From 440c2566bf8ce3e0a619bcae83f0de46931b66ee Mon Sep 17 00:00:00 2001 
From: day0hero
Date: Wed, 22 Apr 2026 21:02:55 +0100
Subject: [PATCH] openshift-pipelines added to pattern
- Externalized charts for pipelines, hypershift and cluster-autoscaler
- Pipelines have been added for deploying hive and hypershift clusters
- Added chart for hcp-cli imagestream
- Added letsencrypt(cert-manager) chart
---
 .gitignore | 1 +
 charts/all/hcp-cli/Chart.yaml | 6 +
 charts/all/hcp-cli/templates/buildconfig.yaml | 38 +++++
 charts/all/hcp-cli/templates/imagestream.yaml | 8 ++
 charts/all/hcp-cli/templates/rbac.yaml | 41 ++++++
 charts/all/hcp-cli/values.yaml | 17 +++
 charts/all/hypershift/.helmignore | 26 ----
 charts/all/hypershift/Chart.yaml | 24 ----
 .../autoscaling/clusterautoscaler.yaml | 42 ------
 .../autoscaling/machineautoscaler.yaml | 21 ---
 .../templates/eso-hypershift-aws.yaml | 26 ----
 .../templates/multiclusterengine.yaml | 17 ---
 .../templates/rbac/hcp-admin-crole.yaml | 134 ------------------
 .../rbac/hcp-admin-crolebinding.yaml | 22 ---
 charts/all/hypershift/values.yaml | 126 ----------------
 charts/all/pattern-credentials/Chart.yaml | 6 +
 .../templates/eso-aws-credentials.yaml | 19 +++
 .../templates/eso-hypershift-iam.yaml | 18 +++
 .../templates/eso-pullsecret.yaml | 20 +++
 .../templates/eso-push-secret.yaml | 26 ++++
 charts/all/pattern-credentials/values.yaml | 18 +++
 .../pipelinerun-destroy-hive.yaml | 17 +++
 .../pipelinerun-destroy-hypershift.yaml | 28 ++++
 .../pipelineruns/pipelinerun-hive-aws.yaml | 48 +++++++
 .../pipelinerun-hypershift-aws.yaml | 42 ++++++
 .../pipelinerun-pattern-test-mcgitops.yaml | 41 ++++++
 values-prod.yaml | 103 +++++++++++++-
 values-secret.yaml.template | 8 ++
 28 files changed, 501 insertions(+), 442 deletions(-)
 create mode 100644 charts/all/hcp-cli/Chart.yaml
 create mode 100644 charts/all/hcp-cli/templates/buildconfig.yaml
 create mode 100644 charts/all/hcp-cli/templates/imagestream.yaml
 create mode 100644 charts/all/hcp-cli/templates/rbac.yaml
 create mode 100644 charts/all/hcp-cli/values.yaml
 delete mode 100644 charts/all/hypershift/.helmignore
 delete mode 100644 charts/all/hypershift/Chart.yaml
 delete mode 100644 charts/all/hypershift/templates/autoscaling/clusterautoscaler.yaml
 delete mode 100644 charts/all/hypershift/templates/autoscaling/machineautoscaler.yaml
 delete mode 100644 charts/all/hypershift/templates/eso-hypershift-aws.yaml
 delete mode 100644 charts/all/hypershift/templates/multiclusterengine.yaml
 delete mode 100644 charts/all/hypershift/templates/rbac/hcp-admin-crole.yaml
 delete mode 100644 charts/all/hypershift/templates/rbac/hcp-admin-crolebinding.yaml
 delete mode 100644 charts/all/hypershift/values.yaml
 create mode 100644 charts/all/pattern-credentials/Chart.yaml
 create mode 100644 charts/all/pattern-credentials/templates/eso-aws-credentials.yaml
 create mode 100644 charts/all/pattern-credentials/templates/eso-hypershift-iam.yaml
 create mode 100644 charts/all/pattern-credentials/templates/eso-pullsecret.yaml
 create mode 100644 charts/all/pattern-credentials/templates/eso-push-secret.yaml
 create mode 100644 charts/all/pattern-credentials/values.yaml
 create mode 100644 examples/pipelineruns/pipelinerun-destroy-hive.yaml
 create mode 100644 examples/pipelineruns/pipelinerun-destroy-hypershift.yaml
 create mode 100644 examples/pipelineruns/pipelinerun-hive-aws.yaml
 create mode 100644 examples/pipelineruns/pipelinerun-hypershift-aws.yaml
 create mode 100644 examples/pipelineruns/pipelinerun-pattern-test-mcgitops.yaml
diff --git a/.gitignore b/.gitignore
index 01d23719..8904b1c9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -8,3 +8,4 @@ vault.init
 super-linter.log
 common/pattern-vault.init
 .cursor/*
+examples/*
diff --git a/charts/all/hcp-cli/Chart.yaml b/charts/all/hcp-cli/Chart.yaml
new file mode 100644
index 00000000..0923d463
--- /dev/null
+++ b/charts/all/hcp-cli/Chart.yaml
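Review bot: `+examples/*` ignores the same directory this commit populates with the five examples/pipelineruns/*.yaml files, so the rule and the added files disagree: the checked-in examples stay tracked, but any new example dropped next to them will never be picked up by `git add examples/`. If the examples are meant to live in the repo, narrow the rule (for instance `examples/local/*`) or add a `!examples/pipelineruns/` negation; if they are meant to stay local, leave them out of the commit instead. Either way, decide which one is intended rather than keeping both.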
@@ -0,0 +1,6 @@
+apiVersion: v2
+name: hcp-cli
+description: Builds the hcp CLI from ConsoleCLIDownload into an ImageStream for pipeline use
+type: application
+version: 0.1.0
+appVersion: "0.1.0"
diff --git a/charts/all/hcp-cli/templates/buildconfig.yaml b/charts/all/hcp-cli/templates/buildconfig.yaml
new file mode 100644
index 00000000..fdf63924
--- /dev/null
+++ b/charts/all/hcp-cli/templates/buildconfig.yaml
@@ -0,0 +1,38 @@
+apiVersion: build.openshift.io/v1
+kind: BuildConfig
+metadata:
+ name: {{ .Values.buildConfig.name }}
+ namespace: {{ .Values.namespace }}
+spec:
+ {{- if .Values.buildConfig.schedule }}
+ triggers:
+ - type: ConfigChange
+ - type: Cron
+ cron:
+ schedule: {{ .Values.buildConfig.schedule | quote }}
+ {{- else }}
+ triggers:
+ - type: ConfigChange
+ {{- end }}
+ runPolicy: Serial
+ serviceAccount: {{ .Values.serviceAccount.name }}
+ source:
+ type: Dockerfile
+ dockerfile: |
+ FROM {{ .Values.buildConfig.baseImage }} AS base
+
+ USER root
+ RUN curl -sSL "http://{{ .Values.buildConfig.hcpDownloadService }}/linux/amd64/hcp.tar.gz" \
+ -o /tmp/hcp.tar.gz && \
+ tar xzf /tmp/hcp.tar.gz -C /usr/local/bin && \
+ chmod +x /usr/local/bin/hcp && \
+ rm -f /tmp/hcp.tar.gz && \
+ hcp version
+ strategy:
+ type: Docker
+ dockerStrategy:
+ noCache: true
+ output:
+ to:
+ kind: ImageStreamTag
+ name: {{ .Values.imageStream.name }}:latest
diff --git a/charts/all/hcp-cli/templates/imagestream.yaml b/charts/all/hcp-cli/templates/imagestream.yaml
new file mode 100644
index 00000000..3143fa6d
--- /dev/null
+++ b/charts/all/hcp-cli/templates/imagestream.yaml
@@ -0,0 +1,8 @@
+apiVersion: image.openshift.io/v1
+kind: ImageStream
+metadata:
+ name: {{ .Values.imageStream.name }}
+ namespace: {{ .Values.namespace }}
+spec:
+ lookupPolicy:
+ local: true
diff --git a/charts/all/hcp-cli/templates/rbac.yaml b/charts/all/hcp-cli/templates/rbac.yaml
new file mode 100644
index 00000000..b56ad11f
--- /dev/null
+++ b/charts/all/hcp-cli/templates/rbac.yaml
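Review bot: The Dockerfile fetches the hcp binary over plain HTTP (`curl -sSL "http://{{ .Values.buildConfig.hcpDownloadService }}/linux/amd64/hcp.tar.gz"`) and installs whatever comes back into /usr/local/bin with no checksum or signature check, on top of the floating `origin-cli:latest` tag; the output is the CLI image the provisioning pipelines run with cloud credentials. Whether the in-cluster download service offers TLS is not visible here; if it does, use https with the service-CA bundle, and in any case add `-f` so an error body is not handed to tar, verify a known digest before extracting, and pin `baseImage` by `@sha256:` digest rather than tag. The build also ends at `USER root`; drop back to a non-root user after the install so the image does not default to root when the SCC allows it.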
@@ -0,0 +1,41 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ .Values.serviceAccount.name }}
+ namespace: {{ .Values.namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ .Values.serviceAccount.name }}
+rules:
+- apiGroups: ["console.openshift.io"]
+ resources: ["consoleclidownloads"]
+ verbs: ["get"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ .Values.serviceAccount.name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ .Values.serviceAccount.name }}
+subjects:
+- kind: ServiceAccount
+ name: {{ .Values.serviceAccount.name }}
+ namespace: {{ .Values.namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ .Values.serviceAccount.name }}-builder
+ namespace: {{ .Values.namespace }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:image-builder
+subjects:
+- kind: ServiceAccount
+ name: {{ .Values.serviceAccount.name }}
+ namespace: {{ .Values.namespace }}
diff --git a/charts/all/hcp-cli/values.yaml b/charts/all/hcp-cli/values.yaml
new file mode 100644
index 00000000..a1da10b5
--- /dev/null
+++ b/charts/all/hcp-cli/values.yaml
@@ -0,0 +1,17 @@
+namespace: cluster-provisioning
+
+imageStream:
+ name: hcp-cli
+
+buildConfig:
+ name: hcp-cli
+ # Base image that provides oc + kubectl
+ baseImage: quay.io/openshift/origin-cli:latest
+ # Schedule periodic rebuilds to pick up new hcp versions (cron format, empty to disable)
+ schedule: ""
+ # Internal service that serves the hcp CLI binaries (runs in the multicluster-engine namespace)
+ hcpDownloadService: hcp-cli-download.multicluster-engine.svc.cluster.local
+
+serviceAccount:
+ # SA used by the BuildConfig — needs permission to read consoleclidownloads
+ name: hcp-cli-builder
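Review bot: The ClusterRole and ClusterRoleBinding granting cluster-wide `get` on `consoleclidownloads` are never exercised: the BuildConfig's Dockerfile in the previous hunk only curls a fixed service URL and never calls `oc`, so the builder SA's token is unused and this is standing privilege for nothing. Either drop both cluster-scoped objects and keep only the namespaced `system:image-builder` RoleBinding the image push needs, or, if the intent is to discover the download URL from the ConsoleCLIDownload object, actually read it in the build. The values.yaml comment `# SA used by the BuildConfig — needs permission to read consoleclidownloads` should then say whichever is true.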
diff --git a/charts/all/hypershift/.helmignore b/charts/all/hypershift/.helmignore deleted file mode 100644 index 721bd964..00000000 --- a/charts/all/hypershift/.helmignore +++ /dev/null @@ -1,26 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*.orig -*~ -# Various IDEs -.project -.idea/ -*.tmproj -.vscode/ - -# Ignore Ansible Directory -templates/ansible/ diff --git a/charts/all/hypershift/Chart.yaml b/charts/all/hypershift/Chart.yaml deleted file mode 100644 index 1baa2882..00000000 --- a/charts/all/hypershift/Chart.yaml +++ /dev/null @@ -1,24 +0,0 @@ -apiVersion: v2 -name: hypershift -description: A Helm chart for Kubernetes - -# A chart can be either an 'application' or a 'library' chart. -# -# Application charts are a collection of templates that can be packaged into versioned archives -# to be deployed. -# -# Library charts provide useful utilities or functions for the chart developer. They're included as -# a dependency of application charts to inject those utilities and functions into the rendering -# pipeline. Library charts do not define any templates and therefore cannot be deployed. -type: application - -# This is the chart version. This version number should be incremented each time you make changes -# to the chart and its templates, including the app version. -# Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.0 - -# This is the version number of the application being deployed. This version number should be -# incremented each time you make changes to the application. Versions are not expected to -# follow Semantic Versioning. They should reflect the version the application is using. -# It is recommended to use it with quotes. -appVersion: "1.16.0" 
diff --git a/charts/all/hypershift/templates/autoscaling/clusterautoscaler.yaml b/charts/all/hypershift/templates/autoscaling/clusterautoscaler.yaml deleted file mode 100644 index 10dad6e1..00000000 --- a/charts/all/hypershift/templates/autoscaling/clusterautoscaler.yaml +++ /dev/null 
@@ -1,42 +0,0 @@ -{{- if .Values.autoscaling.clusterAutoscaler.enabled }} -apiVersion: autoscaling.openshift.io/v1 -kind: ClusterAutoscaler -metadata: - name: default - annotations: - argocd.argoproj.io/sync-wave: "10" -spec: - balanceSimilarNodeGroups: {{ .Values.autoscaling.clusterAutoscaler.balanceSimilarNodeGroups | default true }} - balancingIgnoredLabels: - - topology.kubernetes.io/zone - - topology.ebs.csi.aws.com/zone - skipNodesWithLocalStorage: {{ .Values.autoscaling.clusterAutoscaler.skipNodesWithLocalStorage | default false }} - podPriorityThreshold: {{ .Values.autoscaling.clusterAutoscaler.podPriorityThreshold | default -10 }} - resourceLimits: - maxNodesTotal: {{ .Values.autoscaling.clusterAutoscaler.resourceLimits.maxNodesTotal }} - {{- if .Values.autoscaling.clusterAutoscaler.resourceLimits.cores }} - cores: - min: {{ .Values.autoscaling.clusterAutoscaler.resourceLimits.cores.min }} - max: {{ .Values.autoscaling.clusterAutoscaler.resourceLimits.cores.max }} - {{- end }} - {{- if .Values.autoscaling.clusterAutoscaler.resourceLimits.memory }} - memory: - min: {{ .Values.autoscaling.clusterAutoscaler.resourceLimits.memory.min }} - max: {{ .Values.autoscaling.clusterAutoscaler.resourceLimits.memory.max }} - {{- end }} - {{- if .Values.autoscaling.clusterAutoscaler.resourceLimits.gpus }} - gpus: - {{- range .Values.autoscaling.clusterAutoscaler.resourceLimits.gpus }} - - type: {{ .type }} - min: {{ .min }} - max: {{ .max }} - {{- end }} - {{- end }} - scaleDown: - enabled: {{ .Values.autoscaling.clusterAutoscaler.scaleDown.enabled }} - delayAfterAdd: {{ .Values.autoscaling.clusterAutoscaler.scaleDown.delayAfterAdd | default "10m" }} - delayAfterDelete: {{ .Values.autoscaling.clusterAutoscaler.scaleDown.delayAfterDelete | default "5m" }} - delayAfterFailure: {{ .Values.autoscaling.clusterAutoscaler.scaleDown.delayAfterFailure | default "30s" }} - unneededTime: {{ .Values.autoscaling.clusterAutoscaler.scaleDown.unneededTime | default "5m" }} - 
utilizationThreshold: {{ .Values.autoscaling.clusterAutoscaler.scaleDown.utilizationThreshold | default "0.4" | quote }} -{{- end }} diff --git a/charts/all/hypershift/templates/autoscaling/machineautoscaler.yaml b/charts/all/hypershift/templates/autoscaling/machineautoscaler.yaml deleted file mode 100644 index 34b47332..00000000 --- a/charts/all/hypershift/templates/autoscaling/machineautoscaler.yaml +++ /dev/null @@ -1,21 +0,0 @@ -{{- if .Values.autoscaling.machineAutoscalers }} -{{- range .Values.autoscaling.machineAutoscalers }} -{{- if .enabled }} ---- -apiVersion: autoscaling.openshift.io/v1beta1 -kind: MachineAutoscaler -metadata: - name: {{ .name }} - namespace: openshift-machine-api - annotations: - argocd.argoproj.io/sync-wave: "11" -spec: - minReplicas: {{ .minReplicas }} - maxReplicas: {{ .maxReplicas }} - scaleTargetRef: - apiVersion: machine.openshift.io/v1beta1 - kind: MachineSet - name: {{ .machineSetName }} -{{- end }} -{{- end }} -{{- end }} diff --git a/charts/all/hypershift/templates/eso-hypershift-aws.yaml b/charts/all/hypershift/templates/eso-hypershift-aws.yaml deleted file mode 100644 index 2ad37b65..00000000 --- a/charts/all/hypershift/templates/eso-hypershift-aws.yaml +++ /dev/null @@ -1,26 +0,0 @@ -{{- if .Values.global.useExternalSecrets }} ---- -apiVersion: "external-secrets.io/v1" -kind: ExternalSecret -metadata: - name: hypershift-eso-aws - namespace: local-cluster - annotations: - argocd.argoproj.io/sync-wave: '5' -spec: - refreshInterval: 15s - secretStoreRef: - name: {{ .Values.secretStore.name }} - kind: {{ .Values.secretStore.kind }} - target: - name: hypershift-operator-oidc-provider-s3-credentials - template: - mergePolicy: Merge - type: Opaque - data: - region: {{ .Values.global.hypershift.oidc.region }} - bucket: {{ .Values.global.hypershift.oidc.bucketName }} - dataFrom: - - extract: - key: {{ .Values.awsCredentials.key }} -{{- end }} 
diff --git a/charts/all/hypershift/templates/multiclusterengine.yaml b/charts/all/hypershift/templates/multiclusterengine.yaml deleted file mode 100644 index 44a0820b..00000000 --- a/charts/all/hypershift/templates/multiclusterengine.yaml +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: multicluster.openshift.io/v1 -kind: MultiClusterEngine -metadata: - name: engine - namespace: multicluster-engine - annotations: - argocd.argoproj.io/sync-wave: "-5" -spec: - availabilityConfig: {{ .Values.mce.availabilityConfig }} - overrides: - components: - {{- range .Values.mce.components }} - - name: {{ .name }} - enabled: {{ .enabled | default "true" }} - configOverrides: {} - {{- end }} - targetNamespace: {{ .Values.mce.targetNS }} diff --git a/charts/all/hypershift/templates/rbac/hcp-admin-crole.yaml b/charts/all/hypershift/templates/rbac/hcp-admin-crole.yaml deleted file mode 100644 index 28581187..00000000 --- a/charts/all/hypershift/templates/rbac/hcp-admin-crole.yaml +++ /dev/null 
@@ -1,134 +0,0 @@ -{{- if .Values.rbac.create }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ .Values.rbac.role.name }} -rules: -# Full lifecycle control for Hypershift clusters -- apiGroups: - - hypershift.openshift.io - resources: - - hostedclusters - - nodepools - - nodepools/scale - verbs: - - '*' -# Full permissions for Hive cluster deployments (used by Hypershift) -- apiGroups: - - hive.openshift.io - resources: - - clusterdeployments - verbs: - - '*' -# Read-only access to managed clusters (for viewing cluster status) -- apiGroups: - - cluster.open-cluster-management.io - resources: - - managedclusters - verbs: - - get - - list - - watch -# Read-only access to cluster API resources (for monitoring cluster state) -- apiGroups: - - bootstrap.cluster.x-k8s.io - - controlplane.cluster.x-k8s.io - - infrastructure.cluster.x-k8s.io - - machines.cluster.x-k8s.io - - exp.infrastructure.cluster.x-k8s.io - - addons.cluster.x-k8s.io - - exp.cluster.x-k8s.io - - cluster.x-k8s.io - resources: - - '*' - verbs: - - get - - list - - watch -# Read-only access to monitoring resources -- apiGroups: - - monitoring.coreos.com - - monitoring.rhobs - resources: - - '*' - verbs: - - get - - list - - watch -# Namespace-scoped resources - only within Hypershift-managed namespaces -# These are needed for Hypershift cluster lifecycle but scoped to prevent cluster-wide creation -- apiGroups: - - "" - resources: - - events - - configmaps - - secrets - - serviceaccounts - - services - - endpoints - - namespaces - verbs: - - '*' -# Read-only access to pods (for debugging/troubleshooting) -- apiGroups: - - "" - resources: - - pods - - pods/log - verbs: - - get - - list - - watch -# Read-only access to nodes (for cluster status) -- apiGroups: - - "" - resources: - - nodes - verbs: - - get - - list - - watch -# Read-only access to OpenShift config (for cluster information) -- apiGroups: - - config.openshift.io - resources: - - clusterversions - verbs: - - 
get - - list - - watch -# Read-only access to ArgoCD applications (prevents installing new patterns) -- apiGroups: - - argoproj.io - resources: - - applications - verbs: - - get - - list - - watch -# Autoscaling resources - manage cluster and machine autoscalers -- apiGroups: - - autoscaling.openshift.io - resources: - - clusterautoscalers - - machineautoscalers - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -# Machine API resources - for autoscaling integration -- apiGroups: - - machine.openshift.io - resources: - - machinesets - - machinesets/scale - - machines - verbs: - - get - - list - - watch -{{- end }} diff --git a/charts/all/hypershift/templates/rbac/hcp-admin-crolebinding.yaml b/charts/all/hypershift/templates/rbac/hcp-admin-crolebinding.yaml deleted file mode 100644 index 8e92aa34..00000000 --- a/charts/all/hypershift/templates/rbac/hcp-admin-crolebinding.yaml +++ /dev/null @@ -1,22 +0,0 @@ -{{- if .Values.rbac.create }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ .Values.rbac.roleBinding.name }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ .Values.rbac.role.name }} -subjects: -{{- range .Values.rbac.users }} -- apiGroup: rbac.authorization.k8s.io - kind: User - name: {{ . }} -{{- end }} -{{- range .Values.rbac.groups }} -- apiGroup: rbac.authorization.k8s.io - kind: Group - name: {{ . }} -{{- end }} -{{- end }} diff --git a/charts/all/hypershift/values.yaml b/charts/all/hypershift/values.yaml deleted file mode 100644 index fb2fceb9..00000000 --- a/charts/all/hypershift/values.yaml +++ /dev/null 
@@ -1,126 +0,0 @@ -# Default values for hypershift. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -# Cluster Autoscaling Configuration -# -# Enable and configure cluster autoscaling for dynamic node management -autoscaling: - # ClusterAutoscaler - cluster-wide autoscaler settings - clusterAutoscaler: - enabled: false - # Balance similar node groups (e.g., MachineSets across AZs) to spread nodes evenly - balanceSimilarNodeGroups: true - # Allow scale-down of nodes with pods using local storage (emptyDir) - # Set to true to prevent scaling down nodes with local storage pods - skipNodesWithLocalStorage: false - # Pods with priority lower than this will not prevent node scale down - podPriorityThreshold: -10 - resourceLimits: - # Maximum number of nodes in the cluster (including control plane) - maxNodesTotal: 24 - # Optional: CPU cores limits across all nodes - cores: - min: 8 - max: 128 - # Optional: Memory limits across all nodes (in GB) - memory: - min: 32 - max: 512 - scaleDown: - enabled: true - # How long after scale up before scale down evaluation - delayAfterAdd: "10m" - # How long after node deletion before another deletion - delayAfterDelete: "5m" - # How long after scale down failure before retry - delayAfterFailure: "30s" - # How long a node should be unneeded before scale down - unneededTime: "5m" - # Node utilization threshold below which scale down is considered - utilizationThreshold: "0.4" - - # MachineAutoscalers - per-MachineSet autoscaling configuration - # Define one entry per MachineSet you want to autoscale - machineAutoscalers: [] - # Example configuration: - # - name: worker-us-east-1a - # enabled: true - # machineSetName: cluster-name-worker-us-east-1a - # minReplicas: 1 - # maxReplicas: 6 - # - name: worker-us-east-1b - # enabled: true - # machineSetName: cluster-name-worker-us-east-1b - # minReplicas: 1 - # maxReplicas: 6 - -# Role Based Access Controls -# -# Provide a list of users and/or groups 
to add to the clusterrolebinding -rbac: - create: true - role: - name: hcp-admins-crole - roleBinding: - name: hcp-admins-crb - users: [] - groups: [] - -clusterGroup: - isHubCluster: true - -# Reference the Hashicorp Vault backend for ESO -secretStore: - name: vault-backend - kind: ClusterSecretStore - -# Secret provisioned for the HyperShift installation -awsCredentials: - key: secret/data/hub/awsCreds - -# Begin global parameters -global: - hubClusterDomain: hub.example.com - localClusterDomain: region-one.example.com - -# Provision External Secret resources: default true - useExternalSecrets: true - -# S3 bucket information - hypershift: - oidc: - region: '' - bucketName: '' - -# End global parameters - -# MultiCluster Engine Components -mce: - targetNS: multicluster-engine - availabilityConfig: High - components: - - name: image-based-install-operator - enabled: "false" - - name: assisted-service - - name: cluster-lifecycle - - name: cluster-manager - - name: discovery - - name: hive - - name: server-foundation - - name: cluster-proxy-addon - - name: local-cluster - - name: hypershift-local-hosting - - name: managedserviceaccount - - name: hypershift - - name: console-mce - - name: cluster-api - enabled: "false" - - name: cluster-api-provider-aws - enabled: "false" - - name: cluster-api-provider-metal3 - enabled: "false" - - name: cluster-api-provider-openshift-assisted - enabled: "false" - - name: cluster-api-provider-azure-preview - enabled: "false" diff --git a/charts/all/pattern-credentials/Chart.yaml b/charts/all/pattern-credentials/Chart.yaml new file mode 100644 index 00000000..95eb798b --- /dev/null +++ b/charts/all/pattern-credentials/Chart.yaml @@ -0,0 +1,6 @@ +apiVersion: v2 +name: pattern-credentials +description: External Secrets for provisioning credentials (AWS, pull secret, HyperShift IAM) +type: application +version: 0.1.0 +appVersion: "0.1.0" 
diff --git a/charts/all/pattern-credentials/templates/eso-aws-credentials.yaml b/charts/all/pattern-credentials/templates/eso-aws-credentials.yaml
new file mode 100644
index 00000000..5aaf65ff
--- /dev/null
+++ b/charts/all/pattern-credentials/templates/eso-aws-credentials.yaml
@@ -0,0 +1,19 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: eso-aws-creds
+ namespace: hive
+ annotations:
+ argocd.argoproj.io/sync-wave: "-10"
+spec:
+ refreshInterval: 15s
+ secretStoreRef:
+ name: {{ .Values.secretStore.name }}
+ kind: {{ .Values.secretStore.kind }}
+ target:
+ name: aws-creds
+ template:
+ type: Opaque
+ dataFrom:
+ - extract:
+ key: {{ .Values.awsCreds.key }}
diff --git a/charts/all/pattern-credentials/templates/eso-hypershift-iam.yaml b/charts/all/pattern-credentials/templates/eso-hypershift-iam.yaml
new file mode 100644
index 00000000..7461b604
--- /dev/null
+++ b/charts/all/pattern-credentials/templates/eso-hypershift-iam.yaml
@@ -0,0 +1,18 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: hypershift-iam-config
+ namespace: cluster-provisioning
+ annotations:
+ argocd.argoproj.io/sync-wave: "-10"
+spec:
+ refreshInterval: 5m
+ secretStoreRef:
+ name: {{ .Values.secretStore.name }}
+ kind: {{ .Values.secretStore.kind }}
+ target:
+ name: hypershift-iam-config
+ creationPolicy: Owner
+ dataFrom:
+ - extract:
+ key: {{ .Values.hypershiftIAM.key }}
diff --git a/charts/all/pattern-credentials/templates/eso-pullsecret.yaml b/charts/all/pattern-credentials/templates/eso-pullsecret.yaml
new file mode 100644
index 00000000..d5af2716
--- /dev/null
+++ b/charts/all/pattern-credentials/templates/eso-pullsecret.yaml
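Review bot: `eso-aws-creds` polls Vault every 15s (`refreshInterval: 15s`) for what is a long-lived static AWS key, and unlike `hypershift-iam-config` in the next hunk it does not state a `creationPolicy`, so the two ExternalSecrets in the same chart read differently for no reason. Set `creationPolicy: Owner` explicitly on the `target:` and use the same `refreshInterval: 5m` as the IAM secret; a 15s refresh buys nothing for a credential that only changes on rotation and adds steady Vault read traffic and audit-log noise. Both objects also hard-code their namespaces (`hive`, `cluster-provisioning`) while the store is templated; a short comment on why `hive` is fixed would help the next reader.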
@@ -0,0 +1,20 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: global-pullsecret
+ namespace: hive
+ annotations:
+ argocd.argoproj.io/sync-wave: "2"
+spec:
+ refreshInterval: 15s
+ secretStoreRef:
+ name: {{ .Values.secretStore.name }}
+ kind: {{ .Values.secretStore.kind }}
+ target:
+ name: global-pullsecret
+ creationPolicy: Owner
+ data:
+ - secretKey: .dockerconfigjson
+ remoteRef:
+ key: {{ .Values.pullSecret.key }}
+ property: docker
diff --git a/charts/all/pattern-credentials/templates/eso-push-secret.yaml b/charts/all/pattern-credentials/templates/eso-push-secret.yaml
new file mode 100644
index 00000000..1a271a41
--- /dev/null
+++ b/charts/all/pattern-credentials/templates/eso-push-secret.yaml
@@ -0,0 +1,26 @@
+apiVersion: external-secrets.io/v1alpha1
+kind: PushSecret
+metadata:
+ name: eso-push-secret
+ namespace: openshift-config
+ annotations:
+ argocd.argoproj.io/sync-wave: "1"
+spec:
+ secretStoreRefs:
+ - kind: ClusterSecretStore
+ name: {{ .Values.secretStore.name }}
+ selector:
+ secret:
+ name: pull-secret
+ template:
+ data:
+ docker-config-json: '{{ `{{ index . ".dockerconfigjson" | toString }}` }}'
+ data:
+ - match:
+ secretKey: docker-config-json
+ remoteRef:
+ remoteKey: pushsecrets/global-pull-secret
+ property: docker
+ refreshInterval: 10s
+ updatePolicy: Replace
+ deletionPolicy: Delete
diff --git a/charts/all/pattern-credentials/values.yaml b/charts/all/pattern-credentials/values.yaml
new file mode 100644
index 00000000..953739e4
--- /dev/null
+++ b/charts/all/pattern-credentials/values.yaml
@@ -0,0 +1,18 @@
+secretStore:
+ name: vault-backend
+ kind: ClusterSecretStore
+
+awsCreds:
+ key: secret/data/hub/aws
+
+pullSecret:
+ key: pushsecrets/global-pull-secret
+
+hypershiftIAM:
+ key: secret/data/hub/hypershift-iam
+
+global:
+ hypershift:
+ oidc:
+ region: ""
+ bucketName: ""
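Review bot: The PushSecret hard-codes `remoteKey: pushsecrets/global-pull-secret` while the chart's values.yaml (next hunk) exposes the same path as `pullSecret.key` for the consuming ExternalSecret, so changing either one leaves the hive `global-pullsecret` silently unresolved; template it as `remoteKey: {{ .Values.pullSecret.key }}` so the two cannot drift. Worth a comment on the object as well, because what it does is not obvious from the name: the cluster's `openshift-config/pull-secret` (the cluster registry credentials) is copied into Vault every 10s, and with `deletionPolicy: Delete` pruning this object removes the only copy the hive ExternalSecret reads from. The Vault policy for `pushsecrets/*` should accordingly be limited to the ESO role, and `secretStoreRefs[].kind` is fixed to `ClusterSecretStore` while the ExternalSecrets take it from `.Values.secretStore.kind`.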
diff --git a/examples/pipelineruns/pipelinerun-destroy-hive.yaml b/examples/pipelineruns/pipelinerun-destroy-hive.yaml
new file mode 100644
index 00000000..cbc79925
--- /dev/null
+++ b/examples/pipelineruns/pipelinerun-destroy-hive.yaml
@@ -0,0 +1,17 @@
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+metadata:
+ generateName: destroy-hive-
+ namespace: cluster-provisioning
+spec:
+ pipelineRef:
+ name: destroy-hive-cluster
+ params:
+ - name: cluster-name
+ value: hivetest
+ - name: timeout-minutes
+ value: "30"
+ - name: delete-namespace
+ value: "true"
+ taskRunTemplate:
+ serviceAccountName: provisioner
diff --git a/examples/pipelineruns/pipelinerun-destroy-hypershift.yaml b/examples/pipelineruns/pipelinerun-destroy-hypershift.yaml
new file mode 100644
index 00000000..42520412
--- /dev/null
+++ b/examples/pipelineruns/pipelinerun-destroy-hypershift.yaml
@@ -0,0 +1,28 @@
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+metadata:
+ generateName: destroy-hypershift-
+ namespace: cluster-provisioning
+spec:
+ pipelineRef:
+ name: destroy-hypershift-cluster
+ params:
+ - name: cluster-name
+ value: my-hypershift-cluster
+ - name: cloud-region
+ value: us-east-2
+ - name: role-arn
+ value: "arn:aws:iam::123456789012:role/hypershift-cli-role"
+ - name: timeout-minutes
+ value: "30"
+ taskRunTemplate:
+ serviceAccountName: provisioner
+ workspaces:
+ - name: credentials
+ volumeClaimTemplate:
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi
diff --git a/examples/pipelineruns/pipelinerun-hive-aws.yaml b/examples/pipelineruns/pipelinerun-hive-aws.yaml
new file mode 100644
index 00000000..461f5aa6
--- /dev/null
+++ b/examples/pipelineruns/pipelinerun-hive-aws.yaml
@@ -0,0 +1,48 @@
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+metadata:
+ generateName: deploy-hive-
+ namespace: cluster-provisioning
+spec:
+ pipelineRef:
+ name: deploy-hive-cluster
+ params:
+ - name: cluster-name
+ value: test
+ - name: base-domain
+ value: aws.validatedpatterns.io
+ - name: cloud-provider
+ value: aws
+ - name: cloud-region
+ value: us-west-2
+ - name: cluster-version
+ value: img4.21.6-x86-64-appsub
+ - name: control-plane-machine-type
+ value: m5.xlarge
+ - name: worker-machine-type
+ value: m5.xlarge
+ - name: control-plane-replicas
+ value: "3"
+ - name: worker-replicas
+ value: "3"
+ - name: timeout-minutes
+ value: "90"
+ taskRunTemplate:
+ serviceAccountName: provisioner
+ workspaces:
+ - name: install-config
+ volumeClaimTemplate:
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi
+ - name: kubeconfig
+ volumeClaimTemplate:
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi
diff --git a/examples/pipelineruns/pipelinerun-hypershift-aws.yaml b/examples/pipelineruns/pipelinerun-hypershift-aws.yaml
new file mode 100644
index 00000000..c2a599bc
--- /dev/null
+++ b/examples/pipelineruns/pipelinerun-hypershift-aws.yaml
@@ -0,0 +1,42 @@
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+metadata:
+ generateName: deploy-hypershift-
+ namespace: cluster-provisioning
+spec:
+ pipelineRef:
+ name: deploy-hypershift-cluster
+ params:
+ - name: cluster-name
+ value: hcptest
+ - name: base-domain
+ value: aws.validatedpatterns.io
+ - name: cloud-region
+ value: us-west-2
+ - name: node-pool-replicas
+ value: "1"
+ - name: instance-type
+ value: m5.xlarge
+ - name: role-arn
+ value: "arn:aws:iam::296267305927:role/hypershift_cli_role"
+ - name: timeout-minutes
+ value: "30"
+ taskRunTemplate:
+ serviceAccountName: provisioner
+ workspaces:
+ - name: credentials
+ volumeClaimTemplate:
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi
+ - name: kubeconfig
+ volumeClaimTemplate:
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi
diff --git a/examples/pipelineruns/pipelinerun-pattern-test-mcgitops.yaml b/examples/pipelineruns/pipelinerun-pattern-test-mcgitops.yaml
new file mode 100644
index 00000000..575ba561
--- /dev/null
+++ b/examples/pipelineruns/pipelinerun-pattern-test-mcgitops.yaml
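Review bot: `value: "arn:aws:iam::296267305927:role/hypershift_cli_role"` puts what looks like a real AWS account ID into a checked-in example, while the sibling destroy example uses the `123456789012` placeholder; use the placeholder here as well, since account IDs are targeting information and examples get copied verbatim. The role name also differs between the two examples (`hypershift_cli_role` here versus `hypershift-cli-role` in pipelinerun-destroy-hypershift.yaml), so a copy-pasted destroy run would not reference the role the create run used; pick one spelling across the examples and the values-secret template.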
@@ -0,0 +1,41 @@
+# Example: Provision a right-sized cluster for the multicloud-gitops pattern
+# using the pattern-test-provision pipeline.
+#
+# The pipeline reads pattern-metadata.yaml from the pattern repo,
+# extracts sizing for the chosen cloud/role, applies a Crossplane
+# LegionCluster claim, and validates the resulting cluster.
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+metadata:
+ generateName: pattern-test-mcgitops-
+ namespace: cluster-provisioning
+spec:
+ pipelineRef:
+ name: pattern-test-provision
+ taskRunTemplate:
+ serviceAccountName: provisioner
+ workspaces:
+ - name: kubeconfig
+ emptyDir: {}
+ params:
+ - name: pattern-repo-url
+ value: https://github.com/validatedpatterns/multicloud-gitops.git
+ - name: pattern-repo-revision
+ value: main
+ - name: cloud-provider
+ value: aws
+ - name: cloud-region
+ value: us-east-2
+ - name: cluster-role
+ value: hub
+ - name: base-domain
+ value: qe.example.com
+ - name: name-prefix
+ value: qe
+ - name: cluster-version
+ value: img4.21.6-x86-64-appsub
+ # Leave empty to auto-detect from metadata (hcp if hypershift_support=true)
+ - name: cluster-type-override
+ value: "hive"
+ - name: timeout-minutes
+ value: "90"
diff --git a/values-prod.yaml b/values-prod.yaml
index 57fb8ee9..9263a88e 100644
--- a/values-prod.yaml
+++ b/values-prod.yaml
@@ -16,28 +16,52 @@ clusterGroup:
 operatorGroup: true
 targetNamespaces: []
 external-secrets:
+ openshift-pipelines:
+ cluster-provisioning:
+ # When listed (and not disabled), charts/all/pipelines enables create-klusterlet-addon alongside acm app below.
+ # open-cluster-management:
+ # Operator subscriptions default to sync wave 0. Give them an explicit early band so
+ # CSVs exist before Applications that install CRs for those operators (Argo advances
+ # waves only after prior-wave resources are Synced + Healthy where health applies).
 subscriptions:
 eso:
 name: openshift-external-secrets-operator
 namespace: external-secrets-operator
 channel: stable-v1
+ annotations:
+ argocd.argoproj.io/sync-wave: "5"
 mce:
 name: multicluster-engine
 namespace: multicluster-engine
 channel: stable-2.11
+ annotations:
+ argocd.argoproj.io/sync-wave: "5"
+
+ openshift-pipelines:
+ name: openshift-pipelines-operator-rh
+ channel: latest
 groupsync:
 name: group-sync-operator
 namespace: group-sync-operator
 source: community-operators
 channel: alpha
+ annotations:
+ argocd.argoproj.io/sync-wave: "5"
 argoProjects:
 - hub
 - hypershift
+ - pipelines
+ - infrastructure
+ # Hub Applications: assign argocd.argoproj.io/sync-wave on every Argo Application so
+ # ordering is explicit and kubelet-config stays in a terminal wave. Argo advances waves
+ # only after resources in the current wave are Synced and Healthy; leaving many apps at
+ # the default wave 0 makes failures harder to reason about and can interact badly with
+ # MCO (KubeletConfig) rollouts during first sync.
 applications:
 vault:
 name: vault
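Review bot: The new `openshift-pipelines` subscription is the one entry that did not receive the `argocd.argoproj.io/sync-wave: "5"` annotation the comment directly above the `subscriptions:` block asks for, and it is also the only subscription without a `namespace`; the `pipelines` Application in the next hunk sits at wave 18 and needs the Tekton CRDs by then, so this one should get the same early band: `annotations:` / `argocd.argoproj.io/sync-wave: "5"`. Whether the framework defaults the install namespace is not visible here, so either add it or say in a comment that the default is intended. `channel: latest` is also a floating channel for the operator that will run the pipelines holding the cloud credentials; a versioned channel would make upgrades deliberate.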
@@ -45,22 +69,82 @@ clusterGroup:
       project: hub
       chart: hashicorp-vault
       chartVersion: 0.1.*
+      annotations:
+        argocd.argoproj.io/sync-wave: "28"
     golang-external-secrets:
       disabled: true
+
     openshift-external-secrets:
       name: openshift-external-secrets
       namespace: external-secrets
       argoProject: hub
       chart: openshift-external-secrets
       chartVersion: 0.0.*
+      annotations:
+        argocd.argoproj.io/sync-wave: "38"
+
+    cert-manager:
+      disabled: false
+      name: openshift-cert-manager
+      namespace: cert-manager-operator
+      argoProject: hub
+      chart: letsencrypt
+      chartVersion: 0.1.*
+      annotations:
+        argocd.argoproj.io/sync-wave: "22"
+      ignoreDifferences:
+        - group: argoproj.io
+          kind: ArgoCD
+          jqPathExpressions:
+            - .metadata.annotations
+
+    autoscaler:
+      disabled: false
+      name: cluster-autoscaler
+      namespace: openshift-machine-api
+      argoProject: hub
+      chart: cluster-autoscaler
+      chartVersion: 0.0.*
+      annotations:
+        argocd.argoproj.io/sync-wave: "15"
     hypershift:
       disabled: false
       name: hypershift
       namespace: multicluster-engine
       argoProject: hypershift
-      path: charts/all/hypershift
+      chart: hypershift-config
+      chartVersion: 0.0.*
+      annotations:
+        argocd.argoproj.io/sync-wave: "18"
+
+    pipelines:
+      disabled: false
+      name: pipelines
+      namespace: openshift-pipelines
+      argoProject: pipelines
+      path: charts/all/pipelines
+      chart: cluster-pipelines
+      chartVersion: 0.0.*
+      annotations:
+        argocd.argoproj.io/sync-wave: "18"
+
+    # Uncomment when ACM is installed — pipelines chart detects this key and enables Klusterlet add-on task.
+    # acm:
+    #   name: acm
+    #   namespace: open-cluster-management
+    #   argoProject: hub
+    #   chart: acm
+    #   chartVersion: 0.2.*
+
+    credentials:
+      name: pattern-credentials
+      namespace: cluster-provisioning
+      argoProject: infrastructure
+      path: charts/all/pattern-credentials
+      annotations:
+        argocd.argoproj.io/sync-wave: "50"
     oauth:
       disabled: false
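Review bot: The `pipelines` Application carries both `path: charts/all/pipelines` and `chart: cluster-pipelines` / `chartVersion: 0.0.*`, while the `hypershift` entry in the same hunk drops `path` in favour of `chart`, which is what the commit message's externalisation describes; which source wins when both are set depends on the clustergroup chart, so one of the two is either dead or silently preferred. Drop the `path:` line if the chart is meant to come from the registry, or drop `chart:`/`chartVersion:` if the in-repo path is still the intended source. The `vault` entry's body starts above this hunk.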
@@ -68,6 +152,8 @@ clusterGroup:
       namespace: openshift-config
       argoProject: hub
       path: charts/all/oauth
+      annotations:
+        argocd.argoproj.io/sync-wave: "50"
     groupsync:
       disabled: false
@@ -75,6 +161,15 @@ clusterGroup:
       namespace: group-sync-operator
       argoProject: hub
       path: charts/all/groupsync
+      annotations:
+        argocd.argoproj.io/sync-wave: "60"
+
+    hypershift-cli:
+      disabled: false
+      name: hcp-cli
+      namespace: cluster-provisioning
+      argoProject: infrastructure
+      path: charts/all/hcp-cli
     kubelet-config:
       disabled: false
@@ -82,10 +177,10 @@ clusterGroup:
       namespace: openshift-machine-config-operator
       argoProject: hub
       path: charts/all/kubelet-config
-      # Apply after other hub Applications (default sync-wave 0). KubeletConfig triggers
-      # MCO rollouts that can disrupt pods (e.g. Vault) if they run concurrently.
+      # Terminal wave: KubeletConfig triggers MCO node reconcile and must not run until
+      # hub workloads above (Vault, ESO, routes, etc.) are healthy.
       annotations:
-        argocd.argoproj.io/sync-wave: "100"
+        argocd.argoproj.io/sync-wave: "999"
       ignoreDifferences:
         - group: machineconfiguration.openshift.io
           kind: KubeletConfig
diff --git a/values-secret.yaml.template b/values-secret.yaml.template
index a2be8ec8..87559676 100644
--- a/values-secret.yaml.template
+++ b/values-secret.yaml.template
@@ -19,6 +19,14 @@ secrets:
     fields:
       - name: credentials
         path: ~/.aws/credentials
+
+  - name: hypershift-iam
+    vaultPrefixes:
+      - hub
+    fields:
+      - name: role-arn
+        value: "arn:aws:iam:accNumber::role/hypershift_cli_role"
+
 # Begin groupsync/oauth config
 # - name: oauthCreds
 #   fields:
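Review bot: `hypershift-cli` is added without an `argocd.argoproj.io/sync-wave` annotation, contradicting the comment this commit adds above `applications:` ("assign sync-wave on every Argo Application") and leaving it at wave 0, ahead of the `credentials` Application (wave 50) that targets the same `cluster-provisioning` namespace. Give it an explicit wave, `annotations:` / `argocd.argoproj.io/sync-wave: "<wave>"`, chosen relative to whatever the hcp-cli chart's resources depend on. The `groupsync` entry this hunk extends begins above it.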
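Review bot: The example role ARN `arn:aws:iam:accNumber::role/hypershift_cli_role` has the placeholder in the region field and leaves the account field empty; an IAM role ARN has an empty region and the account ID in the fifth field, so the line should read `value: "arn:aws:iam::<accNumber>:role/hypershift_cli_role"`. Anyone filling in the template as written gets an ARN AWS rejects, and the failure surfaces only when the role is first assumed. A one-line comment naming which role this is (presumably the one the hcp CLI assumes for cluster provisioning, judging by the name) would help the person populating the secret.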
