diff --git a/charts/all/routingtests/Chart.yaml b/charts/all/routingtests/Chart.yaml
new file mode 100644
index 00000000..0ee2d422
--- /dev/null
+++ b/charts/all/routingtests/Chart.yaml
@@ -0,0 +1,15 @@
+apiVersion: v2
+description: Example
+name: routing-tests
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "1.0.0"
diff --git a/charts/all/routingtests/templates/ingress-based-route.yaml b/charts/all/routingtests/templates/ingress-based-route.yaml
new file mode 100644
index 00000000..ade291e7
--- /dev/null
+++ b/charts/all/routingtests/templates/ingress-based-route.yaml
@@ -0,0 +1,17 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: test
+spec:
+ ingressClassName: openshift-default
+ rules:
+ - host: test.test.coco.t9t8p.azure.redhatworkshops.io
+ http:
+ paths:
+ - backend:
+ service:
+ name: standard
+ port:
+ number: 8888
+ path: /
+ pathType: Prefix
\ No newline at end of file
diff --git a/charts/all/routingtests/templates/standard-pod.yaml b/charts/all/routingtests/templates/standard-pod.yaml
new file mode 100644
index 00000000..eb7b43b5
--- /dev/null
+++ b/charts/all/routingtests/templates/standard-pod.yaml
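Review bot: The Ingress host in ingress-based-route.yaml is a hard-coded, environment-specific FQDN (`test.test.coco.t9t8p.azure.redhatworkshops.io`), so the chart only routes correctly on that one workshop cluster and serves nothing anywhere else. The rest of this repo already builds hostnames from `.Values.global.hubClusterDomain` (see the KBS URL in initdata.toml.tpl), so something like `host: test.{{ .Values.global.hubClusterDomain }}` — assuming that value carries the apps domain as it does there — or a dedicated value keeps the template portable and keeps a cluster identifier out of a shared chart. The Ingress also has no `tls:` stanza, so the test endpoint is exposed over plain HTTP; if that is deliberate for a routing experiment, a one-line comment saying so will stop the next reviewer from flagging it as an oversight.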
@@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Pod +metadata: + name: standard + labels: + app: standard +spec: + runtimeClassName: {{ .Values.global.runtimeClass }} + containers: + - name: hello-openshift + image: quay.io/openshift/origin-hello-openshift + ports: + - containerPort: 8888 + securityContext: + privileged: false + allowPrivilegeEscalation: false + runAsNonRoot: true + runAsUser: 1001 + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault \ No newline at end of file diff --git a/charts/all/routingtests/templates/standard-route.yaml b/charts/all/routingtests/templates/standard-route.yaml new file mode 100644 index 00000000..b4386dbd --- /dev/null +++ b/charts/all/routingtests/templates/standard-route.yaml @@ -0,0 +1,12 @@ +apiVersion: route.openshift.io/v1 +kind: Route +metadata: + name: defacto-standards +spec: + port: + targetPort: 8888 + to: + kind: Service + name: standard + weight: 100 + wildcardPolicy: None diff --git a/charts/all/routingtests/templates/standard-svc.yaml b/charts/all/routingtests/templates/standard-svc.yaml new file mode 100644 index 00000000..d7e49607 --- /dev/null +++ b/charts/all/routingtests/templates/standard-svc.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: Service +metadata: + name: standard +spec: + ports: + - name: 8888-tcp + port: 8888 + protocol: TCP + targetPort: 8888 + selector: + app: standard + sessionAffinity: None + type: ClusterIP diff --git a/charts/all/routingtests/values.yaml b/charts/all/routingtests/values.yaml new file mode 100644 index 00000000..b8e0d9c9 --- /dev/null +++ b/charts/all/routingtests/values.yaml 
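Review bot: `runtimeClassName: {{ .Values.global.runtimeClass }}` in standard-pod.yaml renders as a bare `runtimeClassName:` (YAML null) when the value is unset, so the pod silently falls back to the default runtime instead of the confidential one this routing test is meant to exercise; `runtimeClassName: {{ required "global.runtimeClass must be set" .Values.global.runtimeClass | quote }}` turns that into a render-time error. The image `quay.io/openshift/origin-hello-openshift` is referenced with neither tag nor digest, so the workload under test changes whenever the default tag moves; pinning a digest makes the test reproducible. `runAsUser: 1001` is hard-coded next to `runAsNonRoot: true`; on OpenShift the restricted-v2 SCC normally assigns UIDs from the namespace range, so this may be rejected unless the range or SCC allows it — worth verifying rather than assuming. The pod embedded in custom-initdata-injection.yaml repeats the same untagged image and fixed UID.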
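Review bot: The Route in standard-route.yaml has no `tls:` block, so `defacto-standards` is served as a plain-HTTP route even though the hello-openshift chart in this repo ships a route named `secure`; if the unencrypted route is deliberate for comparing routing paths, say so in a comment, otherwise adding `tls: {termination: edge, insecureEdgeTerminationPolicy: Redirect}` under `spec` keeps the charts consistent. The Route's `name` (`defacto-standards`) also does not match the Service and Pod it fronts (`standard`), which makes the generated hostname harder to correlate with the workload; naming it `standard` keeps the three objects aligned. custom-route.yaml in the custom-init chart has the same missing `tls:` block.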
@@ -0,0 +1,17 @@ + +secretStore: + name: vault-backend + kind: ClusterSecretStore + +# Secret provisioned for the AWS Controller for Kubernetes - S3 +# Begin global parameters + + +dsp: + name: science-project + description: "My science project" + notebookStorage: '20Gi' + pushSecret: true + +# https://github.com/openshift-ai-examples/openshift-ai-examples/blob/main/openshift-ai-deploy-llm/manifests/3-notebook-template.yaml + diff --git a/charts/coco-supported/custom-init/Chart.yaml b/charts/coco-supported/custom-init/Chart.yaml new file mode 100644 index 00000000..0eb7f655 --- /dev/null +++ b/charts/coco-supported/custom-init/Chart.yaml @@ -0,0 +1,8 @@ +apiVersion: v2 +description: A Helm chart which uses ACM to deploy a pod with custom init data including inferring the certificate. +keywords: +- pattern +- upstream +- sandbox +name: custom-init +version: 0.0.1 diff --git a/charts/coco-supported/custom-init/initdata.toml.tpl b/charts/coco-supported/custom-init/initdata.toml.tpl new file mode 100644 index 00000000..ca7818a6 --- /dev/null +++ b/charts/coco-supported/custom-init/initdata.toml.tpl 
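Review bot: values.yaml for the routingtests chart declares `secretStore`, `dsp`, a comment about the AWS S3 controller and a link to an OpenShift AI notebook template, none of which any template in this chart reads — the only value the templates reference is `.Values.global.runtimeClass`, and that is the one key this file does not declare. The block looks copied from another chart; replacing it with the value the chart actually consumes, e.g. `global:` / `  runtimeClass: ""` plus a comment that the pattern is expected to override it from `values-global.yaml` (as the sandbox chart's values file already advises), documents the real contract and avoids a reader assuming a Vault-backed secret store is involved. `pushSecret: true` in particular reads like a live feature toggle and should not survive in a chart that pushes nothing.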
@@ -0,0 +1,69 @@ +algorithm = "sha384" +version = "0.1.0" + +[data] +"aa.toml" = ''' +[token_configs] +[token_configs.coco_as] +url = 'https://kbs-trustee-operator-system.{{ .Values.global.hubClusterDomain }}' + + +[token_configs.kbs] +url = 'https://kbs-trustee-operator-system.{{ .Values.global.hubClusterDomain }}' +cert = """ +acmmagickey_trustee_cert +""" +''' + +"cdh.toml" = ''' +socket = 'unix:///run/confidential-containers/cdh.sock' +credentials = [] + +[kbc] +name = 'cc_kbc' +url = 'https://kbs-trustee-operator-system.{{ .Values.global.hubClusterDomain }}' +kbs_cert = """ +acmmagickey_trustee_cert +""" +''' + +"policy.rego" = ''' +package agent_policy + +default AddARPNeighborsRequest := true +default AddSwapRequest := true +default CloseStdinRequest := true +default CopyFileRequest := true +default CreateContainerRequest := true +default CreateSandboxRequest := true +default DestroySandboxRequest := true +default ExecProcessRequest := true +default GetMetricsRequest := true +default GetOOMEventRequest := true +default GuestDetailsRequest := true +default ListInterfacesRequest := true +default ListRoutesRequest := true +default MemHotplugByProbeRequest := true +default OnlineCPUMemRequest := true +default PauseContainerRequest := true +default PullImageRequest := true +default ReadStreamRequest := true +default RemoveContainerRequest := true +default RemoveStaleVirtiofsShareMountsRequest := true +default ReseedRandomDevRequest := true +default ResumeContainerRequest := true +default SetGuestDateTimeRequest := true +default SetPolicyRequest := true +default SignalProcessRequest := true +default StartContainerRequest := true +default StartTracingRequest := true +default StatsContainerRequest := true +default StopTracingRequest := true +default TtyWinResizeRequest := true +default UpdateContainerRequest := true +default UpdateEphemeralMountsRequest := true +default UpdateInterfaceRequest := true +default UpdateRoutesRequest := true +default WaitProcessRequest 
:= true +default WriteStreamRequest := true +''' diff --git a/charts/coco-supported/custom-init/templates/custom-initdata-injection.yaml b/charts/coco-supported/custom-init/templates/custom-initdata-injection.yaml new file mode 100644 index 00000000..ac2798d4 --- /dev/null +++ b/charts/coco-supported/custom-init/templates/custom-initdata-injection.yaml 
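Review bot: The `policy.rego` embedded in custom-init/initdata.toml.tpl sets every agent request to `true`, including `ExecProcessRequest`, `ReadStreamRequest`, `CopyFileRequest` and `SetPolicyRequest`, so the kata agent policy — the control meant to stop the untrusted host from exec'ing into, reading from, or re-policying the confidential VM — is fully open, and because this initdata is part of the measured input (`algorithm = "sha384"`) the permissiveness is presumably baked into the attested state rather than being a runtime override. If a permissive policy is intended for this sandbox/debug flow, a header comment in the TOML such as `# Permissive agent policy for development; not for production workloads` makes that explicit; otherwise at least `SetPolicyRequest`, `ExecProcessRequest`, `ReadStreamRequest` and `CopyFileRequest` should default to `false`. The identical policy is added to charts/coco-supported/sandbox/initdata.toml.tpl in the later hunk of this diff. As far as the visible custom-init templates go, this copy of the file is never read — custom-initdata-injection.yaml pulls initdata from the sandbox chart's `initdata-placeholder` ConfigMap — so it will drift from the one actually measured; dropping it, or adding a comment pointing at the sandbox chart's copy, prevents that.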
@@ -0,0 +1,79 @@ +--- +apiVersion: policy.open-cluster-management.io/v1 +kind: Policy +metadata: + name: custominit-pod-policy +spec: + remediationAction: enforce + disabled: false + policy-templates: + - objectDefinition: + apiVersion: policy.open-cluster-management.io/v1 + kind: ConfigurationPolicy + metadata: + name: custominit-pod-cp + spec: + remediationAction: enforce + severity: medium + object-templates: + + - complianceType: mustonlyhave + objectDefinition: + apiVersion: v1 + kind: Pod + metadata: + name: custom + namespace: custom-init + labels: + app: custom + annotations: + io.katacontainers.config.runtime.cc_init_data: '{{ `{{if (lookup "operator.openshift.io/v1" "IngressController" "openshift-ingress-operator" "default").spec.defaultCertificate.name }}{{ fromConfigMap "openshift-sandboxed-containers-operator" "initdata-placeholder" "initdata" | base64dec | replace "acmmagickey_trustee_cert" (fromSecret "openshift-ingress" (lookup "operator.openshift.io/v1" "IngressController" "openshift-ingress-operator" "default").spec.defaultCertificate.name "tls.crt" | base64dec) | base64enc }}{{ else }}{{ fromConfigMap "openshift-sandboxed-containers-operator" "initdata-placeholder" "initdata" | base64dec | replace "acmmagickey_trustee_cert" (fromSecret "openshift-ingress" "router-certs-default" "tls.crt" | base64dec) | base64enc }}{{ end }}` }}' + peerpods: "true" + spec: + runtimeClassName: kata-remote + containers: + - name: hello-openshift + image: quay.io/openshift/origin-hello-openshift + ports: + - containerPort: 8888 + securityContext: + privileged: false + allowPrivilegeEscalation: false + runAsNonRoot: true + runAsUser: 1001 + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + + +--- +apiVersion: policy.open-cluster-management.io/v1 +kind: PlacementBinding +metadata: + name: custominit-placement-binding + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +placementRef: + name: custominit-placement-rule 
+ kind: PlacementRule + apiGroup: apps.open-cluster-management.io +subjects: + - name: custominit-pod-policy + kind: Policy + apiGroup: policy.open-cluster-management.io +--- +apiVersion: apps.open-cluster-management.io/v1 +kind: PlacementRule +metadata: + name: custominit-placement-rule +spec: + clusterConditions: + - status: 'True' + type: ManagedClusterConditionAvailable + clusterSelector: + matchLabels: + cloud: Azure +--- +{{- end }} diff --git a/charts/coco-supported/custom-init/templates/custom-route.yaml b/charts/coco-supported/custom-init/templates/custom-route.yaml new file mode 100644 index 00000000..fe29a887 --- /dev/null +++ b/charts/coco-supported/custom-init/templates/custom-route.yaml @@ -0,0 +1,13 @@ +apiVersion: route.openshift.io/v1 +kind: Route +metadata: + name: custom + namespace: custom-init +spec: + port: + targetPort: 8888 + to: + kind: Service + name: custom + weight: 100 + wildcardPolicy: None diff --git a/charts/coco-supported/custom-init/templates/custom-svc.yaml b/charts/coco-supported/custom-init/templates/custom-svc.yaml new file mode 100644 index 00000000..7f582a44 --- /dev/null +++ b/charts/coco-supported/custom-init/templates/custom-svc.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Service +metadata: + name: custom + namespace: custom-init +spec: + ports: + - name: 8888-tcp + port: 8888 + protocol: TCP + targetPort: 8888 + selector: + app: custom + sessionAffinity: None + type: ClusterIP diff --git a/charts/coco-supported/custom-init/values.yaml b/charts/coco-supported/custom-init/values.yaml new file mode 100644 index 00000000..e69de29b diff --git a/charts/coco-supported/hello-openshift/templates/secure-route.yaml b/charts/coco-supported/hello-openshift/templates/secure-route.yaml index 7e1364fc..d30f2ab2 100644 --- a/charts/coco-supported/hello-openshift/templates/secure-route.yaml +++ b/charts/coco-supported/hello-openshift/templates/secure-route.yaml 
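Review bot: custom-initdata-injection.yaml ends with `{{- end }}`, but the file (all 79 lines are new in this hunk) opens directly with `---` and contains no `{{- if`/`with`/`range` to match it, so `helm template` should fail on an unexpected `{{end}}`; either drop that line or restore the guard it was presumably copied with, e.g. a proposed `{{- if .Values.customInit.deploy }}` as the first line, mirroring the `sandbox.deploy` convention in the sandbox values file. The ACM Policy manages a bare Pod with `complianceType: mustonlyhave` whose annotation is recomputed on every evaluation from the current router certificate; if that certificate rotates, ACM will presumably rewrite the annotation on the live Pod, which cannot change the initdata of an already-running VM, so the object reports compliant while the guest keeps the old trust anchor — worth a comment, or a controller-managed workload instead of a bare Pod. `cloud: Azure` in the PlacementRule's `matchLabels` selects every Azure-labelled managed cluster including the hub, which may be intended but is not stated.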
@@ -9,4 +9,4 @@ spec: kind: Service name: secure weight: 100 - wildcardPolicy: None + wildcardPolicy: None \ No newline at end of file diff --git a/charts/coco-supported/sandbox/initdata.toml.tpl b/charts/coco-supported/sandbox/initdata.toml.tpl index 56796c13..ca7818a6 100644 --- a/charts/coco-supported/sandbox/initdata.toml.tpl +++ b/charts/coco-supported/sandbox/initdata.toml.tpl @@ -5,10 +5,14 @@ version = "0.1.0" "aa.toml" = ''' [token_configs] [token_configs.coco_as] -url = "https://kbs-trustee-operator-system.{{ .Values.global.hubClusterDomain }}" +url = 'https://kbs-trustee-operator-system.{{ .Values.global.hubClusterDomain }}' + [token_configs.kbs] -url = "https://kbs-trustee-operator-system.{{ .Values.global.hubClusterDomain }}" +url = 'https://kbs-trustee-operator-system.{{ .Values.global.hubClusterDomain }}' +cert = """ +acmmagickey_trustee_cert +""" ''' "cdh.toml" = ''' 
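Review bot: The new `cert = """ acmmagickey_trustee_cert """` block in sandbox/initdata.toml.tpl relies on a bare magic token that ACM templates in peer-pods-cm.yaml and custom-initdata-injection.yaml substitute with the router's `tls.crt` via `replace`; if the token is edited in either place nothing fails at render time — the guest would presumably receive the literal string as its KBS CA and TLS to Trustee would fail only at runtime. A comment above the placeholder naming the consumer, e.g. `# placeholder; replaced with the ingress default certificate by the ACM template in templates/peer-pods-cm.yaml`, makes the coupling visible. The same token is reused for `kbs_cert` in the following hunk, so the comment belongs on both.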
@@ -16,6 +20,50 @@ socket = 'unix:///run/confidential-containers/cdh.sock' credentials = [] [kbc] -name = "cc_kbc" -url = "https://kbs-trustee-operator-system.{{ .Values.global.hubClusterDomain }}" +name = 'cc_kbc' +url = 'https://kbs-trustee-operator-system.{{ .Values.global.hubClusterDomain }}' +kbs_cert = """ +acmmagickey_trustee_cert +""" +''' + +"policy.rego" = ''' +package agent_policy + +default AddARPNeighborsRequest := true +default AddSwapRequest := true +default CloseStdinRequest := true +default CopyFileRequest := true +default CreateContainerRequest := true +default CreateSandboxRequest := true +default DestroySandboxRequest := true +default ExecProcessRequest := true +default GetMetricsRequest := true +default GetOOMEventRequest := true +default GuestDetailsRequest := true +default ListInterfacesRequest := true +default ListRoutesRequest := true +default MemHotplugByProbeRequest := true +default OnlineCPUMemRequest := true +default PauseContainerRequest := true +default PullImageRequest := true +default ReadStreamRequest := true +default RemoveContainerRequest := true +default RemoveStaleVirtiofsShareMountsRequest := true +default ReseedRandomDevRequest := true +default ResumeContainerRequest := true +default SetGuestDateTimeRequest := true +default SetPolicyRequest := true +default SignalProcessRequest := true +default StartContainerRequest := true +default StartTracingRequest := true +default StatsContainerRequest := true +default StopTracingRequest := true +default TtyWinResizeRequest := true +default UpdateContainerRequest := true +default UpdateEphemeralMountsRequest := true +default UpdateInterfaceRequest := true +default UpdateRoutesRequest := true +default WaitProcessRequest := true +default WriteStreamRequest := true ''' diff --git a/charts/coco-supported/sandbox/templates/initdata-placeholder.yaml b/charts/coco-supported/sandbox/templates/initdata-placeholder.yaml new file mode 100644 index 00000000..6b32662e --- /dev/null 
+++ b/charts/coco-supported/sandbox/templates/initdata-placeholder.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: initdata-placeholder +data: + initdata: '{{ tpl ( .Files.Get "initdata.toml.tpl") . | b64enc }}' # keep as b64 + + diff --git a/charts/coco-supported/sandbox/templates/kata-config.yaml b/charts/coco-supported/sandbox/templates/kata-config.yaml index 8f5c0ba4..eb26e7d7 100644 --- a/charts/coco-supported/sandbox/templates/kata-config.yaml +++ b/charts/coco-supported/sandbox/templates/kata-config.yaml @@ -7,4 +7,5 @@ metadata: name: default-kata-config spec: enablePeerPods: true + logLevel: debug {{ end }} \ No newline at end of file diff --git a/charts/coco-supported/sandbox/templates/peer-pods-cm.yaml b/charts/coco-supported/sandbox/templates/peer-pods-cm.yaml index 38910397..d157dbde 100644 --- a/charts/coco-supported/sandbox/templates/peer-pods-cm.yaml +++ b/charts/coco-supported/sandbox/templates/peer-pods-cm.yaml @@ -28,7 +28,12 @@ spec: data: CLOUD_PROVIDER: "azure" VXLAN_PORT: "9000" + # IF +{{- if .Values.sandbox.peerPodImage }} + AZURE_IMAGE_ID: {{ .Values.sandbox.peerPodImage }} +{{- else }} AZURE_IMAGE_ID: '{{ `{{if (lookup "v1" "ConfigMap" "openshift-sandboxed-containers-operator" "peer-pods-cm").metadata.name }}{{ fromConfigMap "openshift-sandboxed-containers-operator" "peer-pods-cm" "AZURE_IMAGE_ID" }}{{ else }}{{ end }}` }}' +{{- end }} AZURE_INSTANCE_SIZE: "{{ .Values.global.coco.azure.defaultVMFlavour }}" AZURE_INSTANCE_SIZES: "Standard_DC2as_v5,Standard_DC4as_v5,Standard_DC8as_v5,Standard_DC16as_v5" AZURE_RESOURCE_GROUP: '{{ `{{ (fromJson (fromConfigMap "openshift-cloud-controller-manager" "cloud-conf" "cloud.conf" | toLiteral)).vnetResourceGroup }}` }}' 
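Review bot: `logLevel: debug` is added unconditionally to the KataConfig in kata-config.yaml, so every cluster that deploys this chart runs the sandboxed-containers operator at debug verbosity; that is reasonable while bringing the pattern up, but debug output is noisier and may include configuration detail that should not be a permanent default in a "supported" chart. Gating it behind a value, `logLevel: {{ .Values.sandbox.logLevel | default "info" }}` (proposed key and default), keeps debug available per cluster group without shipping it to everyone. The enclosing `{{ if }}` that the trailing `{{ end }}` closes starts outside the hunk.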
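Review bot: `AZURE_IMAGE_ID: {{ .Values.sandbox.peerPodImage }}` in peer-pods-cm.yaml is emitted unquoted, unlike every other key in this ConfigMap, so a value containing YAML-significant characters would be re-typed or break the parse; `AZURE_IMAGE_ID: {{ .Values.sandbox.peerPodImage | quote }}` keeps it a string. The `# IF` comment above the conditional says nothing; replace it with what the branch decides, e.g. `# Use the image id the operator already published unless sandbox.peerPodImage pins one explicitly`. In the initdata-placeholder.yaml hunk on this line, the inline comment `}}' # keep as b64` has a single space before `#` (yamllint expects two) and the file ends with two blank lines.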
@@ -37,7 +42,8 @@ spec: AZURE_NSG_ID: '/subscriptions/{{ `{{ (fromJson (fromConfigMap "openshift-cloud-controller-manager" "cloud-conf" "cloud.conf" | toLiteral)).subscriptionId }}` }}/resourceGroups/{{ `{{ (fromJson (fromConfigMap "openshift-cloud-controller-manager" "cloud-conf" "cloud.conf" | toLiteral)).resourceGroup }}` }}/providers/Microsoft.Network/networkSecurityGroups/{{ `{{ (fromJson (fromConfigMap "openshift-cloud-controller-manager" "cloud-conf" "cloud.conf" | toLiteral)).securityGroupName }}` }}' DISABLECVM: "false" PROXY_TIMEOUT: "5m" - INITDATA: '{{ tpl ( .Files.Get "initdata.toml.tpl") . | b64enc }}' + INITDATA: '{{ `{{if (lookup "operator.openshift.io/v1" "IngressController" "openshift-ingress-operator" "default").spec.defaultCertificate.name }}{{ fromConfigMap "openshift-sandboxed-containers-operator" "initdata-placeholder" "initdata" | base64dec | replace "acmmagickey_trustee_cert" (fromSecret "openshift-ingress" (lookup "operator.openshift.io/v1" "IngressController" "openshift-ingress-operator" "default").spec.defaultCertificate.name "tls.crt" | base64dec) | base64enc }}{{ else }}{{ fromConfigMap "openshift-sandboxed-containers-operator" "initdata-placeholder" "initdata" | base64dec | replace "acmmagickey_trustee_cert" (fromSecret "openshift-ingress" "router-certs-default" "tls.crt" | base64dec) | base64enc }}{{ end }}` }}' + --- apiVersion: policy.open-cluster-management.io/v1 kind: PlacementBinding diff --git a/charts/coco-supported/sandbox/values.yaml b/charts/coco-supported/sandbox/values.yaml index 4d41d6d9..101db95b 100644 --- a/charts/coco-supported/sandbox/values.yaml +++ b/charts/coco-supported/sandbox/values.yaml 
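Review bot: The new INITDATA expression guards on `(lookup "operator.openshift.io/v1" "IngressController" "openshift-ingress-operator" "default").spec.defaultCertificate.name`, but when the IngressController has no `defaultCertificate` set, `.spec.defaultCertificate` is nil and, if ACM's template engine follows Go text/template semantics here, evaluating `.name` on it is an error rather than a falsy value — so the `else` branch that falls back to `router-certs-default` may never be reached on clusters without a custom default certificate; worth testing on such a cluster, and guarding with `{{ if (lookup ...).spec.defaultCertificate }}` first if it fails. This long ACM template is duplicated byte-for-byte in the pod annotation in custom-initdata-injection.yaml; drift between the two would give the peer-pod runtime and the custom-init pod different trust anchors without any error. A comment above INITDATA recording that it is the base64 of initdata.toml.tpl with `acmmagickey_trustee_cert` replaced by the ingress certificate would help the next reader, since the expression itself is not readable.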
@@ -11,13 +11,14 @@ secretStore: name: vault-backend kind: ClusterSecretStore - - sandbox: deploy: true sshKey: secret/data/global/sshKey azure: true - peerpodsCreds: secret/data/global/azure + # Peer pod image defined, if required to avoid rebuilds. + peerPodImage: "" + # image below is not available in eastasia + #peerPodImage: '/CommunityGalleries/cococommunity-42d8482d-92cd-415b-b332-7648bd978eff/Images/peerpod-podvm-fedora-debug/Versions/0.12.0' # These variables today limit to one cluster # revise using imperative framework to infer from cluster vars # Strongly advised to override in values-global.yaml or values-{cluster-group}.yaml diff --git a/rhdp/install-config.yaml.j2 b/rhdp/install-config.yaml.j2 index 28411a8a..146bd1a1 100644 --- a/rhdp/install-config.yaml.j2 +++ b/rhdp/install-config.yaml.j2 @@ -7,7 +7,7 @@ compute: name: worker platform: azure: - type: Standard_D8s_v5 + type: Standard_D16s_v5 replicas: 3 controlPlane: architecture: amd64 diff --git a/values-simple.yaml b/values-simple.yaml index ad2a1b41..2698020e 100644 --- a/values-simple.yaml +++ b/values-simple.yaml @@ -4,17 +4,15 @@ clusterGroup: name: simple isHubCluster: true namespaces: - - open-cluster-management - - vault - - golang-external-secrets - - openshift-sandboxed-containers-operator - - trustee-operator-system - - hello-openshift - - cert-manager-operator - - cert-manager - - letsencrypt - - kbs-access - - encrypted-storage + - open-cluster-management + - vault + - golang-external-secrets + - openshift-sandboxed-containers-operator + - trustee-operator-system + - hello-openshift + - cert-manager-operator + - cert-manager + - kbs-access subscriptions: # ACM is kept anticipating acm: 
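Review bot: The comment `# Peer pod image defined, if required to avoid rebuilds.` does not say what the value is or what the empty default does; since peer-pods-cm.yaml uses `sandbox.peerPodImage` only when it is non-empty and otherwise keeps the image id the operator published, the comment should state that, e.g. `# Optional Azure gallery image id for the peer-pod VM. Empty keeps the image the operator already published in peer-pods-cm.` The commented-out image path is a concrete gallery version that will go stale; if it is meant to document the expected format, label it as an example rather than leaving it as a toggle. This hunk also drops `peerpodsCreds`; anything still referencing `.Values.sandbox.peerpodsCreds` would now render empty, which cannot be checked from this diff.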
@@ -40,17 +38,17 @@ clusterGroup: channel: stable-v1 projects: - - hub - - vault - - trustee - - golang-external-secrets - - sandbox - - workloads - - default - # Explicitly mention the cluster-state based overrides we plan to use for this pattern. - # We can use self-referential variables because the chart calls the tpl function with these variables defined + - hub + - vault + - trustee + - golang-external-secrets + - sandbox + - workloads + - default + # Explicitly mention the cluster-state based overrides we plan to use for this pattern. + # We can use self-referential variables because the chart calls the tpl function with these variables defined sharedValueFiles: - - '/overrides/values-{{ $.Values.global.clusterPlatform }}.yaml' + - '/overrides/values-{{ $.Values.global.clusterPlatform }}.yaml' applications: acm: name: acm @@ -84,16 +82,6 @@ clusterGroup: namespace: openshift-sandboxed-containers-operator #upstream config project: sandbox path: charts/coco-supported/sandbox - - letsencrypt: - name: letsencrypt - namespace: letsencrypt - project: hub - path: charts/all/letsencrypt - # Default to 'safe' for ARO - overrides: - - name: letsencrypt.enabled - value: false hello-openshift: name: hello-openshift namespace: hello-openshift @@ -105,7 +93,16 @@ clusterGroup: namespace: kbs-access project: workloads path: charts/coco-supported/kbs-access - + custom-init: + name: custom-init + namespace: custom-init + project: workloads + path: charts/coco-supported/custom-init + route: + name: routingtest + namespace: routetest + project: workloads + path: charts/all/routingtests imperative: # NOTE: We *must* use lists and not hashes. As hashes lose ordering once parsed by helm # The default schedule is every 10 minutes: imperative.schedule 
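Review bot: The new `custom-init` and `route` applications target namespaces `custom-init` and `routetest`, but neither is added to `clusterGroup.namespaces` in the first hunk of this file, which is presumably where this pattern creates namespaces; unless something else creates them, both applications will likely fail to sync. Add `- custom-init` and `- routetest` to that list, or point the apps at namespaces that already exist. The route application's identifiers disagree with each other — key `route`, `name: routingtest`, `namespace: routetest`, chart `routing-tests` in directory `routingtests` — which makes the app hard to grep for; one spelling throughout would help. Since custom-init's ACM policy also hard-codes `namespace: custom-init` for the Pod it places on managed clusters, those clusters need that namespace as well, and nothing visible here creates it.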
@@ -114,26 +111,20 @@ clusterGroup: # For additional overrides that apply to the jobs, please refer to # https://hybrid-cloud-patterns.io/imperative-actions/#additional-job-customizations jobs: - - name: install-deps - playbook: ansible/install-deps.yaml - verbosity: -vvv - timeout: 3600 - - name: configure-azure-dns - playbook: ansible/configure-issuer.yaml - # this image has not been changes. TBD would make sense - #image: quay.io/hybridcloudpatterns/ansible-edge-gitops-ee:latest - verbosity: -vvv - timeout: 3600 - - name: configure-azure-nat-gateway - playbook: ansible/azure-nat-gateway.yaml - verbosity: -vvv - timeout: 3600 + - name: install-deps + playbook: ansible/install-deps.yaml + verbosity: -vvv + timeout: 3600 + - name: configure-azure-nat-gateway + playbook: ansible/azure-nat-gateway.yaml + verbosity: -vvv + timeout: 3600 managedClusterGroups: exampleRegion: name: group-one acmlabels: - - name: clusterGroup - value: group-one + - name: clusterGroup + value: group-one helmOverrides: - - name: clusterGroup.isHubCluster - value: false + - name: clusterGroup.isHubCluster + value: false