feat: global constraints (#469)

Author: mikhail-klimko

charts/gitops-runtime/Chart.yaml

@@ -20,26 +20,26 @@ dependencies:
   version: 7.8.23-3-cap-v2.14.9-2025-04-23-4de04dd8
 - name: argo-events
   repository: https://codefresh-io.github.io/argo-helm
-  version: 2.4.7-1-cap-CR-28072
+  version: 2.4.7-2-cap-CR-28072
 - name: argo-workflows
   repository: https://codefresh-io.github.io/argo-helm
-  version: 0.45.2-v3.6.4-cap-CR-27392
+  version: 0.45.4-v3.6.4-cap-CR-27392
   condition: argo-workflows.enabled
 - name: argo-rollouts
   repository: https://codefresh-io.github.io/argo-helm
-  version: 2.37.3-3-v1.7.2-cap-CR-28008
+  version: 2.37.3-4-v1.7.2-cap-CR-28008
   condition: argo-rollouts.enabled
 - name: sealed-secrets
   repository: https://bitnami-labs.github.io/sealed-secrets/
   version: 2.17.2
 - name: codefresh-tunnel-client
   repository: oci://quay.io/codefresh/charts
-  version: 0.1.19
+  version: 0.1.21
   alias: tunnel-client
   condition: tunnel-client.enabled
 - name: codefresh-gitops-operator
   repository: oci://quay.io/codefresh/charts
-  version: 0.5.5
+  version: 0.7.0
   alias: gitops-operator
   condition: gitops-operator.enabled
 - name: garage
@@ -49,4 +49,4 @@ dependencies:
   condition: garage-workflows-artifact-storage.enabled
 - name: cf-argocd-extras
   repository: oci://quay.io/codefresh/charts
-  version: 0.3.20
+  version: 0.3.21

charts/gitops-runtime/templates/_components/cap-app-proxy/_deployment.yaml

@@ -84,15 +84,15 @@ spec:
         - mountPath: /app/config/all
           name: all-certs
           readOnly: true
-      {{- with .Values.nodeSelector }}
+      {{- with .Values.nodeSelector | default .Values.global.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       {{- with .Values.affinity }}
       affinity:
         {{- toYaml . | nindent 8}}
       {{- end }}
-      {{- with .Values.tolerations }}
+      {{- with .Values.tolerations | default .Values.global.tolerations}}
       tolerations:
         {{- toYaml . | nindent 6 }}
       {{- end }}

charts/gitops-runtime/templates/_components/event-reporters/rollout-reporter/_event-source.yaml

@@ -48,15 +48,15 @@ spec:
       {{- end }}
     serviceAccountName: {{ include "event-reporters.rollout-reporter.serviceAccountName" .}}
     tolerations:
-    {{- with .Values.rollout.eventSource.tolerations }}
+    {{- with .Values.rollout.eventSource.tolerations | default .Values.global.tolerations }}
       {{- . | toYaml | nindent 6 }}
     {{- end }}
     nodeSelector:
-    {{- with .Values.rollout.eventSource.nodeSelector }}
+    {{- with .Values.rollout.eventSource.nodeSelector | default .Values.global.nodeSelector }}
       {{- . | toYaml | nindent 6 }}
     {{- end }}
     affinity:
-    {{- with .Values.rollout.eventSource.affinity }}
+    {{- with .Values.affinity }}
       {{- . | toYaml | nindent 6 }}
     {{- end }}
-{{- end }}
+{{- end }}

charts/gitops-runtime/templates/_components/event-reporters/rollout-reporter/_sensor.yaml

@@ -28,15 +28,15 @@ spec:
         {{- . | toYaml | nindent 8 }}
       {{- end }}
     tolerations:
-    {{- with .Values.rollout.sensor.tolerations }}
+    {{- with .Values.rollout.sensor.tolerations | default .Values.global.tolerations }}
       {{- . | toYaml | nindent 6 }}
     {{- end }}
     nodeSelector:
-    {{- with .Values.rollout.sensor.nodeSelector }}
+    {{- with .Values.rollout.sensor.nodeSelector | default .Values.global.nodeSelector}}
       {{- . | toYaml | nindent 6 }}
     {{- end }}
     affinity:
-    {{- with .Values.rollout.sensor.affinity }}
+    {{- with .Values.affinity }}
       {{- . | toYaml | nindent 6 }}
     {{- end }}
   triggers:

charts/gitops-runtime/templates/_components/event-reporters/workflow-reporter/_event-source.yaml

@@ -29,15 +29,15 @@ spec:
       {{- end }}
     serviceAccountName: {{ include "event-reporters.workflow-reporter.serviceAccountName" .}}
     tolerations:
-    {{- with .Values.workflow.eventSource.tolerations }}
+    {{- with .Values.workflow.eventSource.tolerations | default .Values.global.tolerations }}
       {{- toYaml . | nindent 6 }}
     {{- end }}
     nodeSelector:
-    {{- with .Values.workflow.eventSource.nodeSelector }}
+    {{- with .Values.workflow.eventSource.nodeSelector | default .Values.global.nodeSelector }}
       {{- toYaml . | nindent 6 }}
     {{- end }}
     affinity:
-    {{- with .Values.workflow.eventSource.affinity }}
+    {{- with .Values.affinity }}
       {{- toYaml . | nindent 6 }}
     {{- end }}
-{{- end }}
+{{- end }}

charts/gitops-runtime/templates/_components/event-reporters/workflow-reporter/_sensor.yaml

@@ -22,15 +22,15 @@ spec:
         {{- . | toYaml | nindent 8 }}
       {{- end }}
     tolerations:
-    {{- with .Values.workflow.sensor.tolerations }}
+    {{- with .Values.workflow.sensor.tolerations | default .Values.global.tolerations}}
       {{- . | toYaml | nindent 6 }}
     {{- end }}
     nodeSelector:
-    {{- with .Values.workflow.sensor.nodeSelector }}
+    {{- with .Values.workflow.sensor.nodeSelector | default .Values.global.nodeSelector }}
       {{- . | toYaml | nindent 6 }}
     {{- end }}
     affinity:
-    {{- with .Values.workflow.sensor.affinity }}
+    {{- with .Values.affinity }}
       {{- . | toYaml | nindent 6 }}
     {{- end }}
   triggers:

charts/gitops-runtime/templates/_components/internal-router/_deployment.yaml

@@ -70,16 +70,16 @@ spec:
               path: default.conf.template
       - name: log
         emptyDir: { }
-      {{- with .Values.nodeSelector }}
+      {{- with .Values.nodeSelector | default .Values.global.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       {{- with .Values.affinity }}
       affinity:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      {{- with .Values.tolerations }}
+      {{- with .Values.tolerations | default .Values.global.tolerations }}
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-{{- end }}
+{{- end }}

charts/gitops-runtime/templates/app-proxy/_app-proxy-volumes.yaml

@@ -1,6 +1,6 @@
 {{- define "codefresh-gitops-runtime.app-proxy.extra-volumes" }}
 extraVolumes:
-  {{- if or .Values.global.codefresh.tls.caCerts.secret.create .Values.global.codefresh.tls.caCerts.secretKeyRef}}
+  {{- if or .Values.global.codefresh.tls.caCerts.secret.create .Values.global.codefresh.tls.caCerts.secretKeyRef }}
   - name: codefresh-tls-certs
     secret:
       secretName: {{ .Values.global.codefresh.tls.caCerts.secret.create | ternary "codefresh-tls-certs" .Values.global.codefresh.tls.caCerts.secretKeyRef.name }}
@@ -11,7 +11,7 @@ extraVolumes:
 
 {{- define "codefresh-gitops-runtime.app-proxy.init.extra-volume-mounts" }}
 extraVolumeMounts:
-  {{- if or .Values.global.codefresh.tls.caCerts.secret.create .Values.global.codefresh.tls.caCerts.secretKeyRef}}
+  {{- if or .Values.global.codefresh.tls.caCerts.secret.create .Values.global.codefresh.tls.caCerts.secretKeyRef }}
   - mountPath: /app/config/codefresh-tls-certs
     name: codefresh-tls-certs
     readOnly: true

charts/gitops-runtime/templates/app-proxy/deployment.yaml

@@ -1,4 +1,5 @@
 {{- $appProxyContext := deepCopy . }}
+
 {{- $_ := set $appProxyContext "Values" (deepCopy (get .Values "app-proxy")) }}
 {{- $_ := set $appProxyContext.Values "global" (deepCopy (get .Values "global")) }}
 {{- $_ := set $appProxyContext.Values "argo-cd" (get .Values "argo-cd") }}

charts/gitops-runtime/templates/eventbus/codefresh-eventbus.yaml

@@ -11,6 +11,10 @@
 {{- if hasKey $eventBusSpec "annotations" }}
 {{- $eventBusSpec = unset $eventBusSpec "annotations" }}
 {{- end }}
+
+{{- $_ := set $eventBusSpec.nats.native "nodeSelector" ($eventBusSpec.nats.native.nodeSelector | default .Values.global.nodeSelector) }}
+{{- $_ := set $eventBusSpec.nats.native "tolerations" ($eventBusSpec.nats.native.tolerations | default .Values.global.tolerations) }}
+
 apiVersion: argoproj.io/v1alpha1
 kind: EventBus
 metadata:
@@ -21,4 +25,4 @@ metadata:
     app.kubernetes.io/part-of: argo-events
     codefresh.io/internal: "true"
 spec:
-  {{- $eventBusSpec | toYaml | nindent 2}}
+  {{- $eventBusSpec | toYaml | nindent 2}}

charts/gitops-runtime/templates/gitops-operator.yaml

@@ -3,33 +3,6 @@
 {{- if index (get .Values "gitops-operator") "libraryMode" }}
   {{- $gitopsOperatorContext := (deepCopy (index .Subcharts "gitops-operator"))}}
 
-  {{- if and (index .Subcharts "argo-cd") }}
-
-    {{- $argoCDImageDict := index .Subcharts "argo-cd" "Values" "global" "image" }}
-    {{- if not $argoCDImageDict.tag }}
-      {{- $_ := set $argoCDImageDict "tag" (get .Subcharts "argo-cd").Chart.AppVersion }}
-    {{- end }}
-
-    {{/* Set ArgoCD image */}}
-    {{- if not (index .Values "gitops-operator" "argoCdNotifications" "imageOverride") }}
-      {{- $_ := set $gitopsOperatorContext.Values.argoCdNotifications.image "repository" $argoCDImageDict.repository }}
-      {{- $_ := set $gitopsOperatorContext.Values.argoCdNotifications.image "tag" $argoCDImageDict.tag }}
-    {{- end }}
-
-  {{- else if and (index .Values "global" "external-argo-cd" "server" "image") }}
-
-    {{ $argoCDImageDict := (index .Values "global" "external-argo-cd" "server" "image") }}
-
-    {{/* Set ArgoCD image */}}
-    {{- if not (index .Values "gitops-operator" "argoCdNotifications" "imageOverride") }}
-      {{- $_ := set $gitopsOperatorContext.Values.argoCdNotifications.image "repository" (required "ArgoCD is not enabled and .Values.global.external-argo-cd.server.image is not set" $argoCDImageDict.repository) }}
-      {{- $_ := set $gitopsOperatorContext.Values.argoCdNotifications.image "tag" (required "ArgoCD is not enabled and .Values.global.external-argo-cd.server.tag is not set" $argoCDImageDict.tag) }}
-    {{- end }}
-
-  {{- else }}
-      {{- fail "ArgoCD is not enabled and .Values.global.external-argo-cd.server.image is not set"  }}
-  {{- end }}
-
   {{- if and (not (index .Values "argo-cd" "enabled")) }}
 
     {{- if and (eq (index .Values "global" "external-argo-cd" "auth" "type") "token") }}
@@ -45,10 +18,6 @@
     {{- end }}
   {{- end }}
 
-  {{/* Set repo server service and port */}}
-  {{- $_ := set $gitopsOperatorContext.Values.argoCdNotifications.argocd.repoServer "fullname" (include "codefresh-gitops-runtime.argocd.reposerver.servicename" . ) }}
-  {{- $_ := set $gitopsOperatorContext.Values.argoCdNotifications.argocd.repoServer "port" (include "codefresh-gitops-runtime.argocd.reposerver.serviceport" . ) }}
-
   {{/* Set argo-cd-server service and port */}}
   {{ if not (index .Values "gitops-operator").env.ARGO_CD_URL }}
     {{- $_ := set $gitopsOperatorContext.Values.env "ARGO_CD_URL" (include "codefresh-gitops-runtime.argocd.server.no-protocol-url" . ) }}

charts/gitops-runtime/templates/hooks/pre-install/validate-usage.yaml

@@ -37,7 +37,7 @@ spec:
             fieldRef:
               fieldPath: metadata.namespace
         command: ["sh", "-c"]
-        args: 
+        args:
         - |
           cf account validate-usage --fail-condition=reached --subject=clusters --values /job_tmp/values.yaml --namespace ${NAMESPACE} --hook --log-level debug
         volumeMounts:
@@ -47,4 +47,13 @@ spec:
         - name: validate-usage-volume
           configMap:
             name: validate-usage-config
+      {{- with .Values.installer.nodeSelector | default .Values.global.nodeSelector }}
+      nodeSelector: {{ toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.installer.tolerations | default .Values.global.tolerations}}
+      tolerations: {{ toYaml . | nindent 6 }}
+      {{- end }}
+      {{- with .Values.installer.affinity }}
+      affinity: {{ toYaml . | nindent 8 }}
+      {{- end }}
 {{- end }}

charts/gitops-runtime/templates/hooks/pre-install/validate-values.yaml

@@ -174,5 +174,14 @@ spec:
       volumes:
       - name: customized-values
         configMap:
-          name: validate-values-config  
+          name: validate-values-config
+      {{- with .Values.installer.nodeSelector | default .Values.global.nodeSelector }}
+      nodeSelector: {{ toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.installer.tolerations | default .Values.global.tolerations}}
+      tolerations: {{ toYaml . | nindent 6 }}
+      {{- end }}
+      {{- with .Values.installer.affinity }}
+      affinity: {{ toYaml . | nindent 8 }}
+      {{- end }}
 {{- end }}

charts/gitops-runtime/templates/hooks/pre-uninstall/cleanup-resources.yaml

@@ -16,9 +16,18 @@ spec:
         image: "{{ .Values.installer.image.repository }}:{{ .Values.installer.image.tag | default .Chart.Version }}"
         imagePullPolicy: {{ .Values.installer.image.pullPolicy }}
         command: ["sh", "-c"]
-        args: 
+        args:
         - |
           kubectl patch EventBus $(kubectl get eventbus -l codefresh.io/internal=true | awk 'NR>1{print $1}' | xargs) -p '{"metadata":{"finalizers":null}}' --type=merge && \
           kubectl patch Eventsource $(kubectl get EventSource -l codefresh.io/internal=true | awk 'NR>1{print $1}' | xargs) -p '{"metadata":{"finalizers":null}}' --type=merge && \
           kubectl patch Sensor $(kubectl get Sensor -l codefresh.io/internal=true | awk 'NR>1{print $1}' | xargs) -p '{"metadata":{"finalizers":null}}' --type=merge ;
           return 0
+      {{- with .Values.installer.nodeSelector | default .Values.global.nodeSelector }}
+      nodeSelector: {{ toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.installer.tolerations | default .Values.global.tolerations}}
+      tolerations: {{ toYaml . | nindent 6 }}
+      {{- end }}
+      {{- with .Values.installer.affinity }}
+      affinity: {{ toYaml . | nindent 8 }}
+      {{- end }}

charts/gitops-runtime/templates/hooks/pre-uninstall/delete-runtime-from-platform.yaml

@@ -4,6 +4,7 @@
   {{- $customCASecretName = .Values.global.codefresh.tls.caCerts.secret.create | ternary "codefresh-tls-certs" .Values.global.codefresh.tls.caCerts.secretKeyRef.name }}
   {{- $customCASecretKey = .Values.global.codefresh.tls.caCerts.secret.create | ternary (default "ca-bundle.crt" .Values.global.codefresh.tls.caCerts.secret.key) .Values.global.codefresh.tls.caCerts.secretKeyRef.key }}
 {{- end }}
+---
 apiVersion: batch/v1
 kind: Job
 metadata:
@@ -38,7 +39,7 @@ spec:
           readOnly: true
 {{- end }}
         command: ["sh", "-c"]
-        args: 
+        args:
         - |
           if [ ! -z "$USER_TOKEN" ]; then
             curl ${PLATFORM_URL}/2.0/api/graphql -H "Authorization: ${USER_TOKEN}" -H "Content-Type: application/json" -d "{\"query\": \"mutation deleteRuntime(\$name: String"'!'") {\n  deleteRuntime(name: \$name) }\",\"variables\": {\"name\": \"${RUNTIME_NAME}\"}}"
@@ -54,3 +55,12 @@ spec:
           defaultMode: 420
           optional: true
 {{- end }}
+      {{- with .Values.installer.nodeSelector | default .Values.global.nodeSelector }}
+      nodeSelector: {{ toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.installer.tolerations | default .Values.global.tolerations}}
+      tolerations: {{ toYaml . | nindent 6 }}
+      {{- end }}
+      {{- with .Values.installer.affinity }}
+      affinity: {{ toYaml . | nindent 8 }}
+      {{- end }}

charts/gitops-runtime/templates/ingress.yaml

@@ -18,6 +18,9 @@ metadata:
   name: codefresh-gitops-runtime
   labels:
     {{- include "codefresh-gitops-runtime.labels" . | nindent 4 }}
+  {{- with .Values.global.runtime.ingress.labels }}
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
   {{- with .Values.global.runtime.ingress.annotations }}
   annotations:
     {{- toYaml . | nindent 4 }}
@@ -63,6 +66,6 @@ spec:
               port:
                 number: 80
           path: /app-proxy
-          pathType: Prefix  
+          pathType: Prefix
     {{- end }}
-{{- end }}
+{{- end }}