fix: Add entitlement-key to target cluster
Signed-off-by: Denilson Nastacio <[email protected]>
Showing 9 changed files with 159 additions and 18 deletions.
config/rhacm/cloudpaks/templates/placement-gitops-policy.yaml (35 additions & 0 deletions)
@@ -0,0 +1,35 @@ | ||
{{- range tuple "cp4a" "cp4aiops" "cp4d" "cp4i" "cp4s" }} | ||
--- | ||
apiVersion: apps.open-cluster-management.io/v1 | ||
kind: PlacementRule | ||
metadata: | ||
annotations: | ||
argocd.argoproj.io/sync-wave: "200" | ||
name: placement-openshift-gitops-entitlement-key-{{.}} | ||
namespace: {{ .Values.argocd_app_namespace }} | ||
spec: | ||
clusterConditions: | ||
- status: 'True' | ||
type: ManagedClusterConditionAvailable | ||
clusterSelector: | ||
matchExpressions: | ||
- key: {{.}} | ||
operator: Exists | ||
values: [] | ||
--- | ||
apiVersion: policy.open-cluster-management.io/v1 | ||
kind: PlacementBinding | ||
metadata: | ||
annotations: | ||
argocd.argoproj.io/sync-wave: "300" | ||
name: binding-openshift-gitops-entitlement-key-{{.}} | ||
namespace: {{ .Values.argocd_app_namespace }} | ||
placementRef: | ||
name: placement-openshift-gitops-entitlement-key-{{.}} | ||
kind: PlacementRule | ||
apiGroup: apps.open-cluster-management.io | ||
subjects: | ||
- name: cloudpak-entitlement-key | ||
kind: Policy | ||
apiGroup: policy.open-cluster-management.io | ||
{{- end }} |
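Review bot: the PlacementBinding's `subjects` entry names Policy `cloudpak-entitlement-key` without a namespace, and a PlacementBinding can only bind a Policy that lives in the binding's own namespace; this binding is rendered into `{{ .Values.argocd_app_namespace }}` while the Policy in `policy-entitlement-key.yaml` is pinned to `namespace: openshift-gitops`, so the two only meet when that value happens to be `openshift-gitops`. Render the Policy namespace from the same value, or document the constraint. Separately, `matchExpressions` with `operator: Exists` on key `{{.}}` selects every cluster carrying a Cloud Pak label regardless of its value, so each labelled managed cluster receives a copy of the entitlement key; a comment in the template saying that is intended would help, and `values: []` is redundant with `Exists`.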
File renamed without changes.
config/rhacm/cloudpaks/templates/policy-entitlement-key.yaml (41 additions & 0 deletions)
@@ -0,0 +1,41 @@ | ||
--- | ||
apiVersion: policy.open-cluster-management.io/v1 | ||
kind: Policy | ||
metadata: | ||
name: cloudpak-entitlement-key | ||
namespace: openshift-gitops | ||
annotations: | ||
argocd.argoproj.io/compare-options: IgnoreExtraneous | ||
argocd.argoproj.io/sync-options: SkipPrune | ||
argocd.argoproj.io/sync-wave: "200" | ||
policy.open-cluster-management.io/categories: CM Configuration Management | ||
policy.open-cluster-management.io/controls: CM-2 Baseline Configuration | ||
policy.open-cluster-management.io/standards: NIST SP 800-53 | ||
spec: | ||
disabled: false | ||
policy-templates: | ||
- objectDefinition: | ||
apiVersion: policy.open-cluster-management.io/v1 | ||
kind: ConfigurationPolicy | ||
metadata: | ||
name: policy-entkey | ||
spec: | ||
namespaceSelector: | ||
exclude: | ||
- kube-* | ||
include: | ||
- default | ||
object-templates: | ||
- complianceType: musthave | ||
objectDefinition: | ||
apiVersion: v1 | ||
data: | ||
.dockerconfigjson: '{{ "{{hub index (lookup \"v1\" \"Secret\" \"openshift-gitops\" \"ibm-entitlement-key\").data \".dockerconfigjson\" hub}}" }}' | ||
kind: Secret | ||
metadata: | ||
name: ibm-entitled-key | ||
namespace: openshift-gitops | ||
type: kubernetes.io/dockerconfigjson | ||
remediationAction: inform | ||
severity: low | ||
remediationAction: enforce |
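Review bot: `remediationAction` is set twice with conflicting values, `inform` on the ConfigurationPolicy template and `enforce` on the parent Policy; the Policy-level value overrides the template's, so the inner `inform` never takes effect and only misleads, drop one of them. The secret created on the managed cluster is named `ibm-entitled-key` while the hub source (and the README's PreSync hooks) use `ibm-entitlement-key`; confirm the different name is intentional, otherwise consumers looking for `ibm-entitlement-key` on the managed cluster will not find it. The hub template copies the raw `.dockerconfigjson` into the replicated policy, which makes the entitlement key readable to anyone with read access to the replicated Policy objects in the hub's cluster namespaces (the `rhacm-users` group from the README, for example); consider wrapping the lookup in the `protect` hub template function so the value is stored encrypted in the replicated policy. Finally, `namespaceSelector` (include `default`, exclude `kube-*`) appears to have no effect on an object template that already sets `namespace: openshift-gitops`; if so, remove it so the policy does not suggest the secret is created in `default`.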
config/rhacm/seeds/templates/0200-gitops-managed-cluster-set.yaml (1 addition & 1 deletion)
config/rhacm/seeds/templates/9000-post-multi-cluster-engine.yaml (1 addition & 1 deletion)
Diff of a further changed file (file name not captured on this page):
|
@@ -26,7 +26,7 @@ | |
|
||
## Prerequisites | ||
|
||
- An OpenShift Container Platform cluster, version 4.8 or later. | ||
- An OpenShift Container Platform cluster, version 4.12 or later. | ||
|
||
The applications were tested on both managed and self-managed deployments. | ||
|
||
|
@@ -61,7 +61,7 @@ | |
```sh | ||
oc version --client | ||
|
||
# Client Version: 4.10.60 | ||
# Client Version: 4.12.47 | ||
``` | ||
|
||
Ideally, the client's minor version should be at most one iteration behind the server version. Most commands here are pretty basic and will work with more significant differences, but keep that in mind if you see errors about unrecognized commands and parameters. | ||
|
@@ -155,7 +155,7 @@ oc create secret docker-registry ibm-entitlement-key \ | |
--docker-server=cp.icr.io \ | ||
--docker-username=cp \ | ||
--docker-password="${IBM_ENTITLEMENT_KEY:?}" \ | ||
--docker-email="non-existent-replace-with0[email protected]" \ | ||
--docker-email="non-existent-replace-with[email protected]" \ | ||
--namespace=openshift-gitops | ||
``` | ||
|
@@ -380,7 +380,7 @@ After completing the list of activities listed in the previous sections, you can | |
argocd app list -l app.kubernetes.io/instance=${app_name} | ||
``` | ||
1. You can also use the ArgoCD command-line interface to wait for the application to be synchronized and healthy: | ||
1. You can also use the Argo CD command-line interface to wait for the application to be synchronized and healthy: | ||
```sh | ||
argocd app wait "${app_name}" \ | ||
|
Diff of a further changed file (file name not captured on this page):
|
@@ -5,8 +5,12 @@ | |
- [Red Hat Advanced Cluster Management for Kubernetes](#red-hat-advanced-cluster-management-for-kubernetes) | ||
- [Contents](#contents) | ||
- [Overview](#overview) | ||
- [Prerequisites](#prerequisites) | ||
- [Installation](#installation) | ||
- [Install RHACM on OCP cluster via Argo](#install-rhacm-on-ocp-cluster-via-argo) | ||
- [Install the OpenShift GitOps operator](#install-the-openshift-gitops-operator) | ||
- [Install RHACM on OCP cluster via Argo CD](#install-rhacm-on-ocp-cluster-via-argo-cd) | ||
- [Obtain an entitlement key](#obtain-an-entitlement-key) | ||
- [Update the pull secret in the openshift-gitops namespace](#update-the-pull-secret-in-the-openshift-gitops-namespace) | ||
- [Using the policies](#using-the-policies) | ||
- [Policies](#policies) | ||
- [Label your clusters](#label-your-clusters) | ||
|
@@ -23,10 +27,29 @@ Red Hat Advanced Cluster Management for Kubernetes (referred to as RHACM through | |
|
||
This repository contains governance policies and placement rules for Argo CD itself and the Argo CD Application resources representing the Cloud Paks. | ||
|
||
--- | ||
|
||
## Prerequisites | ||
|
||
- An OpenShift Container Platform cluster, version 4.12 or later. | ||
|
||
The applications were tested on both managed and self-managed deployments. | ||
|
||
- Adequate worker node capacity in the cluster for RHACM to be installed. | ||
|
||
Refer to the [RHACM documentation](https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.8/html/install/installing#sizing-your-cluster) to determine the required capacity for the cluster. | ||
|
||
- [An entitlement key to the IBM Entitled Registry](#obtain-an-entitlement-key). This key is required in the RHACM cluster so it can be copied over to the managed clusters when a cluster matches a policy to install a Cloud Pak. | ||
|
||
--- | ||
|
||
## Installation | ||
|
||
### Install the OpenShift GitOps operator | ||
|
||
### Install RHACM on OCP cluster via Argo | ||
Follow the instructions in the [Red Hat OpenShift GitOps Installation page](https://docs.openshift.com/gitops/1.8/installing_gitops/installing-openshift-gitops.html) with special care to **use the `gitops-1.8` subscription channel instead of `latest`** (at least, until issue [#289](https://github.com/IBM/cloudpak-gitops/issues/289) is addressed.) | ||
|
||
### Install RHACM on OCP cluster via Argo CD | ||
|
||
These steps assume you logged in to the OCP server with the `oc` command-line interface: | ||
|
||
|
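Review bot: the instruction to use the `gitops-1.8` subscription channel instead of `latest` (pending issue #289) does not say what breaks on `latest`, and pinning to an older channel also means the operator stops receiving newer updates; state the reason briefly and add a reminder to revisit the pin when #289 closes. The new prerequisites bullet about the entitlement key says the key is copied to managed clusters; linking it to the "Update the pull secret in the openshift-gitops namespace" section would tell readers where the key is stored on the hub and which namespace needs protecting.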
@@ -71,6 +94,44 @@ These steps assume you logged in to the OCP server with the `oc` command-line in | |
--health | ||
``` | ||
|
||
## Obtain an entitlement key | ||
|
||
If you don't already have an entitlement key to the IBM Entitled Registry, obtain your key using the following instructions: | ||
|
||
1. Go to the [Container software library](https://myibm.ibm.com/products-services/containerlibrary). | ||
|
||
1. Click the "Copy key." | ||
|
||
1. Copy the entitlement key to a safe place to update the cluster's global pull secret. | ||
|
||
1. (Optional) Verify the validity of the key by logging in to the IBM Entitled Registry using a container tool: | ||
|
||
```sh | ||
export IBM_ENTITLEMENT_KEY=the key from the previous steps | ||
podman login cp.icr.io --username cp --password "${IBM_ENTITLEMENT_KEY:?}" | ||
``` | ||
|
||
--- | ||
|
||
## Update the pull secret in the openshift-gitops namespace | ||
|
||
Global pull secrets require granting too much privilege to the OpenShift GitOps service account, so we have started transitioning to the definition of pull secrets at a namespace level. | ||
|
||
The Application resources are transitioning to use `PreSync` hooks to copy the entitlement key from a `Secret` named `ibm-entitlement-key` in the `openshift-gitops` namespace, so issue the following command to create that secret: | ||
|
||
```sh | ||
# Note that if you just created the OpenShift GitOps operator | ||
# the namespace may not be ready yet, so you may need to wait | ||
# a minute or two | ||
oc create secret docker-registry ibm-entitlement-key \ | ||
--docker-server=cp.icr.io \ | ||
--docker-username=cp \ | ||
--docker-password="${IBM_ENTITLEMENT_KEY:?}" \ | ||
--docker-email="[email protected]" \ | ||
--namespace=openshift-gitops | ||
``` | ||
|
||
--- | ||
|
||
## Using the policies | ||
|
||
|
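Review bot: in the optional verification step, `export IBM_ENTITLEMENT_KEY=the key from the previous steps` is an unquoted placeholder that a reader may paste literally, and a real key typed this way lands in shell history and is visible on the command line; suggest reading it with `read -rs IBM_ENTITLEMENT_KEY` (or at least a quoted placeholder such as `export IBM_ENTITLEMENT_KEY='<your key>'`) and using `podman login --password-stdin` so the key is not passed as an argument. The `oc create secret` block at least takes the value from the variable, but it is worth saying that the resulting secret in `openshift-gitops` is readable by anyone who can get secrets in that namespace, which connects to the "rhacm-users" group section later in the README.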
@@ -96,32 +157,32 @@ Labels: | |
- `gitops-branch` + `cp4i`: Placement for Cloud Pak for Integration. | ||
- `gitops-branch` + `cp4s`: Placement for Cloud Pak for Security. | ||
- `gitops-branch` + `cp4aiops`: Placement for Cloud Pak for AIOps. | ||
- `gitops-remote` + `true`: Assign cluster to the `gitops-cluster` cluster-set, registering it to the [GitOps Cluster](https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.7/html/applications/managing-applications#gitops-config). | ||
- `gitops-remote` + `true`: Assign cluster to the `gitops-cluster` cluster-set, registering it to the [GitOps Cluster](https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.8/html/applications/managing-applications#gitops-config). | ||
|
||
Values for each label: | ||
|
||
- `gitops-branch`: Branch of this repo for the Argo applications. Unless you are developing and testing on a new branch, use the default value `main`. | ||
- cp4a: Namespace for deploying the Cloud Pak. Unless you want multiple Cloud Paks in different namespaces of the cluster, use the default value `ibm-cloudpaks`. | ||
- `cp4aiops`: Namespace for deploying the Cloud Pak. Unless you want multiple Cloud Paks in different namespaces of the cluster, use the default value `ibm-cloudpaks`. | ||
- `cp4d`: Namespace for deploying the Cloud Pak. As of release 4.0.6, and as a product limitation, do not use the same namespace as other Cloud Paks if installing Cloud Pak for Data to the same cluster. | ||
- `cp4i`: Namespace for deploying the Cloud Pak. Unless you want multiple Cloud Paks in different namespaces of the cluster, use the default value `ibm-cloudpaks`. | ||
- `cp4s`: Namespace for deploying the Cloud Pak. Unless you want multiple Cloud Paks in different namespaces of the cluster, use the default value `ibm-cloudpaks`. | ||
- cp4a: Namespace for deploying the Cloud Pak. | ||
- `cp4aiops`: Namespace for deploying the Cloud Pak. | ||
- `cp4d`: Namespace for deploying the Cloud Pak. | ||
- `cp4i`: Namespace for deploying the Cloud Pak. | ||
- `cp4s`: Namespace for deploying the Cloud Pak. | ||
|
||
### Examples | ||
|
||
Labeling an OCP cluster with `gitops-branch=main` and `cp4i=ibm-cloudpaks` deploys the following policies to a target cluster: | ||
Labeling an OCP cluster with `gitops-branch=main` and `cp4i=cp4ins` deploys the following policies to a target cluster: | ||
|
||
- `openshift-gitops-installed` | ||
- `openshift-gitops-argo-app` | ||
- `openshift-gitops-cloudpaks-cp-shared` | ||
- `openshift-gitops-cloudpaks-cp4i` | ||
|
||
Labeling an OCP cluster with `gitops-branch=main` and `cp4i=ibm-cloudpaks` deploys the following policies to a target cluster: | ||
Labeling an OCP cluster with `gitops-branch=main` and `cp4i=cp4ins` deploys the following policies to a target cluster: | ||
|
||
- `openshift-gitops-installed`: The latest version of the OpenShift GitOps operator. | ||
- `openshift-gitops-argo-app`: The Argo configuration is pulled from the `main` branch of this repository. | ||
`openshift-gitops-cloudpaks-cp-shared`: The Argo configuration is pulled from this repository's `main` branch. | ||
- `openshift-gitops-cloudpaks-cp4i`: The Cloud Pak is deployed to the namespace `ibm-cloudpaks` | ||
- `openshift-gitops-cloudpaks-cp4i`: The Cloud Pak is deployed to the namespace `cp4ins` | ||
|
||
## The "rhacm-users" group | ||
|
||
|
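Review bot: the `cp4a` bullets (both the removed and the added line) lack the backticks the sibling labels use; format the label as `` `cp4a` `` for consistency. The rewrite drops the guidance about the default `ibm-cloudpaks` value and the Cloud Pak for Data limitation about not sharing a namespace with other Cloud Paks; if that constraint still holds, keep at least the `cp4d` sentence, because the examples now use a dedicated `cp4ins` namespace without explaining why. The context line for `openshift-gitops-cloudpaks-cp-shared` is missing its leading `- ` bullet marker, worth fixing while touching this list.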
@@ -137,6 +198,7 @@ Once you have the respective users added to the cluster, you can add them to the | |
oc adm groups add-users rhacm-users "${username:?}" | ||
``` | ||
|
||
--- | ||
|
||
## Contributing | ||
|
||
|
@@ -146,6 +208,8 @@ If using OpenShift GitOps installed in the RHACM server, you need to modify the | |
|
||
The instructions for that setup are documented in the [CONTRIBUTING.md](../CONTRIBUTING.md) page, where you need to ensure you use the `rhacm-app` application name as the parameter for the `argocd app set` commands. | ||
|
||
--- | ||
|
||
## References | ||
|
||
- [Announcement of RHACM and GitOps integration](https://cloud.redhat.com/blog/red-hat-advanced-cluster-management-with-openshift-gitops) | ||
|