├── .gitignore ├── README.md ├── apps ├── 00-machine-config │ ├── 00-create-lvs-for-lso.yaml │ ├── 50-master-enable-sctp.yaml │ ├── 50-worker-enable-sctp.yaml │ ├── create-local-user.yaml │ └── mcp │ │ ├── README.md │ │ ├── mcp-worker-job-sa.yaml │ │ ├── mcp-worker-pause-job.yaml │ │ └── mcp-worker-resume-job.yaml ├── 01-openshift-gitops │ ├── base │ │ ├── .gitignore │ │ ├── 02-cr-config.yaml │ │ ├── 04-cluster-admin-gitops.yaml │ │ ├── 06-argocdadmins-group-base.yaml │ │ └── kustomization.yaml │ ├── bootstrap │ │ ├── 01-install.yaml │ │ └── kustomization.yaml │ └── overlays │ │ ├── ca-central │ │ └── kustomization.yaml │ │ └── default │ │ └── kustomization.yaml ├── 02-sealed-secrets │ ├── bootstrap │ │ ├── .gitignore │ │ ├── 01-sealed-secret-namespace.yaml │ │ ├── 02-sealed-secrets-secret-EXAMPLE.yaml │ │ └── kustomization.yaml │ ├── kustomization.yaml │ └── update-status.yaml ├── 03-letsencrypt-certs │ ├── .gitignore │ ├── 01-namespace.yaml │ ├── 02-job-serviceaccount.yaml │ ├── 03-rbac.yaml │ ├── 04-job.yaml │ ├── 05-sealed-aws-credentials.yaml │ ├── README.md │ └── kustomization.yaml ├── 04-local-storage-operator │ ├── 01-install.yaml │ ├── 02-localvolumediscovery.yaml │ ├── 03-localvolumeset-block.yaml │ ├── 04-localvolumeset-fs.yaml │ ├── 05-localvolume.yaml │ ├── kustomization.yaml │ └── test │ │ ├── pv-block-example.yaml │ │ └── pvc-test.yaml ├── 05-openshift-container-storage │ ├── 00-cli-job-sa-and-role.yaml │ ├── 00-install.yaml │ ├── 01-presync-csi-tolerations.yaml │ ├── 01-presync-label-worker-job.yaml │ ├── 02-ocs-lso-storagecluster.yaml │ ├── 02-ocs-storagecluster.yaml │ ├── 04-registry-pvc-create.yaml │ ├── 05-ocs-internal-registry.yaml │ ├── 06-metrics-use-ocs.yaml │ ├── 07-postsync-default-storageclass.yaml │ ├── kustomization.yaml │ └── untitled.txt ├── 06-rhsso │ ├── base │ │ ├── 00-presync-create-cert-cm-job.yaml │ │ ├── 01-install.yaml │ │ ├── 02-keycloak.yaml │ │ ├── 03-postsync-keycloak-migration.yaml │ │ ├── 04-console-link.yaml │ │ ├── 
05-cluster-admin-users-rolebinding.yaml │ │ └── kustomization.yaml │ └── overlays │ │ ├── ca-central │ │ ├── 01-sealed-rhsso-config.yaml │ │ ├── config │ │ │ ├── .gitignore │ │ │ ├── 01-realms.yaml │ │ │ ├── 04-groups.yaml │ │ │ ├── README.md │ │ │ ├── keycloak-changelog.yml │ │ │ └── kustomization.yaml │ │ └── kustomization.yaml │ │ └── default │ │ ├── 01-sealed-rhsso-config.yaml │ │ ├── config │ │ ├── .gitignore │ │ ├── 01-realms.yaml │ │ ├── 04-groups.yaml │ │ ├── README.md │ │ ├── keycloak-changelog.yml │ │ └── kustomization.yaml │ │ └── kustomization.yaml ├── 07-oauth │ ├── base │ │ ├── .gitignore │ │ ├── 01-oauth-cluster.yaml │ │ ├── 02-sealed-rhsso-client-secret.yaml │ │ ├── kustomization.yaml │ │ └── login │ │ │ ├── kustomization.yaml │ │ │ ├── login.html │ │ │ └── providers.html │ └── overlays │ │ ├── ca-central │ │ └── kustomization.yaml │ │ └── default │ │ └── kustomization.yaml ├── 08-openshift-elasticsearch │ ├── 01-install.yaml │ └── kustomization.yaml ├── 09-openshift-logging │ ├── 01-install.yaml │ ├── 02-cluster-logging.yaml │ ├── 03-cluster-log-fowarder.yaml │ ├── 04-console-link.yaml │ └── kustomization.yaml ├── 10-ansible-automation-platform │ └── overlays │ │ ├── ca-central │ │ └── kustomization.yaml │ │ └── default │ │ └── kustomization.yaml ├── 11-quay-container-security │ ├── 01-install.yaml │ └── kustomization.yaml ├── 12-advanced-cluster-management │ ├── .gitignore │ ├── 00-install-creds.yaml │ ├── 01-sealed-aws-creds.yaml │ ├── 01-sealed-clustermanager.yaml │ ├── 01-sealed-tower-creds.yaml │ ├── 02-cluster-curator.yaml │ ├── 03-subscription-admin.yaml │ ├── 04-auto-import-in-argocd.yaml │ ├── bk │ │ ├── remove-acm-observability.sh │ │ └── remove-acm.sh │ ├── idp.yaml │ └── kustomization.yaml ├── 15-advanced-cluster-managment-observability │ ├── 00-namespace.yaml │ ├── 01-acm-observability-bucket.yaml │ ├── 02-install-observability.yaml │ ├── 03-multiclusterobservability.yaml │ ├── argo-app │ │ ├── argo-app.yaml │ │ └── kustomization.yaml 
│ └── kustomization.yaml ├── 16-acs │ ├── base │ │ ├── .gitignore │ │ ├── 01-console-link.yaml │ │ ├── 02-sealed-rhsso-client-secret.yaml │ │ ├── 03-job-sso-integration.yaml │ │ ├── README.md │ │ └── kustomization.yaml │ └── overlays │ │ ├── ca-central │ │ └── kustomization.yaml │ │ └── default │ │ └── kustomization.yaml ├── 17-net-obs │ ├── 00-loki.yaml │ ├── 01-install.yaml │ ├── 02-flowcollector.yaml │ └── kustomization.yaml ├── pipeline │ ├── README.md │ ├── containerfile │ ├── docs │ │ ├── pr-trigger.png │ │ └── push-trigger.png │ ├── pr-trigger.yaml │ └── push-trigger.yaml └── telco │ ├── README.md │ ├── kustomization.yaml │ ├── numa-scheduler │ ├── 00-install.yaml │ ├── 01-numaresourceoperator.yaml │ ├── 02-kubeletconfig.yaml │ ├── 03-numaresourcescheduler.yaml │ └── kustomization.yaml │ ├── pao-mcp.yaml │ ├── pao │ ├── 00-install.yaml │ ├── 01-pp-cr.yaml │ ├── config │ │ └── sctp │ │ │ ├── 50-worker-enable-sctp.yaml │ │ │ └── kustomization.yaml │ ├── kustomization.yaml │ └── pod.yaml │ ├── ptp │ ├── 00-install.yaml │ ├── 01-ptp-operator-config.yaml │ └── kustomization.yaml │ └── sriov │ ├── 00-install.yaml │ ├── 01-sriov-operator-config.yaml │ └── kustomization.yaml ├── bootstrap ├── bootstrap.sh ├── ca-central │ ├── app-of-apps.yaml │ └── kustomization.yaml └── default │ ├── app-of-apps.yaml │ └── kustomization.yaml ├── build-cluster-config.sh ├── clusters ├── ca-central │ ├── Chart.yaml │ └── values.yaml └── default │ ├── Chart.yaml │ └── values.yaml ├── config ├── alert-manager.yaml ├── etcd-backup.yaml ├── kustomization.yaml └── misc.txt └── helm ├── Chart.yaml ├── templates └── application.yaml └── values.yaml /.gitignore: -------------------------------------------------------------------------------- 1 | **/Chart.lock 2 | **/charts -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # GitOps cluster and application 
configuration 2 | 3 | This repository contains all the cluster and application configuration for my various lab environments. 4 | 5 | All the applications can be customized using overlays, following the kustomize practice. 6 | 7 | ## Table of Contents 8 | 9 | 10 | - [Create new cluster configuration](#create-new-cluster-configuration) 11 | - [Required customization](#required-customization) 12 | - [Deploy the cluster configuration](#deploy-the-cluster-configuration) 13 | - [Helm packaging for app-of-apps](#helm-packaging-for-app-of-apps) 14 | - [Helm chart repository](#helm-chart-repository) 15 | - [Helm chart release process](#helm-chart-release-process) 16 | 17 | 18 | ## Create new cluster configuration 19 | 20 | In order to provision a new cluster, a few things need to be adjusted in the various applications. The script `build-cluster-config.sh` automates this. 21 | 22 | It will create new overlay folders based on the `default` one, and adjust the following: 23 | - the FQDN in the various configurations to reflect the new cluster name and domain name. The FQDN is as follows: `$CLUSTER_NAME.$DOMAIN_NAME` 24 | - create the necessary bootstrap elements so you can kick-start the provisioning 25 | - regenerate all the SealedSecrets 26 | 27 | The script can be used as follows: 28 | ~~~ 29 | ./build-cluster-config.sh $CLUSTER_NAME $DOMAIN_NAME 30 | ~~~ 31 | 32 | Once the boilerplate is created, I recommend going over the required customization below. 33 | 34 | ## Required customization 35 | 36 | ### openshift-gitops 37 | The installation assumes OIDC will be used as the external SSO provider (in this case, RH-SSO). 
So the user of this application needs to: 38 | - create the RH-SSO client-secret 39 | Create a file named rhsso-client-secret.yaml with the following (note that `data` values must be base64-encoded; to paste the raw secret use `stringData` instead, as in the AWS example below). This plaintext file is git-ignored in `apps/01-openshift-gitops/base/` and must never be committed; only the sealed output belongs in the repository. 40 | ~~~ 41 | apiVersion: v1 42 | data: 43 | oidc.keycloak.clientSecret: YOUR_SECRET_HERE 44 | kind: Secret 45 | metadata: 46 | name: argocd-secret-oidc 47 | namespace: openshift-gitops 48 | type: Opaque 49 | ~~~ 50 | - seal the secret (kubeseal binds the sealed value to the `namespace` and `name` above, so do not change them afterwards), then add the generated file to the `resources` list of `apps/01-openshift-gitops/base/kustomization.yaml`, which currently only lists the `02-`, `04-` and `06-` files 51 | ~~~ 52 | kubeseal --cert ~/.bitnami/tls.crt --format yaml < rhsso-client-secret.yaml > apps/01-openshift-gitops/base/07-sealed-rhsso-client-secret.yaml 53 | ~~~ 54 | - create or update the kustomize overlay with the OIDC issuer URL at `/spec/oidcConfig`. 55 | See example [here](apps/01-openshift-gitops/overlays/default/kustomization.yaml#L17) (the overlay kustomizations currently only reference `../../base`, so the patch still has to be added there) 56 | Security note: `04-cluster-admin-gitops.yaml` binds the `cluster-admin` ClusterRole to both the `openshift-gitops-argocd-application-controller` and the `openshift-gitops-argocd-server` service accounts, and `02-cr-config.yaml` maps the `ArgoCDAdmins` and `system:cluster-admins` groups to Argo CD `role:admin`. Anyone in `ArgoCDAdmins` can therefore apply cluster-admin-level changes through Argo CD, so keep that group minimal, and consider dropping the `argocd-server` binding since only the controller applies manifests (confirm against the OpenShift GitOps operator documentation). Also, the repo server init container in `02-cr-config.yaml` pulls `quay.io/openshift-kni/ztp-site-generator:latest` with `imagePullPolicy: Always`, so the kustomize plugin that renders every application changes whenever that tag moves; pin it by digest. 57 | ### sealed-secret 58 | If you have a pre-defined cert and key for the sealed-secrets controller, then populate them [here](https://github.com/adetalhouet/ocp-gitops/blob/main/apps/02-sealed-secrets/bootstrap/02-sealed-secrets-secret-EXAMPLE.yaml) and they will get deployed as part of the bootstrap. The resulting `02-sealed-secrets-secret.yaml` holds the private key that unseals every SealedSecret in this repository; it is git-ignored and must stay out of git. 59 | Else, retrieve your sealed-secret cert and key. [Here](https://github.com/redhat-cop/gitops-catalog/tree/main/sealed-secrets-operator/scripts) are tips on how to do so. 60 | 61 | ### letsencrypt-certs (only for Route53) 62 | In order to update the cluster certificate, provide your AWS creds. 
63 | 64 | Create a file named aws-credentials.yaml with the following. Use a dedicated IAM access key limited to the Route 53 record changes needed to answer the Let's Encrypt DNS challenge on your hosted zone, and rotate it if it ever leaks; the plaintext file is git-ignored in `apps/03-letsencrypt-certs/` and only the sealed output belongs in the repository. 65 | ~~~ 66 | apiVersion: v1 67 | kind: Secret 68 | metadata: 69 | name: cloud-dns-credentials 70 | namespace: letsencrypt-job 71 | type: Opaque 72 | stringData: 73 | AWS_ACCESS_KEY_ID: "YOUR_ACCESS_ID" 74 | AWS_SECRET_ACCESS_KEY: "YOUR_ACCESS_KEY" 75 | AWS_DNS_SLOWRATE: "1" 76 | ~~~ 77 | Then seal the secret 78 | ~~~ 79 | kubeseal --cert ~/.bitnami/tls.crt --format yaml < aws-credentials.yaml > apps/03-letsencrypt-certs/05-sealed-aws-credentials.yaml 80 | ~~~ 81 | 82 | For additional details regarding this solution, see the [OpenShift Let's Encrypt Job](https://github.com/pittar/ocp-letsencrypt-job) project on GitHub. 83 | 84 | ### Red Hat Single Sign-On 85 | Create the realms, clients and users according to your desired setup. 86 | Look [here](https://github.com/adetalhouet/ocp-gitops/blob/main/apps/06-rhsso/overlays/default/config/README.md) for an example of how to then seal the information. 87 | 88 | ### OpenShift OAuth 89 | Create the RH-SSO client-secret and seal it. Save the manifest below as `rhsso-client-secret.yaml` in `apps/07-oauth/base/` (this is a different Secret from the openshift-gitops one above, so do not reuse that file) and keep the plaintext file out of git. 90 | 91 | ~~~ 92 | apiVersion: v1 93 | kind: Secret 94 | metadata: 95 | name: keycloack-openshit-client-secret 96 | namespace: openshift-config 97 | type: Opaque 98 | data: 99 | clientSecret: YOUR_SECRET_HERE 100 | ~~~ 101 | 102 | ~~~ 103 | kubeseal --cert ~/.bitnami/tls.crt --format yaml < rhsso-client-secret.yaml > apps/07-oauth/base/02-sealed-rhsso-client-secret.yaml 104 | ~~~ 105 | 106 | ## Deploy the cluster configuration 107 | 108 | To start the initial provisioning, the following script can be used. 109 | Note: this operation is to be done once only. 110 | 111 | The bootstrap will take care of the following: 112 | - install the `openshift-gitops` operator and adequate RBAC 113 | - sealed-secret namespace 114 | - (optional) sealed-secret secret, with your keypair, if configured 115 | - deploy the cluster-config-manager Argo CD application acting as app-of-apps. 
This is the Argo CD `Application` that points to the Helm chart. 116 | 117 | ~~~ 118 | ./bootstrap/bootstrap.sh $CLUSTER_NAME 119 | ~~~ 120 | 121 | ## Helm packaging for app-of-apps 122 | 123 | To achieve the app-of-apps pattern, a few solutions exist: 124 | - using `ApplicationSet` (but the [lack of SyncWaves support](https://github.com/argoproj-labs/applicationset/issues/221) makes it difficult to adopt) 125 | - using an `Application` for each app/overlay. This makes things very verbose due to the repetition of the `Application` + `kustomization.yaml` requirement. See the number of files removed [in this commit](https://github.com/adetalhouet/ocp-gitops/commit/d9ae7ab6fb5ed0dc2e098563ee6a1c5a154ae6d1) when I moved to helm-based app-of-apps. 126 | - using a Helm Chart with `Application` defined as a template. In my opinion, this makes the deployment elegant and removes all the boilerplate of managing an `Application` per app/overlay. 127 | 128 | After experiencing all the above, I ended up building a Helm Chart to define the Argo CD `Application`s. It can be found in the [helm](helm) folder. 129 | 130 | ### How it works 131 | 132 | If you are familiar with Helm, it should be very easy, because my chart is very simple. 133 | 134 | I have only one [template](helm/templates) to generate Argo CD `Application` manifests. 135 | 136 | The template goes over the applications defined in the [values.yaml](helm/values.yaml) file, and creates an `Application` for each. 137 | 138 | All my apps are prefixed with a number, so when helm is rendering the templates, it keeps that ordering, which I can then use as the index to define the application `sync-wave` value. 139 | 140 | Finally, some of my applications don't have any overlay, so I added the option to specify whether or not to look for overlays. 141 | 142 | ## Helm chart repository 143 | 144 | In order to use that chart from Argo CD, it must be available through a helm repository. Hence I made this GitHub repository a helm repository, using GitHub Pages. 
145 | It is serving the released charts defined in the [index.yaml](index.yaml) file. 146 | 147 | In order to consume the helm chart, simply add the following dependency in yours: 148 | 149 | ~~~ 150 | dependencies: 151 | - name: ocp-gitops 152 | version: 1.0.0 153 | repository: https://adetalhouet.github.io/ocp-gitops/ 154 | ~~~ 155 | 156 | And as you typically do, customize the helm chart with the `values.yaml` file. It will let you pick and choose the applications to deploy. 157 | 158 | ## Helm chart release process 159 | 160 | To release the helm chart, I'm using [chart-releaser](https://github.com/helm/chart-releaser/tree/main). 161 | 162 | 1. make your GitHub repo a helm chart repo, [follow this guide](https://medium.com/@mattiaperi/create-a-public-helm-chart-repository-with-github-pages-49b180dbb417) 163 | 2. create the package: package the chart and put it in the [.helm-chart-released](.helm-chart-released) folder (the command below archives the `helm` directory as-is; `helm package helm -d .helm-chart-released` produces an archive whose top-level directory is the chart name, which is what Helm and chart-releaser expect) 164 | ~~~ 165 | tar -cvzf ocp-gitops-1.0.0.tgz helm 166 | ~~~ 167 | 3. upload the package: this will create a new branch and a new release with the latest chart. `$AUTH_TOKEN` is a GitHub token with write access to this repository; keep it in your environment (never in the repo) and scope it to the minimum needed. 168 | ~~~ 169 | cr upload -r ocp-gitops -o adetalhouet --package-path .helm-chart-released -t $AUTH_TOKEN 170 | ~~~ 171 | 4. create/update index: this will regenerate the [index.yaml](index.yaml) file that serves as the chart catalog of our helm repo. 172 | ~~~ 173 | cr index -c https://github.com/adetalhouet/ocp-gitops/tree/ocp-gitops-1.0.0/.helm-chart-released -r ocp-gitops -o adetalhouet --package-path .helm-chart-released -i . 
174 | ~~~ 175 | -------------------------------------------------------------------------------- /apps/00-machine-config/00-create-lvs-for-lso.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: machineconfiguration.openshift.io/v1 2 | kind: MachineConfig 3 | metadata: 4 | name: 50-master-create-lvs-for-lso 5 | labels: 6 | machineconfiguration.openshift.io/role: master 7 | spec: 8 | config: 9 | ignition: 10 | version: 3.2.0 11 | storage: 12 | files: 13 | - contents: 14 | source: >- 15 | data:text/plain;charset=utf-8;base64,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 16 | mode: 493 17 | overwrite: true 18 | path: /usr/local/bin/create-lvs-for-lso.sh 19 | systemd: 20 | units: 21 | - contents: | 22 | [Unit] 23 | Description=Create LVS partitions for LSO 24 | Wants=network-online.target 25 | After=network-online.target ignition-firstboot-complete.service 26 | [Service] 27 | Type=oneshot 28 | RemainAfterExit=yes 29 | EnvironmentFile= 30 | ExecStart=/bin/bash -c "/usr/local/bin/create-lvs-for-lso.sh vdb 6 20" 31 | [Install] 32 | WantedBy=multi-user.target 33 | enabled: true 34 | name: create-lvs-for-lso.service -------------------------------------------------------------------------------- /apps/00-machine-config/50-master-enable-sctp.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # SNO requires to match master role 3 | apiVersion: machineconfiguration.openshift.io/v1 4 | kind: MachineConfig 5 | metadata: 6 | labels: 7 | machineconfiguration.openshift.io/role: master 8 | name: 50-master-enable-sctp 9 | spec: 10 | config: 11 | ignition: 12 | version: 3.2.0 13 | storage: 14 | files: 15 | - contents: 16 | source: data:, 17 | mode: 420 18 | overwrite: true 19 | path: /etc/modprobe.d/sctp-blacklist.conf 20 | - contents: 21 | source: data:text/plain;charset=utf-8,sctp 22 | mode: 420 23 | overwrite: true 24 | path: /etc/modules-load.d/sctp-load.conf 25 | 
-------------------------------------------------------------------------------- /apps/00-machine-config/50-worker-enable-sctp.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # SNO requires to match master role 3 | apiVersion: machineconfiguration.openshift.io/v1 4 | kind: MachineConfig 5 | metadata: 6 | labels: 7 | machineconfiguration.openshift.io/role: worker 8 | name: 50-worker-enable-sctp 9 | spec: 10 | config: 11 | ignition: 12 | version: 3.2.0 13 | storage: 14 | files: 15 | - contents: 16 | source: data:, 17 | mode: 420 18 | overwrite: true 19 | path: /etc/modprobe.d/sctp-blacklist.conf 20 | - contents: 21 | source: data:text/plain;charset=utf-8,sctp 22 | mode: 420 23 | overwrite: true 24 | path: /etc/modules-load.d/sctp-load.conf 25 | -------------------------------------------------------------------------------- /apps/00-machine-config/create-local-user.yaml: -------------------------------------------------------------------------------- 1 | # 2 | # 3 | # IF YOU DO THIS - ALL SUPPORT WILL BE INVALIDATED. 
MAKE SURE TO TALK WITH YOUR ACCOUNT TEAM FIRST 4 | # 5 | # SECURITY: the base64 payload below decodes to a script that runs `useradd admin -U -G sudo` and then sets a fixed password with `passwd --stdin`. That password is stored in this repository in clear (base64 is encoding, not encryption), is identical on every worker node, and the unit is enabled so the script re-runs on each boot. Do not deploy it as-is: provision the account through Ignition `passwd.users[].sshAuthorizedKeys` (or at most a `passwordHash`, never the plaintext) instead. Also note RHCOS grants sudo through the `wheel` group, so a `sudo` group may not exist there -- confirm before relying on `-G sudo`. 6 | apiVersion: machineconfiguration.openshift.io/v1 7 | kind: MachineConfig 8 | metadata: 9 | name: 99-create-local-user 10 | labels: 11 | machineconfiguration.openshift.io/role: worker 12 | spec: 13 | config: 14 | ignition: 15 | version: 3.2.0 16 | storage: 17 | files: 18 | - contents: 19 | source: >- 20 | data:text/plain;charset=utf-8;base64,IyEvYmluL2Jhc2gKCnVzZXJhZGQgYWRtaW4gLVUgLUcgc3VkbwplY2hvICdsaW51eDkhIScgfCBwYXNzd2QgYWRtaW4gLS1zdGRpbgo= 21 | mode: 493 22 | overwrite: true 23 | path: /usr/local/bin/create-local-user.sh 24 | systemd: 25 | units: 26 | - contents: | 27 | [Unit] 28 | Description=Create local users 29 | Wants=network-online.target 30 | After=network-online.target ignition-firstboot-complete.service 31 | [Service] 32 | Type=oneshot 33 | RemainAfterExit=yes 34 | EnvironmentFile= 35 | ExecStart=/bin/bash -c "/usr/local/bin/create-local-user.sh" 36 | [Install] 37 | WantedBy=multi-user.target 38 | enabled: true 39 | name: create-local-user.service 40 | -------------------------------------------------------------------------------- /apps/00-machine-config/mcp/README.md: -------------------------------------------------------------------------------- 1 | https://developers.redhat.com/articles/2021/12/20/prevent-auto-reboot-during-argo-cd-sync-machine-configs# 2 | The PreSync/PostSync Jobs in this folder pause and resume the `worker` MachineConfigPool around an Argo CD sync. They run `registry.redhat.io/openshift4/ose-cli:v4.4` under a ClusterRole allowed to `patch` every MachineConfigPool; keep that image tag aligned with the cluster version (or pin it by digest) rather than a stale 4.4 client. If the resume hook does not run (a PostSync hook only fires after a successful sync), unpause the pool manually with: 3 | ~~~ 4 | oc patch --type=merge --patch='{"spec":{"paused":false}}' machineconfigpool/worker 5 | ~~~ -------------------------------------------------------------------------------- /apps/00-machine-config/mcp/mcp-worker-job-sa.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ServiceAccount 3 | metadata: 4 | annotations: {} 5 | name: sync-job-sa 6 | namespace: openshift-gitops 7 | --- 8 | apiVersion: rbac.authorization.k8s.io/v1 9 | kind: ClusterRole 10 | metadata: 11 | name: sync-job-sa-role 12 | rules: 13 | - apiGroups: 14 | - apiextensions.k8s.io 15 | - 
machineconfiguration.openshift.io 16 | resources: 17 | - machineconfigpools 18 | verbs: 19 | - get 20 | - list 21 | - patch 22 | --- 23 | apiVersion: rbac.authorization.k8s.io/v1 24 | kind: ClusterRoleBinding 25 | metadata: 26 | name: sync-job-sa-rolebinding 27 | roleRef: 28 | apiGroup: rbac.authorization.k8s.io 29 | kind: ClusterRole 30 | name: sync-job-sa-role 31 | subjects: 32 | - kind: ServiceAccount 33 | name: sync-job-sa 34 | namespace: openshift-gitops -------------------------------------------------------------------------------- /apps/00-machine-config/mcp/mcp-worker-pause-job.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: batch/v1 2 | kind: Job 3 | metadata: 4 | annotations: 5 | argocd.argoproj.io/hook: PreSync 6 | argocd.argoproj.io/hook-delete-policy: HookSucceeded 7 | name: mcp-worker-pause-job 8 | namespace: openshift-gitops 9 | spec: 10 | template: 11 | spec: 12 | containers: 13 | - image: registry.redhat.io/openshift4/ose-cli:v4.4 14 | command: 15 | - /bin/bash 16 | - -c 17 | - | 18 | echo -n "Waiting for the MCP $MCP to converge." 
19 | echo $(oc patch --type=merge --patch='{"spec":{"paused":true}}' machineconfigpool/$MCP) 20 | sleep $SLEEP 21 | echo "DONE" 22 | imagePullPolicy: IfNotPresent 23 | name: mcp-worker-pause-job 24 | env: 25 | - name: SLEEP 26 | value: "10" 27 | - name: MCP 28 | value: worker 29 | restartPolicy: Never 30 | serviceAccount: sync-job-sa 31 | -------------------------------------------------------------------------------- /apps/00-machine-config/mcp/mcp-worker-resume-job.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: batch/v1 2 | kind: Job 3 | metadata: 4 | annotations: 5 | argocd.argoproj.io/hook: PostSync 6 | argocd.argoproj.io/hook-delete-policy: HookSucceeded 7 | name: mcp-worker-resume-job 8 | namespace: openshift-gitops 9 | spec: 10 | template: 11 | spec: 12 | containers: 13 | - image: registry.redhat.io/openshift4/ose-cli:v4.4 14 | command: 15 | - /bin/bash 16 | - -c 17 | - | 18 | echo -n "Waiting for the MCP $MCP to converge." 19 | sleep $SLEEP 20 | echo $(oc patch --type=merge --patch='{"spec":{"paused":false}}' machineconfigpool/$MCP) 21 | echo "DONE" 22 | imagePullPolicy: Always 23 | name: mcp-worker-resume-job 24 | env: 25 | - name: SLEEP 26 | value: "5" 27 | - name: MCP 28 | value: worker 29 | dnsPolicy: ClusterFirst 30 | restartPolicy: OnFailure 31 | serviceAccount: sync-job-sa 32 | serviceAccountName: sync-job-sa 33 | terminationGracePeriodSeconds: 30 -------------------------------------------------------------------------------- /apps/01-openshift-gitops/base/.gitignore: -------------------------------------------------------------------------------- 1 | rhsso-client-secret.yaml 2 | -------------------------------------------------------------------------------- /apps/01-openshift-gitops/base/02-cr-config.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: argoproj.io/v1alpha1 3 | kind: ArgoCD 4 | metadata: 5 | name: openshift-gitops 6 | 
namespace: openshift-gitops 7 | spec: 8 | repo: 9 | volumes: 10 | - name: kustomize 11 | emptyDir: {} 12 | env: 13 | - name: ARGOCD_EXEC_TIMEOUT 14 | value: 360s 15 | - name: KUSTOMIZE_PLUGIN_HOME 16 | value: /.config/kustomize/plugin 17 | initContainers: 18 | - resources: {} 19 | terminationMessagePath: /dev/termination-log 20 | name: kustomize-plugin 21 | command: 22 | - /exportkustomize.sh 23 | imagePullPolicy: Always 24 | volumeMounts: 25 | - mountPath: /.config 26 | name: kustomize 27 | terminationMessagePolicy: File 28 | image: 'quay.io/openshift-kni/ztp-site-generator:latest' 29 | args: 30 | - /.config 31 | resources: 32 | limits: 33 | cpu: '8' 34 | memory: 16Gi 35 | requests: 36 | cpu: '1' 37 | memory: 2Gi 38 | resourceExclusions: | 39 | - apiGroups: 40 | - tekton.dev 41 | clusters: 42 | - '*' 43 | kinds: 44 | - TaskRun 45 | - PipelineRun 46 | initialSSHKnownHosts: 47 | keys: | 48 | adetalhouet-t640-1 ssh-rsa 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 49 | applicationSet: 50 | resources: 51 | limits: 52 | cpu: "4" 53 | memory: 2Gi 54 | requests: 55 | cpu: 250m 56 | memory: 512Mi 57 | controller: 58 | env: 59 | - name: ARGOCD_K8S_CLIENT_BURST 60 | value: '500' 61 | - name: ARGOCD_K8S_CLIENT_QPS 62 | value: '500' 63 | resources: 64 | limits: 65 | cpu: "4" 66 | memory: 4Gi 67 | requests: 68 | cpu: 250m 69 | memory: 1Gi 70 | rbac: 71 | policy: | 72 | g, system:cluster-admins, role:admin 73 | g, ArgoCDAdmins, role:admin 74 | scopes: '[groups]' 75 | dex: 76 | openShiftOAuth: true 77 | server: 78 | route: 79 | enabled: true 80 | resourceCustomizations: | 81 | argoproj.io/Application: 82 | health.lua: | 83 | hs = {} 84 | hs.status = "Progressing" 85 | hs.message = "" 86 | if obj.status ~= nil then 87 | if obj.status.health ~= nil then 88 | hs.status = obj.status.health.status 89 | if obj.status.health.message ~= nil then 90 | hs.message = obj.status.health.message 91 | end 92 | end 93 | end 94 | return hs 95 | platform.stackrox.io/Central: 96 | 
health.lua: | 97 | hs = {} 98 | if obj.status ~= nil and obj.status.conditions ~= nil then 99 | for i, condition in ipairs(obj.status.conditions) do 100 | if condition.status == "True" and (condition.reason == "InstallSuccessful" or condition.reason == "UpgradeSuccessful") then 101 | hs.status = "Healthy" 102 | hs.message = "Install Successful" 103 | return hs 104 | end 105 | end 106 | end 107 | hs.status = "Progressing" 108 | hs.message = "Waiting for Central to deploy." 109 | return hs 110 | route.openshift.io/Route: 111 | ignoreDifferences: | 112 | jsonPointers: 113 | - /status/ingress 114 | health.lua: 115 | health_status = {} 116 | if obj.status ~= nil then 117 | if obj.status.ingress ~= nil then 118 | numIngressRules = 0 119 | for _, ingressRules in pairs(obj.status.ingress) do 120 | numIngressRules = numIngressRules + 1 121 | numTrue = 0 122 | numFalse = 0 123 | if obj.status.ingress ~= nil then 124 | for _, condition in pairs(ingressRules.conditions) do 125 | if condition.type == "Admitted" and condition.status == "True" then 126 | numTrue = numTrue + 1 127 | elseif condition.type == "Admitted" and condition.status == "False" then 128 | numFalse = numFalse + 1 129 | end 130 | end 131 | end 132 | health_status.status = 'Test' 133 | end 134 | if numTrue == numIngressRules then 135 | health_status.status = "Healthy" 136 | health_status.message = "Route is healthy" 137 | return health_status 138 | elseif numFalse > 0 then 139 | health_status.status = "Degraded" 140 | health_status.message = "Route is degraded" 141 | return health_status 142 | else 143 | health_status.status = "Progressing" 144 | health_status.message = "Route is still getting admitted" 145 | return health_status 146 | end 147 | end 148 | end 149 | health_status.status = "Progressing" 150 | health_status.message = "Route is still getting admitted" 151 | return health_status 152 | integreatly.org/GrafanaDataSource: 153 | ignoreDifferences: | 154 | jsonPointers: 155 | - 
/spec/datasources/0/secureJsonData/httpHeaderValue1 156 | PersistentVolumeClaim: 157 | health.lua: | 158 | hs = {} 159 | if obj.status ~= nil then 160 | if obj.status.phase ~= nil then 161 | if obj.status.phase == "Pending" then 162 | hs.status = "Healthy" 163 | hs.message = obj.status.phase 164 | return hs 165 | end 166 | if obj.status.phase == "Bound" then 167 | hs.status = "Healthy" 168 | hs.message = obj.status.phase 169 | return hs 170 | end 171 | end 172 | end 173 | hs.status = "Progressing" 174 | hs.message = "Waiting for certificate" 175 | return hs 176 | Job: 177 | health.lua: | 178 | hs = {} 179 | if obj.status ~= nil then 180 | if obj.status.active ~= nil then 181 | if obj.status.active == "1" then 182 | hs.status = "Progressing" 183 | hs.message = obj.status.active .. " active job(s)." 184 | return hs 185 | end 186 | end 187 | if obj.status.succeeded ~= nil then 188 | if obj.status.succeeded == 1 then 189 | hs.status = "Healthy" 190 | hs.message = "Job completed successfully." 191 | return hs 192 | end 193 | end 194 | end 195 | hs.status = "Progressing" 196 | hs.message = "Waiting for Job to complete." 
197 | return hs 198 | bitnami.com/SealedSecret: 199 | health.lua: | 200 | health_status={} 201 | if obj.status ~= nil then 202 | if obj.status.conditions ~= nil then 203 | for i, condition in ipairs(obj.status.conditions) do 204 | if condition.type == "Synced" and condition.status == "False" then 205 | health_status.status = "Degraded" 206 | health_status.message = condition.message 207 | return health_status 208 | end 209 | if condition.type == "Synced" and condition.status == "True" then 210 | health_status.status = "Healthy" 211 | health_status.message = condition.message 212 | return health_status 213 | end 214 | end 215 | end 216 | end 217 | health_status.status = "Progressing" 218 | health_status.message = "Waiting for Sealed Secret to be decrypted" 219 | return health_status 220 | cluster.open-cluster-management.io/ClusterCurator: 221 | ignoreDifferences: | 222 | jsonPointers: 223 | - / 224 | nmstate.io/NodeNetworkConfigurationPolicy: 225 | health.lua: | 226 | hs = {} 227 | if obj.status ~= nil then 228 | if obj.status.conditions ~= nil then 229 | for i, condition in ipairs(obj.status.conditions) do 230 | if condition.type == "Degraded" and condition.status == "False" then 231 | hs.status = "Degraded" 232 | hs.message = condition.message 233 | return hs 234 | end 235 | if condition.type == "Available" and condition.status == "False" then 236 | hs.status = "Degraded" 237 | hs.message = condition.message 238 | return hs 239 | end 240 | if condition.type == "Available" and condition.status == "True" and condition.reason == "SuccessfullyConfigured" then 241 | hs.status = "Healthy" 242 | hs.message = condition.message 243 | return hs 244 | end 245 | end 246 | end 247 | end 248 | hs.status = "Progressing" 249 | hs.message = "Waiting for NodeNetworkConfigurationPolicy" 250 | return hs 251 | -------------------------------------------------------------------------------- /apps/01-openshift-gitops/base/04-cluster-admin-gitops.yaml: 
-------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRoleBinding 4 | metadata: 5 | name: openshift-gitops-cluster-admin-rolebinding 6 | roleRef: 7 | apiGroup: rbac.authorization.k8s.io 8 | kind: ClusterRole 9 | name: cluster-admin 10 | subjects: 11 | - kind: ServiceAccount 12 | name: openshift-gitops-argocd-application-controller 13 | namespace: openshift-gitops 14 | - kind: ServiceAccount 15 | name: openshift-gitops-argocd-server 16 | namespace: openshift-gitops -------------------------------------------------------------------------------- /apps/01-openshift-gitops/base/06-argocdadmins-group-base.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: user.openshift.io/v1 3 | kind: Group 4 | metadata: 5 | name: ArgoCDAdmins 6 | users: 7 | - adetalhouet 8 | -------------------------------------------------------------------------------- /apps/01-openshift-gitops/base/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | 5 | resources: 6 | - 02-cr-config.yaml 7 | - 04-cluster-admin-gitops.yaml 8 | - 06-argocdadmins-group-base.yaml -------------------------------------------------------------------------------- /apps/01-openshift-gitops/bootstrap/01-install.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: openshift-gitops-operator 6 | --- 7 | apiVersion: operators.coreos.com/v1 8 | kind: OperatorGroup 9 | metadata: 10 | name: openshift-gitops-group 11 | namespace: openshift-gitops-operator 12 | spec: 13 | targetNamespaces: [] 14 | --- 15 | apiVersion: operators.coreos.com/v1alpha1 16 | kind: Subscription 17 | metadata: 18 | name: openshift-gitops-operator 19 | namespace: 
openshift-gitops-operator 20 | spec: 21 | channel: "stable" 22 | installPlanApproval: Automatic 23 | name: openshift-gitops-operator 24 | source: redhat-operators 25 | sourceNamespace: openshift-marketplace -------------------------------------------------------------------------------- /apps/01-openshift-gitops/bootstrap/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | 5 | resources: 6 | - 01-install.yaml -------------------------------------------------------------------------------- /apps/01-openshift-gitops/overlays/ca-central/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | 5 | bases: 6 | - ../../base -------------------------------------------------------------------------------- /apps/01-openshift-gitops/overlays/default/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | 5 | bases: 6 | - ../../base -------------------------------------------------------------------------------- /apps/02-sealed-secrets/bootstrap/.gitignore: -------------------------------------------------------------------------------- 1 | 02-sealed-secrets-secret.yaml -------------------------------------------------------------------------------- /apps/02-sealed-secrets/bootstrap/01-sealed-secret-namespace.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: sealed-secrets 5 | annotations: 6 | openshift.io/description: Encrypt/Descrypt secrets to support gitops processes 7 | openshift.io/display-name: Sealed Secrets -------------------------------------------------------------------------------- 
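# ==== /apps/02-sealed-secrets/bootstrap/02-sealed-secrets-secret-EXAMPLE.yaml ====
# Template for the sealed-secrets controller keypair. Copy it to
# 02-sealed-secrets-secret.yaml (git-ignored), fill in the base64 PEM values and
# apply it at bootstrap so the controller picks up a pre-existing key instead of
# generating its own. tls.key decrypts every SealedSecret sealed with tls.crt:
# keep it in a vault, never in git.
apiVersion: v1
kind: Secret
metadata:
  name: sealed-secrets-key
  namespace: sealed-secrets
  labels:
    # The controller selects the keys it loads by this label.
    sealedsecrets.bitnami.com/sealed-secrets-key: active
type: kubernetes.io/tls
data:
  tls.crt: YOUR_CERT
  tls.key: YOUR_KEY

# ==== /apps/02-sealed-secrets/bootstrap/kustomization.yaml ====
kind: Kustomization
apiVersion: kustomize.config.k8s.io/v1beta1

resources:
  - 01-sealed-secret-namespace.yaml
  # Git-ignored (see .gitignore): `kustomize build` only succeeds where the
  # real key file is present locally, which is the point for a one-off bootstrap.
  - 02-sealed-secrets-secret.yaml

# ==== /apps/02-sealed-secrets/kustomization.yaml ====
kind: Kustomization
apiVersion: kustomize.config.k8s.io/v1beta1

# Remote base. Use the configuration from the Red Hat Canada GitOps repo (unofficial).
# NOTE(review): the URL carries no `?ref=`, so every build follows the default
# branch head of a third-party repo. Pin a tag or commit (`...?ref=<tag-or-sha>`)
# so the controller Deployment cannot change underneath you.
# `bases` is deprecated; remote directories are listed under `resources`.
resources:
  - https://github.com/redhat-cop/gitops-catalog/sealed-secrets-operator/operator/overlays/default

# `patchesJson6902` is deprecated; `patches` takes the same target/path pair and
# detects the JSON 6902 format from the file (this repo already uses `patches`
# in 05-openshift-container-storage/kustomization.yaml).
patches:
  - target:
      group: apps
      version: v1
      kind: Deployment
      name: sealed-secrets-controller
      namespace: sealed-secrets
    path: update-status.yaml

# ==== /apps/02-sealed-secrets/update-status.yaml ====
# JSON 6902 patch: have the controller write an unseal status onto each
# SealedSecret (presumably so failed unseals are visible in Argo CD rather than
# just leaving the target Secret absent).
- op: add
  path: /spec/template/spec/containers/0/env
  value:
    - name: SEALED_SECRETS_UPDATE_STATUS
      value: '1'

# ==== /apps/03-letsencrypt-certs/.gitignore ====
# Plaintext AWS / ZeroSSL credentials (see README.md). Only the kubeseal output,
# 05-sealed-aws-credentials.yaml, belongs in git.
aws-credentials.yaml

# ==== /apps/03-letsencrypt-certs/01-namespace.yaml ====
apiVersion: v1
kind: Namespace
metadata:
  name: letsencrypt-job

# ==== /apps/03-letsencrypt-certs/02-job-serviceaccount.yaml ====
apiVersion: v1
kind: ServiceAccount
metadata:
  name: letsencrypt-job-sa
  # kustomization.yaml injects `namespace: letsencrypt-job` during a build; it is
  # set explicitly so the manifest is also correct when applied on its own.
  namespace: letsencrypt-job

# ==== /apps/03-letsencrypt-certs/03-rbac.yaml ====
# Scoped roles for the ACME job: patch the IngressController with the new
# default certificate and create the TLS Secret it points at.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: letsencrypt-ingresscontroller-clusterrole
rules:
  - apiGroups: ["operator.openshift.io"]
    resources: ["ingresscontrollers"]
    verbs: ["get", "list", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: letsencrypt-certs-clusterrole
rules:
  # NOTE(review): bound cluster-wide, get/list on secrets lets the job read every
  # Secret in the cluster. If the script only writes into openshift-ingress /
  # openshift-config, bind this role with RoleBindings in those namespaces instead.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: letsencrypt-ingresscontroller-patcher
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: letsencrypt-ingresscontroller-clusterrole
subjects:
  - kind: ServiceAccount
    name: letsencrypt-job-sa
    # Required for ServiceAccount subjects: kustomize fills it in during a build,
    # but a bare `oc apply -f 03-rbac.yaml` is rejected without it.
    namespace: letsencrypt-job
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: letsencrypt-certs-manager
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: letsencrypt-certs-clusterrole
subjects:
  - kind: ServiceAccount
    name: letsencrypt-job-sa
    namespace: letsencrypt-job
---
# NOTE(review): this binding makes the job SA cluster-admin, which renders the
# two scoped roles above irrelevant. The script (/scripts/aws.sh inside the
# image, not in this repo) presumably needs more than they grant when
# PATCH_API_SERVER=true; enumerate those API calls, add them to the scoped roles
# and delete this binding.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: letsencrypt-cluster-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: letsencrypt-job-sa
    namespace: letsencrypt-job

# ==== /apps/03-letsencrypt-certs/04-job.yaml ====
# Runs the ACME (DNS-01 via AWS) certificate script once under letsencrypt-job-sa.
apiVersion: batch/v1
kind: Job
metadata:
  name: letsencrypt-certificates-job
  namespace: letsencrypt-job
spec:
  template:
    spec:
      containers:
        # NOTE(review): a mutable `:latest` tag from a personal quay.io account,
        # re-pulled on every run (imagePullPolicy: Always) and executed with the
        # job SA's cluster-wide RBAC. Pin it to a digest (`@sha256:...`) once the
        # intended build is known.
        - image: quay.io/adetalho/oc-acme:latest
          env:
            # 'false' presumably selects the production ACME endpoint rather than staging.
            - name: STAGING
              value: 'false'
            - name: PATCH_API_SERVER
              value: 'true'
          envFrom:
            # AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY / AWS_DNS_SLOWRATE / EAB_*
            # from the SealedSecret in 05-sealed-aws-credentials.yaml.
            - secretRef:
                name: cloud-dns-credentials
          command:
            - /bin/bash
            - -c
            - |
              #!/usr/bin/env bash
              # Fail the Job when the ACME script fails. Without -e the exit
              # status was that of the trailing echo, so a broken renewal still
              # reported Succeeded to Argo CD.
              set -euo pipefail

              /scripts/aws.sh

              echo "Done!"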
28 | 29 | imagePullPolicy: Always 30 | name: letsencrypt-certificates-job 31 | dnsPolicy: ClusterFirst 32 | restartPolicy: Never 33 | serviceAccount: letsencrypt-job-sa 34 | serviceAccountName: letsencrypt-job-sa 35 | terminationGracePeriodSeconds: 30 36 | -------------------------------------------------------------------------------- /apps/03-letsencrypt-certs/05-sealed-aws-credentials.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: bitnami.com/v1alpha1 2 | kind: SealedSecret 3 | metadata: 4 | creationTimestamp: null 5 | name: cloud-dns-credentials 6 | namespace: letsencrypt-job 7 | spec: 8 | encryptedData: 9 | AWS_ACCESS_KEY_ID: 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 10 | AWS_DNS_SLOWRATE: 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 11 | AWS_SECRET_ACCESS_KEY: AgApNFl0kRSQ+3gwyZ9xOR+hGgLx3QI5GsPXkcYgaOhNnZ0aPw8tjFpa4zO6Mx7MFmOs2tfyyy1YEf/ydZ6YE9jw17dVrp9q+17XzgX89gxufiy5zlafJ1WEhR93jrwKFb4Km0PBWhgVfEg4FY1mTBYtg7sKDYnOaUwreBmov3auDzrsgMW3S1qHiNkOy2ie/0Ck732PchIIUOIqbmCFWJ4mrAsI5TGZIhJXrxpDXExKV3krWx1dWmmXu+wLLQhnSaw3PTbMg7Adg9bNlnImH1HGEmYZJGTO53O4L+EXmh/5Zpbpy4SPOawGQqGPt4onKPEaRApkG8dbqJ6yNItaOoxHVjeQQDbY3R5qj9vshfmJt1XjeYPCneoMvYRlq4bq1WdxCU3WiQNu58dEzJ3U8aSFBmf46kfGXsTPLZdzesFbvLcSc+JjywMzFHWPy0qBIDz4cnvhDIPgB3xnTXxhzYBBgrNFA20ROuDwEd4jzJgCsV6mZsup4ML0Gy+goKKjXtJTCZcofNhKUusPsFzOkWYZclBelwdJ22XP5ZvM/wSJfn/Zxk3iEXRsveqiNQd0i12jVXSfIVC/yPcDhXIagy+lvvw8T9iibBiaKWVDcTz7jejJ9vsl+0tqJJSWx8DQ2uH7fYqMunQLVIfowfCWaigc6ufIfgkcYMHgG49ufUViClI+AV3BcwaNxli3s/YY/CIW9OWJzOrjMIxef6Yqx1KaH8z2arRvDXAJhvmJzCoWCuqZ7rz/CIh4 12 | EAB_HMAC_Key: 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 13 | EAB_KID: 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 14 | template: 15 | data: null 16 | metadata: 17 | creationTimestamp: null 18 | name: cloud-dns-credentials 19 | namespace: letsencrypt-job 20 | type: Opaque 21 | 22 | 
-------------------------------------------------------------------------------- /apps/03-letsencrypt-certs/README.md: --------------------------------------------------------------------------------
__Create the AWS DNS / ZeroSSL credentials secret__

Create a file named `aws-credentials.yaml` (git-ignored, see `.gitignore`) with the following:

~~~
apiVersion: v1
kind: Secret
metadata:
  name: cloud-dns-credentials
  namespace: letsencrypt-job
type: Opaque
stringData:
  AWS_ACCESS_KEY_ID: "YOUR_ACCESS_ID"
  AWS_SECRET_ACCESS_KEY: "YOUR_ACCESS_KEY"
  AWS_DNS_SLOWRATE: "1"
  EAB_KID: YOUR_ZERO_SSL_ID
  EAB_HMAC_Key: YOUR_ZERO_SSL_KEY
~~~

Then seal the secret with the controller's public certificate. Only the sealed output is committed; delete the plaintext file afterwards:

`kubeseal --cert ~/.bitnami/tls.crt --format yaml < aws-credentials.yaml > 05-sealed-aws-credentials.yaml`
-------------------------------------------------------------------------------- /apps/03-letsencrypt-certs/kustomization.yaml: -------------------------------------------------------------------------------- 1 | kind: Kustomization 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | 4 | # Namespace for the Let's Encrypt job. 5 | namespace: letsencrypt-job 6 | 7 | # Job resources.
# ...continues /apps/03-letsencrypt-certs/kustomization.yaml (resource list)
resources:
  - 01-namespace.yaml
  - 02-job-serviceaccount.yaml
  - 03-rbac.yaml
  - 04-job.yaml
  - 05-sealed-aws-credentials.yaml

# ==== /apps/04-local-storage-operator/01-install.yaml ====
# Local Storage Operator: namespace, OperatorGroup and Subscription.
---
apiVersion: v1
kind: Namespace
metadata:
  name: openshift-local-storage
  labels:
    openshift.io/cluster-monitoring: "true"
  annotations:
    # Empty selector: pods in this namespace are not restricted to a node set,
    # so the operator can run on any node.
    openshift.io/node-selector: ""
---
apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: local-operator-group
  namespace: openshift-local-storage
spec:
  targetNamespaces: [openshift-local-storage]
---
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: local-storage-operator
  namespace: openshift-local-storage
spec:
  name: local-storage-operator
  channel: "stable"
  installPlanApproval: Automatic
  source: redhat-operators
  sourceNamespace: openshift-marketplace

# ==== /apps/04-local-storage-operator/02-localvolumediscovery.yaml ====
# Device discovery on every worker node.
---
apiVersion: local.storage.openshift.io/v1alpha1
kind: LocalVolumeDiscovery
metadata:
  name: auto-discover-devices
  namespace: openshift-local-storage
  annotations:
    # The CRD only exists once the Subscription above has installed the
    # operator; let Argo CD apply this without a dry run against the missing kind.
    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
spec:
  nodeSelector:
    nodeSelectorTerms:
      - matchExpressions:
          - {key: node-role.kubernetes.io/worker, operator: Exists}

# ---- /apps/04-local-storage-operator/03-localvolumeset-block.yaml ----
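# LocalVolumeSet (block): creates a raw block PV for every matching device
# (disk or partition of at least 1Gi that LSO finds unused) on every worker.
# Not enabled in kustomization.yaml - 05-localvolume.yaml names devices
# explicitly instead - and should stay that way unless every spare device on
# the workers is really meant for this class.
apiVersion: local.storage.openshift.io/v1alpha1
kind: LocalVolumeSet
metadata:
  name: localvolume-block
  namespace: openshift-local-storage
  annotations:
    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
spec:
  storageClassName: lso-blockclass
  volumeMode: Block
  deviceInclusionSpec:
    deviceTypes:
      - disk
      - part
    minSize: 1Gi
  nodeSelector:
    nodeSelectorTerms:
      - matchExpressions:
          - key: node-role.kubernetes.io/worker
            operator: Exists

# ==== /apps/04-local-storage-operator/04-localvolumeset-fs.yaml ====
# Filesystem twin of the block set above; equally disabled in kustomization.yaml.
apiVersion: local.storage.openshift.io/v1alpha1
kind: LocalVolumeSet
metadata:
  name: localvolume-fs
  namespace: openshift-local-storage
  annotations:
    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
spec:
  storageClassName: localvolume-fs
  volumeMode: Filesystem
  deviceInclusionSpec:
    deviceTypes:
      - disk
      - part
    minSize: 1Gi
  nodeSelector:
    nodeSelectorTerms:
      - matchExpressions:
          - key: node-role.kubernetes.io/worker
            operator: Exists

# ==== /apps/04-local-storage-operator/05-localvolume.yaml ====
# Explicit device list: the block class consumed by
# 05-openshift-container-storage/02-ocs-lso-storagecluster.yaml.
---
apiVersion: local.storage.openshift.io/v1
kind: LocalVolume
metadata:
  name: local-disks
  namespace: openshift-local-storage
  annotations:
    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
spec:
  managementState: Managed
  nodeSelector:
    nodeSelectorTerms:
      - matchExpressions:
          - key: node-role.kubernetes.io/worker
            operator: Exists
  storageClassDevices:
    - storageClassName: "lso-blockclass"
      volumeMode: Block
      # NOTE(review): /dev/vdX names follow kernel enumeration order and can move
      # between reboots or disk changes; prefer stable /dev/disk/by-id/... paths
      # so the wrong device is never handed to Ceph.
      devicePaths:
        - /dev/vdb
        - /dev/vdc

# ==== /apps/04-local-storage-operator/kustomization.yaml ====
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
  - 01-install.yaml
  - 02-localvolumediscovery.yaml
  # The LocalVolumeSet variants are deliberately disabled; see 05-localvolume.yaml.
  # - 03-localvolumeset-block.yaml
  # - 04-localvolumeset-fs.yaml
  - 05-localvolume.yaml

# ==== /apps/04-local-storage-operator/test/pv-block-example.yaml ====
# Hand-made static local PV for smoke-testing raw block volumes. It is not
# managed by LSO (its storageClassName is not the lso-blockclass above) and
# has to be deleted by hand.
---
apiVersion: v1
kind: PersistentVolume
metadata:
  name: example-pv-block
spec:
  capacity:
    storage: 10Gi
  volumeMode: Block
  accessModes:
    - ReadWriteOnce
  # Retain instead of Delete: the in-tree `local` plugin cannot delete a volume,
  # so a released PV with Delete is parked as Failed rather than cleaned up.
  # Delete only works for PVs owned by an external static provisioner, which
  # this hand-made one is not.
  persistentVolumeReclaimPolicy: Retain
  storageClassName: localvolume-block
  local:
    # TODO confirm: this device must exist on the worker the PV is used from.
    path: /dev/nvme1n1
  nodeAffinity:
    required:
      nodeSelectorTerms:
        - matchExpressions:
            - key: node-role.kubernetes.io/worker
              operator: Exists

# ==== /apps/04-local-storage-operator/test/pvc-test.yaml ====
# Claim for the PV above plus a pod that attaches it as a raw block device.
---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: example-pvc-block
spec:
  accessModes:
    - ReadWriteOnce
  volumeMode: Block
  resources:
    requests:
      storage: 10Gi
  storageClassName: localvolume-block
---
apiVersion: v1
kind: Pod
metadata:
  name: simple-pod
spec:
  containers:
    - name: simple-pod
      image: registry.access.redhat.com/ubi8/ubi
      resources:
        requests: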
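# ...continues /apps/04-local-storage-operator/test/pvc-test.yaml (container resources onward)
          memory: "64M"
          cpu: "20m"
        limits:
          memory: "128M"
          cpu: "50m"
      command:
        - /bin/bash
        - -c
        - sleep infinity
      volumeDevices:
        # Raw block device exposed inside the container; nothing is mounted.
        - devicePath: /dev/foo
          name: localpvc
  volumes:
    - name: localpvc
      persistentVolumeClaim:
        claimName: example-pvc-block

# ==== /apps/05-openshift-container-storage/00-cli-job-sa-and-role.yaml ====
# Identity for the oc/kubectl helper Jobs of this app
# (01-presync-label-worker-job, 07-postsync-default-storageclass). They list and
# label nodes and patch StorageClasses, so that is all the role grants.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: storace-cli-job-sa-role
  annotations:
    argocd.argoproj.io/hook: PreSync
    # Bootstrap-reconciler annotation; only the built-in RBAC objects are
    # reconciled, so on a custom role it is inert. Kept from the original.
    rbac.authorization.kubernetes.io/autoupdate: "true"
rules:
  # Explicit API groups instead of "*": nodes live in the core group and
  # StorageClasses in storage.k8s.io. The wildcard also matched e.g.
  # metrics.k8s.io/nodes and any future group exposing these resource names.
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get", "list", "patch"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["storageclasses"]
    verbs: ["get", "list", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: storace-cli-gitops-rolebinding
  annotations:
    argocd.argoproj.io/hook: PreSync
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: storace-cli-job-sa-role
subjects:
  - kind: ServiceAccount
    name: cli-job-sa
    namespace: openshift-storage
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cli-job-sa
  namespace: openshift-storage
  annotations:
    argocd.argoproj.io/hook: PreSync

# ==== /apps/05-openshift-container-storage/00-install.yaml ====
---
apiVersion: v1
kind: Namespace
metadata:
  name: openshift-storage
---
apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: openshift-storage
  namespace: openshift-storage
spec:
  targetNamespaces:
    - openshift-storage
---
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: odf-operator
  namespace: openshift-storage
spec:
  # Channel pinned to a minor release; bumping it is an explicit change here
  # (an older stable-4.10 override is left commented out in kustomization.yaml).
  channel: stable-4.15
  installPlanApproval: Automatic
  name: odf-operator
  source: redhat-operators
  sourceNamespace: openshift-marketplace

# ==== /apps/05-openshift-container-storage/01-presync-csi-tolerations.yaml ====
# add toleration to master node so CSI get deployed
# https://access.redhat.com/solutions/6047841
# Applied as a PreSync hook so rook-ceph reads it before the StorageCluster is created.
kind: ConfigMap
apiVersion: v1
metadata:
  name: rook-ceph-operator-config
  namespace: openshift-storage
  annotations:
    argocd.argoproj.io/hook: PreSync
data:
  # '5' is the most verbose CSI log level as far as I know; lower it once the
  # install is stable, the CSI pods log a lot at this level.
  CSI_LOG_LEVEL: '5'
  # The leading blank line inside each block is preserved from the original
  # value (it is harmless to the YAML rook parses).
  CSI_PLUGIN_TOLERATIONS: |-

    - key: node-role.kubernetes.io/master
      operator: Exists
      effect: NoSchedule
    - key: node.ocs.openshift.io/storage
      operator: Equal
      value: "true"
      effect: NoSchedule
  CSI_PROVISIONER_TOLERATIONS: |-

    - key: node.ocs.openshift.io/storage
      operator: Equal
      value: "true"
      effect: NoSchedule

# ==== /apps/05-openshift-container-storage/01-presync-label-worker-job.yaml ====
# Labels every worker as an ODF storage node; 02-ocs-storagecluster.yaml notes
# that nodes must carry cluster.ocs.openshift.io/openshift-storage='' first.
# NOTE(review): despite the presync- name this Job carries no argocd hook
# annotation (the original had an empty `annotations:` key), so Argo CD creates
# it once as a plain resource - Jobs are immutable - rather than re-running it
# before every sync. Add `argocd.argoproj.io/hook: PreSync` if re-labelling newly
# added workers on each sync is intended.
---
apiVersion: batch/v1
kind: Job
metadata:
  name: presync-label-storage-node
  namespace: openshift-storage
spec:
  template:
    spec:
      containers:
        - name: presync-label-storage-node
          # NOTE(review): `latest` is a mutable tag; pin to the cluster's 4.x
          # release so the oc client does not drift from the API server.
          image: registry.redhat.io/openshift4/ose-cli:latest
          imagePullPolicy: IfNotPresent
          resources:
            requests:
              cpu: 250m
              memory: 128Mi
            limits:
              cpu: 500m
              memory: 256Mi
          command:
            - /bin/bash
            - -c
            - |
              # Abort on the first failing command so a labelling failure is
              # reported as a failed Job instead of a green "... is labeled" line.
              set -euo pipefail
              for i in $(oc get nodes -l node-role.kubernetes.io/worker -o name); do
                # --overwrite makes re-runs idempotent: without it `oc label`
                # refuses to touch a node that already carries the label.
                oc label --overwrite "$i" cluster.ocs.openshift.io/openshift-storage=''
                echo "Worker node $i is labeled with cluster.ocs.openshift.io/openshift-storage=''"
              done
      dnsPolicy: ClusterFirst
      restartPolicy: OnFailure
      serviceAccountName: cli-job-sa
      terminationGracePeriodSeconds: 30

# ==== /apps/05-openshift-container-storage/02-ocs-lso-storagecluster.yaml ====
# StorageCluster backed by the LSO block class from 04-local-storage-operator.
# This is the variant listed in kustomization.yaml; 02-ocs-storagecluster.yaml
# (gp2) is the alternative and is not applied.
apiVersion: ocs.openshift.io/v1
kind: StorageCluster
metadata:
  name: ocs-storagecluster
  namespace: openshift-storage
  annotations:
    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
spec:
  # NOTE(review): `kms: {}` alone does not turn encryption on - there is no
  # `enable: true` here, unlike the gp2 variant - so the OSDs on these local
  # disks are unencrypted at rest. Confirm that is intended for this cluster.
  encryption:
    kms: {}
  monDataDirHostPath: /var/lib/rook
  storageDeviceSets:
    - name: ocs-deviceset-lso-blockclass
      # 10 PVCs with replica 1: every LSO device becomes its own OSD. This is not
      # the default replica: 3 layout - TODO confirm the intended failure domains.
      count: 10
      replica: 1
      dataPVCTemplate:
        spec:
          accessModes:
            - ReadWriteOnce
          resources:
            requests:
              # Placeholder size: LSO PVs are whole devices, so any request binds.
              storage: '1'
          storageClassName: lso-blockclass
          volumeMode: Block

# ==== /apps/05-openshift-container-storage/02-ocs-storagecluster.yaml ====
# make sure the nodes are first labeled with cluster.ocs.openshift.io/openshift-storage=''
# ex: for i in `oc get nodes -l node-role.kubernetes.io/worker -o name`; do oc label $i cluster.ocs.openshift.io/openshift-storage=''; done
# (Not listed in kustomization.yaml - the LSO variant above is the one applied.)
---
apiVersion: ocs.openshift.io/v1
kind: StorageCluster
metadata:
  name: ocs-storagecluster
  namespace: openshift-storage
  annotations:
    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
spec:
  encryption: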
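# ...continues /apps/05-openshift-container-storage/02-ocs-storagecluster.yaml (spec.encryption onward)
    enable: true
  storageDeviceSets:
    # Cloud (gp2) device set: one 512Gi block volume per replica.
    - name: ocs-deviceset-gp2
      count: 1
      replica: 3
      dataPVCTemplate:
        spec:
          accessModes:
            - ReadWriteOnce
          resources:
            requests:
              storage: 512Gi
          storageClassName: gp2
          volumeMode: Block
    # Second set on the LSO block class (placeholder size: LSO PVs are whole devices).
    - name: ocs-deviceset2-lso-blockclass
      count: 1
      replica: 2
      dataPVCTemplate:
        spec:
          accessModes:
            - ReadWriteOnce
          resources:
            requests:
              storage: '1'
          storageClassName: lso-blockclass
          volumeMode: Block

# ==== /apps/05-openshift-container-storage/04-registry-pvc-create.yaml ====
# Shared (RWX) CephFS volume for the internal image registry.
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: ocs-registry
  namespace: openshift-image-registry
spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 150Gi
  storageClassName: ocs-storagecluster-cephfs

# ==== /apps/05-openshift-container-storage/05-ocs-internal-registry.yaml ====
# Points the image registry operator at the PVC above and enables the registry.
---
apiVersion: imageregistry.operator.openshift.io/v1
kind: Config
metadata:
  name: cluster
spec:
  managementState: Managed
  storage:
    pvc:
      claim: ocs-registry

# ==== /apps/05-openshift-container-storage/06-metrics-use-ocs.yaml ====
# Gives platform Prometheus and Alertmanager persistent ODF RBD volumes instead
# of the default ephemeral storage. (config.yaml is consumed by the monitoring
# operator and is reproduced verbatim.)
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: cluster-monitoring-config
  namespace: openshift-monitoring
data:
  config.yaml: |
    enableUserWorkload: false
    prometheusK8s:
      volumeClaimTemplate:
        metadata:
          name: prometheusdb
        spec:
          storageClassName: ocs-storagecluster-ceph-rbd
          resources:
            requests:
              storage: 10Gi
    alertmanagerMain:
      volumeClaimTemplate:
        metadata:
          name: alertmanager
        spec:
          storageClassName: ocs-storagecluster-ceph-rbd
          resources:
            requests:
              storage: 10Gi

# ==== /apps/05-openshift-container-storage/07-postsync-default-storageclass.yaml ====
# PostSync hook: makes the ODF RBD class the cluster default. Deleted by Argo CD
# once it succeeds (HookSucceeded) so it is re-created on the next sync.
---
apiVersion: batch/v1
kind: Job
metadata:
  annotations:
    argocd.argoproj.io/hook: PostSync
    argocd.argoproj.io/hook-delete-policy: HookSucceeded
  name: postsync-default-storageclass
  namespace: openshift-storage
spec:
  template:
    spec:
      containers:
        - name: postsync-default-storageclass
          # NOTE(review): `latest` is a mutable tag; pin it to the cluster release.
          image: registry.redhat.io/openshift4/ose-cli:latest
          imagePullPolicy: IfNotPresent
          resources:
            requests:
              cpu: 250m
              memory: 128Mi
            limits:
              cpu: 500m
              memory: 256Mi
          command:
            - /bin/bash
            - -c
            - |
              set -euo pipefail
              # Demote any other class that is currently flagged default. With two
              # defaults, newer releases silently pick the most recently created
              # class and older ones reject PVC creation outright, so the original
              # one-line patch only worked on a cluster with no prior default
              # (e.g. gp2 on AWS). Needs list/patch on storageclasses, which
              # storace-cli-job-sa-role grants.
              for sc in $(kubectl get storageclass -o jsonpath='{range .items[?(@.metadata.annotations.storageclass\.kubernetes\.io/is-default-class=="true")]}{.metadata.name}{"\n"}{end}'); do
                if [ "$sc" != "ocs-storagecluster-ceph-rbd" ]; then
                  kubectl patch storageclass "$sc" -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"false"}}}'
                fi
              done
              kubectl patch storageclass ocs-storagecluster-ceph-rbd -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}'
      dnsPolicy: ClusterFirst
      restartPolicy: OnFailure
      serviceAccountName: cli-job-sa
      terminationGracePeriodSeconds: 30

# ==== /apps/05-openshift-container-storage/kustomization.yaml ====
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

# bases:
# - github.com/redhat-cop/gitops-catalog/openshift-data-foundation-operator/operator/overlays/stable-4.10?ref=main

resources:
  - 00-install.yaml
  - 00-cli-job-sa-and-role.yaml
  - 01-presync-csi-tolerations.yaml
  - 01-presync-label-worker-job.yaml
  # LSO-backed StorageCluster; 02-ocs-storagecluster.yaml (gp2) is intentionally not listed.
  - 02-ocs-lso-storagecluster.yaml
  - 04-registry-pvc-create.yaml
  - 05-ocs-internal-registry.yaml
  - 06-metrics-use-ocs.yaml
  - 07-postsync-default-storageclass.yaml

# Explicit empty list (the original left the key with no value); the old
# channel override is kept below for reference.
patches: []
# - target:
#     kind: Subscription
#     name: odf-operator
#   patch: |-
#     - op: replace
#       path: /spec/channel
#       value: 'stable-4.10'

# ==== /apps/05-openshift-container-storage/untitled.txt ====
# Manual ODF/Ceph teardown runbook - NOT applied by Argo CD (not in kustomization.yaml).
# Each `finalizers:null` patch skips the owning operator's cleanup, so this can
# leave Ceph data on the LSO disks and NooBaa state behind. Use it only when the
# operator itself is already gone and the disks will be wiped afterwards.
oc patch cephfilesystem.ceph.rook.io/ocs-storagecluster-cephfilesystem -n openshift-storage -p '{"metadata":{"finalizers":null}}' --type=merge
oc delete cephfilesystem.ceph.rook.io/ocs-storagecluster-cephfilesystem -n openshift-storage
oc patch cephblockpool.ceph.rook.io/ocs-storagecluster-cephblockpool -n openshift-storage -p '{"metadata":{"finalizers":null}}' --type=merge
oc delete cephblockpool.ceph.rook.io/ocs-storagecluster-cephblockpool -n openshift-storage
oc patch noobaa.noobaa.io/noobaa -n openshift-storage -p '{"metadata":{"finalizers":null}}' --type=merge
oc delete noobaa.noobaa.io/noobaa -n openshift-storage
oc patch backingstore.noobaa.io/noobaa-default-backing-store -n openshift-storage -p '{"metadata":{"finalizers":null}}' --type=merge
oc delete backingstore.noobaa.io/noobaa-default-backing-store -n openshift-storage
oc patch bucketclass.noobaa.io/noobaa-default-bucket-class -n openshift-storage -p '{"metadata":{"finalizers":null}}' --type=merge
oc delete bucketclass.noobaa.io/noobaa-default-bucket-class -n openshift-storage
oc patch storagecluster.ocs.openshift.io/ocs-storagecluster -n openshift-storage -p '{"metadata":{"finalizers":null}}' --type=merge
oc patch cephcluster.ceph.rook.io/ocs-storagecluster-cephcluster -n openshift-storage -p \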
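'{"metadata":{"finalizers":null}}' --type=merge
oc delete cephcluster.ceph.rook.io/ocs-storagecluster-cephcluster -n openshift-storage
oc delete storagecluster.ocs.openshift.io/ocs-storagecluster -n openshift-storage

# List whatever ceph/noobaa resources survived the teardown above.
kubectl api-resources --verbs=list --namespaced -o name | grep "ceph\|nooba" \
  | xargs -n 1 kubectl get --show-kind --ignore-not-found -n openshift-storage

# ==== /apps/06-rhsso/base/00-presync-create-cert-cm-job.yaml ====
# One-shot Job that copies the router's Let's Encrypt certificate into the
# `openidcacrt` ConfigMap in openshift-config (presumably the CA bundle the
# OAuth identity provider in 07-oauth references; that app is not visible here).
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: sso-cli-job-sa-role
  annotations:
    # Bootstrap-reconciler annotation; inert on a custom role, kept from the original.
    rbac.authorization.kubernetes.io/autoupdate: "true"
rules:
  # this is for the 00-presync-create-cert-cm-job
  - apiGroups: [""]
    resources: ["configmaps", "secrets"]
    verbs: ["get", "list", "create", "patch"]
---
# The Job only reads Secrets in openshift-ingress and creates a ConfigMap in
# openshift-config (see the script below), so the ClusterRole is bound per
# namespace with RoleBindings rather than a ClusterRoleBinding: the latter let
# this SA read every Secret in the cluster.
# NOTE(review): if an overlay adds other Jobs using cli-job-sa that need more,
# extend these bindings rather than reverting to a cluster-wide grant.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: sso-gitops-rolebinding
  namespace: openshift-ingress
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: sso-cli-job-sa-role
subjects:
  - kind: ServiceAccount
    name: cli-job-sa
    namespace: openshift-sso
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: sso-gitops-rolebinding
  namespace: openshift-config
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: sso-cli-job-sa-role
subjects:
  - kind: ServiceAccount
    name: cli-job-sa
    namespace: openshift-sso
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cli-job-sa
  namespace: openshift-sso
---
apiVersion: batch/v1
kind: Job
metadata:
  name: presync-create-cert-cm-job
  namespace: openshift-sso
spec:
  template:
    spec:
      containers:
        - name: presync-create-cert-cm-job
          # NOTE(review): v4.4 is many releases behind the cluster (ODF tracks
          # stable-4.15); pin the oc client close to the server version.
          image: registry.redhat.io/openshift4/ose-cli:v4.4
          imagePullPolicy: Always
          resources:
            requests:
              cpu: 250m
              memory: 128Mi
            limits:
              cpu: 500m
              memory: 256Mi
          command:
            - /bin/bash
            - -c
            - |
              set -euo pipefail
              # Any failure to read the ConfigMap counts as "absent": the old
              # `[[ $? == 1 ]]` test skipped creation on every other non-zero
              # exit (and the Job still reported success).
              if ! oc get configmap openidcacrt -n openshift-config >/dev/null 2>&1; then
                echo "Create a ConfigMap named openidcacrt in the openshift-config project."

                # Wait for the Let's Encrypt job (03-letsencrypt-certs) to publish
                # its secret; only the substring 'le-certs' of the name is known.
                # No timeout: the Job polls (and Argo CD waits) until it appears.
                CERT_SECRET=""
                while [[ -z "$CERT_SECRET" ]]; do
                  echo "Wait for letencrypt certs to be deployed, sleep 3 seconds"
                  sleep 3
                  # `|| true`: an empty grep result must not abort the loop under set -e;
                  # head -n 1 keeps a single name if several secrets match.
                  CERT_SECRET=$(oc get secrets -n openshift-ingress -o name | grep 'le-certs' | head -n 1 | cut -d/ -f2 || true)
                done
                echo "Certificate found - store in $CERT_SECRET"
                # tls.crt is the served certificate, not a CA. Publishing it as ca.crt
                # only works if the secret holds the full chain - TODO confirm against
                # what the ACME image writes.
                tlscert=$(oc get secret "$CERT_SECRET" -n openshift-ingress -o jsonpath='{.data.tls\.crt}' | base64 --decode)
                oc create configmap openidcacrt --from-literal ca.crt="$tlscert" -n openshift-config
              fi
      dnsPolicy: ClusterFirst
      restartPolicy: OnFailure
      serviceAccountName: cli-job-sa
      terminationGracePeriodSeconds: 30

# ==== /apps/06-rhsso/base/01-install.yaml ====
# Red Hat SSO operator: namespace, OperatorGroup and Subscription.
---
apiVersion: v1
kind: Namespace
metadata:
  name: openshift-sso
---
apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: openshift-sso
  namespace: openshift-sso
spec:
  targetNamespaces:
    - openshift-sso
---
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: openshift-sso
  namespace: openshift-sso
spec:
  channel: stable
  installPlanApproval: Automatic
  name: rhsso-operator
  source: redhat-operators
  sourceNamespace: openshift-marketplace

# ==== /apps/06-rhsso/base/02-keycloak.yaml ====
---
apiVersion: keycloak.org/v1alpha1
kind: Keycloak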
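# ...continues /apps/06-rhsso/base/02-keycloak.yaml
metadata:
  name: keycloak
  namespace: openshift-sso
  annotations:
    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
  labels:
    app: sso
spec:
  externalAccess:
    # Presumably makes the operator create a Route; its hostname is what
    # 03-postsync-keycloak-migration.yaml and 04-console-link.yaml hard-code.
    enabled: true
  # Single instance: no HA.
  instances: 1
  storageClassName: ocs-storagecluster-ceph-rbd

# ==== /apps/06-rhsso/base/03-postsync-keycloak-migration.yaml ====
# PostSync hook: replays the realm/client/user/group changelog (mounted from the
# sealed `keycloak-migration` Secret) against the freshly synced Keycloak.
apiVersion: batch/v1
kind: Job
metadata:
  name: keycloak-migration
  namespace: openshift-sso
  annotations:
    argocd.argoproj.io/hook: PostSync
spec:
  template:
    spec:
      # Nothing in this manifest needs the Kubernetes API: the container talks
      # to Keycloak over BASEURL with the admin credentials below. Do not hand it
      # a service-account token it has no use for.
      automountServiceAccountToken: false
      containers:
        - name: keycloak-migration
          # NOTE(review): untagged Docker Hub image (resolves to :latest), pulled
          # with Always and handed the Keycloak admin password - pin a digest.
          image: klg71/keycloakmigration
          imagePullPolicy: Always
          env:
            # NOTE(review): cluster-specific hostname in the shared base; belongs in an overlay.
            - name: BASEURL
              value: "https://keycloak-openshift-sso.apps.hub.rhtelco.io/auth"
            - name: CORRECT_HASHES
              value: "true"
            # credential-keycloak is presumably the admin secret the operator creates.
            - name: ADMIN_USERNAME
              valueFrom:
                secretKeyRef:
                  name: credential-keycloak
                  key: ADMIN_USERNAME
            - name: ADMIN_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: credential-keycloak
                  key: ADMIN_PASSWORD
          volumeMounts:
            - name: keycloak-migration
              mountPath: "/migration"
              readOnly: true
            - name: logs
              mountPath: "/logs"
      dnsPolicy: ClusterFirst
      restartPolicy: OnFailure
      terminationGracePeriodSeconds: 30
      volumes:
        - name: keycloak-migration
          secret:
            secretName: keycloak-migration
        - name: logs
          emptyDir: {}

# ==== /apps/06-rhsso/base/04-console-link.yaml ====
apiVersion: console.openshift.io/v1
kind: ConsoleLink
metadata:
  # NOTE(review): "keycloack" is a typo, but it is also the object's identity;
  # renaming it makes Argo CD delete and recreate the link. Left as-is.
  name: keycloack
spec:
  applicationMenu:
    section: Red Hat applications
    imageURL:
  # NOTE(review): same hard-coded cluster hostname as the migration Job; overlay material.
  href: 'https://keycloak-openshift-sso.apps.hub.rhtelco.io/auth/'
  location: ApplicationMenu
  text: Keycloak

# ==== /apps/06-rhsso/base/05-cluster-admin-users-rolebinding.yaml ====
# Grants cluster-admin to named SSO users.
# NOTE(review): a user list is cluster-specific and belongs in an overlay, not
# the shared base. The binding deliberately carries no
# `kubernetes.io/bootstrapping: rbac-defaults` label or autoupdate annotation:
# those are reserved for the API server's built-in RBAC objects, are inert on a
# hand-written binding, and made a human cluster-admin grant look like a system
# default in audits.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-admin-users
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: adetalhouet

# ==== /apps/06-rhsso/base/kustomization.yaml ====
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
  - 00-presync-create-cert-cm-job.yaml
  - 01-install.yaml
  - 02-keycloak.yaml
  - 03-postsync-keycloak-migration.yaml
  - 04-console-link.yaml
  - 05-cluster-admin-users-rolebinding.yaml

# ==== /apps/06-rhsso/overlays/ca-central/01-sealed-rhsso-config.yaml ====
# kubeseal output of the config/ directory (realms, clients, users, groups and
# the changelog) consumed by the keycloak-migration Job. Only the sealed form is
# committed; config/.gitignore keeps the plaintext clients/users files out of git.
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  creationTimestamp: null
  name: keycloak-migration
  namespace: openshift-sso
spec:
  encryptedData:
    01-realms.yaml: 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
    02-clients.yaml: 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
    03-users.yaml: 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
    04-groups.yaml: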
AgByKApfCC4pe53NBZkv9Bu7G9mjliFLo0wz883CrptZxjFBmUNj/WU3HO/NdrcCeqD4aw3OMliY9dKUCeRF3jzuaVuZ5MEQ1MADlhTKAQkelMn7VIfjkaxeTBPFutncJuErDWBy0R2wsz89nSO/XhbMkph6b66LeJNmnS2ZUc/MBBlVR8ps+l9QQ6CBiMC6zBWXckvW+Dxm286WGjMNfNXj+EleTLC+SsSsGC8CGyHw1EY6ntQ9CDTqHhj1V0PfIN1ux2SOyKd+0Nd1issGxJITqXOr2pQ6SExXu7Pd04KHCmHymyRk/wbFRR/JUBg2WXosq+AQr379lMqbW6GZEFK3YDwlWx9rSLLL6pD6nmmfsKd8rwPYTvn55GPzZb8LGoYBDGXncbayFasHkR6V6kBJzI0VcJ+mka6w3ijWQhrNY/Mb26j11YtAlpd2M6ZLnjAM+OfO+HBKJwQPlyRJslSHE6GJtKL1NqQ1aXIKQRGAzQ3EXi+LiIKReSea3CusZHLpRBY5SHfkj7XU7Zk+GBEePHnpQsG9/ZBrQF3FCLsDh5rfzLrj484DkP2x2LiPhFvHJNpQESWM6yC3bUbvrQdohQoG+RUa1+lEKhekh6e4AVkz2xmAd7ga66u9QUJ9KP5vLeJAC53ujJbMJWYJnCeTdDweKwyYpelgpghAyK8ihBM3XBWzTntLo20//Y+OZhFLChPgbyAnUAqdJ25KuYHV0dDMfaQ/mkc33RkLxoRm0A6CQJkjs1zDD9lydkKCjEtaWRv3fRpuXxIdnDUOrYgo9JdTQrbqgQBcgnrzPPlt690KHpUX8uWLJQHP2iidGfBycnt/V8kwTjMaJw4BcxcUlanl3TL7bfVPY1mqvTn5OdGboO0mFJLEMBr3caew6XlRAIMh+pUTc4pOllavN3+LITs6+YMfL55RHzdZTT3+3Q1LvecQ8QdCPjm3X6jgmyfm9qBWMyqqmDSiRw5VJUycZOSqcTL94nBqh4vmuXBPV0O1O3TeoRYUzBGmY9H5ZIsm6zkQ4EGiRasF0ZA8h8v+tpvYNXiehii6B0RvgSBRu9jpihc6eOOWLwdaxh+F96kFpFMedUzBy+F2Mrbrt/HJ3eghczhcZFMmHf1eUP4NNpR9vsCB0eELRD1JkuEWprgUtFzLvRGWocb1YNAvCzOp8A== 13 | keycloak-changelog.yml: 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 14 | template: 15 | data: null 16 | metadata: 17 | creationTimestamp: null 18 | name: keycloak-migration 19 | namespace: openshift-sso 20 | type: Opaque 21 | 22 | -------------------------------------------------------------------------------- /apps/06-rhsso/overlays/ca-central/config/.gitignore: -------------------------------------------------------------------------------- 1 | 02-clients.yaml 2 | 03-users.yaml 3 | rhsso-config.yaml -------------------------------------------------------------------------------- /apps/06-rhsso/overlays/ca-central/config/01-realms.yaml: -------------------------------------------------------------------------------- 1 | id: add-realms 2 | author: adetalhouet 3 | changes: 4 | - addRealm: 5 | 
name: openshift -------------------------------------------------------------------------------- /apps/06-rhsso/overlays/ca-central/config/04-groups.yaml: -------------------------------------------------------------------------------- 1 | id: assign-group 2 | author: adetalhouet 3 | changes: 4 | - addGroup: 5 | realm: openshift 6 | name: ArgoCDAdmins 7 | - assignGroup: 8 | realm: openshift 9 | user: adetalhouet 10 | group: ArgoCDAdmins 11 | - addGroup: 12 | realm: openshift 13 | name: StackroxAdmins 14 | - assignGroup: 15 | realm: openshift 16 | user: adetalhouet 17 | group: StackroxAdmins -------------------------------------------------------------------------------- /apps/06-rhsso/overlays/ca-central/config/README.md: -------------------------------------------------------------------------------- 1 | __Using the Keycloak Migration tool for configuration__ 2 | 3 | Find [here](https://mayope.github.io/keycloakmigration/) how to use it and build your manifest. The PostSync job in `base/03-postsync-keycloak-migration.yaml` runs this tool from the `klg71/keycloakmigration` image with the Keycloak admin credentials; that image reference carries no tag or digest, so pin it to a digest before relying on it. `02-clients.yaml` and `03-users.yaml` hold client secrets and user passwords: they are git-ignored (and commented out of `config/kustomization.yaml` in this checkout) and reach the cluster only inside the sealed secret. 4 | 5 | _Create Client_ 6 | 7 | ~~~ 8 | id: add-openshift-client 9 | author: adetalhouet 10 | realm: openshift 11 | changes: 12 | # OpenShift client 13 | - addSimpleClient: 14 | clientId: openshift 15 | publicClient: false 16 | secret: " " # change client secret accordingly in oauth app 17 | redirectUris: 18 | - "https://oauth-openshift.apps.ca-central.adetalhouet.ca/oauth2callback/keycloak" 19 | - updateClient: 20 | clientId: openshift 21 | standardFlowEnabled: true 22 | implicitFlowEnabled: false 23 | directAccessGrantEnabled: true 24 | # Stackrox 25 | - addSimpleClient: 26 | clientId: stackrox 27 | publicClient: false 28 | secret: " " # change client secret accordingly in oauth app 29 | redirectUris: 30 | - "https://central-stackrox.apps.ca-central.adetalhouet.ca/sso/providers/oidc/callback" 31 | - "https://central-stackrox.apps.ca-central.adetalhouet.ca/auth/response/oidc" 32 | - updateClient: 33 | clientId: stackrox 34 | standardFlowEnabled: true 35 | implicitFlowEnabled: false 36 | 
directAccessGrantEnabled: true 37 | - addGroupMembershipMapper: 38 | clientId: stackrox 39 | name: groups 40 | addToAccessToken: true 41 | claimName: groups 42 | - assignDefaultClientScope: 43 | clientId: stackrox 44 | clientScopeName: groups 45 | # Argocd client 46 | - addSimpleClient: 47 | clientId: argocd 48 | publicClient: false 49 | secret: " " # change client secret accordingly in argocd app 50 | redirectUris: 51 | - "https://openshift-gitops-server-openshift-gitops.apps.ca-central.adetalhouet.ca/auth/callback" 52 | - updateClient: 53 | clientId: argocd 54 | standardFlowEnabled: true 55 | implicitFlowEnabled: false 56 | directAccessGrantEnabled: true 57 | baseUrl: /applications 58 | rootUrl: https://openshift-gitops-server-openshift-gitops.apps.ca-central.adetalhouet.ca 59 | - addClientScope: 60 | name: groups 61 | - addGroupMembershipMapper: 62 | clientId: argocd 63 | name: groups 64 | addToAccessToken: true 65 | claimName: groups 66 | - assignDefaultClientScope: 67 | clientId: argocd 68 | clientScopeName: groups 69 | ~~~ Every client above sets `directAccessGrantEnabled: true`, which enables the Resource Owner Password Credentials flow (a username and password exchanged directly for tokens, outside the browser redirect flow); set it to `false` unless a client genuinely needs it. Note also that the `groups` client scope is created (`addClientScope`) only in the Argo CD section, after it has already been assigned to the `stackrox` client; confirm the migration tool tolerates that order. 70 | 71 | _Create Users_ 72 | 73 | ~~~ 74 | id: add-users 75 | author: adetalhouet 76 | changes: 77 | - addUser: 78 | realm: openshift 79 | name: adetalhouet 80 | enabled: true 81 | firstName: Alexis 82 | lastName: de Talhouët 83 | - updateUserPassword: 84 | realm: openshift 85 | name: adetalhouet 86 | password: "blah" 87 | ~~~ The `password` value here is only an example; the real `03-users.yaml` is git-ignored and must never be committed in clear text. 88 | 89 | __Generate RH SSO config changelog secret__ 90 | 91 | `kustomize build ./ > rhsso-config.yaml` `rhsso-config.yaml` contains the plaintext secret; it is git-ignored, and only its sealed form (next step) belongs in the repository. 92 | 93 | __Seal the RH SSO changelog secret__ 94 | 95 | `kubeseal --cert ~/.bitnami/tls.crt --format yaml < rhsso-config.yaml > ../01-sealed-rhsso-config.yaml` -------------------------------------------------------------------------------- /apps/06-rhsso/overlays/ca-central/config/keycloak-changelog.yml: -------------------------------------------------------------------------------- 1 | includes: 2 | - path: 01-realms.yaml 3 | - path: 02-clients.yaml 4 | - path: 03-users.yaml 5 | - path: 04-groups.yaml 
-------------------------------------------------------------------------------- /apps/06-rhsso/overlays/ca-central/config/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | 4 | namespace: openshift-sso 5 | 6 | generatorOptions: 7 | disableNameSuffixHash: true 8 | 9 | secretGenerator: 10 | - name: keycloak-migration 11 | files: 12 | - keycloak-changelog.yml 13 | - 01-realms.yaml 14 | # - 02-clients.yaml 15 | # - 03-users.yaml 16 | - 04-groups.yaml -------------------------------------------------------------------------------- /apps/06-rhsso/overlays/ca-central/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | 5 | bases: 6 | - ../../base 7 | 8 | resources: 9 | - 01-sealed-rhsso-config.yaml 10 | 11 | patches: 12 | - target: 13 | kind: ConsoleLink 14 | name: keycloack 15 | patch: |- 16 | - op: replace 17 | path: /spec/href 18 | value: 'https://keycloak-openshift-sso.apps.ca-central.adetalhouet.ca/auth/' 19 | - target: 20 | kind: Job 21 | name: keycloak-migration 22 | patch: |- 23 | - op: replace 24 | path: /spec/template/spec/containers/0/env/0/value 25 | value: 'https://keycloak-openshift-sso.apps.ca-central.adetalhouet.ca/auth/' -------------------------------------------------------------------------------- /apps/06-rhsso/overlays/default/01-sealed-rhsso-config.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: bitnami.com/v1alpha1 2 | kind: SealedSecret 3 | metadata: 4 | creationTimestamp: null 5 | name: keycloak-migration 6 | namespace: openshift-sso 7 | spec: 8 | encryptedData: 9 | 01-realms.yaml: 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 10 | 02-clients.yaml: 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 11 | 03-users.yaml: 
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 12 | 04-groups.yaml: 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 13 | keycloak-changelog.yml: 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 14 | template: 15 | data: null 16 | metadata: 17 | creationTimestamp: null 18 | name: keycloak-migration 19 | namespace: openshift-sso 20 | type: Opaque 21 | 22 | -------------------------------------------------------------------------------- /apps/06-rhsso/overlays/default/config/.gitignore: -------------------------------------------------------------------------------- 1 | 02-clients.yaml 2 | 03-users.yaml 3 | rhsso-config.yaml -------------------------------------------------------------------------------- /apps/06-rhsso/overlays/default/config/01-realms.yaml: -------------------------------------------------------------------------------- 1 | id: add-realms 2 | author: adetalhouet 3 | changes: 4 | - addRealm: 5 | name: openshift -------------------------------------------------------------------------------- /apps/06-rhsso/overlays/default/config/04-groups.yaml: -------------------------------------------------------------------------------- 1 | id: assign-group 2 | author: adetalhouet 3 | changes: 4 | - addGroup: 5 | realm: openshift 6 | name: ArgoCDAdmins 7 | - assignGroup: 8 | realm: openshift 9 | user: adetalhouet 10 | group: ArgoCDAdmins 11 | - addGroup: 12 | realm: openshift 13 | name: StackroxAdmins 14 | - assignGroup: 15 | realm: openshift 16 | user: adetalhouet 17 | group: StackroxAdmins -------------------------------------------------------------------------------- /apps/06-rhsso/overlays/default/config/README.md: -------------------------------------------------------------------------------- 1 | __Using the Keycloak Migration tool for configuration__ 2 | 3 | Find [here](https://mayope.github.io/keycloakmigration/) how to use it and build your manifest. The PostSync job in `base/03-postsync-keycloak-migration.yaml` runs this tool from the `klg71/keycloakmigration` image with the Keycloak admin credentials; that image reference carries no tag or digest, so pin it to a digest before relying on it. `02-clients.yaml` and `03-users.yaml` hold client secrets and user passwords: they are git-ignored (and commented out of `config/kustomization.yaml` in this checkout) and reach the cluster only inside the sealed secret. 4 | 5 | _Create Client_ 6 | 7 | ~~~ 8 | id: add-openshift-client 9 | author: 
adetalhouet 10 | realm: openshift 11 | changes: 12 | # OpenShift client 13 | - addSimpleClient: 14 | clientId: openshift 15 | publicClient: false 16 | secret: " " # change client secret accordingly in oauth app 17 | redirectUris: 18 | - "https://oauth-openshift.apps.hub-adetalhouet.rhtelco.io/oauth2callback/keycloak" 19 | - updateClient: 20 | clientId: openshift 21 | standardFlowEnabled: true 22 | implicitFlowEnabled: false 23 | directAccessGrantEnabled: true 24 | # Stackrox 25 | - addSimpleClient: 26 | clientId: stackrox 27 | publicClient: false 28 | secret: " " # change client secret accordingly in oauth app 29 | redirectUris: 30 | - "https://central-stackrox.apps.hub-adetalhouet.rhtelco.io/sso/providers/oidc/callback" 31 | - "https://central-stackrox.apps.hub-adetalhouet.rhtelco.io/auth/response/oidc" 32 | - updateClient: 33 | clientId: stackrox 34 | standardFlowEnabled: true 35 | implicitFlowEnabled: false 36 | directAccessGrantEnabled: true 37 | - addClientScope: 38 | name: groups 39 | - addGroupMembershipMapper: 40 | clientId: stackrox 41 | name: groups 42 | addToAccessToken: true 43 | claimName: groups 44 | - assignDefaultClientScope: 45 | clientId: stackrox 46 | clientScopeName: groups 47 | # Argocd client 48 | - addSimpleClient: 49 | clientId: argocd 50 | publicClient: false 51 | secret: " " # change client secret accordingly in argocd app 52 | redirectUris: 53 | - "https://openshift-gitops-server-openshift-gitops.apps.hub-adetalhouet.rhtelco.io/auth/callback" 54 | - updateClient: 55 | clientId: argocd 56 | standardFlowEnabled: true 57 | implicitFlowEnabled: false 58 | directAccessGrantEnabled: true 59 | baseUrl: /applications 60 | rootUrl: https://openshift-gitops-server-openshift-gitops.apps.hub-adetalhouet.rhtelco.io 61 | - addClientScope: 62 | name: groups 63 | - addGroupMembershipMapper: 64 | clientId: argocd 65 | name: groups 66 | addToAccessToken: true 67 | claimName: groups 68 | - assignDefaultClientScope: 69 | clientId: argocd 70 | 
clientScopeName: groups 71 | ~~~ Every client above sets `directAccessGrantEnabled: true`, which enables the Resource Owner Password Credentials flow (a username and password exchanged directly for tokens, outside the browser redirect flow); set it to `false` unless a client genuinely needs it. The `groups` client scope is also added twice (`addClientScope` before the Stackrox mapper and again before the Argo CD mapper); confirm the tool treats the second add as a no-op. 72 | 73 | _Create Users_ 74 | 75 | ~~~ 76 | id: add-users 77 | author: adetalhouet 78 | changes: 79 | - addUser: 80 | realm: openshift 81 | name: adetalhouet 82 | enabled: true 83 | firstName: Alexis 84 | lastName: de Talhouët 85 | - updateUserPassword: 86 | realm: openshift 87 | name: adetalhouet 88 | password: "blah" 89 | ~~~ The `password` value here is only an example; the real `03-users.yaml` is git-ignored and must never be committed in clear text. 90 | 91 | __Generate RH SSO config changelog secret__ 92 | 93 | `kustomize build ./ > rhsso-config.yaml` `rhsso-config.yaml` contains the plaintext secret; it is git-ignored, and only its sealed form (next step) belongs in the repository. 94 | 95 | __Seal the RH SSO changelog secret__ 96 | 97 | `kubeseal --cert ~/.bitnami/tls.crt --format yaml < rhsso-config.yaml > ../01-sealed-rhsso-config.yaml` -------------------------------------------------------------------------------- /apps/06-rhsso/overlays/default/config/keycloak-changelog.yml: -------------------------------------------------------------------------------- 1 | includes: 2 | - path: 01-realms.yaml 3 | - path: 02-clients.yaml 4 | - path: 03-users.yaml 5 | - path: 04-groups.yaml -------------------------------------------------------------------------------- /apps/06-rhsso/overlays/default/config/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | 4 | namespace: openshift-sso 5 | 6 | generatorOptions: 7 | disableNameSuffixHash: true 8 | 9 | secretGenerator: 10 | - name: keycloak-migration 11 | files: 12 | - keycloak-changelog.yml 13 | - 01-realms.yaml 14 | # - 02-clients.yaml 15 | # - 03-users.yaml 16 | - 04-groups.yaml -------------------------------------------------------------------------------- /apps/06-rhsso/overlays/default/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | 5 | bases: 6 | - ../../base 7 | 8 | resources: 9 | - 01-sealed-rhsso-config.yaml 10 | 11 | patches: 12 | - target: 13 | kind: ConsoleLink 14 | name: 
keycloack 15 | patch: |- 16 | - op: replace 17 | path: /spec/href 18 | value: 'https://keycloak-openshift-sso.apps.hub-adetalhouet.rhtelco.io/auth/' 19 | - target: 20 | kind: Job 21 | name: keycloak-migration 22 | patch: |- 23 | - op: replace 24 | path: /spec/template/spec/containers/0/env/0/value 25 | value: 'https://keycloak-openshift-sso.apps.hub-adetalhouet.rhtelco.io/auth/' -------------------------------------------------------------------------------- /apps/07-oauth/base/.gitignore: -------------------------------------------------------------------------------- 1 | rhsso-client-secret.yaml 2 | -------------------------------------------------------------------------------- /apps/07-oauth/base/01-oauth-cluster.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: config.openshift.io/v1 2 | kind: OAuth 3 | metadata: 4 | name: cluster 5 | spec: 6 | identityProviders: 7 | - mappingMethod: claim 8 | name: keycloak 9 | openID: 10 | ca: 11 | name: openidcacrt 12 | claims: 13 | email: 14 | - email 15 | name: 16 | - name 17 | preferredUsername: 18 | - preferred_username 19 | - username 20 | clientID: openshift 21 | clientSecret: 22 | name: keycloack-openshit-client-secret 23 | extraScopes: [] 24 | issuer: >- 25 | https://keycloak-openshift-sso.apps.hub.rhtelco.io/auth/realms/openshift 26 | type: OpenID 27 | templates: 28 | login: 29 | name: matrix-login-template 30 | providerSelection: 31 | name: matrix-providers-template -------------------------------------------------------------------------------- /apps/07-oauth/base/02-sealed-rhsso-client-secret.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: bitnami.com/v1alpha1 2 | kind: SealedSecret 3 | metadata: 4 | creationTimestamp: null 5 | name: keycloack-openshit-client-secret 6 | namespace: openshift-config 7 | spec: 8 | encryptedData: 9 | clientSecret: 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 10 | 
template: 11 | data: null 12 | metadata: 13 | creationTimestamp: null 14 | name: keycloack-openshit-client-secret 15 | namespace: openshift-config 16 | type: Opaque 17 | 18 | -------------------------------------------------------------------------------- /apps/07-oauth/base/kustomization.yaml: -------------------------------------------------------------------------------- 1 | kind: Kustomization 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | 4 | bases: 5 | - login 6 | 7 | resources: 8 | - 01-oauth-cluster.yaml 9 | - 02-sealed-rhsso-client-secret.yaml -------------------------------------------------------------------------------- /apps/07-oauth/base/login/kustomization.yaml: -------------------------------------------------------------------------------- 1 | kind: Kustomization 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | 4 | namespace: openshift-config 5 | 6 | secretGenerator: 7 | - name: matrix-login-template 8 | options: 9 | disableNameSuffixHash: true 10 | files: 11 | - login.html 12 | - name: matrix-providers-template 13 | options: 14 | disableNameSuffixHash: true 15 | files: 16 | - providers.html -------------------------------------------------------------------------------- /apps/07-oauth/overlays/ca-central/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | 5 | commonAnnotations: 6 | argocd.argoproj.io/compare-options: IgnoreExtraneous 7 | argocd.argoproj.io/sync-options: Prune=false 8 | 9 | bases: 10 | - ../../base 11 | 12 | patches: 13 | - target: 14 | kind: OAuth 15 | name: cluster 16 | patch: |- 17 | - op: replace 18 | path: /spec/identityProviders/0/openID/issuer 19 | value: >- 20 | https://keycloak-openshift-sso.apps.ca-central.adetalhouet.ca/auth/realms/openshift -------------------------------------------------------------------------------- /apps/07-oauth/overlays/default/kustomization.yaml: 
# ==== /apps/07-oauth/overlays/default/kustomization.yaml ====
# Overlay for the "default" cluster: inherits ../../base and rewrites the
# OIDC issuer URL of the first (only) identity provider so that the cluster
# OAuth server trusts this cluster's Keycloak realm.
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

# OAuth/cluster is a platform singleton that Argo CD did not create.
# NOTE(review): Prune=false means Argo CD never deletes this object, and
# IgnoreExtraneous presumably keeps platform-managed fields out of the diff;
# confirm the intended behaviour if an identity provider is ever removed
# from Git, since it will not be cleaned up by a sync.
commonAnnotations:
  argocd.argoproj.io/compare-options: IgnoreExtraneous
  argocd.argoproj.io/sync-options: Prune=false

bases:
  - ../../base

patches:
  - target:
      kind: OAuth
      name: cluster
    patch: |-
      - op: replace
        path: /spec/identityProviders/0/openID/issuer
        value: >-
          https://keycloak-openshift-sso.apps.hub-adetalhouet.rhtelco.io/auth/realms/openshift

# ==== /apps/08-openshift-elasticsearch/01-install.yaml ====
# Installs the OpenShift Elasticsearch Operator from the redhat-operators
# catalog (backing store for 09-openshift-logging).
---
apiVersion: v1
kind: Namespace
metadata:
  name: openshift-operators-redhat
  annotations:
    openshift.io/node-selector: ""
  labels:
    # Lets the in-cluster monitoring stack scrape this namespace.
    openshift.io/cluster-monitoring: "true"
---
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: elasticsearch-operator
  # NOTE(review): the Namespace created above (openshift-operators-redhat)
  # is not the one this Subscription lives in (openshift-operators), and no
  # OperatorGroup is defined for openshift-operators-redhat here — the
  # namespace looks unused. Confirm which namespace the operator is meant to
  # run in before relying on this manifest.
  namespace: openshift-operators
  labels:
    operators.coreos.com/elasticsearch-operator.openshift-operators: ''
spec:
  channel: 'stable'
  # Automatic: every new operator version published on the channel is
  # applied without a human approval step. Manual would gate upgrades on
  # approving the InstallPlan.
  installPlanApproval: Automatic
  name: elasticsearch-operator
  source: redhat-operators
  sourceNamespace: openshift-marketplace

# ==== /apps/08-openshift-elasticsearch/kustomization.yaml ====
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
  - 01-install.yaml

# ==== /apps/09-openshift-logging/01-install.yaml ====
# Namespace, OperatorGroup and Subscription for the Cluster Logging Operator;
# the operator only watches its own namespace (targetNamespaces below).
---
apiVersion: v1
kind: Namespace
metadata:
  name: openshift-logging
  annotations:
    openshift.io/node-selector: ""
  labels:
    openshift.io/cluster-monitoring: "true"
---
apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: cluster-logging
  namespace: openshift-logging
spec:
  targetNamespaces:
    - openshift-logging
---
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: cluster-logging
  namespace: openshift-logging
spec:
  channel: "stable"
  # installPlanApproval is not set here; OLM's default is Automatic, so
  # upgrades are applied unattended — TODO confirm that is intended, and
  # keep it consistent with the Elasticsearch Subscription above.
  name: cluster-logging
  source: redhat-operators
  sourceNamespace: openshift-marketplace

# ==== /apps/09-openshift-logging/02-cluster-logging.yaml ====
# ClusterLogging instance: fluentd collectors, a 3-node Elasticsearch store
# on Ceph RBD, a curator and a single Kibana replica.
---
apiVersion: logging.openshift.io/v1
kind: ClusterLogging
metadata:
  namespace: openshift-logging
  name: instance
  annotations:
    # The ClusterLogging CRD only exists once the operator from
    # 01-install.yaml has been installed, so Argo CD must not fail the
    # pre-sync dry run on the missing kind.
    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
spec:
  collection:
    logs:
      fluentd: {}
      type: fluentd
  curation:
    curator:
      # Daily at 03:30 (cron syntax).
      schedule: 30 3 * * *
    type: curator
  logStore:
    elasticsearch:
      nodeCount: 3
      redundancyPolicy: SingleRedundancy
      storage:
        # NOTE(review): "20G" is a decimal unit (20 * 10^9 bytes, ~18.6Gi);
        # "20Gi" was probably intended — confirm.
        size: 20G
        storageClassName: ocs-storagecluster-ceph-rbd
      resources:
        limits:
          memory: 4Gi
        requests:
          cpu: 200m
          memory: 4Gi
    retentionPolicy:
      application:
        maxAge: 15d
      # NOTE(review): audit logs are kept for only 15 days, in the same
      # cluster that generated them. Confirm this satisfies your retention
      # requirement; the ClusterLogForwarder in 03-cluster-log-fowarder.yaml
      # currently sends audit logs only to this default store.
      audit:
        maxAge: 15d
      infra:
        maxAge: 15d
    type: elasticsearch
  managementState: Managed
  visualization:
    kibana:
      replicas: 1
    type: kibana

# ==== /apps/09-openshift-logging/03-cluster-log-fowarder.yaml ====
# ==== /apps/09-openshift-logging/03-cluster-log-fowarder.yaml ====
# Single pipeline that routes audit, application and infrastructure logs to
# the operator-managed Elasticsearch store ("default").
# NOTE(review): nothing leaves the cluster. If audit logs must survive a
# cluster compromise, deletion or the 15-day in-cluster retention, add an
# external output (and a second pipeline or outputRef) for the audit input.
---
apiVersion: logging.openshift.io/v1
kind: ClusterLogForwarder
metadata:
  name: instance
  namespace: openshift-logging
  annotations:
    # CRD is created by the operator at sync time; do not fail the dry run.
    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
spec:
  pipelines:
    - inputRefs:
        - audit
        - application
        - infrastructure
      name: enable-default-log-store
      outputRefs:
        - default

# ==== /apps/09-openshift-logging/kustomization.yaml ====
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
  - 01-install.yaml
  - 02-cluster-logging.yaml
  - 03-cluster-log-fowarder.yaml
  - 04-console-link.yaml

# ==== /apps/10-ansible-automation-platform/overlays/ca-central/kustomization.yaml ====
# Ansible Automation Platform for the ca-central cluster, built entirely from
# remote bases: the operator (cluster-scoped, stable-2.4 channel) and a
# default AutomationController instance.
---
kind: Kustomization
apiVersion: kustomize.config.k8s.io/v1beta1

# Remote bases pulled from the community redhat-cop/gitops-catalog repository
# (Red Hat Canada GitOps content; not a Red Hat-supported artifact).
# NOTE(review): ?ref=main tracks a mutable branch, so every Argo CD sync
# re-fetches whatever is on main at that moment — anyone who can push to that
# repository can change what this cluster deploys. Pin ?ref= to a release tag
# or, better, a commit SHA and bump it deliberately.
# NOTE(review): this overlay follows stable-2.4-cluster-scoped while
# overlays/default follows stable-2.1-cluster-scoped; the two clusters run
# different operator versions — confirm that is intended.
bases:
  - github.com/redhat-cop/gitops-catalog/ansible-automation-platform/operator/overlays/stable-2.4-cluster-scoped?ref=main
  - github.com/redhat-cop/gitops-catalog/ansible-automation-platform/instance/overlays/default?ref=main

patches:
  # - target:
  #     kind: OperatorGroup
  #     name: ansible-automation-platform-operator
  #   patch: |-
  #     - op: replace
  #       path: /spec/targetNamespaces
  #       value: []
  # Console link to this cluster's controller route.
  - target:
      kind: ConsoleLink
      name: controller
    patch: |-
      - op: replace
        path: /spec/href
        value: 'https://controller-ansible-automation-platform.apps.ca-central.adetalhouet.ca'
  # Put the controller's PostgreSQL on the ODF/OCS CephFS storage class.
  - target:
      kind: AutomationController
      name: controller
    patch: |-
      - op: add
        path: /spec/postgres_storage_class
        value: 'ocs-storagecluster-cephfs'

# ==== /apps/10-ansible-automation-platform/overlays/default/kustomization.yaml ====
# Same shape as the ca-central overlay, but on the stable-2.1 operator channel
# and with the instance still named "tower".
---
kind: Kustomization
apiVersion: kustomize.config.k8s.io/v1beta1

# Remote bases pulled from the community redhat-cop/gitops-catalog repository
# (Red Hat Canada GitOps content; not a Red Hat-supported artifact).
# NOTE(review): ?ref=main tracks a mutable branch; pin it to a tag or commit
# SHA so that a push to that repository cannot silently change this cluster.
bases:
  - github.com/redhat-cop/gitops-catalog/ansible-automation-platform/operator/overlays/stable-2.1-cluster-scoped?ref=main
  - github.com/redhat-cop/gitops-catalog/ansible-automation-platform/instance/overlays/default?ref=main

patches:
  # - target:
  #     kind: Subscription
  #     name: ansible-automation-platform
  #   patch: |-
  #     - op: replace
  #       path: /metadata/namespace
  #       value: 'ansible-automation-platform'
  #     - op: add
  #       path: /spec/startingCSV
  #       value: ansible-automation-platform-operator.v2.0.0
  #     - op: add
  #       path: /spec/installPlanApproval
  #       value: Manual
  - target:
      kind: ConsoleLink
      name: tower
    patch: |-
      - op: replace
        path: /spec/href
        value: 'https://tower-ansible-automation-platform.apps.hetzner.sandbox1091.opentlc.com'
  - target:
      kind: AutomationController
      name: tower
    patch: |-
      - op: add
        path: /spec/postgres_storage_class
        value: 'ocs-storagecluster-cephfs'

# ==== /apps/11-quay-container-security/01-install.yaml ====
# Installs the Container Security Operator (image vulnerability reporting
# from Quay/Clair) into its own namespace.
---
apiVersion: v1
kind: Namespace
metadata:
  name: quay-operator
---
apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: quay-operator-group
  namespace: quay-operator
spec:
  # An empty targetNamespaces list is OLM's "all namespaces" mode: the
  # operator is cluster-wide, presumably so it can inspect pods in every
  # namespace — confirm, since it is the broadest possible scope.
  targetNamespaces: []
---
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: container-security-operator
  namespace: quay-operator
spec:
  # Pinned to a specific minor stream. NOTE(review): once this stream stops
  # receiving updates the operator will silently stop getting fixes; track
  # when to move to a newer stable channel.
  channel: stable-3.7
  # Upgrades within the channel are applied without approval.
  installPlanApproval: Automatic
  name: container-security-operator
  source: redhat-operators
  sourceNamespace: openshift-marketplace

# ==== /apps/11-quay-container-security/kustomization.yaml ====
-------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | 5 | resources: 6 | - 01-install.yaml -------------------------------------------------------------------------------- /apps/12-advanced-cluster-management/.gitignore: -------------------------------------------------------------------------------- 1 | creds/* -------------------------------------------------------------------------------- /apps/12-advanced-cluster-management/00-install-creds.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: acm-credentials -------------------------------------------------------------------------------- /apps/12-advanced-cluster-management/01-sealed-aws-creds.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: bitnami.com/v1alpha1 2 | kind: SealedSecret 3 | metadata: 4 | creationTimestamp: null 5 | name: aws 6 | namespace: acm-credentials 7 | spec: 8 | encryptedData: 9 | aws_access_key_id: 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 10 | aws_secret_access_key: 
AgAoJ5pcp2n5FItbu7UC8QwvC5t8sFtD3kJ2d0av6id/M/cYd5+6IQKfPm26DluDZpuiSKc8aL/cGCtfLViZ1CFNo9NJgJv7yW98WNJTUayToCJXta0lI07fazlFPjSlIO2fYeuSyeCm4RVnm5ZcK70XKvsNJT+pNnwV1Jj/YLJGgGwpq7OisxZSOt0F8M0sWnhFNdAsDMDrelbMJT5ZoI++FmL1tvthHpe1ytv6jhz9htGeh8QtctbNR1gTSPgrlwJfNeH9FOG19DqNkGh4QR2z4shOpjQZyexQeJ8vanRz42cB+OOkOC1ABxFRFoxJ2PeBLcW/lzprSPWTLxcWj5RI6UCaZXNe4DaliJmObIoEeNwYpVOsEF36nqPN4rj2ks/BuNsWZtLNHpnZz92Wz6bMQ3BotKvQnho3u6vtWhObaLs+vyNEO7E7IKNw0bjmf43XwonTlmNrNsoIOgvHzbJbt4woiYny7VhMOEGBxlFgB+KYQ6CBGTQcV3TuqINXaP29naAilvwr3X6aX7hPjIJzhA9W0oEoTvj/I7dhtaG8t5X6ODD+5caTByfYxFYIevJRISGdO6jHzUW+yH8BbqebOg6ftFqTqJqlV3PhU7p6JjJOW5ZZ0F+uSRWpsPu4QhtLmZ85dnxG/wvGxrHAndeJzHeeqkX7h0Xisk1HS9Cpo1g50pThzZzlW++TyZvk1jwCHHZnYNJocBpvb9b32eYoSkwHWz/9D37IGUbMp4PUqM8yGQi+kNBB 11 | baseDomain: 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 12 | pullSecret: AgAsJViYlOG0DegFuYKHiRRwBDfE/3yIiNeYLS0YvizMZs4khF+fJQJEUyOW3bvwASe8SyEZt4vnU8zSY22aKpFUszYqyZQDFSJ49FBuhO/oGQGMIN6CV87UzNiF4TYrWW1h+uyxSI1SOsyRRTrMb4WoTA3YvdlLZHbEmmLD3hZ/gSyEoFy8aed5HgC9nRd+ktwvB0zGWGqv9SDeCv7RuxeoYW8Ruem+IjEbDxUlUhkKq390T9CkEvORFsbnFN8DA+pIFZZGAwbpLpBJ/OkbwSFTXs3YIWaBcsV79QzGYJurHmQptANI/NV7B/OPdiu1i/mbkh5Rz7iRuT352PUm/mWAyybSmrfpR9tQ1Utre7k0HYwHtU/2VF3eCI75ALXClqTsG9wyTrK6rcrTPQcziFglO66OgbjgZYyWZ64sKjKdkNHpIrz8zgEWfRGPEAcgxB8uFmQib3ucMy9YVw/CWKbYZ3cM7XRXpf11gldB60SwJomlbCWWDGEKveIt8F2v2J1dNBiQSio2KH4vEX6mJYWJoiB1ZjwlyFLGbi/JUn1z3FJQuj73LyMFoSU578cnEKdIXtNppQwBaHsGMy2xxeUu1DXCR5Yhx4REbBL5xN88JvlVoKh4oJuJIpKV+1PkcTMqEygSRxDI5RcrIjEz9cFNdo842Xr1zOOxpr0Ci1MWEOL54G2lB5iZZU6gMdKZEdbYIcNQeIrP93AnvkSl03/M/nwQ2RSg9eY1nvbFyDvecTJCD5MOeL8Vq7TzrKbp0ZaYEOTarEPDlG/X2jmkdHEaSzstFscao6ESM/WVHfVnllOHAafyDXWTuVoPoAmm/8TvTdgZ3tacyxyCuBTgL3r3dgg6Y4Wt/C02vuKA+OkhDKO4E96hpkbyHdi/Rt/ZsdmbhHY4lMWN3wgxS1+Ji0NURfOe/XBAYxxWluCWXfoIWEYchYC4jkuXUUslK5N47GyYEb7RSxRJAn/2b0kR3Tf2rF0e1KQM1dXIdW5nvqLAKCSqdfoKVE7aILrJX2PH/2Aplh8SXexbj9FUYhvqiBosU/Wd9ckDx+txqAVlirh8N/wOBmYo78mAsiOor9nQuU8G4zc+Ktm5sFd58lsvQgkt/gl6SzTK/jKPL/6LKK2Im2OpvmCvx4mmFYUdasq
3FMUmB+kVk+apSjr0bvo6ffYSzAvDRZF4VwaBTFcNCAWNRQmUhZOlKIu8zqEnSTeVBy4BSrJGyMREb0HSSBe14gHjIPuSM8XVgpdcv2bSppRa6U/+CwM0iRt1yuFm/0Z2GhypUa9Td/k1gJFUDdPLasiCukDqyTRxZ/Dpsxw7sSaiNgoLsy8byGAYBEBdgXPZE4wvuoNEBBEHP+rIMUhdpPC2508uEXg+syS7fbAy8RT07+8EVLu60n255UB6F/UHs2purUtMPb/KhipYDkPdhe0e6pzrMPHEY1LvPOU/lSziG74596UUhyGIOgr5f2sPCo2kP35jmef1EIla59dOr0nj4H9Kx7WXh8eawSzyL3MI7QIrzzpyrjW4CIqu9guaX80zXBRCL6GPAzsAG7gI92WxdAD+NYfp3nDAYYRkb7W88Rjq4oGg8aN77QsGFwYS3CyzXAzbk1Lp+74HLGTrJVqyMpUzNiEFtDB/K3BG03f1Pun91ytVHpuZUe1r5dgLyu0XaDkOLkTAoQcQKEYaKz1hewkdrD2fsb0GqpSfptdvy+KPQASE5K8tQOReznOzmX6XM5mNYJpjETB33AJ6CYl5sWS6sq+oaQjfzL2vMXBQm/zjq/0XnxGXK5PMYd5OsNFh268x2ccisuVivV34TI3HgEReYWKhvcT1kmV7FHlDPYvXY0j/abd/viUwndqEsjdfLORwP3FN1O0Fu+ZMf0VQuemN8NqyrnTK3EkeTpHu5/MOkgTnzMgWwa2wG/PZwDVzh65a6oPCDGdBNr8j+XFbl/nd4vslpEzvHHZbL0J0S2vNpEazAXGI0rhsWdP3TceB+4G0eBy4CSejkNaftz0X7nM9PPnmudoK/gJMtNCGMGtxXvfyXLt+bE6c9LsoUi+NtGYHsds20vs6mwu9nXHYvZHeuu+4z2tLbZi/heE38I1OF/vSheMyyCBwR4Xx7G9IhgyujuR/pWrsou5HLKh6v9tpCS+Bej8Fnn4wBrPR1oMzTWQ3dyzdJr8T2+atNVChEQ1GpWMwUna7xDyjFpg9yLyLaf8gCTs3SbrQRDg6Rv+LhsWlwzY8HH9Fy0xCMyP6W6WcuyTEY527e1IIqwGP0y8bN1IygEEc1hTbLJn6pPmMr5ZeWwX7iMrbPn87t5h6Wi45B9o7nwN2/8HKNbgBo78YEm86Y4Ju+B3revlcLpkqioHgTo6/RPCiVMoSzYNiuILXNI0NuJ0Uel6MzQ62/xP/A4RS6b5p+HyN6GXa3P5/UAeIRwFviFfRAAt1Rtfq75EF6N15YysRi8SDuzdtH6iGcV4TpIv57+Q1aF918asyTk4Imo/WFAcqAvfgdtfP/gfrAdlstu8b0xAaHK1u/41oKew1tQsxJxx+a56SOyH481zAkx5t8fH9M6mjvVoCioxuU27EJw46cvDXHHy9IUzOJ0Qs6wpmo0ZkyLZFbonPw/VZle+ozla4egmr/sVUp1ymXmnLzCYt3rQxpwYIXURD4PPTYvdp0Gi8wCirOWmGWkumeE+PLWh9pFjXHLef8WsCGjVKaYClrH3NpDhSnoozRYUlpwgaWlDZmwblKLzWKgXtd5lICJgluDf2/dBJ6C7T4WhFXR1UMPLWRPXOGZ2yslU2cyJx5tPoG4BvJeQviuLxX460gibTFE/ileDnq0HRWO4lIl0jW1pIrYujwkzFnpVIA92tsw1pcfc2Vuiw+gj19vZ/Pq8grU6+VQz8W0aF619Xe1turJCUTdzK8zSRpCy9z+2yHbJugRsHFX+Z3T3Au1oYAZQAs9Bn5zfapPc9BzQO8nXCGfHtek0M2hqFu4mMyLHzRiTqdaPa7gfDxPcozE53dBqa5F/R5DmJIto4K1ZbXcjmrZLCx7Tg6vt8an2pKKj4KMq8Au1KWEHTzTHUiVh7ejY/asn7Wggf8Vjc5yalN5o9jgQ3zjT5NE21RGHrb94LEYnn4xyJspmYzPS9tVJaysjeLiGy23wG3XdvHD9CdYZ
zN8X3RdoUcx+5+RKwbjRejdUAmdr/J7vDqjdaTPJXh6lqoOgMEZDbZrjuBjqQFgkE42IKUAu4w+M4Mam3IjK7ISpT41C15Rj9rufHaSLf4IfTifaMre+T7TQZJJQ9d4arW7JvlEpzjdNJ3mCWOxh+BKEtxf/jMy3BmAtkHG6kBj2EPFJjxNOn39OvX+DMmAyT6ZRZGhhOb2KOCRTe1UBerxOLnlpBdWPsBPnetBFXGoGJerqXN7l/CW9wlOdcGPT3ml0QL8GKpXPanjOkv0VwDUAS3fbI25W/0cYbqRjSY4y/31Dc16AACRjUNfrMmK7X1oTWPNIgyMRbiTn8BaAbElrK3j1x6oqUKWMWReDpIjDz+p61cpd/9t9uhTtPc0uxzkd1Lmkv8oI5cwUEui74qZq570hssVEgfLREM3S38tOa+5yMkdyZda/JST43Tc4iSk4CTHFfO0GhOdG+R+cDjC/5FpvuJk8oGzJbjgTyCbwkjbT7FvvSURHMa6TXXwZyzKXFd+4tZQ5gJIYfSiOOcoku+TizED80kPwvwHQAL9EPwFPyCyToKZvoqG/Q8h8wie4TtadnOACZPmTSYLT/qJcYD5ny1NnOaipoC0kswf3g0FUWaPzqiVcciImhKrKWpMAqKQOMSJEo7kng4WPl7uKVsNGa67nZSIbeo8FWrfFvWQ8XrDyXD+eyOsbpqQDLLPSVnahq6ZuqDJjI10DxdDjD6S8dELf1qHT62divWvR0TEuhSypEsA4OwAq8q4n8u779jmLPsSQU8Ug+TNQqebxGD5vGH462hMaxp9O9mv5bXajEYvYbzVqq9QFD+47pw07zhPKwdWTEIA69YyDun/PMEwdD/fBeXbQTufkES2cp8JV4cyoXwL6uzjN2UHyMuTwRJbfv4Eb8TmsC0hsK8IXg+cWHPUjLB0iWGQFoXOsMtvG1TOzyvEG4oLcANyi7BC5b5MKSBAtDCpeIeScXNNMcMpK0rSN3+3IBSaJ7M5P6i/tBYj5/A9oN1HtJcoM6cDXmBpjN20UNeQrGjIIfrtxDEn3mq+3hfR1sYinQ88ZosMtGa8ySRAm8wzRQWoyCvhENrvclnIvq5X7uFMPjFgEyhTBhn6LCPaZeFtHKdCYBIY8dmxx0uz9eNxuRVvK1S0owgtCuMSsbhtzUaaroNERYrgy4PUw3dhIY3j73ztSvvWB3m1/v8SrAyrf3Kl2XcSBf9JQgDQO7n43KkmD0qpEtd7vSmoOb0WfD0Ls= 13 | ssh-privatekey: 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 14 | ssh-publickey: 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 15 | template: 16 | data: null 17 | metadata: 18 | creationTimestamp: null 19 | labels: 20 | cluster.open-cluster-management.io/credentials: "" 21 | cluster.open-cluster-management.io/type: aws 22 | name: aws 23 | namespace: acm-credentials 24 | type: Opaque 25 | 26 | -------------------------------------------------------------------------------- /apps/12-advanced-cluster-management/01-sealed-clustermanager.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: bitnami.com/v1alpha1 2 | kind: SealedSecret 3 | metadata: 4 | 
creationTimestamp: null 5 | name: cluster-manager 6 | namespace: acm-credentials 7 | spec: 8 | encryptedData: 9 | ocmAPIToken: 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 10 | template: 11 | data: null 12 | metadata: 13 | creationTimestamp: null 14 | labels: 15 | cluster.open-cluster-management.io/credentials: "" 16 | cluster.open-cluster-management.io/type: rhocm 17 | name: cluster-manager 18 | namespace: acm-credentials 19 | type: Opaque 20 | 21 | -------------------------------------------------------------------------------- /apps/12-advanced-cluster-management/01-sealed-tower-creds.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: bitnami.com/v1alpha1 2 | kind: SealedSecret 3 | metadata: 4 | creationTimestamp: null 5 | name: tower 6 | namespace: acm-credentials 7 | spec: 8 | encryptedData: 9 | host: 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 10 | token: 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 11 | template: 12 | data: null 13 | metadata: 14 | creationTimestamp: null 15 | labels: 16 | cluster.open-cluster-management.io/credentials: "" 17 | cluster.open-cluster-management.io/type: ans 18 | name: tower 19 | namespace: acm-credentials 20 | type: Opaque 21 | 22 | -------------------------------------------------------------------------------- /apps/12-advanced-cluster-management/02-cluster-curator.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: cluster.open-cluster-management.io/v1beta1 2 | kind: ClusterCurator 3 | metadata: 4 | name: cluster-automation 5 | namespace: acm-playground 6 | spec: 7 | destroy: 8 | posthook: 9 | - extra_vars: 10 | message: RHACM_CLUSTER_DELETION_ENDED 11 | name: send-slack-message-cluster-deploy 12 | prehook: 13 | - extra_vars: 14 | message: RHACM_CLUSTER_DELETION_STATED 15 | name: send-slack-message-cluster-deploy 16 | towerAuthSecret: toweraccess 17 | install: 18 | posthook: 19 | - extra_vars: 
20 | message: RHACM_CLUSTER_DEPLOYMENT_ENDED 21 | name: send-slack-message-cluster-deploy 22 | prehook: 23 | - extra_vars: 24 | message: RHACM_CLUSTER_DEPLOYMENT_STATED 25 | name: send-slack-message-cluster-deploy 26 | towerAuthSecret: toweraccess 27 | scale: 28 | posthook: 29 | - extra_vars: 30 | message: RHACM_CLUSTER_SCALE_ENDED 31 | name: send-slack-message-cluster-deploy 32 | prehook: 33 | - extra_vars: 34 | message: RHACM_CLUSTER_SCALE_STATED 35 | name: send-slack-message-cluster-deploy 36 | towerAuthSecret: toweraccess 37 | upgrade: 38 | posthook: 39 | - extra_vars: 40 | message: RHACM_CLUSTER_UPGRADE_ENDED 41 | name: send-slack-message-cluster-deploy 42 | prehook: 43 | - extra_vars: 44 | message: RHACM_CLUSTER_UPGRADE_STATED 45 | name: send-slack-message-cluster-deploy 46 | towerAuthSecret: toweraccess 47 | -------------------------------------------------------------------------------- /apps/12-advanced-cluster-management/03-subscription-admin.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRoleBinding 3 | metadata: 4 | name: open-cluster-management-subscription-admin 5 | roleRef: 6 | apiGroup: rbac.authorization.k8s.io 7 | kind: ClusterRole 8 | name: open-cluster-management:subscription-admin 9 | subjects: 10 | - apiGroup: rbac.authorization.k8s.io 11 | kind: User 12 | name: kube:admin 13 | - apiGroup: rbac.authorization.k8s.io 14 | kind: User 15 | name: system:admin 16 | - apiGroup: rbac.authorization.k8s.io 17 | kind: User 18 | name: adetalhouet -------------------------------------------------------------------------------- /apps/12-advanced-cluster-management/04-auto-import-in-argocd.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: cluster.open-cluster-management.io/v1alpha1 3 | kind: ManagedClusterSet 4 | metadata: 5 | name: 5g-core 6 | annotations: 7 | argocd.argoproj.io/sync-options: 
SkipDryRunOnMissingResource=true 8 | spec: {} 9 | --- 10 | apiVersion: cluster.open-cluster-management.io/v1alpha1 11 | kind: ManagedClusterSetBinding 12 | metadata: 13 | name: 5g-core 14 | namespace: openshift-gitops 15 | annotations: 16 | argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true 17 | spec: 18 | clusterSet: 5g-core 19 | --- 20 | apiVersion: cluster.open-cluster-management.io/v1alpha1 21 | kind: Placement 22 | metadata: 23 | name: 5g-core-clusters 24 | namespace: openshift-gitops 25 | annotations: 26 | argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true 27 | spec: 28 | predicates: 29 | - requiredClusterSelector: 30 | labelSelector: 31 | matchLabels: 32 | 5g-core: "True" 33 | --- 34 | apiVersion: apps.open-cluster-management.io/v1beta1 35 | kind: GitOpsCluster 36 | metadata: 37 | name: argo-acm-clusters 38 | namespace: openshift-gitops 39 | annotations: 40 | argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true 41 | spec: 42 | argoServer: 43 | cluster: local-cluster 44 | argoNamespace: openshift-gitops 45 | placementRef: 46 | kind: Placement 47 | apiVersion: cluster.open-cluster-management.io/v1alpha1 48 | name: 5g-core-clusters 49 | namespace: openshift-gitops -------------------------------------------------------------------------------- /apps/12-advanced-cluster-management/bk/remove-acm-observability.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Ref: https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.2/html/install/installing#removing-a-multiclusterhub-instance-by-using-commands 4 | 5 | ACM_NAMESPACE=open-cluster-management 6 | oc delete mco observability 7 | oc delete multiclusterhub --all 8 | oc delete mch --all -n $ACM_NAMESPACE 9 | helm ls --namespace $ACM_NAMESPACE | cut -f 1 | tail -n +2 | xargs -n 1 helm delete --namespace $ACM_NAMESPACE 10 | oc delete apiservice 
v1beta1.webhook.certmanager.k8s.io v1.admission.cluster.open-cluster-management.io v1.admission.work.open-cluster-management.io 11 | oc delete clusterimageset --all 12 | oc delete configmap -n $ACM_NAMESPACE cert-manager-controller cert-manager-cainjector-leader-election cert-manager-cainjector-leader-election-core 13 | oc delete consolelink acm-console-link 14 | oc delete crd klusterletaddonconfigs.agent.open-cluster-management.io placementbindings.policy.open-cluster-management.io policies.policy.open-cluster-management.io userpreferences.console.open-cluster-management.io searchservices.search.acm.com 15 | oc delete mutatingwebhookconfiguration cert-manager-webhook cert-manager-webhook-v1alpha1 16 | oc delete oauthclient multicloudingress 17 | oc delete rolebinding -n kube-system cert-manager-webhook-webhook-authentication-reader 18 | oc delete scc kui-proxy-scc 19 | oc delete validatingwebhookconfiguration cert-manager-webhook cert-manager-webhook-v1alpha1 -------------------------------------------------------------------------------- /apps/12-advanced-cluster-management/bk/remove-acm.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | if [ -z "${OPERATOR_NAMESPACE}" ]; then 4 | OPERATOR_NAMESPACE="open-cluster-management" 5 | fi 6 | 7 | if [ -z "${KLUSTERLET_NAMESPACE}" ]; then 8 | KLUSTERLET_NAMESPACE="open-cluster-management-hub" 9 | fi 10 | 11 | KUBECTL=oc 12 | 13 | # Force delete klusterlet 14 | echo "attempt to delete klusterlet" 15 | ${KUBECTL} delete klusterlet klusterlet --timeout=60s 16 | ${KUBECTL} delete namespace ${KLUSTERLET_NAMESPACE} --wait=false 17 | echo "force removing klusterlet" 18 | ${KUBECTL} patch klusterlet klusterlet --type="json" -p '[{"op": "remove", "path":"/metadata/finalizers"}]' 19 | echo "removing klusterlet crd" 20 | ${KUBECTL} delete crd klusterlets.operator.open-cluster-management.io --timeout=30s 21 | 22 | # Force delete all component CRDs if they still exist 23 | 
# CRDs whose instances are force-deleted below. Stripping a finalizer skips the
# owning controller's cleanup, so any external state those controllers would
# normally tear down may be left behind; run this only once the operator is
# already gone and the leftovers are accepted.
component_crds=(
  baremetalassets.inventory.open-cluster-management.io
  channels.apps.open-cluster-management.io
  clustermanagementaddons.addon.open-cluster-management.io
  clustermanagers.operator.open-cluster-management.io
  deployables.apps.open-cluster-management.io
  helmreleases.apps.open-cluster-management.io
  klusterletaddonconfigs.agent.open-cluster-management.io
  managedclusteractions.action.open-cluster-management.io
  managedclusteraddons.addon.open-cluster-management.io
  managedclusterinfos.internal.open-cluster-management.io
  managedclusters.cluster.open-cluster-management.io
  managedclustersetbindings.cluster.open-cluster-management.io
  managedclustersets.cluster.open-cluster-management.io
  managedclusterviews.view.open-cluster-management.io
  manifestworks.work.open-cluster-management.io
  mirroredmanagedclusters.cluster.open-cluster-management.io
  multiclusterhubs.operator.open-cluster-management.io
  multiclusterobservabilities.observability.open-cluster-management.io
  observabilityaddons.observability.open-cluster-management.io
  placementbindings.policy.open-cluster-management.io
  placementrules.apps.open-cluster-management.io
  policies.policy.open-cluster-management.io
  searchcustomizations.search.open-cluster-management.io
  searchoperators.search.open-cluster-management.io
  submarinerconfigs.submarineraddon.open-cluster-management.io
  subscriptions.apps.open-cluster-management.io
  userpreferences.console.open-cluster-management.io
)

# For every CRD: try a normal delete first, then drop the finalizers so the
# objects cannot block the namespace deletion at the end of the script, and
# finally remove the CRD itself.
# NOTE(review): several entries (e.g. managedclusters, clustermanagers) look
# cluster-scoped, in which case the -n flag is ignored by the client.
for crd in "${component_crds[@]}"; do
  echo "force delete all CustomResourceDefinition ${crd} resources..."
  for resource in `${KUBECTL} get ${crd} -o name -n ${OPERATOR_NAMESPACE}`; do
    echo "attempt to delete ${crd} resource ${resource}..."
    ${KUBECTL} delete ${resource} -n ${OPERATOR_NAMESPACE} --timeout=30s
    echo "force remove ${crd} resource ${resource}..."
59 | ${KUBECTL} patch ${resource} -n ${OPERATOR_NAMESPACE} --type="json" -p '[{"op": "remove", "path":"/metadata/finalizers"}]' 60 | done 61 | echo "force delete all CustomResourceDefinition ${crd} resources..." 62 | ${KUBECTL} delete crd ${crd} 63 | done 64 | 65 | ${KUBECTL} delete namespace ${OPERATOR_NAMESPACE} 66 | -------------------------------------------------------------------------------- /apps/12-advanced-cluster-management/idp.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: idp-mgmt-config 5 | --- 6 | apiVersion: operators.coreos.com/v1alpha1 7 | kind: CatalogSource 8 | metadata: 9 | name: ocp410 10 | namespace: idp-mgmt-config 11 | spec: 12 | displayName: '' 13 | image: 'registry.redhat.io/redhat/redhat-operator-index:v4.10' 14 | publisher: '' 15 | sourceType: grpc 16 | --- 17 | apiVersion: operators.coreos.com/v1 18 | kind: OperatorGroup 19 | metadata: 20 | name: idp-mgmt-operatorgroup 21 | namespace: idp-mgmt-config 22 | spec: 23 | targetNamespaces: 24 | - idp-mgmt-config 25 | --- 26 | apiVersion: operators.coreos.com/v1alpha1 27 | kind: Subscription 28 | metadata: 29 | name: idp-mgmt-operator-subscription 30 | namespace: idp-mgmt-config 31 | spec: 32 | sourceNamespace: openshift-marketplace 33 | source: redhat-operators 34 | channel: alpha 35 | installPlanApproval: Automatic 36 | name: idp-mgmt-operator 37 | --- 38 | apiVersion: identityconfig.identitatem.io/v1alpha1 39 | kind: IDPConfig 40 | metadata: 41 | name: idp-config 42 | namespace: idp-mgmt-config 43 | spec: 44 | --- 45 | kind: ConfigMap 46 | apiVersion: v1 47 | metadata: 48 | name: openidcacrt 49 | namespace: idp-mgmt-config 50 | data: 51 | ca.crt: |- 52 | -----BEGIN CERTIFICATE----- 53 | MIIFYzCCBEugAwIBAgISA2dFvGv30kQtQmEm396x7lrRMA0GCSqGSIb3DQEBCwUA 54 | MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD 55 | EwJSMzAeFw0yMjA5MjIxMzQ2NDhaFw0yMjEyMjExMzQ2NDdaMCgxJjAkBgNVBAMT 
56 | HWFwaS5jYS1jZW50cmFsLmFkZXRhbGhvdWV0LmNhMIIBIjANBgkqhkiG9w0BAQEF 57 | AAOCAQ8AMIIBCgKCAQEAz3tasyRD5lw19RLTca2D+CHcj+8Og00GDFwZTa4ht4L0 58 | tIoc4xLjWXf+Um7C/sSzVTnqEYZPoa13kgR5ZET5mxfYeAHuXA+vGVUc23i1ZUsC 59 | ZjqAy5SxXG9fKolsNOTYMwxfXe7LIYzAad38pdcV5CDcNOKs+4Y0saKFTB7Tod1m 60 | TC5RanCEl/qmsrXUs9S4/qZkXkrhdDkrclYvaQ19KhyK9WwLs8FcmZRfTu6YSMwx 61 | F8shRa8TkkjfyV1niN69+PBgmZDVh+HzvSceWERuX5/Fq+36t52k89Zpi+7v2iPn 62 | mI5XvfXbK7o4KGr8V1jeivtZ3R8K6p/6yrrjM+zeKwIDAQABo4ICezCCAncwDgYD 63 | VR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNV 64 | HRMBAf8EAjAAMB0GA1UdDgQWBBQpGicUD8g0v0Sii55VbJQOvgIzDTAfBgNVHSME 65 | GDAWgBQULrMXt1hWy65QCUDmH6+dixTCxjBVBggrBgEFBQcBAQRJMEcwIQYIKwYB 66 | BQUHMAGGFWh0dHA6Ly9yMy5vLmxlbmNyLm9yZzAiBggrBgEFBQcwAoYWaHR0cDov 67 | L3IzLmkubGVuY3Iub3JnLzBKBgNVHREEQzBBgiAqLmFwcHMuY2EtY2VudHJhbC5h 68 | ZGV0YWxob3VldC5jYYIdYXBpLmNhLWNlbnRyYWwuYWRldGFsaG91ZXQuY2EwTAYD 69 | VR0gBEUwQzAIBgZngQwBAgEwNwYLKwYBBAGC3xMBAQEwKDAmBggrBgEFBQcCARYa 70 | aHR0cDovL2Nwcy5sZXRzZW5jcnlwdC5vcmcwggEFBgorBgEEAdZ5AgQCBIH2BIHz 71 | APEAdwBByMqx3yJGShDGoToJQodeTjGLGwPr60vHaPCQYpYG9gAAAYNlqmP+AAAE 72 | AwBIMEYCIQCFszbFKIvCYM0WGsp3Qk22pASSo3N11HWfm6RNocyvEAIhAK4MXlJS 73 | J6iUPBrujmXG0cIh8zuLGjFggGQLtViY8fV+AHYARqVV63X6kSAwtaKJafTzfREs 74 | QXS+/Um4havy/HD+bUcAAAGDZapj2gAABAMARzBFAiA5rEjEnEQpJcYrUYXQDNti 75 | CxnDMSBXPXW03AedNU3MggIhAN36LaLtF6DYiT8+i++uct/aIP6QDeXvwyC0eGPc 76 | 98+JMA0GCSqGSIb3DQEBCwUAA4IBAQBgqWfHm4rJHRucKQ0QhdGBxXoazDjSdMk5 77 | 2czO5lbAaKVyxPMcipeBAF5UBJ3YDc++ZL7O6ogaks7HNL6p8RsYc0lhqmXlF0EF 78 | 9oOwOL4yGvfoE5aGCICyFCHDnU8395iOW5ilA80Nh/bJFjRqmKHO9raZHoU3v87B 79 | 0yFo30yIagfgMvg0+mTzp3ouIIRRVQt/g/BAuzE549pW1xI8dwqsldNPYsrYBhu0 80 | Pil3of0tr2/YVIIq2jLeXlQtiksFio0fUSlqYr6pUIYV93RKQI2043zGqseJoLDB 81 | UdwMUcziJ9NbbRfcjsxv1BOUF3rkT/ow+MhJUzSD98xmtVwYp9qY 82 | -----END CERTIFICATE----- 83 | 84 | -----BEGIN CERTIFICATE----- 85 | MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw 86 | 
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh 87 | cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw 88 | WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg 89 | RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK 90 | AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP 91 | R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx 92 | sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm 93 | NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg 94 | Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG 95 | /kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC 96 | AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB 97 | Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA 98 | FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw 99 | AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw 100 | Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB 101 | gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W 102 | PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl 103 | ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz 104 | CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm 105 | lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4 106 | avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2 107 | yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O 108 | yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids 109 | hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+ 110 | HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv 111 | MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX 112 | nLRbwHOoq7hHwg== 113 | -----END CERTIFICATE----- 114 | 115 | -----BEGIN CERTIFICATE----- 116 | MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/ 117 | 
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT 118 | DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow 119 | TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh 120 | cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB 121 | AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC 122 | ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL 123 | wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D 124 | LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK 125 | 4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5 126 | bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y 127 | sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ 128 | Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4 129 | FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc 130 | SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql 131 | PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND 132 | TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw 133 | SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1 134 | c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx 135 | +tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB 136 | ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu 137 | b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E 138 | U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu 139 | MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC 140 | 5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW 141 | 9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG 142 | WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O 143 | he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC 144 | Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5 145 | -----END CERTIFICATE----- 
---
apiVersion: cluster.open-cluster-management.io/v1beta1
kind: Placement
metadata:
  name: identity-placement
  namespace: idp-mgmt-config
# NOTE(review): an empty Placement spec applies no selector; confirm which
# clusters it resolves to before the AuthRealm below is rolled out.
spec: {}
---
apiVersion: identityconfig.identitatem.io/v1alpha1
kind: AuthRealm
metadata:
  name: authrealm-openid
  namespace: idp-mgmt-config
spec:
  placementRef:
    name: identity-placement
  routeSubDomain: ad
  type: dex
  identityProviders:
    - name: oidc
      mappingMethod: add
      type: OpenID
      openID:
        # CA bundle used to verify the issuer; the openidcacrt ConfigMap is
        # defined earlier in this file.
        ca:
          name: openidcacrt
        claims:
          email:
            - email
          name:
            - name
          preferredUsername:
            - preferred_username
            - username
        clientID: openshift
        # NOTE(review): this Secret name looks misspelled; confirm a Secret with
        # exactly this name exists in idp-mgmt-config, otherwise the provider
        # cannot be configured.
        clientSecret:
          name: keycloack-openshit-client-secret
        extraScopes: []
        issuer: >-
          https://keycloak-openshift-sso.apps.ca-central.adetalhouet.ca/auth/realms/openshift
-------------------------------------------------------------------------------- /apps/12-advanced-cluster-management/kustomization.yaml: --------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

# NOTE(review): both remote bases track a moving branch (ref=main), so a push
# upstream changes what this cluster deploys on the next sync; pin them to a
# tag or commit for a reproducible, reviewable build.
# The operator base is the release-2.9 overlay while the patch below moves the
# Subscription to release-2.10 - confirm which channel is intended.
bases:
  - github.com/redhat-cop/gitops-catalog/advanced-cluster-management/operator/overlays/release-2.9?ref=main
  - github.com/redhat-cop/gitops-catalog/advanced-cluster-management/instance/base?ref=main

# Only the subscription-admin binding is applied; the credential SealedSecrets,
# the ClusterCurator and the GitOpsCluster wiring are kept in the tree but
# disabled.
resources:
  # - 00-install-creds.yaml
  # - 01-sealed-aws-creds.yaml
  # - 01-sealed-clustermanager.yaml
  # - 01-sealed-tower-creds.yaml
  # - 02-cluster-curator.yaml
  - 03-subscription-admin.yaml
  # - 04-auto-import-in-argocd.yaml

patches:
  - target:
      kind: Subscription
      name: advanced-cluster-management
    patch: |-
      - op: replace
        path: /spec/channel
        value: 'release-2.10'

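-------------------------------------------------------------------------------- /apps/15-advanced-cluster-managment-observability/00-namespace.yaml: --------------------------------------------------------------------------------
---
apiVersion: v1
kind: Namespace
metadata:
  name: open-cluster-management-observability
  labels:
    # Opt the namespace into the platform monitoring stack.
    openshift.io/cluster-monitoring: "true"
-------------------------------------------------------------------------------- /apps/15-advanced-cluster-managment-observability/01-acm-observability-bucket.yaml: --------------------------------------------------------------------------------
# Object bucket backing Thanos; the OBC controller publishes the bucket
# credentials in a Secret named after the claim, which the setup Job reads.
apiVersion: objectbucket.io/v1alpha1
kind: ObjectBucketClaim
metadata:
  name: acm-observability
  namespace: open-cluster-management-observability
spec:
  additionalConfig:
    bucketclass: noobaa-default-bucket-class
  generateBucketName: acm-observability
  objectBucketName: obc-open-cluster-management-observability-acm-observability
  storageClassName: openshift-storage.noobaa.io
-------------------------------------------------------------------------------- /apps/15-advanced-cluster-managment-observability/02-install-observability.yaml: --------------------------------------------------------------------------------
---
# Permissions for the observability-setup Job below. The ClusterRole stays the
# single definition of what the job may do, but it is now bound with
# namespaced RoleBindings instead of a ClusterRoleBinding: the previous binding
# let the job's ServiceAccount read and write Secrets in every namespace of the
# cluster, while the script only touches two namespaces.
# The old ClusterRoleBinding (acm-gitops-rolebinding) is not pruned by the
# Argo CD Application in argo-app/ and has to be removed explicitly.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  name: acm-cli-job-sa-role
rules:
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - get
      - list
      - create
      - patch
  - apiGroups:
      - objectbucket.io
    resources:
      - objectbucketclaims
    verbs:
      - get
      - list
      - create
      - patch
---
# In the observability namespace the job reads the bucket-credentials Secret
# and the ObjectBucketClaim and creates two Secrets, so the full ClusterRole is
# bound here.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: acm-gitops-rolebinding
  namespace: open-cluster-management-observability
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: acm-cli-job-sa-role
subjects:
  - kind: ServiceAccount
    name: cli-job-sa
    namespace: open-cluster-management-observability
---
# In openshift-config the job only extracts the cluster pull secret, so it gets
# read access to that single Secret and nothing else.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: acm-cli-job-pull-secret-reader
  namespace: openshift-config
rules:
  - apiGroups:
      - ""
    resources:
      - secrets
    resourceNames:
      - pull-secret
    verbs:
      - get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: acm-cli-job-pull-secret-reader
  namespace: openshift-config
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: acm-cli-job-pull-secret-reader
subjects:
  - kind: ServiceAccount
    name: cli-job-sa
    namespace: open-cluster-management-observability
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cli-job-sa
  namespace: open-cluster-management-observability
---
# One-shot setup for MultiClusterObservability: copies the cluster pull secret
# into this namespace (the MCO spec references it as imagePullSecret) and
# generates the thanos-object-storage Secret from the ObjectBucketClaim's
# credentials.
apiVersion: batch/v1
kind: Job
metadata:
  name: observability-setup
  namespace: open-cluster-management-observability
spec:
  template:
    spec:
      containers:
        # ':latest' with IfNotPresent runs whatever tag the node has cached;
        # a versioned tag or digest makes the run reproducible.
        - image: registry.redhat.io/openshift4/ose-cli:latest
          command:
            - /bin/bash
            - -c
            - |
              echo "Define pull-secret for MultiClusterHub Operator"
              # These are the registry credentials for the whole cluster; the copy
              # in this namespace deserves the same protection as the original.
              DOCKER_CONFIG_JSON=$(oc extract secret/pull-secret -n openshift-config --to=-)
              oc create secret generic multiclusterhub-operator-pull-secret \
                -n open-cluster-management-observability \
                --from-literal=.dockerconfigjson="$DOCKER_CONFIG_JSON" \
                --type=kubernetes.io/dockerconfigjson

              echo "Retreive acm-observability bucket ACCESS_KEY and SECRET_KEY"
              # The credentials Secret appears once the bucket has been provisioned;
              # poll until the access key is populated.
              ACCESS_KEY=""
              SECRET_KEY=""
              while [[ -z "$ACCESS_KEY" ]]; do
                echo "Wait for acm-observability bucket to be created, sleep 3 seconds"
                sleep 3
                ACCESS_KEY=$(oc get secret acm-observability -n open-cluster-management-observability --template='{{.data.AWS_ACCESS_KEY_ID}}' | base64 -d)
                SECRET_KEY=$(oc get secret acm-observability -n open-cluster-management-observability --template='{{.data.AWS_SECRET_ACCESS_KEY}}' | base64 -d)
              done

              echo "Retreive bucket NAME"
              BUCKET_NAME=$(oc get ObjectBucketClaim acm-observability -n open-cluster-management-observability --template='{{.spec.bucketName}}')

              # Idempotent: re-runs must not fail on an existing Secret. The
              # "already exists" message used to print unconditionally, and the
              # script's exit status was always that of the final echo, so a failed
              # 'oc create' never marked the Job as failed; now the exit status is
              # that of the create (or of the echo when nothing had to be done).
              if oc get secret thanos-object-storage -n open-cluster-management-observability >/dev/null 2>&1; then
                echo "thanos object storage configuration already exists"
              else
                echo "Create thanos object storage configuration"

                # Values are single-quoted so a key containing YAML indicator
                # characters cannot break the generated manifest.
                # insecure: true makes Thanos talk plain HTTP to the in-cluster S3
                # endpoint, so the keys travel unencrypted on the pod network;
                # switch to the https endpoint once its CA is trusted.
                echo "---
              apiVersion: v1
              kind: Secret
              metadata:
                name: thanos-object-storage
                namespace: open-cluster-management-observability
              type: Opaque
              stringData:
                thanos.yaml: |
                  type: s3
                  config:
                    bucket: '$BUCKET_NAME'
                    endpoint: s3.openshift-storage.svc
                    insecure: true
                    access_key: '$ACCESS_KEY'
                    secret_key: '$SECRET_KEY'" | oc create -f -
              fi
          imagePullPolicy: IfNotPresent
          name: observability-setup
      dnsPolicy: ClusterFirst
      restartPolicy: OnFailure
      serviceAccount: cli-job-sa
      serviceAccountName: cli-job-sa
      terminationGracePeriodSeconds: 30
-------------------------------------------------------------------------------- /apps/15-advanced-cluster-managment-observability/03-multiclusterobservability.yaml: --------------------------------------------------------------------------------
---
apiVersion: observability.open-cluster-management.io/v1beta2
kind: MultiClusterObservability
metadata:
  name: observability
  annotations:
    # The CRD is installed by the operator; let Argo CD sync before it exists.
    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
spec:
  enableDownsampling: true
  imagePullPolicy: Always
  # Created by the observability-setup Job from the cluster pull secret.
  imagePullSecret: multiclusterhub-operator-pull-secret
  observabilityAddonSpec:
    enableMetrics: true
    interval: 300
  storageConfig:
    alertmanagerStorageSize: 1Gi
    compactStorageSize: 100Gi
    # Generated by the observability-setup Job; 'key' is the entry in the Secret.
    metricObjectStorage:
      key: thanos.yaml
      name: thanos-object-storage
    receiveStorageSize: 100Gi
    ruleStorageSize: 1Gi
    storageClass: ocs-storagecluster-ceph-rbd
    storeStorageSize: 10Gi
-------------------------------------------------------------------------------- /apps/15-advanced-cluster-managment-observability/argo-app/argo-app.yaml: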
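--------------------------------------------------------------------------------
---
# Argo CD Application for the observability stack. The source path is fixed to
# match the directory name used everywhere else in this repository
# (15-advanced-..., not 15-advance-...); with the old value the Application
# could not find its manifests.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: 15-advanced-cluster-management-obs
  namespace: openshift-gitops
  annotations:
    argocd.argoproj.io/compare-options: IgnoreExtraneous
    argocd.argoproj.io/sync-wave: '15'
spec:
  project: default
  destination:
    server: https://kubernetes.default.svc
  source:
    repoURL: https://github.com/adetalhouet/ocp-gitops.git
    # HEAD follows the default branch; anything merged there is applied on the
    # next sync.
    targetRevision: HEAD
    path: apps/15-advanced-cluster-managment-observability
  syncPolicy:
    automated:
      selfHeal: true
      # Allows a sync when the rendered manifest set is empty; prune is not
      # enabled here, so an empty render does not delete live resources.
      allowEmpty: true
    syncOptions:
      # Skips client-side schema validation so CRD-backed kinds can be applied
      # before their CRDs exist; it also masks malformed manifests.
      - Validate=false
      - CreateNamespace=true
    retry:
      # Unlimited retries with exponential backoff capped at 3m.
      limit: -1
      backoff:
        duration: 5s
        factor: 2
        maxDuration: 3m
-------------------------------------------------------------------------------- /apps/15-advanced-cluster-managment-observability/argo-app/kustomization.yaml: --------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
  - argo-app.yaml
-------------------------------------------------------------------------------- /apps/15-advanced-cluster-managment-observability/kustomization.yaml: --------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
  - 00-namespace.yaml
  - 01-acm-observability-bucket.yaml
  - 02-install-observability.yaml
  - 03-multiclusterobservability.yaml
-------------------------------------------------------------------------------- /apps/16-acs/base/.gitignore: --------------------------------------------------------------------------------
rhsso-client-secret.yaml

--------------------------------------------------------------------------------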
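/apps/16-acs/base/02-sealed-rhsso-client-secret.yaml: --------------------------------------------------------------------------------
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  creationTimestamp: null
  name: sso-secret
  namespace: stackrox
spec:
  encryptedData:
    clientSecret: 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
  template:
    data: null
    metadata:
      creationTimestamp: null
      name: sso-secret
      namespace: stackrox
    type: Opaque

-------------------------------------------------------------------------------- /apps/16-acs/base/03-job-sso-integration.yaml: --------------------------------------------------------------------------------
# Post-install Job: registers Keycloak as an OIDC auth provider in ACS Central
# and attaches role mappings to it. ISSUER and EXTERNAL_ROUTE are placeholders
# replaced per overlay by positional patches (env/2 and env/3), so the order of
# the env entries must not change.
# Central's admin password and the client secret are passed on curl command
# lines, which is visible in the pod's process list; acceptable for this
# one-shot pod, not a pattern to copy into long-running containers.
apiVersion: batch/v1
kind: Job
metadata:
  annotations:
    argocd.argoproj.io/sync-wave: "10"
  name: create-sso-auth-provider
  namespace: stackrox
spec:
  template:
    spec:
      containers:
        - resources:
            limits:
              cpu: 500m
              memory: 512Mi
            requests:
              cpu: 250m
              memory: 256Mi
          image: registry.redhat.io/openshift4/ose-cli:v4.4
          env:
            - name: CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: sso-secret
                  key: clientSecret
            - name: PASSWORD
              valueFrom:
                secretKeyRef:
                  name: central-htpasswd
                  key: password
            - name: ISSUER
              value: REPLACE_ME_HERE
            - name: EXTERNAL_ROUTE
              value: REPLACE_ME_HERE
          command:
            - /bin/bash
            - -c
            - |
              #!/usr/bin/env bash

              # Wait for central to be ready.
              # -k: central presumably serves a self-signed certificate here; pass
              # --cacert instead once the CA is available in the image.
              attempt_counter=0
              max_attempts=20
              echo "Waiting for central to be available..."
              # 'until curl ...' replaces 'until $(curl ...)', which only worked
              # because the empty substitution inherited curl's exit status.
              until curl -k --output /dev/null --silent --head --fail https://central; do
                if [ ${attempt_counter} -eq ${max_attempts} ];then
                  echo "Max attempts reached"
                  exit 1
                fi
                printf '.'
                attempt_counter=$(($attempt_counter+1))
                echo "Made attempt $attempt_counter, waiting..."
                sleep 5
              done

              echo "Test if SSO Provider already exists"
              # NOTE(review): response parsing relies on a python interpreter being
              # present in the ose-cli image - confirm for the tag in use.
              RESPONSE=$(curl -k -u "admin:$PASSWORD" "https://central/v1/authProviders?name=keycloak" | python -c "import sys, json; print(json.load(sys.stdin)['authProviders'])")
              if [[ "$RESPONSE" != "[]" ]] ; then
                echo "keycloak SSO Provider already exists, exiting"
                exit 0
              fi

              echo "Create keycloak SSO Provider"
              DATA='{"name":"keycloak","type":"oidc","uiEndpoint":"'${EXTERNAL_ROUTE}'","enabled":true,"config":{"client_id":"stackrox","client_secret":"'${CLIENT_SECRET}'","issuer":"'${ISSUER}'","mode":"post"},"validated":true,"extraUiEndpoints":[],"active":true}'
              # "$DATA" is quoted: unquoted it is word-split and glob-expanded by
              # the shell, which corrupts the JSON when the client secret contains
              # whitespace or glob characters.
              PROVIDER_ID=$(curl -k -X POST -u "admin:$PASSWORD" -H "Content-Type: application/json" --data "$DATA" https://central/v1/authProviders | python -c "import sys, json; print(json.load(sys.stdin)['id'])")
              # Without this guard a failed create posted the role mapping with an
              # empty authProviderId and the Job still ended successfully.
              if [[ -z "$PROVIDER_ID" ]]; then
                echo "Failed to create keycloak SSO Provider"
                exit 1
              fi

              echo "Add role mapping to keycloak IDP for admins"
              # NOTE(review): the first rule has an empty key/value, i.e. it is the
              # provider's default mapping and applies to every user who can log in
              # through Keycloak - as written all of them receive the Admin role,
              # not only members of StackroxAdmins. Confirm that is intended;
              # otherwise point the default at a least-privilege role.
              DATA='{"required_groups":[{"props":{"authProviderId":"'${PROVIDER_ID}'","key":"","value":""},"roleName":"Admin"},{"props":{"authProviderId":"'${PROVIDER_ID}'","key":"groups","value":"StackroxAdmins"},"roleName":"StackroxAdmins"}]}'
              curl -k -X POST -u "admin:$PASSWORD" -H "Content-Type: application/json" --data "$DATA" https://central/v1/groupsbatch

          imagePullPolicy: Always
          name: create-sso-auth-provider
      dnsPolicy: ClusterFirst
      restartPolicy: Never
      terminationGracePeriodSeconds: 30
-------------------------------------------------------------------------------- /apps/16-acs/base/README.md: --------------------------------------------------------------------------------
__Create the RH SSO client secret__

`kubeseal --cert ~/.bitnami/tls.crt --format yaml < rhsso-client-secret.yaml > 02-sealed-rhsso-client-secret.yaml`
-------------------------------------------------------------------------------- /apps/16-acs/base/kustomization.yaml: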
-------------------------------------------------------------------------------- 1 | kind: Kustomization 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | 4 | # Remote base. Use the configuration from the Red Hat Canada GitOps repo (unofficial). 5 | bases: 6 | - https://github.com/redhat-cop/gitops-catalog/advanced-cluster-security-operator/aggregate/minimal 7 | 8 | resources: 9 | - 01-console-link.yaml 10 | - 02-sealed-rhsso-client-secret.yaml 11 | - 03-job-sso-integration.yaml 12 | -------------------------------------------------------------------------------- /apps/16-acs/overlays/ca-central/kustomization.yaml: -------------------------------------------------------------------------------- 1 | kind: Kustomization 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | 4 | bases: 5 | - ../../base 6 | 7 | patches: 8 | - target: 9 | kind: ConsoleLink 10 | name: acs 11 | patch: |- 12 | - op: replace 13 | path: /spec/href 14 | value: 'https://central-stackrox.apps.ca-central.adetalhouet.ca/main/dashboard' 15 | - target: 16 | kind: Job 17 | name: create-sso-auth-provider 18 | namespace: stackrox 19 | patch: |- 20 | - op: replace 21 | path: /spec/template/spec/containers/0/env/2/value 22 | value: >- 23 | https://keycloak-openshift-sso.apps.ca-central.adetalhouet.ca/auth/realms/openshift 24 | - target: 25 | kind: Job 26 | name: create-sso-auth-provider 27 | namespace: stackrox 28 | patch: |- 29 | - op: replace 30 | path: /spec/template/spec/containers/0/env/3/value 31 | value: >- 32 | central-stackrox.apps.ca-central.adetalhouet.ca 33 | - target: 34 | kind: Job 35 | name: create-cluster-init-bundle 36 | namespace: stackrox 37 | patch: |- 38 | - op: replace 39 | path: /spec/template/spec/containers/0/image 40 | value: >- 41 | registry.redhat.io/openshift4/ose-cli:latest -------------------------------------------------------------------------------- /apps/16-acs/overlays/default/kustomization.yaml: 
-------------------------------------------------------------------------------- 1 | kind: Kustomization 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | 4 | bases: 5 | - ../../base 6 | 7 | patches: 8 | - target: 9 | kind: ConsoleLink 10 | name: acs 11 | patch: |- 12 | - op: replace 13 | path: /spec/href 14 | value: 'https://central-stackrox.apps.hub-adetalhouet.rhtelco.io/main/dashboard' 15 | - target: 16 | kind: Job 17 | name: create-sso-auth-provider 18 | namespace: stackrox 19 | patch: |- 20 | - op: replace 21 | path: /spec/template/spec/containers/0/env/2/value 22 | value: >- 23 | https://keycloak-openshift-sso.apps.hub-adetalhouet.rhtelco.io/auth/realms/openshift 24 | - target: 25 | kind: Job 26 | name: create-sso-auth-provider 27 | namespace: stackrox 28 | patch: |- 29 | - op: replace 30 | path: /spec/template/spec/containers/0/env/3/value 31 | value: >- 32 | central-stackrox.apps.hub-adetalhouet.rhtelco.io -------------------------------------------------------------------------------- /apps/17-net-obs/00-loki.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: netobserv 6 | --- 7 | apiVersion: v1 8 | kind: PersistentVolumeClaim 9 | metadata: 10 | name: loki-store 11 | namespace: netobserv 12 | spec: 13 | resources: 14 | requests: 15 | storage: 1G 16 | volumeMode: Filesystem 17 | accessModes: 18 | - ReadWriteOnce 19 | --- 20 | apiVersion: v1 21 | kind: ConfigMap 22 | metadata: 23 | name: loki-config 24 | namespace: netobserv 25 | data: 26 | local-config.yaml: | 27 | auth_enabled: false 28 | server: 29 | http_listen_port: 3100 30 | grpc_listen_port: 9096 31 | http_server_read_timeout: 1m 32 | http_server_write_timeout: 1m 33 | log_level: error 34 | target: all 35 | common: 36 | path_prefix: /loki-store 37 | storage: 38 | filesystem: 39 | chunks_directory: /loki-store/chunks 40 | rules_directory: /loki-store/rules 41 | replication_factor: 1 42 | ring: 
43 | instance_addr: 127.0.0.1 44 | kvstore: 45 | store: inmemory 46 | compactor: 47 | compaction_interval: 5m 48 | frontend: 49 | compress_responses: true 50 | ingester: 51 | chunk_encoding: snappy 52 | chunk_retain_period: 1m 53 | query_range: 54 | align_queries_with_step: true 55 | cache_results: true 56 | max_retries: 5 57 | results_cache: 58 | cache: 59 | enable_fifocache: true 60 | fifocache: 61 | max_size_bytes: 500MB 62 | validity: 24h 63 | parallelise_shardable_queries: true 64 | schema_config: 65 | configs: 66 | - from: 2022-01-01 67 | store: boltdb-shipper 68 | object_store: filesystem 69 | schema: v11 70 | index: 71 | prefix: index_ 72 | period: 24h 73 | storage_config: 74 | filesystem: 75 | directory: /loki-store/storage 76 | boltdb_shipper: 77 | active_index_directory: /loki-store/index 78 | shared_store: filesystem 79 | cache_location: /loki-store/boltdb-cache 80 | cache_ttl: 24h 81 | limits_config: 82 | ingestion_rate_strategy: global 83 | ingestion_rate_mb: 4 84 | ingestion_burst_size_mb: 6 85 | max_label_name_length: 1024 86 | max_label_value_length: 2048 87 | max_label_names_per_series: 30 88 | reject_old_samples: true 89 | reject_old_samples_max_age: 15m 90 | creation_grace_period: 10m 91 | enforce_metric_name: false 92 | max_line_size: 256000 93 | max_line_size_truncate: false 94 | max_entries_limit_per_query: 10000 95 | max_streams_per_user: 0 96 | max_global_streams_per_user: 0 97 | unordered_writes: true 98 | max_chunks_per_query: 2000000 99 | max_query_length: 721h 100 | max_query_parallelism: 32 101 | max_query_series: 10000 102 | cardinality_limit: 100000 103 | max_streams_matchers_per_query: 1000 104 | max_concurrent_tail_requests: 10 105 | retention_period: 24h 106 | max_cache_freshness_per_query: 5m 107 | max_queriers_per_tenant: 0 108 | per_stream_rate_limit: 3MB 109 | per_stream_rate_limit_burst: 15MB 110 | max_query_lookback: 0 111 | min_sharding_lookback: 0s 112 | split_queries_by_interval: 1m 113 | --- 114 | apiVersion: apps/v1 115 
| kind: Deployment 116 | metadata: 117 | namespace: netobserv 118 | name: loki 119 | spec: 120 | selector: 121 | matchLabels: 122 | app: loki 123 | replicas: 1 124 | template: 125 | metadata: 126 | labels: 127 | app: loki 128 | spec: 129 | securityContext: 130 | runAsGroup: 1000 131 | runAsUser: 1000 132 | fsGroup: 1000 133 | containers: 134 | - name: loki 135 | image: grafana/loki:2.5.0 136 | volumeMounts: 137 | - mountPath: "/loki-store" 138 | name: loki-store 139 | - mountPath: "/etc/loki" 140 | name: loki-config 141 | volumes: 142 | - name: loki-store 143 | persistentVolumeClaim: 144 | claimName: loki-store 145 | - name: loki-config 146 | configMap: 147 | name: loki-config 148 | --- 149 | kind: Service 150 | apiVersion: v1 151 | metadata: 152 | name: loki 153 | namespace: netobserv 154 | spec: 155 | selector: 156 | app: loki 157 | ports: 158 | - port: 3100 159 | protocol: TCP -------------------------------------------------------------------------------- /apps/17-net-obs/01-install.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: operators.coreos.com/v1 3 | kind: OperatorGroup 4 | metadata: 5 | name: network-obs-groups 6 | namespace: network-observability 7 | spec: 8 | targetNamespaces: [] 9 | --- 10 | apiVersion: operators.coreos.com/v1alpha1 11 | kind: Subscription 12 | metadata: 13 | name: network-obs-operator 14 | namespace: network-observability 15 | spec: 16 | channel: alpha 17 | installPlanApproval: Automatic 18 | name: netobserv-operator 19 | source: community-operators 20 | sourceNamespace: openshift-marketplace 21 | -------------------------------------------------------------------------------- /apps/17-net-obs/02-flowcollector.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: flows.netobserv.io/v1alpha1 2 | kind: FlowCollector 3 | metadata: 4 | name: cluster 5 | spec: 6 | agent: ipfix 7 | clusterNetworkOperator: 8 | namespace: 
openshift-network-operator 9 | consolePlugin: 10 | logLevel: info 11 | port: 9001 12 | register: true 13 | portNaming: 14 | enable: true 15 | portNames: 16 | '3100': loki 17 | imagePullPolicy: IfNotPresent 18 | image: 'quay.io/netobserv/network-observability-console-plugin:v0.1.2' 19 | replicas: 1 20 | ebpf: 21 | logLevel: info 22 | cacheMaxFlows: 1000 23 | imagePullPolicy: IfNotPresent 24 | excludeInterfaces: 25 | - lo 26 | cacheActiveTimeout: 5s 27 | interfaces: [] 28 | image: 'quay.io/netobserv/netobserv-ebpf-agent:v0.1.0' 29 | sampling: 0 30 | flowlogsPipeline: 31 | logLevel: info 32 | port: 2055 33 | prometheusPort: 9090 34 | imagePullPolicy: IfNotPresent 35 | enableKubeProbes: true 36 | image: 'quay.io/netobserv/flowlogs-pipeline:v0.1.1' 37 | replicas: 1 38 | healthPort: 8080 39 | kind: DaemonSet 40 | ipfix: 41 | cacheActiveTimeout: 60s 42 | cacheMaxFlows: 100 43 | sampling: 1 44 | loki: 45 | timeout: 10s 46 | maxRetries: 10 47 | maxBackoff: 300s 48 | staticLabels: 49 | app: netobserv-flowcollector 50 | url: 'http://loki:3100/' 51 | batchWait: 1s 52 | minBackoff: 1s 53 | batchSize: 102400 54 | timestampLabel: TimeFlowEnd 55 | namespace: network-observability 56 | -------------------------------------------------------------------------------- /apps/17-net-obs/kustomization.yaml: -------------------------------------------------------------------------------- 1 | kind: Kustomization 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | 4 | resources: 5 | - 00-loki.yaml 6 | - 01-install.yaml 7 | - 02-flowcollector.yaml 8 | -------------------------------------------------------------------------------- /apps/pipeline/README.md: -------------------------------------------------------------------------------- 1 | ## Load the github-set-status tekton task 2 | 3 | ``` 4 | kubectl apply -f https://raw.githubusercontent.com/tektoncd/catalog/main/task/github-set-status/0.4/github-set-status.yaml -n pipeline-demo 5 | ``` 6 | 7 | ## Create your github secret 8 | 9 | ``` 
kubectl create secret generic github --from-literal token="***" -n pipeline-demo
```

## Properly create webhook in github

### Webhook sending Push events
![](docs/push-trigger.png)

### Webhook sending Pull Request events
![](docs/pr-trigger.png)
--------------------------------------------------------------------------------
/apps/pipeline/containerfile:
--------------------------------------------------------------------------------
# Image for the sanitize-yaml Tekton Task: ose-cli plus git, kustomize v4.5.2 and
# the gitops-catalog validate_manifests.sh, which the Task runs from /.
# NOTE(review): ose-cli:latest is a mutable tag; pin a version (or a digest) so
# rebuilds are reproducible and reviewable.
FROM registry.redhat.io/openshift4/ose-cli:latest

# NOTE(review): --nogpgcheck disables RPM signature verification for these
# packages; drop it if the image's repositories ship their signing keys.
RUN dnf install -y --setopt=tsflags=nodocs --nogpgcheck --disableplugin=subscription-manager git tar wget

# The version is pinned, but the archive is not checksum-verified after download;
# compare it against the checksums published with the kustomize release.
RUN wget https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2Fv4.5.2/kustomize_v4.5.2_linux_amd64.tar.gz && tar xzf ./kustomize_v4.5.2_linux_amd64.tar.gz

# NOTE(review): fetched from the moving `main` branch and executed on every
# pipeline run; pin to a tag or commit and verify a checksum so an upstream change
# cannot silently alter what the pipeline executes.
RUN wget https://raw.githubusercontent.com/redhat-cop/gitops-catalog/main/hack/validate_manifests.sh

# Presumably read by validate_manifests.sh to locate the kustomize binary — confirm.
ENV KUSTOMIZE=/kustomize

RUN chmod +x kustomize validate_manifests.sh
--------------------------------------------------------------------------------
/apps/pipeline/docs/pr-trigger.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/adetalhouet/ocp-gitops/d94d71e3c0bd146e66f12cf39d7018bb98b8efb0/apps/pipeline/docs/pr-trigger.png
--------------------------------------------------------------------------------
/apps/pipeline/docs/push-trigger.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/adetalhouet/ocp-gitops/d94d71e3c0bd146e66f12cf39d7018bb98b8efb0/apps/pipeline/docs/push-trigger.png
--------------------------------------------------------------------------------
/apps/pipeline/pr-trigger.yaml:
--------------------------------------------------------------------------------

apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: sanitize-yaml
namespace: pipeline-demo 7 | spec: 8 | workspaces: 9 | - name: output 10 | results: 11 | - name: status 12 | description: Execution Status 13 | steps: 14 | - name: validate-manifests 15 | image: quay.io/adetalho/tekton-task:latest 16 | workingDir: /workspace/source 17 | command: ["/bin/bash", "-c"] 18 | args: 19 | - |- 20 | cd / && ./validate_manifests.sh 21 | if [[ $? == 0 ]] 22 | then 23 | echo -n "success" | tee $(results.status.path) 24 | else 25 | echo -n "failure" | tee $(results.status.path) 26 | fi 27 | --- 28 | apiVersion: tekton.dev/v1beta1 29 | kind: Pipeline 30 | metadata: 31 | name: pipeline-git-pr-status 32 | namespace: pipeline-demo 33 | spec: 34 | params: 35 | - name: pr-repository 36 | description: The source git repo for the PullRequest 37 | default: "" 38 | - name: pr-revision 39 | description: the commit id/sha for the PullRequest 40 | default: "" 41 | workspaces: 42 | - name: pipeline-ws 43 | tasks: 44 | - name: set-git-commit-pending 45 | taskRef: 46 | name: github-set-status 47 | kind: Task 48 | params: 49 | - name: REPO_FULL_NAME 50 | value: adetalhouet/ocp-gitops 51 | - name: SHA 52 | value: $(params.pr-revision) 53 | - name: DESCRIPTION 54 | value: "Build is starting" 55 | - name: STATE 56 | value: "pending" 57 | - name: TARGET_URL 58 | value: https://console-openshift-console.apps.ca-central.adetalhouet.ca/k8s/ns/pipeline-demo/tekton.dev~v1beta1~PipelineRun/sanitize-yaml-$(params.pr-revision)/ 59 | - name: GITHUB_TOKEN_SECRET_NAME 60 | value: github 61 | - name: GITHUB_TOKEN_SECRET_KEY 62 | value: token 63 | - name: git-clone 64 | taskRef: 65 | name: git-clone 66 | kind: ClusterTask 67 | runAfter: [set-git-commit-pending] 68 | params: 69 | - name: url 70 | value: $(params.pr-repository) 71 | - name: subdirectory 72 | value: "" 73 | - name: deleteExisting 74 | value: "true" 75 | - name: revision 76 | value: $(params.pr-revision) 77 | workspaces: 78 | - name: output 79 | workspace: pipeline-ws 80 | - name: sanitize 81 | runAfter: 
[git-clone] 82 | taskRef: 83 | name: sanitize-yaml 84 | workspaces: 85 | - name: output 86 | workspace: pipeline-ws 87 | finally: 88 | - name: set-git-commit-status 89 | taskRef: 90 | name: github-set-status 91 | kind: Task 92 | params: 93 | - name: REPO_FULL_NAME 94 | value: adetalhouet/ocp-gitops 95 | - name: SHA 96 | value: $(params.pr-revision) 97 | - name: DESCRIPTION 98 | value: "Build is finished" 99 | - name: STATE 100 | value: $(tasks.sanitize.results.status) 101 | - name: TARGET_URL 102 | value: https://console-openshift-console.apps.ca-central.adetalhouet.ca/k8s/ns/pipeline-demo/tekton.dev~v1beta1~PipelineRun/sanitize-yaml-$(params.pr-revision)/ 103 | - name: GITHUB_TOKEN_SECRET_NAME 104 | value: github 105 | - name: GITHUB_TOKEN_SECRET_KEY 106 | value: token 107 | --- 108 | apiVersion: triggers.tekton.dev/v1beta1 109 | kind: TriggerTemplate 110 | metadata: 111 | namespace: pipeline-demo 112 | name: triggertemplate-git-pr-status 113 | spec: 114 | params: 115 | - name: pr-repository 116 | description: The source git repo for the PullRequest 117 | default: "https://github.com/adetalhouet/ocp-gitops" 118 | - name: pr-revision 119 | description: the commit id/sha for the PullRequest 120 | default: " " 121 | resourcetemplates: 122 | - apiVersion: tekton.dev/v1beta1 123 | kind: PipelineRun 124 | metadata: 125 | name: sanitize-yaml-$(tt.params.pr-revision) 126 | spec: 127 | pipelineRef: 128 | name: pipeline-git-pr-status 129 | params: 130 | - name: pr-repository 131 | value: $(tt.params.pr-repository) 132 | - name: pr-revision 133 | value: $(tt.params.pr-revision) 134 | workspaces: 135 | - name: pipeline-ws 136 | volumeClaimTemplate: 137 | spec: 138 | accessModes: 139 | - ReadWriteOnce 140 | resources: 141 | requests: 142 | storage: 500Mi 143 | --- 144 | apiVersion: triggers.tekton.dev/v1beta1 145 | kind: TriggerBinding 146 | metadata: 147 | namespace: pipeline-demo 148 | name: triggerbinding-git-pr-status-github-pr 149 | spec: 150 | params: 151 | - name: 
pr-repository
    value: "$(body.pull_request.head.repo.clone_url)"
  - name: pr-revision
    value: "$(body.pull_request.head.sha)"
---
# Trigger for GitHub pull_request webhooks.
# NOTE(review): the github interceptor has no secretRef param, so the webhook
# signature is not verified; anyone who can reach the Route below can start a
# PipelineRun with a clone_url/sha of their choosing (the pr-repository binding
# takes the PR head repository, i.e. a fork). Add to the interceptor params:
#   - name: secretRef
#     value:
#       secretName: <WEBHOOK_SECRET_NAME>
#       secretKey: <WEBHOOK_SECRET_KEY>
# and configure the same secret on the GitHub webhook. The Trigger in
# push-trigger.yaml has the same gap.
apiVersion: triggers.tekton.dev/v1beta1
kind: Trigger
metadata:
  name: trigger-git-pr-status-github-pr
  namespace: pipeline-demo
spec:
  # NOTE(review): "pipeline" is the default OpenShift Pipelines SA; confirm its
  # permissions are not broader than creating PipelineRuns in this namespace.
  serviceAccountName: pipeline
  interceptors:
  - ref:
      name: "github"
    params:
    - name: "eventTypes"
      value: ["pull_request"]
  bindings:
  - ref: triggerbinding-git-pr-status-github-pr
  template:
    ref: triggertemplate-git-pr-status
---
apiVersion: triggers.tekton.dev/v1beta1
kind: EventListener
metadata:
  namespace: pipeline-demo
  name: eventlistener-git-pr-status-github-pr
spec:
  serviceAccountName: pipeline
  triggers:
  - triggerRef: trigger-git-pr-status-github-pr
---
# Exposes the EventListener service to GitHub.
# NOTE(review): no tls stanza, so if this Route is internet-facing the webhook
# endpoint is served over plain HTTP and the payload crosses the network in
# clear. Suggested: `tls: {termination: edge, insecureEdgeTerminationPolicy: Redirect}`.
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  labels:
    eventlistener: eventlistener-git-pr-status-github-pr
  name: eventlistener-git-pr-status
  namespace: pipeline-demo
spec:
  port:
    targetPort: http-listener
  to:
    kind: Service
    name: el-eventlistener-git-pr-status-github-pr
--------------------------------------------------------------------------------
/apps/pipeline/push-trigger.yaml:
--------------------------------------------------------------------------------
# Pipeline run on push events: clone the repository at the pushed revision and
# validate its manifests with the sanitize-yaml Task.
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
  name: pipeline-git-push-status
  namespace: pipeline-demo
spec:
  workspaces:
  - name: shared-workspace
  params:
  - name: git-url
    type: string
    description: url of the git repo for the code of deployment
  - name: git-revision
    type: string
    description: revision to be used from repo of the code for deployment
    default: "main"
  tasks:
  - name: fetch-repository
    taskRef:
      name: git-clone
      kind:
ClusterTask 22 | workspaces: 23 | - name: output 24 | workspace: shared-workspace 25 | params: 26 | - name: url 27 | value: $(params.git-url) 28 | - name: subdirectory 29 | value: "" 30 | - name: deleteExisting 31 | value: "true" 32 | - name: revision 33 | value: $(params.git-revision) 34 | - name: sanitize 35 | taskRef: 36 | name: sanitize-yaml 37 | workspaces: 38 | - name: output 39 | workspace: shared-workspace 40 | runAfter: 41 | - fetch-repository 42 | --- 43 | apiVersion: triggers.tekton.dev/v1beta1 44 | kind: TriggerBinding 45 | metadata: 46 | name: triggerbinding-git-push-status 47 | namespace: pipeline-demo 48 | spec: 49 | params: 50 | - name: git-repo-url 51 | value: $(body.repository.url) 52 | - name: git-repo-name 53 | value: $(body.repository.name) 54 | - name: commit.id 55 | value: $(body.head_commit.id) 56 | - name: commit.message 57 | value: $(body.head_commit.message) 58 | - name: commit.author 59 | value: $(body.head_commit.author.name) 60 | --- 61 | apiVersion: triggers.tekton.dev/v1beta1 62 | kind: TriggerTemplate 63 | metadata: 64 | name: triggertemplate-git-push-status 65 | namespace: pipeline-demo 66 | spec: 67 | params: 68 | - name: git-repo-url 69 | description: The git repository url 70 | - name: git-repo-name 71 | description: The name of the deployment to be created / patched 72 | - name: commit-id 73 | description: The git commit id 74 | - name: commit-message 75 | description: The git commit message 76 | - name: commit-author 77 | description: The git commit author 78 | 79 | resourcetemplates: 80 | - apiVersion: tekton.dev/v1beta1 81 | kind: PipelineRun 82 | metadata: 83 | generateName: sanitize-yaml-$(tt.params.git-repo-name)- 84 | namespace: pipeline-demo 85 | spec: 86 | serviceAccountName: pipeline 87 | pipelineRef: 88 | name: pipeline-git-push-status 89 | params: 90 | - name: git-repo-name 91 | value: $(tt.params.git-repo-name) 92 | - name: git-url 93 | value: $(tt.params.git-repo-url) 94 | - name: commit-id 95 | value: 
$(tt.params.commit-id) 96 | - name: commit-message 97 | value: $(tt.params.commit-message) 98 | - name: commit-author 99 | value: $(tt.params.commit-author) 100 | workspaces: 101 | - name: shared-workspace 102 | volumeClaimTemplate: 103 | spec: 104 | accessModes: 105 | - ReadWriteOnce 106 | resources: 107 | requests: 108 | storage: 500Mi 109 | --- 110 | apiVersion: triggers.tekton.dev/v1beta1 111 | kind: Trigger 112 | metadata: 113 | name: trigger-git-push-status-github 114 | namespace: pipeline-demo 115 | spec: 116 | serviceAccountName: pipeline 117 | interceptors: 118 | - ref: 119 | name: "github" 120 | params: 121 | - name: "eventTypes" 122 | value: ["push"] 123 | bindings: 124 | - ref: triggerbinding-git-push-status 125 | template: 126 | ref: triggertemplate-git-push-status 127 | --- 128 | apiVersion: triggers.tekton.dev/v1beta1 129 | kind: EventListener 130 | metadata: 131 | name: eventlistener-git-push-status-github 132 | namespace: pipeline-demo 133 | spec: 134 | serviceAccountName: pipeline 135 | triggers: 136 | - triggerRef: trigger-git-push-status-github 137 | --- 138 | apiVersion: route.openshift.io/v1 139 | kind: Route 140 | metadata: 141 | labels: 142 | eventlistener: eventlistener-git-push-status-github 143 | name: eventlistener-git-push-status-route 144 | namespace: pipeline-demo 145 | spec: 146 | port: 147 | targetPort: http-listener 148 | to: 149 | kind: Service 150 | name: el-eventlistener-git-push-status-github -------------------------------------------------------------------------------- /apps/telco/README.md: -------------------------------------------------------------------------------- 1 | __This is still TBD__ 2 | 3 | docker run -v /Users/adetalhouet/.kube/configs/:/kubeconfig -e KUBECONFIG=/kubeconfig/apps-adetalhouet-kubeconfig.yaml -e ROLE_WORKER_CNF=worker-pao registry.redhat.io/openshift4/cnf-tests-rhel8:v4.6 /usr/bin/test-run.sh 4 | 5 | 6 | 
https://docs.openshift.com/container-platform/4.7/networking/ovn_kubernetes_network_provider/migrate-from-openshift-sdn.html -------------------------------------------------------------------------------- /apps/telco/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | 5 | bases: 6 | - pao 7 | - ptp 8 | - sriov -------------------------------------------------------------------------------- /apps/telco/numa-scheduler/00-install.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: openshift-numaresources 5 | --- 6 | apiVersion: operators.coreos.com/v1 7 | kind: OperatorGroup 8 | metadata: 9 | name: numaresources-operator 10 | namespace: openshift-numaresources 11 | spec: 12 | targetNamespaces: 13 | - openshift-numaresources 14 | --- 15 | apiVersion: operators.coreos.com/v1alpha1 16 | kind: Subscription 17 | metadata: 18 | name: numaresources-operator 19 | namespace: openshift-numaresources 20 | spec: 21 | channel: "4.11" 22 | name: numaresources-operator 23 | source: redhat-operators 24 | sourceNamespace: openshift-marketplace -------------------------------------------------------------------------------- /apps/telco/numa-scheduler/01-numaresourceoperator.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: nodetopology.openshift.io/v1alpha1 2 | kind: NUMAResourcesOperator 3 | metadata: 4 | name: numaresourcesoperator 5 | spec: 6 | nodeGroups: 7 | - machineConfigPoolSelector: 8 | matchLabels: 9 | pools.operator.machineconfiguration.openshift.io/worker: "" -------------------------------------------------------------------------------- /apps/telco/numa-scheduler/02-kubeletconfig.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: 
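machineconfiguration.openshift.io/v1
kind: KubeletConfig
metadata:
  name: cnf-worker-tuning
spec:
  # NOTE(review): targets an MCP labelled cnf-worker-tuning=enabled. No
  # MachineConfigPool visible in this repo carries that label (worker-pao only has
  # the role label), so this config is not applied until a pool is labelled.
  machineConfigPoolSelector:
    matchLabels:
      cnf-worker-tuning: enabled
  kubeletConfig:
    cpuManagerPolicy: "static"
    cpuManagerReconcilePeriod: "5s"
    reservedSystemCPUs: "0,1"
    memoryManagerPolicy: "Static"
    evictionHard:
      memory.available: "100Mi"
    kubeReserved:
      memory: "512Mi"
    # reservedMemory 1124Mi = kubeReserved 512Mi + systemReserved 512Mi +
    # evictionHard 100Mi; the static memory manager expects these to add up, so
    # change the four values together.
    reservedMemory:
    - numaNode: 0
      limits:
        memory: "1124Mi"
    systemReserved:
      memory: "512Mi"
    topologyManagerPolicy: "single-numa-node"
    topologyManagerScope: "pod"
--------------------------------------------------------------------------------
/apps/telco/numa-scheduler/03-numaresourcescheduler.yaml:
--------------------------------------------------------------------------------
apiVersion: nodetopology.openshift.io/v1alpha1
kind: NUMAResourcesScheduler
metadata:
  name: numaresourcesscheduler
spec:
  imageSpec: "registry.redhat.io/openshift4/noderesourcetopology-scheduler-container-rhel8:v4.11"
--------------------------------------------------------------------------------
/apps/telco/numa-scheduler/kustomization.yaml:
--------------------------------------------------------------------------------
---
# Not referenced from apps/telco/kustomization.yaml (bases: pao, ptp, sriov); add it
# there when the NUMA-aware scheduler should be deployed.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
- 00-install.yaml
# Fixed: the entry lacked the .yaml suffix, so kustomize would have looked for a
# directory named 01-numaresourceoperator and failed the build.
- 01-numaresourceoperator.yaml
- 02-kubeletconfig.yaml
- 03-numaresourcescheduler.yaml
--------------------------------------------------------------------------------
/apps/telco/pao-mcp.yaml:
--------------------------------------------------------------------------------
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfigPool
metadata:
  name: worker-pao
  labels:
    machineconfiguration.openshift.io/role: worker-pao
spec:
  machineConfigSelector:
    matchExpressions:
    - {key: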
machineconfiguration.openshift.io/role, operator: In, values: [worker, worker-pao]} 11 | nodeSelector: 12 | matchLabels: 13 | node-role.kubernetes.io/worker-pao: "" -------------------------------------------------------------------------------- /apps/telco/pao/00-install.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: openshift-performance-addon-operator 6 | labels: 7 | openshift.io/run-level: "1" 8 | --- 9 | apiVersion: operators.coreos.com/v1 10 | kind: OperatorGroup 11 | metadata: 12 | name: openshift-performance-addon-operator 13 | namespace: openshift-performance-addon-operator 14 | --- 15 | apiVersion: operators.coreos.com/v1alpha1 16 | kind: Subscription 17 | metadata: 18 | name: openshift-performance-addon-operator-subscription 19 | namespace: openshift-performance-addon-operator 20 | spec: 21 | channel: "4.7" 22 | name: performance-addon-operator 23 | source: redhat-operators 24 | sourceNamespace: openshift-marketplace -------------------------------------------------------------------------------- /apps/telco/pao/01-pp-cr.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: performance.openshift.io/v2 2 | kind: PerformanceProfile 3 | metadata: 4 | name: performanceprofile 5 | annotations: 6 | argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true 7 | spec: 8 | additionalKernelArgs: 9 | - nmi_watchdog=0 10 | - audit=0 11 | - mce=off 12 | - processor.max_cstate=1 13 | - idle=poll 14 | - intel_idle.max_cstate=0 15 | # - nosmt # disable hyperthreading 16 | cpu: 17 | isolated: 3-4 18 | reserved: 0-1 19 | globallyDisableIrqLoadBalancing: false 20 | hugepages: 21 | defaultHugepagesSize: 1G 22 | pages: 23 | - count: 2 24 | node: 0 25 | size: 1G 26 | nodeSelector: 27 | node-role.kubernetes.io/worker-pao: '' 28 | realTimeKernel: 29 | enabled: true 
-------------------------------------------------------------------------------- /apps/telco/pao/config/sctp/50-worker-enable-sctp.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: machineconfiguration.openshift.io/v1 2 | kind: MachineConfig 3 | metadata: 4 | labels: 5 | machineconfiguration.openshift.io/role: worker-pao 6 | name: 50-load-sctp-module 7 | spec: 8 | config: 9 | ignition: 10 | version: 3.1.0 11 | storage: 12 | files: 13 | - contents: 14 | source: data:, 15 | mode: 420 16 | overwrite: true 17 | path: /etc/modprobe.d/sctp-blacklist.conf 18 | - contents: 19 | source: data:text/plain;charset=utf-8,sctp 20 | mode: 420 21 | overwrite: true 22 | path: /etc/modules-load.d/sctp-load.conf 23 | -------------------------------------------------------------------------------- /apps/telco/pao/config/sctp/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | 5 | resources: 6 | - 50-worker-enable-sctp.yaml 7 | -------------------------------------------------------------------------------- /apps/telco/pao/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | 5 | bases: 6 | - config/sctp 7 | 8 | resources: 9 | - 00-install.yaml 10 | - 01-pp-cr.yaml 11 | -------------------------------------------------------------------------------- /apps/telco/pao/pod.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | name: dynamic-irq-pod 5 | annotations: 6 | irq-load-balancing.crio.io: "disable" 7 | cpu-quota.crio.io: "disable" 8 | spec: 9 | containers: 10 | - name: dynamic-irq-pod 11 | image: "quay.io/openshift-kni/cnf-tests:4.6" 12 | command: ["sleep", "10h"] 13 | resources: 14 | 
requests: 15 | cpu: 2 16 | memory: "200M" 17 | limits: 18 | cpu: 2 19 | memory: "200M" 20 | nodeSelector: 21 | node-role.kubernetes.io/worker-pao: "" 22 | runtimeClassName: performance-performanceprofile -------------------------------------------------------------------------------- /apps/telco/ptp/00-install.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: openshift-ptp 6 | labels: 7 | name: openshift-ptp 8 | openshift.io/cluster-monitoring: "true" 9 | --- 10 | apiVersion: operators.coreos.com/v1 11 | kind: OperatorGroup 12 | metadata: 13 | name: ptp-operators 14 | namespace: openshift-ptp 15 | spec: 16 | targetNamespaces: 17 | - openshift-ptp 18 | --- 19 | apiVersion: operators.coreos.com/v1alpha1 20 | kind: Subscription 21 | metadata: 22 | name: ptp-operator-subscription 23 | namespace: openshift-ptp 24 | spec: 25 | channel: "4.7" 26 | installPlanApproval: Automatic 27 | name: ptp-operator 28 | source: redhat-operators 29 | sourceNamespace: openshift-marketplace 30 | -------------------------------------------------------------------------------- /apps/telco/ptp/01-ptp-operator-config.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: ptp.openshift.io/v1 3 | kind: PtpOperatorConfig 4 | metadata: 5 | name: default 6 | namespace: openshift-ptp 7 | annotations: 8 | argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true 9 | spec: 10 | daemonNodeSelector: 11 | node-role.kubernetes.io/worker-pao: "" -------------------------------------------------------------------------------- /apps/telco/ptp/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | 5 | resources: 6 | - 00-install.yaml 7 | - 01-ptp-operator-config.yaml 8 | 
-------------------------------------------------------------------------------- /apps/telco/sriov/00-install.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: openshift-sriov-network-operator 6 | labels: 7 | openshift.io/run-level: "1" 8 | openshift.io/cluster-monitoring: "true" 9 | --- 10 | apiVersion: operators.coreos.com/v1 11 | kind: OperatorGroup 12 | metadata: 13 | name: sriov-network-operators 14 | namespace: openshift-sriov-network-operator 15 | spec: 16 | targetNamespaces: 17 | - openshift-sriov-network-operator 18 | --- 19 | apiVersion: operators.coreos.com/v1alpha1 20 | kind: Subscription 21 | metadata: 22 | name: sriov-network-operator-subscription 23 | namespace: openshift-sriov-network-operator 24 | spec: 25 | channel: "4.7" 26 | installPlanApproval: Automatic 27 | name: sriov-network-operator 28 | source: redhat-operators 29 | sourceNamespace: openshift-marketplace -------------------------------------------------------------------------------- /apps/telco/sriov/01-sriov-operator-config.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: sriovnetwork.openshift.io/v1 3 | kind: SriovOperatorConfig 4 | metadata: 5 | name: default 6 | namespace: openshift-sriov-network-operator 7 | annotations: 8 | argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true 9 | spec: 10 | configDaemonNodeSelector: 11 | node-role.kubernetes.io/worker-pao: "" 12 | enableInjector: true 13 | enableOperatorWebhook: true 14 | logLevel: 2 -------------------------------------------------------------------------------- /apps/telco/sriov/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | 5 | resources: 6 | - 00-install.yaml 7 | - 01-sriov-operator-config.yaml 8 | 
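--------------------------------------------------------------------------------
/bootstrap/bootstrap.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Bootstrap a cluster from this repository:
#   1. apply the bootstrap kustomization for CLUSTER_NAME (installs the
#      GitOps operator, creates the sealed-secrets namespace and key),
#   2. wait for the GitOps operator CSV to report Succeeded,
#   3. apply the app-of-apps Application that drives everything else.
#
# Usage: ./bootstrap.sh CLUSTER_NAME
# Environment: MAX_WAIT - seconds to wait for the operator (default 600).
# Exits non-zero on a missing or unknown cluster name, on any failed oc
# command, or when the operator is not ready within MAX_WAIT seconds
# (the previous version looped forever in that case).

set -euo pipefail

CLUSTER_NAME=${1:-}

if [[ -z "$CLUSTER_NAME" ]]; then
  echo " You must provide a cluster name."
  echo "Example: ./bootstrap.sh CLUSTER_NAME"
  exit 1
fi

# The name is used as a path component below; insist on an existing
# bootstrap directory so a typo (or a stray "../") fails here with a clear
# message instead of inside oc.
if [[ ! -d "bootstrap/$CLUSTER_NAME" ]]; then
  echo "No bootstrap directory found for cluster '$CLUSTER_NAME' (expected bootstrap/$CLUSTER_NAME)."
  exit 1
fi

# Install Argo, create sealed-secret namespace, and add sealed-secret-key
oc kustomize "bootstrap/$CLUSTER_NAME" | oc apply -f-

# Wait for ArgoCD to be ready
SLEEP=3
MAX_WAIT=${MAX_WAIT:-600}
WAITED=0
CSV_STATUS="Pausing $SLEEP seconds..."
while [ "$CSV_STATUS" != "Succeeded" ]; do
  if (( WAITED >= MAX_WAIT )); then
    echo "GitOps Operator not ready after ${MAX_WAIT}s (last status: $CSV_STATUS); giving up."
    exit 1
  fi
  echo "Waiting for the GitOps Operator to be ready. ($CSV_STATUS)"
  sleep "$SLEEP"
  WAITED=$((WAITED + SLEEP))
  # "|| true": before the CSV exists the query can fail; under set -e that
  # is "not ready yet", not a reason to abort. If more than one CSV matches
  # the label, jsonpath prints several phases and the loop keeps waiting.
  CSV_STATUS=$( oc get csv -n openshift-gitops-operator -l operators.coreos.com/openshift-gitops-operator.openshift-gitops-operator='' -o 'jsonpath={..status.phase}' || true )
done

#Then apply the app-of-apps that will control everything
oc apply -f "bootstrap/$CLUSTER_NAME/app-of-apps.yaml"
--------------------------------------------------------------------------------
/bootstrap/ca-central/app-of-apps.yaml:
--------------------------------------------------------------------------------
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: 00-hub-cluster-manager
  namespace: openshift-gitops
spec:
  destination:
    server: https://kubernetes.default.svc
  # The default AppProject allows any source repo and any destination by
  # default; a dedicated project pinned to repoURL and this cluster would
  # bound what this root Application can deploy.
  project: default
  source:
    path: clusters/ca-central
    repoURL: https://github.com/adetalhouet/ocp-gitops.git
    # With selfHeal below, every commit that lands on main is applied to the
    # cluster automatically; branch protection on main is the change gate.
    targetRevision: main
  syncPolicy:
    automated:
      prune: false
      selfHeal: true
--------------------------------------------------------------------------------
/bootstrap/ca-central/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

commonLabels:
  gitops/cluster-name: hub-adetalhouet

bases:
  - ../../apps/01-openshift-gitops/bootstrap
  - ../../apps/02-sealed-secrets/bootstrap

--------------------------------------------------------------------------------
/bootstrap/default/app-of-apps.yaml:
--------------------------------------------------------------------------------
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: 00-hub-cluster-manager
  namespace: openshift-gitops
spec:
  destination:
    server: https://kubernetes.default.svc
  project: default
  source:
    # build-cluster-config.sh rewrites "clusters/default" to the new cluster
    # name when this template is copied.
    path: clusters/default
    repoURL: https://github.com/adetalhouet/ocp-gitops.git
    targetRevision: main
  syncPolicy:
    automated:
      prune: false
      selfHeal: true
--------------------------------------------------------------------------------
/bootstrap/default/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

commonLabels:
  # NOTE(review): build-cluster-config.sh only rewrites the hub FQDN, so a
  # scaffolded cluster keeps this label value; confirm whether it should be
  # the new cluster's name.
  gitops/cluster-name: hub-adetalhouet

bases:
  - ../../apps/01-openshift-gitops/bootstrap
  - ../../apps/02-sealed-secrets/bootstrap

--------------------------------------------------------------------------------
/build-cluster-config.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Scaffold the configuration for a new cluster: copy the "default" bootstrap,
# cluster and overlay directories to CLUSTER_NAME, rewrite the hub FQDN and
# the "default" references inside them, then regenerate the RH SSO sealed
# secret for the new overlay.
#
# Usage: ./build-cluster-config.sh CLUSTER_NAME DOMAIN_NAME
# Requires: gsed (GNU sed), kustomize, kubeseal, and ~/.bitnami/tls.crt
# (the sealing certificate of the target cluster's sealed-secrets controller;
# a certificate from another cluster produces a secret that will not unseal).
# Exits non-zero on missing/invalid arguments, on a missing tool, if the
# cluster directories already exist, or if any step fails.

set -euo pipefail

CLUSTER_NAME=${1:-}
DOMAIN_NAME=${2:-}

if [[ -z "$CLUSTER_NAME" ]]; then
  echo " You must provide a cluster name."
  echo "Usage: ./build-cluster-config.sh CLUSTER_NAME DOMAIN_NAME"
  exit 1
fi

if [[ -z "$DOMAIN_NAME" ]]; then
  echo " You must provide a domain name."
  echo "Usage: ./build-cluster-config.sh CLUSTER_NAME DOMAIN_NAME"
  exit 1
fi

# Both values become directory names and sed replacement text; restrict them
# to a DNS-label-like charset so "../x" cannot escape the expected paths and
# "/" or "&" cannot alter the s/// expressions below.
if [[ ! "$CLUSTER_NAME" =~ ^[A-Za-z0-9][A-Za-z0-9._-]*$ ]]; then
  echo "Cluster name must match ^[A-Za-z0-9][A-Za-z0-9._-]*$ (got '$CLUSTER_NAME')."
  exit 1
fi
if [[ ! "$DOMAIN_NAME" =~ ^[A-Za-z0-9][A-Za-z0-9.-]*$ ]]; then
  echo "Domain name must match ^[A-Za-z0-9][A-Za-z0-9.-]*$ (got '$DOMAIN_NAME')."
  exit 1
fi

# Refuse to run twice: "cp -r" into an existing directory nests a second copy
# instead of overwriting, and the sed rewrites below would then miss it.
if [[ -d "bootstrap/$CLUSTER_NAME" || -d "clusters/$CLUSTER_NAME" ]]; then
  echo "Configuration for '$CLUSTER_NAME' already exists; remove it first or pick another name."
  exit 1
fi

# Fail before copying anything if a required tool is missing.
for tool in gsed kustomize kubeseal; do
  command -v "$tool" >/dev/null 2>&1 || { echo "Required tool '$tool' not found in PATH."; exit 1; }
done

# prepare scaffolding
cp -r bootstrap/default "bootstrap/$CLUSTER_NAME"
cp -r clusters/default "clusters/$CLUSTER_NAME"
cp -r apps/01-openshift-gitops/overlays/default "apps/01-openshift-gitops/overlays/$CLUSTER_NAME"
cp -r apps/06-rhsso/overlays/default "apps/06-rhsso/overlays/$CLUSTER_NAME"
cp -r apps/07-oauth/overlays/default "apps/07-oauth/overlays/$CLUSTER_NAME"
cp -r apps/16-acs/overlays/default "apps/16-acs/overlays/$CLUSTER_NAME"

# replace fqdn cluster name
# NOTE: "*$CLUSTER_NAME*" is a substring match, so a name that is also part of
# another path (e.g. a prefix of an existing cluster's name) rewrites that
# cluster's files too.
find . -type f -path "*$CLUSTER_NAME*" -exec gsed -i "s/hub-adetalhouet.rhtelco.io/$CLUSTER_NAME.$DOMAIN_NAME/g" {} +

# configure bootstrap
gsed -i "s/clusters\/default/clusters\/$CLUSTER_NAME/g" "bootstrap/$CLUSTER_NAME/app-of-apps.yaml"
# NOTE(review): bootstrap/$CLUSTER_NAME/kustomization.yaml still carries
# commonLabels gitops/cluster-name: hub-adetalhouet after this; confirm
# whether it should be rewritten to $CLUSTER_NAME as well.

# configure cluster
gsed -i "s/cluster: default/cluster: $CLUSTER_NAME/g" "clusters/$CLUSTER_NAME/applicationset.yaml"
gsed -i "s/overlays\/default/overlays\/$CLUSTER_NAME/g" "clusters/$CLUSTER_NAME/applicationset.yaml"

# Regenerate RH SSO Sealed Secret
# rhsso-config.yaml is the *unsealed* secret material and only an input to
# kubeseal; it must stay out of git (the overlay's config/ directory carries
# a .gitignore, presumably for this file - verify). With set -e a failed
# kustomize build no longer leaves an empty file that kubeseal would seal.
RH_SSO_OVERLAY="apps/06-rhsso/overlays/$CLUSTER_NAME"
kustomize build "$RH_SSO_OVERLAY/config" > "$RH_SSO_OVERLAY/config/rhsso-config.yaml"
kubeseal --cert ~/.bitnami/tls.crt --format yaml < "$RH_SSO_OVERLAY/config/rhsso-config.yaml" > "$RH_SSO_OVERLAY/01-sealed-rhsso-config.yaml"
--------------------------------------------------------------------------------
/clusters/ca-central/Chart.yaml:
--------------------------------------------------------------------------------
apiVersion: v2
description: Alexis de Talhouët clusters config
name: ca-central-cluster
version: 1.0.0

dependencies:
  - name: ocp-gitops
    version: 1.0.0
    # Pulled from the published chart repo; the file:// line below is the
    # local-development alternative.
    repository: https://adetalhouet.github.io/ocp-gitops/
    # repository: file://../../helm
--------------------------------------------------------------------------------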
/clusters/ca-central/values.yaml:
--------------------------------------------------------------------------------
# Per-cluster values for the ocp-gitops umbrella chart. Keys here are merged
# over helm/values.yaml, so an application's "overlays" flag set there stays
# in effect unless overridden here.
ocp-gitops:
  config:
    repoURL: https://github.com/adetalhouet/ocp-gitops.git
    overlay: ca-central

  applications:
    01-openshift-gitops:
      enabled: true
    02-sealed-secrets:
      enabled: true
    03-letsencrypt-certs:
      enabled: true
    04-local-storage-operator:
      enabled: true
    05-openshift-container-storage:
      enabled: true
    06-rhsso:
      enabled: true
    07-oauth:
      enabled: true
    08-openshift-elasticsearch:
      enabled: false
    09-openshift-logging:
      enabled: false
    10-ansible-automation-platform:
      enabled: false
    11-quay-container-security:
      enabled: false
    12-advanced-cluster-management:
      enabled: true
    13-advanced-cluster-management-policies:
      enabled: false
    14-advanced-cluster-management-apps:
      enabled: false
    15-advanced-cluster-managment-observability:
      enabled: true
    16-acs:
      enabled: false
      overlays: false

--------------------------------------------------------------------------------
/clusters/default/Chart.yaml:
--------------------------------------------------------------------------------
apiVersion: v2
description: Alexis de Talhouët clusters config
name: default-cluster
version: 1.0.0

dependencies:
  - name: ocp-gitops
    version: 1.0.0
    repository: https://adetalhouet.github.io/ocp-gitops/
    # repository: file://../../helm
--------------------------------------------------------------------------------
/clusters/default/values.yaml:
--------------------------------------------------------------------------------
# Template copied by build-cluster-config.sh for every new cluster; the
# "overlay: default" value is rewritten there.
ocp-gitops:
  config:
    repoURL: https://github.com/adetalhouet/ocp-gitops.git
    overlay: default
  applications:
    01-openshift-gitops:
      enabled: true
    02-sealed-secrets:
      enabled: true
    03-letsencrypt-certs:
      enabled: true
    04-local-storage-operator:
      enabled: false
    05-openshift-container-storage:
      enabled: false
    06-rhsso:
      enabled: false
    07-oauth:
      enabled: false
    08-openshift-elasticsearch:
      enabled: false
    09-openshift-logging:
      enabled: false
    10-ansible-automation-platform:
      enabled: false
    11-quay-container-security:
      enabled: true
    12-advanced-cluster-management:
      enabled: false
    13-advanced-cluster-management-policies:
      enabled: false
    14-advanced-cluster-management-apps:
      enabled: false
    15-advanced-cluster-managment-observability:
      enabled: false
    16-acs:
      enabled: false
--------------------------------------------------------------------------------
/config/alert-manager.yaml:
--------------------------------------------------------------------------------
global:
  resolve_timeout: 5m
  # A Slack incoming-webhook URL is a bearer credential: anyone holding it can
  # post to the workspace. This committed file keeps a placeholder; the real
  # value belongs in the alertmanager-main secret (in this repo: a sealed
  # secret), never in a tracked file. Note the line below is a reminder
  # ("...HERE: https://...") rather than a URL, so Alertmanager will not
  # accept it as-is - replace the whole value when configuring.
  slack_api_url: >-
    https://hooks.slack.com/services/$HOOK_TO_ENTER_CAN_BE_FOUND_HERE: https://functionalhops.slack.com/services/B02GAFSTE3V
inhibit_rules:
  # Suppress warning/info alerts while a critical alert with the same
  # namespace and alertname is firing, and info while warning is firing.
  - equal:
      - namespace
      - alertname
    source_match:
      severity: critical
    target_match_re:
      severity: warning|info
  - equal:
      - namespace
      - alertname
    source_match:
      severity: warning
    target_match_re:
      severity: info
receivers:
  - name: Critical
    slack_configs:
      - channel: adetalhouet-sandbox
  - name: Default
    slack_configs:
      - channel: adetalhouet-sandbox
  - name: Watchdog
    slack_configs:
      - channel: adetalhouet-sandbox
route:
  group_by:
    - namespace
  group_interval: 5m
  group_wait: 30s
  receiver: Default
  repeat_interval: 12h
  routes:
    - receiver: Watchdog
      match:
        alertname: Watchdog
    - receiver: Critical
      match:
        severity: critical

--------------------------------------------------------------------------------
/config/etcd-backup.yaml:
--------------------------------------------------------------------------------
# Identity used by the backup CronJob below. It is bound to a cluster-wide
# pods create/delete role and to the privileged SCC; since "oc debug node"
# with privileged access is host root on a control-plane node, this service
# account is effectively cluster-admin. Keep the ocp-etcd-backup namespace
# locked down (who may create pods or exec in it).
kind: ServiceAccount
apiVersion: v1
metadata:
  name: openshift-backup
  namespace: ocp-etcd-backup
  labels:
    app: openshift-backup
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-etcd-backup
rules:
  # nodes get/list is needed cluster-wide to pick a master below.
  - apiGroups: [""]
    resources:
      - "nodes"
    verbs: ["get", "list"]
  # NOTE(review): oc debug creates its pod in the caller's namespace, so a
  # namespaced Role may be sufficient for the pods verbs; granting them
  # cluster-wide lets the SA create/delete pods in every namespace. Confirm
  # and narrow if possible.
  - apiGroups: [""]
    resources:
      - "pods"
      - "pods/log"
    verbs: ["get", "list", "create", "delete", "watch"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: openshift-backup
  labels:
    app: openshift-backup
subjects:
  - kind: ServiceAccount
    name: openshift-backup
    namespace: ocp-etcd-backup
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-etcd-backup
---
# Grants the privileged SCC, required for the host-level debug pod.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: system:openshift:scc:privileged
  namespace: ocp-etcd-backup
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:openshift:scc:privileged
subjects:
  - kind: ServiceAccount
    name: openshift-backup
    namespace: ocp-etcd-backup
---
kind: CronJob
apiVersion: batch/v1
metadata:
  name: openshift-backup
  namespace: ocp-etcd-backup
  labels:
    app: openshift-backup
spec:
  # Nightly at midnight; Forbid prevents overlapping runs if one hangs.
  schedule: "0 0 * * *"
  concurrencyPolicy: Forbid
  successfulJobsHistoryLimit: 5
  failedJobsHistoryLimit: 5
  jobTemplate:
    metadata:
      labels:
        app: openshift-backup
    spec:
      backoffLimit: 0
      template:
        metadata:
          labels:
            app: openshift-backup
        spec:
          containers:
            - name: backup
              # Untagged image reference resolves to a floating tag; pin a
              # tag or digest so the nightly job runs a known binary.
              image: "registry.redhat.io/openshift4/ose-cli"
              command:
                - "/bin/bash"
                - "-c"
                # Picks the first master, opens a host-root debug shell on it
                # and runs cluster-backup.sh into an NFS mount. The snapshot
                # is the full etcd keyspace, i.e. every Secret in the cluster,
                # and the NFS export is mounted without authentication or
                # transport encryption, so the export's own access controls
                # are the backup's only protection - encrypt the snapshot
                # before it leaves the node and restrict the export to the
                # master IPs. NOTE(review): the final "find -mmin +1 -delete"
                # removes every file older than one minute right after the new
                # snapshot is written, so only the latest run is retained;
                # confirm that is intended (vs. e.g. -mtime +N).
                - oc get no -l node-role.kubernetes.io/master --no-headers -o name | head -n 1 |xargs -I {} -- oc debug {} -- bash -c 'chroot /host rm -rf /home/core/backup && chroot /host mkdir /home/core/backup && chroot /host sudo -E mount -t nfs 192.168.123.1:/home/adetalhouet/Documents/etcd-backup/data /home/core/backup && chroot /host sudo -E /usr/local/bin/cluster-backup.sh /home/core/backup && chroot /host sudo -E find /home/core/backup/ -type f -mmin +"1" -delete'
          restartPolicy: "Never"
          terminationGracePeriodSeconds: 30
          # Hard stop after 500s so a hung NFS mount cannot hold the job
          # (and its host-root pod) open indefinitely.
          activeDeadlineSeconds: 500
          dnsPolicy: "ClusterFirst"
          serviceAccountName: "openshift-backup"
          serviceAccount: "openshift-backup"

--------------------------------------------------------------------------------
/config/kustomization.yaml:
--------------------------------------------------------------------------------
kind: Kustomization
apiVersion: kustomize.config.k8s.io/v1beta1

# https://issues.redhat.com/browse/AAP-512

# oc edit kubeapiservers.operator.openshift.io cluster
# oc edit kubecontrollermanager cluster
# unsupportedConfigOverrides:
#   apiServerArguments:
#     feature-gates:
#     - TTLAfterFinished=false

# NOTE(review): these patches do not reproduce the override sketched above -
# the JSON-pointer path ends in "/", which addresses a key with an empty name
# under feature-gates, and "value: false" is not the list item
# "TTLAfterFinished=false". No resources are listed either, so a plain
# kustomize build has nothing to patch. Verify the rendered result before
# relying on it; unsupportedConfigOverrides also leaves the cluster in an
# unsupported state.
patches:
  - target:
      kind: KubeAPIServer
      name: cluster
    patch: |-
      - op: add
        path: /spec/unsupportedConfigOverrides/apiServerArguments/feature-gates/
        value: false
  - target:
      kind: KubeControllerManager
      name: cluster
    patch: |-
      - op: add
        path: /spec/unsupportedConfigOverrides/apiServerArguments/feature-gates/
        value: false
--------------------------------------------------------------------------------
/config/misc.txt:
--------------------------------------------------------------------------------
```
oc patch clusterversion version --type json -p '[{"op": "add", "path": "/spec/overrides", "value": [{"kind": "ClusterOperator", "group": "config.openshift.io", "namespace": "default", "name": "kube-controller-manager", "unmanaged": true}]}]'

oc patch clusterversion version --type json -p '[{"op": "remove", "path": "/spec/overrides"}]'
```
--------------------------------------------------------------------------------
/helm/Chart.yaml:
--------------------------------------------------------------------------------
apiVersion: v2
description: Alexis de Talhouët clusters config
name: ocp-gitops
version: 1.0.0
--------------------------------------------------------------------------------
/helm/templates/application.yaml:
--------------------------------------------------------------------------------
{{- $c := 1 | int64 }}
{{- range $key,$val := .Values.applications }}
{{- if $val.enabled }}
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: {{ $key }}
  namespace: openshift-gitops
  annotations:
    argocd.argoproj.io/compare-options: IgnoreExtraneous
    # $c is incremented for every key (enabled or not, see the bottom of the
    # template), so the wave is the key's alphabetical position and the
    # NN- prefixes keep apps installing in order.
    argocd.argoproj.io/sync-wave: {{ quote $c |}}
spec:
  # The default AppProject permits any repo and destination by default.
  project: default
  destination:
    server: https://kubernetes.default.svc
  source:
    repoURL: {{ $.Values.config.repoURL }}
    # HEAD of the default branch with selfHeal: any commit that lands there
    # is applied to the cluster; protect that branch.
    targetRevision: HEAD
{{ if $val.overlays }}
    path: apps/{{ $key }}/overlays/{{ $.Values.config.overlay }}
{{ else }}
    path: apps/{{ $key }}
{{ end }}
  syncPolicy:
    automated:
      selfHeal: true
      allowEmpty: true
    syncOptions:
      # Validate=false skips the client-side schema validation on apply, so
      # malformed manifests surface only as API errors at sync time.
      - Validate=false
      - CreateNamespace=true
    retry:
      # -1 = retry forever (with the backoff below) on a failed sync.
      limit: -1
      backoff:
        duration: 5s
        factor: 2
        maxDuration: 3m
{{- end }}
{{ $c = add1 $c }}
{{- end }}
--------------------------------------------------------------------------------
/helm/values.yaml:
--------------------------------------------------------------------------------
# Chart defaults; clusters/<name>/values.yaml overrides them per cluster.
# "overlays: true" selects apps/<key>/overlays/<config.overlay> as the
# Application path instead of apps/<key>.
config:
  repoURL: https://github.com/adetalhouet/ocp-gitops.git
  overlay: ca-central

applications:
  01-openshift-gitops:
    enabled: true
    overlays: true
  02-sealed-secrets:
    enabled: true
  03-letsencrypt-certs:
    enabled: true
  04-local-storage-operator:
    enabled: true
  05-openshift-container-storage:
    enabled: true
  06-rhsso:
    enabled: true
    overlays: true
  07-oauth:
    enabled: true
    overlays: true
  08-openshift-elasticsearch:
    enabled: true
  09-openshift-logging:
    enabled: true
  10-ansible-automation-platform:
    enabled: true
    overlays: true
  11-quay-container-security:
    enabled: true
  12-advanced-cluster-management:
    enabled: true
  15-advanced-cluster-managment-observability:
    enabled: true
  16-acs:
    enabled: true
    overlays: true
  17-net-obs:
    enabled: true
--------------------------------------------------------------------------------