feat: support deploying ZTVP from private git repositories#140
Open
minmzzhang wants to merge 4 commits into
Add bootstrap_secrets configuration to values-secret.yaml.template with two options for private repository access:
- Option A: SSH deploy key authentication
- Option B: HTTPS with Personal Access Token (PAT)

Add docs/private-repos.md with step-by-step deployment instructions, verification steps, and troubleshooting guidance.

The common Makefile already supports TOKEN_SECRET and TOKEN_NAMESPACE; this commit provides the pattern-level configuration and documentation.

Signed-off-by: Min Zhang <minzhang@redhat.com>

The ArgoCD repo-server container does not have Git host SSH fingerprints in its known_hosts file, causing "knownhosts: key is unknown" errors. Add insecureIgnoreHostKey field to the SSH bootstrap_secrets template.

Also document:
- DISABLE_VALIDATE_ORIGIN for private repo pre-flight check
- ACM temporary Degraded state during initial install (self-heals)
- SSH known_hosts troubleshooting entry

Signed-off-by: Min Zhang <minzhang@redhat.com>

When deploying from an internal Git host (e.g. gitlab.cee.redhat.com), users must add corporate CAs to proxy/cluster before install. Previously the ztvp-certificates job refused to overwrite a user-set trustedCA, leaving ACS Central unable to trust Keycloak via the ingress CA.

Changes:
- PHASE 8.5: include all extracted CAs (custom, additional, cluster) in the proxy CA bundle, not just ingress + service
- PHASE 8.6: merge existing proxy CA ConfigMap content into ztvp-proxy-ca before taking over trustedCA management
- docs/private-repos.md: document pre-install CA requirement and explain automatic merge behavior
- values-secret.yaml.template: add ACM workaround bootstrap_secrets entry

Signed-off-by: Min Zhang <minzhang@redhat.com>

The duplicate bootstrap_secrets entry targeting openshift-gitops is no longer needed. The VP operator (0.0.70+) copies credentials into vp-gitops and automatically sets global.vpArgoNamespace. The ACM chart 0.2.x reads that variable, so the private-repo policy resolves without any manual override or duplicate secret.

- Remove second bootstrap_secrets entries (SSH and HTTPS workarounds)
- Bump ACM chartVersion from 0.1.* to 0.2.*
- Update docs/private-repos.md and values-secret.yaml.template comments

Signed-off-by: Min Zhang <minzhang@redhat.com>
dd8c6ab to cb9264d
Summary
- `bootstrap_secrets` configuration to `values-secret.yaml.template` for both SSH and HTTPS/PAT authentication to private Git repositories
- `docs/private-repos.md` with step-by-step deployment instructions, verification steps, and troubleshooting guide
- `ztvp-certificates` chart to merge existing proxy CA ConfigMaps (e.g. corporate CAs added pre-install for internal GitLab) into `ztvp-proxy-ca`, ensuring workloads like ACS Central can trust both cluster-internal routes and external hosts without manual intervention

Key features
- `insecureIgnoreHostKey` for ArgoCD repo-server containers
- `chartVersion` from `0.1.*` to `0.2.*` so the `vp-private-hub-policy` reads `global.vpArgoNamespace` (set automatically by the VP operator) instead of hardcoding `openshift-gitops`
- `custom-ca` requirement for internal Git hosts, and the automatic merge into `ztvp-proxy-ca` post-install
- `DISABLE_VALIDATE_ORIGIN` support for skipping local `git ls-remote` pre-flight check

Troubleshooting coverage
- `knownhosts: key is unknown`
- `x509: certificate signed by unknown authority` (internal CAs)
- `authorization failed` (Reporter role + `read_repository` scope required)
- `vp-private-hub-policy NonCompliant`
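The CA-merge behaviour this PR describes (fold the bundle a user put into proxy/cluster's trustedCA before install together with the extracted custom, additional and cluster CAs into one ztvp-proxy-ca ConfigMap, then take over trustedCA) is shown below as an added example. It is not code from the ztvp-certificates chart or from this PR; the PEM bodies are constructed placeholders, and the cluster-side wrapper `fold_into_ztvp_proxy_ca` is a hypothetical sketch that assumes `oc` access and is not executed here. The merge drops duplicate certificate blocks so that a CA present in both the corporate bundle and the extracted set (the ingress CA in the sample) appears once.

```bash
#!/usr/bin/env bash
# Added example, not the ztvp-certificates job's own code: merge several PEM
# bundles into one and drop duplicate certificate blocks, the way an existing
# proxy trustedCA bundle would be folded into ztvp-proxy-ca alongside the CAs
# the job extracts.
set -euo pipefail

# merge_ca_bundles FILE... : print one PEM bundle containing every certificate
# block from the inputs; the first occurrence of a block wins, later duplicates
# (compared on the exact block text) are dropped.
merge_ca_bundles() {
  cat "$@" | awk '
    /-----BEGIN CERTIFICATE-----/ { inblock = 1; block = "" }
    inblock { block = block $0 "\n" }
    /-----END CERTIFICATE-----/ {
      inblock = 0
      if (!(block in seen)) { seen[block] = 1; printf "%s", block }
    }
  '
}

# count_certs FILE : number of certificate blocks in a bundle (0 if none).
count_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# write_sample_bundles DIR : constructed sample inputs (placeholder bodies, not
# real certificates). corporate.pem stands for the bundle added to the proxy
# before install; extracted.pem for what the job extracts. The ingress CA is
# deliberately present in both to exercise the duplicate handling.
write_sample_bundles() {
  local dir=$1
  printf -- '-----BEGIN CERTIFICATE-----\nCORPORATE-ROOT-CA-PLACEHOLDER\n-----END CERTIFICATE-----\n' > "$dir/corporate.pem"
  printf -- '-----BEGIN CERTIFICATE-----\nINGRESS-CA-PLACEHOLDER\n-----END CERTIFICATE-----\n' >> "$dir/corporate.pem"
  printf -- '-----BEGIN CERTIFICATE-----\nINGRESS-CA-PLACEHOLDER\n-----END CERTIFICATE-----\n' > "$dir/extracted.pem"
  printf -- '-----BEGIN CERTIFICATE-----\nSERVICE-CA-PLACEHOLDER\n-----END CERTIFICATE-----\n' >> "$dir/extracted.pem"
}

# fold_into_ztvp_proxy_ca EXTRACTED_PEM... : hypothetical cluster-side wrapper
# (assumes oc access; not run in this example). Reads the ConfigMap that
# proxy/cluster currently names in .spec.trustedCA, merges it with the
# extracted CA files, publishes the result as ztvp-proxy-ca in
# openshift-config (trustedCA ConfigMaps must live there), and points
# proxy/cluster at it.
fold_into_ztvp_proxy_ca() {
  local existing_cm tmp
  tmp=$(mktemp)
  existing_cm=$(oc get proxy cluster -o jsonpath='{.spec.trustedCA.name}')
  if [ -n "$existing_cm" ] && [ "$existing_cm" != "ztvp-proxy-ca" ]; then
    oc get configmap "$existing_cm" -n openshift-config \
      -o jsonpath='{.data.ca-bundle\.crt}' > "$tmp"
  fi
  merge_ca_bundles "$tmp" "$@" > "$tmp.merged"
  oc create configmap ztvp-proxy-ca -n openshift-config \
    --from-file=ca-bundle.crt="$tmp.merged" --dry-run=client -o yaml | oc apply -f -
  oc patch proxy cluster --type=merge \
    -p '{"spec":{"trustedCA":{"name":"ztvp-proxy-ca"}}}'
  rm -f "$tmp" "$tmp.merged"
}
```

Run offline with `d=$(mktemp -d); write_sample_bundles "$d"; merge_ca_bundles "$d/corporate.pem" "$d/extracted.pem"`: the four input blocks collapse to three. Merging rather than replacing is what keeps the corporate CA (needed to reach the internal Git host) trusted after the job takes over trustedCA, which is the failure the PR fixes.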