onprem: 2.1-alpha.1 pre-release (#1091)

Author: mikhail-klimko

.github/PULL_REQUEST_TEMPLATE.md

@@ -6,4 +6,4 @@
 
 ## CI
 
-To trigger `onprem-ci` pipeline add `/test` commend in your PR
+To trigger `onprem-ci` pipeline add `/test` comment in your PR

codefresh/.ci/values/cfapi-roles-hpa.yaml

@@ -1,33 +1,19 @@
+seed-e2e:
+  enabled: true
+
+secrets:
+  # default mongouri conn string for e2e
+  e2e-mongo-uri:
+    enabled: true
+    stringData:
+      mongo-uri: mongodb://cfuser:mTiXcU2wafr9@cf-mongodb:27017/codefresh
+
 ingress:
   enabled: true
   tls:
     enabled: true
     cert: ""  # placeholder for ${WEB_TLS_CERT}
     key: "" # placeholder for ${WEB_TLS_KEY}
-  services:
-    cfapi: null
-    cfapi-endpoints:
-      - /api/
-    cfapi-downloadlogmanager:
-      - /api/progress/download
-      - /api/public/progress/download
-    cfapi-admin:
-      - /api/admin/
-    cfapi-ws:
-      - /ws
-    cfapi-teams:
-      - /api/team
-    cfapi-kubernetes-endpoints:
-      - /api/kubernetes
-    cfapi-test-reporting:
-      - /api/testReporting
-    cfapi-kubernetesresourcemonitor:
-      - /api/k8s-monitor/
-    cfapi-environments:
-      - /api/environments-v2/argo/events
-    cfapi-gitops-resource-receiver:
-      - /api/gitops/resources
-      - /api/gitops/rollout
 
 global:
   appUrl: ""  # placeholder for ${CF_APP_HOST}

codefresh/.ci/values/classic-only.yaml

@@ -1,3 +1,13 @@
+seed-e2e:
+  enabled: true
+
+secrets:
+  # default mongouri conn string for e2e
+  e2e-mongo-uri:
+    enabled: true
+    stringData:
+      mongo-uri: mongodb://cfuser:mTiXcU2wafr9@cf-mongodb:27017/codefresh
+
 global:
   appUrl: ""  # placeholder for ${CF_APP_HOST}
   firebaseSecret: ""  # placeholder for ${FIREBASE_SECRET}

codefresh/.ci/values/defaults-hpa.yaml

@@ -1,6 +1,105 @@
+seed-e2e:
+  enabled: true
+
+# kinda external secrets
+secrets:
+  ext-mongo:
+    enabled: true
+    stringData:
+      mongodb-host: cf-mongodb:27017
+      mongodb-password: mTiXcU2wafr9
+      mongodb-user: cfuser
+      mongodb-root-user: root
+      mongodb-root-password: XT9nmM8dZD
+  ext-postgres:
+    enabled: true
+    stringData:
+      postgres-hostname: cf-postgresql
+      postgres-password: eC9arYka4ZbH
+      postgres-user: postgres
+  ext-redis:
+    enabled: true
+    stringData:
+      redis-url: cf-redis-master
+      redis-password: hoC9szf7NtrU
+  ext-rabbitmq:
+    enabled: true
+    stringData:
+      rabbitmq-hostname: cf-rabbitmq:5672
+      rabbitmq-password: cVz9ZdJKYm7u
+      rabbitmq-username: user
+  ext-firebase:
+    enabled: true
+    stringData:
+      firebase-url: "" # placeholder for ${FIRBASE_URL}
+      firebase-secret: ""  # placeholder for ${FIREBASE_SECRET}
+  e2e-mongo-uri:
+    enabled: true
+    stringData:
+      mongo-uri: mongodb://cfuser:mTiXcU2wafr9@cf-mongodb:27017/codefresh
+
+seed:
+  mongoSeedJob:
+    mongodbRootUserSecretKeyRef:
+      name: cf-codefresh-ext-mongo
+      key: mongodb-root-user
+    mongodbRootPasswordSecretKeyRef:
+      name: cf-codefresh-ext-mongo
+      key: mongodb-root-password
+
+  postgresSeedJob:
+    postgresUserSecretKeyRef:
+      name: cf-codefresh-ext-postgres
+      key: postgres-user
+    postgresPasswordSecretKeyRef:
+      name: cf-codefresh-ext-postgres
+      key: postgres-password
+
 global:
   appUrl: ""  # placeholder for ${CF_APP_HOST}
-  firebaseSecret: ""  # placeholder for ${FIREBASE_SECRET}
+  firebaseUrlSecretKeyRef:
+    name: cf-codefresh-ext-firebase
+    key: firebase-url
+  firebaseSecretSecretKeyRef:
+    name: cf-codefresh-ext-firebase
+    key: firebase-secret
+
+  mongodbUserSecretKeyRef:
+    name: cf-codefresh-ext-mongo
+    key: mongodb-user
+  mongodbPasswordSecretKeyRef:
+    name: cf-codefresh-ext-mongo
+    key: mongodb-password
+  mongodbHostSecretKeyRef:
+    name: cf-codefresh-ext-mongo
+    key: mongodb-host
+
+  postgresHostnameSecretKeyRef:
+    name: cf-codefresh-ext-postgres
+    key: postgres-hostname
+  postgresPasswordSecretKeyRef:
+    name: cf-codefresh-ext-postgres
+    key: postgres-password
+  postgresUserSecretKeyRef:
+    name: cf-codefresh-ext-postgres
+    key: postgres-user
+
+  rabbitmqHostnameSecretKeyRef:
+    name: cf-codefresh-ext-rabbitmq
+    key: rabbitmq-hostname
+  rabbitmqPasswordSecretKeyRef:
+    name: cf-codefresh-ext-rabbitmq
+    key: rabbitmq-password
+  rabbitmqUsernameSecretKeyRef:
+    name: cf-codefresh-ext-rabbitmq
+    key: rabbitmq-username
+
+  redisPasswordSecretKeyRef:
+    name: cf-codefresh-ext-redis
+    key: redis-password
+  redisUrlSecretKeyRef:
+    name: cf-codefresh-ext-redis
+    key: redis-url
 
 cfapi:
   hpa:
@@ -28,6 +127,10 @@ argo-platform:
     hpa:
       enabled: true
 
+  cron-executor:
+    hpa:
+      enabled: true
+
   event-handler:
     hpa:
       enabled: true
@@ -42,4 +145,4 @@ argo-platform:
 
   abac:
     hpa:
-      enabled: true
+      enabled: true

codefresh/.ci/values/mtls-mongodb-redis.yaml

@@ -7,10 +7,8 @@ global:
   firebaseSecret: ""  # placeholder for ${FIREBASE_SECRET}
 
   mongoURI: "mongodb://cf-mongodb:27017/?ssl=true&authMechanism=MONGODB-X509&authSource=$external"
-  runtimeMongoURI: "mongodb://cf-mongodb:27017/?ssl=true&authMechanism=MONGODB-X509&authSource=$external"
 
   redisUrl: cf-redis-master.codefresh.svc.cluster.local
-  runtimeRedisHost: cf-redis-master.codefresh.svc.cluster.local
 
   volumes:
     mongodb-tls:
@@ -35,6 +33,7 @@ global:
 
   env:
     # Mongo MTLS
+    MONGODB_SSL_ENABLED: true
     MTLS_CERT_PATH: /etc/ssl/mongodb/ca.pem
     RUNTIME_MTLS_CERT_PATH: /etc/ssl/mongodb/ca.pem
     RUNTIME_MONGO_TLS: "true"
@@ -73,12 +72,12 @@ mongodb:
         "gitops-dashboard-manager"
         "k8s-monitor"
         "pipeline-manager"
-        "platform-analytics"
+        "platform-analytics-postgres"
         "read-models"
         "runtime-environment-manager"
       )
 
-      mongosh "$MONGODB_ROOT_URI" --eval 'db.getSiblingDB("\$external").runCommand( { createUser: "CN=cfuser,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU", roles: [ { role: "readWrite", db: "test" }, { role: "userAdminAnyDatabase", db: "admin" }, { role: "readWrite", db: "codefresh" }, { role: "readWrite", db: "pipeline-manager" }, { role: "readWrite", db: "runtime-environment-manager" }, { role: "readWrite", db: "context-manager" }, { role: "readWrite", db: "cluster-providers" }, { role: "readWrite", db: "charts-manager" }, { role: "readWrite", db: "k8s-monitor" }, { role: "readWrite", db: "read-models" }, { role: "readWrite", db: "audit" } ], writeConcern: { w: "majority" , wtimeout: 5000 } } )'
+      mongosh "$MONGODB_ROOT_URI" --eval 'db.getSiblingDB("\$external").runCommand( { createUser: "CN=cfuser,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU", roles: [ { role: "readWrite", db: "test" }, { role: "userAdminAnyDatabase", db: "admin" }, { role: "readWrite", db: "codefresh" }, { role: "readWrite", db: "pipeline-manager" }, { role: "readWrite", db: "runtime-environment-manager" }, { role: "readWrite", db: "context-manager" }, { role: "readWrite", db: "cluster-providers" }, { role: "readWrite", db: "charts-manager" }, { role: "readWrite", db: "k8s-monitor" }, { role: "readWrite", db: "read-models" }, { role: "readWrite", db: "audit" }, { role: "readWrite", db: "platform-analytics-postgres" } ], writeConcern: { w: "majority" , wtimeout: 5000 } } )'
 
       for MONGODB_DATABASE in ${MONGODB_DATABASES[@]}; do
         mongosh ${MONGODB_ROOT_URI} --eval "db.getSiblingDB('${MONGODB_DATABASE}').createCollection('test')"
@@ -116,6 +115,3 @@ secrets:
     enabled: true
     data:
       ca.pem: "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM4akNDQWRvQ0ZDcUpqc3pFSVNVSDhUSU9hV1RmS0JxeVhFT01NQTBHQ1NxR1NJYjNEUUVCQ3dVQU1CVXgKRXpBUkJnTlZCQU1UQ20xNVRXOXVaMjh0WTJFd0hoY05Nakl4TVRBeU1UZ3hNVE0yV2hjTk1qUXdNekUyTVRneApNVE0yV2pCV01Rc3dDUVlEVlFRR0V3SkJWVEVUTUJFR0ExVUVDQXdLVTI5dFpTMVRkR0YwWlRFaE1COEdBMVVFCkNnd1lTVzUwWlhKdVpYUWdWMmxrWjJsMGN5QlFkSGtnVEhSa01ROHdEUVlEVlFRRERBWmpablZ6WlhJd2dnRWkKTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElCRHdBd2dnRUtBb0lCQVFERlk5T2E4bG5JMmtPaHBXZStScENQQ1BqSgpVbUFEUjUrUnVPRHpaSG5sdUsrd3ByTXkwcFB6RTJTblJXcHlXRHZNaVV6RGFhNUl6dWIySGZSVFNuRVgyTUliCnNkZkY1UGFJTmhnd0RiTFJRUEhXcE5Da1dCRFQvN0tiUnN0dmZVc0k0TllYenFnLys0U05qQWxDdi9rY0NRVUMKekhZc2NUZitta3JpYVNzOWZIemxWYWZWRWY5cUFWSGFlakhDWnd2NkoxTjAzS08yRjM0dmRXS1JPUEZVM00xaQpVWklSYTZoN0FQbGxmZmt1S0doS0t2R3hDRzJENFlLSGJ1WG0zeXBpYjk1QTUrUFA0MUJWeWc2ZnlpRWhXazNSCllSWGoybWZWd1JLeWYyQTE4L2pqS1NQVG1Eck51andTTnZ0cWp2WWdrV01LN2JrdHAxcHV5RVVNZlQyTkFnTUIKQUFFd0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFFSGlOczZjZnl2UjNqODQzSEFKamE4Q2xKalJFdlZ1TXBIUAp4Y1RuQzdaOEF2Z3dOVDFFczd1OTFhVExicThSeDBiblRPYTJzZU9nb2VKM0lyd0pTOVFTeEtOQWpha3lnY2Q5ClBzM2tURXZFTVNBVTlRRU83cXNTNjh1aFdRMXRXM29KaktObVVnVDA5QzBEcVpZWTlrV3BQZzJENmIrUm1FWDgKUmYyUncrRGpLRXlHYkpRenJtRmNYMVlDcUV0MkpMR1RiZkM4NHpnb25YTS90d201cFlXL3JpSTVBd2lNWXB6ZApWR1p0d0lpSi9ZVWNrZWkrNlpscDczZHpiMUw0RHEzVjY5Y29VejVBZHhpVlRBRHlCcW1wM1VQbnZadTBsOCtuClM5Y3dZbkdaOTZLM3ZwQzZHTk5GY1QrbXdiZ25qK2JMaHVVTDMrck52R3BSclpKei9lQT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQotLS0tLUJFR0lOIFJTQSBQUklWQVRFIEtFWS0tLS0tCk1JSUVvd0lCQUFLQ0FRRUF4V1BUbXZKWnlOcERvYVZudmthUWp3ajR5VkpnQTBlZmtiamc4MlI1NWJpdnNLYXoKTXRLVDh4TmtwMFZxY2xnN3pJbE13Mm11U003bTloMzBVMHB4RjlqQ0c3SFh4ZVQyaURZWU1BMnkwVUR4MXFUUQpwRmdRMC8reW0wYkxiMzFMQ09EV0Y4Nm9QL3VFall3SlFyLzVIQWtGQXN4MkxIRTMvcHBLNG1rclBYeDg1VlduCjFSSC9hZ0ZSMm5veHdtY0wraWRUZE55anRoZCtMM1Zpa1RqeFZOek5ZbEdTRVd1b2V3RDVaWDM1TGlob1NpcngKc1FodGcrR0NoMjdsNXQ4cVltL2VRT2ZqeitOUVZjb09uOG9oSVZwTjBXRVY0OXBuMWNFU3NuOWdOZlA0NHlragowNWc2emJvOEVqYjdhbzcySUpGakN1MjVMYWRhYnNoRkRIMDlqUUlEQVFBQkFvSUJBR0piOFNqSDFRZXFBNE44Ckdhc09IS0M1MXNiekhsYmtETmFmYXJDK0E2UCtHTVlNKzBTNisvQm5YSU9ocW41YUMwcExySTIvanBKSFQzMmEKeFpIdmlWVlp0TGY2TWN3eDRNdFZNVTVZdFI5aW5sL1g5d085d256eGNIM0JsRVAxQ2p2ZFZiRzlUOGU2UEg0UQpKdGsxTWh2UFBzajdPM08vNHlnaW1HZ2tBZUQ3MUM3WUQ1RzAraC9jeTllYVRUUURUMFJ4ZEQ3dkE0d2g2MHhOCmgybTQxK0NyUFArTnNqM2FRNUNET09laUgyMk9UVmdEVllEb1RoUi9rRFdtNmg3eU55bEowMjM2SVk3WU5taEoKUzNWQURieXpJT0xhUWtBSWJmNVZBZ2JvRzZMaFhvN3hGdkQ3eHFKWENlRVlWOEZRV0UweEZJMkhKMFloaDhLNApSdXB3Q3AwQ2dZRUE3Q2t6bDZwRmgrNk1md3VHcnR0ZUY4UWVxQ1BuYXhWRmNpU2prZzMxd0swWTNyRXQ0UHM2CnJ5RkI2anVxVjBtNkE2M3FrdjdGcVdvNE9sM1U2aTB6aUpQMjJmMWFPWEtqdzRwYjl0bnRhRFBvOHV0dW5tQVAKaW4xWGUyR2s3S2p2emhrcjF0a0FtUXJBQUxiZEFEbi9GQjI1UWdOdmFSTytTbjZveUg4eGZ5TUNnWUVBMWZqVQpOZFBzQ1RJalpzcDdXUllreDhmL3prQjZhU3FlbkpPMjM3ZnlYVjJEVDFGWk8rMStxK1VHUkJRQXBzOVdwRGJICkJHMS9oTThyWlpTdW1BMkRxdTlobElFSDIwR3lIYVFLaC9JTUEvY0I2eGNHdk9OZVl6ajhWZHBCVmE4anYwd20KNFVVS3dsMEVkOHQreVdnVDB6THREN0UrR3RFaVY5UDIvaXBEODQ4Q2dZQVJQd2tIZ0dYSGdZSTlIT2hmQ0tJYwpkalFPNzJCTkQ2YWNxVlJRckRoUU05UG5IMlZNVXN4OFVaOXdyWjdJOVJkaWdXYnFDVFVDSkVHcThZTkUvcndPCnMwK0pwOWpZN1NoTWRXUTE2TUJQcGNyVFFxSTNhcWgzNHFOcTNUeWdFODQvYk5Nb3czd3BzUUZJakJJam5CaW0KclcwRUJ5QXh1a0ZoUzFLa0liWEpwUUtCZ0QrWTJNSXkvZW54ekJIbVJ1bEFxcWZ5cXZhTHRaYUNnMmc0ZzFkVgpYaVVnQVVKWEJIWEtiaWI3U0hSOW1YLzdDbDUrcFlLTVpTVjlTZ0hFUW15UlA3eFRzQ1lxZjhKTWNYdGI0WUZzCmtPT3d6QklxNHViTGthZGVMYW42MkFaMnF1SlY2UXgxcisvN0k3UFRlUmkxNVlhVmtWNWpxUGpoaGhxaXRydnUKcGduREFvR0JBTDlrUTdqV3FPTnB2Q2RtZFMwK0Voam5zcU1ta21ycWxhdEZjM2F2b0Jod3EyR0kxbWRNVDFmYwpHYjZIdlNsMWdDeG0vVGszMGpiZHI2eTJmWHl4UTdXc1FxWGNQRTZHYUFuWFE0d1l0ckZuY3BxTGR4Z0IzMmZmCkZEQ3p2bjRJZjBKUHAxdXNuZUpDclVpanlsTWhpcnBWSWdGUXY0cHdWV0g1T3JSeFVDS3cKLS0tLS1FTkQgUlNBIFBSSVZBVEUgS0VZLS0tLS0K"
-
-argo-platform:
-  enabled: false

codefresh/.ci/values/openshift.yaml

@@ -0,0 +1,90 @@
+global:
+  appUrl: ""  # placeholder for ${CF_APP_HOST}
+  firebaseSecret: ""  # placeholder for ${FIREBASE_SECRET}
+  dnsService: dns-default
+  dnsNamespace: openshift-dns
+  clusterDomain: cluster.local
+
+ingress:
+  enabled: true
+  ingressClassName: openshift-default
+  tls:
+    enabled: true
+    existingSecret: "{{ .Release.Name }}-codefresh-star-selfsigned"
+
+builder:
+  enabled: false
+
+cfapi:
+  podSecurityContext:
+    enabled: false
+
+cf-platform-analytics-platform:
+  redis:
+    master:
+      podSecurityContext:
+        enabled: false
+      containerSecurityContext:
+        enabled: false
+
+cfsign:
+  podSecurityContext:
+    enabled: false
+  initContainers:
+    volume-permissions:
+      enabled: false
+
+cfui:
+  podSecurityContext:
+    enabled: false
+
+internal-gateway:
+  podSecurityContext:
+    enabled: false
+
+helm-repo-manager:
+  chartmuseum:
+    securityContext:
+      enabled: false
+
+consul:
+  podSecurityContext:
+    enabled: false
+  containerSecurityContext:
+    enabled: false
+
+cronus:
+  podSecurityContext:
+    enabled: false
+
+ingress-nginx:
+  enabled: false
+
+mongodb:
+  podSecurityContext:
+    enabled: false
+  containerSecurityContext:
+    enabled: false
+
+postgresql:
+  primary:
+    podSecurityContext:
+      enabled: false
+    containerSecurityContext:
+      enabled: false
+
+redis:
+  master:
+    podSecurityContext:
+      enabled: false
+    containerSecurityContext:
+      enabled: false
+
+rabbitmq:
+  podSecurityContext:
+    enabled: false
+  containerSecurityContext:
+    enabled: false
+
+runner:
+  enabled: false