diff --git a/README.md b/README.md
index f9b62767..67a67879 100644
--- a/README.md
+++ b/README.md
@@ -29,9 +29,27 @@ Future work includes:
 ## Major versions
+### `3.*`
+
+Version `3.*` of the pattern is currently constrained to support the general availability releases of coco.
+
+- (OpenShift Sandboxed Containers Operator) `1.10.*` and above
+- Trustee `0.4.*`
+
+This limits support to OpenShift 4.16 and higher.
+
+The pattern has been tested on Azure for two installation methods:
+
+1. Installing onto an ARO cluster
+2. Self managed OpenShift install using the `openshift-install` CLI.
+
+#### Known limitations
+
+[Additional configuration](https://issues.redhat.com/browse/KATA-4107) is required to pull secrets from authenticated registries.
+
 ### `2.*`
-This is currently the `main` branch for the repository. Version 2.* of the pattern is currently constrained to support:
+Version `2.*` of the pattern is currently constrained to support:
 - (OpenShift Sandboxed Containers Operator) `1.9.*`
 - Trustee `0.3.*`
diff --git a/ansible/init-data-gzipper.yaml b/ansible/init-data-gzipper.yaml
new file mode 100644
index 00000000..c0ac9584
--- /dev/null
+++ b/ansible/init-data-gzipper.yaml
@@ -0,0 +1,51 @@
+- name: Collect AWS facts and set secrurity group policies
+ become: false
+ connection: local
+ hosts: localhost
+ gather_facts: false
+ vars:
+ kubeconfig: "{{ lookup('env', 'KUBECONFIG') }}"
+ cluster_platform: "{{ global.clusterPlatform | default('none') | lower }}"
+ hub_domain: "{{ global.hubClusterDomain | default('none') | lower}}"
+ template_src: "initdata-default.toml.tpl"
+ tasks:
+ - name: Create temporary working directory
+ ansible.builtin.tempfile:
+ state: directory
+ suffix: initdata
+ register: tmpdir
+
+ - name: Define temp file paths
+ ansible.builtin.set_fact:
+ rendered_path: "{{ tmpdir.path }}/rendered.toml"
+ gz_path: "{{ tmpdir.path }}/rendered.toml.gz"
+
+ - name: Render template to temp file
+ ansible.builtin.template:
+ src: "{{ template_src }}"
+ dest: "{{ rendered_path }}"
+ mode: "0600"
+
+
+ - name: Gzip the rendered content
+ ansible.builtin.shell: |
+ gzip -c "{{ rendered_path }}" > "{{ gz_path }}"
+ changed_when: true
+
+ - name: Read gzip as base64
+ ansible.builtin.slurp:
+ path: "{{ gz_path }}"
+ register: gz_slurped
+
+ - name: Create/update ConfigMap with gzipped+base64 content
+ kubernetes.core.k8s:
+ kubeconfig: "{{ kubeconfig | default(omit) }}"
+ state: present
+ definition:
+ apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: "initdata"
+ namespace: "imperative"
+ data:
+ INITDATA: "{{ gz_slurped.content }}"
diff --git a/charts/coco-supported/sandbox/initdata.toml.tpl b/ansible/initdata-default.toml.tpl
similarity index 50%
rename from charts/coco-supported/sandbox/initdata.toml.tpl
rename to ansible/initdata-default.toml.tpl
index 56796c13..271e3483 100644
--- a/charts/coco-supported/sandbox/initdata.toml.tpl
+++ b/ansible/initdata-default.toml.tpl
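Review bot: `hub_domain` in the `vars:` block defaults to `'none'` and nothing stops the play when that default is hit, so a hub without `global.hubClusterDomain` still renders and publishes an initdata whose KBS and attestation-service URLs point at `kbs-trustee-operator-system.none` (the three `url =` lines in the `initdata-default.toml.tpl` hunks below inherit this); an `ansible.builtin.assert` before the template step should reject it. The temporary directory from `ansible.builtin.tempfile` is never removed, so the rendered TOML and its gzip remain on the controller after every run; a closing `ansible.builtin.file` task with `state: absent` (or a `block`/`always` around the render steps so it also runs on failure) cleans it up. `cluster_platform` is set but not referenced anywhere in this play; if the template does not use it either, drop it. The play name `Collect AWS facts and set secrurity group policies` describes a different play; suggest `Render initdata and publish it as the imperative/initdata ConfigMap`.
```yaml
  tasks:
    - name: Refuse to render initdata without a hub cluster domain
      ansible.builtin.assert:
        that:
          - hub_domain != 'none'
        fail_msg: "global.hubClusterDomain must be set; the KBS URLs in {{ template_src }} are derived from it"

    # … unchanged: tempfile, set_fact, template, gzip, slurp and k8s tasks …

    - name: Remove temporary working directory
      ansible.builtin.file:
        path: "{{ tmpdir.path }}"
        state: absent
```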
@@ -5,10 +5,10 @@ version = "0.1.0"
 "aa.toml" = '''
 [token_configs]
 [token_configs.coco_as]
-url = "https://kbs-trustee-operator-system.{{ .Values.global.hubClusterDomain }}"
+url = "https://kbs-trustee-operator-system.{{ hub_domain }}"
 [token_configs.kbs]
-url = "https://kbs-trustee-operator-system.{{ .Values.global.hubClusterDomain }}"
+url = "https://kbs-trustee-operator-system.{{ hub_domain }}"
 '''
 "cdh.toml" = '''
@@ -17,5 +17,5 @@ credentials = []
 [kbc]
 name = "cc_kbc"
-url = "https://kbs-trustee-operator-system.{{ .Values.global.hubClusterDomain }}"
+url = "https://kbs-trustee-operator-system.{{ hub_domain }}"
 '''
diff --git a/ansible/install-deps.yaml b/ansible/install-deps.yaml
index 4c3b15ba..8a927b90 100644
--- a/ansible/install-deps.yaml
+++ b/ansible/install-deps.yaml
@@ -8,6 +8,10 @@
 community.general.ansible_galaxy_install:
 type: collection
 name: azure.azcollection
+ - name: Ensure community.crypto collection is installed
+ community.general.ansible_galaxy_install:
+ type: collection
+ name: community.crypto
 - name: Install a Python package
 ansible.builtin.pip:
 requirements: "~/.ansible/collections/ansible_collections/azure/azcollection/requirements.txt"
diff --git a/charts/coco-supported/kbs-access/templates/secure-pod.yaml b/charts/coco-supported/kbs-access/templates/secure-pod.yaml
index f8f32fd7..663408bd 100644
--- a/charts/coco-supported/kbs-access/templates/secure-pod.yaml
+++ b/charts/coco-supported/kbs-access/templates/secure-pod.yaml
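Review bot: The host `https://kbs-trustee-operator-system.{{ hub_domain }}` is now spelled out three times, in this hunk and in the `@@ -17,5 +17,5 @@` hunk, so a change to the KBS route prefix or scheme has to be repeated in three places; set it once near the top of the template, e.g. `{% set kbs_url = 'https://kbs-trustee-operator-system.' ~ hub_domain %}`, and use `{{ kbs_url }}` on each `url =` line. The head of the template (lines 1–4, where such a `set` would go) is outside the hunk, as is anything else the file may define. Since the rename moves the file out of the Helm chart into `ansible/`, the `initdata.toml.tpl` name that the old `.Files.Get` call in `peer-pods-cm.yaml` loaded no longer exists in the chart; worth confirming nothing else in the chart still references it.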
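Review bot: The new `community.crypto` install has no version constraint, so each run of this dependency play pulls whatever the newest Galaxy release is; pinning it (a `version:` entry in a requirements file passed via `requirements_file:`, or `name: community.crypto:<version>` if the module accepts the `ansible-galaxy` form) keeps the dependency set reproducible. The existing `azure.azcollection` task has the same gap, so this is a pre-existing pattern rather than a new regression. Nothing else in this diff references `community.crypto`, so a one-line comment naming the playbook that needs it would help the next reader, e.g. `# required by <playbook that uses it>`.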
@@ -21,17 +21,11 @@ spec:
 name: kbsref
 initContainers:
 - name: curl
- image: registry.redhat.io/ubi9/ubi:latest # Lightweight image with curl installed
+ image: registry.access.redhat.com/ubi9/ubi:latest # Lightweight image with curl installed
 command: ['sh', '-c', 'curl -s http://127.0.0.1:8006/cdh/resource/default/kbsres1/key3 > /output/kbsres1.txt']
 volumeMounts:
 - name: output-volume
 mountPath: /output
- # - name: hi
- # image: registry.redhat.io/ubi9/ubi:latest # Lightweight image with curl installed
- # command: ['sh', '-c', 'echo "hi" > /output/kbsres1.txt']
- # volumeMounts:
- # - name: output-volume
- # mountPath: /output
 volumes:
 - name: output-volume
 emptyDir: {}
diff --git a/charts/coco-supported/sandbox/templates/peer-pods-cm.yaml b/charts/coco-supported/sandbox/templates/peer-pods-cm.yaml
index 38910397..0fde7a10 100644
--- a/charts/coco-supported/sandbox/templates/peer-pods-cm.yaml
+++ b/charts/coco-supported/sandbox/templates/peer-pods-cm.yaml
@@ -37,7 +37,8 @@ spec:
 AZURE_NSG_ID: '/subscriptions/{{ `{{ (fromJson (fromConfigMap "openshift-cloud-controller-manager" "cloud-conf" "cloud.conf" | toLiteral)).subscriptionId }}` }}/resourceGroups/{{ `{{ (fromJson (fromConfigMap "openshift-cloud-controller-manager" "cloud-conf" "cloud.conf" | toLiteral)).resourceGroup }}` }}/providers/Microsoft.Network/networkSecurityGroups/{{ `{{ (fromJson (fromConfigMap "openshift-cloud-controller-manager" "cloud-conf" "cloud.conf" | toLiteral)).securityGroupName }}` }}'
 DISABLECVM: "false"
 PROXY_TIMEOUT: "5m"
- INITDATA: '{{ tpl ( .Files.Get "initdata.toml.tpl") . | b64enc }}'
+ INITDATA: '{{ `{{if (lookup "v1" "ConfigMap" "imperative" "initdata").metadata.name }}{{ fromConfigMap "imperative" "initdata" "INITDATA" }}{{ else }}{{ end }}` }}'
+
 ---
 apiVersion: policy.open-cluster-management.io/v1
 kind: PlacementBinding
diff --git a/charts/coco-supported/sandbox/values.yaml b/charts/coco-supported/sandbox/values.yaml
index 4d41d6d9..ad2f7c1d 100644
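Review bot: The replacement image is still the mutable `registry.access.redhat.com/ubi9/ubi:latest` tag, so the init container that fetches the KBS resource can change underneath the pattern without any change to this chart; pin a versioned tag or a digest (`@sha256:<digest>`, value to be filled in). The adjacent `command:` line also writes whatever the CDH endpoint returns into `/output/kbsres1.txt` and exits 0, because `curl -s` without `--fail` treats an HTTP error body as success, so the main container may proceed with an error page in place of the resource; `curl -sSf http://127.0.0.1:8006/cdh/resource/default/kbsres1/key3 > /output/kbsres1.txt` fails the init container instead. The move from `registry.redhat.io` to the public `registry.access.redhat.com` presumably avoids the pull-secret limitation the README in this diff describes; a short comment saying so would explain why this image differs from the rest of the pattern.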
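Review bot: The new `INITDATA` template renders an empty string whenever `imperative/initdata` does not exist (the `{{ else }}{{ end }}` branch), so when the `init-data-gzipper` job has not run yet or failed, the peer-pods ConfigMap is produced with no initdata and, by inference, peer pods start without the KBS/attestation configuration this chart used to embed; if that empty value is an intended bootstrap state, a comment above the line saying so and naming the job that repopulates it belongs here, otherwise dropping the guard and letting `fromConfigMap` report the missing object would make the failure visible. Whether `(lookup …).metadata.name` evaluates to a clean false rather than a template error when `lookup` returns an empty object for a missing ConfigMap should be confirmed against the policy-template docs for the OCM version in use. The old value was the TOML base64-encoded by `b64enc`, while the playbook now publishes base64 of the gzipped TOML; the consumer presumably accepts the gzipped form in this operator version, but that changed invariant is worth a comment on this line.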
--- a/charts/coco-supported/sandbox/values.yaml
+++ b/charts/coco-supported/sandbox/values.yaml
@@ -1,11 +1,6 @@
 global:
 cocoUpstream: true
 cocoConverged: true
- azure:
- clusterResGroup: ''
- clusterSubnet: ''
- clusterNSG: ''
- clusterRegion: ''
 secretStore:
 name: vault-backend
diff --git a/values-global.yaml b/values-global.yaml
index 91306c45..84790c7e 100644
--- a/values-global.yaml
+++ b/values-global.yaml
@@ -4,6 +4,7 @@ global:
 useCSV: false
 syncPolicy: Automatic
 installPlanApproval: Automatic
+ autoApproveManualInstallPlans: true
 # This defines whether or not to use upstream resources for CoCo.
 # Defines whether or not the hub cluster can be used for confidential containers
 coco:
diff --git a/values-simple.yaml b/values-simple.yaml
index ad2a1b41..e6f87fb9 100644
--- a/values-simple.yaml
+++ b/values-simple.yaml
@@ -20,20 +20,23 @@ clusterGroup:
 acm:
 name: advanced-cluster-management
 namespace: open-cluster-management
- channel: release-2.12
-
+ channel: release-2.13
 sandbox:
 name: sandboxed-containers-operator
 namespace: openshift-sandboxed-containers-operator
+ source: redhat-operators
 channel: stable
- version: "1.9.*" # 1.9.* matches with trustee 0.3.*
+ installPlanApproval: Manual
+ csv: sandboxed-containers-operator.v1.10.1
 trustee:
 name: trustee-operator
 namespace: trustee-operator-system
 source: redhat-operators
 channel: stable
- version: "0.3.*"
+ installPlanApproval: Manual
+ csv: trustee-operator.v0.4.1
+
 cert-manager:
 name: openshift-cert-manager-operator
 namespace: cert-manager-operator
@@ -128,6 +131,10 @@ clusterGroup:
 playbook: ansible/azure-nat-gateway.yaml
 verbosity: -vvv
 timeout: 3600
+ - name: init-data-gzipper
+ playbook: ansible/init-data-gzipper.yaml
+ verbosity: -vvv
+ timeout: 3600
 managedClusterGroups:
 exampleRegion:
 name: group-one
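Review bot: `autoApproveManualInstallPlans: true` is added without a comment, next to two existing comment lines that document their neighbours, and its interaction with the `installPlanApproval: Manual` plus pinned `csv:` entries introduced in `values-simple.yaml` in this same diff is not obvious: if the framework approves every pending InstallPlan rather than only the one matching the pinned CSV, the Manual setting no longer pins the operator version. Suggest a comment above it such as `# Let the framework approve InstallPlans for subscriptions set to Manual approval, so the csv pins in values-simple.yaml apply without operator intervention`, adjusted to whatever the framework actually does.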
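Review bot: The pin comment `# 1.9.* matches with trustee 0.3.*` is removed along with `version:`, and the new `csv:` pins `sandboxed-containers-operator.v1.10.1` and `trustee-operator.v0.4.1` carry no note of their pairing, although the README hunk in this diff states that `3.*` supports OSC `1.10.*` with Trustee `0.4.*`; keep the cross-reference, e.g. `csv: sandboxed-containers-operator.v1.10.1  # pair with trustee-operator.v0.4.x (README, Major versions)`. The `acm` channel bump to `release-2.13` sits in the same hunk with no stated reason; a trailing comment on why it moves with this change would also help.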