Squashed 'cluster-config/' content from commit 654f2390

git-subtree-dir: cluster-config
git-subtree-split: 654f23903bd1f9a27a4810bd289d165b6cfdbb0c
This commit is contained in:
2025-03-30 15:46:16 -05:00
commit fe564d7227
346 changed files with 11754 additions and 0 deletions

View File

@@ -0,0 +1,38 @@
apiVersion: apps.3scale.net/v1alpha1
kind: APIManager
metadata:
name: apimanager
namespace: 3scale
spec:
resourceRequirementsEnabled: true
wildcardDomain: 3scale.apps.home.ocplab.com
system:
database:
postgresql:
persistentVolumeClaim:
storageClassName: iscsi
redisPersistentVolumeClaim:
storageClassName: iscsi
fileStorage:
persistentVolumeClaim:
storageClassName: managed-nfs-storage
redisResources:
requests:
cpu: 150m
memory: 256Mi
limits:
cpu: 500m
memory: 4Gi
backend:
redisPersistentVolumeClaim:
storageClassName: iscsi
redisResources:
limits:
cpu: 500m
memory: 4Gi
requests:
cpu: 150m
memory: 256Mi
fileStorage:
persistentVolumeClaim:
storageClassName: managed-nfs-storage

View File

@@ -0,0 +1,125 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: declarative-configurations
namespace: stackrox
spec:
refreshInterval: 1h
secretStoreRef:
kind: ClusterSecretStore
name: doppler-cluster
target:
name: declarative-configurations
creationPolicy: Owner
template:
data:
keycloak-auth.yaml: |
name: keycloak
minimumRole: None
uiEndpoint: central-stackrox.${SUB_DOMAIN}:443
oidc:
issuer: https://keycloak.${SUB_DOMAIN}/realms/openshift
mode: auto
clientID: acs
clientSecret: {{ .keycloak_client_secret }}
disableOfflineAccessScope: true
groups:
- key: email
value: admin@ocplab.com
role: Admin
- key: email
value: clusteradmin@workshop-noreply.com
role: Admin
- key: email
value: gnunn+user1@redhat.com
role: Product Catalog Admins
openshift-auth.yaml: |
name: openshift
uiEndpoint: central-stackrox.${SUB_DOMAIN}:443
openshift:
enable: true
minimumRole: None
groups:
- key: name
value: admin
role: Admin
- key: groups
value: product-catalog-admins
role: Product Catalog Admins
product-catalog-access-scope.yaml: |
name: product-catalog-admins
description: Access rights for users that can manage Product Catalog namespaces
rules:
includedNamespaces:
- clusterName: home
namespaceName: product-catalog-dev
- clusterName: home
namespaceName: product-catalog-test
- clusterName: home
namespaceName: product-catalog-monitor
- clusterName: home
namespaceName: product-catalog-prod
- clusterName: home
namespaceName: product-catalog-cicd
- clusterName: home
namespaceName: product-catalog-gitops
namespace-admin-permission-set.yaml: |
name: Namespace Administrator
description: A user that is an administrator of one or namespaces across various clusters
resources:
- resource: Access
access: NO_ACCESS
- resource: Administration
access: NO_ACCESS
- resource: Alert
access: READ_ACCESS
- resource: CVE
access: READ_ACCESS
- resource: Cluster
access: READ_ACCESS
- resource: Compliance
access: READ_ACCESS
- resource: Deployment
access: READ_ACCESS
- resource: DeploymentExtension
access: READ_ACCESS
- resource: Detection
access: READ_ACCESS
- resource: Image
access: READ_ACCESS
- resource: Integration
access: NO_ACCESS
- resource: K8sRole
access: READ_ACCESS
- resource: K8sRoleBinding
access: READ_ACCESS
- resource: K8sSubject
access: READ_ACCESS
- resource: Namespace
access: READ_ACCESS
- resource: NetworkGraph
access: READ_ACCESS
- resource: NetworkPolicy
access: READ_ACCESS
- resource: Node
access: READ_ACCESS
- resource: Secret
access: READ_ACCESS
- resource: ServiceAccount
access: READ_ACCESS
- resource: WatchedImage
access: READ_WRITE_ACCESS
- resource: VulnerabilityManagementApprovals
access: READ_ACCESS
- resource: VulnerabilityManagementRequests
access: READ_WRITE_ACCESS
product-catalog-roles.yaml: |
name: Product Catalog Admins
description: Administrators of product catalog namespaces
permissionSet: Namespace Administrator
accessScope: product-catalog-admins
globalAccess: NO_ACCESS
data:
- secretKey: keycloak_client_secret
remoteRef:
key: ACS_KEYCLOAK_CLIENT_SECRET

View File

@@ -0,0 +1,2 @@
resources:
- declarative-config.yaml

View File

@@ -0,0 +1,26 @@
apiVersion: external-secrets.io/v1alpha1
kind: PushSecret
metadata:
name: admission-tls
namespace: stackrox
spec:
refreshInterval: 10s
secretStoreRefs:
- name: doppler-push-secret
kind: ClusterSecretStore
selector:
secret:
name: admission-control-tls
data:
- match:
secretKey: ca.pem
remoteRef:
remoteKey: ACS_ADMISSION_CONTROL_TLS_CA
- match:
secretKey: admission-control-cert.pem
remoteRef:
remoteKey: ACS_ADMISSION_CONTROL_TLS_CERT
- match:
secretKey: admission-control-key.pem
remoteRef:
remoteKey: ACS_ADMISSION_CONTROL_TLS_KEY

View File

@@ -0,0 +1,26 @@
apiVersion: external-secrets.io/v1alpha1
kind: PushSecret
metadata:
name: collector-tls
namespace: stackrox
spec:
refreshInterval: 10s
secretStoreRefs:
- name: doppler-push-secret
kind: ClusterSecretStore
selector:
secret:
name: collector-tls
data:
- match:
secretKey: ca.pem
remoteRef:
remoteKey: ACS_COLLECTOR_TLS_CA
- match:
secretKey: collector-cert.pem
remoteRef:
remoteKey: ACS_COLLECTOR_TLS_CERT
- match:
secretKey: collector-key.pem
remoteRef:
remoteKey: ACS_COLLECTOR_TLS_KEY

View File

@@ -0,0 +1,31 @@
commonAnnotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
resources:
- github.com/redhat-cop/gitops-catalog/advanced-cluster-security-operator/aggregate/default
- admission-control-tls-push-secret.yaml
- collector-tls-push-secret.yaml
- sensor-tls-push-secret.yaml
patches:
- patch: |-
- op: replace
path: /spec/channel
value: 'rhacs-4.7'
target:
kind: Subscription
name: rhacs-operator
- patch: |-
- op: replace
path: /spec/perNode/collector/collection
value: EBPF
target:
kind: SecuredCluster
- patch: |-
- op: add
path: /spec/central/declarativeConfiguration
value:
secrets:
- name: declarative-configurations
target:
kind: Central

View File

@@ -0,0 +1,26 @@
apiVersion: external-secrets.io/v1alpha1
kind: PushSecret
metadata:
name: sensor-tls
namespace: stackrox
spec:
refreshInterval: 10s
secretStoreRefs:
- name: doppler-push-secret
kind: ClusterSecretStore
selector:
secret:
name: sensor-tls
data:
- match:
secretKey: ca.pem
remoteRef:
remoteKey: ACS_SENSOR_TLS_CA
- match:
secretKey: sensor-cert.pem
remoteRef:
remoteKey: ACS_SENSOR_TLS_CERT
- match:
secretKey: sensor-key.pem
remoteRef:
remoteKey: ACS_SENSOR_TLS_KEY

View File

@@ -0,0 +1,25 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
annotations:
argocd.argoproj.io/sync-wave: "0"
name: admission-control-tls
namespace: stackrox-secured-cluster-service
spec:
refreshInterval: 1h
secretStoreRef:
kind: ClusterSecretStore
name: doppler-cluster
target:
name: admission-control-tls
creationPolicy: Owner
data:
- secretKey: ca.pem
remoteRef:
key: ACS_ADMISSION_CONTROL_TLS_CA
- secretKey: admission-control-cert.pem
remoteRef:
key: ACS_ADMISSION_CONTROL_TLS_CERT
- secretKey: admission-control-key.pem
remoteRef:
key: ACS_ADMISSION_CONTROL_TLS_KEY

View File

@@ -0,0 +1,25 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
annotations:
argocd.argoproj.io/sync-wave: "0"
name: collector-tls
namespace: stackrox-secured-cluster-service
spec:
refreshInterval: 1h
secretStoreRef:
kind: ClusterSecretStore
name: doppler-cluster
target:
name: collector-tls
creationPolicy: Owner
data:
- secretKey: ca.pem
remoteRef:
key: ACS_COLLECTOR_TLS_CA
- secretKey: collector-cert.pem
remoteRef:
key: ACS_COLLECTOR_TLS_CERT
- secretKey: collector-key.pem
remoteRef:
key: ACS_COLLECTOR_TLS_KEY

View File

@@ -0,0 +1,25 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
annotations:
argocd.argoproj.io/sync-wave: "0"
name: sensor-tls
namespace: stackrox-secured-cluster-service
spec:
refreshInterval: 1h
secretStoreRef:
kind: ClusterSecretStore
name: doppler-cluster
target:
name: sensor-tls
creationPolicy: Owner
data:
- secretKey: ca.pem
remoteRef:
key: ACS_SENSOR_TLS_CA
- secretKey: sensor-cert.pem
remoteRef:
key: ACS_SENSOR_TLS_CERT
- secretKey: sensor-key.pem
remoteRef:
key: ACS_SENSOR_TLS_KEY

View File

@@ -0,0 +1,19 @@
# commonAnnotations:
# argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
resources:
- github.com/redhat-cop/gitops-catalog/advanced-cluster-security-operator/operator/overlays/latest
- namespace.yaml
- acs-admission-control-tls-secret.yaml
- acs-sensor-tls-secret.yaml
- acs-collector-tls-secret.yaml
- secured-cluster.yaml
patches:
- patch: |-
- op: replace
path: /spec/channel
value: 'rhacs-4.7'
target:
kind: Subscription
name: rhacs-operator

View File

@@ -0,0 +1,6 @@
apiVersion: v1
kind: Namespace
metadata:
annotations:
argocd.argoproj.io/sync-wave: "0"
name: stackrox-secured-cluster-service

View File

@@ -0,0 +1,18 @@
kind: SecuredCluster
apiVersion: platform.stackrox.io/v1alpha1
metadata:
annotations:
argocd.argoproj.io/sync-wave: "5"
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
name: stackrox-secured-cluster-services
namespace: stackrox-secured-cluster-service
spec:
clusterName: ${CLUSTER_NAME}
centralEndpoint: central-stackrox.apps.hub.ocplab.com:443
admissionControl:
contactImageScanners: ScanIfMissing
listenOnCreates: true
listenOnUpdates: true
timeoutSeconds: 6
scannerV4:
scannerComponent: Default

View File

@@ -0,0 +1,79 @@
apiVersion: batch/v1
kind: Job
metadata:
annotations:
argocd.argoproj.io/sync-wave: "10"
name: create-sso-auth-provider
namespace: stackrox
spec:
template:
spec:
containers:
- image: image-registry.openshift-image-registry.svc:5000/openshift/cli:latest
env:
- name: CLIENT_SECRET
valueFrom:
secretKeyRef:
name: sso-secret
key: client-secret
- name: PASSWORD
valueFrom:
secretKeyRef:
name: central-htpasswd
key: password
- name: ISSUER
value: https://sso-sso.apps.home.ocplab.com/auth/realms/openshift
- name: DEFAULT_ROLE
value: Admin
command:
- /bin/bash
- -c
- |
#!/usr/bin/env bash
# Wait for central to be ready
attempt_counter=0
max_attempts=20
echo "Waiting for central to be available..."
until $(curl -k --output /dev/null --silent --head --fail https://central); do
if [ ${attempt_counter} -eq ${max_attempts} ];then
echo "Max attempts reached"
exit 1
fi
printf '.'
attempt_counter=$(($attempt_counter+1))
echo "Made attempt $attempt_counter, waiting..."
sleep 5
done
echo "Configuring SSO Provider"
echo "Test if SSO Provider already exists"
response=$(curl -k -u "admin:$PASSWORD" https://central/v1/authProviders?name=OpenShift | python3 -c "import sys, json; print(json.load(sys.stdin)['authProviders'], end = '')")
if [[ "$response" != "[]" ]] ; then
echo "OpenShift Provider already exists, exiting"
exit 0
fi
export DATA='{"name":"OpenShift","type":"oidc","uiEndpoint":"central-stackrox.apps.home.ocplab.com","enabled":true,"config":{"client_id":"stackrox","client_secret":"'${CLIENT_SECRET}'","issuer":"'$ISSUER'","mode":"post"},"validated":true,"extraUiEndpoints":[],"active":true}'
echo "Posting data: ${DATA}"
authid=$(curl -k -X POST -u "admin:$PASSWORD" -H "Content-Type: application/json" --data $DATA https://central/v1/authProviders | python3 -c "import sys, json; print(json.load(sys.stdin)['id'], end = '')")
echo "Authentication Provider created with id ${authid}"
echo "Updating minimum role to Admin"
export DATA='{"previous_groups":[],"required_groups":[{"props":{"authProviderId":"'${authid}'"},"roleName":"'${DEFAULT_ROLE}'"}]}'
curl -k -X POST -u "admin:$PASSWORD" -H "Content-Type: application/json" --data $DATA https://central/v1/groupsbatch
imagePullPolicy: Always
name: create-sso-auth-provider
dnsPolicy: ClusterFirst
restartPolicy: Never
serviceAccount: create-cluster-init
serviceAccountName: create-cluster-init
terminationGracePeriodSeconds: 30

View File

@@ -0,0 +1,18 @@
commonAnnotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
resources:
- github.com/redhat-cop/gitops-catalog/advanced-cluster-security-operator/operator/overlays/latest
- github.com/redhat-cop/gitops-catalog/advanced-cluster-security-operator/instance/overlays/internal-registry-integration
- sso-sealed-secret.yaml
- create-sso-auth-provider-job.yaml
# Use Andrew's Pipeline to create Stackrox API Tokens in tenant namespaces
- github.com/pittar-gitops/gitops-mono-repo-admins/03-cluster-services/08-advanced-cluster-security/pipelines-and-secrets
patchesJson6902:
- path: patch-resources.yaml
target:
group: platform.stackrox.io
kind: Central
name: central
version: v1alpha1

View File

@@ -0,0 +1,22 @@
- op: add
path: /spec/central/resources
value:
limits:
memory: 2Gi
requests:
cpu: 500m
memory: 512Mi
- op: add
path: /spec/scanner/analyzer/resources
value:
limits:
memory: 1Gi
requests:
cpu: 250m
memory: 500Mi
- op: replace
path: /spec/scanner/analyzer/scaling/autoScaling
value: Disabled
- op: replace
path: /spec/scanner/analyzer/scaling/replicas
value: 2

View File

@@ -0,0 +1,15 @@
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
annotations:
argocd.argoproj.io/sync-wave: "0"
name: sso-secret
namespace: stackrox
spec:
encryptedData:
client-secret: AgCk7m6UEoCoLvvLbUW+lXnYxaZ9Hm520Xg9/h9KMifm9mqFnzfxdlPksgZ0SIyw446ThrpAd/x39K1Azm5tMgQwIn+DaTOaDS3NVrwQWnaTBFph5AJ8DbcAMKFfSZAddCCizPlfkB3kv7zL8EIbj9d59Qbn3/0mu4hgqN0I2kOptQwFXt+kYYChrJ13LwDVJ5/wxPCa1VKUQ/osSX9wrddRBn/UQLPpXtH8loePfjn+9/oMMq49S4oiN9AjNUzuLLQHmg0OmeRtH34lGAkFgWHjNboOUDsmDCb78olGKTDIzNJ/Xz6iFmszZm1bhj7IG/VtcGoxroC/eddp1chGq4M8pMYEQkON6vp1bzP6LY3x6PxLjFg0Yl1EPSMZXyONNWJ9pl4drPsJqnw0QqLQG172ucbpGy2CwiaZ4ZwPtp/JcPJCDVW2nwwJNyNodfS8DgUbTF+cHm3/W0Z5BWi5CQvXBMRF3a9LyIuRoFW9w5XNnqKQP0lP/8NKW1K5LmgpVuJSGNg6JEQyRSDnK7WAnfDReDTTTEoivjFFQ7uUJFP/RDYWiXvSE3hNYse331QO5DCATmyDPm36txFaKtfVy/TdVhU7gV07FHPQju7IqfoI9pkc0pQtFUUYB9nFamuHsvkO4brnAjIYuCl7SJeM8xK37xLO4KgbKm/ldqxb80eUScBH963Lk9+H4zgyJ5Wq04dDdnxWrBedXjY00UBbmJ4CVDoGL/24HHbi118ZFTa3N9AJDss=
template:
metadata:
name: sso-secret
namespace: stackrox
type: Opaque

View File

@@ -0,0 +1,7 @@
## Not being used at the moment, use at your own risk :)
Uses a post-sync hook to generate ACS tokens for various namespaces to consume. Useful when there is a need to integrate with ACS for image scanning, etc.
Namespaces can be passed in a comma-separated list via environment variables.
based on Andrew Pitt's tekton task here: https://github.com/pittar-gitops/gitops-mono-repo-admins/tree/main/03-cluster-services/08-advanced-cluster-security/pipelines-and-secrets

View File

@@ -0,0 +1,6 @@
namespace: stackrox
resources:
- postsync-create-roxsecrets-sa-rbac.yaml
- postsync-create-roxsecrets-job.yaml
- postsync-roxsecret-namespaces.yaml

View File

@@ -0,0 +1,85 @@
apiVersion: batch/v1
kind: Job
metadata:
name: postsync-create-roxsecrets-job
namespace: stackrox
annotations:
argocd.argoproj.io/hook: PostSync
argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
spec:
template:
spec:
containers:
- image: quay.io/gnunn/tools:4.10-1
env:
- name: PASSWORD
valueFrom:
secretKeyRef:
key: password
name: central-htpasswd
envFrom:
- configMapRef:
name: roxsecret-namespaces
command:
- /bin/bash
- -c
- |
# Wait for central to be ready
attempt_counter=0
max_attempts=20
echo "Waiting for central to be available..."
until $(curl -k --output /dev/null --silent --head --fail https://$CENTRAL_URL); do
if [ ${attempt_counter} -eq ${max_attempts} ];then
echo "Max attempts reached"
exit 1
fi
printf '.'
attempt_counter=$(($attempt_counter+1))
echo "Made attempt $attempt_counter, waiting..."
sleep 10
done
API_ENDPOINT="/v1/apitokens/generate"
CENTRAL_URL_API="https://$CENTRAL_URL$API_ENDPOINT"
echo "Central API endpoint: $CENTRAL_URL_API"
echo "Creating secrets in namespaces $NAMESPACES"
for NAMESPACE in ${NAMESPACES//,/ }
do
echo "Creating secret for $NAMESPACE"
if [[ `oc get namespace $NAMESPACE 2>/dev/null` ]] ;
then
echo "Namespace '$NAMESPACE' exists, checking secret..."
else
echo "Namespace '$NAMESPACE' doesn't exist, skipping"
continue
fi
# If secret already exists, don't regenerate.
if [[ -n `oc get secret roxsecrets -n $NAMESPACE 2>/dev/null` ]] ;
then
echo "Stackrox token secret already exists in $NAMESPACE"
continue
fi
PAYLOAD="{\"name\": \"$NAMESPACE\", \"role\": \"Continuous Integration\"}"
echo "$PAYLOAD"
echo "Generate new token."
RESPONSE=$(curl -k \
-X POST -u "admin:$PASSWORD" \
-H "Content-Type: application/json" \
--data "$PAYLOAD" \
$CENTRAL_URL_API)
TOKEN=$(jq -r '.token' <<< "$RESPONSE")
# Create secret in target namespace
oc create secret generic roxsecrets \
--from-literal=rox_central_endpoint=$CENTRAL_URL:443 \
--from-literal=rox_api_token=$TOKEN \
-n $NAMESPACE
done
name: create-secrets
dnsPolicy: ClusterFirst
restartPolicy: Never
terminationGracePeriodSeconds: 30
serviceAccount: postsync-create-roxsecrets
serviceAccountName: postsync-create-roxsecrets

View File

@@ -0,0 +1,40 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: postsync-create-roxsecrets
namespace: stackrox
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
argocd.argoproj.io/sync-wave: "1"
name: postsync-create-roxsecrets
namespace: stackrox
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- create
- apiGroups:
- ""
resources:
- namespaces
verbs:
- get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: postsync-create-roxsecrets
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: postsync-create-roxsecrets
subjects:
- kind: ServiceAccount
name: postsync-create-roxsecrets
namespace: stackrox

View File

@@ -0,0 +1,8 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: roxsecret-namespaces
namespace: stackrox
data:
NAMESPACES: product-catalog-cicd,demo-cicd
CENTRAL_URL: central-stackrox.apps.hub.ocplab.com

View File

@@ -0,0 +1 @@
See Jonas Janz's repo for examples of alertmanager configuration and slack template [here](https://github.com/PixelJonas/cluster-gitops/tree/master/manifests/argocd/apps/alertmanager/base/apps/examples).

View File

@@ -0,0 +1,18 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: alertmanager-main
namespace: openshift-monitoring
spec:
secretStoreRef:
kind: ClusterSecretStore
name: doppler-cluster
target:
name: alertmanager-main
data:
- secretKey: alertmanager.yaml
remoteRef:
key: ALERTMANAGER
- secretKey: slacktemplate.tmpl
remoteRef:
key: ALERTMANAGER_SLACK_TEMPLATE

View File

@@ -0,0 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- alertmanager-main-secret.yaml

View File

@@ -0,0 +1 @@
Experimenting with OLM v1

View File

@@ -0,0 +1,15 @@
apiVersion: olm.operatorframework.io/v1
kind: ClusterExtension
metadata:
name: amq-streams
spec:
namespace: amq-streams-operator
serviceAccount:
name: amq-streams-installer
source:
sourceType: Catalog
catalog:
packageName: amq-streams
channels:
- amq-streams-2.9.x
upgradeConstraintPolicy: CatalogProvided

View File

@@ -0,0 +1,398 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: amq-streams-installer-clusterrole
rules:
# ClusterRoles and ClusterRoleBindings for the controllers of the extension
- apiGroups:
- rbac.authorization.k8s.io
resources:
- clusterroles
verbs:
- "*"
- apiGroups:
- rbac.authorization.k8s.io
resources:
- clusterrolebindings
verbs:
- "*"
- apiGroups:
- olm.operatorframework.io
resources:
- clusterextensions/finalizers
verbs:
- update
# Scoped to the name of the ClusterExtension
resourceNames:
- amq-streams # the value from <metadata.name> from the extension's custom resource (CR)
# Deployments specified in install.spec.deployments
- apiGroups:
- apps
resources:
- deployments
verbs:
- create
- list
- watch
- apiGroups:
- apps
resources:
- deployments
verbs:
- get
- update
- patch
- delete
# scoped to the extension controller deployment name
resourceNames:
- amq-streams-cluster-operator
- amq-streams-cluster-operator-v2.9.0-0
# Service accounts in the CSV
- apiGroups:
- ""
resources:
- serviceaccounts
verbs:
- create
- list
- watch
- apiGroups:
- ""
resources:
- serviceaccounts
verbs:
- get
- update
- patch
- delete
# scoped to the extension controller's deployment service account
resourceNames:
- strimzi-cluster-operator
# configmaps
- apiGroups:
- ""
resources:
- configmaps
verbs:
- create
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
- list
- watch
- update
- patch
- delete
# scoped to the configmap name
resourceNames:
- strimzi-cluster-operator
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- create
- list
- watch
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- get
- update
- patch
- delete
resourceNames:
- kafkas.kafka.strimzi.io
- kafkanodepools.kafka.strimzi.io
- kafkaconnects.kafka.strimzi.io
- kafkamirrormakers.kafka.strimzi.io
- kafkabridges.kafka.strimzi.io
- kafkatopics.kafka.strimzi.io
- kafkausers.kafka.strimzi.io
- kafkaconnectors.kafka.strimzi.io
- kafkamirrormaker2s.kafka.strimzi.io
- kafkarebalances.kafka.strimzi.io
- strimzipodsets.core.strimzi.io
# install permissions from CSV
- apiGroups:
- "rbac.authorization.k8s.io"
resources:
# The cluster operator needs to access and manage rolebindings to grant Strimzi components cluster permissions
- rolebindings
verbs:
- get
- list
- watch
- create
- delete
- patch
- update
- apiGroups:
- "rbac.authorization.k8s.io"
resources:
# The cluster operator needs to access and manage roles to grant the entity operator permissions
- roles
verbs:
- get
- list
- watch
- create
- delete
- patch
- update
- apiGroups:
- ""
resources:
# The cluster operator needs to access and delete pods, this is to allow it to monitor pod health and coordinate rolling updates
- pods
# The cluster operator needs to access and manage service accounts to grant Strimzi components cluster permissions
- serviceaccounts
# The cluster operator needs to access and manage config maps for Strimzi components configuration
- configmaps
# The cluster operator needs to access and manage services and endpoints to expose Strimzi components to network traffic
- services
- endpoints
# The cluster operator needs to access and manage secrets to handle credentials
# The entity operator user-operator needs to access and manage secrets to store generated credentials
- secrets
# The cluster operator needs to access and manage persistent volume claims to bind them to Strimzi components for persistent data
- persistentvolumeclaims
verbs:
- get
- list
- watch
- create
- delete
- patch
- update
- apiGroups:
- "kafka.strimzi.io"
resources:
# The Cluster Operator operates the Strimzi custom resources
- kafkas
- kafkanodepools
- kafkaconnects
- kafkaconnectors
- kafkamirrormakers
- kafkabridges
- kafkamirrormaker2s
- kafkarebalances
- kafkatopics
- kafkausers
verbs:
- get
- list
- watch
- create
- delete
- patch
- update
- apiGroups:
- "kafka.strimzi.io"
resources:
# The Cluster Operator needs to manage the status of the Strimzi custom resources
- kafkas/status
- kafkanodepools/status
- kafkaconnects/status
- kafkaconnectors/status
- kafkamirrormakers/status
- kafkabridges/status
- kafkamirrormaker2s/status
- kafkarebalances/status
- kafkatopics/status
- kafkausers/status
verbs:
- get
- patch
- update
- apiGroups:
- "core.strimzi.io"
resources:
# The cluster operator uses StrimziPodSets to manage the Kafka and ZooKeeper pods
- strimzipodsets
verbs:
- get
- list
- watch
- create
- delete
- patch
- update
- apiGroups:
- "core.strimzi.io"
resources:
# The Cluster Operator needs to manage the status of the StrimziPodSet custom resource
- strimzipodsets/status
verbs:
- get
- patch
- update
- apiGroups:
- "kafka.strimzi.io"
resources:
# The Cluster Operator needs deletion for KafkaRebalance only (during auto-rebalancing)
- kafkarebalances
verbs:
- delete
- apiGroups:
- "apps"
resources:
# The cluster operator needs to access and manage deployments to run deployment based Strimzi components
- deployments
# The cluster operator needs to access and manage stateful sets to run stateful sets based Strimzi components
- statefulsets
# The cluster operator needs to access replica-sets to manage Strimzi components and to determine error states
- replicasets
verbs:
- get
- list
- watch
- create
- delete
- patch
- update
- apiGroups:
- "apps"
resources:
# The Cluster Operator needs to scale Deployments while migrating Connect and Mirror Maker 2 clusters from Deployments to StrimziPodSets
- deployments/scale
verbs:
- get
- patch
- update
- apiGroups:
- "" # legacy core events api, used by topic operator
- "events.k8s.io" # new events api, used by cluster operator
resources:
- events
verbs:
- create
- apiGroups:
# Kafka Connect Build on OpenShift requirement
- build.openshift.io
resources:
- buildconfigs
- buildconfigs/instantiate
- builds
verbs:
- get
- list
- watch
- create
- delete
- patch
- update
- apiGroups:
- networking.k8s.io
resources:
# The cluster operator needs to access and manage network policies to lock down communication between Strimzi components
- networkpolicies
# The cluster operator needs to access and manage ingresses which allow external access to the services in a cluster
- ingresses
verbs:
- get
- list
- watch
- create
- delete
- patch
- update
- apiGroups:
- route.openshift.io
resources:
# The cluster operator needs to access and manage routes to expose Strimzi components for external access
- routes
- routes/custom-host
verbs:
- get
- list
- watch
- create
- delete
- patch
- update
- apiGroups:
- image.openshift.io
resources:
# The cluster operator needs to verify the image stream when used for Kafka Connect image build
- imagestreams
verbs:
- get
- apiGroups:
- policy
resources:
# The cluster operator needs to access and manage pod disruption budgets this limits the number of concurrent disruptions
# that a Streams component experiences, allowing for higher availability
- poddisruptionbudgets
verbs:
- get
- list
- watch
- create
- delete
- patch
- update
- apiGroups:
- coordination.k8s.io
resources:
# The cluster operator needs to access and manage leases for leader election
# The "create" verb cannot be used with "resourceNames"
- leases
verbs:
- create
- apiGroups:
- coordination.k8s.io
resources:
# The cluster operator needs to access and manage leases for leader election
- leases
resourceNames:
# The default RBAC files give the operator only access to the Lease resource names strimzi-cluster-operator
# If you want to use another resource name or resource namespace, you have to configure the RBAC resources accordingly
- strimzi-cluster-operator
verbs:
- get
- list
- watch
- delete
- patch
- update
# Cluster permissions from CSV
- apiGroups:
- "rbac.authorization.k8s.io"
resources:
# The cluster operator needs to create and manage cluster role bindings in the case of an install where a user
# has specified they want their cluster role bindings generated
- clusterrolebindings
verbs:
- get
- list
- watch
- create
- delete
- patch
- update
- apiGroups:
- storage.k8s.io
resources:
# The cluster operator requires "get" permissions to view storage class details
# This is because only a persistent volume of a supported storage class type can be resized
- storageclasses
verbs:
- get
- apiGroups:
- ""
resources:
# The cluster operator requires "list" permissions to view all nodes in a cluster
# The listing is used to determine the node addresses when NodePort access is configured
# These addresses are then exposed in the custom resource states
# The Kafka Brokers require "get" permissions to view the node they are on
# This information is used to generate a Rack ID that is used for High Availability configurations
- nodes
verbs:
- get
- list

View File

@@ -0,0 +1,12 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: amq-streams-installer-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: amq-streams-installer-clusterrole
subjects:
- kind: ServiceAccount
name: amq-streams-installer
namespace: amq-streams-operator

View File

@@ -0,0 +1,6 @@
resources:
- namespace.yaml
- clusterrole.yaml
- clusterrolebinding.yaml
- serviceaccount.yaml
- clusterextension.yaml

View File

@@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: amq-streams-operator

View File

@@ -0,0 +1,5 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: amq-streams-installer
namespace: amq-streams-operator

View File

@@ -0,0 +1,2 @@
resources:
- subscription.yaml

View File

@@ -0,0 +1,11 @@
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
name: amq-streams
namespace: openshift-operators
spec:
channel: stable
installPlanApproval: Automatic
name: amq-streams
source: redhat-operators
sourceNamespace: openshift-marketplace

View File

@@ -0,0 +1,11 @@
resources:
- ../../base
patches:
- patch: |
- op: replace
path: /spec/channel
value: 'amq-streams-2.7.x'
target:
kind: Subscription
name: amq-streams

View File

@@ -0,0 +1,6 @@
namespace: argo-rollouts
resources:
- namespace.yaml
- rollouts-analysis-monitoring.yaml
- https://github.com/argoproj/argo-rollouts/releases/latest/download/install.yaml

View File

@@ -0,0 +1,7 @@
apiVersion: v1
kind: Namespace
metadata:
name: argo-rollouts
annotations:
openshift.io/description: Argo Rollouts Progressive Delivery
openshift.io/display-name: Argo Rollouts

View File

@@ -0,0 +1,11 @@
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: rollouts-analysis-monitoring
subjects:
- kind: ServiceAccount
name: argo-rollouts
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-monitoring-view

View File

@@ -0,0 +1,3 @@
Displays a banner in the OpenShift Console with the cluster ID and name.
Note that is leveraging ACM to populate the GitOps subscription with environment variables coupled with a plugin in Argo CD to post-process kustomize.

View File

@@ -0,0 +1,12 @@
apiVersion: console.openshift.io/v1
kind: ConsoleNotification
metadata:
name: banner
spec:
text: "Cluster: ${CLUSTER_NAME}"
location: BannerTop
color: '#fff'
backgroundColor: "#${COLOR}"
link:
href: https://console.redhat.com/openshift/details/${CLUSTER_ID}
text: "(${CLUSTER_ID})"

View File

@@ -0,0 +1,2 @@
resources:
- banner.yaml

View File

@@ -0,0 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- subscription.yaml

View File

@@ -0,0 +1,11 @@
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
name: red-hat-camel-k
namespace: openshift-operators
spec:
channel: latest
installPlanApproval: Automatic
name: red-hat-camel-k
source: redhat-operators
sourceNamespace: openshift-marketplace

View File

@@ -0,0 +1,4 @@
resources:
- ../../../operator/base
- ../../../instance/base
- ../../../issuers/letsencrypt-route53/base

View File

@@ -0,0 +1,15 @@
apiVersion: operator.openshift.io/v1alpha1
kind: CertManager
metadata:
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
name: cluster
spec:
logLevel: Normal
managementState: Managed
observedConfig: null
operatorLogLevel: Normal
controllerConfig:
overrideArgs:
- '--dns01-recursive-nameservers=8.8.8.8:53,8.8.4.4:53'
- '--dns01-recursive-nameservers-only'

View File

@@ -0,0 +1,2 @@
resources:
- certmanager.yaml

View File

@@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: cert-manager

View File

@@ -0,0 +1,11 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
commonAnnotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
resources:
- cert-manager-ns.yaml
- letsencrypt-aws-external.yaml
- letsencrypt-staging-cluster-issuer.yaml
- letsencrypt-prod-cluster-issuer.yaml

View File

@@ -0,0 +1,15 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: letsencrypt-aws
namespace: cert-manager
spec:
secretStoreRef:
kind: ClusterSecretStore
name: doppler-cluster
target:
name: letsencrypt-aws
data:
- secretKey: secret-access-key
remoteRef:
key: AWS_LETSENCRYPT

View File

@@ -0,0 +1,23 @@
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-prod
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email: gnunn@redhat.com
# This key doesn't exist, cert-manager creates it
privateKeySecretRef:
name: gnunn-redhat-issuer-account-key
solvers:
- selector:
dnsZones:
- "ocplab.com"
dns01:
route53:
region: ca-central-1
accessKeyID: AKIAVW7HGAZVWLIKXRCA
hostedZoneID: Z1LKUX3GLO9GW9
secretAccessKeySecretRef:
name: letsencrypt-aws
key: secret-access-key

View File

@@ -0,0 +1,23 @@
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-staging
spec:
acme:
server: https://acme-staging-v02.api.letsencrypt.org/directory
email: gnunn@redhat.com
# This key doesn't exist, cert-manager creates it
privateKeySecretRef:
name: gnunn-redhat-issuer-account-key
solvers:
- selector:
dnsZones:
- "ocplab.com"
dns01:
route53:
region: ca-central-1
accessKeyID: AKIAVW7HGAZVWLIKXRCA
hostedZoneID: Z1LKUX3GLO9GW9
secretAccessKeySecretRef:
name: letsencrypt-aws
key: secret-access-key

View File

@@ -0,0 +1,12 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
commonAnnotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
namespace: cert-manager-operator
resources:
- operator-namespace.yaml
- operator-group.yaml
- subscription.yaml

View File

@@ -0,0 +1,8 @@
apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
name: openshift-cert-manager-operator
spec:
targetNamespaces:
- cert-manager-operator
upgradeStrategy: Default

View File

@@ -0,0 +1,8 @@
apiVersion: v1
kind: Namespace
metadata:
annotations:
openshift.io/display-name: Red Hat Certificate Manager Operator
labels:
openshift.io/cluster-monitoring: 'true'
name: cert-manager-operator

View File

@@ -0,0 +1,10 @@
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
name: openshift-cert-manager-operator
spec:
channel: stable-v1
installPlanApproval: Automatic
name: openshift-cert-manager-operator
source: redhat-operators
sourceNamespace: openshift-marketplace

View File

@@ -0,0 +1,14 @@
apiVersion: config.openshift.io/v1
kind: APIServer
metadata:
name: cluster
annotations:
argocd.argoproj.io/sync-wave: "1"
argocd.argoproj.io/sync-options: Validate=false,ServerSideApply=true
spec:
servingCerts:
namedCertificates:
- names:
- api.${BASE_DOMAIN}
servingCertificate:
name: openshift-api-certificate

View File

@@ -0,0 +1,11 @@
apiVersion: operator.openshift.io/v1
kind: IngressController
metadata:
name: default
namespace: openshift-ingress-operator
annotations:
argocd.argoproj.io/sync-wave: "1"
argocd.argoproj.io/sync-options: Validate=false,ServerSideApply=true
spec:
defaultCertificate:
name: openshift-wildcard-certificate

View File

@@ -0,0 +1,8 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- openshift-api-certificate.yaml
- openshift-wildcard-certificate.yaml
- apiserver.yaml
- ingresscontroller.yaml

View File

@@ -0,0 +1,14 @@
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: openshift-api
namespace: openshift-config
annotations:
argocd.argoproj.io/sync-wave: '0'
spec:
secretName: openshift-api-certificate
issuerRef:
name: letsencrypt-prod
kind: ClusterIssuer
dnsNames:
- api.${BASE_DOMAIN}

View File

@@ -0,0 +1,15 @@
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: openshift-wildcard
namespace: openshift-ingress
annotations:
argocd.argoproj.io/sync-wave: '0'
spec:
secretName: openshift-wildcard-certificate
issuerRef:
name: letsencrypt-prod
kind: ClusterIssuer
commonName: '*.${SUB_DOMAIN}'
dnsNames:
- '*.${SUB_DOMAIN}'

View File

@@ -0,0 +1,3 @@
Cronjob that periodically removes completed jobs, based on KCS here:
https://access.redhat.com/solutions/6934861

View File

@@ -0,0 +1,40 @@
apiVersion: batch/v1
kind: CronJob
metadata:
name: completed-pod-cleanup
spec:
jobTemplate:
metadata:
name: completed-pod-cleanup
spec:
template:
spec:
containers:
- command:
- /bin/bash
- -c
- |
set -euo pipefail
echo "// Listed Completed Pod."
oc get pods -o wide --all-namespaces --sort-by='{.metadata.creationTimestamp}','{.metadata.namespace}','{.metadata.name}' --field-selector=status.phase==Succeeded
COMPLETED_POD=`oc get pods -o jsonpath="{range .items[*]}{.metadata.namespace}{'\t'}{.metadata.name}{'\n'}{end}" --all-namespaces --field-selector=metadata.namespace!=ocp-completed-pod-cleanup,status.phase==Succeeded`
if [ -n "$COMPLETED_POD" ]; then
echo "// Deleted Completed Pod."
while read NS_NAME POD_NAME
do
oc -n $NS_NAME delete pod $POD_NAME;
done <<< "$COMPLETED_POD"
fi
image: registry.redhat.io/openshift4/ose-cli:latest # change the image in disconnected environment
imagePullPolicy: IfNotPresent
name: completed-pod-cleanup
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
dnsPolicy: ClusterFirst
restartPolicy: OnFailure
serviceAccount: completed-pod-cleanup
serviceAccountName: completed-pod-cleanup
terminationGracePeriodSeconds: 30
schedule: "0 11 * * *"
suspend: false
status: {}

View File

@@ -0,0 +1,6 @@
namespace: clean-completed-pods
resources:
- namespace.yaml
- clean-completed-pods-cronjob.yaml
- sa-rbac.yaml

View File

@@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: clean-completed-pods

View File

@@ -0,0 +1,31 @@
kind: ServiceAccount
apiVersion: v1
metadata:
name: completed-pod-cleanup
labels:
app: completed-pod-cleanup
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cluster-completed-pod-cleanup
rules:
- apiGroups: [""]
resources:
- "pods"
verbs: ["get", "list", "create", "delete", "watch"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: completed-pod-cleanup
labels:
app: completed-pod-cleanup
subjects:
- kind: ServiceAccount
name: completed-pod-cleanup
namespace: clean-completed-pods
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-completed-pod-cleanup

View File

@@ -0,0 +1,15 @@
apiVersion: org.eclipse.che/v1
kind: CheCluster
metadata:
name: codeready-workspaces
namespace: openshift-workspaces
spec:
auth:
identityProviderURL: 'https://sso-sso.apps.home.ocplab.com'
identityProviderRealm: openshift
identityProviderClientId: codeready-public
externalIdentityProvider: true
server:
selfSignedCert: false
gitSelfSignedCert: false
tlsSupport: true

View File

@@ -0,0 +1,5 @@
resources:
- ../cis-compliance
patchesStrategicMerge:
- patch-scansetting.yaml

View File

@@ -0,0 +1,8 @@
apiVersion: compliance.openshift.io/v1alpha1
debug: true
kind: ScanSetting
metadata:
name: cis-compliance
namespace: openshift-compliance
roles:
- master

View File

@@ -0,0 +1,19 @@
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
argocd.argoproj.io/sync-wave: "1"
name: cis-compliance
namespace: openshift-compliance
profiles:
- apiGroup: compliance.openshift.io/v1alpha1
kind: TailoredProfile
name: ocp4-cis-node-lab
- apiGroup: compliance.openshift.io/v1alpha1
kind: TailoredProfile
name: ocp4-cis-lab
settingsRef:
apiGroup: compliance.openshift.io/v1alpha1
kind: ScanSetting
name: default

View File

@@ -0,0 +1,37 @@
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSetting
metadata:
name: cis-compliance
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
argocd.argoproj.io/sync-wave: "1"
rawResultStorage:
nodeSelector:
node-role.kubernetes.io/master: ""
pvAccessModes:
- ReadWriteOnce
rotation: 3
size: 1Gi
tolerations:
- effect: NoSchedule
key: node-role.kubernetes.io/master
operator: Exists
- effect: NoExecute
key: node.kubernetes.io/not-ready
operator: Exists
tolerationSeconds: 300
- effect: NoExecute
key: node.kubernetes.io/unreachable
operator: Exists
tolerationSeconds: 300
- effect: NoSchedule
key: node.kubernetes.io/memory-pressure
operator: Exists
roles:
- master
- worker
scanTolerations:
- operator: Exists
schedule: 0 */3 * * *
showNotApplicable: false
strictNodeScan: true

View File

@@ -0,0 +1,27 @@
# Assumes the cluster admin had pre-created the sealed-secrets project and secret.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: openshift-compliance
resources:
- github.com/redhat-cop/gitops-catalog/compliance-operator/operator/overlays/release-0.1
- ocp-cis-tailored-profile.yaml
- ocp-cis-node-tailored-profile.yaml
- cis-compliance-scan-setting-binding.yaml
- cis-compliance-scansetting.yaml
patches:
- patch: |-
- op: add
path: /metadata/labels
value: {"openshift.io/cluster-monitoring": "true"}
target:
kind: Namespace
- patch: |-
- op: replace
path: /spec/channel
value: stable
target:
kind: Subscription
name: compliance-operator

View File

@@ -0,0 +1,18 @@
apiVersion: compliance.openshift.io/v1alpha1
kind: TailoredProfile
metadata:
name: ocp4-cis-node-lab
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
argocd.argoproj.io/sync-wave: "1"
spec:
extends: ocp4-cis-node
description: Lab CIS node profile
title: Lab CIS node profile
disableRules:
- name: ocp4-file-permissions-etcd-data-dir
rationale: Default value of `drwxr-xr-x.` is fine
- name: ocp4-kubelet-enable-protect-kernel-defaults
rationale: Not applicable
- name: ocp4-kubelet-enable-protect-kernel-sysctl
rationale: Not applicable

View File

@@ -0,0 +1,38 @@
apiVersion: compliance.openshift.io/v1alpha1
kind: TailoredProfile
metadata:
name: ocp4-cis-lab
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
argocd.argoproj.io/sync-wave: "1"
spec:
extends: ocp4-cis
description: Lab CIS profile
title: Lab CIS profile
disableRules:
- name: ocp4-api-server-encryption-provider-cipher
rationale: Using letsencrypt certificates, not applicable
- name: ocp4-audit-log-forwarding-enabled
rationale: Homelab so no log forwarding available
- name: ocp4-scc-limit-container-allowed-capabilities
rationale: Some containers require extra privileges
- name: ocp4-configure-network-policies-namespaces
rationale: Home lab supports ad-hoc demos
- name: ocp4-api-server-audit-log-maxsize
rationale: Home lab, no need for auditing
- name: ocp4-ocp-api-server-audit-log-maxsize
rationale: Home lab, no need for auditing
- name: ocp4-audit-profile-set
rationale: Home lab, default auditing is sufficient
- name: ocp4-ocp-allowed-registries
rationale: Home lab, open registries is fine
- name: ocp4-ocp-allowed-registries-for-import
rationale: Home lab, open registries is fine
- name: ocp4-api-server-api-priority-gate-enabled
rationale: Need to understand mis-behaving clients in Home lab
- name: ocp4-kubelet-configure-tls-cipher-suites-ingresscontroller
rationale: Home lab
- name: ocp4-api-server-tls-cipher-suites
rationale: Home lab
- name: ocp4-kubelet-configure-tls-cipher-suites
rationale: Home lab

View File

@@ -0,0 +1,6 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- quay-link.yaml
- sso-link.yaml

View File

@@ -0,0 +1,11 @@
apiVersion: console.openshift.io/v1
kind: ConsoleLink
metadata:
name: quay
spec:
href: 'https://quay.io/repository'
location: ApplicationMenu
text: Quay
applicationMenu:
section: Tools
imageURL: https://quay.io/static/img/quay_favicon.png

View File

@@ -0,0 +1,8 @@
apiVersion: console.openshift.io/v1
kind: ConsoleLink
metadata:
name: sso-account
spec:
href: 'https://sso.ocplab.com/realms/ocplab/account'
location: UserMenu
text: Account Settings

View File

@@ -0,0 +1,2 @@
resources:
- subscription.yaml

View File

@@ -0,0 +1,11 @@
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
name: container-security-operator
namespace: openshift-operators
spec:
channel: stable-3.7
installPlanApproval: Automatic
name: container-security-operator
source: redhat-operators
sourceNamespace: openshift-marketplace

View File

@@ -0,0 +1,11 @@
resources:
- ../../base
patches:
- patch: |-
- op: replace
path: /spec/channel
value: 'stable-3.10'
target:
kind: Subscription
name: container-security-operator

View File

@@ -0,0 +1,11 @@
resources:
- ../../base
patches:
- patch: |-
- op: replace
path: /spec/channel
value: 'stable-3.13'
target:
kind: Subscription
name: container-security-operator

View File

@@ -0,0 +1,11 @@
resources:
- ../../base
patches:
- patch: |-
- op: replace
path: /spec/channel
value: 'stable-3.9'
target:
kind: Subscription
name: container-security-operator

View File

@@ -0,0 +1,25 @@
apiVersion: batch/v1
kind: CronJob
metadata:
name: defrag-etcd
spec:
schedule: "0 11 * * *"
jobTemplate:
spec:
template:
spec:
containers:
- name: defrag-etcd
image: registry.redhat.io/openshift4/ose-cli:latest
imagePullPolicy: IfNotPresent
command:
- /bin/bash
- -c
- |
#!/usr/bin/env bash
oc get pods -l app=etcd -n openshift-etcd --no-headers -o custom-columns=":metadata.name" | while read -r pod ; do
oc exec -n openshift-etcd $pod --container etcdctl -- sh -c "unset ETCDCTL_ENDPOINTS && etcdctl --command-timeout=30s --endpoints=https://localhost:2379 defrag"
done
serviceAccountName: defrag-etcd
restartPolicy: OnFailure

View File

@@ -0,0 +1,5 @@
namespace: openshift-etcd
resources:
- sa-rbac.yaml
- cronjob.yaml

View File

@@ -0,0 +1,36 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: defrag-etcd
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: defrag-etcd
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- list
- exec
- apiGroups:
- ""
resources:
- pods/exec
verbs:
- create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: defrag-etcd
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: defrag-etcd
subjects:
- kind: ServiceAccount
name: defrag-etcd

View File

@@ -0,0 +1,16 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
helmGlobals:
chartHome: charts/openshift-console-plugin
helmCharts:
- name: openshift-console-plugin
version: 0.3.0
repo: https://gnunn-gitops.github.io/helm-charts
valuesFile: values.yaml
namespace: dev-console-plugin
releaseName: dev-console-plugin

View File

@@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: dev-console-plugin

View File

@@ -0,0 +1,4 @@
plugin:
name: dev-console-plugin
namespace: dev-console-plugin
image: quay.io/gnunn/dev-console-plugin:latest

View File

@@ -0,0 +1,33 @@
apiVersion: batch/v1
kind: Job
metadata:
name: configure-sonarqube
spec:
template:
spec:
containers:
- image: registry.access.redhat.com/ubi8/ubi:8.3
command:
- /bin/bash
- -c
- |
curl -H 'Cache-Control: no-cache' -o /tmp/sonarqube-plugins -s ${SCRIPT_URL};
chmod +x /tmp/sonarqube-plugins;
/tmp/sonarqube-plugins
imagePullPolicy: Always
name: configure-sonarqube
env:
- name: SONARQUBE_PLUGINS
value: "java,javascript,dependencycheck,jacoco,pmd,scmgit"
- name: SONARQUBE_PASSWORD
valueFrom:
secretKeyRef:
name: sonarqube-admin
key: password
- name: SCRIPT_URL
value: "https://raw.githubusercontent.com/gnunn-gitops/cluster-config/main/components/dev-tools/scripts/sonarqube-config"
dnsPolicy: ClusterFirst
restartPolicy: OnFailure
serviceAccount: default
serviceAccountName: default
terminationGracePeriodSeconds: 30

View File

@@ -0,0 +1,48 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: dev-tools
bases:
# Nexus
- https://github.com/redhat-cop/gitops-catalog/nexus2/base
# Sonarqube
- sonarqube-admin-secret.yaml
- https://github.com/redhat-cop/gitops-catalog/sonarqube8/base
- configure-sonarqube-job.yaml
resources:
- namespace.yaml
patches:
- patch: |-
- op: replace
path: /spec/template/spec/containers/0/image
value: sonarqube:lts-community
target:
kind: Deployment
name: sonarqube
- patch: |-
- op: add
path: /spec/template/spec/containers/0/env
value:
- name: SONAR_JDBC_PASSWORD
value: kHPdpIYtdtGXeStv
- name: SONAR_JDBC_URL
value: 'jdbc:postgresql://postgresql-sonarqube/sonar'
- name: SONAR_JDBC_USERNAME
value: sonar
- name: SONAR_TELEMETRY_ENABLE
value: 'false'
- name: SONAR_PLUGINS_RISK_CONSENT
value: ACCEPTED
target:
kind: Deployment
name: sonarqube
- patch: |-
- op: add
path: /spec/tls
value:
termination: edge
target:
kind: Route

View File

@@ -0,0 +1,7 @@
apiVersion: v1
kind: Namespace
metadata:
annotations:
openshift.io/description: Project for development tools like nexus and sonarqube
openshift.io/display-name: Development Tools
name: dev-tools

View File

@@ -0,0 +1,15 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: sonarqube-admin
namespace: dev-tools
spec:
secretStoreRef:
kind: ClusterSecretStore
name: doppler-cluster
target:
name: sonarqube-admin
data:
- secretKey: password
remoteRef:
key: SONARQUBE_ADMIN_PASSWORD

View File

@@ -0,0 +1,27 @@
SONARQUBE_HOST=sonarqube:9000
echo "Waiting for sonarqube to be ready..."
until [ "$(curl --silent --show-error --connect-timeout 1 http://${SONARQUBE_HOST}/api/system/status | grep 'UP')" ];
do
sleep 5
done
echo "SonarQube reporting UP. Wait 5 seconds to be sure."
sleep 5
echo "Updating admin password on host ${SONARQUBE_HOST}"
curl -u admin:admin -X POST "http://${SONARQUBE_HOST}/api/users/change_password?login=admin&previousPassword=admin&password=${SONARQUBE_PASSWORD}"
echo "Disabling force authentication for demo purposes"
curl -u admin:${SONARQUBE_PASSWORD} --request POST "http://sonarqube:9000/api/settings/set?key=sonar.forceAuthentication&value=false"
echo "Installing plugins ${SONARQUBE_PLUGINS} on server ${SONARQUBE_HOST}"
for i in ${SONARQUBE_PLUGINS//,/ }
do
echo "Installing $i"
curl -u admin:${SONARQUBE_PASSWORD} --data "key=$i" http://${SONARQUBE_HOST}/api/plugins/install
done
echo "Restarting server ${SONARQUBE_HOST} ..."
curl -u admin:${SONARQUBE_PASSWORD} -X POST http://${SONARQUBE_HOST}/api/system/restart

View File

@@ -0,0 +1,7 @@
namespace: external-secrets
resources:
- namespace.yaml
- operatorconfig.yaml
- podmonitor.yaml
- prometheus-rule.yaml

View File

@@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: external-secrets

View File

@@ -0,0 +1,22 @@
apiVersion: operator.external-secrets.io/v1alpha1
kind: OperatorConfig
metadata:
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
argocd.argoproj.io/sync-wave: "1"
name: cluster
spec:
crds:
conversion:
enabled: false
prometheus:
enabled: true
service:
port: 8080
resources:
requests:
cpu: 10m
memory: 96Mi
limits:
cpu: 100m
memory: 256Mi

View File

@@ -0,0 +1,27 @@
apiVersion: monitoring.coreos.com/v1
kind: PodMonitor
metadata:
name: external-secrets-controller
namespace: external-secrets
labels:
app.kubernetes.io/name: external-secrets-cert-controller
spec:
selector:
matchLabels:
app.kubernetes.io/name: external-secrets-cert-controller
podMetricsEndpoints:
- port: metrics
---
apiVersion: monitoring.coreos.com/v1
kind: PodMonitor
metadata:
name: external-secrets
namespace: external-secrets
labels:
app.kubernetes.io/name: external-secrets
spec:
selector:
matchLabels:
app.kubernetes.io/name: external-secrets
podMetricsEndpoints:
- port: metrics

View File

@@ -0,0 +1,20 @@
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
name: external-secrets
namespace: external-secrets
spec:
groups:
- name: ExternalSecrets
rules:
- alert: ExternalSecretSyncError
annotations:
description: |-
The external secret {{ $labels.exported_namespace }}/{{ $labels.name }} failed to synced.
Use this command to check the status:
oc get externalsecret {{ $labels.name }} -n {{ $labels.exported_namespace }}
summary: External secret failed to sync
labels:
severity: warning
expr: externalsecret_status_condition{status="False"} == 1
for: 5m

View File

@@ -0,0 +1,7 @@
namespace: external-secrets-operator
resources:
- namespace.yaml
- operatorgroup.yaml
- subscription.yaml
- github.com/redhat-cop/gitops-catalog/installplan-approver/base

View File

@@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: external-secrets-operator

View File

@@ -0,0 +1,6 @@
apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
name: external-secrets-operator
spec:
upgradeStrategy: Default

Some files were not shown because too many files have changed in this diff Show More