[EPMDEDP-8257]: feat: Provision argocd client in Keycloak Enable

Introduce argocd.enabled flag which enables ArgoCD integration
with SSO

Signed-off-by: Sergiy Kulanov <[email protected]>
Change-Id: I947050cf8f964b6869c3b1c962a6d8949cd06607

Author: SergK

deploy-templates/README.md

@@ -10,8 +10,8 @@ A Helm chart for EDP Install
 
 | Name | Email | Url |
 | ---- | ------ | --- |
-| epmd-edp | [email protected] | https://solutionshub.epam.com/solution/epam-delivery-platform |
-| sergk |  | https://github.com/SergK |
+| epmd-edp | <[email protected]> | <https://solutionshub.epam.com/solution/epam-delivery-platform> |
+| sergk |  | <https://github.com/SergK> |
 
 ## Source Code
 
@@ -40,6 +40,8 @@ A Helm chart for EDP Install
 | EDPComponents | object | `{}` |  |
 | admin-console-operator.enabled | bool | `true` |  |
 | annotations | object | `{}` |  |
+| argocd.enabled | bool | `false` | Enable ArgoCD integration |
+| argocd.url | string | `""` (defaults to https://argocd.{{ .Values.global.dnsWildCard }}) | ArgoCD URL in format schema://URI |
 | awsRegion | string | `nil` |  |
 | cd-pipeline-operator.enabled | bool | `true` |  |
 | codebase-operator.enabled | bool | `true` |  |
@@ -93,4 +95,4 @@ A Helm chart for EDP Install
 | vcs.enabled | string | `"false"` |  |
 
 ----------------------------------------------
-Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0)
+Autogenerated from chart metadata using [helm-docs v1.10.0](https://github.com/norwoodj/helm-docs/releases/v1.10.0)

deploy-templates/templates/argocd/keycloakclient.yaml

@@ -0,0 +1,14 @@
+{{- $argocdDefaultURL := printf "https://argocd.%s" .Values.global.dnsWildCard -}}
+{{- if .Values.argocd.enabled }}
+apiVersion: v1.edp.epam.com/v1alpha1
+kind: KeycloakClient
+metadata:
+  name: argocd
+spec:
+  advancedProtocolMappers: true
+  clientId: agocd
+  directAccess: true
+  public: false
+  targetRealm: {{ .Values.global.edpName }}-main
+  webUrl: "{{ .Values.argocd.url | default $argocdDefaultURL }}"
+{{- end }}

deploy-templates/templates/argocd/keycloakclientscope.yaml

@@ -0,0 +1,21 @@
+{{- if .Values.argocd.enabled }}
+apiVersion: v1.edp.epam.com/v1alpha1
+kind: KeycloakClientScope
+metadata:
+  name: groups
+spec:
+  name: groups
+  realm: main
+  description: "Group Membership"
+  protocol: openid-connect
+  protocolMappers:
+    - name: groups
+      protocol: openid-connect
+      protocolMapper: "oidc-group-membership-mapper"
+      config:
+        "access.token.claim": "true"
+        "claim.name": "groups"
+        "full.path": "false"
+        "id.token.claim": "true"
+        "userinfo.token.claim": "true"
+{{- end }}

deploy-templates/templates/argocd/keycloakrealmgroup.yaml

@@ -0,0 +1,9 @@
+{{- if .Values.argocd.enabled }}
+apiVersion: v1.edp.epam.com/v1alpha1
+kind: KeycloakRealmGroup
+metadata:
+  name: argocd-admins
+spec:
+  name: ArgoCDAdmins
+  realm: main
+{{- end }}

deploy-templates/values.yaml

@@ -40,6 +40,13 @@ global:
 # AWS Region, e.g. "eu-central-1"
 awsRegion:
 
+argocd:
+  # -- Enable ArgoCD integration
+  enabled: false
+  # -- ArgoCD URL in format schema://URI
+  # @default -- `""` (defaults to https://argocd.{{ .Values.global.dnsWildCard }})
+  url: ""
+
 perf:
   enabled: "false"
 

docs/operator-guide/install-argocd.md

@@ -0,0 +1,114 @@
+# Install Argo CD
+
+Inspect the prerequisites and the main steps to perform for enabling Argo CD in EDP.
+
+## Prerequisites
+
+* [Keycloak is installed](./install-keycloak.md)
+* [EDP is installed](./install-edp.md)
+* Kubectl version 1.18.0 is installed. Please refer to the [Kubernetes official website](https://v1-18.docs.kubernetes.io/docs/setup/release/notes/) for details.
+* [Helm](https://helm.sh) version 3.6.0 is installed. Please refer to the [Helm page](https://github.com/helm/helm/releases/tag/v3.6.0) on GitHub for details.
+
+## Installation
+
+Argo CD enablement for EDP consists of two major steps:
+
+* Argo CD integration with EDP (SSO enablement, codebase onboarding, etc.)
+* Argo CD installation
+
+### Integrate With EDP
+
+To enable Argo CD integration, ensure that the `argocd.enabled` flag [values.yaml](https://github.com/epam/edp-install/blob/master/deploy-templates/values.yaml) is set to `true`
+
+### Install With Helm
+
+Argo CD can be installed in many ways, please follow the [official documentation](https://argo-cd.readthedocs.io/en/stable/operator-manual/installation/) for more details.
+
+Follow the steps below to install Argo CD using Helm:
+
+* Check out the *values.yaml* file sample of the Argo CD customization, which is based on `HA mode without autoscaling`:
+
+  <details>
+  <summary><b>View: values.yaml</b></summary>
+
+  ```yaml
+  redis-ha:
+    enabled: true
+
+  controller:
+    enableStatefulSet: true
+
+  server:
+    replicas: 2
+    extraArgs:
+      - "--insecure"
+    env:
+      - name: ARGOCD_API_SERVER_REPLICAS
+        value: '2'
+    ingress:
+      enabled: true
+      hosts:
+        - "argocd.{{ .Values.global.dnsWildCard }}"
+    config:
+      # required when SSO is enabled
+      url: "https://argocd.{{ .Values.global.dnsWildCard }}"
+      application.instanceLabelKey: argocd.argoproj.io/instance-edp
+      oidc.config: |
+        name: Keycloak
+        issuer: https://{{ .Values.global.keycloakEndpoint }}/auth/realms/{{ .Values.global.edpName }}-main
+        clientID: argocd
+        clientSecret: $oidc.keycloak.clientSecret
+        requestedScopes:
+          - openid
+          - profile
+          - email
+          - groups
+    rbacConfig:
+      # users may be still be able to login,
+      # but will see no apps, projects, etc...
+      policy.default: ''
+      scopes: '[groups]'
+      policy.csv: |
+        # default global admins
+        g, Argo CDAdmins, role:admin
+
+  configs:
+    secret:
+      extra:
+        oidc.keycloak.clientSecret: "REPLACE"
+
+  repoServer:
+    replicas: 2
+
+  # we use Keycloak so no DEX is required
+  dex:
+    enabled: false
+
+  # Disabled for multitenancy env with single instance deployment
+  applicationSet:
+    enabled: false
+  ```
+
+  </details>
+
+    Populate Argo CD values with the values from the EDP [values.yaml](https://github.com/epam/edp-install/blob/master/deploy-templates/values.yaml):
+
+  * .Values.global.dnsWildCard - EDP DNS WildCard
+  * .Values.global.keycloakEndpoint - Keycloak Hostname
+  * .Values.global.edpName - EDP name
+
+* Run installation
+
+  ```bash
+  kubectl create ns argocd
+  helm repo add argo https://argoproj.github.io/argo-helm
+  helm install argocd argo/argo-cd -f values.yaml
+  ```
+
+* Update `argocd-secret` secret (in argocd namespace) by providing correct keycloak client secret (`oidc.keycloak.clientSecret`) with value from the `keycloak-client-argocd-secret` secret in EDP namespace and restart the deployment:
+
+  ```bash
+  ARGOCD_CLIENT=$(kubectl -n <EDP_NAMESPACE> get secret keycloak-client-argocd-secret  -o jsonpath='{.data.clientSecret}')
+  kubectl -n argocd patch secret argocd-secret -p="{\"data\":{\"oidc.keycloak.clientSecret\": \"${ARGOCD_CLIENT}\"}}" -v=1
+  kubectl -n argocd rollout restart deployment argocd-server
+  ```

mkdocs.yml

@@ -89,6 +89,7 @@ nav:
         - Set Up Kubernetes: operator-guide/kubernetes-cluster-settings.md
         - Set Up OpenShift: operator-guide/openshift-cluster-settings.md
       - Install EDP: operator-guide/install-edp.md
+      - Install Argo CD: operator-guide/install-argocd.md
     - Configuration:
       - Add Other Code Language: operator-guide/add-other-code-language.md
       - Backup With Velero: