diff --git a/README.md b/README.md index f648b16..9a38e78 100644 --- a/README.md +++ b/README.md 
@@ -1,128 +1,189 @@ -# rhoso-gitops +# Deploying and managing Red Hat OpenStack Services on OpenShift with GitOps -An implementation of Red Hat GitOps (GitOps, ArgoCD) for managing the +This repository contains an implementation of Red Hat GitOps (GitOps, ArgoCD) for managing the deployment of Red Hat OpenStack Services on OpenShift (RHOSO). -**WARNING**: _Contents of this repository are a work in progress and not yet -ready for usage in a production environment. The organization or contents of -this repository may change drastically at any time._ - -## Repository Layout +**WARNING**: _This repository is provided as a Developer Preview for testing environments only, +before all features have been implemented and tested. Therefore, some functionality may be absent, +incomplete, or not work as expected, and is subject to change until the official release. +Red Hat encourages customers to use the Developer Preview release to provide feedback._ -* `applications/` - * contains the base GitOps Operator (ArgoCD) Application manifests for - ArgoCD to manage push-install from the hub cluster to the managed cluster -* `base/` - * contains base deployment knowledge not (yet) contained in the validated - architectures repository in support of OpenStack deployments with RHOSO -* `orchestration/` (deprecated) - * contains the configuration to deploy for OpenShift GitOps (ArgoCD) - for cluster-scoped management on both the hub cluster and managed cluster +## Prerequisites: Use pinned resources -## Deployment +In your `kustomization.yaml` and related resources, make sure to use +a fixed reference `?ref=VALUE`, where `VALUE` is a hash or a tag. -Manifests are managed with _kustomize_ (https://kustomize.io/) and can be -applied directly with `oc apply -k `. 
+## Deploy the OpenShift GitOps Operator -Expected order of operations is: +### Option 1: Deploy automatically with the included helper playbook +We provide a light playbook to facilitate the operator deployment and +subsequent ArgoCD instance configuration. -* (optional) Deploy Red Hat Advanced Cluster Manager (RHACM) and configure it - so deployment of OpenShift clusters is possible (the hub cluster). -* Deploy ArgoCD to the hub cluster or unmanaged cluster. - * Use the `base/initialize/gitops/` directory to deploy Red Hat OpenShift - GitOps and the initial ArgoCD deployment. -* Create the base Applications from `applications/` to the hub or unmanaged cluster. -* Create your [environments](https://github.com/openstack-gitops/environments) - in a private repository for deployment. -* Deploy `environments/`. +[Read the playbook documentation](./openshift-gitops.deploy/README.md). -### Bootstrap Red Hat GitOps +### Option 2: Deploy manually with `oc apply` commands +1. Create the namespace, operatorgroup and subscription: + ```shell + oc apply -k openshift-gitops.deploy/subscribe + ``` +1. Ensure that the namespace is present: + ```shell + oc get namespace openshift-gitops + ``` +1. Configure the RBAC and ArgoCD instance: + ```shell + oc apply -k openshift-gitops.deploy/enable + ``` +1. Ensure that the ArgoCD instance is running: + ```shell + oc -n openshift-gitops get argocd/openshift-gitops + ``` -You must first install Red Hat GitOps (GitOps) to provide the automation system -for deploying RHOSO. Installation of GitOps can be done on a hub cluster or an -unmanaged cluster. If installed on the hub cluster, you can use a GitOps -Application to deploy GitOps on the managed cluster. If you are not using a hub -cluster, then installation of GitOps on the unmanaged cluster must done first. +## Deploy the Vault Secrets Operator (VSO) -_Prerequisites_ +HashiCorp Vault is used to store secrets, and VaultStaticSecret are used to +pull those secrets into OCP. 
-* You have installed Ansible on the workstation. -* You have installed the Ansible collection `kubernetes.core.k8s`. -* You have installed Kustomize on the workstation. -* You have logged into the OpenShift cluster as the kubeadmin user you want GitOps to be deployed to. +**Procedure** +1. Create the subscription using ArgoCD: + ```shell + oc apply -f applications/vault-secrets-operator.yaml + ``` -_Procedure_ +**Links** +* [Learn more about VSO](https://developer.hashicorp.com/vault/docs/deploy/kubernetes/vso). +* [VSO on catalog.redhat.com](https://catalog.redhat.com/en/software/containers/hashicorp/vault-secrets-operator-bundle/64ddcd189d40d16b88133fd8) -Use the `deployment.playbook` script to automate the installation of Red Hat GitOps with Ansible and Kustomize. +## ArgoCD orchestration principles -* Login to the OpenShift cluster as the kubeadmin user from the workstation. -* Install the Red Hat GitOps Operator and deploy an ArgoCD instance with the `deployment.playbook` script: - ``` - $ ./base/initialize/gitops/deployment.playbook - ``` -Alternatively, deploy Red Hat GitOps and ArgoCD with Kustomize directly in stages. +### Sync-waves -* Login to the OpenShift cluster as the kubeadmin user from the workstation. -* Install the Red Hat GitOps Operator: - ``` - $ oc create --save-config -k base/initialize/gitops/subscribe - ``` -* Validate the Subscription has been completed. The subscription status should return: - ``` - $ oc get subscription.operators.coreos.com/openshift-gitops-operator \ - --namespace openshift-gitops-operator -ojsonpath='{.status.state}' - ``` -* When the value returned is `AtLastKnown`, then continue by deploying and ArgoCD instance. +We’re using sync-waves annotations for specific jobs and actions. -* Create the ArgoCD instance: - ``` - $ oc create --save-config -k base/initialize/gitops/enable - ``` +The range -20;20 is reserved. 
-### Set up Red Hat Advanced Cluster Management for GitOps +### Healthchecks -When using Red Hat Advanced Cluster Management (RHACM) to support GitOps -Applications for managed clusters, we will configure the hub cluster in -preparation for using GitOps to support managed cluster configuration. +TBD -If you are using GitOps on an unmanaged cluster without RHACM, then this will -be unnecessary. +## Application responsibilities and content -_Prerequisites_ +### openstack-operator -* You have installed and setup RHACM (hub cluster) for your hardware - environment that will host the managed OpenShift deployment. -* You are logged into the hub cluster as the kubeadmin user. -* You have installed Red Hat GitOps. +#### Purpose -_Procedure_ +Installs the foundational OpenStack operators required for the deployment. Covers [Installation Documentation Chapter 1](https://docs.redhat.com/en/documentation/red_hat_openstack_services_on_openshift/18.0/html/deploying_red_hat_openstack_services_on_openshift/assembly_installing-and-preparing-the-openstack-operator) and part of [Installation Documentation Chapter 2](https://docs.redhat.com/en/documentation/red_hat_openstack_services_on_openshift/18.0/html/deploying_red_hat_openstack_services_on_openshift/assembly_preparing-rhocp-for-rhoso#proc_creating-the-openstack-namespace_preparing) -* Setup RHACM for RHOSO cluster deployments and placements with GitOps: - ``` - oc apply -k base/cluster/hub/advanced-cluster-managment/ - ``` -* Add your cluster and place it in the `rhoso` ClusterSet +#### Key resources -## Accessing the user interface for OpenShift GitOps +* **Namespaces:** `openstack`, `openstack-operators` +* **Operator Subscription:** OpenStack operator from Red Hat CDN +* **RBAC:** Install plan approver service account and roles +* **Job:** `approve-openstack-installplan` to "imperatively" accept the `install_plan` created by `OLM` and wait for its completion. 
-You can view progress and management of the Applications by looking up the host -address with `oc`. +### openstack-operator-cr -_Procedure_ - -* Look up the host address of the OpenShift GitOps user interface: - ``` - $ oc get route/openshift-gitops-server -nopenshift-gitops -ojsonpath='{.spec.host}' - ``` +#### Purpose -## Deploy Prerequisites +Creates the main OpenStack custom resource that defines the overall OpenStack deployment configuration. Covers [Installation Documentation Chapter 1](https://docs.redhat.com/en/documentation/red_hat_openstack_services_on_openshift/18.0/html/deploying_red_hat_openstack_services_on_openshift/assembly_installing-and-preparing-the-openstack-operator). -Deploy the prerequisites for deployment of a RHOSO environment by creating the -`openstack-prerequisites` GitOps Application. +#### Key resources -_Procedure_ +* **OpenStack CR:** Primary configuration object in `openstack-operators` namespace -* Create the `openstack-prerequisites` GitOps Application: -``` -$ oc create --save-config -k applications/base/prerequisites -``` +### openstack-networks + +#### Purpose + +Create underlying networks for controlplane and dataplane. Covers [Installation Documentation Chapter 3](https://docs.redhat.com/en/documentation/red_hat_openstack_services_on_openshift/18.0/html/deploying_red_hat_openstack_services_on_openshift/assembly_preparing-rhoso-networks_preparing). + +#### Key resources + +* [3.2.1. Preparing RHOCP with isolated network interfaces](https://docs.redhat.com/en/documentation/red_hat_openstack_services_on_openshift/18.0/html-single/deploying_red_hat_openstack_services_on_openshift/index#proc_preparing-RHOCP-with-isolated-network-interfaces_preparing_networks): for `NodeNetworkConfigurationPolicies` resources +* [3.2.2. 
Attaching service pods to the isolated networks](https://docs.redhat.com/en/documentation/red_hat_openstack_services_on_openshift/18.0/html-single/deploying_red_hat_openstack_services_on_openshift/index#proc_attaching-service-pods-to-the-isolated-networks_preparing_networks): for `NetworkAttachmentDefinitions` resources +* [3.2.3. Preparing RHOCP for RHOSO network VIPS](https://docs.redhat.com/en/documentation/red_hat_openstack_services_on_openshift/18.0/html-single/deploying_red_hat_openstack_services_on_openshift/index#proc_preparing-RHOCP-for-RHOSO-network-VIPs_preparing_networks) for `L2Advertisements` and `IPAdrressPool` resources +* [3.3. CREATING THE DATA PLANE NETWORK](https://docs.redhat.com/en/documentation/red_hat_openstack_services_on_openshift/18.0/html-single/deploying_red_hat_openstack_services_on_openshift/index#proc_creating-the-data-plane-network_preparing_networks): for `NetConfig` resources + +### openstack-controlplane + +#### Purpose + +Deploys and configures `OpenStackControlPlane` resource. Covers [Installation Documentation Chapter 4](https://docs.redhat.com/en/documentation/red_hat_openstack_services_on_openshift/18.0/html/deploying_red_hat_openstack_services_on_openshift/assembly_creating-the-control-plane) + +#### Key resources + +* `OpenStackControlPlane` + +### openstack-dataplane + +#### Purpose + +Deploys and configures the OpenStack data plane nodes. Covers [Installation Documentation Chapter 5](https://docs.redhat.com/en/documentation/red_hat_openstack_services_on_openshift/18.0/html/deploying_red_hat_openstack_services_on_openshift/assembly_creating-the-data-plane) + +#### Key resources + +* `OpenStackDataPlaneNodeSet` +* `OpenStackDataPlaneDeployment` + +## What’s NOT covered by ArgoCD applications yet + +### Dependencies installation + +Dependencies such as `MetalLB`, `NMState` and `Cert-Manager` are not deployed nor managed using ArgoCD Application yet. 
+ +### Secret management and creation + +Secrets are to be stored within a secure service, such as HashiCorp Vault, and never in Git. Our main focus for now is on the RHOSO application slicing, we will provide an ArgoCD Application definition later. + +## Consume proposed components + +### Base controlplane + +Provides the base for IPAddressPool, L2Advertisement, NetworkAttachementDefinition, +NetConfig NodeNetworkConfigurationPolicy and OpenStackControlPlane on a 3-master OCP cluster. + +The CR are extracted from the +[RHOSO official documentation](https://docs.redhat.com/en/documentation/red_hat_openstack_services_on_openshift/18.0/html/deploying_red_hat_openstack_services_on_openshift/assembly_creating-the-control-plane) + +### Base dataplane + +Provides the base for the OpenStackDataplaneNodeSet and OpenStackDataPlaneDeployment. + +The CRs are extracted from the +[RHOSO official documentation](https://docs.redhat.com/en/documentation/red_hat_openstack_services_on_openshift/18.0/html/deploying_red_hat_openstack_services_on_openshift/assembly_creating-the-data-plane) + +### ArgoCD sync-wave annotation +These annotations enable ArgoCD to determine the order that resources are created for the whole RHOSO cloud. +[Learn more about sync-waves](https://argo-cd.readthedocs.io/en/stable/user-guide/sync-waves/) + +**Example usage** +1. Directly within the Application definition: + ```yaml + apiVersion: argoproj.io/v1alpha1 + kind: Application + metadata: + # [...] + spec: + project: "default" + source: + repoURL: "..." + targetRevision: "..." + path: "..." + kustomize: + components: + - https://github.com/openstack-gitops/rhoso-gitops/components/argocd/annotations?ref=TAG + ``` +1. From within an overlay or base: + ```yaml + apiVersion: kustomize.config.k8s.io/v1beta1 + kind: Kustomization + components: + - https://github.com/openstack-gitops/rhoso-gitops/components/argocd/annotations?ref=TAG + # [...] + ``` + +## External resources + +1. 
[Official RHOSO documentation](https://docs.redhat.com/en/documentation/red_hat_openstack_services_on_openshift/18.0) +1. [Official openshift-gitops documentation](https://www.redhat.com/en/technologies/cloud-computing/openshift/gitops) +1. [Official ArgoCD documentation](https://argo-cd.readthedocs.io/en/stable/) diff --git a/applications/README.md b/applications/README.md deleted file mode 100644 index 4fadd55..0000000 --- a/applications/README.md +++ /dev/null @@ -1,20 +0,0 @@ -# OpenShift GitOps Applications - -Contains Application manifests for OpenShift GitOps to deploy Operators in -support of a Red Hat OpenStack Services on OpenShift (RHOSO). - -Environment deployment examples are available at -https://github.com/openstack-gitops/environments. - -There are two bases you can use: - -* **va-base**: for [Validated - Architecture](https://github.com/openstack-k8s-operators/architecture) based - deployments -* **base**: for standard deployments - -Applications in _va-base_ will use the Validated Architectures base to deploy -OpenStack Operators from a custom catalog source using an upstream index image. - -Applications in _base_ will attempt to deploy primarily from the Red Hat -Operators and Certified Operators catalog sources. diff --git a/applications/base/gitops/README.md b/applications/base/gitops/README.md deleted file mode 100644 index c8a3e1f..0000000 --- a/applications/base/gitops/README.md +++ /dev/null @@ -1,4 +0,0 @@ -# Application GitOps - -For use when GitOps is already available on a cluster, such as a hub cluster, -and you want to deploy GitOps to a managed cluster. diff --git a/applications/base/gitops/application-gitops.yaml b/applications/base/gitops/application-gitops.yaml deleted file mode 100644 index 4772fc1..0000000 --- a/applications/base/gitops/application-gitops.yaml +++ /dev/null 
@@ -1,58 +0,0 @@ ---- -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - annotations: - argocd.argoproj.io/sync-wave: "-30" - name: subscribe-gitops - namespace: openshift-gitops - finalizers: - - resources-finalizer.argocd.argoproj.io -spec: - destination: - server: https://kubernetes.default.svc - project: default - source: - path: base/initialize/gitops/subscribe - repoURL: https://github.com/openstack-gitops/rhoso-gitops.git - targetRevision: HEAD - kustomize: - patches: - - target: - kind: Namespace - patch: |- - - op: add - path: /metadata/labels - value: - argocd.argoproj.io/managed-by: openshift-gitops - syncPolicy: - automated: {} ---- -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - annotations: - argocd.argoproj.io/sync-wave: "-20" - name: enable-gitops - namespace: openshift-gitops - finalizers: - - resources-finalizer.argocd.argoproj.io -spec: - destination: - server: https://kubernetes.default.svc - project: default - source: - path: base/initialize/gitops/enable - repoURL: https://github.com/openstack-gitops/rhoso-gitops.git - targetRevision: HEAD - kustomize: - patches: - - target: - kind: Namespace - patch: |- - - op: add - path: /metadata/labels - value: - argocd.argoproj.io/managed-by: openshift-gitops - syncPolicy: - automated: {} diff --git a/applications/base/gitops/kustomization.yaml b/applications/base/gitops/kustomization.yaml deleted file mode 100644 index 1892ab5..0000000 --- a/applications/base/gitops/kustomization.yaml +++ /dev/null @@ -1,5 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - application-gitops.yaml diff --git a/applications/base/openstack-operator/kustomization.yaml b/applications/base/openstack-operator/kustomization.yaml deleted file mode 100644 index 9652924..0000000 --- a/applications/base/openstack-operator/kustomization.yaml +++ /dev/null 
@@ -1,5 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - application-openstack-operator.yaml diff --git a/applications/base/prerequisites/README.md b/applications/base/prerequisites/README.md deleted file mode 100644 index 515e801..0000000 --- a/applications/base/prerequisites/README.md +++ /dev/null @@ -1,4 +0,0 @@ -# Application Prerequisites - -Installation of prerequisite Operators for a Red Hat OpenStack Services on -OpenShift (RHOSO) deployment. diff --git a/applications/base/prerequisites/application-prerequisites.yaml b/applications/base/prerequisites/application-prerequisites.yaml deleted file mode 100644 index 8a14635..0000000 --- a/applications/base/prerequisites/application-prerequisites.yaml +++ /dev/null @@ -1,29 +0,0 @@ ---- -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - annotations: - argocd.argoproj.io/sync-wave: "-10" - finalizers: - - resources-finalizer.argocd.argoproj.io - name: openstack-prerequisites - namespace: openshift-gitops -spec: - destination: - server: https://kubernetes.default.svc - project: default - source: - kustomize: - patches: - - patch: |- - - op: add - path: /metadata/labels - value: - argocd.argoproj.io/managed-by: openshift-gitops - target: - kind: Namespace - path: base/cluster/managed/prerequisites/ - repoURL: https://github.com/openstack-gitops/rhoso-gitops.git - targetRevision: HEAD - syncPolicy: - automated: {} diff --git a/applications/base/prerequisites/kustomization.yaml b/applications/base/prerequisites/kustomization.yaml deleted file mode 100644 index 454b385..0000000 --- a/applications/base/prerequisites/kustomization.yaml +++ /dev/null @@ -1,5 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - application-prerequisites.yaml diff --git a/applications/va-base/README.md b/applications/va-base/README.md deleted file mode 100644 index da6d56f..0000000 --- a/applications/va-base/README.md +++ /dev/null 
@@ -1,10 +0,0 @@ -# Validated Architecture (VA) Base Applications - -These base Applications are for deployments where installation is being managed -through a hub cluster such as Red Hat Advanced Cluster Management. These -Applications are intended to be used as a push application to get the initial -setup onto a managed cluster. - -The Applications in this base location make use of Validated Architectures -(https://github.com/openstack-k8s-operators/architecture) and are intended for -use in upstream deployment testing. diff --git a/applications/va-base/metallb/application-metallb.yaml b/applications/va-base/metallb/application-metallb.yaml deleted file mode 100644 index e14ff65..0000000 --- a/applications/va-base/metallb/application-metallb.yaml +++ /dev/null @@ -1,29 +0,0 @@ ---- -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - annotations: - argocd.argoproj.io/sync-wave: "2" - name: common-metallb - namespace: openshift-gitops - finalizers: - - resources-finalizer.argocd.argoproj.io -spec: - destination: - server: https://kubernetes.default.svc - project: default - source: - path: examples/common/metallb - repoURL: https://github.com/openstack-k8s-operators/architecture - targetRevision: HEAD - kustomize: - patches: - - target: - kind: Namespace - patch: |- - - op: add - path: /metadata/labels - value: - argocd.argoproj.io/managed-by: openshift-gitops - syncPolicy: - automated: {} diff --git a/applications/va-base/metallb/kustomization.yaml b/applications/va-base/metallb/kustomization.yaml deleted file mode 100644 index c47b95d..0000000 --- a/applications/va-base/metallb/kustomization.yaml +++ /dev/null @@ -1,5 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - application-metallb.yaml diff --git a/applications/va-base/nmstate/application-nmstate.yaml b/applications/va-base/nmstate/application-nmstate.yaml deleted file mode 100644 index 7f986c4..0000000 
--- a/applications/va-base/nmstate/application-nmstate.yaml +++ /dev/null @@ -1,29 +0,0 @@ ---- -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - annotations: - argocd.argoproj.io/sync-wave: "3" - name: common-nmstate - namespace: openshift-gitops - finalizers: - - resources-finalizer.argocd.argoproj.io -spec: - destination: - server: https://kubernetes.default.svc - project: default - source: - path: examples/common/nmstate - repoURL: https://github.com/openstack-k8s-operators/architecture - targetRevision: HEAD - kustomize: - patches: - - target: - kind: Namespace - patch: |- - - op: add - path: /metadata/labels - value: - argocd.argoproj.io/managed-by: openshift-gitops - syncPolicy: - automated: {} diff --git a/applications/va-base/nmstate/kustomization.yaml b/applications/va-base/nmstate/kustomization.yaml deleted file mode 100644 index 428ed66..0000000 --- a/applications/va-base/nmstate/kustomization.yaml +++ /dev/null @@ -1,5 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - application-nmstate.yaml diff --git a/applications/va-base/olm/application-olm.yaml b/applications/va-base/olm/application-olm.yaml deleted file mode 100644 index 47c7fe4..0000000 --- a/applications/va-base/olm/application-olm.yaml +++ /dev/null @@ -1,29 +0,0 @@ ---- -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - annotations: - argocd.argoproj.io/sync-wave: "1" - name: common-olm - namespace: openshift-gitops - finalizers: - - resources-finalizer.argocd.argoproj.io -spec: - destination: - server: https://kubernetes.default.svc - project: default - source: - path: examples/common/olm - repoURL: https://github.com/openstack-k8s-operators/architecture - targetRevision: HEAD - kustomize: - patches: - - target: - kind: Namespace - patch: |- - - op: add - path: /metadata/labels - value: - argocd.argoproj.io/managed-by: openshift-gitops - syncPolicy: - automated: {} 
diff --git a/applications/va-base/olm/kustomization.yaml b/applications/va-base/olm/kustomization.yaml deleted file mode 100644 index 3e1df29..0000000 --- a/applications/va-base/olm/kustomization.yaml +++ /dev/null @@ -1,5 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - application-olm.yaml diff --git a/applications/va-base/openstack-common/README.md b/applications/va-base/openstack-common/README.md deleted file mode 100644 index 9f7ff71..0000000 --- a/applications/va-base/openstack-common/README.md +++ /dev/null @@ -1,17 +0,0 @@ -# openstack-common Application - -Deploy the common OpenStack components in order to deploy the OpenStack Operators. - -**NOTE:** Installation will be done via the [Validated -Architecture](https://github.com/openstack-k8s-operators/architecture) -repository, which installs the upstream OpenStack Operator CatalogSource and -Subscription by default. If you are looking to install from the Red Hat -Operators CatalogSource instead (production build of OpenStack Operators) then -see [base/prerequisites](base/prerequisites) - -_Procedure_ - -* Create the _openstack-common_ Application in OpenShift GitOps: - ``` - $ oc create -f . - ``` diff --git a/applications/va-base/openstack-common/application-openstack-common.yaml b/applications/va-base/openstack-common/application-openstack-common.yaml deleted file mode 100644 index a3c6091..0000000 --- a/applications/va-base/openstack-common/application-openstack-common.yaml +++ /dev/null @@ -1,16 +0,0 @@ ---- -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: openstack-common - namespace: openshift-gitops -spec: - destination: - server: https://kubernetes.default.svc - project: default - source: - path: applications/va-base/openstack-common/common - repoURL: https://github.com/openstack-gitops/rhoso-gitops.git - targetRevision: HEAD - syncPolicy: - automated: {} 
diff --git a/applications/va-base/openstack-common/common/kustomization.yaml b/applications/va-base/openstack-common/common/kustomization.yaml deleted file mode 100644 index 9a69217..0000000 --- a/applications/va-base/openstack-common/common/kustomization.yaml +++ /dev/null @@ -1,7 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ../../metallb - - ../../nmstate - - ../../olm diff --git a/applications/va-base/openstack-common/kustomization.yaml b/applications/va-base/openstack-common/kustomization.yaml deleted file mode 100644 index 62f8a8e..0000000 --- a/applications/va-base/openstack-common/kustomization.yaml +++ /dev/null @@ -1,5 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - application-openstack-common.yaml diff --git a/applications/base/openstack-operator/application-openstack-operator.yaml b/applications/vault-secrets-operator.yaml similarity index 53% rename from applications/base/openstack-operator/application-openstack-operator.yaml rename to applications/vault-secrets-operator.yaml index 93717e8..bbb2409 100644 --- a/applications/base/openstack-operator/application-openstack-operator.yaml +++ b/applications/vault-secrets-operator.yaml @@ -5,8 +5,8 @@ metadata: annotations: argocd.argoproj.io/sync-wave: "-10" finalizers: - - resources-finalizer.argocd.argoproj.io - name: openstack-operator + - resources-finalizer.argocd.argoproj.io/foreground + name: subscribe-vault-secrets-operator namespace: openshift-gitops spec: destination: 
@@ -14,15 +14,9 @@ spec: project: default source: kustomize: - patches: - - patch: |- - - op: add - path: /metadata/labels - value: - argocd.argoproj.io/managed-by: openshift-gitops - target: - kind: Namespace - path: base/cluster/managed/openstack-operator + components: + - https://github.com/openstack-gitops/rhoso-gitops/components/argocd/annotations + path: resources/vault-secrets-operator repoURL: https://github.com/openstack-gitops/rhoso-gitops.git targetRevision: HEAD syncPolicy: diff --git a/base/.gitignore b/base/.gitignore deleted file mode 100644 index c3861cc..0000000 --- a/base/.gitignore +++ /dev/null @@ -1,2 +0,0 @@ -.venv -initialize/gitops/.venv diff --git a/base/README.md b/base/README.md deleted file mode 100644 index b1dfb52..0000000 --- a/base/README.md +++ /dev/null @@ -1,13 +0,0 @@ -# Base Manifests - -The base manifests that are used for building out a GitOps-orchestrated Red Hat -OpenStack on OpenShift (RHOSO) deployment. - -## Initialization - -Initialize the cluster with GitOps. - -_Procedure_ - -* Login to your OpenShift cluster as an administrative user. -* diff --git a/base/cluster/common/baremetal-operator/enable/provisioning.yaml b/base/cluster/common/baremetal-operator/enable/provisioning.yaml deleted file mode 100644 index fc7a119..0000000 --- a/base/cluster/common/baremetal-operator/enable/provisioning.yaml +++ /dev/null @@ -1,12 +0,0 @@ ---- -apiVersion: metal3.io/v1alpha1 -kind: Provisioning -metadata: - finalizers: - - provisioning.metal3.io - name: provisioning-configuration -spec: - disableVirtualMediaTLS: true - preProvisioningOSDownloadURLs: {} - provisioningNetwork: Disabled - watchAllNamespaces: true diff --git a/base/cluster/common/baremetal-operator/kustomization.yaml b/base/cluster/common/baremetal-operator/kustomization.yaml deleted file mode 100644 index 85adeb9..0000000 --- a/base/cluster/common/baremetal-operator/kustomization.yaml +++ /dev/null 
@@ -1,5 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - enable/provisioning.yaml diff --git a/base/cluster/common/console/console.yaml b/base/cluster/common/console/console.yaml deleted file mode 100644 index 07a2889..0000000 --- a/base/cluster/common/console/console.yaml +++ /dev/null @@ -1,8 +0,0 @@ ---- -apiVersion: operator.openshift.io/v1 -kind: Console -metadata: - name: cluster -spec: - plugins: - - monitoring-plugin diff --git a/base/cluster/common/console/kustomization.yaml b/base/cluster/common/console/kustomization.yaml deleted file mode 100644 index 119a364..0000000 --- a/base/cluster/common/console/kustomization.yaml +++ /dev/null @@ -1,5 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - console.yaml diff --git a/base/cluster/common/external-secrets-operator/README.md b/base/cluster/common/external-secrets-operator/README.md deleted file mode 100644 index 9b38962..0000000 --- a/base/cluster/common/external-secrets-operator/README.md +++ /dev/null @@ -1,7 +0,0 @@ -# External Secrets Operator - -More information about the External Secrets Operator is available at -https://external-secrets.io/latest/. - -Deployment of the Operator is done with `kustomize` and the deployment is -assumed to be managed by GitOps. diff --git a/base/cluster/common/external-secrets-operator/enable/operatorconfig.yaml b/base/cluster/common/external-secrets-operator/enable/operatorconfig.yaml deleted file mode 100644 index c75fb0c..0000000 --- a/base/cluster/common/external-secrets-operator/enable/operatorconfig.yaml +++ /dev/null 
@@ -1,120 +0,0 @@ ---- -apiVersion: operator.external-secrets.io/v1alpha1 -kind: OperatorConfig -metadata: - annotations: - operator-sdk/primary-resource: /externalsecret-validate - operator-sdk/primary-resource-type: ValidatingWebhookConfiguration.admissionregistration.k8s.io - finalizers: - - helm.sdk.operatorframework.io/uninstall-release - name: sample - namespace: openshift-operators -spec: - affinity: {} - certController: - affinity: {} - create: true - deploymentAnnotations: {} - extraArgs: {} - extraEnv: [] - fullnameOverride: "" - image: - pullPolicy: IfNotPresent - repository: ghcr.io/external-secrets/external-secrets - tag: "" - imagePullSecrets: [] - nameOverride: "" - nodeSelector: {} - podAnnotations: {} - podLabels: {} - podSecurityContext: {} - priorityClassName: "" - prometheus: - enabled: false - service: - port: 8080 - rbac: - create: true - requeueInterval: 5m - resources: {} - securityContext: {} - serviceAccount: - annotations: {} - create: true - name: "" - tolerations: [] - concurrent: 1 - controllerClass: "" - crds: - createClusterExternalSecret: true - createClusterSecretStore: true - createOperator: true - deploymentAnnotations: {} - extraArgs: {} - extraEnv: [] - fullnameOverride: "" - image: - pullPolicy: IfNotPresent - repository: ghcr.io/external-secrets/external-secrets - tag: "" - imagePullSecrets: [] - installCRDs: false - leaderElect: false - nameOverride: "" - nodeSelector: {} - podAnnotations: {} - podLabels: {} - podSecurityContext: {} - priorityClassName: "" - processClusterExternalSecret: true - processClusterStore: true - prometheus: - enabled: false - service: - port: 8080 - rbac: - create: true - replicaCount: 1 - resources: {} - scopedNamespace: "" - scopedRBAC: false - securityContext: {} - serviceAccount: - annotations: {} - create: true - name: "" - tolerations: [] - webhook: - affinity: {} - certCheckInterval: 5m - certDir: /tmp/certs - create: true - deploymentAnnotations: {} - extraArgs: {} - extraEnv: [] - 
fullnameOverride: "" - image: - pullPolicy: IfNotPresent - repository: ghcr.io/external-secrets/external-secrets - tag: "" - imagePullSecrets: [] - nameOverride: "" - nodeSelector: {} - podAnnotations: {} - podLabels: {} - podSecurityContext: {} - priorityClassName: "" - prometheus: - enabled: false - service: - port: 8080 - rbac: - create: true - replicaCount: 1 - resources: {} - securityContext: {} - serviceAccount: - annotations: {} - create: true - name: "" - tolerations: [] diff --git a/base/cluster/common/external-secrets-operator/kustomization.yaml b/base/cluster/common/external-secrets-operator/kustomization.yaml deleted file mode 100644 index 968925a..0000000 --- a/base/cluster/common/external-secrets-operator/kustomization.yaml +++ /dev/null @@ -1,7 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -# managed with ArgoCD using sync-waves to control order of deployment -resources: - - subscribe/subscription.yaml - - enable/operatorconfig.yaml diff --git a/base/cluster/common/external-secrets-operator/subscribe/subscription.yaml b/base/cluster/common/external-secrets-operator/subscribe/subscription.yaml deleted file mode 100644 index 12261f9..0000000 --- a/base/cluster/common/external-secrets-operator/subscribe/subscription.yaml +++ /dev/null @@ -1,14 +0,0 @@ ---- -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - labels: - operators.coreos.com/external-secrets-operator.openshift-operators: "" - name: external-secrets-operator - namespace: openshift-operators -spec: - channel: stable - installPlanApproval: Automatic - name: external-secrets-operator - source: community-operators - sourceNamespace: openshift-marketplace diff --git a/base/cluster/common/lvms-operator/README.md b/base/cluster/common/lvms-operator/README.md deleted file mode 100644 index bfd24b6..0000000 --- a/base/cluster/common/lvms-operator/README.md +++ /dev/null 
@@ -1,138 +0,0 @@ -# Deploy LVM Storage Operator - -A storage domain is required for the control plane, and the simplest interface -is the LVM Storage Operator. Use of the `lvms-operator` directory can be used -to subscribe to the LVM Storage Operator and deploy a default storage domain -for the control plane. - -## Using `lvms-operator` - -The deployment of LVM Storage Operator and the `LVMCluster` manifest will -require environment specific configuration to be created. For more information -about the LVM Storage Operator, see [Persistent storage using Logical Volume -Manager -Storage](https://docs.openshift.com/container-platform/4.16/storage/persistent_storage/persistent_storage_local/persistent-storage-using-lvms.html) -in the OpenShift Storage guide. - -### Identify disks by path - -You can identify the disk paths available on a node by listing them in `/dev/disk/by-path` on the nodes: - -_Procedure_ - -* Login to the node: - ``` - $ oc debug node/ - ``` - -* Run `chroot`: - ``` - sh-5.1# chroot /host - ``` - -* List the available disks by path: - ``` - sh-5.1# ls /dev/disk/by-path - pci-0000:00:1f.2-ata-6 pci-0000:01:00.0-scsi-0:0:0:0 pci-0000:01:00.0-scsi-0:0:1:0-part1 pci-0000:01:00.0-scsi-0:0:1:0-part3 - pci-0000:00:1f.2-ata-6.0 pci-0000:01:00.0-scsi-0:0:1:0 pci-0000:01:00.0-scsi-0:0:1:0-part2 pci-0000:01:00.0-scsi-0:0:1:0-part4 - ``` - -### Create kustomization - -To extend the default manifests for LVM Storage Operator installation with GitOps, create the confirmation and patch for your environment. 
- -_Prerequisites_ - -* identify the valid disk paths that LVM Storage Operator can use -* `kustomize` binary is available for local build testing - -_Procedure_ - -* Create a directory for the `lvms-operator` configuration in your private git repo, such as `base/storage/` - ``` - $ mkdir -p base/storage - ``` - -* Create a patch file, such as `patch_lvmcluster_default.yaml` that contains the disks by path references: - ``` - $ cat > base/storage/patch_lvmcluster_default.yaml < base/storage/kustomization.yaml <` with the path of your private Git repository, for example, https://gitlab.private/rhoso-gitops/environments - ``` - $ cat > application-lvms-operator.yaml < - targetRevision: HEAD - syncPolicy: - automated: {} - EOF - ``` diff --git a/base/cluster/common/lvms-operator/enable/kustomization.yaml b/base/cluster/common/lvms-operator/enable/kustomization.yaml deleted file mode 100644 index 6229585..0000000 --- a/base/cluster/common/lvms-operator/enable/kustomization.yaml +++ /dev/null @@ -1,5 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - lvmcluster.yaml diff --git a/base/cluster/common/lvms-operator/enable/lvmcluster.yaml b/base/cluster/common/lvms-operator/enable/lvmcluster.yaml deleted file mode 100644 index 1c66702..0000000 --- a/base/cluster/common/lvms-operator/enable/lvmcluster.yaml +++ /dev/null @@ -1,18 +0,0 @@ ---- -apiVersion: lvm.topolvm.io/v1alpha1 -kind: LVMCluster -metadata: - annotations: - finalizers: - - lvmcluster.topolvm.io - name: lvmcluster-default - namespace: openshift-storage -spec: - storage: - deviceClasses: - - fstype: xfs - name: vg1 - thinPoolConfig: - name: thin-pool-1 - overprovisionRatio: 10 - sizePercent: 90 diff --git a/base/cluster/common/lvms-operator/kustomization.yaml b/base/cluster/common/lvms-operator/kustomization.yaml deleted file mode 100644 index 24aee9e..0000000 --- a/base/cluster/common/lvms-operator/kustomization.yaml +++ /dev/null 
@@ -1,7 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -# managed with ArgoCD using sync-waves to control order of deployment -resources: - - subscribe - - enable diff --git a/base/cluster/common/lvms-operator/subscribe/namespace.yaml b/base/cluster/common/lvms-operator/subscribe/namespace.yaml deleted file mode 100644 index fb17eb9..0000000 --- a/base/cluster/common/lvms-operator/subscribe/namespace.yaml +++ /dev/null @@ -1,18 +0,0 @@ ---- -apiVersion: v1 -kind: Namespace -metadata: - annotations: - openshift.io/sa.scc.mcs: s0:c27,c14 - openshift.io/sa.scc.supplemental-groups: 1000730000/10000 - openshift.io/sa.scc.uid-range: 1000730000/10000 - workload.openshift.io/allowed: management - labels: - kubernetes.io/metadata.name: openshift-storage - openshift.io/cluster-monitoring: "true" - pod-security.kubernetes.io/audit: privileged - pod-security.kubernetes.io/audit-version: v1.24 - pod-security.kubernetes.io/warn: privileged - pod-security.kubernetes.io/warn-version: v1.24 - security.openshift.io/scc.podSecurityLabelSync: "true" - name: openshift-storage diff --git a/base/cluster/common/lvms-operator/subscribe/operatorgroup.yaml b/base/cluster/common/lvms-operator/subscribe/operatorgroup.yaml deleted file mode 100644 index c9eb908..0000000 --- a/base/cluster/common/lvms-operator/subscribe/operatorgroup.yaml +++ /dev/null @@ -1,15 +0,0 @@ ---- -apiVersion: v1 -items: - - apiVersion: operators.coreos.com/v1 - kind: OperatorGroup - metadata: - name: openshift-storage - namespace: openshift-storage - spec: - targetNamespaces: - - openshift-storage - upgradeStrategy: Default -kind: List -metadata: - resourceVersion: "" diff --git a/base/cluster/common/lvms-operator/subscribe/subscription.yaml b/base/cluster/common/lvms-operator/subscribe/subscription.yaml deleted file mode 100644 index 5ce6b04..0000000 --- a/base/cluster/common/lvms-operator/subscribe/subscription.yaml +++ /dev/null 
@@ -1,13 +0,0 @@ ---- -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - labels: - operators.coreos.com/lvms-operator.openshift-storage: '' - name: lvms-operator - namespace: openshift-storage -spec: - installPlanApproval: Automatic - name: lvms-operator - source: redhat-operators - sourceNamespace: openshift-marketplace diff --git a/base/cluster/common/network/README.md b/base/cluster/common/network/README.md deleted file mode 100644 index da3e94e..0000000 --- a/base/cluster/common/network/README.md +++ /dev/null @@ -1,4 +0,0 @@ -# network base - -Enables global IP forwarding ability in OVN. For use with Red Hat OpenStack -Services on OpenShift (RHOSO). diff --git a/base/cluster/common/network/kustomization.yaml b/base/cluster/common/network/kustomization.yaml deleted file mode 100644 index e596341..0000000 --- a/base/cluster/common/network/kustomization.yaml +++ /dev/null @@ -1,5 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - network.yaml diff --git a/base/cluster/common/network/network.yaml b/base/cluster/common/network/network.yaml deleted file mode 100644 index 154d9fd..0000000 --- a/base/cluster/common/network/network.yaml +++ /dev/null @@ -1,12 +0,0 @@ ---- -apiVersion: operator.openshift.io/v1 -kind: Network -metadata: - annotations: - argocd.argoproj.io/sync-options: Prune=false - name: cluster -spec: - defaultNetwork: - ovnKubernetesConfig: - gatewayConfig: - ipForwarding: Global diff --git a/base/cluster/common/ntp/kustomization.yaml b/base/cluster/common/ntp/kustomization.yaml deleted file mode 100644 index e57d06a..0000000 --- a/base/cluster/common/ntp/kustomization.yaml +++ /dev/null @@ -1,5 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - machineconfig-ntp.yaml diff --git a/base/cluster/common/ntp/machineconfig-ntp.yaml b/base/cluster/common/ntp/machineconfig-ntp.yaml deleted file mode 100644 index 05dc06d..0000000 
--- a/base/cluster/common/ntp/machineconfig-ntp.yaml +++ /dev/null @@ -1,52 +0,0 @@ ---- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -metadata: - labels: - machineconfiguration.openshift.io/role: master - name: 99-masters-chrony-configuration -spec: - config: - ignition: - config: {} - security: - tls: {} - timeouts: {} - version: 2.2.0 - networkd: {} - passwd: {} - storage: - files: - - contents: - source: data:text/plain;charset=utf-8;base64,c2VydmVyIGNsb2NrLnJlZGhhdC5jb20gaWJ1cnN0CmRyaWZ0ZmlsZSAvdmFyL2xpYi9jaHJvbnkvZHJpZnQKbWFrZXN0ZXAgMS4wIDMKcnRjc3luYwpsb2dkaXIgL3Zhci9sb2cvY2hyb255Cg== - verification: {} - filesystem: root - mode: 420 - path: /etc/chrony.conf - osImageURL: "" ---- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -metadata: - labels: - machineconfiguration.openshift.io/role: worker - name: 99-workers-chrony-configuration -spec: - config: - ignition: - config: {} - security: - tls: {} - timeouts: {} - version: 2.2.0 - networkd: {} - passwd: {} - storage: - files: - - contents: - source: data:text/plain;charset=utf-8;base64,c2VydmVyIGNsb2NrLnJlZGhhdC5jb20gaWJ1cnN0CmRyaWZ0ZmlsZSAvdmFyL2xpYi9jaHJvbnkvZHJpZnQKbWFrZXN0ZXAgMS4wIDMKcnRjc3luYwpsb2dkaXIgL3Zhci9sb2cvY2hyb255Cg== - verification: {} - filesystem: root - mode: 420 - path: /etc/chrony.conf - osImageURL: "" diff --git a/base/cluster/hub/advanced-cluster-management/README.md b/base/cluster/hub/advanced-cluster-management/README.md deleted file mode 100644 index 0094072..0000000 --- a/base/cluster/hub/advanced-cluster-management/README.md +++ /dev/null @@ -1,4 +0,0 @@ -# Advanced Cluster Management - -Deployment of Advanced Cluster Management (ACM) to result in a hub cluster. -Assumed to be deployed and managed by GitOps using ArgoCD. diff --git a/base/cluster/hub/advanced-cluster-management/kustomization.yaml b/base/cluster/hub/advanced-cluster-management/kustomization.yaml deleted file mode 100644 index bb8a83d..0000000 
--- a/base/cluster/hub/advanced-cluster-management/kustomization.yaml +++ /dev/null @@ -1,9 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - subscribe/namespace.yaml - - subscribe/operatorgroup.yaml - - subscribe/subscription.yaml - - namespace-credentials.yaml - - ../../common/baremetal-operator diff --git a/base/cluster/hub/advanced-cluster-management/namespace-credentials.yaml b/base/cluster/hub/advanced-cluster-management/namespace-credentials.yaml deleted file mode 100644 index 4e63500..0000000 --- a/base/cluster/hub/advanced-cluster-management/namespace-credentials.yaml +++ /dev/null @@ -1,21 +0,0 @@ ---- -apiVersion: v1 -kind: Namespace -metadata: - annotations: - openshift.io/description: Credentials storage project for ACM - openshift.io/display-name: "" - openshift.io/requester: kube:admin - openshift.io/sa.scc.mcs: s0:c29,c24 - openshift.io/sa.scc.supplemental-groups: 1000860000/10000 - openshift.io/sa.scc.uid-range: 1000860000/10000 - labels: - kubernetes.io/metadata.name: open-cluster-management-credentials - pod-security.kubernetes.io/audit: restricted - pod-security.kubernetes.io/audit-version: v1.24 - pod-security.kubernetes.io/warn: restricted - pod-security.kubernetes.io/warn-version: v1.24 - name: open-cluster-management-credentials -spec: - finalizers: - - kubernetes diff --git a/base/cluster/hub/advanced-cluster-management/subscribe/namespace.yaml b/base/cluster/hub/advanced-cluster-management/subscribe/namespace.yaml deleted file mode 100644 index 8502850..0000000 --- a/base/cluster/hub/advanced-cluster-management/subscribe/namespace.yaml +++ /dev/null 
@@ -1,18 +0,0 @@ ---- -apiVersion: v1 -kind: Namespace -metadata: - annotations: - openshift.io/sa.scc.mcs: s0:c27,c14 - openshift.io/sa.scc.supplemental-groups: 1000730000/10000 - openshift.io/sa.scc.uid-range: 1000730000/10000 - labels: - kubernetes.io/metadata.name: open-cluster-management - pod-security.kubernetes.io/audit: restricted - pod-security.kubernetes.io/audit-version: v1.24 - pod-security.kubernetes.io/warn: restricted - pod-security.kubernetes.io/warn-version: v1.24 - name: open-cluster-management -spec: - finalizers: - - kubernetes diff --git a/base/cluster/hub/advanced-cluster-management/subscribe/operatorgroup.yaml b/base/cluster/hub/advanced-cluster-management/subscribe/operatorgroup.yaml deleted file mode 100644 index 80f08d0..0000000 --- a/base/cluster/hub/advanced-cluster-management/subscribe/operatorgroup.yaml +++ /dev/null @@ -1,13 +0,0 @@ ---- -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - annotations: - olm.providedAPIs: MultiClusterHub.v1.operator.open-cluster-management.io - generateName: open-cluster-management- - name: open-cluster-management - namespace: open-cluster-management -spec: - targetNamespaces: - - open-cluster-management - upgradeStrategy: Default diff --git a/base/cluster/hub/advanced-cluster-management/subscribe/subscription.yaml b/base/cluster/hub/advanced-cluster-management/subscribe/subscription.yaml deleted file mode 100644 index 4bf1c5d..0000000 --- a/base/cluster/hub/advanced-cluster-management/subscribe/subscription.yaml +++ /dev/null @@ -1,14 +0,0 @@ ---- -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - labels: - operators.coreos.com/advanced-cluster-management.open-cluster-management: "" - name: advanced-cluster-management - namespace: open-cluster-management -spec: - channel: release-2.12 - installPlanApproval: Automatic - name: advanced-cluster-management - source: redhat-operators - sourceNamespace: openshift-marketplace 
diff --git a/base/cluster/hub/ansible-automation-platform/kustomization.yaml b/base/cluster/hub/ansible-automation-platform/kustomization.yaml deleted file mode 100644 index 76197cb..0000000 --- a/base/cluster/hub/ansible-automation-platform/kustomization.yaml +++ /dev/null @@ -1,7 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - namespace.yaml - - operatorgroup.yaml - - subscription.yaml diff --git a/base/cluster/hub/ansible-automation-platform/namespace.yaml b/base/cluster/hub/ansible-automation-platform/namespace.yaml deleted file mode 100644 index 6e01524..0000000 --- a/base/cluster/hub/ansible-automation-platform/namespace.yaml +++ /dev/null @@ -1,10 +0,0 @@ ---- -apiVersion: v1 -kind: Namespace -metadata: - labels: - kubernetes.io/metadata.name: aap - name: aap -spec: - finalizers: - - kubernetes diff --git a/base/cluster/hub/ansible-automation-platform/operatorgroup.yaml b/base/cluster/hub/ansible-automation-platform/operatorgroup.yaml deleted file mode 100644 index d79e4dc..0000000 --- a/base/cluster/hub/ansible-automation-platform/operatorgroup.yaml +++ /dev/null 
@@ -1,10 +0,0 @@ ---- -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - annotations: - olm.providedAPIs: AnsibleAutomationPlatform.v1alpha1.aap.ansible.com,AnsibleAutomationPlatformBackup.v1alpha1.aap.ansible.com,AnsibleAutomationPlatformRestore.v1alpha1.aap.ansible.com,AnsibleCredential.v1alpha1.tower.ansible.com,AnsibleInstanceGroup.v1alpha1.tower.ansible.com,AnsibleInventory.v1alpha1.tower.ansible.com,AnsibleJob.v1alpha1.tower.ansible.com,AnsibleLightspeed.v1alpha1.lightspeed.ansible.com,AnsibleProject.v1alpha1.tower.ansible.com,AnsibleSchedule.v1alpha1.tower.ansible.com,AnsibleWorkflow.v1alpha1.tower.ansible.com,AutomationController.v1beta1.automationcontroller.ansible.com,AutomationControllerBackup.v1beta1.automationcontroller.ansible.com,AutomationControllerMeshIngress.v1alpha1.automationcontroller.ansible.com,AutomationControllerRestore.v1beta1.automationcontroller.ansible.com,AutomationHub.v1beta1.automationhub.ansible.com,AutomationHubBackup.v1beta1.automationhub.ansible.com,AutomationHubRestore.v1beta1.automationhub.ansible.com,EDA.v1alpha1.eda.ansible.com,EDABackup.v1alpha1.eda.ansible.com,EDARestore.v1alpha1.eda.ansible.com,JobTemplate.v1alpha1.tower.ansible.com,WorkflowTemplate.v1alpha1.tower.ansible.com # yamllint disable-line rule:line-length - name: aap - namespace: aap -spec: - upgradeStrategy: Default diff --git a/base/cluster/hub/ansible-automation-platform/subscription.yaml b/base/cluster/hub/ansible-automation-platform/subscription.yaml deleted file mode 100644 index 803eba2..0000000 --- a/base/cluster/hub/ansible-automation-platform/subscription.yaml +++ /dev/null 
@@ -1,14 +0,0 @@ ---- -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - labels: - operators.coreos.com/ansible-automation-platform-operator.aap: "" - name: ansible-automation-platform-operator - namespace: aap -spec: - channel: stable-2.5-cluster-scoped - installPlanApproval: Automatic - name: ansible-automation-platform-operator - source: redhat-operators - sourceNamespace: openshift-marketplace diff --git a/base/cluster/hub/multicluster-engine/enable/multiclusterhub.yaml b/base/cluster/hub/multicluster-engine/enable/multiclusterhub.yaml deleted file mode 100644 index 46a47db..0000000 --- a/base/cluster/hub/multicluster-engine/enable/multiclusterhub.yaml +++ /dev/null @@ -1,46 +0,0 @@ ---- -apiVersion: multicluster.openshift.io/v1 -kind: MultiClusterEngine -metadata: - finalizers: - - finalizer.multicluster.openshift.io - labels: - installer.name: multiclusterhub - installer.namespace: open-cluster-management - multiclusterhubs.operator.open-cluster-management.io/managed-by: "true" - name: multiclusterengine -spec: - availabilityConfig: Basic - overrides: - components: - - enabled: true - name: local-cluster - - enabled: true - name: assisted-service - - enabled: true - name: cluster-lifecycle - - enabled: true - name: cluster-manager - - enabled: true - name: discovery - - enabled: true - name: hive - - enabled: true - name: server-foundation - - enabled: true - name: cluster-proxy-addon - - enabled: true - name: hypershift-local-hosting - - enabled: true - name: hypershift - - enabled: true - name: managedserviceaccount - - enabled: false - name: image-based-install-operator-preview - - enabled: true - name: console-mce - targetNamespace: multicluster-engine - tolerations: - - effect: NoSchedule - key: node-role.kubernetes.io/infra - operator: Exists diff --git a/base/cluster/hub/multicluster-engine/kustomization.yaml b/base/cluster/hub/multicluster-engine/kustomization.yaml deleted file mode 100644 index b0be88f..0000000 
--- a/base/cluster/hub/multicluster-engine/kustomization.yaml +++ /dev/null @@ -1,8 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - subscribe/namespace.yaml - - subscribe/operatorgroup.yaml - - subscribe/subscription.yaml - - enable/multiclusterhub.yaml diff --git a/base/cluster/hub/multicluster-engine/subscribe/namespace.yaml b/base/cluster/hub/multicluster-engine/subscribe/namespace.yaml deleted file mode 100644 index 21c5f9c..0000000 --- a/base/cluster/hub/multicluster-engine/subscribe/namespace.yaml +++ /dev/null @@ -1,19 +0,0 @@ ---- -apiVersion: v1 -kind: Namespace -metadata: - annotations: - openshift.io/sa.scc.mcs: s0:c27,c19 - openshift.io/sa.scc.supplemental-groups: 1000740000/10000 - openshift.io/sa.scc.uid-range: 1000740000/10000 - labels: - kubernetes.io/metadata.name: multicluster-engine - openshift.io/cluster-monitoring: "true" - pod-security.kubernetes.io/audit: restricted - pod-security.kubernetes.io/audit-version: v1.24 - pod-security.kubernetes.io/warn: restricted - pod-security.kubernetes.io/warn-version: v1.24 - name: multicluster-engine -spec: - finalizers: - - kubernetes diff --git a/base/cluster/hub/multicluster-engine/subscribe/operatorgroup.yaml b/base/cluster/hub/multicluster-engine/subscribe/operatorgroup.yaml deleted file mode 100644 index ab5cbba..0000000 --- a/base/cluster/hub/multicluster-engine/subscribe/operatorgroup.yaml +++ /dev/null @@ -1,12 +0,0 @@ ---- -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - annotations: - olm.providedAPIs: MultiClusterEngine.v1.multicluster.openshift.io - name: default - namespace: multicluster-engine -spec: - targetNamespaces: - - multicluster-engine - upgradeStrategy: Default diff --git a/base/cluster/hub/multicluster-engine/subscribe/subscription.yaml b/base/cluster/hub/multicluster-engine/subscribe/subscription.yaml deleted file mode 100644 index f0d2588..0000000 
--- a/base/cluster/hub/multicluster-engine/subscribe/subscription.yaml +++ /dev/null @@ -1,18 +0,0 @@ ---- -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - labels: - installer.name: multiclusterhub - installer.namespace: open-cluster-management - multiclusterhubs.operator.open-cluster-management.io/managed-by: "true" - operators.coreos.com/multicluster-engine.multicluster-engine: "" - name: multicluster-engine - namespace: multicluster-engine -spec: - channel: stable-2.7 - config: {} - installPlanApproval: Automatic - name: multicluster-engine - source: redhat-operators - sourceNamespace: openshift-marketplace diff --git a/base/cluster/managed/openstack-operator/kustomization.yaml b/base/cluster/managed/openstack-operator/kustomization.yaml deleted file mode 100644 index 2f645a9..0000000 --- a/base/cluster/managed/openstack-operator/kustomization.yaml +++ /dev/null @@ -1,7 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - subscribe/namespace.yaml - - subscribe/operatorgroup.yaml - - subscribe/subscription.yaml diff --git a/base/cluster/managed/openstack-operator/subscribe/namespace.yaml b/base/cluster/managed/openstack-operator/subscribe/namespace.yaml deleted file mode 100644 index 232b14e..0000000 --- a/base/cluster/managed/openstack-operator/subscribe/namespace.yaml +++ /dev/null @@ -1,7 +0,0 @@ ---- -apiVersion: v1 -kind: Namespace -metadata: - labels: - openshift.io/cluster-monitoring: "true" - name: openstack-operators diff --git a/base/cluster/managed/openstack-operator/subscribe/operatorgroup.yaml b/base/cluster/managed/openstack-operator/subscribe/operatorgroup.yaml deleted file mode 100644 index 0032e8e..0000000 --- a/base/cluster/managed/openstack-operator/subscribe/operatorgroup.yaml +++ /dev/null 
@@ -1,13 +0,0 @@ ---- -apiVersion: v1 -items: - - apiVersion: operators.coreos.com/v1 - kind: OperatorGroup - metadata: - name: openstack-operators - namespace: openstack-operators - spec: - upgradeStrategy: Default -kind: List -metadata: - resourceVersion: "" diff --git a/base/cluster/managed/openstack-operator/subscribe/subscription.yaml b/base/cluster/managed/openstack-operator/subscribe/subscription.yaml deleted file mode 100644 index 18164ab..0000000 --- a/base/cluster/managed/openstack-operator/subscribe/subscription.yaml +++ /dev/null @@ -1,14 +0,0 @@ ---- -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - labels: - operators.coreos.com/openstack-operator.openstack-operators: '' - name: openstack-operator - namespace: openstack-operators -spec: - channel: stable-v1.0 - installPlanApproval: Automatic - name: openstack-operator - source: redhat-operators - sourceNamespace: openshift-marketplace diff --git a/base/cluster/managed/prerequisites/README.md b/base/cluster/managed/prerequisites/README.md deleted file mode 100644 index c9164b0..0000000 --- a/base/cluster/managed/prerequisites/README.md +++ /dev/null @@ -1,18 +0,0 @@ -# Prerequisites - -Contains the prerequisite Operators that need to be installed on the OpenShift -cluster prior to install of OpenStack Operator. - -Provides the prerequisite Operators as documented at -[Prerequisites](https://docs.redhat.com/en/documentation/red_hat_openstack_services_on_openshift/18.0/html/deploying_red_hat_openstack_services_on_openshift/assembly_installing-and-preparing-the-operators#prerequisites) -in the _Red Hat OpenStack on OpenShift Deployment guide_. - -Also creates the `openstack` namespace for deployment of objects related to -RHOSO. - -The following Operators will be installed and enabled: - -- NMstate Operator -- MetalLB Operator -- Certificate Manager Operator -- Cluster Observability Operator 
diff --git a/base/cluster/managed/prerequisites/cert-manager-operator/kustomization.yaml b/base/cluster/managed/prerequisites/cert-manager-operator/kustomization.yaml deleted file mode 100644 index 76197cb..0000000 --- a/base/cluster/managed/prerequisites/cert-manager-operator/kustomization.yaml +++ /dev/null @@ -1,7 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - namespace.yaml - - operatorgroup.yaml - - subscription.yaml diff --git a/base/cluster/managed/prerequisites/cert-manager-operator/namespace.yaml b/base/cluster/managed/prerequisites/cert-manager-operator/namespace.yaml deleted file mode 100644 index 5614f38..0000000 --- a/base/cluster/managed/prerequisites/cert-manager-operator/namespace.yaml +++ /dev/null @@ -1,5 +0,0 @@ ---- -apiVersion: v1 -kind: Namespace -metadata: - name: cert-manager-operator diff --git a/base/cluster/managed/prerequisites/cert-manager-operator/operatorgroup.yaml b/base/cluster/managed/prerequisites/cert-manager-operator/operatorgroup.yaml deleted file mode 100644 index 455af36..0000000 --- a/base/cluster/managed/prerequisites/cert-manager-operator/operatorgroup.yaml +++ /dev/null @@ -1,9 +0,0 @@ ---- -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: cert-manager-operator - namespace: cert-manager-operator -spec: - targetNamespaces: - - cert-manager-operator diff --git a/base/cluster/managed/prerequisites/cert-manager-operator/subscription.yaml b/base/cluster/managed/prerequisites/cert-manager-operator/subscription.yaml deleted file mode 100644 index ee67a34..0000000 --- a/base/cluster/managed/prerequisites/cert-manager-operator/subscription.yaml +++ /dev/null 
@@ -1,12 +0,0 @@ ---- -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: openshift-cert-manager-operator - namespace: cert-manager-operator -spec: - channel: stable-v1 - installPlanApproval: Automatic - name: openshift-cert-manager-operator - source: redhat-operators - sourceNamespace: openshift-marketplace diff --git a/base/cluster/managed/prerequisites/cluster-observability-operator/kustomization.yaml b/base/cluster/managed/prerequisites/cluster-observability-operator/kustomization.yaml deleted file mode 100644 index 77080dd..0000000 --- a/base/cluster/managed/prerequisites/cluster-observability-operator/kustomization.yaml +++ /dev/null @@ -1,6 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization - -resources: - - subscription.yaml diff --git a/base/cluster/managed/prerequisites/cluster-observability-operator/subscription.yaml b/base/cluster/managed/prerequisites/cluster-observability-operator/subscription.yaml deleted file mode 100644 index 629fd38..0000000 --- a/base/cluster/managed/prerequisites/cluster-observability-operator/subscription.yaml +++ /dev/null @@ -1,12 +0,0 @@ ---- -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: cluster-observability-operator - namespace: openshift-operators -spec: - channel: stable - installPlanApproval: Automatic - name: cluster-observability-operator - source: redhat-operators - sourceNamespace: openshift-marketplace diff --git a/base/cluster/managed/prerequisites/kustomization.yaml b/base/cluster/managed/prerequisites/kustomization.yaml deleted file mode 100644 index 4a22250..0000000 --- a/base/cluster/managed/prerequisites/kustomization.yaml +++ /dev/null 
@@ -1,11 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - nmstate-operator - - cert-manager-operator - - metallb-operator - - cluster-observability-operator - - namespace-openstack.yaml -components: - - ../../../initialize/gitops/components/annotations diff --git a/base/cluster/managed/prerequisites/metallb-operator/kustomization.yaml b/base/cluster/managed/prerequisites/metallb-operator/kustomization.yaml deleted file mode 100644 index e9315c0..0000000 --- a/base/cluster/managed/prerequisites/metallb-operator/kustomization.yaml +++ /dev/null @@ -1,8 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - namespace.yaml - - operatorgroup.yaml - - subscription.yaml - - metallb.yaml diff --git a/base/cluster/managed/prerequisites/metallb-operator/metallb.yaml b/base/cluster/managed/prerequisites/metallb-operator/metallb.yaml deleted file mode 100644 index d261858..0000000 --- a/base/cluster/managed/prerequisites/metallb-operator/metallb.yaml +++ /dev/null @@ -1,9 +0,0 @@ ---- -apiVersion: metallb.io/v1beta1 -kind: MetalLB -metadata: - name: metallb - namespace: metallb-system -spec: - nodeSelector: - node-role.kubernetes.io/worker: "" diff --git a/base/cluster/managed/prerequisites/metallb-operator/namespace.yaml b/base/cluster/managed/prerequisites/metallb-operator/namespace.yaml deleted file mode 100644 index 928cb91..0000000 --- a/base/cluster/managed/prerequisites/metallb-operator/namespace.yaml +++ /dev/null @@ -1,5 +0,0 @@ ---- -apiVersion: v1 -kind: Namespace -metadata: - name: metallb-system diff --git a/base/cluster/managed/prerequisites/metallb-operator/operatorgroup.yaml b/base/cluster/managed/prerequisites/metallb-operator/operatorgroup.yaml deleted file mode 100644 index 838e473..0000000 --- a/base/cluster/managed/prerequisites/metallb-operator/operatorgroup.yaml +++ /dev/null 
@@ -1,6 +0,0 @@ ---- -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: metallb-operator - namespace: metallb-system diff --git a/base/cluster/managed/prerequisites/metallb-operator/subscription.yaml b/base/cluster/managed/prerequisites/metallb-operator/subscription.yaml deleted file mode 100644 index 13eac68..0000000 --- a/base/cluster/managed/prerequisites/metallb-operator/subscription.yaml +++ /dev/null @@ -1,11 +0,0 @@ ---- -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: metallb-operator - namespace: metallb-system -spec: - channel: stable - name: metallb-operator - source: redhat-operators - sourceNamespace: openshift-marketplace diff --git a/base/cluster/managed/prerequisites/namespace-openstack.yaml b/base/cluster/managed/prerequisites/namespace-openstack.yaml deleted file mode 100644 index fa14047..0000000 --- a/base/cluster/managed/prerequisites/namespace-openstack.yaml +++ /dev/null @@ -1,8 +0,0 @@ ---- -apiVersion: v1 -kind: Namespace -metadata: - name: openstack - labels: - pod-security.kubernetes.io/enforce: privileged - security.openshift.io/scc.podSecurityLabelSync: "false" diff --git a/base/cluster/managed/prerequisites/nmstate-operator/kustomization.yaml b/base/cluster/managed/prerequisites/nmstate-operator/kustomization.yaml deleted file mode 100644 index e311885..0000000 --- a/base/cluster/managed/prerequisites/nmstate-operator/kustomization.yaml +++ /dev/null @@ -1,8 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - namespace.yaml - - operatorgroup.yaml - - subscription.yaml - - nmstate.yaml diff --git a/base/cluster/managed/prerequisites/nmstate-operator/namespace.yaml b/base/cluster/managed/prerequisites/nmstate-operator/namespace.yaml deleted file mode 100644 index 6de3fac..0000000 --- a/base/cluster/managed/prerequisites/nmstate-operator/namespace.yaml +++ /dev/null 
@@ -1,11 +0,0 @@ ---- -apiVersion: v1 -kind: Namespace -metadata: - labels: - kubernetes.io/metadata.name: openshift-nmstate - name: openshift-nmstate - name: openshift-nmstate -spec: - finalizers: - - kubernetes diff --git a/base/cluster/managed/prerequisites/nmstate-operator/nmstate.yaml b/base/cluster/managed/prerequisites/nmstate-operator/nmstate.yaml deleted file mode 100644 index 7a648e7..0000000 --- a/base/cluster/managed/prerequisites/nmstate-operator/nmstate.yaml +++ /dev/null @@ -1,5 +0,0 @@ ---- -apiVersion: nmstate.io/v1 -kind: NMState -metadata: - name: nmstate diff --git a/base/cluster/managed/prerequisites/nmstate-operator/operatorgroup.yaml b/base/cluster/managed/prerequisites/nmstate-operator/operatorgroup.yaml deleted file mode 100644 index b781f8b..0000000 --- a/base/cluster/managed/prerequisites/nmstate-operator/operatorgroup.yaml +++ /dev/null @@ -1,11 +0,0 @@ ---- -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - annotations: - olm.providedAPIs: NMState.v1.nmstate.io - name: openshift-nmstate - namespace: openshift-nmstate -spec: - targetNamespaces: - - openshift-nmstate diff --git a/base/cluster/managed/prerequisites/nmstate-operator/subscription.yaml b/base/cluster/managed/prerequisites/nmstate-operator/subscription.yaml deleted file mode 100644 index f77b214..0000000 --- a/base/cluster/managed/prerequisites/nmstate-operator/subscription.yaml +++ /dev/null @@ -1,14 +0,0 @@ ---- -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - labels: - operators.coreos.com/kubernetes-nmstate-operator.openshift-nmstate: "" - name: kubernetes-nmstate-operator - namespace: openshift-nmstate -spec: - channel: stable - installPlanApproval: Automatic - name: kubernetes-nmstate-operator - source: redhat-operators - sourceNamespace: openshift-marketplace diff --git a/base/initialize/gitops/subscribe/kustomization.yaml b/base/initialize/gitops/subscribe/kustomization.yaml deleted file mode 100644 index 76197cb..0000000 
--- a/base/initialize/gitops/subscribe/kustomization.yaml +++ /dev/null @@ -1,7 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - namespace.yaml - - operatorgroup.yaml - - subscription.yaml diff --git a/base/initialize/gitops/components/annotations/kustomization.yaml b/components/argocd/annotations/kustomization.yaml similarity index 100% rename from base/initialize/gitops/components/annotations/kustomization.yaml rename to components/argocd/annotations/kustomization.yaml diff --git a/components/rhoso/controlplane/controlplane/kustomization.yaml b/components/rhoso/controlplane/controlplane/kustomization.yaml new file mode 100644 index 0000000..7b18356 --- /dev/null +++ b/components/rhoso/controlplane/controlplane/kustomization.yaml @@ -0,0 +1,5 @@ +--- +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +resources: + - openstack-controlplane.yaml diff --git a/components/rhoso/controlplane/controlplane/openstack-controlplane.yaml b/components/rhoso/controlplane/controlplane/openstack-controlplane.yaml new file mode 100644 index 0000000..4a017b2 --- /dev/null +++ b/components/rhoso/controlplane/controlplane/openstack-controlplane.yaml 
@@ -0,0 +1,313 @@ +# source documentation: https://docs.redhat.com/en/documentation/red_hat_openstack_services_on_openshift/18.0/html/deploying_red_hat_openstack_services_on_openshift/assembly_creating-the-control-plane#ref_example-OpenStackControlPlane-CR_controlplane +--- +apiVersion: core.openstack.org/v1beta1 +kind: OpenStackControlPlane +metadata: + name: openstack-control-plane + namespace: openstack +spec: + secret: osp-secret + storageClass: your-RHOCP-storage-class + cinder: + apiOverride: + route: {} + template: + databaseInstance: openstack + secret: osp-secret + cinderAPI: + replicas: 3 + override: + service: + internal: + metadata: + annotations: + metallb.universe.tf/address-pool: internalapi + metallb.universe.tf/allow-shared-ip: internalapi + metallb.universe.tf/loadBalancerIPs: 172.17.0.80 + spec: + type: LoadBalancer + cinderScheduler: + replicas: 1 + cinderBackup: + networkAttachments: + - storage + replicas: 0 # backend needs to be configured to activate the service + cinderVolumes: + volume1: + networkAttachments: + - storage + replicas: 0 # backend needs to be configured to activate the service + nova: + apiOverride: + route: {} + template: + apiServiceTemplate: + replicas: 3 + override: + service: + internal: + metadata: + annotations: + metallb.universe.tf/address-pool: internalapi + metallb.universe.tf/allow-shared-ip: internalapi + metallb.universe.tf/loadBalancerIPs: 172.17.0.80 + spec: + type: LoadBalancer + metadataServiceTemplate: + replicas: 3 + override: + service: + metadata: + annotations: + metallb.universe.tf/address-pool: internalapi + metallb.universe.tf/allow-shared-ip: internalapi + metallb.universe.tf/loadBalancerIPs: 172.17.0.80 + spec: + type: LoadBalancer + schedulerServiceTemplate: + replicas: 3 + cellTemplates: + cell0: + cellDatabaseAccount: nova-cell0 + cellDatabaseInstance: openstack + cellMessageBusInstance: rabbitmq + hasAPIAccess: true + cell1: + cellDatabaseAccount: nova-cell1 + cellDatabaseInstance: 
openstack-cell1 + cellMessageBusInstance: rabbitmq-cell1 + noVNCProxyServiceTemplate: + enabled: true + networkAttachments: + - ctlplane + hasAPIAccess: true + secret: osp-secret + dns: + template: + options: + - key: server + values: + - 192.168.122.1 + - key: server + values: + - 192.168.122.2 + override: + service: + metadata: + annotations: + metallb.universe.tf/address-pool: ctlplane + metallb.universe.tf/allow-shared-ip: ctlplane + metallb.universe.tf/loadBalancerIPs: 192.168.122.80 + spec: + type: LoadBalancer + replicas: 2 + galera: + templates: + openstack: + storageRequest: 5000M + secret: osp-secret + replicas: 3 + openstack-cell1: + storageRequest: 5000M + secret: osp-secret + replicas: 3 + keystone: + apiOverride: + route: {} + template: + override: + service: + internal: + metadata: + annotations: + metallb.universe.tf/address-pool: internalapi + metallb.universe.tf/allow-shared-ip: internalapi + metallb.universe.tf/loadBalancerIPs: 172.17.0.80 + spec: + type: LoadBalancer + databaseInstance: openstack + secret: osp-secret + replicas: 3 + glance: + apiOverrides: + default: + route: {} + template: + databaseInstance: openstack + storage: + storageRequest: 10G + secret: osp-secret + keystoneEndpoint: default + glanceAPIs: + default: + type: single + replicas: 1 + override: + service: + internal: + metadata: + annotations: + metallb.universe.tf/address-pool: internalapi + metallb.universe.tf/allow-shared-ip: internalapi + metallb.universe.tf/loadBalancerIPs: 172.17.0.80 + spec: + type: LoadBalancer + networkAttachments: + - storage + barbican: + apiOverride: + route: {} + template: + databaseInstance: openstack + secret: osp-secret + barbicanAPI: + replicas: 3 + override: + service: + internal: + metadata: + annotations: + metallb.universe.tf/address-pool: internalapi + metallb.universe.tf/allow-shared-ip: internalapi + metallb.universe.tf/loadBalancerIPs: 172.17.0.80 + spec: + type: LoadBalancer + barbicanWorker: + replicas: 3 + 
barbicanKeystoneListener: + replicas: 1 + memcached: + templates: + memcached: + replicas: 3 + neutron: + apiOverride: + route: {} + template: + replicas: 3 + override: + service: + internal: + metadata: + annotations: + metallb.universe.tf/address-pool: internalapi + metallb.universe.tf/allow-shared-ip: internalapi + metallb.universe.tf/loadBalancerIPs: 172.17.0.80 + spec: + type: LoadBalancer + databaseInstance: openstack + secret: osp-secret + networkAttachments: + - internalapi + swift: + enabled: true + proxyOverride: + route: {} + template: + swiftProxy: + networkAttachments: + - storage + override: + service: + internal: + metadata: + annotations: + metallb.universe.tf/address-pool: internalapi + metallb.universe.tf/allow-shared-ip: internalapi + metallb.universe.tf/loadBalancerIPs: 172.17.0.80 + spec: + type: LoadBalancer + replicas: 1 + swiftRing: + ringReplicas: 1 + swiftStorage: + networkAttachments: + - storage + replicas: 1 + storageRequest: 10Gi + ovn: + template: + ovnDBCluster: + ovndbcluster-nb: + replicas: 3 + dbType: NB + storageRequest: 10G + networkAttachment: internalapi + ovndbcluster-sb: + replicas: 3 + dbType: SB + storageRequest: 10G + networkAttachment: internalapi + ovnNorthd: {} + placement: + apiOverride: + route: {} + template: + override: + service: + internal: + metadata: + annotations: + metallb.universe.tf/address-pool: internalapi + metallb.universe.tf/allow-shared-ip: internalapi + metallb.universe.tf/loadBalancerIPs: 172.17.0.80 + spec: + type: LoadBalancer + databaseInstance: openstack + replicas: 3 + secret: osp-secret + rabbitmq: + templates: + rabbitmq: + replicas: 3 + override: + service: + metadata: + annotations: + metallb.universe.tf/address-pool: internalapi + metallb.universe.tf/loadBalancerIPs: 172.17.0.85 + spec: + type: LoadBalancer + rabbitmq-cell1: + replicas: 3 + override: + service: + metadata: + annotations: + metallb.universe.tf/address-pool: internalapi + metallb.universe.tf/loadBalancerIPs: 172.17.0.86 + 
spec: + type: LoadBalancer + telemetry: + enabled: true + template: + metricStorage: + enabled: true + dashboardsEnabled: true + dataplaneNetwork: ctlplane + networkAttachments: + - ctlplane + monitoringStack: + alertingEnabled: true + scrapeInterval: 30s + storage: + strategy: persistent + retention: 24h + persistent: + pvcStorageRequest: 20G + autoscaling: + enabled: false + aodh: + databaseAccount: aodh + databaseInstance: openstack + passwordSelector: + aodhService: AodhPassword + rabbitMqClusterName: rabbitmq + serviceUser: aodh + secret: osp-secret + heatInstance: heat + ceilometer: + enabled: true + secret: osp-secret + logging: + enabled: false diff --git a/components/rhoso/controlplane/kustomization.yaml b/components/rhoso/controlplane/kustomization.yaml new file mode 100644 index 0000000..d7a7dd5 --- /dev/null +++ b/components/rhoso/controlplane/kustomization.yaml @@ -0,0 +1,7 @@ +--- +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component + +components: + - ./networking + - ./controlplane diff --git a/components/rhoso/controlplane/networking/kustomization.yaml b/components/rhoso/controlplane/networking/kustomization.yaml new file mode 100644 index 0000000..91f13d6 --- /dev/null +++ b/components/rhoso/controlplane/networking/kustomization.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +resources: + - openstack-ipaddresspools.yaml + - openstack-l2advertisement.yaml + - openstack-net-attach-def.yaml + - openstack-netconfig.yaml + - openstack-nncp.yaml diff --git a/components/rhoso/controlplane/networking/openstack-ipaddresspools.yaml b/components/rhoso/controlplane/networking/openstack-ipaddresspools.yaml new file mode 100644 index 0000000..920d521 --- /dev/null +++ b/components/rhoso/controlplane/networking/openstack-ipaddresspools.yaml 
@@ -0,0 +1,46 @@ +# source documentation: +# https://docs.redhat.com/en/documentation/red_hat_openstack_services_on_openshift/18.0/html/deploying_red_hat_openstack_services_on_openshift/assembly_preparing-rhoso-networks_preparing#proc_preparing-RHOCP-for-RHOSO-network-VIPs_preparing_networks +--- +apiVersion: metallb.io/v1beta1 +kind: IPAddressPool +metadata: + name: internalapi + namespace: metallb-system +spec: + addresses: + - 172.17.0.80-172.17.0.90 + autoAssign: true + avoidBuggyIPs: false +--- +apiVersion: metallb.io/v1beta1 +kind: IPAddressPool +metadata: + namespace: metallb-system + name: ctlplane +spec: + addresses: + - 192.168.122.80-192.168.122.90 + autoAssign: true + avoidBuggyIPs: false +--- +apiVersion: metallb.io/v1beta1 +kind: IPAddressPool +metadata: + namespace: metallb-system + name: storage +spec: + addresses: + - 172.18.0.80-172.18.0.90 + autoAssign: true + avoidBuggyIPs: false +--- +apiVersion: metallb.io/v1beta1 +kind: IPAddressPool +metadata: + namespace: metallb-system + name: tenant +spec: + addresses: + - 172.19.0.80-172.19.0.90 + autoAssign: true + avoidBuggyIPs: false diff --git a/components/rhoso/controlplane/networking/openstack-l2advertisement.yaml b/components/rhoso/controlplane/networking/openstack-l2advertisement.yaml new file mode 100644 index 0000000..1102262 --- /dev/null +++ b/components/rhoso/controlplane/networking/openstack-l2advertisement.yaml 
@@ -0,0 +1,46 @@ +# source documentation: +# https://docs.redhat.com/en/documentation/red_hat_openstack_services_on_openshift/18.0/html/deploying_red_hat_openstack_services_on_openshift/assembly_preparing-rhoso-networks_preparing#proc_preparing-RHOCP-for-RHOSO-network-VIPs_preparing_networks +--- +apiVersion: metallb.io/v1beta1 +kind: L2Advertisement +metadata: + name: internalapi + namespace: metallb-system +spec: + ipAddressPools: + - internalapi + interfaces: + - internalapi +--- +apiVersion: metallb.io/v1beta1 +kind: L2Advertisement +metadata: + name: ctlplane + namespace: metallb-system +spec: + ipAddressPools: + - ctlplane + interfaces: + - enp6s0 +--- +apiVersion: metallb.io/v1beta1 +kind: L2Advertisement +metadata: + name: storage + namespace: metallb-system +spec: + ipAddressPools: + - storage + interfaces: + - storage +--- +apiVersion: metallb.io/v1beta1 +kind: L2Advertisement +metadata: + name: tenant + namespace: metallb-system +spec: + ipAddressPools: + - tenant + interfaces: + - tenant diff --git a/components/rhoso/controlplane/networking/openstack-net-attach-def.yaml b/components/rhoso/controlplane/networking/openstack-net-attach-def.yaml new file mode 100644 index 0000000..824751a --- /dev/null +++ b/components/rhoso/controlplane/networking/openstack-net-attach-def.yaml 
@@ -0,0 +1,83 @@ +# source documentation: +# https://docs.redhat.com/en/documentation/red_hat_openstack_services_on_openshift/18.0/html/ +# deploying_red_hat_openstack_services_on_openshift/assembly_preparing-rhoso-networks_preparing#proc_attaching-service-pods-to-the-isolated-networks_preparing_networks +--- +apiVersion: k8s.cni.cncf.io/v1 +kind: NetworkAttachmentDefinition +metadata: + name: internalapi + namespace: openstack +spec: + config: |- + { + "cniVersion": "0.3.1", + "name": "internalapi", + "type": "macvlan", + "master": "internalapi", + "ipam": { + "type": "whereabouts", + "range": "172.17.0.0/24", + "range_start": "172.17.0.30", + "range_end": "172.17.0.70" + } + } +--- +apiVersion: k8s.cni.cncf.io/v1 +kind: NetworkAttachmentDefinition +metadata: + name: ctlplane + namespace: openstack +spec: + config: |- + { + "cniVersion": "0.3.1", + "name": "ctlplane", + "type": "macvlan", + "master": "enp6s0", + "ipam": { + "type": "whereabouts", + "range": "192.168.122.0/24", + "range_start": "192.168.122.30", + "range_end": "192.168.122.70" + } + } +--- +apiVersion: k8s.cni.cncf.io/v1 +kind: NetworkAttachmentDefinition +metadata: + name: storage + namespace: openstack +spec: + config: |- + { + "cniVersion": "0.3.1", + "name": "storage", + "type": "macvlan", + "master": "storage", + "ipam": { + "type": "whereabouts", + "range": "172.18.0.0/24", + "range_start": "172.18.0.30", + "range_end": "172.18.0.70" + } + } +--- +apiVersion: k8s.cni.cncf.io/v1 +kind: NetworkAttachmentDefinition +metadata: + name: tenant + namespace: openstack +spec: + config: |- + { + "cniVersion": "0.3.1", + "name": "tenant", + "type": "macvlan", + "master": "tenant", + "ipam": { + "type": "whereabouts", + "range": "172.19.0.0/24", + "range_start": "172.19.0.30", + "range_end": "172.19.0.70" + } + } diff --git a/components/rhoso/controlplane/networking/openstack-netconfig.yaml b/components/rhoso/controlplane/networking/openstack-netconfig.yaml new file mode 100644 index 0000000..6bc6a37 
--- /dev/null +++ b/components/rhoso/controlplane/networking/openstack-netconfig.yaml @@ -0,0 +1,60 @@ +# source documentation: +# https://docs.redhat.com/en/documentation/red_hat_openstack_services_on_openshift/18.0/html/deploying_red_hat_openstack_services_on_openshift/assembly_preparing-rhoso-networks_preparing#proc_creating-the-data-plane-network_preparing_networks +--- +apiVersion: network.openstack.org/v1beta1 +kind: NetConfig +metadata: + name: openstacknetconfig + namespace: openstack +spec: + networks: + - name: CtlPlane + dnsDomain: ctlplane.example.com + subnets: + - name: subnet1 + allocationRanges: + - end: 192.168.122.120 + start: 192.168.122.100 + - end: 192.168.122.200 + start: 192.168.122.150 + cidr: 192.168.122.0/24 + gateway: 192.168.122.1 + - name: InternalApi + dnsDomain: internalapi.example.com + subnets: + - name: subnet1 + allocationRanges: + - end: 172.17.0.250 + start: 172.17.0.100 + excludeAddresses: + - 172.17.0.10 + - 172.17.0.12 + cidr: 172.17.0.0/24 + vlan: 20 + - name: External + dnsDomain: external.example.com + subnets: + - name: subnet1 + allocationRanges: + - end: 10.0.0.250 + start: 10.0.0.100 + cidr: 10.0.0.0/24 + gateway: 10.0.0.1 + - name: Storage + dnsDomain: storage.example.com + subnets: + - name: subnet1 + allocationRanges: + - end: 172.18.0.250 + start: 172.18.0.100 + cidr: 172.18.0.0/24 + vlan: 21 + - name: Tenant + dnsDomain: tenant.example.com + subnets: + - name: subnet1 + allocationRanges: + - end: 172.19.0.250 + start: 172.19.0.100 + cidr: 172.19.0.0/24 + vlan: 22 diff --git a/components/rhoso/controlplane/networking/openstack-nncp.yaml b/components/rhoso/controlplane/networking/openstack-nncp.yaml new file mode 100644 index 0000000..140c4c4 --- /dev/null +++ b/components/rhoso/controlplane/networking/openstack-nncp.yaml 
@@ -0,0 +1,220 @@ +# source documentation: +# https://docs.redhat.com/en/documentation/red_hat_openstack_services_on_openshift/18.0/html/ +# deploying_red_hat_openstack_services_on_openshift/assembly_preparing-rhoso-networks_preparing#proc_preparing-RHOCP-with-isolated-network-interfaces_preparing_networks +# NOTE: slightly modified to result in 3 nodes being configured. The documentation only provides a single NNCP object. +--- +apiVersion: nmstate.io/v1 +kind: NodeNetworkConfigurationPolicy +metadata: + name: osp-enp6s0-worker-0 +spec: + desiredState: + interfaces: + - description: internalapi vlan interface + ipv4: + address: + - ip: 172.17.0.10 + prefix-length: 24 + enabled: true + dhcp: false + ipv6: + enabled: false + name: internalapi + state: up + type: vlan + vlan: + base-iface: enp6s0 + id: 20 + reorder-headers: true + - description: storage vlan interface + ipv4: + address: + - ip: 172.18.0.10 + prefix-length: 24 + enabled: true + dhcp: false + ipv6: + enabled: false + name: storage + state: up + type: vlan + vlan: + base-iface: enp6s0 + id: 21 + reorder-headers: true + - description: tenant vlan interface + ipv4: + address: + - ip: 172.19.0.10 + prefix-length: 24 + enabled: true + dhcp: false + ipv6: + enabled: false + name: tenant + state: up + type: vlan + vlan: + base-iface: enp6s0 + id: 22 + reorder-headers: true + - description: Configuring enp6s0 + ipv4: + address: + - ip: 192.168.122.10 + prefix-length: 24 + enabled: true + dhcp: false + ipv6: + enabled: false + mtu: 1500 + name: enp6s0 + state: up + type: ethernet + nodeSelector: + kubernetes.io/hostname: worker-0 + node-role.kubernetes.io/worker: "" +--- +apiVersion: nmstate.io/v1 +kind: NodeNetworkConfigurationPolicy +metadata: + name: osp-enp6s0-worker-1 +spec: + desiredState: + interfaces: + - description: internalapi vlan interface + ipv4: + address: + - ip: 172.17.0.11 + prefix-length: 24 + enabled: true + dhcp: false + ipv6: + enabled: false + name: internalapi + state: up + type: vlan + 
vlan: + base-iface: enp6s0 + id: 20 + reorder-headers: true + - description: storage vlan interface + ipv4: + address: + - ip: 172.18.0.11 + prefix-length: 24 + enabled: true + dhcp: false + ipv6: + enabled: false + name: storage + state: up + type: vlan + vlan: + base-iface: enp6s0 + id: 21 + reorder-headers: true + - description: tenant vlan interface + ipv4: + address: + - ip: 172.19.0.11 + prefix-length: 24 + enabled: true + dhcp: false + ipv6: + enabled: false + name: tenant + state: up + type: vlan + vlan: + base-iface: enp6s0 + id: 22 + reorder-headers: true + - description: Configuring enp6s0 + ipv4: + address: + - ip: 192.168.122.11 + prefix-length: 24 + enabled: true + dhcp: false + ipv6: + enabled: false + mtu: 1500 + name: enp6s0 + state: up + type: ethernet + nodeSelector: + kubernetes.io/hostname: worker-1 + node-role.kubernetes.io/worker: "" +--- +apiVersion: nmstate.io/v1 +kind: NodeNetworkConfigurationPolicy +metadata: + name: osp-enp6s0-worker-2 +spec: + desiredState: + interfaces: + - description: internalapi vlan interface + ipv4: + address: + - ip: 172.17.0.12 + prefix-length: 24 + enabled: true + dhcp: false + ipv6: + enabled: false + name: internalapi + state: up + type: vlan + vlan: + base-iface: enp6s0 + id: 20 + reorder-headers: true + - description: storage vlan interface + ipv4: + address: + - ip: 172.18.0.12 + prefix-length: 24 + enabled: true + dhcp: false + ipv6: + enabled: false + name: storage + state: up + type: vlan + vlan: + base-iface: enp6s0 + id: 21 + reorder-headers: true + - description: tenant vlan interface + ipv4: + address: + - ip: 172.19.0.12 + prefix-length: 24 + enabled: true + dhcp: false + ipv6: + enabled: false + name: tenant + state: up + type: vlan + vlan: + base-iface: enp6s0 + id: 22 + reorder-headers: true + - description: Configuring enp6s0 + ipv4: + address: + - ip: 192.168.122.12 + prefix-length: 24 + enabled: true + dhcp: false + ipv6: + enabled: false + mtu: 1500 + name: enp6s0 + state: up + type: 
ethernet + nodeSelector: + kubernetes.io/hostname: worker-2 + node-role.kubernetes.io/worker: "" diff --git a/components/rhoso/controlplane/services/watcher/kustomization.yaml b/components/rhoso/controlplane/services/watcher/kustomization.yaml new file mode 100644 index 0000000..e41b084 --- /dev/null +++ b/components/rhoso/controlplane/services/watcher/kustomization.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component + +patches: + - path: service.yaml + target: + kind: OpenStackControlPlane diff --git a/components/rhoso/controlplane/services/watcher/service.yaml b/components/rhoso/controlplane/services/watcher/service.yaml new file mode 100644 index 0000000..e6302c7 --- /dev/null +++ b/components/rhoso/controlplane/services/watcher/service.yaml @@ -0,0 +1,16 @@ +--- +# https://docs.redhat.com/en/documentation/red_hat_openstack_services_on_openshift/18.0/html-single/optimizing_infrastructure_resource_utilization/index#deploy-optimize-exist-control-plane_deploy-optmz +apiVersion: core.openstack.org/v1beta1 +kind: OpenStackControlPlane +metadata: + name: openstack-control-plane +spec: + watcher: + enabled: true + template: + decisionengineServiceTemplate: + customServiceConfig: |- + [watcher_cluster_data_model_collectors.compute] + period = 60 + [watcher_cluster_data_model_collectors.storage] + period = 60 diff --git a/components/rhoso/dataplane/deployment/dataplane-deployment.yaml b/components/rhoso/dataplane/deployment/dataplane-deployment.yaml new file mode 100644 index 0000000..5044283 --- /dev/null +++ b/components/rhoso/dataplane/deployment/dataplane-deployment.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: dataplane.openstack.org/v1beta1 +kind: OpenStackDataPlaneDeployment +metadata: + name: dp-deploy-01 + namespace: openstack +spec: + nodeSets: + - example-nodeset 
diff --git a/components/rhoso/dataplane/deployment/kustomization.yaml b/components/rhoso/dataplane/deployment/kustomization.yaml new file mode 100644 index 0000000..740d12f --- /dev/null +++ b/components/rhoso/dataplane/deployment/kustomization.yaml @@ -0,0 +1,6 @@ +--- +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component + +resources: + - dataplane-deployment.yaml diff --git a/components/rhoso/dataplane/kustomization.yaml b/components/rhoso/dataplane/kustomization.yaml new file mode 100644 index 0000000..9e7c2b2 --- /dev/null +++ b/components/rhoso/dataplane/kustomization.yaml @@ -0,0 +1,7 @@ +--- +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component + +components: + - ./nodeset + - ./deployment diff --git a/components/rhoso/dataplane/nodeset/kustomization.yaml b/components/rhoso/dataplane/nodeset/kustomization.yaml new file mode 100644 index 0000000..0532ecd --- /dev/null +++ b/components/rhoso/dataplane/nodeset/kustomization.yaml @@ -0,0 +1,6 @@ +--- +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component + +resources: + - nodeset.yaml diff --git a/components/rhoso/dataplane/nodeset/nodeset.yaml b/components/rhoso/dataplane/nodeset/nodeset.yaml new file mode 100644 index 0000000..841feb7 --- /dev/null +++ b/components/rhoso/dataplane/nodeset/nodeset.yaml 
@@ -0,0 +1,74 @@ +--- +apiVersion: dataplane.openstack.org/v1beta1 +kind: OpenStackDataPlaneNodeSet +metadata: + name: example-nodeset + namespace: openstack +spec: + env: + - name: ANSIBLE_FORCE_COLOR + value: "True" + networkAttachments: + - ctlplane + preProvisioned: true + nodeTemplate: + ansibleSSHPrivateKeySecret: dataplane-ansible-ssh-private-key-secret + managementNetwork: ctlplane + ansible: + ansibleUser: cloud-admin + ansiblePort: 22 + ansibleVarsFrom: + - secretRef: + name: subscription-manager + - secretRef: + name: redhat-registry + ansibleVars: + edpm_bootstrap_command: "" + rhc_release: 9.4 + rhc_repositories: + - {name: "*", state: disabled} + - {name: "rhel-9-for-x86_64-baseos-eus-rpms", state: enabled} + - {name: "rhel-9-for-x86_64-appstream-eus-rpms", state: enabled} + - {name: "rhel-9-for-x86_64-highavailability-eus-rpms", state: enabled} + - {name: "fast-datapath-for-rhel-9-x86_64-rpms", state: enabled} + - {name: "rhoso-18.0-for-rhel-9-x86_64-rpms", state: enabled} + - {name: "rhceph-7-tools-for-rhel-9-x86_64-rpms", state: enabled} + edpm_bootstrap_release_version_package: [] + edpm_network_config_os_net_config_mappings: {} + neutron_physical_bridge_name: br-ex + neutron_public_interface_name: eth0 + ctlplane_dns_nameservers: + - 192.168.122.80 + edpm_network_config_template: |- + --- + {% set mtu_list = [ctlplane_mtu] %} + {% for network in nodeset_networks %} + {{ mtu_list.append(lookup('vars', networks_lower[network] ~ '_mtu')) }} + {%- endfor %} + {% set min_viable_mtu = mtu_list | max %} + network_config: + - type: ovs_bridge + name: {{ neutron_physical_bridge_name }} + mtu: {{ min_viable_mtu }} + use_dhcp: false + dns_servers: {{ ctlplane_dns_nameservers }} + domain: {{ dns_search_domains }} + addresses: + - ip_netmask: {{ ctlplane_ip }}/{{ ctlplane_cidr }} + routes: {{ ctlplane_host_routes }} + members: + - type: interface + name: nic1 + mtu: {{ min_viable_mtu }} + # force the MAC address of the bridge to this interface + primary: true 
+ {% for network in nodeset_networks %} + - type: vlan + mtu: {{ lookup('vars', networks_lower[network] ~ '_mtu') }} + vlan_id: {{ lookup('vars', networks_lower[network] ~ '_vlan_id') }} + addresses: + - ip_netmask: + {{ lookup('vars', networks_lower[network] ~ '_ip') }}/{{ lookup('vars', networks_lower[network] ~ '_cidr') }} + routes: {{ lookup('vars', networks_lower[network] ~ '_host_routes') }} + {% endfor %} + nodes: {} diff --git a/containerfile/README.md b/containerfile/README.md deleted file mode 100644 index 82eca62..0000000 --- a/containerfile/README.md +++ /dev/null 
@@ -1,76 +0,0 @@ -# Using containerized client interfaces - -Provides a containerized environment to run client commands, including `oc` and `ansible`. - -## Creating the container image - -### Prerequisite - -You must have a valid account to access `registry.redhat.io`. - -### Build - -Using buildah or podman, run the following commands from the root of -the repository: - -```Bash -$ buildah bud -t rhoso-gitops:latest -f containerfile/oc-client . -$ podman build -t rhoso-gitops:latest -f containerfile/oc-client . -``` - -## Using the container image - -Use `podman` to connect to the the container image and access the clients: - -```Bash -$ podman run --rm -ti \ - -v $HOME/.kube:/root/.kube \ - --security-opt label=disable \ - rhoso-gitops:latest bash -``` - -To access Ansible, source the activation file to load the Python virtual environment: - -```Bash -# source .ansible/bin/activate -``` - -The current repository is copied into the container, and is available in -/root/rhoso-gitops. - -Alternatively, you can bind-mount the repository from your workstation for testing purposes: - -```Bash -$ podman run --rm -ti \ - -v $HOME/.kube:/root/.kube \ - -v /path/to/local/rhoso-gitops:/root/rhoso-gitops \ - --security-opt label=disable \ - rhoso-gitops:latest bash -``` - -## Updating `oc` binary - -To update `oc` binary, you can download the wanted version from your OpenShift cluster, -then bind-mount it in the container: - -```Bash -$ podman run --rm -ti \ - -v $HOME/.kube:/root/.kube \ - -v /path/to/local/oc:/usr/bin/oc \ - --security-opt label=disable \ - rhoso-gitops:latest bash -``` - -## Getting `helm` in the container - -Download [helm](https://github.com/helm/helm/releases) binary, follow the -[installation documentation](https://helm.sh/docs/intro/install/) and bind-mount it in the -container: - -```Bash -$ podman run --rm -ti \ - -v $HOME/.kube:/root/.kube \ - -v /path/to/local/helm:/usr/bin/helm \ - --security-opt label=disable \ - rhoso-gitops:latest bash -``` 
diff --git a/containerfile/oc-client b/containerfile/oc-client deleted file mode 100644 index b4c5c70..0000000 --- a/containerfile/oc-client +++ /dev/null @@ -1,16 +0,0 @@ -# Requires a valid authentication for -# registry.redhat.io -FROM registry.redhat.io/openshift4/ose-cli:latest - -RUN dnf install -y python3.12 git-core && dnf clean all -RUN update-alternatives --set python /usr/bin/python3.12 && \ - update-alternatives --set python3 /usr/bin/python3.12 - -RUN python3 -m venv ~/.ansible - -WORKDIR /root - -COPY ./ ./rhoso-gitops -RUN ~/.ansible/bin/pip install --upgrade pip -RUN ~/.ansible/bin/pip install -r ./rhoso-gitops/requirements.txt -RUN ~/.ansible/bin/ansible-galaxy install -r ./rhoso-gitops/requirements.yml diff --git a/docs/managing-secrets-with-vault.md b/docs/managing-secrets-with-vault.md deleted file mode 100644 index ccdca9e..0000000 --- a/docs/managing-secrets-with-vault.md +++ /dev/null 
@@ -1,215 +0,0 @@ -# Managing Secrets With Vault - -When [Providing secure access to Red Hat OpenStack Services on OpenShift -services](https://docs.redhat.com/en/documentation/red_hat_openstack_services_on_openshift/18.0/html/deploying_red_hat_openstack_services_on_openshift/assembly_preparing-rhocp-for-rhoso#proc_providing-secure-access-to-the-RHOSO-services_preparing) -it's necessary to populate a `Secret` with contents used for authentication. - -Manging `Secret` contents when using GitOps requires extra considerations, as -the sensitive data that exists in the Secret itself cannot be commited to a git -repository. - -Use of HashiCorp Vault allows for storage of the sensitive contents separate of -the creation of the Secret objects required for OpenStack provisioning. Use of -the Vault Secrets Operator makes taking the sensitive data stored in Vault and -writes it to a Kubernetes native Secret. - -## Deploying Vault - -Deployment of Vault is done with Helm, and then configuration of Vault itself -is done within the `vault-0` pod with the `vault` CLI command. The deployment -shown is not a production capable deployment of Vault. For more information -about deploying Vault on Kubernetes for production, see [Vault on Kubernetes -deployment -guide](https://developer.hashicorp.com/vault/tutorials/kubernetes/kubernetes-raft-deployment-guide). - -_Prerequisites_ - -* You're logged into the OpenShift Container Platform as a cluster adminstrator. -* You've installed `helm` version 3.15 or later. 
- -_Procedure_ - -* Add the Hashicorp Helm repository: - ```bash - $ helm repo add hashicorp https://helm.releases.hashicorp.com - ``` -* Update all repositories: - ```bash - $ helm repo update - ``` -* Install Hashicorp Vault: - * Create a project for Vault: - ```bash - $ oc new-project vault - ``` - * Grant privileged access to the `vault` service: - ```bash - $ oc adm policy add-scc-to-user privileged -z vault -n vault - ``` - * Deploy HashiCorp Vault with Helm: - ```bash - $ helm install vault hashicorp/vault --namespace=vault \ - --set "server.dev.enabled=true" \ - --set "injector.enabled=false" \ - --set "global.openshift=true" - ``` - -_Additional Information_ - -* [Vault installation to Red Hat OpenShift via Helm](https://developer.hashicorp.com/vault/tutorials/kubernetes/kubernetes-openshift). -* [Mounting secrets from HashiCorp Vault](https://docs.openshift.com/container-platform/4.16/nodes/pods/nodes-pods-secrets-store.html#secrets-store-vault_nodes-pods-secrets-store) in the OpenShift Providing sensitive data to pods by using an external secrets store guide. - -## Enabling Vault Access - -Configure Vault to use Kubernetes authentication and a policy for OpenStack usage. - -### Configuring Vault to use Kubernetes Authentication - -These instructions match those documented at [Mounting secrets from HashiCorp -Vault](https://docs.openshift.com/container-platform/4.16/nodes/pods/nodes-pods-secrets-store.html#secrets-store-vault_nodes-pods-secrets-store) -in the OpenShift guide at procedure step 5 with minor modifications to enable -Vault specifically for the `openstack` namespace. 
- -_Procedure_ - -* Enable the Kubernetes authentication method: - ```bash - $ oc exec vault-0 --namespace=vault -- vault auth enable kubernetes - ``` -* Configure the Kubernetes authentication method: - * Set the token reviewer as an environment variable by running the following command: - ```bash - $ TOKEN_REVIEWER_JWT="$(oc exec vault-0 --namespace=vault -- cat /var/run/secrets/kubernetes.io/serviceaccount/token)" - ``` - * Set the Kubernetes service IP address as an environment variable by running the following command: - ```bash - $ KUBERNETES_SERVICE_IP="$(oc get svc --namespace=default kubernetes -o go-template="{{ .spec.clusterIP }}")" - ``` - * Update the Kubernetes auth method by running the following command: - ```bash - $ oc exec -i vault-0 --namespace=vault -- vault write auth/kubernetes/config \ - issuer="https://kubernetes.default.svc.cluster.local" \ - token_reviewer_jwt="${TOKEN_REVIEWER_JWT}" \ - kubernetes_host="https://${KUBERNETES_SERVICE_IP}:443" \ - kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt - ``` -* Create a policy for OpenStack: - ```bash - $ oc exec -i vault-0 --namespace=vault -- vault policy write openstack - <
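Review bot: Deleting `base/cluster/managed/prerequisites/namespace-openstack.yaml` removes the only manifest in this tree that creates the `openstack` namespace with `pod-security.kubernetes.io/enforce: privileged` and `security.openshift.io/scc.podSecurityLabelSync: "false"`, yet every new resource under `components/rhoso/` (the `OpenStackControlPlane`, the four `NetworkAttachmentDefinition`s, the `OpenStackDataPlaneNodeSet` and the `OpenStackDataPlaneDeployment`) sets `namespace: openstack`, and nothing in this diff adds a replacement. Either move the Namespace into a component or state in the README which layer now owns it; because that label grants privileged pod security to everything in the namespace, the manifest that sets it should have an explicit, reviewed home rather than being recreated ad hoc by each consumer.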
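Review bot: The `nmstate-operator`, `metallb-operator`, `cert-manager-operator` and `cluster-observability-operator` prerequisite kustomizations are deleted, but the new `components/rhoso/controlplane/networking` component still depends on the CRDs those operators install (`nmstate.io/v1` `NodeNetworkConfigurationPolicy`, `metallb.io/v1beta1` `IPAddressPool` and `L2Advertisement`), and nothing in the diff adds a replacement. Please record in the README where these operators are now expected to come from; otherwise applying the component fails on unknown kinds.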
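Review bot: `openstack-controlplane.yaml` ships the documentation placeholder `storageClass: your-RHOCP-storage-class` verbatim, so a consumer who includes the component without a patch gets a control plane whose PVCs never bind; mark it with a comment as a required override and show the kustomize patch that sets it. The same file mixes storage units (`storageRequest: 5000M`, `10G` for glance and the OVN DB clusters, `10Gi` for swift, `pvcStorageRequest: 20G` for telemetry); standardizing on binary units such as `Gi` avoids silently requesting slightly less than intended, since `10G` is smaller than `10Gi`.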
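Review bot: All four `IPAddressPool` objects in `openstack-ipaddresspools.yaml` set `autoAssign: true`, while every `LoadBalancer` Service in `openstack-controlplane.yaml` selects its pool explicitly with `metallb.universe.tf/address-pool`. With `autoAssign: true`, any other `LoadBalancer` Service in the cluster that omits the annotation can be handed an address from the RHOSO internalapi, ctlplane, storage or tenant ranges; since nothing here relies on auto-assignment, `autoAssign: false` is the safer default for these pools.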
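Review bot: The networking component hard-codes site-specific values copied from the product documentation under `components/`, which is meant for reuse: `enp6s0` as the VLAN base interface in `openstack-nncp.yaml`, the ctlplane `L2Advertisement` and the ctlplane `NetworkAttachmentDefinition`; the `worker-0`, `worker-1` and `worker-2` hostnames in the NNCP `nodeSelector`s; and the `172.17.0.0/24`, `172.18.0.0/24`, `172.19.0.0/24` and `192.168.122.0/24` ranges across all five files. Either document these as the values a consumer must patch, or split the NNCP and the address ranges out of the shared component so the reusable part contains only structure.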
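Review bot: In `openstack-netconfig.yaml` the InternalApi subnet lists `excludeAddresses: 172.17.0.10` and `172.17.0.12` but omits `172.17.0.11`, which the `osp-enp6s0-worker-1` policy in `openstack-nncp.yaml` assigns to that node. The allocation range starts at `172.17.0.100`, so there is no conflict today, but the exclusion list should match the three node addresses (`.10`, `.11`, `.12`) so it stays correct if the range is later widened.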
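Review bot: `nodeset.yaml` sets `nodes: {}` with `preProvisioned: true`, and `dataplane-deployment.yaml` immediately targets that `example-nodeset`, so including `components/rhoso/dataplane` unmodified creates a deployment for a node set with no nodes. The component also expects three pre-existing Secrets (`dataplane-ansible-ssh-private-key-secret`, `subscription-manager`, `redhat-registry`), and the control plane expects `osp-secret`; please list these in the README as inputs that must be provided out of band. Minor: `rhc_release: 9.4` is an unquoted YAML float; write it as `rhc_release: "9.4"` so the value reaches the role as the intended string.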
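Review bot: Deleting `docs/managing-secrets-with-vault.md` removes the only written procedure in this repository for enabling Vault's Kubernetes auth method and writing the `openstack` policy; dropping the `server.dev.enabled=true` dev-mode install guidance is reasonable, but the auth-configuration steps (`vault auth enable kubernetes`, `vault write auth/kubernetes/config ...`) should be preserved or linked from wherever the VaultStaticSecret setup is now documented. Likewise, with `containerfile/oc-client` and its README gone, please confirm `requirements.txt` and `requirements.yml` still have a consumer, or remove them in the same change.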