database.existingSecret | string | `"keycloak-postgresql"` |  |
-| keycloakx.database.hostname | string | `"db-host"` |  |
+| keycloakx.database.hostname | string | `"postgresql"` |  |
 | keycloakx.database.port | int | `5432` |  |
-| keycloakx.database.username | string | `"user_name"` |  |
+| keycloakx.database.username | string | `"admin"` |  |
 | keycloakx.database.vendor | string | `"postgres"` |  |
 | keycloakx.dbchecker.enabled | bool | `true` |  |
 | keycloakx.extraEnv | string | `"- name: KC_PROXY\n  value: \"passthrough\"\n- name: KEYCLOAK_ADMIN\n  valueFrom:\n    secretKeyRef:\n      name: keycloak-admin-creds\n      key: username\n- name: KEYCLOAK_ADMIN_PASSWORD\n  valueFrom:\n    secretKeyRef:\n      name: keycloak-admin-creds\n      key: password\n- name: JAVA_OPTS_APPEND\n  value: >-\n    -XX:+UseContainerSupport\n    -XX:MaxRAMPercentage=50.0\n    -Djava.awt.headless=true\n    -Djgroups.dns.query={{ include \"keycloak.fullname\" . }}-headless\n"` |  |

add-ons/nexus/README.md

@@ -45,3 +45,4 @@ A Helm chart for Nexus
 | oauth2-proxy.enabled | bool | `false` |  |
 | oauth2-proxy.ingress.enabled | bool | `true` |  |
 | oauth2-proxy.ingress.hosts[0] | string | `"nexus.example.com"` |  |
+

chart/README.md

@@ -25,6 +25,7 @@ EDP Cluster Addons that extend the Kubernetes Cluster Functionality
 | argo-cd.createNamespace | bool | `false` | whether to create the namespace or not |
 | aws-efs-csi-driver | object | `{"enable":false}` | AWS EFS CSI Driver |
 | capsule | object | `{"createNamespace":false,"enable":false}` | Capsule |
+| capsule-tenant | object | `{"enable":false}` | Capsule Tenant |
 | capsule.createNamespace | bool | `false` | whether to create the namespace or not |
 | certmanager | object | `{"createNamespace":false,"enable":false}` | Cert Manager |
 | certmanager.createNamespace | bool | `false` | whether to create the namespace or not |
@@ -82,3 +83,4 @@ EDP Cluster Addons that extend the Kubernetes Cluster Functionality
 | vault-okd.enable | bool | `false` |  |
 | vault.createNamespace | bool | `false` |  |
 | vault.enable | bool | `false` |  |
+

chart/templates/capsule-tenant.yaml

@@ -0,0 +1,27 @@
+{{- if and (index .Values "capsule-tenant") (index .Values "capsule-tenant" "enable") -}}
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: {{ .Values.destinationServer}}-capsule-tenant
+  namespace: {{ .Values.argoNamespace | default "argocd" }}
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: {{ .Values.argoProject | default "default" }}
+  source:
+    repoURL: {{ .Values.repoUrl }}
+    path: add-ons/capsule-tenant
+    targetRevision: {{ .Values.targetRevision }}
+  destination:
+    name: {{ .Values.destinationServer | default "in-cluster" }}
+    namespace: capsule-system
+  syncPolicy:
+    automated:
+      prune: true
+    retry:
+      limit: 1
+      backoff:
+        duration: 5s
+        factor: 2
+        maxDuration: 1m
+{{- end -}}

chart/values.yaml

@@ -16,6 +16,10 @@ capsule:
   createNamespace: false
   enable: false
 
+# -- Capsule Tenant
+capsule-tenant:
+  enable: false
+
 # -- Cert Manager
 certmanager:
   # -- whether to create the namespace or not