diff --git a/.gitignore b/.gitignore
index b17116db..afdac960 100644
--- a/.gitignore
+++ b/.gitignore
@@ -16,7 +16,8 @@ install-config.yaml
 azure-env.sh
 .openshift*
 .DS_Store
-openshift-install
+openshift-install*
 node_modules
 .envrc
-.ansible/
\ No newline at end of file
+.ansible/
+__pycache__/
\ No newline at end of file
diff --git a/ansible/initdata-default.toml.tpl b/ansible/initdata-default.toml.tpl
index df053f35..fccb7dee 100644
--- a/ansible/initdata-default.toml.tpl
+++ b/ansible/initdata-default.toml.tpl
@@ -25,3 +25,44 @@ kbs_cert = """
 {{ trustee_cert }}
 """
 '''
+
+"policy.rego" = '''
+package agent_policy
+
+default AddARPNeighborsRequest := true
+default AddSwapRequest := true
+default CloseStdinRequest := true
+default CopyFileRequest := true
+default CreateContainerRequest := true
+default CreateSandboxRequest := true
+default DestroySandboxRequest := true
+default ExecProcessRequest := false
+default GetMetricsRequest := true
+default GetOOMEventRequest := true
+default GuestDetailsRequest := true
+default ListInterfacesRequest := true
+default ListRoutesRequest := true
+default MemHotplugByProbeRequest := true
+default OnlineCPUMemRequest := true
+default PauseContainerRequest := true
+default PullImageRequest := true
+default ReadStreamRequest := false
+default RemoveContainerRequest := true
+default RemoveStaleVirtiofsShareMountsRequest := true
+default ReseedRandomDevRequest := true
+default ResumeContainerRequest := true
+default SetGuestDateTimeRequest := true
+default SetPolicyRequest := true
+default SignalProcessRequest := true
+default StartContainerRequest := true
+default StartTracingRequest := true
+default StatsContainerRequest := true
+default StopTracingRequest := true
+default TtyWinResizeRequest := true
+default UpdateContainerRequest := true
+default UpdateEphemeralMountsRequest := true
+default UpdateInterfaceRequest := true
+default UpdateRoutesRequest := true
+default WaitProcessRequest := true
+default WriteStreamRequest := true
+'''
\ No newline at end of file
diff --git a/charts/all/letsencrypt/values.yaml b/charts/all/letsencrypt/values.yaml
index e1c3ef32..c7d97ae3 100644
--- a/charts/all/letsencrypt/values.yaml
+++ b/charts/all/letsencrypt/values.yaml
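Review bot: `default SetPolicyRequest := true` in the new agent policy means the rules embedded in initdata are only the initial policy; as I understand the Kata agent, a pod-supplied policy (the `io.katacontainers.config.agent.policy` annotation that insecure-policy-pod.yaml in this same commit uses) replaces it through exactly that request, so `ExecProcessRequest := false` and `ReadStreamRequest := false` hold only until a workload sets its own policy. The block carries no comment saying so; suggest after `package agent_policy`: `# Initial policy loaded from initdata. SetPolicyRequest is allowed, so a pod-provided policy can replace these defaults; set it to false to pin this policy.` The toml file still ends without a trailing newline.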
@@ -3,6 +3,8 @@ global: ## -- String containing the domain including the apps. prefix. Gets set by the Validated Pattern framework localClusterDomain: "apps.example.com" + ## -- String defining the cluster platform: "Azure" or "AWS" (overridden by values-global.yaml) + clusterPlatform: "" # -- This section contains all the parameters for the letsencrypt chart in @@ -55,7 +57,7 @@ letsencrypt: azure: secretStoreKey: 'secret/data/global/azure' - +# Secret store configuration (overridden by values-global.yaml) secretStore: - name: vault-backend - kind: ClusterSecretStore + name: "" + kind: "" diff --git a/charts/coco-supported/hello-openshift/templates/_helpers.tpl b/charts/coco-supported/hello-openshift/templates/_helpers.tpl new file mode 100644 index 00000000..6082b80a --- /dev/null +++ b/charts/coco-supported/hello-openshift/templates/_helpers.tpl 
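Review bot: `secretStore.name: ""` and `kind: ""` replace working defaults with values that render an invalid `secretStoreRef` whenever values-global.yaml does not override them, and the failure only surfaces when the ExternalSecret is applied. The same empty defaults are added in charts/coco-supported/sandbox/values.yaml and charts/hub/trustee/values.yaml in this commit, and `clusterPlatform: ""` has the same property. Where a template consumes them (dynamic-eso.yaml in this commit is one), `name: {{ required "secretStore.name must be set in values-global.yaml" $.Values.secretStore.name }}` turns the missing override into a render-time error with a clear message; the comment `# Secret store configuration (overridden by values-global.yaml)` should then say the override is mandatory rather than optional.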
@@ -0,0 +1,63 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "hello-openshift.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "hello-openshift.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "hello-openshift.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "hello-openshift.labels" -}} +helm.sh/chart: {{ include "hello-openshift.chart" . }} +{{ include "hello-openshift.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "hello-openshift.selectorLabels" -}} +app.kubernetes.io/name: {{ include "hello-openshift.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Determine runtime class name based on cluster platform +Returns "kata-remote" for Azure/AWS, "kata-cc" for other platforms +*/}} +{{- define "hello-openshift.runtimeClassName" -}} +{{- if or (eq .Values.global.clusterPlatform "Azure") (eq .Values.global.clusterPlatform "AWS") -}} +kata-remote +{{- else -}} +kata-cc +{{- end -}} +{{- end }} 
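Review bot: `hello-openshift.runtimeClassName` falls through to `kata-cc` for any value that is not exactly `Azure` or `AWS`, including the empty default shipped in values.yaml and any casing difference, so a missing or mistyped `global.clusterPlatform` silently selects the other runtime class instead of failing. The same literal comparison is duplicated in charts/coco-supported/sandbox/templates/kata-config.yaml, so the accepted names can drift between the two charts. Suggest `{{- $platform := required "global.clusterPlatform must be set (Azure or AWS)" .Values.global.clusterPlatform -}}` followed by `{{- if has $platform (list "Azure" "AWS") -}}`, plus a comment above the define listing the accepted values so both charts can be kept in sync.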
diff --git a/charts/coco-supported/hello-openshift/templates/insecure-policy-pod.yaml b/charts/coco-supported/hello-openshift/templates/insecure-policy-pod.yaml index 149ca981..205a9350 100644 --- a/charts/coco-supported/hello-openshift/templates/insecure-policy-pod.yaml +++ b/charts/coco-supported/hello-openshift/templates/insecure-policy-pod.yaml @@ -7,7 +7,7 @@ metadata: annotations: io.katacontainers.config.agent.policy: '{{ tpl ( .Files.Get "insecure-policy.rego") . | b64enc }}' spec: - runtimeClassName: kata-remote + runtimeClassName: {{ include "hello-openshift.runtimeClassName" . }} containers: - name: hello-openshift image: quay.io/openshift/origin-hello-openshift diff --git a/charts/coco-supported/hello-openshift/templates/secure-pod.yaml b/charts/coco-supported/hello-openshift/templates/secure-pod.yaml index f015fba5..28e26bf5 100644 --- a/charts/coco-supported/hello-openshift/templates/secure-pod.yaml +++ b/charts/coco-supported/hello-openshift/templates/secure-pod.yaml @@ -7,7 +7,7 @@ metadata: annotations: peerpods: "true" spec: - runtimeClassName: kata-remote + runtimeClassName: {{ include "hello-openshift.runtimeClassName" . }} containers: - name: hello-openshift image: quay.io/openshift/origin-hello-openshift diff --git a/charts/coco-supported/hello-openshift/templates/standard-pod.yaml b/charts/coco-supported/hello-openshift/templates/standard-pod.yaml index eb7b43b5..4a92a8a0 100644 --- a/charts/coco-supported/hello-openshift/templates/standard-pod.yaml +++ b/charts/coco-supported/hello-openshift/templates/standard-pod.yaml @@ -5,7 +5,6 @@ metadata: labels: app: standard spec: - runtimeClassName: {{ .Values.global.runtimeClass }} containers: - name: hello-openshift image: quay.io/openshift/origin-hello-openshift diff --git a/charts/coco-supported/hello-openshift/values.yaml b/charts/coco-supported/hello-openshift/values.yaml index 527f2f2c..c9dbbe0a 100644 --- a/charts/coco-supported/hello-openshift/values.yaml 
+++ b/charts/coco-supported/hello-openshift/values.yaml @@ -1,3 +1,6 @@ +# Chart-specific values +# Common values are inherited from values-global.yaml + +# Global values used by this chart (overridden by values-global.yaml) global: - coco: - runtimeClassName: kata-remote + clusterPlatform: "" # Cluster platform: "Azure" or "AWS" - determines runtime class diff --git a/charts/coco-supported/kbs-access/values.yaml b/charts/coco-supported/kbs-access/values.yaml index 527f2f2c..fdaa4d74 100644 --- a/charts/coco-supported/kbs-access/values.yaml +++ b/charts/coco-supported/kbs-access/values.yaml @@ -1,3 +1,7 @@ +# Chart-specific values +# Common values are inherited from values-global.yaml + +# Global values used by this chart (overridden by values-global.yaml) global: coco: - runtimeClassName: kata-remote + runtimeClassName: "" # Runtime class for confidential containers diff --git a/charts/coco-supported/sandbox/templates/kata-config.yaml b/charts/coco-supported/sandbox/templates/kata-config.yaml index 8f5c0ba4..2e398911 100644 --- a/charts/coco-supported/sandbox/templates/kata-config.yaml +++ b/charts/coco-supported/sandbox/templates/kata-config.yaml @@ -1,4 +1,3 @@ -{{ if .Values.sandbox.deploy }} apiVersion: kataconfiguration.openshift.io/v1 kind: KataConfig metadata: @@ -6,5 +5,4 @@ metadata: argocd.argoproj.io/sync-wave: "100" name: default-kata-config spec: - enablePeerPods: true -{{ end }} \ No newline at end of file + enablePeerPods: {{ if or (eq .Values.global.clusterPlatform "Azure") (eq .Values.global.clusterPlatform "AWS") }}true{{ else }}false{{ end }} \ No newline at end of file diff --git a/charts/coco-supported/sandbox/templates/ssh-key-eso.yaml b/charts/coco-supported/sandbox/templates/ssh-key-eso.yaml index c9f41db2..fac5466e 100644 --- a/charts/coco-supported/sandbox/templates/ssh-key-eso.yaml +++ b/charts/coco-supported/sandbox/templates/ssh-key-eso.yaml 
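Review bot: `runtimeClassName: ""` means that, if a kbs-access template renders `runtimeClassName: {{ .Values.global.coco.runtimeClassName }}` (the template is not in this diff), a missing values-global.yaml override produces an empty field, which YAML reads as null, and the pod lands on the cluster's default runtime instead of a confidential one, without any error. For a value whose whole purpose is confidentiality that is the wrong failure mode; a render-time `required` on the consumer, or keeping a safe default here, is preferable to an empty string. The inline comment `# Runtime class for confidential containers` should state that values-global.yaml must supply the value.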
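Review bot: `enablePeerPods` is now derived from the same literal `Azure`/`AWS` comparison that hello-openshift's `_helpers.tpl` uses for the runtime class, so the two charts must be edited together whenever a platform is added, and an empty `global.clusterPlatform` silently yields `enablePeerPods: false`. The expression can be shortened to `enablePeerPods: {{ has .Values.global.clusterPlatform (list "Azure" "AWS") }}`, with a comment naming the other place the platform list lives. Removing the `sandbox.deploy` guard also means the KataConfig is now always rendered, which is fine if intended but deserves a line in the chart README; the file still ends without a newline.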
@@ -19,5 +19,4 @@ spec: dataFrom: - extract: key: {{ .Values.sandbox.sshKey }} - -{{ end }} \ No newline at end of file +{{- end }} \ No newline at end of file diff --git a/charts/coco-supported/sandbox/values.yaml b/charts/coco-supported/sandbox/values.yaml index ad2f7c1d..51130b76 100644 --- a/charts/coco-supported/sandbox/values.yaml +++ b/charts/coco-supported/sandbox/values.yaml @@ -1,18 +1,18 @@ +# Chart-specific values +# Common values are inherited from values-global.yaml + +# Global values used by this chart (overridden by values-global.yaml) global: - cocoUpstream: true - cocoConverged: true + clusterPlatform: "" # Cluster platform: "Azure" or "AWS" +# Secret store configuration (overridden by values-global.yaml) secretStore: - name: vault-backend - kind: ClusterSecretStore - - + name: "" + kind: "" +# Sandbox-specific configuration sandbox: - deploy: true sshKey: secret/data/global/sshKey - azure: true - peerpodsCreds: secret/data/global/azure # These variables today limit to one cluster # revise using imperative framework to infer from cluster vars # Strongly advised to override in values-global.yaml or values-{cluster-group}.yaml diff --git a/charts/hub/sandbox-policies/Chart.yaml b/charts/hub/sandbox-policies/Chart.yaml new file mode 100644 index 00000000..9baf60a2 --- /dev/null +++ b/charts/hub/sandbox-policies/Chart.yaml @@ -0,0 +1,6 @@ +apiVersion: v2 +description: Deploy and configure policies for sandboxed containers and propagate data from the hub cluster to the managed clusters. +keywords: +- pattern +name: sandbox-policies +version: 0.0.1 diff --git a/charts/hub/sandbox-policies/README.md b/charts/hub/sandbox-policies/README.md new file mode 100644 index 00000000..b99b39f8 --- /dev/null +++ b/charts/hub/sandbox-policies/README.md @@ -0,0 +1,3 @@ +# Sandboxed policies + +Configure and propagate the policies, in particular the initdata, from the 'hub' cluster to the spoke cluster. 
diff --git a/charts/hub/sandbox-policies/templates/hub-to-spoke-initdata-policy.yaml b/charts/hub/sandbox-policies/templates/hub-to-spoke-initdata-policy.yaml new file mode 100644 index 00000000..784429dc --- /dev/null +++ b/charts/hub/sandbox-policies/templates/hub-to-spoke-initdata-policy.yaml 
@@ -0,0 +1,68 @@ +--- +apiVersion: policy.open-cluster-management.io/v1 +kind: Policy +metadata: + name: hub-to-spoke-initdata-policy + namespace: imperative + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + remediationAction: enforce + disabled: false + policy-templates: + - objectDefinition: + apiVersion: policy.open-cluster-management.io/v1 + kind: ConfigurationPolicy + metadata: + name: hub-to-spoke-initdata-cp + namespace: imperative + spec: + remediationAction: enforce + severity: medium + namespaceSelector: + include: + - imperative + object-templates: + - complianceType: mustonlyhave + objectDefinition: + apiVersion: v1 + kind: ConfigMap + metadata: + name: initdata + namespace: imperative + data: + INITDATA: '{{ `{{hub fromConfigMap "imperative" "initdata" "INITDATA" hub}}` }}' + +--- +apiVersion: policy.open-cluster-management.io/v1 +kind: PlacementBinding +metadata: + name: hub-to-spoke-initdata-placement-binding + namespace: imperative + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +placementRef: + name: hub-to-spoke-initdata-placement-rule + kind: PlacementRule + apiGroup: apps.open-cluster-management.io +subjects: + - name: hub-to-spoke-initdata-policy + kind: Policy + apiGroup: policy.open-cluster-management.io + +--- +apiVersion: apps.open-cluster-management.io/v1 +kind: PlacementRule +metadata: + name: hub-to-spoke-initdata-placement-rule + namespace: imperative +spec: + clusterConditions: + - status: 'True' + type: ManagedClusterConditionAvailable + clusterSelector: + matchExpressions: + # Only apply to spoke clusters (exclude local-cluster which is typically the hub) + - key: name + operator: NotIn + values: ["local-cluster"] \ No newline at end of file 
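Review bot: The PlacementRule (`apps.open-cluster-management.io/v1`) and the `placementRef` to it use an API that, as far as I know, is deprecated in Open Cluster Management in favour of `Placement` (`cluster.open-cluster-management.io/v1beta1`) bound through the same PlacementBinding; check the RHACM version this pattern targets before building a new chart on it. Excluding the hub via `key: name` / `NotIn ["local-cluster"]` depends on the hub being registered under that name, so the comment should state that assumption rather than "typically". `complianceType: mustonlyhave` on the `initdata` ConfigMap is the right choice here, since it reverts any edit to INITDATA on a spoke; a short comment saying so would help the next reader. The file lacks a trailing newline.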
diff --git a/charts/coco-supported/sandbox/templates/peer-pods-cm.yaml b/charts/hub/sandbox-policies/templates/peer-pods-cm.yaml similarity index 90% rename from charts/coco-supported/sandbox/templates/peer-pods-cm.yaml rename to charts/hub/sandbox-policies/templates/peer-pods-cm.yaml index 0fde7a10..e4608fe6 100644 --- a/charts/coco-supported/sandbox/templates/peer-pods-cm.yaml +++ b/charts/hub/sandbox-policies/templates/peer-pods-cm.yaml @@ -1,4 +1,3 @@ -{{- if and .Values.sandbox.azure .Values.sandbox.deploy }} --- apiVersion: policy.open-cluster-management.io/v1 kind: Policy 
@@ -30,14 +29,14 @@ spec: VXLAN_PORT: "9000" AZURE_IMAGE_ID: '{{ `{{if (lookup "v1" "ConfigMap" "openshift-sandboxed-containers-operator" "peer-pods-cm").metadata.name }}{{ fromConfigMap "openshift-sandboxed-containers-operator" "peer-pods-cm" "AZURE_IMAGE_ID" }}{{ else }}{{ end }}` }}' AZURE_INSTANCE_SIZE: "{{ .Values.global.coco.azure.defaultVMFlavour }}" - AZURE_INSTANCE_SIZES: "Standard_DC2as_v5,Standard_DC4as_v5,Standard_DC8as_v5,Standard_DC16as_v5" + AZURE_INSTANCE_SIZES: "{{ .Values.global.coco.azure.VMFlavours }}" AZURE_RESOURCE_GROUP: '{{ `{{ (fromJson (fromConfigMap "openshift-cloud-controller-manager" "cloud-conf" "cloud.conf" | toLiteral)).vnetResourceGroup }}` }}' AZURE_REGION: '{{ `{{ (fromJson (fromConfigMap "openshift-cloud-controller-manager" "cloud-conf" "cloud.conf" | toLiteral)).location }}` }}' AZURE_SUBNET_ID: '/subscriptions/{{ `{{ (fromJson (fromConfigMap "openshift-cloud-controller-manager" "cloud-conf" "cloud.conf" | toLiteral)).subscriptionId }}` }}/resourceGroups/{{ `{{ (fromJson (fromConfigMap "openshift-cloud-controller-manager" "cloud-conf" "cloud.conf" | toLiteral)).vnetResourceGroup }}` }}/providers/Microsoft.Network/virtualNetworks/{{ `{{ (fromJson (fromConfigMap "openshift-cloud-controller-manager" "cloud-conf" "cloud.conf" | toLiteral)).vnetName }}` }}/subnets/{{ `{{ (fromJson (fromConfigMap "openshift-cloud-controller-manager" "cloud-conf" "cloud.conf" | toLiteral)).subnetName }}` }}' AZURE_NSG_ID: '/subscriptions/{{ `{{ (fromJson (fromConfigMap "openshift-cloud-controller-manager" "cloud-conf" "cloud.conf" | toLiteral)).subscriptionId }}` }}/resourceGroups/{{ `{{ (fromJson (fromConfigMap "openshift-cloud-controller-manager" "cloud-conf" "cloud.conf" | toLiteral)).resourceGroup }}` }}/providers/Microsoft.Network/networkSecurityGroups/{{ `{{ (fromJson (fromConfigMap "openshift-cloud-controller-manager" "cloud-conf" "cloud.conf" | toLiteral)).securityGroupName }}` }}' DISABLECVM: "false" PROXY_TIMEOUT: "5m" - INITDATA: '{{ `{{if 
(lookup "v1" "ConfigMap" "imperative" "initdata").metadata.name }}{{ fromConfigMap "imperative" "initdata" "INITDATA" }}{{ else }}{{ end }}` }}' + INITDATA: '{{ `{{ fromConfigMap "imperative" "initdata" "INITDATA" }}` }}' --- apiVersion: policy.open-cluster-management.io/v1 @@ -67,4 +66,3 @@ spec: matchLabels: cloud: Azure --- -{{- end }} diff --git a/charts/hub/sandbox-policies/values.yaml b/charts/hub/sandbox-policies/values.yaml new file mode 100644 index 00000000..f78457ec --- /dev/null +++ b/charts/hub/sandbox-policies/values.yaml @@ -0,0 +1,11 @@ + +# Chart-specific values +# Common values are inherited from values-global.yaml + +# Global values used by this chart (overridden by values-global.yaml) +global: + clusterPlatform: "" # Cluster platform: "Azure" or "AWS" + coco: + azure: + defaultVMFlavour: "Standard_DC2as_v5" + VMFlavours: "Standard_DC2as_v5,Standard_DC4as_v5,Standard_DC8as_v5,Standard_DC16as_v5" \ No newline at end of file diff --git a/charts/hub/trustee/templates/kbs-passphrase-eso.yaml b/charts/hub/trustee/templates/dynamic-eso.yaml similarity index 54% rename from charts/hub/trustee/templates/kbs-passphrase-eso.yaml rename to charts/hub/trustee/templates/dynamic-eso.yaml index c6e116c3..be0c6639 100644 --- a/charts/hub/trustee/templates/kbs-passphrase-eso.yaml +++ b/charts/hub/trustee/templates/dynamic-eso.yaml 
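Review bot: Dropping the `lookup` guard around `INITDATA` changes the failure mode when the `initdata` ConfigMap in `imperative` is absent: the policy template now errors and the policy goes NonCompliant, whereas before it silently wrote an empty INITDATA, which would have let peer pods start without the initdata policy and KBS settings. That is the safer behaviour, but nothing in the diff says it is deliberate, so suggest a comment above the line: `# No lookup guard on purpose: a missing initdata ConfigMap must fail this policy rather than deploy peer pods with an empty INITDATA`.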
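Review bot: The new values.yaml opens with an empty first line and mixes `defaultVMFlavour` with `VMFlavours` (leading capital) under the same `azure:` map; since peer-pods-cm.yaml reads these as `.Values.global.coco.azure.defaultVMFlavour` and `.VMFlavours`, a later rename is a two-file change, so the naming should be settled now. `VMFlavours` holds a comma-separated string rather than a YAML list, which the inline comment should say so nobody converts it. The file also ends without a trailing newline.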
@@ -1,23 +1,25 @@ {{- if ne .Values.global.secretStore.backend "none" }} +{{- range .Values.kbs.secretResources }} --- apiVersion: "external-secrets.io/v1beta1" kind: ExternalSecret metadata: annotations: argocd.argoproj.io/sync-wave: "1" - name: kbs-passphrase-eso - namespace: {{ .Values.kbs.deployNS }} + name: {{ .name }}-eso + namespace: trustee-operator-system spec: refreshInterval: 15s secretStoreRef: - name: {{ .Values.secretStore.name }} - kind: {{ .Values.secretStore.kind }} - data: + name: {{ $.Values.secretStore.name }} + kind: {{ $.Values.secretStore.kind }} target: - name: passphrase + name: {{ .name }} template: type: Opaque dataFrom: - extract: - key: {{ .Values.kbs.passphrase }} -{{- end }} \ No newline at end of file + key: {{ .key }} +{{- end }} +{{- end }} + diff --git a/charts/hub/trustee/templates/kbs-config-map.yaml b/charts/hub/trustee/templates/kbs-config-map.yaml index 5c033bfb..df4072a5 100644 --- a/charts/hub/trustee/templates/kbs-config-map.yaml +++ b/charts/hub/trustee/templates/kbs-config-map.yaml @@ -2,7 +2,7 @@ apiVersion: v1 kind: ConfigMap metadata: name: kbs-config - namespace: {{ .Values.kbs.deployNS }} + namespace: trustee-operator-system data: kbs-config.toml: | [http_server] diff --git a/charts/hub/trustee/templates/kbs-operator-keys.yaml b/charts/hub/trustee/templates/kbs-operator-keys.yaml index ca55e22b..b7e60409 100644 --- a/charts/hub/trustee/templates/kbs-operator-keys.yaml +++ b/charts/hub/trustee/templates/kbs-operator-keys.yaml @@ -6,7 +6,7 @@ metadata: annotations: argocd.argoproj.io/sync-wave: "1" name: kbs-auth-public-key-eso - namespace: {{ .Values.kbs.deployNS }} + namespace: trustee-operator-system spec: refreshInterval: 15s secretStoreRef: diff --git a/charts/hub/trustee/templates/kbs-route.yaml b/charts/hub/trustee/templates/kbs-route.yaml index 7f62e7f2..fb70395b 100644 --- a/charts/hub/trustee/templates/kbs-route.yaml +++ b/charts/hub/trustee/templates/kbs-route.yaml 
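Review bot: Inside the `range`, `name: {{ .name }}-eso`, `target.name: {{ .name }}` and `key: {{ .key }}` are rendered unchecked, so an entry that omits `name` produces an ExternalSecret called `-eso` targeting an empty Secret name and fails only at apply time. `{{ required "kbs.secretResources[].name is required" .name }}` and `{{ required "kbs.secretResources[].key is required" .key | quote }}` give a render-time error instead, and quoting `key` keeps a path such as `secret/data/hub/passphrase` from ever being reinterpreted by YAML. The empty line added at the end of the file is a nit.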
@@ -4,7 +4,7 @@ apiVersion: route.openshift.io/v1 kind: Route metadata: name: kbs - namespace: {{ .Values.kbs.deployNS }} + namespace: trustee-operator-system spec: port: targetPort: 8080 diff --git a/charts/hub/trustee/templates/kbs.yaml b/charts/hub/trustee/templates/kbs.yaml index 7ede92a1..4623cc2c 100644 --- a/charts/hub/trustee/templates/kbs.yaml +++ b/charts/hub/trustee/templates/kbs.yaml @@ -2,13 +2,17 @@ apiVersion: confidentialcontainers.org/v1alpha1 kind: KbsConfig metadata: name: kbsconfig - namespace: {{ .Values.kbs.deployNS }} + namespace: trustee-operator-system spec: kbsConfigMapName: kbs-config kbsAuthSecretName: kbs-auth-public-key kbsDeploymentType: AllInOneDeployment kbsRvpsRefValuesConfigMapName: rvps-reference-values - kbsSecretResources: ["kbsres1", "passphrase", "security-policy"] + kbsSecretResources: + {{- range .Values.kbs.secretResources }} + - "{{ .name }}" + {{- end }} + - "security-policy" kbsHttpsKeySecretName: kbs-https-key kbsHttpsCertSecretName: kbs-https-certificate kbsResourcePolicyConfigMapName: resource-policy diff --git a/charts/hub/trustee/templates/kbsres1-eso.yaml b/charts/hub/trustee/templates/kbsres1-eso.yaml deleted file mode 100644 index 21bb9e42..00000000 --- a/charts/hub/trustee/templates/kbsres1-eso.yaml +++ /dev/null @@ -1,23 +0,0 @@ -{{- if ne .Values.global.secretStore.backend "none" }} ---- -apiVersion: "external-secrets.io/v1beta1" -kind: ExternalSecret -metadata: - annotations: - argocd.argoproj.io/sync-wave: "1" - name: kbsres1-eso - namespace: {{ .Values.kbs.deployNS }} -spec: - refreshInterval: 15s - secretStoreRef: - name: {{ .Values.secretStore.name }} - kind: {{ .Values.secretStore.kind }} - data: - target: - name: kbsres1 - template: - type: Opaque - dataFrom: - - extract: - key: {{ .Values.kbs.kbsres1 }} -{{- end }} \ No newline at end of file diff --git a/charts/hub/trustee/templates/reference-values.yaml b/charts/hub/trustee/templates/reference-values.yaml index c625134a..7d62d19f 100644 
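Review bot: `kbsSecretResources` is now built from `kbs.secretResources` plus a literal `"security-policy"`, and nothing explains why that one entry stays hard-coded while the rest moved to values; a reader will be tempted to move it into the list, which would not create its ExternalSecret (that comes from securityPolicy-eso.yaml). Suggest a comment above the range: `# security-policy is provisioned by securityPolicy-eso.yaml, not by kbs.secretResources, so it is listed explicitly`.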
--- a/charts/hub/trustee/templates/reference-values.yaml +++ b/charts/hub/trustee/templates/reference-values.yaml @@ -4,7 +4,7 @@ metadata: annotations: argocd.argoproj.io/sync-wave: "1" name: rvps-reference-values - namespace: {{ .Values.kbs.deployNS }} + namespace: trustee-operator-system data: reference-values.json: | [ diff --git a/charts/hub/trustee/templates/resource-policy.yaml b/charts/hub/trustee/templates/resource-policy.yaml index 6cbed1bf..963e1666 100644 --- a/charts/hub/trustee/templates/resource-policy.yaml +++ b/charts/hub/trustee/templates/resource-policy.yaml @@ -2,7 +2,7 @@ apiVersion: v1 kind: ConfigMap metadata: name: resource-policy - namespace: {{ .Values.kbs.deployNS }} + namespace: trustee-operator-system data: policy.rego: | package policy diff --git a/charts/hub/trustee/templates/securityPolicy-eso.yaml b/charts/hub/trustee/templates/securityPolicy-eso.yaml index ad3f0557..cb5ea7c0 100644 --- a/charts/hub/trustee/templates/securityPolicy-eso.yaml +++ b/charts/hub/trustee/templates/securityPolicy-eso.yaml @@ -6,7 +6,7 @@ metadata: annotations: argocd.argoproj.io/sync-wave: "1" name: securitypolicy-eso - namespace: {{ .Values.kbs.deployNS }} + namespace: trustee-operator-system spec: refreshInterval: 15s secretStoreRef: diff --git a/charts/hub/trustee/templates/tls-cert-eso.yaml b/charts/hub/trustee/templates/tls-cert-eso.yaml index 2ddb1b2e..0e62533d 100644 --- a/charts/hub/trustee/templates/tls-cert-eso.yaml +++ b/charts/hub/trustee/templates/tls-cert-eso.yaml @@ -1,3 +1,4 @@ +{{- if ne .Values.global.secretStore.backend "none" }} --- apiVersion: "external-secrets.io/v1beta1" kind: ExternalSecret @@ -20,5 +21,4 @@ spec: remoteRef: key: 'secret/data/pushsecrets/kbs-tls-self-signed' property: certificate - - +{{- end }} diff --git a/charts/hub/trustee/templates/tls-key-eso.yaml b/charts/hub/trustee/templates/tls-key-eso.yaml index 8ec36cd2..308f9b03 100644 --- a/charts/hub/trustee/templates/tls-key-eso.yaml 
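Review bot: Wrapping the TLS certificate ExternalSecret in `{{- if ne .Values.global.secretStore.backend "none" }}` (and the key in tls-key-eso.yaml, same commit) means that with backend `none` no `kbs-https-certificate`/`kbs-https-key` Secrets are created, while kbs.yaml still sets `kbsHttpsKeySecretName: kbs-https-key` and `kbsHttpsCertSecretName: kbs-https-certificate` unconditionally. Whether the operator tolerates dangling references when `kbs.https.enabled` is false is not visible here; if it does not, those two KbsConfig fields need the same condition, and either way a comment on the guard should say what is expected to supply the TLS material when the backend is `none`.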
+++ b/charts/hub/trustee/templates/tls-key-eso.yaml @@ -1,3 +1,4 @@ +{{- if ne .Values.global.secretStore.backend "none" }} --- apiVersion: "external-secrets.io/v1beta1" kind: ExternalSecret @@ -20,5 +21,6 @@ spec: remoteRef: key: 'secret/data/pushsecrets/kbs-tls-self-signed' property: key +{{- end }} diff --git a/charts/hub/trustee/values.yaml b/charts/hub/trustee/values.yaml index 6d73f726..2cebc838 100644 --- a/charts/hub/trustee/values.yaml +++ b/charts/hub/trustee/values.yaml @@ -1,19 +1,32 @@ -global: - cocoUpstream: true +# Chart-specific values +# Common values are inherited from values-global.yaml + + +# Secret store configuration (overridden by values-global.yaml) secretStore: - name: vault-backend - kind: ClusterSecretStore + name: "" + kind: "" +# KBS (Key Broker Service) configuration kbs: # Do you do internal HTTPS for the KBS - deployNS: trustee-operator-system https: enabled: false certAuth: enabled: false + + # Static secret (remains unchanged) securityPolicy: secret/data/hub/securityPolicyConfig + + # Static TLS-related secrets (different structure, remain static) publicKey: secret/data/hub/kbsPublicKey privateKey: secret/data/global/kbsPrivateKey - kbsres1: secret/data/hub/kbsres1 - passphrase: secret/data/hub/passphrase + + # Dynamic secret resources list - add new secrets here + # Each entry generates an ESO and gets added to kbsSecretResources + secretResources: + - name: "kbsres1" + key: "secret/data/hub/kbsres1" + - name: "passphrase" + key: "secret/data/hub/passphrase" diff --git a/rhdp/README.md b/rhdp/README.md index b4336646..e5240b00 100644 --- a/rhdp/README.md +++ b/rhdp/README.md 
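Review bot: `kbs.deployNS` is removed while the trustee templates in this commit (kbs-config-map, kbs-operator-keys, kbs-route, kbs.yaml, reference-values, resource-policy, securityPolicy-eso, dynamic-eso) hard-code `namespace: trustee-operator-system`, so an override of `kbs.deployNS` left in values-global.yaml or a cluster-group values file is now silently ignored rather than rejected. If the namespace is fixed by the operator, say so under `kbs:`, e.g. `# All trustee resources are created in trustee-operator-system; the former deployNS key is no longer honoured`, and consider `{{- if .Values.kbs.deployNS }}{{ fail "kbs.deployNS is no longer supported" }}{{- end }}` in one template so stale overrides are caught. The two consecutive blank lines after the header comment are a yamllint nit.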
@@ -9,5 +9,16 @@ The scripts in this directory help users of that platform automate deployments. 2. Download the credentials 3. Load the credentials into your environment (e.g. using `direnv`) 4. Launch the wrapper script from the repository root directory: + +### Single Cluster Deployment + 1. `bash ./rhdp/wrapper.sh eastasia` 2. The wrapper script **requires** an azure region code this code SHOULD be the same as what was selected in RHDP. + +### Multi-Cluster Deployment (Hub and Spoke) + + 1. `bash ./rhdp/wrapper-multicluster.sh eastasia` + 2. This creates two clusters: `coco-hub` and `coco-spoke` in the same region + 3. The pattern is deployed only on the hub cluster + 4. Hub cluster kubeconfig: `./openshift-install-hub/auth/kubeconfig` + 5. Spoke cluster kubeconfig: `./openshift-install-spoke/auth/kubeconfig` diff --git a/rhdp/install-config.yaml.j2 b/rhdp/install-config.yaml.j2 index 28411a8a..3bf0e0dd 100644 --- a/rhdp/install-config.yaml.j2 +++ b/rhdp/install-config.yaml.j2 @@ -19,16 +19,16 @@ controlPlane: replicas: 3 metadata: creationTimestamp: null - name: coco + name: {{ cluster_name }} networking: clusterNetwork: - - cidr: 10.128.0.0/14 + - cidr: {{ cluster_network_cidr }} hostPrefix: 23 machineNetwork: - - cidr: 10.0.0.0/16 + - cidr: {{ machine_network_cidr }} networkType: OVNKubernetes serviceNetwork: - - 172.30.0.0/16 + - {{ service_network_cidr }} platform: azure: baseDomainResourceGroupName: {{ RESOURCEGROUP }} diff --git a/rhdp/rhdp-cluster-define.py b/rhdp/rhdp-cluster-define.py index 6b7c3fb2..522c0bb3 100644 --- a/rhdp/rhdp-cluster-define.py +++ b/rhdp/rhdp-cluster-define.py @@ -5,6 +5,7 @@ import os import pathlib import shutil +from typing import Dict, List import typer from jinja2 import Environment, FileSystemLoader, select_autoescape 
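Review bot: `name: {{ cluster_name }}` and the three `cidr`/serviceNetwork substitutions are unquoted; Jinja renders before YAML is parsed, so the values set in rhdp-cluster-define.py work today, but an empty or boolean-looking expansion would be retyped silently. Quoting them, `name: "{{ cluster_name }}"` and `- cidr: "{{ cluster_network_cidr }}"`, costs nothing and follows the usual rule for templated scalars.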
@@ -12,15 +13,50 @@ from typing_extensions import Annotated -def cleanup(pattern_dir: pathlib.Path) -> None: - """Cleanup directory""" +def get_default_cluster_configs() -> List[Dict]: + """Get default cluster configurations""" + return [ + { + "name": "coco", + "directory": "openshift-install", + "cluster_network_cidr": "10.128.0.0/14", + "machine_network_cidr": "10.0.0.0/16", + "service_network_cidr": "172.30.0.0/16", + } + ] + + +def get_multicluster_configs() -> List[Dict]: + """Get multicluster configurations for hub and spoke""" + return [ + { + "name": "coco-hub", + "directory": "openshift-install-hub", + "cluster_network_cidr": "10.128.0.0/14", + "machine_network_cidr": "10.0.0.0/16", + "service_network_cidr": "172.30.0.0/16", + }, + { + "name": "coco-spoke", + "directory": "openshift-install-spoke", + "cluster_network_cidr": "10.132.0.0/14", + "machine_network_cidr": "10.4.0.0/16", + "service_network_cidr": "172.34.0.0/16", + }, + ] + + +def cleanup(pattern_dir: pathlib.Path, cluster_configs: List[Dict]) -> None: + """Cleanup directories for all clusters""" - install_dir = pattern_dir / "openshift-install" azure_dir = pathlib.Path.home() / ".azure" - if install_dir.exists() and install_dir.is_dir(): - shutil.rmtree(install_dir) - install_dir.mkdir() + for config in cluster_configs: + install_dir = pattern_dir / config["directory"] + if install_dir.exists() and install_dir.is_dir(): + shutil.rmtree(install_dir) + install_dir.mkdir() + if azure_dir.exists() and azure_dir.is_dir(): shutil.rmtree(azure_dir) 
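Review bot: The cluster configuration is passed around as `List[Dict]` with five string keys that are only discoverable by reading `setup_install`; a `TypedDict` (`class ClusterConfig(TypedDict): name: str; directory: str; cluster_network_cidr: str; machine_network_cidr: str; service_network_cidr: str`) would let a type checker catch a missing key at the call site, assuming the supported Python is 3.8 or newer, which the `typing` imports suggest. Both builder docstrings could state that `directory` is relative to `pattern_dir` and that the CIDR fields are copied verbatim into install-config.yaml. `cleanup` appears to continue past the end of the hunk.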
@@ -36,15 +72,17 @@ def setup_install( region: str, pull_secret_path: pathlib.Path, ssh_key_path: pathlib.Path, + cluster_configs: List[Dict], ): - """create the install config file""" + """create the install config files for all clusters""" try: GUID = os.environ["GUID"] RESOURCEGROUP = os.environ["RESOURCEGROUP"] except KeyError as e: rprint("Unable to get azure environment details") raise e - # Read ssh_public_key + + # Read ssh_public_key and pull_secret ssh_key = ssh_key_path.expanduser().read_text() pull_secret = pull_secret_path.expanduser().read_text() rhdp_dir = pattern_dir / "rhdp" @@ -52,15 +90,23 @@ def setup_install( loader=FileSystemLoader(searchpath=rhdp_dir), autoescape=select_autoescape() ) config_template = jinja_env.get_template("install-config.yaml.j2") - output_text = config_template.render( - GUID=GUID, - RESOURCEGROUP=RESOURCEGROUP, - ssh_key=ssh_key, - pull_secret=pull_secret, - region=region, - ) - install_config = pattern_dir / "openshift-install/install-config.yaml" - install_config.write_text(output_text) + + # Create install config for each cluster + for config in cluster_configs: + rprint(f"Creating install config for cluster: {config['name']}") + output_text = config_template.render( + GUID=GUID, + RESOURCEGROUP=RESOURCEGROUP, + ssh_key=ssh_key, + pull_secret=pull_secret, + region=region, + cluster_name=config["name"], + cluster_network_cidr=config["cluster_network_cidr"], + machine_network_cidr=config["machine_network_cidr"], + service_network_cidr=config["service_network_cidr"], + ) + install_config = pattern_dir / config["directory"] / "install-config.yaml" + install_config.write_text(output_text) def write_azure_creds(): 
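Review bot: `install_config.write_text(output_text)` writes the rendered install-config, which embeds the pull secret and the SSH public key, with the process umask's default permissions, so on a shared host the pull secret is typically group- or world-readable. Since `cleanup` recreates the directory and the file is therefore new on every run, `install_config.touch(mode=0o600)` immediately before `install_config.write_text(output_text)` keeps it owner-only (umask permitting); a comment on that line should say it holds the pull secret. The rest of the `for config in cluster_configs` loop looks fine.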
@@ -84,18 +130,36 @@ def print(): rprint("Run openshift install .") -def run(region: Annotated[str, typer.Argument(help="Azure region code")]): +def run( + region: Annotated[str, typer.Argument(help="Azure region code")], + multicluster: Annotated[ + bool, typer.Option("--multicluster", help="Deploy hub and spoke clusters") + ] = False, +): """ Region flag requires an azure region key which can be (authoritatively) requested with: "az account list-locations -o table". + + Use --multicluster flag to deploy both hub (coco-hub) and spoke (coco-spoke) + clusters. """ validate_dir() - cleanup(pathlib.Path.cwd()) + + # Choose cluster configurations based on multicluster flag + if multicluster: + cluster_configs = get_multicluster_configs() + rprint("Setting up multicluster deployment (hub and spoke)") + else: + cluster_configs = get_default_cluster_configs() + rprint("Setting up single cluster deployment") + + cleanup(pathlib.Path.cwd(), cluster_configs) setup_install( pathlib.Path.cwd(), region, pathlib.Path("~/pull-secret.json"), pathlib.Path("~/.ssh/id_rsa.pub"), + cluster_configs, ) write_azure_creds() diff --git a/rhdp/wrapper-cluster-only.sh b/rhdp/wrapper-cluster-only.sh new file mode 100755 index 00000000..f5454a72 --- /dev/null +++ b/rhdp/wrapper-cluster-only.sh 
@@ -0,0 +1,109 @@
+
+#!/usr/bin/env bash
+set -e
+
+# Function to detect available python binary
+get_python_cmd() {
+ if command -v python &> /dev/null; then
+ echo "python"
+ elif command -v python3 &> /dev/null; then
+ echo "python3"
+ else
+ echo "ERROR: Neither python3 nor python is available" >&2
+ exit 1
+ fi
+}
+
+if [ "$#" -ne 1 ]; then
+ echo "Error: Exactly one argument is required."
+ echo "Usage: $0 {azure-region-code}"
+ echo "Example: $0 eastasia"
+ exit 1
+fi
+AZUREREGION=$1
+
+echo "---------------------"
+echo "Validating configuration"
+echo "---------------------"
+
+# Check if values-global.yaml exists
+if [ ! -f "values-global.yaml" ]; then
+ echo "ERROR: values-global.yaml file not found in current directory"
+ echo "Please run this script from the root directory of the project"
+ exit 1
+fi
+
+
+# Extract clusterGroupName from values-global.yaml using yq
+CLUSTER_GROUP_NAME=$(yq eval '.main.clusterGroupName' values-global.yaml)
+
+
+echo "Check your cluster group name makes sense: clusterGroupName = $CLUSTER_GROUP_NAME"
+
+echo "Run from the root directory of the project"
+echo "\n"
+echo "Ensuring azure environment is installed"
+
+if [ ! -n "${GUID}" ]; then
+ echo "RHDP GUID environmental variable does not exist"
+ exit 1
+fi
+if [ ! -n "${CLIENT_ID}" ]; then
+ echo "RHDP AZURE 'CLIENT_ID' environmental variable does not exist"
+ exit 1
+fi
+if [ ! -n "${PASSWORD}" ]; then
+ echo "RHDP AZURE 'PASSWORD' environmental variable aka client secret does not exist"
+ exit 1
+fi
+if [ ! -n "${TENANT}" ]; then
+ echo "RHDP AZURE 'TENANT' environmental variable does not exist"
+ exit 1
+fi
+if [ ! -n "${SUBSCRIPTION}" ]; then
+ echo "RHDP AZURE 'SUBSCRIPTION' environmental variable does not exist"
+ exit 1
+fi
+if [ ! -n "${RESOURCEGROUP}" ]; then
+ echo "RHDP AZURE 'RESOURCEGROUP' environmental variable does not exist"
+ exit 1
+fi
+
+
+sleep 10
+echo "---------------------"
+echo "Installing python dependencies"
+echo "---------------------"
+pip install -r rhdp/requirements.txt
+echo "---------------------"
+echo "requirements installed"
+echo "---------------------"
+sleep 5
+
+if [ ! -f "${HOME}/pull-secret.json" ]; then
+ echo "A OpenShift pull secret is required at ~/pull-secret.json"
+ exit 1
+fi
+
+if [ ! -f "${HOME}/.ssh/id_rsa" ]; then
+ echo "An rsa ssh key is required at ~/.ssh/id_rsa"
+ echo "e.g. ssh-keygen -t rsa -b 4096"
+ echo "TBC: Update to support other key types"
+ exit 1
+fi
+
+
+echo "---------------------"
+echo "defining cluster"
+echo "---------------------"
+PYTHON_CMD=$(get_python_cmd)
+$PYTHON_CMD rhdp/rhdp-cluster-define.py ${AZUREREGION}
+echo "---------------------"
+echo "cluster defined"
+echo "---------------------"
+sleep 10
+echo "---------------------"
+echo "openshift-install"
+echo "---------------------"
+openshift-install create cluster --dir=./openshift-install
+echo "openshift-install done"
diff --git a/rhdp/wrapper-multicluster.sh b/rhdp/wrapper-multicluster.sh
new file mode 100755
index 00000000..3ec459db
--- /dev/null
+++ b/rhdp/wrapper-multicluster.sh
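Review bot: The first added line of `rhdp/wrapper-cluster-only.sh` is empty, so `#!/usr/bin/env bash` sits on line 2 and is not honoured when the file (mode 100755) is executed directly; delete the leading blank line. `get_python_cmd` prefers `python` over `python3`, and on hosts where `python` still resolves to Python 2 the define script fails late with an unrelated error; test `python3` first — the same helper is copied verbatim into `wrapper-multicluster.sh` and `wrapper.sh` in this commit, so it is better fixed once and sourced by all three. Unlike the other two wrappers this script does not check that `yq` exists before `CLUSTER_GROUP_NAME=$(yq eval ...)`, and it only prints the group name instead of validating it; if that is intentional for a generic cluster-only run, a comment saying so would stop someone "fixing" it. The `[ ! -n "${VAR}" ]` tests read more naturally as `[ -z "${VAR}" ]`.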
@@ -0,0 +1,190 @@
+#!/usr/bin/env bash
+set -e
+
+# Function to detect available python binary
+get_python_cmd() {
+ if command -v python &> /dev/null; then
+ echo "python"
+ elif command -v python3 &> /dev/null; then
+ echo "python3"
+ else
+ echo "ERROR: Neither python3 nor python is available" >&2
+ exit 1
+ fi
+}
+
+if [ "$#" -ne 1 ]; then
+ echo "Error: Exactly one argument is required."
+ echo "Usage: $0 {azure-region-code}"
+ echo "Example: $0 eastasia"
+ exit 1
+fi
+AZUREREGION=$1
+
+echo "---------------------"
+echo "Validating configuration"
+echo "---------------------"
+
+# Check if values-global.yaml exists
+if [ ! -f "values-global.yaml" ]; then
+ echo "ERROR: values-global.yaml file not found in current directory"
+ echo "Please run this script from the root directory of the project"
+ exit 1
+fi
+
+# Check if yq is available
+if ! command -v yq &> /dev/null; then
+ echo "ERROR: yq is required but not installed"
+ echo "Please install yq: https://github.com/mikefarah/yq#install"
+ exit 1
+fi
+
+# Extract clusterGroupName from values-global.yaml using yq
+CLUSTER_GROUP_NAME=$(yq eval '.main.clusterGroupName' values-global.yaml)
+
+if [ "$CLUSTER_GROUP_NAME" != "trusted-hub" ]; then
+ echo "ERROR: Incorrect clusterGroupName configuration"
+ echo "Expected: trusted-hub"
+ echo "Found: $CLUSTER_GROUP_NAME"
+ echo ""
+ echo "Please update values-global.yaml:"
+ echo " main:"
+ echo " clusterGroupName: trusted-hub"
+ exit 1
+fi
+
+echo "Configuration validation passed: clusterGroupName = $CLUSTER_GROUP_NAME"
+
+echo "Run from the root directory of the project"
+echo "This will deploy two clusters: coco-hub and coco-spoke in the same region"
+echo ""
+echo "Ensuring azure environment is installed"
+
+if [ ! -n "${GUID}" ]; then
+ echo "RHDP GUID environmental variable does not exist"
+ exit 1
+fi
+if [ ! -n "${CLIENT_ID}" ]; then
+ echo "RHDP AZURE 'CLIENT_ID' environmental variable does not exist"
+ exit 1
+fi
+if [ ! -n "${PASSWORD}" ]; then
+ echo "RHDP AZURE 'PASSWORD' environmental variable aka client secret does not exist"
+ exit 1
+fi
+if [ ! -n "${TENANT}" ]; then
+ echo "RHDP AZURE 'TENANT' environmental variable does not exist"
+ exit 1
+fi
+if [ ! -n "${SUBSCRIPTION}" ]; then
+ echo "RHDP AZURE 'SUBSCRIPTION' environmental variable does not exist"
+ exit 1
+fi
+if [ ! -n "${RESOURCEGROUP}" ]; then
+ echo "RHDP AZURE 'RESOURCEGROUP' environmental variable does not exist"
+ exit 1
+fi
+
+sleep 10
+echo "---------------------"
+echo "Installing python dependencies"
+echo "---------------------"
+pip install -r rhdp/requirements.txt
+echo "---------------------"
+echo "requirements installed"
+echo "---------------------"
+sleep 5
+
+if [ ! -f "${HOME}/pull-secret.json" ]; then
+ echo "A OpenShift pull secret is required at ~/pull-secret.json"
+ exit 1
+fi
+
+if [ ! -f "${HOME}/.ssh/id_rsa" ]; then
+ echo "An rsa ssh key is required at ~/.ssh/id_rsa"
+ echo "e.g. ssh-keygen -t rsa -b 4096"
+ echo "TBC: Update to support other key types"
+ exit 1
+fi
+
+echo "---------------------"
+echo "defining both clusters (hub and spoke)"
+echo "---------------------"
+PYTHON_CMD=$(get_python_cmd)
+$PYTHON_CMD rhdp/rhdp-cluster-define.py --multicluster ${AZUREREGION}
+echo "---------------------"
+echo "clusters defined"
+echo "---------------------"
+sleep 10
+
+echo "---------------------"
+echo "creating hub cluster first"
+echo "---------------------"
+openshift-install create cluster --dir=./openshift-install-hub --log-level=info
+echo "hub cluster creation done"
+echo "---------------------"
+
+echo "setting up secrets"
+bash ./scripts/gen-secrets.sh
+
+echo "---------------------"
+echo "starting pattern install on hub cluster"
+echo "---------------------"
+export KUBECONFIG="$(pwd)/openshift-install-hub/auth/kubeconfig"
+
+# Start pattern installation in background
+./pattern.sh make install &
+PATTERN_PID=$!
+echo "Pattern installation started in background (PID: $PATTERN_PID)"
+
+echo "---------------------"
+echo "creating spoke cluster (while pattern installs)"
+echo "---------------------"
+openshift-install create cluster --dir=./openshift-install-spoke --log-level=info &
+SPOKE_PID=$!
+echo "Spoke cluster creation started in background (PID: $SPOKE_PID)"
+
+# Wait for pattern installation to complete
+echo "Waiting for pattern installation to complete..."
+wait $PATTERN_PID
+PATTERN_EXIT_CODE=$?
+
+if [ $PATTERN_EXIT_CODE -ne 0 ]; then
+ echo "ERROR: Pattern installation failed with exit code $PATTERN_EXIT_CODE"
+else
+ echo "Pattern installation completed successfully!"
+fi
+
+# Wait for spoke cluster to complete
+echo "Waiting for spoke cluster creation to complete..."
+wait $SPOKE_PID
+SPOKE_EXIT_CODE=$?
+
+if [ $SPOKE_EXIT_CODE -ne 0 ]; then
+ echo "WARNING: Spoke cluster creation failed with exit code $SPOKE_EXIT_CODE"
+else
+ echo "Spoke cluster creation completed successfully!"
+fi
+
+echo "---------------------"
+echo "Deployment Summary"
+echo "---------------------"
+echo "Hub cluster (coco-hub) kubeconfig: $(pwd)/openshift-install-hub/auth/kubeconfig"
+
+if [ $SPOKE_EXIT_CODE -eq 0 ]; then
+ echo "Spoke cluster (coco-spoke) kubeconfig: $(pwd)/openshift-install-spoke/auth/kubeconfig"
+ echo "Both clusters deployed successfully!"
+else
+ echo "Spoke cluster (coco-spoke): FAILED (exit code: $SPOKE_EXIT_CODE)"
+ echo "Only hub cluster available"
+fi
+
+if [ $PATTERN_EXIT_CODE -eq 0 ]; then
+ echo "Pattern: Successfully deployed to hub cluster"
+else
+ echo "Pattern: FAILED to deploy (exit code: $PATTERN_EXIT_CODE)"
+fi
+
+echo "---------------------"
+echo "done"
+echo "---------------------"
\ No newline at end of file
diff --git a/rhdp/wrapper.sh b/rhdp/wrapper.sh
index 4304157b..5fbf6994 100755
--- a/rhdp/wrapper.sh
+++ b/rhdp/wrapper.sh
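Review bot: Under `set -e`, `wait $PATTERN_PID` returning non-zero aborts the script before `PATTERN_EXIT_CODE=$?` runs, so the failure branch and the summary are never reached and the backgrounded spoke `openshift-install` is left running detached; the same applies to `wait $SPOKE_PID`. Capture the status with `|| PATTERN_EXIT_CODE=$?` (after initialising it to 0) so errexit does not fire, and finish with a non-zero exit when either job failed — at present the script exits 0 after printing FAILED, which hides the failure from any caller or CI. `export KUBECONFIG` is set before the spoke installer is launched; that is presumably harmless since the installer writes its own auth directory, but a comment would spare the next reader the doubt. The `sleep 10`/`sleep 5` pauses look like leftovers and could go.
```shell
# … unchanged: hub install, gen-secrets, background pattern install and spoke install …
PATTERN_EXIT_CODE=0
SPOKE_EXIT_CODE=0

# Wait for pattern installation to complete
echo "Waiting for pattern installation to complete..."
wait $PATTERN_PID || PATTERN_EXIT_CODE=$?

# … unchanged: pattern result message …

# Wait for spoke cluster to complete
echo "Waiting for spoke cluster creation to complete..."
wait $SPOKE_PID || SPOKE_EXIT_CODE=$?

# … unchanged: spoke result message and deployment summary …

# Propagate failure of either job to the caller
if [ "$PATTERN_EXIT_CODE" -ne 0 ] || [ "$SPOKE_EXIT_CODE" -ne 0 ]; then
  exit 1
fi
```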
@@ -1,6 +1,18 @@
 #!/usr/bin/env bash
-set -e
+set -e
+
+# Function to detect available python binary
+get_python_cmd() {
+ if command -v python &> /dev/null; then
+ echo "python"
+ elif command -v python3 &> /dev/null; then
+ echo "python3"
+ else
+ echo "ERROR: Neither python3 nor python is available" >&2
+ exit 1
+ fi
+}
 if [ "$#" -ne 1 ]; then
 echo "Error: Exactly one argument is required."
@@ -10,6 +22,40 @@ if [ "$#" -ne 1 ]; then
 fi
 AZUREREGION=$1
+echo "---------------------"
+echo "Validating configuration"
+echo "---------------------"
+
+# Check if values-global.yaml exists
+if [ ! -f "values-global.yaml" ]; then
+ echo "ERROR: values-global.yaml file not found in current directory"
+ echo "Please run this script from the root directory of the project"
+ exit 1
+fi
+
+# Check if yq is available
+if ! command -v yq &> /dev/null; then
+ echo "ERROR: yq is required but not installed"
+ echo "Please install yq: https://github.com/mikefarah/yq#install"
+ exit 1
+fi
+
+# Extract clusterGroupName from values-global.yaml using yq
+CLUSTER_GROUP_NAME=$(yq eval '.main.clusterGroupName' values-global.yaml)
+
+if [ "$CLUSTER_GROUP_NAME" != "simple" ]; then
+ echo "ERROR: Incorrect clusterGroupName configuration"
+ echo "Expected: simple"
+ echo "Found: $CLUSTER_GROUP_NAME"
+ echo ""
+ echo "Please update values-global.yaml:"
+ echo " main:"
+ echo " clusterGroupName: simple"
+ exit 1
+fi
+
+echo "Configuration validation passed: clusterGroupName = $CLUSTER_GROUP_NAME"
+
 echo "Run from the root directory of the project"
 echo "\n"
 echo "Ensuring azure environment is installed"
@@ -66,7 +112,8 @@ fi
 echo "---------------------"
 echo "defining cluster"
 echo "---------------------"
-python rhdp/rhdp-cluster-define.py ${AZUREREGION}
+PYTHON_CMD=$(get_python_cmd)
+$PYTHON_CMD rhdp/rhdp-cluster-define.py ${AZUREREGION}
 echo "---------------------"
 echo "cluster defined"
 echo "---------------------"
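Review bot: `exit 1` inside `get_python_cmd` only terminates the `$(...)` subshell; the script still stops because `set -e` treats the failed assignment `PYTHON_CMD=$(get_python_cmd)` as an error, which is correct but non-obvious and deserves a comment on the assignment such as `# exit 1 in the helper ends only the $(...) subshell; set -e aborts on the failed assignment`. The python-binary helper and the whole validation block are now duplicated across three wrappers in this commit; a sourced `rhdp/common.sh` would keep them in step (the python/python3 preference order is raised on wrapper-cluster-only.sh). The `yq` check is good, but `yq eval` prints `null` for a missing key, so the `Found: $CLUSTER_GROUP_NAME` message is the only clue when `main.clusterGroupName` is absent — acceptable, just worth knowing. The `echo "\n"` context line prints a literal backslash-n under bash, a pre-existing nit.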
@@ -86,7 +133,7 @@ sleep 60
 echo "---------------------"
 echo "pattern install"
 echo "---------------------"
-export KUBECONFIG=`pwd`/openshift-install/auth/kubeconfig
+export KUBECONFIG="$(pwd)/openshift-install/auth/kubeconfig"
 ./pattern.sh make install
diff --git a/values-global.yaml b/values-global.yaml
index 84790c7e..d1020b6e 100644
--- a/values-global.yaml
+++ b/values-global.yaml
@@ -9,8 +9,8 @@ global:
 # Defines whether or not the hub cluster can be used for confidential containers
 coco:
 azure:
- enabled: true
 defaultVMFlavour: "Standard_DC2as_v5"
+ VMFlavours: "Standard_DC2as_v5,Standard_DC4as_v5,Standard_DC8as_v5,Standard_DC16as_v5"
 main:
 # WARNING
 # This default configuration uses a single cluster on azure.
@@ -19,3 +19,8 @@ main:
 multiSourceConfig:
 enabled: true
 clusterGroupChartVersion: 0.9.*
+
+# Common secret store configuration used across multiple charts
+secretStore:
+ name: vault-backend
+ kind: ClusterSecretStore
diff --git a/values-simple.yaml b/values-simple.yaml
index 7469a8ef..a1f42781 100644
--- a/values-simple.yaml
+++ b/values-simple.yaml
@@ -79,12 +79,16 @@ clusterGroup:
 namespace: trustee-operator-system #upstream config
 project: trustee
 path: charts/hub/trustee
-
 sandbox:
 name: sandbox
 namespace: openshift-sandboxed-containers-operator #upstream config
 project: sandbox
 path: charts/coco-supported/sandbox
+ sandbox-policies:
+ name: sandbox-policies
+ namespace: openshift-sandboxed-containers-operator #upstream config
+ project: sandbox
+ path: charts/hub/sandbox-policies
 
 # Letsencrypt is not required anymore for trustee.
 # It's only here if you need it for your needs.
@@ -138,13 +142,4 @@ clusterGroup:
 - name: init-data-gzipper
 playbook: ansible/init-data-gzipper.yaml
 verbosity: -vvv
- timeout: 3600
- managedClusterGroups:
- exampleRegion:
- name: group-one
- acmlabels:
- - name: clusterGroup
- value: group-one
- helmOverrides:
- - name: clusterGroup.isHubCluster
- value: false
+ timeout: 3600
\ No newline at end of file
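Review bot: In the values-global.yaml hunk `coco.azure.enabled: true` is removed with no replacement, so any template still reading `.Values.global.coco.azure.enabled` now sees a nil (falsy) value and the feature is silently switched off; if no consumer remains, a short comment above `azure:` saying the flag was retired would keep it from being re-added, and if one does, it needs updating in the same change. `VMFlavours` is a comma-joined string inside quotes rather than a YAML sequence; unless the consuming chart splits it, a list (`- "Standard_DC2as_v5"` …) is easier to validate and to override per environment. The `# WARNING` / single-cluster comment under `main:` now sits in a file that the multicluster wrapper also consumes, so it should mention that `clusterGroupName` must be `trusted-hub` for the hub/spoke layout.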
diff --git a/values-trusted-hub.yaml b/values-trusted-hub.yaml
new file mode 100644
index 00000000..2c5af766
--- /dev/null
+++ b/values-trusted-hub.yaml
@@ -0,0 +1,106 @@
+# This is currently configured as an 'all in one' deployment in one cluster.
+
+clusterGroup:
+ name: trusted-hub
+ isHubCluster: true
+ namespaces:
+ - open-cluster-management
+ - vault
+ - golang-external-secrets
+ - trustee-operator-system
+ - cert-manager-operator
+ - openshift-sandboxed-containers-operator
+ - cert-manager
+ subscriptions:
+ # ACM is kept anticipating
+ acm:
+ name: advanced-cluster-management
+ namespace: open-cluster-management
+ channel: release-2.13
+ trustee:
+ name: trustee-operator
+ namespace: trustee-operator-system
+ source: redhat-operators
+ channel: stable
+ installPlanApproval: Manual
+ csv: trustee-operator.v0.4.1
+ cert-manager:
+ name: openshift-cert-manager-operator
+ namespace: cert-manager-operator
+ channel: stable-v1
+
+ projects:
+ - hub
+ - vault
+ - trustee
+ - golang-external-secrets
+ - sandbox
+ - workloads
+ - default
+ # Explicitly mention the cluster-state based overrides we plan to use for this pattern.
+ # We can use self-referential variables because the chart calls the tpl function with these variables defined
+ sharedValueFiles:
+ - '/overrides/values-{{ $.Values.global.clusterPlatform }}.yaml'
+ applications:
+ acm:
+ name: acm
+ namespace: open-cluster-management
+ project: hub
+ chart: acm
+ chartVersion: 0.1.*
+
+ vault:
+ name: vault
+ namespace: vault
+ project: vault
+ chart: hashicorp-vault
+ chartVersion: 0.1.*
+
+ secrets-operator:
+ name: golang-external-secrets
+ namespace: golang-external-secrets
+ project: golang-external-secrets
+ chart: golang-external-secrets
+ chartVersion: 0.1.*
+
+ trustee:
+ name: trustee
+ namespace: trustee-operator-system #upstream config
+ project: trustee
+ path: charts/hub/trustee
+ sandbox-policies:
+ name: sandbox-policies
+ namespace: openshift-sandboxed-containers-operator #upstream config
+ project: sandbox
+ path: charts/hub/sandbox-policies
+
+
+ imperative:
+ # NOTE: We *must* use lists and not hashes. As hashes lose ordering once parsed by helm
+ # The default schedule is every 10 minutes: imperative.schedule
+ # Total timeout of all jobs is 1h: imperative.activeDeadlineSeconds
+ # imagePullPolicy is set to always: imperative.imagePullPolicy
+ # For additional overrides that apply to the jobs, please refer to
+ # https://hybrid-cloud-patterns.io/imperative-actions/#additional-job-customizations
+ jobs:
+ - name: install-deps
+ playbook: ansible/install-deps.yaml
+ verbosity: -vvv
+ timeout: 3600
+ - name: gen-certificate
+ playbook: ansible/gen-certificate.yaml
+ verbosity: -vvv
+ timeout: 3600
+ - name: init-data-gzipper
+ playbook: ansible/init-data-gzipper.yaml
+ verbosity: -vvv
+ timeout: 3600
+ managedClusterGroups:
+ untrusted-spoke:
+ name: untrusted-spoke
+ acmlabels:
+ - name: clusterGroup
+ value: untrusted-spoke
+ helmOverrides:
+ - name: clusterGroup.isHubCluster
+ value: false
diff --git a/values-untrusted-spoke.yaml b/values-untrusted-spoke.yaml
new file mode 100644
index 00000000..69b0b019
--- /dev/null
+++ b/values-untrusted-spoke.yaml
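Review bot: The header comment `# This is currently configured as an 'all in one' deployment in one cluster.` is carried over from the single-cluster values file and is wrong for `values-trusted-hub.yaml`, which defines a hub with a `managedClusterGroups.untrusted-spoke` entry; the same stale line opens `values-untrusted-spoke.yaml`. Suggest `# Hub cluster group for the hub/spoke layout: runs ACM, vault, trustee and the sandbox policies; confidential workloads run on the untrusted-spoke group.` Likewise `# ACM is kept anticipating` above the `acm` subscription is an unfinished sentence. The `trustee` subscription is pinned with `installPlanApproval: Manual` and an explicit `csv`, while `acm` and `cert-manager` follow their channels automatically; if the pin is deliberate for the attestation component, a one-line comment explaining why (and who bumps it) would help the next maintainer.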
@@ -0,0 +1,80 @@
+# This is currently configured as an 'all in one' deployment in one cluster.
+
+clusterGroup:
+ name: untrusted-spoke
+ isHubCluster: false
+ namespaces:
+ - golang-external-secrets
+ - openshift-sandboxed-containers-operator
+ - hello-openshift
+ - kbs-access
+ - cert-manager-operator
+ subscriptions:
+ # ACM is kept anticipating
+ sandbox:
+ name: sandboxed-containers-operator
+ namespace: openshift-sandboxed-containers-operator
+ source: redhat-operators
+ channel: stable
+ installPlanApproval: Manual
+ csv: sandboxed-containers-operator.v1.10.1
+ cert-manager:
+ name: openshift-cert-manager-operator
+ namespace: cert-manager-operator
+ channel: stable-v1
+
+ projects:
+ - hub
+ - vault
+ - trustee
+ - golang-external-secrets
+ - sandbox
+ - workloads
+ - default
+ # Explicitly mention the cluster-state based overrides we plan to use for this pattern.
+ # We can use self-referential variables because the chart calls the tpl function with these variables defined
+ sharedValueFiles:
+ - '/overrides/values-{{ $.Values.global.clusterPlatform }}.yaml'
+ applications:
+
+ secrets-operator:
+ name: golang-external-secrets
+ namespace: golang-external-secrets
+ project: golang-external-secrets
+ chart: golang-external-secrets
+ chartVersion: 0.1.*
+
+ sandbox:
+ name: sandbox
+ namespace: openshift-sandboxed-containers-operator #upstream config
+ project: sandbox
+ path: charts/coco-supported/sandbox
+
+ hello-openshift:
+ name: hello-openshift
+ namespace: hello-openshift
+ project: workloads
+ path: charts/coco-supported/hello-openshift
+
+ kbs-access:
+ name: kbs-access
+ namespace: kbs-access
+ project: workloads
+ path: charts/coco-supported/kbs-access
+
+ imperative:
+ # NOTE: We *must* use lists and not hashes. As hashes lose ordering once parsed by helm
+ # The default schedule is every 10 minutes: imperative.schedule
+ # Total timeout of all jobs is 1h: imperative.activeDeadlineSeconds
+ # imagePullPolicy is set to always: imperative.imagePullPolicy
+ # For additional overrides that apply to the jobs, please refer to
+ # https://hybrid-cloud-patterns.io/imperative-actions/#additional-job-customizations
+ jobs:
+ - name: install-deps
+ playbook: ansible/install-deps.yaml
+ verbosity: -vvv
+ timeout: 3600
+ - name: configure-azure-nat-gateway
+ playbook: ansible/azure-nat-gateway.yaml
+ verbosity: -vvv
+ timeout: 3600
\ No newline at end of file
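Review bot: `projects` on the untrusted spoke lists `hub`, `vault` and `trustee`, but no application in this file uses them — only `golang-external-secrets`, `sandbox` and `workloads` appear under `applications`; each listed entry presumably becomes an Argo CD AppProject on the spoke, so trimming the list to the three in use keeps the untrusted cluster from carrying deployment scope it does not need (`default` may be required by the framework; if so, say so in a comment). The `# ACM is kept anticipating` comment above the `sandbox` subscription is copied from the hub file and does not apply here; replace it with what the `installPlanApproval: Manual` and pinned `csv: sandboxed-containers-operator.v1.10.1` are for, e.g. `# Pinned: the sandbox operator version must match the policies shipped by the hub`, if that is the reason. The `cert-manager-operator` namespace is created but no cert-manager application or consumer is declared in this file; if the subscription is only here for the `kbs-access` chart, a comment tying them together would help.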