diff --git a/.ansible-lint b/.ansible-lint index 040b3902..cb1f7423 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -1,7 +1,6 @@ # Vim filetype=yaml --- offline: false -#requirements: ansible/execution_environment/requirements.yml exclude_paths: - .cache/ @@ -9,6 +8,8 @@ exclude_paths: - charts/ - common/ - tests/ + - requirements.yml + - values-* # warn_list: # - yaml diff --git a/.flake8 b/.flake8 new file mode 100644 index 00000000..8159765a --- /dev/null +++ b/.flake8 @@ -0,0 +1,3 @@ +[flake8] +# match black default +max-line-length = 88 \ No newline at end of file diff --git a/.github/workflows/ansible-lint.yml b/.github/workflows/ansible-lint.yml index c2b2981b..2b549c9d 100644 --- a/.github/workflows/ansible-lint.yml +++ b/.github/workflows/ansible-lint.yml @@ -11,7 +11,5 @@ jobs: - uses: actions/checkout@v4 - name: Lint Ansible Playbook - uses: ansible/ansible-lint-action@v6 - # Let's point it to the path - with: - path: "ansible/" + uses: ansible/ansible-lint@06f616d6e86e9ce4c74393318d1cbb2d016af413 + # Let's point it to the path \ No newline at end of file diff --git a/.github/workflows/jsonschema.yaml b/.github/workflows/jsonschema.yaml index 75a161ae..1002238e 100644 --- a/.github/workflows/jsonschema.yaml +++ b/.github/workflows/jsonschema.yaml 
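Review bot: The new `uses: ansible/ansible-lint@06f616d6e86e9ce4c74393318d1cbb2d016af413` is SHA-pinned but carries no version annotation, so neither a reader nor Dependabot/Renovate can tell which release that commit is or notice when it should move; annotate it as `uses: ansible/ansible-lint@06f616d6e86e9ce4c74393318d1cbb2d016af413  # <release tag this SHA was taken from>`. The retained `# Let's point it to the path` comment now describes a `with: path: "ansible/"` argument that the hunk removed, so it misleads: drop it, or restore the argument in whatever form the new action accepts if the linter is still meant to scan only `ansible/` (the `.ansible-lint` `exclude_paths` added above suggest it now runs repo-wide). Within the same job `actions/checkout@v4` stays on a mutable tag, so the pinning policy is inconsistent inside one workflow. The file also lost its trailing newline.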
@@ -1,41 +1,19 @@ --- name: Verify json schema -# -# Documentation: -# https://help.github.com/en/articles/workflow-syntax-for-github-actions -# - -############################# -# Start the job on all push # -############################# on: [push, pull_request] -############### -# Set the Job # -############### jobs: jsonschema_tests: - # Name the Job name: Json Schema tests strategy: matrix: python-version: [3.11] - # Set the agent to run on runs-on: ubuntu-latest - ################## - # Load all steps # - ################## steps: - ########################## - # Checkout the code base # - ########################## - name: Checkout Code uses: actions/checkout@v4 - with: - # Full git history is needed to get a proper list of changed files within `super-linter` - fetch-depth: 0 - name: Set up Python ${{ matrix.python-version }} uses: actions/setup-python@v5 
@@ -54,19 +32,19 @@ jobs: - name: Verify secrets json schema against templates run: | - # check-jsonschema needs .yaml as an extension cp ./values-secret.yaml.template ./values-secret.yaml - check-jsonschema --schemafile ./common/ansible/roles/vault_utils/values-secrets.v2.schema.json values-secret.yaml + check-jsonschema --fill-defaults --schemafile https://raw.githubusercontent.com/validatedpatterns/rhvp.cluster_utils/refs/heads/main/roles/vault_utils/values-secrets.v2.schema.json values-secret.yaml rm -f ./values-secret.yaml - name: Verify ClusterGroup values.schema.json against values-*yaml files run: | - set -e; for i in values-hub.yaml values-group-one.yaml; do + set -e + find . -maxdepth 1 -type f -name "values-*.yaml" ! -name "values-global.yaml" -print0 | while IFS= read -r -d '' i; + do echo "$i" # disable shellcheck of single quotes in yq # shellcheck disable=2016 yq eval-all '. as $item ireduce ({}; . * $item )' values-global.yaml "$i" > tmp.yaml - check-jsonschema --schemafile ./common/clustergroup/values.schema.json tmp.yaml + check-jsonschema --fill-defaults --schemafile https://raw.githubusercontent.com/validatedpatterns/clustergroup-chart/refs/heads/main/values.schema.json tmp.yaml rm -f tmp.yaml - done - + done \ No newline at end of file diff --git a/.github/workflows/linter.yml b/.github/workflows/linter.yml deleted file mode 100644 index 83f60b6d..00000000 --- a/.github/workflows/linter.yml +++ /dev/null 
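Review bot: Both `check-jsonschema --schemafile https://raw.githubusercontent.com/.../refs/heads/main/...` invocations now fetch the schema from the moving `main` branch of another repository at CI time, replacing the vendored `./common/...` files, so the check is neither reproducible nor tamper-evident — whoever can push to those branches decides whether this job passes, and a schema change there will break or silently loosen validation here. Pin each URL to a release tag or commit (replace `refs/heads/main` with `refs/tags/<version>` or a commit SHA) and bump it deliberately, or keep copies of the schemas in-tree. `--fill-defaults` also changes what is validated: schema defaults are merged into the instance before checking, so a values file that omits a key with a default will no longer be reported — confirm that is intended for both the secrets and the ClusterGroup schemas. The `find ... | while read` loop is a reasonable replacement for the hard-coded file list, but note it now also picks up any stray `values-*.yaml` in the checkout (e.g. the `values-secret.yaml` the previous step creates if its `rm -f` did not run).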
@@ -1,65 +0,0 @@ ---- -name: Unit tests - -# -# Documentation: -# https://help.github.com/en/articles/workflow-syntax-for-github-actions -# - -############################# -# Start the job on all push # -############################# -on: [push, pull_request] - -############### -# Set the Job # -############### -jobs: - build: - # Name the Job - name: Unit Test Code Base - # Set the agent to run on - runs-on: ubuntu-latest - - ################## - # Load all steps # - ################## - steps: - ########################## - # Checkout the code base # - ########################## - - name: Checkout Code - uses: actions/checkout@v4 - with: - # Full git history is needed to get a proper list of changed files within `super-linter` - fetch-depth: 0 - - name: Setup helm - uses: azure/setup-helm@v4 - with: - version: 'v3.14.0' - id: install - - ################################ - # Run Linter against code base # - ################################ - # - name: Lint Code Base - # uses: github/super-linter@v4 - # env: - # VALIDATE_ALL_CODEBASE: false - # DEFAULT_BRANCH: main - # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - name: Run make test - run: | - make test - - - name: Run make helmlint - run: | - make helmlint - - # Disable kubeconform for the time being - # - name: Run make helm kubeconform - # run: | - # curl -L -O https://github.com/yannh/kubeconform/releases/download/v0.4.13/kubeconform-linux-amd64.tar.gz - # tar xf kubeconform-linux-amd64.tar.gz - # sudo mv -v kubeconform /usr/local/bin - # make kubeconform diff --git a/.github/workflows/superlinter.yml b/.github/workflows/superlinter.yml index 55acbdb0..d275dcf8 100644 --- a/.github/workflows/superlinter.yml +++ b/.github/workflows/superlinter.yml @@ -21,7 +21,7 @@ jobs: # Run Linter against code base # ################################ - name: Lint Code Base - uses: github/super-linter/slim@v6 + uses: super-linter/super-linter/slim@v7 env: VALIDATE_ALL_CODEBASE: true DEFAULT_BRANCH: main 
@@ -31,11 +31,14 @@ jobs: VALIDATE_BASH: false VALIDATE_CHECKOV: false VALIDATE_JSCPD: false + VALIDATE_JSON_PRETTIER: false + VALIDATE_MARKDOWN_PRETTIER: false VALIDATE_KUBERNETES_KUBECONFORM: false VALIDATE_PYTHON_PYLINT: false VALIDATE_SHELL_SHFMT: false VALIDATE_YAML: false + VALIDATE_YAML_PRETTIER: false # VALIDATE_DOCKERFILE_HADOLINT: false # VALIDATE_MARKDOWN: false # VALIDATE_NATURAL_LANGUAGE: false - # VALIDATE_TEKTON: false + # VALIDATE_TEKTON: false \ No newline at end of file diff --git a/.gitignore b/.gitignore index 32dc120a..b17116db 100644 --- a/.gitignore +++ b/.gitignore @@ -19,3 +19,4 @@ azure-env.sh openshift-install node_modules .envrc +.ansible/ \ No newline at end of file diff --git a/.prettierrc b/.prettierrc new file mode 100644 index 00000000..c3481a75 --- /dev/null +++ b/.prettierrc @@ -0,0 +1,4 @@ +{ + "singleQuote": true, + "semi": false +} \ No newline at end of file diff --git a/.releaserc.yaml b/.releaserc.yaml index 85d0d667..7de8ac0a 100644 --- a/.releaserc.yaml +++ b/.releaserc.yaml @@ -1,7 +1,7 @@ branches: -- main + - main plugins: -- "@semantic-release/commit-analyzer" -- "@semantic-release/release-notes-generator" -- "@semantic-release/github" -- "@semantic-release/git" + - "@semantic-release/commit-analyzer" + - "@semantic-release/release-notes-generator" + - "@semantic-release/github" + - "@semantic-release/git" diff --git a/README.md b/README.md index 091c69a7..f9b62767 100644 --- a/README.md +++ b/README.md 
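Review bot: This commit adds a `.prettierrc` yet sets `VALIDATE_JSON_PRETTIER`, `VALIDATE_MARKDOWN_PRETTIER` and `VALIDATE_YAML_PRETTIER` all to `false`, so the new Prettier configuration is never exercised in CI and the two changes pull in opposite directions; either enable at least `VALIDATE_YAML_PRETTIER: true` (the bulk of this commit is YAML reindentation that Prettier would keep consistent) or drop `.prettierrc` until it is meant to be enforced. The edit also strips the file's trailing newline (`# VALIDATE_TEKTON: false \ No newline at end of file`), which yamllint's `new-line-at-end-of-file` rule and the linters this workflow runs will flag.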
@@ -1,15 +1,16 @@ # coco-pattern + This is a validated pattern for deploying confidential containers on OpenShift. -The target operating model has two clusters: +The target operating model has two clusters: - One in a "trusted" zone where the remote attestation, KMS and Key Broker infrastructure are deployed. -- A second where a subset of workloads are deployed in confidential containers +- A second where a subset of workloads are deployed in confidential containers. + +The current version of this application the confidential containers assumes deployment to Azure. -**For the current version of this application the confidential containers assumes deployment to Azure** +On the platform a sample workload is deployed: -On the platform a a sample workload is deployed - 1. Sample hello world applications to allow users to experiment with the policies for CoCo and the KBS (trustee). 2. A sample application `kbs-access` which presents secrets obtained from trustee to a web service. This is designed to allow users to test locked down environments. @@ -19,7 +20,6 @@ Future work includes: 2. Supporting multiple infrastructure providers 3. Supporting a more sophisticated workload such as confidential AI inference with protected GPUs. - ## Current constraints and assumptions - Only currently is known to work with `azure` as the provider of confidential vms via peer-pods. @@ -30,13 +30,16 @@ Future work includes: ## Major versions ### `2.*` + This is currently the `main` branch for the repository. Version 2.* of the pattern is currently constrained to support: + - (OpenShift Sandboxed Containers Operator) `1.9.*` - Trustee `0.3.*` This limits support to OpenShift 4.16 and higher. The pattern has been tested on Azure for two installation methods: + 1. Installing onto an ARO cluster 2. Self managed OpenShift install using the `openshift-install` CLI. 
@@ -44,42 +47,44 @@ The pattern has been tested on Azure for two installation methods: > You need an external CA signed certificate for to be added (e.g. with let's encrypt) to a self-managed install ### `1.0.0` + 1.0.0 supports OpenShift Sandboxed containers version `1.8.1` along with Trustee version `0.2.0`. The pattern has been tested on Azure for one installation method: -1. Self managed OpenShift install using the `openshift-install` CLI +1. Self managed OpenShift install using the `openshift-install` CLI +2. Installing on top of an existing Azure Red Hat OpenShift (ARO) cluster +## Validated pattern flavours -## validated pattern flavours -**Today the demo has one flavour**. +**Today the demo has one flavour**. A number are planned based on various different hub cluster-groups. -You can change between behaviour by configuring [`global.main.clusterGroupName`](https://validatedpatterns.io/learn/values-files/) key in the `values-global.yaml` file. - +You can change between behaviour by configuring [`global.main.clusterGroupName`](https://validatedpatterns.io/learn/values-files/) key in the `values-global.yaml` file. `values-simple.yaml`: or the `simple` cluster group is the default for the pattern. -It deploys a hello-openshift application 3 times: +It deploys a hello-openshift application 3 times: + - A standard pod - A kata container with peer-pods - A confidential kata-container ## Setup instructions - ### Default single cluster setup with `values-simple.yaml` The instructions here presume you have a cluster. See further down for provisioning instructions for a cluster. -#### Fork and Clone the GitHub repo +#### Fork and Clone the GitHub repository + 1. Following [standard validated patterns workflow](https://validatedpatterns.io/learn/workflow/) fork the repository and clone to your development environment which has `podman` and `git` 2. If using a particular version (e.g. `1.0.0`) checkout the correct tag. 
> [!TIP] -> Forking is essential as the validated pattern uses ArgoCD to reconcile it's state against your remote (forked) repository. - +> Forking is essential as the validated pattern uses ArgoCD to reconcile it's state against your remote (forked) repository. #### Configuring required secrets / parameters -The secrets here secure Trustee and the peer-pod vms. Mostly they are for demonstration purposes. + +The secrets here secure Trustee and the peer-pod vms. Mostly they are for demonstration purposes. This only has to be done once. 1. Run `sh scripts/gen-secrets.sh` @@ -87,17 +92,16 @@ This only has to be done once. > [!NOTE] > Once generated this script will not override secrets. Be careful when doing multiple tests. -#### Configuring let's encrypt. +#### Configuring let's encrypt > [!IMPORTANT] > Ensure you have password login available to the cluster. Let's encrypt will replace the API certificate in addition to the certificates to user with routes. - Trustee requires a trusted CA issued certificate. Let's Encrypt is included for environments without a trusted cert on OpenShift's routes. If you need a Let's Encrypt certificate to be issued the `letsencrypt` application configuration needs to be changed as below. + ```yaml - --- # Default configuration, safe for ARO letsencrypt: @@ -125,7 +129,8 @@ If you need a Let's Encrypt certificate to be issued the `letsencrypt` applicati > Configuration changes are only effective once committed and pushed to your remote repository. #### Installing onto a cluster -Once you configuration is pushed (if required) `./pattern.sh make install` to provision a cluster. + +Once you configuration is pushed (if required) `./pattern.sh make install` to provision a cluster. > [!TIP] > The branch and default origin you have checked-out in your local repository is used to determine what ArgoCD and the patterns operator should reconcile against. Typical choices are to use the main for your fork. 
@@ -135,28 +140,31 @@ Once you configuration is pushed (if required) `./pattern.sh make install` to pr ### Single cluster install on an OCP cluster on azure using Red Hat Demo Platform Red Hat a demo platform. This allows easy access for Red Hat associates and partners to ephemeral cloud resources. The pattern is known to work with this setup. + 1. Get the [openshift installer](https://console.redhat.com/openshift/downloads) 1. **NOTE: openshift installer must be updated regularly if you want to automatically provision the latest versions of OCP** 2. Get access to an [Azure Subscription Based Blank Open Environment](https://catalog.demo.redhat.com/catalog?category=Open_Environments&search=azure&item=babylon-catalog-prod%2Fazure-gpte.open-environment-azure-subscription.prod). -3. Import the required azure environmental variables (see coded block): - ``` - export GUID= - export CLIENT_ID= - export PASSWORD= - export TENANT= - export SUBSCRIPTION= - export RESOURCEGROUP= - ``` -1. Ensure Let's encrypt -1. Run the wrapper install script - 1. `bash ./rhdp/wrapper.sh azure-region-code` - 2. Where azure region code is `eastasia`, `useast2` etc. -1. You *should* be done - 1. You *may* need to recreate the hello world peer-pods depending on timeouts. +3. Import the required azure environmental variables (see code block below) +4. Ensure certificates are configured (via let's encrypt or do so manually) +5. Run the wrapper install script + 1. `bash ./rhdp/wrapper.sh azure-region-code` + 2. Where azure region code is `eastasia`, `useast2` etc. +6. You *should* be done + 1. You *may* need to recreate the hello world peer-pods depending on timeouts. + +```shell + export GUID= + export CLIENT_ID= + export PASSWORD= + export TENANT= + export SUBSCRIPTION= + export RESOURCEGROUP= +``` ### Single cluster install on plain old azure *not* using Red Hat Demo Platform -**NOTE: Don't use the default node sizes.. 
increase the node sizes such as below** +> [!TIP] +> Don't use the default node sizes.. increase the node sizes such as below 1. Login to console.redhat.com 2. Get the openshift installer @@ -164,18 +172,14 @@ Red Hat a demo platform. This allows easy access for Red Hat associates and part 4. `openshift-install create install-config` 1. Select azure 2. For Red Hatter's and partners using RHDP make sure you select the same region for your account that you selected in RHDP -5. Change worker machine type e.g. -```yaml - platform: - azure: - type: Standard_D8s_v5 -``` -1. `mkdir ./ocp-install && mv openshift-install.yaml ./ocp-install` -2. `openshift-install create cluster --dir=./ocp-install` -3. Once installed: - 1. Login to `oc` - 2. Configure Let's Encrypt (if required) - 3. `./pattern.sh make install` +5. Change worker machine type e.g. change `type: Standard_D4s_v5` to `type: Standard_D8s_v5` or similar based on your needs. +6. `mkdir ./ocp-install && mv openshift-install.yaml ./ocp-install` +7. `openshift-install create cluster --dir=./ocp-install` +8. Once installed: + 1. Login to `oc` + 2. Configure Let's Encrypt (if required) + 3. `./pattern.sh make install` ### Multi cluster setup + TBD diff --git a/ansible/azure-nat-gateway.yaml b/ansible/azure-nat-gateway.yaml index 6ff012c4..128c4e50 100644 --- a/ansible/azure-nat-gateway.yaml +++ b/ansible/azure-nat-gateway.yaml @@ -18,7 +18,7 @@ retries: 20 delay: 5 - - name: Get Azure credentials + - name: Get Azure configuration kubernetes.core.k8s_info: kind: ConfigMap namespace: openshift-cloud-controller-manager @@ -41,7 +41,7 @@ no_log: true - name: Create Public IP for NAT Gateway - azure_rm_publicipaddress: + azure.azcollection.azure_rm_publicipaddress: subscription_id: "{{ azure_subscription_id }}" tenant: "{{ azure_tenant_id }}" client_id: "{{ azure_client_id }}" 
@@ -52,7 +52,7 @@ allocation_method: "static" - name: Retrieve Public IP for NAT Gateway - azure_rm_publicipaddress_info: + azure.azcollection.azure_rm_publicipaddress_info: subscription_id: "{{ azure_subscription_id }}" tenant: "{{ azure_tenant_id }}" client_id: "{{ azure_client_id }}" @@ -86,4 +86,3 @@ name: "{{ azure_subnet }}" virtual_network_name: "{{ azure_vnet }}" nat_gateway: "{{ coco_nat_gateway_name }}" -... diff --git a/ansible/configure-issuer.yaml b/ansible/configure-issuer.yaml index 0c56ce55..d6a501d3 100644 --- a/ansible/configure-issuer.yaml +++ b/ansible/configure-issuer.yaml 
@@ -7,44 +7,43 @@ vars: kubeconfig: "{{ lookup('env', 'KUBECONFIG') }}" tasks: - - name: Get Azure credentials - kubernetes.core.k8s_info: - kind: Secret - namespace: openshift-cloud-controller-manager - name: azure-cloud-credentials - register: azure_credentials - retries: 20 - delay: 5 - - name: List DNS zones - azure.azcollection.azure_rm_dnszone_info: - #resource_group: "{{ azure_credentials['data']['re'] }}" # don't pass if - auth_source: "auto" - subscription_id: "{{ azure_credentials.resources[0]['data']['azure_subscription_id'] | b64decode }}" - client_id: "{{ azure_credentials.resources[0]['data']['azure_client_id'] | b64decode }}" - secret: "{{ azure_credentials.resources[0]['data']['azure_client_secret'] | b64decode }}" - tenant: "{{ azure_credentials.resources[0]['data']['azure_tenant_id'] | b64decode }}" - register: dns_zones - # FIXME: This assumes only one dns zone is present. we should be matching against available dns zones. - - name: Split the Path - set_fact: - path_parts: "{{ dns_zones.ansible_info.azure_dnszones[0].id.split('/') }}" - - name: Find the Resource Group Name - set_fact: - resource_group: "{{ path_parts[4] }}" - - name: Get hosted zone - set_fact: - hosted_zone: "{{ dns_zones.ansible_info.azure_dnszones[0].name }}" - - name: "Set k8s cm" - kubernetes.core.k8s: - api_version: v1 - kind: ConfigMap - resource_definition: - apiVersion: v1 + - name: Get Azure credentials + kubernetes.core.k8s_info: + kind: Secret + namespace: openshift-cloud-controller-manager + name: azure-cloud-credentials + register: azure_credentials + retries: 20 + delay: 5 + - name: List DNS zones + azure.azcollection.azure_rm_dnszone_info: + auth_source: "auto" + subscription_id: "{{ azure_credentials.resources[0]['data']['azure_subscription_id'] | b64decode }}" + client_id: "{{ azure_credentials.resources[0]['data']['azure_client_id'] | b64decode }}" + secret: "{{ azure_credentials.resources[0]['data']['azure_client_secret'] | b64decode }}" + tenant: "{{ 
azure_credentials.resources[0]['data']['azure_tenant_id'] | b64decode }}" + register: dns_zones + # FIXME: This assumes only one dns zone is present. we should be matching against available dns zones. + - name: Split the Path + ansible.builtin.set_fact: + path_parts: "{{ dns_zones.ansible_info.azure_dnszones[0].id.split('/') }}" + - name: Find the Resource Group Name + ansible.builtin.set_fact: + resource_group: "{{ path_parts[4] }}" + - name: Get hosted zone + ansible.builtin.set_fact: + hosted_zone: "{{ dns_zones.ansible_info.azure_dnszones[0].name }}" + - name: "Set k8s cm" + kubernetes.core.k8s: + api_version: v1 kind: ConfigMap - metadata: - name: dnsinfo - namespace: imperative - data: - resource_group: "{{ resource_group }}" - hosted_zone: "{{ hosted_zone }}" - state: present \ No newline at end of file + resource_definition: + apiVersion: v1 + kind: ConfigMap + metadata: + name: dnsinfo + namespace: imperative + data: + resource_group: "{{ resource_group }}" + hosted_zone: "{{ hosted_zone }}" + state: present diff --git a/ansible/install-deps.yaml b/ansible/install-deps.yaml index 51f22206..4c3b15ba 100644 --- a/ansible/install-deps.yaml +++ b/ansible/install-deps.yaml @@ -4,9 +4,11 @@ hosts: localhost gather_facts: false tasks: - - name: Install required collection - ansible.builtin.command: - cmd: ansible-galaxy collection install azure.azcollection - - name: Install a Python package - ansible.builtin.command: - cmd: pip install --user -r ~/.ansible/collections/ansible_collections/azure/azcollection/requirements.txt \ No newline at end of file + - name: Ensure collection is installed + community.general.ansible_galaxy_install: + type: collection + name: azure.azcollection + - name: Install a Python package + ansible.builtin.pip: + requirements: "~/.ansible/collections/ansible_collections/azure/azcollection/requirements.txt" + extra_args: --user 
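Review bot: The reindented `Get Azure credentials` task registers the whole `azure-cloud-credentials` Secret (including `azure_client_secret`) into `azure_credentials`, and `List DNS zones` passes it base64-decoded as `secret:`, but neither task sets `no_log: true`, so the service-principal secret is printed to the console/job log on any `-v` run or on task failure; `ansible/azure-nat-gateway.yaml` in this same diff appears to already use `no_log: true` around its credential handling. Add `no_log: true` to both the `kubernetes.core.k8s_info` task and the `azure.azcollection.azure_rm_dnszone_info` task. The carried-over `FIXME` is still live: `azure_dnszones[0]` and `path_parts[4]` either pick an arbitrary zone when the credentials can see several or fail with an opaque index error when they see none, so an `ansible.builtin.assert` that `dns_zones.ansible_info.azure_dnszones | length == 1` would turn that into a clear failure. The hunk otherwise only reindents and moves to FQCNs; no behavior change was intended and none is visible.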
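Review bot: `community.general.ansible_galaxy_install` with a bare `name: azure.azcollection`, followed by `ansible.builtin.pip` against that collection's `requirements.txt`, installs whatever the newest published versions are at run time with no version pin or checksum, so the Azure SDK stack this pattern uses to handle cloud credentials can change underneath a release; the replaced `ansible-galaxy collection install` had the same weakness, so this is not a regression, but the rewrite is the moment to fix it. Pin the collection version (the module accepts a `name:version` form — confirm the exact syntax against its docs, or use a `requirements.yml` with a version, which the `.ansible-lint` change in this commit now excludes from linting) and consider a constraints file or `extra_args` pinning for the pip step. Separately, `requirements: "~/.ansible/collections/..."` relies on `~` being expanded; the play has `gather_facts: false` so `ansible_env.HOME` is unavailable, and `ansible.builtin.pip` passes the path to pip as an argument rather than via a shell — confirm it resolves, or build it as `"{{ lookup('env', 'HOME') }}/.ansible/collections/ansible_collections/azure/azcollection/requirements.txt"` the way `configure-issuer.yaml` already reads `KUBECONFIG`.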
diff --git a/charts/all/htpassword/Chart.yaml b/charts/all/htpassword/Chart.yaml deleted file mode 100644 index ea42e67c..00000000 --- a/charts/all/htpassword/Chart.yaml +++ /dev/null @@ -1,24 +0,0 @@ -apiVersion: v2 -name: htpassword -description: Simple config for basic password auth with OCP - -# A chart can be either an 'application' or a 'library' chart. -# -# Application charts are a collection of templates that can be packaged into versioned archives -# to be deployed. -# -# Library charts provide useful utilities or functions for the chart developer. They're included as -# a dependency of application charts to inject those utilities and functions into the rendering -# pipeline. Library charts do not define any templates and therefore cannot be deployed. -type: application - -# This is the chart version. This version number should be incremented each time you make changes -# to the chart and its templates, including the app version. -# Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.0 - -# This is the version number of the application being deployed. This version number should be -# incremented each time you make changes to the application. Versions are not expected to -# follow Semantic Versioning. They should reflect the version the application is using. -# It is recommended to use it with quotes. -appVersion: "0.0.1" diff --git a/charts/all/htpassword/README.md b/charts/all/htpassword/README.md deleted file mode 100644 index e7227b37..00000000 --- a/charts/all/htpassword/README.md +++ /dev/null 
@@ -1,8 +0,0 @@ -# htpassword - -Set up a basic set of users on the hub cluster. -This is not for production use. - -1. Based on using the [template secrets file](../../../values-encrypted-control-planes.yaml.template) create a htpasswd file at `~/ocp.htpasswd`. -2. The htpasswd file can be cteated by following [these instructions for linux and/or macOS](https://docs.openshift.com/container-platform/4.14/authentication/identity_providers/configuring-htpasswd-identity-provider.html#identity-provider-creating-htpasswd-file-windows_configuring-htpasswd-identity-provider) -3. After users have logged in once - run `adminify.sh` to give ALL users cluster-admin. diff --git a/charts/all/htpassword/adminify.sh b/charts/all/htpassword/adminify.sh deleted file mode 100644 index e906e121..00000000 --- a/charts/all/htpassword/adminify.sh +++ /dev/null @@ -1,8 +0,0 @@ -# yes this is procedural for demo systems onlys - -HTPASSWD_FILE=${HOME}/ocp.htpasswd - -while IFS=':' read -r username _; do - # Use the 'username' variable here for further processing - oc adm policy add-cluster-role-to-user cluster-admin $username -done < "$HTPASSWD_FILE" diff --git a/charts/all/htpassword/templates/clusteradmins.yaml b/charts/all/htpassword/templates/clusteradmins.yaml deleted file mode 100644 index bcbd2d88..00000000 --- a/charts/all/htpassword/templates/clusteradmins.yaml +++ /dev/null @@ -1,17 +0,0 @@ - - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: user-cluster-admin -subjects: -{{- range .Values.clusterAdmins }} -- kind: User - name: {{ . }} - apiGroup: rbac.authorization.k8s.io -{{- end }} - -roleRef: - kind: ClusterRole - name: cluster-admin - apiGroup: rbac.authorization.k8s.io \ No newline at end of file diff --git a/charts/all/htpassword/templates/eso-htpasswd.yaml b/charts/all/htpassword/templates/eso-htpasswd.yaml deleted file mode 100644 index c9bb6049..00000000 --- a/charts/all/htpassword/templates/eso-htpasswd.yaml +++ /dev/null 
@@ -1,22 +0,0 @@ -{{- if .Values.global.useExternalSecrets }} ---- -apiVersion: "external-secrets.io/v1beta1" -kind: ExternalSecret -metadata: - name: htpass-user-secrets - namespace: openshift-config - annotations: - argocd.argoproj.io/sync-wave: '-10' -spec: - refreshInterval: 15s - secretStoreRef: - name: {{ .Values.secretStore.name }} - kind: {{ .Values.secretStore.kind }} - target: - name: htpass-secret - template: - type: Opaque - dataFrom: - - extract: - key: {{ .Values.htpasswordCreds.key }} -{{- end }} diff --git a/charts/all/htpassword/templates/htpasswd.yaml b/charts/all/htpassword/templates/htpasswd.yaml deleted file mode 100644 index 02ca3796..00000000 --- a/charts/all/htpassword/templates/htpasswd.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: config.openshift.io/v1 -kind: OAuth -metadata: - name: cluster -spec: - identityProviders: - - name: htpass - mappingMethod: claim - type: HTPasswd - htpasswd: - fileData: - name: htpass-secret \ No newline at end of file diff --git a/charts/all/htpassword/values.yaml b/charts/all/htpassword/values.yaml deleted file mode 100644 index 90604457..00000000 --- a/charts/all/htpassword/values.yaml +++ /dev/null @@ -1,15 +0,0 @@ - -# Reference the Hashicorp Vault backend for ESO -secretStore: - name: vault-backend - kind: ClusterSecretStore - -# Secret provisioned for the AWS Controller for Kubernetes - S3 -htpasswordCreds: - key: secret/data/global/htpasswd - -clusterAdmins: - - chris - -global: - useExternalSecrets: true diff --git a/charts/all/letsencrypt/README.md b/charts/all/letsencrypt/README.md index ef975f9a..b5449700 100644 --- a/charts/all/letsencrypt/README.md +++ b/charts/all/letsencrypt/README.md 
@@ -1,24 +1,20 @@ # letsencrypt -## Forked from https://github.com/validatedpatterns/letsencrypt-chart - +## Forked from [Validated patterns lets encrypt chart.](https://github.com/validatedpatterns/letsencrypt-chart) ## Design for Azure -Cert-manager needs the azure resource group for a zone in order to manage the DNS. + +Cert-manager needs the azure resource group for a zone in order to manage the DNS. Unfortunately this is a little tricky to get. -To get this running on azure two compromises have been made -1. The required information (managed_zone_name and managed_zone resource group) can be obtained via the ansible imperative framework. +To get this running on azure three compromises have been made: + +1. The required information (managed_zone_name and managed_zone resource group) can be obtained via the ansible imperative framework. 2. The imperative framework is limited terms of feedback / logging. Please test carefully. 3. If the credentials can see more than one managed zone there may be issues. It presumes one. - - - - - ![Version: 0.1.1](https://img.shields.io/badge/Version-0.1.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.16.0](https://img.shields.io/badge/AppVersion-1.16.0-informational?style=flat-square) A Helm chart to add letsencrypt support to Validated Patterns. @@ -27,7 +23,7 @@ A Helm chart to add letsencrypt support to Validated Patterns. ## Maintainers -| Name | Email | Url | +| Name | Email | URL | | ---- | ------ | --- | | Validated Patterns Team | | | 
@@ -62,7 +58,7 @@ clusterGroup: | letsencrypt.certmanagerChannel | string | `"stable-v1"` | String the channel to install cert-manager from (Defaults to "stable-v1") | | letsencrypt.duration | string | `"168h0m0s"` | Duration of the requested letsencrypt certificates (Defaults to 168h0m0s) | | letsencrypt.email | string | `"test@example.com"` | String containing the email used when requesting certificates to letsencrypt (required) These two lines need tweaking for every deployment. @example.com emails will be rejected by letsencrypt | -| letsencrypt.nameservers | list | `["8.8.8.8:53","1.1.1.1:53"]` | List of DNS server (ip:port strings) to be used when doing DNS01 challenges (Defaults to [8.8.8.8:53, 1.1.1.1:53]) These two are needed because the DNS01 ACME solver needs outside DNS servers and won't really work with openshift's internal split-view DNS servers https://cert-manager.io/docs/configuration/acme/dns01/#setting-nameservers-for-dns01-self-check | +| letsencrypt.nameservers | list | `["8.8.8.8:53","1.1.1.1:53"]` | List of DNS server (ip:port strings) to be used when doing DNS01 challenges (Defaults to [8.8.8.8:53, 1.1.1.1:53]) These two are needed because the DNS01 ACME solver needs outside DNS servers and won't really work with openshift's internal split-view DNS servers [see](https://cert-manager.io/docs/configuration/acme/dns01/#setting-nameservers-for-dns01-self-check) | | letsencrypt.organizations | list | `["hybrid-cloud-patterns.io"]` | List of organization names to be put in a certificate (Defaults to [hybrid-cloud-patterns.io]) | | letsencrypt.region | string | `"eu-central-1"` | String that defines the region used by the route53/dns01 resolver in cert-manager (required) | | letsencrypt.renewBefore | string | `"28h0m0s"` | How long before expiration date should the certs be renewed (Defaults to 28h0m0s) | diff --git a/charts/coco-supported/kbs-access/README.md b/charts/coco-supported/kbs-access/README.md index 39f51261..d8e52b7e 100644 
--- a/charts/coco-supported/kbs-access/README.md +++ b/charts/coco-supported/kbs-access/README.md @@ -6,4 +6,4 @@ Using separate repository for build rather than integrated content is discourage The separate repository is because Coco (via the Kata guest components) must be served by an image registry using a TLS connection with a well known CA (as of today). -This chart will be updated as that position changes. \ No newline at end of file +This chart will be updated as that position changes. diff --git a/charts/hub/mcg/Chart.yaml b/charts/hub/mcg/Chart.yaml deleted file mode 100644 index e34280fe..00000000 --- a/charts/hub/mcg/Chart.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: v2 -description: A Helm chart to deploy Multicloud object gateway *over* the default storage -name: mcg -type: application - -# This is the chart version. This version number should be incremented each time you make changes -# to the chart and its templates, including the app version. -# Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.0 - -# This is the version number of the application being deployed. This version number should be -# incremented each time you make changes to the application. Versions are not expected to -# follow Semantic Versioning. They should reflect the version the application is using. -# It is recommended to use it with quotes. -appVersion: "0.1.0" diff --git a/charts/hub/mcg/templates/backing-store.yaml b/charts/hub/mcg/templates/backing-store.yaml deleted file mode 100644 index d6d66db2..00000000 --- a/charts/hub/mcg/templates/backing-store.yaml +++ /dev/null 
@@ -1,21 +0,0 @@ -apiVersion: noobaa.io/v1alpha1 -kind: BackingStore -metadata: - name: mcg-backingstore - namespace: openshift-storage - finalizers: - - noobaa.io/finalizer - labels: - app: noobaa -spec: -{{ if .Values.global.objectStorage.pvcStorage }} - pvPool: - numVolumes: {{ .Values.global.objectStorage.volumes }} - resources: - requests: - storage: {{ .Values.global.objectStorage.storagePool }} - storageClass: {{ .Values.global.objectStorage.backingStorageClass }} - type: pv-pool -{{ end }} - - diff --git a/charts/hub/mcg/templates/bucket-class.yaml b/charts/hub/mcg/templates/bucket-class.yaml deleted file mode 100644 index 3c05fa3e..00000000 --- a/charts/hub/mcg/templates/bucket-class.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: noobaa.io/v1alpha1 -kind: BucketClass -metadata: - name: default-bucket - namespace: openshift-storage - labels: - app: noobaa -spec: - placementPolicy: - tiers: - - backingStores: - - mcg-backingstore - placement: Spread \ No newline at end of file diff --git a/charts/hub/mcg/templates/storage-system.yaml b/charts/hub/mcg/templates/storage-system.yaml deleted file mode 100644 index c6d7dece..00000000 --- a/charts/hub/mcg/templates/storage-system.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: odf.openshift.io/v1alpha1 -kind: StorageSystem -metadata: - finalizers: - - storagesystem.odf.openshift.io - name: ocs-storagecluster-storagesystem - namespace: openshift-storage -spec: - kind: storagecluster.ocs.openshift.io/v1 - name: ocs-storagecluster - namespace: openshift-storage diff --git a/charts/hub/mcg/values.yaml b/charts/hub/mcg/values.yaml deleted file mode 100644 index 436685e3..00000000 --- a/charts/hub/mcg/values.yaml +++ /dev/null 
@@ -1,10 +0,0 @@ -global: - objectStorage: - # Whether or not to use PVC storage - pvcStorage: true - volumes: 3 - storagePool: 50Gi - backingStorageClass: "ocs-external-storagecluster-ceph-rbd" - # IF ODF exists we don't need to deploy an storage system - existingODF: true - odfStorageSystem: "ocs-external-storagecluster-storagesystem" diff --git a/charts/hub/science-project/Chart.yaml b/charts/hub/science-project/Chart.yaml deleted file mode 100644 index e5a97eb0..00000000 --- a/charts/hub/science-project/Chart.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: v2 -description: Example helm chart for configuring a OpenShift AI project. To be replicated on both clusters. -name: test-dsp -type: application - -# This is the chart version. This version number should be incremented each time you make changes -# to the chart and its templates, including the app version. -# Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.0 - -# This is the version number of the application being deployed. This version number should be -# incremented each time you make changes to the application. Versions are not expected to -# follow Semantic Versioning. They should reflect the version the application is using. -# It is recommended to use it with quotes. -appVersion: "1.0.0" diff --git a/charts/hub/science-project/templates/data-connection.yaml b/charts/hub/science-project/templates/data-connection.yaml deleted file mode 100644 index ccdaf20c..00000000 --- a/charts/hub/science-project/templates/data-connection.yaml +++ /dev/null 
@@ -1,43 +0,0 @@ -apiVersion: "external-secrets.io/v1beta1" -kind: ExternalSecret -metadata: - name: {{ .Values.dsp.name }}-data-connnection-eso - namespace: {{ .Values.dsp.name }} - annotations: - argocd.argoproj.io/sync-wave: '-10' -spec: - refreshInterval: 15s - secretStoreRef: - name: {{ .Values.secretStore.name }} - kind: {{ .Values.secretStore.kind }} - target: - name: aws-connection-noobaa - template: - type: Opaque - metadata: - annotations: - opendatahub.io/connection-type: s3 - openshift.io/display-name: aws-connection-noobaa - - labels: - opendatahub.io/dashboard: "true" - opendatahub.io/managed: "true" - data: - verify_ssl: "false" - type: s3 - AWS_ACCESS_KEY_ID: >- - {{ printf "{{ .AWS_ACCESS_KEY_ID | toString }}" }} - AWS_SECRET_ACCESS_KEY: >- - {{ printf "{{ .AWS_SECRET_ACCESS_KEY | toString }}" }} - AWS_DEFAULT_REGION: "" - AWS_S3_BUCKET: "{{ .Values.dsp.name }}-bucket" - AWS_S3_ENDPOINT: https://s3-openshift-storage.{{ .Values.global.hubClusterDomain }} - data: - - secretKey: AWS_ACCESS_KEY_ID - remoteRef: - key: "secret/data/pushsecrets/{{ .Values.dsp.name }}-aws-key" - property: AWS_ACCESS_KEY_ID - - secretKey: AWS_SECRET_ACCESS_KEY - remoteRef: - key: "secret/data/pushsecrets/{{ .Values.dsp.name }}-aws-key" - property: AWS_SECRET_ACCESS_KEY \ No newline at end of file diff --git a/charts/hub/science-project/templates/dsp.yaml b/charts/hub/science-project/templates/dsp.yaml deleted file mode 100644 index 386aa43a..00000000 --- a/charts/hub/science-project/templates/dsp.yaml +++ /dev/null @@ -1,10 +0,0 @@ -kind: Namespace -apiVersion: v1 -metadata: - name: {{ .Values.dsp.name }} - labels: - opendatahub.io/dashboard: 'true' - annotations: - openshift.io/description: 'RHOAI llm demo project' - openshift.io/display-name: {{ .Values.dsp.name }} -spec: {} \ No newline at end of file diff --git a/charts/hub/science-project/templates/notebook.yaml b/charts/hub/science-project/templates/notebook.yaml deleted file mode 100644 index cd488eff..00000000 
--- a/charts/hub/science-project/templates/notebook.yaml +++ /dev/null 
@@ -1,176 +0,0 @@ -apiVersion: kubeflow.org/v1 -kind: Notebook -metadata: - annotations: - notebooks.opendatahub.io/inject-oauth: "true" - notebooks.opendatahub.io/last-image-selection: s2i-generic-data-science-notebook:2024.1 - notebooks.opendatahub.io/last-size-selection: Small - notebooks.opendatahub.io/oauth-logout-url: https://rhods-dashboard-redhat-ods-applications.apps.coco.nbpjz.azure.redhatworkshops.io/projects/science-project?notebookLogout={{ .Values.dsp.name}}-book - opendatahub.io/accelerator-name: "" - opendatahub.io/image-display-name: Standard Data Science - opendatahub.io/username: kube:admin - openshift.io/description: "" - openshift.io/display-name: {{ .Values.dsp.name}}-book - labels: - app: {{ .Values.dsp.name}}-book - opendatahub.io/dashboard: "true" - opendatahub.io/odh-managed: "true" - opendatahub.io/user: kube-3aadmin - name: {{ .Values.dsp.name}}-book - namespace: science-project -spec: - template: - spec: - affinity: {} - containers: - - env: - - name: NOTEBOOK_ARGS - value: |- - --ServerApp.port=8888 - --ServerApp.token='' - --ServerApp.password='' - --ServerApp.base_url=/notebook/science-project/{{ .Values.dsp.name}}-book - --ServerApp.quit_button=False - --ServerApp.tornado_settings={"user":"kube-3aadmin","hub_host":"https://rhods-dashboard-redhat-ods-applications.apps.coco.nbpjz.azure.redhatworkshops.io","hub_prefix":"/projects/science-project"} - - name: JUPYTER_IMAGE - value: image-registry.openshift-image-registry.svc:5000/redhat-ods-applications/tensorflow:2024.1 - - name: PIP_CERT - value: /etc/pki/tls/custom-certs/ca-bundle.crt - - name: REQUESTS_CA_BUNDLE - value: /etc/pki/tls/custom-certs/ca-bundle.crt - - name: SSL_CERT_FILE - value: /etc/pki/tls/custom-certs/ca-bundle.crt - - name: PIPELINES_SSL_SA_CERTS - value: /etc/pki/tls/custom-certs/ca-bundle.crt - - name: GIT_SSL_CAINFO - value: /etc/pki/tls/custom-certs/ca-bundle.crt - envFrom: - - secretRef: - name: aws-connection-noobaa - image: 
image-registry.openshift-image-registry.svc:5000/redhat-ods-applications/tensorflow:2024.1 - imagePullPolicy: Always - livenessProbe: - failureThreshold: 3 - httpGet: - path: /notebook/science-project/{{ .Values.dsp.name}}-book/api - port: notebook-port - scheme: HTTP - initialDelaySeconds: 10 - periodSeconds: 5 - successThreshold: 1 - timeoutSeconds: 1 - name: {{ .Values.dsp.name}}-book - ports: - - containerPort: 8888 - name: notebook-port - protocol: TCP - readinessProbe: - failureThreshold: 3 - httpGet: - path: /notebook/science-project/{{ .Values.dsp.name}}-book/api - port: notebook-port - scheme: HTTP - initialDelaySeconds: 10 - periodSeconds: 5 - successThreshold: 1 - timeoutSeconds: 1 - resources: - limits: - cpu: "2" - memory: 8Gi - requests: - cpu: "1" - memory: 8Gi - volumeMounts: - - mountPath: /opt/app-root/src - name: {{ .Values.dsp.name}}-book - - mountPath: /dev/shm - name: shm - - mountPath: /etc/pki/tls/custom-certs/ca-bundle.crt - name: trusted-ca - readOnly: true - subPath: ca-bundle.crt - workingDir: /opt/app-root/src - - args: - - --provider=openshift - - --https-address=:8443 - - --http-address= - - --openshift-service-account={{ .Values.dsp.name}}-book - - --cookie-secret-file=/etc/oauth/config/cookie_secret - - --cookie-expire=24h0m0s - - --tls-cert=/etc/tls/private/tls.crt - - --tls-key=/etc/tls/private/tls.key - - --upstream=http://localhost:8888 - - --upstream-ca=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt - - --email-domain=* - - --skip-provider-button - - --openshift-sar={"verb":"get","resource":"notebooks","resourceAPIGroup":"kubeflow.org","resourceName":"{{ .Values.dsp.name}}-book","namespace":"$(NAMESPACE)"} - - --logout-url=https://rhods-dashboard-redhat-ods-applications.apps.coco.nbpjz.azure.redhatworkshops.io/projects/science-project?notebookLogout={{ .Values.dsp.name}}-book - env: - - name: NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - image: 
registry.redhat.io/openshift4/ose-oauth-proxy@sha256:4bef31eb993feb6f1096b51b4876c65a6fb1f4401fee97fa4f4542b6b7c9bc46 - imagePullPolicy: Always - livenessProbe: - failureThreshold: 3 - httpGet: - path: /oauth/healthz - port: oauth-proxy - scheme: HTTPS - initialDelaySeconds: 30 - periodSeconds: 5 - successThreshold: 1 - timeoutSeconds: 1 - name: oauth-proxy - ports: - - containerPort: 8443 - name: oauth-proxy - protocol: TCP - readinessProbe: - failureThreshold: 3 - httpGet: - path: /oauth/healthz - port: oauth-proxy - scheme: HTTPS - initialDelaySeconds: 5 - periodSeconds: 5 - successThreshold: 1 - timeoutSeconds: 1 - resources: - limits: - cpu: 100m - memory: 64Mi - requests: - cpu: 100m - memory: 64Mi - volumeMounts: - - mountPath: /etc/oauth/config - name: oauth-config - - mountPath: /etc/tls/private - name: tls-certificates - enableServiceLinks: false - serviceAccountName: {{ .Values.dsp.name}}-book - volumes: - - name: {{ .Values.dsp.name}}-book - persistentVolumeClaim: - claimName: {{ .Values.dsp.name}}-book - - emptyDir: - medium: Memory - name: shm - - configMap: - items: - - key: ca-bundle.crt - path: ca-bundle.crt - name: workbench-trusted-ca-bundle - optional: true - name: trusted-ca - - name: oauth-config - secret: - defaultMode: 420 - secretName: {{ .Values.dsp.name}}-book-oauth-config - - name: tls-certificates - secret: - defaultMode: 420 - secretName: {{ .Values.dsp.name}}-book-tls diff --git a/charts/hub/science-project/templates/obc.yaml b/charts/hub/science-project/templates/obc.yaml deleted file mode 100644 index d6d93220..00000000 --- a/charts/hub/science-project/templates/obc.yaml +++ /dev/null 
@@ -1,16 +0,0 @@ -{{ if .Values.clusterGroup.isHubCluster }} -apiVersion: objectbucket.io/v1alpha1 -kind: ObjectBucketClaim -metadata: - finalizers: - - objectbucket.io/finalizer - name: {{ .Values.dsp.name }}-obc-2 - namespace: {{ .Values.dsp.name }} -spec: - #generateBucketName: {{ .Values.dsp.name }} - bucketName: {{ .Values.dsp.name }}-bucket - storageClassName: openshift-storage.noobaa.io - additionalConfig: - bucketclass: default-bucket -{{ end }} - diff --git a/charts/hub/science-project/templates/push-secret.yaml b/charts/hub/science-project/templates/push-secret.yaml deleted file mode 100644 index 19086192..00000000 --- a/charts/hub/science-project/templates/push-secret.yaml +++ /dev/null @@ -1,28 +0,0 @@ -{{ if .Values.dsp.pushSecret }} -apiVersion: external-secrets.io/v1alpha1 -kind: PushSecret -metadata: - name: pushsecret # Customisable - namespace: {{ .Values.dsp.name }} # Same of the SecretStores -spec: - updatePolicy: Replace # Policy to overwrite existing secrets in the provider on sync - deletionPolicy: Delete # the provider' secret will be deleted if the PushSecret is deleted - refreshInterval: 10s # Refresh interval for which push secret will reconcile - secretStoreRefs: # A list of secret stores to push secrets to - - name: {{ .Values.secretStore.name }} - kind: {{ .Values.secretStore.kind }} - selector: - secret: - name: "{{ .Values.dsp.name }}-obc-2" # Source Kubernetes secret to be pushed - data: - - match: - secretKey: AWS_SECRET_ACCESS_KEY # Source Kubernetes secret key to be pushed - remoteRef: - remoteKey: "pushsecrets/{{ .Values.dsp.name }}-aws-key" - property: AWS_SECRET_ACCESS_KEY # Remote reference (where the secret is going to be pushed - - match: - secretKey: AWS_ACCESS_KEY_ID # Source Kubernetes secret key to be pushed - remoteRef: - remoteKey: "pushsecrets/{{ .Values.dsp.name }}-aws-key" - property: AWS_ACCESS_KEY_ID # Remote reference (where the secret is going to be pushed -{{ end }} \ No newline at end of file 
diff --git a/charts/hub/science-project/templates/pvc.yaml b/charts/hub/science-project/templates/pvc.yaml deleted file mode 100644 index f8ecbdca..00000000 --- a/charts/hub/science-project/templates/pvc.yaml +++ /dev/null @@ -1,18 +0,0 @@ ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - annotations: - openshift.io/description: "" - openshift.io/display-name: 'foo' - labels: - opendatahub.io/dashboard: "true" - name: {{ .Values.dsp.name}}-book - namespace: science-project -spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 20Gi - volumeMode: Filesystem \ No newline at end of file diff --git a/charts/hub/science-project/values.yaml b/charts/hub/science-project/values.yaml deleted file mode 100644 index b8e0d9c9..00000000 --- a/charts/hub/science-project/values.yaml +++ /dev/null @@ -1,17 +0,0 @@ - -secretStore: - name: vault-backend - kind: ClusterSecretStore - -# Secret provisioned for the AWS Controller for Kubernetes - S3 -# Begin global parameters - - -dsp: - name: science-project - description: "My science project" - notebookStorage: '20Gi' - pushSecret: true - -# https://github.com/openshift-ai-examples/openshift-ai-examples/blob/main/openshift-ai-deploy-llm/manifests/3-notebook-template.yaml - diff --git a/charts/hub/trustee/templates/kbs-subs.yaml b/charts/hub/trustee/templates/kbs-subs.yaml deleted file mode 100644 index c4996ce9..00000000 --- a/charts/hub/trustee/templates/kbs-subs.yaml +++ /dev/null 
@@ -1,26 +0,0 @@ -# not working right now. -# apiVersion: operators.coreos.com/v1alpha1 -# kind: Subscription -# metadata: -# name: kbs-operator -# namespace: kbs-operator-system -# spec: -# channel: alpha -# installPlanApproval: Automatic -# name: trustee-operator -# source: kbs-operator-catalog -# sourceNamespace: openshift-marketplace -# startingCSV: trustee-operator.v0.1.0 ---- -# apiVersion: operators.coreos.com/v1alpha1 -# kind: Subscription -# metadata: -# name: trustee-operator -# namespace: trustee-operator-system -# spec: -# channel: stable -# installPlanApproval: Automatic -# name: trustee-operator -# source: trustee-operator-catalog -# sourceNamespace: trustee-operator-system -# startingCSV: trustee-operator.v0.1.0 \ No newline at end of file diff --git a/clean-azure-install.sh b/clean-azure-install.sh deleted file mode 100644 index f00171a7..00000000 --- a/clean-azure-install.sh +++ /dev/null @@ -1,8 +0,0 @@ -# Full cleanup -rm -rf ~/.azure - -rm -rf .openshift* -rm -rf openshift-install/ - - -mv install-config.yaml install-config.yaml.old \ No newline at end of file diff --git a/commitlint.config.js b/commitlint.config.js index 3347cb96..4fedde6d 100644 --- a/commitlint.config.js +++ b/commitlint.config.js @@ -1 +1 @@ -module.exports = {extends: ['@commitlint/config-conventional']}; +module.exports = { extends: ['@commitlint/config-conventional'] } diff --git a/common/Makefile b/common/Makefile index 18c4d0c2..2db61185 100644 --- a/common/Makefile +++ b/common/Makefile 
@@ -4,6 +4,14 @@ ifneq ($(origin TARGET_SITE), undefined) TARGET_SITE_OPT=--set main.clusterGroupName=$(TARGET_SITE) endif +# Set this to true if you want to skip any origin validation +DISABLE_VALIDATE_ORIGIN ?= false +ifeq ($(DISABLE_VALIDATE_ORIGIN),true) + VALIDATE_ORIGIN := +else + VALIDATE_ORIGIN := validate-origin +endif + # This variable can be set in order to pass additional helm arguments from the # the command line. I.e. we can set things without having to tweak values files EXTRA_HELM_OPTS ?= @@ -17,15 +25,16 @@ EXTRA_PLAYBOOK_OPTS ?= # INDEX_IMAGES=registry-proxy.engineering.redhat.com/rh-osbs/iib:394248,registry-proxy.engineering.redhat.com/rh-osbs/iib:394249 INDEX_IMAGES ?= -# This is to ensure that whether we start with a git@ or https:// URL, we end up with an https:// URL -# This is because we expect to use tokens for repo authentication as opposed to SSH keys -TARGET_REPO=$(shell git ls-remote --get-url --symref $(TARGET_ORIGIN) | sed -e 's/.*URL:[[:space:]]*//' -e 's%^git@%%' -e 's%^https://%%' -e 's%:%/%' -e 's%^%https://%') # git branch --show-current is also available as of git 2.22, but we will use this for compatibility TARGET_BRANCH ?= $(shell git rev-parse --abbrev-ref HEAD) #default to the branch remote TARGET_ORIGIN ?= $(shell git config branch.$(TARGET_BRANCH).remote) +# This is to ensure that whether we start with a git@ or https:// URL, we end up with an https:// URL +# This is because we expect to use tokens for repo authentication as opposed to SSH keys +TARGET_REPO=$(shell git ls-remote --get-url --symref $(TARGET_ORIGIN) | sed -e 's/.*URL:[[:space:]]*//' -e 's%^git@%%' -e 's%^https://%%' -e 's%:%/%' -e 's%^%https://%') + UUID_FILE ?= ~/.config/validated-patterns/pattern-uuid UUID_HELM_OPTS ?= 
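Review bot: When `DISABLE_VALIDATE_ORIGIN=true` the `validate-origin` prerequisite is simply dropped from `operator-deploy`, and nothing in the build output records that the check was skipped, so a deploy from a repo other than the one git points at leaves no trace. Since the companion change in `pattern-util.sh` forwards the variable into the utility container, any caller's environment can trigger the bypass, which makes an explicit signal more valuable. A one-line `$(warning DISABLE_VALIDATE_ORIGIN=true: skipping validate-origin; TARGET_REPO is not checked against the git remote)` inside the `ifeq` branch would make it auditable. The comment above the variable could also say what validation is being skipped and why that matters, as the `validate-origin` target itself is outside this hunk.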
@@ -73,7 +82,7 @@ preview-%: @common/scripts/preview.sh $(CLUSTERGROUP) $* $(TARGET_REPO) $(TARGET_BRANCH) .PHONY: operator-deploy -operator-deploy operator-upgrade: validate-prereq validate-origin validate-cluster ## runs helm install +operator-deploy operator-upgrade: validate-prereq $(VALIDATE_ORIGIN) validate-cluster ## runs helm install @common/scripts/deploy-pattern.sh $(NAME) $(PATTERN_INSTALL_CHART) $(HELM_OPTS) .PHONY: uninstall diff --git a/common/scripts/argocd-login.sh b/common/scripts/argocd-login.sh new file mode 100755 index 00000000..99512c57 --- /dev/null +++ b/common/scripts/argocd-login.sh @@ -0,0 +1,34 @@ +#!/usr/bin/env bash + +## Login to validated patterns argocd instances + +# Detect Argo CD namespaces +ARGOCD_NAMESPACES=$(oc get argoCD -A -o jsonpath='{.items[*].metadata.namespace}') +if [ -z "$ARGOCD_NAMESPACES" ]; then + echo "Error: No Argo CD instances found in the cluster." + exit 1 +fi + +# Split the namespaces into an array +NAMESPACES=($ARGOCD_NAMESPACES) + +# Check if there are at least two Argo CD instances +if [ ${#NAMESPACES[@]} -lt 2 ]; then + echo "Error: Less than two Argo CD instances found. Found instances in namespaces: $ARGOCD_NAMESPACES" + exit 1 +fi + + +for NAMESPACE in ${NAMESPACES[@]}; do + # get the instance name + ARGOCD_INSTANCE=$(oc get argocd -n "$NAMESPACE" -o jsonpath='{.items[0].metadata.name}') # assume only one per NS + SERVER_URL=$(oc get route "$ARGOCD_INSTANCE"-server -n "$NAMESPACE" -o jsonpath='{.status.ingress[0].host}') + PASSWORD=$(oc get secret "$ARGOCD_INSTANCE"-cluster -n "$NAMESPACE" -o jsonpath='{.data.admin\.password}' | base64 -d) + echo $PASSWORD + argocd login --skip-test-tls --insecure --grpc-web "$SERVER_URL" --username "admin" --password "$PASSWORD" + if [ "$?" -ne 0 ]; then + echo "Login to Argo CD ${SERVER_URL} failed. Exiting." + exit 1 + fi + +done diff --git a/common/scripts/pattern-util.sh b/common/scripts/pattern-util.sh index 8258d469..ff6b2bbb 100755 
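Review bot: `echo $PASSWORD` in the new `argocd-login.sh` prints the Argo CD admin password to stdout, so it lands in terminal scrollback, CI job logs and anything that captures the script's output; that line should go. The login also passes `--insecure --skip-test-tls`, disabling certificate checks on a route host read from the cluster, which is tolerable for a lab bootstrap but should be stated in a comment because a man-in-the-middle on that route would receive the admin credential. `${NAMESPACES[@]}` is unquoted and the `$?` test can be folded into the `if`; the loop body below does both and also sends the failure message to stderr.

```shell
for NAMESPACE in "${NAMESPACES[@]}"; do
  # … unchanged: ARGOCD_INSTANCE and SERVER_URL lookup …
  PASSWORD=$(oc get secret "$ARGOCD_INSTANCE"-cluster -n "$NAMESPACE" -o jsonpath='{.data.admin\.password}' | base64 -d)
  # Never print the admin password: it would end up in shell history and CI logs.
  # --insecure/--skip-test-tls disable TLS verification of the route; acceptable for a
  # throwaway lab cluster only.
  if ! argocd login --skip-test-tls --insecure --grpc-web "$SERVER_URL" --username admin --password "$PASSWORD"; then
    echo "Login to Argo CD ${SERVER_URL} failed. Exiting." >&2
    exit 1
  fi
done
```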
--- a/common/scripts/pattern-util.sh +++ b/common/scripts/pattern-util.sh @@ -96,6 +96,7 @@ podman run -it --rm --pull=newer \ -e KUBECONFIG \ -e PATTERN_INSTALL_CHART \ -e PATTERN_DISCONNECTED_HOME \ + -e DISABLE_VALIDATE_ORIGIN \ -e K8S_AUTH_HOST \ -e K8S_AUTH_VERIFY_SSL \ -e K8S_AUTH_SSL_CA_CERT \ diff --git a/get-pull-secrets.sh b/get-pull-secrets.sh deleted file mode 100644 index e3b7d5ca..00000000 --- a/get-pull-secrets.sh +++ /dev/null @@ -1 +0,0 @@ -oc get -n openshift-config secret/pull-secret -o json | jq -r '.data.".dockerconfigjson"' | base64 -d | jq "." > pull-secret-pretty.json diff --git a/requirements.yml b/requirements.yml index 10bd4f92..858032f2 100644 --- a/requirements.yml +++ b/requirements.yml @@ -1,2 +1,5 @@ collections: -- azure.azcollection + - azure.azcollection + # Modules installed by default in the utility container, required for linting + - community.general + - kubernetes.core diff --git a/rhdp/README.md b/rhdp/README.md index dcb27195..b4336646 100644 --- a/rhdp/README.md +++ b/rhdp/README.md @@ -9,8 +9,5 @@ The scripts in this directory help users of that platform automate deployments. 2. Download the credentials 3. Load the credentials into your environment (e.g. using `direnv`) 4. Launch the wrapper script from the repository root directory: - 1. `bash ./rhdp/wrapper.sh eastasia` - 2. The wrapper script **requires** an azure region code this code SHOULD be the same as what was selected in RHDP - - - + 1. `bash ./rhdp/wrapper.sh eastasia` + 2. The wrapper script **requires** an azure region code this code SHOULD be the same as what was selected in RHDP. diff --git a/rhdp/rhdp-cluster-define.py b/rhdp/rhdp-cluster-define.py index e9dc4a94..6b7c3fb2 100644 --- a/rhdp/rhdp-cluster-define.py +++ b/rhdp/rhdp-cluster-define.py 
@@ -49,7 +49,7 @@ def setup_install( pull_secret = pull_secret_path.expanduser().read_text() rhdp_dir = pattern_dir / "rhdp" jinja_env = Environment( - loader=FileSystemLoader(searchpath= rhdp_dir), autoescape=select_autoescape() + loader=FileSystemLoader(searchpath=rhdp_dir), autoescape=select_autoescape() ) config_template = jinja_env.get_template("install-config.yaml.j2") output_text = config_template.render( @@ -86,7 +86,8 @@ def print(): def run(region: Annotated[str, typer.Argument(help="Azure region code")]): """ - Region flag requires an azure region key which can be (authoritatively) requested with: "az account list-locations -o table". + Region flag requires an azure region key which can be (authoritatively) + requested with: "az account list-locations -o table". """ validate_dir() cleanup(pathlib.Path.cwd()) diff --git a/rhdp/wrapper.sh b/rhdp/wrapper.sh old mode 100644 new mode 100755 index 0df76df7..4304157b --- a/rhdp/wrapper.sh +++ b/rhdp/wrapper.sh @@ -66,7 +66,7 @@ fi echo "---------------------" echo "defining cluster" echo "---------------------" -python3 rhdp/rhdp-cluster-define.py ${AZUREREGION} +python rhdp/rhdp-cluster-define.py ${AZUREREGION} echo "---------------------" echo "cluster defined" echo "---------------------" diff --git a/scripts/gen-secrets.sh b/scripts/gen-secrets.sh old mode 100644 new mode 100755 index df16e194..25c4713a --- a/scripts/gen-secrets.sh +++ b/scripts/gen-secrets.sh @@ -1,4 +1,4 @@ -#!/bin/bash +#!/usr/bin/env bash echo "Creating secrets as required" echo diff --git a/values-ai.yaml b/values-ai.yaml deleted file mode 100644 index afbc5397..00000000 --- a/values-ai.yaml +++ /dev/null 
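Review bot: Switching `python3` to `python` in `wrapper.sh` ties the script to an interpreter name that many distributions leave undefined or pointed at Python 2, while `rhdp-cluster-define.py` uses `typing.Annotated` and typer in this same diff, so it needs a modern 3.x. If the rename is for an environment where only `python` exists, resolve the interpreter instead of hard-coding it: `PYTHON=$(command -v python3 || command -v python)` followed by `"$PYTHON" rhdp/rhdp-cluster-define.py "${AZUREREGION}"`. Quoting `${AZUREREGION}` also keeps an empty or space-containing region from silently dropping the argument; the earlier validation of that variable is outside this hunk.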
@@ -1,279 +0,0 @@ -# This is currently configured as an 'all in one' deployment in one cluster. -# This is to demo openshift ai functionality with confidential containers. - -clusterGroup: - name: ai - isHubCluster: true - namespaces: - - open-cluster-management - - vault - - golang-external-secrets - - openshift-sandboxed-containers-operator - - trustee-operator-system - - hello-openshift - - cert-manager-operator - - cert-manager - - letsencrypt - - # AI stuff - - redhat-ods-operator - - openshift-pipelines - - openshift-storage - - openshift-nfd - - nvidia-gpu-operator - - openshift-serverless - - knative-serving - - subscriptions: - # ACM is kept anticipating - acm: - name: advanced-cluster-management - namespace: open-cluster-management - channel: release-2.11 - - sandbox: - name: sandboxed-containers-operator - namespace: openshift-sandboxed-containers-operator - channel: stable - version: "1.7.0" # ask for latest - - trustee: - name: trustee-operator - namespace: trustee-operator-system - source: redhat-operators - channel: stable - rhoai: - name: rhods-operator - # Fast is required for 2.9.0 - channel: fast - version: "2.13.0" # ensure we get the latest - namespace: openshift-operators - - openshift-pipelines: - name: openshift-pipelines-operator-rh - namespace: openshift-operators - - odf: - name: odf-operator - namespace: openshift-storage - - serverless: - channel: stable - name: serverless-operator - - servicemesh: - channel: stable - namespace: openshift-operators - name: servicemeshoperator - - cert-manager: - name: openshift-cert-manager-operator - namespace: cert-manager-operator - channel: stable-v1 - - projects: - - hub - - vault - - trustee - - auth - - golang-external-secrets - - sandbox - - openshift-storage - - science-project - - hello-openshift - # Explicitly mention the cluster-state based overrides we plan to use for this pattern. 
- # We can use self-referential variables because the chart calls the tpl function with these variables defined - sharedValueFiles: - - '/overrides/values-{{ $.Values.global.clusterPlatform }}.yaml' - applications: - acm: - name: acm - namespace: open-cluster-management - project: hub - chart: acm - chartVersion: 0.1.* - ignoreDifferences: - - group: internal.open-cluster-management.io - kind: ManagedClusterInfo - jsonPointers: - - /spec/loggingCA - - vault: - name: vault - namespace: vault - project: vault - chart: hashicorp-vault - chartVersion: 0.1.* - - secrets-operator: - name: golang-external-secrets - namespace: golang-external-secrets - project: golang-external-secrets - chart: golang-external-secrets - chartVersion: 0.1.* - - trustee: - name: trustee - namespace: kbs-operator-system #upstream config - project: trustee - path: charts/hub/trustee - - sandbox: - name: sandbox - namespace: openshift-sandboxed-containers-operator #upstream config - project: sandbox - path: charts/all/sandbox - ignoreDifferences: - - group: "" - name: peer-pods-cm - kind: ConfigMap - jsonPointers: - - /data/AZURE_IMAGE_ID # Required so the vm image doesn't get nuked. 
- - letsencrypt: - name: letsencrypt - namespace: letsencrypt - project: default - path: charts/all/letsencrypt - - hello-openshift: - name: hello-openshift - namespace: hello-openshift - project: hello-openshift - path: charts/coco-supported/hello-openshift - ## AI STUFF Beneath here - - htpassword: - name: htpassword - namespace: openshift-config - project: auth - path: charts/all/htpassword - - mcg: - name: mcg - namespace: openshift-storage - project: openshift-storage - path: charts/hub/mcg - - rhoai: - name: rhoai - namespace: redhat-ods-operator - project: hub - path: charts/all/rhoai - - science-project: - name: science-project - namespace: default # creates a project - project: science-project - path: charts/hub/science-project - # chartVersion: 0.1.* - # sources: - # sources: - # - ref: patternref - # repoURL: https://github.com/foo/multicloud-gitops - # targetRevision: test2 - # - chart: acm - # repoURL: https://charts.validatedpatterns.io/ # default - # targetRevision: 0.1.* - - - imperative: - # NOTE: We *must* use lists and not hashes. As hashes lose ordering once parsed by helm - # The default schedule is every 10 minutes: imperative.schedule - # Total timeout of all jobs is 1h: imperative.activeDeadlineSeconds - # imagePullPolicy is set to always: imperative.imagePullPolicy - # For additional overrides that apply to the jobs, please refer to - # https://hybrid-cloud-patterns.io/imperative-actions/#additional-job-customizations - jobs: - - name: hello-world - # ansible playbook to be run - playbook: common/ansible/playbooks/hello-world/hello-world.yaml - # per playbook timeout in seconds - timeout: 234 - # verbosity: "-v" - managedClusterGroups: - exampleRegion: - name: group-one - acmlabels: - - name: clusterGroup - value: group-one - helmOverrides: - - name: clusterGroup.isHubCluster - value: false - # Before enabling cluster provisioning, ensure AWS and/or Azure - # credentials and OCP pull secrets are defined in Vault. 
- # See values-secret.yaml.template - # - #clusterPools: - # exampleAWSPool: - # name: aws-ap - # openshiftVersion: 4.10.18 - # baseDomain: blueprints.rhecoeng.com - # platform: - # aws: - # region: ap-southeast-2 - # clusters: - # - One - # - # exampleAzurePool: - # name: azure-us - # openshiftVersion: 4.10.18 - # baseDomain: blueprints.rhecoeng.com - # platform: - # azure: - # baseDomainResourceGroupName: dojo-dns-zones - # region: eastus - # clusters: - # - Two - # - Three - # To have apps in multiple flavors, use namespaces and use helm overrides as appropriate - # - # pipelines: - # name: pipelines - # namespace: production - # project: datacenter - # path: applications/pipeline - # repoURL: https://github.com/you/applications.git - # targetRevision: stable - # overrides: - # - name: myparam - # value: myparam - # - # pipelines_staging: - # - name: pipelines - # namespace: staging - # project: datacenter - # path: applications/pipeline - # repoURL: https://github.com/you/applications.git - # targetRevision: main - # - # Additional applications - # Be sure to include additional resources your apps will require - # +X machines - # +Y RAM - # +Z CPU - # vendor-app: - # name: vendor-app - # namespace: default - # project: vendor - # path: path/to/myapp - # repoURL: https://github.com/vendor/applications.git - # targetRevision: main - - # managedSites: - # factory: - # name: factory - # # repoURL: https://github.com/dagger-refuse-cool/manuela-factory.git - # targetRevision: main - # path: applications/factory - # helmOverrides: - # - name: site.isHubCluster - # value: false - # clusterSelector: - # matchExpressions: - # - key: vendor - # operator: In - # values: - # - OpenShift - - diff --git a/values-global.yaml b/values-global.yaml index 4dcecd0c..91306c45 100644 --- a/values-global.yaml +++ b/values-global.yaml 
@@ -10,18 +10,6 @@ global: azure: enabled: true defaultVMFlavour: "Standard_DC2as_v5" - - # this is required for object storage using OCP AI - objectStorage: - # Whether or not to use PVC storage - pvcStorage: true - replicas: 3 - storagePool: 50Gi - backingStorageClass: "" - # IF ODF exists we don't need to deploy an storage system - existingODF: false - odfStorageSystem: "ocs-external-storagecluster-storagesystem" - main: # WARNING # This default configuration uses a single cluster on azure. diff --git a/values-secret.yaml.template b/values-secret.yaml.template index 6679c7cd..dab43629 100644 --- a/values-secret.yaml.template +++ b/values-secret.yaml.template @@ -22,7 +22,6 @@ secrets: - name: osc path: ~/.coco-pattern/security-policy-config.json - - name: kbsPublicKey vaultPrefixes: - hub @@ -44,12 +43,15 @@ secrets: - name: key1 value: '' onMissingValue: generate + vaultPolicy: validatedPatternDefaultPolicy - name: key2 value: '' onMissingValue: generate + vaultPolicy: validatedPatternDefaultPolicy - name: key3 value: '' onMissingValue: generate + vaultPolicy: validatedPatternDefaultPolicy - name: passphrase vaultPrefixes: @@ -57,4 +59,5 @@ secrets: fields: - name: passphrase value: '' - onMissingValue: generate \ No newline at end of file + onMissingValue: generate + vaultPolicy: validatedPatternDefaultPolicy diff --git a/values-simple.yaml b/values-simple.yaml index f25bc61f..ad2a1b41 100644 --- a/values-simple.yaml +++ b/values-simple.yaml @@ -15,8 +15,6 @@ clusterGroup: - letsencrypt - kbs-access - encrypted-storage - - experiment - subscriptions: # ACM is kept anticipating acm:
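Review bot: `vaultPolicy: validatedPatternDefaultPolicy` is now attached to every generated field (`key1`, `key2`, `key3`, `passphrase`) but nothing in this diff defines or seeds that policy, so generation depends on the Vault chart having created it first; a comment naming where the policy comes from would save the next person a failed `load-secrets`. The generated `passphrase` presumably guards something more sensitive than the numbered keys, so it is worth checking whether the default policy's length and character set are adequate for it rather than reusing the generic one. If a stronger policy is wanted, it is a one-line change per field, e.g. `vaultPolicy: validatedPatternStrongPolicy`, provided that policy is provisioned alongside the default.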