ROX-20058: Use GCP secret manager + Helm for infra deployments

[tommartensen]

Changes

• Infra configuration and secrets were moved to GCP secret manager, which supports versioning, streaming of values into helm upgrade.
• Infra is now deployed via Helm.
• Helm and secrets utils are available through Make targets, which use the scripts in scripts/deploy.
• "deployment" & "environment" were simplified to "environment", which can be "development" or "production". Previous usages of "local" deployment have been replaced with check of the .Capabilities API to avoid provisioning non-existent K8s resources, and the testMode value, which can be set to disable telemetry.
• The "infra" namespace is now created with Helm instead of explicitly as a K8s resource

Misc

• PR GHA workflow: Is now synchronized, ie only one workflow per PR can run
• Deployment GHA workflow: The Slack channel ID was fixed
• Documentation was updated
• Argo Workflow server is now installed through a Helm chart and independent of the infra-server deployment

How I tested my changes

• PR workflow (build, PR cluster, e2e tests)
  • Port-forward to PR cluster, login through UI on https://localhost:8443
• Deployed to dev.infra.rox.systems with the fixed Deployment workflow (notification) and from my machine, following the DEPLOYMENT.md instructions.

Rollout on prod

1. make configuration-download on master

2. Replacing ".Values.deployment" with ".Values.environment" in chart/infra-server/configuration/production/{auth0.yaml, oidc.yaml}

3. make create-consolidated-values

4. Validate "oidc_yaml" contains ".Values.environment":

   yq \
       ".oidc_yaml" \
       "chart/infra-server/configuration/production-values-from-files.yaml" \
   | base64 --decode

5. Remove "auth0_yaml" (migrated to RHSSO), "google_calendar_credentials_json" (functionality removed), "gke__gke_credentials_json" (pre RH migration), all unused in chart.

6. Switch to tm/helm-charts branch.

7. ENVIRONMENT=production make secrets-upload

8. Validate new secret shows updated values: ./scripts/deploy/secrets.sh show production latest, selecting "oidc_yaml" shows the same output as (4).

9. Validate you're pointing to the correct cluster: kubectl config current-context.

10. Delete argo and infra namespaces and all secrets in default namespace (except default token). This is required to have a clean slate, otherwise conflicts with Helm unmanaged resources.

11. ENVIRONMENT=production make install-argo helm-deploy.

[ghost]

A single node development cluster (infra-pr-1015) was allocated in production infra for this PR.

CI will attempt to deploy us.gcr.io/stackrox-infra/infra-server:0.8.2-22-gce8e555ae1 to it.

🔌 You can connect to this cluster with:

gcloud container clusters get-credentials infra-pr-1015 --zone us-central1-a --project acs-team-temp-dev

🛠️ And pull infractl from the deployed dev infra-server with:

nohup kubectl -n infra port-forward svc/infra-server-service 8443:8443 &
make pull-infractl-from-dev-server

🚲 You can then use the dev infra instance e.g.:

bin/infractl -k -e localhost:8443 whoami

⚠️ Any clusters that you start using your dev infra instance should have a lifespan shorter then the development cluster instance. Otherwise they will not be destroyed when the dev infra instance ceases to exist when the development cluster is deleted. ⚠️

Further Development

☕ If you make changes, you can commit and push and CI will take care of updating the development cluster.

🚀 If you only modify configuration (chart/infra-server/configuration) or templates (chart/infra-server/{static,templates}), you can get a faster update with:

make install-local

Logs

Logs for the development infra depending on your @redhat.com authuser:

• authuser=0
• authuser=1
• authuser=2

Or:

kubectl -n infra logs -l app=infra-server --tail=1 -f

[gavin-stackrox]

Nice! Other than my questions around ManagedCert/Ingress, I think this PR is good to go

[gavin-stackrox]

Yay!

[gavin-stackrox]

Yay!

[gavin-stackrox]

Ugh. Re-organizing files makes review extra hard. Re-org should be a separate PR IMhO. But not going to hold this PR back for it.

[gavin-stackrox]

This is going to create the managedcertificate on infra PR instances with dev values. How will this affect the dev instance? If we are not sure, then best to avoid.

[tommartensen]

The managed certificate will be stuck in Provisioning state for infra PR instances, because the certificate challenge cannot be reached on the {{ .Values.hosts.primary }} or {{ .Values.hosts.secondary }}.

No impact on the dev cluster other than some failed requests from GCP.

[gavin-stackrox]

Whatabout using .Values.testMode to exclude them? I get that they are probably harmless but given that dependabot can create lots of dev instances I'd prefer to avoid any issues.

[tommartensen]

OK ce8e555