Add mirror helm chart and repo certificates (#730)

NimRegev · web-flow · commit a7e5ddc72e39 · 2023-06-15T10:44:06.000+03:00
* Add mirror helm chart and repo certificates

* Update on-prem-gitops-runtime-install.md

Changed link to repo certificate example; added related articles

* Update on-prem-gitops-runtime-install.md

Added to mirroring section that it is required post install and reason

* Update on-prem-gitops-runtime-install.md

Rewrote mirror section and added value of configuring as argo app
diff --git a/_docs/installation/gitops/on-prem-gitops-runtime-install.md b/_docs/installation/gitops/on-prem-gitops-runtime-install.md
@@ -53,19 +53,41 @@ global:
     ingress:                                   # on-prem supports only ingress-based
       enabled: true
       hosts:
-      - codefresh.ingress-host.com   ## required, should be identical to codefresh.url
+      - codefresh.ingress-host.com   ## required, replace with host used to access the runtime without `https://`
 
 app-proxy:
   config:
-    cors: https://codefresh-onprem.com  ## required, replace with host used to access runtime
+    cors: https://codefresh-onprem.com  ## required, must be identical to platform URL
 ```
 
+## Mirroring Helm chart in on-premises/air-gapped environments
+_After installing the GitOps On-premises Runtime_ in on-premises or air-gapped environments, you can manage it as an Argo Application to establish GitOps as the single source of truth for the Runtime. You can monitor the health and synchronization statuses of your Runtime components.  
+
+To manage the on-premises GitOps Runtime as an Argo Application, you need to:
+* **Mirror** the Helm chart to a repository that can be accessed by `app-proxy`
+* **Set an environment variable** in the `values` file in `.values.app-proxy` to reference the mirrored Helm repository, as shown in the example below.
+
+{% highlight yaml %}
+{% raw %}
+...
+app-proxy:
+  env:
+    HELM_REPOSITORY: https://codefresh-airgapped-helm-repo.s3.amazonaws.com/gitops-runtime
+...
+{% endraw %}
+{% endhighlight %}
+
+
+
 ## Image overrides for private registries
 If you use private registries, you need to override specific image values for the different subcharts and container images.
+
 We have a utility to help override image values for GitOps Runtimes. The utility creates values files that match the structure of the subcharts, allowing you to easily replace image registries. During chart installation, you can provide these values files to override the images, as needed.
 For more details, see [ArtifactHub](https://artifacthub.io/packages/helm/codefresh-gitops-runtime/gitops-runtime#using-with-private-registries---helper-utility){:target="\_blank"}.
 
 
+
+
 ## Argo project CRDs
 If you already have Argo project CRDs on your cluster, do one of the following:
 * Handle Argo projects CRDs outside of the chart (see [Argo's readme on Helm charts](https://github.com/argoproj/argo-helm/blob/main/README.md){:target="\_blank"})  
@@ -87,13 +109,12 @@ kubectl label --overwrite crds $(kubectl get crd | grep argoproj.io | awk '{prin
 kubectl annotate --overwrite crds $(kubectl get crd | grep argoproj.io | awk '{print $1}' | xargs) meta.helm.sh/release-name=$RELEASE
 kubectl annotate --overwrite crds $(kubectl get crd | grep argoproj.io | awk '{print $1}' | xargs) meta.helm.sh/release-namespace=$NAMESPACE
 ```
+## Custom certificates for on-premises installations
+For on-premises installations, you may need to configure custom platform and repository certificates:  
+* **Platform** certificates are required for GitOps Runtimes to communicate with the Codefresh platform. 
+* **Repository** certificates are required to authenticate users to on-premises Git servers. 
 
-## Ingress controller configuration 
-Ingress-based on-premises GitOps Runtimes require an ingress controller to be configured before the installation. For details, see [Ingress controller configuration]({{site.baseurl}}/docs/installation/gitops/hybrid-gitops-helm-installation/#ingress-controller-configuration).
-Depending on the ingress controller used, you may need post-installation configuration as well.
-
-## Platform certificates for on-premises installations
-Configure platform certificates, required for GitOps Runtimes to communicate with the Codefresh on-premises platform. 
+### Platform certificates
 
 1. Get your certificate:
 
@@ -129,3 +150,28 @@ global:
             -----END CERTIFICATE-----
 ```
 
+
+### Repository certificates 
+Add repository certificates to your Codefresh `values` file, in `.values.argo-cd`. These values are used by the argo-cd Codefresh deploys. 
+For details on adding repository certificates, see this [section](https://github.com/codefresh-io/argo-helm/blob/argo-cd-5.29.2-cap-CR-18430/charts/argo-cd/values.yaml#LL336C7-L336C7){:target="\_blank"}.
+
+
+```yaml
+argo-cd:
+  configs:
+    tls:
+      certificates:
+        server.example.com: |
+          -----BEGIN CERTIFICATE-----
+          ...
+          -----END CERTIFICATE-----
+```
+
+## Ingress controller configuration 
+Ingress-based on-premises GitOps Runtimes require an ingress controller to be configured before the installation. For details, see [Ingress controller configuration]({{site.baseurl}}/docs/installation/gitops/hybrid-gitops-helm-installation/#ingress-controller-configuration).
+Depending on the ingress controller used, you may need post-installation configuration as well.
+
+
+## Related articles
+[Managing and monitoring GitOps Runtimes]({{site.baseurl}}/docs/installation/gitops/monitor-manage-runtimes/)  
+[On-premises platform architecture]({{site.baseurl}}/docs/installation/runtime-architecture/#gitops-architecture)  
