ROX-26039: Create tenant argoCd app #2009

Open
wants to merge 8 commits into
base: main

Collaborator

@ludydoo ludydoo commented Sep 2, 2024

Description

Adds the support for deploying tenant-resources through ArgoCD rather than the built-in tenant-resources chart. The CentralReconciler will

  • Create an ArgoCD application if the flag is enabled for a tenant
  • Delete the ArgoCD application if the flag is disabled (or do nothing)

Environment variables have been added that represent the default tenant-resources application source. Currently, it defaults to

Repo github.com/stackrox/acscs-manifests
Path tenant-resources
Ref HEAD

Because this is an opt-in feature, at this point deploying this will have no consequence on the int/stage/prod environments.

The acscs-manifests repository is private. But ArgoCD should have access to it thanks to https://github.com/stackrox/acs-fleet-manager-aws-config/pull/257

A further step in the development of the feature is to enable the local development support for ArgoCD: https://github.com/stackrox/acs-fleet-manager/pull/2074/files

Checklist (Definition of Done)

  • Unit and integration tests added
  • Added test description under Test manual
  • Documentation added if necessary (i.e. changes to dev setup, test execution, ...)
  • CI and all relevant tests are passing
  • Add the ticket number to the PR title if available, i.e. ROX-12345: ...
  • Discussed security and business related topics privately. Will move any security and business related topics that arise to private communication channel.
  • Add secret to app-interface Vault or Secrets Manager if necessary
  • RDS changes were e2e tested manually
  • Check AWS limits are reasonable for changes provisioning new resources
  • (If applicable) Changes to the dp-terraform Helm values have been reflected in the addon on integration environment

Test manual

TODO: Add manual testing efforts

# To run tests locally run:
make db/teardown db/setup db/migrate
make ocm/setup
make verify lint binary test test/integration

@openshift-ci openshift-ci bot added the approved label Sep 2, 2024
@ludydoo ludydoo force-pushed the ROX-26039-create-argocd-tenant-app branch from f42e55c to a1ac500 Compare September 4, 2024 12:47
Base automatically changed from ROX-26038-argocd-tenant-flag to main October 14, 2024 09:58
@ludydoo ludydoo force-pushed the ROX-26039-create-argocd-tenant-app branch from a1ac500 to 3635f24 Compare October 16, 2024 08:47
Contributor

@kovayur kovayur left a comment

🔥

@openshift-ci openshift-ci bot added the lgtm label Oct 16, 2024
@ludydoo ludydoo force-pushed the ROX-26039-create-argocd-tenant-app branch from e3a4736 to e4d10fa Compare October 16, 2024 11:26
@openshift-ci openshift-ci bot removed the lgtm label Oct 16, 2024
Contributor

openshift-ci bot commented Oct 16, 2024

New changes are detected. LGTM label has been removed.

Contributor

@johannes94 johannes94 left a comment

I don't like being the "Process-driven block a PR because of formal issues guy", but for a change like this, I'd expect more information in the PR description. For instance how you've tested the changes and also a functional description of what you expect / not expect to work after this PR.

Comment on lines 39 to 41
DefaultTenantArgoCdAppSourceRepoURL string `env:"TENANT_ARGOCD_APP_SOURCE_REPO_URL_DEFAULT" envDefault:"https://github.com/stackrox/acscs-manifests.git"`
DefaultTenantArgoCdAppSourceRef string `env:"TENANT_ARGOCD_APP_SOURCE_REF_DEFAULT" envDefault:"HEAD"`
DefaultTenantArgoCdAppSourcePath string `env:"TENANT_ARGOCD_APP_SOURCE_PATH_DEFAULT" envDefault:"tenant-resources"`
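
Review bot: the `envDefault:"HEAD"` on `DefaultTenantArgoCdAppSourceRef` makes the default application source a moving ref, so whatever is at HEAD of the manifests repository becomes the tenant-resources source with no separate promotion step. Consider defaulting to a tag or commit SHA and bumping it explicitly, and document on these three fields that they are fleet-wide defaults.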
Contributor

The naming of the Env variables compared to the field is inconsistent. The "DEFAULT" should be at the start of the variable name.

Looking at the other parts of this PR I wonder if we even need that "Default" prefix. Currently it's never set to a "non-default" value. Is that going to come with a future PR?

Other thing to mention is that even if we can override it on a per tenant basis, on the CentralReconciler and CentralReconcilerOptions struct it shouldn't be called Default* anymore if the override is applied on that level.

Collaborator Author

I named it default in the sense of it being the default if there are no per-tenant overrides. You are recommending dropping the DEFAULT here?

Contributor

For these specific env variables I'd recommend to make the naming consistent. The default should be either a prefix or a suffix, for instance: Env Variable: TENANT_ARGOCD_APP_SOURCE_REF_DEFAULT should be field TenantArgoCdAppSourceRefDefault not DefaultTenantArgoCdAppSourceRef

For the CentralReconciler / CentralReconcilerOptions I don't see any logic for overriding those values on a per-tenant basis, so I'm questioning if this is going to be added in follow-up PRs or if the "Default" prefix is unnecessary.

Collaborator Author

The ability to override the ArgoCD application source (repo/path/ref) will be added later

Collaborator Author

I'll rename the env var to be consistent

return nil
}

func (r *CentralReconciler) getArgoCDApplication(remoteCentral private.ManagedCentral) (*argocd.Application, error) {
Contributor

@johannes94 johannes94 Oct 16, 2024

nit: The method name was confusing me. I expected this function to send a GET request to argoCd as opposed to creating the *argocd.Application object from a remoteCentral.

} else {

{
// This little part would only happen if we enable, then disable ArgoCD for a tenant
Contributor

In my understanding this part would execute on every reconciliation where remoteCentral.Spec.ArgoCd.Enabled != true, am I wrong here? If so could you explain why?

Maybe the function would be NOOP in that case but it would go through this code path.

Collaborator Author

Not every reconciliation, only if the hashSum has been changed.
This would run if

  1. ArgoCD enabled for a tenant
  2. Then ArgoCD disabled for a tenant

This would basically clean up the ArgoCD application

Contributor

@johannes94 johannes94 Oct 16, 2024

> Not every reconciliation, only if the hashSum has been changed.

True, forgot about that part.

Still I think this code path would run even if ArgoCD was never enabled for a tenant. Not only in the situation described above, which makes the statement of the comment wrong.

Collaborator Author

Ah I see what you mean. Will change to

This little part handles the case where we enable, then disable ArgoCD for a tenant

Collaborator Author

ludydoo commented Oct 16, 2024

https://github.com/stackrox/acs-fleet-manager/pull/2074/files

You're right. After some thought, I believe it would make sense to merge both https://github.com/stackrox/acs-fleet-manager/pull/2074/files and this PR together. Otherwise it might break the local development setup (because argoCD CRDs would not be present). Though it is easier to review separately.

Edit: suspicion confirmed by the failing e2e test.

1 runtime.go:249] Unexpected error occurred rhacs-cs7r0jv6t49s7391gqdg/e2e-b8f0c67c874f629f: unable to delete ArgoCD application for central rhacs-cs7r0jv6t49s7391gqdg/e2e-b8f0c67c874f629f: getting ArgoCD application: no matches for kind "Application" in version "argoproj.io/v1alpha1"
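
The failure mode in the e2e log above, as an added example that is not code from this PR or from acs-fleet-manager: a reconciler whose cleanup path treats a missing `Application` kind as nothing to delete, while the create path still reports it. `FakeCluster`, `Reconcile` and both sentinel errors are hypothetical stand-ins for the Kubernetes client and its not-found and no-kind-match errors.

```go
package main

import (
	"errors"
	"fmt"
)
// Hypothetical stand-ins for the API server's not-found and no-kind-match errors.
var ErrNotFound = errors.New("application not found")
var ErrNoKindMatch = errors.New(`no matches for kind "Application" in version "argoproj.io/v1alpha1"`)

// FakeCluster is a constructed in-memory cluster; CRDInstalled says whether the Application kind exists.
type FakeCluster struct {
	CRDInstalled bool
	Apps         map[string]bool
}

func (c *FakeCluster) get(key string) error {
	if !c.CRDInstalled {
		return ErrNoKindMatch
	} else if !c.Apps[key] {
		return ErrNotFound
	}
	return nil
}

// Reconcile creates the app when enabled, removes it when disabled, and surfaces other lookup errors.
func Reconcile(c *FakeCluster, key string, enabled bool) (string, error) {
	err := c.get(key)
	missing := errors.Is(err, ErrNotFound)
	// Disabled tenant: no object, or no such kind at all, means nothing to delete.
	if !enabled && (missing || errors.Is(err, ErrNoKindMatch)) {
		return "absent", nil
	}
	if err != nil && !missing {
		return "", fmt.Errorf("getting ArgoCD application: %w", err)
	}
	if !enabled {
		delete(c.Apps, key)
		return "deleted", nil
	}
	if missing {
		c.Apps[key] = true
		return "created", nil
	}
	return "unchanged", nil
}

func main() {
	fmt.Println(Reconcile(&FakeCluster{Apps: map[string]bool{}}, "tenant-a", false))
}
```

For an enabled tenant the missing kind is still returned as an error, so a cluster without ArgoCD cannot silently skip a deployment that was requested.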

@ludydoo ludydoo force-pushed the ROX-26039-create-argocd-tenant-app branch from e4d10fa to a614365 Compare October 22, 2024 08:30
@ludydoo ludydoo changed the base branch from main to lc/ROX-26523-dev-argocd October 22, 2024 08:30
Collaborator Author

ludydoo commented Oct 29, 2024

/retest

Collaborator Author

ludydoo commented Oct 29, 2024

/retest

Collaborator Author

ludydoo commented Oct 30, 2024

/retest

Collaborator Author

ludydoo commented Oct 30, 2024

/retest

Collaborator Author

ludydoo commented Oct 31, 2024

/retest

Collaborator Author

ludydoo commented Oct 31, 2024

/retest
