feat: with argocd

README.md

@@ -64,7 +64,7 @@ By default, the following will be provisioned:
 
 * Resource Definitions in Humanitec for:
   * Kubernetes Cluster
-* AWS IAM objects for using the Elastic Container Registry (ECR)
+* AWS IAM objects for using the Elastic Container Registry (ECR) and AWS Secrets Manager
 
 ### Prerequisites
 
@@ -77,7 +77,7 @@ By default, the following will be provisioned:
 
 The OpenShift Reference Architecture does not make any assumptions where your OpenShift platform runs. The cluster API server has to be publicly accessible.
 
-The Reference Architecture uses [AWS ECR](https://docs.aws.amazon.com/AmazonECR/latest/userguide/what-is-ecr.html) to store container images and therefore requires an AWS account.
+The Reference Architecture uses [AWS ECR](https://docs.aws.amazon.com/AmazonECR/latest/userguide/what-is-ecr.html) to store container images and [AWS Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html) to store secrets and therefore requires an AWS account.
 
 ### Usage
 
@@ -200,6 +200,38 @@ Both portal solutions require a GitHub connection, which in turn needs:
 * Open the host in your browser.
 * Click the "Create" button and scaffold your first application.
 
+### Enable ArgoCD (optional)
+
+#### ArgoCD Prerequisites
+
+ArgoCD requires a GitHub connection, which in turn needs:
+
+* A GitHub organization and permission to create new repositories in it. Go to <https://github.com/account/organizations/new> to create a new org (the "Free" option is fine). Note: is has to be an organization, a free account is not sufficient.
+* Create a classic github personal access token with `repo`, `workflow`, `delete_repo` and `admin:org` scope [here](https://github.com/settings/tokens).
+* Set the `GITHUB_TOKEN` environment variable to your token.
+
+  ```shell
+  export GITHUB_TOKEN="my-github-token"
+  ```
+
+* Set the `GITHUB_ORG_ID` environment variable to your GitHub organization ID.
+
+  ```shell
+  export GITHUB_ORG_ID="my-github-org-id"
+  ```
+
+#### ArgoCD Usage
+
+* Enable `with_argocd` inside your `terraform.tfvars` and configure the additional variables that a required for ArgoCD.
+* Perform another `terraform apply`
+
+#### Verify ArgoCD setup
+
+* Run `kubectl -n argocd get routes`
+* Open the host in your browser.
+* Select "Log In Via OpenShift"
+* Deploy a Humanitec Application and within a minute you should see a new Application in ArgoCD being synced.
+
 ### Cleaning up
 
 Once you are finished with the reference architecture, you can remove all provisioned infrastructure and the resource definitions created in Humanitec with the following steps:
@@ -229,6 +261,7 @@ Once you are finished with the reference architecture, you can remove all provis
 | kubectl | ~> 2.0 |
 | kubernetes | ~> 2.30 |
 | random | ~> 3.5 |
+| time | ~> 0.11 |
 | tls | ~> 4.0 |
 
 ### Providers
@@ -242,8 +275,10 @@ Once you are finished with the reference architecture, you can remove all provis
 | Name | Source | Version |
 |------|--------|---------|
 | base | ./modules/base | n/a |
-| github | ./modules/github | n/a |
-| github\_app | ./modules/github-app | n/a |
+| cd\_argocd | ./modules/cd-argocd | n/a |
+| github | github.com/humanitec-architecture/reference-architecture-aws | v2024-06-11//modules/github |
+| github\_app | github.com/humanitec-architecture/shared-terraform-modules | v2024-06-10//modules/github-app |
+| humanitec\_k8s\_connection | ./modules/humanitec-k8s-connection | n/a |
 | portal\_backstage | ./modules/portal-backstage | n/a |
 | portal\_rhdh | ./modules/portal-rhdh | n/a |
 
@@ -265,8 +300,12 @@ Once you are finished with the reference architecture, you can remove all provis
 | kubeconfig | Path to your kubeconfig file | `string` | n/a | yes |
 | kubectx | The context to use from your kubeconfig to connect Terraform providers to the cluster | `string` | n/a | yes |
 | environment | Environment | `string` | `"development"` | no |
+| github\_manifests\_password | GitHub password  to pull & push manifests (required for ArgoCD) | `string` | `null` | no |
+| github\_manifests\_repo | GitHub repository for manifests (required for ArgoCD) | `string` | `"humanitec-app-manifests"` | no |
+| github\_manifests\_username | GitHub username to pull & push manifests (required for ArgoCD) | `string` | `null` | no |
 | github\_org\_id | GitHub org id (required for Backstage and RHDH) | `string` | `null` | no |
 | humanitec\_org\_id | Humanitec Organization ID | `string` | `null` | no |
+| with\_argocd | Deploy ArgoCD | `bool` | `false` | no |
 | with\_backstage | Deploy Backstage | `bool` | `false` | no |
 | with\_rhdh | Deploy Red Hat Developer Hub | `bool` | `false` | no |
 <!-- END_TF_DOCS -->

main.tf

@@ -3,7 +3,6 @@
 module "base" {
   source = "./modules/base"
 
-  apiserver      = var.apiserver
   environment    = var.environment
   basedomain     = var.basedomain
   aws_region     = var.aws_region
@@ -12,6 +11,32 @@ module "base" {
   humanitec_org_id = var.humanitec_org_id
 }
 
+# Connect Humanitec Platform Orchestrator and OpenShift
+
+module "humanitec_k8s_connection" {
+  count = var.with_argocd ? 0 : 1
+
+  source = "./modules/humanitec-k8s-connection"
+
+  apiserver   = var.apiserver
+  environment = var.environment
+  basedomain  = var.basedomain
+}
+
+# Deploy ArgoCD as Deployment Solution
+
+module "cd_argocd" {
+  count = var.with_argocd ? 1 : 0
+
+  source = "./modules/cd-argocd"
+
+  github_org_id             = var.github_org_id
+  github_manifests_repo     = var.github_manifests_repo
+  github_manifests_username = var.github_manifests_username
+  github_manifests_password = var.github_manifests_password
+  basedomain                = var.basedomain
+}
+
 # User used for scaffolding and deploying apps
 
 resource "humanitec_user" "deployer" {
@@ -33,7 +58,7 @@ resource "humanitec_service_user_token" "deployer" {
 module "github" {
   count = var.with_backstage || var.with_rhdh ? 1 : 0
 
-  source = "./modules/github"
+  source = "github.com/humanitec-architecture/reference-architecture-aws?ref=v2024-06-11//modules/github"
 
   humanitec_org_id                = var.humanitec_org_id
   humanitec_ci_service_user_token = humanitec_service_user_token.deployer[0].token
@@ -52,7 +77,7 @@ locals {
 module "github_app" {
   count = var.with_backstage || var.with_rhdh ? 1 : 0
 
-  source = "./modules/github-app"
+  source = "github.com/humanitec-architecture/shared-terraform-modules?ref=v2024-06-10//modules/github-app"
 
   credentials_file = "${path.module}/${local.github_app_credentials_file}"
 }
@@ -64,9 +89,10 @@ module "portal_backstage" {
 
   source = "./modules/portal-backstage"
 
-  humanitec_org_id                = var.humanitec_org_id
-  humanitec_ci_service_user_token = humanitec_service_user_token.deployer[0].token
-  humanitec_secret_store_id       = module.base.humanitec_secret_store_id
+  humanitec_org_id                        = var.humanitec_org_id
+  humanitec_ci_service_user_token         = humanitec_service_user_token.deployer[0].token
+  humanitec_secret_store_id               = module.base.humanitec_secret_store_id
+  humanitec_imagepullsecret_config_res_id = module.base.humanitec_imagepullsecret_config_res_id
 
   github_org_id            = var.github_org_id
   github_app_client_id     = module.github_app[0].client_id

modules/base/README.md

@@ -14,7 +14,7 @@ This module connects an existing Red Hat OpenShift cluster with Humanitec.
 | helm | ~> 2.13 |
 | humanitec | ~> 1.0 |
 | kubectl | ~> 2.0 |
-| kubernetes | ~> 2.30 |
+| kubernetes | ~> 2.0 |
 | random | ~> 3.5 |
 | tls | ~> 4.0 |
 
@@ -26,13 +26,14 @@ This module connects an existing Red Hat OpenShift cluster with Humanitec.
 | helm | ~> 2.13 |
 | humanitec | ~> 1.0 |
 | kubectl | ~> 2.0 |
-| kubernetes | ~> 2.30 |
+| kubernetes | ~> 2.0 |
 | tls | ~> 4.0 |
 
 ### Modules
 
 | Name | Source | Version |
 |------|--------|---------|
+| config\_imagepullsecret | github.com/humanitec-architecture/resource-packs-aws | v2024-06-14//humanitec-resource-defs/config/imagepullsecret |
 | default\_mysql | github.com/humanitec-architecture/resource-packs-in-cluster | v2024-06-07//humanitec-resource-defs/mysql/basic |
 | default\_postgres | github.com/humanitec-architecture/resource-packs-in-cluster | v2024-06-07//humanitec-resource-defs/postgres/basic |
 
@@ -51,29 +52,22 @@ This module connects an existing Red Hat OpenShift cluster with Humanitec.
 | [aws_secretsmanager_secret_version.ecr_pull](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version) | resource |
 | [helm_release.humanitec_operator](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [humanitec_key.operator_public_key](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/key) | resource |
-| [humanitec_resource_definition.default_config_regcred](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition) | resource |
 | [humanitec_resource_definition.default_workload](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition) | resource |
-| [humanitec_resource_definition.k8s_cluster_driver](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition) | resource |
 | [humanitec_resource_definition.k8s_namespace](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition) | resource |
 | [humanitec_resource_definition.rhos_dns](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition) | resource |
 | [humanitec_resource_definition.rhos_ingress](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition) | resource |
-| [humanitec_resource_definition_criteria.default_config_regcred](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
+| [humanitec_resource_definition_criteria.default_config_imagepullsecret](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
 | [humanitec_resource_definition_criteria.default_mysql](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
 | [humanitec_resource_definition_criteria.default_postgres](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
 | [humanitec_resource_definition_criteria.default_workload](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
-| [humanitec_resource_definition_criteria.k8s_cluster_driver](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
 | [humanitec_resource_definition_criteria.k8s_namespace](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
 | [humanitec_resource_definition_criteria.rhos_dns](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
 | [humanitec_resource_definition_criteria.rhos_ingress](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
 | [humanitec_secretstore.main](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/secretstore) | resource |
 | [kubectl_manifest.humanitec_operator_secret_store](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/resources/manifest) | resource |
-| [kubernetes_cluster_role_binding_v1.humanitec_cluster_admin](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role_binding_v1) | resource |
 | [kubernetes_namespace.humanitec_operator](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
-| [kubernetes_namespace_v1.humanitec_system](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace_v1) | resource |
 | [kubernetes_secret.humanitec_operator](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |
 | [kubernetes_secret.humanitec_operator_awssm_credentials](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |
-| [kubernetes_secret_v1.humanitec_service_account](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret_v1) | resource |
-| [kubernetes_service_account_v1.humanitec](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/service_account_v1) | resource |
 | [tls_private_key.operator_private_key](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy_document.humanitec_operator](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
@@ -82,18 +76,17 @@ This module connects an existing Red Hat OpenShift cluster with Humanitec.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| apiserver | The API server URL of your OpenShift cluster | `string` | n/a | yes |
 | aws\_account\_id | AWS Account (ID) | `string` | n/a | yes |
 | aws\_region | AWS region | `string` | n/a | yes |
 | basedomain | Base domain | `string` | n/a | yes |
 | humanitec\_org\_id | Humanitec Organization ID | `string` | n/a | yes |
-| cluster\_res\_def\_name | Cluster Resource Definition Name | `string` | `"ref-arch"` | no |
 | environment | Environment | `string` | `"development"` | no |
 | humanitec\_secret\_store\_id | Humanitec Secret Store ID | `string` | `"ref-arch"` | no |
 
 ### Outputs
 
 | Name | Description |
 |------|-------------|
+| humanitec\_imagepullsecret\_config\_res\_id | Humanitec imagepullsecret config resource id |
 | humanitec\_secret\_store\_id | Humanitec secret store id |
 <!-- END_TF_DOCS -->

modules/base/humanitec-operator.tf

@@ -62,7 +62,7 @@ resource "helm_release" "humanitec_operator" {
 
   repository = "oci://ghcr.io/humanitec/charts"
   chart      = "humanitec-operator"
-  version    = "0.2.4"
+  version    = "0.2.5"
   wait       = true
   timeout    = 300