diff --git a/docs/SYNC-WAVE-INVENTORY.md b/docs/SYNC-WAVE-INVENTORY.md index e2a47083..a7c7a455 100644 --- a/docs/SYNC-WAVE-INVENTORY.md +++ b/docs/SYNC-WAVE-INVENTORY.md @@ -23,11 +23,12 @@ Every sync-wave in the repository, in order. **App** = hub-level Argo CD Applica | 26 | └ ztvp-certificates | chart | distribution-policy (3 resources) | | 26 | └ openshift-storage | ns | Namespace + OperatorGroup | | 26 | └ rhtpa-operator | ns | Namespace + OperatorGroup | +| 26 | └ external-secrets-operator | ns | Namespace + OperatorGroup | | 27 | └ odf | sub | ODF operator install | | 27 | └ rhtpa-operator | sub | RHTPA operator install | +| 27 | └ external-secrets | sub | External Secrets Operator install | | 28 | └ quay-operator | sub | Quay operator install | | 29 | └ rhtas-operator | sub | RHTAS operator install | -| 30 | golang-external-secrets | **App** | | | 30 | zero-trust-workload-identity-manager | **App** | | | 31 | └ rhtpa-operator | chart | ingress-ca-job (SA, Role, RoleBinding, ConfigMap, Job) | | 32 | └ rhtpa-operator | chart | operator-rolebinding (2 bindings) | @@ -101,7 +102,8 @@ Every sync-wave in the repository, in order. **App** = hub-level Argo CD Applica | rhtpa-operator (subscription) | -4 | 27 | After OperatorGroup (26) | | quay-operator (subscription) | -3 | 28 | After ODF operator | | rhtas-operator (subscription) | -2 | 29 | After Quay operator | -| golang-external-secrets | — | 30 | After Vault (newly added) | +| external-secrets-operator (OperatorGroup) | — | 26 | Before operator subscription (newly added) | +| external-secrets (subscription) | — | 27 | After OperatorGroup (26) (newly added) | | zero-trust-workload-identity-manager | — | 30 | After Vault/certs (newly added) | | quay-enterprise (namespace) | 1 | 32 | Before NooBaa and Quay components | | trusted-artifact-signer (namespace) | 1 | 32 | Auto-created by RHTAS operator | @@ -278,3 +280,4 @@ Resources without an explicit sync-wave default to wave 0. These include: pipeli - Template waves are resolved **locally within each app sync**, not globally. A template wave of 32 inside acs-central (app wave 41) does not conflict with a template wave of 32 inside noobaa-mcg (app wave 36); they run independently. - Sync waves control **Application creation order**, not readiness. A later wave means the Application resource is submitted to the hub later, but the earlier app's pods may not be fully running yet. For hard readiness gates, use Argo CD health checks or resource hooks. - **Externalized charts**: Five charts (certmanager, compliance-scanning, keycloak/RHBK, quay-registry, ZTWIM) are maintained in standalone repositories. Their resource-level sync-wave annotations are managed there and pinned via `chartVersion` in `values-hub.yaml`. Application-level sync-waves remain in this repository. +- **External Secrets Operator**: The ESO webhook must be ready before applications with ExternalSecret resources sync. The `rh-keycloak` application now includes `SkipDryRunOnMissingResource=true` to allow sync even if the ESO webhook is temporarily unavailable during initial deployment. An Argo CD health check for `ExternalSecret` resources tracks their Ready condition. diff --git a/values-hub.yaml b/values-hub.yaml index 13a3490d..9729095b 100644 --- a/values-hub.yaml +++ b/values-hub.yaml @@ -57,6 +57,8 @@ clusterGroup: external-secrets-operator: operatorGroup: true targetNamespaces: [] + annotations: + argocd.argoproj.io/sync-wave: "26" # Create before operator subscription external-secrets: keycloak-system: operatorGroup: true @@ -121,6 +123,8 @@ clusterGroup: name: openshift-external-secrets-operator namespace: external-secrets-operator channel: stable-v1 + annotations: + argocd.argoproj.io/sync-wave: "27" # Install after OperatorGroup (26) cert-manager: name: openshift-cert-manager-operator namespace: cert-manager-operator @@ -448,6 +452,8 @@ clusterGroup: - /overrides/values-keycloak-network-policy.yaml annotations: argocd.argoproj.io/sync-wave: "35" + syncOptions: + - SkipDryRunOnMissingResource=true # Allow sync even if ESO webhook is temporarily unavailable # SPIFFE Identity Provider is enabled by default in the rhbk subchart. # Override issuer/jwksUrl only if auto-generated values from cluster domain are not suitable. # Note: overrides must use the rhbk. prefix to reach the subchart. @@ -688,6 +694,40 @@ clusterGroup: return hs group: k8s.keycloak.org kind: KeycloakRealmImport + - check: | + local hs = {} + hs.status = "Progressing" + hs.message = "Waiting for ExternalSecret to sync" + if obj.status ~= nil and obj.status.conditions ~= nil then + for i, condition in ipairs(obj.status.conditions) do + if condition.type == "Ready" and condition.status == "True" then + hs.status = "Healthy" + hs.message = condition.message or "Secret synced" + return hs + end + if condition.type == "Ready" and condition.status == "False" then + hs.status = "Degraded" + hs.message = condition.message or "Secret sync failed" + return hs + end + end + end + return hs + group: external-secrets.io + kind: ExternalSecret + - check: | + local hs = {} + hs.status = "Progressing" + hs.message = "Waiting for application status" + if obj.status ~= nil and obj.status.health ~= nil then + hs.status = obj.status.health.status + if obj.status.health.message ~= nil then + hs.message = obj.status.health.message + end + end + return hs + group: argoproj.io + kind: Application resourceExclusions: | - apiGroups: - internal.open-cluster-management.io