From 4c870356dab41631171b75c9a7540370da0ad805 Mon Sep 17 00:00:00 2001 From: Min Zhang Date: Fri, 20 Mar 2026 10:22:44 -0400 Subject: [PATCH 1/4] fix: offset all Argo CD sync-wave values by +31 to ensure positive waves The Validated Patterns operator now applies the Argo CD super-role (ClusterRole) later in the deployment lifecycle. Resources annotated with negative sync-wave values could attempt to sync before the role existed, causing failures. This adds +31 to every argocd.argoproj.io/sync-wave annotation across all charts, values-hub.yaml, and docs. Relative ordering is preserved; the smallest wave is now 1 (was -30). Inline comments referencing old wave numbers are updated to match. See docs/SYNC-WAVE-INVENTORY.md for a full old/current mapping table. 
Signed-off-by: Min Zhang --- .../templates/admin-password-secret.yaml | 2 +- charts/acs-central/templates/central-cr.yaml | 2 +- .../central-htpasswd-external-secret.yaml | 2 +- .../acs-central/templates/console-link.yaml | 2 +- .../templates/jobs/create-auth-provider.yaml | 2 +- .../jobs/create-cluster-init-bundle.yaml | 2 +- .../templates/jobs/create-htpasswd-field.yaml | 2 +- ...eycloak-client-secret-external-secret.yaml | 2 +- .../rbac/cluster-init-clusterrole.yaml | 2 +- .../rbac/cluster-init-clusterrolebinding.yaml | 2 +- .../templates/rbac/cluster-init-role.yaml | 2 +- .../rbac/cluster-init-rolebinding.yaml | 2 +- .../rbac/cluster-init-serviceaccount.yaml | 2 +- .../templates/secured-cluster-cr.yaml | 2 +- charts/noobaa-mcg/templates/bucket-class.yaml | 2 +- .../templates/default-backingstore.yaml | 2 +- .../noobaa-mcg/templates/noobaa-system.yaml | 2 +- charts/qtodo/templates/app-deployment.yaml | 2 +- charts/qtodo/templates/app-service.yaml | 2 +- .../qtodo/templates/postgresql-service.yaml | 2 +- .../templates/postgresql-statefulset.yaml | 2 +- .../templates/qtodo-truststore-config.yaml | 2 +- .../truststore-secret-external-secret.yaml | 2 +- .../rhtas-operator/templates/securesign.yaml | 2 +- .../templates/ingress-ca-job.yaml | 12 +- .../templates/object-bucket-claim.yaml | 2 +- .../templates/oidc-cli-secret.yaml | 2 +- .../templates/operator-readiness-check.yaml | 6 +- .../templates/operator-rolebinding.yaml | 4 +- .../templates/postgresql-external-secret.yaml | 2 +- .../templates/postgresql-service.yaml | 2 +- .../templates/postgresql-serviceaccount.yaml | 2 +- .../templates/postgresql-statefulset.yaml | 2 +- .../templates/s3-credentials-secret.yaml | 2 +- .../templates/spiffe-helper-config.yaml | 2 +- .../templates/trusted-profile-analyzer.yaml | 6 +- charts/supply-chain/templates/workspaces.yaml | 2 +- .../templates/ca-extraction-cronjob.yaml | 2 +- .../templates/ca-extraction-job-initial.yaml | 2 +- .../templates/configmap-script.yaml | 2 +- 
.../templates/distribution-policy.yaml | 6 +- .../templates/managedclusterset-binding.yaml | 2 +- charts/ztvp-certificates/templates/rbac.yaml | 14 +- docs/DEVELOPMENT.md | 2 +- docs/SYNC-WAVE-INVENTORY.md | 146 ++++++++++++++++++ values-hub.yaml | 38 ++--- 46 files changed, 227 insertions(+), 81 deletions(-) create mode 100644 docs/SYNC-WAVE-INVENTORY.md diff --git a/charts/acs-central/templates/admin-password-secret.yaml b/charts/acs-central/templates/admin-password-secret.yaml index 1d9c3d67..cc7ea336 100644 --- a/charts/acs-central/templates/admin-password-secret.yaml +++ b/charts/acs-central/templates/admin-password-secret.yaml @@ -7,7 +7,7 @@ metadata: labels: {{- include "acs-central.labels" . | nindent 4 }} annotations: - argocd.argoproj.io/sync-wave: "5" + argocd.argoproj.io/sync-wave: "36" type: Opaque stringData: password: {{ .Values.central.adminPassword.password | default (randAlphaNum 32) | quote }} diff --git a/charts/acs-central/templates/central-cr.yaml b/charts/acs-central/templates/central-cr.yaml index 6d0b503e..6b91dac4 100644 --- a/charts/acs-central/templates/central-cr.yaml +++ b/charts/acs-central/templates/central-cr.yaml @@ -7,7 +7,7 @@ metadata: labels: {{- include "acs-central.labels" . | nindent 4 }} annotations: - argocd.argoproj.io/sync-wave: "10" + argocd.argoproj.io/sync-wave: "41" argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true spec: central: diff --git a/charts/acs-central/templates/central-htpasswd-external-secret.yaml b/charts/acs-central/templates/central-htpasswd-external-secret.yaml index f91c2718..78565afb 100644 --- a/charts/acs-central/templates/central-htpasswd-external-secret.yaml +++ b/charts/acs-central/templates/central-htpasswd-external-secret.yaml @@ -7,7 +7,7 @@ metadata: labels: {{- include "acs-central.labels" . | nindent 4 }} annotations: - argocd.argoproj.io/sync-wave: "5" + argocd.argoproj.io/sync-wave: "36" spec: refreshInterval: 15s secretStoreRef: 
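Review bot: The `password:` line of the admin-password-secret hunk falls back to `randAlphaNum 32` whenever `central.adminPassword.password` is unset, and Argo CD re-renders the chart on every refresh, so unless something outside this hunk pins the value (an `ignoreDifferences` entry for the Secret, or a `lookup` of the existing object) the admin credential is regenerated on each sync and the Secret stays perpetually OutOfSync. Moving it to wave 36 does not change that. Either document the expectation next to the line, e.g. `# Fallback regenerates on every render; requires ignoreDifferences on this Secret`, or source the value through the same ExternalSecret mechanism the htpasswd secret in this patch already uses at wave 36.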
diff --git a/charts/acs-central/templates/console-link.yaml b/charts/acs-central/templates/console-link.yaml index 9c613435..3030fa41 100644 --- a/charts/acs-central/templates/console-link.yaml +++ b/charts/acs-central/templates/console-link.yaml @@ -6,7 +6,7 @@ metadata: labels: {{- include "acs-central.labels" . | nindent 4 }} annotations: - argocd.argoproj.io/sync-wave: "15" + argocd.argoproj.io/sync-wave: "46" spec: href: https://central-{{ .Release.Namespace }}.{{ .Values.global.localClusterDomain }} location: ApplicationMenu diff --git a/charts/acs-central/templates/jobs/create-auth-provider.yaml b/charts/acs-central/templates/jobs/create-auth-provider.yaml index e35ae8ad..46af4787 100644 --- a/charts/acs-central/templates/jobs/create-auth-provider.yaml +++ b/charts/acs-central/templates/jobs/create-auth-provider.yaml @@ -7,7 +7,7 @@ metadata: labels: {{- include "acs-central.labels" . | nindent 4 }} annotations: - argocd.argoproj.io/sync-wave: "13" + argocd.argoproj.io/sync-wave: "44" spec: template: metadata: diff --git a/charts/acs-central/templates/jobs/create-cluster-init-bundle.yaml b/charts/acs-central/templates/jobs/create-cluster-init-bundle.yaml index aa3accae..b3def310 100644 --- a/charts/acs-central/templates/jobs/create-cluster-init-bundle.yaml +++ b/charts/acs-central/templates/jobs/create-cluster-init-bundle.yaml @@ -14,7 +14,7 @@ metadata: {{- include "acs-central.labels" . | nindent 4 }} annotations: argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "12" + argocd.argoproj.io/sync-wave: "43" spec: template: metadata: diff --git a/charts/acs-central/templates/jobs/create-htpasswd-field.yaml b/charts/acs-central/templates/jobs/create-htpasswd-field.yaml index e17a6e44..64377dce 100644 --- a/charts/acs-central/templates/jobs/create-htpasswd-field.yaml +++ b/charts/acs-central/templates/jobs/create-htpasswd-field.yaml 
@@ -7,7 +7,7 @@ metadata: labels: {{- include "acs-central.labels" . | nindent 4 }} annotations: - argocd.argoproj.io/sync-wave: "6" + argocd.argoproj.io/sync-wave: "37" spec: template: metadata: diff --git a/charts/acs-central/templates/keycloak-client-secret-external-secret.yaml b/charts/acs-central/templates/keycloak-client-secret-external-secret.yaml index 95c20680..b4bf367c 100644 --- a/charts/acs-central/templates/keycloak-client-secret-external-secret.yaml +++ b/charts/acs-central/templates/keycloak-client-secret-external-secret.yaml @@ -7,7 +7,7 @@ metadata: labels: {{- include "acs-central.labels" . | nindent 4 }} annotations: - argocd.argoproj.io/sync-wave: "5" + argocd.argoproj.io/sync-wave: "36" spec: refreshInterval: 15s secretStoreRef: diff --git a/charts/acs-central/templates/rbac/cluster-init-clusterrole.yaml b/charts/acs-central/templates/rbac/cluster-init-clusterrole.yaml index d8d00206..daec73df 100644 --- a/charts/acs-central/templates/rbac/cluster-init-clusterrole.yaml +++ b/charts/acs-central/templates/rbac/cluster-init-clusterrole.yaml @@ -5,7 +5,7 @@ metadata: labels: {{- include "acs-central.labels" . | nindent 4 }} annotations: - argocd.argoproj.io/sync-wave: "1" + argocd.argoproj.io/sync-wave: "32" rules: - apiGroups: ["console.openshift.io"] resources: ["consolelinks"] diff --git a/charts/acs-central/templates/rbac/cluster-init-clusterrolebinding.yaml b/charts/acs-central/templates/rbac/cluster-init-clusterrolebinding.yaml index 7b53f6b4..d05af3da 100644 --- a/charts/acs-central/templates/rbac/cluster-init-clusterrolebinding.yaml +++ b/charts/acs-central/templates/rbac/cluster-init-clusterrolebinding.yaml @@ -5,7 +5,7 @@ metadata: labels: {{- include "acs-central.labels" . | nindent 4 }} annotations: - argocd.argoproj.io/sync-wave: "1" + argocd.argoproj.io/sync-wave: "32" roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole 
diff --git a/charts/acs-central/templates/rbac/cluster-init-role.yaml b/charts/acs-central/templates/rbac/cluster-init-role.yaml index 59cbef16..5355d0de 100644 --- a/charts/acs-central/templates/rbac/cluster-init-role.yaml +++ b/charts/acs-central/templates/rbac/cluster-init-role.yaml @@ -6,7 +6,7 @@ metadata: labels: {{- include "acs-central.labels" . | nindent 4 }} annotations: - argocd.argoproj.io/sync-wave: "1" + argocd.argoproj.io/sync-wave: "32" rules: - apiGroups: - "" diff --git a/charts/acs-central/templates/rbac/cluster-init-rolebinding.yaml b/charts/acs-central/templates/rbac/cluster-init-rolebinding.yaml index 72190af6..1c36884e 100644 --- a/charts/acs-central/templates/rbac/cluster-init-rolebinding.yaml +++ b/charts/acs-central/templates/rbac/cluster-init-rolebinding.yaml @@ -6,7 +6,7 @@ metadata: labels: {{- include "acs-central.labels" . | nindent 4 }} annotations: - argocd.argoproj.io/sync-wave: "1" + argocd.argoproj.io/sync-wave: "32" roleRef: apiGroup: rbac.authorization.k8s.io kind: Role diff --git a/charts/acs-central/templates/rbac/cluster-init-serviceaccount.yaml b/charts/acs-central/templates/rbac/cluster-init-serviceaccount.yaml index c8d8c031..c945e46d 100644 --- a/charts/acs-central/templates/rbac/cluster-init-serviceaccount.yaml +++ b/charts/acs-central/templates/rbac/cluster-init-serviceaccount.yaml @@ -6,4 +6,4 @@ metadata: labels: {{- include "acs-central.labels" . | nindent 4 }} annotations: - argocd.argoproj.io/sync-wave: "1" \ No newline at end of file + argocd.argoproj.io/sync-wave: "32" \ No newline at end of file diff --git a/charts/acs-secured-cluster/templates/secured-cluster-cr.yaml b/charts/acs-secured-cluster/templates/secured-cluster-cr.yaml index abf479a5..8b8bbc82 100644 --- a/charts/acs-secured-cluster/templates/secured-cluster-cr.yaml +++ b/charts/acs-secured-cluster/templates/secured-cluster-cr.yaml 
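Review bot: The rewritten annotation line in cluster-init-serviceaccount.yaml still carries `\ No newline at end of file` on both sides of the hunk. Since the patch rewrites that exact line, terminating it with a newline would cost nothing, silence yamllint's `new-line-at-end-of-file`, and stop the marker from recurring in future diffs of this file. Purely stylistic; no behavioral effect.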
@@ -6,7 +6,7 @@ metadata: labels: {{- include "acs-secured-cluster.labels" . | nindent 4 }} annotations: - argocd.argoproj.io/sync-wave: "15" + argocd.argoproj.io/sync-wave: "46" argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true spec: clusterName: {{ .Values.clusterName | default .Values.global.clusterName | quote }} diff --git a/charts/noobaa-mcg/templates/bucket-class.yaml b/charts/noobaa-mcg/templates/bucket-class.yaml index abc1d832..ac7e114f 100644 --- a/charts/noobaa-mcg/templates/bucket-class.yaml +++ b/charts/noobaa-mcg/templates/bucket-class.yaml @@ -5,7 +5,7 @@ metadata: name: {{ .Values.noobaa.bucketClass.name }} namespace: {{ .Values.noobaa.namespace }} annotations: - argocd.argoproj.io/sync-wave: "3" # Layer 1: Create BucketClass + argocd.argoproj.io/sync-wave: "34" # Layer 1: Create BucketClass spec: placementPolicy: tiers: diff --git a/charts/noobaa-mcg/templates/default-backingstore.yaml b/charts/noobaa-mcg/templates/default-backingstore.yaml index 66169475..82ecb167 100644 --- a/charts/noobaa-mcg/templates/default-backingstore.yaml +++ b/charts/noobaa-mcg/templates/default-backingstore.yaml @@ -4,7 +4,7 @@ metadata: name: noobaa-default-backing-store namespace: {{ .Values.noobaa.namespace }} annotations: - argocd.argoproj.io/sync-wave: "1" + argocd.argoproj.io/sync-wave: "32" spec: type: pv-pool pvPool: diff --git a/charts/noobaa-mcg/templates/noobaa-system.yaml b/charts/noobaa-mcg/templates/noobaa-system.yaml index 05c70a5b..a8a1ff52 100644 --- a/charts/noobaa-mcg/templates/noobaa-system.yaml +++ b/charts/noobaa-mcg/templates/noobaa-system.yaml @@ -5,7 +5,7 @@ metadata: name: {{ .Values.noobaa.system.name }} namespace: {{ .Values.noobaa.namespace }} annotations: - argocd.argoproj.io/sync-wave: "2" # Layer 1: Deploy NooBaa System + argocd.argoproj.io/sync-wave: "33" # Layer 1: Deploy NooBaa System spec: tolerations: - key: "node.ocs.openshift.io/storage" 
diff --git a/charts/qtodo/templates/app-deployment.yaml b/charts/qtodo/templates/app-deployment.yaml index 0da099c3..41dc0355 100644 --- a/charts/qtodo/templates/app-deployment.yaml +++ b/charts/qtodo/templates/app-deployment.yaml @@ -2,7 +2,7 @@ apiVersion: apps/v1 kind: Deployment metadata: annotations: - argocd.argoproj.io/sync-wave: '20' + argocd.argoproj.io/sync-wave: '51' labels: app: qtodo ztvp.io/uses-certificates: "true" diff --git a/charts/qtodo/templates/app-service.yaml b/charts/qtodo/templates/app-service.yaml index 2ff0888c..ecb46edb 100644 --- a/charts/qtodo/templates/app-service.yaml +++ b/charts/qtodo/templates/app-service.yaml @@ -2,7 +2,7 @@ apiVersion: v1 kind: Service metadata: annotations: - argocd.argoproj.io/sync-wave: '20' + argocd.argoproj.io/sync-wave: '51' labels: app: qtodo name: qtodo diff --git a/charts/qtodo/templates/postgresql-service.yaml b/charts/qtodo/templates/postgresql-service.yaml index bec98037..af348046 100644 --- a/charts/qtodo/templates/postgresql-service.yaml +++ b/charts/qtodo/templates/postgresql-service.yaml @@ -2,7 +2,7 @@ apiVersion: v1 kind: Service metadata: annotations: - argocd.argoproj.io/sync-wave: '10' + argocd.argoproj.io/sync-wave: '41' labels: app: qtodo-db name: qtodo-db diff --git a/charts/qtodo/templates/postgresql-statefulset.yaml b/charts/qtodo/templates/postgresql-statefulset.yaml index 52e99db0..f93726f3 100644 --- a/charts/qtodo/templates/postgresql-statefulset.yaml +++ b/charts/qtodo/templates/postgresql-statefulset.yaml @@ -2,7 +2,7 @@ apiVersion: apps/v1 kind: StatefulSet metadata: annotations: - argocd.argoproj.io/sync-wave: '10' + argocd.argoproj.io/sync-wave: '41' labels: app: qtodo-db name: qtodo-db diff --git a/charts/qtodo/templates/qtodo-truststore-config.yaml b/charts/qtodo/templates/qtodo-truststore-config.yaml index 9678f9e4..42b15a83 100644 --- a/charts/qtodo/templates/qtodo-truststore-config.yaml +++ b/charts/qtodo/templates/qtodo-truststore-config.yaml 
@@ -6,7 +6,7 @@ metadata: name: qtodo-truststore-java namespace: qtodo annotations: - argocd.argoproj.io/sync-wave: '10' + argocd.argoproj.io/sync-wave: '41' labels: app: qtodo app.kubernetes.io/component: truststore-init diff --git a/charts/qtodo/templates/truststore-secret-external-secret.yaml b/charts/qtodo/templates/truststore-secret-external-secret.yaml index 7b641acd..2ba88006 100644 --- a/charts/qtodo/templates/truststore-secret-external-secret.yaml +++ b/charts/qtodo/templates/truststore-secret-external-secret.yaml @@ -5,7 +5,7 @@ metadata: name: qtodo-truststore-secret namespace: {{ .Release.Namespace }} annotations: - argocd.argoproj.io/sync-wave: '5' + argocd.argoproj.io/sync-wave: '36' spec: refreshInterval: 15s secretStoreRef: diff --git a/charts/rhtas-operator/templates/securesign.yaml b/charts/rhtas-operator/templates/securesign.yaml index c3a4e80a..4f55124e 100644 --- a/charts/rhtas-operator/templates/securesign.yaml +++ b/charts/rhtas-operator/templates/securesign.yaml @@ -8,7 +8,7 @@ metadata: labels: {{- include "rhtas-operator.labels" . | nindent 4 }} annotations: - argocd.argoproj.io/sync-wave: "15" # Deploy after namespace and operator + argocd.argoproj.io/sync-wave: "46" # Deploy after namespace and operator {{- if .Values.rhtas.monitoring.enabled }} rhtas.redhat.com/metrics: "true" {{- end }} diff --git a/charts/rhtpa-operator/templates/ingress-ca-job.yaml b/charts/rhtpa-operator/templates/ingress-ca-job.yaml index c81b7fde..d39163c0 100644 --- a/charts/rhtpa-operator/templates/ingress-ca-job.yaml +++ b/charts/rhtpa-operator/templates/ingress-ca-job.yaml @@ -6,7 +6,7 @@ metadata: name: rhtpa-ingress-ca-extractor namespace: {{ .Values.rhtpa.namespace }} annotations: - argocd.argoproj.io/sync-wave: "0" + argocd.argoproj.io/sync-wave: "31" argocd.argoproj.io/hook: PreSync --- apiVersion: rbac.authorization.k8s.io/v1 
@@ -15,7 +15,7 @@ metadata: name: rhtpa-ingress-ca-extractor namespace: {{ .Values.rhtpa.namespace }} annotations: - argocd.argoproj.io/sync-wave: "0" + argocd.argoproj.io/sync-wave: "31" argocd.argoproj.io/hook: PreSync rules: - apiGroups: [""] @@ -28,7 +28,7 @@ metadata: name: rhtpa-ingress-ca-extractor namespace: {{ .Values.rhtpa.namespace }} annotations: - argocd.argoproj.io/sync-wave: "0" + argocd.argoproj.io/sync-wave: "31" argocd.argoproj.io/hook: PreSync roleRef: apiGroup: rbac.authorization.k8s.io @@ -44,7 +44,7 @@ kind: ClusterRole metadata: name: rhtpa-ingress-ca-reader annotations: - argocd.argoproj.io/sync-wave: "0" + argocd.argoproj.io/sync-wave: "31" argocd.argoproj.io/hook: PreSync rules: # Read ingress CA from router secret (default or custom) @@ -66,7 +66,7 @@ kind: ClusterRoleBinding metadata: name: rhtpa-ingress-ca-reader-{{ .Values.rhtpa.namespace }} annotations: - argocd.argoproj.io/sync-wave: "0" + argocd.argoproj.io/sync-wave: "31" argocd.argoproj.io/hook: PreSync roleRef: apiGroup: rbac.authorization.k8s.io @@ -83,7 +83,7 @@ metadata: name: rhtpa-ingress-ca-extractor namespace: {{ .Values.rhtpa.namespace }} annotations: - argocd.argoproj.io/sync-wave: "2" + argocd.argoproj.io/sync-wave: "33" argocd.argoproj.io/hook: PreSync argocd.argoproj.io/hook-delete-policy: BeforeHookCreation spec: diff --git a/charts/rhtpa-operator/templates/object-bucket-claim.yaml b/charts/rhtpa-operator/templates/object-bucket-claim.yaml index 6a30ffaa..4586e2e5 100644 --- a/charts/rhtpa-operator/templates/object-bucket-claim.yaml +++ b/charts/rhtpa-operator/templates/object-bucket-claim.yaml 
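Review bot: Every resource in ingress-ca-job.yaml is annotated `argocd.argoproj.io/hook: PreSync`, but only the Job in the last hunk sets `argocd.argoproj.io/hook-delete-policy: BeforeHookCreation`; the ServiceAccount, Role, RoleBinding, ClusterRole and ClusterRoleBinding are hooks with no delete policy, so they are not removed when the hook phase finishes and the extractor's cluster-wide grant to read the router secret (per the rule comment; the rule body is outside the hunk) persists between syncs rather than for the lifetime of the job. Consider `argocd.argoproj.io/hook-delete-policy: HookSucceeded` on the RBAC objects, or making them regular sync resources so they are pruned and drift-checked like the rest of the chart. Separately, hook resources run in the PreSync phase before any regular-wave resource regardless of wave number, so the +31 offset here only orders these hooks relative to each other; if the super-role timing described in the commit message affects this phase, raising the waves will not move them past it.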
@@ -6,7 +6,7 @@ metadata: name: {{ .Values.rhtpa.objectStorage.objectBucketClaim.name }} namespace: {{ .Values.rhtpa.namespace }} annotations: - argocd.argoproj.io/sync-wave: "5" # Create OBC after NooBaa system is ready + argocd.argoproj.io/sync-wave: "36" # Create OBC after NooBaa system is ready spec: generateBucketName: {{ .Values.rhtpa.objectStorage.objectBucketClaim.bucketName }} storageClassName: {{ .Values.rhtpa.objectStorage.objectBucketClaim.storageClass }} diff --git a/charts/rhtpa-operator/templates/oidc-cli-secret.yaml b/charts/rhtpa-operator/templates/oidc-cli-secret.yaml index 5f1255b0..01fb306a 100644 --- a/charts/rhtpa-operator/templates/oidc-cli-secret.yaml +++ b/charts/rhtpa-operator/templates/oidc-cli-secret.yaml @@ -8,7 +8,7 @@ metadata: labels: {{- include "rhtpa-operator.labels" . | nindent 4 }} annotations: - argocd.argoproj.io/sync-wave: "3" # Create before RHTPA CR + argocd.argoproj.io/sync-wave: "34" # Create before RHTPA CR spec: refreshInterval: 15s secretStoreRef: diff --git a/charts/rhtpa-operator/templates/operator-readiness-check.yaml b/charts/rhtpa-operator/templates/operator-readiness-check.yaml index 1c704cf2..059c0da7 100644 --- a/charts/rhtpa-operator/templates/operator-readiness-check.yaml +++ b/charts/rhtpa-operator/templates/operator-readiness-check.yaml @@ -10,7 +10,7 @@ metadata: labels: {{- include "rhtpa-operator.labels" . | nindent 4 }} annotations: - argocd.argoproj.io/sync-wave: "40" # Before CR creation (wave 50) + argocd.argoproj.io/sync-wave: "71" # Before CR creation (wave 81) policy.open-cluster-management.io/standards: NIST SP 800-53 policy.open-cluster-management.io/categories: CM Configuration Management policy.open-cluster-management.io/controls: CM-2 Baseline Configuration 
@@ -59,7 +59,7 @@ metadata: labels: {{- include "rhtpa-operator.labels" . | nindent 4 }} annotations: - argocd.argoproj.io/sync-wave: "40" + argocd.argoproj.io/sync-wave: "71" placementRef: name: placement-policy-rhtpa-operator-ready kind: PlacementRule @@ -77,7 +77,7 @@ metadata: labels: {{- include "rhtpa-operator.labels" . | nindent 4 }} annotations: - argocd.argoproj.io/sync-wave: "40" + argocd.argoproj.io/sync-wave: "71" spec: clusterConditions: - status: "True" diff --git a/charts/rhtpa-operator/templates/operator-rolebinding.yaml b/charts/rhtpa-operator/templates/operator-rolebinding.yaml index 3e234b0d..d4c369b2 100644 --- a/charts/rhtpa-operator/templates/operator-rolebinding.yaml +++ b/charts/rhtpa-operator/templates/operator-rolebinding.yaml @@ -6,7 +6,7 @@ metadata: name: rhtpa-operator-job-manager namespace: {{ .Values.rhtpa.namespace }} annotations: - argocd.argoproj.io/sync-wave: "1" # Create early, before CR + argocd.argoproj.io/sync-wave: "32" # Create early, before CR rules: - apiGroups: ["batch"] resources: ["jobs"] @@ -30,7 +30,7 @@ metadata: name: rhtpa-operator-job-manager namespace: {{ .Values.rhtpa.namespace }} annotations: - argocd.argoproj.io/sync-wave: "1" # Create early, before CR + argocd.argoproj.io/sync-wave: "32" # Create early, before CR roleRef: apiGroup: rbac.authorization.k8s.io kind: Role diff --git a/charts/rhtpa-operator/templates/postgresql-external-secret.yaml b/charts/rhtpa-operator/templates/postgresql-external-secret.yaml index fcb2b7b7..4c0007ca 100644 --- a/charts/rhtpa-operator/templates/postgresql-external-secret.yaml +++ b/charts/rhtpa-operator/templates/postgresql-external-secret.yaml @@ -6,7 +6,7 @@ metadata: name: rhtpa-db-secret namespace: {{ .Values.rhtpa.namespace }} annotations: - argocd.argoproj.io/sync-wave: '5' + argocd.argoproj.io/sync-wave: '36' spec: refreshInterval: 15s secretStoreRef: 
diff --git a/charts/rhtpa-operator/templates/postgresql-service.yaml b/charts/rhtpa-operator/templates/postgresql-service.yaml index 593ade2c..c427b0a7 100644 --- a/charts/rhtpa-operator/templates/postgresql-service.yaml +++ b/charts/rhtpa-operator/templates/postgresql-service.yaml @@ -4,7 +4,7 @@ apiVersion: v1 kind: Service metadata: annotations: - argocd.argoproj.io/sync-wave: '10' + argocd.argoproj.io/sync-wave: '41' labels: app: rhtpa-db name: rhtpa-db diff --git a/charts/rhtpa-operator/templates/postgresql-serviceaccount.yaml b/charts/rhtpa-operator/templates/postgresql-serviceaccount.yaml index 1d0ecc91..4eb0bc72 100644 --- a/charts/rhtpa-operator/templates/postgresql-serviceaccount.yaml +++ b/charts/rhtpa-operator/templates/postgresql-serviceaccount.yaml @@ -4,7 +4,7 @@ apiVersion: v1 kind: ServiceAccount metadata: annotations: - argocd.argoproj.io/sync-wave: '5' + argocd.argoproj.io/sync-wave: '36' name: rhtpa-db namespace: {{ .Values.rhtpa.namespace }} {{- end }} diff --git a/charts/rhtpa-operator/templates/postgresql-statefulset.yaml b/charts/rhtpa-operator/templates/postgresql-statefulset.yaml index b7b8ff79..02917889 100644 --- a/charts/rhtpa-operator/templates/postgresql-statefulset.yaml +++ b/charts/rhtpa-operator/templates/postgresql-statefulset.yaml @@ -4,7 +4,7 @@ apiVersion: apps/v1 kind: StatefulSet metadata: annotations: - argocd.argoproj.io/sync-wave: '10' + argocd.argoproj.io/sync-wave: '41' labels: app: rhtpa-db name: rhtpa-db diff --git a/charts/rhtpa-operator/templates/s3-credentials-secret.yaml b/charts/rhtpa-operator/templates/s3-credentials-secret.yaml index a4e95cbd..bc4cb2c0 100644 --- a/charts/rhtpa-operator/templates/s3-credentials-secret.yaml +++ b/charts/rhtpa-operator/templates/s3-credentials-secret.yaml 
@@ -9,7 +9,7 @@ metadata: name: rhtpa-s3-config namespace: {{ .Values.rhtpa.namespace }} annotations: - argocd.argoproj.io/sync-wave: "8" # After OBC is created + argocd.argoproj.io/sync-wave: "39" # After OBC is created data: # The OBC creates a secret with these keys automatically # AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, BUCKET_HOST, BUCKET_NAME, BUCKET_PORT diff --git a/charts/rhtpa-operator/templates/spiffe-helper-config.yaml b/charts/rhtpa-operator/templates/spiffe-helper-config.yaml index 0ad7529f..e7b61dcf 100644 --- a/charts/rhtpa-operator/templates/spiffe-helper-config.yaml +++ b/charts/rhtpa-operator/templates/spiffe-helper-config.yaml @@ -6,7 +6,7 @@ metadata: name: spiffe-helper-config namespace: {{ .Values.rhtpa.namespace }} annotations: - argocd.argoproj.io/sync-wave: "18" + argocd.argoproj.io/sync-wave: "49" data: config.hcl: | agent_address = "/spiffe-workload-api/spire-agent.sock" diff --git a/charts/rhtpa-operator/templates/trusted-profile-analyzer.yaml b/charts/rhtpa-operator/templates/trusted-profile-analyzer.yaml index abfdaabc..bfce55eb 100644 --- a/charts/rhtpa-operator/templates/trusted-profile-analyzer.yaml +++ b/charts/rhtpa-operator/templates/trusted-profile-analyzer.yaml @@ -8,7 +8,7 @@ metadata: labels: {{- include "rhtpa-operator.labels" . | nindent 4 }} annotations: - argocd.argoproj.io/sync-wave: "50" # Increased delay to ensure operator is fully ready + argocd.argoproj.io/sync-wave: "81" # Increased delay to ensure operator is fully ready argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true policy.open-cluster-management.io/standards: NIST SP 800-53 policy.open-cluster-management.io/categories: CM Configuration Management @@ -126,7 +126,7 @@ metadata: labels: {{- include "rhtpa-operator.labels" . | nindent 4 }} annotations: - argocd.argoproj.io/sync-wave: "20" + argocd.argoproj.io/sync-wave: "51" placementRef: name: placement-policy-rhtpa-trustedprofileanalyzer kind: PlacementRule 
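Review bot: The comment kept on the new wave 81 in trusted-profile-analyzer.yaml, `# Increased delay to ensure operator is fully ready`, describes the wave as a time delay, but Argo CD advances to the next wave when the earlier wave's resources are assessed healthy, not after a fixed interval; the actual readiness gate is the Policy at wave 71 in operator-readiness-check.yaml, whose own comment already says `# Before CR creation (wave 81)`. Suggest naming the dependency rather than implying it with a large number: `# Wave 81: after the operator-readiness Policy (wave 71) is compliant`. The TrustedProfileAnalyzer spec continues outside the hunk.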
@@ -144,7 +144,7 @@ metadata: labels: {{- include "rhtpa-operator.labels" . | nindent 4 }} annotations: - argocd.argoproj.io/sync-wave: "20" + argocd.argoproj.io/sync-wave: "51" spec: clusterConditions: - status: "True" diff --git a/charts/supply-chain/templates/workspaces.yaml b/charts/supply-chain/templates/workspaces.yaml index c38b8cb1..880eab6d 100644 --- a/charts/supply-chain/templates/workspaces.yaml +++ b/charts/supply-chain/templates/workspaces.yaml @@ -7,7 +7,7 @@ metadata: name: {{ .name }} namespace: {{ .namespace | default $.Values.global.namespace }} annotations: - argocd.argoproj.io/sync-wave: '20' + argocd.argoproj.io/sync-wave: '51' labels: app.kubernetes.io/component: storage spec: diff --git a/charts/ztvp-certificates/templates/ca-extraction-cronjob.yaml b/charts/ztvp-certificates/templates/ca-extraction-cronjob.yaml index f18b2bd3..02224bb3 100644 --- a/charts/ztvp-certificates/templates/ca-extraction-cronjob.yaml +++ b/charts/ztvp-certificates/templates/ca-extraction-cronjob.yaml @@ -6,7 +6,7 @@ metadata: name: {{ include "ztvp-certificates.fullname" . }}-ca-extractor namespace: {{ .Values.global.namespace }} annotations: - argocd.argoproj.io/sync-wave: "-8" + argocd.argoproj.io/sync-wave: "23" labels: {{- include "ztvp-certificates.labels" . | nindent 4 }} spec: diff --git a/charts/ztvp-certificates/templates/ca-extraction-job-initial.yaml b/charts/ztvp-certificates/templates/ca-extraction-job-initial.yaml index d867cfc7..3bee2efe 100644 --- a/charts/ztvp-certificates/templates/ca-extraction-job-initial.yaml +++ b/charts/ztvp-certificates/templates/ca-extraction-job-initial.yaml 
@@ -6,7 +6,7 @@ metadata: name: {{ include "ztvp-certificates.fullname" . }}-ca-extractor-initial namespace: {{ .Values.global.namespace }} annotations: - argocd.argoproj.io/sync-wave: "-8" + argocd.argoproj.io/sync-wave: "23" # Run as regular sync resource (after RBAC at -9, before Policy at -5) # Using Prune=false prevents OutOfSync after TTL deletes the completed Job argocd.argoproj.io/sync-options: Prune=false diff --git a/charts/ztvp-certificates/templates/configmap-script.yaml b/charts/ztvp-certificates/templates/configmap-script.yaml index 802fda93..07399292 100644 --- a/charts/ztvp-certificates/templates/configmap-script.yaml +++ b/charts/ztvp-certificates/templates/configmap-script.yaml @@ -6,7 +6,7 @@ metadata: name: {{ include "ztvp-certificates.fullname" . }}-script namespace: {{ .Values.global.namespace }} annotations: - argocd.argoproj.io/sync-wave: "-9" + argocd.argoproj.io/sync-wave: "22" labels: {{- include "ztvp-certificates.labels" . | nindent 4 }} app.kubernetes.io/component: extraction-script diff --git a/charts/ztvp-certificates/templates/distribution-policy.yaml b/charts/ztvp-certificates/templates/distribution-policy.yaml index a3f5a3c5..65673f11 100644 --- a/charts/ztvp-certificates/templates/distribution-policy.yaml +++ b/charts/ztvp-certificates/templates/distribution-policy.yaml @@ -6,7 +6,7 @@ metadata: name: ztvp-certificates-distribution namespace: {{ .Values.global.namespace }} annotations: - argocd.argoproj.io/sync-wave: "-5" + argocd.argoproj.io/sync-wave: "26" policy.open-cluster-management.io/standards: NIST-CSF policy.open-cluster-management.io/categories: PR.DS Data Security policy.open-cluster-management.io/controls: PR.DS-2 Data-in-transit @@ -50,7 +50,7 @@ metadata: name: ztvp-certificates-distribution-binding namespace: {{ .Values.global.namespace }} annotations: - argocd.argoproj.io/sync-wave: "-5" + argocd.argoproj.io/sync-wave: "26" bindingOverrides: remediationAction: enforce placementRef: 
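Review bot: The context comment two lines below the changed annotation in ca-extraction-job-initial.yaml still reads `# Run as regular sync resource (after RBAC at -9, before Policy at -5)`, which contradicts the commit message's statement that inline comments referencing old wave numbers were updated; the rbac.yaml and distribution-policy.yaml hunks in this same patch move those resources to 22 and 26. Change it to `# Run as regular sync resource (after RBAC at 22, before Policy at 26)` so the next person reordering waves is not sent looking for negative values that no longer exist. The Job spec continues outside the hunk.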
@@ -68,7 +68,7 @@ metadata: name: ztvp-certificates-distribution-placement namespace: {{ .Values.global.namespace }} annotations: - argocd.argoproj.io/sync-wave: "-5" + argocd.argoproj.io/sync-wave: "26" spec: predicates: - requiredClusterSelector: diff --git a/charts/ztvp-certificates/templates/managedclusterset-binding.yaml b/charts/ztvp-certificates/templates/managedclusterset-binding.yaml index 82ccf07f..1e7e67f2 100644 --- a/charts/ztvp-certificates/templates/managedclusterset-binding.yaml +++ b/charts/ztvp-certificates/templates/managedclusterset-binding.yaml @@ -7,7 +7,7 @@ metadata: name: default namespace: {{ .Values.global.namespace }} annotations: - argocd.argoproj.io/sync-wave: "-6" + argocd.argoproj.io/sync-wave: "25" labels: {{- include "ztvp-certificates.labels" . | nindent 4 }} spec: diff --git a/charts/ztvp-certificates/templates/rbac.yaml b/charts/ztvp-certificates/templates/rbac.yaml index b4f118c3..e2ce3cbc 100644 --- a/charts/ztvp-certificates/templates/rbac.yaml +++ b/charts/ztvp-certificates/templates/rbac.yaml @@ -6,7 +6,7 @@ metadata: name: {{ include "ztvp-certificates.serviceAccountName" . }} namespace: {{ .Values.global.namespace }} annotations: - argocd.argoproj.io/sync-wave: "-9" + argocd.argoproj.io/sync-wave: "22" labels: {{- include "ztvp-certificates.labels" . | nindent 4 }} --- @@ -16,7 +16,7 @@ metadata: name: {{ include "ztvp-certificates.serviceAccountName" . }} namespace: {{ .Values.global.namespace }} annotations: - argocd.argoproj.io/sync-wave: "-9" + argocd.argoproj.io/sync-wave: "22" labels: {{- include "ztvp-certificates.labels" . | nindent 4 }} rules: @@ -30,7 +30,7 @@ metadata: name: {{ include "ztvp-certificates.serviceAccountName" . }} namespace: {{ .Values.global.namespace }} annotations: - argocd.argoproj.io/sync-wave: "-9" + argocd.argoproj.io/sync-wave: "22" labels: {{- include "ztvp-certificates.labels" . | nindent 4 }} roleRef: 
@@ -47,7 +47,7 @@ kind: ClusterRole metadata: name: {{ include "ztvp-certificates.fullname" . }}-ca-reader annotations: - argocd.argoproj.io/sync-wave: "-9" + argocd.argoproj.io/sync-wave: "22" labels: {{- include "ztvp-certificates.labels" . | nindent 4 }} rules: @@ -73,7 +73,7 @@ kind: ClusterRoleBinding metadata: name: {{ include "ztvp-certificates.fullname" . }}-ca-reader annotations: - argocd.argoproj.io/sync-wave: "-9" + argocd.argoproj.io/sync-wave: "22" labels: {{- include "ztvp-certificates.labels" . | nindent 4 }} roleRef: @@ -91,7 +91,7 @@ kind: ClusterRole metadata: name: {{ include "ztvp-certificates.fullname" . }}-rollout annotations: - argocd.argoproj.io/sync-wave: "-9" + argocd.argoproj.io/sync-wave: "22" labels: {{- include "ztvp-certificates.labels" . | nindent 4 }} rules: @@ -105,7 +105,7 @@ kind: ClusterRoleBinding metadata: name: {{ include "ztvp-certificates.fullname" . }}-rollout annotations: - argocd.argoproj.io/sync-wave: "-9" + argocd.argoproj.io/sync-wave: "22" labels: {{- include "ztvp-certificates.labels" . | nindent 4 }} roleRef: diff --git a/docs/DEVELOPMENT.md b/docs/DEVELOPMENT.md index 1e5497a1..969f82b7 100644 --- a/docs/DEVELOPMENT.md +++ b/docs/DEVELOPMENT.md @@ -63,7 +63,7 @@ If we want to save some space, we can add these overrides to the `noobaa-mcg` co project: hub path: charts/noobaa-mcg annotations: - argocd.argoproj.io/sync-wave: "5" + argocd.argoproj.io/sync-wave: "36" overrides: - name: noobaa.dbSize value: 10Gi diff --git a/docs/SYNC-WAVE-INVENTORY.md b/docs/SYNC-WAVE-INVENTORY.md new file mode 100644 index 00000000..87bc4d15 --- /dev/null +++ b/docs/SYNC-WAVE-INVENTORY.md 
@@ -0,0 +1,146 @@
+# Argo CD Sync-Wave Inventory
+
+All `argocd.argoproj.io/sync-wave` assignments in `layered-zero-trust`.
+
+A +31 offset was applied to every value so that all waves are positive (>= 1), preserving the original relative ordering. This accommodates the Validated Patterns operator applying the Argo CD super-role later than before, which caused resources with negative sync waves to fail.
+
+## Application-level waves (`values-hub.yaml`)
+
+These control when each Argo CD Application syncs relative to other Applications.
+
+| Application | Old | Current | Comment | Active? |
+| --- | ---: | ---: | --- | --- |
+| compliance-scanning | -30 | 1 | Earliest app | yes |
+| ztvp-certificates | -10 | 21 | Custom CA distribution | yes |
+| openshift-storage (OperatorGroup) | -5 | 26 | Propagated to OperatorGroup | commented |
+| rhtpa-operator (namespace) | -5 | 26 | Before operator subscription | commented |
+| odf (subscription) | -4 | 27 | After OperatorGroup (26) | commented |
+| rhtpa-operator (subscription) | -4 | 27 | After OperatorGroup (26) | commented |
+| quay-operator (subscription) | -3 | 28 | After ODF operator | commented |
+| rhtas-operator (subscription) | -2 | 29 | After Quay operator | commented |
+| quay-enterprise (namespace) | 1 | 32 | Before NooBaa and Quay components | commented |
+| trusted-artifact-signer (namespace) | 1 | 32 | Auto-created by RHTAS operator | commented |
+| trusted-profile-analyzer (namespace) | 1 | 32 | Before RHTPA components | commented |
+| noobaa-mcg | 5 | 36 | Deploy after core services | commented |
+| acs-central | 10 | 41 | — | yes |
+| quay-registry | 10 | 41 | Deploy after NooBaa | commented |
+| trusted-profile-analyzer | 10 | 41 | Chart resources (OBC, DB, etc.) | commented |
+| acs-secured-cluster | 15 | 46 | — | yes |
+| trusted-artifact-signer | 15 | 46 | Deploy after dependencies | commented |
+
+## Chart-level waves (templates)
+
+These control resource ordering within a single Application's sync.
+
+### compliance-scanning (`charts/compliance-scanning/templates/`)
+
+| Resource | Old | Current |
+| --- | ---: | ---: |
+| apiserver-encryption.yaml | -10 | 21 |
+| pvc.yaml | -10 | 21 |
+| scan-setting.yaml | -10 | 21 |
+| scan-setting-binding.yaml | -10 | 21 |
+
+### ztvp-certificates (`charts/ztvp-certificates/templates/`)
+
+| Resource | Old | Current |
+| --- | ---: | ---: |
+| rbac.yaml (7 resources) | -9 | 22 |
+| configmap-script.yaml | -9 | 22 |
+| ca-extraction-job-initial.yaml | -8 | 23 |
+| ca-extraction-cronjob.yaml | -8 | 23 |
+| managedclusterset-binding.yaml | -6 | 25 |
+| distribution-policy.yaml (3 resources) | -5 | 26 |
+
+### rhtpa-operator (`charts/rhtpa-operator/templates/`)
+
+| Resource | Old | Current |
+| --- | ---: | ---: |
+| ingress-ca-job.yaml (SA, Role, RoleBinding, ConfigMap, Job) | 0 | 31 |
+| operator-rolebinding.yaml (2 bindings) | 1 | 32 |
+| ingress-ca-job.yaml (completion Job) | 2 | 33 |
+| oidc-cli-secret.yaml | 3 | 34 |
+| postgresql-serviceaccount.yaml | 5 | 36 |
+| postgresql-external-secret.yaml | 5 | 36 |
+| object-bucket-claim.yaml | 5 | 36 |
+| s3-credentials-secret.yaml | 8 | 39 |
+| postgresql-statefulset.yaml | 10 | 41 |
+| postgresql-service.yaml | 10 | 41 |
+| spiffe-helper-config.yaml | 18 | 49 |
+| trusted-profile-analyzer.yaml (supporting objects) | 20 | 51 |
+| operator-readiness-check.yaml (SA, Role, Job) | 40 | 71 |
+| trusted-profile-analyzer.yaml (Policy/CR) | 50 | 81 |
+
+### noobaa-mcg (`charts/noobaa-mcg/templates/`)
+
+| Resource | Old | Current |
+| --- | ---: | ---: |
+| default-backingstore.yaml | 1 | 32 |
+| noobaa-system.yaml | 2 | 33 |
+| bucket-class.yaml | 3 | 34 |
+
+### keycloak (`charts/keycloak/templates/`)
+
+| Resource | Old | Current |
+| --- | ---: | ---: |
+| keycloak.yaml | 5 | 36 |
+| keycloak-realm-import.yaml | 10 | 41 |
+
+### quay-registry (`charts/quay-registry/templates/`)
+
+| Resource | Old | Current |
+| --- | ---: | ---: |
+| object-bucket-claim.yaml | 5 | 36 |
+| quay-s3-setup-serviceaccount.yaml (5 resources) | 6 | 37 |
+| quay-config-bundle-secret.yaml | 7 | 38 |
+| quay-s3-credentials-job.yaml | 8 | 39 |
+| quay-registry.yaml | 10 | 41 |
+
+### acs-central (`charts/acs-central/templates/`)
+
+| Resource | Old | Current |
+| --- | ---: | ---: |
+| rbac/* (SA, Role, ClusterRole, bindings) | 1 | 32 |
+| admin-password-secret.yaml | 5 | 36 |
+| central-htpasswd-external-secret.yaml | 5 | 36 |
+| keycloak-client-secret-external-secret.yaml | 5 | 36 |
+| create-htpasswd-field.yaml (Job) | 6 | 37 |
+| central-cr.yaml | 10 | 41 |
+| create-cluster-init-bundle.yaml (Job) | 12 | 43 |
+| create-auth-provider.yaml (Job) | 13 | 44 |
+| console-link.yaml | 15 | 46 |
+
+### acs-secured-cluster (`charts/acs-secured-cluster/templates/`)
+
+| Resource | Old | Current |
+| --- | ---: | ---: |
+| secured-cluster-cr.yaml | 15 | 46 |
+
+### rhtas-operator (`charts/rhtas-operator/templates/`)
+
+| Resource | Old | Current |
+| --- | ---: | ---: |
+| securesign.yaml | 15 | 46 |
+
+### qtodo (`charts/qtodo/templates/`)
+
+| Resource | Old | Current |
+| --- | ---: | ---: |
+| truststore-secret-external-secret.yaml | 5 | 36 |
+| postgresql-statefulset.yaml | 10 | 41 |
+| postgresql-service.yaml | 10 | 41 |
+| qtodo-truststore-config.yaml | 10 | 41 |
+| app-deployment.yaml | 20 | 51 |
+| app-service.yaml | 20 | 51 |
+
+### supply-chain (`charts/supply-chain/templates/`)
+
+| Resource | Old | Current |
+| --- | ---: | ---: |
+| workspaces.yaml | 20 | 51 |
+
+### docs/DEVELOPMENT.md (example snippet, not deployed)
+
+| Resource | Old | Current |
+| --- | ---: | ---: |
+| noobaa-mcg example | 5 | 36 |
diff --git a/values-hub.yaml b/values-hub.yaml
index 32b0f9b0..d4d80743 100644
--- a/values-hub.yaml
+++ b/values-hub.yaml
@@ -33,27 +33,27 @@ clusterGroup:
# targetNamespace: openshift-storage
# annotations:
# openshift.io/cluster-monitoring: "true"
- # argocd.argoproj.io/sync-wave: "-5" # Propagated to OperatorGroup by framework
+ # argocd.argoproj.io/sync-wave: "26" # Propagated to OperatorGroup by framework
# - quay-enterprise:
# annotations:
- # argocd.argoproj.io/sync-wave: "1" # Create before NooBaa and all Quay components
+ # argocd.argoproj.io/sync-wave: "32" # Create before NooBaa and all Quay components
# labels:
# openshift.io/cluster-monitoring: "true"
# RHTAS namespace (required when RHTAS application is enabled)
# COMMENTED OUT: Uncomment to enable RHTAS with SPIFFE signing
# - trusted-artifact-signer:
# annotations:
- # argocd.argoproj.io/sync-wave: "1" # Auto-created by RHTAS operator
+ # argocd.argoproj.io/sync-wave: "32" # Auto-created by RHTAS operator
# labels:
# openshift.io/cluster-monitoring: "true"
# - rhtpa-operator:
# operatorGroup: true
# targetNamespace: rhtpa-operator
# annotations:
- # argocd.argoproj.io/sync-wave: "-5" # Create before operator subscription
+ # argocd.argoproj.io/sync-wave: "26" # Create before operator subscription
# - trusted-profile-analyzer:
# annotations:
- # argocd.argoproj.io/sync-wave: "1" # Create before RHTPA components
+ # argocd.argoproj.io/sync-wave: "32" # Create before RHTPA components
# labels:
# openshift.io/cluster-monitoring: "true"
- zero-trust-workload-identity-manager:
@@ -121,13 +121,13 @@ clusterGroup:
# namespace: openshift-storage
# channel: stable-4.20
# annotations:
- # argocd.argoproj.io/sync-wave: "-4" # Install after OperatorGroup (-5)
+ # argocd.argoproj.io/sync-wave: "27" # Install after OperatorGroup (26)
# quay-operator:
# name: quay-operator
# namespace: openshift-operators
# channel: stable-3.15
# annotations:
- # argocd.argoproj.io/sync-wave: "-3" # Install after ODF operator
+ # argocd.argoproj.io/sync-wave: "28" # Install after ODF operator
# RHTAS operator subscription (required when RHTAS application is enabled)
# COMMENTED OUT: Uncomment to enable RHTAS with SPIFFE integration
# rhtas-operator:
@@ -135,7 +135,7 @@ clusterGroup:
# namespace: openshift-operators
# channel: stable
# annotations:
- # argocd.argoproj.io/sync-wave: "-2" # Install after Quay operator, before applications
+ # argocd.argoproj.io/sync-wave: "29" # Install after Quay operator, before applications
# catalogSource: redhat-operators
# RHTPA operator subscription
# Channel: stable-v1.1 provides latest 1.1.x patch updates
@@ -146,7 +146,7 @@ clusterGroup:
# channel: stable-v1.1 # Use stable-v1.1 channel for 1.1.x updates
# catalogSource: redhat-operators
# annotations:
- # argocd.argoproj.io/sync-wave: "-4" # Install after OperatorGroup (-5), before applications
+ # argocd.argoproj.io/sync-wave: "27" # Install after OperatorGroup (26), before applications
projects:
- hub
# Explicitly mention the cluster-state based overrides we plan to use for this pattern.
@@ -176,7 +176,7 @@ clusterGroup:
project: hub
path: charts/ztvp-certificates
annotations:
- argocd.argoproj.io/sync-wave: "-10"
+ argocd.argoproj.io/sync-wave: "21"
# Ignore the ACM-replicated policy in local-cluster namespace
# ACM automatically creates policy replicas with name pattern: .
ignoreDifferences:
@@ -255,7 +255,7 @@ clusterGroup:
name: compliance-scanning
namespace: openshift-compliance
annotations:
- argocd.argoproj.io/sync-wave: '-30'
+ argocd.argoproj.io/sync-wave: '1'
project: hub
chart: ocp-compliance-scanning
chartVersion: 0.0.*
@@ -337,7 +337,7 @@ clusterGroup:
# project: hub
# path: charts/noobaa-mcg
# annotations:
- # argocd.argoproj.io/sync-wave: "5" # Deploy after core services
+ # argocd.argoproj.io/sync-wave: "36" # Deploy after core services
# Quay Container Registry (uses NooBaa for storage)
# quay-registry:
# name: quay-registry
@@ -346,7 +346,7 @@ clusterGroup:
# chart: quay
# chartVersion: 0.1.*
# annotations:
- # argocd.argoproj.io/sync-wave: "10" # Deploy after NooBaa storage backend
+ # argocd.argoproj.io/sync-wave: "41" # Deploy after NooBaa storage backend
# RHTAS with SPIFFE Integration
# COMMENTED OUT: Uncomment to enable RHTAS with SPIFFE and Email issuers
# Depends on: Vault, SPIRE, Keycloak (for Email OIDC issuer if used)
@@ -356,7 +356,7 @@ clusterGroup:
# project: hub
# path: charts/rhtas-operator
# annotations:
- # argocd.argoproj.io/sync-wave: "15" # Deploy after dependencies
+ # argocd.argoproj.io/sync-wave: "46" # Deploy after dependencies
# overrides:
# # OIDC Issuer Configuration - Both can be enabled simultaneously
# # Enable SPIFFE issuer for workload identity
@@ -379,8 +379,8 @@ clusterGroup:
# project: hub
# path: charts/rhtpa-operator
# annotations:
- # argocd.argoproj.io/sync-wave: "10" # Create chart resources (OBC, DB, etc.)
- # # Note: The TrustedProfileAnalyzer CR is created by ACM Policy at wave 50
+ # argocd.argoproj.io/sync-wave: "41" # Create chart resources (OBC, DB, etc.)
+ # # Note: The TrustedProfileAnalyzer CR is created by ACM Policy at wave 81
# # to ensure the operator is fully ready (mitigates v1.1.0 initialization bug)
# # Ignore differences to prevent OutOfSync status
# ignoreDifferences:
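Review bot: The `compliance-scanning` annotation in the `@@ -255,7 +255,7` hunk keeps single quotes (`argocd.argoproj.io/sync-wave: '1'`) while every other sync-wave annotation in this file is double-quoted; for consistency write `argocd.argoproj.io/sync-wave: "1"`. Both forms parse as the string `1`, so this is a style point only, but a uniform quoting style makes a grep for the annotation across the repo reliable. The enclosing `clusterGroup.applications` mapping starts outside the hunk.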
@@ -541,7 +541,7 @@ clusterGroup:
jsonPointers:
- /spec/scanner/scannerComponent
annotations:
- argocd.argoproj.io/sync-wave: "10"
+ argocd.argoproj.io/sync-wave: "41"
# ACS Secured Cluster
acs-secured-cluster:
@@ -556,7 +556,7 @@ clusterGroup:
- /values-global.yaml
- /values-{{ .Values.global.pattern }}-hub.yaml
annotations:
- argocd.argoproj.io/sync-wave: "15"
+ argocd.argoproj.io/sync-wave: "46"
# ACS Policies
acs-policies:
name: acs-policies
@@ -564,7 +564,7 @@ clusterGroup:
project: hub
path: charts/acs-policies
annotations:
- argocd.argoproj.io/sync-wave: "20"
+ argocd.argoproj.io/sync-wave: "51"
argoCD:
resourceHealthChecks:
- check: |
From 20d89a2153d03a21d3f0b0dcee621eb7edc8091d Mon Sep 17 00:00:00 2001
From: Min Zhang
Date: Fri, 20 Mar 2026 15:37:35 -0400
Subject: [PATCH 2/4] fix: add sync-wave annotations, MCO wait gate, and updated docs
- Add explicit sync-wave to all active applications in values-hub.yaml
- Add sync-wave 48 to commented supply-chain application
- Wait for MachineConfigPool rollout before vault-config-jwt
- Update SYNC-WAVE-INVENTORY with unified deployment timeline
Signed-off-by: Min Zhang
---
Makefile | 2 +
docs/SYNC-WAVE-INVENTORY.md | 188 ++++++++++++++++++++++++++----------
values-hub.yaml | 18 ++++
3 files changed, 157 insertions(+), 51 deletions(-)
diff --git a/Makefile b/Makefile
index 03566e46..b93e4672 100644
--- a/Makefile
+++ b/Makefile
@@ -18,6 +18,8 @@ install: operator-deploy post-install ## installs the pattern and loads the secr
.PHONY: post-install
post-install: ## Post-install tasks
make load-secrets
+ @echo "Waiting for MachineConfigPool rollout to complete..."
+ oc wait mcp/master --for=condition=Updated --timeout=600s
make vault-config-jwt
@echo "Done"
diff --git a/docs/SYNC-WAVE-INVENTORY.md b/docs/SYNC-WAVE-INVENTORY.md
index 87bc4d15..2f30d872 100644
--- a/docs/SYNC-WAVE-INVENTORY.md
+++ b/docs/SYNC-WAVE-INVENTORY.md
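Review bot: The new gate `oc wait mcp/master --for=condition=Updated --timeout=600s` in the `post-install` recipe can return immediately, because an idle MachineConfigPool already reports `Updated=True`; if the MachineConfig that triggers the rollout has not yet been rendered when `make post-install` runs, the wait passes before the rollout starts and `vault-config-jwt` still races it. It also only watches the `master` pool, so a worker-pool rollout is not gated at all. A more robust form waits on every pool and first requires the pool to be out of the updating state, e.g. `oc wait mcp --all --for=condition=Updating=False --timeout=600s` followed by `oc wait mcp --all --for=condition=Updated --timeout=600s`; if the trigger is applied asynchronously by Argo CD, a poll for `Updating=True` before the `Updated` wait is needed to close the race fully. The `install` target that calls this recipe starts outside the hunk.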
@@ -4,35 +4,114 @@ All `argocd.argoproj.io/sync-wave` assignments in `layered-zero-trust`.
A +31 offset was applied to every value so that all waves are positive (>= 1), preserving the original relative ordering. This accommodates the Validated Patterns operator applying the Argo CD super-role later than before, which caused resources with negative sync waves to fail.
+## Unified deployment timeline
+
+Every sync-wave in the repository, in order. **App** = hub-level Argo CD Application creation. **chart** = resource inside a chart (resolved locally within that app's sync). **sub** = operator Subscription.
+
+| Wave | Component | Scope | What |
+| ---: | --- | --- | --- |
+| 1 | compliance-scanning | **App** | Argo CD Application created on hub |
+| 5 | acm | **App** | |
+| 5 | rh-cert-manager | **App** | |
+| 10 | acm-managed-clusters | **App** | |
+| 21 | ztvp-certificates | **App** | |
+| 21 | └ compliance-scanning | chart | apiserver-encryption, pvc, scan-setting, scan-setting-binding |
+| 22 | └ ztvp-certificates | chart | RBAC (7 resources), configmap-script |
+| 23 | └ ztvp-certificates | chart | ca-extraction-job-initial, ca-extraction-cronjob |
+| 25 | vault | **App** | |
+| 25 | └ ztvp-certificates | chart | managedclusterset-binding |
+| 26 | └ ztvp-certificates | chart | distribution-policy (3 resources) |
+| 26 | └ openshift-storage | ns | Namespace + OperatorGroup |
+| 26 | └ rhtpa-operator | ns | Namespace + OperatorGroup |
+| 27 | └ odf | sub | ODF operator install |
+| 27 | └ rhtpa-operator | sub | RHTPA operator install |
+| 28 | └ quay-operator | sub | Quay operator install |
+| 29 | └ rhtas-operator | sub | RHTAS operator install |
+| 30 | golang-external-secrets | **App** | |
+| 30 | zero-trust-workload-identity-manager | **App** | |
+| 31 | └ rhtpa-operator | chart | ingress-ca-job (SA, Role, RoleBinding, ConfigMap, Job) |
+| 32 | └ rhtpa-operator | chart | operator-rolebinding (2 bindings) |
+| 32 | └ noobaa-mcg | chart | default-backingstore |
+| 32 | └ acs-central | chart | rbac/* (SA, Role, ClusterRole, bindings) |
+| 32 | └ quay-enterprise | ns | Namespace |
+| 32 | └ trusted-artifact-signer | ns | Namespace |
+| 32 | └ trusted-profile-analyzer | ns | Namespace |
+| 33 | └ rhtpa-operator | chart | ingress-ca-job (completion Job) |
+| 33 | └ noobaa-mcg | chart | noobaa-system |
+| 34 | └ rhtpa-operator | chart | oidc-cli-secret |
+| 34 | └ noobaa-mcg | chart | bucket-class |
+| 35 | rh-keycloak | **App** | |
+| 36 | noobaa-mcg | **App** | |
+| 36 | └ rhtpa-operator | chart | postgresql-serviceaccount, postgresql-external-secret, object-bucket-claim |
+| 36 | └ keycloak | chart | keycloak.yaml (Keycloak CR) |
+| 36 | └ quay-registry | chart | object-bucket-claim |
+| 36 | └ acs-central | chart | admin-password-secret, central-htpasswd-external-secret, keycloak-client-secret-external-secret |
+| 36 | └ qtodo | chart | truststore-secret-external-secret |
+| 37 | └ quay-registry | chart | quay-s3-setup-serviceaccount (5 resources) |
+| 37 | └ acs-central | chart | create-htpasswd-field (Job) |
+| 38 | qtodo | **App** | |
+| 38 | └ quay-registry | chart | quay-config-bundle-secret |
+| 39 | └ rhtpa-operator | chart | s3-credentials-secret |
+| 39 | └ quay-registry | chart | quay-s3-credentials-job |
+| 41 | acs-central | **App** | |
+| 41 | quay-registry | **App** | |
+| 41 | trusted-profile-analyzer | **App** | |
+| 41 | └ rhtpa-operator | chart | postgresql-statefulset, postgresql-service |
+| 41 | └ keycloak | chart | keycloak-realm-import |
+| 41 | └ quay-registry | chart | quay-registry (QuayRegistry CR) |
+| 41 | └ acs-central | chart | central-cr (Central CR) |
+| 41 | └ qtodo | chart | postgresql-statefulset, postgresql-service, qtodo-truststore-config |
+| 43 | └ acs-central | chart | create-cluster-init-bundle (Job) |
+| 44 | └ acs-central | chart | create-auth-provider (Job) |
+| 46 | acs-secured-cluster | **App** | |
+| 46 | trusted-artifact-signer | **App** | |
+| 46 | └ acs-central | chart | console-link |
+| 46 | └ acs-secured-cluster | chart | secured-cluster-cr |
+| 46 | └ rhtas-operator | chart | securesign |
+| 48 | supply-chain | **App** | |
+| 49 | └ rhtpa-operator | chart | spiffe-helper-config |
+| 51 | └ rhtpa-operator | chart | trusted-profile-analyzer (supporting objects) |
+| 51 | └ qtodo | chart | app-deployment, app-service |
+| 51 | └ supply-chain | chart | workspaces |
+| 71 | └ rhtpa-operator | chart | operator-readiness-check (SA, Role, Job) |
+| 81 | └ rhtpa-operator | chart | trusted-profile-analyzer (Policy/CR) |
+
## Application-level waves (`values-hub.yaml`)
-These control when each Argo CD Application syncs relative to other Applications.
-
-| Application | Old | Current | Comment | Active? |
-| --- | ---: | ---: | --- | --- |
-| compliance-scanning | -30 | 1 | Earliest app | yes |
-| ztvp-certificates | -10 | 21 | Custom CA distribution | yes |
-| openshift-storage (OperatorGroup) | -5 | 26 | Propagated to OperatorGroup | commented |
-| rhtpa-operator (namespace) | -5 | 26 | Before operator subscription | commented |
-| odf (subscription) | -4 | 27 | After OperatorGroup (26) | commented |
-| rhtpa-operator (subscription) | -4 | 27 | After OperatorGroup (26) | commented |
-| quay-operator (subscription) | -3 | 28 | After ODF operator | commented |
-| rhtas-operator (subscription) | -2 | 29 | After Quay operator | commented |
-| quay-enterprise (namespace) | 1 | 32 | Before NooBaa and Quay components | commented |
-| trusted-artifact-signer (namespace) | 1 | 32 | Auto-created by RHTAS operator | commented |
-| trusted-profile-analyzer (namespace) | 1 | 32 | Before RHTPA components | commented |
-| noobaa-mcg | 5 | 36 | Deploy after core services | commented |
-| acs-central | 10 | 41 | — | yes |
-| quay-registry | 10 | 41 | Deploy after NooBaa | commented |
-| trusted-profile-analyzer | 10 | 41 | Chart resources (OBC, DB, etc.) | commented |
-| acs-secured-cluster | 15 | 46 | — | yes |
-| trusted-artifact-signer | 15 | 46 | Deploy after dependencies | commented |
+| Application | Old | Current | Comment |
+| --- | ---: | ---: | --- |
+| compliance-scanning | -30 | 1 | Earliest app |
+| rh-cert-manager | — | 5 | Infrastructure, early (newly added) |
+| acm | — | 5 | Infrastructure, early (newly added) |
+| acm-managed-clusters | — | 10 | After ACM (newly added) |
+| ztvp-certificates | -10 | 21 | Custom CA distribution |
+| vault | — | 25 | Core secret store (newly added) |
+| openshift-storage (OperatorGroup) | -5 | 26 | Propagated to OperatorGroup |
+| rhtpa-operator (namespace) | -5 | 26 | Before operator subscription |
+| odf (subscription) | -4 | 27 | After OperatorGroup (26) |
+| rhtpa-operator (subscription) | -4 | 27 | After OperatorGroup (26) |
+| quay-operator (subscription) | -3 | 28 | After ODF operator |
+| rhtas-operator (subscription) | -2 | 29 | After Quay operator |
+| golang-external-secrets | — | 30 | After Vault (newly added) |
+| zero-trust-workload-identity-manager | — | 30 | After Vault/certs (newly added) |
+| quay-enterprise (namespace) | 1 | 32 | Before NooBaa and Quay components |
+| trusted-artifact-signer (namespace) | 1 | 32 | Auto-created by RHTAS operator |
+| trusted-profile-analyzer (namespace) | 1 | 32 | Before RHTPA components |
+| rh-keycloak | — | 35 | After ZTWIM for SPIFFE IdP (newly added) |
+| noobaa-mcg | 5 | 36 | Deploy after core services |
+| qtodo | — | 38 | After Keycloak, Vault (newly added) |
+| acs-central | 10 | 41 | — |
+| quay-registry | 10 | 41 | Deploy after NooBaa |
+| trusted-profile-analyzer | 10 | 41 | Chart resources (OBC, DB, etc.) |
+| acs-secured-cluster | 15 | 46 | — |
+| trusted-artifact-signer | 15 | 46 | Deploy after dependencies |
+| supply-chain | — | 48 | After RHTAS/ACS, before chart templates (newly added) |
## Chart-level waves (templates)
-These control resource ordering within a single Application's sync.
+These control resource ordering within a single Application's sync. Template waves are resolved locally within each app, not globally across all apps.
-### compliance-scanning (`charts/compliance-scanning/templates/`)
+### compliance-scanning (`charts/compliance-scanning/templates/`) — App wave: 1
| Resource | Old | Current |
| --- | ---: | ---: |
@@ -41,7 +120,7 @@ These control resource ordering within a single Application's sync.
| scan-setting.yaml | -10 | 21 |
| scan-setting-binding.yaml | -10 | 21 |
-### ztvp-certificates (`charts/ztvp-certificates/templates/`)
+### ztvp-certificates (`charts/ztvp-certificates/templates/`) — App wave: 21
| Resource | Old | Current |
| --- | ---: | ---: |
@@ -52,26 +131,7 @@ These control resource ordering within a single Application's sync.
| managedclusterset-binding.yaml | -6 | 25 |
| distribution-policy.yaml (3 resources) | -5 | 26 |
-### rhtpa-operator (`charts/rhtpa-operator/templates/`)
-
-| Resource | Old | Current |
-| --- | ---: | ---: |
-| ingress-ca-job.yaml (SA, Role, RoleBinding, ConfigMap, Job) | 0 | 31 |
-| operator-rolebinding.yaml (2 bindings) | 1 | 32 |
-| ingress-ca-job.yaml (completion Job) | 2 | 33 |
-| oidc-cli-secret.yaml | 3 | 34 |
-| postgresql-serviceaccount.yaml | 5 | 36 |
-| postgresql-external-secret.yaml | 5 | 36 |
-| object-bucket-claim.yaml | 5 | 36 |
-| s3-credentials-secret.yaml | 8 | 39 |
-| postgresql-statefulset.yaml | 10 | 41 |
-| postgresql-service.yaml | 10 | 41 |
-| spiffe-helper-config.yaml | 18 | 49 |
-| trusted-profile-analyzer.yaml (supporting objects) | 20 | 51 |
-| operator-readiness-check.yaml (SA, Role, Job) | 40 | 71 |
-| trusted-profile-analyzer.yaml (Policy/CR) | 50 | 81 |
-
-### noobaa-mcg (`charts/noobaa-mcg/templates/`)
+### noobaa-mcg (`charts/noobaa-mcg/templates/`) — App wave: 36
| Resource | Old | Current |
| --- | ---: | ---: |
@@ -79,14 +139,14 @@ These control resource ordering within a single Application's sync.
| noobaa-system.yaml | 2 | 33 |
| bucket-class.yaml | 3 | 34 |
-### keycloak (`charts/keycloak/templates/`)
+### keycloak (`charts/keycloak/templates/`) — App wave: 35
| Resource | Old | Current |
| --- | ---: | ---: |
| keycloak.yaml | 5 | 36 |
| keycloak-realm-import.yaml | 10 | 41 |
-### quay-registry (`charts/quay-registry/templates/`)
+### quay-registry (`charts/quay-registry/templates/`) — App wave: 41
| Resource | Old | Current |
| --- | ---: | ---: |
@@ -96,7 +156,7 @@ These control resource ordering within a single Application's sync.
| quay-s3-credentials-job.yaml | 8 | 39 |
| quay-registry.yaml | 10 | 41 |
-### acs-central (`charts/acs-central/templates/`)
+### acs-central (`charts/acs-central/templates/`) — App wave: 41
| Resource | Old | Current |
| --- | ---: | ---: |
@@ -110,19 +170,38 @@ These control resource ordering within a single Application's sync.
| create-auth-provider.yaml (Job) | 13 | 44 |
| console-link.yaml | 15 | 46 |
-### acs-secured-cluster (`charts/acs-secured-cluster/templates/`)
+### acs-secured-cluster (`charts/acs-secured-cluster/templates/`) — App wave: 46
| Resource | Old | Current |
| --- | ---: | ---: |
| secured-cluster-cr.yaml | 15 | 46 |
-### rhtas-operator (`charts/rhtas-operator/templates/`)
+### rhtas-operator (`charts/rhtas-operator/templates/`) — App wave: 46
| Resource | Old | Current |
| --- | ---: | ---: |
| securesign.yaml | 15 | 46 |
-### qtodo (`charts/qtodo/templates/`)
+### rhtpa-operator (`charts/rhtpa-operator/templates/`) — App wave: 41
+
+| Resource | Old | Current |
+| --- | ---: | ---: |
+| ingress-ca-job.yaml (SA, Role, RoleBinding, ConfigMap, Job) | 0 | 31 |
+| operator-rolebinding.yaml (2 bindings) | 1 | 32 |
+| ingress-ca-job.yaml (completion Job) | 2 | 33 |
+| oidc-cli-secret.yaml | 3 | 34 |
+| postgresql-serviceaccount.yaml | 5 | 36 |
+| postgresql-external-secret.yaml | 5 | 36 |
+| object-bucket-claim.yaml | 5 | 36 |
+| s3-credentials-secret.yaml | 8 | 39 |
+| postgresql-statefulset.yaml | 10 | 41 |
+| postgresql-service.yaml | 10 | 41 |
+| spiffe-helper-config.yaml | 18 | 49 |
+| trusted-profile-analyzer.yaml (supporting objects) | 20 | 51 |
+| operator-readiness-check.yaml (SA, Role, Job) | 40 | 71 |
+| trusted-profile-analyzer.yaml (Policy/CR) | 50 | 81 |
+
+### qtodo (`charts/qtodo/templates/`) — App wave: 38
| Resource | Old | Current |
| --- | ---: | ---: |
@@ -133,7 +212,7 @@ These control resource ordering within a single Application's sync.
| app-deployment.yaml | 20 | 51 |
| app-service.yaml | 20 | 51 |
-### supply-chain (`charts/supply-chain/templates/`)
+### supply-chain (`charts/supply-chain/templates/`) — App wave: 48
| Resource | Old | Current |
| --- | ---: | ---: |
@@ -144,3 +223,10 @@ These control resource ordering within a single Application's sync.
| Resource | Old | Current |
| --- | ---: | ---: |
| noobaa-mcg example | 5 | 36 |
+
+## Notes
+
+- **"Old"** = value before the +31 offset. **"—"** = no sync-wave existed (defaulted to 0).
+- **"Current"** = value after the +31 offset plus newly added application-level annotations.
+- Template waves are resolved **locally within each app sync**, not globally. A template wave of 32 inside acs-central (app wave 41) does not conflict with a template wave of 32 inside noobaa-mcg (app wave 36); they run independently.
+- Sync waves control **Application creation order**, not readiness. A later wave means the Application resource is submitted to the hub later, but the earlier app's pods may not be fully running yet. For hard readiness gates, use Argo CD health checks or resource hooks.
diff --git a/values-hub.yaml b/values-hub.yaml
index d4d80743..e2c5304d 100644
--- a/values-hub.yaml
+++ b/values-hub.yaml
@@ -232,6 +232,8 @@ clusterGroup:
project: hub
chart: acm
chartVersion: 0.1.*
+ annotations:
+ argocd.argoproj.io/sync-wave: "5"
ignoreDifferences:
- group: internal.open-cluster-management.io
kind: ManagedClusterInfo
@@ -245,6 +247,8 @@ clusterGroup:
name: acm-managed-clusters
project: hub
path: charts/acm-managed-clusters
+ annotations:
+ argocd.argoproj.io/sync-wave: "10"
ignoreDifferences:
- group: cluster.open-cluster-management.io
kind: ManagedCluster
@@ -271,6 +275,8 @@ clusterGroup:
project: hub
chart: hashicorp-vault
chartVersion: 0.1.*
+ annotations:
+ argocd.argoproj.io/sync-wave: "25"
# Custom Vault policies for least-privilege access
# Each application gets access only to its specific secrets path
#
@@ -427,12 +433,16 @@ clusterGroup:
project: hub
chart: golang-external-secrets
chartVersion: 0.1.*
+ annotations:
+ argocd.argoproj.io/sync-wave: "30"
rh-keycloak:
name: rh-keycloak
namespace: keycloak-system
project: hub
chart: rhbk
chartVersion: 0.0.*
+ annotations:
+ argocd.argoproj.io/sync-wave: "35"
# SPIFFE Identity Provider is enabled by default in the chart.
# Override issuer/jwksUrl only if auto-generated values from cluster domain are not suitable.
# overrides:
@@ -446,12 +456,16 @@ clusterGroup:
project: hub
chart: ocp-certmanager
chartVersion: 0.2.*
+ annotations:
+ argocd.argoproj.io/sync-wave: "5"
zero-trust-workload-identity-manager:
name: zero-trust-workload-identity-manager
namespace: zero-trust-workload-identity-manager
project: hub
chart: ztwim
chartVersion: 0.1.*
+ annotations:
+ argocd.argoproj.io/sync-wave: "30"
overrides:
- name: spire.clusterName
value: hub
@@ -460,6 +474,8 @@ clusterGroup:
namespace: qtodo
project: hub
path: charts/qtodo
+ annotations:
+ argocd.argoproj.io/sync-wave: "38"
ignoreDifferences:
- kind: ServiceAccount
jqPathExpressions:
@@ -492,6 +508,8 @@ clusterGroup:
# name: supply-chain
# project: hub
# path: charts/supply-chain
+ # annotations:
+ # argocd.argoproj.io/sync-wave: "48"
# ignoreDifferences:
# - kind: ServiceAccount
# jqPathExpressions:
From cf31a448fded950d94361723f247d700e986c52f Mon Sep 17 00:00:00 2001
From: Min Zhang
Date: Tue, 24 Mar 2026 10:23:53 -0400
Subject: [PATCH 3/4] fix: apply +31 sync-wave offset to values-coco-dev.yaml and unpin clustergroup chart
Apply the same +31 sync-wave offset convention to values-coco-dev.yaml so all waves are positive, matching values-hub.yaml. Revert the temporary clusterGroupChartVersion pin (0.9.45 -> 0.9.*) since positive-only waves eliminate the issue that prompted it.
Signed-off-by: Min Zhang
---
docs/SYNC-WAVE-INVENTORY.md | 30 ++++++++++++++++++++++++++----
values-coco-dev.yaml | 20 ++++++++++----------
values-global.yaml | 3 +--
3 files changed, 37 insertions(+), 16 deletions(-)
diff --git a/docs/SYNC-WAVE-INVENTORY.md b/docs/SYNC-WAVE-INVENTORY.md
index 2f30d872..d0708d5e 100644
--- a/docs/SYNC-WAVE-INVENTORY.md
+++ b/docs/SYNC-WAVE-INVENTORY.md
@@ -70,6 +70,7 @@ Every sync-wave in the repository, in order. **App** = hub-level Argo CD Applica
| 46 | └ rhtas-operator | chart | securesign |
| 48 | supply-chain | **App** | |
| 49 | └ rhtpa-operator | chart | spiffe-helper-config |
+| 51 | acs-policies | **App** | After ACS Central + Secured Cluster |
| 51 | └ rhtpa-operator | chart | trusted-profile-analyzer (supporting objects) |
| 51 | └ qtodo | chart | app-deployment, app-service |
| 51 | └ supply-chain | chart | workspaces |
@@ -106,12 +107,32 @@ Every sync-wave in the repository, in order. **App** = hub-level Argo CD Applica
| acs-secured-cluster | 15 | 46 | — |
| trusted-artifact-signer | 15 | 46 | Deploy after dependencies |
| supply-chain | — | 48 | After RHTAS/ACS, before chart templates (newly added) |
+| acs-policies | 20 | 51 | After ACS Central + Secured Cluster |
+
+## Application-level waves (`values-coco-dev.yaml`)
+
+The CoCo development configuration reuses several of the same components. Only the active `compliance-scanning` wave differs from the commented-out defaults; other entries are commented out but updated for consistency.
+
+| Application | Old | Current | Comment |
+| --- | ---: | ---: | --- |
+| compliance-scanning | -30 | 1 | Earliest app |
+| openshift-storage (OperatorGroup) | -5 | 26 | Commented; propagated to OperatorGroup |
+| quay-enterprise (namespace) | 1 | 32 | Commented; before NooBaa and Quay components |
+| trusted-artifact-signer (namespace) | 1 | 32 | Commented; auto-created by RHTAS operator |
+| odf (subscription) | -4 | 27 | Commented; after OperatorGroup (26) |
+| quay-operator (subscription) | -3 | 28 | Commented; after ODF operator |
+| rhtas-operator (subscription) | -2 | 29 | Commented; after Quay operator |
+| noobaa-mcg | 5 | 36 | Commented; deploy after core services |
+| quay-registry | 10 | 41 | Commented; deploy after NooBaa |
+| trusted-artifact-signer | 15 | 46 | Commented; deploy after dependencies |
## Chart-level waves (templates)
These control resource ordering within a single Application's sync. Template waves are resolved locally within each app, not globally across all apps.
-### compliance-scanning (`charts/compliance-scanning/templates/`) — App wave: 1
+Charts marked **(external)** have been externalized to standalone repositories managed under [validatedpatterns](https://github.com/validatedpatterns). Their resource-level sync-wave annotations are maintained in those repos, not here. The tables below reflect the +31 offset values that each external chart should carry.
+
+### compliance-scanning — **(external)** `ocp-compliance-scanning-chart` v0.0.3 — App wave: 1
| Resource | Old | Current |
| --- | ---: | ---: |
@@ -139,14 +160,14 @@ These control resource ordering within a single Application's sync. Template wav
| noobaa-system.yaml | 2 | 33 |
| bucket-class.yaml | 3 | 34 |
-### keycloak (`charts/keycloak/templates/`) — App wave: 35
+### keycloak — **(external)** `rhbk-chart` v0.0.4 — App wave: 35
| Resource | Old | Current |
| --- | ---: | ---: |
| keycloak.yaml | 5 | 36 |
| keycloak-realm-import.yaml | 10 | 41 |
-### quay-registry (`charts/quay-registry/templates/`) — App wave: 41
+### quay-registry — **(external)** `quay-chart` v0.1.3 — App wave: 41
| Resource | Old | Current |
| --- | ---: | ---: |
@@ -226,7 +247,8 @@ These control resource ordering within a single Application's sync. Template wav
 
 ## Notes
 
-- **"Old"** = value before the +31 offset. **"—"** = no sync-wave existed (defaulted to 0).
+- **"Old"** = value before the +31 offset. **"---"** = no sync-wave existed (defaulted to 0).
 - **"Current"** = value after the +31 offset plus newly added application-level annotations.
 - Template waves are resolved **locally within each app sync**, not globally. A template wave of 32 inside acs-central (app wave 41) does not conflict with a template wave of 32 inside noobaa-mcg (app wave 36); they run independently.
 - Sync waves control **Application creation order**, not readiness. A later wave means the Application resource is submitted to the hub later, but the earlier app's pods may not be fully running yet. For hard readiness gates, use Argo CD health checks or resource hooks.
+- **Externalized charts**: Five charts (certmanager, compliance-scanning, keycloak/RHBK, quay-registry, ZTWIM) are maintained in standalone repositories. Their resource-level sync-wave annotations are managed there and pinned via `chartVersion` in `values-hub.yaml`. Application-level sync-waves remain in this repository.
diff --git a/values-coco-dev.yaml b/values-coco-dev.yaml
index 731b4a43..0bb69fea 100644
--- a/values-coco-dev.yaml
+++ b/values-coco-dev.yaml
@@ -56,17 +56,17 @@ clusterGroup:
 # targetNamespace: openshift-storage
 # annotations:
 # openshift.io/cluster-monitoring: "true"
- # argocd.argoproj.io/sync-wave: "-5" # Propagated to OperatorGroup by framework
+ # argocd.argoproj.io/sync-wave: "26" # Propagated to OperatorGroup by framework
 # - quay-enterprise:
 # annotations:
- # argocd.argoproj.io/sync-wave: "1" # Create before NooBaa and all Quay components
+ # argocd.argoproj.io/sync-wave: "32" # Create before NooBaa and all Quay components
 # labels:
 # openshift.io/cluster-monitoring: "true"
 # RHTAS namespace (required when RHTAS application is enabled)
 # COMMENTED OUT: Uncomment to enable RHTAS with SPIFFE signing
 # - trusted-artifact-signer:
 # annotations:
- # argocd.argoproj.io/sync-wave: "1" # Auto-created by RHTAS operator
+ # argocd.argoproj.io/sync-wave: "32" # Auto-created by RHTAS operator
 # labels:
 # openshift.io/cluster-monitoring: "true"
 - zero-trust-workload-identity-manager:
@@ -152,13 +152,13 @@ clusterGroup:
 # namespace: openshift-storage
 # channel: stable-4.19
 # annotations:
- # argocd.argoproj.io/sync-wave: "-4" # Install after OperatorGroup (-5)
+ # argocd.argoproj.io/sync-wave: "27" # Install after OperatorGroup (26)
 # quay-operator:
 # name: quay-operator
 # namespace: openshift-operators
 # channel: stable-3.15
 # annotations:
- # argocd.argoproj.io/sync-wave: "-3" # Install after ODF operator
+ # argocd.argoproj.io/sync-wave: "28" # Install after ODF operator
 # RHTAS operator subscription (required when RHTAS application is enabled)
 # COMMENTED OUT: Uncomment to enable RHTAS with SPIFFE integration
 # rhtas-operator:
@@ -166,7 +166,7 @@ clusterGroup:
 # namespace: openshift-operators
 # channel: stable
 # annotations:
- # argocd.argoproj.io/sync-wave: "-2" # Install after Quay operator, before applications
+ # argocd.argoproj.io/sync-wave: "29" # Install after Quay operator, before applications
 # catalogSource: redhat-operators
 projects:
 - hub
@@ -220,7 +220,7 @@ clusterGroup:
 name: compliance-scanning
 namespace: openshift-compliance
 annotations:
- argocd.argoproj.io/sync-wave: '-30'
+ argocd.argoproj.io/sync-wave: '1'
 project: hub
 path: charts/compliance-scanning
 vault:
@@ -251,7 +251,7 @@ clusterGroup:
 # project: hub
 # path: charts/noobaa-mcg
 # annotations:
- # argocd.argoproj.io/sync-wave: "5" # Deploy after core services
+ # argocd.argoproj.io/sync-wave: "36" # Deploy after core services
 # Quay Container Registry (uses NooBaa for storage)
 # quay-registry:
 # name: quay-registry
@@ -259,7 +259,7 @@ clusterGroup:
 # project: hub
 # path: charts/quay-registry
 # annotations:
- # argocd.argoproj.io/sync-wave: "10" # Deploy after NooBaa storage backend
+ # argocd.argoproj.io/sync-wave: "41" # Deploy after NooBaa storage backend
 # RHTAS with SPIFFE Integration
 # COMMENTED OUT: Uncomment to enable RHTAS with SPIFFE and Email issuers
 # Depends on: Vault, SPIRE, Keycloak (for Email OIDC issuer if used)
@@ -269,7 +269,7 @@ clusterGroup:
 # project: hub
 # path: charts/rhtas-operator
 # annotations:
- # argocd.argoproj.io/sync-wave: "15" # Deploy after dependencies
+ # argocd.argoproj.io/sync-wave: "46" # Deploy after dependencies
 # overrides:
 # # OIDC Issuer Configuration - Both can be enabled simultaneously
 # # Enable SPIFFE issuer for workload identity
diff --git a/values-global.yaml b/values-global.yaml
index e24aeb12..c050c5fb 100644
--- a/values-global.yaml
+++ b/values-global.yaml
@@ -9,5 +9,4 @@ main:
 clusterGroupName: hub
 multiSourceConfig:
 enabled: true
- # Pinned version to avoid issues introduced by https://github.com/validatedpatterns/clustergroup-chart/pull/103
- clusterGroupChartVersion: "0.9.45"
+ clusterGroupChartVersion: "0.9.*"
From 20ffb69c5a804b1f4b523823622b806260b9ba28 Mon Sep 17 00:00:00 2001
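Review bot: The compliance-scanning annotation keeps single quotes (`argocd.argoproj.io/sync-wave: '1'`) while every other sync-wave value touched in this file uses double quotes (`"26"`, `"32"`, `"36"`, `"46"`), so the one live, uncommented entry is also the one inconsistent entry. Both forms parse to the string 1, which is what the annotation needs, so this is style only; `argocd.argoproj.io/sync-wave: "1"` would match the rest of the file. The enclosing clusterGroup mapping starts and ends outside the hunk.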
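Review bot: Replacing the pinned `clusterGroupChartVersion: "0.9.45"` with the floating `"0.9.*"` drops a pin whose removed comment said it existed to avoid a regression from clustergroup-chart pull 103, and the commit message (a sync-wave offset fix) does not mention this change at all. With a wildcard, every new 0.9.x release of the clustergroup chart is picked up on the next sync without a commit to review, so the reproducible rollback point and the review step for an upstream chart change are both lost. If the pull-103 issue is fixed upstream, keep a pin and say so, e.g. `# pull 103 regression fixed upstream in <fixed version>` above a pinned `clusterGroupChartVersion: "<fixed version>"`; if floating is intentional, it belongs in its own commit so the rationale is discoverable from history.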
From: Min Zhang Date: Thu, 2 Apr 2026 08:16:37 -0400 Subject: [PATCH 4/4] fix: externalize Helm chart references in values-coco-dev.yaml Replace local path references with externalized chart names to match values-hub.yaml: compliance-scanning, rh-cert-manager, ztwim, and commented-out rh-keycloak and quay-registry. Signed-off-by: Min Zhang
---
 values-coco-dev.yaml | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/values-coco-dev.yaml b/values-coco-dev.yaml
index 0bb69fea..70c956f0 100644
--- a/values-coco-dev.yaml
+++ b/values-coco-dev.yaml
@@ -222,7 +222,8 @@ clusterGroup:
 annotations:
 argocd.argoproj.io/sync-wave: '1'
 project: hub
- path: charts/compliance-scanning
+ chart: ocp-compliance-scanning
+ chartVersion: 0.0.*
 vault:
 name: vault
 namespace: vault
@@ -256,8 +257,9 @@ clusterGroup:
 # quay-registry:
 # name: quay-registry
 # namespace: quay-enterprise
- # project: hub
- # path: charts/quay-registry
+ # project: hub
+ # chart: quay
+ # chartVersion: 0.1.*
 # annotations:
 # argocd.argoproj.io/sync-wave: "41" # Deploy after NooBaa storage backend
 # RHTAS with SPIFFE Integration
@@ -295,17 +297,20 @@ clusterGroup:
 # name: rh-keycloak
 # namespace: keycloak-system
 # project: hub
- # path: charts/keycloak
+ # chart: rhbk
+ # chartVersion: 0.0.*
 rh-cert-manager:
 name: rh-cert-manager
 namespace: cert-manager-operator
 project: hub
- path: charts/certmanager
+ chart: ocp-certmanager
+ chartVersion: 0.2.*
 zero-trust-workload-identity-manager:
 name: zero-trust-workload-identity-manager
 namespace: zero-trust-workload-identity-manager
 project: hub
- path: charts/zero-trust-workload-identity-manager
+ chart: ztwim
+ chartVersion: 0.1.*
 overrides:
 - name: spire.clusterName
 value: hub
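Review bot: The new `chartVersion: 0.0.*` (and `0.2.*` / `0.1.*` in the `@@ -295,17` hunk, plus the commented `0.1.*` in the `@@ -256,8` hunk) floats on the patch component, so the externalized charts — whose resource-level sync-wave annotations the inventory doc earlier in this series says are now maintained upstream — can change on any sync without a commit in this repository. That same doc cites exact chart versions (`v0.0.3`, `v0.0.4`, `v0.1.3`); pinning those here, or adding a one-line comment on why a patch range is acceptable, keeps this file and the inventory in agreement. No `repoURL` appears for these `chart:` entries, so they presumably resolve through the clustergroup chart's default Helm repository — worth confirming that this is the intended source rather than assuming it. The values are unquoted and `0.0.*` does parse as a plain string, but `chartVersion: "0.0.*"` would match the quoted `clusterGroupChartVersion: "0.9.*"` in values-global.yaml and avoids any parser surprise should a value ever begin with `*`.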
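Review bot: In the `@@ -256,8 +257,9` hunk, `# project: hub` is removed and re-added with identical text, so the only difference on that line appears to be leading whitespace (not recoverable here, as indentation was collapsed in this rendering). Because the whole quay-registry block is commented out, nothing changes at runtime either way; if the intent was to re-indent the commented block to match the live entries, a short mention in the commit message would spare the reader a search for a content change that is not there.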