Foster/acm stuff

charts/letsencrypt-clusterissuer/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 name: letsencrypt-clusterissuer
 description: Installs cert-manager operator and creates a Let's Encrypt ACME ClusterIssuer with DNS-01 Route 53 solver (uses IRSA, no static credentials)
-version: 1.0.4
+version: 1.0.5
 type: application
 home: https://rh-mobb.github.io/validated-pattern-helm-charts/
 icon: https://raw.githubusercontent.com/openshift/console/master/frontend/public/imgs/logos/openshift.svg

charts/letsencrypt-clusterissuer/templates/restart-certmanager-job.yaml

@@ -0,0 +1,70 @@
+{{- if .Values.certManagerRole }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: cert-manager-restart
+  namespace: cert-manager
+  annotations:
+    argocd.argoproj.io/sync-wave: "4"
+    argocd.argoproj.io/hook: Sync
+    argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: cert-manager-restart
+  namespace: cert-manager
+  annotations:
+    argocd.argoproj.io/sync-wave: "4"
+    argocd.argoproj.io/hook: Sync
+    argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
+rules:
+  - apiGroups: ["apps"]
+    resources: ["deployments"]
+    verbs: ["get", "patch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: cert-manager-restart
+  namespace: cert-manager
+  annotations:
+    argocd.argoproj.io/sync-wave: "4"
+    argocd.argoproj.io/hook: Sync
+    argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: cert-manager-restart
+subjects:
+  - kind: ServiceAccount
+    name: cert-manager-restart
+    namespace: cert-manager
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: cert-manager-restart
+  namespace: cert-manager
+  annotations:
+    argocd.argoproj.io/sync-wave: "4"
+    argocd.argoproj.io/hook: Sync
+    argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
+spec:
+  backoffLimit: 3
+  template:
+    spec:
+      serviceAccountName: cert-manager-restart
+      restartPolicy: OnFailure
+      containers:
+        - name: restart
+          image: registry.redhat.io/openshift4/ose-cli:latest
+          command:
+            - /bin/sh
+            - -c
+            - |
+              echo "Restarting cert-manager deployment to pick up IRSA annotation..."
+              oc rollout restart deployment/cert-manager -n cert-manager
+              oc rollout status deployment/cert-manager -n cert-manager --timeout=120s
+              echo "cert-manager restarted successfully"
+{{- end }}

charts/network-observability-operator/Chart.yaml

@@ -4,7 +4,7 @@ description: Helm chart for deploying the Network Observability Operator with Lo
 icon: https://raw.githubusercontent.com/openshift/console/master/frontend/public/imgs/logos/openshift.svg
 home: https://rh-mobb.github.io/validated-pattern-helm-charts/
 type: application
-version: 2.1.3
+version: 2.1.4
 appVersion: "1.11"
 dependencies:
   - name: helper-status-checker

charts/network-observability-operator/templates/flowcollector.yaml

@@ -96,17 +96,10 @@ spec:
           insecureSkipVerify: false
           type: Disabled
     multiClusterDeployment: false
-    {{- if .Values.flowCollector.processor.filters }}
+    {{- if .Values.flowCollector.processor.filterNamespaces }}
     filters:
-      {{- range .Values.flowCollector.processor.filters }}
-      - query: {{ .query | quote }}
-        {{- if .outputTarget }}
-        outputTarget: {{ .outputTarget }}
-        {{- end }}
-        {{- if .sampling }}
-        sampling: {{ .sampling }}
-        {{- end }}
-      {{- end }}
+      - outputTarget: Loki
+        query: "{{ range $i, $ns := .Values.flowCollector.processor.filterNamespaces }}{{ if $i }} OR {{ end }}SrcK8S_Namespace=\"{{ $ns }}\" OR DstK8S_Namespace=\"{{ $ns }}\"{{ end }}"
     {{- end }}
   prometheus:
     querier:

charts/network-observability-operator/templates/subscription.yaml

@@ -1,48 +1,74 @@
-{{- range .Values.subscriptions }}
-{{- if .enabled }}
-{{- if .createNamespace }}
 ---
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: {{ .namespace }}
+  name: openshift-netobserv-operator
   annotations:
     argocd.argoproj.io/sync-wave: "-1"
-{{- end }}
-{{- if .createOperatorGroup }}
 ---
 apiVersion: operators.coreos.com/v1
 kind: OperatorGroup
 metadata:
-  name: {{ .name }}
-  namespace: {{ .namespace }}
+  name: netobserv-operator
+  namespace: openshift-netobserv-operator
   annotations:
     argocd.argoproj.io/sync-wave: "0"
 spec:
   upgradeStrategy: Default
-{{- end }}
 ---
 apiVersion: operators.coreos.com/v1alpha1
 kind: Subscription
 metadata:
-  name: {{ .name }}
-  namespace: {{ .namespace }}
+  name: netobserv-operator
+  namespace: openshift-netobserv-operator
   annotations:
     argocd.argoproj.io/sync-wave: "0"
 spec:
-  channel: {{ .channel }}
-  installPlanApproval: {{ .installPlanApproval }}
-  name: {{ .name }}
-  source: {{ .source }}
-  sourceNamespace: {{ .sourceNamespace }}
-  {{- if .startingCSV }}
-  startingCSV: {{ .startingCSV }}
+  channel: stable
+  installPlanApproval: Manual
+  name: netobserv-operator
+  source: redhat-operators
+  sourceNamespace: openshift-marketplace
+  {{- if .Values.netobservOperator.startingCSV }}
+  startingCSV: {{ .Values.netobservOperator.startingCSV }}
   {{- end }}
-  {{- if .roleArn }}
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openshift-operators-redhat
+  annotations:
+    argocd.argoproj.io/sync-wave: "-1"
+---
+apiVersion: operators.coreos.com/v1
+kind: OperatorGroup
+metadata:
+  name: loki-operator
+  namespace: openshift-operators-redhat
+  annotations:
+    argocd.argoproj.io/sync-wave: "0"
+spec:
+  upgradeStrategy: Default
+---
+apiVersion: operators.coreos.com/v1alpha1
+kind: Subscription
+metadata:
+  name: loki-operator
+  namespace: openshift-operators-redhat
+  annotations:
+    argocd.argoproj.io/sync-wave: "0"
+spec:
+  channel: stable-6.2
+  installPlanApproval: Manual
+  name: loki-operator
+  source: redhat-operators
+  sourceNamespace: openshift-marketplace
+  {{- if .Values.lokiOperator.startingCSV }}
+  startingCSV: {{ .Values.lokiOperator.startingCSV }}
+  {{- end }}
+  {{- if .Values.lokiOperator.roleArn }}
   config:
     env:
       - name: ROLEARN
-        value: {{ .roleArn }}
+        value: {{ .Values.lokiOperator.roleArn }}
   {{- end }}
-{{- end }}
-{{- end }}

charts/network-observability-operator/values.yaml

@@ -1,27 +1,11 @@
 namespace: openshift-netobserv-operator
 
-subscriptions:
-  - name: netobserv-operator
-    namespace: openshift-netobserv-operator
-    channel: stable
-    installPlanApproval: Manual
-    source: redhat-operators
-    sourceNamespace: openshift-marketplace
-    startingCSV: ""
-    enabled: true
-    createNamespace: true
-    createOperatorGroup: true
-  - name: loki-operator
-    namespace: openshift-operators-redhat
-    channel: stable-6.2
-    installPlanApproval: Manual
-    source: redhat-operators
-    sourceNamespace: openshift-marketplace
-    startingCSV: loki-operator.v6.2.0
-    enabled: true
-    roleArn: ""
-    createNamespace: true
-    createOperatorGroup: true
+netobservOperator:
+  startingCSV: ""
+
+lokiOperator:
+  startingCSV: loki-operator.v6.2.0
+  roleArn: ""
 
 # Loki Stack configuration
 lokiStack:
@@ -126,10 +110,7 @@ flowCollector:
       requests:
         cpu: 100m
         memory: 100Mi
-    filters:
-      - outputTarget: Loki
-        query: >-
-          SrcK8S_Namespace="istio-demo" OR DstK8S_Namespace="istio-demo"
+    filterNamespaces: []
     advanced:
       conversationEndTimeout: 10s
       conversationHeartbeatInterval: 30s