Squashed 'cluster-config/' content from commit 654f2390
git-subtree-dir: cluster-config git-subtree-split: 654f23903bd1f9a27a4810bd289d165b6cfdbb0c
This commit is contained in:
38
components/3scale-operator/base/apimanager.yaml
Normal file
38
components/3scale-operator/base/apimanager.yaml
Normal file
@@ -0,0 +1,38 @@
|
||||
apiVersion: apps.3scale.net/v1alpha1
|
||||
kind: APIManager
|
||||
metadata:
|
||||
name: apimanager
|
||||
namespace: 3scale
|
||||
spec:
|
||||
resourceRequirementsEnabled: true
|
||||
wildcardDomain: 3scale.apps.home.ocplab.com
|
||||
system:
|
||||
database:
|
||||
postgresql:
|
||||
persistentVolumeClaim:
|
||||
storageClassName: iscsi
|
||||
redisPersistentVolumeClaim:
|
||||
storageClassName: iscsi
|
||||
fileStorage:
|
||||
persistentVolumeClaim:
|
||||
storageClassName: managed-nfs-storage
|
||||
redisResources:
|
||||
requests:
|
||||
cpu: 150m
|
||||
memory: 256Mi
|
||||
limits:
|
||||
cpu: 500m
|
||||
memory: 4Gi
|
||||
backend:
|
||||
redisPersistentVolumeClaim:
|
||||
storageClassName: iscsi
|
||||
redisResources:
|
||||
limits:
|
||||
cpu: 500m
|
||||
memory: 4Gi
|
||||
requests:
|
||||
cpu: 150m
|
||||
memory: 256Mi
|
||||
fileStorage:
|
||||
persistentVolumeClaim:
|
||||
storageClassName: managed-nfs-storage
|
||||
125
components/acs-config/base/declarative-config.yaml
Normal file
125
components/acs-config/base/declarative-config.yaml
Normal file
@@ -0,0 +1,125 @@
|
||||
apiVersion: external-secrets.io/v1beta1
|
||||
kind: ExternalSecret
|
||||
metadata:
|
||||
name: declarative-configurations
|
||||
namespace: stackrox
|
||||
spec:
|
||||
refreshInterval: 1h
|
||||
secretStoreRef:
|
||||
kind: ClusterSecretStore
|
||||
name: doppler-cluster
|
||||
target:
|
||||
name: declarative-configurations
|
||||
creationPolicy: Owner
|
||||
template:
|
||||
data:
|
||||
keycloak-auth.yaml: |
|
||||
name: keycloak
|
||||
minimumRole: None
|
||||
uiEndpoint: central-stackrox.${SUB_DOMAIN}:443
|
||||
oidc:
|
||||
issuer: https://keycloak.${SUB_DOMAIN}/realms/openshift
|
||||
mode: auto
|
||||
clientID: acs
|
||||
clientSecret: {{ .keycloak_client_secret }}
|
||||
disableOfflineAccessScope: true
|
||||
groups:
|
||||
- key: email
|
||||
value: admin@ocplab.com
|
||||
role: Admin
|
||||
- key: email
|
||||
value: clusteradmin@workshop-noreply.com
|
||||
role: Admin
|
||||
- key: email
|
||||
value: gnunn+user1@redhat.com
|
||||
role: Product Catalog Admins
|
||||
openshift-auth.yaml: |
|
||||
name: openshift
|
||||
uiEndpoint: central-stackrox.${SUB_DOMAIN}:443
|
||||
openshift:
|
||||
enable: true
|
||||
minimumRole: None
|
||||
groups:
|
||||
- key: name
|
||||
value: admin
|
||||
role: Admin
|
||||
- key: groups
|
||||
value: product-catalog-admins
|
||||
role: Product Catalog Admins
|
||||
product-catalog-access-scope.yaml: |
|
||||
name: product-catalog-admins
|
||||
description: Access rights for users that can manage Product Catalog namespaces
|
||||
rules:
|
||||
includedNamespaces:
|
||||
- clusterName: home
|
||||
namespaceName: product-catalog-dev
|
||||
- clusterName: home
|
||||
namespaceName: product-catalog-test
|
||||
- clusterName: home
|
||||
namespaceName: product-catalog-monitor
|
||||
- clusterName: home
|
||||
namespaceName: product-catalog-prod
|
||||
- clusterName: home
|
||||
namespaceName: product-catalog-cicd
|
||||
- clusterName: home
|
||||
namespaceName: product-catalog-gitops
|
||||
namespace-admin-permission-set.yaml: |
|
||||
name: Namespace Administrator
|
||||
description: A user that is an administrator of one or namespaces across various clusters
|
||||
resources:
|
||||
- resource: Access
|
||||
access: NO_ACCESS
|
||||
- resource: Administration
|
||||
access: NO_ACCESS
|
||||
- resource: Alert
|
||||
access: READ_ACCESS
|
||||
- resource: CVE
|
||||
access: READ_ACCESS
|
||||
- resource: Cluster
|
||||
access: READ_ACCESS
|
||||
- resource: Compliance
|
||||
access: READ_ACCESS
|
||||
- resource: Deployment
|
||||
access: READ_ACCESS
|
||||
- resource: DeploymentExtension
|
||||
access: READ_ACCESS
|
||||
- resource: Detection
|
||||
access: READ_ACCESS
|
||||
- resource: Image
|
||||
access: READ_ACCESS
|
||||
- resource: Integration
|
||||
access: NO_ACCESS
|
||||
- resource: K8sRole
|
||||
access: READ_ACCESS
|
||||
- resource: K8sRoleBinding
|
||||
access: READ_ACCESS
|
||||
- resource: K8sSubject
|
||||
access: READ_ACCESS
|
||||
- resource: Namespace
|
||||
access: READ_ACCESS
|
||||
- resource: NetworkGraph
|
||||
access: READ_ACCESS
|
||||
- resource: NetworkPolicy
|
||||
access: READ_ACCESS
|
||||
- resource: Node
|
||||
access: READ_ACCESS
|
||||
- resource: Secret
|
||||
access: READ_ACCESS
|
||||
- resource: ServiceAccount
|
||||
access: READ_ACCESS
|
||||
- resource: WatchedImage
|
||||
access: READ_WRITE_ACCESS
|
||||
- resource: VulnerabilityManagementApprovals
|
||||
access: READ_ACCESS
|
||||
- resource: VulnerabilityManagementRequests
|
||||
access: READ_WRITE_ACCESS
|
||||
product-catalog-roles.yaml: |
|
||||
name: Product Catalog Admins
|
||||
description: Administrators of product catalog namespaces
|
||||
permissionSet: Namespace Administrator
|
||||
accessScope: product-catalog-admins
|
||||
globalAccess: NO_ACCESS
|
||||
data:
|
||||
- secretKey: keycloak_client_secret
|
||||
remoteRef:
|
||||
key: ACS_KEYCLOAK_CLIENT_SECRET
|
||||
2
components/acs-config/base/kustomization.yaml
Normal file
2
components/acs-config/base/kustomization.yaml
Normal file
@@ -0,0 +1,2 @@
|
||||
resources:
|
||||
- declarative-config.yaml
|
||||
@@ -0,0 +1,26 @@
|
||||
apiVersion: external-secrets.io/v1alpha1
|
||||
kind: PushSecret
|
||||
metadata:
|
||||
name: admission-tls
|
||||
namespace: stackrox
|
||||
spec:
|
||||
refreshInterval: 10s
|
||||
secretStoreRefs:
|
||||
- name: doppler-push-secret
|
||||
kind: ClusterSecretStore
|
||||
selector:
|
||||
secret:
|
||||
name: admission-control-tls
|
||||
data:
|
||||
- match:
|
||||
secretKey: ca.pem
|
||||
remoteRef:
|
||||
remoteKey: ACS_ADMISSION_CONTROL_TLS_CA
|
||||
- match:
|
||||
secretKey: admission-control-cert.pem
|
||||
remoteRef:
|
||||
remoteKey: ACS_ADMISSION_CONTROL_TLS_CERT
|
||||
- match:
|
||||
secretKey: admission-control-key.pem
|
||||
remoteRef:
|
||||
remoteKey: ACS_ADMISSION_CONTROL_TLS_KEY
|
||||
@@ -0,0 +1,26 @@
|
||||
apiVersion: external-secrets.io/v1alpha1
|
||||
kind: PushSecret
|
||||
metadata:
|
||||
name: collector-tls
|
||||
namespace: stackrox
|
||||
spec:
|
||||
refreshInterval: 10s
|
||||
secretStoreRefs:
|
||||
- name: doppler-push-secret
|
||||
kind: ClusterSecretStore
|
||||
selector:
|
||||
secret:
|
||||
name: collector-tls
|
||||
data:
|
||||
- match:
|
||||
secretKey: ca.pem
|
||||
remoteRef:
|
||||
remoteKey: ACS_COLLECTOR_TLS_CA
|
||||
- match:
|
||||
secretKey: collector-cert.pem
|
||||
remoteRef:
|
||||
remoteKey: ACS_COLLECTOR_TLS_CERT
|
||||
- match:
|
||||
secretKey: collector-key.pem
|
||||
remoteRef:
|
||||
remoteKey: ACS_COLLECTOR_TLS_KEY
|
||||
@@ -0,0 +1,31 @@
|
||||
commonAnnotations:
|
||||
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
|
||||
|
||||
resources:
|
||||
- github.com/redhat-cop/gitops-catalog/advanced-cluster-security-operator/aggregate/default
|
||||
- admission-control-tls-push-secret.yaml
|
||||
- collector-tls-push-secret.yaml
|
||||
- sensor-tls-push-secret.yaml
|
||||
|
||||
patches:
|
||||
- patch: |-
|
||||
- op: replace
|
||||
path: /spec/channel
|
||||
value: 'rhacs-4.7'
|
||||
target:
|
||||
kind: Subscription
|
||||
name: rhacs-operator
|
||||
- patch: |-
|
||||
- op: replace
|
||||
path: /spec/perNode/collector/collection
|
||||
value: EBPF
|
||||
target:
|
||||
kind: SecuredCluster
|
||||
- patch: |-
|
||||
- op: add
|
||||
path: /spec/central/declarativeConfiguration
|
||||
value:
|
||||
secrets:
|
||||
- name: declarative-configurations
|
||||
target:
|
||||
kind: Central
|
||||
@@ -0,0 +1,26 @@
|
||||
apiVersion: external-secrets.io/v1alpha1
|
||||
kind: PushSecret
|
||||
metadata:
|
||||
name: sensor-tls
|
||||
namespace: stackrox
|
||||
spec:
|
||||
refreshInterval: 10s
|
||||
secretStoreRefs:
|
||||
- name: doppler-push-secret
|
||||
kind: ClusterSecretStore
|
||||
selector:
|
||||
secret:
|
||||
name: sensor-tls
|
||||
data:
|
||||
- match:
|
||||
secretKey: ca.pem
|
||||
remoteRef:
|
||||
remoteKey: ACS_SENSOR_TLS_CA
|
||||
- match:
|
||||
secretKey: sensor-cert.pem
|
||||
remoteRef:
|
||||
remoteKey: ACS_SENSOR_TLS_CERT
|
||||
- match:
|
||||
secretKey: sensor-key.pem
|
||||
remoteRef:
|
||||
remoteKey: ACS_SENSOR_TLS_KEY
|
||||
@@ -0,0 +1,25 @@
|
||||
apiVersion: external-secrets.io/v1beta1
|
||||
kind: ExternalSecret
|
||||
metadata:
|
||||
annotations:
|
||||
argocd.argoproj.io/sync-wave: "0"
|
||||
name: admission-control-tls
|
||||
namespace: stackrox-secured-cluster-service
|
||||
spec:
|
||||
refreshInterval: 1h
|
||||
secretStoreRef:
|
||||
kind: ClusterSecretStore
|
||||
name: doppler-cluster
|
||||
target:
|
||||
name: admission-control-tls
|
||||
creationPolicy: Owner
|
||||
data:
|
||||
- secretKey: ca.pem
|
||||
remoteRef:
|
||||
key: ACS_ADMISSION_CONTROL_TLS_CA
|
||||
- secretKey: admission-control-cert.pem
|
||||
remoteRef:
|
||||
key: ACS_ADMISSION_CONTROL_TLS_CERT
|
||||
- secretKey: admission-control-key.pem
|
||||
remoteRef:
|
||||
key: ACS_ADMISSION_CONTROL_TLS_KEY
|
||||
@@ -0,0 +1,25 @@
|
||||
apiVersion: external-secrets.io/v1beta1
|
||||
kind: ExternalSecret
|
||||
metadata:
|
||||
annotations:
|
||||
argocd.argoproj.io/sync-wave: "0"
|
||||
name: collector-tls
|
||||
namespace: stackrox-secured-cluster-service
|
||||
spec:
|
||||
refreshInterval: 1h
|
||||
secretStoreRef:
|
||||
kind: ClusterSecretStore
|
||||
name: doppler-cluster
|
||||
target:
|
||||
name: collector-tls
|
||||
creationPolicy: Owner
|
||||
data:
|
||||
- secretKey: ca.pem
|
||||
remoteRef:
|
||||
key: ACS_COLLECTOR_TLS_CA
|
||||
- secretKey: collector-cert.pem
|
||||
remoteRef:
|
||||
key: ACS_COLLECTOR_TLS_CERT
|
||||
- secretKey: collector-key.pem
|
||||
remoteRef:
|
||||
key: ACS_COLLECTOR_TLS_KEY
|
||||
@@ -0,0 +1,25 @@
|
||||
apiVersion: external-secrets.io/v1beta1
|
||||
kind: ExternalSecret
|
||||
metadata:
|
||||
annotations:
|
||||
argocd.argoproj.io/sync-wave: "0"
|
||||
name: sensor-tls
|
||||
namespace: stackrox-secured-cluster-service
|
||||
spec:
|
||||
refreshInterval: 1h
|
||||
secretStoreRef:
|
||||
kind: ClusterSecretStore
|
||||
name: doppler-cluster
|
||||
target:
|
||||
name: sensor-tls
|
||||
creationPolicy: Owner
|
||||
data:
|
||||
- secretKey: ca.pem
|
||||
remoteRef:
|
||||
key: ACS_SENSOR_TLS_CA
|
||||
- secretKey: sensor-cert.pem
|
||||
remoteRef:
|
||||
key: ACS_SENSOR_TLS_CERT
|
||||
- secretKey: sensor-key.pem
|
||||
remoteRef:
|
||||
key: ACS_SENSOR_TLS_KEY
|
||||
@@ -0,0 +1,19 @@
|
||||
# commonAnnotations:
|
||||
# argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
|
||||
|
||||
resources:
|
||||
- github.com/redhat-cop/gitops-catalog/advanced-cluster-security-operator/operator/overlays/latest
|
||||
- namespace.yaml
|
||||
- acs-admission-control-tls-secret.yaml
|
||||
- acs-sensor-tls-secret.yaml
|
||||
- acs-collector-tls-secret.yaml
|
||||
- secured-cluster.yaml
|
||||
|
||||
patches:
|
||||
- patch: |-
|
||||
- op: replace
|
||||
path: /spec/channel
|
||||
value: 'rhacs-4.7'
|
||||
target:
|
||||
kind: Subscription
|
||||
name: rhacs-operator
|
||||
@@ -0,0 +1,6 @@
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
annotations:
|
||||
argocd.argoproj.io/sync-wave: "0"
|
||||
name: stackrox-secured-cluster-service
|
||||
@@ -0,0 +1,18 @@
|
||||
kind: SecuredCluster
|
||||
apiVersion: platform.stackrox.io/v1alpha1
|
||||
metadata:
|
||||
annotations:
|
||||
argocd.argoproj.io/sync-wave: "5"
|
||||
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
|
||||
name: stackrox-secured-cluster-services
|
||||
namespace: stackrox-secured-cluster-service
|
||||
spec:
|
||||
clusterName: ${CLUSTER_NAME}
|
||||
centralEndpoint: central-stackrox.apps.hub.ocplab.com:443
|
||||
admissionControl:
|
||||
contactImageScanners: ScanIfMissing
|
||||
listenOnCreates: true
|
||||
listenOnUpdates: true
|
||||
timeoutSeconds: 6
|
||||
scannerV4:
|
||||
scannerComponent: Default
|
||||
@@ -0,0 +1,79 @@
|
||||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
metadata:
|
||||
annotations:
|
||||
argocd.argoproj.io/sync-wave: "10"
|
||||
name: create-sso-auth-provider
|
||||
namespace: stackrox
|
||||
spec:
|
||||
template:
|
||||
spec:
|
||||
containers:
|
||||
- image: image-registry.openshift-image-registry.svc:5000/openshift/cli:latest
|
||||
env:
|
||||
- name: CLIENT_SECRET
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: sso-secret
|
||||
key: client-secret
|
||||
- name: PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: central-htpasswd
|
||||
key: password
|
||||
- name: ISSUER
|
||||
value: https://sso-sso.apps.home.ocplab.com/auth/realms/openshift
|
||||
- name: DEFAULT_ROLE
|
||||
value: Admin
|
||||
command:
|
||||
- /bin/bash
|
||||
- -c
|
||||
- |
|
||||
#!/usr/bin/env bash
|
||||
|
||||
# Wait for central to be ready
|
||||
attempt_counter=0
|
||||
max_attempts=20
|
||||
echo "Waiting for central to be available..."
|
||||
until $(curl -k --output /dev/null --silent --head --fail https://central); do
|
||||
if [ ${attempt_counter} -eq ${max_attempts} ];then
|
||||
echo "Max attempts reached"
|
||||
exit 1
|
||||
fi
|
||||
printf '.'
|
||||
attempt_counter=$(($attempt_counter+1))
|
||||
echo "Made attempt $attempt_counter, waiting..."
|
||||
sleep 5
|
||||
done
|
||||
|
||||
echo "Configuring SSO Provider"
|
||||
|
||||
echo "Test if SSO Provider already exists"
|
||||
|
||||
response=$(curl -k -u "admin:$PASSWORD" https://central/v1/authProviders?name=OpenShift | python3 -c "import sys, json; print(json.load(sys.stdin)['authProviders'], end = '')")
|
||||
|
||||
if [[ "$response" != "[]" ]] ; then
|
||||
echo "OpenShift Provider already exists, exiting"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
export DATA='{"name":"OpenShift","type":"oidc","uiEndpoint":"central-stackrox.apps.home.ocplab.com","enabled":true,"config":{"client_id":"stackrox","client_secret":"'${CLIENT_SECRET}'","issuer":"'$ISSUER'","mode":"post"},"validated":true,"extraUiEndpoints":[],"active":true}'
|
||||
|
||||
echo "Posting data: ${DATA}"
|
||||
|
||||
authid=$(curl -k -X POST -u "admin:$PASSWORD" -H "Content-Type: application/json" --data $DATA https://central/v1/authProviders | python3 -c "import sys, json; print(json.load(sys.stdin)['id'], end = '')")
|
||||
|
||||
echo "Authentication Provider created with id ${authid}"
|
||||
echo "Updating minimum role to Admin"
|
||||
|
||||
export DATA='{"previous_groups":[],"required_groups":[{"props":{"authProviderId":"'${authid}'"},"roleName":"'${DEFAULT_ROLE}'"}]}'
|
||||
|
||||
curl -k -X POST -u "admin:$PASSWORD" -H "Content-Type: application/json" --data $DATA https://central/v1/groupsbatch
|
||||
|
||||
imagePullPolicy: Always
|
||||
name: create-sso-auth-provider
|
||||
dnsPolicy: ClusterFirst
|
||||
restartPolicy: Never
|
||||
serviceAccount: create-cluster-init
|
||||
serviceAccountName: create-cluster-init
|
||||
terminationGracePeriodSeconds: 30
|
||||
18
components/acs-operator/overlays/sso/kustomization.yaml
Normal file
18
components/acs-operator/overlays/sso/kustomization.yaml
Normal file
@@ -0,0 +1,18 @@
|
||||
commonAnnotations:
|
||||
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
|
||||
|
||||
resources:
|
||||
- github.com/redhat-cop/gitops-catalog/advanced-cluster-security-operator/operator/overlays/latest
|
||||
- github.com/redhat-cop/gitops-catalog/advanced-cluster-security-operator/instance/overlays/internal-registry-integration
|
||||
- sso-sealed-secret.yaml
|
||||
- create-sso-auth-provider-job.yaml
|
||||
# Use Andrew's Pipeline to create Stackrox API Tokens in tenant namespaces
|
||||
- github.com/pittar-gitops/gitops-mono-repo-admins/03-cluster-services/08-advanced-cluster-security/pipelines-and-secrets
|
||||
|
||||
patchesJson6902:
|
||||
- path: patch-resources.yaml
|
||||
target:
|
||||
group: platform.stackrox.io
|
||||
kind: Central
|
||||
name: central
|
||||
version: v1alpha1
|
||||
22
components/acs-operator/overlays/sso/patch-resources.yaml
Normal file
22
components/acs-operator/overlays/sso/patch-resources.yaml
Normal file
@@ -0,0 +1,22 @@
|
||||
- op: add
|
||||
path: /spec/central/resources
|
||||
value:
|
||||
limits:
|
||||
memory: 2Gi
|
||||
requests:
|
||||
cpu: 500m
|
||||
memory: 512Mi
|
||||
- op: add
|
||||
path: /spec/scanner/analyzer/resources
|
||||
value:
|
||||
limits:
|
||||
memory: 1Gi
|
||||
requests:
|
||||
cpu: 250m
|
||||
memory: 500Mi
|
||||
- op: replace
|
||||
path: /spec/scanner/analyzer/scaling/autoScaling
|
||||
value: Disabled
|
||||
- op: replace
|
||||
path: /spec/scanner/analyzer/scaling/replicas
|
||||
value: 2
|
||||
15
components/acs-operator/overlays/sso/sso-sealed-secret.yaml
Normal file
15
components/acs-operator/overlays/sso/sso-sealed-secret.yaml
Normal file
@@ -0,0 +1,15 @@
|
||||
apiVersion: bitnami.com/v1alpha1
|
||||
kind: SealedSecret
|
||||
metadata:
|
||||
annotations:
|
||||
argocd.argoproj.io/sync-wave: "0"
|
||||
name: sso-secret
|
||||
namespace: stackrox
|
||||
spec:
|
||||
encryptedData:
|
||||
client-secret: AgCk7m6UEoCoLvvLbUW+lXnYxaZ9Hm520Xg9/h9KMifm9mqFnzfxdlPksgZ0SIyw446ThrpAd/x39K1Azm5tMgQwIn+DaTOaDS3NVrwQWnaTBFph5AJ8DbcAMKFfSZAddCCizPlfkB3kv7zL8EIbj9d59Qbn3/0mu4hgqN0I2kOptQwFXt+kYYChrJ13LwDVJ5/wxPCa1VKUQ/osSX9wrddRBn/UQLPpXtH8loePfjn+9/oMMq49S4oiN9AjNUzuLLQHmg0OmeRtH34lGAkFgWHjNboOUDsmDCb78olGKTDIzNJ/Xz6iFmszZm1bhj7IG/VtcGoxroC/eddp1chGq4M8pMYEQkON6vp1bzP6LY3x6PxLjFg0Yl1EPSMZXyONNWJ9pl4drPsJqnw0QqLQG172ucbpGy2CwiaZ4ZwPtp/JcPJCDVW2nwwJNyNodfS8DgUbTF+cHm3/W0Z5BWi5CQvXBMRF3a9LyIuRoFW9w5XNnqKQP0lP/8NKW1K5LmgpVuJSGNg6JEQyRSDnK7WAnfDReDTTTEoivjFFQ7uUJFP/RDYWiXvSE3hNYse331QO5DCATmyDPm36txFaKtfVy/TdVhU7gV07FHPQju7IqfoI9pkc0pQtFUUYB9nFamuHsvkO4brnAjIYuCl7SJeM8xK37xLO4KgbKm/ldqxb80eUScBH963Lk9+H4zgyJ5Wq04dDdnxWrBedXjY00UBbmJ4CVDoGL/24HHbi118ZFTa3N9AJDss=
|
||||
template:
|
||||
metadata:
|
||||
name: sso-secret
|
||||
namespace: stackrox
|
||||
type: Opaque
|
||||
7
components/acs-tokens/base/README.md
Normal file
7
components/acs-tokens/base/README.md
Normal file
@@ -0,0 +1,7 @@
|
||||
## Not being used at the moment, use at your own risk :)
|
||||
|
||||
Uses a post-sync hook to generate ACS tokens for various namespaces to consume. Useful when there is a need to integrate with ACS for image scanning, etc.
|
||||
|
||||
Namespaces can be passed in a comma-separated list via environment variables.
|
||||
|
||||
based on Andrew Pitt's tekton task here: https://github.com/pittar-gitops/gitops-mono-repo-admins/tree/main/03-cluster-services/08-advanced-cluster-security/pipelines-and-secrets
|
||||
6
components/acs-tokens/base/kustomization.yaml
Normal file
6
components/acs-tokens/base/kustomization.yaml
Normal file
@@ -0,0 +1,6 @@
|
||||
namespace: stackrox
|
||||
|
||||
resources:
|
||||
- postsync-create-roxsecrets-sa-rbac.yaml
|
||||
- postsync-create-roxsecrets-job.yaml
|
||||
- postsync-roxsecret-namespaces.yaml
|
||||
@@ -0,0 +1,85 @@
|
||||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
metadata:
|
||||
name: postsync-create-roxsecrets-job
|
||||
namespace: stackrox
|
||||
annotations:
|
||||
argocd.argoproj.io/hook: PostSync
|
||||
argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
|
||||
spec:
|
||||
template:
|
||||
spec:
|
||||
containers:
|
||||
- image: quay.io/gnunn/tools:4.10-1
|
||||
env:
|
||||
- name: PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
key: password
|
||||
name: central-htpasswd
|
||||
envFrom:
|
||||
- configMapRef:
|
||||
name: roxsecret-namespaces
|
||||
command:
|
||||
- /bin/bash
|
||||
- -c
|
||||
- |
|
||||
# Wait for central to be ready
|
||||
attempt_counter=0
|
||||
max_attempts=20
|
||||
echo "Waiting for central to be available..."
|
||||
until $(curl -k --output /dev/null --silent --head --fail https://$CENTRAL_URL); do
|
||||
if [ ${attempt_counter} -eq ${max_attempts} ];then
|
||||
echo "Max attempts reached"
|
||||
exit 1
|
||||
fi
|
||||
printf '.'
|
||||
attempt_counter=$(($attempt_counter+1))
|
||||
echo "Made attempt $attempt_counter, waiting..."
|
||||
sleep 10
|
||||
done
|
||||
|
||||
API_ENDPOINT="/v1/apitokens/generate"
|
||||
CENTRAL_URL_API="https://$CENTRAL_URL$API_ENDPOINT"
|
||||
echo "Central API endpoint: $CENTRAL_URL_API"
|
||||
echo "Creating secrets in namespaces $NAMESPACES"
|
||||
|
||||
for NAMESPACE in ${NAMESPACES//,/ }
|
||||
do
|
||||
echo "Creating secret for $NAMESPACE"
|
||||
if [[ `oc get namespace $NAMESPACE 2>/dev/null` ]] ;
|
||||
then
|
||||
echo "Namespace '$NAMESPACE' exists, checking secret..."
|
||||
else
|
||||
echo "Namespace '$NAMESPACE' doesn't exist, skipping"
|
||||
continue
|
||||
fi
|
||||
|
||||
# If secret already exists, don't regenerate.
|
||||
if [[ -n `oc get secret roxsecrets -n $NAMESPACE 2>/dev/null` ]] ;
|
||||
then
|
||||
echo "Stackrox token secret already exists in $NAMESPACE"
|
||||
continue
|
||||
fi
|
||||
PAYLOAD="{\"name\": \"$NAMESPACE\", \"role\": \"Continuous Integration\"}"
|
||||
echo "$PAYLOAD"
|
||||
echo "Generate new token."
|
||||
RESPONSE=$(curl -k \
|
||||
-X POST -u "admin:$PASSWORD" \
|
||||
-H "Content-Type: application/json" \
|
||||
--data "$PAYLOAD" \
|
||||
$CENTRAL_URL_API)
|
||||
TOKEN=$(jq -r '.token' <<< "$RESPONSE")
|
||||
|
||||
# Create secret in target namespace
|
||||
oc create secret generic roxsecrets \
|
||||
--from-literal=rox_central_endpoint=$CENTRAL_URL:443 \
|
||||
--from-literal=rox_api_token=$TOKEN \
|
||||
-n $NAMESPACE
|
||||
done
|
||||
name: create-secrets
|
||||
dnsPolicy: ClusterFirst
|
||||
restartPolicy: Never
|
||||
terminationGracePeriodSeconds: 30
|
||||
serviceAccount: postsync-create-roxsecrets
|
||||
serviceAccountName: postsync-create-roxsecrets
|
||||
@@ -0,0 +1,40 @@
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: postsync-create-roxsecrets
|
||||
namespace: stackrox
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
annotations:
|
||||
argocd.argoproj.io/sync-wave: "1"
|
||||
name: postsync-create-roxsecrets
|
||||
namespace: stackrox
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- secrets
|
||||
verbs:
|
||||
- get
|
||||
- create
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- namespaces
|
||||
verbs:
|
||||
- get
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: postsync-create-roxsecrets
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: postsync-create-roxsecrets
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: postsync-create-roxsecrets
|
||||
namespace: stackrox
|
||||
@@ -0,0 +1,8 @@
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: roxsecret-namespaces
|
||||
namespace: stackrox
|
||||
data:
|
||||
NAMESPACES: product-catalog-cicd,demo-cicd
|
||||
CENTRAL_URL: central-stackrox.apps.hub.ocplab.com
|
||||
1
components/alertmanager/base/README.md
Normal file
1
components/alertmanager/base/README.md
Normal file
@@ -0,0 +1 @@
|
||||
See Jonas Janz's repo for examples of alertmanager configuration and slack template [here](https://github.com/PixelJonas/cluster-gitops/tree/master/manifests/argocd/apps/alertmanager/base/apps/examples).
|
||||
18
components/alertmanager/base/alertmanager-main-secret.yaml
Normal file
18
components/alertmanager/base/alertmanager-main-secret.yaml
Normal file
@@ -0,0 +1,18 @@
|
||||
apiVersion: external-secrets.io/v1beta1
|
||||
kind: ExternalSecret
|
||||
metadata:
|
||||
name: alertmanager-main
|
||||
namespace: openshift-monitoring
|
||||
spec:
|
||||
secretStoreRef:
|
||||
kind: ClusterSecretStore
|
||||
name: doppler-cluster
|
||||
target:
|
||||
name: alertmanager-main
|
||||
data:
|
||||
- secretKey: alertmanager.yaml
|
||||
remoteRef:
|
||||
key: ALERTMANAGER
|
||||
- secretKey: slacktemplate.tmpl
|
||||
remoteRef:
|
||||
key: ALERTMANAGER_SLACK_TEMPLATE
|
||||
5
components/alertmanager/base/kustomization.yaml
Normal file
5
components/alertmanager/base/kustomization.yaml
Normal file
@@ -0,0 +1,5 @@
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
|
||||
resources:
|
||||
- alertmanager-main-secret.yaml
|
||||
1
components/amq-streams-v1/base/README.md
Normal file
1
components/amq-streams-v1/base/README.md
Normal file
@@ -0,0 +1 @@
|
||||
Experimenting with OLM v1
|
||||
15
components/amq-streams-v1/base/clusterextension.yaml
Normal file
15
components/amq-streams-v1/base/clusterextension.yaml
Normal file
@@ -0,0 +1,15 @@
|
||||
apiVersion: olm.operatorframework.io/v1
|
||||
kind: ClusterExtension
|
||||
metadata:
|
||||
name: amq-streams
|
||||
spec:
|
||||
namespace: amq-streams-operator
|
||||
serviceAccount:
|
||||
name: amq-streams-installer
|
||||
source:
|
||||
sourceType: Catalog
|
||||
catalog:
|
||||
packageName: amq-streams
|
||||
channels:
|
||||
- amq-streams-2.9.x
|
||||
upgradeConstraintPolicy: CatalogProvided
|
||||
398
components/amq-streams-v1/base/clusterrole.yaml
Normal file
398
components/amq-streams-v1/base/clusterrole.yaml
Normal file
@@ -0,0 +1,398 @@
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: amq-streams-installer-clusterrole
|
||||
rules:
|
||||
# ClusterRoles and ClusterRoleBindings for the controllers of the extension
|
||||
- apiGroups:
|
||||
- rbac.authorization.k8s.io
|
||||
resources:
|
||||
- clusterroles
|
||||
verbs:
|
||||
- "*"
|
||||
- apiGroups:
|
||||
- rbac.authorization.k8s.io
|
||||
resources:
|
||||
- clusterrolebindings
|
||||
verbs:
|
||||
- "*"
|
||||
- apiGroups:
|
||||
- olm.operatorframework.io
|
||||
resources:
|
||||
- clusterextensions/finalizers
|
||||
verbs:
|
||||
- update
|
||||
# Scoped to the name of the ClusterExtension
|
||||
resourceNames:
|
||||
- amq-streams # the value from <metadata.name> from the extension's custom resource (CR)
|
||||
# Deployments specified in install.spec.deployments
|
||||
- apiGroups:
|
||||
- apps
|
||||
resources:
|
||||
- deployments
|
||||
verbs:
|
||||
- create
|
||||
- list
|
||||
- watch
|
||||
- apiGroups:
|
||||
- apps
|
||||
resources:
|
||||
- deployments
|
||||
verbs:
|
||||
- get
|
||||
- update
|
||||
- patch
|
||||
- delete
|
||||
# scoped to the extension controller deployment name
|
||||
resourceNames:
|
||||
- amq-streams-cluster-operator
|
||||
- amq-streams-cluster-operator-v2.9.0-0
|
||||
# Service accounts in the CSV
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- serviceaccounts
|
||||
verbs:
|
||||
- create
|
||||
- list
|
||||
- watch
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- serviceaccounts
|
||||
verbs:
|
||||
- get
|
||||
- update
|
||||
- patch
|
||||
- delete
|
||||
# scoped to the extension controller's deployment service account
|
||||
resourceNames:
|
||||
- strimzi-cluster-operator
|
||||
# configmaps
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- configmaps
|
||||
verbs:
|
||||
- create
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- configmaps
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- update
|
||||
- patch
|
||||
- delete
|
||||
# scoped to the configmap name
|
||||
resourceNames:
|
||||
- strimzi-cluster-operator
|
||||
- apiGroups:
|
||||
- apiextensions.k8s.io
|
||||
resources:
|
||||
- customresourcedefinitions
|
||||
verbs:
|
||||
- create
|
||||
- list
|
||||
- watch
|
||||
- apiGroups:
|
||||
- apiextensions.k8s.io
|
||||
resources:
|
||||
- customresourcedefinitions
|
||||
verbs:
|
||||
- get
|
||||
- update
|
||||
- patch
|
||||
- delete
|
||||
resourceNames:
|
||||
- kafkas.kafka.strimzi.io
|
||||
- kafkanodepools.kafka.strimzi.io
|
||||
- kafkaconnects.kafka.strimzi.io
|
||||
- kafkamirrormakers.kafka.strimzi.io
|
||||
- kafkabridges.kafka.strimzi.io
|
||||
- kafkatopics.kafka.strimzi.io
|
||||
- kafkausers.kafka.strimzi.io
|
||||
- kafkaconnectors.kafka.strimzi.io
|
||||
- kafkamirrormaker2s.kafka.strimzi.io
|
||||
- kafkarebalances.kafka.strimzi.io
|
||||
- strimzipodsets.core.strimzi.io
|
||||
# install permissions from CSV
|
||||
- apiGroups:
|
||||
- "rbac.authorization.k8s.io"
|
||||
resources:
|
||||
# The cluster operator needs to access and manage rolebindings to grant Strimzi components cluster permissions
|
||||
- rolebindings
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- create
|
||||
- delete
|
||||
- patch
|
||||
- update
|
||||
- apiGroups:
|
||||
- "rbac.authorization.k8s.io"
|
||||
resources:
|
||||
# The cluster operator needs to access and manage roles to grant the entity operator permissions
|
||||
- roles
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- create
|
||||
- delete
|
||||
- patch
|
||||
- update
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
# The cluster operator needs to access and delete pods, this is to allow it to monitor pod health and coordinate rolling updates
|
||||
- pods
|
||||
# The cluster operator needs to access and manage service accounts to grant Strimzi components cluster permissions
|
||||
- serviceaccounts
|
||||
# The cluster operator needs to access and manage config maps for Strimzi components configuration
|
||||
- configmaps
|
||||
# The cluster operator needs to access and manage services and endpoints to expose Strimzi components to network traffic
|
||||
- services
|
||||
- endpoints
|
||||
# The cluster operator needs to access and manage secrets to handle credentials
|
||||
# The entity operator user-operator needs to access and manage secrets to store generated credentials
|
||||
- secrets
|
||||
# The cluster operator needs to access and manage persistent volume claims to bind them to Strimzi components for persistent data
|
||||
- persistentvolumeclaims
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- create
|
||||
- delete
|
||||
- patch
|
||||
- update
|
||||
- apiGroups:
|
||||
- "kafka.strimzi.io"
|
||||
resources:
|
||||
# The Cluster Operator operates the Strimzi custom resources
|
||||
- kafkas
|
||||
- kafkanodepools
|
||||
- kafkaconnects
|
||||
- kafkaconnectors
|
||||
- kafkamirrormakers
|
||||
- kafkabridges
|
||||
- kafkamirrormaker2s
|
||||
- kafkarebalances
|
||||
- kafkatopics
|
||||
- kafkausers
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- create
|
||||
- delete
|
||||
- patch
|
||||
- update
|
||||
- apiGroups:
|
||||
- "kafka.strimzi.io"
|
||||
resources:
|
||||
# The Cluster Operator needs to manage the status of the Strimzi custom resources
|
||||
- kafkas/status
|
||||
- kafkanodepools/status
|
||||
- kafkaconnects/status
|
||||
- kafkaconnectors/status
|
||||
- kafkamirrormakers/status
|
||||
- kafkabridges/status
|
||||
- kafkamirrormaker2s/status
|
||||
- kafkarebalances/status
|
||||
- kafkatopics/status
|
||||
- kafkausers/status
|
||||
verbs:
|
||||
- get
|
||||
- patch
|
||||
- update
|
||||
- apiGroups:
|
||||
- "core.strimzi.io"
|
||||
resources:
|
||||
# The cluster operator uses StrimziPodSets to manage the Kafka and ZooKeeper pods
|
||||
- strimzipodsets
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- create
|
||||
- delete
|
||||
- patch
|
||||
- update
|
||||
- apiGroups:
|
||||
- "core.strimzi.io"
|
||||
resources:
|
||||
# The Cluster Operator needs to manage the status of the StrimziPodSet custom resource
|
||||
- strimzipodsets/status
|
||||
verbs:
|
||||
- get
|
||||
- patch
|
||||
- update
|
||||
- apiGroups:
|
||||
- "kafka.strimzi.io"
|
||||
resources:
|
||||
# The Cluster Operator needs deletion for KafkaRebalance only (during auto-rebalancing)
|
||||
- kafkarebalances
|
||||
verbs:
|
||||
- delete
|
||||
- apiGroups:
|
||||
- "apps"
|
||||
resources:
|
||||
# The cluster operator needs to access and manage deployments to run deployment based Strimzi components
|
||||
- deployments
|
||||
# The cluster operator needs to access and manage stateful sets to run stateful sets based Strimzi components
|
||||
- statefulsets
|
||||
# The cluster operator needs to access replica-sets to manage Strimzi components and to determine error states
|
||||
- replicasets
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- create
|
||||
- delete
|
||||
- patch
|
||||
- update
|
||||
- apiGroups:
|
||||
- "apps"
|
||||
resources:
|
||||
# The Cluster Operator needs to scale Deployments while migrating Connect and Mirror Maker 2 clusters from Deployments to StrimziPodSets
|
||||
- deployments/scale
|
||||
verbs:
|
||||
- get
|
||||
- patch
|
||||
- update
|
||||
- apiGroups:
|
||||
- "" # legacy core events api, used by topic operator
|
||||
- "events.k8s.io" # new events api, used by cluster operator
|
||||
resources:
|
||||
- events
|
||||
verbs:
|
||||
- create
|
||||
- apiGroups:
|
||||
# Kafka Connect Build on OpenShift requirement
|
||||
- build.openshift.io
|
||||
resources:
|
||||
- buildconfigs
|
||||
- buildconfigs/instantiate
|
||||
- builds
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- create
|
||||
- delete
|
||||
- patch
|
||||
- update
|
||||
- apiGroups:
|
||||
- networking.k8s.io
|
||||
resources:
|
||||
# The cluster operator needs to access and manage network policies to lock down communication between Strimzi components
|
||||
- networkpolicies
|
||||
# The cluster operator needs to access and manage ingresses which allow external access to the services in a cluster
|
||||
- ingresses
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- create
|
||||
- delete
|
||||
- patch
|
||||
- update
|
||||
- apiGroups:
|
||||
- route.openshift.io
|
||||
resources:
|
||||
# The cluster operator needs to access and manage routes to expose Strimzi components for external access
|
||||
- routes
|
||||
- routes/custom-host
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- create
|
||||
- delete
|
||||
- patch
|
||||
- update
|
||||
- apiGroups:
|
||||
- image.openshift.io
|
||||
resources:
|
||||
# The cluster operator needs to verify the image stream when used for Kafka Connect image build
|
||||
- imagestreams
|
||||
verbs:
|
||||
- get
|
||||
- apiGroups:
|
||||
- policy
|
||||
resources:
|
||||
# The cluster operator needs to access and manage pod disruption budgets this limits the number of concurrent disruptions
|
||||
# that a Streams component experiences, allowing for higher availability
|
||||
- poddisruptionbudgets
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- create
|
||||
- delete
|
||||
- patch
|
||||
- update
|
||||
- apiGroups:
|
||||
- coordination.k8s.io
|
||||
resources:
|
||||
# The cluster operator needs to access and manage leases for leader election
|
||||
# The "create" verb cannot be used with "resourceNames"
|
||||
- leases
|
||||
verbs:
|
||||
- create
|
||||
- apiGroups:
|
||||
- coordination.k8s.io
|
||||
resources:
|
||||
# The cluster operator needs to access and manage leases for leader election
|
||||
- leases
|
||||
resourceNames:
|
||||
# The default RBAC files give the operator only access to the Lease resource names strimzi-cluster-operator
|
||||
# If you want to use another resource name or resource namespace, you have to configure the RBAC resources accordingly
|
||||
- strimzi-cluster-operator
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- delete
|
||||
- patch
|
||||
- update
|
||||
# Cluster permissions from CSV
|
||||
- apiGroups:
|
||||
- "rbac.authorization.k8s.io"
|
||||
resources:
|
||||
# The cluster operator needs to create and manage cluster role bindings in the case of an install where a user
|
||||
# has specified they want their cluster role bindings generated
|
||||
- clusterrolebindings
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- create
|
||||
- delete
|
||||
- patch
|
||||
- update
|
||||
- apiGroups:
|
||||
- storage.k8s.io
|
||||
resources:
|
||||
# The cluster operator requires "get" permissions to view storage class details
|
||||
# This is because only a persistent volume of a supported storage class type can be resized
|
||||
- storageclasses
|
||||
verbs:
|
||||
- get
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
# The cluster operator requires "list" permissions to view all nodes in a cluster
|
||||
# The listing is used to determine the node addresses when NodePort access is configured
|
||||
# These addresses are then exposed in the custom resource states
|
||||
# The Kafka Brokers require "get" permissions to view the node they are on
|
||||
# This information is used to generate a Rack ID that is used for High Availability configurations
|
||||
- nodes
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
12
components/amq-streams-v1/base/clusterrolebinding.yaml
Normal file
12
components/amq-streams-v1/base/clusterrolebinding.yaml
Normal file
@@ -0,0 +1,12 @@
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: amq-streams-installer-binding
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: amq-streams-installer-clusterrole
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: amq-streams-installer
|
||||
namespace: amq-streams-operator
|
||||
6
components/amq-streams-v1/base/kustomization.yaml
Normal file
6
components/amq-streams-v1/base/kustomization.yaml
Normal file
@@ -0,0 +1,6 @@
|
||||
resources:
|
||||
- namespace.yaml
|
||||
- clusterrole.yaml
|
||||
- clusterrolebinding.yaml
|
||||
- serviceaccount.yaml
|
||||
- clusterextension.yaml
|
||||
4
components/amq-streams-v1/base/namespace.yaml
Normal file
4
components/amq-streams-v1/base/namespace.yaml
Normal file
@@ -0,0 +1,4 @@
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: amq-streams-operator
|
||||
5
components/amq-streams-v1/base/serviceaccount.yaml
Normal file
5
components/amq-streams-v1/base/serviceaccount.yaml
Normal file
@@ -0,0 +1,5 @@
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: amq-streams-installer
|
||||
namespace: amq-streams-operator
|
||||
2
components/amq-streams/base/kustomization.yaml
Normal file
2
components/amq-streams/base/kustomization.yaml
Normal file
@@ -0,0 +1,2 @@
|
||||
resources:
|
||||
- subscription.yaml
|
||||
11
components/amq-streams/base/subscription.yaml
Normal file
11
components/amq-streams/base/subscription.yaml
Normal file
@@ -0,0 +1,11 @@
|
||||
apiVersion: operators.coreos.com/v1alpha1
|
||||
kind: Subscription
|
||||
metadata:
|
||||
name: amq-streams
|
||||
namespace: openshift-operators
|
||||
spec:
|
||||
channel: stable
|
||||
installPlanApproval: Automatic
|
||||
name: amq-streams
|
||||
source: redhat-operators
|
||||
sourceNamespace: openshift-marketplace
|
||||
@@ -0,0 +1,11 @@
|
||||
resources:
|
||||
- ../../base
|
||||
|
||||
patches:
|
||||
- patch: |
|
||||
- op: replace
|
||||
path: /spec/channel
|
||||
value: 'amq-streams-2.7.x'
|
||||
target:
|
||||
kind: Subscription
|
||||
name: amq-streams
|
||||
6
components/argo-rollouts/base/kustomization.yaml
Normal file
6
components/argo-rollouts/base/kustomization.yaml
Normal file
@@ -0,0 +1,6 @@
|
||||
namespace: argo-rollouts
|
||||
|
||||
resources:
|
||||
- namespace.yaml
|
||||
- rollouts-analysis-monitoring.yaml
|
||||
- https://github.com/argoproj/argo-rollouts/releases/latest/download/install.yaml
|
||||
7
components/argo-rollouts/base/namespace.yaml
Normal file
7
components/argo-rollouts/base/namespace.yaml
Normal file
@@ -0,0 +1,7 @@
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: argo-rollouts
|
||||
annotations:
|
||||
openshift.io/description: Argo Rollouts Progressive Delivery
|
||||
openshift.io/display-name: Argo Rollouts
|
||||
@@ -0,0 +1,11 @@
|
||||
kind: RoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: rollouts-analysis-monitoring
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: argo-rollouts
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: cluster-monitoring-view
|
||||
3
components/banner/base/README.md
Normal file
3
components/banner/base/README.md
Normal file
@@ -0,0 +1,3 @@
|
||||
Displays a banner in the OpenShift Console with the cluster ID and name.
|
||||
|
||||
Note that is leveraging ACM to populate the GitOps subscription with environment variables coupled with a plugin in Argo CD to post-process kustomize.
|
||||
12
components/banner/base/banner.yaml
Normal file
12
components/banner/base/banner.yaml
Normal file
@@ -0,0 +1,12 @@
|
||||
apiVersion: console.openshift.io/v1
|
||||
kind: ConsoleNotification
|
||||
metadata:
|
||||
name: banner
|
||||
spec:
|
||||
text: "Cluster: ${CLUSTER_NAME}"
|
||||
location: BannerTop
|
||||
color: '#fff'
|
||||
backgroundColor: "#${COLOR}"
|
||||
link:
|
||||
href: https://console.redhat.com/openshift/details/${CLUSTER_ID}
|
||||
text: "(${CLUSTER_ID})"
|
||||
2
components/banner/base/kustomization.yaml
Normal file
2
components/banner/base/kustomization.yaml
Normal file
@@ -0,0 +1,2 @@
|
||||
resources:
|
||||
- banner.yaml
|
||||
5
components/camel-k-operator/base/kustomization.yaml
Normal file
5
components/camel-k-operator/base/kustomization.yaml
Normal file
@@ -0,0 +1,5 @@
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
|
||||
resources:
|
||||
- subscription.yaml
|
||||
11
components/camel-k-operator/base/subscription.yaml
Normal file
11
components/camel-k-operator/base/subscription.yaml
Normal file
@@ -0,0 +1,11 @@
|
||||
apiVersion: operators.coreos.com/v1alpha1
|
||||
kind: Subscription
|
||||
metadata:
|
||||
name: red-hat-camel-k
|
||||
namespace: openshift-operators
|
||||
spec:
|
||||
channel: latest
|
||||
installPlanApproval: Automatic
|
||||
name: red-hat-camel-k
|
||||
source: redhat-operators
|
||||
sourceNamespace: openshift-marketplace
|
||||
@@ -0,0 +1,4 @@
|
||||
resources:
|
||||
- ../../../operator/base
|
||||
- ../../../instance/base
|
||||
- ../../../issuers/letsencrypt-route53/base
|
||||
@@ -0,0 +1,15 @@
|
||||
apiVersion: operator.openshift.io/v1alpha1
|
||||
kind: CertManager
|
||||
metadata:
|
||||
annotations:
|
||||
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
|
||||
name: cluster
|
||||
spec:
|
||||
logLevel: Normal
|
||||
managementState: Managed
|
||||
observedConfig: null
|
||||
operatorLogLevel: Normal
|
||||
controllerConfig:
|
||||
overrideArgs:
|
||||
- '--dns01-recursive-nameservers=8.8.8.8:53,8.8.4.4:53'
|
||||
- '--dns01-recursive-nameservers-only'
|
||||
@@ -0,0 +1,2 @@
|
||||
resources:
|
||||
- certmanager.yaml
|
||||
@@ -0,0 +1,4 @@
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: cert-manager
|
||||
@@ -0,0 +1,11 @@
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
|
||||
commonAnnotations:
|
||||
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
|
||||
|
||||
resources:
|
||||
- cert-manager-ns.yaml
|
||||
- letsencrypt-aws-external.yaml
|
||||
- letsencrypt-staging-cluster-issuer.yaml
|
||||
- letsencrypt-prod-cluster-issuer.yaml
|
||||
@@ -0,0 +1,15 @@
|
||||
apiVersion: external-secrets.io/v1beta1
|
||||
kind: ExternalSecret
|
||||
metadata:
|
||||
name: letsencrypt-aws
|
||||
namespace: cert-manager
|
||||
spec:
|
||||
secretStoreRef:
|
||||
kind: ClusterSecretStore
|
||||
name: doppler-cluster
|
||||
target:
|
||||
name: letsencrypt-aws
|
||||
data:
|
||||
- secretKey: secret-access-key
|
||||
remoteRef:
|
||||
key: AWS_LETSENCRYPT
|
||||
@@ -0,0 +1,23 @@
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: ClusterIssuer
|
||||
metadata:
|
||||
name: letsencrypt-prod
|
||||
spec:
|
||||
acme:
|
||||
server: https://acme-v02.api.letsencrypt.org/directory
|
||||
email: gnunn@redhat.com
|
||||
# This key doesn't exist, cert-manager creates it
|
||||
privateKeySecretRef:
|
||||
name: gnunn-redhat-issuer-account-key
|
||||
solvers:
|
||||
- selector:
|
||||
dnsZones:
|
||||
- "ocplab.com"
|
||||
dns01:
|
||||
route53:
|
||||
region: ca-central-1
|
||||
accessKeyID: AKIAVW7HGAZVWLIKXRCA
|
||||
hostedZoneID: Z1LKUX3GLO9GW9
|
||||
secretAccessKeySecretRef:
|
||||
name: letsencrypt-aws
|
||||
key: secret-access-key
|
||||
@@ -0,0 +1,23 @@
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: ClusterIssuer
|
||||
metadata:
|
||||
name: letsencrypt-staging
|
||||
spec:
|
||||
acme:
|
||||
server: https://acme-staging-v02.api.letsencrypt.org/directory
|
||||
email: gnunn@redhat.com
|
||||
# This key doesn't exist, cert-manager creates it
|
||||
privateKeySecretRef:
|
||||
name: gnunn-redhat-issuer-account-key
|
||||
solvers:
|
||||
- selector:
|
||||
dnsZones:
|
||||
- "ocplab.com"
|
||||
dns01:
|
||||
route53:
|
||||
region: ca-central-1
|
||||
accessKeyID: AKIAVW7HGAZVWLIKXRCA
|
||||
hostedZoneID: Z1LKUX3GLO9GW9
|
||||
secretAccessKeySecretRef:
|
||||
name: letsencrypt-aws
|
||||
key: secret-access-key
|
||||
@@ -0,0 +1,12 @@
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
|
||||
commonAnnotations:
|
||||
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
|
||||
|
||||
namespace: cert-manager-operator
|
||||
|
||||
resources:
|
||||
- operator-namespace.yaml
|
||||
- operator-group.yaml
|
||||
- subscription.yaml
|
||||
@@ -0,0 +1,8 @@
|
||||
apiVersion: operators.coreos.com/v1
|
||||
kind: OperatorGroup
|
||||
metadata:
|
||||
name: openshift-cert-manager-operator
|
||||
spec:
|
||||
targetNamespaces:
|
||||
- cert-manager-operator
|
||||
upgradeStrategy: Default
|
||||
@@ -0,0 +1,8 @@
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
annotations:
|
||||
openshift.io/display-name: Red Hat Certificate Manager Operator
|
||||
labels:
|
||||
openshift.io/cluster-monitoring: 'true'
|
||||
name: cert-manager-operator
|
||||
@@ -0,0 +1,10 @@
|
||||
apiVersion: operators.coreos.com/v1alpha1
|
||||
kind: Subscription
|
||||
metadata:
|
||||
name: openshift-cert-manager-operator
|
||||
spec:
|
||||
channel: stable-v1
|
||||
installPlanApproval: Automatic
|
||||
name: openshift-cert-manager-operator
|
||||
source: redhat-operators
|
||||
sourceNamespace: openshift-marketplace
|
||||
14
components/certificates/base/apiserver.yaml
Normal file
14
components/certificates/base/apiserver.yaml
Normal file
@@ -0,0 +1,14 @@
|
||||
apiVersion: config.openshift.io/v1
|
||||
kind: APIServer
|
||||
metadata:
|
||||
name: cluster
|
||||
annotations:
|
||||
argocd.argoproj.io/sync-wave: "1"
|
||||
argocd.argoproj.io/sync-options: Validate=false,ServerSideApply=true
|
||||
spec:
|
||||
servingCerts:
|
||||
namedCertificates:
|
||||
- names:
|
||||
- api.${BASE_DOMAIN}
|
||||
servingCertificate:
|
||||
name: openshift-api-certificate
|
||||
11
components/certificates/base/ingresscontroller.yaml
Normal file
11
components/certificates/base/ingresscontroller.yaml
Normal file
@@ -0,0 +1,11 @@
|
||||
apiVersion: operator.openshift.io/v1
|
||||
kind: IngressController
|
||||
metadata:
|
||||
name: default
|
||||
namespace: openshift-ingress-operator
|
||||
annotations:
|
||||
argocd.argoproj.io/sync-wave: "1"
|
||||
argocd.argoproj.io/sync-options: Validate=false,ServerSideApply=true
|
||||
spec:
|
||||
defaultCertificate:
|
||||
name: openshift-wildcard-certificate
|
||||
8
components/certificates/base/kustomization.yaml
Normal file
8
components/certificates/base/kustomization.yaml
Normal file
@@ -0,0 +1,8 @@
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
|
||||
resources:
|
||||
- openshift-api-certificate.yaml
|
||||
- openshift-wildcard-certificate.yaml
|
||||
- apiserver.yaml
|
||||
- ingresscontroller.yaml
|
||||
14
components/certificates/base/openshift-api-certificate.yaml
Normal file
14
components/certificates/base/openshift-api-certificate.yaml
Normal file
@@ -0,0 +1,14 @@
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: Certificate
|
||||
metadata:
|
||||
name: openshift-api
|
||||
namespace: openshift-config
|
||||
annotations:
|
||||
argocd.argoproj.io/sync-wave: '0'
|
||||
spec:
|
||||
secretName: openshift-api-certificate
|
||||
issuerRef:
|
||||
name: letsencrypt-prod
|
||||
kind: ClusterIssuer
|
||||
dnsNames:
|
||||
- api.${BASE_DOMAIN}
|
||||
@@ -0,0 +1,15 @@
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: Certificate
|
||||
metadata:
|
||||
name: openshift-wildcard
|
||||
namespace: openshift-ingress
|
||||
annotations:
|
||||
argocd.argoproj.io/sync-wave: '0'
|
||||
spec:
|
||||
secretName: openshift-wildcard-certificate
|
||||
issuerRef:
|
||||
name: letsencrypt-prod
|
||||
kind: ClusterIssuer
|
||||
commonName: '*.${SUB_DOMAIN}'
|
||||
dnsNames:
|
||||
- '*.${SUB_DOMAIN}'
|
||||
3
components/clean-completed-pods/base/README.md
Normal file
3
components/clean-completed-pods/base/README.md
Normal file
@@ -0,0 +1,3 @@
|
||||
Cronjob that periodically removes completed jobs, based on KCS here:
|
||||
|
||||
https://access.redhat.com/solutions/6934861
|
||||
@@ -0,0 +1,40 @@
|
||||
apiVersion: batch/v1
|
||||
kind: CronJob
|
||||
metadata:
|
||||
name: completed-pod-cleanup
|
||||
spec:
|
||||
jobTemplate:
|
||||
metadata:
|
||||
name: completed-pod-cleanup
|
||||
spec:
|
||||
template:
|
||||
spec:
|
||||
containers:
|
||||
- command:
|
||||
- /bin/bash
|
||||
- -c
|
||||
- |
|
||||
set -euo pipefail
|
||||
echo "// Listed Completed Pod."
|
||||
oc get pods -o wide --all-namespaces --sort-by='{.metadata.creationTimestamp}','{.metadata.namespace}','{.metadata.name}' --field-selector=status.phase==Succeeded
|
||||
COMPLETED_POD=`oc get pods -o jsonpath="{range .items[*]}{.metadata.namespace}{'\t'}{.metadata.name}{'\n'}{end}" --all-namespaces --field-selector=metadata.namespace!=ocp-completed-pod-cleanup,status.phase==Succeeded`
|
||||
if [ -n "$COMPLETED_POD" ]; then
|
||||
echo "// Deleted Completed Pod."
|
||||
while read NS_NAME POD_NAME
|
||||
do
|
||||
oc -n $NS_NAME delete pod $POD_NAME;
|
||||
done <<< "$COMPLETED_POD"
|
||||
fi
|
||||
image: registry.redhat.io/openshift4/ose-cli:latest # change the image in disconnected environment
|
||||
imagePullPolicy: IfNotPresent
|
||||
name: completed-pod-cleanup
|
||||
terminationMessagePath: /dev/termination-log
|
||||
terminationMessagePolicy: File
|
||||
dnsPolicy: ClusterFirst
|
||||
restartPolicy: OnFailure
|
||||
serviceAccount: completed-pod-cleanup
|
||||
serviceAccountName: completed-pod-cleanup
|
||||
terminationGracePeriodSeconds: 30
|
||||
schedule: "0 11 * * *"
|
||||
suspend: false
|
||||
status: {}
|
||||
6
components/clean-completed-pods/base/kustomization.yaml
Normal file
6
components/clean-completed-pods/base/kustomization.yaml
Normal file
@@ -0,0 +1,6 @@
|
||||
namespace: clean-completed-pods
|
||||
|
||||
resources:
|
||||
- namespace.yaml
|
||||
- clean-completed-pods-cronjob.yaml
|
||||
- sa-rbac.yaml
|
||||
4
components/clean-completed-pods/base/namespace.yaml
Normal file
4
components/clean-completed-pods/base/namespace.yaml
Normal file
@@ -0,0 +1,4 @@
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: clean-completed-pods
|
||||
31
components/clean-completed-pods/base/sa-rbac.yaml
Normal file
31
components/clean-completed-pods/base/sa-rbac.yaml
Normal file
@@ -0,0 +1,31 @@
|
||||
kind: ServiceAccount
|
||||
apiVersion: v1
|
||||
metadata:
|
||||
name: completed-pod-cleanup
|
||||
labels:
|
||||
app: completed-pod-cleanup
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: cluster-completed-pod-cleanup
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources:
|
||||
- "pods"
|
||||
verbs: ["get", "list", "create", "delete", "watch"]
|
||||
---
|
||||
kind: ClusterRoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: completed-pod-cleanup
|
||||
labels:
|
||||
app: completed-pod-cleanup
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: completed-pod-cleanup
|
||||
namespace: clean-completed-pods
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: cluster-completed-pod-cleanup
|
||||
@@ -0,0 +1,15 @@
|
||||
apiVersion: org.eclipse.che/v1
|
||||
kind: CheCluster
|
||||
metadata:
|
||||
name: codeready-workspaces
|
||||
namespace: openshift-workspaces
|
||||
spec:
|
||||
auth:
|
||||
identityProviderURL: 'https://sso-sso.apps.home.ocplab.com'
|
||||
identityProviderRealm: openshift
|
||||
identityProviderClientId: codeready-public
|
||||
externalIdentityProvider: true
|
||||
server:
|
||||
selfSignedCert: false
|
||||
gitSelfSignedCert: false
|
||||
tlsSupport: true
|
||||
@@ -0,0 +1,5 @@
|
||||
resources:
|
||||
- ../cis-compliance
|
||||
|
||||
patchesStrategicMerge:
|
||||
- patch-scansetting.yaml
|
||||
@@ -0,0 +1,8 @@
|
||||
apiVersion: compliance.openshift.io/v1alpha1
|
||||
debug: true
|
||||
kind: ScanSetting
|
||||
metadata:
|
||||
name: cis-compliance
|
||||
namespace: openshift-compliance
|
||||
roles:
|
||||
- master
|
||||
@@ -0,0 +1,19 @@
|
||||
apiVersion: compliance.openshift.io/v1alpha1
|
||||
kind: ScanSettingBinding
|
||||
metadata:
|
||||
annotations:
|
||||
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
|
||||
argocd.argoproj.io/sync-wave: "1"
|
||||
name: cis-compliance
|
||||
namespace: openshift-compliance
|
||||
profiles:
|
||||
- apiGroup: compliance.openshift.io/v1alpha1
|
||||
kind: TailoredProfile
|
||||
name: ocp4-cis-node-lab
|
||||
- apiGroup: compliance.openshift.io/v1alpha1
|
||||
kind: TailoredProfile
|
||||
name: ocp4-cis-lab
|
||||
settingsRef:
|
||||
apiGroup: compliance.openshift.io/v1alpha1
|
||||
kind: ScanSetting
|
||||
name: default
|
||||
@@ -0,0 +1,37 @@
|
||||
apiVersion: compliance.openshift.io/v1alpha1
|
||||
kind: ScanSetting
|
||||
metadata:
|
||||
name: cis-compliance
|
||||
annotations:
|
||||
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
|
||||
argocd.argoproj.io/sync-wave: "1"
|
||||
rawResultStorage:
|
||||
nodeSelector:
|
||||
node-role.kubernetes.io/master: ""
|
||||
pvAccessModes:
|
||||
- ReadWriteOnce
|
||||
rotation: 3
|
||||
size: 1Gi
|
||||
tolerations:
|
||||
- effect: NoSchedule
|
||||
key: node-role.kubernetes.io/master
|
||||
operator: Exists
|
||||
- effect: NoExecute
|
||||
key: node.kubernetes.io/not-ready
|
||||
operator: Exists
|
||||
tolerationSeconds: 300
|
||||
- effect: NoExecute
|
||||
key: node.kubernetes.io/unreachable
|
||||
operator: Exists
|
||||
tolerationSeconds: 300
|
||||
- effect: NoSchedule
|
||||
key: node.kubernetes.io/memory-pressure
|
||||
operator: Exists
|
||||
roles:
|
||||
- master
|
||||
- worker
|
||||
scanTolerations:
|
||||
- operator: Exists
|
||||
schedule: 0 */3 * * *
|
||||
showNotApplicable: false
|
||||
strictNodeScan: true
|
||||
@@ -0,0 +1,27 @@
|
||||
# Assumes the cluster admin had pre-created the sealed-secrets project and secret.
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
|
||||
namespace: openshift-compliance
|
||||
|
||||
resources:
|
||||
- github.com/redhat-cop/gitops-catalog/compliance-operator/operator/overlays/release-0.1
|
||||
- ocp-cis-tailored-profile.yaml
|
||||
- ocp-cis-node-tailored-profile.yaml
|
||||
- cis-compliance-scan-setting-binding.yaml
|
||||
- cis-compliance-scansetting.yaml
|
||||
|
||||
patches:
|
||||
- patch: |-
|
||||
- op: add
|
||||
path: /metadata/labels
|
||||
value: {"openshift.io/cluster-monitoring": "true"}
|
||||
target:
|
||||
kind: Namespace
|
||||
- patch: |-
|
||||
- op: replace
|
||||
path: /spec/channel
|
||||
value: stable
|
||||
target:
|
||||
kind: Subscription
|
||||
name: compliance-operator
|
||||
@@ -0,0 +1,18 @@
|
||||
apiVersion: compliance.openshift.io/v1alpha1
|
||||
kind: TailoredProfile
|
||||
metadata:
|
||||
name: ocp4-cis-node-lab
|
||||
annotations:
|
||||
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
|
||||
argocd.argoproj.io/sync-wave: "1"
|
||||
spec:
|
||||
extends: ocp4-cis-node
|
||||
description: Lab CIS node profile
|
||||
title: Lab CIS node profile
|
||||
disableRules:
|
||||
- name: ocp4-file-permissions-etcd-data-dir
|
||||
rationale: Default value of `drwxr-xr-x.` is fine
|
||||
- name: ocp4-kubelet-enable-protect-kernel-defaults
|
||||
rationale: Not applicable
|
||||
- name: ocp4-kubelet-enable-protect-kernel-sysctl
|
||||
rationale: Not applicable
|
||||
@@ -0,0 +1,38 @@
|
||||
apiVersion: compliance.openshift.io/v1alpha1
|
||||
kind: TailoredProfile
|
||||
metadata:
|
||||
name: ocp4-cis-lab
|
||||
annotations:
|
||||
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
|
||||
argocd.argoproj.io/sync-wave: "1"
|
||||
spec:
|
||||
extends: ocp4-cis
|
||||
description: Lab CIS profile
|
||||
title: Lab CIS profile
|
||||
disableRules:
|
||||
- name: ocp4-api-server-encryption-provider-cipher
|
||||
rationale: Using letsencrypt certificates, not applicable
|
||||
- name: ocp4-audit-log-forwarding-enabled
|
||||
rationale: Homelab so no log forwarding available
|
||||
- name: ocp4-scc-limit-container-allowed-capabilities
|
||||
rationale: Some containers require extra privileges
|
||||
- name: ocp4-configure-network-policies-namespaces
|
||||
rationale: Home lab supports ad-hoc demos
|
||||
- name: ocp4-api-server-audit-log-maxsize
|
||||
rationale: Home lab, no need for auditing
|
||||
- name: ocp4-ocp-api-server-audit-log-maxsize
|
||||
rationale: Home lab, no need for auditing
|
||||
- name: ocp4-audit-profile-set
|
||||
rationale: Home lab, default auditing is sufficient
|
||||
- name: ocp4-ocp-allowed-registries
|
||||
rationale: Home lab, open registries is fine
|
||||
- name: ocp4-ocp-allowed-registries-for-import
|
||||
rationale: Home lab, open registries is fine
|
||||
- name: ocp4-api-server-api-priority-gate-enabled
|
||||
rationale: Need to understand mis-behaving clients in Home lab
|
||||
- name: ocp4-kubelet-configure-tls-cipher-suites-ingresscontroller
|
||||
rationale: Home lab
|
||||
- name: ocp4-api-server-tls-cipher-suites
|
||||
rationale: Home lab
|
||||
- name: ocp4-kubelet-configure-tls-cipher-suites
|
||||
rationale: Home lab
|
||||
6
components/consolelinks/base/kustomization.yaml
Normal file
6
components/consolelinks/base/kustomization.yaml
Normal file
@@ -0,0 +1,6 @@
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
|
||||
resources:
|
||||
- quay-link.yaml
|
||||
- sso-link.yaml
|
||||
11
components/consolelinks/base/quay-link.yaml
Normal file
11
components/consolelinks/base/quay-link.yaml
Normal file
@@ -0,0 +1,11 @@
|
||||
apiVersion: console.openshift.io/v1
|
||||
kind: ConsoleLink
|
||||
metadata:
|
||||
name: quay
|
||||
spec:
|
||||
href: 'https://quay.io/repository'
|
||||
location: ApplicationMenu
|
||||
text: Quay
|
||||
applicationMenu:
|
||||
section: Tools
|
||||
imageURL: https://quay.io/static/img/quay_favicon.png
|
||||
8
components/consolelinks/base/sso-link.yaml
Normal file
8
components/consolelinks/base/sso-link.yaml
Normal file
@@ -0,0 +1,8 @@
|
||||
apiVersion: console.openshift.io/v1
|
||||
kind: ConsoleLink
|
||||
metadata:
|
||||
name: sso-account
|
||||
spec:
|
||||
href: 'https://sso.ocplab.com/realms/ocplab/account'
|
||||
location: UserMenu
|
||||
text: Account Settings
|
||||
@@ -0,0 +1,2 @@
|
||||
resources:
|
||||
- subscription.yaml
|
||||
@@ -0,0 +1,11 @@
|
||||
apiVersion: operators.coreos.com/v1alpha1
|
||||
kind: Subscription
|
||||
metadata:
|
||||
name: container-security-operator
|
||||
namespace: openshift-operators
|
||||
spec:
|
||||
channel: stable-3.7
|
||||
installPlanApproval: Automatic
|
||||
name: container-security-operator
|
||||
source: redhat-operators
|
||||
sourceNamespace: openshift-marketplace
|
||||
@@ -0,0 +1,11 @@
|
||||
resources:
|
||||
- ../../base
|
||||
|
||||
patches:
|
||||
- patch: |-
|
||||
- op: replace
|
||||
path: /spec/channel
|
||||
value: 'stable-3.10'
|
||||
target:
|
||||
kind: Subscription
|
||||
name: container-security-operator
|
||||
@@ -0,0 +1,11 @@
|
||||
resources:
|
||||
- ../../base
|
||||
|
||||
patches:
|
||||
- patch: |-
|
||||
- op: replace
|
||||
path: /spec/channel
|
||||
value: 'stable-3.13'
|
||||
target:
|
||||
kind: Subscription
|
||||
name: container-security-operator
|
||||
@@ -0,0 +1,11 @@
|
||||
resources:
|
||||
- ../../base
|
||||
|
||||
patches:
|
||||
- patch: |-
|
||||
- op: replace
|
||||
path: /spec/channel
|
||||
value: 'stable-3.9'
|
||||
target:
|
||||
kind: Subscription
|
||||
name: container-security-operator
|
||||
25
components/defrag-etcd/base/cronjob.yaml
Normal file
25
components/defrag-etcd/base/cronjob.yaml
Normal file
@@ -0,0 +1,25 @@
|
||||
apiVersion: batch/v1
|
||||
kind: CronJob
|
||||
metadata:
|
||||
name: defrag-etcd
|
||||
spec:
|
||||
schedule: "0 11 * * *"
|
||||
jobTemplate:
|
||||
spec:
|
||||
template:
|
||||
spec:
|
||||
containers:
|
||||
- name: defrag-etcd
|
||||
image: registry.redhat.io/openshift4/ose-cli:latest
|
||||
imagePullPolicy: IfNotPresent
|
||||
command:
|
||||
- /bin/bash
|
||||
- -c
|
||||
- |
|
||||
#!/usr/bin/env bash
|
||||
|
||||
oc get pods -l app=etcd -n openshift-etcd --no-headers -o custom-columns=":metadata.name" | while read -r pod ; do
|
||||
oc exec -n openshift-etcd $pod --container etcdctl -- sh -c "unset ETCDCTL_ENDPOINTS && etcdctl --command-timeout=30s --endpoints=https://localhost:2379 defrag"
|
||||
done
|
||||
serviceAccountName: defrag-etcd
|
||||
restartPolicy: OnFailure
|
||||
5
components/defrag-etcd/base/kustomization.yaml
Normal file
5
components/defrag-etcd/base/kustomization.yaml
Normal file
@@ -0,0 +1,5 @@
|
||||
namespace: openshift-etcd
|
||||
|
||||
resources:
|
||||
- sa-rbac.yaml
|
||||
- cronjob.yaml
|
||||
36
components/defrag-etcd/base/sa-rbac.yaml
Normal file
36
components/defrag-etcd/base/sa-rbac.yaml
Normal file
@@ -0,0 +1,36 @@
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: defrag-etcd
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: defrag-etcd
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- pods
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- exec
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- pods/exec
|
||||
verbs:
|
||||
- create
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: defrag-etcd
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: defrag-etcd
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: defrag-etcd
|
||||
16
components/dev-console-plugin/base/kustomization.yaml
Normal file
16
components/dev-console-plugin/base/kustomization.yaml
Normal file
@@ -0,0 +1,16 @@
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
|
||||
resources:
|
||||
- namespace.yaml
|
||||
|
||||
helmGlobals:
|
||||
chartHome: charts/openshift-console-plugin
|
||||
|
||||
helmCharts:
|
||||
- name: openshift-console-plugin
|
||||
version: 0.3.0
|
||||
repo: https://gnunn-gitops.github.io/helm-charts
|
||||
valuesFile: values.yaml
|
||||
namespace: dev-console-plugin
|
||||
releaseName: dev-console-plugin
|
||||
4
components/dev-console-plugin/base/namespace.yaml
Normal file
4
components/dev-console-plugin/base/namespace.yaml
Normal file
@@ -0,0 +1,4 @@
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: dev-console-plugin
|
||||
4
components/dev-console-plugin/base/values.yaml
Normal file
4
components/dev-console-plugin/base/values.yaml
Normal file
@@ -0,0 +1,4 @@
|
||||
plugin:
|
||||
name: dev-console-plugin
|
||||
namespace: dev-console-plugin
|
||||
image: quay.io/gnunn/dev-console-plugin:latest
|
||||
@@ -0,0 +1,33 @@
|
||||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
metadata:
|
||||
name: configure-sonarqube
|
||||
spec:
|
||||
template:
|
||||
spec:
|
||||
containers:
|
||||
- image: registry.access.redhat.com/ubi8/ubi:8.3
|
||||
command:
|
||||
- /bin/bash
|
||||
- -c
|
||||
- |
|
||||
curl -H 'Cache-Control: no-cache' -o /tmp/sonarqube-plugins -s ${SCRIPT_URL};
|
||||
chmod +x /tmp/sonarqube-plugins;
|
||||
/tmp/sonarqube-plugins
|
||||
imagePullPolicy: Always
|
||||
name: configure-sonarqube
|
||||
env:
|
||||
- name: SONARQUBE_PLUGINS
|
||||
value: "java,javascript,dependencycheck,jacoco,pmd,scmgit"
|
||||
- name: SONARQUBE_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: sonarqube-admin
|
||||
key: password
|
||||
- name: SCRIPT_URL
|
||||
value: "https://raw.githubusercontent.com/gnunn-gitops/cluster-config/main/components/dev-tools/scripts/sonarqube-config"
|
||||
dnsPolicy: ClusterFirst
|
||||
restartPolicy: OnFailure
|
||||
serviceAccount: default
|
||||
serviceAccountName: default
|
||||
terminationGracePeriodSeconds: 30
|
||||
48
components/dev-tools/overlays/default/kustomization.yaml
Normal file
48
components/dev-tools/overlays/default/kustomization.yaml
Normal file
@@ -0,0 +1,48 @@
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
|
||||
namespace: dev-tools
|
||||
|
||||
bases:
|
||||
# Nexus
|
||||
- https://github.com/redhat-cop/gitops-catalog/nexus2/base
|
||||
# Sonarqube
|
||||
- sonarqube-admin-secret.yaml
|
||||
- https://github.com/redhat-cop/gitops-catalog/sonarqube8/base
|
||||
- configure-sonarqube-job.yaml
|
||||
|
||||
resources:
|
||||
- namespace.yaml
|
||||
|
||||
patches:
|
||||
- patch: |-
|
||||
- op: replace
|
||||
path: /spec/template/spec/containers/0/image
|
||||
value: sonarqube:lts-community
|
||||
target:
|
||||
kind: Deployment
|
||||
name: sonarqube
|
||||
- patch: |-
|
||||
- op: add
|
||||
path: /spec/template/spec/containers/0/env
|
||||
value:
|
||||
- name: SONAR_JDBC_PASSWORD
|
||||
value: kHPdpIYtdtGXeStv
|
||||
- name: SONAR_JDBC_URL
|
||||
value: 'jdbc:postgresql://postgresql-sonarqube/sonar'
|
||||
- name: SONAR_JDBC_USERNAME
|
||||
value: sonar
|
||||
- name: SONAR_TELEMETRY_ENABLE
|
||||
value: 'false'
|
||||
- name: SONAR_PLUGINS_RISK_CONSENT
|
||||
value: ACCEPTED
|
||||
target:
|
||||
kind: Deployment
|
||||
name: sonarqube
|
||||
- patch: |-
|
||||
- op: add
|
||||
path: /spec/tls
|
||||
value:
|
||||
termination: edge
|
||||
target:
|
||||
kind: Route
|
||||
7
components/dev-tools/overlays/default/namespace.yaml
Normal file
7
components/dev-tools/overlays/default/namespace.yaml
Normal file
@@ -0,0 +1,7 @@
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
annotations:
|
||||
openshift.io/description: Project for development tools like nexus and sonarqube
|
||||
openshift.io/display-name: Development Tools
|
||||
name: dev-tools
|
||||
@@ -0,0 +1,15 @@
|
||||
apiVersion: external-secrets.io/v1beta1
|
||||
kind: ExternalSecret
|
||||
metadata:
|
||||
name: sonarqube-admin
|
||||
namespace: dev-tools
|
||||
spec:
|
||||
secretStoreRef:
|
||||
kind: ClusterSecretStore
|
||||
name: doppler-cluster
|
||||
target:
|
||||
name: sonarqube-admin
|
||||
data:
|
||||
- secretKey: password
|
||||
remoteRef:
|
||||
key: SONARQUBE_ADMIN_PASSWORD
|
||||
27
components/dev-tools/scripts/sonarqube-config
Normal file
27
components/dev-tools/scripts/sonarqube-config
Normal file
@@ -0,0 +1,27 @@
|
||||
SONARQUBE_HOST=sonarqube:9000
|
||||
|
||||
echo "Waiting for sonarqube to be ready..."
|
||||
|
||||
until [ "$(curl --silent --show-error --connect-timeout 1 http://${SONARQUBE_HOST}/api/system/status | grep 'UP')" ];
|
||||
do
|
||||
sleep 5
|
||||
done
|
||||
echo "SonarQube reporting UP. Wait 5 seconds to be sure."
|
||||
sleep 5
|
||||
|
||||
echo "Updating admin password on host ${SONARQUBE_HOST}"
|
||||
curl -u admin:admin -X POST "http://${SONARQUBE_HOST}/api/users/change_password?login=admin&previousPassword=admin&password=${SONARQUBE_PASSWORD}"
|
||||
|
||||
echo "Disabling force authentication for demo purposes"
|
||||
curl -u admin:${SONARQUBE_PASSWORD} --request POST "http://sonarqube:9000/api/settings/set?key=sonar.forceAuthentication&value=false"
|
||||
|
||||
echo "Installing plugins ${SONARQUBE_PLUGINS} on server ${SONARQUBE_HOST}"
|
||||
|
||||
for i in ${SONARQUBE_PLUGINS//,/ }
|
||||
do
|
||||
echo "Installing $i"
|
||||
curl -u admin:${SONARQUBE_PASSWORD} --data "key=$i" http://${SONARQUBE_HOST}/api/plugins/install
|
||||
done
|
||||
|
||||
echo "Restarting server ${SONARQUBE_HOST} ..."
|
||||
curl -u admin:${SONARQUBE_PASSWORD} -X POST http://${SONARQUBE_HOST}/api/system/restart
|
||||
7
components/eso/instance/base/kustomization.yaml
Normal file
7
components/eso/instance/base/kustomization.yaml
Normal file
@@ -0,0 +1,7 @@
|
||||
namespace: external-secrets
|
||||
|
||||
resources:
|
||||
- namespace.yaml
|
||||
- operatorconfig.yaml
|
||||
- podmonitor.yaml
|
||||
- prometheus-rule.yaml
|
||||
4
components/eso/instance/base/namespace.yaml
Normal file
4
components/eso/instance/base/namespace.yaml
Normal file
@@ -0,0 +1,4 @@
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: external-secrets
|
||||
22
components/eso/instance/base/operatorconfig.yaml
Normal file
22
components/eso/instance/base/operatorconfig.yaml
Normal file
@@ -0,0 +1,22 @@
|
||||
apiVersion: operator.external-secrets.io/v1alpha1
|
||||
kind: OperatorConfig
|
||||
metadata:
|
||||
annotations:
|
||||
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
|
||||
argocd.argoproj.io/sync-wave: "1"
|
||||
name: cluster
|
||||
spec:
|
||||
crds:
|
||||
conversion:
|
||||
enabled: false
|
||||
prometheus:
|
||||
enabled: true
|
||||
service:
|
||||
port: 8080
|
||||
resources:
|
||||
requests:
|
||||
cpu: 10m
|
||||
memory: 96Mi
|
||||
limits:
|
||||
cpu: 100m
|
||||
memory: 256Mi
|
||||
27
components/eso/instance/base/podmonitor.yaml
Normal file
27
components/eso/instance/base/podmonitor.yaml
Normal file
@@ -0,0 +1,27 @@
|
||||
apiVersion: monitoring.coreos.com/v1
|
||||
kind: PodMonitor
|
||||
metadata:
|
||||
name: external-secrets-controller
|
||||
namespace: external-secrets
|
||||
labels:
|
||||
app.kubernetes.io/name: external-secrets-cert-controller
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: external-secrets-cert-controller
|
||||
podMetricsEndpoints:
|
||||
- port: metrics
|
||||
---
|
||||
apiVersion: monitoring.coreos.com/v1
|
||||
kind: PodMonitor
|
||||
metadata:
|
||||
name: external-secrets
|
||||
namespace: external-secrets
|
||||
labels:
|
||||
app.kubernetes.io/name: external-secrets
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: external-secrets
|
||||
podMetricsEndpoints:
|
||||
- port: metrics
|
||||
20
components/eso/instance/base/prometheus-rule.yaml
Normal file
20
components/eso/instance/base/prometheus-rule.yaml
Normal file
@@ -0,0 +1,20 @@
|
||||
apiVersion: monitoring.coreos.com/v1
|
||||
kind: PrometheusRule
|
||||
metadata:
|
||||
name: external-secrets
|
||||
namespace: external-secrets
|
||||
spec:
|
||||
groups:
|
||||
- name: ExternalSecrets
|
||||
rules:
|
||||
- alert: ExternalSecretSyncError
|
||||
annotations:
|
||||
description: |-
|
||||
The external secret {{ $labels.exported_namespace }}/{{ $labels.name }} failed to synced.
|
||||
Use this command to check the status:
|
||||
oc get externalsecret {{ $labels.name }} -n {{ $labels.exported_namespace }}
|
||||
summary: External secret failed to sync
|
||||
labels:
|
||||
severity: warning
|
||||
expr: externalsecret_status_condition{status="False"} == 1
|
||||
for: 5m
|
||||
7
components/eso/operator/base/kustomization.yaml
Normal file
7
components/eso/operator/base/kustomization.yaml
Normal file
@@ -0,0 +1,7 @@
|
||||
namespace: external-secrets-operator
|
||||
|
||||
resources:
|
||||
- namespace.yaml
|
||||
- operatorgroup.yaml
|
||||
- subscription.yaml
|
||||
- github.com/redhat-cop/gitops-catalog/installplan-approver/base
|
||||
4
components/eso/operator/base/namespace.yaml
Normal file
4
components/eso/operator/base/namespace.yaml
Normal file
@@ -0,0 +1,4 @@
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: external-secrets-operator
|
||||
6
components/eso/operator/base/operatorgroup.yaml
Normal file
6
components/eso/operator/base/operatorgroup.yaml
Normal file
@@ -0,0 +1,6 @@
|
||||
apiVersion: operators.coreos.com/v1
|
||||
kind: OperatorGroup
|
||||
metadata:
|
||||
name: external-secrets-operator
|
||||
spec:
|
||||
upgradeStrategy: Default
|
||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user