From 8941a0d854c1a82f0a24ecfa6587caac595006e0 Mon Sep 17 00:00:00 2001
From: Steven Hardy
Date: Tue, 31 Jan 2023 16:26:50 +0000
Subject: [PATCH] manifest: remove outdated manifests
In the community call we agreed to remove these and go ahead with updating the helm-charts repo instead (which contains similar manifests which are templated)
---
 manifest/OWNERS | 6 -
 manifest/etcd.yaml | 201 ------------------------
 manifest/issuer.yaml | 6 -
 manifest/kcp-front-proxy.yaml | 258 -------------------------------
 manifest/kcp.yaml | 282 ----------------------------------
 manifest/kustomization.yaml | 7 -
 6 files changed, 760 deletions(-)
 delete mode 100644 manifest/OWNERS
 delete mode 100644 manifest/etcd.yaml
 delete mode 100644 manifest/issuer.yaml
 delete mode 100644 manifest/kcp-front-proxy.yaml
 delete mode 100644 manifest/kcp.yaml
 delete mode 100644 manifest/kustomization.yaml
diff --git a/manifest/OWNERS b/manifest/OWNERS
deleted file mode 100644
index a7650ced0d7..00000000000
--- a/manifest/OWNERS
+++ /dev/null
@@ -1,6 +0,0 @@
-approvers:
-- ncdc
-- sttts
-- kylape
-reviewers:
-- csams
diff --git a/manifest/etcd.yaml b/manifest/etcd.yaml
deleted file mode 100644
index ad6e8a6b366..00000000000
--- a/manifest/etcd.yaml
+++ /dev/null
@@ -1,201 +0,0 @@ ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: etcd-client-ca -spec: - isCA: true - commonName: etcd-client-bootstrap - secretName: etcd-client-bootstrap-secret - privateKey: - algorithm: RSA - size: 2048 - issuerRef: - name: kcp-pki-bootstrap - kind: Issuer - group: cert-manager.io ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: etcd-peer-ca -spec: - isCA: true - commonName: etcd-peer-bootstrap - secretName: etcd-peer-bootstrap-secret - privateKey: - algorithm: RSA - size: 2048 - issuerRef: - name: kcp-pki-bootstrap - kind: Issuer - group: cert-manager.io ---- -apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: - name: etcd-client-issuer -spec: - ca: - secretName: etcd-client-bootstrap-secret ---- -apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: - name: etcd-peer-issuer -spec: - ca: - secretName: etcd-peer-bootstrap-secret ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: etcd -spec: - secretName: etcd-cert - duration: 2160h0m0s # 90d - renewBefore: 360h0m0s # 15d - subject: - organizations: - - redhat - privateKey: - algorithm: RSA - encoding: PKCS1 - size: 2048 - usages: - - server auth - - client auth - dnsNames: - - etcd - - etcd-0 - - etcd-1 - - etcd-2 - - etcd-0.etcd - - etcd-1.etcd - - etcd-2.etcd - ipAddresses: - - 0.0.0.0 - issuerRef: - name: etcd-client-issuer ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: etcd-peer -spec: - secretName: etcd-peer-cert - duration: 2160h0m0s # 90d - renewBefore: 360h0m0s # 15d - subject: - organizations: - - redhat - privateKey: - algorithm: RSA - encoding: PKCS1 - size: 2048 - usages: - - server auth - - client auth - dnsNames: - - etcd-0.etcd - - etcd-1.etcd - - etcd-2.etcd - - etcd-0 - - etcd-1 - - etcd-2 - ipAddresses: - - 0.0.0.0 - issuerRef: - name: etcd-peer-issuer ---- -apiVersion: v1 -kind: Service -metadata: - name: etcd -spec: - clusterIP: None - ports: - - port: 2379 - name: 
client - - port: 2380 - name: peer - selector: - app: etcd ---- -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: etcd - labels: - app: etcd -spec: - serviceName: etcd - selector: - matchLabels: - app: etcd - replicas: 3 - template: - metadata: - name: etcd - labels: - app: etcd - spec: - containers: - - name: etcd - image: quay.io/coreos/etcd:v3.5.2 - ports: - - containerPort: 2379 - name: client - - containerPort: 2380 - name: peer - volumeMounts: - - name: etcd-data - mountPath: /var/run/etcd - - name: peer-certs - mountPath: /etc/etcd/tls/peer - - name: server-certs - mountPath: /etc/etcd/tls/server - resources: - limits: - cpu: '1' - memory: 2Gi - requests: - cpu: 500m - memory: 1Gi - command: - - /bin/sh - - -c - - | - PEERS="etcd-0=https://etcd-0.etcd:2380,etcd-1=https://etcd-1.etcd:2380,etcd-2=https://etcd-2.etcd:2380" - exec etcd --name ${HOSTNAME} \ - --listen-peer-urls https://0.0.0.0:2380 \ - --initial-advertise-peer-urls https://${HOSTNAME}:2380 \ - --listen-client-urls https://0.0.0.0:2379 \ - --advertise-client-urls https://${HOSTNAME}:2379 \ - --initial-cluster-token etcd-cluster-1 \ - --initial-cluster ${PEERS} \ - --initial-cluster-state new \ - --data-dir /var/run/etcd/default.etcd \ - --peer-client-cert-auth=true \ - --peer-cert-file=/etc/etcd/tls/peer/tls.crt \ - --peer-key-file=/etc/etcd/tls/peer/tls.key \ - --peer-trusted-ca-file=/etc/etcd/tls/peer/ca.crt \ - --client-cert-auth=true \ - --cert-file=/etc/etcd/tls/server/tls.crt \ - --key-file=/etc/etcd/tls/server/tls.key \ - --trusted-ca-file=/etc/etcd/tls/server/ca.crt - volumes: - - name: peer-certs - secret: - secretName: etcd-peer-cert - - name: server-certs - secret: - secretName: etcd-cert - volumeClaimTemplates: - - metadata: - name: etcd-data - spec: - accessModes: ["ReadWriteOnce"] - resources: - requests: - storage: 8Gi diff --git a/manifest/issuer.yaml b/manifest/issuer.yaml deleted file mode 100644 index 9ed6e91407d..00000000000 --- a/manifest/issuer.yaml +++ /dev/null 
@@ -1,6 +0,0 @@
-apiVersion: cert-manager.io/v1
-kind: Issuer
-metadata:
- name: kcp-pki-bootstrap
-spec:
- selfSigned: {}
diff --git a/manifest/kcp-front-proxy.yaml b/manifest/kcp-front-proxy.yaml
deleted file mode 100644
index aa38699fdbb..00000000000
--- a/manifest/kcp-front-proxy.yaml
+++ /dev/null
@@ -1,258 +0,0 @@ ---- -apiVersion: route.openshift.io/v1 -kind: Route -metadata: - name: kcp-front-proxy -spec: - host: kcp - port: - targetPort: 8443 - tls: - termination: passthrough - to: - kind: Service - name: kcp-front-proxy - weight: 100 - wildcardPolicy: None ---- -apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: - name: kcp-front-proxy-issuer -spec: - acme: - server: https://acme-v02.api.letsencrypt.org/directory - privateKeySecretRef: - name: kcp-front-proxy-issuer-account-key - solvers: - - http01: - ingress: - serviceType: ClusterIP ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: kcp-front-proxy -spec: - secretName: kcp-front-proxy-cert - duration: 2160h0m0s # 90d - renewBefore: 360h0m0s # 15d - subject: - organizations: - - redhat - privateKey: - algorithm: RSA - encoding: PKCS1 - size: 2048 - usages: - - server auth - dnsNames: - - "kcp" - issuerRef: - name: kcp-front-proxy-issuer ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: kcp-client-ca -spec: - isCA: true - commonName: kcp-client-ca - secretName: kcp-client-ca - privateKey: - algorithm: RSA - size: 2048 - issuerRef: - name: kcp-pki-bootstrap - kind: Issuer - group: cert-manager.io ---- -apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: - name: kcp-client-issuer -spec: - ca: - secretName: kcp-client-ca ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: kcp-front-proxy-kcp-client-cert -spec: - secretName: kcp-front-proxy-kcp-client-cert - duration: 2160h0m0s # 90d - renewBefore: 360h0m0s # 15d - subject: - organizations: - - redhat - privateKey: - algorithm: RSA - encoding: PKCS1 - size: 2048 - usages: - - client auth - dnsNames: - - "kcp-front-proxy" - issuerRef: - name: kcp-requestheader-client-issuer ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: kcp-front-proxy-virtual-workspaces-client-cert -spec: - secretName: kcp-front-proxy-virtual-workspaces-client-cert - duration: 
2160h0m0s # 90d - renewBefore: 360h0m0s # 15d - subject: - organizations: - - redhat - privateKey: - algorithm: RSA - encoding: PKCS1 - size: 2048 - usages: - - client auth - dnsNames: - - "kcp-front-proxy" - issuerRef: - name: kcp-requestheader-client-issuer ---- -apiVersion: v1 -kind: Service -metadata: - name: kcp-front-proxy -spec: - ports: - - protocol: TCP - name: kcp-front-proxy - port: 8443 - targetPort: 8443 - selector: - app: kcp-front-proxy ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: kcp-front-proxy-config -data: - path-mapping.yaml: | - - path: /services/ - backend: https://kcp:6444 - backend_server_ca: /etc/virtual-workspaces/tls/ca.crt - proxy_client_cert: /etc/kcp-front-proxy/requestheader-client/tls/virtual-workspaces/tls.crt - proxy_client_key: /etc/kcp-front-proxy/requestheader-client/tls/virtual-workspaces/tls.key - - path: / - backend: https://kcp:6443 - backend_server_ca: /etc/kcp/tls/ca.crt - proxy_client_cert: /etc/kcp-front-proxy/requestheader-client/tls/kcp/tls.crt - proxy_client_key: /etc/kcp-front-proxy/requestheader-client/tls/kcp/tls.key ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: kcp-front-proxy - labels: - app: kcp-front-proxy -spec: - replicas: 1 - selector: - matchLabels: - app: kcp-front-proxy - strategy: - type: Recreate - template: - metadata: - labels: - app: kcp-front-proxy - spec: - containers: - - name: kcp-front-proxy - image: ghcr.io/kcp-dev/kcp:latest - ports: - - containerPort: 8443 - command: - - /kcp-front-proxy - args: - - --secure-port=8443 - - --tls-private-key-file=/etc/kcp-front-proxy/tls/tls.key - - --tls-cert-file=/etc/kcp-front-proxy/tls/tls.crt - - --client-ca-file=/etc/kcp-front-proxy/client/tls/ca.crt - - --mapping-file=/etc/kcp-front-proxy/config/path-mapping.yaml - - --v=6 - livenessProbe: - failureThreshold: 3 - httpGet: - path: livez - port: 8443 - scheme: HTTPS - initialDelaySeconds: 45 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 10 - readinessProbe: - 
failureThreshold: 3 - httpGet: - path: readyz - port: 8443 - scheme: HTTPS - volumeMounts: - - name: kcp-front-proxy-cert - mountPath: /etc/kcp-front-proxy/tls - - name: kcp-front-proxy-config - mountPath: /etc/kcp-front-proxy/config - - name: kcp-client-ca - mountPath: /etc/kcp-front-proxy/client/tls - - name: kcp-ca - mountPath: /etc/kcp/tls - - name: kcp-virtual-workspaces-ca - mountPath: /etc/virtual-workspaces/tls - - name: kcp-front-proxy-kcp-client-cert - mountPath: /etc/kcp-front-proxy/requestheader-client/tls/kcp - - name: kcp-front-proxy-virtual-workspaces-client-cert - mountPath: /etc/kcp-front-proxy/requestheader-client/tls/virtual-workspaces - volumes: - - name: kcp-front-proxy-cert - secret: - secretName: kcp-front-proxy-cert - - name: kcp-client-ca - secret: - secretName: kcp-client-ca - items: - - key: ca.crt - path: ca.crt - - name: kcp-ca - secret: - secretName: kcp-cert - items: - - key: ca.crt - path: ca.crt - - name: kcp-virtual-workspaces-ca - secret: - secretName: kcp-virtual-workspaces-cert - items: - - key: ca.crt - path: ca.crt - - name: kcp-front-proxy-kcp-client-cert - secret: - secretName: kcp-front-proxy-kcp-client-cert - items: - - key: tls.crt - path: tls.crt - - key: tls.key - path: tls.key - - name: kcp-front-proxy-virtual-workspaces-client-cert - secret: - secretName: kcp-front-proxy-virtual-workspaces-client-cert - items: - - key: tls.crt - path: tls.crt - - key: tls.key - path: tls.key - - name: kcp-front-proxy-config - configMap: - name: kcp-front-proxy-config - items: - - key: "path-mapping.yaml" - path: "path-mapping.yaml" diff --git a/manifest/kcp.yaml b/manifest/kcp.yaml deleted file mode 100644 index c3cdeae5177..00000000000 --- a/manifest/kcp.yaml +++ /dev/null 
@@ -1,282 +0,0 @@ ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: kcp -spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi - storageClassName: gp2 - volumeMode: Filesystem ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: kcp-virtual-workspaces -spec: - secretName: kcp-virtual-workspaces-cert - duration: 2160h0m0s # 90d - renewBefore: 360h0m0s # 15d - subject: - organizations: - - redhat - privateKey: - algorithm: RSA - encoding: PKCS1 - size: 2048 - usages: - - server auth - dnsNames: - - kcp - - localhost - - "*.openshiftapps.com" - issuerRef: - name: kcp-server-issuer ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: kcp-ca -spec: - isCA: true - commonName: kcp-ca - secretName: kcp-ca - privateKey: - algorithm: RSA - size: 2048 - issuerRef: - name: kcp-pki-bootstrap - kind: Issuer - group: cert-manager.io ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: kcp-requestheader-client-ca -spec: - isCA: true - commonName: kcp-requestheader-client-ca - secretName: kcp-requestheader-client-ca - privateKey: - algorithm: RSA - size: 2048 - issuerRef: - name: kcp-pki-bootstrap - kind: Issuer - group: cert-manager.io ---- -apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: - name: kcp-server-issuer -spec: - ca: - secretName: kcp-ca ---- -apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: - name: kcp-requestheader-client-issuer -spec: - ca: - secretName: kcp-requestheader-client-ca ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: kcp -spec: - secretName: kcp-cert - duration: 2160h0m0s # 90d - renewBefore: 360h0m0s # 15d - subject: - organizations: - - redhat - privateKey: - algorithm: RSA - encoding: PKCS1 - size: 2048 - usages: - - server auth - dnsNames: - - kcp - - localhost - - "*.openshiftapps.com" - issuerRef: - name: kcp-server-issuer ---- -apiVersion: v1 -kind: Service -metadata: - name: kcp -spec: - ports: - - 
protocol: TCP - name: kcp - port: 6443 - targetPort: 6443 - - protocol: TCP - name: virtual-workspaces - port: 6444 - targetPort: 6444 - selector: - app: kcp ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: kcp - labels: - app: kcp -spec: - replicas: 1 - selector: - matchLabels: - app: kcp - strategy: - type: Recreate - template: - metadata: - labels: - app: kcp - spec: - containers: - - name: kcp - image: ghcr.io/kcp-dev/kcp:latest - ports: - - containerPort: 6443 - command: - - /kcp - args: - - start - - --etcd-servers=https://etcd:2379 - - --etcd-keyfile=/etc/etcd/tls/server/tls.key - - --etcd-certfile=/etc/etcd/tls/server/tls.crt - - --etcd-cafile=/etc/etcd/tls/server/ca.crt - - --tls-private-key-file=/etc/kcp/tls/server/tls.key - - --tls-cert-file=/etc/kcp/tls/server/tls.crt - - --requestheader-client-ca-file=/etc/kcp/tls/requestheader-client/ca.crt - - --requestheader-username-headers=X-Remote-User - - --requestheader-group-headers=X-Remote-Group - - --root-directory=/etc/kcp/config - - --run-virtual-workspaces=false - - --virtual-workspace-address=https://$(EXTERNAL_HOSTNAME) - - --external-hostname=$(EXTERNAL_HOSTNAME):443 - - --oidc-issuer-url=https://sso.redhat.com/auth/realms/redhat-external - - --oidc-client-id=rhoas-cli-prod - - --oidc-groups-claim=org_id - - --oidc-username-claim=preferred_username - - "--oidc-username-prefix=rh-sso:" - - "--oidc-groups-prefix=rh-sso:" - - --v=2 - env: - - name: EXTERNAL_HOSTNAME - value: kcp - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: requests.memory - livenessProbe: - failureThreshold: 3 - httpGet: - path: livez - port: 6443 - scheme: HTTPS - initialDelaySeconds: 45 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 10 - readinessProbe: - failureThreshold: 3 - httpGet: - path: readyz - port: 6443 - scheme: HTTPS - resources: - limits: - cpu: '2' - memory: 2Gi - requests: - cpu: '1' - memory: 1Gi - volumeMounts: - - name: etcd-certs - mountPath: /etc/etcd/tls/server - - 
name: kcp-certs - mountPath: /etc/kcp/tls/server - - name: kcp-requestheader-client-ca - mountPath: /etc/kcp/tls/requestheader-client - - name: kubeconfig - mountPath: /etc/kcp/config - - name: virtual-workspaces - image: ghcr.io/kcp-dev/kcp:latest - ports: - - containerPort: 6444 - command: - - sh - - -c - - > - cat /etc/kcp/config/admin.kubeconfig | sed -e 's;://\([^/]*\);://localhost:6443;' > /etc/kcp/config/localhost.kubeconfig && - /virtual-workspaces - workspaces - --kubeconfig=/etc/kcp/config/localhost.kubeconfig - --authentication-kubeconfig=/etc/kcp/config/localhost.kubeconfig - --authentication-skip-lookup - --tls-private-key-file=/etc/kcp/tls/server/tls.key - --tls-cert-file=/etc/kcp/tls/server/tls.crt - --requestheader-client-ca-file=/etc/kcp/tls/requestheader-client/ca.crt - --requestheader-username-headers=X-Remote-User - --requestheader-group-headers=X-Remote-Group - --secure-port=6444 - livenessProbe: - failureThreshold: 3 - httpGet: - path: livez - port: 6444 - scheme: HTTPS - initialDelaySeconds: 45 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 10 - readinessProbe: - failureThreshold: 3 - httpGet: - path: readyz - port: 6444 - scheme: HTTPS - resources: - limits: - cpu: 200m - memory: 128Mi - requests: - cpu: 100m - memory: 64Mi - volumeMounts: - - name: virtual-workspaces-certs - mountPath: /etc/kcp/tls/server - - name: kcp-requestheader-client-ca - mountPath: /etc/kcp/tls/requestheader-client - - name: kubeconfig - mountPath: /etc/kcp/config - volumes: - - name: etcd-certs - secret: - secretName: etcd-cert - - name: kcp-certs - secret: - secretName: kcp-cert - - name: virtual-workspaces-certs - secret: - secretName: kcp-virtual-workspaces-cert - - name: kcp-requestheader-client-ca - secret: - secretName: kcp-requestheader-client-ca - items: - - key: ca.crt - path: ca.crt - - name: kubeconfig - persistentVolumeClaim: - claimName: kcp 
diff --git a/manifest/kustomization.yaml b/manifest/kustomization.yaml
deleted file mode 100644
index 0a16976fdd5..00000000000
--- a/manifest/kustomization.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- etcd.yaml
-- issuer.yaml
-- kcp.yaml
-- kcp-front-proxy.yaml