[minor] Allow DRO to be exposed through a route in gitops

cluster-applications/030-ibm-cis-cert-manager/templates/00-1-ibm-cis-webhook_rbac.yml → cluster-applications/020-ibm-cis-cert-manager/templates/00-1-ibm-cis-webhook_rbac.yml

@@ -10,7 +10,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   annotations:
-    argocd.argoproj.io/sync-wave: "030"
+    argocd.argoproj.io/sync-wave: "020"
   name: "cert-manager-webhook-ibm-cis"
   namespace: "{{ $cert_manager_namespace }}"
   labels:
@@ -27,7 +27,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   annotations:
-    argocd.argoproj.io/sync-wave: "031"
+    argocd.argoproj.io/sync-wave: "021"
   namespace: "{{ $cert_manager_namespace }}"
   name: "cert-manager-webhook-ibm-cis"
   labels:
@@ -51,7 +51,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   annotations:
-    argocd.argoproj.io/sync-wave: "030"
+    argocd.argoproj.io/sync-wave: "020"
   name: "cert-manager-webhook-ibm-cis"
   namespace: "{{ $cert_manager_namespace }}"
   labels:
@@ -75,7 +75,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   annotations:
-    argocd.argoproj.io/sync-wave: "031"
+    argocd.argoproj.io/sync-wave: "021"
   name: "cert-manager-webhook-ibm-cis:webhook-authentication-reader"
   namespace: kube-system
   labels:
@@ -100,7 +100,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   annotations:
-    argocd.argoproj.io/sync-wave: "031"
+    argocd.argoproj.io/sync-wave: "021"
   name: "cert-manager-webhook-ibm-cis:auth-delegator"
   labels:
     app: "cert-manager-webhook-ibm-cis"
@@ -123,7 +123,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   annotations:
-    argocd.argoproj.io/sync-wave: "030"
+    argocd.argoproj.io/sync-wave: "020"
   name: "cert-manager-webhook-ibm-cis:domain-solver"
   labels:
     app: "cert-manager-webhook-ibm-cis"
@@ -143,7 +143,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   annotations:
-    argocd.argoproj.io/sync-wave: "031"
+    argocd.argoproj.io/sync-wave: "021"
   name: "cert-manager-webhook-ibm-cis:domain-solver"
   labels:
     app: "cert-manager-webhook-ibm-cis"
@@ -165,7 +165,7 @@ kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   annotations:
-    argocd.argoproj.io/sync-wave: "031"
+    argocd.argoproj.io/sync-wave: "021"
   labels:
     app: "cert-manager-webhook-ibm-cis"
   name: 'system:openshift:scc:anyuid'

cluster-applications/030-ibm-cis-cert-manager/templates/00-2-ibm-cis-webhook_pki.yml → cluster-applications/020-ibm-cis-cert-manager/templates/00-2-ibm-cis-webhook_pki.yml

@@ -9,7 +9,7 @@ apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
   annotations:
-    argocd.argoproj.io/sync-wave: "032"
+    argocd.argoproj.io/sync-wave: "022"
   name: "cert-manager-webhook-ibm-cis-self-signed-issuer"
   namespace: "{{ $cert_manager_namespace }}"
   labels:
@@ -26,7 +26,7 @@ apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
   annotations:
-    argocd.argoproj.io/sync-wave: "033"
+    argocd.argoproj.io/sync-wave: "023"
   name: "cert-manager-webhook-ibm-cis-root-ca-certificate"
   namespace: "{{ $cert_manager_namespace }}"
   labels:
@@ -48,7 +48,7 @@ apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
   annotations:
-    argocd.argoproj.io/sync-wave: "033"
+    argocd.argoproj.io/sync-wave: "023"
   name: "cert-manager-webhook-ibm-cis-root-ca-issuer"
   namespace: "{{ $cert_manager_namespace }}"
   labels:
@@ -66,7 +66,7 @@ apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
   annotations:
-    argocd.argoproj.io/sync-wave: "034"
+    argocd.argoproj.io/sync-wave: "024"
   name: "cert-manager-webhook-ibm-cis-serving-cert"
   namespace: "{{ $cert_manager_namespace }}"
   labels:

cluster-applications/030-ibm-cis-cert-manager/templates/00-3-ibm-cis-webhook_deployment.yml → cluster-applications/020-ibm-cis-cert-manager/templates/00-3-ibm-cis-webhook_deployment.yml

@@ -13,7 +13,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   annotations:
-    argocd.argoproj.io/sync-wave: "035"
+    argocd.argoproj.io/sync-wave: "025"
   name: "cert-manager-webhook-ibm-cis"
   namespace: "{{ $cert_manager_namespace }}"
   labels:

cluster-applications/030-ibm-cis-cert-manager/templates/00-4-ibm-cis-webhook_apiservice.yml → cluster-applications/020-ibm-cis-cert-manager/templates/00-4-ibm-cis-webhook_apiservice.yml

@@ -8,7 +8,7 @@ apiVersion: apiregistration.k8s.io/v1
 kind: APIService
 metadata:
   annotations:
-    argocd.argoproj.io/sync-wave: "036"
+    argocd.argoproj.io/sync-wave: "026"
     cert-manager.io/inject-ca-from: "{{ $cert_manager_namespace }}/cert-manager-webhook-ibm-cis-serving-cert"
   name: "v1alpha1.{{ $cis_apiservice_group_name }}"
   namespace: "{{ $cert_manager_namespace }}"

cluster-applications/030-ibm-cis-cert-manager/templates/00-5-ibm-cis-webhook_service.yml → cluster-applications/020-ibm-cis-cert-manager/templates/00-5-ibm-cis-webhook_service.yml

@@ -9,7 +9,7 @@ apiVersion: v1
 kind: Service
 metadata:
   annotations:
-    argocd.argoproj.io/sync-wave: "036"
+    argocd.argoproj.io/sync-wave: "026"
   name: "cert-manager-webhook-ibm-cis"
   namespace: "{{ $cert_manager_namespace }}"
   labels:

cluster-applications/030-ibm-cis-cert-manager/templates/00-6-ibm-cis-webhook_cis-apikey-secret.yml → cluster-applications/020-ibm-cis-cert-manager/templates/00-6-ibm-cis-webhook_cis-apikey-secret.yml

@@ -7,7 +7,7 @@ apiVersion: v1
 kind: Secret
 metadata:
   annotations:
-    argocd.argoproj.io/sync-wave: "030"
+    argocd.argoproj.io/sync-wave: "020"
   name: cis-api-key
   namespace: "{{ $cert_manager_namespace }}"
 {{- if .Values.custom_labels }}

cluster-applications/030-ibm-cis-cert-manager/templates/00-7-ibm-cis-webhook_cis-proxy-route.yml → cluster-applications/020-ibm-cis-cert-manager/templates/00-7-ibm-cis-webhook_cis-proxy-route.yml

@@ -8,7 +8,7 @@ kind: Route
 apiVersion: route.openshift.io/v1
 metadata:
   annotations:
-    argocd.argoproj.io/sync-wave: "038"
+    argocd.argoproj.io/sync-wave: "028"
   name: cis-proxy-route
   namespace: "{{ $cert_manager_namespace }}"
 {{- if .Values.custom_labels }}

cluster-applications/020-ibm-dro/templates/01-dro_OperatorGroup.yaml → cluster-applications/030-ibm-dro/templates/01-dro_OperatorGroup.yaml

@@ -5,7 +5,7 @@ metadata:
   name: ibm-mas-operator-group
   namespace: "{{ .Values.dro_namespace }}"
   annotations:
-    argocd.argoproj.io/sync-wave: "021"
+    argocd.argoproj.io/sync-wave: "031"
 {{- if .Values.custom_labels }}
   labels:
 {{ .Values.custom_labels | toYaml | indent 4 }}

cluster-applications/020-ibm-dro/templates/02-dro-pull_Secret.yaml → cluster-applications/030-ibm-dro/templates/02-dro-pull_Secret.yaml

@@ -5,7 +5,7 @@ metadata:
   name: redhat-marketplace-pull-secret
   namespace: "{{ .Values.dro_namespace }}"
   annotations:
-    argocd.argoproj.io/sync-wave: "021"
+    argocd.argoproj.io/sync-wave: "031"
 {{- if .Values.custom_labels }}
   labels:
 {{ .Values.custom_labels | toYaml | indent 4 }}

cluster-applications/020-ibm-dro/templates/03-imo_Subscription.yaml → cluster-applications/030-ibm-dro/templates/03-imo_Subscription.yaml

@@ -5,7 +5,7 @@ metadata:
   name: ibm-metrics-operator
   namespace: "{{ .Values.dro_namespace }}"
   annotations:
-    argocd.argoproj.io/sync-wave: "022"
+    argocd.argoproj.io/sync-wave: "032"
   labels:
     app.kubernetes.io/name: imo
 {{- if .Values.custom_labels }}

cluster-applications/020-ibm-dro/templates/04-dro_Subscription.yaml → cluster-applications/030-ibm-dro/templates/04-dro_Subscription.yaml

@@ -5,7 +5,7 @@ metadata:
   name: ibm-data-reporter-operator
   namespace: "{{ .Values.dro_namespace }}"
   annotations:
-    argocd.argoproj.io/sync-wave: "022"
+    argocd.argoproj.io/sync-wave: "032"
   labels:
     app.kubernetes.io/name: dro
 {{- if .Values.custom_labels }}

cluster-applications/020-ibm-dro/templates/06-marketplaceconfig_Marketplaceconfig.yaml → cluster-applications/030-ibm-dro/templates/06-marketplaceconfig_Marketplaceconfig.yaml

@@ -4,7 +4,7 @@ metadata:
   name: marketplaceconfig
   namespace: "{{ .Values.dro_namespace }}"
   annotations:
-    argocd.argoproj.io/sync-wave: "024"
+    argocd.argoproj.io/sync-wave: "034"
     argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
 {{- if .Values.custom_labels }}
   labels:

cluster-applications/020-ibm-dro/templates/07-dro_rbac.yaml → cluster-applications/030-ibm-dro/templates/07-dro_rbac.yaml

@@ -6,7 +6,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: metric-state-view-binding
   annotations:
-    argocd.argoproj.io/sync-wave: "025"
+    argocd.argoproj.io/sync-wave: "035"
 {{- if .Values.custom_labels }}
   labels:
 {{ .Values.custom_labels | toYaml | indent 4 }}
@@ -34,7 +34,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: reporter-cluster-monitoring-binding
   annotations:
-    argocd.argoproj.io/sync-wave: "025"
+    argocd.argoproj.io/sync-wave: "035"
 {{- if .Values.custom_labels }}
   labels:
 {{ .Values.custom_labels | toYaml | indent 4 }}
@@ -62,7 +62,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: manager-cluster-monitoring-binding
   annotations:
-    argocd.argoproj.io/sync-wave: "025"
+    argocd.argoproj.io/sync-wave: "035"
 {{- if .Values.custom_labels }}
   labels:
 {{ .Values.custom_labels | toYaml | indent 4 }}

cluster-applications/020-ibm-dro/templates/08-postsync-update-sm_Job.yaml → cluster-applications/030-ibm-dro/templates/08-postsync-update-sm_Job.yaml

@@ -26,7 +26,7 @@ Increment this value whenever you make a change to an immutable field of the Job
 E.g. passing in a new environment variable.
 Included in $_job_hash (see below).
 */}}
-{{- $_job_version := "v3" }}
+{{- $_job_version := "v4" }}
 
 {{- /*
 10 char hash appended to the job name taking into account $_job_config_values, $_job_version and $_cli_image_digest
@@ -102,7 +102,7 @@ metadata:
   name: {{ $role_name }}
   namespace: {{ $ns }}
   annotations:
-    argocd.argoproj.io/sync-wave: "026"
+    argocd.argoproj.io/sync-wave: "036"
 {{- if .Values.custom_labels }}
   labels:
 {{ .Values.custom_labels | toYaml | indent 4 }}
@@ -112,8 +112,10 @@ rules:
       - get
     apiGroups:
       - route.openshift.io
+      - cert-manager.io
     resources:
       - routes
+      - certificates
 
 
 ---
@@ -123,7 +125,7 @@ metadata:
   name: {{ $rb_name }}
   namespace: {{ $ns }}
   annotations:
-    argocd.argoproj.io/sync-wave: "027"
+    argocd.argoproj.io/sync-wave: "037"
 {{- if .Values.custom_labels }}
   labels:
 {{ .Values.custom_labels | toYaml | indent 4 }}
@@ -144,7 +146,7 @@ metadata:
   name: {{ $_job_name }}
   namespace: {{ $ns }}
   annotations:
-    argocd.argoproj.io/sync-wave: "028"
+    argocd.argoproj.io/sync-wave: "038"
   labels:
     mas.ibm.com/job-cleanup-group: {{ $_job_cleanup_group }}
 {{- if .Values.custom_labels }}
@@ -181,11 +183,15 @@ spec:
             # Hard-coded for now:
             - name: AVP_TYPE
               value: "aws"
+            - name: DRO_PUBLIC_DOMAIN
+              value: {{ .Values.dro_public_domain }}
           volumeMounts:
             - name: aws
               mountPath: /etc/mas/creds/aws
             - name: ibm-data-reporter-operator-api-token
               mountPath: /etc/mas/creds/ibm-data-reporter-operator-api-token
+            - name: dro-tls-secret
+              mountPath: /etc/mas/creds/dro-tls-secret
           command:
             - /bin/sh
             - -c
@@ -252,6 +258,25 @@ spec:
                 exit 1
               fi
 
+              if [[ -n "${DRO_PUBLIC_DOMAIN}" ]]; then
+                wait_for_resource "certificate" "dro-client-certificate" "${DRO_NAMESPACE}"
+                export DRO_CLIENT_TLS_CA_CRT=$(cat /etc/mas/creds/dro-tls-secret/ca.crt | base64 -w0)
+                if [[ -z "${DRO_CLIENT_TLS_CA_CRT}" ]]; then
+                  echo "Failed to fetch ca.crt"
+                  exit 1
+                fi
+                export DRO_CLIENT_TLS_TLS_CRT=$(cat /etc/mas/creds/dro-tls-secret/tls.crt | base64 -w0)
+                if [[ -z "${DRO_CLIENT_TLS_TLS_CRT}" ]]; then
+                  echo "Failed to fetch tls.crt"
+                  exit 1
+                fi
+                export DRO_CLIENT_TLS_TLS_KEY=$(cat /etc/mas/creds/dro-tls-secret/tls.key | base64 -w0)
+                if [[ -z "${DRO_CLIENT_TLS_TLS_KEY}" ]]; then
+                  echo "Failed to fetch tls.key"
+                  exit 1
+                fi
+              fi
+
 
               # aws configure set aws_access_key_id $SM_AWS_ACCESS_KEY_ID
               # aws configure set aws_secret_access_key $SM_AWS_SECRET_ACCESS_KEY
@@ -263,7 +288,7 @@ spec:
               # aws secretsmanager create-secret --name ${SECRET_NAME} --secret-string "${SECRET_VALUE}"
               SECRET_NAME_DRO=${ACCOUNT_ID}/${CLUSTER_ID}/dro
               TAGS="[{\"Key\": \"source\", \"Value\": \"postsync-ibm-dro-update-sm-job\"}, {\"Key\": \"account\", \"Value\": \"${ACCOUNT_ID}\"}, {\"Key\": \"cluster\", \"Value\": \"${CLUSTER_ID}\"}]"
-              sm_update_secret $SECRET_NAME_DRO "{\"dro_api_token\": \"$DRO_API_TOKEN\", \"dro_url\": \"$DRO_URL\" }" "${TAGS}"
+              sm_update_secret $SECRET_NAME_DRO "{\"dro_api_token\": \"$DRO_API_TOKEN\", \"dro_url\": \"$DRO_URL\", \"dro_client_tls_ca_crt_b64\": \"$DRO_CLIENT_TLS_CA_CRT\", \"dro_client_tls_tls_crt_b64\": \"$DRO_CLIENT_TLS_TLS_CRT\", \"dro_client_tls_tls_key_b64\": \"$DRO_CLIENT_TLS_TLS_KEY\" }" "${TAGS}"
 
 
       restartPolicy: Never
@@ -282,6 +307,11 @@ spec:
             secretName: ibm-data-reporter-operator-api-token
             defaultMode: 420
             optional: false
+        - name: dro-tls-secret
+          secret:
+            secretName: dro-tls-secret
+            defaultMode: 420
+            optional: false
   backoffLimit: 4
 {{- end }}
 

cluster-applications/020-ibm-dro/templates/09-dro-cmm_Secret.yaml → cluster-applications/030-ibm-dro/templates/09-dro-cmm_Secret.yaml

@@ -7,7 +7,7 @@ metadata:
   name: dest-header-map-secret
   namespace: "{{ .Values.dro_namespace }}"
   annotations:
-    argocd.argoproj.io/sync-wave: "029"
+    argocd.argoproj.io/sync-wave: "039"
 type: Opaque
 stringData:
   accept: application/json
@@ -18,7 +18,7 @@ metadata:
   name: auth-header-map-secret
   namespace: "{{ .Values.dro_namespace }}"
   annotations:
-    argocd.argoproj.io/sync-wave: "029"
+    argocd.argoproj.io/sync-wave: "039"
 type: Opaque
 stringData:
   accept: application/json
@@ -30,7 +30,7 @@ metadata:
   name: auth-body-data-secret
   namespace: "{{ .Values.dro_namespace }}"
   annotations:
-    argocd.argoproj.io/sync-wave: "029"
+    argocd.argoproj.io/sync-wave: "039"
 type: Opaque
 stringData:
   bodydata: |

cluster-applications/020-ibm-dro/templates/10-dro-cmm_ConfigMap.yaml → cluster-applications/030-ibm-dro/templates/10-dro-cmm_ConfigMap.yaml

@@ -7,7 +7,7 @@ metadata:
   name: kazaam-configmap
   namespace: "{{ .Values.dro_namespace }}"
   annotations:
-    argocd.argoproj.io/sync-wave: "029"
+    argocd.argoproj.io/sync-wave: "039"
 data:
   kazaam.json: |
     [

cluster-applications/020-ibm-dro/templates/11-dro-cmm_DataReporterConfig.yaml → cluster-applications/030-ibm-dro/templates/11-dro-cmm_DataReporterConfig.yaml

@@ -7,7 +7,7 @@ metadata:
   name: datareporterconfig
   namespace: "{{ .Values.dro_namespace }}"
   annotations:
-    argocd.argoproj.io/sync-wave: "030"
+    argocd.argoproj.io/sync-wave: "040"
     argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
 spec:
   confirmDelivery: false