Merge commit 'fe564d72279f4ab061b961dd528623f0ed272667' as 'cluster-config'

This commit is contained in:
2025-03-30 15:46:16 -05:00
346 changed files with 11754 additions and 0 deletions

View File

@@ -0,0 +1,26 @@
apiVersion: external-secrets.io/v1alpha1
kind: PushSecret
metadata:
name: admission-tls
namespace: stackrox
spec:
refreshInterval: 10s
secretStoreRefs:
- name: doppler-push-secret
kind: ClusterSecretStore
selector:
secret:
name: admission-control-tls
data:
- match:
secretKey: ca.pem
remoteRef:
remoteKey: ACS_ADMISSION_CONTROL_TLS_CA
- match:
secretKey: admission-control-cert.pem
remoteRef:
remoteKey: ACS_ADMISSION_CONTROL_TLS_CERT
- match:
secretKey: admission-control-key.pem
remoteRef:
remoteKey: ACS_ADMISSION_CONTROL_TLS_KEY

View File

@@ -0,0 +1,26 @@
apiVersion: external-secrets.io/v1alpha1
kind: PushSecret
metadata:
name: collector-tls
namespace: stackrox
spec:
refreshInterval: 10s
secretStoreRefs:
- name: doppler-push-secret
kind: ClusterSecretStore
selector:
secret:
name: collector-tls
data:
- match:
secretKey: ca.pem
remoteRef:
remoteKey: ACS_COLLECTOR_TLS_CA
- match:
secretKey: collector-cert.pem
remoteRef:
remoteKey: ACS_COLLECTOR_TLS_CERT
- match:
secretKey: collector-key.pem
remoteRef:
remoteKey: ACS_COLLECTOR_TLS_KEY

View File

@@ -0,0 +1,31 @@
commonAnnotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
resources:
- github.com/redhat-cop/gitops-catalog/advanced-cluster-security-operator/aggregate/default
- admission-control-tls-push-secret.yaml
- collector-tls-push-secret.yaml
- sensor-tls-push-secret.yaml
patches:
- patch: |-
- op: replace
path: /spec/channel
value: 'rhacs-4.7'
target:
kind: Subscription
name: rhacs-operator
- patch: |-
- op: replace
path: /spec/perNode/collector/collection
value: EBPF
target:
kind: SecuredCluster
- patch: |-
- op: add
path: /spec/central/declarativeConfiguration
value:
secrets:
- name: declarative-configurations
target:
kind: Central

View File

@@ -0,0 +1,26 @@
apiVersion: external-secrets.io/v1alpha1
kind: PushSecret
metadata:
name: sensor-tls
namespace: stackrox
spec:
refreshInterval: 10s
secretStoreRefs:
- name: doppler-push-secret
kind: ClusterSecretStore
selector:
secret:
name: sensor-tls
data:
- match:
secretKey: ca.pem
remoteRef:
remoteKey: ACS_SENSOR_TLS_CA
- match:
secretKey: sensor-cert.pem
remoteRef:
remoteKey: ACS_SENSOR_TLS_CERT
- match:
secretKey: sensor-key.pem
remoteRef:
remoteKey: ACS_SENSOR_TLS_KEY

View File

@@ -0,0 +1,25 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
annotations:
argocd.argoproj.io/sync-wave: "0"
name: admission-control-tls
namespace: stackrox-secured-cluster-service
spec:
refreshInterval: 1h
secretStoreRef:
kind: ClusterSecretStore
name: doppler-cluster
target:
name: admission-control-tls
creationPolicy: Owner
data:
- secretKey: ca.pem
remoteRef:
key: ACS_ADMISSION_CONTROL_TLS_CA
- secretKey: admission-control-cert.pem
remoteRef:
key: ACS_ADMISSION_CONTROL_TLS_CERT
- secretKey: admission-control-key.pem
remoteRef:
key: ACS_ADMISSION_CONTROL_TLS_KEY

View File

@@ -0,0 +1,25 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
annotations:
argocd.argoproj.io/sync-wave: "0"
name: collector-tls
namespace: stackrox-secured-cluster-service
spec:
refreshInterval: 1h
secretStoreRef:
kind: ClusterSecretStore
name: doppler-cluster
target:
name: collector-tls
creationPolicy: Owner
data:
- secretKey: ca.pem
remoteRef:
key: ACS_COLLECTOR_TLS_CA
- secretKey: collector-cert.pem
remoteRef:
key: ACS_COLLECTOR_TLS_CERT
- secretKey: collector-key.pem
remoteRef:
key: ACS_COLLECTOR_TLS_KEY

View File

@@ -0,0 +1,25 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
annotations:
argocd.argoproj.io/sync-wave: "0"
name: sensor-tls
namespace: stackrox-secured-cluster-service
spec:
refreshInterval: 1h
secretStoreRef:
kind: ClusterSecretStore
name: doppler-cluster
target:
name: sensor-tls
creationPolicy: Owner
data:
- secretKey: ca.pem
remoteRef:
key: ACS_SENSOR_TLS_CA
- secretKey: sensor-cert.pem
remoteRef:
key: ACS_SENSOR_TLS_CERT
- secretKey: sensor-key.pem
remoteRef:
key: ACS_SENSOR_TLS_KEY

View File

@@ -0,0 +1,19 @@
# commonAnnotations:
# argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
resources:
- github.com/redhat-cop/gitops-catalog/advanced-cluster-security-operator/operator/overlays/latest
- namespace.yaml
- acs-admission-control-tls-secret.yaml
- acs-sensor-tls-secret.yaml
- acs-collector-tls-secret.yaml
- secured-cluster.yaml
patches:
- patch: |-
- op: replace
path: /spec/channel
value: 'rhacs-4.7'
target:
kind: Subscription
name: rhacs-operator

View File

@@ -0,0 +1,6 @@
apiVersion: v1
kind: Namespace
metadata:
annotations:
argocd.argoproj.io/sync-wave: "0"
name: stackrox-secured-cluster-service

View File

@@ -0,0 +1,18 @@
kind: SecuredCluster
apiVersion: platform.stackrox.io/v1alpha1
metadata:
annotations:
argocd.argoproj.io/sync-wave: "5"
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
name: stackrox-secured-cluster-services
namespace: stackrox-secured-cluster-service
spec:
clusterName: ${CLUSTER_NAME}
centralEndpoint: central-stackrox.apps.hub.ocplab.com:443
admissionControl:
contactImageScanners: ScanIfMissing
listenOnCreates: true
listenOnUpdates: true
timeoutSeconds: 6
scannerV4:
scannerComponent: Default

View File

@@ -0,0 +1,79 @@
apiVersion: batch/v1
kind: Job
metadata:
annotations:
argocd.argoproj.io/sync-wave: "10"
name: create-sso-auth-provider
namespace: stackrox
spec:
template:
spec:
containers:
- image: image-registry.openshift-image-registry.svc:5000/openshift/cli:latest
env:
- name: CLIENT_SECRET
valueFrom:
secretKeyRef:
name: sso-secret
key: client-secret
- name: PASSWORD
valueFrom:
secretKeyRef:
name: central-htpasswd
key: password
- name: ISSUER
value: https://sso-sso.apps.home.ocplab.com/auth/realms/openshift
- name: DEFAULT_ROLE
value: Admin
command:
- /bin/bash
- -c
- |
#!/usr/bin/env bash
# Wait for central to be ready
attempt_counter=0
max_attempts=20
echo "Waiting for central to be available..."
until $(curl -k --output /dev/null --silent --head --fail https://central); do
if [ ${attempt_counter} -eq ${max_attempts} ];then
echo "Max attempts reached"
exit 1
fi
printf '.'
attempt_counter=$(($attempt_counter+1))
echo "Made attempt $attempt_counter, waiting..."
sleep 5
done
echo "Configuring SSO Provider"
echo "Test if SSO Provider already exists"
response=$(curl -k -u "admin:$PASSWORD" https://central/v1/authProviders?name=OpenShift | python3 -c "import sys, json; print(json.load(sys.stdin)['authProviders'], end = '')")
if [[ "$response" != "[]" ]] ; then
echo "OpenShift Provider already exists, exiting"
exit 0
fi
export DATA='{"name":"OpenShift","type":"oidc","uiEndpoint":"central-stackrox.apps.home.ocplab.com","enabled":true,"config":{"client_id":"stackrox","client_secret":"'${CLIENT_SECRET}'","issuer":"'$ISSUER'","mode":"post"},"validated":true,"extraUiEndpoints":[],"active":true}'
echo "Posting data: ${DATA}"
authid=$(curl -k -X POST -u "admin:$PASSWORD" -H "Content-Type: application/json" --data $DATA https://central/v1/authProviders | python3 -c "import sys, json; print(json.load(sys.stdin)['id'], end = '')")
echo "Authentication Provider created with id ${authid}"
echo "Updating minimum role to Admin"
export DATA='{"previous_groups":[],"required_groups":[{"props":{"authProviderId":"'${authid}'"},"roleName":"'${DEFAULT_ROLE}'"}]}'
curl -k -X POST -u "admin:$PASSWORD" -H "Content-Type: application/json" --data $DATA https://central/v1/groupsbatch
imagePullPolicy: Always
name: create-sso-auth-provider
dnsPolicy: ClusterFirst
restartPolicy: Never
serviceAccount: create-cluster-init
serviceAccountName: create-cluster-init
terminationGracePeriodSeconds: 30

View File

@@ -0,0 +1,18 @@
commonAnnotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
resources:
- github.com/redhat-cop/gitops-catalog/advanced-cluster-security-operator/operator/overlays/latest
- github.com/redhat-cop/gitops-catalog/advanced-cluster-security-operator/instance/overlays/internal-registry-integration
- sso-sealed-secret.yaml
- create-sso-auth-provider-job.yaml
# Use Andrew's Pipeline to create Stackrox API Tokens in tenant namespaces
- github.com/pittar-gitops/gitops-mono-repo-admins/03-cluster-services/08-advanced-cluster-security/pipelines-and-secrets
patchesJson6902:
- path: patch-resources.yaml
target:
group: platform.stackrox.io
kind: Central
name: central
version: v1alpha1

View File

@@ -0,0 +1,22 @@
- op: add
path: /spec/central/resources
value:
limits:
memory: 2Gi
requests:
cpu: 500m
memory: 512Mi
- op: add
path: /spec/scanner/analyzer/resources
value:
limits:
memory: 1Gi
requests:
cpu: 250m
memory: 500Mi
- op: replace
path: /spec/scanner/analyzer/scaling/autoScaling
value: Disabled
- op: replace
path: /spec/scanner/analyzer/scaling/replicas
value: 2

View File

@@ -0,0 +1,15 @@
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
annotations:
argocd.argoproj.io/sync-wave: "0"
name: sso-secret
namespace: stackrox
spec:
encryptedData:
client-secret: AgCk7m6UEoCoLvvLbUW+lXnYxaZ9Hm520Xg9/h9KMifm9mqFnzfxdlPksgZ0SIyw446ThrpAd/x39K1Azm5tMgQwIn+DaTOaDS3NVrwQWnaTBFph5AJ8DbcAMKFfSZAddCCizPlfkB3kv7zL8EIbj9d59Qbn3/0mu4hgqN0I2kOptQwFXt+kYYChrJ13LwDVJ5/wxPCa1VKUQ/osSX9wrddRBn/UQLPpXtH8loePfjn+9/oMMq49S4oiN9AjNUzuLLQHmg0OmeRtH34lGAkFgWHjNboOUDsmDCb78olGKTDIzNJ/Xz6iFmszZm1bhj7IG/VtcGoxroC/eddp1chGq4M8pMYEQkON6vp1bzP6LY3x6PxLjFg0Yl1EPSMZXyONNWJ9pl4drPsJqnw0QqLQG172ucbpGy2CwiaZ4ZwPtp/JcPJCDVW2nwwJNyNodfS8DgUbTF+cHm3/W0Z5BWi5CQvXBMRF3a9LyIuRoFW9w5XNnqKQP0lP/8NKW1K5LmgpVuJSGNg6JEQyRSDnK7WAnfDReDTTTEoivjFFQ7uUJFP/RDYWiXvSE3hNYse331QO5DCATmyDPm36txFaKtfVy/TdVhU7gV07FHPQju7IqfoI9pkc0pQtFUUYB9nFamuHsvkO4brnAjIYuCl7SJeM8xK37xLO4KgbKm/ldqxb80eUScBH963Lk9+H4zgyJ5Wq04dDdnxWrBedXjY00UBbmJ4CVDoGL/24HHbi118ZFTa3N9AJDss=
template:
metadata:
name: sso-secret
namespace: stackrox
type: Opaque