ACM 2.12 / MCE 2.7 production release (#848)

MCE + policy prod release

Signed-off-by: Gerd Oberlechner <[email protected]>

Author: geoberle

acm/Makefile

@@ -3,17 +3,16 @@ DEPLOY_ENV ?= personal-dev
 $(shell ../templatize.sh $(DEPLOY_ENV) config.tmpl.mk config.mk)
 include config.mk
 
-MCE_OPERATOR_BUNDLE_IMAGE ?= quay.io/acm-d/mce-operator-bundle:v2.7.0-110
-REGISTRY ?= ${ARO_HCP_IMAGE_ACR}.azurecr.io/acm-d-mce
-# once MCE 2.7 is released, we can find the official bundle image here
-# https://catalog.redhat.com/software/containers/multicluster-engine/mce-operator-bundle/6160406290fb938ecf6009c6
+MCE_OPERATOR_BUNDLE_IMAGE ?= registry.redhat.io/multicluster-engine/mce-operator-bundle:v2.7.0-116
+REGISTRY ?= ${ARO_HCP_IMAGE_ACR}.azurecr.io
 
 MCE_OPERATOR_BUNDLE_FILE = mce-operator-bundle.tgz
 HELM_BASE_DIR = deploy/helm
 MCE_CHART_DIR = ${HELM_BASE_DIR}/multicluster-engine
 MCE_CONFIG_DIR = ${HELM_BASE_DIR}/multicluster-engine-config
 MCE_NS = multicluster-engine
 POLICY_HELM_REPO = https://github.com/stolostron/mce-install-kube.git
+POLICY_HELM_REPO_BRANCH = release-2.12
 
 deploy:
 	@kubectl create namespace ${MCE_NS} --dry-run=client -o json | kubectl apply -f -
@@ -23,7 +22,8 @@ deploy:
 		--set imageRegistry=${REGISTRY}
 	helm upgrade --install --wait --wait-for-jobs \
 		mce-config ${MCE_CONFIG_DIR} \
-		--namespace ${MCE_NS}
+		--namespace ${MCE_NS} \
+		--set global.registryOverride=${REGISTRY}
 
 helm-chart:
 	@podman pull --arch amd64 ${MCE_OPERATOR_BUNDLE_IMAGE}
@@ -37,14 +37,11 @@ helm-chart:
 
 	@echo "Cloning remote mce-install-kube repository..."
 	TMP_DIR=$$(mktemp -d) && \
-	git clone ${POLICY_HELM_REPO} $$TMP_DIR && \
+	git clone --branch ${POLICY_HELM_REPO_BRANCH} ${POLICY_HELM_REPO} $$TMP_DIR && \
 	rm -rf ${MCE_CONFIG_DIR}/charts && \
 	mkdir -p ${MCE_CONFIG_DIR}/charts && \
 	cp -r $$TMP_DIR/policy ${MCE_CONFIG_DIR}/charts && \
 	rm -rf $$TMP_DIR
 	@echo "Helm chart imported successfully."
 
-import-chart:
-
-
 .PHONY: deploy helm-chart

acm/README.md

@@ -2,16 +2,26 @@
 
 This folder contains helm charts and automation to managed helm charts for the ACM components `MCE` and `policy`.
 
+## Structure
+
 Installation and configuration are split into two individual helm charts
 
-## multicluster-engine
+### multicluster-engine
 
 This helm chart installs the MCE operator. The chart is autogenerated from an OLM release-bundle of MCE by running `make helm-chart`. The resulting chart is then commited into the repository.
 
 To update MCE, change the `MCE_OPERATOR_BUNDLE_IMAGE` variable in the Makefile. If you are testing pre-releases from the `quay.io/acm-d` organization, make sure the `REGISTRY` env var in the Makefile is set to `${ARO_HCP_IMAGE_ACR}.azurecr.io/acm-d-mce`. For production releases set it to `${ARO_HCP_IMAGE_ACR}.azurecr.io` instead.
 
-## multicluster-engine-config
+### multicluster-engine-config
 
 This helm chart configures MCE and installs the `policy` component on top of it. The subchart for `policy` is imported into this repo by running `make helm-chart`. It can be found [in the ACM upstream Github org](https://github.com/stolostron/mce-install-kube) and is maintained by the ACM team.
 
 Updating `policy` needs to be done with care for now, since the content of the helm chart repo is not tagged. We are working on it.
+
+## Updating charts
+
+To update the `multicluster-engine` chart, lookup the desired install MCE OLM bundle on [https://catalog.redhat.com](https://catalog.redhat.com/software/containers/multicluster-engine/mce-operator-bundle/6160406290fb938ecf6009c6) and update the `MCE_OPERATOR_BUNDLE_IMAGE` variable in `Makefile`.
+
+To update the `multicluster-engine-config/policy` subchart, update the `POLICY_HELM_REPO_BRANCH` variable in the `Makefile` for the desired release.
+
+Run `make helm-chart` to update all charts. Review and commit all changes to the `deploy/helm` directory.

acm/deploy/helm/multicluster-engine-config/charts/policy/Chart.yaml

@@ -1,11 +1,11 @@
 apiVersion: v2
-appVersion: 2.12.0
-version: 2.12.0
+appVersion: v2.12.0
+version: v2.12.0
 description: A Helm chart for ACM addons
 name: policy
 
 dependencies:
 - name: grc
-  version: "2.12.0"
+  version: "v2.12.0"
 - name: cluster-lifecycle
-  version: "2.12.0"
+  version: "v2.12.0"

acm/deploy/helm/multicluster-engine-config/charts/policy/charts/cluster-lifecycle/Chart.yaml

@@ -2,8 +2,8 @@
 # Copyright Contributors to the Open Cluster Management project
 
 apiVersion: v2
-appVersion: 2.12.0
+appVersion: v2.12.0
 description: Helm chart for deploying the cluster lifecycle
 kubeVersion: ">=1.11.0-0"
 name: cluster-lifecycle
-version: 2.12.0
+version: v2.12.0

acm/deploy/helm/multicluster-engine-config/charts/policy/charts/cluster-lifecycle/templates/klusterlet-addon-deployment.yaml

@@ -79,7 +79,7 @@ spec:
       {{- end }}
       containers:
       - name: klusterlet-addon-controller
-        image: "{{ .Values.global.imageOverrides.klusterlet_addon_controller }}"
+        image: "{{ .Values.global.registryOverride}}/{{ .Values.global.imageOverrides.klusterlet_addon_controller }}"
         imagePullPolicy: {{ .Values.global.pullPolicy }}
         securityContext:
           allowPrivilegeEscalation: false

acm/deploy/helm/multicluster-engine-config/charts/policy/charts/grc/Chart.yaml

@@ -2,10 +2,10 @@
 # Copyright Contributors to the Open Cluster Management project
 
 apiVersion: v2
-appVersion: 2.12.0
+appVersion: v2.12.0
 description: A Helm chart for multicloud grc
 keywords:
   - acm
   - grc
 name: grc
-version: 2.12.0
+version: v2.12.0

acm/deploy/helm/multicluster-engine-config/charts/policy/charts/grc/templates/grc-policy-addon-controller.yaml

@@ -69,10 +69,10 @@ spec:
               apiVersion: v1
               fieldPath: metadata.name
         - name: CONFIG_POLICY_CONTROLLER_IMAGE
-          value: {{ .Values.global.imageOverrides.config_policy_controller }}
+          value: "{{ .Values.global.registryOverride}}/{{ .Values.global.imageOverrides.config_policy_controller }}"
         - name: GOVERNANCE_POLICY_FRAMEWORK_ADDON_IMAGE
-          value: {{ .Values.global.imageOverrides.governance_policy_framework_addon }}
-        image: {{ .Values.global.imageOverrides.governance_policy_addon_controller }}
+          value: "{{ .Values.global.registryOverride}}/{{ .Values.global.imageOverrides.governance_policy_framework_addon }}"
+        image: "{{ .Values.global.registryOverride}}/{{ .Values.global.imageOverrides.governance_policy_addon_controller }}"
         imagePullPolicy: IfNotPresent
         name: manager
         resources:

acm/deploy/helm/multicluster-engine-config/charts/policy/charts/grc/templates/grc-policy-propagator.yaml

@@ -81,7 +81,7 @@ spec:
               fieldPath: metadata.name
         - name: OPERATOR_NAME
           value: governance-policy-propagator
-        image: {{ .Values.global.imageOverrides.governance_policy_propagator }}
+        image: "{{ .Values.global.registryOverride}}/{{ .Values.global.imageOverrides.governance_policy_propagator }}"
         imagePullPolicy: IfNotPresent
         livenessProbe:
           exec:

acm/deploy/helm/multicluster-engine-config/charts/policy/charts/grc/values.yaml

@@ -1,6 +1,7 @@
 # Copyright (c) 2020 Red Hat, Inc.
 
 global:
+  registryOverride: ""
   imageOverrides:
     governance_policy_propagator: ""
     governance_policy_addon_controller: ""

acm/deploy/helm/multicluster-engine-config/charts/policy/crds/policy.open-cluster-management.io_policyautomations.yaml

@@ -56,8 +56,8 @@ spec:
                     x-kubernetes-preserve-unknown-fields: true
                   jobTtl:
                     description: >-
-                      JobTTL sets the time to live for the Kubernetes AnsibleJob object after the Ansible job run has
-                      finished.
+                      JobTTL sets the time to live for the Kubernetes Job object after the Ansible job playbook run
+                      has finished.
                     type: integer
                   name:
                     description: Name of the Ansible Template to run in Ansible Automation
@@ -91,6 +91,7 @@ spec:
                 minimum: 0
                 type: integer
               eventHook:
+                default: noncompliant
                 description: >-
                   EventHook specifies the compliance state that initiates automation. This must be set to
                   "noncompliant".
@@ -116,7 +117,6 @@ spec:
                 type: string
             required:
             - automationDef
-            - eventHook
             - mode
             - policyRef
             type: object

acm/deploy/helm/multicluster-engine-config/charts/policy/values.yaml

@@ -1,18 +1,12 @@
 global:
+  registryOverride: "registry.redhat.io"
   imageOverrides:
-    # upstream images
-    governance_policy_propagator: "quay.io/stolostron/governance-policy-propagator:2.12.0-SNAPSHOT-2024-09-30-01-46-06"
-    governance_policy_addon_controller: "quay.io/stolostron/governance-policy-addon-controller:2.12.0-SNAPSHOT-2024-09-30-01-46-06"
-    config_policy_controller: "quay.io/stolostron/config-policy-controller:2.12.0-SNAPSHOT-2024-09-30-01-46-06"
-    governance_policy_framework_addon: "quay.io/stolostron/governance-policy-framework-addon:2.12.0-SNAPSHOT-2024-09-30-01-46-06"
-    klusterlet_addon_controller: "quay.io/stolostron/klusterlet-addon-controller:2.12.0-SNAPSHOT-2024-09-30-01-46-06"
+    governance_policy_propagator: "rhacm2/governance-policy-propagator-rhel9@sha256:f2fa1a7c7af6379eda44a691de57eb59dc8068aadb98504df7ef4a5e059a0cfa"
+    governance_policy_addon_controller: "rhacm2/acm-governance-policy-addon-controller-rhel9@sha256:7b2f432d7ea6b9eb9c4df6df88ae3d5bfc261a8d24a5146a04d3465a41d99e10"
+    config_policy_controller: "rhacm2/config-policy-controller-rhel9@sha256:bad96b2cd7efd604b3ef8092eb72c5a7d33b39732a1a8fe995aa197ead7a5d31"
+    governance_policy_framework_addon: "rhacm2/acm-governance-policy-framework-addon-rhel9@sha256:a5373e3aed5c8e0ac1427599c3801eccd3b4ff4bdc3f9c0cd7083ff3e34433b3"
+    klusterlet_addon_controller: "rhacm2/klusterlet-addon-controller-rhel9@sha256:f8188bc955dbc635031e765fb09015926eb350a7484e6c9f2e0af6020e02aa30"
 
-    # images in ACM 2.11.2
-    # governance_policy_propagator: "registry.redhat.io/rhacm2/governance-policy-propagator-rhel9@sha256:af848e7e31d8ec9b5ad1896a5d5ccc67f320a7740245c190ba8a76757984e65b"
-    # governance_policy_addon_controller: "registry.redhat.io/rhacm2/acm-governance-policy-addon-controller-rhel9@sha256:fc0708f0a6d5266fb544f41b61d9697d370c8c5e297e4e3f13de8656f9c2b049"
-    # config_policy_controller: "registry.redhat.io/rhacm2/config-policy-controller-rhel9@sha256:cecf914d7fb7759a4f512c1ec53a077dcb1c7e405c22a5bf6af1bf5878cf3c42"
-    # governance_policy_framework_addon: "registry.redhat.io/rhacm2/acm-governance-policy-framework-addon-rhel9@sha256:a4880f6e82d2b82606203ea855d0418bb29b3d4535f8bc7a9ef4074258c18674"
-    # klusterlet_addon_controller: "registry.redhat.io/rhacm2/klusterlet-addon-controller-rhel9@sha256:478e3e6cda0d74f43b0f05911d023344108a5cd79d57d5cc9f268ad064848a00"
   namespace: multicluster-engine
   pullSecret: open-cluster-management-image-pull-credentials
 

acm/deploy/helm/multicluster-engine-config/values.yaml

@@ -2,6 +2,9 @@ localCluster:
   kubeApiUrl: https://kubernetes.default.svc
   addonConfig:
     applicationManagerEnabled: false
-    certPolicyControllerEnabled: true
+    certPolicyControllerEnabled: false
     policyControllerEnabled: true
     searchCollectorEnabled: false
+
+global:
+  registryOverride: ""

acm/deploy/helm/multicluster-engine/Chart.yaml

@@ -7,6 +7,6 @@ keywords:
 - multiclusterengine
 name: multicluster-engine
 sources:
-- oci://quay.io/acm-d/mce-operator-bundle:v2.7.0-110
+- oci://registry.redhat.io/multicluster-engine/mce-operator-bundle:v2.7.0-116
 type: application
 version: 2.7.0