|
| 1 | +--- |
| 2 | +title:"Runtime values file validation" |
| 3 | +description:"Review how Codefresh GitOps validates Runtime's values file" |
| 4 | +toc:true |
| 5 | +--- |
| 6 | + |
| 7 | + |
| 8 | +##`values.yaml` file validation |
| 9 | +The Codefresh`values.yaml` file available[here](https://github.com/codefresh-io/gitops-runtime-helm/blob/main/charts/installation/gitops/){:target="\_blank"}, contains all the arguments you can configure, including optional ones. |
| 10 | + |
| 11 | +Before initiating the installation, Codefresh automatically validates the`values.yaml` file to verify that the supplied values are correct. |
| 12 | +A validation error will automatically terminate the installation. |
| 13 | + |
| 14 | +You can disable automated validation globally for all installation settings, or for only the ingress controller for example, and run validation manually. |
| 15 | + |
| 16 | +##Validated settings |
| 17 | +The table below lists the settings validated in the`values` file. |
| 18 | + |
| 19 | +{: .table .table-bordered .table-hover} |
| 20 | +|**Setting**|**Validation**| |
| 21 | +| --------------| --------------| |
| 22 | +|**userToken**|If explicitly defined, or defined as a`secretKeyRef` which exists in the current K8s context and the defined namespace.| |
| 23 | +|**Account permissions**|If the user has admin permissions for the account in which they are installing the runtime.| |
| 24 | +|**Runtime name**|If defined, and is unique to the account.| |
| 25 | +|**Access mode**|{::nomarkdown}<ul><li>For tunnel-based (the default), if <codeclass="highlighter-rouge">accountId</code> is defined, and matches the account of the <codeclass="highlighter-rouge">userToken</code> defined in the file.</li><li>For ingress-based, if the hosts array contains at least one entry that is a valid URL (successful HTTP GET).</li><li>If both tunnel-based and ingress-based access modes are disabled, if <codeclass="highlighter-rouge">runtime.ingressUrl</code> is defined.</li></ul>{:/}| |
| 26 | +|**gitCredentials**|{::nomarkdown}<ul><li>When defined, if includes a Git password either explicitly, or as a <codeclass="highlighter-rouge">secretKeyRef</code>, similar to <codeclass="highlighter-rouge">userToken</code>.</li><li>The password or token has the required permissions in the Git provider.</li></ul>{:/}| |
| 27 | + |
| 28 | +##Validation failures |
| 29 | +If validation failes, Codefresh terminates the installation with the error: |
| 30 | +`Job has reached the specified backoff limit` |
| 31 | + |
| 32 | +For detailed information on the reason for the validation failure, run: |
| 33 | +`kubectl logs jobs/validate-values -n ${NAMESPACE}` |
| 34 | +where: |
| 35 | +*`{NAMESPACE}` must be replaced with the namespace of the Hybrid GitOps Runtime. |
| 36 | + |
| 37 | +##Disable installation validation globally |
| 38 | +You may want to disable automated validation globally for specific scenarios, such as to address false-negatives. |
| 39 | + |
| 40 | +To disable validation globally, use either of these methods: |
| 41 | +* Add the`--set installer.skipValidation=true` flag to the Helm install command |
| 42 | +* Add`installer.skipValidation: true` to the`values.yaml` file |
| 43 | + |
| 44 | +#####In install command |
| 45 | +`--set installer.skipValidation=true` |
| 46 | + |
| 47 | +#####In values file |
| 48 | +{% highlight yaml %} |
| 49 | +{% raw %} |
| 50 | +... |
| 51 | +installer: skipValidation: true |
| 52 | +... |
| 53 | +{% endraw %} |
| 54 | +{% endhighlight %} |
| 55 | + |
| 56 | +##Disable ingress validation |
| 57 | +Ingress validation checks if the ingress URL exists and responds to web requests. |
| 58 | +During a GitOps Runtime installation, the ingress might not be active yet, causing DNS errors despite correct configuration. Disabling ingress validation allows the installation to proceed, assuming the ingress will work once the Runtime is fully operational. |
| 59 | + |
| 60 | +To disable only ingress validation, use either of these methods: |
| 61 | +* Add the`--set global.runtime.ingress.skipValidation=true` flag to the Helm install command |
| 62 | +* Add`global.runtime.ingress.skipValidation: true` to the`values.yaml` file. |
| 63 | + |
| 64 | +#####In install command |
| 65 | + |
| 66 | +`--set global.runtime.ingress.skipValidation=true` |
| 67 | + |
| 68 | +#####In values file |
| 69 | + |
| 70 | +{% highlight yaml %} |
| 71 | +{% raw %} |
| 72 | +... |
| 73 | +global: |
| 74 | + runtime: |
| 75 | + ingress: |
| 76 | + skipValidation: true |
| 77 | +... |
| 78 | +{% endraw %} |
| 79 | +{% endhighlight %} |
| 80 | + |
| 81 | +##Disable validation for custom/fine-grained Git tokens |
| 82 | +When using token with custom scopes, or GitHub's fine-grained tokens (currently not officially supported by Codefresh),_skip token validation_ to avoid validation failures during installation. |
| 83 | + |
| 84 | +Add the`skipGitPermissionValidation` flag to your`values.yaml` file: |
| 85 | + |
| 86 | +```yaml |
| 87 | +app-proxy: |
| 88 | +config: |
| 89 | +skipGitPermissionValidation:"true" |
| 90 | +``` |
| 91 | +
|
| 92 | +If you set this flag, make sure that: |
| 93 | +1. The Git user token defined for the GitOps Runtime (the token defined for`runtime-repo-creds-secret`), has read and write access to the Shared Configuration Repository. |
| 94 | +1. The Git user tokens for the different Git repositories associated with the Runtimes have read and write permissions to those Git repositories they expect to write to and read from. |
| 95 | +For details on using multiple `repo-creds` secrets, see [Argo CD Repositories](https://argo-cd.readthedocs.io/en/stable/operator-manual/declarative-setup/#repositories). |
| 96 | + |
| 97 | +For details on Git token usage, see [Git tokens]({{site.baseurl}}/docs/security/git-tokens/). |
| 98 | + |
| 99 | +## Manually validate values.yaml file |
| 100 | +To manually validate the values file, run: |
| 101 | +`cf helm validate --values <values_file> --namespace <namespace> --version <version>` |
| 102 | +where: |
| 103 | +* `<values_file>` is the name of the `values.yaml` file used by the Helm installation. |
| 104 | +* `<namespace>` is the namespace in which to install the Hybrid GitOps runtime, either the default `codefresh`, or the custom name you intend to use for the installation. The Namespace must conform to the naming conventions for Kubernetes objects. |
| 105 | +* `<version>` is the version of the runtime to install. |
| 106 | + |
| 107 | + |
| 108 | +## Install first GitOps Runtime in account |
| 109 | +If you are installing the first GitOps Runtime in your Codefresh account, follow the installation wizard for guided instructions. |
| 110 | + |