fix: Add entitlement-key to target cluster
Signed-off-by: Denilson Nastacio <[email protected]>
nastacio committed Oct 27, 2023
1 parent bc94f6f commit e2f1d21
Showing 9 changed files with 159 additions and 18 deletions.
2 changes: 1 addition & 1 deletion .github/pull_request_template.md
@@ -4,5 +4,5 @@ Description of changes:
- <change 1 ... >
- <change 2 ... >

Output of `argocd app list` command or screenshot of the ArgoCD Application synchronization window showing successful application of changes in this branch.
Output of `argocd app list` command or screenshot of the Argo CD Application synchronization window showing successful application of changes in this branch.

35 changes: 35 additions & 0 deletions config/rhacm/cloudpaks/templates/placement-gitops-policy.yaml
@@ -0,0 +1,35 @@
{{- range tuple "cp4a" "cp4aiops" "cp4d" "cp4i" "cp4s" }}
---
apiVersion: apps.open-cluster-management.io/v1
kind: PlacementRule
metadata:
annotations:
argocd.argoproj.io/sync-wave: "200"
name: placement-openshift-gitops-entitlement-key-{{.}}
namespace: {{ .Values.argocd_app_namespace }}
spec:
clusterConditions:
- status: 'True'
type: ManagedClusterConditionAvailable
clusterSelector:
matchExpressions:
- key: {{.}}
operator: Exists
values: []
---
apiVersion: policy.open-cluster-management.io/v1
kind: PlacementBinding
metadata:
annotations:
argocd.argoproj.io/sync-wave: "300"
name: binding-openshift-gitops-entitlement-key-{{.}}
namespace: {{ .Values.argocd_app_namespace }}
placementRef:
name: placement-openshift-gitops-entitlement-key-{{.}}
kind: PlacementRule
apiGroup: apps.open-cluster-management.io
subjects:
- name: cloudpak-entitlement-key
kind: Policy
apiGroup: policy.open-cluster-management.io
{{- end }}
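Review bot: the clusterSelector keys off the bare `cp4a`/`cp4aiops`/`cp4d`/`cp4i`/`cp4s` label with `operator: Exists`, so any managed cluster carrying one of those labels receives the entitlement-key policy regardless of its `gitops-branch` label or cluster set; if the other placement rules in this directory also require `gitops-branch`, add the same `matchExpressions` entry here so the registry credential is not pushed to a cluster that is labelled but not otherwise managed by these policies. A short comment at the top of the file saying that the `range tuple` fans out to one PlacementRule/PlacementBinding pair per Cloud Pak, all bound to the single `cloudpak-entitlement-key` Policy, would also help the next reader.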
41 changes: 41 additions & 0 deletions config/rhacm/cloudpaks/templates/policy-entitlement-key.yaml
@@ -0,0 +1,41 @@
---
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
name: cloudpak-entitlement-key
namespace: {{ .Values.argocd_app_namespace }}
annotations:
argocd.argoproj.io/compare-options: IgnoreExtraneous
argocd.argoproj.io/sync-options: SkipPrune
argocd.argoproj.io/sync-wave: "200"
policy.open-cluster-management.io/categories: CM Configuration Management
policy.open-cluster-management.io/controls: CM-2 Baseline Configuration
policy.open-cluster-management.io/standards: NIST SP 800-53
spec:
disabled: false
policy-templates:
- objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name: policy-entkey
spec:
namespaceSelector:
exclude:
- kube-*
include:
- default
object-templates:
- complianceType: musthave
objectDefinition:
apiVersion: v1
data:
.dockerconfigjson: '{{ "{{hub index (lookup \"v1\" \"Secret\" \"openshift-gitops\" \"ibm-entitlement-key\").data \".dockerconfigjson\" hub}}" }}'
kind: Secret
metadata:
name: ibm-entitled-key
namespace: openshift-gitops
type: kubernetes.io/dockerconfigjson
remediationAction: inform
severity: low
remediationAction: enforce
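Review bot: the Secret written to the managed cluster is named `ibm-entitled-key` (metadata.name in the objectDefinition), while docs/rhacm.md and docs/install.md in this same commit tell the user that the `PreSync` hooks read a Secret named `ibm-entitlement-key` in `openshift-gitops`; unless the hooks deliberately look for a different name on the target cluster, one of the two should change. Two smaller points: the template-level `remediationAction: inform` is overridden by the Policy-level `remediationAction: enforce`, so the `inform` line is dead and worth dropping to avoid confusion; and pulling the value with `index (lookup ...).data ".dockerconfigjson"` leaves the registry credential as plain base64 inside the replicated Policy objects in every managed-cluster namespace on the hub, whereas the hub template function `fromSecret` is encrypted in the replicated policy and decrypted on the managed cluster, so consider `{{hub fromSecret "openshift-gitops" "ibm-entitlement-key" ".dockerconfigjson" hub}}` here instead. Also confirm that a hub-side lookup of a Secret in `openshift-gitops` is permitted when the policy itself lives in `{{ .Values.argocd_app_namespace }}`, since hub templates are normally limited to the policy's own namespace.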
@@ -1,4 +1,4 @@
# https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.7/html/applications/managing-applications#gitops-config
# https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.8/html/applications/managing-applications#gitops-config
---
apiVersion: cluster.open-cluster-management.io/v1beta2
kind: ManagedClusterSet
@@ -1,4 +1,4 @@
# https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.7/html-single/clusters/index#hosting-service-cluster-configure-aws
# https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.8/html-single/clusters/index#hosting-service-cluster-configure-aws
---
apiVersion: batch/v1
kind: Job
8 changes: 4 additions & 4 deletions docs/install.md
@@ -26,7 +26,7 @@

## Prerequisites

- An OpenShift Container Platform cluster, version 4.8 or later.
- An OpenShift Container Platform cluster, version 4.12 or later.

The applications were tested on both managed and self-managed deployments.

@@ -61,7 +61,7 @@
```sh
oc version --client

# Client Version: 4.10.60
# Client Version: 4.12.47
```

Ideally, the client's minor version should be at most one iteration behind the server version. Most commands here are pretty basic and will work with more significant differences, but keep that in mind if you see errors about unrecognized commands and parameters.
@@ -155,7 +155,7 @@ oc create secret docker-registry ibm-entitlement-key \
--docker-server=cp.icr.io \
--docker-username=cp \
--docker-password="${IBM_ENTITLEMENT_KEY:?}" \
--docker-email="non-existent-replace-with0[email protected]" \
--docker-email="non-existent-replace-with[email protected]" \
--namespace=openshift-gitops
```
@@ -380,7 +380,7 @@ After completing the list of activities listed in the previous sections, you can
argocd app list -l app.kubernetes.io/instance=${app_name}
```
1. You can also use the ArgoCD command-line interface to wait for the application to be synchronized and healthy:
1. You can also use the Argo CD command-line interface to wait for the application to be synchronized and healthy:
```sh
argocd app wait "${app_name}" \
86 changes: 75 additions & 11 deletions docs/rhacm.md
@@ -5,8 +5,12 @@
- [Red Hat Advanced Cluster Management for Kubernetes](#red-hat-advanced-cluster-management-for-kubernetes)
- [Contents](#contents)
- [Overview](#overview)
- [Prerequisites](#prerequisites)
- [Installation](#installation)
- [Install RHACM on OCP cluster via Argo](#install-rhacm-on-ocp-cluster-via-argo)
- [Install the OpenShift GitOps operator](#install-the-openshift-gitops-operator)
- [Install RHACM on OCP cluster via Argo CD](#install-rhacm-on-ocp-cluster-via-argo-cd)
- [Obtain an entitlement key](#obtain-an-entitlement-key)
- [Update the pull secret in the openshift-gitops namespace](#update-the-pull-secret-in-the-openshift-gitops-namespace)
- [Using the policies](#using-the-policies)
- [Policies](#policies)
- [Label your clusters](#label-your-clusters)
@@ -23,10 +27,29 @@ Red Hat Advanced Cluster Management for Kubernetes (referred to as RHACM through

This repository contains governance policies and placement rules for Argo CD itself and the Argo CD Application resources representing the Cloud Paks.

---

## Prerequisites

- An OpenShift Container Platform cluster, version 4.12 or later.

The applications were tested on both managed and self-managed deployments.

- Adequate worker node capacity in the cluster for RHACM to be installed.

Refer to the [RHACM documentation](https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.8/html/install/installing#sizing-your-cluster) to determine the required capacity for the cluster.

- [An entitlement key to the IBM Entitled Registry](#obtain-an-entitlement-key). This key is required in the RHACM cluster so it can be copied over to the managed clusters when a cluster matches a policy to install a Cloud Pak.

---

## Installation

### Install the OpenShift GitOps operator

### Install RHACM on OCP cluster via Argo
Follow the instructions in the [Red Hat OpenShift GitOps Installation page](https://docs.openshift.com/gitops/1.8/installing_gitops/installing-openshift-gitops.html) with special care to **use the `gitops-1.8` subscription channel instead of `latest`** (at least, until issue [#289](https://github.com/IBM/cloudpak-gitops/issues/289) is addressed.)

### Install RHACM on OCP cluster via Argo CD

These steps assume you logged in to the OCP server with the `oc` command-line interface:

@@ -71,6 +94,44 @@ These steps assume you logged in to the OCP server with the `oc` command-line in
--health
```

## Obtain an entitlement key

If you don't already have an entitlement key to the IBM Entitled Registry, obtain your key using the following instructions:

1. Go to the [Container software library](https://myibm.ibm.com/products-services/containerlibrary).

1. Click the "Copy key."

1. Copy the entitlement key to a safe place to update the cluster's global pull secret.

1. (Optional) Verify the validity of the key by logging in to the IBM Entitled Registry using a container tool:

```sh
export IBM_ENTITLEMENT_KEY=the key from the previous steps
podman login cp.icr.io --username cp --password "${IBM_ENTITLEMENT_KEY:?}"
```

---

## Update the pull secret in the openshift-gitops namespace

Global pull secrets require granting too much privilege to the OpenShift GitOps service account, so we have started transitioning to the definition of pull secrets at a namespace level.

The Application resources are transitioning to use `PreSync` hooks to copy the entitlement key from a `Secret` named `ibm-entitlement-key` in the `openshift-gitops` namespace, so issue the following command to create that secret:

```sh
# Note that if you just created the OpenShift GitOps operator
# the namespace may not be ready yet, so you may need to wait
# a minute or two
oc create secret docker-registry ibm-entitlement-key \
--docker-server=cp.icr.io \
--docker-username=cp \
--docker-password="${IBM_ENTITLEMENT_KEY:?}" \
--docker-email="[email protected]" \
--namespace=openshift-gitops
```

---

## Using the policies
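Review bot: step 3 of "Obtain an entitlement key" still tells the reader to keep the key "to update the cluster's global pull secret", but the section that follows explains that global pull secrets are being replaced by a namespace-level secret, so the sentence should say "to create the pull secret in the `openshift-gitops` namespace". In the optional verification step, `export IBM_ENTITLEMENT_KEY=the key from the previous steps` is an unquoted placeholder that fails if copied literally; write it as `export IBM_ENTITLEMENT_KEY="<paste key here>"` or, better, `read -rs IBM_ENTITLEMENT_KEY` so the key never lands in the shell history. Nit: `Click the "Copy key."` has the period inside the quoted button label.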

@@ -96,32 +157,32 @@ Labels:
- `gitops-branch` + `cp4i`: Placement for Cloud Pak for Integration.
- `gitops-branch` + `cp4s`: Placement for Cloud Pak for Security.
- `gitops-branch` + `cp4aiops`: Placement for Cloud Pak for AIOps.
- `gitops-remote` + `true`: Assign cluster to the `gitops-cluster` cluster-set, registering it to the [GitOps Cluster](https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.7/html/applications/managing-applications#gitops-config).
- `gitops-remote` + `true`: Assign cluster to the `gitops-cluster` cluster-set, registering it to the [GitOps Cluster](https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.8/html/applications/managing-applications#gitops-config).

Values for each label:

- `gitops-branch`: Branch of this repo for the Argo applications. Unless you are developing and testing on a new branch, use the default value `main`.
- cp4a: Namespace for deploying the Cloud Pak. Unless you want multiple Cloud Paks in different namespaces of the cluster, use the default value `ibm-cloudpaks`.
- `cp4aiops`: Namespace for deploying the Cloud Pak. Unless you want multiple Cloud Paks in different namespaces of the cluster, use the default value `ibm-cloudpaks`.
- `cp4d`: Namespace for deploying the Cloud Pak. As of release 4.0.6, and as a product limitation, do not use the same namespace as other Cloud Paks if installing Cloud Pak for Data to the same cluster.
- `cp4i`: Namespace for deploying the Cloud Pak. Unless you want multiple Cloud Paks in different namespaces of the cluster, use the default value `ibm-cloudpaks`.
- `cp4s`: Namespace for deploying the Cloud Pak. Unless you want multiple Cloud Paks in different namespaces of the cluster, use the default value `ibm-cloudpaks`.
- cp4a: Namespace for deploying the Cloud Pak.
- `cp4aiops`: Namespace for deploying the Cloud Pak.
- `cp4d`: Namespace for deploying the Cloud Pak.
- `cp4i`: Namespace for deploying the Cloud Pak.
- `cp4s`: Namespace for deploying the Cloud Pak.

### Examples

Labeling an OCP cluster with `gitops-branch=main` and `cp4i=ibm-cloudpaks` deploys the following policies to a target cluster:
Labeling an OCP cluster with `gitops-branch=main` and `cp4i=cp4ins` deploys the following policies to a target cluster:

- `openshift-gitops-installed`
- `openshift-gitops-argo-app`
- `openshift-gitops-cloudpaks-cp-shared`
- `openshift-gitops-cloudpaks-cp4i`

Labeling an OCP cluster with `gitops-branch=main` and `cp4i=ibm-cloudpaks` deploys the following policies to a target cluster:
Labeling an OCP cluster with `gitops-branch=main` and `cp4i=cp4ins` deploys the following policies to a target cluster:

- `openshift-gitops-installed`: The latest version of the OpenShift GitOps operator.
- `openshift-gitops-argo-app`: The Argo configuration is pulled from the `main` branch of this repository.
`openshift-gitops-cloudpaks-cp-shared`: The Argo configuration is pulled from this repository's `main` branch.
- `openshift-gitops-cloudpaks-cp4i`: The Cloud Pak is deployed to the namespace `ibm-cloudpaks`
- `openshift-gitops-cloudpaks-cp4i`: The Cloud Pak is deployed to the namespace `cp4ins`

## The "rhacm-users" group
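Review bot: the rewritten value descriptions drop the guidance on what value to use for `cp4a`, `cp4aiops`, `cp4i` and `cp4s` (previously the default `ibm-cloudpaks`) and the Cloud Pak for Data caveat about not sharing a namespace with other Cloud Paks, while the examples now use `cp4i=cp4ins` without saying why; either restore a sentence on the recommended value or state that any namespace name is accepted. Two formatting nits in the same hunk: `cp4a` is not in backticks like its siblings, and the `openshift-gitops-cloudpaks-cp-shared` line in the second example list is missing its leading `- `.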

@@ -137,6 +198,7 @@ Once you have the respective users added to the cluster, you can add them to the
oc adm groups add-users rhacm-users "${username:?}"
```

---

## Contributing

@@ -146,6 +208,8 @@ If using OpenShift GitOps installed in the RHACM server, you need to modify the

The instructions for that setup are documented in the [CONTRIBUTING.md](../CONTRIBUTING.md) page, where you need to ensure you use the `rhacm-app` application name as the parameter for the `argocd app set` commands.

---

## References

- [Announcement of RHACM and GitOps integration](https://cloud.redhat.com/blog/red-hat-advanced-cluster-management-with-openshift-gitops)
1 change: 1 addition & 0 deletions tests/prebuild/yamllint-config.yaml
@@ -16,6 +16,7 @@ ignore: |
config/rhacm/cloudpaks/templates/placement-argocd.yaml
config/rhacm/cloudpaks/templates/placement-cloudpaks.yaml
config/rhacm/cloudpaks/templates/placement-cp-shared.yaml
config/rhacm/cloudpaks/templates/placement-gitops-policy.yaml
config/rhacm/seeds/templates/0000-namespace-multi-cluster-engine.yaml
config/rhacm/seeds/templates/0020-rhacm-hypershift-preview-roles.yaml
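Review bot: the new placement template is added to the yamllint ignore list, but `config/rhacm/cloudpaks/templates/policy-entitlement-key.yaml` from the same commit also contains Helm expressions (`{{ .Values.argocd_app_namespace }}` and the quoted hub template); if the existing `policy-*.yaml` templates are already excluded elsewhere in this list that is fine, otherwise add it here too or the prebuild lint will trip on the brace syntax.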
