convert cs deployment to helm chart #922
Conversation
tony-schndr
force-pushed
the
cluster-service-helm-chart
branch
2 times, most recently
from
090ef00 to
bc89279
Compare
|
Please rebase pull request. |
cluster-service/deploy/helm/templates/azure-runtime-config.configmap.yaml
Outdated
Show resolved
Hide resolved
tony-schndr
force-pushed
the
cluster-service-helm-chart
branch
2 times, most recently
from
6c9d7e3 to
a7643b7
Compare
|
Please rebase pull request. |
tony-schndr
force-pushed
the
cluster-service-helm-chart
branch
from
a7643b7 to
15c3c9c
Compare
tony-schndr
force-pushed
the
cluster-service-helm-chart
branch
7 times, most recently
from
88cef58 to
0fb42dc
Compare
tony-schndr
requested review from
bennerv,
geoberle,
janboll,
weinong,
whober0521,
jharrington22,
SudoBrendan,
UlrichSchlueter and
zgalor
as code owners
tony-schndr
force-pushed
the
cluster-service-helm-chart
branch
from
2f2a25e to
fbff667
Compare
tony-schndr
force-pushed
the
cluster-service-helm-chart
branch
3 times, most recently
from
40a0dcf to
9f209f5
Compare
tony-schndr
force-pushed
the
cluster-service-helm-chart
branch
from
9f209f5 to
86c3852
Compare
| azureOperatorsManagedIdentitiesConfig: | | ||
| controlPlaneOperatorsIdentities: | ||
| cloud-controller-manager: | ||
| minOpenShiftVersion: 4.17 |
There was a problem hiding this comment.
Will this differ from Env to Env? Or will this see progressive updates? Just asking, cause this large key might make the config harder to read then (especially when thinking about later rollouts with more envs).
There was a problem hiding this comment.
It will differ from env to env and it may see updates if CS needs to add an identity.. I don't like it but I was having a hard time templatizing this object and making it work nice with config.mk. The problem I hit was that templatize was not creating a valid multi line string in the config.mk. To work around this I treat it as a string and base64 encode it so that it becomes a single line in config.mk and decode it in the helm template.
|
|
||
| DEVOPS_MSI_ID ?= {{ .aroDevopsMsiId }} | ||
|
|
||
| # MGMT CLUSTER KVs | ||
| MGMT_RESOURCEGROUP ?= {{ .mgmt.rg }} | ||
| CX_SECRETS_KV_NAME ?= {{ .cxKeyVault.name }} | ||
| CX_MI_KV_NAME ?= {{ .msiKeyVault.name }} | ||
|
|
||
| AZURE_OPERATORS_MANAGED_IDENTITIES_CONFIG ?= {{ .clusterService.azureOperatorsManagedIdentitiesConfig | b64enc }} |
There was a problem hiding this comment.
i'm not sure how well this will translate to EV2 env vars.
but let's not block this PR because of that. we can revisite later when we deploy CS to INT.
btw. this has nothing to do with the translation to helm. we would have faced the same issue with oc templates.
| databasePort: "5432" | ||
|
|
||
| # The name of the managed identities data plane audience resource. | ||
| managedIdentitiesDataPlaneAudienceResource: "https://dummy.org" |
There was a problem hiding this comment.
One constraint we've to take onto account regarding this field's value is that we cannot check it in code for higher envs (stage/prod). So when we get to those envs, please make sure that this is not checked in. @tony-schndr
There was a problem hiding this comment.
What should the values for those environments be?
There was a problem hiding this comment.
We don't know yet, but whatever the value of them, they shouldn't be checked in any repo.
There was a problem hiding this comment.
To be specific,
The dev and int envs value can be any dummy https url; this can be checked in the repo.
For stage and prod envs, these will be real value of the msi dataplane. They can't be checked in any repo.
| # TODO: This parameter isn't currently used, but kept to avoid failures in the | ||
| # execution of saasherder. It will be removed once the version of the service | ||
| # that doesn't use it is deployed to all environments. | ||
| debugPort: "" |
| # Duration since cluster creation after which the first notification for stale cluster should be sent. | ||
| firstStaleClusterNotification: "24h" # 1 day | ||
|
|
||
| # Duration since cluster creation after which the second notification for stale cluster should be sent. | ||
| secondStaleClusterNotification: "600h" # 25 days | ||
|
|
||
| # Duration after which a stale cluster can be cleaned up. | ||
| staleClusterAutocleanupWindow: "720h" # 30 days |
There was a problem hiding this comment.
These don't apply to aro-hcp.
They can be deleted.
| # Period between executions of day-1 machine pool migration worker. Useful time units are "m" or "h". | ||
| machinePoolMigrationWorkerPeriod: "1h" | ||
|
|
||
| # The name of the DNS base domain for creating a user defined domains. | ||
| # Note: this is defaulted to a commercial value. This should be overriden in fedramp app-interface | ||
| userDefinedDnsBaseDomain: "i1.devshift.org" |
There was a problem hiding this comment.
These two values don't apply in aro-hcp
| - --gateway-url={{ .Values.gatewayURL }} | ||
| - --client-id=@/secrets/service/client.id | ||
| - --client-secret=@/secrets/service/client.secret | ||
| - --client-scopes={{ .Values.clientScopes }} | ||
| - --user-defined-dns-base-domain={{ .Values.userDefinedDnsBaseDomain }} | ||
| - --jwks-url={{ .Values.jwksUrl }} | ||
| - --jwks-file=/configs/authentication/jwks.json | ||
| - --acl-file=/configs/authentication/acl.yml | ||
| - --token-url={{ .Values.tokenUrl }} | ||
| - --insecure={{ .Values.insecure }} |
There was a problem hiding this comment.
These flags are perhaps not needed for aro-hcp.
We can clean up later.
| - serve | ||
| - --log-level={{ .Values.logLevel }} | ||
| - --namespace={{ .Release.Namespace }} | ||
| - --runtime-mode={{ .Values.runtimeMode }} |
There was a problem hiding this comment.
We could hardcode the mode here as we are in the context of aro-hcp.
| - --runtime-mode={{ .Values.runtimeMode }} | |
| - --runtime-mode=aro-hcp |
| - --default-expiration={{ .Values.defaultExpiration }} | ||
| - --maximum-expiration={{ .Values.maximumExpiration }} |
There was a problem hiding this comment.
| - --default-expiration={{ .Values.defaultExpiration }} | |
| - --maximum-expiration={{ .Values.maximumExpiration }} |
Probably not applicable for aro-hcp, but we can cleanup later on.
| - --backplane-url={{ .Values.backplaneURL }} | ||
| - --provision-shards-config=/secrets/shards/config | ||
| - --proxy-config-file=/configs/proxy/config.yaml | ||
| - --aws-sts-policy-directory=/configs/policies |
There was a problem hiding this comment.
This flag isn't applicable for aro-hcp.
We can clean up later;
At the moment if we don't define it, CS starts normally but we'll get a
2024-12-12T15:00:50Z ERROR loader/aws_sts_policy_loader.go:50 [opid='dc2b7851-64e2-4869-b48a-d4a21c5a407a'] Got error while trying to load policies: open : no such file or directory
gitlab.cee.redhat.com/service/uhc-clusters-service/pkg/aws/loader.(*AWSPolicyLoader).run
/cs/pkg/aws/loader/aws_sts_policy_loader.go:50
gitlab.cee.redhat.com/service/uhc-clusters-service/pkg/aws/loader.(*AWSPolicyLoader).Start
cs/pkg/aws/loader/aws_sts_policy_loader.go:43
gitlab.cee.redhat.com/service/uhc-clusters-service/cmd/clusters-service/servecmd.runServ
error message at start time, which can be confusing.
| clientScopes: "openid" | ||
|
|
||
| # Environment associated with this instance. | ||
| environment: "aro-hcp-dev" |
There was a problem hiding this comment.
@geoberle @tony-schndr A note on the environment name.
It shouldn't be longer than 10 chars.
Otherwise, it breaks the cluster's base domain prefix limit.
For example "aro-hcp-dev" is 11 chars, this means that the cluster's base domain prefix can't be longer than 14 chars while CS allows for it to be <= 15 chars.
There was a problem hiding this comment.
Also worth noting that, this field is immutable and it is used in multiple other places that are critical to CS.
To change it, it implies re-creating the env with a new name.
There was a problem hiding this comment.
I will address this in a followup. We can enforce the length in the config json schema.
What this PR does
Fixes https://issues.redhat.com/browse/ARO-11949, https://issues.redhat.com/browse/ARO-12801, & https://issues.redhat.com/browse/ARO-13258
Jira:
Link to demo recording:
Special notes for your reviewer